16TH ANNUAL IIA and ISACA Spring Conference MARCH 9-11, 2015 University of Michigan-Dearborn Fairlane Center


16TH ANNUAL

IIA and ISACA Spring Conference

MARCH 9-11, 2015

University of Michigan-Dearborn

Fairlane Center


If you are responsible for your company's internal auditing, information systems security and integrity, accounting, finance, Sarbanes-Oxley compliance or other

regulatory matters, or simply getting back to the basics, you will want to join us for the 16th annual Detroit Spring Conference.

The Detroit Chapters of the IIA and ISACA are proud to co-sponsor the annual Spring Conference. Each year, the conference committee spends a considerable amount of

time planning a comprehensive series of course offerings for our members and guests. The 2015 event is no exception.

A number of classes sell out each year so register early. Don't miss this opportunity to network with your peers, enhance your skills, and learn about new products and

services in the marketplace! Our goal is to provide a world-class caliber training conference tailored to your needs.

Class size and materials are limited. To be fair and equitable to all, we operate on a first-come, first-served basis, and maintain a wait list for all sold-out courses. Therefore,

registrants are required to attend the course(s) for which they registered unless they receive prior written approval from the Conference Chair. Registrants attending

unauthorized classes will not be awarded CPE credits. We look forward to seeing you at the Spring Conference.

- The 2015 Spring Conference Committee

Welcome

RETURNING THIS YEAR–VENDOR EXPO!

We have invited many audit and assurance vendors to set up displays during the conference giving you an opportunity to learn about products and partners that are in

the marketplace, and their associated benefits for your organization.

A Special Thanks to our Platinum Sponsors who continue to

give generous support to this annual event!

Monday Lunch – Experis Finance

Tuesday Lunch – PwC

Wednesday Lunch – Accretive Solutions


Special Thanks To our

2014 Vendors

Platinum Vendors

Accretive Solutions

Experis Finance

PwC

Gold Vendors

BDO

KPMG

Orion Solutions Group

Plante Moran

Resources Global Professionals

Thomson Reuters


2015 CONFERENCE PROGRAM

TRACK MON MARCH 9 TUES MARCH 10 WED MARCH 11

A: Embezzlement: Techniques to Detect, Investigate, and Remediate Loss of Assets (Paul Zikmund); Auditing for Fraud: Tools, Techniques, and Guidance (Paul Zikmund); Auditing Ethics and Compliance Programs & Controls (Paul Zikmund)

B: Communicating for Results (Don Levonius); Critical Thinking: Evaluating & Presenting Arguments (Without Being Argumentative) (Don Levonius); Mastering the Art of Facilitation (Don Levonius)

C: Report Writing (Jim Roth); Risk-based Auditing and Reporting (Jim Roth)

D: Forensic Analytics: Methods & Techniques for Financial Investigations (Mark Nigrini)

E: Project Management (Kathleen Crawford)

F: Auditing ERM (Greg Duckert)

G: Internal Audit University (Dr. Hernan Murdock)

H: Auditing the Application System Development Process (Tom Salzman)

I: Windows 7 Security and Audit (John Tannahill); Cyber Security (John Tannahill)

J: Compliance with PCI (Ken Cutler); Planning an IT Security Strategy (Jeff Kalwerisky)

K: Threat Modeling (Jeff Kalwerisky); Auditing Information Security Governance & Control (Norm Kelson)

L: Briefing on Current Technology (Norm Kelson); Auditing the DMZ (Ken Cutler)


TRACK A-1 EMBEZZLEMENT: TECHNIQUES TO DETECT, INVESTIGATE,

AND REMEDIATE LOSS OF ASSETS (PAUL ZIKMUND, MONDAY)

7 CPEs

Seminar Focus and Features

Embezzlement is the act of wrongfully appropriating funds that have been entrusted

into the care of another but which are owned by someone else. The most common example of embezzlement is by employees. Employee theft is also a significant problem

for businesses, and both can drain a company of its assets, reduce employee morale and result in a disruption to business operations.

This session is designed to equip attendees with the skills and knowledge needed to deter, detect and respond to instances of employee embezzlement. Attendees will learn

methods to investigate this fraud including evidence management, report writing and guidance on proper remediation including civil and criminal prosecution. Attendees will also learn methods to reduce the risk through proper controls, monitoring and

programs designed to mitigate loss.

Prerequisite: None

Learning Level: Basic

Field of Study: Auditing


TRACK A-2 AUDITING FOR FRAUD: TOOLS, TECHNIQUES, AND GUIDANCE

(PAUL ZIKMUND, TUESDAY)

7 CPEs

Seminar Focus and Features

The reliance upon auditors to detect red flags of fraud continues to increase. Guidance

related to internal and external auditors places more emphasis on professional skepticism, use of forensic procedures, and fraud detection techniques. Auditors are now faced with an increasing challenge to detect instances of fraud during the audit.

This course covers the practical side of detecting red flags of fraud during the audit.

Attendees will learn the art of fraud detection through lecture, case studies and in-class breakout sessions designed to facilitate critical thinking skills to better detect red flags of fraud.

Attendees are expected to develop an understanding of the following concepts:

Elements of fraud, nature of why people commit fraud, fraud detection and deterrence; and elements of financial statement fraud & asset misappropriation schemes.

Topics will include:

Designing audit programs to detect red flags of fraud

Fraud detection and investigation tools & techniques

Case studies to enhance critical thinking skills

Prerequisite: None

Learning Level: Basic

Field of Study: Auditing


TRACK A-3 AUDITING ETHICS AND COMPLIANCE PROGRAMS & CONTROLS

(PAUL ZIKMUND, WEDNESDAY) 7 CPEs

Seminar Focus and Features

An organizational compliance program is an important mechanism to help improve effective governance. Auditing and evaluating compliance programs and controls are

critical to the success of any program, and not performed only to keep the regulators happy. Compliance with regulatory requirements and the organization’s own policies is a critical component of effective risk management. A well-designed and effectively

administered compliance program helps organizations achieve business goals, maintain ethical health, support long-term prosperity, and preserve and promote

organizational values.

A well-designed internal audit plays an important role in evaluating the effectiveness and efficiency of the organization’s compliance program. In this session, attendees will

learn the following:

1. Hallmarks of an effective compliance program

2. Auditing procedures for compliance programs

3. Communicating results to obtain best results

4. Determination of key compliance risks

5. Leveraging strategic partnerships to ensure success

Prerequisite: None

Learning Level: Basic

Field of Study: Auditing


About the Instructor

Paul E. Zikmund, CFE, CFFA, CFD

Paul E. Zikmund serves as Director, Global Ethics and Compliance, at Bunge in White

Plains, NY. He is responsible for managing and conducting investigations of fraud and misconduct, implementing fraud detective techniques, administering the company’s

fraud risk assessment process, and managing anti-fraud programs and controls designed to reduce the risk of fraud within the company.

Prior to joining Bunge, Paul worked as the Senior Director Forensic Audit responsible for developing, implementing, and administering fraud risk management services at Tyco

and to clients in Princeton, NJ, and as the Director Litigation Support Services at Amper, Politziner, & Mattia, LLP, in Philadelphia, PA.

He possesses nearly 20 years of experience in this field and has effectively managed global fraud and forensic teams at various Fortune 500 companies.

Paul, who is a Certified Fraud Examiner, Certified Fraud Deterrence Specialist, and

Certified Forensic Financial Analyst, has designed and implemented programs to detect and investigate instances of fraud. Paul also conducts fraud risk assessments and fraud awareness training to help detect and deter fraud within organizations. His public and

private sector experience includes the investigation of complex financial frauds, conducting forensic audit engagements, and providing litigation support for a variety of

industries.

Before joining Amper, Paul was a Principal, Fraud and Forensic Services at SolomonEdwardsGroup, LLC and a Senior Manager – Enterprise Risk Services with Deloitte and Touche, LLP. Prior to that, he served in a variety of in-house fraud and

forensic investigative roles with The Dow Chemical Company, Nortel Networks, and Union Carbide Corporation. He began his career as a Municipal Police Officer, and then

a State Trooper and Special Agent with the Attorney General’s Office for the Commonwealth of Pennsylvania.

Paul received a Bachelor of Science degree in the Administration of Justice and a

Certificate of Accountancy from The University of Pittsburgh. He continued his education with a Masters of Business Administration at the University of Connecticut and a Masters of Accountancy at Auburn University. Paul has authored various articles

relating to fraud detection, prevention, and investigation. He speaks regularly at seminars and conferences on the topic of fraud and also teaches a graduate level fraud

and forensic accounting course at Rider University in New Jersey and LaSalle University in Philadelphia.


TRACK B-1

COMMUNICATING FOR RESULTS (DON LEVONIUS – MONDAY)

7 CPEs

Seminar Focus and Features

According to research, communication is the number one competency sought by employers and a skill that separates leaders from losers. Average communicators

experience miscommunication, misunderstanding, and missed opportunities. But effective communicators are like thought leader E.F. Hutton – when they talk, people

listen – and when people listen to a thought leader, results are inevitable. This course helps learners recognize and overcome complex communication issues and enhance their verbal and non-verbal communication skills.

By the end of this course, learners should be able to:

Describe key elements, principles, and characteristics of communication

Identify common root causes of personal and organizational miscommunication

Recognize and compensate for factors that distort perception

Convey information openly and listen and respond to others effectively

Apply impromptu and persuasive communication techniques to influence others

Prerequisite: None

Learning Level: Basic

Field of Study: Auditing


TRACK B-2

CRITICAL THINKING: EVALUATING & PRESENTING

ARGUMENTS (WITHOUT BEING ARGUMENTATIVE) (DON LEVONIUS – TUESDAY)

7 CPEs

Seminar Focus and Features

Critical thinking is NOT about being critical of others; it is an essential skill that enables professionals to analyze problems and evaluate evidence in order to find reasoned solutions and make logical recommendations that help others. This course helps

participants learn to view and apply critical thinking as a process that will help them focus on facts while avoiding emotions, errors, opinions, and fallacies.

By the end of this course, learners should be able to:

Differentiate between facts and opinions

Recognize and avoid critical thinking errors and logical fallacies

Identify underlying assumptions

Evaluate evidence objectively

Implement the critical thinking process in business situations

Prerequisite: None

Learning Level: Basic

Field of Study: Auditing


TRACK B-3

MASTERING THE ART OF FACILITATION

(DON LEVONIUS – WEDNESDAY) 7 CPEs

Seminar Focus and Features

Whether your work requires you to facilitate meetings, strategy sessions, training classes or control self-assessment workshops, your success is dependent on your ability to master the facilitation skills used by professionals. Based on years of professional

facilitation experience, this course shares some of the lesser known “tricks of the trade” that will help even the most experienced facilitators get better results from the

classroom to the boardroom.

By the end of this course, learners should be able to:

Describe essential elements of a conducive training or meeting environment

Differentiate between informing and facilitating

Explain why asking and listening is more constructive than telling

Apply proven facilitation techniques to engage participants

Demonstrate effective ways to manage disruptive behaviors

Prerequisite: None

Learning Level: Basic

Field of Study: Auditing


About the Instructor

Don Levonius

Don Levonius, M.A., Principal Consultant, Victory Performance Consulting, is a

professional consultant, trainer, and national public speaker. Don draws on over 15 years of leadership experience, during which time he managed loss prevention and

fraud investigations for two department store chains, five distribution centers, and two Disney theme parks, and led learning and development for 23 Disney hotels, 200 retail and dining locations, a large transportation system, a security division, an international

college program, and a global internal audit association. Don also taught organizational communication and security for the University of Central Florida and Lake-Sumter State

College. He holds a master’s degree in business and organizational security management and a second master’s degree in human resource development.

Early in his 13-year Disney career, Don directed loss prevention and fraud investigations for Disney’s Magic Kingdom and Animal Kingdom theme parks. Following

the 9/11 terrorist attacks, Don was asked to transform Disney security training to help the company combat the emerging threat of terrorism. Having succeeded in that role,

Don was later promoted to lead operations and guest service training for all 23 Walt Disney World hotels, 200 retail and dining locations, monorails, watercraft, and buses. He subsequently became a senior leader of Disney University, the company’s corporate

university, overseeing education for its college and international programs.

Don was later hired by The Institute of Internal Auditors (IIA) to manage the design and development of internal audit related training, and was soon promoted to direct the delivery of over 200 seminars offered throughout the US annually.

Today, Don is Principal Consultant with Victory Performance Consulting, which has been

providing management consulting and training to business, law enforcement, and association management clients since 2009.


TRACK C-1

REPORT WRITING (JIM ROTH, MONDAY)

7 CPEs

Seminar Focus and Features

Learn a process that can improve your writing and cut your writing time in half. This session focuses on unlearning bad habits, and provides an opportunity to practice your

report writing skills with hands-on exercises. It also discusses why writing is hard, barriers you can remove, and how to distinguish quality writing from personal style in

audit report writing.

During this session you will learn:

How to develop effective findings and recommendations using the five attribute

approach and participative reporting.

How to make good writing easy using the “smart” writing process. The three

steps in the “smart” writing process and why keeping them separate is key to

success.

How to prepare an outline so simple and helpful you'll want to use it.

How to use the paragraph model to cut your writing time in half.

How to focus your writing on your most important readers.

How to plan, organize, and write audit comments without editing using hands-on

exercises.

This session also discusses:

Trends and Innovations in Audit Reports

Trends and new approaches in alternate rating systems

Techniques to give credit where credit is due

Management action plan only

Self-Editing

How to read what you wrote, not what you think you wrote

Getting the fog out - short sentences, simple words

The four step approach to powerful self-editing

Prerequisite: None

Learning Level: Basic

Field of Study: Auditing


TRACK C-2

RISK-BASED AUDITING AND REPORTING (JIM ROTH, TUESDAY-WEDNESDAY)

15 CPEs

Seminar Focus and Features

This session focuses on understanding an audit process used increasingly by world-class

audit departments, practicing the key skills used in this process, and employing proven evaluation tools.

This two-day session will cover an introduction to the COSO challenge: How to evaluate soft controls and Participative auditing: Get your customer on the audit team.

Topics will include:

Tools for Evaluating Soft Controls: Evaluating the Corporate Culture

A Better Audit Process: risk-based, participative, high-payback focus on evaluation

of system design:

Phase I - Planning: Planning steps for a participative audit, identifying and

assessing risk, characteristics of well-defined audit objectives.

Phase II - Evaluate the Adequacy of System Design: Emerging internal

control concepts and evaluating design, teaching your audit customer the

risk assessment process, documenting internal controls.

Phase III - Evaluate the Effectiveness of Key Controls: Fieldwork purpose

and methods, tools for evaluating effectiveness of soft controls, a risk and

control matrix for evaluating the control environment.

Phases I-III - Identify Opportunities for Improvement: Five attribute

approach, how to get buy-in, developing and reporting opportunities

for improvement.

Phase IV – Reporting: Audit reports and criteria for risk-rated audit issues.

Prerequisite: None

Learning Level: Intermediate

Field of Study: Auditing


About the Instructor

James Roth, PhD, CIA, CCSA, CRMA

James Roth, PhD, CIA, CCSA, CRMA, has three decades of progressive internal audit and teaching experience. After twelve years as a practitioner, Jim formed AuditTrends in 1993.

Since then, Jim has focused on best practices in internal audit. His extensive research has led to seven books and seven other major IIA publications, as well as eight AuditTrends seminars and numerous articles and speeches.

Jim is the 2008 recipient of the IIA's Bradford Cadmus Memorial Award, which honors

"individuals making the greatest contribution to the advancement of the internal audit profession."

Jim is one of the most highly rated speakers on internal audit, risk management, internal control, and corporate governance. He has presented papers at 11 of the last 16 IIA

International Conferences, as well as regional and national conferences throughout North America and Asia. Jim's expertise is not limited to emerging best practices. There is no better developer or presenter of basic audit skills training on the market today.


TRACK D

FORENSIC ANALYTICS: METHODS & TECHNIQUES FOR

FINANCIAL INVESTIGATIONS (MARK NIGRINI, MONDAY - WEDNESDAY)

22 CPEs

Seminar Focus and Features

This three-day workshop is a rare opportunity for an intensive real-world state-of-the-art experience with a recognized expert in the forensic analytics field. This session will review many of the topics covered in Forensic Analytics by Mark Nigrini, and will be drawing much of his materials from the Master’s level Fraud Data Analysis class that he

teaches at West Virginia University.

The first day, Nigrini will review the cycle of tests that begin with high level overview tests designed to identify large errors and to give the analyst a better understanding of the data. The next set of tests is based on Benford’s Law where the goal is to evaluate

the reasonableness of the data from a risk perspective and to identify abnormal duplications of leading and ending digits. This is followed by a series of drill down tests

that identify small samples of transactions that are high risks for being fraudulent, erroneous, inefficient, or biased in some way or other. The lecture will also cover the risk scoring of forensic units, a technique designed to score transactions, employees,

vendors, franchisees, and others based on their fraud likelihood.

The second day will be hands-on time (using your data analysis software of choice such as Excel, Access, or IDEA) where you will be given an analytics task accompanied by the workbook, which includes step-by-step screenshots to guide you to the correct

solution.

On the third day, the analytics tasks will more closely resemble a real-world project or assignment without step-by-step guidance. The day will begin with a lecture on attributes of fraudulent numbers that make them different from authentic numbers.

The remainder of the day will be spent analyzing the data of major fraud cases involving property tax refunds and employee purchasing card transactions. Attendees

will be given requirements without step-by-step guidance. The requirements will be solvable using the techniques learned during the previous two days.

No prior forensic or analytics experience will be assumed. Attendees do need to be familiar with the basics of data analysis such as importing data, the functions of Excel,

and preparing graphs or tables from the results of calculations or queries. Bring your laptops, or attendees can work in teams and share laptops, if needed.

Prerequisite: None

Learning Level: Basic

Field of Study: Auditing


About the Instructor

Mark J. Nigrini, PhD

Mark J. Nigrini, PhD, recently joined the faculty of the College of Business &

Economics at West Virginia University. The accounting department has a forensic accounting program and also has the only Ph.D. program in forensic accounting in the United States. Benford’s Law has been his research passion since his time as a Ph.D.

student. Frank Benford, a physicist in the 1930s, discovered that there were predictable patterns to the digits in lists of numbers. His research showed that the smaller digits

(1s, 2s, and 3s) were expected to occur more often in scientific and financial data. Until 30 years ago Benford’s Law was a rather well-kept secret. Since then the phenomenon has proved itself to be valuable to more and more people (mainly auditors in their

quest to uncover fraud in corporate data). Nigrini’s current research addresses advanced theoretical work on Benford’s Law, applications of forensic analytics to areas

such as the detection of Ponzi schemes, and the legal framework of fraud convictions.

Nigrini is the author of Forensic Analytics (Wiley, 2011) which describes analytic tests to detect fraud, errors, estimates, and biases in financial data. He is also the author of Benford's Law (Wiley, 2012) which is the seminal work on applications of Benford’s

Law. His next book The Employee Fraud Pandemic will be published in 2015. His work has been featured in national media including The Financial Times, New York Times,

and The Wall Street Journal and he has published papers on Benford’s Law in accounting academic journals, scientific journals, and pure mathematics journals, as well as professional publications such as Internal Auditor and Journal of Accountancy.

His radio interviews have included the BBC in London, and NPR in the United States. His television interviews have included an appearance on NBC's Extra and an interview on a

fraud saga involving twins for the Investigation Discovery Channel. He regularly presents professional seminars for accountants and auditors in the U.S., Canada,

Europe, and Asia with recent events in Singapore, Malaysia, and Switzerland and a forthcoming event in Bahrain.


TRACK E PROJECT MANAGEMENT

(KATHLEEN CRAWFORD, MONDAY-WEDNESDAY) 22 CPEs

Seminar Focus and Features

An audit is simply a project, yet few auditors take advantage of techniques used by project managers to complete their projects on time and on budget. In three intensive

days you will learn the basics of project management, including how you can achieve improved cost control, resource utilization, and more timely audit conclusions. You will

then apply these techniques to improving productivity in the internal audit process. Using audit-specific examples, you will learn project planning, scheduling, control, and decision support concepts and methodologies – the basics of project management.

Prerequisite: Fundamentals of Internal Auditing or equivalent experience.

Learning Level: Intermediate

Field of Study: Auditing

About the Instructor

Kathleen Crawford

Kathleen Crawford is a Senior Consultant for MIS Training Institute, and President of Crawford Consulting and Communications, LLC, a firm specializing in assurance,

investigative, and advisory projects for small firms without an internal audit function.

Previously, Ms. Crawford was an Internal Auditor for Vinfen Corporation, where her responsibilities included assisting management in standardizing operations, developing policies and procedures, and improving processes. In addition, she investigated all

suspected financial crimes, collecting evidence to ensure successful prosecution and recovery of company and client assets. Ms. Crawford trained other investigators in a

methodology for detecting and documenting fraud that met the unique compliance requirements of MA Department of Health and Human Services.

She began her career as a bank auditor, first with Bank of New England, then Eastern Bank, and State Street Bank. Her responsibilities in these institutions included internal

audits and fraud investigations.

A member of The Institute of Internal Auditors, Ms. Crawford is a past President of the Greater Boston Chapter of The IIA. She is also a member of the Association of Certified Fraud Examiners and the American Society for Training and Development.

Ms. Crawford serves as Treasurer of the Board of Trustees of the Foxborough Regional

Charter School and its foundation, Friends of FRCS.


TRACK F

AUDITING ERM (GREG DUCKERT, MONDAY-WEDNESDAY)

22 CPEs

Seminar Focus and Features

With the advent of corporate governance strategies that must embrace the entire organization, enterprise-wide risk has taken on critical dimensions of importance. In addition, the SEC and PCAOB have concluded that the key to effective compliance is a

“top-down, risk-based approach.” When properly defined and implemented, ERM provides the ideal baseline for this process.

In this intensive three-day seminar you will cover alternative methods, structures and tools that can be used for establishing an ERM. You will learn how to define which

aspects need to be audited and how to audit them, gain an understanding of the key qualities that an ERM should possess and discover why they are critical. You will explore

the integration of controls and business risk and find out how an oversight tool can be created that can be owned by operations and that will yield real business returns.

On the last day of this seminar you will work through a case study that will allow you to put into use what you learned as you are challenged to determine the most appropriate

audit tools, techniques, and process for evaluating an ERM situation. You and your colleagues will design the audit process and apply it to your report on the

issues of merit. You will leave this session with a solid understanding of how a well-structured ERM process should operate, what is critical to its success or failure, and

how to audit it to determine its efficacy.

Prerequisite: Risk School, or equivalent risk assessment experience.

Learning Level: Intermediate

Field: Auditing

About the Instructor

Greg Duckert, CIA, CISA, CMA, CPA

Greg Duckert is CEO of Audit, Inc., a consulting firm specializing in risk assessment models, operational analysis, and audit process methodologies designed to maximize returns to the organization. Mr. Duckert is also a Senior Consultant for MIS Training Institute and has over 30 years of national and international experience as an Internal/IS Audit Director. Mr. Duckert has held Audit Director positions in the manufacturing, construction and healthcare industries, assuming responsibilities for financial, operational, and information systems auditing functions. His information systems expertise includes application audits, software acquisition, systems development, controls, security design, adequacy and implementation, and systems operational efficiencies. He has performed consulting services in IS, financial, and operational audits, as well as in business acquisitions and start-ups.


TRACK G INTERNAL AUDIT UNIVERSITY

(DR. HERNAN MURDOCK, MONDAY-WEDNESDAY)

22 CPEs

Seminar Focus and Features

In this intensive three-day seminar you will master fundamental operational auditing techniques and learn how to use a risk-based approach to enhance your audits of the Purchasing, Marketing, Human Resources, Information Technology (IT), Management, Finance / Treasury, and Accounting functions.

You will explore the objectives of major business operation areas and learn how to identify the key risks threatening them. You will find out how to make your audits more efficient and effective and how to use data analytics to gain an in-depth understanding of business processes. You will cover critical areas such as the impact of SOX, ERM, and GRC on the organization, uncovering fraud schemes that threaten business operations, and the role of IA in helping management build strong risk management and strategic planning processes. You will leave this high-impact seminar with the skills necessary to go beyond outputs and to examine the organization’s ability to achieve the necessary outcomes.

Prerequisite: None

Learning Level: Basic

Field of Study: Auditing

About the Instructor

Dr. Hernan Murdock, CIA, CRMA

Dr. Hernan Murdock is a Senior Consultant with MIS Training Institute. Prior to MIS, he was the Director of Training at Control Solutions International where he oversaw the company's training and employee development program. Previously, he was a Senior Project Manager leading audit and consulting projects for clients in the manufacturing, transportation, high-tech, education, insurance, and power generation industries. He authored the books 10 Key Techniques to Improve Team Productivity and Using Surveys in Internal Auditing, and articles on whistleblowing programs, international auditing, mentoring programs, fraud, deception, corporate social responsibility, and behavioral profiling.


TRACK H

AUDITING THE APPLICATION SYSTEM DEVELOPMENT PROCESS (TOM SALZMAN, MONDAY - WEDNESDAY)

21 CPEs

Seminar Focus and Features

In this three-day seminar you will explore proven audit strategies that will enable you to efficiently audit and evaluate applications systems development in a variety of technical environments. You will review common applications development risks, how to overcome them and what you must do to meet the new internal control and documentation requirements of SOX. You will drill down to the unique risks associated with purchased, in-house, and web-based applications and learn what you can do to minimize them. You will cover RAD, implementation and control change, design specifications, testing, project management, and application software inventory control. You will receive audit programs, questionnaires, and sample audit findings you can put to use immediately.

Prerequisite: IT Auditing and Controls, IT Audit School, or equivalent experience.

Learning Level: Intermediate

Field: Auditing

About the Instructor

Thomas Salzman, CISA

Thomas Salzman, CISA, is IS Audit Manager for Illinois State University. Previously, Mr. Salzman was Director of Professional Services for ISACA. He also served as editor and co-author of the ISACA CISA Review Manual. Prior to joining ISACA, Mr. Salzman was with Coopers & Lybrand, heading their Technical Training and Information Security practices.


TRACK I-1 WINDOWS 7 SECURITY AND AUDIT

(JOHN TANNAHILL, MONDAY) 7 CPEs

Seminar Focus and Features

This seminar will focus on the security and control issues related to Windows 7 Operating Systems and related technology and infrastructure components. This seminar will provide an understanding of key Windows 7 security components as well as an understanding of key Windows 7 security risks. The key features of this session include:

Windows 7 Operating System Concepts

Operating System Overview Key Differences from Windows 7; Windows XP Versions Windows 8 Security Overview

Service Packs and Patch Levels

Windows 7 Security Overview

Local Security Policy

User Accounts and Passwords

Windows Defender

User Access Control

Security Event Logs

Encryption

Bitlocker

Applocker

Understanding Enterprise Components and Infrastructure

Windows 2008/2012 Server security

Key Active Directory security areas for Member Workstations

Client Security Baselines

Network Access Protection

Remote Desktop

Understanding Windows Firewall and advanced security features

Securing Windows 7 operating system environment using security baselines

Top 10 Windows 7 Security Risks: Case study to identify risks and develop control strategy

Security Tools & Techniques: Demonstrations of Security Tools and Resource Sites and Information

Prerequisite: None

Learning Level: Basic

Field of Study: Auditing


TRACK I-2

CYBER SECURITY (JOHN TANNAHILL, TUESDAY-WEDNESDAY)

15 CPEs

Seminar Focus and Features

This course will focus on the risk and control issues related to cyber security and emerging information security and technology.

Key Learning Objectives include:

Understanding cyber security risk and control issues: Key concepts and relationship to business organizations

Cybercrime (Crime and Espionage)

Cyber warfare and cyber terrorism (Nation to Nation attacks)

Understanding emerging risk areas: Overview of Threat Landscape

Malware: Eurograbber; Flame; Stuxnet; Command & Control; Botnets; Denial of Service; Fraud

Other Malware

Discussion of security and audit tools and techniques:

Questions auditors should ask in relation to how the organization should protect IT infrastructure and corporate information from cyber security threats.

Risk and Controls Areas and Key Control Requirements

Malware Management and Application Whitelisting

Incident Management

Security Awareness

Cyber Security and Cyber-warfare Advanced Persistent Threats (APT) Malware

Prerequisite: None

Learning Level: Intermediate

Field of Study: Auditing


About the Instructor

John Tannahill, CA, CISM, CGEIT, CRISC

John Tannahill, CA, CISM, CGEIT, CRISC is a management consultant specializing in information security and audit services. His current focus is on information security management and control in large information systems environments and networks. His specific areas of technical expertise include UNIX and Windows operating system security, network security, and Oracle and Microsoft SQL Server security. John is a frequent speaker in Canada, Europe and the US on the subject of information security and audit.

John is a member of the Toronto ISACA Chapter and has spoken at many ISACA Conferences and Chapter Events including ISACA Training Weeks; North America CACS; EuroCACS; Asia-Pacific CACS; International and Network and Information Security Conferences.

2008 Recipient of the ISACA John Kuyer Best Speaker/Best Conference Contributor Award


TRACK J-1 COMPLIANCE WITH PCI

(KEN CUTLER, MONDAY) 7 CPEs

Seminar Focus and Features

The Payment Credit Card Industry Data Security Standard (PCI DSS) is designed to protect credit card information wherever and whenever it is processed, stored, or transmitted, and to ensure that members, merchants, and service providers maintain the highest security standards. Meeting the twelve (12) requirements of this evolving standard can be a daunting challenge… and non-compliance can result in costly fines, loss of valuable retail customers, and continued vulnerability to serious payment card data attacks.

In this practical seminar, you will gain solid familiarity with the current PCI DSS and recent significant changes, and get proven tips on how best to overcome compliance challenges. You will examine a summary of the compliance requirements and cover practical solutions, potential risks, and common pitfalls. Highlights of the security controls necessary to satisfy PCI DSS requirements will be presented using a practical, commonsense methodology that emphasizes a top-down, structured implementation approach to day-to-day business operations.

Prerequisite: How to Perform an IT General Controls Review or equivalent training. A basic understanding of IT audit controls and terminology is assumed.

Learning Level: Intermediate

Field of Study: Auditing


About the Instructor

Ken Cutler, CISSP, CISA, CISM

Ken Cutler is a Senior Teaching Fellow with CPEi, specializing in Technical Audits of IT Security and related IT controls. He is the President and Principal Consultant for Ken Cutler & Associates (KCA) InfoSec Assurance, an independent consulting firm delivering a wide array of Information Security and IT Audit management and technical professional services. He is also the Director – Q/ISP (Qualified Information Security Professional) programs for Security University.

An internationally recognized consultant and trainer in the Information Security and IT audit fields, he is certified and has conducted courses for: Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) and CompTIA Security+. In cooperation with Security University, he recently was featured in two full length training videos on CISSP and Security+.

Ken was formerly Vice-President of Information Security for MIS Training Institute (MISTI), and Chief Information Officer of Moore McCormack Resources, a Fortune 500 company. He also directed company-wide IS programs for American Express Travel Related Services, Martin Marietta Data Systems, and Midlantic Banks, Inc.

Ken has been a long-time active participant in international government and industry security standards initiatives, including:

The President’s Commission on Critical Infrastructure Protection

Generally Accepted System Security Principles (GSSP)

Information Technology Security Evaluation Criteria (ITSEC)

US Federal Criteria, and

Department of Defense (DOD) Information Assurance Certification Initiative.

He is a prolific author on information security topics. His publications include:

Commercial International Security Requirements (CISR), a commercial alternative to military security standards for system security design criteria

NIST SP 800-41, “Guidelines on Firewalls and Firewall Policy”, of which he was co-author, and

Various works on security architecture, disaster recovery planning, wireless security, vulnerability testing, firewalls, single sign-on, and the Payment Card Industry Data Security Standard (PCI DSS).

He has been frequently quoted in popular trade publications, including Computerworld, Information Security Magazine, Infoworld, InformationWeek, CIO Bulletin, and Healthcare Information Security Newsletter, and has been interviewed in radio programs My Technology Lawyer and Talk America.

Ken received a Bachelor of Science degree in Business Administration and a Computer Science degree from SUNY Empire State College.


TRACK J-2

PLANNING AN IT SECURITY STRATEGY (JEFF KALWERISKY, TUESDAY-WEDNESDAY)

15 CPEs

Seminar Focus and Features

Historically, IT security was focused on physical security, preventing malware, and defending against the onslaught of spam. External security focused on firewalls and intrusion detection/prevention devices at the network level. The threat has metamorphosed into criminal attacks on the enterprise’s primary assets: its sensitive business information and its operations. In response to numerous cases of enterprises losing sensitive or proprietary information – customers’ or patients’ personal details, credit card numbers, social security numbers, medical histories, and more – the burden of privacy laws and regulations has also mushroomed, creating major compliance issues for the IT security function.

The focus has changed from network protection at the least possible cost to the “WSJ Test” – no corporate executive wants to be on the front page of a major newspaper associated with yet another data breach or a significant operational disruption.

IT security is now on the literal front line in the never-ending struggle to prevent data leakage and operational disruption.

We will discuss:

The real and present threats to the Enterprise with actual case studies

What information is actually sensitive

Why it is so difficult to know where that information is located

The major areas to be included in a Best of Breed security strategy

How data loss prevention has moved to the front of the bus

Information security strategy in a Federated world

Effective metrics to manage IT security and communicate with business management

Making IT security a valued and proactive partner in the business

Prerequisites: Understanding of risk management processes and basic information security concepts

Learning Level: Intermediate

Field of Study: Auditing


About the Instructor

Jeff Kalwerisky, CA, CISA

Jeff Kalwerisky, Vice President and Director, Information Security and Technical Training at CPE Interactive, has specialized in information security, information risk management and IT auditing for over 20 years. He currently focuses on information risk, IT security governance and frameworks, and secure software development.

He has held executive positions in information security and risk management with Accenture and Booz Allen Hamilton consulting firms. In both of these capacities, he has consulted with Fortune 100 companies and national governments, assisting in their development and deployment of enterprise security governance policies and frameworks, and technology solutions that strengthen information security and data privacy/protection. He served as infrastructure security architect on the world’s largest electronic health project on behalf of the British Government’s National Health Service, the world’s largest electronic medical records deployment project, where he developed security governance to oversee 1,500 software architects and developers.

As manager of global security for VeriSign, he was responsible for ensuring that affiliate companies in 30 countries adhered to VeriSign’s military-grade security standards appropriate to a global certification authority, which he helped to design and deploy.

Jeff was a partner with a major audit firm in South Africa and a consultant with PricewaterhouseCoopers.

He has published security and audit guides, and has developed training courses throughout the USA and internationally on a wide range of technical topics focusing on Windows security, secure e-commerce, IT auditing, cryptography and biometric security.

Jeff is originally from South Africa, where he received a Bachelor of Science in Physics and Math, a Masters of Science in Computer Science from University of Witwatersrand, Johannesburg, and Masters in Finance and Auditing from the University of South Africa, Pretoria. He is a Chartered Accountant (South Africa) and Certified Information Systems Auditor.


TRACK K-1

THREAT MODELING (JEFF KALWERISKY, MONDAY)

7 CPEs

Seminar Focus and Features

Threat Modeling is a methodology for documenting potential risks and vulnerabilities in information systems (applications, networks, etc.). It allows auditors and information security specialists to focus on, and document, specific classes of threats and control weaknesses together with relevant remediation or compensating controls. Using a standard form of data flow diagrams (DFDs), parts of applications to entire systems can easily be documented in a standard format which can be understood by developers, auditors, information security specialists, and management.

All of this information can be stored in a database which forms an electronic trail, over the entire lifecycle (SDLC) of the application or system, of the vulnerabilities and control weaknesses inherent in the system and the corresponding resolution or corrective action. Review of the database records can then be mapped to continuous monitoring and continuous auditing processes.

We will discuss:

The major classes of threats, known by the acronym STRIDE

Building threat surfaces for applications and systems – in production or in development

Data flow diagrams (DFDs) for documenting threat surfaces

Building a threat model – hands-on case studies

Creating a database of the threat surface for the life of the application/system

Prerequisite: A basic understanding of information security, IT controls, and flowcharting techniques.

Learning Level: Intermediate

Field of Study: Auditing


TRACK K-2

AUDITING INFORMATION SECURITY GOVERNANCE AND CONTROL

(NORM KELSON, TUESDAY-WEDNESDAY) 15 CPEs

Seminar Focus and Features

Many important IT controls are related to the protection of valuable information assets and increasingly demanding regulatory compliance requirements. In this highly practical workshop, you will cover the essential background information, resources, tools, and techniques necessary to plan and launch a wide range of hard-hitting, cost-effective information security audits that should be performed by internal and external auditors, information security professionals, and IT staff. You will explore not only management and administrative controls, but also the fundamentals of important logical security controls for protecting valuable information assets and associated IT resources. You will receive a variety of invaluable checklists, matrices, and other worksheet tools.

In this seminar, we will discuss:

Major risks to information security

Compliance targets

Information security scope and components

Tools and techniques for assessing administrative, physical, and technical information security controls

Prerequisite: None

Learning Level: Basic

Field of Study: Auditing


About the Instructor

Norm Kelson, CPA, CISA, CGEIT

Norm Kelson, founder of CPE Interactive, specializes in building and disseminating best practices to assurance, risk, governance, and management stakeholders. With over 30 years of extensive experience in IT assurance and governance, he has served in a variety of capacities as a consultant with a Big 4 firm and an internal audit boutique, internal auditor executive, and industry advocate.

He is the author of over 30 IT Audit/Assurance Programs for ISACA which are available as a resource to its members, and a series of case studies to support ISACA’s IT Governance Using COBIT® and VAL IT™: Student Book 2nd Edition.

Norm was Managing Director of IT Audit and Technical Seminars for MIS Training Institute. During his 12-year tenure he was responsible for creation and curriculum development of its global IT Audit training portfolio focusing on best practices in risk-based auditing.

He has held positions as: Director of IT Audit for the US Subsidiary of Royal Ahold (Stop & Shop and Giant) and was a key member of the internal audit professional practices and standards and the global information security committees; Vice President of Internal Audit Services and National IT Audit Practice Director for CBIZ Harborview Partners; managed KPMG’s New England Region IT Auditing practice, and held positions in IT Audit management with Fannie Mae, CIGNA, and Loews Corporation. He began his career as a financial auditor with Laventhol and Horwath.

Norm is an Adjunct Professor at Bentley University and a member of the Audit/AIS Curriculum Committee.

He is a frequent speaker and subject matter expert at ISACA and Institute of Internal Auditors (IIA) conferences, is a former Executive Vice President of the New England ISACA Chapter and served on the Chapter’s Strategic Planning Committee.

Norm received a Bachelor of Science in Business Administration from Boston University and an MBA from the University of Pennsylvania Wharton School. He is a Certified Public Accountant, Certified Information Systems Auditor, and Certified in the Governance of Enterprise Information Technology.


TRACK L-1

BRIEFING ON CURRENT TECHNOLOGY (NORM KELSON, MONDAY)

7 CPEs

Seminar Focus and Features

As we introduce new information technologies or approaches, our risks change, and, in many cases, have unintended consequences. This session focuses on four (4) key issues in the audit world:

Transfer of computing resources to a utility model

Proliferation of smart mobile devices

Sophisticated communications and a 24-hour news cycle magnifying organizational missteps and outright errors

Social media as a communications monitoring vehicle

We will frame the risks, obtain an understanding of how these issues affect internal audit, and promote discussion on how we can effectively incorporate these issues into our audit universe. You will discuss IT management’s top issues relating to:

Cloud computing

Mobile data assets

Crisis management

Social Media

Prerequisite: None

Learning Level: Basic

Field of Study: Auditing


TRACK L-2 AUDITING THE DMZ

(KEN CUTLER, TUESDAY-WEDNESDAY) 15 CPEs

Seminar Focus and Features

Today’s Internet connections are typically shielded by a Demilitarized Zone (DMZ), a critical security buffer between your organization’s internal network and the outside world. Firewalls, intrusion detection/prevention systems, proxy servers, load balancers, filtering routers, VLANs, and VPNs all play a major role in regulating and restricting traffic flowing to and from the Internet. Failure to properly configure, maintain, and monitor a secure and efficient DMZ increases the risk of your organization being attacked by external intruders. This intensive seminar is designed to equip you to better protect and audit your network’s perimeter through a blend of practical, up-to-the-minute knowledge transfer and audit case studies.

Note: This course does not cover the details of web application security and audit, which are covered in How to Audit Modern Web Applications (IT02).

Prerequisite: Simplifying Audits of Network Security or equivalent training. Familiarity with TCP/IP concepts and terminology is assumed.

Learning Level: Advanced

Field of Study: Auditing


REGISTRATION INFORMATION

Participation is limited so registration will be accepted on a first-come, first-served basis. Pricing has been established to provide the maximum educational benefit for the lowest cost. Therefore, we will not be offering discounts from the established prices for early registration, membership affiliation or groups.

Dress code for the conference is business casual.

Morning refreshments will be provided from 7:30 – 8:30 AM, and general sessions will be from 8:30 AM – 4:30 PM each day. Lunch will be provided daily with vegetarian options.

Due to circumstances outside of our control, we may find it necessary to reschedule or cancel sessions, or change instructors. We will give registrants advance notice of such changes, if possible.

Payment and Cancellation Policy

Please note all times are stated in Eastern Standard Time (EST). All reservations must be made online at www.isaca-det.org or www.detroitiia.org. Telephone, fax, and mail-in registrations will not be accepted.

All payments must be received by midnight 2/24/15. Payments may be made at the time of registration using Visa, MasterCard, Discover, or American Express, or check payments may be mailed to the address listed below.

Cancellations may be made online until midnight on Tuesday 2/24/15 without penalty. Any cancellation received after Tuesday midnight 2/24/15, and before Monday midnight 3/2/15 will be charged a non-refundable service fee based on the CPEs of the registered course being cancelled. No refunds will be given for registrations that are cancelled after midnight 3/2/15.

CPEs | Non-Refundable Service Fee

7 | $25

15 | $50

22 | $75

Payments (payable to: IIA Detroit) should be mailed to the address below. Please do not remit payment to the ISACA Detroit Chapter. Conference or registration questions should be sent to [email protected].

IIA - ISACA Spring Conference

Geralyn Jarmoluk – Administrator

78850 McKay Rd

Romeo, MI 48065

Hotel Information

The spring conference committee has arranged for a discounted rate at the Doubletree Hotel Detroit/Dearborn. Register by 2/1/2015 and request the “IIA & ISACA Spring Seminar Discount” to receive a rate of $108 per room per night. The Double Tree Hotel is located at 5801 Southfield Expressway, Detroit, MI 48228. Telephone: 1-313-336-3340.


TRACK INFORMATION

Track | Session | Dates | Fee

A-1 | Embezzlement: Techniques to Detect, Investigate, and Remediate Loss of Assets (7 CPEs) | 3/9 | $275

A-2 | Auditing for Fraud: Tools, Techniques, and Guidance (7 CPEs) | 3/10 | $275

A-3 | Auditing Ethics and Compliance Programs and Controls (7 CPEs) | 3/11 | $275

B-1 | Communicating for Results (7 CPEs) | 3/9 | $275

B-2 | Critical Thinking: Evaluating & Presenting Arguments (7 CPEs) | 3/10 | $275

B-3 | Mastering the Art of Facilitation (7 CPEs) | 3/11 | $275

C-1 | Report Writing (7 CPEs) | 3/9 | $275

C-2 | Risk-based Auditing and Reporting (15 CPEs) | 3/10-3/11 | $550

D | Forensic Analytics: Methods & Techniques for Financial Investigations (22 CPEs) | 3/9-3/11 | $825

E-1 | Project Management (22 CPEs) | 3/9-3/11 | $825

F | Auditing ERM (22 CPEs) | 3/9-3/11 | $825

G | Internal Audit University (22 CPEs) | 3/9-3/11 | $825

H | Auditing the Application System Development Process (22 CPEs) | 3/9-3/11 | $825

I-1 | Windows 7 Security and Audit (7 CPEs) | 3/9 | $275

I-2 | Cyber Security (15 CPEs) | 3/10-3/11 | $550

J-1 | Compliance With PCI (7 CPEs) | 3/9 | $275

J-2 | Planning an IT Security Strategy (15 CPEs) | 3/10-3/11 | $550

K-1 | Threat Modeling (7 CPEs) | 3/9 | $275

K-2 | Auditing Information Security Governance and Control (15 CPEs) | 3/10-3/11 | $550

L-1 | Briefing on Current Technology (7 CPEs) | 3/9 | $275

L-2 | Auditing the DMZ (15 CPEs) | 3/10-3/11 | $550


Conference Location

University of Michigan Dearborn - Fairlane Center North

19000 Hubbard

Dearborn MI 48126 (Park in rear lot – north end of complex)

From the West

Take I-94 East to Southfield (M-39) and exit north. Follow Southfield (North) to the Michigan Ave. (U.S. 12) exit. Stay on the Southfield Service Drive to Hubbard Drive and turn left. Follow Hubbard Drive and turn right into the Southern entrance of the UM-Dearborn/Fairlane Center (the marquee will read: The University of Michigan-Dearborn/Fairlane Center). Follow the entrance road to the back and turn left at the stop sign; the North Building will be located on your left hand side. Parking is directly across from the North Building.

From the East

Take I-94 West to Southfield (M-39) and exit north. Follow Southfield (North) to the Michigan Ave. (U.S. 12) exit. Stay on the Southfield Service Drive to Hubbard Drive and turn left. Follow Hubbard Drive and turn right into the Southern entrance of the UM-Dearborn/Fairlane Center (the marquee will read: The University of Michigan-Dearborn/Fairlane Center). Follow the entrance road to the back and turn left at the stop sign; the North Building will be located on your left hand side. Parking is directly across from the North Building.

From the South

Take Southfield (M-39) north to the Michigan Avenue exit. Stay on the Southfield Service Drive to Hubbard Drive and turn left. Follow Hubbard Drive and turn right into the Southern entrance of the UM-Dearborn/Fairlane Center (the marquee will read: The University of Michigan-Dearborn/Fairlane Center). Follow the entrance road to the back and turn left at the stop sign; the North Building will be located on your left hand side. Parking is directly across from the North Building.

From the North

Take Southfield (M-39) south to the Ford Road exit. Stay on the Ford Road Service Drive to Hubbard Drive and turn right. Follow Hubbard Drive and turn right into the Southern entrance of the UM-Dearborn/Fairlane Center (the marquee will read: The University of Michigan-Dearborn/Fairlane Center). Follow the entrance road to the back and turn left at the stop sign; the North Building will be located on your left hand side. Parking is directly across from the North Building.