Denver Auditor Timothy O'Brien

Denver Auditor Timothy O'Brien

Denver has successfully addressed many of the user-access deficiencies in Workday, the city's accounting and human resources software, according to a follow-up report from Denver Auditor Timothy O’Brien.

The original audit, released in April 2019, found that since Denver began using Workday in 2017, the city did not put in place documented policies for user access, and that agencies had inconsistent procedures for adding new users. There was also a lack of periodic reviews of user access to Workday. The software is cloud-based, and any of the city’s 13,000 employees can access it online.

Auditors noted in the new report that the city has since established a committee to oversee Workday policies, which satisfied one of the office’s recommendations. In late 2019, there was a review of user accounts, and the oversight committee has developed guidelines for mitigating risk that stems from unauthorized user access. The guidelines specify who is charged with disabling user access when an employee leaves their city job.

However, the Technology Services agency did not implement a recommendation about “complementary customer controls,” which the original audit referred to as measures to address the security of user data.

“Even though Technology Services personnel told us they are not reviewing the complementary customer control considerations on an annual basis as they had agreed to last year, they provided evidence that Technology Services performs annual risk reviews of the Workday service organization controls report,” auditors wrote. O’Brien’s office countered that it was difficult to tell what the person reviewing the system was doing, and reaffirmed the recommendation.

(0) comments

Welcome to the discussion.

Keep it Clean. Please avoid obscene, vulgar, lewd, racist or sexually-oriented language.
PLEASE TURN OFF YOUR CAPS LOCK.
Don't Threaten. Threats of harming another person will not be tolerated.
Be Truthful. Don't knowingly lie about anyone or anything.
Be Nice. No racism, sexism or any sort of -ism that is degrading to another person.
Be Proactive. Use the 'Report' link on each comment to let us know of abusive posts.
Share with Us. We'd love to hear eyewitness accounts, the history behind an article.