Migrate to Workday
ACCESS & GOVERNANCE

Are Recertification Cycles Overwhelming Internal Teams?

Note: This article is for informational purposes only and reflects publicly available research on access governance, security controls, and enterprise process design.

Illustration of recurring recertification workload and review cycles

In this article we discuss:

  • Why companies recertify access, roles, and responsibilities
  • Where recurring reviews become repetitive and hard to manage
  • How recertification can quietly drain internal time and attention
  • What a healthier, risk-based process can look like

Recertification Exists for a Reason

Recertification is the recurring review of access, permissions, roles, approvals, or compliance items to confirm that they are still appropriate.

Organizations use these cycles for sound reasons. People change roles. Teams reorganize. Projects end. Vendors leave. New systems are added. Access that made sense last quarter may no longer be appropriate today.

In security and governance terms, recertification supports least privilege, cleaner account administration, and better control over who can see or approve what.

In Workday environments, the same logic applies to security roles, HR workflows, finance approvals, and process ownership. The goal is not to create paperwork. The goal is to keep the operating model aligned with reality.

Where the Process Starts to Fray

The challenge usually begins when recertification is treated as a calendar event instead of a governance process.

When the same managers, approvers, or system owners receive repeated requests across multiple tools, the work can become repetitive even if each request is individually valid.

Common points of friction include duplicated review cycles, spreadsheets that do not match the source system, unclear ownership, short deadlines, and review packs that arrive with too much information and too little context.

At that stage, people are not necessarily resisting control. They are reacting to process design that asks them to review the same categories of access again and again without enough signal about risk or material change.

The Hidden Cost on Employees and Internal Teams

The direct cost of recertification is easy to see in hours spent on attestation, review, follow-up, and documentation. The indirect cost is less visible.

Repeated reviews interrupt attention, fragment the workday, and pull subject matter experts away from higher-value analysis. That creates a subtle but real operational burden for HR, finance, security, IT, and business teams.

Over time, that burden can show up in a few ways:

None of that means recertification should disappear. It means the process needs to be designed with more discipline.

Recertification is supposed to reduce risk, not create avoidable noise.

Why Companies Still Need Recertification

It is easy to criticize the workload without acknowledging why recertification exists in the first place.

Security teams need it to reduce inappropriate access and remove dormant or unnecessary permissions. Compliance teams need it to support audit readiness and demonstrate that controls are not only written down, but actually operating. HR and finance teams need it to keep approvals and responsibilities aligned with current roles.

NIST SP 800-53 includes account management controls that require organizations to review and manage accounts through defined policies and procedures. ISO/IEC 27002:2022 also frames access control as part of a broader information security and resilience program.

In other words, recertification is not the problem. Weak design is the problem.

What a Healthier Process Could Look Like

A healthier process usually starts by asking a simple question: does this review add meaningful risk reduction, or is it just repeating work already covered elsewhere?

The most effective programs tend to do a few things well:

Workday and other enterprise platforms can help when they are used as part of a connected governance model rather than as another place to manually duplicate the same review step.

The better the process is mapped to actual risk, the less likely it is to become a routine burden that people simply push through.

Why This Matters

Recertification is a legitimate control when it is applied with judgment. The objective should be to protect access, support compliance, and keep responsibilities aligned with reality without turning every cycle into a morale problem or a hidden tax on internal teams.

Closing Question

In your organization, are recurring recertification cycles being managed as a focused control, or have they become a repetitive workload that could be simplified without lowering standards?

References

  1. National Institute of Standards and Technology. "Security and Privacy Controls for Information Systems and Organizations (SP 800-53 Rev. 5)."
    https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf
  2. ISO. "ISO/IEC 27002:2022 - Information security, cybersecurity and privacy protection - Information security controls."
    https://www.iso.org/standard/75652.html
  3. Workday, Inc. "The Ultimate Guide to ERP Implementation."
    https://blog.workday.com/en-hk/ultimate-guide-erp-implementation.html
  4. Axios. "Welcome to the 'infinite workday'."
    https://www.axios.com/newsletters/axios-markets-a7164fa0-4aa2-11f0-8669-6370c21e4334