
Oracle Risk Management Cloud:

Financial Reporting Compliance


Fundamentals
Student Guide
D96213GC10
Edition 1.0 | October 2016 | D98145
Learn more from Oracle University at oracle.com/education/
Author
David Christie

Technical Contributors and Reviewers
Julianna Dodick
Bruce Ingram
Essan Ni Jirman
Mary Kalway
Lakshmi Rajamohan
Irina Reinlieb
Mark Stebelton
Kathy Wohnoutka

Editor
Chandrika Kennedy

Graphic Designer
Prakash Dharmalingam

Publishers
Veena Narasimhan
Asief Baig

Copyright © 2016, Oracle and/or its affiliates. All rights reserved.

Disclaimer

This document contains proprietary information and is protected by copyright and
other intellectual property laws. You may copy and print this document solely for your
own use in an Oracle training course. The document may not be modified or altered
in any way. Except where your use constitutes "fair use" under copyright law, you
may not use, share, download, upload, copy, print, display, perform, reproduce,
publish, license, post, transmit, or distribute this document in whole or in part without
the express authorization of Oracle.

The information contained in this document is subject to change without notice. If you
find any problems in the document, please report them in writing to: Oracle University,
500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not
warranted to be error-free.

Restricted Rights Notice

If this documentation is delivered to the United States Government or anyone using
the documentation on behalf of the United States Government, the following notice is
applicable:

U.S. GOVERNMENT RIGHTS
The U.S. Government’s rights to use, modify, reproduce, release, perform, display, or
disclose these training materials are restricted by the terms of the applicable Oracle
license agreement and/or the applicable U.S. Government contract.

Trademark Notice

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names
may be trademarks of their respective owners.

Contents

1 Introduction to Oracle Financial Reporting Compliance
Course Objectives
Course Approach
Course Schedule
Risk Management Cloud Implementation Resources
Lesson Objectives
What Is Financial Reporting Compliance?
What Is the Financial Reporting Compliance Best Practice Solution?
Objects Explained
Common Concepts
Advanced Concepts
Summary

2 Introducing Oracle Fusion Navigation
Lesson Objectives
Getting Started in Oracle Fusion Applications
Favorites and Recent Items
Work Areas and the Tasks Panel
Practice 2-1 Overview: Getting Started in Oracle Fusion Applications
Summary

3 Configuring Roles and Users
Lesson Objectives
Initiating Predefined Security
Oracle Cloud Security Methodology
Role Types
Role-Assignment Strategies
Predefined Duty Roles
Planning Roles
Creating Roles
A Security Example
Creating Users
Role Provisioning Tasks
Using Role Mappings
Practice 3-1 Overview: Configuring Basic and Admin Job Roles
Practice 3-2 Overview: Planning Security Assignment for Users
Practice 3-3 Overview: Creating and Assigning Other External Job Roles
Practice 3-4 Overview: Creating Other Application Job Roles
Summary

4 Migrating Risk and Control Data
Lesson Objectives
Assembling Current Data
Data Migration Utility Overview
Data Migration Objects
Introducing the Import Template
Perspective Hierarchies Defined
Planning Perspective Hierarchies
Importing Perspective Hierarchies
Practice 4-1 Overview: Reviewing an Import Template Demonstration
Generating an Import Template
Practice 4-2 Overview: Generating an Import Template
Importing an Updated Template
Practice 4-3 Overview: Importing a Populated Template
Associating Perspectives to Objects
Practice 4-4 Overview: Associating Imported Perspectives with Objects
Validating Imported Data
Summary

5 Configuring Data Security
Lesson Objectives
Data Security Overview
Data Security Filters
A Security Example
Creating Data Security Policies
Practice 5-1 Overview: Creating Data Security Policies
Mapping Policies to Roles
Practice 5-2 Overview: Mapping Data Security Policies
Summary

6 Managing Risks and Controls
Lesson Objectives
Risk Management
Creating Risks
Attaching Documents
Selecting Perspective Values
Control Management
Relating Controls to a Risk
Practice 6-1 Overview: Creating a Risk and a Related Control
Reviewing and Approving Objects
Practice 6-2 Overview: Reviewing Objects
Creating Controls Independently of Risks
Creating Test Plans
Practice 6-3 Overview: Creating a Related Control and Test Plan Independently of a Risk
Relating Controls to a Risk: Another Option
Practice 6-4 Overview: Relating a Control to a Risk
Summary

7 Managing Assessments
Lesson Objectives
Assessment Management
Batch and Ad Hoc Assessments
Assessment Activities
Assessment Flow
Creating an Assessment Template
Practice 7-1 Overview: Creating an Assessment Template
Creating an Assessment Plan
Practice 7-2 Overview: Creating an Assessment Plan
Initiating a Batch Assessment
Practice 7-3 Overview: Initiating a Batch Assessment
Initiating an Ad Hoc Assessment
Completing an Assessment
Practice 7-4 Overview: Completing an Assessment
Summary

8 Managing Issues
Lesson Objectives
Issue Management
Creating an Issue
Practice 8-1 Overview: Creating an Issue Within Object Management
Practice 8-2 Overview: Creating an Issue Within Issue Management
Understanding Issue Security
Resolving an Issue
Validating an Issue
Reviewing Issue Details
Closing an Issue
Practice 8-3 Overview: Closing an Issue
Summary

9 Managing Reports
Lesson Objectives
Report Summary
Running Reports
Managing Report Parameters
Saving Parameter Values
Reviewing Scheduled Reports
Reviewing Report Schedules
Summary

10 Additional Administration
Lesson Objectives
Activating E-Mail Alerts
Security Optimization
Configuring Currency
Practice 10-1 Overview: Setting Application Configurations Demonstration
Managing Lookups
Practice 10-2 Overview: Managing Lookups
Summary

1 Introduction to Oracle Financial Reporting Compliance


Course Objectives

After completing this course, you should be able to:


• Understand how Oracle Financial Reporting Compliance enables you to manage your risk-control matrix.
• Apply the Financial Reporting Compliance Best Practice Solution, which streamlines implementation.
• Configure user security.
• Migrate risk and control data from your existing systems into Financial Reporting Compliance.
• Configure data security.
• Create new risks and controls, relate controls to risks, and create test plans to ensure that controls mitigate related risks.
• Plan, initiate, and complete assessments of risks and controls.
• Manage issues identified during assessments.
• Manage reports.
• Complete advanced activities:
– Setting application configurations.
– Managing lookups.


Course Approach

Each lesson in this course begins with your instructor presenting important concepts related to implementing and using Financial Reporting Compliance.
The lesson may also include one or more of the following activities:
• Discussing key decisions and best practices.
• Completing an activity or a knowledge-assessment task.


Course Schedule

• Day One:
– Introduction
– Navigation
– User security
– Gathering and migrating data
• Day Two:
– Data security
– Managing risks and controls
– Managing assessments
– Managing issues
• Day Three:
– Reports
– Administration



Risk Management Cloud Implementation Resources

Classroom Resources:
• Oracle Cloud Financial Reporting Compliance Fundamentals
(this guide)
• Oracle Applications Help
• Cloud.oracle.com/risk-management-cloud
Product summaries, data sheets, and release spotlights
• Risk Management documentation
• Customer Connect: https://ora-fusion-apps.custhelp.com
• Your instructor
• Other students


Risk Management documentation is available in the Oracle Help Center. You can find it at this
site: http://docs.oracle.com/cloud/latest/riskcs_gs/index.html
Next steps:
• Get Started: Learn how to plan and adopt, then sustain through growth and change:
Oracle Risk Management Cloud: Get Started with your Implementation (Doc ID
2120557.1) at https://support.oracle.com.
• Team With a Go-To Partner: Success requires experience and expertise, both of which
you can get from our Go-To Partners. To get connected, contact your Oracle Customer
Success Manager or Oracle Applications Sales Manager.
• Implement Our Best Practice Process: This business process and automation is the
foundation of each implementation. Once you have an implementation plan, request a
plan review from your Oracle Success Manager.
Oracle also provides additional guidance. Review the Risk Cloud datasheets, release
readiness materials, product demos and videos, as well as the Oracle Cloud Welcome
videos.



Lesson Objectives

After completing this lesson, you should be able to:


• Describe Financial Reporting Compliance and its Best
Practice Solution.
• Enumerate the objects you can work with to define your risk-control matrix in Financial Reporting Compliance.
li
• Understand features that apply to all Financial Reporting
Compliance objects.
• Describe options that are more advanced than those
implemented in the Best Practice Solution.



What Is Financial Reporting Compliance?

Financial Reporting Compliance consolidates the documentation of your business practices to satisfy financial reporting regulations.
This enterprise-scope solution enables you to:
• Define and interrelate risks, controls, assessments, and issues.
• Automate periodic reviews, approvals, tests, and follow-
through.
• Secure what users can see and do.
• Let stakeholders get the information they need to make the
best decisions.
• Lower cost by implementing efficient, repeatable, and reliable
day-to-day usage and administration.


Financial Reporting Compliance provides two levels of review:


• As users create or edit risks, controls, or other objects, other users may review and
either approve or reject them. This applies only if those users are assigned review or
approval roles, mapped to data security policies that select the object records to be
reviewed or approved.
• Assessment is a separate process by which any number of object records may be
evaluated for certification, audit, design review, or other purposes.
To set up security, you define:
• Job roles, which determine users' functional access.
• Data security policies, which determine the data users have access to.
Financial Reporting Compliance provides a set of reports that provide details about
assessments, controls and risks, and issues.



What Is Financial Reporting Compliance?

Financial Reporting Compliance maintains a risk-control matrix.


Use the application to complete these actions:


What Is a Risk-Control Matrix?


Every business process is subject to risks, and a company enacts controls to minimize those
risks. For example:
• The Accounting Department follows a defined process for year-end closing.
• A risk to this process may be that certain tax records are omitted and so the closing is
inaccurate.
• A control may establish a routine way of handling tax records, to ensure they are readily
at hand and cannot be overlooked.
A risk-control matrix is an organized record of all the material risks that may affect each
process and all the controls created to address those risks.
The essential purpose of Financial Reporting Compliance is to:
• Consolidate your company's risk, control, and related records.
• Ensure their consistency and effectiveness.
• Meet financial reporting compliance requirements.



What Is the Financial Reporting Compliance Best
Practice Solution?
The Best Practice Solution is a prescriptive set of steps for
deploying key elements of Financial Reporting Compliance with
maximum speed and efficiency, and with minimum cost and
upkeep.
An initial set of steps applies to configuration:


Best Practice Solution Steps


• Step 1:
- Retrieve existing risk and control definitions from spreadsheets, e-mail records,
file-sharing systems, and any other repositories.
- Collect related data, such as the documentation needed to support risks and
controls.
- Consider who is to work with risks and controls, and the roles they are to fill.
• Step 2: Use a Data Migration utility to import this data into Financial Reporting
Compliance.
• Step 3:
- Use Oracle Identity Manager and Authorization Policy Manager to define Risk
Management roles and assign them to users. You can create job roles from
predefined duty roles.
- Use Risk Management to create data security policies that define data access, and
map these policies to job roles.



What Is the Financial Reporting Compliance Best
Practice Solution?
A second set of steps applies to everyday use:


Best Practice Solution Steps


• Steps 4 and 5:
- Use risk-management and control-management work areas to create new risks
and controls, or modify existing ones.
- Optionally use Risk Management workflow to route risks and controls to reviewers
and approvers.
• Steps 6 through 10: Regularly assess risks and controls to ensure their continued
viability. This may involve:
- Creating templates from which you develop plans.
- Creating plans from which you route assessments to participants.
- Resolving issues uncovered by assessments.
- Using Risk Management reports to review assessment results.



Objects Explained


Object is the generic term for any of the components that Financial Reporting Compliance
may use to define a risk-control matrix. The Best Practice Solution uses the following objects:
• A risk defines circumstances that may adversely affect a business process.
ocess
• A control defines measures to address a risk. For each control, you can create test
plans. These document steps to be followed in determining whether the control is
effective.
• An assessment is the review of a risk or control to ensure that it is defined correctly and
remains effective over time.
• An issue is a defect or deficiency detected for a risk or control, or an activity connected
with one of these objects, such as an assessment.



Common Concepts

Certain features and procedures apply to all Financial Reporting Compliance objects and activities.
• Perspective assignments: A perspective is a set of related, hierarchically organized values.
– You assign individual perspective values to individual risks or controls.
– You also select perspective values for data security policies, to determine whether users have access to data.
– You can use perspective values to filter Financial Reporting Compliance object-management pages and reports.

Perspective Notes
The purpose of assigning perspective values to risks or controls is to place those objects in a
context. For example, you may:
• Create a Process perspective, whose values represent your company’s business
processes.
• Associate individual Process-hierarchy values with individual incidences of the Risk
object, indicating that each risk impacts the process you associate it with.
Perspectives are instrumental to Financial Reporting Compliance security:
• Job and duty roles define functional access, but data security policies define data-level
security. You map policies to roles and assign job roles to users. Those users have
access only to data defined by policies mapped to their roles.
• A data security policy may specify perspective values. If so, it grants access only to
objects with matching perspective-value selections. For example, a user’s job role maps
to a data security policy that specifies a particular Process-perspective value. The user
has access only to data concerning that process. That is another way of saying data
associated with the same value of the Process perspective.



Common Concepts

• Reviewing and approving: You can require that risks, controls, or assessments or the issues raised against them be reviewed or approved, or both, when they are created or modified. Users with appropriate job roles can:
– Accept any of these items.
– Request information.
– Reject the item.
– Withdraw an information request.

Review and approval duty roles exist for each of these items. The assignment of any of these
roles to a user initiates a workflow appropriate for the item designated by the role: Any new or
edited item is routed to the reviewer or approver before anyone else can work with it. If no
user is assigned one of these roles for an item, no workflow is initiated for that item.
If you have one of these roles, review or approval requests appear among your worklists. You
can:
• Accept the risk, control, assessment, or issue: If you are a reviewer and approval is
required, the item moves to the approver. If it does not require approval, or if you are the
approver, the item’s state is set to Approved.
• Return for information: The user who created or edited an item must either provide
information you request or withdraw the object.
• Reject the item: This removes the item from the workflow and changes its state to
Rejected.
• Withdraw a return for information: The item reverts to its In Edit state, but must still be
approved before it takes effect.



Common Concepts

• Saving and submitting: When you save or submit a record of a risk, control, or other element, you preserve values you have selected as you create or edit it. However:
– If you submit a record, you advance it to a state beyond the one in which you opened it.
– If you save a record, you leave it at the state in which you opened it. Or, if you are creating it, you set its state to New.

State matters because:


• A data security policy designates, among other criteria, the state at which a record must
be for a user to have access to it. So when you submit a record and therefore change its
state, you make it available for other users to work with.
• Because a Save operation does not change the state of a record, it remains available for
you for further work before you release it to others.
• Although you may save a risk, control, or other element at first, your final action should
be to submit it so that it is active in your system.
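
The access rule described in the Perspective Notes and in the state discussion above, sketched as an added example (it is not Oracle code and uses no Oracle API): a user reaches a record only through a data security policy mapped to one of the user's job roles, and the policy must match the record's object type, state, and perspective value. Role, policy, user, and record names are constructed, and matching on at least one shared perspective value is an assumption.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Record:
    name: str
    object_type: str           # e.g. "Risk" or "Control"
    state: str                 # e.g. "New" or "Approved" (states named on the page)
    perspectives: frozenset    # (perspective, value) pairs assigned to the record


@dataclass(frozen=True)
class Policy:
    name: str
    object_type: str
    states: frozenset                            # states a record must be in
    perspective_values: frozenset = frozenset()  # empty means no perspective filter

    def grants(self, rec):
        if rec.object_type != self.object_type or rec.state not in self.states:
            return False
        # Assumption: a policy matches when it shares at least one value with the record.
        return not self.perspective_values or bool(self.perspective_values & rec.perspectives)


# Constructed sample data: names are illustrative, not predefined Oracle roles.
CLOSE = frozenset({("Process", "Year-End Close")})
P2P = frozenset({("Process", "Procure to Pay")})

ROLE_POLICIES = {
    "Close Risk Author": [Policy("Author close risks", "Risk",
                                 frozenset({"New", "Approved"}), CLOSE)],
    "Close Risk Viewer": [Policy("View close risks", "Risk",
                                 frozenset({"Approved"}), CLOSE)],
    "Control Viewer": [Policy("View all controls", "Control",
                              frozenset({"Approved"}))],
}
USER_ROLES = {"alice": ["Close Risk Author"], "bob": ["Close Risk Viewer"],
              "carol": ["Control Viewer"], "dan": []}

RECORDS = [
    Record("Tax records omitted", "Risk", "New", CLOSE),
    Record("Duplicate supplier payment", "Risk", "Approved", P2P),
    Record("Tax record checklist", "Control", "Approved", CLOSE),
]


def granting_policies(user, rec):
    """Names of the policies, reached through the user's job roles, that grant access."""
    return [p.name for role in USER_ROLES.get(user, [])
            for p in ROLE_POLICIES.get(role, []) if p.grants(rec)]


def visible(user, records):
    """Sorted names of the records the user can reach through any mapped policy."""
    return sorted(r.name for r in records if granting_policies(user, r))


def set_state(records, name, state):
    """Model a submit or approval: the named record moves to a new state."""
    return [replace(r, state=state) if r.name == name else r for r in records]


if __name__ == "__main__":
    approved = set_state(RECORDS, "Tax records omitted", "Approved")
    for label, recs in (("saved as New", RECORDS), ("after approval", approved)):
        for user in USER_ROLES:
            print(f"{label:15} {user:6} {visible(user, recs)}")
```

The `granting_policies` function doubles as an access-review aid: for any user and record it names the policy responsible for the access, and an empty list means no mapped policy reaches the record.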



Advanced Concepts

You can take advantage of advanced features. Later lessons explore these features in detail.
• Advanced administration: Complete tasks that optimize or customize your use of Financial Reporting Compliance.
• Managing lookups.

Advanced Concept Notes


• Administration tasks include:
- Activating e-mail alerts.
- Setting a security optimization schedule. This regularly synchronizes worklists with
any changes to job-role definitions.
- Selecting a default currency.
• Managing lookups. These determine the values available for selection in list-of-value
fields.



Summary

In this lesson, you should have learned to:


• Describe Financial Reporting Compliance and its Best
Practice Solution.
• Enumerate the objects you can work with to define your risk-control matrix in Financial Reporting Compliance.
• Understand features that apply to all the Financial Reporting
Compliance objects.
• Describe options that are more advanced than those
implemented in the Best Practice Solution.



2 Introducing Oracle Fusion Navigation


Lesson Objectives

After completing this lesson, you should be able to:


• Navigate Oracle Fusion Applications.
• Explore work areas.
• Examine panels.



Getting Started in Oracle Fusion Applications


Navigate to: Welcome Springboard


• Improve efficiency and productivity of your workforce with the simplified Welcome
Springboard that is optimized for tablets and mobile devices.
• Use the icons on the Welcome Springboard to easily access relevant work areas and
dashboards. Alternatively, use the Navigator to access any additional applications.
• Take advantage of the fact that no additional steps are required to enable the Welcome
Springboard.
• Maintain your personalization and customization of the home page in earlier releases,
which is preserved on My Dashboard.
Oracle Fusion Applications are:
• Designed from the ground up, using the latest technology advances and incorporating
best practices gathered from thousands of customers.
• Completely open, service-enabled enterprise applications.
• Designed with features for the best-in-class user-interface designs and workflows that
optimize usability and deliver business value.
All functionality revolves around the Oracle Fusion Applications Welcome Springboard, which
can be personalized.
Note: The Welcome Springboard view changes based on your roles and privileges.



Favorites and Recent Items


Navigate to: Welcome Springboard > Select the Favorites and Recent Items icon.
The Favorites and Recent Items menu enables users to return to flows that have been
recently accessed, usually within, but not limited to, a single session.



Work Areas and the Tasks Panel


Navigate to: Financial Reporting Compliance > Assessments > Manage Assessments >
Tasks panel tab.
A work area is a grouping of similar tasks.
The Tasks panel is an anchored component on the right side of a page.
• Open the panel by clicking the panel tabs. The panel is collapsed by default.
• Use the slide-out panel to access features directly from any screen without leaving the
current application or navigating through different roles or hierarchies.
• View the tasks available for your user role.



Practice 2-1 Overview: Getting Started in Oracle Fusion Applications
This practice covers the following topics:
• Signing in to Oracle Fusion Applications.
• Exploring the following user interfaces:
– Global Area including:
— Accessibility
— Help
— Search
— Personalize
— Settings and Actions menu
— Navigator and Welcome Springboard
– Work Area and Panels
• Signing out of Oracle Fusion Applications.
