Update 21D

Revision History

This document will continue to evolve as existing sections change and new information is added. All updates appear in the following table:

Date	Product	Feature	Notes
04 OCT 2021	Advanced Access Controls	Updated Delivered Model Content	Updated document.  Delivered feature in update 21D.
17 SEP 2021			Created initial document.

Overview

HAVE AN IDEA?

We’re here and we’re listening. If you have a suggestion on how to make our cloud services even better then go ahead and tell us. There are several ways to submit your ideas, for example, through the Ideas Lab on Oracle Customer Connect. Wherever you see this icon after the feature name it means we delivered one of your ideas.

GIVE US FEEDBACK

We welcome your comments and suggestions to improve the content. Please send us your feedback at oracle_fusion_applications_help_ww_grp@oracle.com.

DISCLAIMER

The information contained in this document may include statements about Oracle’s product development plans. Many factors can materially affect Oracle’s product development plans and the nature and timing of future product releases. Accordingly, this Information is provided to you solely for information only, is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described remains at the sole discretion of Oracle.

This information may not be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates. Oracle specifically disclaims any liability with respect to this information. Refer to the Legal Notices and Terms of Use for further information.

Feature Summary

Risk Common

Common Risk Management

Update to Record Attachments

When multiple attachments are added to a single record, the initial list is limited to the first five records. The list of records can be expanded in increments of five.

Attachments

This feature will enhance the usability of attachments, specifically when there's a larger number added to a single record for documentation purposes.

Steps to Enable

You don't need to do anything to enable this feature.

Group Security Assignment Authorization Display Update

When user groups are assigned to records, the Authorized As value is now displayed as read only.  Previously the authorization of the group was displayed as a list of values.

User Group Security Assignment Display

This update will remove confusion related to what can be done when user groups are assigned to records.

Steps to Enable

You don't need to do anything to enable this feature.

Additional Risk Management Quick Actions Added

The ability to quickly add new records within Risk Management has been extended to Advanced Controls and Access Certifications functionality.

• Create Access Model
• Create Transaction Model
• Add Access Certification

Risk Management Quick Actions

These new Quick Actions will reduce the number of steps needed by users who want to perform a specific create action.

Steps to Enable

You don't need to do anything to enable this feature.

Audit Is Enabled for User Assignment Groups

You can now track changes made to Risk Management user assignment groups. For example, suppose a user assignment group has three members in it originally, and later another person is added. You can now run a report to see that change, who made the change, and when. These are the attributes tracked: Group Name, Authorization, Object, User Name, User Group, and Eligibility.

Audit Business Object Security

You can now demonstrate for auditors and management who has had access to records and for what timeframe.

Steps to Enable

1. As a user such as Application Implementation Consultant, navigate to Setup and Maintenance and look for the Manage Audit Policies task. Go to Configure Business Object Attributes and then select Risks and Controls from the Product drop down.
2. Select Groups or Members under the User Assignment Groups header. Then select the plus icon in the corresponding Audited Attributes section. Check each of the attributes you'd like to track changes for.
3. Now make a change to a user assignment group.
4. Again, logged in as a user such as Application Implementation Consultant, navigate to Audit Report.
5. Search for product Risks and Controls and click Search to see the history of inserts, updates, and deletes.

Transactional Business Intelligence for Risk Management

Reports Now Cover User Assignment Security for Remediation Plans

To secure Risk Management remediation plans, you authorize users as owners, editors, or viewers, or you assign user groups that grant these authorizations. To secure remediation plan workflow, you assign reviewers and approvers. You can now report on the users and groups selected for remediation plan records, and their levels of authorization. Reports also display whether each user is eligible, meaning that the user also has the functional access.

Example of the Risk Management Cloud - Assessment Results subject area

The addition of these new dimensions in OTBI allows reporting on remediation plan security assignment groups and their members.

Steps to Enable

You don't need to do anything to enable this feature.

IMPORTANT Actions and Considerations

FINANCIAL REPORTING COMPLIANCE

Treatment Plans

Each treatment plan will support only a single treatment, rather than multiple treatments per plan. You may continue to have multiple treatment plans to manage a specific risk record.

Treatment Plans

Encrypted IDs in Export Files

In a future release, the SYSTEM_ID value will no longer be encrypted. Rather, the export template will include the numeric system ID. This is the same ID that is available in OTBI. This will require a new export of the data to be generated, so it can be used later to import the data.

ADVANCED FINANCIAL CONTROLS

Changes to Audit - Fixed Asset Category

If you have generated incident records containing Category Old or Category New attribute data from the Audit - Fixed Asset Category business object, perform these steps before your environment is updated to 21D:

1. Export an xml copy of control that generated the incidents.
2. Export documentation of the incidents.
3. Inactivate the control.
4. After the update to 21D, do not reactivate the control that you inactivated in Step 3. If you still need to analyze the same kinds of transactions, import your xml copy and deploy it as a new control; you can accelerate management of the new incidents by referring to the documentation you exported in Step 2.

NOTE: Those steps are needed because 21D introduces improvements to the way Category Old and Category New data are stored, and those improvements necessitate changes to the way Risk Management analyzes them. The steps are not needed for models.

Financial Reporting Compliance

Financial Reporting Compliance

Send Email Reminder Email Configuration Change

In Financial Reporting Compliance, users may send email reminders to complete assessments, surveys, or tasks related to issues or remediation plans. These are sent regardless of whether email alerts are enabled or disabled in the Manage Configuration Options page of the Setup and Administration work area.

The Risk Management email notification configuration setting will not impact the end user triggered email reminder within Financial Reporting Compliance. The end user can send email reminders, even though the general email notification setting is not enabled.

Steps to Enable

You don't need to do anything to enable this feature.

Data Migration Import State Transition and Ability to Import URL Attachments

At the point data is imported into Risk Management, new records are imported at the Approved state. For records when incremental imports may change existing data relationships, the state does not change; the state of each of these records remains as it was prior to the import.

In addition, you can now import URLs as attachments associated to object records.

Typically during your initial implementation, you need to import your legacy data. The process for importing object records is streamlined to enable you to apply legacy data without the need to approve new records, and simplified by maintaining the state for records being updated due to an incremental load. As already supported, you can only incrementally add net new records or relationships. The Migration tool is not meant to be used as a mass-edit tool, therefore.

In many cases, you will need to add attachments to your defined object records. The ability to import URLs minimizes the need to update each record's attachments manually.

Steps to Enable

You don't need to do anything to enable this feature.

Assign Default Actors for Control Certification Assessments

The owner of a control can select assessors, viewers, reviewers, and approvers who are assigned by default to certification assessments of the control. The control owner makes these selections while working with the control record, using a Default Assessment Security Assignment page. The assessors, viewers, reviewers, and approvers are then assigned by default to all certification assessments for which the control is scoped. (They aren't assigned, however, to any type of control assessment other than certification.) The owner of an assessment batch that includes the control can update the default security assignments.

Defining the Default Assessment Security Assignment

The assignment of default assessment security is similar to the common assignment of security within Risk Management. In the control record, the control owner can select Security Assignment > Default Assessment Security Assignment, and then assign users, groups, or both to define default actors for certification assessments. A group would specify the Control Certification Assessment Result object and an appropriate authorization, such as Assessor or Approver.

The Edit Control Definition Page Now Has Two Security Actions, One for the Control and One for Its Certification Assessments

Assessment Actors Selected in a Control's Default Assessment Security Assignment Page

Initiating an Assessment Batch When Default Security Has Been Defined

The overall steps for initiating a certification assessment batch haven't changed. The assessment batch owner follows the same guided process. Once the owner saves the batch security assignments, the Assessment Records Security Assignment page opens, displaying records of controls the owner has selected. For each control that defines assessment actors, the page displays those actors automatically. The assessment batch owner can accept the default assignments, add actors, or remove the default assessment actors and add new ones. The default assessment security assignment has no impact if an owner duplicates an assessment batch; the security definitions are copied as they were defined in the source assessment batch.

Here's an example of the Assessment Records Security Assignment page for an assessment, populated with default actors selected in a control record.

Impromptu Assessment with Prepopulated Default Security

Mass Edit Default Security Assignments for Controls

In the Mass Edit Security Assignment page, authorized users can update the default assessment security assignments for any number of controls. The page is available at Risk Management Data Security > Mass Edit. First select the Control Default Certification Assessment object, and then select any number of controls whose assessment security is to be edited.

Example of Mass Edit Security Assignment

Then you have the same options as before: In Define Security Assignment Goals, you determine whether to work with users or groups, and whether to append, remove, or replace them. If you're working with users, you select the authorizations to edit in Define Security Assignment Authorizations. Finally, you select the users or groups to be updated. The guided process walks you through the required selections. Your changes apply only to assessment batches initiated after you submit the changes.

Example of the Mass Edit Guided Process

The control certification assessment process typically requires all documented control records to be certified by many users (50 to 300 individuals). Typically these users are authorized at a minimum to view the control record. To simplify the process, the owner can define control record viewers and the appropriate default certification authorizations all at once. The same would be true when the authorization needs to be updated, due to a change in the organization or overall responsibilities. The owner can leverage Risk Management Mass Edit feature to quickly update users' authorizations.

Steps to Enable

You don't need to do anything to enable this feature.

Tips And Considerations

In the event you have a large number of certification assessment actors, consider creating user groups, which simplify the overall maintenance of managing actors as their assessment responsibilities change.

Changes to Surveys and Perspectives in Assessments

Multiple enhancements pertain to assessment records and assessment batches:

• You can now view the assessor's submitted survey responses within the assessment record.
• When you copy an assessment batch, the copy includes the survey template.
• When you copy an assessment batch, if perspective values used for scoping in the prior batch have become inactive, they are flagged as inactive in the copy. The records associated with inactive perspectives are not included among proposed records for the assessment-batch copy.

Viewing Assessor's Submitted Survey Responses

Authorized users can view the assessor's submitted survey responses within the assessment record, by navigating to the assessment record and the Complete Survey train stop.

Example of Viewing Assessor's Submitted Survey Responses

Copying a Prior Assessment Batch Includes The Survey Template

When you copy a prior assessment batch, the new version includes the survey template that was associated with the version you're copying. You need to define a new Survey Prefix Name so that the survey name is unique. In addition, you are able to update the survey template being used.

Example of Copying a Prior Impromptu Assessment Batch That Included a Survey

Because survey responses can be viewed within the assessment record, all authorized assessment actors can view the responses without having to navigate to the Survey work area or view an OTBI report. The feature streamlines the assessment workflow by enabling reviewers and approvers to view survey responses within the assessment train. 

Scoping criteria for an assessment batch may include perspective values to filter the records proposed for assessment. A copy of an assessment batch includes the perspective values selected for the original. After the original batch was initiated, however, perspective values may have been updated to inactive. If so, the owner of the copied assessment batch can now view which values are inactive and which records are impacted, and so determine whether to create a new assessment batch with updated scoping criteria.

Steps to Enable

You don't need to do anything to enable this feature.

Associate a Survey Template to an Impromptu Assessment

You can now associate a survey template to an impromptu assessment.

Example of Creating an Impromptu Assessment for a Control Record

While defining the 'General' details of the impromptu assessment you can select a survey template and define the survey name prefix. The survey name prefix is concatenated with the assessment name to generate a unique survey name.

Example of Selecting a Survey Template

Associating a survey template to an impromptu assessment enables authorized actors to quickly initiate an assessment that includes a survey.

Steps to Enable

You don't need to do anything to enable this feature.

Risk Management

Advanced Access Controls

Job Name Changed for User Provisioning

In 21D, "Generate Provisioning Rules" replaces "User Provisioning" as the name of the job that runs when a user clicks the Generate Provisioning Rules button in the Provisioning Rules page. The name appears in the record of the job on the Monitor Jobs page. The new name better reflects the purpose of the job. The job type has also changed from "User Provisioning" to "Generate Provisioning Rules."

Provisioning Rules Page

Generate Provisioning Rules Job

This name change better reflects the job being run and distinguishes it from the job that is kicked off via the Asynchronous Separation of Duties Simulation API: advancedControlsRolesProvisioning. This API will continue to kick off a job with the job name "User Provisioning."

Steps to Enable

You don't need to do anything to enable this feature.

Tips And Considerations

For jobs run prior to 21D, the monitor jobs page will continue to reflect the "User Provisioning" job name regardless of whether the job was initiated from Provisioning Rules page or from the Asynchronous Separation of Duties Simulation API.

New Message in Provisioning Rules

If no rules are generated when the Generate Provisioning Rules job is run, the Provisioning Rules page displays a message to the user.

Prior to 21D the Autogenerated Rules section was missing and its absence was confusing. The message now shown is "The job to generate provisioning rules finished successfully and no rules were generated."

Steps to Enable

You don't need to do anything to enable this feature.

Removed Duplicate Provisioning Rule Results in Security Console

While editing or creating roles in the Security Console, you analyze the role structure for separation-of-duties conflicts determined by provisioning rules, and make changes to the role structure as needed until your role is conflict-free. Prior to 21D the results showed duplicate conflicting-role combinations; in each, one pair was the inverse of the other. Now the results display each conflicting-role pair only once.

Below is an example from a previous release where the duplicate rows show. Now, only one row shows.

Conflicting Roles

Because the the duplicates are removed, you no longer have to sift through additional information that provides no value.

Steps to Enable

You don't need to do anything to enable this feature.

Audit Is Enabled for Global Conditions

You can now track changes made to Advanced Controls global conditions. For example, suppose a global condition was added to exclude North America business units, and someone made it inactive. This may cause many new incidents to be generated. You can now run a report to see that change, who made the change, and when, which could help answer the question as to why new incidents were created. These are the attributes tracked: Name, Filter Name, Attribute, Condition, Value.

Audit Global Conditions

You can now demonstrate for auditors and management who has changed conditions that may affect results generated by controls.

Steps to Enable

1. As a user such as Application Implementation Consultant, navigate to Setup and Maintenance and look for the Manage Audit Policies task. Go to Configure Business Object Attributes and then select Risks and Controls from the Product drop down.
2. Select Access Global Condition Logic under the Access Global Conditions header. Then select the plus icon in the corresponding Audited Attributes section. Check each of the attributes you'd like to track changes for.
3. Now make a change to a global condition.
4. Again, logged in as a user such as Application Implementation Consultant, navigate to Audit Report.
5. Search for product Risks and Controls and click Search to see the history of inserts, updates, and deletes.

Added Exclusions for Procurement Agent Actions

For certain privileges to grant functional access, a user must be granted both the privilege and a corresponding "action" as a "procurement agent" for a business unit. Advanced Access Controls automatically excludes privileges related to actions a procurement agent has not been granted access to perform. The "Merge Suppliers" privilege is now excluded during analysis if "Manage Suppliers" procurement action is not granted via a procurement agent.

Action	Access Point
Manage Suppliers	Merge Suppliers

In the example below, because Manage Suppliers is not granted, even if a user has a role with the Merge Suppliers functional privilege an incident will not be generated because the user isn't actually allowed to use that functionality.

Procurement Agent Actions

These automatic exclusions minimize false positives by only returning incidents for privileges a user has the ability to perform.

Steps to Enable

You don't need to do anything to enable this feature.

Changes Made to Invoke Model Logic Actions

When creating or editing a model, it used to be that you could select a filter node in the model logic area and right click to invoke various actions: Edit, Delete, Clear Highlight. These features still exist, but there are new ways of invoking them. Instead of right clicking, you can now click the pencil icon to edit. Select the × icon to delete the filter. To clear a highlighted/selected filter node, you simply click anywhere in the white are of the model logic panel.

There were also two tabs on the right side in the model logic area. The tab with the pencil icon has been removed since it offered the same options as seen in the Add Filter button drop down, and the overview icon has been moved to the bottom left corner.

Model Logic

Improvement in usability on mobile devices is where you'll notice these changes being most beneficial.

Steps to Enable

You don't need to do anything to enable this feature.

Messaging Around Result Default Security

In a control definition, there are two areas to assign security: first, to the control itself, and second, to the results generated by that control. There's often confusion about what happens if you edit a control to modify its result security: does the new security apply only to new incidents, or also to those generated before the result-security edit? The answer is, a result-security edit applies only to incidents generated after the edit. This has been made clear with a banner message.

Default Result Security Assignment Menu Option

Default Result Security Banner Message

With the clarified menu item name and the banner message, any confusion should be cleared up.

Steps to Enable

You don't need to do anything to enable this feature.

Updated Delivered Model Content

The privileges Define Self Managed Oracle Fusion General Ledger Allocation Formula and Define Oracle Fusion General Ledger Allocation Formula have been removed from the Enter Journals entitlement.

These privileges pertain to some level of the ability to define journal formulas, which are different from journals.  These are more of a transactional setup function. These privileges will remain in the Manage General Ledger Allocation Formulas entitlement.

REVISED ENTITLEMENT

• Enter Journals

AFFECTED MODELS

• 10015: Maintain Project Accounting Transactions, Reporting and Enter Journals
• 10016: Maintain Project Accounting for General Ledger and Enter Journals
• 5241: Enter Accounts Receivables Invoice and Enter Journals
• 6750: Enter Journals and Approve Payables Invoices
• 6770: Enter Journals and Assets Depreciation
• 6780: Enter Journals and Assets Workbench
• 6790: Enter Journals and Capitalizing Assets
• 6800: Enter Journals and Create Payables Invoices
• 6810: Enter Journals and Create Payments
• 6820: Enter Journals and Create Purchase Orders
• 6840: Enter Journals and Enter Customer Receipts
• 6870: Enter Journals and Post Journal Entry
• 6880: Enter Journals and Release Sales Order
• 6890: Enter Journals and Remittances
• 6900: Enter Journals and Set Up Assets
• 6911: Enter Journals and Set Up General Ledger Chart of Accounts
• 6912: Enter Journals and Set Up General Ledger Currencies
• 6913: Enter Journals and Set Up General Ledger Daily Rates
• 6914: Enter Journals and Manage Accounting Data Security
• 6915: Enter Journals and Set Up General Ledger Sets
• 6916: Enter Journals and Set Up General Ledger Options
• 6917: Enter Journals and Set Up General Ledger Statistical Units of Measure
• 6918: Enter Journals and Manage Accounting Period Statuses for General Ledger
• 6919: Enter Journals and Define Accounting Calendars
• 6920: Enter Journals and Manage Journal Approval Rules
• 6921: Enter Journals and Set Up General Ledgers
• 6922: Enter Journals and Manage General Ledger Balances Cube
• 6923: Enter Journals and Manage General Ledger Enterprise Structures
• 6925: Enter Journals and Post Journal Entry and Manage Accounting Period Statuses for General Ledger
• 6926: Enter Journals and Post Journal Entry and Manage Journal Sources
• 6927: Enter Journals and Post Journal Entry and Setup General Ledgers

The content library is continually reviewed by experts in relevant business areas to provide the most accurate and comprehensive SoD and sensitive access control definitions. Consider uptaking these updated changes based on your business requirements.

Steps to Enable

As a rule, when you import a model that uses entitlements, you import the entitlements automatically. But if an earlier version of an entitlement exists in your target environment, the content-import job cannot replace it with a newer version. So:

• If an entitlement has been revised, but you have not yet imported any of the models that use it, you can import one of these models now. The import operation includes the new entitlement along with the model.

• If an entitlement has been revised, and you imported a model that uses it during an earlier update, you also imported the earlier version of that entitlement. To use the new version, your only option is to edit your existing entitlement to incorporate its revisions.

Access Certification

Changes to Access Certification Scoping Feature

In Functional Setup Manager, you can use a Manage Data Access for Users task to define the data access each user has when assigned a particular role. For example, a user's role assignment might grant access only to data associated with a specific business unit. When a certification uses bottom-up scoping, you can now create condition filters that recognize these data-security definitions. For example, if a filter sets a Business Unit attribute equal to a specific unit, the certification includes only user-role pairs granted access to that business unit in Manage Data Access for Users.

Create a Condition Scoping Filter

Condition filters select from a pool of roles and therefore exclude the roles they don't select.

• If a certification uses top-down scoping, a condition filter selects from a pool that includes all assignable roles. The only attribute available to a condition filter is Access Point, and the filter selects or excludes roles involving an access point you specify.

• If a certification uses bottom-up scoping, a condition filter selects from a pool that includes roles returned by an access-point or entitlement filter. The Access Point attribute is available to condition filters, but so are other attributes that recognize definitions configured in the Manage Data Access for Users task in Functional Setup Manager. In that task, you define the data access each user has when assigned a particular role. A condition filter may then allow a certification to scope that role, but only as it applies to users with the defined data access.

The enhancement allows you to leverage Access Point to specific specific filtering requirements when you use bottom-up scoping. For example, User1 and User2 may be assigned the Accounts Receivable Specialist role. But in Manage Data Access for Users, the assignment to User1 may be defined as applying only to data appropriate for the Consumer Electronics business unit. The assignment to User2 may be defined as applying to the Database Servers business unit.

A certification that uses bottom-up scoping may include an access-point filter that selects the Accounts Receivable Specialist role. It may also include the condition filter Business Unit Equals Consumer Electronics, which would, on its own, select the assignment to User1 and reject User2, as well as users assigned the role in other business units. But you may create a second condition filter, Business Unit Equals Database Servers, which would scope the roles as it applies to User2. The certification would then include the role assignment to both User1 and User2, but exclude other users assigned the role in other business units.

Steps to Enable

You don't need to do anything to enable this feature.

Advanced Financial Controls

New Read-Audit Model in Content Library

Advanced Financial Controls has one new sensitive-data model that can be imported through the delivered Content Library. In release 21C we introduced a new content library called Advanced Sensitive Data Access Audit Controls; this new model is found there. The new model leverages the Sensitive Data Access Audit business object, and a user-defined object. The following table provides the model name and user-defined object associated to the model.

Model Name	User-Defined Objects
70007: Infrequently Used IP Addresses	Cluster Pattern on Viewer IP Address

Additionally, this is the first delivered model that uses a pattern filter. In this case, the Clustering pattern filter is defined in the user-defined object against the Viewer IP Address attribute in the Sensitive Data Access Audit business object. The data derived from this pattern is used in the final model to identify IP addresses used one time. Since the pattern filter is not used in the final 70007 model, the model can be deployed as a control for monitoring. Pattern result graphs you see in the user-defined object for Clustering are not supported for incident type controls.

Clustering Pattern Filter

This new transaction-analysis model tracks users whose viewing of sensitive data appears suspicious because they accessed the data via infrequently used IP addresses.

Steps to Enable

The new model in Advanced Controls, and its returning any audit data on persons viewing sensitive data, depends on another feature enabled in Oracle Global Human Resources. Confirm the profile option is enabled and set to Y for Mobile-Responsive Sensitive Data View Audit Enabled (ORA_HCM_SENSITIVE_DATA_VIEW_AUDIT_ENABLED). Additional information on this feature can be found in Oracle Human Resources Cloud, What's New for 21B, feature called Sensitive Data Access Audit.

No advance setup is required for you to import models in Advanced Controls. However, a Risk Management administrator must set the Transaction and Audit Performance Configuration date options under the Advanced Controls Configurations tab under Risk Management > Setup and Administration. Two created-as-of-date options are required, one for transactions and the other for audit events. These settings improve performance by eliminating older data from data-synchronization jobs.

Finally, once you have performed the above and imported the model, you must run data synchronization, which retrieves the source data used during model analysis.

Key Resources

• Review the Advanced Controls dependency for using these new read-audit models in the Oracle Human Resources Cloud, What's New for 21B, feature called Sensitive Data Access Audit. The auditing of sensitive information read by individuals must be enabled to return any data records.

• For more information about pattern models, see the "Patterns" topic; for more information about importing models, see the Import and Export topics. All are available in Using Advanced Controls at Oracle Help Center > Cloud Applications > Risk Management > Books.

Changes Are Made to Business Objects

This release includes additions, changes, and removal of attributes in business objects.

New Business Object Attributes

The following two attributes were added across all Audit business objects to provide additional user and value description about the audited record returned.

• User ID
• Parent Object Value

The following attribute addition and label changes were made to the Purchase Order business object:

• The existing Line: Quantity attribute was renamed to Line: Quantity Rounded because it does not include decimal places. If you are using the original attribute in your model or control, the label is updated.

• A new Line: Quantity attribute was added that includes the decimal places. To include quantities that might include decimal places, you need to revise your model or control to use this new attribute.

The following table lists additional business objects updated with new attributes.

Business Object	New Attributes
Asset Workbench	Adjusted Cost Asset Ineffective Date Capitalized Depreciation Start Date Effective Date Termination Transaction Header Identifier
Sensitive Data Access Audit	Viewed Person: Created By Viewed Person: Creation Date Viewed Person: Effective End Date Viewed Person: Effective Start Date Viewed Person: First Name Viewed Person: Full Name Viewed Person: Last Name Viewed Person: Last Updated By Viewed Person: Last Updated Date Viewed Person: Middle Name Viewed Person: Person ID
Audit - Contract	Share externally New Share externally Old
Audit - Organization Unit	Title New Title Old
Audit - Person Allocated Checklist	AllocationNotifiedFlag New AllocationNotifiedFlag Old AssignedTemplateId New AssignedTemplateId Old BackgroundThumbnailUrl New BackgroundThumbnailUrl Old CombinedTaskTemplateId New CombinedTaskTemplateId Old DefCompletionDate New DefCompletionDate Old ProcessingMode New ProcessingMode Old
Audit - Person Allocated Checklist Tasks	NextReminderDate New NextReminderDate Old ProcessingMode New ProcessingMode Old ReminderCount New ReminderCount Old ReminderTemplateId New ReminderTemplateId Old
Audit - Participant Header	SourceSystemId
Audit - RcvParametersAuditVO	Allow defaulting of lots and serial numbers from ASN New Allow defaulting of lots and serial numbers from ASN Old
Audit - Mapping Set Value Audit	ConcatInput New ConcatInput Old
Audit - Supplier Bank Accounts	Assignment Inactive On New Assignment Inactive On Old ExtPmtPartyId From Assignment Date New From Assignment Date Old InstrumentId InstrumentPaymentUseId Primary New Primary Old

New Business Object Relationship

In this release, a new relationship was created between External Bank Account and Payables Payment Schedule business objects.

Attributes Removed

The following attributes are no longer available in the Audit - Payroll Calculation Value Definition business object, and have been removed:

• Effective End Date
• Effective Start Date

The following attribute is no longer available in the Audit - Person Allocated Checklist business object, and has been removed:

• AssignmentId

Attribute Name Changes

Business objects have attributes that correspond to various business areas such as Expenses, Procurement, Payables, and so on. In an effort to align the attribute labels shown in the Advanced Financial Controls business objects to labels defined in the corresponding application pages, several are updated.  Access the list of Attribute Name Changes to review the changes.

Updates to business objects provide additional attribute criteria for your controls, and those updated for audit maintain alignment to Manage Audit Policies data source.

Steps to Enable

When you use business objects that introduced new attributes, such as User ID and Parent Object Value for any audit object, or Purchase Order's new Line: Quantity attribute, you must run the Transaction Data Source Synchronization job. Business objects using the new attributes require that data synchronization job to run in order to return the related values. Depending upon the number of business objects you are using with the new attributes, the data synchronization job may take a little longer than usual.

Next, with regard to the new Line: Quantity attribute in Purchase Order, you will want to evaluate the following additional steps. These include:

• If you were previously using this attribute, you will find it was renamed to Line: Quantity Rounded. Identify the models or controls that use it.
• In the event you want to uptake the new Line: Quantity, first export your control xml file and import it as a model.
• As a model, you can revise it to apply the new attribute.
• Redeploy the revised model as a new control.

NOTE:  There is no way to revise an existing control with the new attribute.

Important Note for Audit Business Objects:  Take a moment and review 21C feature called Data Available for Secured Audit Business Objects. If you are using audit business objects, and you did not previously perform the Steps to Enable for that feature, do so now before running the data synchronization job.  In a future release, this process to invoke security for secured audit business objects will not be necessary.

Number of Occurrences Attribute Value No Longer Impacts Control Incident Status

In previous releases, if the Number of Occurrences attribute was the only value that changed in an incident record after control analysis was run, the existing incident was closed and a new one was created. This is no longer the case for newly created incidents in release 21D. If the Number of Occurrences changes, the value is updated and there is no impact to the existing status of the incident.

The update to Number of Occurrences for incident is not necessarily material, but more informational.  Therefore, the change to the value should not have an impact on the incident status.

Steps to Enable

You don't need to do anything to enable this feature.

Audit Is Enabled for Business Object Security

You can now track changes made to Risk Management business object security. For example, suppose a user has access to all business objects in the area of procurement, and later the user is also given access to the business object Journal Entry. You can now run a report to see that change, who made the change, and when. These are the attributes tracked: User Name, Access by Product or Business Object.

Business Object Security

Audit Business Object Security

You can now demonstrate for auditors and management who has had access to records and for what timeframe.

Steps to Enable

1. As a user such as Application Implementation Consultant, navigate to Setup and Maintenance and look for the Manage Audit Policies task. Go to Configure Business Object Attributes and then select Risks and Controls from the Product drop down.
2. Select Business Object Security under the Business Object Security header. Then select the plus icon in the corresponding Audited Attributes section. Check each of the attributes you'd like to track changes for.
3. Now make a change to business object security.
4. Again, logged in as a user such as Application Implementation Consultant, navigate to Audit Report.
5. Search for product Risks and Controls and click Search to see the history of inserts, updates, and deletions.

Changes Made to Invoke Model Logic Actions

When creating or editing a model, it used to be that you could select a filter node in the model logic area and right click to invoke various actions: Edit, Delete, Clear Highlight. These features still exist, but there are new ways of invoking them. Instead of right clicking, you can now click the pencil icon to edit. Select the × icon to delete the filter. To clear a highlighted/selected filter node, you simply click anywhere in the white are of the model logic panel.

There were also two tabs on the right side in the model logic area. The tab with the pencil icon has been removed since it offered the same options as seen in the Add Filter button drop down, and the overview icon has been moved to the bottom left corner.

Model Logic

Improvement in usability on mobile devices is where you'll notice these changes being most beneficial.

Steps to Enable

You don't need to do anything to enable this feature.

Messaging Around Result Default Security

In a control definition, there are two areas to assign security: first, to the control itself, and second, to the results generated by that control. There's often confusion about what happens if you edit a control to modify its result security: does the new security apply only to new incidents, or also to those generated before the result-security edit? The answer is, a result-security edit applies only to incidents generated after the edit. This has been made clear with a banner message.

Default Result Security Assignment Menu Option

Default Result Security Banner Message

With the clarified menu item name and the banner message, any confusion should be cleared up.

Steps to Enable

You don't need to do anything to enable this feature.