15TH ANNUAL IIA and ISACA Spring Conference
MARCH 10-12, 2014
University of Michigan-Dearborn, Fairlane Center

Welcome

If you are responsible for your company's internal auditing, information systems security and integrity, accounting, finance, Sarbanes-Oxley compliance or other regulatory matters, or simply getting back to the basics, you will want to join us for the 15th annual Detroit Spring Conference.

The Detroit Chapters of the IIA and ISACA are proud to co-sponsor the annual Spring Conference. Each year, the conference committee spends a considerable amount of time planning a comprehensive series of course offerings for our members and guests. The 2014 event is no exception.

A number of classes sell out each year. Don't miss this opportunity to network with your peers, enhance your skills, and learn about new products and services in the marketplace! Our goal is to provide a training conference of world-class caliber tailored to your needs.

We look forward to seeing you at the Spring Conference.

- The 2014 Spring Conference Committee

RETURNING THIS YEAR! – VENDOR EXPO

We have invited many audit and assurance vendors to set up displays during the conference, giving you an opportunity to learn about products and partners that are in the marketplace, and their associated benefits for your organization.

A Special Thanks to our Platinum Sponsors who continue to give generous support to this annual event!

Monday Lunch – PwC
Tuesday Lunch – Experis Finance
Wednesday Lunch – Accretive Solutions

2014 CONFERENCE PROGRAM

Track A
  Mon March 10: Listening and Positive Influencing Skills (Dr. Joan Pastor)
  Tues March 11: Effective Interviewing Skills (Dr. Joan Pastor)
  Wed March 12: Managing Resistance and Conflict Before, During and After an Audit (Dr. Joan Pastor)

Track B
  Mon March 10: Organizational Ethics and Compliance (Paul Zikmund)
  Tues March 11: Procurement Fraud: Tools and Techniques (Paul Zikmund)
  Wed March 12: Forensic Interview and Interrogation (Paul Zikmund)

Track C
  Mon-Wed: Internal Audit University (Hernan Murdock)

Track D
  Mon-Wed: Risk-Based Auditing (Greg Duckert)

Track E
  Mon-Wed: Intermediate ACL (Opher Jackson)

Track F
  Mon March 10: Auditing IT Outsourcing (Norm Kelson)
  Tues-Wed: Assessing Data Integrity (John Beveridge)

Track G
  Mon-Tues: Cyber Security and Emerging Risks (John Tannahill)
  Wed March 12: Ethical Hacking (John Tannahill)

Track H
  COSO 2013: Implementing the Framework (Kathleen Crawford)

Track I
  COBIT 5 (Mark Edmead)

Track J
  Identity and Access Management (Ken Cutler)

Track K
  Planning for a Secure and Controlled IPV6 Implementation (Jeff Kalwerisky)
  How to Perform an IT General Controls Review (Norm Kelson)

TRACK A-1
LISTENING AND POSITIVE INFLUENCING SKILLS
(DR. JOAN PASTOR, MONDAY) 7 CPEs

Seminar Focus and Features

Anyone who has to audit or conduct interviews, or who manages others as part of their work, knows how important listening skills are. This is especially true in Western countries, where we are known to have the worst listening skills of all cultures. Yet little time is spent actually learning what exactly to do in order to listen well! And, in order to influence really well, guess what? You have to first be an outstanding listener!

In this one-day session, you will learn how to listen! You will also learn that listening is actually a very active mental and physical process, and you will practice the single most important behavior that will guarantee your ability to listen will increase exponentially.

You will also learn how to break any and all bad habits related to poor listening: interrupting, daydreaming, poor rapport-building, and more. And as you learn how to overcome these bad habits, you will at the same time learn all the secrets to building the best collaborative audit relationship possible. Many of these skills can be applied at the management level too – wherever you need to influence others to listen to you, and to seriously consider what you have to say. This session will be tailored to the specific roles and responsibilities of the participants. Again, when you leave, you will not only know how to listen, but you will clearly understand the powerful connection between listening and influencing, and you will know how and when to do both!

Prerequisite: None
Learning Level: Basic
Field of Study: Auditing

TRACK A-2
EFFECTIVE INTERVIEWING SKILLS
(DR. JOAN PASTOR, TUESDAY) 7 CPEs

Seminar Focus and Features

This one-day program focuses on the skills needed for a typical audit process (interviewing in situations of suspected fraud is not the focus here; please refer to Track B-3 for fraud interrogation and interviewing skills). The workshop lays out a step-by-step process for conducting an interview that focuses on several key principles. It is especially helpful to those performing collaborative, risk-based and process-focused audits, or for interviewing those in similar, technical types of professions.

Role-plays are an important part of the training, and other exercises occur throughout the day.

Program topics include:
1. The Collaborative Approach to Interviewing
2. Where Interviewing and Interviewing Skills Fit Into the Overall Audit Process
3. Six Steps of the Collaborative Interviewing Process
4. Planning a step-by-step process that is critical
5. The Initial Meeting (Opening the Interview)
6. Information Gathering and all about questions
7. Information Clarification and the secrets to probing deeper
8. How to Read Your Interviewee (discussed throughout the day)
9. Handling Resistant Individuals During Interviews
10. Dozens of subtle tactics to use during interviewing others
11. Ending the Interview
12. Documenting and Evaluating the Interview
13. Actual interview practice
14. Close and Action Plans

Prerequisite: None
Learning Level: Basic
Field of Study: Auditing

TRACK A-3
MANAGING RESISTANCE AND CONFLICT BEFORE, DURING, AND AFTER AN AUDIT
(DR. JOAN PASTOR, WEDNESDAY) 7 CPEs

Seminar Focus and Features

A change-agent is one who uses his or her leadership position and expertise to assist others in making necessary changes to increase efficiency and effectiveness in a work function. Auditors don’t often realize that they are indeed in leadership positions, and to the degree that you require others to change their thinking and their previous ways of working, you are also a change agent. We will focus on one key skill that must be mastered in order to make change happen - managing people’s natural resistance to change, to suggestions and what are perceived as corrections from others, and their resistance to “outsiders” coming into their territory and asking them questions on how they do their work!

In this one-day workshop, you will learn:
1. The psychology behind resistance
2. How people become more or less resistant, and the specific places where you can intervene in order to reduce resistance
3. How resistance is related to change, how that impacts their perception of you, and how you can change that perception from adversary and troublemaker to collaborator and partner
4. How resistance shows up at the various stages in an audit, and a step-by-step process for minimizing resistance in each stage
5. A special focus on managing resistance in the opening meeting so that you can vastly reduce resistance and conflict throughout the rest of the audit as much as possible (and what to do when you can’t)
6. The psychology of resistance in yourself (yep - you have it big-time and it gets in your way), and how to greatly reduce your own stress around what you perceive as their resistance to you!
7. Exercises teaching you what resistance looks like and feels like so that you can catch it early, plus an exercise to help you and your audit team to plan in advance for how to handle resistance that you suspect will arise

Prerequisite: None
Learning Level: Basic
Field of Study: Auditing

About the Instructor

Joan Pastor, PhD

Joan Pastor, Ph.D., is president of JPA International, Inc., and has been a professional international speaker, trainer and coach since 1979. She is well-known for her training, facilitation, and consulting skills, and has worked with numerous organizations to develop their vision and then apply the strategies and processes to achieve it. Joan is a certified speaking professional (CSP) and also a certified mediator, and has mediated numerous workplace and business conflicts over the years. Her book, “Conflict Management and Negotiation Skills for Internal Auditors” was published in 2007 by The Institute of Internal Auditors. Her article “The Eight Habits of Highly Effective Audit Committees” received the AICPA Excellence in Journalism Award in 2008. The recipient of numerous awards, Joan has been working with the IIA chapters, congresses and conferences since 1987 and with the AICPA and ACFE since 1998.

Joan and her associates focus on developing all the people, communication, organizational and leadership skills associated with these professions. She has also made pioneering contributions related to fraud and the white collar criminal, ethics, fraud risk-assessment and business process management and its application to organizational change (downsizing, fast growth, mergers & acquisitions). Her consulting projects in collaboration with audit departments have ranged from redesigning the major business processes for a major airline, redesigning a faulty 360-degree performance management process, facilitating the acquisition and merger of several hospitals and a college with another major university, and assisting in re-engineering risk assessment programs.

When the Enron debacle blew open, Joan unleashed the model that she had been working on for over 10 years on the psychology behind fraud and unethical people in business. It has been extremely well received from CFEs to Audit Committees to the FBI to senior executive teams. Joan often works alongside legal counsel, audit and executives on potential or discovered fraud situations, and has uncovered three embezzlement and fraudulent schemes on her own as well.

TRACK B-1
ORGANIZATIONAL ETHICS AND COMPLIANCE
(PAUL ZIKMUND – MONDAY) 7 CPEs

Seminar Focus and Features

An organizational compliance program is an important mechanism to help ensure effective governance. Auditing and evaluating compliance programs and controls is critical to the success of any program, and not performed only to keep the regulators happy. Compliance with regulatory requirements and the organization’s own policies is a critical component of effective risk management. A well designed and effectively administered compliance program helps organizations achieve business goals, maintain ethical health, support long-term prosperity, and preserve and promote organizational values.

A well designed internal audit plays an important role for evaluating the effectiveness and efficiency of the organization’s compliance program.

In this session, attendees will learn the following:
1. Hallmarks of an effective compliance program
2. Auditing procedures for compliance programs
3. Communicating results to obtain best results
4. Determination of key compliance risks
5. Leveraging strategic partnerships to ensure success

Prerequisite: None
Learning Level: Basic
Field of Study: Auditing

TRACK B-2
PROCUREMENT FRAUD: TOOLS AND TECHNIQUES
(PAUL ZIKMUND – TUESDAY) 7 CPEs

Seminar Focus and Features

Increased procurement of goods and services brings an increase in procurement fraud, which can occur at any stage of the contracting and procurement process. Appropriate controls, fraud detection & prevention strategies, and proper programs and controls related to the tendering processes are necessary in the fight against procurement fraud. This course provides tools and techniques related to practices for preventing, detecting and investigating contract and procurement fraud.

Organizations are often defrauded through various procurement fraud schemes including bid rigging, kickbacks, conflicts of interest, and fictitious invoicing schemes. Consequently, you need to be aware of the vulnerabilities and risks associated with these fraud schemes, which impact the purchasing, procurement and contract functions.

In this course, attendees will learn the following:
1. Defining the procurement process
2. Laws and regulations impacting the procuring of goods and services
3. Techniques for detection, investigation and prevention of procurement fraud
4. Red flags of procurement fraud
5. Case studies

Prerequisite: None
Learning Level: Basic
Field of Study: Auditing

TRACK B-3
FORENSIC INTERVIEWING AND INTERROGATION
(PAUL ZIKMUND – WEDNESDAY) 7 CPEs

Seminar Focus and Features

The increase in corporate fraud during the past several years has directed the attention of the government, company boards, and shareholders to the auditing profession. Both internal and external audit standards prescribe "forensic-type" procedures on every audit to enhance the auditor's ability to uncover red flags for fraud.

Interviewing is a forensic tool available to auditors and, when conducted effectively, can successfully uncover indicators of fraud during the audit. A successful interviewer should possess basic interviewing skills to afford themselves the opportunity to observe deceptive behavior. Auditors who are able to conduct focused discussions and alert themselves to suspicious behavior are more likely to detect fraud.

Attendees will learn the following:
1. Uncovering signs of deception
2. Properly preparing for an interview
3. Investigative interviewing skills
4. Facts about lying and why they are important to an auditor
5. Trusting your intuition

Prerequisite: None
Learning Level: Basic
Field of Study: Auditing

About the Instructor

Paul E. Zikmund, CFE, CFFA, CFD

Paul E. Zikmund serves as Director, Global Ethics and Compliance, at Bunge in White Plains, NY. He is responsible for managing and conducting investigations of fraud and misconduct, implementing fraud detection techniques, administering the company’s fraud risk assessment process, and managing anti-fraud programs and controls designed to reduce the risk of fraud within the company.

Prior to joining Bunge, Paul worked as the Senior Director Forensic Audit responsible for developing, implementing, and administering fraud risk management services at Tyco and to clients in Princeton, NJ, and as the Director Litigation Support Services at Amper, Politziner, & Mattia, LLP, in Philadelphia, PA.

He possesses nearly 20 years of experience in this field and has effectively managed global fraud and forensic teams at various Fortune 500 companies.

Paul, who is a Certified Fraud Examiner, Certified Fraud Deterrence Specialist, and Certified Forensic Financial Analyst, has designed and implemented programs to detect and investigate instances of fraud. Paul also conducts fraud risk assessments and fraud awareness training to help detect and deter fraud within organizations. His public and private sector experience includes the investigation of complex financial frauds, conducting forensic audit engagements, and providing litigation support for a variety of industries.

Before joining Amper, Paul was a Principal, Fraud and Forensic Services at SolomonEdwardsGroup, LLC and a Senior Manager – Enterprise Risk Services with Deloitte and Touche, LLP. Prior to that, he served in a variety of in-house fraud and forensic investigative roles with The Dow Chemical Company, Nortel Networks, and Union Carbide Corporation. He began his career as a Municipal Police Officer, and then a State Trooper and Special Agent with the Attorney General’s Office for the Commonwealth of Pennsylvania.

Paul received a Bachelor of Science degree in the Administration of Justice and a Certificate of Accountancy from The University of Pittsburgh. He continued his education with a Master of Business Administration at the University of Connecticut and a Master of Accountancy at Auburn University. Paul has authored various articles relating to fraud detection, prevention, and investigation. He speaks regularly at seminars and conferences on the topic of fraud and also teaches a graduate level fraud and forensic accounting course at Rider University in New Jersey and LaSalle University in Philadelphia.

TRACK C
INTERNAL AUDIT UNIVERSITY
(HERNAN MURDOCK – MONDAY - WEDNESDAY) 22 CPEs

Seminar Focus and Features

In this intensive three-day seminar you will master fundamental operational auditing techniques and learn how to use a risk-based approach to enhance your audits of the Purchasing, Marketing, Human Resources, Information Technology (IT), Management, Finance/Treasury, and Accounting functions.

You will explore the objectives of major business operation areas and learn how to identify the key risks threatening them. You will find out how to make your audits more efficient and effective and how to use data analytics to gain an in-depth understanding of business processes. You will cover such critical areas as the impact of SOX, ERM, and GRC on the organization, uncovering fraud schemes that threaten business operations, and the role of IA in helping management build strong risk management and strategic planning processes. You will leave this high-impact seminar with the skills necessary to go beyond outputs and to examine the organization’s ability to achieve the necessary outcomes.

Prerequisite: None
Learning Level: Basic
Field of Study: Auditing

About the Instructor

Dr. Hernan Murdock, CIA, CRMA

Dr. Hernan Murdock is a Senior Consultant with MIS Training Institute. Prior to MIS, he was the Director of Training at Control Solutions International where he oversaw the company's training and employee development program. Previously, he was a Senior Project Manager leading audit and consulting projects for clients in the manufacturing, transportation, high-tech, education, insurance, and power generation industries. He authored the books 10 Key Techniques to Improve Team Productivity and Using Surveys in Internal Auditing, and articles on whistleblowing programs, international auditing, mentoring programs, fraud, deception, corporate social responsibility, and behavioral profiling.

TRACK D
RISK-BASED INTERNAL AUDITING
(GREG DUCKERT – MONDAY - WEDNESDAY) 22 CPEs

Seminar Focus and Features

With the increasing emphasis on corporate governance initiatives and the release of recent ERM guides and pronouncements, there has never been a more critical time for auditors to expand their knowledge of risk management and assessment.

In this intensive three-day seminar you will learn the underlying concepts of a risk-based audit methodology. You will cover all aspects of risk assessment, including the fundamentals of risk-based auditing, defining risk in business terms, identifying key risk areas, evaluating global risk, and conducting a detailed risk analysis at the engagement level. You will explore a strategy for transitioning the department to a risk-based function as well as for re-educating management and the audit committee. Throughout the seminar you will work through risk drills that will allow you to put into practice what you have learned. You will leave this high-impact seminar with audit efficiencies and business insights that will maximize Audit’s contributions to the organization, and cast IA as a value-adding member of the team.

Prerequisite: None
Learning Level: Intermediate
Field of Study: Auditing

About the Instructor

Greg Duckert, CIA, CISA, CMA, CPA

Greg Duckert is CEO of Audit, Inc., a consulting firm specializing in risk assessment models, operational analysis, and audit process methodologies designed to maximize returns to the organization. Mr. Duckert is also a Senior Consultant for MIS Training Institute and has over 30 years of national and international experience as an Internal/IS Audit Director. Mr. Duckert has held Audit Director positions in the manufacturing, construction and healthcare industries, assuming responsibilities for financial, operational, and information systems auditing functions. His information systems expertise includes application audits, software acquisition, systems development, controls, security design, adequacy and implementation, and systems operational efficiencies. He has performed consulting services in IS, financial, and operational audits, as well as in business acquisitions and start-ups.

TRACK E
INTERMEDIATE ACL
(OPHER JACKSON – MONDAY - WEDNESDAY) 22 CPEs

Seminar Focus and Features

This three-day program introduces participants to the ACL lifecycle that helps them develop simple scripts and the documentation required to support their audit objectives. Techniques used to resolve complex file import issues are covered. Participants will also be introduced to complex ACL expressions and advanced functions to help them identify anomalies in transaction streams. Finally, participants are introduced to presentation techniques supported by ACL that make their findings more meaningful.

This hands-on training program uses an ongoing case study to reinforce the concepts presented during the program. The program concludes with a final case study that forces participants to resolve complex data import problems and create ACL scripts to meet the audit objectives.

Prerequisite: ACL Concepts or 4-18 months experience using ACL. Attendees should bring a laptop with ACL installed.
Learning Level: Intermediate
Field of Study: Auditing

About the Instructor

Opher Jackson

Opher Jackson is a retired Executive Director from Ernst & Young. At Ernst & Young his primary focus was information management and data analysis including Data Governance. Opher held a leadership role in the National office where he helped start the firm's data analysis practice and created the firm's data analysis infrastructure. He was one of the firm's subject matter resources for the support, execution and design of audit sampling.

Opher developed and led data analysis training and provided national and global support. He helped create the firm's data analysis methodology used at audit clients; was part of an International Task Force that helped develop the ACL for Windows product sold by ACL Services, Ltd., and led, performed and evaluated data analysis and data conversion projects for clients across the country. Opher has more than 25 years of data analysis experience.

TRACK F-1
AUDITING IT OUTSOURCING
(NORM KELSON – MONDAY) 7 CPEs

Seminar Focus and Features

Most organizations have adopted some form of outsourcing. Whether it includes outsourcing IT operations, application maintenance, systems development, applications services, information security, or networking, they all constitute outsourcing.

The process and results are fraught with risks, but also have rewards. As an auditor, it is essential to understand the life cycle of an outsourcing project from initial due diligence to implementation, and the ongoing operational issues after implementation. The decision to outsource and the ultimate execution of the outsourcing affect the audit universe, compliance (e.g. SOX), as well as the processes affecting the business.

Learning Objectives:
- Execute an audit of the various phases of the initial IT outsource project
- Perform a post-implementation review of the effectiveness of the IT outsource contract
- Plan and execute operational audits of the outsourced processes
- Evaluate specific concerns for compliance audits
- Evaluate common issues that have arisen, i.e. service level agreements, failure to comply, company preparedness and ownership of processes, and escalation processes
- Assess additional issues where processes are distributed to foreign entities (offshoring)
- Use of SSAE16 reports (SOC1)

Prerequisite: None
Learning Level: Basic
Field of Study: Auditing

About the Instructor

Norm Kelson, CPA, CISA, CGEIT

Norm Kelson, founder of CPE Interactive, specializes in building and disseminating best practices to assurance, risk, governance, and management stakeholders. With over 30 years of extensive experience in IT assurance and governance, he has served in a variety of capacities as a consultant with a Big 4 firm and an internal audit boutique, internal auditor executive, and industry advocate.

He is the author of over 30 IT Audit/Assurance Programs for ISACA which are available as a resource to its members, and a series of case studies to support ISACA’s IT Governance Using COBIT® and Val IT™: Student Book 2nd Edition.

Norm was Managing Director of IT Audit and Technical Seminars for MIS Training Institute. During his 12 year tenure he was responsible for creation and curriculum development of its global IT Audit training portfolio focusing on best practices in risk-based auditing.

He has held positions as: Director of IT Audit for the US Subsidiary of Royal Ahold (Stop & Shop and Giant) and was a key member of the internal audit professional practices and standards and the global information security committees; Vice President of Internal Audit Services and National IT Audit Practice Director for CBIZ Harborview Partners; managed KPMG’s New England Region IT Auditing practice, and held positions in IT Audit management with Fannie Mae, CIGNA, and Loews Corporation. He began his career as a financial auditor with Laventhol and Horwath.

Norm is an Adjunct Professor at Bentley University and a member of the Audit/AIS Curriculum Committee.

He is a frequent speaker and subject matter expert at ISACA and Institute of Internal Auditors (IIA) conferences, is a former Executive Vice President of the New England ISACA Chapter and served on the Chapter’s Strategic Planning Committee.

Norm received a Bachelor of Science in Business Administration from Boston University and an MBA from the University of Pennsylvania Wharton School. He is a Certified Public Accountant, Certified Information Systems Auditor, and Certified in the Governance of Enterprise Information Technology.

TRACK F-2
ASSESSING DATA INTEGRITY
(JOHN BEVERIDGE – TUESDAY - WEDNESDAY) 15 CPEs

Seminar Focus and Features

Assessing the integrity and reliability of computer generated data is an important step in audit planning as well as addressing specific objectives. Data is aggregated from various sources, processed using automated rules, and stored in databases, data warehouses, etc. Applications and business users extract or retrieve data as the basis for strategic decisions, reporting, day-to-day operations, and auditing. The reliability and integrity of data may be at significant risk when placed in operational and IT environments lacking processing, transmission, storage and security controls. Misinterpretation of reliability risk factors may result in misdirected audit effort or incorrect conclusions.

The session will provide you with the concepts and tools to effectively evaluate the reliability and integrity of data processed and available for analysis and decision making.

Learning Objectives:
- Understanding the requirements of data relevance and data integrity
- Evaluating data classification
- How to introduce good practices for data management
- Identifying data integrity requirements
- Assessing security and availability requirements
- Evaluating factors that impact data reliability and integrity
- Determining the impact of data reliability assessment on developing audit objectives
- Establishing audit evidence requirements
- Using data reliability assessment in developing audit procedures

Prerequisite: None
Learning Level: Basic
Field of Study: Auditing

About the Instructor

John W. Beveridge, CGFM, CISA, CISM, CFE, CGEIT, CRISC

John Beveridge is Director of IT Audit Training for CPE Interactive, and his professional career spans over twenty-five years in government and private industry in the United States and England, including over twenty years in IT audit management.

John is the former Deputy Auditor for the Commonwealth of Massachusetts, where he was responsible for the Information Technology Audit Division for the Massachusetts Office of the State Auditor and served as Co-Chair of the Commonwealth’s Enterprise Security Board and member of the IT Advisory Board. He had served as a member of the Massachusetts Government Technology’s Advisory Board, 2003 through 2009, Governor's Commission on Computer Crime, Governor's Commission on Computer Technology and Law, Governor’s Task Force on E-Commerce, and the Governor’s IT Commission.

He is a member of the adjunct faculty of Bentley University and Northeastern University, where he has taught courses in accounting information systems and IT auditing.

John has served as ISACA’s International President, Vice President for Standards, member of various boards and committees including the COBIT® Steering Committee, Information Systems Auditing Standards Board, Education Board, Assurance Board, IT Governance Credentialing Committee, and the Advisory Committee to the Task Force on Model Curriculum for IT Auditing. John was instrumental in the development of COBIT’s Control Objectives and Management Guidelines, co-authored a Control Practices Guideline for Information Systems Continuity Planning, and has authored professional standards for information systems auditing and work-related publications. He is a frequent lecturer on the implementation of COBIT®, IT auditing, planning and performing application system audits, and audit management.

He received a Bachelor of Science in economics from the University of Massachusetts and a Master of Public Administration (MPA) with a major in Finance from Suffolk University. John is a Certified Governmental Financial Manager, Certified Information Systems Auditor, Certified Information Security Manager, Certified Fraud Examiner, Certified in Risk and Information Systems Control, and Certified in the Governance of Enterprise IT.

TRACK G-1
CYBER SECURITY AND EMERGING RISKS
(JOHN TANNAHILL – MONDAY - TUESDAY) 15 CPEs

Seminar Focus and Features

This course will focus on the risk and control issues related to cyber security and emerging information security and technology.

Key Learning Objectives
- Understand cyber security risk and control issues
- Key concepts and relationship to business organizations
- Cybercrime (Crime and Espionage)
- Cyber warfare and cyber terrorism (Nation to Nation attacks)
- Understand emerging risk areas
- Overview of Threat Landscape
- Malware: Eurograbber; Flame; Stuxnet; Command & Control; Botnets; Denial of Service; Fraud
- Other Malware
- Discussion of security and audit tools and techniques
- Questions auditors should ask in relation to how the organization should protect IT infrastructure and corporate information from cyber security threats
- Risk and Controls Areas and Key Control Requirements
  o Malware management and Application Whitelisting
  o Incident Management
  o Security Awareness
  o Cyber Security and Cyber-warfare
  o Advanced Persistent Threats (APT)
  o Malware

Prerequisite: None
Learning Level: Intermediate
Field of Study: Auditing

TRACK G-2

ETHICAL HACKING (JOHN TANNAHILL – WEDNESDAY)

15 CPEs Seminar Focus and Features

Participants will learn a practical methodology and approach to performing network penetration / ethical hacking assessments. Based on a specific architecture, participants will be provided with information gathered from network discovery tools and techniques. This information will be used as a base to identify the scope and methodology used to perform a detailed network penetration assessment. The course will also include detailed discussion and demonstration of tools and techniques used that will allow the participant to evaluate the network vulnerabilities and identify key control recommendations that should be implemented to address the issues. We will also review a sample network penetration assessment report.

Areas of Coverage

Part I – Network Discovery and Footprint
- Network Address Spaces (DNS, IP Address Blocks, Whois Information)
- Ping Sweep Techniques
- Information Gathering Tools (e.g. SNMP information)
- Use of Search Engines such as SHODAN, Google and other Web-based resources
- Building network architecture diagrams

Part II – TCP/IP Service Identification and Enumeration
- Port Scanning Techniques (tcp; udp and icmp scanning)
- Use of Nmap (including NSE – Nmap Scripting Engine)
- Other Port Scanning, Fingerprinting and Service Identification Tools such as amap (application fingerprinting) and netcat (‘swiss army knife’ tool)
- Use of Cain & Abel for enumeration of hosts and services
- Advanced scanning techniques and tools (including use of Hping and other packet crafting tools) including building packets from port scanning; source port scanning

Part III – Ethical Hacking Assessment
- Network Penetration Testing Tools and Techniques (including configuration and use of Backtrack5 / Kali)
- Use of NIST National Vulnerability Database (NVD) and related resources
- Testing firewalls
- Testing specific TCP/IP Services e.g. web servers (using Nikto and related tools)
- Testing web applications (OWASP ZAP Proxy and similar tools)
- Testing vulnerabilities in Unix and Windows operating systems using tailored scripts and OS-specific tools
- Using the Metasploit Framework
- Effective reporting and risk-ranking of assessment results

Learning Level: Intermediate

Field of Study: Auditing


About the Instructor

John Tannahill, CA, CISM, CGEIT, CRISC

John Tannahill, CA, CISM, CGEIT, CRISC is a management consultant specializing in information security and audit services. His current focus is on information security management and control in large information systems environments and networks. His specific areas of technical expertise include UNIX and Windows operating system security, network security, and Oracle and Microsoft SQL Server security. John is a frequent speaker in Canada, Europe and the US on the subject of information security and audit.

John is a member of the Toronto ISACA Chapter and has spoken at many ISACA Conferences and Chapter Events including ISACA Training Weeks; North America CACS; EuroCACS; Asia-Pacific CACS; International and Network and Information Security Conferences.

2008 Recipient of the ISACA John Kuyer Best Speaker/Best Conference Contributor Award


TRACK H

COSO 2013: IMPLEMENTING THE FRAMEWORK

(KATHLEEN CRAWFORD – TUESDAY - WEDNESDAY)

15 CPEs

Seminar Focus and Features

COSO released an updated Integrated Control Framework (IC-IF) in 2013. In this interactive two-day seminar you will learn how the new principles-based approach can be designed effectively and deployed successfully within organizations. Participants will also examine the implications for business leaders, process owners, and internal auditors, who can use the framework to add value while providing audit and consulting services.

During this course, participants will review the differences between the 1992 and the updated 2013 models, the implications on the system of internal controls, and acquire the tools necessary to effectively design, implement, and evaluate their organization’s system of internal controls. You will leave with the skills necessary to perform an assessment of your organization, and know how to apply the seventeen principles representing the fundamental concepts associated with the components of the framework.

Prerequisite: Familiarity with 1992 COSO Model

Learning Level: Basic

Field of Study: Auditing

About the Instructor

Kathleen Crawford

Kathleen Crawford is a Senior Consultant for MIS Training Institute, and President of Crawford Consulting and Communications, LLC, a firm specializing in assurance, investigative, and advisory projects for small firms without an internal audit function. Previously, Ms. Crawford was an Internal Auditor for Vinfen Corporation, where her responsibilities included assisting management in standardizing operations, developing policies and procedures, and improving processes. In addition, she investigated all suspected financial crimes, collecting evidence to ensure successful prosecution and recovery of company and client assets. Ms. Crawford trained other investigators in a methodology for detecting and documenting fraud that met the unique compliance requirements of MA Department of Health and Human Services. She began her career as a bank auditor, first with Bank of New England, then Eastern Bank, and State Street Bank. Her responsibilities in these institutions included internal audits and fraud investigations. A member of The Institute of Internal Auditors, Ms. Crawford is a past President of the Greater Boston Chapter of The IIA. She is also a member of the Association of Certified Fraud Examiners and the American Society for Training and Development. Ms. Crawford serves as Treasurer of the Board of Trustees of the Foxborough Regional Charter School and its foundation, Friends of FRCS.


TRACK I

COBIT 5 (MARK EDMEAD – MONDAY - WEDNESDAY)

22 CPEs

Seminar Focus and Features

With the current emphasis on enterprise governance, successful organizations are integrating IT with business strategies to achieve their objectives, optimize information value, and capitalize on today’s technologies. To that end, Control Objectives for Information and related Technology (COBIT®), the internationally recognized set of IT management best practices and control objectives, provides a powerful framework for IT governance, control and audit.

In this three-day seminar you will review the new COBIT®5 Framework and focus on how you can use this newly released globally-recognized framework for evaluating the effectiveness of IT controls. You will explore the significant changes incorporated in the new COBIT®5 that can be utilized in executing IT audits. You will also discover how to use COBIT®5 in conjunction with other internationally recognized standards and frameworks, including the ISO-27001, ISO-27002, ISO-27005 Security Standards and NIST 800-53 Recommended Security Controls for Federal Systems. As examples during the seminar you will explore using COBIT®5 to plan and execute audits for risk management, security management, business continuity and IT governance. As a result of these exercises, you will fully understand how to use COBIT®5 in conjunction with other internationally recognized standards to provide a comprehensive and effective audit approach.

Prerequisite: Familiarity with the COBIT Framework

Learning Level: Basic

Field of Study: Auditing

About the Instructor

Mark T. Edmead, MBA, CISA, CISSP, COBIT 5.0

Mark Edmead is the Managing Director at MTE Advisors and a Senior Instructor for MIS Training Institute. He is a 30-year veteran of computer systems architecture, information security, and project management. Mr. Edmead has extensive knowledge of IT and application audits, IT governance, and SOX compliance auditing. His expertise in the areas of information security and protection includes access controls, cryptography, security management practices, network and Internet security, computer security law and investigations, and physical security. He has consulted with Fortune 500 and 1000 companies and worked with a number of international firms. Mr. Edmead has authored articles in Compliance Advisor Magazine, IT Compliance Journal, IIA Insights, and The Auditor. In addition, he is an adjunct professor at the Keller Graduate School of Management.


TRACK J

IDENTITY AND ACCESS MANAGEMENT (KEN CUTLER – MONDAY - WEDNESDAY)

22 CPEs

Seminar Focus and Features

The road to reliable internal control and information security compliance can be very treacherous, full of potholes and rocks…and many forks to ponder. Compliance requirements come from all directions, shapes, and sizes…not to mention heightened attention to the protection of payment card data, personally identifiable information (PII), identity theft, and security breach disclosure legislation. Logical access controls represent the single most significant security safeguard to protect valuable data from unauthorized access…and the most common area of important audit findings by internal and external auditors.

In this widely applicable workshop, we will provide a framework for consistent and effective auditing of logical access controls. Case studies will be used to demonstrate real examples of common access controls and data collection methods for operating systems, database servers, and other software environments, emphasizing free and/or low-cost audit software procedures. Attendees will receive sample work programs and checklists that can be used to perform effective logical access audits in any context. In this seminar, we will discuss:

- Assessing common risks and regulatory compliance requirements associated with identity and access control management
- Identifying the key building blocks of logical access controls: identification and authentication, access authorization, privileged authority, system integrity, audit logs
- Locating technical and administrative access controls in today’s complex IT application environments: network, operating systems, database management systems, directory services, single sign-on
- Dealing with software bugs, patch management, and change control issues that can undermine effective access controls
- Defining the audit work program: Tools and techniques for reviewing access controls in prominent system software and application environments
- Sources of industry best practice audit frameworks and checklists

Learning Objectives:

- Key risks and compliance requirements associated with logical access control
- Key building blocks of logical access control
- Locating typical logical access control points in infrastructure and applications
- Industry best practices for logical access controls
- Tools and techniques for auditing logical access controls

Prerequisite: Introduction to IT Controls or equivalent experience

Learning Level: Intermediate

Field of Study: Auditing


About the Instructor

Ken Cutler, CISSP, CISA, CISM,

Ken Cutler is a Senior Teaching Fellow with CPEi, specializing in Technical Audits of IT Security and related IT controls. He is the President and Principal Consultant for Ken Cutler & Associates (KCA) InfoSec Assurance, an independent consulting firm delivering a wide array of Information Security and IT Audit management and technical professional services. He is also the Director – Q/ISP (Qualified Information Security Professional) programs for Security University.

An internationally recognized consultant and trainer in the Information Security and IT audit fields, he is certified and has conducted courses for: Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) and CompTIA Security+. In cooperation with Security University, he recently was featured in two full length training videos on CISSP and Security+.

Ken was formerly Vice-President of Information Security for MIS Training Institute (MISTI), and Chief Information Officer of Moore McCormack Resources, a Fortune 500 company. He also directed company-wide IS programs for American Express Travel Related Services, Martin Marietta Data Systems, and Midlantic Banks, Inc.

Ken has been a long-time active participant in international government and industry security standards initiatives, including:

- The President’s Commission on Critical Infrastructure Protection
- Generally Accepted System Security Principles (GSSP)
- Information Technology Security Evaluation Criteria (ITSEC)
- US Federal Criteria, and
- Department of Defense (DOD) Information Assurance Certification Initiative.

He is a prolific author on information security topics. His publications include:

- Commercial International Security Requirements (CISR), a commercial alternative to military security standards for system security design criteria
- NIST SP 800-41, “Guidelines on Firewalls and Firewall Policy”, of which he was co-author, and
- Various works on security architecture, disaster recovery planning, wireless security, vulnerability testing, firewalls, single sign-on, and the Payment Card Industry Data Security Standard (PCI DSS).

He has been frequently quoted in popular trade publications, including Computerworld, Information Security Magazine, Infoworld, InformationWeek, CIO Bulletin, and Healthcare Information Security Newsletter, and has been interviewed in radio programs My Technology Lawyer and Talk America.

Ken received a Bachelor of Science degree in Business Administration and Computer Science from SUNY Empire State College.


TRACK K-1

PLANNING FOR A SECURED AND CONTROLLED IPV6 IMPLEMENTATION (JEFF KALWERISKY, MONDAY)

7 CPEs

Seminar Focus and Features

When the current Internet Protocol, version 4, known as IPv4, was designed in the early days of the Internet, it was intended for a relatively small number of users in academia. The resulting design allowed for a maximum of a few billion addresses and completely ignored security. The security issue has, of course, been an ongoing and very costly problem for processing confidential data. With the exponential growth in the numbers of Internet users over the past decade, we are out of IP addresses!

The Internet architects designed IPv6 to provide a virtually unlimited number of addresses, eliminate the need for Network Address Translation (NAT), and deliver strong data security and packet authentication via mandatory IPSec.

Given the lack of new IP addresses, enterprises face an imminent conversion to IPv6. This will impact every aspect of their networks, internal and external, including routers, firewalls, desktops, laptops, and mobile devices.

Learning Objectives

- Understanding IPV6 concepts
- Learn how to assess conversion issues
- Prepare information security for IPV6
- Develop IPV6 related policies and procedures

Prerequisite: Detailed understanding of networking, DNS, network routing, the OSI layer, and working knowledge of network security.

Learning Level: Advanced

Field of Study: Auditing


About the Instructor

Jeff Kalwerisky, CA, CISA

Jeff Kalwerisky, Vice President and Director, Information Security and Technical Training at CPE Interactive, has specialized in information security, information risk management and IT auditing for over 20 years. He currently focuses on information risk, IT security governance and frameworks, and secure software development. He has held executive positions in information security and risk management with Accenture and Booz Allen Hamilton consulting firms. In both of these capacities, he has consulted with Fortune 100 companies and national governments, assisting in their development and deployment of enterprise security governance policies and frameworks, and technology solutions that strengthen information security and data privacy/protection. He served as infrastructure security architect on the world’s largest electronic health project on behalf of the British Government’s National Health Service, the world’s largest electronic medical records deployment project, where he developed security governance to oversee 1,500 software architects and developers. As manager of global security for VeriSign, he was responsible for ensuring that affiliate companies in 30 countries adhered to VeriSign’s military-grade security standards appropriate to a global certification authority, which he helped to design and deploy.

Jeff was a partner with a major audit firm in South Africa and a consultant with PricewaterhouseCoopers. He has published security and audit guides, and has developed training courses throughout the USA and internationally on a wide range of technical topics focusing on Windows security, secure e-commerce, IT auditing, cryptography and biometric security.

Jeff is originally from South Africa, where he received a Bachelor of Science in Physics and Math, a Masters of Science in Computer Science from University of Witwatersrand, Johannesburg, and Masters in Finance and Auditing from the University of South Africa, Pretoria. He is a Chartered Accountant (SA) and Certified Information Systems Auditor.


TRACK K-2

HOW TO PERFORM A GENERAL IT CONTROLS REVIEW (NORM KELSON, TUESDAY-WEDNESDAY)

15 CPEs

Seminar Focus and Features

The basis for all auditing is the reliance on a control environment. The general controls review assesses the IT control environment, and through the evaluation of specific controls activities, monitoring and communications, and risk assessment, provides the basis for the assessment’s conclusion. The process itself focuses on numerous areas affecting IT management, data integrity, accuracy, and security, as well as availability.

This session focuses on the planning, execution, and reporting of general IT controls reviews. Recognizing that the scope of the review is too wide to perform as one omnibus review, we will provide you with an approach to assessing the highest risk areas, focusing on these on a routine basis, and developing a cycle approach to the less significant control processes. In addition, the course utilizes a maturity model, an objective repeatable assessment basis to provide management with a measurement that can show improvement of controls over time.

Learning Objectives:

- Plan and execute a general controls review
- Utilize risk assessment techniques to address the highest risk control issues
- Provide management with a meaningful assessment of the maturity of the controls.

Prerequisite: None

Learning Level: Basic

Field of Study: Auditing


REGISTRATION INFORMATION

Participation is limited. Registration will be accepted on a first-come, first-served basis.

Pricing has been established to provide the maximum educational benefit for the lowest cost. Therefore, we will not be offering discounts from the established prices for early registration, membership affiliation or groups. Dress code for the conference is business casual.

Morning refreshments will be provided from 7:30 – 8:30 AM, and general sessions will be from 8:30 AM – 4:30 PM each day. Lunch will be provided daily with vegetarian options.

Due to circumstances outside of our control, we may find it necessary to reschedule or cancel sessions, or change instructors. We will give registrants advance notice of such changes, if possible.

Payment and Cancellation Policy

Please note all times are stated in Eastern Standard Time (EST). All reservations must be made online at www.isaca-det.org or www.detroitiia.org. Telephone, fax, and mail-in registrations will not be accepted.

All payments must be received by midnight 2/25/14. Payments may be made at the time of registration using Visa, MasterCard, Discover, or American Express, or check payments may be mailed to the address listed below.

Cancellations may be made online until midnight on Tuesday 2/25/14 without penalty. Any cancellation received after Tuesday midnight 2/25/14, and before Monday midnight 3/3/14 will be charged a non-refundable service fee based on the CPEs of the registered course being cancelled. No refunds will be given for registrations that are cancelled after midnight 3/3/14.

CPEs | Non-Refundable Service Fee
7    | $25
15   | $50
22   | $75

Payments (payable to: IIA Detroit) should be mailed to the address below. Please do not remit payment to the ISACA Detroit Chapter. Conference or registration questions should be sent to [email protected].

IIA - ISACA Spring Conference
Geralyn Jarmoluk – Administrator
78850 McKay Rd
Romeo, MI 48065

Hotel Information

The spring conference committee has arranged for a discounted rate at the Doubletree Hotel Detroit/Dearborn. Register by 2/1/2014 and request the “IIA & ISACA Spring Seminar Discount” to receive a rate of $108 per room per night. The Double Tree Hotel is located at 5801 Southfield Expressway, Detroit, MI 48228. Telephone: 1-313-336-3340.


TRACK INFORMATION

Track | Session | Dates | Fee
A-1 | Listening and Positive Influencing Skills (7 CPEs) | 3/10 | $275
A-2 | Effective Interviewing Skills (7 CPEs) | 3/11 | $275
A-3 | Managing Resistance and Conflict Before, During, and After an Audit (7 CPEs) | 3/12 | $275
B-1 | Organizational Ethics and Compliance: Auditing to Ensure a World-class Program (7 CPEs) | 3/10 | $275
B-2 | Procurement Fraud: Tools and Techniques to Detect, Investigate and Manage this Growing Risk (7 CPEs) | 3/11 | $275
B-3 | Forensic Interview and Interrogation: Learning the Path to Effective Truth Telling (7 CPEs) | 3/12 | $275
C | Internal Audit University (22 CPEs) | 3/10-3/12 | $825
D | Risk-Based Auditing (22 CPEs) | 3/10-3/12 | $825
E | Intermediate ACL (22 CPEs) | 3/10-3/12 | $825
F-1 | Auditing IT Outsourcing (7 CPEs) | 3/10 | $275
F-2 | Assessing Data Integrity (15 CPEs) | 3/11-3/12 | $550
G-1 | Cyber Security and Emerging Risks (7 CPEs) | 3/10 | $275
G-2 | Ethical Hacking (15 CPEs) | 3/11-3/12 | $550
H | COSO (15 CPEs) | 3/11-3/12 | $550
I | COBIT 5 (22 CPEs) | 3/10-3/12 | $825
J | Identity and Access Management (22 CPEs) | 3/10-3/12 | $825
K-1 | Planning for a Secure and Controlled IPV6 Implementation (7 CPEs) | 3/10 | $275
K-2 | How to Perform an IT General Controls Review (15 CPEs) | 3/11-3/12 | $550


Conference Location

University of Michigan Dearborn - Fairlane Center North
19000 Hubbard
Dearborn MI 48126 (Park in rear lot – north end of complex)

From the West: Take I-94 East to Southfield (M-39) and exit north. Follow Southfield (North) to the Michigan Ave. (U.S. 12) exit. Stay on the Southfield Service Drive to Hubbard Drive and turn left. Follow Hubbard Drive and turn right into the Southern entrance of the UM-Dearborn/Fairlane Center (the marquee will read: The University of Michigan-Dearborn/Fairlane Center). Follow the entrance road to the back and turn left at the stop sign; the North Building will be located on your left hand side. Parking is directly across from the North Building.

From the East: Take I-94 West to Southfield (M-39) and exit north. Follow Southfield (North) to the Michigan Ave. (U.S. 12) exit. Stay on the Southfield Service Drive to Hubbard Drive and turn left. Follow Hubbard Drive and turn right into the Southern entrance of the UM-Dearborn/Fairlane Center (the marquee will read: The University of Michigan-Dearborn/Fairlane Center). Follow the entrance road to the back and turn left at the stop sign; the North Building will be located on your left hand side. Parking is directly across from the North Building.

From the South: Take Southfield (M-39) north to the Michigan Avenue exit. Stay on the Southfield Service Drive to Hubbard Drive and turn left. Follow Hubbard Drive and turn right into the Southern entrance of the UM-Dearborn/Fairlane Center (the marquee will read: The University of Michigan-Dearborn/Fairlane Center). Follow the entrance road to the back and turn left at the stop sign; the North Building will be located on your left hand side. Parking is directly across from the North Building.

From the North: Take Southfield (M-39) south to the Ford Road exit. Stay on the Ford Road Service Drive to Hubbard Drive and turn right. Follow Hubbard Drive and turn right into the Southern entrance of the UM-Dearborn/Fairlane Center (the marquee will read: The University of Michigan-Dearborn/Fairlane Center). Follow the entrance road to the back and turn left at the stop sign; the North Building will be located on your left hand side. Parking is directly across from the North Building.