1z0-1058-23 Questions and Answers

• Validate New Lookup Values: Before importing data, it’s crucial to ensure that any custom list of values, such as Control Frequency, has new lookup values created. This is necessary because the import process relies on these values to correctly map the imported data to the corresponding fields in the Oracle Risk Management system.
• Validate Worksheet IDs: It’s important to check that there are no duplicate worksheet IDs within the same worksheet. Duplicate IDs can cause conflicts and errors during the import process, leading to data corruption or loss.
• Validate System ID Column: The System ID column must be populated correctly to maintain data integrity. This column typically contains unique identifiers for records, which are used to track and manage data throughout the import process.

References:

• For the validation of new lookup values and ensuring the correct population of the System ID column, refer to the best practices outlined in the Oracle documentation on import and export management1.
• The importance of unique worksheet IDs and their validation is discussed in the Oracle Risk Management User Guide, which provides instructions on preparing data for import2.

• Navigate to Risk Management Tools > Setup and Administration > Data Migration, and select Advanced Controls: This step initiates the process by accessing the Data Migration tool within the Advanced Controls module.
• Generate Template as Without Data – Perspectives Only: This step involves generating a template that is specifically tailored for perspective data without including any pre-existing data. This is suitable when the data to be uploaded has no relationships to data already existing in the target environment.
• Click the Create Import Template button: This final step creates the import template which can then be updated with the new perspective items before running the import process.

References:The information has been verified and is based on the Oracle Risk Management documentation, which provides detailed instructions on using the Data Migration tool12.

To build a transaction model that identifies invoices with USD amounts greater than the supplier’s average invoice amount, the filters must be arranged to first calculate the average invoice amount for each supplier, then select only those invoices in USD, and finally compare the invoice amounts to the average. Here’s the correct order:

• Add an “Average” Function filter grouping by “Supplier ID” where “Invoice Amount” is greater than 0. This will calculate the average invoice amount for each supplier.
• Add a standard filter where “Invoice Currency” equals “USD.” This will narrow down the invoices to those in USD currency.
• Add a standard filter where the delivered “Average Value” attribute is less than “Invoice Amount.” This will identify the invoices that are greater than the average amount calculated for each supplier.

References:The arrangement of filters is based on the AND relationship processing order as described in the Oracle Risk Management documentation, which specifies that filters at one level are evaluated before those at the level below it1.

• Filter A is used to select payments from the specified business units (BU1, BU2, BU3, and BU4), excluding BU5.
• Filter B groups the payments by each supplier and sums the payment amounts. This filter is then used to identify suppliers who have been paid more than $100,000 USD across the selected business units.

References:The information is based on the Oracle Risk Management Cloud documentation and resources that discuss transaction models and filtering criteria for identifying specific conditions such as payment amounts to suppliers1.

• Identify the organizations or business units: This involves determining the specific parts of the organization where the new controls will be applied. It is crucial to understand the scope of the controls within the organizational structure to ensure that the appropriate levels of review and approval are established.
• Identify users who will perform control review and approval: After defining the scope, the next step is to specify the individuals who will be responsible for reviewingand approving the controls. This includes assigning users to the roles that will have the authority to review and approve the controls at each required level.

References:The information provided is based on the Oracle Risk Management documentation, which outlines the processes for setting up approvals within the system123. These references detail the necessary steps and considerations for managing approvals and ensuring proper control within the Oracle Risk Management framework.

To meet the requirement for performing Design Review and Certification assessment for all controls, the client can choose two options:

• Option A: This option might involve using pre-built assessment templates that are aligned with industry standards and best practices. By selecting this option, the client can ensure a consistent and thorough review of all controls, leveraging the expertise embedded in these templates.
• Option E: This option could include the creation of custom assessment plans tailored to the specific needs of the client’s organization. Custom plans allow for flexibility and can address unique aspects of the client’s controls that may not be covered by standard templates.

Both options provide a structured approach to conducting Design Review and Certification assessments, ensuring that all controls are evaluated effectively and in accordance with the client’s requirements.

References:The answers are based on the Oracle Risk Management Cloud documentation, which includes detailed descriptions of the assessment processes and options available within the system123.

• For an incident to be automatically assigned a status of “Closed,” it must be resolved within the Fusion Cloud system. This is confirmed by a subsequent evaluation of controls that verifies the incident no longer exists.
• Similarly, if the incident is resolved using simulation within Advanced Access Controls (AAC), and a subsequent evaluation confirms the absence of the incident, it will also be automatically closed.

References:The information is based on Oracle’s documentation, which states that the actual resolution of incidents occurs outside of Oracle Fusion Cloud Advanced Controls. For example, resolving a purchase order in the Financials application or revising role assignments due to a separation-of-duties conflict can lead to the closure of an incident1. Additionally, closed incidents that are reopened through a request in Advanced Access Requests are assigned the Accepted status, indicating that the closure of incidents is tied to their resolution1.

1: Incident Status and State - Oracle Documentation

To change the participant who completes the assessment, the assessment manager should:

• Navigate to the assessment record.
• Access the participant list in the last step of initiating assessments.
• Modify the participant list to select a different user as the assessor.

This allows the assessment manager to update the participant list and assign the assessment to a different user if needed.

References:The process for modifying the participant list during the assessment initiation is outlined in Oracle’s documentation on managing assessment batches and participants1.

Once the remediation of a segregation of duties conflict is completed in Fusion Security by removing the conflicting access from the users, the status of the incident in Advanced Access Controls (AAC) should be set to “Resolved”. This indicates that the necessary actions have been taken to address the incident and no further immediate action is required. The “Resolved” status is used to signify that the incident has been dealt with and the conflict has been eliminated.

References:The information is verified and aligned with the Oracle Risk Management documentation, which details the incident statuses and states within the AAC1.

In Oracle Risk Management, a transaction model includes filters that define aspects of risk, then select transactions exhibiting the defined risk. These models, known as “transaction models” in Oracle Advanced Financial Controls, return temporary results. The suspect records identified by a model are replaced each time the model is evaluated. This feature is particularly useful for testing a risk-logic definition before applying it in a control or for auditors assessing the risk inherent in a system at a given moment.

References:

• Overview of Oracle Advanced Controls1.

When a Control object has scheduled assessments with future dates and the test plans associated with it are updated before the assessment starts, the assessment will be associated with the version of the test plans that were current at the time the assessment was initiated. This ensures that the assessment is conducted with the relevant procedures and criteria that were intended for that specific period.

References:The information provided is based on the Oracle Risk Management documentation, which details the use of test plans in control assessments and how they are managed within the system123. The REST API documentation for Oracle Fusion Cloud Risk Management also provides insights into how test plans can be viewed and managed, indicating the behavior of the system when updates occur2.

• Composite Duty Role: Can be created and viewed in the Security Console.
• Job Role Perspective Policy: Cannot be created or viewed in the Security Console. This is typically managed outside the Security Console because it pertains to the perspective of a job role rather than its functional security.
• Data Security Policy: Can be created and viewed in the Security Console.
• Functional Security Policy: Can be created and viewed in the Security Console.

References:The information has been verified and is based on the Oracle Financial Reporting Compliance documentation, which provides detailed instructions on using the Security Console12.

In Oracle Risk Management, when you want to identify Controls with the most Incidents, particularly where those Controls account for a significant percentage (like 80%) of all Incidents, you would apply the Pareto principle. This principle is also known as the 80/20 rule, where roughly 80% of the effects come from 20% of the causes. In this context, after importing a custom object that contains the number of incidents associated with each control into a transaction model, you would use the Pareto pattern filter. This filter will help you identify the subset of Controls that are contributing to the majority of Incidents, allowing you to focus on the most critical areas that need attention.

References:

• Oracle Advanced Controls Cloud Service documentation1.
• Overview of Oracle Advanced Controls2.

To add values to a Risk Type list of values, you need to add the lookup codes to the GRCM_RISK_TYPE Lookup Type. Here’s how you can do it:

• Navigate to the Lookups page in the Setup and Administration work area.
• Click on Create Lookup to open the Create Lookup page.
• In the Lookup Type field, enter GRCM_RISK_TYPE.
• Enter a code in the Lookup Code field. The code should consist of 30 or fewer characters, use upper-case for alphabetic characters, and underscores to fill the space between words.
• In the Meaning field, enter the text that will be presented in the list of values.
• Ensure that the combination of lookup code and meaning is unique.
• In the Status field, select Active to make the new value available for use.

References:

• Manage Lookups documentation from Oracle1.
• Risk Management User Guide2.

• Remove Control Certification Assessor Composite: This action will address Problem 1 by removing the duty composite that is likely causing the user to receive notifications for control assessments1.
• Set Perspective Value to EMEA Including All Child Nodes: Adjusting the data security policy to include all child nodes of the EMEA region will solve Problem 2, granting the user access to controls created for individual regions within EMEA1.

References: For the official and verified answer, please refer to the Oracle Risk Management documentation on their website, specifically the sections discussing role configuration and data security policies123.