Oracle Risk Management Cloud. Release 13 (updates 18A - 18C) What's New


TABLE OF CONTENTS

DOCUMENT HISTORY

UPDATE 18C
  Revision History
  Overview
  Feature Summary
  Risk Management
    Common
      Monitor Jobs Page Enhancements
      Changes from Related Links to Page Tabs
      Performance Configurations for Applications
      Perspective Values Can be Renamed
    Financial Reporting Compliance
      Changes to Assessment Tabs and Related Links
      Changes to Security for Assessment Records
      Control Test Plan Modifications
      Updates to Survey Status and End Date
    Advanced Financial Controls
      Delivered Model Content for Oracle Fusion Applications Audit
      Delivered Model Content for Enterprise Resource Planning
      Delivered Model Content for Human Capital Management
      Contextual Control and Incident Extract Reports Removed
      Copy Cell Value in Results and Controls
    Advanced Access Controls
      New Conflicts Within a Single Role Option for Model Results
      Access Visualization Enhancements
      Access Simulation Enhancements
      Create User-Defined Access Point Limitation
      Contextual Control and Incident Extract Reports Removed
      Copy Cell Value in Results and Controls
    Access Certification
      Certification Initiation
      Certification Management
      Certification Worksheet
      Supporting Activities
  Transactional Business Intelligence for Risk Management
    Common
      New Risk Management Administration Reports
    Access Certification
      Subject Area for Access Certification

UPDATE 18B
  Revision History
  Overview
  Feature Summary
  Risk Management
    Common
      Queued Jobs Canceled After Upgrade
    Financial Reporting Compliance
      Descriptive Flexfields for Financial Reporting Compliance
      Manage Assessment Refresh Icon
    Advanced Financial Controls
      Model Definition New Pattern Filters
      User-Defined Objects Run Automatically
      User-Defined Object Automatically Created
      Delivered Model Content for Enterprise Resource Planning
      Delivered Model Content for Human Capital Management
      New Business Objects
    Advanced Access Controls
      Delivered Model Content for Enterprise Resource Planning
      Delivered Model Content for Human Capital Management
  Transactional Business Intelligence for Risk Management
    Financial Reporting Compliance
      Updated Subject Areas
    Advanced Financial Controls
      Subject Area for Advanced Financial Controls
    Advanced Access Controls
      Subject Area for Advanced Access Controls

UPDATE 18A
  Revision History
  Overview
  Feature Summary
  Risk Management
    Advanced Financial Controls
      Model Definition
      Control Definition
      Incident Remediation Activities
      Supporting Activities
    Advanced Access Controls
      Model Definition
      Control Definition
      Incident Remediation Activities
      Supporting Activities
  Transactional Business Intelligence for Risk Management
    Financial Reporting Compliance
      New Fiscal Calendar Folder
      New Issue Details Folder
      New Remediation Plan Details Folder
      Risk Details Folder Enhancements
      Control Details Folder Enhancements
      Assessment Results Folder Enhancements
      Perspective Folder Enhancements
      Assessment Details Folder Enhancement

DOCUMENT HISTORY

This document will continue to evolve as existing sections change and new information is added. All updates appear in the following table:

Date | Update Version | Notes
21 SEP 2018 | Update 18C | Delivered new features in update 18C.
20 APR 2018 | Update 18B | Delivered new features in update 18B.
19 JAN 2018 | Update 18A | Delivered new features in update 18A.

UPDATE 18C

REVISION HISTORY

This document will continue to evolve as existing sections change and new information is added. All updates appear in the following table:

Date | Feature | Notes
21 SEP 2018 | | Created initial document.

OVERVIEW

This guide outlines the information you need to know about new or improved functionality in this update, and describes any tasks you might need to perform for the update. Each section includes a brief description of the feature, the steps you need to take to enable or begin using the feature, any tips or considerations that you should keep in mind, and the resources available to help you.

GIVE US FEEDBACK

We welcome your comments and suggestions to improve the content. Please send us your feedback at oracle_fusion_applications_help_ww_grp@oracle.com.

FEATURE SUMMARY

Column Definitions:

- Report = New or modified, Oracle-delivered, ready to run reports.
- UI or Process-Based: Small Scale = These UI or process-based features are typically comprised of minor field, validation, or program changes. Therefore, the potential impact to users is minimal.
- UI or Process-Based: Larger Scale* = These UI or process-based features have more complex designs. Therefore, the potential impact to users is higher.
- Opt In Only = These features are made available for use via Opt In. No additional setup steps are required.
- Opt In, Plus Additional Steps Required = To use these features you must first Opt In, then perform additional setup steps.
- Steps Required (No Opt In) = Setup steps must be performed before these features can be used. For example, new or expanded BI subject areas need to first be incorporated into reports. Integration is required to utilize new web services.

New Features Delivered Ready to Use (Delivered Enabled): Reports plus Small Scale UI or Process-Based new features will have minimal user impact after an update. Therefore, customer acceptance testing should focus on the Larger Scale UI or Process-Based* new features. Columns: Report; UI or Process-Based: Small Scale; UI or Process-Based: Larger Scale*.

New Features That Customer Must Take Action to Use (Delivered Disabled): Not disruptive as action is required to make these features ready to use. As you selectively choose to leverage, you set your test and roll out timing. Columns: Customer Action: Opt In Only; Customer Action: Opt In, Plus Additional Steps Required; Customer Action: Steps Required (No Opt In).

Feature

RISK MANAGEMENT

Common
- Monitor Jobs Page Enhancements
- Changes from Related Links to Page Tabs
- Performance Configurations for Applications
- Perspective Values Can be Renamed

Financial Reporting Compliance
- Changes to Assessment Tabs and Related Links
- Changes to Security for Assessment Records

- Control Test Plan Modifications
- Updates to Survey Status and End Date

Advanced Financial Controls
- Delivered Model Content for Oracle Fusion Applications Audit
- Delivered Model Content for Enterprise Resource Planning
- Delivered Model Content for Human Capital Management
- Contextual Control and Incident Extract Reports Removed
- Copy Cell Value in Results and Controls

Advanced Access Controls
- New Conflicts Within a Single Role Option for Model Results
- Access Visualization Enhancements
- Access Simulation Enhancements
- Create User-Defined Access Point Limitation
- Contextual Control and Incident Extract Reports Removed
- Copy Cell Value in Results and Controls

Access Certification
- Certification Initiation
- Certification Management
- Certification Worksheet
- Supporting Activities

Transactional Business Intelligence for Risk Management

Common
- New Risk Management Administration Reports

Access Certification
- Subject Area for Access Certification

RISK MANAGEMENT

Oracle Risk Management consists of three products:

- Oracle Fusion Financial Reporting Compliance documents your policies for identifying and resolving risk in your financial processes.
- Oracle Advanced Access Controls detects risk inherent in the access granted to users of business applications.
- Oracle Advanced Financial Controls uncovers risk exhibited by transactions completed on business applications.

Advanced Financial Controls and Advanced Access Controls belong to a module called Advanced Controls Management.

Advanced Access Controls includes a new Access Certification set of features. It enables an organization to perform periodic reviews to determine whether job roles are assigned appropriately to users.

COMMON

MONITOR JOBS PAGE ENHANCEMENTS

The Monitor Jobs page tracks the status of all jobs submitted across Risk Management applications. This page has been simplified. By default, it lists jobs submitted in the last twenty-four hours by the person who is currently logged on. Each row provides summary information about a job: an identifying number as well as its name and status. Use the Expand icon in the row to view additional details about the job.

Users can:

- Sort the list of jobs by job ID number, name, status, or submission date.
- Create searches (sets of filtering options) and save searches for reuse.
- Select the status of a job to view details around it, including record counts. Examples of counts include new, updated, and total values for each business object affected by a transaction synchronization job, or the numbers of newly generated and updated incidents for a control-analysis job.
- Download exported files and reports, by clicking a Download icon in the rows for jobs that create these items.

Below is an example in which a row is expanded. We can see who ran the report and how long the job took to run.

Figure: Monitor Jobs

Often a job status is a hyperlink that leads to additional information. For example, below are details of a completed business object import job. These details allow us to verify that record counts match what we expected from our import file.

Figure: Monitor Job Completed Summary

Better messaging has been incorporated to help correct failed jobs. Below is an example of a business object that failed to import with the exact reason why.

Figure: Monitor Jobs Failed Messages

No steps are required to enable this feature.

For more information on Monitor Jobs, see the "Jobs and Scheduling" chapter in Risk Management Cloud Implementing Risk Management.

CHANGES FROM RELATED LINKS TO PAGE TABS

In the Setup and Administration work area of Risk Management Tools, navigation has changed. In earlier versions, links to Setup and Administration pages were contained in a Related Links panel tab on the right side of the page. This panel tab is replaced by a set of fixed tabs that run vertically along the left side of the work area.

Figure: Setup and Administration Tabs

No steps are required to enable this feature.

For more information see Implementing Risk Management in the Oracle Risk Management Cloud library of the Oracle Help Center.

PERFORMANCE CONFIGURATIONS FOR APPLICATIONS

You can modify settings that improve performance by reducing the number of records involved in data-intensive operations. These settings apply to the Advanced Controls Management module. They include:

- Access Performance Configuration. For Advanced Access Controls, set the number of records an access model can return. The default value is 5,000. You can set the value lower, but not higher. The limit applies only to results returned by access models, not to control incidents. Optionally, allow the record limit to be overridden on a model-by-model basis.
- Transaction Performance Configuration. For Advanced Financial Controls, data synchronization of Transaction business objects operates only on records created or updated on or after a date you specify. This date is required and the data-synchronization jobs fail if no date is set.
- Audit Performance Configuration. For Advanced Financial Controls, data synchronization for Audit business objects operates only on records created or updated on or after a date you specify. This date is required, and is distinct from the cutoff date you set for the synchronization of Transaction business objects.

You can access the following configuration options via Setup and Administration > Application Configurations > General Maintenance.

Figure: Application Configuration - Performance Configuration Options

No steps are required to enable this feature.

TIPS AND CONSIDERATIONS

It's important for the Risk Management administrator to closely manage the amount of data that is either synchronized or returned.

- Access Performance Configuration. It's impossible to know how many result records an access model will return when you first run it. In some situations, the volume can be so significant as to materially impact performance. This configuration limits the number of records the model can return. If the full 5,000 limit is retained, this should be sufficient to perform initial analysis and remediation activities before you convert the model into a control.
- Transaction Performance Configuration. In many development or test environments, large volumes of data may exist for testing purposes. You should limit this to 1 to 2 months' worth of data if at all possible. In many cases that amount is sufficient to validate the model logic, which is the primary goal in these environments. In production environments, the focus should be on analyzing current data, and so the last 3 to 6 months' worth of data should be sufficient.
- Audit Performance Configuration. Even though the Audit business objects are used within Advanced Financial Controls, this is a separate configuration. This is because the volume of data for audited configuration and operational data should be minimal and therefore the period of data can be greater.

For more information about configurations, see the "Risk Management Administration" chapter of Risk Management Cloud Implementing Risk Management.

PERSPECTIVE VALUES CAN BE RENAMED

For a perspective hierarchy, the underlying names of values in the hierarchy can be renamed. However, the perspective hierarchy cannot be renamed.

No steps are required to enable this feature.

For more information about perspectives, see the "Perspective Management" chapter of Risk Management Cloud Implementing Risk Management.

FINANCIAL REPORTING COMPLIANCE

CHANGES TO ASSESSMENT TABS AND RELATED LINKS

In each of the Process, Risk, and Control work areas, a new tab enables users to manage assessment transactions for the object type in view. Users can perform any of the actions their roles permit: complete, view, review, or approve assessments; view approvals; and create issues for assessments.

Figure: Controls Assessment Tab

In the Assessment Management work area, features supporting the management of batch assessments are now available from tabs located in the landing page of the work area. They are no longer available from a Related Links panel tab.

Figure: Assessments

The person who creates a template can now associate it with only one object record type (process, risk, or control) and one assessment activity type. The object record type determines which activity types are available.

Figure: Assessment Templates

No steps are required to enable this feature.

For more information on working with assessments, see the "Assessing Objects" chapter of Risk Management Cloud Using Financial Reporting Compliance.

CHANGES TO SECURITY FOR ASSESSMENT RECORDS

Data-level security for batch assessments has been updated. Users can secure assessment transactions separately from the object record being assessed. The implementation is similar to data-level security as implemented for the core objects (processes, risks, and controls).

This feature enables users to document an object record once and separately secure its assessment transactions. This applies to the ability to view, assess, review, and approve the assessment transaction.

When object records are not associated to perspective values, any user whose roles grant assessment privileges can access assessment transactions for those objects. In this case there is no data-level security.

Legacy assessments are not impacted by the update. For those assessments, security operates as it was designed for prior releases. This new feature applies only to batch assessments. Impromptu assessment security works as it has in prior releases.

You develop batch assessments from plans. The page to create an assessment plan now includes a Perspective Selection and Assignment Criteria region. First, it enables you to set criteria to select objects for inclusion in assessments. Objects must be assigned the perspectives you select in this region. Alternatively, a No Perspective option, which is selected by default, enables you to select records of objects that are not associated to any perspective values. Second, it defines data-level security for assessment transactions.

If you clear the No Perspective option, you may then select perspective values for the plan. An Include Duplicate Records option becomes available. If you select it, and if an object is associated to multiple perspective values, multiple assessment records are generated, one for the pairing of that object to each perspective value.

Figure: Assessment Plan and Initiating a Batch Assessment - Perspective Selection and Assignment Criteria to Include Duplicate Records

But if you clear the Include Duplicate Records option, a single assessment record associates that object to all perspective values.

Figure: Initiating a Batch Assessment - Perspective Selection and Assignment Criteria for a Single Instance per Record

For example, you select the following perspective values in the Perspective Selection and Assignment Criteria: Cash, Short Term Investments, and Receivables and Allowances. The record to be assessed is Control Record 1, which is associated to perspective values Cash, Short Term Investments, and Receivables and Allowances.

INCLUDE DUPLICATE RECORDS HAS BEEN SELECTED

For each unique instance of the object record to a perspective value, the application creates an assessment transaction.

Object Record Name to be Assessed | Data Level Security Mapping
Control Record 1 | Cash
Control Record 1 | Short Term Investments
Control Record 1 | Receivables and Allowances

INCLUDE DUPLICATE RECORDS HAS BEEN DE-SELECTED

The record has a single assessment transaction, which is associated to all three perspective values.

Object Record Name to be Assessed | Data Level Security Mapping
Control Record 1 | Cash, Short Term Investments, Receivables and Allowances

For existing implementations to continue to function as-is, a new data security policy for assessment workflow must be created and associated to the respective assessment job roles. At a minimum, the perspectives used to secure the objects being assessed (either control, risk, or process) must be included in this new data security policy. It's recommended that the perspective filter in this data security policy specify the top node of these perspectives, and use the Includes Children condition. If this is not done, the end user will not be able to initiate a batch assessment, since there will be no available actors.

If the ability to be more granular in the security assignment for assessments is desired, new data security policies also need to be created. However, for this to be enabled, the specific perspective values will need to be defined as part of the perspective filter in each policy, as they are for any other secured record in Financial Reporting Compliance. Each new data security policy created also requires a new job role for it to be mapped to.

For example, prior to your next quarterly audit assessment you have a documented control called Accounts Payable Invoice Validation. It is secured by the San Francisco perspective value; the root node of its perspective hierarchy is Region. To continue to perform assessments as-is, you must create a data security policy that includes Control Audit Assessor Data Security Policy and define a perspective filter to associate the data level security:

Object = Perspective
Attribute = Region
Condition = Includes Children
Value = Region

Once the data security policy has been created, it must be associated to appropriate job roles. For example, you may have a customer-defined role Control Audit Assessor Job Role, which includes the needed assessor privileges. You would associate the newly created data security policy within Risk Management Tools Security Configuration to the job role. This enables you to leverage assessments as you would have done in prior releases.

If you want to apply granular security for assessment transactions, as it is implemented for the other core object types, you must define the necessary data security policies and associate those to the corresponding job roles for each assessment activity type, by assessment actor/s.

Any time security updates are made in the Security Console, you must run the User and Role Security Synchronization and Worklist Security Synchronization jobs in Risk Management.

TIPS AND CONSIDERATIONS

Consider using a single perspective to define the assessment transaction security.

When defining the Perspective Selection and Assignment Criteria, the application is using OR and AND conditions. Therefore, adding perspective values by selecting multiple values at once gives a different result than distinctly clicking Add to create a row for each perspective value being applied.
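The Include Duplicate Records and Includes Children behaviour described above, modelled as an added example (illustrative Python, not Oracle code or an Oracle API). The hierarchy values other than Region and San Francisco, the user names, and the rule that a filter covering any one perspective value of a transaction makes the user an available actor are assumptions.

```python
from dataclasses import dataclass

# Constructed perspective hierarchy, child -> parent. "Region" (root) and
# "San Francisco" come from the page's example; "West" and "New York" are
# made-up values added so the hierarchy has more than one level.
PARENT = {
    "San Francisco": "West",
    "West": "Region",
    "New York": "Region",
    "Region": None,
}


@dataclass(frozen=True)
class PerspectiveFilter:
    """Perspective filter of a data security policy (simplified model)."""
    value: str
    includes_children: bool = False

    def covers(self, perspective_value):
        # Exact match always qualifies.
        if perspective_value == self.value:
            return True
        if not self.includes_children:
            return False
        # Includes Children: walk up from the value to see whether the
        # filter's node is one of its ancestors.
        node = PARENT.get(perspective_value)
        while node is not None:
            if node == self.value:
                return True
            node = PARENT.get(node)
        return False


def build_transactions(record, record_values, selected_values, include_duplicates):
    """Return assessment transactions as (record, perspective_values) tuples.

    With Include Duplicate Records selected there is one transaction per
    matching perspective value; otherwise a single transaction carries all
    matching values.
    """
    matched = [v for v in selected_values if v in record_values]
    if not matched:
        return []
    if include_duplicates:
        return [(record, (v,)) for v in matched]
    return [(record, tuple(matched))]


def available_actors(transaction, role_policies):
    """Users whose policy filters cover the transaction.

    role_policies maps a user name to the PerspectiveFilter list granted
    through that user's assessment job role. A transaction with no
    perspective values has no data-level security, so every user with the
    assessment privilege qualifies. Assumption: covering any one of the
    transaction's perspective values is enough.
    """
    _, values = transaction
    if not values:
        return sorted(role_policies)
    return sorted(
        user
        for user, filters in role_policies.items()
        if any(f.covers(v) for f in filters for v in values)
    )


# Constructed users and policies for the Accounts Payable Invoice
# Validation control, which is secured by San Francisco.
POLICIES = {
    "assessor_top_node": [PerspectiveFilter("Region", includes_children=True)],
    "assessor_root_only": [PerspectiveFilter("Region")],
    "assessor_new_york": [PerspectiveFilter("New York", includes_children=True)],
}

if __name__ == "__main__":
    values = ["Cash", "Short Term Investments", "Receivables and Allowances"]
    print(build_transactions("Control Record 1", set(values), values, True))
    print(build_transactions("Control Record 1", set(values), values, False))
    txn = ("Accounts Payable Invoice Validation", ("San Francisco",))
    print(available_actors(txn, POLICIES))
```

A policy that names only the root node without Includes Children yields no available actor for the San Francisco control, which is the situation in which a batch assessment cannot be initiated.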

For more information on working with assessments, see the "Assessing Objects" chapter of Risk Management Cloud Using Financial Reporting Compliance.

ROLE INFORMATION

For each object record there are specific privileges and data security policies corresponding to the assessment activity types available for the object record. For users to access the assessment transactions, they need both the privilege and the customer-defined data security policy.

For example, to define the data security policies needed for a control audit assessment, the following data security policies would be applicable:

- Control Audit Assessor Data Security Policy
- Control Audit Assessment Reviewer Data Security Policy
- Control Audit Assessment Approver Data Security Policy

Figure: Example of Customer Defined Data Security Policy

Any time security updates are made in the Security Console, you must run the User and Role Security Synchronization and Worklist Security Synchronization jobs in Risk Management.

CONTROL TEST PLAN MODIFICATIONS

You now manage control test plans and steps within a single new test plan tab located within the control record view. You can view each test plan by its assessment activity type. When a test plan has not been defined for a specific assessment activity type, the section for that type displays only the header, allowing you to know which types have been defined. To edit a test plan, you must edit the control record.

Figure: View Control Record Test Plan

To define a new control record, you define and save the control record and then navigate to the test plan tab to define the plan. Click the pencil icon within the section for the assessment activity type for which you wish to define a plan.

Figure: Edit Control Record Test Plan

Figure: Edit Test Plan

Test plans no longer include test instructions. If you have existing test plans that include instructions, review the instruction data and, if it is needed, incorporate it into test steps.

For more information on working with test plans, see the "Managing Controls" chapter of Risk Management Cloud Using Financial Reporting Compliance.

UPDATES TO SURVEY STATUS AND END DATE

Surveys accommodate greater flexibility in handling end dates, and status values have been updated to reflect that flexibility. A new status, Closed to Responses, identifies that the end date has been reached. The Closed to Responses status allows the end date to be changed. The Closed status, on the other hand, does not allow the end date to be updated. The Close Survey button initiates a hard close. It prevents further updates to the survey.

No steps are required to enable this feature.

For more information on surveys, see the "Conducting Surveys" chapter of Oracle Risk Management Cloud Using Financial Reporting Compliance.

ADVANCED FINANCIAL CONTROLS

DELIVERED MODEL CONTENT FOR ORACLE FUSION APPLICATIONS AUDIT

Advanced Financial Controls introduces new business objects that correspond to audit-level information you configure under Manage Audit Policies in Oracle Fusion Applications. New models are delivered that use these business objects from various application audit areas.

No advance setup is required for you to create transaction audit models. However:

- You must review audit-level information configured under Manage Audit Policies in Oracle Fusion Applications. Create models that use audit business objects in Advanced Financial Controls only after the corresponding information is enabled and configured under Manage Audit Policies.
- A Risk Management administrator must set the Audit Performance Configuration date option under Application Configurations in Risk Management Tools. This option improves performance by eliminating older data from data-synchronization jobs. This date is required and the data-synchronization jobs fail if no date is set.
- Finally, you must run data synchronization, which refreshes the data analyzed by models and controls.

TIPS AND CONSIDERATIONS

Before using new delivered model content, review the readme to identify models that match requirements for your organization. The readme is available with the new model import file.

Once you identify models appropriate for you, import, review, and modify them in your test environment. Importing all available models is not recommended. Some may source audit data from products you have not enabled. Moreover, models may contain user-defined objects that create data set controls that cannot be deleted, only inactivated.

To download Oracle's delivered model content files for import into your instance, refer to My Oracle Support, Oracle Delivered Content for Advanced Financial Controls ( MOS ID ). Locate and download the available Patch ID for Advanced Financial Controls content for release 13, update 18C.

For more information about importing models, see the "Introducing Oracle Advanced Financial Controls" chapter of Risk Management Cloud Using Advanced Financial Controls.

DELIVERED MODEL CONTENT FOR ENTERPRISE RESOURCE PLANNING

Oracle delivers new models for financial application areas. These models are supported by new business objects.

No advance setup is required for you to create transaction models. However, you must run a data-synchronization process, which refreshes the data analyzed by models and controls. Moreover, an administrator must set the Transaction Performance Configuration date option. It improves performance by eliminating older data from data-synchronization jobs. This date is required, and the data-synchronization jobs fail if no date is set.

TIPS AND CONSIDERATIONS

Before using new delivered model content, review the readme to identify models that match requirements for your organization. The readme is available with the new model import file.

Once you identify models appropriate for you, import, review, and modify them in your test environment. Importing all available models is not recommended. Some may source data from products you have not enabled. Moreover, models may contain user-defined objects that create data set controls that cannot be deleted, only inactivated.

To download Oracle's delivered model content files for import into your instance, refer to My Oracle Support, Oracle Delivered Content for Advanced Financial Controls ( MOS ID ). Locate and download the available Patch ID for Advanced Financial Controls content for release 13, update 18C.

For more information about importing models, see the "Introducing Oracle Advanced Financial Controls" chapter of Risk Management Cloud Using Advanced Financial Controls.

DELIVERED MODEL CONTENT FOR HUMAN CAPITAL MANAGEMENT

Oracle delivers new models for the Human Capital Management application. These models are supported by new business objects.

No advance setup is required for you to create transaction models. However, you must run a data-synchronization process, which refreshes the data analyzed by models and controls. Moreover, an administrator must set the Transaction Performance Configuration date option. It improves performance by eliminating older data from data-synchronization jobs. This date is required, and the data-synchronization jobs fail if no date is set.

TIPS AND CONSIDERATIONS

Before using new delivered model content, review the readme to identify models that match requirements for your organization. The readme is available with the new model import file.

Once you identify models appropriate for you, import, review, and modify them in your test environment. Importing all available models is not recommended. Some may source data from products you do not use. Moreover, models may contain user-defined objects that create data set controls that cannot be deleted, only inactivated.

To download Oracle's delivered model content files for import into your instance, refer to My Oracle Support, Oracle Delivered Content for Advanced Financial Controls ( MOS ID ). Locate and download the available Patch ID for Advanced Financial Controls content for release 13, update 18C.

For more information about importing models, see the "Introducing Oracle Advanced Financial Controls" chapter of Risk Management Cloud Using Advanced Financial Controls.

CONTEXTUAL CONTROL AND INCIDENT EXTRACT REPORTS REMOVED

Two contextual reports have been removed, but are still available as embedded reports in the Advanced Controls Reports work area.

- The Control Detail Extract report is no longer available as a contextual report in the toolbar under the Controls page. Alternatively, use Business Intelligence for Risk Management for reporting.
- The Transaction Incident Details Extract report is no longer available as a contextual report in the toolbar of the Results page that displays incidents generated by a specific control. Alternatively, use the Export to Excel option in the toolbar. Or, use Business Intelligence for Risk Management for reporting.

No steps are required to enable this feature.

TIPS AND CONSIDERATIONS

Reports are easy to create in Business Intelligence (OTBI). Here is an example of a report that lists controls. You would use the Advanced Financial Controls Real Time subject area to create it quickly. From that subject area, you may add as many detail dimensions as you wish. These might include the name of the control, its creation date, last updated date, or other details.

Figure: Control Detail Extract in OTBI

An alternative to using OTBI is to run the existing embedded Control Detail Extract report by navigating to Advanced Controls Management > Advanced Controls Reports. Below is an example of the Control Detail Extract report.

[Figure: Embedded Control Detail Extract]

For incident details extraction under the Results tab, you can continue to use the Export to Excel option in the toolbar. Identify the data to be included in the exported file by using filter and column display options for the result details of a selected control. Select the Export to Excel option in the toolbar to open your file or save it. Alternatively, you can also create an OTBI report for your transaction incidents.

[Figure: Incident Details Extract - Export to Excel Option]

For information on creating OTBI reporting instruments, see Risk Management Cloud Creating Analytics and Reports for Risk Management.

COPY CELL VALUE IN RESULTS AND CONTROLS

Copy a cell value (or Ctrl + C) from model results, controls, or incident results to the clipboard so that you can paste to other documents.

No steps are required to enable this feature.

TIPS AND CONSIDERATIONS

Having the option to copy and paste a value streamlines tasks like adding comments to an incident result. For example, you can copy an Invoice Number to paste it as a comment, or into a text editor so you can search on the source transaction record for additional analysis. Copy and paste multiple values into a text editor to elaborate on related records that require research.

[Figure: Copy a Value]

With the values copied, you can edit the incident, adding a comment by pasting the information as part of the remediation action.

[Figure: Paste a Value]

ADVANCED ACCESS CONTROLS

NEW CONFLICTS WITHIN A SINGLE ROLE OPTION FOR MODEL RESULTS

A check box called Conflicts within a single role, previously available in the page that displays access incidents generated by an individual access control, is now available in the page that displays results for a model. It filters the list of results to include only those in which the assignment of a single role grants rights to access points the model defines as conflicting.

[Figure: Conflicts Within a Single Role Check Box]

No steps are required to enable this feature.

TIPS AND CONSIDERATIONS

You can use this feature to begin the remediation of intra-role violations before converting the model into a control.

For more information about model results, see the "Managing Models" chapter of Risk Management Cloud Using Advanced Access Controls. For more information about incident results, see the "Managing Results" chapter of that guide.

ACCESS VISUALIZATION ENHANCEMENTS

When resolving incidents, you may create graphic visualizations of paths by which users gain access to conflicting points. Enhancements have been made to access visualization.

- Instead of displaying U, R, and P, the legend for an access visualization now displays User, Role, and Privilege.
- The visualization shows the unique code associated to an access point when you hover your cursor over the node representing that access point in a visualization.

[Figure: Visualization]

No steps are required to enable this feature.

For more information on access visualizations, see the "Managing Visualizations and Simulations" chapter of Risk Management Cloud Using Advanced Access Controls.

ACCESS SIMULATION ENHANCEMENTS

When resolving incidents, use simulations to preview the effects of steps you may take to resolve access conflicts. Enhancements have been made to access simulations.

- Create a simulation based on the results of a control visualization.
- Create a simulation across multiple control results. To do so, create the simulation from scratch, rather than from a visualization. That's because a visualization necessarily focuses on results generated by a single control.
- Create remediation steps by interacting with a visualization graph.
- View the number of conflicts that would be cleaned up if the remediation steps were executed in the Security Console.
- Generate a PDF of the remediation plan.

As you analyze access incidents, you may determine some role structures need to be redefined. Maybe a role would cause segregation of duties conflicts if given to a user. As you view incident details, you ask questions such as these:

- What would happen if I removed duty A from duty B?
- How many conflicts would that clean up?
- How many users would that affect?
- Would it affect more roles than just the role I'm currently analyzing?

You can create a simulation to answer these types of questions. You may do so directly from the visualization of a set of incidents; just click the Create Simulation button in the visualization.

Each simulation consists of remediation steps. Each of these steps hypothesizes the removal of an access point from a role hierarchy. When you create a simulation from a visualization, you can create a remediation step by clicking an arrow connecting the access point you want to remove from its parent in its role hierarchy, then selecting a Remove option.

[Figure: Create Simulation from Visualization]

In the Create Access Simulation page, you can name the simulation and continue to add remediation steps. You can run the simulation to view the number of conflicts that would be cleaned up if the remediation steps were executed in the Security Console. You can also generate a PDF of the remediation plan.

[Figure: Create Access Simulation]

No steps are required to enable this feature.

TIPS AND CONSIDERATIONS

The quickest way to get simulation results is to create the simulation from a visualization. This is because the simulation job is based on only one control. If you need to base your simulation on multiple controls, you must create it from the Access Simulations page directly.

For more information about creating simulations, see the "Managing Visualizations and Simulations" chapter of Risk Management Cloud Using Advanced Access Controls.

CREATE USER-DEFINED ACCESS POINT LIMITATION

The Create User-Defined Access Point page limits the display of access points to 500 so that search results return immediately.

[Figure: User-Defined Access Point Search]

When creating a user-defined access point, you already have an idea of the access path you want to create. For example, you may be looking for an access point that has to do with Journals, and so you filter for that. Notice that, after adding the filters to restrict the number of records returned, the error message no longer shows.

[Figure: User-Defined Access Point Search with Filters]

No steps are required to enable this feature.

For more information about user-defined access points, see the "Managing Model and Control Elements" chapter of Risk Management Cloud Using Advanced Access Controls.

CONTEXTUAL CONTROL AND INCIDENT EXTRACT REPORTS REMOVED

Two contextual reports have been removed, but are still available as embedded reports in the Advanced Controls Reports work area.

The Control Detail Extract report is no longer available as a contextual report in the toolbar under the Controls page. Alternatively, use Business Intelligence for Risk Management for reporting.

The Access Incident Details Extract report is no longer available as a contextual report in the toolbar of the Results page that displays incidents generated by a specific control. Alternatively, use the Export to Excel option in the toolbar, or use Business Intelligence for Risk Management for reporting.

No steps are required to enable this feature.

TIPS AND CONSIDERATIONS

Reports are easy to create in Business Intelligence (OTBI). Here is an example of a report that lists controls. You would use the Advanced Access Controls Real Time subject area to create it quickly. From that subject area, you may add as many detail dimensions as you wish. These might include the name of the control, priority, last run date, or other details.

[Figure: Control Detail Extract in OTBI]

An alternative to using OTBI is to run the existing embedded Control Detail Extract report by navigating to Advanced Controls Management > Advanced Controls Reports. Below is an example of the Control Detail Extract report.

[Figure: Embedded Control Detail Extract]

You don't have to extract your access incidents to a spreadsheet to analyze or pivot your results anymore. Instead, use OTBI to quickly create reports that allow you to see who has access to conflicts and how. You can focus in on an individual user, as shown below, and easily see there are two issues here.

1) Mason has access to create a payables invoice through the Accounts Payable Supervisor role and manage payables payments through the Accounts Payable Manager role. Should he have both roles?
2) Accounts Payable Supervisor role inherently has conflicting access. That role should be restructured.

[Figure: Access Incident Details Report]

You might want to start thinking about how the role structure needs to be cleaned up. To do that, add the Incident Information attribute to view the entire path that allows the user to get to the conflicting access.

[Figure: Access Incident Details Report - with Incident Information]

For information on creating OTBI reporting instruments, see Risk Management Cloud Creating Analytics and Reports for Risk Management.
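The following added example (not Oracle's code or algorithm) models the Mason case above together with the simulation questions raised under Access Simulation Enhancements: which incidents sit within a single role, how many conflicts a hypothetical removal cleans up, and which roles and users it touches. The duty names and the users Avery and Jordan are constructed for illustration.

```python
from itertools import product

# Constructed sample data: parent -> children in the role hierarchy.
HIERARCHY = {
    "Accounts Payable Supervisor": {"Invoice Entry Duty", "Payment Processing Duty"},
    "Accounts Payable Manager": {"Payment Processing Duty"},
    "Invoice Entry Duty": {"Create Payables Invoice"},
    "Payment Processing Duty": {"Manage Payables Payments"},
}
USER_ROLES = {
    "Mason": {"Accounts Payable Supervisor", "Accounts Payable Manager"},
    "Avery": {"Accounts Payable Manager"},
    "Jordan": {"Accounts Payable Supervisor"},
}
# Access point pairs the model defines as conflicting.
CONFLICTS = [("Create Payables Invoice", "Manage Payables Payments")]

def reachable(hierarchy, node):
    """Every access point granted by node, including itself (cycle-safe)."""
    seen, stack = set(), [node]
    while stack:
        cur = stack.pop()
        if cur not in seen:
            seen.add(cur)
            stack.extend(hierarchy.get(cur, ()))
    return seen

def find_incidents(hierarchy, user_roles, conflicts):
    """One incident per (user, role granting A, A, role granting B, B)."""
    incidents = set()
    for user, roles in user_roles.items():
        grants = {r: reachable(hierarchy, r) for r in roles}
        for a, b in conflicts:
            via_a = [r for r in roles if a in grants[r]]
            via_b = [r for r in roles if b in grants[r]]
            for ra, rb in product(via_a, via_b):
                incidents.add((user, ra, a, rb, b))
    return incidents

def within_single_role(incidents):
    """Incidents where one role alone grants both conflicting points."""
    return {i for i in incidents if i[1] == i[3]}

def simulate(hierarchy, user_roles, conflicts, steps):
    """steps: (parent, child) edges to remove hypothetically; data is untouched."""
    trial = {p: set(c) for p, c in hierarchy.items()}
    for parent, child in steps:
        trial.get(parent, set()).discard(child)
    before = find_incidents(hierarchy, user_roles, conflicts)
    after = find_incidents(trial, user_roles, conflicts)
    assigned = set().union(*user_roles.values())
    changed = {r for r in assigned
               if reachable(hierarchy, r) != reachable(trial, r)}
    return {
        "before": len(before),
        "after": len(after),
        "cleaned": len(before - after),
        "roles_changed": sorted(changed),
        "users_affected": sorted(u for u, rs in user_roles.items() if rs & changed),
    }

if __name__ == "__main__":
    step = [("Accounts Payable Supervisor", "Payment Processing Duty")]
    print(simulate(HIERARCHY, USER_ROLES, CONFLICTS, step))
```

Removing the payment duty from the Supervisor role clears the intra-role incidents but leaves Mason's cross-role incident, which only a role assignment change resolves.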

COPY CELL VALUE IN RESULTS AND CONTROLS

Copy a cell value (or Ctrl + C) from model results, controls, or incident results to the clipboard so that you can paste to other documents.

No steps are required to enable this feature.

TIPS AND CONSIDERATIONS

Having the option to copy and paste a value streamlines tasks like adding comments to an incident result. For example, now you can copy role information that needs to be modified from the incident information field and more easily create a remediation action.

[Figure: Copy a Value]

With the values you need in your clipboard, you can edit the incident, add a comment, and use pasted values as a remediation action.

[Figure: Paste a Value]

ACCESS CERTIFICATION

CERTIFICATION INITIATION

Oracle Access Certification enables your organization to perform periodic reviews to determine whether job roles are assigned appropriately to users. Access Certification users work at three levels.

The first level begins with an Access Certification administrator initiating a certification. This includes defining its details, including the scope of the roles being certified and the assignment of those roles to owners and auditors who are responsible for carrying out the certification.

When given the proper security, the administrator will see the Access Certifications icon on the home page.

[Figure: Access Certifications Navigation Icon]

Once in the application, the administrator can initiate a new certification by performing four steps:

1. Provide the general information about the certification.
2. Provide the scoping criteria.
3. Finalize the roles by manually selecting the roles generated from the scoping and then by assigning users to be owners and auditors of the selected roles.
4. Once that has been completed, the administrator can initiate the certification.

To enable this functionality:

1. A user must be assigned a job role that contains at least the Access Certification Administrator Duty role.
2. Once this is done, the necessary security synchronization jobs must be run.
3. The user should see the Access Certification icon on the home page.

TIPS AND CONSIDERATIONS

To initially test out the functionality for Access Certification, the seeded User Access Certification Manager job role should be assigned. This will give the user access to perform all the activities from administrator to owner to auditor.

For more information about creating a certification, see the "Initiating a Certification" chapter of Risk Management Cloud Using Access Certification.

ROLE INFORMATION

The User Access Certification Manager job role is seeded and inherits four duties for Access Certification. These seeded duties can be granted to users based on their required role.

CERTIFICATION MANAGEMENT

Oracle Access Certification enables your organization to perform periodic reviews to determine whether job roles are assigned appropriately to users. Access Certification users work at three levels.

The second level is Access Certification owner, who is granted responsibility for a set of the roles included in a certification. These roles are also assigned to one or more auditors, and the owner reviews the progress and the work of those auditors.

When given the proper security, the owner sees the Access Certification icon on the home page.

[Figure: Owner Access Certification Icon]

An Access Certifications page lists all certifications to which an owner is assigned. In it, the owner can select one of the certifications and open an Owner Overview page for it.

[Figure: Navigation to the Owner Overview]

From the Owner Overview, the owner can see and manage the progress of the auditors working on their roles.

[Figure: Owner Overview Page]

To enable this functionality:

1. A user must be assigned a job role that contains at least the Access Certification Owner Duty role.
2. Once this is done, the necessary security synchronization jobs must be run.
3. The user should see the Access Certification icon on the home page.

TIPS AND CONSIDERATIONS

To initially test out the functionality for Access Certification, the seeded User Access Certification Manager job role should be assigned. This will give the user access to perform all the activities from administrator to owner to auditor.

For more information about creating a certification, see the "Certifying Roles" chapter of Risk Management Cloud Using Access Certification.

ROLE INFORMATION

The User Access Certification Manager job role is seeded and inherits four duties for Access Certification. These seeded duties can be granted to users based on their required role.

CERTIFICATION WORKSHEET

Oracle Access Certification enables your organization to perform periodic reviews to determine whether job roles are assigned appropriately to users. Access Certification users work at three levels.

The third level is Access Certification auditor, who is responsible for performing the actual certification of a set of role and user combinations.

When given the proper security, the auditor sees the Access Certification icon on the home page.

[Figure: Access Certification Icon]

Once in the Access Certification product, the auditor can select the worksheet.

[Figure: Access to Worksheet]

When in the worksheet, the auditor can record access validation actions.

[Figure: Auditor Worksheet]

When these actions are saved, the progress is reflected in the Overview pages for the owner and administrator.

To enable this functionality:

1. A user must be assigned a job role that contains at least the Access Certification Auditor Duty role.
2. Once this is done, the necessary security synchronization jobs must be run.
3. The user should see the Access Certification icon on their home page.

TIPS AND CONSIDERATIONS

To initially test out the functionality for Access Certification, the seeded User Access Certification Manager job role should be assigned. This will give the user access to perform all the activities from administrator to owner to auditor.

For more information about creating a certification, see the "Certifying Roles" chapter of Risk Management Cloud Using Access Certification.

ROLE INFORMATION

The User Access Certification Manager job role is seeded and inherits four duties for Access Certification. These seeded duties can be granted to users based on their required role.

SUPPORTING ACTIVITIES

Access Certification makes use of these tools:

- An Access Certification Synchronization job updates user administrator, owner, and certifier assignments, including notifications. This occurs daily, and the schedule should not be modified.

- Build analyses, dashboards, and reports using the predefined Access Certification Real Time subject area.

No steps are required to enable this feature.

ROLE INFORMATION

The User Access Certification Manager job role is seeded and inherits four duties for Access Certification. These seeded duties can be granted to users based on their required role.

TRANSACTIONAL BUSINESS INTELLIGENCE FOR RISK MANAGEMENT

COMMON

NEW RISK MANAGEMENT ADMINISTRATION REPORTS

New administration reports are available under the Risk Management catalog and can be run for Financial Reporting Compliance, Advanced Financial Controls, and Advanced Access Controls.

- Change History report provides information on changes recorded in revision history for objects under the different product areas.
- Inaccessible Records and Worklists report provides information on records and worklist items that are no longer accessible by any application user.
- Unassigned Perspective Values report provides information around perspective hierarchies and values that are not assigned to any object.

To run any of these reports, navigate to Business Intelligence > Catalog > Shared Folders > Risk Management and then the respective product folder you are interested in, such as Advanced Financial Controls. Select the Administration folder to view the available reports.

[Figure: Administration Reports]

The change history report shows the old and new value for a record. For example, an Advanced Control incident result status changed from assigned to remediate for result ID 12040:1 on 6/5/2018.

[Figure: Change History]

The Inaccessible Records report will show the records that are not accessible by anyone. In the example below, no user has a data security policy that will allow view access to records associated to Auto Perspective > Auto Perspective Root. A system administrator must create a data security policy that has access to this perspective. At that point the user granted access can go change the perspective associated to the record if needed.

[Figure: Inaccessible Records and Worklists]

The Unassigned Perspective Values report shows perspectives that have not been assigned to any records. This may bring visibility to perspective values that should be assigned, but were overlooked, or it may prompt the business to inactivate perspectives that are not used.

[Figure: Unassigned Perspective Values]

A synchronization program must be run to gather real-time information pertaining to the Change History, Inaccessible Records, and Unassigned Perspective Values reports. By default, this job is scheduled to run every Sunday. To change the scheduled frequency or to run the program on demand, navigate to Risk Management Tools > Setup and Administration > Scheduling.

For more information, see Oracle Risk Management Cloud Creating Analytics and Reports in the Risk Management library of the Oracle Help Center.

ACCESS CERTIFICATION

SUBJECT AREA FOR ACCESS CERTIFICATION

Access Certification delivers one subject area that allows creation of analyses based on Access Certification data. The subject area is Risk Management Cloud Services Access Certification Real Time.

[Figure: Risk Management Cloud - Access Certification Real Time Subject Area]

The subject area provides details related to certifications in Oracle Access Certification. These details include the administrators, owners, and certifiers involved, and the actions taken by each.

Most organizations perform access certifications on a quarterly basis. They review the users that have access to key job roles to determine if that access is appropriate.

Dimensions in this subject area allow reporting and analysis related to certification results such as the user-role combinations that have been reviewed, and whether they were approved or removed.

The person who views an analysis or report based on this subject area can only see records they can also access in the Access Certification application.