This document will continue to evolve as existing sections change and new information is added. All updates appear in the following table:
| Date | Update Version | Notes |
|---|---|---|
| 07 SEP 2018 | Update 18C | Delivered new features in update 18C. |
| 06 APR 2018 | Update 18B | Delivered new features in update 18B. |
| 12 JAN 2018 | Update 18A | Delivered new features in update 18A. |
This document will continue to evolve as existing sections change and new information is added. All updates appear in the following table:
| Date | Feature | Notes |
|---|---|---|
| 07 SEP 2018 | | Created initial document. |
This guide outlines the information you need to know about new or improved functionality in this update.
DISCLAIMER
The information contained in this document may include statements about Oracle’s product development plans. Many factors can materially affect Oracle’s product development plans and the nature and timing of future product releases. Accordingly, this Information is provided to you solely for information only, is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described remains at the sole discretion of Oracle.
This information may not be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates. Oracle specifically disclaims any liability with respect to this information. Refer to the Legal Notices and Terms of Use for further information.
Oracle Risk Management consists of three products: Oracle Fusion Financial Reporting Compliance documents your policies for identifying and resolving risk in your financial processes. Oracle Advanced Access Controls detects risk inherent in the access granted to users of business applications. Oracle Advanced Financial Controls uncovers risk exhibited by transactions completed on business applications. Advanced Financial Controls and Advanced Access Controls belong to a module called Advanced Controls Management.
Advanced Access Controls includes a new Access Certification set of features. It enables an organization to perform periodic reviews to determine whether job roles are assigned appropriately to users.
Monitor Jobs – Page Enhancements
The Monitor Jobs page tracks the status of all jobs submitted across Risk Management applications. This page has been simplified.
By default, it lists jobs submitted in the last twenty-four hours by the person who is currently logged on. Each row provides summary information about a job: an identifying number as well as its name and status. Use the Expand icon in the row to view additional details about the job.
Users can:
- Sort the list of jobs by job ID number, name, status, or submission date.
- Create searches — sets of filtering options — and save searches for reuse.
- Select the status of a job to view details around it, including record counts. Examples of counts include new, updated, and total values for each business object affected by a transaction synchronization job, or the numbers of newly generated and updated incidents for a control-analysis job.
- Download exported files and reports, by clicking a Download icon in the rows for jobs that create these items.
Changes from Related Links to Page Tabs
In the Setup and Administration work area of Risk Management Tools, navigation has changed. In earlier versions, links to Setup and Administration pages were contained in a Related Links panel tab. This panel tab is replaced by a set of fixed tabs that run vertically along the left side of the work area.
Performance Configurations for Applications
You can modify settings that improve performance by reducing the number of records involved in data-intensive operations. These settings apply to the Advanced Controls Management module. They include:
- Access Performance Configuration. For Advanced Access Controls, set the number of records an access model can return. The default value is 5,000. You can set the value lower, but not higher. The limit applies only to results returned by access models, not to control incidents. Optionally, allow the record limit to be overridden on a model-by-model basis.
- Transaction Performance Configuration. For Advanced Financial Controls, data synchronization of Transaction business objects operates only on records created or updated on or after a date you specify. This date is required and the data-synchronization jobs fail if no date is set.
- Audit Performance Configuration. For Advanced Financial Controls, data synchronization for Audit business objects operates only on records created or updated on or after a date you specify. This date is required, and is distinct from the cutoff date you set for the synchronization of Transaction business objects.
Perspective Values Can be Renamed
For a perspective hierarchy, the underlying names of values in the hierarchy can be renamed. However, the perspective hierarchy cannot be renamed.
Financial Reporting Compliance
Changes to Assessment Tabs and Related Links
New navigation options enable you to work with assessments in new ways.
- In each of the Process, Risk, and Control work areas, an object-level Assessments tab opens a page that lists assessments for the object type. You can select from the list to complete, review, or approve assessments. (This is distinct from the Assessment tab that has always existed within the record for an individual process, risk, or control, which allows you to work with assessments of that specific item.)
- In earlier versions of the Assessments work area, links to pages for completing assessment tasks were contained in a Related Links panel tab. This panel tab is replaced by a set of fixed tabs that run vertically along the left side of the work area.
Changes to Security for Assessment Records
The records being assessed within a batch assessment can be associated with their own perspectives, which provides data-level security at the assessment record. This is a change from prior releases, in which security for assessment records was inherited through the object record being assessed.
Control Test Plan Modifications
A test plan determines whether a control effectively serves its purpose in reducing risk. In earlier versions, a test plan consisted of test instructions, and each instruction consisted of test steps. This has been simplified: A test plan now consists only of test steps. Test instructions no longer exist.
Also in earlier versions, the pages to create or edit an individual control contained a grid listing its test plans, in conjunction with links to manage the test plan and its components. Now, the pages to manage a test plan and its components are accessible from a fixed tab along the left border of a control record.
Updates to Survey Status and End Date
Surveys accommodate greater flexibility in handling end dates, and status values have been updated to reflect that flexibility.
- A new status, Closed to Responses, identifies that the end date has been reached.
- The Closed to Responses status allows the end date to be changed. The Closed status, on the other hand, does not allow the end date to be updated.
- The Close Survey button initiates a hard close. It prevents further updates to the survey.
Delivered Model Content for Oracle Fusion Applications Audit
Advanced Financial Controls introduces new business objects that correspond to audit-level information you configure under Manage Audit Policies in Oracle Fusion Applications. New models are delivered that use these business objects from various application audit areas.
Delivered Model Content for Enterprise Resource Planning
Oracle delivers new models for financial application areas. These models are supported by new business objects.
Delivered Model Content for Human Capital Management
Oracle delivers new models for the Human Capital Management application. These models are supported by new business objects.
Contextual Control and Incident Extract Reports Removed
Two contextual reports have been removed, but are still available as embedded reports in the Advanced Controls Reports work area.
- The Control Detail Extract report is no longer available as a contextual report in the toolbar of the Manage Controls page. Alternatively, use Business Intelligence for Risk Management for reporting.
- The Transaction Incident Details Extract report is no longer available as a contextual report in the toolbar of the Results page that displays incidents generated by a specific control. Alternatively, use the Export to Excel option in the toolbar, or use Business Intelligence for Risk Management for reporting.
Copy Cell Value in Results and Controls
Copy a cell value (or press Ctrl + C) from model results, controls, or incident results to the clipboard so that you can paste it into other documents.
New Conflicts Within a Single Role Option for Model Results
A check box called Conflicts within a single role, previously available in the page that displays access incidents generated by an individual access control, is now available in the page that displays results for a model. It filters the list of results to include only those in which the assignment of a single role grants rights to access points the model defines as conflicting.
Access Visualization Enhancements
When resolving incidents, you may create graphic visualizations of paths by which users gain access to conflicting points. Enhancements have been made to access visualization.
- Instead of displaying U, R, and P, the legend for an access visualization now displays User, Role, and Privilege.
- The visualization shows the unique code associated with an access point when you hover your cursor over the node representing that access point.
Access Simulation Enhancements
When resolving incidents, use simulations to preview the effects of steps you may take to resolve access conflicts. Enhancements have been made to access simulations.
- Create a simulation based on the results of a control visualization.
- Create a simulation across multiple control results. To do so, create the simulation from scratch, rather than from a visualization. That's because a visualization necessarily focuses on results generated by a single control.
- Create remediation steps by interacting with a visualization graph.
- View the number of conflicts that would be cleaned up if the remediation steps were executed in the Security Console.
- Generate a PDF of the remediation plan.
Create User-Defined Access Point Limitation
The Create User-Defined Access Point page limits the display of access points to 500. Create filters to restrict the number of records returned.
Contextual Control and Incident Extract Reports Removed
Two contextual reports have been removed, but are still available as embedded reports in the Advanced Controls Reports work area.
- The Control Detail Extract report is no longer available as a contextual report in the toolbar of the Manage Controls page. Alternatively, use Business Intelligence for Risk Management for reporting.
- The Access Incident Details Extract report is no longer available as a contextual report in the toolbar of the Results page that displays incidents generated by a specific control. Alternatively, use the Export to Excel option in the toolbar, or use Business Intelligence for Risk Management for reporting.
Copy Cell Value in Results and Controls
Copy a cell value (or press Ctrl + C) from model results, controls, or incident results to the clipboard so that you can paste it into other documents.
Access Certification enables customers to perform role-to-user validations. It can support quarterly audit certification requirements as well as sensitive access validations. Access Certification features belong to the Advanced Access Controls application. You can:
- Define the scope of a certification.
- Monitor and manage a certification.
- Track the validations of role-to-user assignments.
An Access Certification administrator initiates a certification and is responsible for defining its details, including the scope of the roles being certified and the assignment of the role owners and auditor.
An Access Certification owner is granted responsibility for a set of the roles included in a certification. These roles are also assigned to one or more auditors, and the owner reviews the work of those auditors.
An Access Certification auditor is responsible for performing the actual certification of a set of role and user combinations.
Access Certification makes use of these tools:
- An Access Certification Synchronization job updates user administrator, owner, and certifier assignments, including notifications. This job runs automatically at midnight and does not require scheduling.
- Build analyses, dashboards, and reports using the predefined Access Certification Real Time subject area.
Transactional Business Intelligence for Risk Management
New Risk Management Administration Reports
New administration reports are available under the Risk Management catalog and can be run for Financial Reporting Compliance, Advanced Financial Controls, and Advanced Access Controls.
- Change History report provides information on changes recorded in revision history for objects under the different product areas.
- Inaccessible Records and Worklists report provides information on records and worklist items that are no longer accessible by any application user.
- Unassigned Perspective Values report provides information around perspective hierarchies and values that are not assigned to any object.
Subject Area for Access Certification
Access Certification delivers one subject area that allows creation of analyses based on Access Certification data. The subject area is Risk Management Cloud Services – Access Certification Real Time.
This document will continue to evolve as existing sections change and new information is added. All updates appear in the following table:
| Date | Feature | Notes |
|---|---|---|
| 06 APR 2018 | | Created initial document. |
This guide outlines the information you need to know about new or improved functionality in this update.
Oracle Risk Management consists of three products: Oracle Fusion Financial Reporting Compliance documents your policies for identifying and resolving risk in your financial processes. Oracle Advanced Access Controls detects risk inherent in the access granted to users of business applications. Oracle Advanced Financial Controls uncovers risk exhibited by transactions completed on business applications.
Advanced Financial Controls and Advanced Access Controls, which belong to a module called Advanced Controls Management, were newly introduced in release 13, update 18A.
Queued Jobs Canceled After Upgrade
Jobs queued during an upgrade are automatically canceled. Existing job schedules remain in place.
Financial Reporting Compliance
Descriptive Flexfields for Financial Reporting Compliance
You can create descriptive flexfields for use in the pages to create, edit, and manage objects in Financial Reporting Compliance. These objects include Process, Risk, Control, Assessment, Remediation Plan, and Issue. A descriptive flexfield is a user-defined entity that adds to the information you can record for each instance of the object it applies to. Each flexfield consists of segments, which may appear as individual fields or may be concatenated into a single field in a Financial Reporting Compliance page. Each segment may be configured to appear in any circumstance, or only in defined contexts.
Manage Assessment Refresh Icon
A refresh icon was added above the toolbar on the Manage Assessment page. It updates the page with newly initiated assessment batches and progress indicators.
Model Definition – New Pattern Filters
A model consists of filters that select records exhibiting risk. A new type of filter, called a pattern filter, performs statistical analysis. To create such a filter, you select a pattern (a statistical function) from a predefined set: Mean, Benford, Clustering, Anomaly Detection, Absolute Deviation, Pareto, Normalize, and Lexical Tokenization. You also select one or more attributes of business objects whose values are subject to analysis by the pattern. A given model uses only one pattern; controls do not use patterns.
A typical pattern transaction model returns both graphic and tabular results. The graph depicts the statistical pattern generated by the model, and the table displays data represented in the graph. The Normalize and Lexical Tokenization patterns are exceptions; a model containing either generates only tabular results.
User-Defined Objects Run Automatically
A transaction control that generates incidents may analyze data provided by a user-defined object. That object is created by another control, known as a “dataset” control. As you configure the details for an incident control that cites a user-defined object, you may select a new check box that causes its dataset control to run automatically each time, and immediately before, the incident control runs.
User-Defined Object Automatically Created
In earlier versions, the creation of a user-defined object involved not only the creation of its dataset control, but also some additional configuration. Now, when you create a dataset control, its user-defined object is created and added to the business-object library automatically.
Delivered Model Content for Enterprise Resource Planning
Oracle delivers four new models for the expense business area, using existing business objects.
Delivered Model Content for Human Capital Management
Oracle delivers five new models for the Human Capital Management application. These models are supported by new business objects that include Employee Job Assignment, Payroll Definition, Payroll Transactions, Personal Payment Method, Salary, and Time Card.
New business objects available for use in models include Roles and General Ledger Daily Rates.
Delivered Model Content for Enterprise Resource Planning
Oracle delivers four new models that detect segregation-of-duties conflicts in Enterprise Resource Planning applications.
Delivered Model Content for Human Capital Management
Oracle delivers 34 new models that detect segregation-of-duties conflicts in Human Capital Management applications.
Transactional Business Intelligence for Risk Management
Financial Reporting Compliance
Financial Reporting Compliance provides two predefined subject areas, Risk Management Cloud – Assessment Results Real Time and Risk Management Cloud – Compliance Real Time. From these, you can build analyses, dashboards, and reports for Financial Reporting Compliance.
- Both subject areas add attributes to the Assessment Details and Control Details dimension folders. Assessment Details adds assessment ID. Control Details adds control ID.
- The Compliance Real Time subject area adds a dimension folder called Remediation Plan Details. It provides reporting on remediation plan ID.
Subject Area for Advanced Financial Controls
Advanced Financial Controls delivers one subject area that allows creation of analyses based on Advanced Financial Controls data. This subject area is Risk Management Cloud - Advanced Financial Controls Real Time.
Subject Area for Advanced Access Controls
Advanced Access Controls delivers one subject area that allows creation of analyses based on Advanced Access Controls data. This subject area is Risk Management Cloud - Advanced Access Controls Real Time.
This document will continue to evolve as existing sections change and new information is added. All updates appear in the following table:
| Date | Feature | Notes |
|---|---|---|
| 12 JAN 2018 | | Created initial document. |
This guide outlines the information you need to know about new or improved functionality in this update.
Oracle Risk Management consists of three products: Oracle Fusion Financial Reporting Compliance documents your policies for identifying and resolving risk in your financial processes. Oracle Advanced Access Controls detects risk inherent in the access granted to users of business applications. Oracle Advanced Financial Controls uncovers risk exhibited by transactions completed on business applications.
Advanced Financial Controls and Advanced Access Controls, which belong to a module called Advanced Controls Management, are newly introduced in release 13, update 18A.
Oracle Advanced Financial Controls implements models and controls that evaluate expense and procure-to-pay transactions for fraud, error, or other risk. You can:
- Create models, or import predefined models that embody best practices. The models establish risk logic.
- Deploy models as controls to detect risk incidents and assign them to users.
- Investigate and remediate transaction incidents identified by controls.
- Secure and report on financial controls and incidents.
Create models, or import “delivered content” — models created by Oracle. Each model consists of filters that define aspects of transaction risk, and select records that satisfy their definitions. Filters cite business objects, which supply data for analysis. Each object is, in effect, a set of related fields from a business application. Each time you run a model, new results replace any existing results, so that you can test risk logic before deploying it in a control. Models also enable auditors to assess the risk inherent in a system at a given moment.
Base transaction controls on models; each control inherits its model’s risk logic. The control, however, returns “incidents” — permanent records of control violations. The control also identifies users, known as “result investigators,” who are responsible for resolving incidents generated by the control.
Incident Remediation Activities
Review incidents, which are records of transactions that have exceeded the risk defined by controls. Result investigators may not only review incident details, but also reassign incidents or update their status to reflect whether anything should be, or has been, done to resolve them.
Advanced Financial Controls makes use of these tools:
- Data sources supply the data analyzed by models and controls. Each business object is associated with a data source, and makes data from that source available. For most business objects, the data source is the business application subject to analysis by models and controls. However, other sources may include imported data files and the Advanced Financial Controls application itself.
- Performance configuration enables you to limit the number of transactions subject to a process called data synchronization. This process keeps transaction data current by copying it regularly from data sources to Advanced Financial Controls.
- Perspectives are sets of related, hierarchically organized values. Each represents a context in which models, controls, and incidents exist. You can relate individual perspective values to individual objects, thus cataloging them by organization, region, or any other concept your company finds meaningful. Perspective values also play a part in securing the application.
- Global user configuration assigns an ID to each person who uses business applications subject to models and controls. An individual’s global user ID correlates to potentially varying IDs a user may have for business-application accounts. Although global user configuration applies principally to access analysis, it applies also to transaction models and controls that incorporate a User business object.
- Reports enable you to extract application data for analysis and distribution.
Oracle Advanced Access Controls implements models and controls that enforce segregation of duties in your applications. You can:
- Create models, or import predefined models that embody best practices. The models establish access risk logic.
- Deploy models as controls to detect access incidents and assign them to users.
- Investigate and remediate access incidents identified by controls.
- Secure and report on access controls and incidents.
Create models that identify “access points” — roles or privileges — that allow individual users to complete risky transactions. Or, import delivered content — once again, models created by Oracle. Each model consists of one or more filters that specify individually dangerous access points or dangerous combinations, and return users assigned those points. Once again, each run of a model produces an entirely new set of results, so that the model supports the testing of risk logic before it is deployed in a control. Models also enable auditors to assess the risk inherent in a system at a given moment.
Deploy controls that inherit the risk logic of access models on which they are based. Once again, a control returns permanent records of violations, known as incidents. The control also identifies result investigators responsible for resolving incidents generated by the control.
Incident Remediation Activities
Review incidents, each of which is a record of a user assigned an access point that a control defines as risky, either individually or because it conflicts with another access point. Result investigators may not only review incident details, but also reassign incidents or update their status to reflect whether anything should be, or has been, done to resolve them.
Advanced Access Controls makes use of these tools:
- Conditions define exemptions from access analysis. A model, and a control developed from the model, may contain condition filters. These apply specifically to the model or control. A global condition is a set of condition filters that apply to all models and controls.
- Entitlements are sets of related access points. A filter in an access model or control may specify an entitlement rather than an individual access point. If so, the filter returns users assigned any of the access points in the entitlement.
- Visualizations and simulations aid in resolving access incidents. A visualization is a graphic depiction of paths by which users gain access to conflicting access points. A simulation previews the effects of steps taken to resolve access conflicts. These items may be related to one another: a simulation can focus on the resolution of conflicts involving access points depicted in a visualization.
- Perspectives are sets of related, hierarchically organized values. Each represents a context in which models, controls, and incidents exist. You can relate individual perspective values to individual objects, thus cataloging them by organization, region, or any other concept your company finds meaningful. Perspective values also play a part in securing the application.
- Global user configuration assigns an ID to each person who uses business applications subject to models and controls. An individual’s global user ID correlates to potentially varying IDs a user may have for business-application accounts. Although global user configuration applies principally to access analysis, it applies also to transaction models and controls that incorporate a User business object.
- Reports enable you to extract application data for analysis and distribution.
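The access-model concepts described above (access points, entitlements, conditions, conflicts within a single role, and simulation of a remediation step) can be sketched in a few lines of Python. This is an added illustration, not Oracle code or an Oracle API; every role, privilege, user, and function name below is constructed for the example.

```python
"""Toy segregation-of-duties access model (added illustration, not Oracle code)."""
from itertools import product

# Constructed sample data. A role grants child roles and/or privileges;
# both roles and privileges count as "access points".
ROLE_GRANTS = {
    "AP_MANAGER": ["AP_CLERK", "APPROVE_PAYMENT"],
    "AP_CLERK": ["CREATE_INVOICE"],
    "SUPPLIER_ADMIN": ["CREATE_SUPPLIER"],
    "PAYMENTS_ANALYST": ["APPROVE_PAYMENT"],
}
USER_ROLES = {
    "alice": ["AP_MANAGER"],
    "bob": ["AP_CLERK", "PAYMENTS_ANALYST"],
    "carol": ["SUPPLIER_ADMIN"],
    "svc_batch": ["AP_MANAGER"],
}
# An entitlement is a named set of related access points. A filter that cites
# an entitlement matches users assigned any access point in it.
ENTITLEMENTS = {
    "Enter Payables": {"CREATE_INVOICE", "CREATE_SUPPLIER"},
    "Release Payments": {"APPROVE_PAYMENT"},
}


def access_paths(point, grants, path=()):
    """Yield (access_point, path) for everything reachable from `point`.

    The path is what a visualization would draw: role -> role -> privilege.
    """
    if point in path:  # guard against a cyclic role hierarchy
        return
    path = path + (point,)
    yield point, path
    for child in grants.get(point, ()):
        yield from access_paths(child, grants, path)


def run_model(ent_a, ent_b, grants=ROLE_GRANTS, exempt=lambda user: False):
    """Return one result per user and conflicting pair of access points.

    `exempt` plays the part of a condition: users it matches are excluded
    from analysis. Each run computes a fresh result set.
    """
    results = []
    for user, roles in sorted(USER_ROLES.items()):
        if exempt(user):
            continue
        reach = {}  # access point -> list of paths that grant it
        for role in roles:
            for point, path in access_paths(role, grants):
                reach.setdefault(point, []).append(path)
        pairs = product(sorted(ENTITLEMENTS[ent_a]), sorted(ENTITLEMENTS[ent_b]))
        for a, b in pairs:
            if a in reach and b in reach:
                # path[0] is the directly assigned role at the root of a path.
                roots_a = {p[0] for p in reach[a]}
                roots_b = {p[0] for p in reach[b]}
                results.append({
                    "user": user,
                    "conflict": (a, b),
                    "paths": reach[a] + reach[b],
                    # True when one assigned role grants both sides.
                    "within_single_role": bool(roots_a & roots_b),
                })
    return results


def simulate(ent_a, ent_b, remove_grants):
    """Preview a remediation: drop (role, child) grants from a copy of the
    hierarchy and return how many conflicts would be cleaned up."""
    trimmed = {
        role: [c for c in children if (role, c) not in remove_grants]
        for role, children in ROLE_GRANTS.items()
    }
    before = run_model(ent_a, ent_b)
    after = run_model(ent_a, ent_b, grants=trimmed)
    return len(before) - len(after)


if __name__ == "__main__":
    for r in run_model("Enter Payables", "Release Payments"):
        print(r["user"], r["conflict"], "single role:", r["within_single_role"])
    resolved = simulate("Enter Payables", "Release Payments",
                        {("AP_MANAGER", "APPROVE_PAYMENT")})
    print("conflicts resolved by simulated change:", resolved)
```

The single-role flag separates conflicts that require redesigning a role from those that can be cleared by revoking one of a user's role assignments.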
Transactional Business Intelligence for Risk Management
Financial Reporting Compliance
Risk Management Cloud provides two predefined subject areas, Risk Management Cloud — Assessment Results Real Time and Risk Management Cloud — Compliance Real Time. From these, you can build analyses, dashboards, and reports for Financial Reporting Compliance. These subject areas are updated.
Both subject areas add a dimension folder called Fiscal Calendar. It provides reporting against fiscal calendar attributes such as date, day, period, quarter, and year. Fiscal Calendar is anchored on the created-by dates.
The Compliance Real Time subject area adds a dimension folder called Issue Details. It provides reporting on issue details such as dates, users, originator, status, object type, and remediation information, among other issue-related attributes.
New Remediation Plan Details Folder
The Compliance Real Time subject area adds a dimension folder called Remediation Plan Details. It provides reporting on remediation plan details such as dates, users, progress, priority, remediation plan information, and related attributes.
Risk Details Folder Enhancements
Both subject areas include a Risk Details dimension folder. It offers new attributes for reviewer and approval dates, users, currency, type, and state.
Control Details Folder Enhancements
Both subject areas include a Control Details dimension folder. It offers new attributes for reviewer and approval dates, users, cost, currency, and comments.
Assessment Results Folder Enhancements
The Assessment Results Real Time subject area includes an Assessment Results dimension folder, which in turn includes Assessment Results Details and Control Test Plan Result Details subfolders. These offer new attributes. Assessment results include data, user, and status attributes. Control test plan results include information around instructions, plans, and steps.
Perspective Folder Enhancements
The Compliance Real Time subject area includes a Perspective dimension folder. It offers new attributes for level status and revision number.
Assessment Details Folder Enhancement
Both subject areas include an Assessment Details dimension folder. It offers a new attribute, Assessment Plan Description.
---
Copyright © 2018, Oracle and/or its affiliates. All rights reserved.
This document is provided for information purposes only, and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document, and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.