Oracle Fusion Cloud Applications Suite achieved a Type 2 attestation for FINMA on October 7, 2022.

Schellman & Company, LLC completed an examination to assess Oracle Fusino Cloud (“Oracle”) internal controls against the criteria within the Swiss Financial Markets Supervisory Authority (“FINMA”) ”) regulations for operational risks, risks related to outsourcing, and business continuity management (“FINMA regulations”). The examination covers the period from July 1, 2021 to June 30, 2022. The examination focused on Oracle’s information security program supporting Oracle Fusion Cloud Applications Suite, including Oracle Fusion Cloud Enterprise Performance Management (EPM), and Oracle European Union Restricted Access (EURA) Cloud Service for Oracle Fusion Applications and Oracle Cloud EPM and related Oracle controls that assist Oracle customers in meeting their own requirements set forth in the FINMA regulations. Oracle itself is not directly subject to compliance with FINMA requirements.

Schellman conducted the examination in accordance with attestation standards established by the AICPA SSAE 18, Attestation Standards: Clarification and Recodification and in accordance with ISAE 3000, Assurance Engagements Other than Audits or Reviews of Historical Financial Information, issued by the International Auditing and Assurance Standards Board. Based on the examination, Schellman did not identify any testing exceptions for Oracle’s controls related to how customers subject to the FINMA regulations may be compliant when using the Oracle Fusion Applications, Oracle Cloud EPM, and Oracle EURA Cloud Service for Oracle Fusion Applications and Oracle Cloud EPM, as noted in their opinion dated October 7, 2022. Schellman compiled a formal report following the examination.

The report covers selected requirements of the following FINMA Circulars:

• 2018 / 03 “Outsourcing – banks and insurers”;
• 2008 / 21 “Operational Risks – Banks” – Principle 4 Technology Infrastructure;
• 2008 / 21 “Operational Risks – Banks” – Principle 5 Continuity in the Event of a Business Interruption;
• 2008 / 21 “Operational Risks – Banks” – Principle 6 Continuity of Critical Services in the Event of Liquidation and Restructuring of Systemically Important Banks;
• 2008 / 21 “Operational Risks – Banks” – Appendix 3 Handling of electronic Client Identifying Data; and
• Business Continuity Management (BCM) minimum standards proposed by the Swiss Bankers Association (SBA).

Customers are solely responsible for determining the suitability of a cloud service in the context of FINMA. The information in the report compiled by Schellman is provided to aid Swiss financial services customers in their evaluation of Oracle Fusion Applications. The reports are available both in English and German.

Please reach out to your Sales Representative and/or Account Manager to request access to the attestation report. To learn more of our compliance activities, check out the Compliance page on our website and Compliance Considerations for Cloud Services blogpost.