Why Sending a Questionnaire to Workday Is a Waste of Everyone's Time
Workday processes payroll for thousands of enterprises. When you send them a security questionnaire, you already know what's going to happen. They'll route it to a team whose job is to respond to questionnaires. You'll get 200 polished answers back. You'll mark the review complete. Nothing about your risk posture will have changed.
We need to stop pretending this exercise is risk management.
You can't understand Workday from 200 questions
Pick any large vendor: Workday, ServiceNow, Salesforce, Microsoft. Their internal environments are sprawling. Thousands of engineers, hundreds of services, decades of architectural decisions, acquisitions layered on top of acquisitions. The idea that a 200-question SIG or CAIQ is going to give you a meaningful picture of how they actually operate is a fantasy we've all agreed to participate in.
The answers are manicured. You're not learning anything.
Large vendors have entire teams whose performance is measured by questionnaire turnaround time and pass rate. Every answer has been reviewed, sanitized, and pre-approved. You're not reading what's true. You're reading what's been cleared for external consumption.
That's not a knock on those teams. It's the rational response to receiving thousands of these per year. But it means the artifact you're collecting has almost no informational value.
You were never going to reject them anyway
Be honest about the decision tree. If Workday's questionnaire came back with a yellow flag on, say, their patch management cadence, would you tell the CHRO you're blocking the payroll implementation? Of course not. Category leaders get adopted because the business needs them. The questionnaire isn't an input to the decision. It's documentation produced after the decision.
That's fine. But if the questionnaire isn't actually gating anything, why are we burning weeks of our team's time and theirs running through it?
What to look at instead
For any vendor with more than roughly 2,000 employees, your time is better spent on public, verifiable information than on a custom questionnaire:
- Certifications and attestations. FedRAMP, HITRUST, SOC 2 Type II, ISO 27001, PCI DSS where relevant. These aren't perfect, but they reflect ongoing third-party scrutiny rather than self-reporting.
- Public company status. Public companies carry SOX obligations, audited financials, and disclosure requirements that materially reduce certain risk categories.
- Revenue and headcount. A $7B-revenue vendor with 19,000 employees has a different risk profile than a 40-person startup. Size isn't safety, but it's relevant context.
- Breach and incident history. Public disclosures, regulatory filings, news coverage.
- Litigation and regulatory posture. Easily searchable. Often more informative than any questionnaire response.
You can build a credible vendor risk profile for a category leader from public sources in minutes. That's the work that actually informs a decision.
Where the real risk work lives
The questionnaire conversation is so loud it drowns out the work that would actually reduce your risk.
You can't change how Workday operates. You can change how you integrate with them. Every large vendor relationship has a containment surface on your side, and that's where your team's hours should go:
- What data are you actually sending them, and is any of it avoidable?
- How is access provisioned, rotated, and revoked? Are you using SSO with strong conditional access, or shared credentials?
- What's your detection posture for anomalous activity in the integration?
- If they had an incident tomorrow, what's your isolation plan? How quickly can you cut the connection, rotate keys, and continue operating?
- Do you have contractual notification timelines that actually match your incident response needs?
None of that shows up in a questionnaire response. All of it materially changes your exposure.
The reframe
Third-party risk management isn't about auditing vendors who will never let you audit them. For large vendors, it's about two things. First, confirming they meet a public baseline you can verify in an afternoon. Second, hardening your own side of the relationship so that when something goes wrong (and over a long enough horizon something will) the blast radius is contained.
The questionnaire ritual makes us feel like we're doing risk management. The containment work actually is risk management. That's where your team's time belongs.