Update 21A

Revision History

This document will continue to evolve as existing sections change and new information is added. All updates appear in the following table:

Date	Product	Feature	Notes
18 DEC 2020			Created initial document.

Overview

This guide outlines the information you need to know about new or improved functionality in this update, and describes any tasks you might need to perform for the update. Each section includes a brief description of the feature, the steps you need to take to enable or begin using the feature, any tips or considerations that you should keep in mind, and the resources available to help you.

Give Us Feedback

We welcome your comments and suggestions to improve the content. Please send us your feedback at oracle_fusion_applications_help_ww_grp@oracle.com.

Feature Summary

Risk Management

Oracle Risk Management consists of the following key solution areas:

• Financial Reporting Compliance to automate audit assessments and certifications.

• Advanced Access Controls to manage user access and separation-of-duty risk.

• Advanced Financial Controls to continuously monitor configuration changes and business transactions.

• Access Certifications to streamline reviews by process owners to ensure that employees have been granted appropriate access based on their current jobs.

• Enterprise Risk Management to streamline the analysis, evaluation, and treatment of documented risks.

Common

New Quick Actions

Users now have the ability to quickly access functionality in a single click. In this release, two new Quick Actions are added:

• Manage User Group Assignments
• Run Transaction Synchronization

Users can quickly access functionality without having to go through the full navigation, simply by selecting a quick action link.

Steps to Enable

You don't need to do anything to enable this feature.

Ability to Delete Owner from an Object Record

A user authorized as an owner of an object record can delete him or herself from the record, providing it retains at least one eligible owner. This can be a user authorized individually as an owner or a member of an owner group. Previously this functionality wasn’t available in some cases, such as when a control is deployed.

For example, the person who deploys a control is defaulted as its owner. It was not possible to delete oneself as an owner; now it is. This is true on the control security assignment train-stop as well as the result security assignment train-stop.

Deploy Control Security Assignment

With the above example, the appropriate owners can be authorized when the control is deployed.

Steps to Enable

You don't need to do anything to enable this feature.

Enable User to Search and Add Multiple Users Via Mass Edit

You now have the ability to add, remove, or append multiple individuals or user groups for an object/authorization utilizing the Mass Edit Security Assignment functionality.

Example of removing multiple individuals assignments for a group of records

Example of adding multiple user groups to a group of records

The enhancement will streamline authorization maintenance by enabling you to modify multiple individuals or user group assignments.

Steps to Enable

You don't need to do anything to enable this feature.

Control Parameter Is Filtered in Purges of Advanced Control Results

In the Purge Results page in Setup and Administration, the list of controls is now filtered based on the selected control type (Access or Transaction) and result type (Data set or Incident).

When control type "Both" is selected, notice both an Access and Transaction control show.

Control Type Both is Selected

When control type "Access" is selected, only Access controls will show.

Control Type Access is Selected

Now, only relevant controls are shown based on the previous parameter selections.

Steps to Enable

You don't need to do anything to enable this feature.

Administration Reports Link Is Removed

Navigate to Risk Management Advanced Controls Reports or Financial Compliance Reports to view embedded reports.

Springboard

Previously in the related links tab an Administration Reports link was available.

Administration Reports Link

This link and the underlying reports are removed since the reports are now in OTBI, or can be easily created in OTBI.

Administration Reports

Keep the dashboards as delivered, or create copies and modify them to suit your business needs. Consider running administration reports on a schedule and sending to interested parties to stay on top of administration tasks such as inaccessible records.

Steps to Enable

You don't need to do anything to enable this feature.

Financial Reporting Compliance

Ineligible Assessment Users Display

An ineligible assessment user icon has been added, so you can quickly identify assessment actors who are no longer eligible to complete the assessment task.

An example view of the

The ineligible icon enables you to identify quickly the user or users who no longer have the appropriate security configuration.

Steps to Enable

You don't need to do anything to enable this feature.

Authors of Approval Comments Are Identified

Comments made during an object record approval workflow will now show the actual user who submitted the comment.

User identified within the View Approvals page

Within the View Approvals you can now view the user's name who performed each step of the workflow process and their comments.

Steps to Enable

You don't need to do anything to enable this feature.

Advanced Access Controls

New Delivered Model Content

Oracle delivers four new models to detect separation-of-duties conflicts and sensitive access related to Joint Venture Management (JVM).

NEW MODELS

• 10100: Associate Customer to Invoicing Partners and Create Joint Venture Accounts Receivable Invoices

A joint venture accounts receivable invoice is created to request the invoicing partner to reimburse the managing partner for the expenditures that have been incurred for the joint venture. A user that has access to associate the customer to the invoicing partner and also create joint venture accounts receivable invoices can raise credit memos in the Accounts Receivable system that may be used to fraudulently make payments to unauthorized customers.

• 10101: Create Customer and Associate Customer to Invoicing Partners

The information in the record of the invoicing partner is used by downstream processes in JVM to create joint venture accounts receivable invoices to request the invoicing partner to reimburse the managing partner for the expenditures that have incurred for the joint venture.

A user that has access to create a customer/customer site and then associate the customer to the invoicing partner can then make use of the downstream JVM processes to fraudulently make payments to unauthorized customers.

• 10102: Sensitive Joint Venture Invoicing Partner Privileges

Manage JVM Invoice Partner List privilege gives users the ability to view the Tax Registration Number for customers and suppliers, which is considered as PII.

• 10103: Sensitive Joint Venture Stakeholder Privileges

Manage Joint Venture Definition privilege gives users the ability to view the Address, Phone, and Email of the stakeholders in the joint venture, which are considered as PII.

You can quickly identify users that are granted access that is often considered conflicting or sensitive by deploying controls from our best-practice library of content. You can leave the delivered model definitions as-is, or modify them to fit your business compliance criteria. Either way having something to start with should save time and effort.

Steps to Enable

You don't need to do anything to enable this feature.

Run Status Column Is Added to Access Simulations Page

A new column, called Run Status, is available in the Access Simulations page. It reports the status of simulation jobs. To display it, select it from the View menu on that page.

Access Simulation Run Status

Use this field to determine if the last attempt to run simulation was completed, canceled, or failed.

Steps to Enable

You don't need to do anything to enable this feature.

Added Exclusions for Procurement Agent Actions

For certain privileges to grant functional access, a user must be granted both the privilege and a corresponding "action" as a "procurement agent" for a business unit. For example, a person may be set up as a procurement agent, but unless granted the privilege to "Create Purchase Order Line from Catalog" and the action to "Manage Purchase Orders," that person will not be able to transact for that privilege. Advanced Access Controls automatically excludes privileges related to actions a procurement agent has not been granted access to perform. Two additional privileges are now excluded during analysis if not granted via a procurement agent: Generate Purchase Order and Retroactively Price Purchase Order. If the actions corresponding to these privileges are not set to allowed for that procurement agent, then no incident will be generated.

• For a procurement agent use functionality granted by the Generate Purchase Order privilege, the procurement agent has to have two actions granted: Manage Purchase Orders and Manage Requisitions.

• For a procurement agent use functionality granted by the Retroactively Price Purchase Order privilege, the procurement agent has to have the Manage Purchase Orders action granted.

In the example below, because Manage Requisitions is not granted, even if a user has a role with the Generate Purchase Order functional privilege an incident will not be generated because the user isn't actually allowed to use that functionality.

Procurement Agent Access

These automatic exclusions minimize false positives by only returning incidents for privileges a user has the ability to perform.

Steps to Enable

You don't need to do anything to enable this feature.

Updates to Export File for Control Results

In the export file for control results, column headers used to take up three rows. Beginning in release 21A, they occupy a single row. Also, beginning in release 20D the user column was removed because it was redundant with the global user, and the last-run-by field was populated.

Here's what the export looked like prior to 21A:

Column Header Is Across Three Rows

Here's what the export looks like in 21A:

Column Header Is Across One Row

With the column header only occupying one row it is easier to add filters to the header row.

Steps to Enable

You don't need to do anything to enable this feature.

Show Key Columns by Default in Results

By default, Results pages sort records by global user and display the most commonly used columns, in the following order: Global User, First Name, Last Name, Role, Access Entitlement, Access Point, Incident Information, Conflicting Roles, Group, Investigator, Comments and Attachments.

Default Columns in Results Page

Previously, the order of columns was not ideal for analysis and users had to hide, show and reorder columns to their preference. This enhancement should make analysis easier.

Steps to Enable

You don't need to do anything to enable this feature.

Status Improvements for the Mass-Edit-Incident Job

The job to mass-edit incidents may not update all incident records selected by the user who runs it. If not, it returns one of two new status values:

• Completed with Warnings indicates that the user who ran the job was authorized as a viewer for some records, and so could not update them.
• Completed with Errors indicates that some records were not updated due to an issue unrelated to authorization.

Previously, the job would have returned the status Completed in either of these cases.

These job statuses give visibility to the fact that not all records selected for edit were actually updated.

Steps to Enable

You don't need to do anything to enable this feature.

Use Mass Edit to Remove Users from Controls

If a person is both directly authorized as the owner of a control, and a member of an owner group assigned to the control, you can now use the Mass Edit Security Assignments page to remove the direct authorization. Previously, you could edit the individual control record to remove the direct assignment (and you still can), but you couldn't use the mass-edit functionality.

This saves time when making changes to security assignments by utilizing the mass-edit functionality.

Steps to Enable

You don't need to do anything to enable this feature.

Column Headings in Results Frozen

When you are reviewing model results and control incident results, the headers in these Result pages remain frozen as you scroll through a large amount of data.

Example of Model Results

The user is able to see the context of the values when scrolling through the data rows with the frozen header.

Steps to Enable

You don't need to do anything to enable this feature.

Advanced Financial Controls

New Models in Content Library

Advanced Financial Controls has three new models that can be imported through the delivered Content Library. When you have access to these models, you will be able to select the Import action on the Models tab and select them from the Content Library. The following table provides information on the content library, library type, model name and business objects associated to the each model.

Content Library	Library Type	Model Name	Business Objects
Enterprise Resource Planning Library	Advanced Transaction Controls	40007: Receivables Invoices and Receivables Standard Receipts Managed by the Same User	Receivables Invoice Receivables Standard Receipt Business Operating Unit Customer
Enterprise Resource Planning Library	Advanced Transaction Controls	40008: External Bank Accounts and Payments Managed by the Same User	External Bank Account Payment Payment Process Request
Enterprise Resource Planning Library	Advanced Transaction Controls	40009: Purchase Orders and Procurement Approval Routing Rules Managed by the Same User	Supplier Purchase Order Procurement Approval Routing Rules (New) Business Operating Unit Purchase Orders Recently Updated (User-Defined Object)

These new models for transaction analysis complement separation of duty access models by identifying users who have actually created or updated records between two different entitlements. These access models already exist in the import library and include:

• 5220: Enter Accounts Receivables Invoice and Enter Customer Receipts
• 5892: Maintain Supplier Bank Accounts and Create Payments
• 6080: Create Purchase Orders and Define Procurement Approval Routing Rules.

Steps to Enable

No advance setup is required for you to import models. However:

• For audit models, you must review audit-level information configured under Manage Audit Policies in Oracle Fusion Applications. Models that use audit business objects in Advanced Financial Controls can return data only after the corresponding information is enabled and configured under Manage Audit Policies.

• A Risk Management administrator must set the Transaction and Audit Performance Configuration date options under the Advanced Controls Configurations tab under Risk Management > Setup and Administration. Two created-as-of-date options are required, one for transactions and the other for audit events. This setting improves performance by eliminating older data from data-synchronization jobs.

Finally, once you have performed the above and imported the models, you must run data synchronization, which retrieves the source data used during model analysis.

Tips And Considerations

Before using new model content, evaluate available models that match requirements for your organization under the Import action for models. The Import from Content Library page is organized by product area and model types. Once you identify models appropriate for you, import, review, and modify them in your test environment. Importing all available models is not recommended. In some cases, you may have already imported the model in a previous update. Or, some may source data from products or audit configurations you have not enabled. Moreover, models may contain user-defined or imported business objects that create data set controls or objects, respectively.

Key Resources

• For more information about importing models, see the "Import Models, Controls, or Conditions" topic in Using Advanced Controls at Oracle Help Center > Cloud Applications > Risk Management > Books.

Changes Are Made to Business Objects

In this release there are additions and updates to business objects.

NEW BUSINESS OBJECTS

Two new business objects were added:

• Procurement Approval Routing Rules to support new model content
• Legal Entity is a new object that has no delivered relationships to other objects

NEW BUSINESS OBJECT ATTRIBUTES

The Expense Report Details business object was updated to add the following attributes:

• Expense Creation Method
• Default Cost Center

The Purchasing Setup: General business object was updated to add the following attribute:

• Match Approval Level

The Journal Entry business object was updated to add the following attribute:

• Legal Entity Identifier

The Ledger Setup: General business object was updated to add the following attributes:

• Ledger Category
• Period Close: Prevent General Ledger Period Closure When Open Subledger Periods Exist
• Journal Processing: Balancing Threshold Amount

The Audit - Ledgers Setup business object was updated to add the following attributes:

• Require manually entered journals balance by currency Old
• Require manually entered journals balance by currency New
• Limit a journal to a single currency Old
• Limit a journal to a single currency New

The Audit - Item business object was updated to add the following attributes:

• Packaging String Old
• Packaging String New

The Audit - Salary business object was updated to add the following attributes:

• ActionOccurrenceId Old
• ActionOccurrenceId New

Updates to business objects provide additional attribute criteria for your controls, and those updated for audit maintain alignment to Manage Audit Policies data source. Additionally, new business objects support delivered models in the content library.

Steps to Enable

You don't need to do anything to enable this feature.

New Message Warns When a Model Has More Than 25 Result Attributes

As part of creating or updating models in Advanced Financial Controls, you select the attributes to display in the Result Display region. A new warning message will let you know if you have selected more than 25 attributes in this region. Though you can currently select more than 25, a good design uses fewer, especially since OTBI reports use only the first 25 attributes selected.

Example of Result Display Warning

This warning helps the user design better models for use as controls and their corresponding OTBI reports.

Steps to Enable

You don't need to do anything to enable this feature.

Attribute Rate Values Can Display Up to Ten Decimal Places

In Advanced Financial Controls, an attribute in a business object can represent a rate value. Now you can now see up to ten decimal places of a rate value in your model or control results.

Results with Rate Value

Providing up to ten decimal places for a rate value provides a greater degree of precision and accuracy.

Steps to Enable

You don't need to do anything to enable this feature.

New Modifier for Configurable Attribute with Date

In an Advanced Financial Control model a user can add a configurable attribute in a business object. Previously, when you used a date attribute you could not use the plus (+) modifier. Now you can in conjunction with a value you enter.

Example Using Date in Configurable Attribute

Example of Results Using Configurable Attribute

The use of a value with a date attribute date provides an extension of the configurable attribute feature and produces another attribute and value identify related records in model logic.

Steps to Enable

You don't need to do anything to enable this feature.

Show Key Columns by Default in Results

By default, Results pages display the most commonly used columns, in the following order: Result ID, Status, Grouping Value, all the business object attributes based on the order defined in the control, followed by any system-generated columns.

Default Columns in Results Page

Changes to the control-results view displays the most important information as default.

Steps to Enable

You don't need to do anything to enable this feature.

Status Improvements for the Mass-Edit-Incident Job

The job to mass-edit incidents may not update all incident records selected by the user who runs it. If not, it returns one of two new status values:

• Completed with Warnings indicates that the user who ran the job was authorized as a viewer for some records, and so could not update them.
• Completed with Errors indicates that some records were not updated due to an issue unrelated to authorization.

Previously, the job would have returned the status Completed in either of these cases.

These job statuses give visibility to the fact that not all records selected for edit were actually updated.

Steps to Enable

You don't need to do anything to enable this feature.

Use Mass Edit to Remove Users from Controls

If a person is both directly authorized as the owner of a control, and a member of an owner group assigned to the control, you can now use the Mass Edit Security Assignments page to remove the direct authorization. Previously, you could edit the individual control record to remove the direct assignment (and you still can), but you couldn't use the mass-edit functionality.

This saves time when making changes to security assignments by utilizing the mass-edit functionality.

Steps to Enable

You don't need to do anything to enable this feature.

Column Headings in Results Frozen

When you are reviewing model results and control incident results, the headers in these Result pages remain frozen as you scroll through a large amount of data.

Example of Model Results

The user is able to see the context of the values when scrolling through the data rows with the frozen header.

Steps to Enable

You don't need to do anything to enable this feature.

Transactional Business Intelligence for Risk Management

Ability to Report on Members in a Security Assignment Group

A new dimension has been added in OTBI for secured objects that allows reporting on security assignment groups and their members. For example, navigate to the Advanced Control Details > Control folder to find the new dimension Control Group Security Assignment. Attributes include the Group Name, Member Name, Eligibility Flag and Authorization Level.

Below is an example to simply see for a group, who are the members.

Group Security Assignment

Below is an example of the security assignments by control. Information about the group security and directly assigned users are shown.

Security Assignments by Control

Now reports can be created to show a comprehensive view of security assignments for object records.

Steps to Enable

You don't need to do anything to enable this feature.

Inaccessible Records Dashboard Renamed

In the Custom > Risk Management catalog folder in OTBI, there are administration dashboards. One of those dashboards was called Inaccessible Records and Worklists Dashboard and has been renamed to Inaccessible Records Dashboard. Worklists can't be inaccessible (since the security synchronization job will be sure only accessible worklists are shown), and so the relevant dashboards have been updated.

Below is an example of the updated report.

Inaccessible Records Dashboard

The dashboard name better reflects what is available in the dashboard.

Steps to Enable

You don't need to do anything to enable this feature.

Deep Link Parameters Updated for Assessments

Two deep links have been streamlined such that fewer parameters need to be passed. The deep links affected are View Assessment Results and Complete Assessment Results. Previously multiple parameters were expected to be passed, including Result ID, Test Plan ID, Object ID, Survey ID. Out of those parameters, now only Result ID needs to be passed. The other parameters have been removed from the deep link URL.

See user guide related to deep links for specifics on each URL and to which page the link will navigate to.

You'll find setting up the deep link is much easier given there is only one parameter value to pass.

Steps to Enable

You don't need to do anything to enable this feature.

Key Resources

• For more information on using deep links, see the topic titled "Link Analyses to Application Pages" in the guide titled "Creating Analytics for Risk Management."

Deep Link Parameter Values Passed to Result Records

A common use of deep links is to navigate from an OTBI dashboard, say an incident report, directly to the corresponding records. For deep links related to incident results, the filter criteria passed in the deep link are now visible in the results page under the show filters area. For example for an Access control, if a deep link passes the global user value, that value appears in the Show Filters section of the Results page.

Parameter Value Passed

Having the parameter value passed and visible in the Show Filters area allows you to modify or add to the filters.

Steps to Enable

You don't need to do anything to enable this feature.

Deep Links Provided for Survey Pages

You can now drill down from an OTBI analysis directly to survey pages in Financial Reporting Compliance.The available links include the manage and view survey pages.

The deep link for the View Survey page is https://<hostname>/fscmUI/faces/deeplink?objType=@{1}&objKey=ObjectKey=@{2}. The parameters are VIEW_SURVEY and Survey ID.

The deep link for the Manage Surveys page is https://<hostname>/fscmUI/faces/deeplink?objType=MANAGE_SURVEYS. Parameters are not needed since the deep link redirects the user to the Manage Surveys page.

Deep drills from OTBI to the application enables users to easily access the relevant information in the application.

Steps to Enable

You don't need to do anything to enable this feature.

Tips And Considerations

Here's an idea of what you can do:

1. Create a simple analysis with Survey ID, Survey Name, Questions, Question Choice Sets, Question Response, and Participants.
2. Select the gear icon for Survey ID and change the data format of Survey ID to a number with no commas or decimal places.

   Change Data Format

3. On the Survey Name, click the gear and select column properties, then Interaction. Select Action Links under Primary Interaction. Then click plus icon. Enter a Link Text, then create new action.
4. Select Navigate to a Web Page.

Create Action Link to Web Page

5. Enter a URL. An example link looks like this (swap out <hostname> with your server url):

https://<hostname>/fscmUI/faces/deeplink?objType=@{1}&objKey=ObjectKey=@{2}

6. Click Define Parameters

Select Define Parameters

7. Add a parameter and update the value to 'VIEW_SURVEY"
8. Add a second parameter and select Value > Column Value and then select "Survey Details"."Survey ID".
9. Mark all the parameters as hidden, and click Options and select to open in a new window. Click OK to all the pop up windows and then run your report.

Update Link Text

10. Select Do not display in popup if only one action is available at runtime

Example Report - You can hide the Survey ID column if needed by updating Survey ID Column Properties

Drills to the survey definition page in view mode for the specified survey.

Deep Drill to Manage Surveys

To drill to Manage Surveys following the same step and use the Manage Surveys URL, https://<hostname>/fscmUI/faces/deeplink?objType=MANAGE_SURVEYS. You will only need to create the action link within adding any parameters.

IMPORTANT Actions and Considerations

COMMON

Notifications

In this release, the Notification job under Setup and Administration > Scheduling has been removed.  The Security Synchronization job launches the Notification job.

Security

The following table outlines the security changes made in release 21A.  If you use custom roles, manual updates may be necessary.  Additional descriptions about these security changes follow in the corresponding product sections.

Existing Privilege Name	Replacement Privilege (Existing)	Seeded Duty Impacted	Job Role Inheriting Duty
Create Impromptu Control Assessment and Assign Users	Create Assessment Batch and Assign Users	Control Assessment Manager Duty	Risk Activities Manager
Create Impromptu Control Assessment and Assign Users	Create Assessment Batch and Assign Users	Control Manager Duty	Risk Activities Manager
Create Impromptu Process Assessment and Assign Users	Create Assessment Batch and Assign Users	Process Assessment Manager Duty	Risk Activities Manager
Create Impromptu Process Assessment and Assign Users	Create Assessment Batch and Assign Users	Process Manager Duty	Risk Activities Manager
Create Impromptu Risk Assessment and Assign Users	Create Assessment Batch and Assign Users	Risk Assessment Manager Duty	Risk Activities Manager
Create Impromptu Risk Assessment and Assign Users	Create Assessment Batch and Assign Users	Risk Manager Duty	Risk Activities Manager
Mass Edit Security Assignments	(This privilege was removed to restrict user access.)	Access Certification Configuration and Maintenance	Access Certification Administrator

Important: The 'Create Impromptu' privileges referenced in the first six rows will be removed in a future release; they are no longer used.

FINANCIAL REPORTING COMPLIANCE

New Assessment-Related Privilege

In this release, predefined duties are updated to use the privilege Create Assessment Batch and Assign Users. It replaces several privileges related to creating impromptu assessments and assigning users.  If you used customized copies of the following duty roles that belong to the Risk Activities Manager job role, you'll need to add the new privilege manually to your security roles. Predefined duty roles are updated automatically.

• Control Assessment Manager Duty
• Control Manager Duty
• Process Assessment Manager Duty
• Process Manager Duty
• Risk Assessment Manager Duty
• Risk Manager Duty

ACCESS CERTIFICATIONS

Mass Edit Security Assignments Removed

In this release the Mass Edit Security Assignments privilege was removed from the predefined duty role Access Certification Configuration and Maintenance, which is under Access Certification Administrator job role.  If you still require this page access, you'll need to add the privilege back manually to a custom role since predefined duty roles are updated automatically.