
2014 Governance, Risk, and Control Conference (An IIA and ISACA Collaboration)

Sunday August 17, 2014, 8:30 a.m. – 5:10 p.m.

WRK-1 Enabling IT Risk Management Using COBIT 5 for Risk

Debbie Lew, CISA, CRISC, Executive Director, Ernst & Young, LLP
Tania Petrina, CISA, Senior Manager, Ernst & Young, LLP

In this workshop, participants will:

Understand business drivers for IT-related risk management.

Examine important risk management practices and activities.

Articulate IT risk scenarios and communicate impact in terms that decision makers can understand, using tools and templates in the risk scenarios book (due out in April).

Discuss the enablers of effective risk governance and management.

Develop strategies to progress from “gap identification” to “risk triage” to quantitative comparisons of risk response options.

Identify the IT components of the 2013 COSO framework and discuss how COBIT maps to COSO.

Debbie Lew has over 20 years of IT audit and information technology industry experience and has led a broad range of advisory engagements involving IT internal controls, IT risk management, and governance. She is currently a member of EY’s IT Risk Management Center of Excellence and assists clients with the adoption of COBIT. Lew was involved in the development of COBIT 4.0/4.1 as a member of the COBIT (4.0/4.1) Steering Committee. She was also on the credentialing task force developing the Certified in Risk and Information Systems Controls (CRISC) certification. She provided oversight of the certification as a member of the CRISC Committee.

Tania Petrina manages the IT risk transformation practice with nine years of experience in compliance, IT advisory, and IT risk management projects. She focuses on a range of governance, risk, and compliance projects, particularly related to IT risk management program design and IT risk assessment design and execution. Her experience includes GRC technology enablement with the RSA Archer products, roadmap development, vendor risk management, and information security program assessment and development.

Learning Level: Intermediate
Learning Field: Management Advisory Services

WRK-2 Designing and Maintaining “Effective Risk Appetite Frameworks”

Tim Leech, CIA, CCSA, CRMA, Managing Director, Global Services, Risk Oversight Inc.

In this workshop, participants will:

Learn the attributes of an effective risk appetite framework, including what is needed for a healthy corporate risk culture.

Compare current risk and assurance methods against these new expectations.

Discuss how organizations define, assess, and communicate their risk appetite and tolerance linked to IT security, continuity of operation, cybercrime, and other key areas.

Practice completing “objective-centric” risk assessments step by step, including the current “residual risk status” information necessary to evaluate the acceptability of retained risks.

Identify risks using 7 top methods to reduce the chances of missing major risks.

Find out what needs to change within status quo audit and IT security approaches to better support boards, which are now expected to effectively and visibly oversee “management’s risk appetite and tolerance.”

Receive specific methods and tools to produce reliable information for senior management and the board on the true state of retained/residual risk linked to key value creation and potentially high value erosion objectives.

Tim J. Leech helps companies more effectively manage risk and assurance to meet escalating board risk oversight due diligence expectations. He has more than 25 years of experience in the board risk oversight, ERM, internal audit, and forensic accounting fields, including expert witness testimony in civil and criminal proceedings, and global experience helping public and private sector organizations with ERM and internal audit transformation initiatives and the design, implementation, and maintenance of integrated GRC/ERM frameworks. Leech has provided training for tens of thousands of public and private sector board members, senior executives, professional accountants, auditors, and risk management specialists in Canada, the United States, the EU, Australia, South America, Africa, and the Middle and Far East. He has received worldwide recognition as a pioneer, thought leader, and trainer. His newest article, “Risk Oversight: Evolving Expectations for Boards,” published by the Conference Board’s Director Notes earlier this year, is attracting global attention and interest from board members and risk and assurance specialists around the world. In 2009 he was honored with the first Canadian Outstanding Contributor to the Profession of Internal Auditing award in recognition of over 25 years of global service.

Learning Level: Intermediate
Learning Field: Business Management & Organization

Monday August 18, 2014, 8:30 – 9:45 a.m.

GS 1 How Emerging Technologies Will Impact You and Your Enterprise and What You Can Do About It

Robert E. Stroud, CGEIT, CRISC, Vice President of Strategy and Innovation, CA Technologies; 2014-2015 International President of ISACA

In this session, participants will:

Imagine the future of technology when cars will automatically correct their path to avoid accidents and drones will deliver your groceries.

Explore the immersion of IT into everyday business, rather than a stand-alone department or data center.

Discuss the impact of emerging and disruptive technologies — from the present to those that may impact us tomorrow.

Redefine the boundaries of technology and business and answer the question, “How will this impact me and my role — and what can I do to be prepared?”

Robert E. Stroud has spent more than 15 years in the finance industry successfully managing multiple initiatives in both the IT and retail banking sectors related to IT service management and process governance. He joined CA Technologies from the Australian computer security company Cybec, where he was responsible for the company’s global expansion, including entry into the North American market. He has served numerous roles in ISACA’s leadership, including chairing the ISO Liaison Subcommittee and COBIT Steering Committee and serving as a member of the Strategic Advisory Council and the Framework Committee. In 2013, Stroud earned ISACA’s President’s Award for service.

Learning Level: Intermediate
Learning Field: Business Management & Organization

Monday August 18, 2014, 10:15 – 11:30 a.m.

CS 1-1 Black Swans: Tools for Finding Your Company’s Blind Spots

Lisa Smith, CCSA, CRMA, Assistant Director, ERM, General Motors Company
Kelli Santia, Supervisor, ERM, General Motors Company

In this session, participants will:

Discuss the struggle companies often have with developing methods to identify black swans, blind spots, or other surprise events that may impact a company's ability to achieve its objectives.

Learn how a Fortune 5 company institutionalized a process to address black swans.

Discover tools to implement a process to identify and manage black swans.

Lisa Smith played a key role in the ground-up implementation of ERM at GM and designed a new control self-assessment program for GM, which is being launched globally in 2014 and will be featured in the book “Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives.” Smith has experience in internal audit, audit committee reporting, and Sarbanes-Oxley activities.

Kelli Santia plays a key role in working with GM’s risk officers and facilitating workshops to identify top risks and opportunities. She also assisted in the launch of an operational risk management program, including extensive work on the development of a new system for this program. Prior to this role, Santia worked for Ernst & Young, providing consultative guidance on risks and controls primarily in the healthcare industry, providing internal audit services and coordinating internal controls testing.

Learning Level: Intermediate
Learning Field: Management Advisory Services

CS 1-2 Evolution of Risk Management: Changing Successful Programs in the Face of an Uncertain Economy

Ajay Gupta, IT Risk Manager, AARP

In this session, participants will:

Review a case study starting with the development of an ITRM program integrated into ERM.

Explore how and why they tore it apart to start from scratch.

Discuss the guiding principle they chose to reformulate the ITRM program.

Share perspectives in building the new ITRM and the surprising effectiveness of the new approach.

Ajay Gupta is an authority on IT strategy, cybersecurity, and risk management, and the implications for business risk and competitiveness. Author of two best-selling IT security books and host of the Technology Today radio program, Gupta is also the founder of Health Solutions Research, Inc., a non-profit research firm working to identify health IT solutions to lower costs and improve quality in the U.S. healthcare system.

Learning Level: Intermediate
Learning Field: Business Management & Organization

CS 1-3 The 5 Key Attributes of an Effective ERM Process

Linh Truong, CIA, CAE, Kosmos Energy

In this session, participants will:

Discuss how the ERM process can be integrated into a company’s strategic objectives as well as throughout the organization.

Understand how to measure effectiveness of risk management.

Review examples of ERM reporting and governance.

Learn how internal audit can provide assurance to and benefit from the company's ERM.

Apply learnings to either develop an ERM process or improve an existing ERM.

Linh Truong has more than 20 years of audit experience, and prior to Kosmos Energy, Truong worked at Xerox, Credit Suisse Group, and KPMG. Her audit career has provided her the opportunity to travel throughout the United States, Canada, Europe, and parts of Africa and the Middle East. She has built internal audit departments from ground zero and established first-year Sarbanes-Oxley compliance programs, as well as spearheaded an ERM process for two companies.

Learning Level: Intermediate
Learning Field: Business Management & Organization

CS 1-4 Data Analytics and Continuous Monitoring… A Practical Approach

Cindi Hook, CAE, SVP, Comcast Assurance and Advisory Team, Comcast Corporation

In this session, participants will:

Share the journey of implementing continuous monitoring in a large organization.

Apply strategies for effective use of data analytics drawn from real life practical examples.

Identify practical success factors to increase audit/GRC coverage.

Cindi Hook oversees all internal audit staff, risk management, and the performance of financial, operational, and systems audits, among other responsibilities. She is also the executive sponsor for several companywide finance development programs including the Financial Management Leadership Program (FMLP), CORE (Career Opportunities and Rotational Experience), and the Finance and Accounting Intern Program. Hook was recently named to Cablefax’s “2013 Most Powerful Women in Cable.” Prior to joining Comcast, she spent 12 years at Dell, Inc., most recently serving as the vice president of global audit and transformation, where she was responsible for the global audit function as well as transformation initiatives for the finance function and supporting businesswide change initiatives.

Learning Level: Intermediate
Learning Field: Auditing

Monday August 18, 2014, 12:45 – 2:00 p.m.

CS 2-1 Dude! Where’s my Data? The Potential Hazards When Third-party Governance Is Lacking

William Crowe, CISA, CRISC, CISM, CRMA, VP, Controls Officer Manager, JPM Chase

In this session, participants will:

Review the phases of vendor management and the potential threats and risks if due diligence is not followed during vendor on-boarding, operations, and off-boarding.

Identify the five phases of the vendor management lifecycle.

Explore the importance IT audit plays in its project success.

Discuss the importance of audit involvement in mitigating risks during all phases of third-party governance.

Bill Crowe is responsible for risk management of various applications and systems found in production and business applications, including third parties. He is a seasoned professional with more than 25 years of military and business experience in information security management, risk management, vendor risk management, and information systems audit. Previously, Crowe served as vice president and business information security officer for nearly 15 years with Citi. He is an adjunct professor with ITT-Technical Training Institute, instructing in the Bachelor of Science Information Cyber Security program. Crowe is a retired Chief Petty Officer with 24 years served in aviation, surface, and training commands.

Learning Level: Intermediate
Learning Field: Auditing

CS 2-2 Applying Lean Six Sigma Techniques In Your Audits

John Livingston, CISA, Senior IT Auditor, Medical Mutual of Ohio

In this session, participants will:

Examine a real-life case study of improving the process of an internal audit department.

Explore Lean Six Sigma techniques that can help to eliminate waste and reduce variability.

Learn how to communicate with the auditee/client using Lean Six Sigma language.

Review the Lean Six Sigma DMAIC model to define, measure, analyze, improve, and control.

John Livingston has more than 20 years’ experience in accounting, financial analysis, internal audit, enterprise risk management, and IT operations. Previously he worked for 8 years in IT operations for Rockwell Automation. Livingston has extensive experience in designing, implementing, and managing ITIL processes including IT change, problem, incident, and configuration management.

Learning Level: Intermediate
Learning Field: Auditing

CS 2-3 Leadership Lessons From the Audit Trail

Richard F. Chambers, CIA, QIAL, CGAP, CCSA, CRMA, President and CEO, Institute of Internal Auditors

In this session, participants will:

Hear how great organizations thrive under great leaders, and why internal audit is no different.

Review the common characteristics strong internal audit leaders share.

Learn the leadership traits and qualities that can be the difference between success and mediocrity.

Share stories from a professional with nearly 40 years’ experience in the internal audit industry.

Richard F. Chambers is president and CEO of The Institute of Internal Auditors. He has 38 years of internal audit and related experience. Previously, Chambers was national practice leader of Internal Audit Advisory Services at PricewaterhouseCoopers; inspector general of the Tennessee Valley Authority; deputy inspector general of the U.S. Postal Service; and director, U.S. Army Worldwide Internal Review Organization at the Pentagon. He currently serves on the Board of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), International Integrated Reporting Council, and IIA Board of Directors. Previously, he served as chairman of the Audit Board of the City of Orlando, Fla., and was a member of the U.S. President’s Council on Integrity and Efficiency, IIA Internal Audit Standards Board, and IIA North American Board. Chambers received the Association of Government Accountants’ Frank Greathouse Distinguished Leadership Award, and Accounting Today named him one of the Top 100 Most Influential People in Accounting.

Learning Level: Intermediate
Learning Field: Personal Development

CS 2-4 Don’t Just Check the Box! How to Streamline Your Compliance Efforts Across Multiple Initiatives

Jamie Croudace Levitt, CISA, SAP Security, Controls and GRC Solutions Director, PricewaterhouseCoopers LLP

In this session, participants will:

Walk through techniques to streamline compliance efforts across multiple compliance initiatives and objectives while reducing overhead.

Learn how to reduce business and audit efforts to execute and evaluate controls by reducing controls and identifying optimal controls solutions.

Explore using GRC technologies to expedite the optimal design of compliance frameworks and reduce overhead on the business side.

Review case studies of leveraging controls across FCPA and Sarbanes-Oxley initiatives.

Jamie Levitt is an SAP risk and controls specialist with experience in SAP consulting, auditing, control and process optimization, and GRC tooling and programs. Her current core focus is continuous monitoring methodologies, and streamlining controls and compliance efforts to reduce the organization’s overhead. Levitt leads a variety of client projects, focusing on streamlining controls and processes to support either compliance or new technology initiatives. She is responsible for PwC’s bimonthly SAP webcast series. Levitt has spoken at numerous conferences, ranging from ISACA local events to SAP's SAPPHIRE and GRC conferences in the United States and abroad.

Learning Level: Intermediate
Learning Field: Management Advisory Services

Monday August 18, 2014, 2:30 – 3:45 p.m.

CS 3-1 Portfolio Risk-based Approach to ITGC Auditee Selection

Jim Ambrosini, CISA, CRISC, CRMA, Managing Director, Cohn Reznick

In this session, participants will:

Review a decision-support framework used by a top 10 national accounting firm for selecting clients for an ITGC review.

Understand the factors and assumptions driving the model.

Review lessons learned from the implementation and application of the model.

Discuss applicability for other areas.

Jim Ambrosini oversees the infrastructure and managed services practice at CohnReznick. Prior to this role, he served as director of IT audit, and has more than 20 years’ experience working in IT audit, risk, and security. Prior to joining CohnReznick, Ambrosini led an IT risk management practice at a global consulting firm; worked in IT assurance leadership roles at two big-four accounting firms; served as an IT auditor at a leading investment bank; and was a systems programmer at a global insurance company. He is the recent past president of the ISACA New York Metro Chapter.

Learning Level: Intermediate
Learning Field: Auditing

CS 3-2 Creating a Roadmap for an Integrated Multi-Compliance Environment Using SAP GRC 10.1

Elvia Novak, CGEIT, CRISC, Director, Enterprise Risk Services, Deloitte & Touche LLP
Jacob Gregg, CISA, Senior Manager, Deloitte & Touche LLP

In this session, participants will:

Learn the requirements for designing and implementing an SAP GRC solution, including validated environments.

Review scope consideration examples, including key risk areas and associated business processes.

Classify key assumptions, including understanding the key objectives and goals for the project.

Identify relevant stakeholders and participants to design, build, test, and deploy the solution.

Target opportunities to leverage and monitor controls to satisfy multiple compliance requirements using the “test once, satisfy many” philosophy.

Elvia Novak has 25 years of industry experience with more than 16 years focused on SAP internal controls. She has experience with assessing, designing, and implementing SAP Security, controls compliance, and GRC solutions in various industries. Novak’s areas of expertise include security, controls, enterprise risk assessments, project management, and governance, risk, and compliance. She has spoken at various SAP conferences on the topics of SAP security, controls, compliance, and GRC.

Jacob Gregg has nearly 10 years of experience in assessing, designing, and implementing general computer controls, business process controls, application security controls, and SOD with special emphasis in the SAP environment. He has served as the security and controls team lead for multiple full lifecycle SAP implementations; has experience designing, implementing, and assessing SAP GRC solutions; and serves as an internal audit manager for clients running SAP. Gregg is a Deloitte training facilitator for SAP GRC. He also facilitates SAP controls and GRC training for The IIA and ISACA.

Learning Level: Intermediate
Learning Field: Auditing

CS 3-3 Making Risk Management a Core Element of Organizational Success

The Honorable Douglas Webster, Ph.D., CGEIT, Prosci Change Management, Chief Executive Officer, Cambio Consulting Group LLC
Nancy Anne Baugher, Director, Office of Financial Risk, Policy and Controls, Department of Energy
The Honorable Theresa Grafenstine, CISA, CGEIT, CRISC, CIA, CGAP, Inspector General, U.S. House of Representatives

In this session, participants will:

Discuss the integration of cost, benefits, and risk designed to maximize organizational value.

Review a model that links strategic planning, cost management, performance management, risk management, IT, and organizational change management.

Explore the value of the integrated approach linking performance, cost, and risk measures.

Learn how to communicate the value that risk management and audit contributes using these methods to stakeholders.

Doug Webster has two decades of consulting experience, and is a former CFO of the U.S. Department of Labor, former deputy director of the DoD Business Transformation Agency, and co-founder of the Association for Federal Enterprise Risk Management. He has served as co-author on books covering cost and performance management and organizational change management. Webster released his latest book, Managing Risk and Performance, earlier this year. He serves on boards of a $17B credit union and a veterans charitable organization.

Nancy Anne Baugher led performance improvement and risk management initiatives at NASA and FEMA and stood up the first comptroller's shop for the oversight of more than $25 billion in funding initiatives at DHS. Prior to her roles in Federal service she was CFO in the private sector; assistant dean at the University of Maryland; and director of finance at UMd School of Medicine. Baugher has earned the Lean Six Sigma Green Belt, is the recipient of numerous awards including an International Eagle Service Award and a DHS Medal of Excellence, and has worked on several OIG and OMB working groups including the latest rewrites to the Federal Circular A-123.

Theresa Grafenstine is responsible for planning and leading independent, non-partisan audits, advisories, and investigations of the financial and administrative functions of the U.S. House of Representatives. She is also an active volunteer in support of the technology, governance, internal auditing, and accounting professions. In addition to leadership roles with several professional trade associations, Grafenstine serves as a director on the IP3 Standards and Accreditation Council, a United Nations-rooted body; and as an audit committee member for the Department of Defense IG and the Pentagon Federal Credit Union.

Learning Level: Intermediate
Learning Field: Business Management & Organization

CS 3-4 Regulatory Fraud: Uncovering Schemes to Avoid Compliance

Bryan C. Moser, Partner, Advisory Services, Grant Thornton LLP

In this session, participants will:

Discuss some known regulatory compliance fraud schemes.

Understand the risk factors and how to assess them.

Learn how to prepare a risk response plan.

Share experiences or “war stories.”

Bryan Moser has more than 20 years of experience assisting clients with investigations, compliance, and litigation. He has assisted clients with governmental and internal fraud investigations, including FCPA and other corruption, earnings management, billing fraud, employee embezzlement, improper vendor arrangements, and compliance with governmental policies. Moser also helps clients implement programs for prevention and remediation.

Learning Level: Intermediate
Learning Field: Auditing

Monday August 18, 2014, 3:55 – 5:10 p.m.

CS 4-1 Audit the ITIL Processes of Incident, Problem, Change, and Configuration Management

John Livingston, CISA, Senior IT Auditor, Medical Mutual of Ohio

In this session, participants will:

Learn how to speak the language of ITIL.

Discuss Problem Management: how to stop fixing the same IT outages over and over.

Explore Configuration Management: keeping track of IT assets.


Study Change Management: reducing the number of self-inflicted IT outages.

Review a Risk Control Matrix for each process.

Be prepared to conduct a thorough audit of each critical IT process.

John Livingston has more than 20 years’ experience in accounting, financial analysis, internal audit, enterprise risk management, and IT operations. Previously he worked for 8 years in IT operations for Rockwell Automation. Livingston has extensive experience in designing, implementing, and managing ITIL processes including IT change, problem, incident, and configuration management.

Learning Level: Intermediate
Learning Field: Auditing

CS 4-2 A Right-sized Risk Assessment Approach for Small to Mid-sized Organizations

Justine Rourk, Ph.D., Practice Leader, IT Optimization and Planning, Diane Meiller & Associates Inc.
James Garoutsos, Director, Information Management Services, Orange County (Fla.) Sheriff's Office

In this session, participants will:

Examine the most critical elements of a risk assessment.

Discuss how tailoring the risk assessment approach can lead to broader acceptance and support.

Explore approaches to setting the right expectations to ensure success.

Tina Rourk works with clients in the areas of strategic planning, business process optimization, IT security and risk management, interim IT leadership, and IT best practices. Prior to joining DM&A, she served as senior vice president and CIO for Wyndham Vacation Ownership. She is a seasoned veteran with more than 20 years in IT, providing leadership, guidance, and input in disciplines including hospitality, contact centers, business process outsourcing, and manufacturing. In her tenure as CIO, she built security departments and programs from the ground up, led a Fortune 1000 organization through level 1 PCI Certification obtaining the Record of Compliance (ROC), and oversaw successful year-over-year compliance with annual audits for SOX and PCI.

James Garoutsos leads a technology organization that supports the 2,500 members of one of the largest law enforcement agencies in Florida. His responsibilities include ensuring the agency is compliant with the federally mandated criminal justice information systems security policy. Prior to the Sheriff's Office, Garoutsos held director positions with Pinellas County, Fla., and Eckerd Drugs.

Learning Level: Intermediate
Learning Field: Auditing

CS 4-3 Using a Risk Matrix: A Practical Approach

Larry Hubbard, CIA, CCSA, CISA, Principal, Larry Hubbard & Associates

In this session, participants will:

Hear about internal auditing's growing obsession with risks.

Explore the different ways risk matrices are used.

Recognize the common errors made in using a risk matrix to identify controls.

Discuss the one format of risk matrix that is actually useful.

Understand how the risk matrix fits into the COSO internal control and ERM frameworks.

Larry Hubbard is a professional trainer and consultant with a broad background in accounting, auditing, and finance. Prior to founding his own firm, Hubbard's experience included Mobil Corporation and EY. In addition to conducting his own training seminars, Hubbard conducts training for other organizations, such as The IIA; Watkins, Meegan; and Risk Management Advisory Services. Learning Level: Advanced Learning Field: Auditing CS 4-4 Keith Keller Managing Director Protiviti Inc.


In this session, participants will:

Learn about new consumer protection requirements in conjunction with the next phase of the Dodd-Frank Act implementation.

Get an update on the Bank Secrecy Act and its anti-money laundering regulations.

Discuss how new compliance edits will affect third-party and operational risk management.

Benchmark the impact of the current environment on compliance and internal audit organizations. Keith Keller is a member of Protiviti’s financial services team and serves as the market lead for the internal audit and financial advisory solution. Keller is a seasoned executive with more than 30 years of business experience working with a variety of organizations to enhance their business performance through risk management, operational effectiveness, and enhanced governance. Learning Level: Intermediate Learning Field: Regulatory Ethics

Tuesday August 19, 2014 8:30 – 9:45 a.m. GS 2: Assuring the Audit Committee of Internal Audit’s Value Anton B. van Wyk, CIA, CRMA Partner, PricewaterhouseCoopers 2014–15 Chair, The IIA Global Board of Directors In this session, participants will:

Explore the audit committee’s role in ensuring an effective governance environment.

Discuss how the audit committee can ensure improved levels of communication with internal audit around internal audit’s role in corporate governance.

Identify key challenges for better risk management and good corporate membership and the critical elements for internal audit’s effectiveness.

Share insights on the definition of risk appetite from the viewpoint of internal auditing.


Anton van Wyk has more than 25 years of experience in corporate governance, risk management, and internal audit. He leads PwC’s African Risk Assurance Services practice and previously served as Global Internal Audit Services leader between 2004 and 2009. Van Wyk is a member of the King Committee on Governance in South Africa. He also serves on the South African Corporate Governance Forum and was a member of the King Committee’s Task Team, which reviewed corporate governance practices in South Africa in 2002. A previous president of IIA–South Africa, van Wyk chaired The IIA's International Conference in 2009 and has several IIA leadership roles. He was recently installed as 2014–15 chair of the Global Board of Directors. Learning Level: Advanced Learning Field: Business Management & Organization

Tuesday August 19, 2014 10:15 – 11:30 a.m. CS 5-1 Mobile Device Security Testing and the Link to the New COSO Framework MODERATOR Sonia Luna, CIA, CRMA CEO Aviva Spectrum PANELISTS: Adair Barton, CISA VP, Internal Audit Dycom Industries Inc. David A. Less, CISA, CISM CIO, SVP Sunteck Transport, Co. Jeff M. Spivey President, Security Risk Management Inc. Past International Vice President, Board of Directors, ISACA In this session, participants will:

Learn how new threats such as "Heartbleed" can be detected by internal audit groups and IT departments and prioritize actions to deal with them.


Find out what other organizations are doing to either encourage or prevent BYOD (Bring Your Own Device) and what their policies are to keep security a top priority.

Discuss mobile device security as an integral part of COSO’s 2013 Framework and the leading ITGC testing techniques.

Understand what The IIA and ISACA offer in terms of effective testing standards and how others are using them in the field today.

Sonia Luna founded her own compliance consulting firm in 2004 to help public and private organizations improve their understanding and application of Sarbanes-Oxley. She has presented numerous courses on topics related to COSO’s 2013 Framework, audit, Sarbanes-Oxley, and compliance-related matters. Luna has served as a subject matter expert on legal matters dealing with audit and internal audit standards since 2008 and has been quoted in business and trade publications. Her public accounting experience began at Arthur Andersen, then as audit manager at Ernst & Young. Luna has served as chief financial officer of AID FOR AIDS and the Orange County, Calif. chapter of ALPFA (Association of Latino Professionals in Finance and Accounting). Adair Barton joined Dycom, a provider of specialty contracting services in the telecom and utilities industries, in 2007 and oversees the organization’s internal audit function. Barton has more than 23 years of internal audit experience in the financial services, transportation, retail, telecom, and construction industries. Prior to joining Dycom, he was with FedEx Corporation’s internal audit group and had responsibility for FedEx Kinko’s corporate and field audits. David Less joined Sunteck as CIO and VP in 2008 and became senior vice president in 2011. He has nearly 25 years of information systems, governance, risk, compliance, security, audit, and consulting experience working with global corporations. Prior to joining Sunteck, Less was global director of IT Audit and Advisory Services for CTG, Inc., an information technology consulting, staffing, solutions and application management provider. Prior to CTG, he was senior vice president of IT Audit & Consulting Services for CBIZ HarborView, Inc., and co-founder, chief technology officer and executive committee member at HarborView Partners, LLC. 
Previously Less was global director assurance services for Woolworth / Foot Locker, and director of IT Audit for Melville Corporation, representing a collection of popular retailers. He has also worked with Ernst & Young, Avon Products, Philip Morris Management Corp., and W.R. Grace. Less is a frequent guest speaker and presenter for ISACA, The IIA, and MIS Training Institute. Jeff M. Spivey is a career security professional having served with law enforcement before entering the private sector with NCNB (now Bank of America) where he rose to senior security management of the multi-state banking system. In 1989, Spivey established his own firm to provide strategic insight and program development for banking, corporate and governmental clients. The author and contributor of articles in professional journals, he has been a featured speaker at many security and IT risk management and counter-terrorism conferences worldwide. Spivey was past international president and chairman of the board of ASIS International, the world’s largest professional security association. Currently he serves as a member of the U.S. State Department’s Overseas Security Advisory Council (OSAC), the United States Justice Department’s Judicial Security Advisory Council, and is a founding member of the Cloud Security Alliance. Learning Level: Intermediate Learning Field: Auditing CS 5-2 Create Your Own Audit Management Software Using Out-of-the-Box SharePoint John Hagen, CISA Sr. IT Auditor 7-Eleven, Inc. In this session, participants will:

Review the basics of SharePoint 2010 document repositories and lists.

Identify key functionality needed in an audit management tool.

Understand how SharePoint's native functionality can be structured to work as an audit management tool in a Sarbanes-Oxley audit context.

Discuss the specifics of setting up a SharePoint environment for a Sarbanes-Oxley audit.

John Hagen works in the corporate world with 7-Eleven and in academia as adjunct lecturer in accounting information systems at the University of Texas at Dallas. He has more than 20 years of experience in Fortune 500 companies including American Airlines, Blue Cross of California, Dole Foods, and EDS. Hagen specializes in the areas of decision support systems, data warehousing, IT audit, and eCommerce fraud. Learning Level: Intermediate Learning Field: Computer Science CS 5-3 Using ERM to Improve Strategic Decisions Jim Fitzmaurice Senior Director, Executive Advisor The Corporate Executive Board (CEB) Company In this session, participants will:

Discuss how the best ERM teams create value with risk insights at key decision points.

Learn how to influence the development of a firm’s strategy and align risk management against strategic objectives.

Identify what insight and tools senior company leaders need to make critical decisions with greater confidence.

Explore how to conduct effective scenario planning exercises.

Find out how to embed risk management discipline in business processes. Jim Fitzmaurice provides guidance and shares proven tactics that help ERM and internal audit executives improve individual, functional, and corporate performance. Prior to joining CEB, Fitzmaurice served as a subprime mortgage account executive at The Lending Group, as a branch officer at Chevy Chase Bank (Capital One), and worked as a middle-school mathematics teacher. Learning Level: Intermediate Learning Field: Management Advisory Services CS 5-4 Initiating and Maintaining an FCPA Compliance Program Chitrak Patel Director, Risk Assurance Leader RGP Phil Wittliff, CIA Manager Snap-On Inc. In this session, participants will:

Get first-hand details on undertaking a new program.

Identify steps to take to lay the groundwork for successful implementation.

Learn key issues that may arise in maintaining a program.

Share and trade insights on sustaining a successful process.


Trak Patel oversees RGP’s client services for the Great Lakes region. He serves on the board of ISACA’s Chicago chapter and has spoken at numerous conferences. Prior to joining RGP, Patel was the vice president of internal audit at Regal Beloit, and served as the director of internal audit and compliance at Snap-on Incorporated before that for 7 years. Phil Wittliff is responsible for risk-based audit scoping, engagement planning, and overseeing fieldwork on a variety of operational, compliance, and financial audits. Wittliff has been a part of the Snap-on internal audit department for six years. Prior to joining Snap-on, he worked as an international internal auditor for Johnson Controls, Inc. for two years. Learning Level: Intermediate Learning Field: Auditing

Tuesday August 19, 2014 12:45 – 2:00 p.m. CS 6-1 A Look at ISO 27001:2013 Robert J. Vetter, CISA, CRISC VP, Governance, Risk & Compliance Ultimate Software

In this session, participants will:

Review the ISO 27000 standard family.

Explore the components of the Information Security Management System (ISMS).

Discuss Annex A: Control Objectives and Controls.

Compare ISO 27001:2013 with ISO 27001:2005. Rob Vetter is a privacy, security, and enterprise risk management professional. He specializes in data protection and information risk management practices. In his current role, he has overall enterprise responsibility for privacy and security policy, risk management practices, U.S. and international privacy and security regulatory compliance practices for the protection of personal information, as well as vendor risk management and business continuity program management. He provides subject matter expertise and guidance on privacy and security data protection laws and regulations to general counsel, senior and executive management. Previously, he was in the risk advisory practice at KPMG serving Fortune 500 companies and industries. Learning Level: Intermediate


Learning Field: Specialized Knowledge & Applications CS 6-2 Five Practical Steps for Moving Toward Continuous Risk Assessment (CRA)

Steve Biskie, CISA Co-Founder and Managing Director High Water Advisors Inc. Bruce Carpenter VP, Internal Audit NVIDIA Corp. In this session, participants will:

Understand what continuous risk assessment is and how it differs from continuous monitoring or continuous auditing.

Hear how leading audit and compliance departments are using CRA to transform their audit processes to one focused on risk.

See an example of CRA risk factors that could serve as a model for any organization attempting a migration to CRA.

Walk away with five specific, actionable steps to begin moving forward with CRA. Steve Biskie specializes in transforming inefficient processes and technologies to optimize GRC and audit performance. A leader in the audit and compliance space for more than 20 years, Biskie is a thought leader and expert on implementing high-value, sustainable analytics and continuous audit programs. His advice has been sought by hundreds of organizations in more than a dozen countries, and he has helped more than half of the Fortune Global 50 most admired companies. He has authored dozens of articles, published a book on auditing the SAP system, and is a two-time IIA All Star speaker. Bruce Carpenter has recently joined NVIDIA as the head of Internal Audit. Formerly, he led the go-to-market activities on behalf of corporate audit for SAP’s new audit management product. He was previously with Sybase Inc. leading the Internal Audit, Risk Management and Compliance functions. He moved to the United States as a senior manager with KPMG’s Forensic Accounting practice. His career as an auditor started with KPMG in New Zealand and included a two-year transfer to KPMG London. Learning Level: Intermediate Learning Field: Auditing


CS 6-3 Assessing and Auditing Third Party Risk: A Comprehensive, Risk-based Approach Brian Scherbaum Risk Audit Leader GE Capital Retail Finance William T. Chippendale, CIA MVP, Corporate Audit Services Capital One In this session, participants will:

Understand third-party risks and discover how to integrate these risks into the annual audit planning process.

Explore several methods for assessing these risks within your audit plan using a risk-based approach.

Learn about opportunities to create a third-party management subject matter expert role within the audit department.

Discuss the benefits of ensuring quality and consistency of third-party risk coverage through this role.

Brian Scherbaum is a CPA with 15 years of experience auditing the financial services industry. Brian recently joined GE Capital Retail Finance to lead their Risk Audit team. Prior to joining GE Capital Retail Finance, he spent 13 years with HSBC leading internal audits covering the organization’s U.S. consumer finance and retail banking businesses. While at HSBC, Brian served as Senior Vice President with overall internal audit responsibility for HSBC’s Retail Banking and Wealth Management business within North and South America. Brian also spent almost two years at Capital One as Audit Director where he was responsible for oversight and maintenance of the department’s third-party management audit program and methodology. His experience includes leading on-site third-party audits in the United States, Canada, Bermuda, Peru, and Brazil. Bill Chippendale leads the internal audit team in providing controls assurance and advice relating to the $300B bank's credit card, retail, direct, and commercial banking activities. He has 20 years of audit and management consulting experience, assisting and leading audit functions for mid-sized and large financial services companies. At Capital One, Chippendale has led the development of a new vision for internal auditing, redefining talent, technology, and methodology for the future of the profession. Before Capital One, he served as first vice president of internal audit at JPMorgan Chase. Prior to that, he worked with Ernst & Young serving companies mainly in the financial services industry. Learning Level: Intermediate Learning Field: Auditing CS 6-4 Getting Overseas Business Units to Follow Compliance Initiatives Mark Diamond President & CEO Contoural, Inc. Jacki Cheslow Director, Business Ethics & Corporate Compliance Avis Budget Group In this session, participants will:

Learn to design a compliance program to help – not hinder – adoption.

Identify strategies to engage foreign audiences.

Discuss how to monitor compliance in difficult-to-monitor locations.

Share tips on how to do all this with limited resources. Mark Diamond is regarded as an industry thought leader in information governance including records and information management, control of privacy, and other sensitive information as well as litigation readiness. He has helped 25 percent of Fortune 500 plus numerous public sector entities bridge legal, compliance, and business needs and policies with effective legal and IT strategies and processes. Diamond is a frequent speaker at legal and IT industry conferences as well as online venues. Jacki Cheslow is responsible for supervision of the organization’s business ethics and compliance program, risk remediation and assessment, policy governance, training, and program measurement. She is a member of the Society of Corporate Compliance and Ethics, the New Jersey Corporate Compliance Roundtable and ARMA International. She is a Certified Compliance & Ethics Professional (CCEP). Learning Level: Intermediate Learning Field: Business Management & Organization

Tuesday August 19, 2014 2:30 – 3:45 p.m.


CS 7-1 The Adaptability of GRC Walter J. Smiechewicz Managing Director PricewaterhouseCoopers LLP In this session participants will:

Explore how to view risk as an option.

Learn the importance of culture as the fulcrum to any GRC protocol.

Discuss why GRC needs to adapt to stay relevant in light of new developments such as virtual currencies, 3D printing, IoT, increasing cybersecurity threats, using technology to treat your customers as community, and more.

Walter Smiechewicz oversees internal audit; governance, risk and compliance (GRC); and enterprise risk management (ERM) consulting services for the financial services sector for PwC's Western Region. Beginning his career at Deloitte, he has more than 20 years of internal and external auditing experience. Smiechewicz has spent the majority of his career serving the banking sector. His past experience includes serving as chief audit executive and chief risk officer at several financial services organizations ranging in size from $20 to $250 billion in total assets. Smiechewicz’ expertise has led to numerous speaking engagements and published works in prominent industry publications including American Banker, Journal of Banking and Finance, and NACD’s Directorship Magazine and trade journals for ACFE and FEI, among others. Learning Level: Intermediate Learning Field: Specialized Knowledge & Applications CS 7-2 APT: The Threat Is Real, Well-funded, and Coming for Your Data Jesse Fernandez, CISA Senior IS Audit Specialist Automobile Club of Southern California In this session, participants will:

Define what an Advanced Persistent Threat, or APT, is and what it isn’t.

Identify the potential financial impact that a successful APT attack can have on an organization.


Discover the APT’s favored means of attack.

Find out how internal audit can leverage its existing audit plan to help protect the organization.

Jesse Fernandez, with more than 10 years of industry experience, conducts complex information security audits and recently worked with the PCI DSS Standards Council to develop guidance around conducting a PCI DSS risk assessment to ensure document consistency and technical soundness. Learning Level: Intermediate Learning Field: Computer Science CS 7-3 Integrating ERM and ERA Spells Greater Success for Internal Auditors Sandra Lozano Director, Risk Consulting KPMG, LLP In this session, participants will:

Take a “top down” approach in assessing risk.

Identify where assurance efforts are already in place from a first, second, and third line of defense.

Incorporate those results to better define an internal audit plan.

Play the role of a business partner/advisor to align risk monitoring efforts and provide assurance where needed. Sandra Lozano has more than 15 years of experience specializing in financial and operational auditing, Sarbanes-Oxley implementations, enterprise risk assessments, data analytics strategic assessments, and business process analysis with significant international exposure working for global multi-national companies. She has worked with internal audit departments to meet their goals by refocusing their efforts on a holistic review of risk, becoming a value-added partner, and how to adapt to the expectations of audit committees and executive management. Learning Level: Intermediate Learning Field: Auditing CS 7-4 Start With the Facts: IG Maturity Assessment as a Remediation Prioritization Tool


Julie J. Colgan Chair of the Board of Directors ARMA International In this session, participants will:

Discuss the exponential growth of digital information coupled with complex legal and regulatory requirements in a global market.

Break down making proactive governance of corporate content into a phased approach.

Explore the use of the Generally Accepted Recordkeeping Principles and its Information Governance Maturity Model as a framework.

Identify steps to use the results to build a strategy and roadmap of remediation projects prioritized according to organizational.

Julie Colgan is a 15-year veteran of the information governance profession. She is the current chair and immediate past president of the Board of Directors for ARMA International, leading the board’s development and oversight of its strategy and business objectives. Colgan is also the director of information governance solutions for Nuix, a Sydney-based technology firm, where she sets product and market strategy for Nuix’s information governance products. Learning Level: Intermediate Learning Field: Business Management & Organization

Tuesday August 19, 2014 3:55 – 5:10 p.m. CS 8-1 COBIT 5 Process Capability Assessment and Continuous Improvement: A Case Study James F. Aliquo, Jr., CISA, CRISC Global IT Compliance and Controls Manager DuPont Company Zhiwei Fu, Ph.D., CISA, CGEIT, CRISC Senior Principal IBM In this session, participants will:


Review the case study of two companies’ application of the COBIT 5 Process Assessment Model in the area of enterprise IT management to support process continuous improvement.

Learn how a continuous improvement program can help businesses assess information technology management capabilities.

Identify strengths, weaknesses, and risks with respect to business requirements in the implementation of a program.

Discover how to implement process changes that will enhance services and operations needed to meet stakeholder and business needs.

Jim Aliquo manages the global IT assurance processes, which focus on controls education and training of DuPont IT professionals. He also leads the IT governance, risk, and compliance steering team. He has been with DuPont since 1978. Zhiwei Fu has an extensive background in designing, implementing, and assessing governance and compliance programs and IT controls in various industries and third-party service organizations. He is a renowned researcher and practitioner in business analytics, modeling and optimization, performance measurement and process improvement, with multiple publications in international journals, book series, and conference proceedings. Learning Level: Intermediate Learning Field: Business Management & Organization CS 8-2 IT Compliance Framework Carlos S. Lobato, CISA, CIA IT Compliance Officer New Mexico State University In this session, participants will:

Benchmark their existing practices with NMSU’s IT framework.

Determine the regulations relevant to their institutions/companies.

Understand how to review the regulations for similar requirements to streamline the implementation and testing of controls.

Create value by lending a user-friendly perspective to compliance.

Share lessons learned.


Carlos Lobato has more than 12 years of professional audit experience in the corporate and banking industries, higher education, and local government entities. Currently he oversees IT compliance with applicable state and federal laws and regulations, NMSU policies and procedures, and the implementation of best computing and management practices. Lobato’s additional responsibilities include conducting university-wide IT risk assessments, promoting IT and data security related training and awareness programs, and monitoring systems via auditing and compliance activities. Learning Level: Intermediate Learning Field: Specialized Knowledge and Applications CS 8-3 Learn Five New Ways to Assess Risks That Can Turn Results Into Rewards Adil Khan Managing Director Fulcrum Information Technology, Inc. Nick Matuch Regional Manager, GRC Oracle In this session, participants will:

Explore client case studies on how leading organizations are improving their business results by better understanding and treating their business risks.

Learn five ways to pinpoint the risks your business faces now and in the future.

Get tips on upgrading enterprise systems to meet business needs while maintaining controls over employee access to enterprise data, control configuration changes, and master data in business applications.

Adil Khan has more than 15 years of experience in enterprise business systems, designing and implementing internal controls management systems for more than 15 global companies. His expertise includes streamlining and automating governance risk and compliance processes based on industry standards such as ERM-COSO and COBIT. Prior to FulcrumWay, Khan served as chief executive officer and board member of ALTM. He has presented many times at Oracle Open World, as well at Oracle Applications Users Group (OAUG), and he co-authored the Governance, Risk, and Compliance Handbook for Oracle Applications. Khan serves on the board of the OAUG Internal Controls and Security Interest Group.


Nicholas Matuch runs the Advanced Controls sales team for North America-East, focusing on improving business process efficiencies within the ERP system to improve clients’ financial performance. He has significant experience with Sarbanes-Oxley evaluation and testing, internal control documentation, merger integration issues, audit engagement management, financial analysis, and more. Prior to joining Oracle, Matuch worked for eight years in the audit department at Deloitte, managing external audit teams of several large SEC registrants with responsibility for oversight of implementation and scoping projects for Sarbanes-Oxley; IT risk assessments regarding internal controls within Oracle, PeopleSoft, and SAP ERP systems. Learning Level: Intermediate Learning Field: Business Management & Organization CS 8-4 A Practical Approach for Federal Contractors: Leveraging COSO Ryan Koenitzer Principal Ryan Koenitzer Inc. John Van Meter Principal BDO USA, LLP John L. Manning, CIA, CCSA Chief Compliance Officer Pratt & Whitney In this session, participants will:

Design a control framework to address the unique risks of U.S. government contracts.

Leverage Sarbanes-Oxley internal control programs to evaluate a company's ability to comply with terms and conditions of its federal contracts.

Monitor the operating effectiveness of a U.S. government compliance program.

Learn how to train internal audit staff to understand and apply the distinction between financial reporting and compliance risks, as defined by COSO.

Ryan Koenitzer is an independent consultant with more than 12 years of experience in risk advisory services including government contract accounting, pricing, federal contract compliance, regulatory compliance, business system implementation, and internal audit services. He advises clients on a wide range of financial and compliance risks including FAR, CAS, and other regulatory requirements of government contractors. Prior to his independent practice, Koenitzer worked in the risk advisory groups of KPMG, Navigant Consulting, and Baker Tilly, specializing in services for U.S. government contractors.

John Van Meter assists clients with government contracting compliance risks. Prior to joining BDO, he served as managing director in the government contractor services practices of PwC, KPMG, and Navigant Consulting. Van Meter has more than 30 years of experience in government contracting and consulting, spending much of his career with KPMG, where he was responsible for managing the firm's government contractor advisory services practice. In addition to his public accounting regulatory and compliance experience, he has worked for Northrop Aircraft, Garrett, and The Oeco Corporation in accounting, pricing, internal audit, and subcontract management positions.

John Manning monitors and reports the results of the risk management and self-assessment programs and advises the senior management team on matters relating to reporting and compliance. Previously, Manning was global compliance audit manager for Pratt & Whitney's parent, United Technologies Corporation, where he managed a variety of internal audit engagements including business process audits for antitrust, export control, improper payments, intellectual property, and privacy protection. Prior to joining United Technologies, Manning held a variety of finance and accounting positions at Ford Motor Company, Invensys plc, and Cookson Group plc. Learning Level: Intermediate Learning Field: Auditing (Governmental)

Wednesday August 20, 2014 8:30 – 9:45 a.m. GS 3: Keeping it Positive: Proactive Auditing to Reduce Enterprise Risk The Honorable Theresa Grafenstine, CISA, CGEIT, CRISC, CIA, CGAP Inspector General U.S. House of Representatives Moderator of Q&A Robert E. Stroud, CGEIT, CRISC International President of ISACA Vice President of Strategy and Innovation, CA Technologies

In this session, participants will:

Discuss why auditors need to take a proactive role in overseeing major private and public IT projects.

Gain perspective on how proactive, user-risk-centric audits can help avert costly missteps.

Learn how the right type of audits can boost the bottom line and positively impact end-user relationships.

Have an opportunity to participate in a Q&A moderated by Robert E. Stroud.

Theresa Grafenstine is responsible for planning and leading independent, non-partisan audits, advisories, and investigations of the financial and administrative functions of the U.S. House of Representatives. She is also an active volunteer in support of the technology, governance, internal auditing, and accounting professions. In addition to leadership roles with several professional trade associations, Grafenstine serves as a director on the IP3 Standards and Accreditation Council, a United Nations-rooted body, and as an audit committee member for the Department of Defense IG and the Pentagon Federal Credit Union.

Robert E. Stroud has spent more than 15 years in the finance industry successfully managing multiple initiatives in both the IT and retail banking sectors related to IT service management and process governance. He joined CA Technologies from the Australian computer security company Cybec, where he was responsible for the company's global expansion, including entry into the North American market. He has served in numerous roles in ISACA's leadership, including chairing the ISO Liaison Subcommittee and the COBIT Steering Committee and serving as a member of the Strategic Advisory Council and the Framework Committee. In 2013, Stroud earned ISACA's President's Award for service. Learning Level: Intermediate Learning Field: Auditing

Wednesday August 20, 2014 10:15 – 11:30 a.m. GS 4 Vigilant Leadership: Looking Over the Horizon for Risk, Innovation, and Opportunity Bob Treadway Principal Treadway & Associates, Inc.

In this session, participants will:

Learn how to look ahead to act on surprises, see emerging opportunities, tease out breakthrough ideas, and advance your status and effectiveness in your organization.

Shift focus to the lens of the stakeholder, and pick out the early signals requiring your attention and deeper thinking.

Look at various factors that could affect your enterprise, team, or career.

Share examples and techniques from decades of work with vigilant individuals and organizations and learn how to fold them into your own repertoire of abilities and assets.

Bob Treadway is a globally recognized consulting futurist, foresight advisor, and strategy facilitator. For the past 27 years he has helped organizations and individuals look ahead, build robust strategy, plan flexibly, and take action on the future. Clients such as Gillette, Berkshire Hathaway, ExxonMobil, Motorola, the Federal Reserve, Dow, AT&T, ISACA, Hilton, US Gypsum, and the Social Security Administration use his services to help understand uncertainty, think even more strategically, and make better decisions. Learning Level: Intermediate Learning Field: Personal Development