- Revision History
- Overview
-
- Risk Management
- Financial Reporting Compliance
- Advanced Access Controls
-
- New and Updated Delivered Model Content
- New Result Pages Summarized by Control, User, and Role
- Combine Up to Three Entitlement Filters
- Advanced Access Model Result Report Synchronization
- Data Set Advanced Controls No Longer Require Result Security Mapping
- Email Announcement of New Control Results Is Consolidated
-
- Advanced Financial Controls
- Transactional Business Intelligence for Risk Management
This document will continue to evolve as existing sections change and new information is added. All updates appear in the following table:
| Date | Product | Feature | Notes |
|---|---|---|---|
| 04 SEP 2020 | Created initial document. |
This guide outlines the information you need to know about new or improved functionality in this update.
DISCLAIMER
The information contained in this document may include statements about Oracle’s product development plans. Many factors can materially affect Oracle’s product development plans and the nature and timing of future product releases. Accordingly, this Information is provided to you solely for information only, is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described remains at the sole discretion of Oracle.
This information may not be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates. Oracle specifically disclaims any liability with respect to this information. Refer to the Legal Notices and Terms of Use for further information.
Oracle Risk Management consists of the following key solution areas:
- Financial Reporting Compliance to automate audit assessments and certifications.
- Advanced Access Controls to manage user access and separation-of-duty risk.
- Advanced Financial Controls to continuously monitor configuration changes and business transactions.
- Access Certifications to streamline reviews by process owners to ensure that employees have been granted appropriate access based on their current jobs.
- Enterprise Risk Management to streamline the analysis, evaluation, and treatment of documented risks.
Financial Reporting Compliance
Updates to the Assessment Train
The complete-assessment flow has been updated. Its Introduction step has been streamlined to render assessment details and participants. To view the record details, you can now click on the record name. In addition, the Review Prior Results step has been removed. You can view prior-result information within the Assessment tab of the record being assessed.
Enhancements to Assessment Records Security Assignment
The Assessment Records Security Assignment UI page has been enhanced to simplify the view of associated perspective values and the assigned assessment actors.
Record Owner Receives Notification
In the event when there is no longer an assigned record reviewer for a record in the In Review state, the record owner will receive the required action notification.
New and Updated Delivered Model Content
Oracle delivers eight new models to detect separation-of-duties conflicts and sensitive access. These models include 6924: Manage General Ledger Allocation Formulas and Generate Journal Entries From Allocation Formulas, 5241: Enter Accounts Receivables Invoice and Enter Journals, 5242: Enter Accounts Receivables Invoice and Post Journal Entry, 5898: Manage Approved Supplier List and Create Purchase Agreements, 5899: Manage Approved Supplier List and Create Purchase Orders, 9804: Sensitive Purchasing Privileges, 4574: Create Customer and Create Sales Order, 9805: HR Sensitive Access Analysis for Excluded Roles.
Three entitlements were updated and will affect several models. Updated entitlements are: Create Purchase Orders, Create Suppliers, and Sensitive Human Resource Privileges.
New Result Pages Summarized by Control, User, and Role
There are two new pages in the Advanced Controls Results management area. The first is for access violations summarized by control and user and the second is access violations summarized by control, user, and role. Both pages enable mass edit of incidents. To get to these pages, drill on the new User Count column in the Results by Control Summary page.
Combine Up to Three Entitlement Filters
You can now create access models that allow multiple filters as long as there are no more than three entitlement based filters. For example, you can create a model definition such as Enter Journals & Post Journal Entry & Manage Accounting Period Statuses for General Ledger.
Advanced Access Model Result Report Synchronization
A new subject area for access model results is being added to OTBI, and is covered under the New OTBI Subject Area for Model Results feature. To be reported on, model-result data must by synchronized into the OTBI repository. You run the synchronization job from the Models page: you would first select models whose result data is to be updated in OTBI, then select the Synchronize Results in OTBI option in the Actions menu. Previously synchronized data for other models remains intact.
Data Set Advanced Controls No Longer Require Result Security Mapping
In Advanced Controls, an incident control generates records of access assignments or transactions that may violate risk definitions, while a data set control generates data to be included in a user-defined object. You can no longer define result security as you create data set controls, although you continue to be required to define result security as you create incident controls.
Email Announcement of New Control Results Is Consolidated
Each time the Notification job runs, it sends email messages concerning new pending incidents. For each recipient, the message is consolidated: it contains a list of every advanced control that has generated at least one new incident the recipient is authorized to view, edit, or own. An incident is new if it was generated after the last time the recipient was alerted.
Two new models for Advanced Financial Controls are available for import. These include 40005: Suppliers and Purchase Orders Managed by the Same User and 40006: Customers and Receivables Invoices Managed by the Same User.
Changes Are Made to Business Objects
This release includes additions, changes, and removal of attributes from auditing business objects.
Data Set Advanced Controls No Longer Require Result Security Mapping
In Advanced Controls, an incident control generates records of access assignments or transactions that may violate risk definitions, while a data set control generates data to be included in a user-defined object. You can no longer define result security as you create data set controls, although you continue to be required to define result security as you create incident controls.
Email Announcement of New Control Results Is Consolidated
Each time the Notification job runs, it sends email messages concerning new pending incidents. For each recipient, the message is consolidated: it contains a list of every advanced control that has generated at least one new incident the recipient is authorized to view, edit, or own. An incident is new if it was generated after the last time the recipient was alerted.
Transactional Business Intelligence for Risk Management
Records are secured by being assigned to users authorized as owners, editors, or viewers. These authorizations can be assigned only to users granted functional access in the Security Console. In OTBI, you can report on users who remain authorized, but no longer have functional access. To report on this, select the existing "Eligibility Flag" in any user security folder and search for the new value "Authorized but not eligible."
New OTBI Subject Area for Model Results
A new subject area for Advanced Controls models provides a way to analyze model results before deploying models as controls. You're also able to synchronize model results to OTBI for select models (instead of all models).