September Maintenance Pack for 19C

Revision History

This document will continue to evolve as existing sections change and new information is added. All updates appear in the following table:

Date	Feature	Notes
30 AUG 2019		Created initial document.

Overview

This guide outlines the information you need to know about new or improved functionality in this update, and describes any tasks you might need to perform for the update. Each section includes a brief description of the feature, the steps you need to take to enable or begin using the feature, any tips or considerations that you should keep in mind, and the resources available to help you.

Give Us Feedback

We welcome your comments and suggestions to improve the content. Please send us your feedback at oracle_fusion_applications_help_ww_grp@oracle.com.

Feature Summary

Advanced Financial Controls

Changes Are Made to HCM Business Objects and Models That Use Them

In this patch release there are updates to some business objects, and the models that use them.  These include:

BUSINESS OBJECTS 

The time-period-related attributes were removed from the Payroll Definition business object. These attributes are now in a new business object called Payroll Time Definition.

HCM MODELS 

The following three HCM models used the Payroll Definition business object and have been revised:

• 50001: Payroll Transactions and Personal Payment Method Managed by Same User
• 50002: Payroll Transactions and Time Cards Managed by Same User
• 50006: Employees on the Payroll a Short Time
  • The user-defined object Employee Receiving Pay was also revised and renamed. The new name is Employee Payroll Transactions.

In the example below, you can see the three models and corresponding user-defined object. All the model names remain the same, but the user-defined object is renamed Employee Payroll Transactions. 

Import Select Items from Human Capital Management Content Library

Steps to Enable

These revised models are a part of the Advanced Control content library, and are available when you import models. No steps are required to use them. However, there are some steps you need to consider only if you have previously used any of these models, or the Payroll Definition business object.

Consider the following:

• If you have any models or controls using the time period attributes from the Payroll Definition business object, the status may become Inactive with an Invalid state. This is because those attributes are no longer available and considered obsolete from that specified object. You can update any models in that state, but you cannot update controls.

• For any control that uses obsolete attributes, revise the model from which the control is developed so that it uses only valid attributes. Then redeploy the model as a control.

• This is the case whether you created your own models and controls from scratch, or you used the library copy for 50001, 50002, and 50006.

• If you had previously imported or used the Employee Receiving Pay user-defined object, you can no longer use this object and should delete it. Use the new Employee Payroll Transactions object available with revised model 50006.

Finally, since attribute deprecations occurred in the delivered model, you must run Synchronize Transaction job in Risk Management, under Setup and Administration > Application Configurations > Data Sources.

Update 19C

Revision History

This document will continue to evolve as existing sections change and new information is added. All updates appear in the following table:

Date	Feature	Notes
21 JUN 2019		Created initial document.

Overview

This guide outlines the information you need to know about new or improved functionality in this update, and describes any tasks you might need to perform for the update. Each section includes a brief description of the feature, the steps you need to take to enable or begin using the feature, any tips or considerations that you should keep in mind, and the resources available to help you.

Give Us Feedback

We welcome your comments and suggestions to improve the content. Please send us your feedback at oracle_fusion_applications_help_ww_grp@oracle.com.

Feature Summary

Risk Management

Oracle Risk Management consists of three products: Oracle Fusion Financial Reporting Compliance documents your policies for identifying and resolving risk in your financial processes. Oracle Advanced Access Controls detects risk inherent in the access granted to users of business applications. Oracle Advanced Financial Controls uncovers risk exhibited by transactions completed on business applications. Advanced Financial Controls and Advanced Access Controls belong to a module called Advanced Controls Management.

Advanced Access Controls includes an Access Certification set of features. It enables an organization to perform periodic reviews to determine whether job roles are assigned appropriately to users.

Common Risk Management

Two Security Jobs Are Consolidated

In the prior release, there were two predefined jobs. The first job, User and Role Security Synchronization, aligned the security defined between the Security Console and Risk Management. The second job, Worklist Security Synchronization, updated any worklist activities, adding and removing, based on the updated security.

These two predefined jobs are now consolidated into a single predefined job, Security Synchronization, for efficiency and easier scheduling.

Scheduled Jobs

Steps to Enable

You don't need to do anything to enable this feature.

Tips And Considerations

Review and update the scheduling of this new job to ensure that it still runs at the correct time and frequency.

Jobs That Use ESS Require Rescheduling

Two jobs now use the Enterprise Scheduler Services (ESS). You won't notice any difference in how a job is scheduled or runs, but the change does require the jobs to be rescheduled. To do this, navigate to Risk Management Tools > Setup and Administration > Scheduling. The scheduling details remain intact; just open each of the following jobs, click the reschedule button, and you're all set.

• Security Synchronization
• Notification

You can reschedule or cancel these jobs only if you are the user who originally scheduled them or if you have the ESS Administrator job role.

Steps to Enable

You don't need to do anything to enable this feature.

Tips And Considerations

You might notice these jobs show up in the Enterprise Scheduler Services. It's fine to view the jobs here, but be sure to schedule, reschedule, or cancel these jobs in Risk Management, not in ESS.

Two Jobs Have New Names

In Risk Management Tools, under Scheduling, two jobs have been renamed. These jobs relate to email notifications and data source synchronizations. Here are the changes:

Previous Name	New Name
MESSAGE_JOB	Notification
Data Source Synch	Transaction Data Source Synchronization

Steps to Enable

You don't need to do anything to enable this feature.

Tips And Considerations

If you have these jobs included in a schedule, there's no need to reschedule. They will continue to run as expected.

More Details Link Is Removed from Monitor Jobs

In Advanced Controls, many events trigger jobs. You navigate to a Monitor Jobs screen to see details about a job, including the status. For some jobs, a link called More Details provided technical information useful for support analysts. This information has been moved into logs, as the data was not intended for business users.

Steps to Enable

You don't need to do anything to enable this feature.

New Statuses Apply to Jobs

Two new statuses apply to jobs on the Monitor Jobs page: Job completed with warnings, and Job completed with errors.

• The Job completed with warnings status applies when a job evaluates multiple controls, and some are invalid. The valid controls return results properly, while the invalid controls return warnings.

• The Job completed with errors status applies when elements of a synchronization job fail, but do not impact other elements of the job. For example, the job may fail for one business object, but synchronize data properly for all others.

Filter on the New Statuses Available

Steps to Enable

You don't need to do anything to enable this feature.

Page Headers Are Enhanced

Page headers are moving toward a common style called the universal panel. To get an idea of what it looks like, the theme style below shows the page header with a black background and buttons in white text. You'll also find the Done button is replaced with a back arrow for navigation. Here's a few pages you'll see the changes on:

ADVANCED CONTROLS

• Deploy Control
• View Control
• Edit Control
• Import Model

FINANCIAL REPORTING COMPLIANCE

• Process landing pages
• Risks
  • Overview
  • Manage Risks
  • Assessments
  • Manage Events
  • Manage Consequences
• Controls landing page
• Issues landing page
• Assessments landing page
• Survey landing page

Here's an example:

Universal Panel

Steps to Enable

You don't need to do anything to enable this feature.

Tips And Considerations

To change the color of the universal panel, from the navigator, go to Appearance under the Configuration section and change the Heading Color setting.

Universal Panel Color Setting

New Job Role Supports Auditing

A new predefined job role, called Risk Management Auditor, is available. The new role does not introduce any new features across Risk Management applications. It does, however, organize activities for users responsible for enterprise auditing in advanced access and transaction controls, and in financial reporting compliance controls. In summary, this auditor role grants the following access:

• In Advanced Financial Controls, privileges to create, run, and edit models, and the ability to view areas such as user-defined objects, controls, and control incident results.

• In Advanced Access Controls, privileges to create, run, and edit models, and the ability to view areas such as entitlements, global conditions, access points, controls, control incident results, and simulations.

• In Financial Reporting Compliance, privileges to view controls, control assessments, and related approvals for both.

• For all three product areas, OTBI access for analysis reporting.

Risk Management Auditor Role in Security Console

Steps to Enable

Make the feature accessible by assigning or updating privileges and/or job roles.  Details are provided in the Role section below.

Tips And Considerations

This new role provides a predefined option for individuals who need to perform auditing activities across Risk Management applications. You can use this optional role as is, or you can copy it and update the copy to meet your specific audit requirements.

Role Information

This new Risk Management Auditor (ORA_GTG_RISK_MANAGEMENT_AUDITOR) job role is seeded with two new duties, one that contains advanced control privileges, and the other with financial reporting compliance privileges.

New Duty Role	Privilege Inheritance
Auditor Financial Reporting Compliance Analysis Duty ORA_GTG_AUDITOR_FINANCIAL_REPORTING_ COMPLIANCE_ANALYSIS_DUTY	Common Object Record Components View Control View Control Assessment Results View Attachments to a Control Assessment View Control Approval History View Control Assessment Approval History
Auditor Advanced Control Analysis Duty ORA_GTG_AUDITOR_ADVANCED_CONTROL_ ANALYSIS_DUTY	Cancel Job Create Access Model within Manage Models Create Imported Business Object Create Transaction Model within Manage Models Delete Imported Business Object Delete Model Edit Model Export Models Import Advanced Control Model Library Import Models Manage Access Entitlements Manage Access Global Conditions Manage Access Models Manage Access Simulations Manage Advanced Controls Manage Incident Results Manage Jobs Manage Transaction Models Manage User-Defined Access Points Run Synchronization for Model View Access Model View Access Remediation Plan View Advanced Control View Advanced Control Details View Global User Configuration in Application Configurations View Incident Result View Results for a Model View Simulation View Transaction Model View User-Defined Access Point Details View User-Defined Objects

In Risk Management, data security policies are associated to each of these new duties, and includes:

Duty Role Name	Data Security Policy
Auditor Financial Reporting Compliance Analysis Duty	Auditor Financial Reporting Compliance Analysis Data Security Policy
Auditor Advanced Control Analysis Duty	Auditor Advanced Control Analysis Data Security Policy

Finally, existing OTBI roles are also associated to the new Risk Management Auditor job and include the following:

• Financial Reporting Compliance Transaction Analysis Duty (FBI_FINANCIAL_REPORTING_COMPLIANCE_TRANSACTION_ANALYSIS_DUTY)
• Advanced Access Control Transaction Analysis Duty (FBI_ADVANCED_ACCESS_CONTROL_TRANSACTION_ANALYSIS_DUTY)
• Advanced Financial Control Transaction Analysis Duty (FBI_ADVANCED_FINANCIAL_CONTROL_TRANSACTION_ANALYSIS_DUTY)

Advanced Access Controls

Two Supply Chain Management Models Are Replaced

Oracle offers models developed to perform segregation-of-duties analysis in Advanced Access Controls. Because such models should be easy to understand and prioritize, two of them have been broken up into, and replaced by, simpler models. In each case the new models, in combination, accomplish the same results as the older model they replace.

You will no longer find:	Instead you will find these two:
8180: Item Costing or Manage Receipt Accounting Activities and Create Purchase Orders	8220: Receipt Accounting and Create Purchase Order (Available since 18A) 8181: Item Costing and Create Purchase Orders (New in this release)
8225: Item Costing or Manage Cost Accounting Activities and Create Items	8170: Item Costing and Create Items (Available since 18A) 8227: Manage Cost Accounting Activities and Create Items  (New in this release)

Steps to Enable

You don't need to do anything to enable this feature.

Tips And Considerations

If you deployed 8180 or 8225 in a prior release, then when you upgrade, each is set to the Invalid state and the Inactive status. To have same-as functionality, you’ll want to be sure to deploy the replacement models and controls.

Also keep in mind that because the controls were made inactive, their results are also now inactive. If you had accepted any incidents, re-review them and update them on the new deployed controls.

Key Resources

Because these models and controls become invalid, refer to the related 19C topic “Limit to Access Point and Entitlement Filters Is Enforced in Models and Controls."

Limit to Access Point and Entitlement Filters Is Enforced in Models and Controls

Filters that cite the Access Point and Access Entitlement business objects can exist at no more than two vertical levels in an access model or control. You can no longer arrange these filters at three or more vertical levels.

Steps to Enable

You don't need to do anything to enable this feature.

Tips And Considerations

In earlier releases, you may have created models or controls with filters at more than two vertical levels. When you upgrade, each of these is set to the Invalid state and the Inactive status. You can edit models so that their filters meet the new criteria. You can't modify controls. You must instead modify the models that controls are based on, and then deploy the modified models as controls.

Also keep in mind that because the controls were made inactive, their results are also now inactive. If you accepted any incidents, re-review them and update them on the new deployed controls.

Key Resources

For predefined models and controls that are affected, refer to the related 19C topic “Two Supply Chain Management Models Are Replaced."

Colors Are Updated in Visualizations

In Advanced Access Controls, a Visualization tool presents graphic depictions of paths that lead from users to the roles they're assigned and ultimately to access points involved in segregation of duties conflicts. This tool has undergone a makeover, so that its color scheme matches that of the Security Console.

Visualization Graph

Steps to Enable

You don't need to do anything to enable this feature.

Procurement-Related Controls Exclude False Positives

Procurement-related advanced access controls automatically exclude false positives when a user isn't set up as a procurement agent, or hasn't been allowed access to an action as a procurement agent. Here's how it works:

In Procurement there is a concept of a Procurement Agent. The screen looks like this:

Procurement Agents

Let's say you're running a control analysis for 5970: Create Purchase Orders and Create Payments. Now imagine two users have access to privileges that allow them to create purchase orders and create payments. User1 is set up as a procurement agent, and User2 is not. The control returns only User1 in its results. This is because User2 can't actually create a purchase order without being a procurement agent, so there is no segregation of duties risk here. The same is true if User2 is set up as a procurement agent, but isn't allowed to manage purchase orders.

Steps to Enable

You don't need to do anything to enable this feature.

Tips And Considerations

For existing procurement-related controls, once you run control analysis, you may see the result count go down. This is because the system updates the status to Closed when a user is not a procurement agent, or is not granted procurement agent actions.

New Error Message Applies to Global User Synchronization

In Advanced Access Controls, a global user synchronization job identifies unique users in the business system based on configured identifying attributes. Model and control analysis jobs depend on the data generated by the global user synchronization process, so you can't save any changes to the identifying attributes in the global user configuration page while a model or control analysis is running. If you try to, you'll get this error: You can't change global user identifying attributes while a model or control analysis job is queued or started.

Steps to Enable

You don't need to do anything to enable this feature.

Files Can Be Added During Advanced Control Mass Edit

When performing a mass edit of advanced controls or incident results, you can now attach an actual file. In the past, you could only assign a URL of a file location if you were editing more than one control at a time.

Attach File to Mass Edit

Steps to Enable

You don't need to do anything to enable this feature.

Tips And Considerations

You must have a common file that you want to assign (i.e. upload) to multiple advanced controls or incidents. When you select more than one of these items and then the edit button, you open a Mass Edit screen, from which you can upload the common file.

Advanced Controls Can Be Deleted

Over time, your access controls can become outdated, replaced, or invalid. You can now delete access controls that you no longer require.

The delete icon is located in the toolbar for the page you use to manage controls. To delete, select a control that is set to inactive status. You can delete only one control at a time, and it must be inactive. Additionally, the control deletion purges any incident results.

Delete Option in the Controls Page

Steps to Enable

Make the feature accessible by assigning or updating privileges and/or job roles.  Details are provided in the Role section below.

The delete control action is secured by a new privilege called Delete Advanced Controls, and a new data security policy called Delete Access Control. If you are upgrading from 19B, you may need to update your security.

First, determine whether you need to update a duty role in the Security Console.

• If you use the predefined Access Control Manager duty, the privilege is automatically added and no additional action is required.
• If you use a copy of the Access Control Manager duty, you need to update your copy by adding the Delete Advanced Controls privilege to it.

Next, determine whether you need to update the data security policy associated to the Access Control Manager role. The policy is found in the Setup and Administration work area of Risk Management Tools.

• If you use the predefined Access Control Manager data security policy, the new Delete Access Control policy is automatically added and no additional action is required.
• If you use a copy of the Access Control Manager data security policy, you need to update that copy by adding the Delete Access Control policy to it. This policy grants data security to access control types and allows the delete action.

New Data Security Policy for Access Control Deletion

No action is required for a new implementation of 19C.

Role Information

The new Delete Advanced Controls privilege was added to the predefined Access Control Manager duty.

Duty Role Updated	Privilege Inheritance Added
Access Control Manager Duty ORA_GTG_ACCESS_CONTROL_MANAGER_DUTY	Delete Advanced Controls GTG_DELETE_ADVANCED_CONTROLS

Delivered Models Are Available Within Advanced Controls Management

In the past, delivered content for Advanced Controls Management required separate import files that contained sets of models developed by Oracle. Now the access models are delivered within the product. You import these models by going to the page to manage models and use the Import option from the Actions menu.

Model Import Option from Actions

The Import page has changed; an Import from Content Library region is added. You can still import your own model files at the bottom of the page, under Import from User-Defined File. For Import from Content Library there are four library categories, and under each of these is a link to review and import models by their control type, such as access, audit, and transaction. Your assigned security to access or transaction models determine the links you see.

Once you select the models you want to import, the import validation and process steps remains the same.

Library categories are based on these product areas:

• Enterprise Resource Planning Library
• Human Capital Management Library
• Supply Chain Management Library
• Common Setup Library

Example of Import from Content Library Page

View and Select Delivered Models for Access Controls

Steps to Enable

Make the feature accessible by assigning or updating privileges and/or job roles.  Details are provided in the Role section below.

The ability to import the delivered content is secured by a new privilege called Import Advanced Control Model Library. Review the following to determine if your security needs to be updated in Security Console.

• If you use the predefined Access Model Manager duty, the privilege is automatically added and no additional action is required.
• If you use a copy of Access Model Manager duty, you need to update the role to add the Import Advanced Control Model Library privilege.

Data security changes were not made in Risk Management. The action of importing access models is the same as the predefined Create Transaction Model policy used to create models.

No action is required for a new implementation of 19C.

Tips And Considerations

If you imported delivered content from model files prior to release 19C, you do not need to reimport. The models available from the content library are the same as 19B; each model based on ID remains the same.

Role Information

The new Import Advanced Control Model Library privilege was added to the predefined Access Model Manager duty.

Duty Role Updated	Privilege Inheritance Added
Access Model Manager Duty ORA_GTG_ACCESS_MODEL_MANAGER_DUTY	Import Advanced Control Model Library GTG_IMPORT_ADVANCED_CONTROL_MODEL_LIBRARY

Source Language Is Applied to Objects

In advanced controls, each object has a new source language applied by the system. A model you create or import applies your source language, and any control and related results inherit this source language. You can expose the source-language assignment via column-view options on the pages to manage models and manage controls.

View Source Language Values for Access Controls

Steps to Enable

You don't need to do anything to enable this feature.

Notifications Page Is Removed for Advanced Controls

The Notifications landing page for the Advanced Controls work area no longer exists. Users can now read notifications by clicking a bell-shaped icon in the global header. The landing page for the Advanced Controls work area is now the Controls page.

New Landing Page for Advanced Controls

Steps to Enable

You don't need to do anything to enable this feature.

Records Are Expanded in Page to Resolve Duplicate-Name Conflicts During Imports

You can't import a model or control if your target instance contains an item of the same type with a matching name. So the import procedure includes a page to resolve duplicate-name conflicts. The first row in this page is now expanded by default to provide a visual indicator to users on what actions they need to take in order to proceed.

Resolve Duplicate Names UI

Steps to Enable

You don't need to do anything to enable this feature.

Tips And Considerations

When you import models or controls in Advanced Controls, the resolution of duplicate names is a standard step in the process. If no duplicate names exist, then no action is required. But if any duplicate names exist, you must decide either to reuse the existing item or to rename the item you want to import.

Advanced Financial Controls

Language-Related Changes Improve Synchronization Performance

There has been a change to how language-related data is captured and stored during the synchronization of transaction data. The change was to remove the duplication of locale-related data. The impact is a significant performance improvement during the synchronization process for customers who use Advanced Financial Controls and have multiple languages configured.

Steps to Enable

You don't need to do anything to enable this feature.

Tips And Considerations

There is no impact to existing results.

Changes Are Made to Business Objects

In this release there are updates to some business objects. These include:

• Eight additional segment attributes have been added to the General Ledger Accounts business object. The object attributes now includes Segment 6 through Segment 13 attributes.
• A new Legal Entity ID attribute has been added to Payables Invoice business object.
• An audit business object called Audit - Childbirth or Placement Details is removed and no longer available.
• The Expense Setup: General object now supports incremental data synchronization.

Steps to Enable

You don't need to do anything to enable this feature.

Strings for Patterns Are Translated

You will now find strings related to patterns in Advanced Financial Controls are translated in the supported languages. Specifically, this applies to the following patterns: Absolute Deviation, Anomaly Detection, Benford, Clustering, Mean, Normalize, Pareto, and Lexical Tokenization.

Steps to Enable

You don't need to do anything to enable this feature.

Inactive Objects Are Not Synchronized

Business objects may change from one release to another. When risk logic is based on these objects, the changes may introduce errors. During an upgrade, the application detects models whose risk logic includes such errors and sets their state to Invalid. It should also set the status of these models to Inactive, and now it consistently does. The application also detects controls whose risk logic contains errors resulting from changed business objects, and sets them to the Invalid state and Inactive status. You cannot reset these controls to Active status, even though you can generally modify status as you edit controls. Any model or control whose status is Inactive is not recognized during data synchronization.

Steps to Enable

You don't need to do anything to enable this feature.

Files Can Be Added During Advanced Control Mass Edit

When performing a mass edit of advanced controls or incident results, you can now attach an actual file instead of being limited to a URL.

Attach File to Mass Edit

Steps to Enable

You don't need to do anything to enable this feature.

Tips And Considerations

You must have a common file that you want to assign (i.e. upload) to multiple advanced controls or incidents. When you select more than one of these items and then the edit button, you open a Mass Edit screen, from which you can upload the common file.

Advanced Controls Can Be Deleted

Over time, your transaction controls can become outdated, replaced, or invalid due to business object changes between releases. You can now delete transaction incident or data set controls that you no longer require.

The delete icon is located in the toolbar for the page you use to manage controls. To delete, select a control that is set to inactive status. You can delete only one control at a time, and it must be inactive. You can delete a data set control only if no other model or control uses its related object. Additionally, the control deletion purges any data set or incident results.

Delete Option in the Controls Page

Steps to Enable

Make the feature accessible by assigning or updating privileges and/or job roles.  Details are provided in the Role section below.

The delete control action is secured by a new privilege called Delete Advanced Controls, and a new data security policy called Delete Transaction Control. If you are upgrading from 19B, you may need to update your security.

First, determine whether you need to update a duty role in the Security Console.

• If you use the predefined Transaction Control Manager duty, the privilege is automatically added and no additional action is required.
• If you use a copy of Transaction Control Manager duty, you need to update your copy by adding the Delete Advanced Controls privilege to it.

Next, determine whether you need to update the data security policy associated to the Transaction Control Manager role. The policy is found in the Setup and Administration work area of Risk Management Tools.

• If you use the predefined Transaction Control Manager data security policy, the new Delete Transaction Control policy is automatically added and no additional action is required.
• If you use a copy of the Transaction Control Manager data security policy, you need to update that copy by adding the Delete Transaction Control policy to it. This policy grants data security to transaction control types and allows the delete action.

New Data Security Policy for Transaction Control Deletion

No action is required for a new implementation of 19C.

Role Information

The new Delete Advanced Controls privilege was added to the predefined Transaction Control Manager duty.

Duty Role Updated	Privilege Inheritance Added
Transaction Control Manager Duty ORA_GTG_TRANSACTION_CONTROL_MANAGER_DUTY	Delete Advanced Controls GTG_DELETE_ADVANCED_CONTROLS

Delivered Models Are Available Within Advanced Controls Management

In the past, delivered content for Advanced Controls Management required separate import files that contained a set of models developed by Oracle. Now the audit and transaction models are delivered within the product. You import these models by going to the page to manage models and use the Import option from the Actions menu.

Model Import Option from Actions

The Import page has changed; an Import from Content Library region is added. You can still import your own model files at the bottom of the page, under Import from User-Defined File. For Import from Content Library there are four library categories, and under each of these is a link to review and import models by their control type, such as access, audit, and transaction. Your assigned security to access or transaction models determine the links you see.

Once you select the models you want to import, the import validation and process steps remains the same. When the model definition uses an imported or user-defined object, the following apply:

• Imported business objects are automatically imported, with this exception: an object is not imported if an object of the same name already exists in the target instance.
• User-defined objects, and the data set controls they're based on, are automatically imported. If either one of these objects or its control has a naming conflict with an item already existing in the target instance, you can rename it during the import process.

Library categories are based on these product areas:

• Enterprise Resource Planning Library
• Human Capital Management Library
• Supply Chain Management Library
• Common Setup Library

Example of Import from Content Library Page

View and Select Delivered Models for Transaction Controls

Steps to Enable

Make the feature accessible by assigning or updating privileges and/or job roles.  Details are provided in the Role section below.

The ability to import the delivered content is secured by a new privilege called Import Advanced Control Model Library. Review the following to determine if your security needs to be updated in Security Console.

• If you use the predefined Transaction Model Manager duty, the privilege is automatically added and no additional action is required.
• If you use a copy of Transaction Model Manager duty, you need to update the role to add the Import Advanced Control Model Library privilege.

Data security changes were not made in Risk Management. The action of importing audit or transaction models is the same as the predefined Create Transaction Model policy used to create models.

No action is required for a new implementation of 19C.

Tips And Considerations

If you imported delivered content from model files prior to release 19C, you do not need to reimport. The models available from the content library are the same as 19B;  each model based on ID remains the same.

Key Resources

For models that are associated to imported business objects, refer to the related 19C topic “Imported Objects Accompany Delivered Models."

Role Information

The new Import Advanced Control Model Library privilege was added to the predefined Transaction Model Manager duty.

Duty Role Updated	Privilege Inheritance Added
Transaction Model Manager Duty ORA_GTG_TRANSACTION_MODEL_MANAGER_DUTY	Import Advanced Control Model Library GTG_IMPORT_ADVANCED_CONTROL_MODEL_LIBRARY

Imported Objects Accompany Delivered Models

Some delivered-content models may be associated with imported business objects. When you select one of these models for import, you automatically import the associated object with it. The exception is for imported objects that already exist; if the object name already exists, it will not be imported.  In either case, you can now export the object to download the xml file.

To export the imported business object, create or edit a model from the manage models page and select the model objects add icon to open the library. Once you open the business object library, a new export icon is available to download an imported object type that you can edit or use as a template for new objects.

Export an Imported Business Object

Steps to Enable

You don't need to do anything to enable this feature.

Key Resources

For more information about imported objects, see the “Import Objects” topic in Using Advanced Controls Management.

Source Language Is Applied to Objects

In advanced controls, each object has a new source language to facilitate logic analysis and return results with names that correspond to this language. A model you create or import applies your source language, and any control and related results inherit this source language. You can expose the source-language assignment via column-view options on the pages to manage models and manage controls.

View Source Language Values for Transaction Models

For transaction models and controls, when business objects contain Name attributes that have corresponding translated values, the source language may be used to derive result information. For example:

• The Name attribute in Business Operating Unit has values stored for each installed language. When you run a model or control that contains this Name attribute in the results, it uses the source language setting to return the corresponding value for that language.
• If you use this Name attribute in a filter, the source language setting is applied where you enter free text values.

Steps to Enable

You don't need to do anything to enable this feature.

Notifications Page Is Removed for Advanced Controls

The Notifications landing page for the Advanced Controls work area no longer exists. Users can now read notifications by clicking a bell-shaped icon in the global header. The landing page for the Advanced Controls work area is now the Controls page.

New Landing Page for Advanced Controls

Advanced Control Bell Notification

Steps to Enable

You don't need to do anything to enable this feature.

Records Are Expanded in Page to Resolve Duplicate-Name Conflicts During Imports

You can't import a model or control if your target instance contains an item of the same type with a matching name. So the import procedure includes a page to resolve duplicate-name conflicts. The first row in this page is now expanded by default to provide a visual indicator on what actions you need to take in order to proceed.

Resolve Duplicate Names UI

Steps to Enable

You don't need to do anything to enable this feature.

Tips And Considerations

When you import models or controls in Advanced Controls, the resolution of duplicate names is a standard step in the process. If no duplicate names exist, then no action is required. But if any duplicate names exist, you must decide either to reuse the existing item or to rename the item you want to import.

Financial Reporting Compliance

Survey Activities Are Integrated with Fusion Notifications

In prior releases, an initial set of Risk Management integrations with Fusion notifications and email was completed. This enabled users to read notifications by clicking a bell-shaped icon in the global header. This integration has been extended to include the Financial Reporting Compliance Survey object.

When you select the link in the notification, the related survey UI opens in a separate browser.

Fusion Survey Notification

Steps to Enable

No setup is required to define the bell notification. However, a survey must be generated and assigned to a user or a group of users. Once the survey is initiated, those users see a number increase in the bell icon. When a user selects the bell icon, the new survey notification is displayed.

Survey Instructions Support Rich HTML

While you create or edit a survey template, you can add rich HTML to the survey instructions. Survey instructions enable you to provide guidance pertaining to the survey the responder is to complete.

Creating a Survey Template

Steps to Enable

You don't need to do anything to enable this feature.

Assessment Survey Results Can Be Updated

When an assessment includes a survey, you can update survey results even after the assessment has been rejected. For example, an assessment may have been rejected because comments were not added to survey responses.

Steps to Enable

You don't need to do anything to enable this feature.

Assessment Completion Is Enhanced

You can now enter test-step results directly in the Enter Test Results page as you complete a control assessment.

Example of Entering Test Steps

Steps to Enable

You don't need to do anything to enable this feature.

Hide Option Is Removed from Risk Treatment Configuration

During the initial implementation, you may upgrade the default risk treatment option from Hide and Default to Show. A third option, Hide, has been permanently disabled. The Hide and Default option lets you relate a risk to controls that address the risk. You can also perform residual analysis to determine the level of risk remaining after controls are defined. The Show option lets you create treatment plans. These let you relate the risks to controls, and to perform residual or target analyses, that may apply either immediately or over time.

Risk Treatment Plan Configuration Options

Steps to Enable

You don't need to do anything to enable this feature.

Workflow Comments Are Enhanced

As you review or approve an object record, you can view comments that have been added to the record. Each of these comments now includes this information: the name of the user who wrote it, as well as the state of the record and the action taken when the comment was written.

Workflow Comments Area

Steps to Enable

You don't need to do anything to enable this feature.

Access Certification

Inactive Users Can't Be Added to Certifications

A user-role record may be added to a certification if the role is assigned to an active user, but not if it is assigned to an inactive user.

• For a standard certification, all user-role records are added when you finalize the initialization of the certification. At that moment, all records involve only active users.

• For a continuous certification, user-role records may be added during daily runs of a synchronization job. Newly added records involve only active users.

• In either case, a user-role record may be added to a certification, and subsequently the user's status may change from active to inactive. If so, the user-role record remains a part of the certification.

Steps to Enable

You don't need to do anything to enable this feature.

Certification Records Include User Attributes

You can now select up to five attributes regarding the users whose job roles are reviewed in a certification. The selected attributes appear in the Certifier Worksheet. You can use attribute values to filter the user-role records within the worksheet. These are the attributes you may select among:

• Assignment Category
• Assignment Status Type
• Business Unit
• Cost Center
• Department
• Job Code
• Job Family
• Job Function
• Job Name
• Location
• Location Code
• Position Code
• Position Name

A Manager attribute has also been added, although you can’t remove it from the worksheet. It enables the certifier to view the name of the direct manager of the user being reviewed.

Steps to Enable

You don't need to do anything to enable this feature.

Tips And Considerations

To manage these attributes, navigate to the Additional Attributes Options page. You can view whether any attributes have been selected in the Displayed User's Attributes section. The Edit button appears if you have the appropriate privileges. By clicking Edit, you can remove or add attributes. Once you have completed your changes, click Save. If you decide not to make any changes, click Cancel.

Edit Displayed User's Attributes

When a user-role combination is added to a certification, the attributes selected for that combination become static. They don't change even if you modify the attribute selections in the Additional Attributes Options page.

• For a standard certification, attribute values for all user-role pairs become static when you finalize the initiation of the certification. After that, you cannot add to or alter display name and role combinations.

• For a continuous certification, new user-role combinations may be added when a synchronization job runs each day. Attribute values for each new user-role combination become static at the moment the combination is added.

All Assignable Roles are Now Included in Access Certifications

When new certification scoping jobs are run, all roles that are assignable to a user are now included, versus only those roles labeled as job roles. Roles are scoped for certifications if their technical names include any of the following suffixes:

• ABSTRACT
• DATA
• DISCRETIONARY
• JOB
• DUTY
• HCM_DATA
• DEFAULT

Steps to Enable

You don't need to do anything to enable this feature.

Tips And Considerations

The impact of this enhancement will be evident during the scoping activity, as you define a new access certification. When you perform either a top-down or a bottom-up scoping activity, the list of roles returned will most likely increase, as more types of roles are now available to be included.

Transactional Business Intelligence for Risk Management

Assessment Results Subject Area Has Changes

In the Assessment Results subject area, a few changes have been made. Check it out:

NEW ATTRIBUTES 

• In the Assessment Result Details folder, these attributes are added: Approver Comments, Approver Comment Created By, Approver Comment Creation Date, Enforcement Type.
• The Control Test Plan Results subfolder of the Assessment Results folder now includes a Test Step Result Summary attribute.
• The Control Details folder now includes Last Updated Date and Enforcement Type attributes.

LABEL CHANGES 

• The Test Step Result label is changed to Test Step Response to match the application user interface.
• The Assessment Result label is changed to Response to match the application user interface.
• The Response Summary label is changed to Result Summary to match the application user interface.

REMOVED ATTRIBUTE 

• The Response Name attribute has been removed because it had technical data in it and shouldn't have been exposed.

Steps to Enable

Leverage new subject area(s) by adding to existing reports or using in new reports.  For details about creating and editing reports, see the Creating Analytics and Reports for Risk Management book (available from the Oracle Help Center > your apps service area of interest > Books > User).

Tips And Considerations

Don't worry, if you have existing reports that use the attributes where a label has been changed or the attribute has been removed it will continue to work.

OTBI Analyses Provide Links to Pages in Financial Reporting Compliance

You can now drill down from an OTBI analysis directly to a page in Financial Reporting Compliance. Available links include Process, Risk, Control, Remediation Plans, Issues, and Assessments.

Steps to Enable

Leverage new subject area(s) by adding to existing reports or using in new reports.  For details about creating and editing reports, see the Creating Analytics and Reports for Risk Management book (available from the Oracle Help Center > your apps service area of interest > Books > User).

Tips And Considerations

Here's an idea of what you can do:

1. Create a simple analysis with Control ID and Control Name
2. Change data format of Control ID to Number (with no decimals or commas)

Format ID as Number

3. On the Control Name, click the gear and select column properties, then Interaction. Select Action Links under Primary Interaction. Then click plus icon. Enter a Link Text, then create new action.

New Action Link

4. Select Navigate to a Web Page. Then, enter a URL. An example link looks like this (swap out <server_url> with your server url):

• https://<server_url>/fscmUI/faces/deeplink?objType=@{1}&objKey=ObjectKey=@{2}

5. Expected parameters are:

• {1} VIEW_CONTROL_OBJECT
• {2} "Control Details"."Control ID"

Action Link Parameters

6. Select the hidden check box for both parameters so user is not prompted to enter the values
7. Select Options and check to open in a new window.

Check out an example analysis below, notice the Control Name is a link:

Link from OTBI to a Control Object

When you click the link a new tab is opened to view the actual control object:

Control Object

Advanced Access Controls Subject Area Has Changes

Check out the new attributes added in the Advanced Access Controls subject area.

ADVANCED CONTROL DETAILS DIMENSION 

• Control ID: A unique identifier for the control.
• Control Logic: Identifies the filters that define the control's risk logic. For example, the logic might look like this: Access Entitlement Name = Define Payroll Information AND Access Entitlement Name = Modify Employee Information.

INCIDENT RESULT DETAILS DIMENSION 

• Role ID: A unique identifier for the role returned on an incident.
• Incident Information Codes: Unique codes related to each access point in an incident information access path. For example, if incident information is Accounts Payable Manager > Subledger Accounting Manager > Post Journal, then the corresponding incident information codes would be: ORA_AP_ACCOUNTS_PAYABLE_MANAGER_JOB > ORA_XLA_SUBLEDGER_ACCOUNTING_MANAGER_DUTY > GL_POST_JOURNAL_PRIV
• Conflicting Roles: Identifies the roles that conflict with the role identified on the incident. For example, if incident1 has identified Role1 as a conflict, then the Conflicting Roles column would identified the roles it conflicts with, such as: (Role2)(Role3).

RELATED CONTROL RECORDS, RELATED PROCESS RECORDS, RELATED RISK RECORDS

• Enforcement Type
• Last Updated Date

ADVANCED ACCESS GLOBAL CONDITIONS

A new dimension folder has the following attributes:

• Global Condition Name: Name of condition used to filter data in Advanced Access Controls.
• Status: Identifies the status of the global condition, either Active or Inactive.
• Description: Describes what the global condition will do.
• Created By: Identifies the person who created the global condition.
• Creation Date: Identifies the date the global condition was created.
• Last Updated By: Identifies the person who last updated the global condition.
• Last Updated Date: Identifies the last date the global condition was updated on.
• Filter Name: Name of the filter defined by the user in the condition logic.
• Business Object: Name of the business object used for the condition logic.
• Attribute: Name of the attribute used for the condition logic.
• Condition: Type of operator, such as Equal to, Does not equal, Contains, or Does not contain.
• Value: Data entered by user such as the name of a business unit.

Here are a couple of attributes that have been removed:

• Default Data Source was removed from the Data Sources folder because there is only one data source, and it is always the default.
• Enforcement Type was removed from the Advanced Controls Details folder because feedback has been that it was confusing. It had a connotation of actually enforcing something when it didn't.

Steps to Enable

Leverage new subject area(s) by adding to existing reports or using in new reports.  For details about creating and editing reports, see the Creating Analytics and Reports for Risk Management book (available from the Oracle Help Center > your apps service area of interest > Books > User).

Tips And Considerations

Don't worry, if you are using any of the removed attributes in an existing report, the report will continue to return the data. The attributes are just hidden in the catalog.

Advanced Financial Controls Subject Area Has Changes

Attributes have been added to the Advanced Control Details dimension in the Advanced Financial Controls subject area. These include:

• Control ID: A unique identifier for the control.
• Control Logic: Identifies the filters that define the control's risk logic. Unlike AAC, the AFC control logic displays the filter name, such as (Suppliers with 70% similar) AND (Invoice Date in last 6 months) AND (Supplier Type Government) OR (Supplier Type Private). The filters are listed in the order they are seen in the control definition, from top to bottom and from left to right.
• Run Dependent Analyses: A control definition may reference user-defined objects, which provide data. If you want the latest data, you'll need to run control analysis for the user-defined objects. You can automate this: in the control definition, select a check box to run dependent analyses. Subsequently, you can report on this. The value Yes means the check box has been selected, No means it has not been, and No Dependencies means there are no underlying user-defined objects.

RELATED CONTROL RECORDS, RELATED PROCESS RECORDS, RELATED RISK RECORDS

• Enforcement Type
• Last Updated Date

Here are a couple of attributes that have been removed:

• Default Data Source was removed from the Data Sources folder because there is only one data source, and it is always the default.
• Enforcement Type was removed from the Advanced Controls Details folder because feedback has been that it was confusing. It had a connotation of actually enforcing something when it didn't.

Steps to Enable

Leverage new subject area(s) by adding to existing reports or using in new reports.  For details about creating and editing reports, see the Creating Analytics and Reports for Risk Management book (available from the Oracle Help Center > your apps service area of interest > Books > User).

Tips And Considerations

Don't worry, if you have existing reports where the attribute has been removed it will continue to work.

New Dashboard Report on Related Records

In Financial Reporting Compliance, objects such as Processes, Risks, and Controls can be related to one another. For example, you might relate several controls to a risk to indicate that each control plays some part in reducing the risk. You can use the delivered Related Records dashboard to view these relationships.

In the catalog, navigate to Shared Folders > Risk Management > Financial Reporting Compliance > Administration > Related Records Dashboard. Here you can select the Record Object Type of Process, Risk, or Control. If you want, you can get a little more specific by selecting an object name or perspective values.

Related Records Dashboard

Steps to Enable

Leverage new subject area(s) by adding to existing reports or using in new reports.  For details about creating and editing reports, see the Creating Analytics and Reports for Risk Management book (available from the Oracle Help Center > your apps service area of interest > Books > User).