
Advanced Access Controls

Best Practices

July 2018

Copyright © 2018, Oracle and/or its affiliates. All rights reserved.


Safe Harbor Statement
The following is intended to outline our general product direction. It is
intended for information purposes only, and may not be incorporated into
any contract. It is not a commitment to deliver any material, code, or
functionality, and should not be relied upon in making purchasing
decisions. The development, release, and timing of any features or
functionality described for Oracle’s products remains at the sole discretion
of Oracle.



Introduction
Best practice Risk Management processes enable you to identify your
business risks, and controls necessary to mitigate these risks, while
achieving process efficiency and yielding maximum ROI at minimum cost.

Oracle recommends that you start with these best practice processes. This
deck shows the processes in some detail.

Oracle provides hands-on training for configuring and performing these
processes.

Financial Reporting Compliance
Risk Management Applications:
Advanced Controls
Best Practice Process

[Process diagram: Document Risks & Controls; Assess Control Effectiveness; Identify Unwanted Transactions; Identify Unwanted Access; Deploy Advanced Controls; Address Issues, Improve Processes; Certify Controls; Fine-Tune Risks & Controls]

Document Risks & Controls: Document operational/financial risks and controls in central repository. Use streamlined workflow to review and improve.

Assess Control Effectiveness: Perform self-assessments of all controls, and independently test key controls. Streamline testing with standardized test plans; accelerate with prior test results.

Identify Unwanted Transactions: Design automated tests of Financials Cloud transactions to find fraud, error and policy violations.

Identify Unwanted Access: Design automated tests of Financials Cloud user access to find more users who could cause fraud, error and policy violations.

Deploy Advanced Controls: Enforce continual automated testing and incident management.

Address Issues, Improve Processes: Document treatment of control issues that are determined to be significant deficiencies or material weaknesses. Use issues and treatments to guide process improvements.

Certify Controls: Compile control assessment reports for management and audit committee. Produce control certification reports for executives and financial officers.

Fine-Tune Risks & Controls: Perform periodic risk assessments based on feedback from control assessments, issues found, and new data – e.g., changes to business goals or regulations.

Advanced Access Controls Best Practice Process


Identify Excessive Access
– Create Models and assess results
– Remediate excessive access where feasible

Deploy Controls
– Convert Models to Controls
– Run Control Analysis periodically

Address Issues
– Manage incidents - options:
  – Adjust ERP/HCM/SCM security configuration
  – Add compensating transaction controls

Report Results
– Report incident management results to managers, auditors
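
The access analysis in the process above, sketched in Python as an added illustration (not part of the original deck and not Oracle's implementation): a model is a pair of access points, and an incident is a user who reaches both through the role hierarchy. Role names, user names and all function names are hypothetical; the two model names are taken from the deck's pre-built model lists, and the user exclusion is a simplified stand-in for an access condition.

```python
from itertools import product

# Constructed sample data: role and user names are hypothetical.
# Role hierarchy: role -> (access points granted directly, roles inherited).
ROLES = {
    "AP_CLERK": ({"Create Payables Invoices"}, set()),
    "AP_PAYER": ({"Create Payments"}, set()),
    "AP_SUPERVISOR": ({"Approve Payables Invoices"}, {"AP_CLERK", "AP_PAYER"}),
    "GL_ACCOUNTANT": ({"Enter Journals", "Post Journal Entry"}, set()),
}
USERS = {"alice": {"AP_CLERK"}, "bob": {"AP_SUPERVISOR"},
         "carol": {"GL_ACCOUNTANT"}, "dave": {"AP_CLERK", "AP_PAYER"}}
# Two models, named after entries in the deck's pre-built model lists.
MODELS = {
    "Create Payables Invoices and Create Payments":
        ("Create Payables Invoices", "Create Payments"),
    "Enter Journals and Post Journal Entry":
        ("Enter Journals", "Post Journal Entry"),
}

def access_paths(role, roles, trail=()):
    """Yield (access point, role path) for everything reachable from role."""
    trail += (role,)
    grants, inherited = roles[role]
    for point in sorted(grants):
        yield point, " > ".join(trail)
    for child in sorted(inherited):
        if child not in trail:  # tolerate a cyclic hierarchy
            yield from access_paths(child, roles, trail)

def analyze(users, roles, models, excluded_users=frozenset()):
    """Return incidents: (model, user, path to point A, path to point B)."""
    incidents = []
    for user in sorted(set(users) - set(excluded_users)):
        paths = {}
        for role in sorted(users[user]):
            for point, path in access_paths(role, roles):
                paths.setdefault(point, []).append(path)
        for name, (a, b) in sorted(models.items()):
            incidents += [(name, user, pa, pb)
                          for pa, pb in product(paths.get(a, []), paths.get(b, []))]
    return incidents

def simulate_redesign(roles, role, drop_inherited):
    """Copy the hierarchy with one inheritance removed, leaving ROLES untouched."""
    copy = {r: (set(g), set(i)) for r, (g, i) in roles.items()}
    copy[role][1].discard(drop_inherited)
    return copy

if __name__ == "__main__":
    for incident in analyze(USERS, ROLES, MODELS):
        print(incident)
```

Re-running `analyze` on the hierarchy returned by `simulate_redesign` shows which incidents a proposed role change would clear before the real security configuration is touched.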

Let’s see the Advanced Access Controls best
practice process in action…

Preview

I import pre-built models, test and refine them, and use the results to guide improvements to role definitions

Business Analyst



Pre-built Models
Financials
Enter Journals and…
– Assets Depreciation
– Assets Workbench
– Capitalizing Assets
– Post Journal Entry
– Setup Assets
– Set Up General Ledger Chart of Accounts
– Set Up General Ledger Currencies
– Set Up General Ledger Daily Rates
– Manage Accounting Data Security
– Set Up General Ledger Sets
– Set Up General Ledger Statistical Units of Measure
– Manage Accounting Period Statuses
– Define Accounting Calendars
– Manage Journal Approval Rules
– Set Up General Ledgers
– Manage General Ledger Balances Cube
– Manage General Ledger Enterprise Structures

Post Journal Entry and…
– Set Up Assets
– Manage Accounting Period Statuses
– Define Accounting Calendars
– Manage Journal Approval Rules
– Set Up General Ledgers
– Manage General Ledger Balances Cube
– Manage General Ledger Enterprise Structures
– Assets Depreciation
– Assets Workbench
– Capitalizing Assets
– Set Up General Ledger Chart of Accounts
– Set Up General Ledger Currencies
– Set Up General Ledger Daily Rates
– Manage Accounting Data Security
– Set Up General Ledger Sets
– Set Up General Ledger Options
– Set Up General Ledger Statistical Units of Measure



Pre-built Models
Procurement
Enter Journals and… Invoices Create Suppliers Create Purchase Orders
– Create Payables Invoices – Maintain Supplier Bank and… and…
– Create Payments Accounts – Receive Goods and – Approval Authorization
– Create Purchase Orders – Receive Goods and Services Control
Services – Create Payments – Approve Payables
– Approve Payables – Merge Suppliers Invoices
Invoices – Create Purchase
– Bank Account Agreements – Create Payables Invoices
Reconciliation – Maintain Supplier Bank – Receive Goods and
Post Journal Entry and… Accounts Services
– Create Payables Invoices Create Payments and… – Approve Payables – Return Goods and
– Approve Payables Invoices Services
Invoices – Approve Payables – Create Payables Invoices – Receipt Accounting
Invoices
– Create Payments – Receive Goods and – Create Purchase Orders – Manage Payables System
– Create Purchase Orders Services Option
– Set up Payment – Merge Suppliers
Create Payables Invoices – Create Purchase Orders
and… – Merge Suppliers Security
– Create Payments – Bank Account Create Role and…
– Approve Payables Reconciliation
– Provision Role



Pre-built Models
Supply Chain
Enter Journals and… Receivables Invoice Item Costing and… Enter Customer Receipts
– Enter Customer – Enter Customer – Create Items and…
Receipts Receipts – Pick Release Goods – Enter Accounts
– Physical Inventory – Release Sales Order – Release Sales Order
Receivables Invoice
– Release Sales Order – Bank Account
– Ship Confirm Goods Reconciliation
– Remittances Receive Goods and
Services and…
– Cycle Counting
Release Sales Order Create Items and…
Post Journal Entry and… and…
– Inventory Transactions – Cycle Counting
– Enter Customer – Maintain Automatic
Receipts – Physical Inventory Receipts – Inventory Transactions
– Physical Inventory – Delete Receipts – Item Costing or Manage
Cost Accounting
– Release Sales Order Return Goods and – Enter Accounts Activities
– Remittances Services and… Receivables Invoice
– Create Payables Invoices – Enter Customer
Receipts Create Purchase Orders
Create Customer and… – Enter Customer and…
Receipts – Remittances
– Remittances – Reversing Receipts – Item Costing or Manage
– Receive Goods and Receipt Accounting
– Enter Accounts Services Activities



Pre-built Models
HCM
Create User and…
– Manage Compensation
– Manage Payroll
– Manage Payroll Batch Processes
– Manage Payroll Costing
– Manage Time and Labor

Manage Employee and…
– Manage Compensation
– Manage Payroll
– Manage Payroll Batch Processes
– Manage Payroll Costing
– Manage Time and Labor

Manage Person and…
– Manage Compensation
– Manage Payroll
– Manage Payroll Batch Processes
– Manage Payroll Costing
– Manage Time and Labor

Manage Worker and…
– Manage Compensation
– Manage Payroll
– Manage Payroll Batch Processes
– Manage Payroll Costing
– Manage Time and Labor

Manage Compensation and…
– Manage Payroll
– Manage Payroll Batch Processes
– Manage Payroll Costing

Manage Employee Position and…
– Manage Compensation
– Manage Payroll
– Manage Payroll Batch Processes
– Manage Payroll Costing
– Manage Time and Labor

Manage Time and Labor and…
– Manage Payroll
– Manage Payroll Batch Processes
– Manage Payroll Costing

Sensitive Human Resource Privileges
Sensitive Payroll Privileges
Sensitive Time and Labor Privileges



Import Pre-built Models



Review Model



Configure Model - Edit Logic



Configure Model - Add Access Conditions



Review Model Results



Visualize Results



Remediation Options

Convert Models to Controls



Review and Remediate Incidents

I review and remediate incidents in my business area

Process Owner



Simulate Role Redesign



Review Incident Reports

I review incident reports and re-evaluate our existing access controls

Internal Auditor



Advanced Access Controls Best Practice Solution
1. Gather configuration data
2. Setup AAC (general, users and Admin roles)
3. Import Pre-built Models
4. Test & Refine Models
5. Review Results & Remediate
6. Deploy Advanced Controls
7. Schedule User Sync & Control Analysis
8. Review Incidents & Remediate
9. Review Incident Reports

Roles shown in the diagram: Business Analyst, Process Owner, Internal Auditor

Implementer should guide and train the users to perform their activities in Adv Controls



Learn more

Review the Advanced Financial Controls Best Practice Process

Review the Financial Reporting Compliance Best Practice Process



Next Steps

Review the “Adopting, Sustaining and Growing” section of the Risk Management Getting Started note in MOS
