Monday | October 1, 2018 8:30 – 9:30 a.m. Opening Keynote: A Conversation With Senator Dodd Facilitator: Vernon Stafford Executive Vice President and Chief Audit Executive First Horizon National Corp. Speaker: Senator Chris Dodd In the opening keynote session, Vernon Stafford, Executive Vice President and Chief Audit Executive at First Horizon National Corporation, converses with Senator Christopher Dodd on topics ranging from the current financial services environment eight years post Dodd-Frank Act to his thoughts on the November mid-term elections and their potential impact on the financial services industry. In this session, participants will:

• Gain insights on key issues from a legislative perspective. • Explore the impact of the current economic environment on policy. • Consider the effects of legislative reforms on the industry.

Vernon Stafford is responsible for corporate internal audit and credit assurance. Prior to joining First Horizon in 2013, Stafford served a distinguished 33-year career as a national bank examiner for the Office of the Comptroller of the Currency (OCC), having served as an assistant deputy comptroller (ADC) in OCC’s Midsize Bank Supervision since mid-2011. As ADC, Stafford supervised a staff of midsize bank examiners-in-charge (EIC) and a portfolio of midsize banking companies ranging in assets of $13 billion to $90 billion. After serving in various positions as a field bank examiner and regional analyst, he served as director for OCC’s Core Policy Development division (now Operational Risk & Core Policy) for about five years, with responsibility for developing and implementing supervisory policy for national banks. In 2001, Stafford was appointed director for large bank supervision, a division responsible for the supervision of the largest banking companies in the national banking system. In 2006, he was appointed EIC of supervision for First Tennessee Bank, N.A., responsible for the day-to-day supervisory activities of the banking company, where he served until 2011.

Senator Christopher J. Dodd served in the US House of Representatives for three terms and in the US Senate for 30 years. As Senator, he was Chairman of the Senate Committee on Banking, Housing, and Urban Affairs, and was also principal author of numerous bills that became law, including the Dodd-Frank Wall Street Reform and Consumer Protection Act. Senator Dodd then helped move the Motion Picture Association of America (MPAA) into the digital age as Chairman and CEO, and established the Alliance for Creativity and Entertainment (ACE), a coalition focused on protecting intellectual property. He now provides strategic counsel on governmental, political, and business challenges as a member of the Legislative and Public Policy group at Arnold & Porter.

Monday | October 1, 2018 9:45 – 11:00 a.m. General Session 1: Regulatory Panel Moderator: Kevin Ryan, CIA, CFSA Chief Risk Review Officer and General Auditor KeyCorp Panelists: Tom Crock, CISA National Bank Examiner Office of the Comptroller of the Currency David E. Palmer Division of Banking Supervision and Regulation Federal Reserve Board John Rieger Deputy Chief Accountant, Risk Management Supervision Division Federal Deposit Insurance Corporation Tim Siwy Deputy Assistant Director, Supervision Examinations Consumer Financial Protection Bureau Kevin Ryan, general auditor at Key Bank, facilitates a panel of senior leaders from the Consumer Financial Protection Bureau (CFPB), Federal Deposit Insurance Corporation (FDIC), Federal Reserve, and Office of the Comptroller of the Currency (OCC) as they share the stage to discuss the current regulatory landscape, expectations of internal audit, and other emerging issues that will impact the industry.

In this session, participants will:

• Gain insights on key issues from a regulatory perspective. • Explore the emerging areas of focus for regulatory oversight. • Discuss the expectations of the role internal audit plays within its organization.

Kevin Ryan is responsible for managing all risk review (internal audit and credit risk review) activities at KeyCorp and is a member of the organization’s executive council and executive leadership team. He began his career in 1982 at Chase Manhattan Corp. as part of the management associate program in finance. After two years, he took a position with KeyCorp’s internal audit group. He worked extensively on audits pertaining to non-banking subsidiaries (lease, mortgage, and insurance) and undertook progressively responsible roles through departments and management to arrive in his current position. Ryan is a former board member of The IIA’s International Internal Auditing Standards Board and currently serves as vice chair of The IIA’s Financial Services Advisory Board (FSAB). Tom Crock is a National Bank Examiner at the Office of the Comptroller of the Currency (OCC). Currently, he is the Risk Team Leader for Governance and Operational Risk in the Large Bank Supervision Division in Washington, D.C. Tom manages a team of examiners that look at these risks across the OCC’s Large Bank population. He helps the local Large Bank teams maintain consistent supervision across the banks and also helps them to prioritize and risk rank their examination activities. Prior to being named as a Risk Team Leader, Tom spend 20 years as a National Bank Examiner at various Large Banks with the OCC. He was responsible for assessing technology and operational risks at those institutions as well as completing general safety and soundness examinations. David Palmer focuses on several primary topic areas, including banks' capital planning practices, banks' model risk management practices, banks' and supervisors' stress testing activities, validation of supervisory stress testing models, and banks' internal audit practices. He engages in both policy-related projects as well as on-site examinations. Palmer was a key contributor to the Federal Reserve's supervisory guidance on capital planning for large firms (SR Letters 15-18 and 15-19), as well as to the Federal Reserve's final rules to implement Dodd-Frank stress testing requirements, and the Federal Reserve's Capital Plan Rule. He was also a primary author of the Federal Reserve's supervisory guidance on model risk management (SR 11-7), issued jointly with the Office of the Comptroller of the Currency, and continues to lead the implementation of that guidance within the Federal Reserve. In addition, Palmer serves in a leadership position in the Federal Reserve for evaluating firms' capital planning processes for CCAR and Pillar 2.

John Rieger is deputy chief accountant in the FDIC’s division of risk management supervision. Previously, he was responsible for core accounting policy covering all lending, leasing, bank assets, bank acquisitions, and all dispositions as vice president of accounting policy at the $460B U.S. Bank. Prior, as director of accounting and financial reporting at the Association for Financial Professionals, Rieger promoted, trained, and advocated on U.S. and international accounting standards to 15,000 financial professional members. Additionally, he was principal administrator at the Organization for Economic Cooperation and Development (OECD) in Paris and senior accounting advisor for the United States Agency for International Development (USAID). Timothy Siwy leads senior managers in the program areas of exam production, information systems (SES, ILSA, Non-Bank Registration and Compliance Tool), RAMPS (Risk, Analytics, Monitoring, Prioritization, Scheduling) and oversight (internal policies and quality management) for CFPB’s Office of Supervision Examinations. Previously, as deputy secretary for non-depository institutions with the Pennsylvania Department of Banking and Securities, Siwy oversaw the licensing, supervision, and enforcement of all non-depository institutions under the authority of the Commonwealth of Pennsylvania. He was also national ombudsman for the Nationwide Mortgage Licensing System. A United States Army veteran, Siwy served as commander and special agent in charge of several criminal investigative units within the Criminal Investigations Command.

Monday | October 1, 2018 11:15 a.m. – 12:15 p.m. CS 1-1: Data Analytics in Internal Fraud Detection Brian Allen, CPA, CISA, CISSP Senior Director, Internal Audit Data Analytics TIAA Ken Cooper, CFE Director, Internal Investigations TIAA Mike Cowell, CIA, CISA Executive Vice President and Chief Auditor TIAA Internal audit functions consider fraud a component of their auditing responsibilities. Data analytics programs provide scalable, repeatable, and cost-effective approaches to identifying indicators of potential internal fraudulent activity across an organization. This course presents strategies, approaches, and techniques for developing internal fraud detection procedures. In addition, it includes opportunities to apply those tools and techniques in real-world scenarios and shares insights on the value of collaboration between internal audit and internal investigation professionals.

In this session, participants will:

• Learn actionable strategies for developing a proactive internal fraud identification program that leverages analytics.

• Design approaches for implementing point-in-time and recurring analytics, including development, consumption, and disposition approaches.

• Gain an appreciation of the value added when internal audit and internal investigation collaborate to identify potential internal fraud and mitigate future occurrences for an organization.

• Experience demo(s) of analytics procedures, generating actionable considerations for implementation at their organization.

Brian Allen leads an international team of data analysts supporting internal fraud detection and investigations, internal audits, and professional practices reporting at TIAA. His nine-person team specializes in applying progressive analytic and automation techniques using a variety of tools, including Microsoft SQL Server, Tableau, SAS, Python, and Automation Anywhere. Allen has previous data analytics, information technology, and accounting experience within internal and external audit at Graham Holdings Company (formerly “The Washington Post Company”) and PricewaterhouseCoopers, LLP. Ken Cooper is a corporate security and federal law enforcement professional with 20 years of demonstrated knowledge and experience in the protection of people, assets, and enterprise operations. His expertise encompasses criminal and civil law procedures, investigative methodology, report writing, case management, reporting, vendor and contract management, financial responsibility and budgeting, risk assessment, and project management and supervision. Cooper is well-versed in testifying and managing investigations, as well as establishing and executing physical security programs. Mike Cowell leads the internal audit division at TIAA, a Fortune 100 diversified financial services organization. In this role, he provides strategic direction to the audit leadership team covering all legal entities and businesses of TIAA. The internal audit division includes the internal audit team and a dedicated internal investigation team. Cowell is a former member of the IIA Global Board of Directors, IIA North American Board, and Board of Governors for the IIA–Charlotte Chapter. He is currently a member of the IIA Financial Services Advisory Board and the Conference Board’s Council of Chief Audit Executives. CS 1-2: Creating Business Value Through Effective Third-Party Management Auditing Abel Clark CEO TruSight Amy Hellen Head of Third Party Risk Management TD Bank

Brian Kostek Director Protiviti Maz Kothari Managing Director JP Morgan Chase Bank Jim McDonald Managing Director Protiviti Sriram Padmanabhan Chief Auditor, Technology, Change and Third Parties Citigroup Third-party risk management continues to be a topic of focus for organizations of all sizes, and while programs continue to be enhanced, the value of real-time, value-based auditing has never been more important. Evaluating the framework, completing data analysis, and providing support to first and second line risk management activities can help reduce costs, enhance processes, and drive value for the organization. In this session, participants will:

• Consider the regulatory landscape. • Outline key considerations and guiding principles when implementing, refreshing, or auditing a third-

party management program. • Timeline the rise of “de-risking” vendors. • Discuss cybersecurity risk management for technology vendors.

Abel Clark is a global executive with over 20 years of experience running businesses in fintech and information services. He has deep expertise in identifying growth opportunities and strategic acquisitions, scaling businesses, driving simplification and operational excellence, and launching innovative products. He is CEO of TruSight, the third-party risk assessment service created by leading banks, including American Express, Bank of America, JPMorgan Chase, Wells Fargo, and Bank of New York Mellon, to elevate the discipline of third-party risk management industry-wide. Clark leads TruSight in streamlining and simplifying third-party assessment by executing best practices assessments once and delivering to many over a secure, shared-services platform. Amy Hellen Bio Being Finalized Brian Kostek is a director with Protiviti and is part of a regulatory risk team. His experience and expertise focuses on third-party vendor risk, regulatory risk and compliance, credit risk, asset management, and internal audit solutions. Prior to joining Protiviti, Brian worked as an associate national bank examiner with the Office of the Comptroller of the Currency.

Maz Kothari Bio Being Finalized Jim McDonald has deep knowledge of financial services regulation and hands-on experience in bank supervision and policy related matters. He retired from the Office of the Comptroller of the Currency (OCC) after 35 years, serving most recently as a senior member of the OCC supervisory team at a top 5 U.S. bank and as chief of staff for the examiner-in-charge. McDonald held direct responsibility for the bank’s risk management, global compliance, and internal audit functions. He drove OCC efforts to attain effective bank remediation efforts across all matters of regulatory concern. Further, McDonald was instrumental in guiding bank efforts to establish an effective risk framework, risk appetite, risk culture, and global compliance program. Sriram Padmanabhan has 28+ years of financial services experience. He joined Citi in 2014 as chief auditor for Middle East and North Africa and became chief auditor of ICG technology and operations in 2016. He was appointed chief auditor of technology in 2017 to oversee internal audit’s delivery of assurance on governance, risk management, and control across the technology function globally. Previously, Padmanabhan served in senior leadership roles in EMEA and APAC at Standard Chartered Bank. In addition to directing operations and technology teams across multiple geographies to deliver IT infrastructure and services, he led teams to develop, test, and implement new systems as well as establish centralized processing and data centers. He was also a board member at Standard Chartered Bank Nigeria Ltd. and audit committee chair. CS 1-3: Internal Audit's Pathway to the Future: CAE Panel Discussion Patricia Barbari SVP and General Auditor New York Life Insurance Company Kathleen Connolly Chief Audit Executive Goldman Sachs Matt Easton Global Head, Internal Audit Invesco Ltd. Adam Regelbrugge, CPA Principal Deloitte & Touche LLP

Many internal audit departments are finding ways to innovate processes to deliver greater assurance, advise stakeholders, and anticipate risk. What innovations are making the greatest impact, and do internal audit stakeholders agree? Join a panel of banking, insurance, investment management, and real estate CAEs as we explore how they’re preparing for the future of internal audit and examine their reactions to recent survey data from 1,000+ CAEs worldwide. In this session, participants will:

• Consider the technology-driven developments expected to impact internal audit in the next three to five years.

• Develop a point of view on a resource model that will meet the needs of the internal audit of the future.

• Map key areas in the audit lifecycle where they will innovate and add value for their stakeholders. • Develop ideas of how they want to innovate and identify the technology, skills, budget, and

methodologies needed. Patricia Barbari has served as chief auditor at New York Life since 2012. She began her career at New York Life as a director of corporate quality and spent four years in internal audit before moving to the company’s insurance service operations. Barbari held a series of positions in the service department, including head of life and annuity new business, before returning to corporate audit in 2010. Kathleen Connolly is global director of Internal Audit reporting to the Board of Directors through the Audit Committee and administratively to the firm’s general counsel. She serves as an observer on the Firmwide Client and Business Standards Committee, Firmwide Risk Committee, Firmwide Enterprise Risk Committee and Firmwide Reputational Risk Committee. Kathy is also a sponsor for the Legal, Compliance, Internal Audit and Executive Office Black Network and a managing director ally for the Lesbian, Gay, Bisexual and Transgender Network. Prior to assuming her current role, Kathy was head of Investment Management Division Controllers. Before that, she held various roles in Product Controllers in New York and Hong Kong. Kathy joined Goldman Sachs in 1996 as an analyst and was named managing director in 2007 and partner in 2014.Prior to joining the firm, Kathy worked as an auditor at Coopers and Lybrand in New York. Kathy is a member of the President's Council of Cornell Women. Kathy earned a BS in Business from Cornell University and is a certified public accountant in New York State. Matt Easton Bio Being Finalized Adam Regelbrugge is the national internal audit financial services (IA FSI) leader in Deloitte’s risk advisory practice, where he has over 30 years of global experience delivering strategic risk and control advisory services, including IA FSI outsourcing, co-sourcing, strategic and operational consulting, and enterprise-wide risk services, to FSI audit and relationship clients. In addition, as lead and advisory partner on numerous IA FSI strategic accounts, he leads and supports the risk advisory relationship as well as outsourcing and co-sourcing delivery teams, including global coordination and oversight for all risk and control related services. Regelbrugge previously served as CAE at a publicly-traded financial services company.

Monday | October 1, 2018 1:30 – 2:30 p.m. General Session 2: A Regulatory Perspective on Governance and Risk Larry L. Hattix Senior Deputy Comptroller for Enterprise Governance and Ombudsman Office of the Comptroller of the Currency Larry Hattix, senior deputy comptroller for enterprise governance and ombudsman, will discuss the role of the ombudsman, enterprise governance within the Office of the Comptroller of the Currency (OCC) and how that translates into the agency’s expectations of financial institutions, as well as emerging issues drawing the focus of the OCC. In this session, participants will:

• Understand enterprise governance. • Learn about the role of ombudsman in dispute resolution. • Uncover emerging issues within the financial services industry.

Larry Hattix oversees the enterprise governance function, bank and savings association appeals program, and customer assistance group as the senior deputy comptroller for enterprise governance and ombudsman at the OCC. He also serves on the agency’s executive committee and represents the agency as a member of the International Network of Financial Services Ombudsman Schemes, which promotes effective dispute resolution, improves international coordination and cooperation, and shares best practices globally. Previously, Hattix directly supervised 40 banks as assistant deputy comptroller for the Cincinnati/Columbus field office. His early roles with the OCC included specialist in bank information systems, BIS lead expert, and national bank examiner.

Monday | October 1, 2018 2:45 – 3:45 p.m. CS 2-1: Harnessing the Power of Innovation to #DrivePositiveChange Marc Sabino Chief Auditor, Innovation Citigroup Robotics, analytics, and artificial intelligence are just some of the buzzwords in today’s audit world. But what do they really mean within the context of audit innovation? And how can audit departments around the globe truly harness the power of innovation to enhance assurance and improve the stakeholder experience?

In this session, participants will:

• Learn how innovation can enhance the overall stakeholder experience. • Deep dive into practical, real-life examples demonstrating how implementation of innovative solutions

leads to tangible results. • Leave with an understanding of how innovation can be used to drive enhanced assurance and greater

insights. Marc Sabino was appointed chief auditor, head of innovation for audit at Citigroup in August 2017. He is responsible for the internal audit innovation team, which includes the strategic vision of an innovation strategy to support the mission of drive positive change and be a game changer in the industry. Sabino leads a team that identifies and executes innovation, automation opportunities, and performs data analytics to drive insights and operational efficiency. CS 2-2: Real-Time Insight: Assurance Over the Organization’s Strategic Plan Stacey L. Schabel, CPA Vice President & Chief Audit Executive, Jackson North American Audit Director, Prudential plc Executive management, boards, audit committees, and regulators value real-time insight on the most business-critical areas. This session will focus on how internal audit can align with this expectation through assessment of the plans, program management activities, and governance driving the organization’s strategic plan. In this session, participants will:

• Learn about the types of assurance stakeholders value most. • Become familiar with an approach that can be used to assess the likelihood of success of their

organization’s strategic plan. • Experience a real-life example of this type of audit being executed and understand keys to success,

stakeholder reactions, and common pitfalls. • Receive a sample audit program designed to support the assessment of their organization’s strategic

plan. Stacey Schabel is responsible for the North American Group-wide Internal Audit team, which examines and evaluates the key activities and processes supporting the North American operations of Prudential plc, which includes Jackson National Life Insurance Company. She assists the Board, Audit and Risk Committee members and executive management in protecting the assets, reputation and sustainability of the organization through assessment and reporting of the overall effectiveness of risk management, control and governance processes. Schabel is a member of the IIA’s Global Financial Services Guidance Committee, the IIA chief Audit Executive Engagement Committee Chair for the Lansing, Michigan Chapter, as well as a CPA and FINRA Series 6 registrant.

CS 2-3: Advancing the Internal Audit Profession Moderator: Faizal Chaudhury, CPA, CGMA Vice President, Internal Audit Sallie Mae Bank Panelists: Star McDade, CPA Vice President and Portfolio General Auditor American Express Company Maggie Phan, CIA, CISA Senior Vice President and Head of Internal Audit Practices and Operations Brown Brothers Harriman & Co. Dana Randell, CPA Senior Vice President and Head of Audit, Professional Practices Synchrony Financial IA departments at financial institutions face unique challenges in today’s business climate. Increasing demands and expectations of stakeholders (regulators, audit committees, management, etc.) are driving the profession to find ways to evolve and grow. Learn how the professional practice function within IA plays a critical and integral role in ensuring IA departments meet the evolving demands of key stakeholders while also helping enhance and maximize the IA value proposition. In this session, participants will:

• Gain expert insights into recent regulatory exams (horizontal reviews of internal audit). • Learn about disruption of traditional internal audit processes and how technology, data analytics, and

artificial intelligence/RPA can be leveraged to drive efficiencies. • Understand the role of professional practices in branding and marketing internal audit to build

strategic relationships internally, throughout the industry, and with regulators. • Discuss training and talent management, value-added QARs, best practices for professional practice

teams, and how key metrics and stakeholder reporting can drive the profession forward. Faizal Chaudhury has over 20 years of dedicated experience as an audit professional. Prior to joining Sallie Mae, he held audit leadership positions at TD Bank and Bank of America. Chaudhury’s other experiences include working as an external auditor for EY and Crowe Horwath. He is also a frequent speaker at various national and local professional association conferences related to auditing.

Star McDade is a multi-disciplined financial services professional with strong personal values and a diversity of experience that helps shape her perspective. She is currently responsible for directing internal audit activities for the global commercial services and the global merchant/network services businesses, as well as for various oversight functions, including operational risk management, global privacy and enterprise data governance, and big data. McDade’s earlier AmEx roles included vice president, chief of staff, and head of professional practices and quality assurance. Previously, she provided audit and advisory services to hedge fund, private equity, mutual fund, and government investment pool clients at PwC in Houston and New York City. Maggie Phan has over 18 years of combined experience in internal audit and the financial services and banking industries. Prior to joining BBH&Co., she led the internal audit professional practices function at TIAA. Phan also served in various audit leadership roles at large financial institutions such as Fidelity and Mitsubishi UFJ Trust & Banking, and she has worked with various regulators, including SEC, FINRA, FRB, OCC, DFS). She is fluent in Cantonese, Mandarin, and Vietnamese. Dana Randell has over 18 years of experience in audit and assurance activities, with a focus on financial services. Her extensive background spans consumer lending and bank compliance, including fair lending, UDAAP, and AML compliance requirements. She leads the Synchrony internal audit professional practices group and is currently developing a digital audit strategy for the department, focusing on leveraging data analytics, automation, and technology to develop auditors of the future. Previously, Randell spent 12 years in public accounting focused on audit and assurance work in the financial services, retail, and construction industries. Monday | October 1, 2018 4:15 – 5:15 p.m. CS 3-1: Blockchain and Cryptocurrencies, Including Assurance and Compliance Considerations Mike Lempres Chief Legal & Risk Officer Coinbase A. Michael Smith Partner PwC Rapidly evolving technologies are creating a critical need for business, technology, and compliance functions to be prepared, adaptive, and agile to emerging challenges. Specifically, blockchain — a distributed ledger technology underpinning cryptocurrencies and being tested by a variety of companies to track ownership of assets without a central authority — is now everywhere. Supporters claim it to be a panacea for the high overhead costs associated with financial services transactions.

In this session, participants will:

• Learn blockchain concepts, what blockchain means for their organization, and the benefits and unknowns of blockchain applications.

• Delve into industry use cases in financial services and gain assurance for blockchain use cases. • Understand cryptocurrency and why it requires their attention. • Discuss the regulatory environment and anticipated regulatory changes.

Mike Lempres leads the legal, compliance, risk, corporate secretary, and government affairs teams at Coinbase, working to ensure the company is able to grow while meeting all legal and regulatory obligations in the U.S. and around the world. Lempres has worked extensively in both the public and private sectors. He was appointed by three Presidential administrations to senior government positions and worked closely on a daily basis with two Attorneys General. He was selected as a White House Fellow and served as a Deputy Associate Attorney General and Executive Commissioner of the Immigration and Naturalization Service. He also served as Vice President of the U.S. Overseas Private Investment Corporation. A. Michael Smith has over 28 years of public and private industry experience, encompassing IT internal audit, cybersecurity, privacy, IT governance risk and compliance, and national/international regulatory requirements in the IT space. He has lived and worked in Europe and led teams in EMEA and APAC. Smith is responsible for PwC’s U.S. internal technology audit services practice for financial services companies and has led projects or worked in all financial services sectors. He also leads the blockchain assurance practice globally, helping clients deal with the complexities of risk, control, and assurance in blockchain infrastructures. Smith was previously global director of technology audit for Bank of New York Mellon. CS 3-2: Striking a Balance: IA’s Critical Role in Regulatory Issue Remediation Moderator: TJ Scallon Advisory Partner, Internal Audit and Enterprise Risk KPMG Panelists: Gilles Karpowicz Chief Audit Executive BNP Paribas USA and North America Wholesale Allyson Kidik, CFIRS Senior Vice President and Senior Deputy General Auditor KeyBank Vincent Pinelli, CRMA Managing Director, Deputy Chief Audit Executive MUFG Internal Audit for the Americas

This discussion on regulatory issue validation will address topics such as demonstrating operational effectiveness and sustainability, linkage with audit issues and self-identified issues, coordination with business, and evolving regulatory expectations. In this session, participants will:

• Understand evolving regulatory expectations related to regulatory issue validation and lessons learned. • Discuss practices for demonstrating operational effectiveness and sustainability. • Identify the benefits and practical application of linking regulatory issues with those issues identified by

internal audit and the other lines of defense. • Share practices for coordinating with the first and second lines of defense during regulatory issue

remediation and validation. TJ Scallon has 25 years of experience providing audit and advisory services to global financial institutions. As an advisory partner within KPMG’s internal audit and enterprise risk practice, he works closely with senior management in areas such as governance, risk and compliance, internal controls and audit frameworks, issue remediation, and enterprise risk management across all three lines of defense. Previously, Scallon served some of KPMG’s largest banking and capital markets clients as an audit partner in the financial services audit practice. He currently serves as financial services lead for internal audit and enterprise risk nationally and as banking and capital markets industry leader for KPMG’s New York office. Gilles Karpowicz is CAE for non-retail operations of BNP Paribas in North America as well as for BNP Paribas Intermediate Holding Company, which encompasses retail operations. In his role, he directs a comprehensive risk-based program providing independent evaluations of the adequacy and effectiveness of the Bank’s risk management, internal controls, credit quality, security, and governance processes. Previously, as general auditor for Bank of the West and BancWest Corp., he upgraded the audit function to meet heightened regulatory expectations associated with large complex banking organizations and Dodd-Frank reform, including CCAR. As risk manager for BancWest Corp., Karpowicz headed the Basel II program management office within the risk management division. Allyson Kidik leads the professional practices and strategy team within the internal audit group at KeyBank. She reports directly to the chief risk review officer and general auditor. Kidik has been with KeyBank’s risk review group since January 2006; she has held various positions, including leading the capital markets, compliance, and data analytics audit groups. She also completed KeyBank’s Accelerated Development Program and Corporate Leadership Center’s Leading Women Executives Program. Previously, Kidik was an auditor at JP Morgan Chase/Bank One.

Vince Pinelli is responsible for MUFG combined U.S. operations and global audit strategy as managing director, deputy CAE for MUFG Americas. His prior roles at MUFG included interim head of third-line credit review, COO, and head of audit professional practices. Previously, he was CAO for the Bank of Tokyo-Mitsubishi UFJ internal audit office for the Americas. Pinelli has been recognized as a leader across global MUFG affiliate audit offices in driving industry best practices in audit methodology, operations, GRC technology, and risk-based taxonomies to meet heightened regulatory expectations. He is a member of The IIA’s North American Advocacy Committee. CS 3-3: Reading the Tea Leaves: Handling Complaints/Concerns Ayush Agarwal, CA, CFA Audit Director SunTrust Bank Most organizations receive a significant number of complaints/concerns from various sources, but fail to realize the importance of data and analytics around the information collected, which, if aggregated and utilized appropriately, could provide senior management, the audit committee, and board of directors with invaluable information and insights into a company’s culture and potential red flags. In this session, participants will:

• List the various avenues through which a typical organization receives complaints/concerns. • Describe regulatory expectations concerning whistleblowing/complaints. • Understand some of the gaps that currently exist at most organizations, preventing them from using

complaints/concerns information in a meaningful manner. • Develop ideas for aggregating and analyzing data related to complaints/concerns.

Ayush Agarwal has over 20 years of experience in the financial services industry, including banking, capital markets, and asset management companies. His expertise spans auditing (internal/external), risk management, financial analysis, financial due diligence, accounting, and valuation. As SunTrust Bank’s audit director for corporate functions, Agarwal is tasked with evaluating the effectiveness of risk management, control, and governance processes and recommending improvements. His primary areas of audit responsibility encompass finance and accounting, human resources, legal, and marketing. Tuesday | October 2, 2018 8:30 – 9:45 a.m. General Session 3: Guard Rails for the FinTech Revolution Theresa Grafenstine, CIA, CGAP, CPA, CGMA, CISSP Former Inspector General (Retired), US House of Representatives Managing Director, Deloitte & Touche LLP

In an increasingly interconnected world, financial Institutions that don’t innovate and broaden their technology footprint are at risk of losing market share. Yet, every day, we hear news reports of another organization being breached. To provide value, internal audit needs to find a balance between providing assurance on important data protection functions while supporting the operational innovations that are driving new value. In this session, participants will:

• Receive an overview of cyber trends and classic breach tactics. • Review data protection strategies and ways to communicate these strategies with the board and C-

suite. • Discuss operational innovations, such as robotic process automation, machine learning, and agile

auditing, which are positioned to drive the future of internal auditing. Theresa Grafenstine supports both commercial and government clients as a managing director in Deloitte’s risk and financial advisory practice. Previously, as inspector general of the U.S. House of Representatives, she was responsible for planning and leading independent, non-partisan audits, advisories, and investigations of the financial and administrative functions of the House. Grafenstine also served at the Department of Defense Office of the Inspector General where she led acquisition audits of major weapon systems and was selected to respond to high-profile Congressional audit requests. She was a founding member of The IIA’s American Center for Government Auditing (now the Public Sector Audit Center).

Tuesday | October 2, 2018 10:00 – 11:00 a.m. CS 4-1: Advancing IT Audit’s Capabilities to Conduct Cyber Security Audits Jon Coughlin, CISA, CISSP Technology Audit Director PNC Bank David Dunn, CIA, CPA, CITP, CGMA Assistant General Auditor, Information Technology PNC Bank Lee Williams Audit Director, Information Technology Audit- Infrastructure and Cyber Security PNC Bank

Audit’s coverage of cybersecurity risk can be strengthened through testing techniques that go beyond traditional coverage of policies, procedures, and governance focused controls. Evolution may be required to address emerging laws and regulations, such as cyber ANPR and state privacy laws, in a timely manner. Alternate approaches, including leveraging security specialists or data analytics, can add incremental value to audit’s output, as can establishing dedicated security testing and/or ethical hacking teams. In this session, participants will:

• Understand inherent limitations in applying traditional audit testing techniques to cybersecurity areas of focus, and the need to evolve to respond to emerging laws and regulations.

• Identify specific areas where alternate testing approaches from audit can increase the value provided within cybersecurity audit activities.

• Develop ideas for implementing value-added security testing within their organizations, based on examples of data loss prevention, firewall rule auditing, and vulnerability management analysis.

• Understand a potential model for successfully building an ethical hacking team directly within the audit function.

Jon Coughlin leads audit coverage of PNC’s technology infrastructure and security functions. He has had accountability for leading the audit team’s coverage of infrastructure, security, fraud, technology risk management, and technology project auditing at various points since 2012. Coughlin previously delivered technology risk and control services in complex, highly regulated environments as a senior manager within Deloitte & Touche’s enterprise risk services function. While in public accounting, he served clients with a focus on technology external/internal audit, technology risk management, and security governance. For 17+ years, he has delivered technology, risk, and control related services, with broad, global experience in the financial services, healthcare, retail, and manufacturing industries. David Dunn is responsible for leading the internal audit function for PNC’s information technology as assistant general auditor for The PNC Financial Services Group. He was previously senior vice president and senior audit director of global technology and operations for Bank of America. Dunn’s 24+ years of experience in technology, audit, and financial services includes The Royal Bank of Scotland, where he served as head of operational risk management (ORM) and as director of ORM technology and the Basel II program. Earlier, he held senior leadership positions at Capital One Financial, PeopleSoft, and Corning. Lee Williams leads the internal audit function for PNC’s technology infrastructure services and cyber security lines of business. Previously, at Bank of America, he was senior vice president and operational risk executive for the chief technology organization, operational risk executive for global information security, senior audit manager for technology infrastructure, and technical liaison for offshoring IT operations at Bank America continuum solutions. Williams has over 26 years of experience in technology, audit, and consulting within the financial services and telecom industries. His background includes chief technology officer at Elite Outsourcing and independent consultant at Groupe Telecom, Motorola, Verio, and Bellsouth Cellular.

CS 4-2: Effectively Assessing a Risk Governance Framework Julie Scammahorn, CIA, CRMA Chief Auditor of Citibank, N.A., North America, Compliance and Anti-Money Laundering Citibank Paul Ricci Risk Management Chief Auditor, Managing Director Citibank Assessing a firm’s risk governance framework continues to be a challenge for auditors around the world. What are the key success factors to ensure an effective assessment? How does an effective assessment tie into the identification of emerging risk? And when emerging risks are identified, how are they addressed through the three lines of defense? In this session, participants will:

• Gain an understanding of key factors to consider when assessing a firm’s risk governance framework. • Learn tactics that can be employed to identify emerging risks. • Recognize how identification of emerging risks ties into the three lines of defense model.

Julie Scammahorn is responsible for the ongoing assessment of businesses’ risk and control environment through evaluation of financial, operational, and administrative controls; governance; and risk management practices as well as adherence to laws, regulations, and Citigroup and Citibank, N.A. policies. She also is the regional chief auditor for North America, overseeing the program assurance provided over Citi’s businesses across the region. Prior to joining Citi in 2014, Scammahorn was the general auditor and senior vice president of American Express Company, and also served as general auditor at Bank of America Corporation (legacy Countrywide Financial Corporation). Scammahorn started her career in banking with NationsBank (Bank of America) and was the senior vice president and audit director responsible for the global audits of Banc of America Securities. She is a member of The IIA’s Financial Services Advisory Board. Paul Ricci is Citigroup’s chief auditor of global risk management. He is responsible for internal audit program coverage of capital planning, data management, fraud risk management, and Basel related activities. His professional experience has centered on assessing the effectiveness of large financial institutions’ market risk, credit risk, operational risk, model risk, and liquidity risk management control frameworks. Ricci was previously chief auditor for the global risk management, risk technology, investment bank finance, and human resources internal audit teams at JPMorgan. He also worked at a financial planning and tax accounting services company as a tax accountant with a portfolio of high net worth clients.

CS 4-3: Focusing on Talent Management Programs for Audit Divisions Denise Harris General Auditor, Talent Strategy Bank of America Amy Korsakoff Audit Director, Senior Vice President Bank of America Gouri Veerubhotla Audit Director, Senior Vice President Bank of America Kevin Thalinger Audit Director, Senior Vice President Bank of America Internal audit is a people business. Our people can make or break the work that we do; no matter how good our strategic priorities and audit plans can be, they must be executed by people at all levels within the audit organization. Audit departments must focus on developing strong and diverse talent at all levels.

In this session, participants will: • Explore employee engagement programs that drive employment and develop diverse talent. • Discuss integration of training programs, including development of the auditor of the future. • Identify opportunities for facilitating courageous conversations amongst audit teams.

Denise Harris is responsible for division-wide skills assessment and capacity planning processes, as well as audit training and the college hire/intern program as Bank of America’s general auditor for talent strategy. She drives innovation and process improvements as the SIM partner for corporate audit and credit review. Harris serves on BOA’s global diversity and inclusion council, is co-executive sponsor for two BOA employee networks, and is executive sponsor of the employee engagement council for corporate audit. In a range of leadership positions within BOA’s audit organization, she has supported various businesses, including global consumer and small business banking, global banking, global wealth and investment management, and global treasury and operations.

Amy Korsakoff is an audit director on Bank of America’s consumer, wealth management, and anticipatory audit team. She oversees audit activities covering banking products design, sales and fulfillment, and new capabilities and sales practices. Korsakoff has been a trusted audit partner for various groups and has supported consumer card functions, small business, and collections. Previously, she was responsible for consumer compliance coverage, including a dedicated flood remediation team focused on real-time validation of BOA’s MRAs and flood consent order. She also led executive and board reporting for the audit strategy and development group. Prior to joining BOA, Korsakoff was an internal auditor for American Water. Gouri Veerubhotla is an audit director on Bank of America’s global technology and operations audit team. She joined BOA in 2017 and guides the enterprise shared services and audit issue management teams. Veerubhotla leads a workstream centered on employee wellness as a member of the corporate audit and credit review connected council, which is focused on driving an inclusive and diverse work environment, simplifying day-to-day operations, and professional development. Veerubhotla has over 25 years of audit and leadership experience in global financial institutions such as AIG and JPMorgan Chase, serving in such roles as managing director in internal audit, regulatory liaison officer, and chief of staff to the CFO. Kevin Thalinger is the audit director for the training development team and buildout of the ‘Auditor of the Future’ at Bank of America. Prior, he was BOA’s director of global stress testing, global recovery, and resolution planning and liquidity. Thalinger and his team directed and executed comprehensive audit coverage of key regulatory requirements and submissions to the FRB, OCC, and FDIC. Previously, he supported Promontory Financial’s stress testing and recovery and resolution planning practice, working on client engagements and business development. Earlier, at Ally Financial, Thalinger was responsible for regulatory capital and stress testing as well as coordinating the supervisory capital assessment program and its companywide internal capital-adequacy assessment process.

Tuesday | October 2, 2018 11:15 a.m. – 12:15 p.m. CS 5-1: Unleashing the Power of Continuous Auditing Stacy Juchno, CPA General Auditor PNC Bank Christopher Paulison, CPA Partner Grant Thornton, LLP

The days of performing a stand-alone risk assessment and having a static internal audit plan are over; internal audit is moving to real-time auditing. Continuous auditing techniques utilized in financial services include: ongoing monitoring of key risks (including external and emerging risks) for a more dynamic audit plan; harnessing and analyzing data to see risks earlier, more broadly, and through a different lens than before; and sharing best practices with the first and second line to help improve continuous monitoring. In this session, participants will:

• Discuss the benefits and challenges of continuous auditing. • Explore methods for implementing continuous auditing. • Describe how to use key risk indicators to monitor risks on an ongoing basis. • Understand how the first and second line can benefit from continuous auditing. • Receive related practical examples, leading practices, and sample deliverables.

Chris Paulison has over 25 years of experience and serves as the leader for Grant Thornton’s financial services center of excellence for internal audit. He is active in the financial institutions marketplace, providing client services to banks of varying sizes and complexity, and has led large-scale global process transformations, benchmarking/cost productivity/organizational design projects in the areas of business operations, internal audit, regulatory compliance, and risk management; as well as supervision of simultaneous work across five continents. Prior to Grant Thornton, Paulison served as partner for a Big 4 firm where he led the firm’s internal audit/risk practice for the midwest region in financial services. He also served as the CAE for a Fortune 20 company. Stacy Juchno is responsible for all aspects of the internal audit function providing assurance on the effectiveness of PNC’s risk management, control, and governance processes to the audit committee and board of directors. Prior to being named to her current position in 2013, she served as senior vice president and Finance Governance and Oversight director responsible for the oversight of enterprisewide Sarbanes-Oxley section 302 and 404 activities, including the reporting of relevant matters to the steering committee, disclosure committee, and audit committee. In addition, Juchno led the defense activities to support the Finance Basel, CCAR, and regulatory reporting processes. Her role also included coordinating and monitoring compliance of the enterprise and operational risk programs impacting finance. She was named executive vice president in 2014. Prior to joining PNC in 2009, Juchno was the director of regulatory compliance for a publicly traded telecommunication company in Pittsburgh, where she implemented the Sarbanes-Oxley 302 and 404 requirements and performed the internal audit function. She also worked at Ernst and Young for five years as an audit manager planning and performing external audit services of high-tech, hospitality, food and beverage, retail and manufacturing companies with both domestic and international operations.

CS 5-2: Co-Sourcing and Outsourcing: Why Do It? Moderator: Sabrina Serafin, CISA Partner and National Practice Leader Frazier & Deeter Panelists: Matthew Burgess, CIA, CPA, CISA Executive Vice President and Chief Internal Auditor First Financial Bancorp Paul Calhoun, CPA Executive Vice President and Chief Audit Executive TowneBank Bradley Carroll, CIA, QIAL, CFSA, CRMA Senior Vice President and Director, Internal Audit State Bank Financial Corporation Steven E. Jameson, CIA, CCSA, CFSA, CRMA, CPA Executive Vice President and Chief Internal Audit & Risk Officer Community Trust Bancorp, Inc. This will be a panel discussion on why to out/co-source. (Standard 1210; SME for specific areas, HR constraints in small banks, cost considerations). Participants will learn the characteristics of each, pros/cons (SMEs, direct report to AC, scope creep, workpaper ownership, workpaper/report consistency), and how each CAE manages the out/co-source arrangements at their institution (who selects/engages, who manages, multiple partners or one for all out/co-sourcing needs, effect on QAIP program, meeting SR 13-1 requirements). In this session, participants will:

• Recognize the difference between co-sourcing and outsourcing; analyze the characteristics of each and determine which are pros and cons in their model.

• Determine the level to which their department should rely on co-sourcing or outsourcing: strategic placement to supplement work or complete transfer of the audit plan?

• Develop a plan for seamless integration among multiple SME partners (co-sourced or outsourced) and in-sourced staff.

Sabrina Serafin Bio Being Finalized

Matthew Burgess has 37 years of experience in external audit, internal audit, and internal control consulting, primarily with companies in the financial services industry, including Comerica, VW Credit, Ally Financial Services, and Synchrony Bank. His bank audit background has spanned consumer lending, private lending, finance, operations, and wealth management. He is skilled in designing and implementing large-scale enhancements to audit processes and methodologies, establishing risk assessment models and processes, and creating and leading teams to complete audit plans. Burgess served on the Board of Governors of The IIA’s Salt Lake City chapter and is a past president of the Board of Governors of The IIA’s Detroit chapter. Paul Calhoun has served as chief audit executive of TowneBank since July 2017. He is a regular speaker on the benefits of the internal audit profession to universities and on best practices for executing risk-based audit plans. Previously he built and led the internal audit and credit risk review functions at BNC Bank and had increasing responsibilities with the internal audit function at First Citizens Bank. Bradley Carroll began his career in internal audit with Central Bank, Carter’s, and Wachovia Bank. He then started and sold a CPA practice. Carroll transitioned back into internal audit when he was hired as CAE of the now $5.2-billion State Bank Financial Corporation, which was using outsourced services for internal audit. He was challenged to develop a methodology and staff the bank’s own internal audit function. As the community bank representative for The IIA’s Financial Services Advisory Board, Carroll has advocated on Capitol Hill on behalf of IIA initiatives. He also recently joined IIA–Atlanta’s Board of Directors and Executive Committee. Steven Jameson directs Community Trust Bancorp’s internal audit, enterprise risk management, loan review, and compliance functions. He has over 30 years of combined experience in internal audit in the financial services industry, public accounting, and as AVP of The IIA’s Professional Practices Group. Jameson acted as a liaison to COSO’s Internal Control Integrated Framework 2012 Update, COSO’s Enterprise Risk Management Advisory Council 2004, IFAC’s International Auditing Practices Committee, and FFIEC’s Internal Audit Outsourcing Policy Update. He also served on the Board of Environmental, Health & Safety Auditor Certifications, as well as The IIA’s Financial Services Advisory Board, CBOK Steering Committee, Professional Issues Committee, Committee of Research & Education Advisors, and Internal Audit Foundation Board of Trustees. CS 5-3: How Strong Is Your Ability to Effectively Challenge Management? Stephen Mills, CIA, CCSA, ACA Managing Director Promontory Financial Group Andrew Jackson, CIA, CISA Chief Audit Executive TCF Financial Corporation

U.S. bank supervisors have significant underlying concerns regarding internal audit's independence, objectivity, and true ability to effectively challenge management. This session will discuss common regulatory criticisms in this area and explore an approach and framework to self-assess and evaluate internal audit strength and vulnerabilities regarding independence, objectivity, and challenge. The session will outline tangible steps that can be taken to strengthen and demonstrate effective challenge to bank supervisors and the audit committee. In this session, participants will:

• Describe and recognize the relationship between independence, objectivity, and challenge. • Construct a framework to evaluate strengths and weaknesses relating to effective challenge. • Formulate tangible actions to improve independence, objectivity, and the ability to truly challenge

management. Stephen Mills has extensive global experience, having lived and worked in Asia, Europe, and the U.S. As a managing director in Promontory Financial Group’s New York office, he advises clients in the areas of internal audit and internal control frameworks, risk management, corporate governance, regulatory relationships, compliance transformation, quality assurance and compliance testing, and regulatory compliance, including BSA/AML and sanctions, mortgage servicing and loss mitigation practices, and model validation. Previously, Mills spent nearly 20 years in global positions with American Express as a senior member of the global internal audit team. He was general auditor of the company’s major U.S. and international bank subsidiaries, with responsibility for global internal audit regulatory relationships. Andrew Jackson has been the chief audit executive of TCF Financial since 2012, responsible for internal audit, loan review, and internal investigations. Previously, he served as CAE of First Horizon National Corporation and executive vice president and corporate auditor of the internal audit function at First Tennessee Bank. Jackson is a member of The IIA’s Financial Services Advisory Board, the Financial Services Conference Board, and the Mid-Size Bank Coalition Chief Auditors Group.

Tuesday | October 2, 2018 1:15 – 2:30 p.m. General Session 4: A CEO’s Perspective: Responsible Growth Facilitator: Christine Katziff Chief Audit Executive Bank of America Speaker: Brian T. Moynihan Chairman of the Board and Chief Executive Officer Bank of America

Christine Katziff, CAE at Bank of America, will host a conversation with the company’s CEO Brian Moynihan, to discuss the economy, current challenges facing the industry, what it means to grow responsibly; and the role Audit must play. In this session, participants will:

• Hear Christine and Brian’s perspective on the current state of the economy and the industry. • Learn how a CEO thinks about financial sector growth, opportunities and challenges in the current

environment. • Discuss the expectations of internal audit and the value the team brings to the organization’s efforts to

drive responsible growth. Christine Katziff is the chief audit executive of Bank of America and a member of the executive management team. Since 2010, she has led a global division providing independent assessments of the company’s business strategies, operations, risk framework, financial management, and credit standards in support of responsible growth. Katziff is executive vice chair of BOA’s Global Diversity and Inclusion Council, and also serves as executive sponsor for BOA’s Investing in Women Leadership Council. She previously held a number of management positions in audit and compliance at FleetBoston Financial and in KPMG’s management advisory services. Brian Moynihan leads a team of more than 200,000 employees dedicated to making financial lives better for people, companies of every size, and institutional investors across the United States and around the world. Moynihan participates in several organizations focused on economic and market trends, including the World Economic Forum International Business Council, The Clearing House, the Financial Services Forum and the Financial Services Roundtable (chair of both), the Business Roundtable, and the Bi-Partisan Policy Center CEO Council on Health and Innovation. He is also a member of the Federal Advisory Council of the Federal Reserve Bank, and he leads BOA’s Global Diversity and Inclusion Council. Tuesday | October 2, 2018 3:00 – 4:15 p.m. Closing Keynote: Creating Impactful Relationships With the C-Suite Margie Bastolla, CIA, CRMA Principal Margie Bastolla Facilitations, LLC In addition to good analytical skills, an understanding of the business, and knowledge of the organization’s key risks, a great internal auditor should possess a knack for building solid relationships with management and the C-suite. Not only are internal auditors with strong professional relationships happier and more productive at work, if they are known and trusted by audit clients and executives, their recommendations are more likely to be embraced.

In this session, participants will:

• Discover seven practical ways to enhance relationships with management and the C-suite. • Identify personal hang-ups that prevent them from building impactful relationships. • Learn what to say — and how to say it — during conversations with executives.

Margie Bastolla is a professional trainer and speaker who provides customized, onsite training for internal auditors on both technical and soft skill topics. She has worked in over 40 countries, conducting hundreds of seminars, workshops, and conference sessions for corporations, government entities, U.N. agencies, and IIA chapters and institutes. Bastolla draws on 30 years of leadership experience in internal auditing, international relations, association management, and public accounting. Previously, she was an executive with The IIA’s global headquarters and an auditor with Worthen Banking Corporation and Deloitte.