TABLE OF CONTENTS

UPDATE 20C ···························································································································································································································· 2

Revision History ····················································································································································································································· 2
Overview ····································································································································································································································· 2
Risk Management ················································································································································································································ 2
Common ······························································································································································································································· 3
Mass Edit Security by Record Owners ··················································································································································· 3
Security Synchronization Is Optimized ················································································································································· 3
Financial Reporting Compliance ··········································································································································································· 3
Assessment Records Security Now Supports Adding Assessors ························································································· 3
Assessment Batch Start Date is Now Read Only ····························································································································· 3
Enhanced Assessment In-Scope Values ·············································································································································· 3
Due Date is No Longer a Required Field for Risk Analysis or Evaluation ······································································· 3
Changes Made to Context Model Name ·············································································································································· 3
Advanced Financial Controls ·················································································································································································· 4
Data Access Requirement with Messaging ········································································································································ 4
Character Length Increased on System-Generated Column ·································································································· 4
System-Generated Date Values Use Object Locale ······················································································································ 4
Data Synchronization Job Runs Across All Objects ······················································································································ 4
Mass Edit More Than 25 Incidents ··························································································································································· 4
Advanced Access Controls ······················································································································································································· 4
New and Updated Delivered Model Content ····································································································································· 4
Mass Edit More Than 25 Incidents ··························································································································································· 5
Transactional Business Intelligence for Risk Management ················································································································ 5
Created By, Reviewed By, Approved By and Comments Are Added ················································································· 5
Relabeled User Authorization Attribute ················································································································································ 5
Reporting On User Assignment Security Is Added for Process and Risk ········································································ 5
UPDATE 20C

REVISION HISTORY
This document will continue to evolve as existing sections change and new information is added. All updates
appear in the following table:

Date Product Feature Notes

Created initial
05 JUN 2020
document.

OVERVIEW
This guide outlines the information you need to know about new or improved functionality in this update.

DISCLAIMER

The information contained in this document may include statements about Oracle’s product development
plans. Many factors can materially affect Oracle’s product development plans and the nature and timing of
future product releases. Accordingly, this Information is provided to you solely for information only, is not a
commitment to deliver any material, code, or functionality, and should not be relied upon in making
purchasing decisions. The development, release, and timing of any features or functionality described
remains at the sole discretion of Oracle.

This information may not be incorporated into any contractual agreement with Oracle or its subsidiaries or
affiliates. Oracle specifically disclaims any liability with respect to this information. Refer to the Legal Notices
and Terms of Use for further information.

RISK MANAGEMENT
Oracle Risk Management consists of the following key solution areas:

Financial Reporting Compliance to automate audit assessments and certifications.

Advanced Access Controls to manage user access and segregation-of-duty risk.
Advanced Financial Controls to continuously monitor configuration changes and business transactions.
Access Certifications to streamline reviews by process owners to ensure that employees have been
granted appropriate access based on their current job.
Enterprise Risk Management to streamline the analysis, evaluation, and treatment of documented risks.

2
COMMON

MASS EDIT SECURITY BY RECORD OWNERS

You can now mass-update data-security assignments for records you're authorized to own. These records
include models, controls, and incident results in Advanced Controls; processes, risks, controls, assessments,
issues, and remediation plans in Financial Reporting Compliance; and certifications in Access Certification.

SECURITY SYNCHRONIZATION IS OPTIMIZED

Worklist synchronization used to run as part of the Security Synchronization job. In 20C, the Security
Synchronization job has been optimized. It will spawn two separate jobs, which you can view in the Monitor
Jobs page: Result Worklist Synchronization (related to Advanced Controls) and Financial Reporting
Compliance Worklist Synchronization.

FINANCIAL REPORTING COMPLIANCE

ASSESSMENT RECORDS SECURITY NOW SUPPORTS ADDING ASSESSORS

After you initiate an assessment batch that includes a survey, you can add new assessors. New assessors
have access to submit the survey responses.

ASSESSMENT BATCH START DATE IS NOW READ ONLY

The assessment batch start date is now a read only value. The application will automatically set the current
date and time as the batch start date.

ENHANCED ASSESSMENT IN-SCOPE VALUES

As you create an assessment plan for the Process or Control object, one of the two in-scope values is now
selected by default. That selection is determined by the assessment activity inherited from the template on
which a plan is based. For the Audit Test activity, the Audit Test in-scope value is selected; for any other
activity, the Assessment in-scope value is selected. The plan returns processes or controls assigned the
selected in-scope value.

DUE DATE IS NO LONGER A REQUIRED FIELD FOR RISK ANALYSIS OR EVALUATION

The due date for a risk analysis or risk evaluation is no longer mandatory.

CHANGES MADE TO CONTEXT MODEL NAME

You can now create a risk context model name with a maximum of 150 characters.

3
ADVANCED FINANCIAL CONTROLS

DATA ACCESS REQUIREMENT WITH MESSAGING

To view or edit a transaction model or control, you must not only be authorized as its owner, editor, or
viewer, but also be assigned all the business objects from which it draws data for analysis. If you are missing
business-object security, a Missing Business Objects Access icon appears at the beginning of the object or
control name. If you click the name, an error message identifies the missing objects.

CHARACTER LENGTH INCREASED ON SYSTEM-GENERATED COLUMN

Results returned by transaction models and controls may include system-generated columns, such as those
created by the Similar and Equals conditions. The character limit for system-generated columns has been
increased from 50 to 250.

SYSTEM-GENERATED DATE VALUES USE OBJECT LOCALE

A value in a system-generated column is of the string type, even if it comprises attributes of other data types.
Formatting preferences you may configure for date attributes have no bearing on dates in system-generated
columns. Instead, the Source Language (locale) of a model or control that produces system-generated values
determines the date format for those values.

DATA SYNCHRONIZATION JOB RUNS ACROSS ALL OBJECTS

Data synchronization, which is run from the Advanced Controls Configuration page, refreshes data in
business objects used by transaction models and controls. Previously, the job recognized only business
objects assigned to the person who ran the job. Now, the job updates all business objects used in all models
and controls, regardless of who runs it.

MASS EDIT MORE THAN 25 INCIDENTS

Previously, you could select up to 25 incident results to mass edit. Now, you can mass edit any number of
incidents that match your search criteria.

ADVANCED ACCESS CONTROLS

NEW AND UPDATED DELIVERED MODEL CONTENT

Oracle delivers three new models to detect segregation-of-duties conflicts and sensitive access. These
models include 4085: HDL Import Data into Stage Tables and HDL Import Data into Application Tables, 4096:
HDL Sensitive Data Loader Privileges, and 4097: HDL Sensitive Data Exchange Work Area. In addition, three
existing models were updated to reference entitlements that will reduce false positives. The affected models
are 7551: Post Journal Entry and Manage Accounting Period Statuses, 6918: Enter Journals and Manage
Accounting Period Statuses, and 10014: Maintain Project Accounting Periods and Manage Accounting Period
Statuses.

4
MASS EDIT MORE THAN 25 INCIDENTS
Previously, you could select up to 25 incident results to mass edit. Now, you can mass edit any number of
incidents that match your search criteria.

TRANSACTIONAL BUSINESS INTELLIGENCE FOR RISK MANAGEMENT

CREATED BY, REVIEWED BY, APPROVED BY AND COMMENTS ARE ADDED

The dimensions in the Risk Management Cloud - Assessment Results Real Time and Compliance Real Time
subject areas have been enhanced. Within the Risk Management Cloud - Assessment Results Real Time you
can now report on the user who reviewed the assessment record, in addition to the comments the reviewer
submitted.  Within Risk Management Cloud - Compliance Real Time subject areas you can also report on
additional attributes for the issue record.

RELABELED USER AUTHORIZATION ATTRIBUTE

In some Risk Management subject areas, you will find objects with a user security assignment folder. Within
this folder, the User Authorization attribute has been relabeled to Assigned Authorization.

REPORTING ON USER ASSIGNMENT SECURITY IS ADDED FOR PROCESS AND RISK

To secure Risk Management records, you authorize individual users or user groups as owners, editors, or
viewers. You can now report on which users and groups are authorized, and at what levels, for these objects:
process and risk in Financial Reporting Compliance.

---

5
Copyright © 2020, Oracle and/or its affiliates. All rights reserved.

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as
expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish,
or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable:

U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.
S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use,
duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or
documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.

This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous
applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all
appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this
software or hardware in dangerous applications.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC
International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The
Open Group.

This software or hardware and documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates are
not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement
between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content,
products, or services, except as set forth in an applicable agreement between you and Oracle.