TRANSCRIPT
Sunday | August 12, 2018 8:30 a.m. – 5:00 p.m.
Workshop 1: COBIT NIST Cybersecurity Framework
Mark Thomas, CGEIT, CRISC
President
Escoute Consulting
As part of the knowledge, tools, and guidance provided through the Cybersecurity Nexus (CSX)™ program, ISACA has developed a guide and course: Implementing NIST Cybersecurity Framework Using COBIT 5®. This workshop is a synopsis of that course, focusing on the Cybersecurity Framework (CSF), its goals, the implementation steps, and the ability to apply learnings.
In this session, participants will:
Understand the goals of the Cybersecurity Framework (CSF).
Learn and discuss the content of the CSF and what it means to align to it.
Understand each of the seven CSF implementation steps.
Be able to apply and evaluate the implementation steps using COBIT 5.
Pre-requisites for attending this Workshop:
Basic knowledge of COBIT
Basic knowledge of security concepts
Mark Thomas is an internationally known governance, risk, and compliance expert in the areas of cybersecurity, IT service management, assurance and audit, and IT controls. His background spans leadership roles from CIO to management and IT consulting in several federal and state agencies, private firms, and Fortune 500 companies. With over 25 years of professional experience, Thomas has led large IT teams, conducted information governance/risk activities for major initiatives, managed enterprise applications implementations, and implemented cybersecurity and governance processes across multiple industries. Additionally, he works as a consultative trainer and speaker, and earned the ISACA John Kuyers award for Best Speaker/Conference contributor in 2016.
Workshop 2: Auditing Technology Disruptors
Thomas Sanglier, CIA, CPA, CRMA
Senior Director, Internal Audit
Raytheon Company
Jennifer Allen, CIA, CISA, CFE
Manager II, Internal Audit
Raytheon Company
New and emerging technologies are revolutionizing the way work gets done. This will require internal auditors to rapidly transform what we audit, how we audit, and the skills we need. Audit leaders must be able to sort through multiple technology initiatives, identify accelerating innovation, and reshape internal audit. This collaborative workshop will share one department’s lessons learned and ongoing journey in this endeavor. In this session, participants will:
Discuss emerging technologies and the potential impact they can have on organizations, including governance, risk, and controls.
Review how to prepare their organizations and teams for the audits of the future.
Exchange strategies and tools for leveraging these same disruptors as audit tools to foster positive outcomes.
Thomas Sanglier is responsible for all internal audit risk assessments and the execution of projects. He joined Raytheon in 2010 from EY, where he was a partner in its advisory services practice. Sanglier is a frequent speaker at industry conferences on topics such as governance, risk assessment, anti-fraud and corruption, internal control, and audit leadership. He is Vice-Chair for the IIA's Guidance Development Committee, a 2018 nominee for the North American Board, and has been published in Internal Auditor magazine.
Jennifer Allen has nearly 10 years of internal audit experience (five in health care) in assessing the adequacy of internal controls, testing the operating efficiency of operations, IT general controls, the reliability of financial reporting, process improvement, and compliance with policies and procedures.
Monday | August 13, 2018 8:30 – 9:45 a.m.
Opening Keynote: Disruptive Thinking: How to Prepare for What's Coming Next
Luke Williams
Clinical Associate Professor of Marketing
Executive Director, W.R. Berkley Innovation Labs, Stern School of Business, New York University
The future we face will not be predictable. The scale of the challenges we confront and the quickening speed of technological innovation demands a new way of opening minds to new strategies. Winning organizations in the next decade will need to rethink the habits that have made them successful in the past and incorporate a steady stream of unconventional ideas to stay ahead of their competitors.
In this session, participants will:
Learn of the link between innovation, growth, and the accelerating pace of disruptive change.
Discover how to apply new leadership principles to shape mindset and motivation.
Identify organization processes and behaviors needed to implement these leadership principles.
Luke Williams is a globally recognized authority on disruptive innovation and innovation business strategy. As founder and executive director of W.R. Berkley Innovation Labs, fellow at Frog Design, and professor of marketing at NYU Stern School of Business, he has worked with leading companies worldwide, lectured in 21 countries, and addressed both the United Nations General Assembly and the World Innovation Forum. Notably, Williams is the inventor of 30+ U.S. patents and has designed 100+ products for the transportation, finance, healthcare, and consumer electronics industries. He wrote the international bestseller, Disrupt: Think the Unthinkable to Spark Transformation in Your Business, and his views are regularly featured in Bloomberg BusinessWeek, Fast Company, The Wall Street Journal, and The Economist.
Monday | August 13, 2018 10:15 – 11:15 a.m.
CS 1-1: Auditing Identity Access Management
Donald Gallien, CPA, CISA, CISM, CISSP, CRCM, CAMS
Vice President, Assurance Leader
American Express, Internal Audit Group
Jeevaka Somaratne, CISA, CAMS
Director, Audit Team Leader
American Express, Internal Audit Group
Identity Access Management (IAM) strives to provide “the right individuals access to the right resources at the right times.” IAM tools promise integrated and holistic security management capabilities, including automated access provisioning and revocation, linkage to user certification processes, password management, policy enforcement, compliance reporting, and analytics. IAM implementation changes the access management paradigm completely. Previously disjointed and manual processes will now be integrated and automated, which requires changing audit design to focus on testing of IAM application controls, IAM configuration and workflow, and the integration of HR systems, directory services, and IAM data analytics. In this session, participants will:
Understand the impact of IAM systems on data access and information security.
Create and execute a new audit approach addressing key IAM concepts and system configurations.
Identify legacy test approaches they may need to retire, and data analytics they may want to add to their audits of access management.
Donald Gallien leads internal audit teams performing IT general control audits, integrated application control audits, and data analytics as a vice president, assurance leader at American Express. Previously, as a senior vice president, treasury systems at Countrywide Financial Corporation, he led the corporate treasury IT function. Gallien was also a manager in Deloitte & Touche’s enterprise risk services practice, and held other audit positions in industry and government. He has presented at numerous conferences for The IIA, ISACA, and ACAMS on the topics of information security, data analytics, and anti-money laundering.
Jeevaka (Jee) Somaratne is responsible for leading operational, technology, and regulatory special projects as a vice president and audit leader at American Express. Previously, he was a senior auditor within the risk advisory services practice at Ernst & Young, where he performed financial statement and technology audits as well as third-party assurance reviews.
CS 1-2: How to Design and Implement an Adaptive IT Compliance Function
Ralph Villanueva, CIA, CRMA, CISA, CISM, ITIL
IT Security and Compliance Analyst
Diamond Resorts International
A huge problem for both internal and IT auditors is the continuing emergence of new and revised IT compliance regulations. Aside from updates to existing regulations such as PCI-DSS v3.2, there are new international ones such as GDPR, as well as updates of existing state or local privacy requirements. Even a dedicated IT compliance department will have a hard time keeping pace. The solution is to find commonalities in all these regulations. Every law and regulation pertaining to digital privacy has three objectives — confidentiality, integrity, and availability — and impacts three IT compliance components — people, process, and technology (PPT). Hence, finding a common thread amongst these regulations and looking at them from a PPT perspective will simplify IT compliance with these privacy and information security regulations. In this session, participants will:
Learn a process for identifying common requirements amongst different regulations.
Use this process to "future-proof" IT compliance.
Identify a cost-effective and feasible way to adapt this process across different regulations and avoid duplicating solutions for the same requirement.
Ralph Villanueva has been keeping his employers compliant with IT compliance requirements, including those of the Nevada Gaming Control Board, payment card industry, Sarbanes-Oxley, and ISO 27001, since 2010. His 10-plus years of experience in auditing, accounting, and financial management enables him to bridge the collaboration gap between IT and the rest of the organization with regards to communicating and enforcing IT compliance requirements. Villanueva has spoken professionally at more than 20 national and international conferences of The Institute of Internal Auditors (IIA), Information Systems Audit and Control Association (ISACA), Association of Certified Fraud Examiners (ACFE), and Society of Corporate Compliance and Ethics (SCCE).
CS 1-3: Building Your Brand and Exceeding Stakeholder Expectations
Julie Scammahorn, CIA, CRMA
Chief Auditor of Citibank, N.A., North America Compliance and Anti-Money Laundering
Citibank
Sriram Padmanabhan, CIA, QIAL
Chief Auditor, Technology
Citigroup
This session will highlight the importance of building your professional brand. This includes showcasing key tactics to build and enhance your brand and sharing best practices you can implement to exceed stakeholder expectations within your role. In this session, participants will:
Understand the importance of defining one’s brand.
Gain an awareness of the key tactics one can use to build their brand, regardless of their seniority level or firm size.
Learn how to meet and exceed stakeholder expectations to strengthen your brand.
Julie Scammahorn is responsible for the ongoing assessment of businesses’ risk and control environment through evaluation of financial, operational, and administrative controls; governance; and risk management practices as well as adherence to laws, regulations, and Citigroup and Citibank, N.A. policies. She also is the regional chief auditor for North America, overseeing the program assurance provided over Citi’s businesses across the region. Prior to joining Citi in 2014, Scammahorn was the general auditor and senior vice president of American Express Company, and also served as general auditor at Bank of America Corporation (legacy Countrywide Financial Corporation). Scammahorn started her career in banking with NationsBank (Bank of America) and was the senior vice president and audit director responsible for the global audits of Banc of America Securities. She is a member of The IIA’s Financial Services Advisory Board.
Sriram Padmanabhan has 28+ years of financial services experience. He joined Citi in 2014 as chief auditor for Middle East and North Africa and became chief auditor of ICG technology and operations in 2016. He was appointed chief auditor of technology in 2017 to oversee internal audit’s delivery of assurance on governance, risk management, and control across the technology function globally. Previously, Padmanabhan served in senior leadership roles in EMEA and APAC at Standard Chartered Bank. In addition to directing operations and technology teams across multiple geographies to deliver IT infrastructure and services, he led teams to develop, test, and implement new systems as well as establish centralized processing and data centers. He was also a board member at Standard Chartered Bank Nigeria Ltd. and audit committee chair.
CS 1-4: Building and Maintaining a Sustainable ERM Framework, Part 1
Tanya Bullock, CIA, CRMA, CPA
Vice President, Governance, Risk, Compliance, and Controls
Community Care of North Carolina
Sabrina Hilber, CIA, CISA, CHP
Director of Compliance and IT Assurance
Community Care of North Carolina
Roberto Rodriguez, CIA, CISA, CPA
GRC Manager
Community Care of North Carolina
Many organizations encounter obstacles while implementing an Enterprise Risk Management (ERM) framework. In the years following implementation, as the ERM process matures, risk managers then face the challenge of demonstrating ERM’s value to the organization. What’s the secret of successful implementation? How do you get the most out of your ERM process? Are you ready to take your ERM function to the next level? In this session, participants will:
Determine the value proposition of ERM.
Develop a strategy to successfully implement ERM.
Focus on challenges that can hinder successful implementation of ERM across industries and explore solutions that can help risk managers overcome these issues.
Formulate a roadmap that engages all levels of management while embedding ERM.
Tanya Bullock brings passion and creativity to the internal audit, enterprise risk management (ERM), and compliance activities in her role as leader of the GRC department at Community Care of North Carolina. Bullock worked in large internal audit shops during the first 15 years of her career, and she firmly believes that a solid risk management foundation, complemented by a strong system of internal controls, is essential for the ongoing success of any organization.
Sabrina Hilber has approximately 20 years of combined audit and risk management experience in large and small companies within the finance, insurance, and healthcare industries. She takes pride in partnering with management to develop solutions to address the challenging risks in the IT and compliance arena. As part of the GRC team at Community Care of North Carolina, she played an important role in developing and implementing the ERM framework.
Roberto Rodriguez has over 15 years of experience in accounting, internal/external audit, and risk management. He has held a variety of financial and audit positions in the pharmaceutical, retail, insurance, and healthcare industries. As GRC manager at Community Care of North Carolina, Rodriguez is responsible for financial and operational audits, the policy office, and records management, in addition to building and maintaining the ERM framework. He is a creative problem solver who specializes in using technology to facilitate training sessions, report results, and design and implement processes.
Monday | August 13, 2018 11:30 a.m. – 12:30 p.m.
CS 2-1: Cybersecurity Is Not an IT Problem: Creating a Resilient Security Culture Through Human Intervention
Sharon Smith, CISSP
Founder and Principal Consultant
C-Suite Results
Employees, vendors, and third parties are not going out of their way to create cyber incidents, but despite training, policies, and compliance initiatives, security incidents and data breaches keep happening. By creating a culture of security and the right communication and awareness strategy, user error can be reduced, incidents can be identified faster, and organizations can get back to what’s important: their customers.
In this session, participants will:
Understand the human factor in cybersecurity and how people are the first line of defense in enabling resiliency against cyberattacks, phishing attacks, and social engineering.
Determine whether they have a culture of security and identify how security and business leaders can be more strategic in order to create such a culture.
Learn how to engage and motivate employees to prevent cybersecurity incidents.
Sharon Smith has worked globally with companies ranging from a single location to Fortune 100, providing consulting, compliance, audit, and advisory services since 2005. Her past experience spanned a broad security and compliance spectrum, including conducting assessments and audits for SOX, HIPAA, and PCI, along with organizations’ internal compliance initiatives and general security controls. Smith has served as an internal IT auditor as well as a federal auditor for the Department of Defense.
CS 2-2: Does Auditing Governance Mean Auditing Culture?
Dr. Sridhar Ramamoorti, CIA, CCSA, CFSA, CGAP, CRMA
Associate Professor
University of Dayton
Alan Siegfried, CIA, CCSA, CFSA, CGAP, CRMA
Board Member and Audit Committee Financial Expert
MidAtlantic Farm Credit Bank
The two authors of the 2016-2017 IIA/CBOK report on "Promoting and Supporting Effective Organizational Governance: Internal Audit’s Role" (based on the global CBOK survey in 166 countries administered in 23 languages) and an article in Internal Auditor will discuss the practical implications and best practices for auditing organizational governance and culture. The focus of the session will be on how an audit of organizational governance needs to integrate an audit of the organization's culture. The speakers will provide real-world examples of how this can be successfully accomplished. In this session, participants will:
Discuss current and implementable internal audit best practices in governance/culture audits, and internal audit’s critical roles in promoting and supporting effective risk management and organizational governance/culture.
Describe the need for specialized competencies: to be effective in providing value-added services in the risk management and governance areas, internal auditors need leadership skills, a high level of technical competence, and soft skills.
Follow the geographic and industry diversity of internal audit’s risk management and governance roles, and the prevalence of the skill sets and competencies internal auditors need to excel, i.e., culture.
Describe future prospects: how internal audit can provide practical advice on improving organizational governance/culture and risk management insights, as well as future trends and strategies.
Dr. Sridhar Ramamoorti has 35+ years of experience in academia, auditing, and consulting. He is an associate professor of accounting at the University of Dayton and was previously on the accounting faculty at Kennesaw State University and the University of Illinois. Earlier, he was a principal with Andersen Worldwide, national EY Sarbanes-Oxley advisor, corporate governance partner with Grant Thornton LLP, and principal of Infogix, Inc. Dr. Ramamoorti has co-authored or authored numerous papers, articles, monographs, and books, including Internal Auditing: Assurance and Advisory Services (2017, 4th ed.). He has presented and spoken at conferences in 15 countries. From 2014–16, he served on the Standing Advisory Group of the U.S. Public Company Accounting Oversight Board.
Alan Siegfried is an adjunct professor of internal auditing at the University of Maryland at College Park. He has been a partner with two Big Four firms, and was previously auditor general of the Inter-American Development Bank as well as the CAE at First Maryland Bancorp. Siegfried is a former chair of IIA–North America, and currently serves on the Board of Directors of the Mid-Atlantic Farm Credit Bank and UNICEF. Additional designations Siegfried holds include CISA, CITP, CGMA, CBA, and CPA.
CS 2-3: Leading With Emotional Intelligence
Raoul Ménès, CIA, CRMA, CCSA
Chief Audit Executive
AV Homes, Inc.
Intelligence Quotient (IQ) is useful in academia, but what about in our work environments? Is there something missing that IQ doesn’t address? Emotional Intelligence (EI) allows us to identify, assess, and manage our own emotions and understand those of others. This presentation will help you recognize and understand emotions while guiding your actions. In this session, participants will:
Understand the meaning of an Intentional Leader.
Define Emotional Intelligence (EI).
Gain knowledge of how emotions affect people.
Understand the effect one has on their team’s emotional environment.
Follow four methods, and be introduced to a model, to improve one’s emotional quotient (EQ).
Raoul Ménès has been delivering internal audit and risk management services for more than 24 years. His experience includes optimizing internal audit and enterprise-wide risk management programs, and performing risk assessments. Currently, he has established his organization’s internal audit activities and strengthened the ERM and compliance functions to be value-added, risk-based, and strategically aligned throughout the corporation. Ménès has deep expertise in fraud risk assessment, interview and interrogation, fraud detection, investigation, and employee theft examinations. He is the author of numerous thought papers on IA, ERM, and GRC and a frequent speaker on internal audit, risk management, ethics, compliance, and leadership.
CS 2-4: Building and Maintaining a Sustainable ERM Framework, Part 2
Tanya Bullock, CIA, CRMA, CPA
Vice President, GRC
Community Care of North Carolina
Sabrina Hilber, CIA, CISA, CHP
Director of Compliance and IT Assurance
Community Care of North Carolina
Robert Rodriguez, CIA, CISA, CPA
GRC Manager
Community Care of North Carolina
Many organizations encounter obstacles while implementing an Enterprise Risk Management (ERM) framework. In the years following implementation, as the ERM process matures, risk managers then face the challenge of demonstrating ERM’s value to the organization. What’s the secret of successful implementation? How do you get the most out of your ERM process? Are you ready to take your ERM function to the next level? In this session, participants will:
Navigate the terrain of ERM obstacles and challenges.
Learn how to perform a live facilitated risk assessment and compile the results to report to various levels of management.
Determine the best approach for conducting value-added risk assessments for their organization and utilize the results to take ERM to the next level.
Walk through the process of linking ERM to the organization’s strategy and objectives for maximum results.
Tanya Bullock brings passion and creativity to the internal audit, enterprise risk management (ERM), and compliance activities in her role as leader of the GRC department at Community Care of North Carolina. Bullock worked in large internal audit shops during the first 15 years of her career, and she firmly believes that a solid risk management foundation, complemented by a strong system of internal controls, is essential for the ongoing success of any organization.
Sabrina Hilber has approximately 20 years of combined audit and risk management experience in large and small companies within the finance, insurance, and healthcare industries. She takes pride in partnering with management to develop solutions to address the challenging risks in the IT and compliance arena. As part of the GRC team at Community Care of North Carolina, she played an important role in developing and implementing the ERM framework.
Robert Rodriguez has over 15 years of experience in accounting, internal/external audit, and risk management. He has held a variety of financial and audit positions in the pharmaceutical, retail, insurance, and healthcare industries. As GRC manager at Community Care of North Carolina, Rodriguez is responsible for financial and operational audits, the policy office, and records management, in addition to building and maintaining the ERM framework. He is a creative problem solver who specializes in using technology to facilitate training sessions, report results, and design and implement processes.
Monday | August 13, 2018 1:45 – 2:45 p.m.
CS 3-1: Preventing the Next Digital Black Swan: The Auditor, The CISO, and The C-Suite
Jeffrey Welgan, PMP
Executive Director, Head of Executive Training
CyberVista
Equifax, Yahoo, Anthem, Uber: these massive cyber breaches affected millions of customers and served as ‘digital black swans’ that put each company back on its heels. But it didn’t have to be that way: with proper controls, governance, and communication to leadership, these events could have been prevented. This session will focus on identifying critical controls that increase cyber resilience and decrease the likelihood of black swans, and on how to get senior leadership buy-in. In this session, participants will:
Recognize the root causes and commonalities of former digital black swan events.
Identify key critical controls that, if implemented, would significantly reduce the likelihood or impact of a cyber breach.
Understand effective communication techniques when justifying or explaining cybersecurity-related information to the CISO and then the C-Suite.
Jeffrey Welgan brings a wealth of program management and threat intelligence experience to the CyberVista team. He regularly briefs and trains senior leaders on governing and managing cyber risk. His cyber expertise is rooted in all-source, strategic analysis of cyber threat actors, as well as nation-state cyber capabilities and doctrines. Previously, Welgan led a cyber threat intelligence capability at Booz Allen Hamilton, focusing on specialized cyber threat studies for Fortune 100 commercial clients and government agencies, including the Defense Intelligence Agency, Central Intelligence Agency, National Security Agency, Federal Bureau of Investigation, U.S. Cyber Command, U.S. Special Operations Command, and Department of the Treasury.
CS 3-2: Auditing Third-Party Business Partners for Fraud and Corruption Across the Globe
Natasha Williams, CIA, CFE
Senior Manager, Global Compliance
Bio-Rad Laboratories
An increasing number of ABAC (Anti-Bribery, Anti-Corruption) laws across the globe require organizations to control fraud and corruption not only internally, but also with respect to the conduct of their third-party business partners globally. This session focuses on detecting and mitigating third-party fraud and corruption risks across the channel by establishing a viable and effective audit and monitoring program. In this session, participants will:
Learn techniques to assess the company’s risk appetite when dealing with a multitude of third-party business partners.
Obtain skills to create a quick, yet effective risk assessment that gets results.
Create an effective audit program that can be adapted to organizations of different sizes.
Achieve effective third-party management with a focus on how to gain access to books and records information.
Natasha Williams has over 20 years of experience in auditing, banking, compliance, risk assessment and management, accounting, and fraud examination, prevention, and detection. She worked on various consulting and start-up SOX engagements at KPMG prior to joining Bio-Rad Laboratories, where she helped design the internal control structure. Williams has led audits in more than 40 countries throughout Eastern Europe, Latin America, Africa, the Middle East, and Asia Pacific. Currently, in addition to managing Bio-Rad’s global compliance risk program, she oversees a global team monitoring and auditing over 1,000 third-party business partners in more than 100 countries for fraud and corruption.
CS 3-3: The War on Talent: Attracting, Developing, and Retaining Top Talent
Ebony Carey, CIA
Director, Business Manager
TIAA
Replacing departing personnel is difficult and costly, from both financial and team morale perspectives. Retaining resources is increasingly challenging, and internal audit departments in the financial services sector have historically faced annual attrition rates of 15–20%. In 2015, our leadership team sought to leverage our firm’s unique heritage and brand ourselves as an organization focused on our biggest asset — our people. We deployed a three-year strategy, with objectives to be regarded as a great place to work, recognized as an exceptional developer of people, and known as business experts within the organization.
In this session, participants will:
Achieve a solid understanding of how to initiate and deploy a multi-year people strategy focused on enhancing culture and building business acumen.
Learn how to position their department in the marketplace and attract qualified professionals to their organization.
Gain insights into some of the roadblocks and challenges of building a team across an international footprint.
Evaluate team success measures related to turnover, culture, and business acumen.
Ebony Carey has more than 18 years of experience in risk and control evaluation. She is a committee lead for TIAA’s Women Resource Group and directs internal audit’s three-year people strategy, focusing on professional development and culture. In 2017, she drove initiatives that led to internal audit ranking the highest in 16 of 17 categories in TIAA’s Culture Survey and integrated 38 professionals into the existing internal audit program with minimal attrition. Carey began her career at the FDIC as a bank examiner and then gained experience in conducting complex financial-related and performance audits for the U.S. Department of Education, Office of Inspector General.
CS 3-4: Intelligent Information Management: The Created Risk, Part 1
Stephanie Carter, CISM, CISA, CISSP
Lead Information System Security Officer
Department of Justice/Office of Justice Programs
Stacey Lee-Curbean
Senior Technician
Open Text Corporation
Information management within an organization is comprised of three components — Intelligent Information Management (IIM), Engineering Information Management (EIM), and Enterprise Risk Management (ERM). IIM helps organizations manage unstructured data; once unstructured data is structured, EIM principles should be implemented to drive a total information management solution. ERM is only achieved when an organization knows what it is protecting: the confidentiality, integrity, and availability of the information. A combined IIM, EIM, and ERM solution reduces cost and enables organizations to manage risk effectively.
In this session, participants will:
• Learn why IIM is a vital factor for organizations to understand what information should be protected.
• Gain insights into how information management is achieved through IIM, EIM, and ERM.
• Discuss why information management must consider more factors than the traditional risk assessment.
Dr. Stephanie Carter relocated to several states and countries while serving in the U.S. Army in such roles as network engineer, network administrator, security analyst, information management officer, information assurance security officer, information security officer, and certificate authority. She partnered on behalf of the DoD with other agencies (DISA, NSA, FBI, FEMA), leading large-scale IT projects and spearheading security for disaster recovery and incident response. Since retiring after 20 years of service, she has worked for and with the DHS, DHA, USCERT Team, and DEA in senior cybersecurity/subject matter expert roles. Dr. Carter presently manages a team of information system security officers for the DOJ and also teaches as a professor in the University of Maryland University College’s Cybersecurity Graduate School.
Stacey Lee-Curbean is an award-winning senior consultant in enterprise content management with more than 25 years of experience in information technology. She is currently a lead technical consultant for a major software vendor. Her previous roles included business analyst, software developer, technical consultant, systems analyst, records manager, enterprise content manager, reports developer, technical trainer, security analyst, and forensics investigator. Lee-Curbean has served clients globally in the healthcare, technology, pharmaceutical, manufacturing, nuclear energy and logistics, oil and gas, and financial industries. She is the owner of Picasso Global Technology Solutions, an enterprise content management and information security provider.
Monday | August 13, 2018 3:00 – 4:00 p.m.
CS 4-1: For Whom The Web Trolls: Social Media Risk in Your Organization
Nejolla Korris
CEO
InterVeritas International
Human manipulation is the greatest risk for any corporation. Toss in social media and this risk multiplies
immensely. Your employees are on Facebook, Twitter and LinkedIn every day. Every day, personal and
professional information makes its way online. Social media is big data and it now embodies the leading and
biggest source of consumer data.
There are many challenges associated with the growth of social networking, big data and social engineering. It
is helpful for employers and employees to be cognizant of the dangers associated with their use to protect both
the corporation and the employee.
In this session, participants will:
Discuss fallout from real life cases of cybersecurity breaches from social media.
Gain tips on cybersecurity strategies & social media policies.
Discuss a pragmatic approach toward combating cyber threats.
Discuss what needs to be in the social media policy.
Nejolla Korris is a highly sought after subject matter expert in the area of social media risk and fake news, and
provides consulting and training services in linguistic lie detection, social media risk, social engineering, fraud,
and ethics. Korris was awarded the Queen's Diamond Jubilee Medal in 2012 for her international work in
linguistic lie detection.
CS 4-2: Digital Transformation: Is Internal Audit Ready?
Christine Fitzgerald, CPA
Director
Protiviti
Brad Morick, CISA, CFE
Senior Director, Internal Audit
Hilton Hotels Worldwide
Lorraine Peoples, CCSA, CISA
Vice President, Global Internal Audit
Hilton Hotels Worldwide
According to Executive Perspectives on Top Risks in 2018, the rapid speed of disruptive innovations and new
technologies, and resistance to change are two of the biggest risks today. A forward-looking audit function
should provide insight, oversight, and foresight around the organization’s current and future risks and
controls, including those related to the changing digital world. Because of this, internal audit must form an
opinion on how effectively risks surrounding digitalization are being managed.
In this session, participants will:
Be able to define digital transformation.
Discuss the role of internal audit teams in digital transformation initiatives.
See how digitalization is transforming the audit plan.
Gain a full understanding of the digital assessment process.
Christine Fitzgerald is a director in the Internal Audit and Financial Advisory (IAFA) practice of Protiviti’s
Phoenix office. She currently leads the IAFA practice’s global digital transformation efforts and is part of the
core team responsible for developing digital solutions to help clients improve performance and increase the
efficiency and effectiveness of their operations, including assessing the digital maturity of organizations and
auditing digital technologies, such as robotic process automation. Fitzgerald’s 14-plus years of internal audit
and risk management experience in the technology, airline, consumer products, healthcare, and government
industries includes overall project management, annual risk assessment/internal audit planning, risk
management, audit plan development, and business process evaluation, improvement, and re-engineering.
Brad Morick has over 15 years of experience in auditing and data analytics. Currently, in addition to
overseeing Hilton’s IT audit and data analytics teams, he oversees the company’s property audit teams
internationally. Morick was also instrumental in Hilton’s effort to establish its loyalty program fraud
prevention team, which focuses on safeguarding both the company and its guests. Prior to joining Hilton, he
focused on IT audit, supporting numerous financial statement and SOX audits globally at KPMG, as well as
assisting companies with evaluating system implementation projects to help ensure successful deployments.
Lorraine Peoples is an innovative and versatile problem solver who applies a broad array of skills and
experiences to exceed objectives in challenging environments requiring creativity, cultural sensitivity, and
novel solutions. She has managed diverse groups of global clients, leading projects for business process
improvement, risk assessment/management, enterprise/financial system implementation, and change
management. Peoples has held leadership roles in two Fortune 500 companies focused on internal audit,
financial controllership, and global initiatives project oversight, adding significant value and improved risk
management capabilities. She has been Vice President of Global Internal Audit for Hilton Hotels Worldwide
since 2016. Previously, she worked at Estee Lauder and Deloitte.
CS 4-3: Using Diversity as a Strategic Advantage
Clayton Barlow-Wilcox, CRISC, CGEIT, CISSP
Vice President, Risk Services and Growth
ACTIVECYBER, LLC
Summer Fowler
Technical Director, Cybersecurity, Risk, and Resilience
Carnegie Mellon University
Sharon Smith, CISSP
Founder and Principal Consultant
C-Suite Results
Helen Brooks
Director of Risk Management
Freddie Mac
Participate in our panel discussion to learn how to build a strong and diverse security, risk, and compliance team to better monitor and audit the controls across the organization. Having a diverse team will strengthen your skill sets and execution in addressing the threats hitting your organization. In this session, participants will:
Develop a framework for creating a diverse team.
Utilize differing perspectives to develop models, use cases, and attack scenarios.
Understand self-awareness, self-management, emotional intelligence, and relationship management in developing a high-performing team.
Institute feedback loops that get to root cause and empower well-rounded decision making.
Clayton Barlow-Wilcox has worked in the public and private sector, concentrating on product management,
business development, risk management, compliance, organizational strategy, and cybersecurity. With
experience on the consulting, corporate, and product development side of things, he still finds the most
enjoyment in tackling high-priority business challenges using data and technology in effective ways to provide
tangible and immediate results. After working in companies both big and small, Barlow-Wilcox’s biggest focus
has become empowering teams to work in a highly focused and productive manner towards a greater goal.
Global business priorities continue to lead him down a path of helping address the growing cybersecurity
needs of different organizations.
Summer Fowler Bio Being Finalized
Sharon Smith has worked globally with companies ranging from a single location to Fortune 100, providing
consulting, compliance, audit, and advisory services since 2005. Her past experience spanned a broad security
and compliance spectrum, including conducting assessments and audits for SOX, HIPAA, and PCI, along with
organizations’ internal compliance initiatives and general security controls. Smith has served as an internal IT
auditor as well as a federal auditor for the Department of Defense.
Helen Brooks is a seasoned IT executive with the ability to lead large and small teams through a secure SDLC, focusing on quality delivery and layered security while motivating the team to meet goals and objectives. At Freddie Mac, she leads enterprise risk assessments and has helped develop an enterprise risk management tool to assess security, business continuity, and other operational risks for the company. Brooks previously served as director of product and information security at Comcast, where she led the cybersecurity and governance program. She enjoys coaching and enabling her teams to achieve a high degree of success with positive reinforcement and feedback.
CS 4-4: Enterprise Content Management: The Created Risk, Part 2
Stephanie Carter, CISM, CISA, CISSP
Lead Information System Security Officer
Department of Justice/Office of Justice Programs
Stacey Lee-Curbean
Senior Technician
Open Text Corporation
It is predicted that by 2020, there will be over 20 billion devices connected to the Internet of Things (IoT), over
44 trillion gigabytes of data in cyberspace, and 1.7 megabytes of new information will be created every second
for every human on the planet. Businesses, which account for only 37% of the 500 gigabytes of data produced
per minute today, are predicted to spend 57% of a forecasted $2.9 trillion on endpoint security by 2020. Why?
Because organizations are still trying to protect their physical networks from being hacked, rather than
protecting their information from being breached.
In this session, participants will:
• Understand why keeping threats from getting in does not protect information from getting out.
• Take away best practices for protecting the confidentiality, integrity, and availability of information.
• Learn why information management is vital to managing risk in organizations.
Dr. Stephanie Carter relocated to several states and countries while serving in the U.S. Army in such roles as
network engineer, network administrator, security analyst, information management officer, information
assurance security officer, information security officer, and certificate authority. She partnered on behalf of
the DoD with other agencies (DISA, NSA, FBI, FEMA), leading large-scale IT projects and spearheading security
for disaster recovery and incident response. Since retiring after 20 years of service, she has worked for and
with the DHS, DHA, USCERT Team, and DEA in senior cybersecurity/subject matter expert roles. Dr. Carter
presently manages a team of information system security officers for the DOJ and also teaches as a professor
in the University of Maryland University College’s Cybersecurity Graduate School.
Stacey Lee-Curbean is an award-winning senior consultant in enterprise content management with more than
25 years of experience in information technology. She is currently a lead technical consultant for a major
software vendor. Her previous roles included business analyst, software developer, technical consultant,
systems analyst, records manager, enterprise content manager, reports developer, technical trainer, security
analyst, and forensics investigator. Lee-Curbean has served clients globally in the healthcare, technology,
pharmaceutical, manufacturing, nuclear energy and logistics, oil and gas, and financial industries. She is the
owner of Picasso Global Technology Solutions, an enterprise content management and information security
provider.
Monday | August 13, 2018 4:30 – 5:30 p.m.
CS 5-1: Auditing Mobile Device Management
Michael Deeming, QSA, CISA, CPA
Director, Information Security
Protiviti
Vidya Majjigi, CISA
Senior Manager, Technology Compliance
Salesforce
The session will explain how to perform an assessment of Mobile Device Security for mobile devices and the processes for compliance with established policies and procedures, regulations, and best practices. The presenters will use the National Institute of Standards and Technology (NIST) Special Publication 800-124, Guidelines for Managing the Security of Mobile Devices in the Enterprise, as a baseline for mobile device configuration and life cycle processes. In this session, participants will:
Evaluate existing Mobile Device Security policies for the risks associated with mobile devices.
Validate that mobile management platforms and configurations control access to enterprise resources.
Verify that mobile device lifecycle processes are acceptable and operating correctly.
Evaluate the monitoring and reporting capabilities of mobile devices accessing enterprise resources.
Michael Deeming is a director with Protiviti’s San Francisco IT audit practice. Originally from the company’s
Philadelphia office, he also worked in Asia for over seven years as a member of the Protiviti Japan, Hong Kong,
and Singapore offices. He has experience in leading system assessments, evaluating and implementing
controls, and planning and executing systems testing. Deeming is well-versed in using a variety of tools to
support projects, including IT audits, PCI DSS engagements, SAP configuration audits, and SOX testing.
Vidya Majjigi is a senior leader in information security risk and compliance, with experience in executing
large-scale security/audit reviews and implementing both security and risk management programs. He has managed
engagements at a Big 4 audit firm, as well as large-scale consumer and business internet applications. Majjigi
has also led various compliance reviews, including SOX, CIS Top 20 Critical Security Controls, NIST, PCI DSS,
data privacy requirements, and ISO 27001/2. He is skilled in collaborating with executive and business teams
to deliver superior results that align with organizational strategy.
CS 5-2: Using Data to Perform Corporate Risk Assessments
Ben Getz, CIA, CISA, CISSP, CPA, CPCU
Audit Manager
RLI Corporation
Evan Webber, CPCU
Auditor II
RLI Corporation
Speakers will discuss how to use both qualitative and quantitative factors to perform more effective risk
assessments. Discussion will include assessing inherent risk, change risk, control impact, and residual risk for
all entities in your organization’s audit universe.
In this session, participants will:
Learn how to more effectively assess risk across the organization.
Understand how they can leverage existing data from their organization to assist in risk assessment.
Gain tools to be more strategic in prioritizing what areas to audit in their organizations.
Ben Getz has nine years of internal and external audit experience. As an audit manager at RLI Insurance in
Peoria, Illinois, he is responsible for IT audits, including leading audits and facilitating the organization’s
business continuity planning.
Evan Webber has three years of experience in internal audit. As a staff auditor at RLI Insurance in Peoria,
Illinois, he is responsible for leading audits as well as updating and maintaining the corporate risk assessment.
CS 5-3: Unlocking Team Collaboration
Jacquelyn Wieland
Founder
Solutions Provided LLC
Influence, Insight, and Impact are critical leadership skills. We will do a deep dive on the importance of
influence and specific shifts you can make to unlock your influence potential. We will focus on three specific
areas that will enhance your leadership and management ability as you drive change and transformation in
your role.
In this session, participants will:
Understand how to lead and communicate with influence so that they will be able to connect and engage at meaningful levels.
Expand their knowledge of how to be more insightful and perceptive when interacting with individuals, allowing them to connect and engage in more meaningful conversations.
Expand their ability to be impactful and agile while working with various stakeholders to maximize results.
Jacquelyn Wieland founded her consulting firm which specializes in executive performance and high potential
individual and team coaching with a focus on the development of leadership behaviors that characterize
extraordinary leaders. She emphasizes leadership style, effective communication, and relationship building as
critical building blocks to driving change, innovation and strategy. Wieland has coached and facilitated for
organizations including NewsCorp, Moody’s Investor Services, Moody’s Analytics, AXA Insurance, C&A
Financial, Scotia Bank, and Crédit Agricole. She holds certifications in the Birkman Method, Lumina Spark and
Sales Personality Profiles, Metaplan Facilitation, and JMT certifications.
CS 5-4: Auditing the Cloud: A Practical Approach, Part 1
Mark Knight, CPA, CISA
IT Audit Senior Manager
Holtzman Partners
Joey LoSurdo, CPA, CISA
Internal Controls Senior Manager
Holtzman Partners
Cloud computing is more than a buzzword. It has fundamentally shifted how companies of all sizes run. Auditors who fail to grasp the reality of this seismic shift in IT management risk being left behind. They must be comfortable interacting with a cloud-based environment as well as navigating common compliance requirements using readily available tools and techniques. Part I will present a case study that identifies the common computing, security, and storage solutions found in the cloud.
In this session, participants will:
Identify the common risks shared between traditional and cloud hosting providers.
Build the skills necessary to perform a basic review of compliance requirements in a cloud environment.
Conduct a basic hands-on audit of IT security configurations in a live cloud-based system.
Develop a toolkit for evaluating controls specific to cloud environments.
Mark Knight is the senior manager in the IT and internal controls practice at Holtzman Partners after spending
several years at Deloitte. He applies broad knowledge of multifaceted IT systems, including cloud computing,
to perform a variety of engagements for over 30 clients, from start-ups to public companies. Throughout his
career, Knight has assisted clients in navigating the evolving realities of enterprise IT governance. He is a
regular speaker in the accounting information systems department at the University of Texas. Knight has spent
the last five years developing audit programs for IT compliance audits of companies who both use and offer
cloud computing services.
Joey LoSurdo is the senior manager in the IT and internal controls practice at Holtzman Partners after
spending several years at Deloitte. He has extensive experience auditing both IT and business controls. He
performs engagements for over 20 clients, from start-ups to public companies. Throughout his career,
LoSurdo has helped companies become SOX and SOC compliant. He is passionate about finding new, more
efficient ways to audit cloud IT environments. An accomplished speaker, he has addressed audiences ranging
from 200 to 2,000+. LoSurdo has spent the last five years developing audit programs for IT compliance audits
of companies who both use and offer cloud computing services.
Tuesday | August 14, 2018 8:30 – 9:45 a.m.
General Session 1: COSO ERM: Integrating With Strategy and Performance
Paul Sobel, CIA, QIAL, CRMA
Vice President and Chief Risk Officer
Georgia-Pacific, LLC
In 2017, COSO issued an updated ERM Framework, “Enterprise Risk Management—Integrating with Strategy and Performance,” which shifts the focus of ERM from managing downside risks to creating, protecting, and realizing value. Not surprisingly, there are many implications for internal auditors seeking to remain valued and relevant in the future.
In this session, participants will:
Learn about the 5 components and 20 principles that make up the updated Framework.
Understand how the Framework can be used to identify, assess, and manage specific groups of risks, such as environmental, social, and governance-related risks (ESG).
Identify how the Framework impacts internal audit’s assurance and advisory roles, including assessing the effectiveness of enterprise risk management.
Explore ways to advance risk management in their organization.
Paul Sobel is vice president and chief risk officer for Georgia-Pacific. He also serves as chairman of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). He’s authored or co-authored four books: Managing the Risk of Uncertainty; Auditor’s Risk Management Guide: Integrating Auditing and ERM; Internal Auditing: Assurance and Consulting Services; and Enterprise Risk Management: Achieving and Sustaining Success. Sobel has served in many IIA leadership roles, including Chairman of the Board in 2013–14. In 2012, he was recognized in Treasury & Risk magazine’s list of 100 Most Influential People in Finance. In 2017, he received The IIA’s Bradford Cadmus Memorial Award and was inducted into The IIA’s American Hall of Distinguished Audit Practitioners.
Tuesday | August 14, 2018 10:15 – 11:15 a.m.
CS 6-1: No Silver Bullets: Cybersecurity in the Cognitive Era
Doug Lhotka, CISSP-ISSAP
Cybersecurity Architect
IBM
Your employees are on Facebook, Twitter, and LinkedIn every day. Every day, personal and professional
information makes its way online. Social media is big data and it now embodies the leading and largest source
of consumer data. It is helpful to be cognizant of the dangers associated with the growth of social networking,
big data, and social engineering to protect both the corporation and the employee.
In this session, participants will:
Discuss fallout from real-life cases of cybersecurity breaches from social media.
Gain tips on cybersecurity strategies and social media policies.
Discuss a pragmatic approach toward combating cyber threats.
Define the requirements of social media policy.
Doug Lhotka leverages his expertise in cyber and cognitive security, IT governance, and enterprise
architecture to help organizations enable strategic business initiatives through their security program, address
industrialized threats, and improve the risk posture of the business. For more than 25 years, he has led
initiatives to optimize security and IT programs at large and mid-sized firms in most major industries. Lhotka
has developed formal methods for identifying and closing security gaps by advancing security programs. He
has written papers on cognitive science, IT governance and risk management, and user interface design. He
has several patents and co-authored a best-selling book on 3D printing for fine art. He speaks often on security
topics, including cognitive security.
CS 6-2: Breaking Down the Walls: ERM at the U.S. Marshals Service
Chad Nieboer
Chief Strategy and Risk Officer
U.S. Marshals Service
Kiran Sreepada
Senior Associate
Grant Thornton LLP
The U.S. Marshals Service has a long and proud tradition of serving the public through its judicial protection, prisoner transport and management, child protection, fugitive apprehension, and witness protection services, among others. In moving along the path of enterprise risk management, the agency successfully transcended the silos of these distinct missions in order to highlight the importance of risk-based planning and decision making. The cultural change in the agency, instilled by senior leadership, was complemented by innovative solutions to maximize existing capabilities without increasing burden. In this session, participants will:
Discuss challenges within law enforcement such as silos, territorial divisions, information sharing, and redundancy as multiple groups aim to fulfill one mission.
Understand cultural challenges within federal law enforcement (by-the-book, immediate-mission-oriented officers), HR challenges (staffing, clearances), and the focus on what has worked vs. how it could be improved.
Gain insights into overcoming organizational and cultural challenges through cross-divisional activities such as quarterly performance reports, the strategic plan, and annual reports.
Hear how ERM and the use of data can benefit the U.S. Marshals Service going forward.
Chad Nieboer is credited with building and implementing a dynamic Strategic Performance Management
System for the USMS that integrates strategy, performance, and risk to optimize agency performance. Nieboer
has transformed USMS culture by infusing strategic thinking, data-driven decision making, and enterprise risk
management agency-wide. He has also fostered innovation through leadership roles in judicial security,
investigative operations, human resources, financial services, and management support; in each of these
areas, Nieboer invigorated sluggish programs and transformed broken business processes by introducing
business process analysis, performance measurement, and risk management. As a change agent, he inspires
leaders to move away from the status quo, re-examine existing practices, redefine success, and continuously
improve performance.
Kiran Sreepada is a senior associate in Grant Thornton’s Public Sector practice. During his time at Grant Thornton, he has led enterprise and fraud risk management projects. Previously, he co-founded an international academic consulting firm. More recently, as an analyst at the Government Accountability Office, his projects focused on risk management, data analytics, and the DATA Act.
CS 6-3: Evaluating the Ethical Risks of AI Implementation for Your Organization
Kirsten Lloyd
Associate
Booz Allen Hamilton
Josh Elliot, CGEIT
Director of Machine Intelligence
Booz Allen Hamilton
With the recent acceleration in development and deployment of machine intelligence (MI) technologies, many
executives do not realize that the greatest risk lies in ignoring MI’s ethical problems, which are already
affecting business and society. Based on real-world examples, the session focuses on key ethical challenges
associated with MI implementations and provides a framework for evaluating risk before deploying MI to
ensure the technology’s use preserves human dignity and protects organizations from undue risk.
In this session, participants will:
Understand the dimensions of MI ethical risks and the potential impact to business.
Identify the necessary stakeholders to include in the governance and management of MI deployments.
Apply a holistic risk assessment framework and approach to evaluate potential ethical risks of MI implementations.
Prepare to govern and manage existing MI engagements and future deployments.
Kirsten Lloyd develops and delivers Booz Allen’s machine intelligence strategy service offering as an associate
in the Strategic Innovation Group. She works with both public and private sector leaders to understand the
opportunities and challenges associated with using machine intelligence-enabled technologies, including
high-performance computing, machine learning, natural language processing, and deep learning. Previously, Lloyd
analyzed emerging economic, technological, and environmental trends to identify new business opportunities;
made recommendations for advancing Booz Allen’s existing client capabilities; and proposed the development
of new capabilities. Lloyd also previously provided expertise in program management and process
improvements to clients like the IRS and NASA.
Josh Elliot has taken on a key role to help accelerate Booz Allen’s machine intelligence work, including artificial intelligence, machine learning, and quantum and deep learning solutions tied to both the firm and its clients’ challenges. He is passionate about driving new and evolving technologies in data science and machine intelligence, as well as forging industry partnerships. Elliot previously managed technical and business development for Booz Allen’s U.S. federal civilian aviation practice. He also co-led the establishment of the firm’s IT strategy center of excellence.
CS 6-4: Auditing the Cloud: A Practical Approach, Part 2
Mark Knight, CPA, CISA
IT Audit Senior Manager
Holtzman Partners
Joseph LoSurdo, CPA, CISA
Internal Controls Senior Manager
Holtzman Partners
Cloud computing is more than a buzzword. It has fundamentally shifted how companies of all sizes run. Auditors who fail to grasp the reality of this seismic shift in IT management risk being left behind. They must be comfortable interacting with a cloud-based environment as well as navigating common compliance requirements using readily available tools and techniques. Part II will allow participants to have hands-on interaction with a leading cloud services platform. In this session, participants will:
Identify the common risks shared between traditional and cloud hosting providers.
Build the skills necessary to perform a basic review of compliance requirements in a cloud environment.
Conduct a basic hands-on audit of IT security configurations in a live cloud-based system.
Develop a toolkit for evaluating controls specific to cloud environments.
Mark Knight is the senior manager in the IT and internal controls practice at Holtzman Partners after spending
several years at Deloitte. He applies broad knowledge of multifaceted IT systems, including cloud computing,
to perform a variety of engagements for over 30 clients, from start-ups to public companies. Throughout his
career, Knight has assisted clients in navigating the evolving realities of enterprise IT governance. He is a
regular speaker in the accounting information systems department at the University of Texas. Knight has spent
the last five years developing audit programs for IT compliance audits of companies who both use and offer
cloud computing services.
Joey LoSurdo is the senior manager in the IT and internal controls practice at Holtzman Partners after
spending several years at Deloitte. He has extensive experience auditing both IT and business controls. He
performs engagements for over 20 clients, from start-ups to public companies. Throughout his career,
LoSurdo has helped companies become SOX and SOC compliant. He is passionate about finding new, more
efficient ways to audit cloud IT environments. An accomplished speaker, he has addressed audiences ranging
from 200 to 2,000+. LoSurdo has spent the last five years developing audit programs for IT compliance audits
of companies who both use and offer cloud computing services.
Tuesday | August 14, 2018 11:30 a.m. – 12:30 p.m.
CS 7-1: Increase the Trust in Internet of Things (IoT) Through Auditing
Avani Desai, CIA, CPA, CISSP, CIPP
President
Schellman & Company
Jeremy Holley, CIA, CISA, CRISC, PMP
Executive Vice President & Executive Director, Internal Audit
Regions Bank
Organizations are increasingly relying on third-party vendors to perform critical functions on their behalf, such
as delivering products and services to consumers, preparing disclosures, and hosting data. However,
outsourcing presents compliance-related risks that must be managed. Panel members will highlight risks
associated with using third-party relationships and ways to manage and monitor the relationships to mitigate
specific risks. They will also reveal several common vendor relationship challenges, benefits, contract
considerations, and compliance initiatives.
In this session, participants will:
Receive an overview of the vendor management process.
Understand the typical gaps in privacy and security processes.
Learn legal and contractual requirements.
Examine different compliance initiatives.
Avani Desai led a team to oversee IT risk management and privacy across national service lines at a Big 4
accounting firm for over 10 years; she also oversaw development of internal and external privacy programs
and related practices, leveraging her deep knowledge of blockchain, cloud computing, artificial intelligence,
and virtualization. For the last five years, Desai has focused on growth strategies, strategic client and market
development, industry analysis, and new services at Schellman & Company. She has been featured in Forbes,
CIO.com, and The Wall Street Journal, and is a sought-after speaker on technology. Desai serves on the board
of Arnold Palmer Medical Center and the Central Florida Foundation, and she is the co-chair of 100 Women
Strong.
Jeremy Holley has more than 17 years of experience in audit and risk management in financial services. He has
been with Regions Bank since 2014 and serves as an executive vice president and as an executive director in
the internal audit department, with responsibility for audit coverage of technology, operations, digital
banking, BSA/AML, and data analytics. Prior to joining Regions, Holley was a director in KPMG’s advisory
services practice.
CS 7-2: Business Interruption Study Recommendations: Redundant Capacity vs. Resilience
Thoppil Varghese, CIA, CRMA
Senior Risk Analyst
Kuwait Oil Company
Raad Gharibam
Team Leader
Kuwait Oil Company
In our company, a severe risk is one that causes a loss of 500 million USD or more. A few highly unlikely but
not unimaginable events are of considerably higher risk — 20 to 60 billion USD. As expected, we had already
done everything reasonable to cover such risks. Was the option of building redundancy or a new central
mixing manifold at high cost (225 million USD) going to present just another target? What were the viable
alternatives?
In this session, participants will:
Gain insights into how innovative ideas on design, cost of capital, master planning, etc. are brought together to develop a business solution to enterprise risk.
Develop key issues to audit with respect to business interruption.
Gain the confidence to assess business decisions about strategic organizational resilience.
Learn how to defend business needs vs. consultant opinions.
Investigate the impact of key but very low probability business exposures.
Thoppil Varghese started his career as an industrial engineer in a heavy engineering company, then moved on to perform internal audit for companies in metals and mining. He is presently engaged in enterprise risk management (ERM) as a senior risk analyst for Kuwait Oil Company (KOC). His key duties include developing and implementing an ERM policy and framework for KOC, conducting business interruption studies, preparing and presenting the ERM risk profile to KOC’s leadership and board, and developing and maintaining key performance measures for ERM performance management.
Raad Gharibam joined the Kuwait Oil Company in 1992 as an instrumentation engineer, where he worked in the oil and gas field for 15 years. He then joined the planning team as a senior planner and worked for 5 years on strategies, budgets, and operational planning. Gharibam joined the ERM team as team leader in April 2016 and still serves in this role.
CS 7-3: The Psychology of Successful Internal Auditing: Navigating Stakeholder Relationships for Optimal
Business and Career Results
Neil Simpson, CPA
Vice President, Internal Audit
Goodman Manufacturing
Technical skills and knowledge provide the foundation, but the way you communicate and navigate
relationships will make a big difference in your career success and work/life balance. This presentation
addresses many of the areas above: communication, critical thinking, ethics, marketing the audit function,
meeting stakeholder expectations, personal brand management, and persuasion and collaboration.
In this session, participants will:
Gain tools to clearly communicate with and influence key stakeholders, including board members, senior management, audit clients, peers, and employees.
Learn how to build trust.
Understand how to gracefully market the internal audit value proposition.
Neil Simpson has a long track record of achieving stellar stakeholder and employee satisfaction and business
performance with groups in a variety of financial disciplines, including internal audit. He has a passion for
sharing the principles and tactics behind these results with others who want to achieve business goals for their
company, high satisfaction for their employees, and work/life balance and career progression for themselves.
Simpson has been vice president of internal audit at Goodman Manufacturing since 2005. He previously held
various positions during his 17 years at Compaq/HP, including portable division controller and supply chain
finance director. He was also a senior auditor at what is now Ernst & Young, where his largest client was Wal-Mart.
CS 7-4: Privacy Deep Dive: Regulations, and How Privacy by Design Means Privacy by Default – Part 1
Harvey Nusz, CIPM, CISSP, CRISC, CISA, CGEIT
Manager, GDPR
Capgemini
America’s privacy landscape now includes the General Data Protection Regulation (GDPR) and the New York
Department of Financial Services (NYDFS) Cybersecurity Regulation. The California Consumer Privacy Act,
which will affect an estimated 500-600,000 businesses, will go into effect January 1, 2020. The presentation
will cover the Privacy Shield framework that replaced the Safe Harbor agreement for personal data transfers
between the EU and the US, as well as how to build systems and processes that are based on Privacy by
Design.
In this session, participants will:
Learn what is required by GDPR and the NYDFS Cybersecurity Regulation.
Receive an overview of the California Consumer Privacy Act.
Identify where Privacy Shield stands now, and determine whether they should stay or move to Binding
Corporate Rules if they are Privacy Shield Certified.
Harvey Nusz has enabled companies to become compliant and secure in SOX, PCI-DSS, FISMA, HIPAA, NY
Department of Financial Services CRR500 Cybersecurity Regulation, Privacy Shield, and GDPR. He started
working on GDPR in August 2015, and managed a project to enable a company to achieve Privacy Shield
compliance. He focuses now on privacy, compliance, and security, and has also worked in auditing, risk
management, governance, IT disaster recovery and business continuity, identity access management and
access certification, and security architecture. Some of Nusz’s previous roles were with a wholesale grocery
SMB, public accounting firms (both local and Big 4), Options Clearing Corp., ExxonMobil, JP Morgan Chase, and
NASA.
Tuesday | August 14, 2018 1:45 – 2:45 p.m.
CS 8-1: Measuring and Improving Your Security Effectiveness
Brian Contos, CISSP
Chief Information Security Officer
Verodin
The Harvard Business Review article, “Are You Accurately Measuring Your Company’s Digital Strength?” states
that digital signals are being missed, which is a problem because digital metrics are essential to understanding
the business. Security instrumentation allows you to trend security effectiveness over time and see more
strategically where investments are failing versus where they are paying off, with empirical, repeatable
results that can be supplied to a wide range of stakeholders.
In this session, participants will:
Understand how to measure security effectiveness automatically and continuously.
Learn how to improve security tools and make people and processes more effective.
Be able to prioritize security resources and investments and align security with the business mission.
Gain knowledge to communicate security effectiveness with empirical data to stakeholders, including offensive/defensive security analysts, CISOs, CIOs, CFOs, CEOs, boards, and auditors.
Brian Contos has over two decades of security industry experience. After getting his start with the Defense
Information Systems Agency (DISA) and later Bell Labs, Contos began the process of building security startups
and taking multiple companies through successful IPOs and acquisitions, including Riptech, ArcSight, Imperva,
McAfee, and Solera Networks. He has worked in over 50 countries across six continents. He is a strategic
board advisor for multiple companies, including Cylance and Appdome. Contos has authored several security
books and presented at leading security events globally. He is a Distinguished Fellow of the Ponemon Institute
and has been featured in CNBC, C-SPAN, Fox, NPR, Forbes, The Wall Street Journal, The London Times, and
many others.
CS 8-2: Meet Multiple Regulatory Requirements and Utilize Best Practices More Effectively and Efficiently
With a Common Control Framework
Lynn Heiberger, CISA
Chief Operating Officer
Unified Compliance
Jason Mefford
Lead Singer
Rock N Roll Risk Management
Satisfying regulatory compliance requirements and fulfilling obligations imposed by regulations, standards,
and governmental guidance is challenging, but essential to meeting GRC goals. You must identify and interpret
each of the Citations and their Mandates that apply to your organization. Then the Mandates must be
reconciled across a range of resources, geographies, and operations so they can be applied and audited for
compliance. This can be accomplished using a Common Control Framework.
In this session, participants will:
Hear about a case study with OCEG’s Red Book, the foremost authority on GRC maturity models.
Understand the three steps they need to follow (identify, interpret, apply/audit) to implement the Mandates, as well as one more step (de-duplication of control sets).
Learn which requirements to follow and best practices to align with.
Provide an auditing methodology to prove their implementation.
Lynn Heiberger has over 20 years of IT application and infrastructure experience, spanning publishing,
insurance, and GRC. On the board of Unified Compliance since its inception in 2002, she returned as COO to
bring the Unified Compliance Framework® to multiple GRC platforms. She was previously the director of
infrastructure architecture and integrated services at AAA Insurance Exchange, where she implemented
successful compliance programs for PCI and other state regulatory requirements. Today, Heiberger is focused
on operationalizing compliance with the Department of Education, ARMA, OCEG, ServiceNow, IBM, and many
other partners of Unified Compliance.
Jason Mefford helps transform risk managers into rock stars as the lead singer of Rock N Roll Risk
Management. He helps individuals and organizations think differently by delivering programs through
speaking, training, and coaching. Mefford’s multi-disciplinary approach provides a more strategic, holistic,
proactive, and practical view of risk management. The goal is to avoid catastrophe, complexity, and copy-cat
syndrome so that organizations can make better decisions, improve culture, and focus resources on the risks
that really matter in order to achieve objectives.
CS 8-3: Storytelling: Improving the Audit Process to Communicate Better
Ross Wescott, CIA, CISA, CCP, CUERME
Principal
Wescott and Associates
Brad Zolkoske, CPA
Internal Audit Director
UCOR
IIA Standard 2330 stipulates: “Internal auditors must document sufficient, reliable, relevant, and useful
information to support the engagement results and conclusions.” Though many seminars, conference
sessions, and articles have defined quality and how to achieve it, many auditors still struggle with organizing
their work into effectual documentation and presentations that their stakeholders can understand and
embrace. To clearly tell the story of the work performed, auditors need to approach their organization and
writing of documentation differently.
In this session, participants will:
Learn how to develop and organize audit work using storytelling elements.
Distinguish the audit story (strategic) from detailed audit work (tactical) to improve communication to the client and to internal stakeholders.
Follow storytelling elements to better deliver audit documentation and improve communications.
Ross Wescott established Wescott and Associates to provide IT audit, risk, governance, and control consulting
to a variety of industries and government. For over 30 years, he worked in corporate internal audit shops,
performing a full scope of IT and general internal audit work, encompassing audit program development and
implementation using leading standards (including COBIT 5); internal audit strategy; policy, standards,
procedures, and guidelines development and maintenance; risk identification and assessment; controls
identification, design, and evaluation; and data analytics. Wescott has been published in major internal
auditing publications and has presented at conventions and conferences on many internal audit topics.
Brad Zolkoske is director of internal audit at UCOR, the Department of Energy’s prime contractor performing nuclear remediation work in Oak Ridge, Tennessee. During his 30-year internal audit career, he has led internal audit functions for multiple organizations, including International Coal Group, Nautilus (Bowflex, Stairmaster and Nautilus equipment brands), Louisiana-Pacific (top producer of OSB panel products in North America), and Freightliner (largest heavy-duty truck manufacturer in North America). Zolkoske specializes in developing and managing small audit departments. He is a frequent speaker for the MIS Training Institute.
CS 8-4: Privacy Deep Dive: Regulations, and How Privacy by Design Means Privacy by Default – Part 2
Harvey Nusz, CIPM, CISSP, CRISC, CISA, CGEIT
Manager, GDPR
Capgemini
America’s privacy landscape now includes the General Data Protection Regulation (GDPR) and the New York
Department of Financial Services (NYDFS) Cybersecurity Regulation. The California Consumer Privacy Act,
which will affect an estimated 500-600,000 businesses, will go into effect January 1, 2020. The presentation
will cover the Privacy Shield framework that replaced the Safe Harbor agreement for personal data transfers
between the EU and the US, as well as how to build systems and processes that are based on Privacy by
Design.
In this session, participants will:
Understand what it means to apply Privacy by Design in order to achieve Privacy by Default.
Gain insights into building systems and processes that are based on Privacy by Design to achieve Privacy by Default.
Harvey Nusz has enabled companies to become compliant and secure in SOX, PCI-DSS, FISMA, HIPAA, NY
Department of Financial Services CRR500 Cybersecurity Regulation, Privacy Shield, and GDPR. He started
working on GDPR in August 2015, and managed a project to enable a company to achieve Privacy Shield
compliance. He focuses now on privacy, compliance, and security, and has also worked in auditing, risk
management, governance, IT disaster recovery and business continuity, identity access management and
access certification, and security architecture. Some of Nusz’s previous roles were with a wholesale grocery
SMB, public accounting firms (both local and Big 4), Options Clearing Corp., ExxonMobil, JP Morgan Chase, and
NASA.
Tuesday | August 14, 2018 3:00 – 4:00 p.m.
CS 9-1: Advancing IT Audit’s Capabilities to Conduct Cyber Security Audits
Jon Coughlin, CISA, CISSP
Technology Audit Director, Infrastructure and Security
PNC Financial Services
David Dunn, CIA, CPA, CITP, CGMA
Executive Vice President, Assistant General Auditor
PNC Financial Services
Participants will receive practical tips and examples of how to strengthen audit’s coverage of cybersecurity risk
through testing techniques that go beyond traditional coverage of policies, procedures, and governance-
focused controls. This training will encompass traditional approaches to cybersecurity audit and opportunities
for improvement; the evolution that may be required to address emerging laws and regulations in a timely
manner; and the use of alternate approaches to add incremental value to audit’s output.
In this session, participants will:
Understand the inherent limitations in applying traditional audit testing techniques to cyber security areas of focus, and the need to evolve to respond to emerging laws and regulations.
Identify specific areas where alternate testing approaches from audit can increase the value provided within cybersecurity audit activities.
Develop ideas for implementing value-added security testing based on examples of data loss prevention, firewall rule auditing, and vulnerability management analysis.
Understand a potential model for successfully building an ethical hacking team directly within the audit function.
Jon Coughlin is responsible for leading audit coverage of the technology infrastructure and security functions at PNC Financial Services. Since joining PNC in 2012, he has had accountability for leading the audit team’s coverage of infrastructure, security, fraud, technology risk management, and technology project auditing at various points. Prior, he was senior manager within the enterprise risk services function at Deloitte & Touche. During his time in public accounting, Coughlin focused on technology audit (external and internal audit), technology risk management, and security governance. Throughout his 17+ years of broad, global experience, he has delivered technology, risk, and control related services in the financial services, healthcare, retail, and manufacturing industries.
David Dunn leads the internal audit function for PNC’s information technology as assistant general auditor for The PNC Financial Services Group. Previously, he was senior vice president and senior audit director of global technology and operations for Bank of America. Dunn’s 24+ years of experience in technology, audit, and financial services includes The Royal Bank of Scotland, where he served as head of operational risk management and director of ORM technology and the Basel II program. Dunn’s early roles included executive vice president, head of operational risk management, technology executive, and director of information systems audit at Capital One Financial; director of quality assurance at PeopleSoft; and project manager at Corning.
CS 9-2: GDPR: The Deadline Has Passed — How Did You Do?
Nancy Haig, CIA, CCSA, CFSA, CRMA
Global Director, Internal Audit and Compliance
Alvarez & Marsal
Does your organization process “personal data” of European Union residents/citizens? Then this session is for
you. Participants will become familiar with the General Data Protection Regulation (GDPR) and the key
policies, procedures, and training that should be in place to evidence a GDPR compliance program.
In this session, participants will:
Understand the GDPR.
Identify auditable activities related to GDPR.
Develop a GDPR internal audit program.
Formulate an internal audit report.
Nancy Haig is the head of internal audit and compliance for a global consulting firm and previously served as
the vice president of internal audit for a global pharmaceutical manufacturer. Her expertise includes risk-based internal audit and compliance experience in the financial services, health care, pharmaceutical, and
professional services industries. Haig is an advocate of the internal audit profession and works to mentor
those interested in pursuing a career in the industry. She serves as a volunteer leader for The IIA on the Global
and North American boards as well as the audit committee, publications advisory committee and editorial
board. She also serves on the internal audit advisory council of St. John’s University. She holds credentials
including Certified Compliance and Ethics Professional (CCEP), Certified Fraud Examiner (CFE), and Chartered
Bank Auditor (CBA).
CS 9-3: Why Don't They Listen? You Aren't Persuading!
Brian Tremblay, CIA, CISA
Chief Audit Executive
Acacia Communications
In the GRC world, we often ask ourselves why our colleagues simply won’t do what in some cases is required
of them, either due to laws, regulations, or company policy. GRC employees continually struggle not only with
getting required actions from their stakeholders, but also with getting the best recommendations
implemented. Why? It comes down to one word – persuasion. Why do we need to persuade? And how do we
utilize persuasion to deliver value to our stakeholders?
In this session, participants will:
Understand why stakeholders resist recommendations from GRC professionals.
Learn why an ability to persuade is a core competency all GRC professionals need.
Identify tactics that can help them persuade stakeholders to their ‘side.’
Hear real-world examples of these tactics in action.
Brian Tremblay leads all activities of the internal audit function at Acacia Communications, a high-tech semiconductor company. He
has spoken on the topic of branding at several conferences, believing a strong brand can be a significant asset
to an internal auditor’s success. Prior to joining Acacia, Tremblay was director of internal audit at Iron
Mountain, overseeing all audits and projects within North America as well as liaising with global quality
managers. Prior to Iron Mountain, he served as senior manager at Houghton Mifflin Harcourt, where he built
out an internal audit department and executed a Sarbanes-Oxley implementation. Tremblay also previously
worked at Raytheon and Deloitte.
CS 9-4: Improving Your ERM Program Using Six Sigma, Part 1
Charlie Wright, CIA, CISA, CPA
Director, Enterprise Solutions
BKD CPAs and Advisors
Jeffrey Lovern, ARM
Chief Risk Officer, Principal International
Principal Financial Group
As Enterprise Risk Management (ERM) programs continue to mature, risk managers face the continual challenge of adding value to the organization. By focusing on corporate objectives and using practical analytical approaches, risk managers can identify key risk indicators that executive management and the board will find important and useful.
In this session, participants will:
Review the key components of an effective ERM program.
Learn to leverage important aspects of their organization’s ERM framework, such as emerging risk identification.
Compare mechanisms to identify emerging risks and evaluate the benefits of using appropriate key risk indicators to add value to the organization.
Assess various approaches for integrating corporate objectives into the ERM process.
Charlie Wright leads BKD’s enterprise risk management efforts on a national basis. From 2005 to 2016, he
served as vice president of internal audit at Devon Energy Corporation and prior to joining Devon, he was the
general auditor at American Airlines. Wright was recently elected to serve as the vice chairman of the
Professional Guidance Committee on The IIA’s Global Board of Directors.
Jeffrey Lovern has 23 years of finance and risk management experience within the insurance and financial services industries. He currently serves as chief risk officer of Principal International, a division of the Principal Financial Group. Previously, he was chief risk officer for American Fidelity Corporation’s group of insurance companies. From 2002 to 2016, Lovern held various risk management roles for GE Insurance/Genworth Financial, including vice president of enterprise risk management for Genworth’s Global Mortgage Insurance division. As a member of GE Capital’s Risk Management Leadership Program, he completed various assignments across GE businesses. Prior, Lovern was a risk management consultant and insurance broker for Arthur J. Gallagher & Co.
Tuesday | August 14, 2018 4:30 – 5:30 p.m.
CS 10-1: Shedding Light on the Dark Web
Wanda Archy, CISSP, CEH, Security+
Cyber Threat Intelligence Specialist
RSM US LLP
Andrei Barysevich
Director of Advanced Collection
Recorded Future
The Deep and Dark Web is the part of the Internet not accessible through conventional search engines. Nation
states, cybercriminal gangs, and individuals thrive in this underground economy. Illegal activity takes place on
the Dark Web, including the sale of personal information, financial goods, and illicit services. This session will
seek to educate attendees on these dark parts of the Internet.
In this session, participants will:
Understand the differences between the Dark Web and the open Internet, different types of threat actors present on the criminal underground, and what websites exist in these communities.
Learn how to protect sensitive data and distinguish between the different types of datasets that are stolen.
Gain tools to protect their businesses through security best practices provided by speakers and methodologies to determine what information is exposed.
Determine how to use threat intelligence services to reduce the risk of their organization being successfully attacked.
Gain knowledge of how threat intelligence services can make incident response more effective.
Wanda Archy is a cyber threat intelligence specialist focused on Dark Web investigations. She has experience with performing intelligence analysis, tracking Russian threat actors, and conducting due diligence reconnaissance. Her background has spanned clients across the financial, health, government, retail, entertainment, and technology industries. Archy is a native Russian speaker and wrote her master’s thesis on Russian nation-state sponsorship of cyberattacks.
Andrei Barysevich is the Director of Advanced Collection at Recorded Future. He specializes in threat
intelligence on highly restrictive criminal communities and he oversees proactive intelligence operations. A
native Russian speaker, Andrei was previously an independent e-commerce fraud researcher, and a private
consultant for the FBI's New York Cybercrime field office. Andrei’s work and commentary have been featured in
The Wall Street Journal, Motherboard, The Atlantic, and numerous other publications. For the past 13 years,
he has been involved in multiple high-profile international cases resulting in successful convictions of
members of crime syndicates operating global reshipping, money laundering, and bank fraud schemes.
CS 10-2: Agile and Compliance
Pam Nigro, CRMA, CISA, CGEIT, CRISC
Senior Director, Information Security/GRC
Blue Cross Blue Shield of Illinois
Finding harmony and balance between the Agile accelerator and the brakes of your DevOps processes — can
software delivery in a highly governed industry reap the benefits of Agile and DevOps while maintaining
required compliance?
In this session, participants will:
Understand governance as an enabler of agility.
Develop non-burdensome ways to collect data.
Learn how to build governance in rather than bolting it on.
Focus on a risk-based governance approach.
Pam Nigro is a multifaceted IT audit and IT controls leader with unique experience in external Big 4 auditing
and cost-effective management of corporate risk and regulatory compliance. Presently, she is responsible for
IT risk and compliance testing for the five Blue Cross Blue Shield Plans (Illinois, Texas, New Mexico, Oklahoma,
Montana) comprising Health Care Service Corporation. Nigro teaches courses on ethics, risk, IT governance
and compliance, and information security for MSIS and MBA programs as an adjunct professor at Lewis
University. She also speaks frequently at industry conferences as well as local ISACA and IIA chapter meetings.
CS 10-3: The Bridge of Integrity: Am I All In?
James Molenaar, J.D., Esq., CFE
Attorney and Internal Audit Manager
Clerk of the Circuit Court, Collier County, Florida
Integrity and ethics go far beyond doing the right thing. Integrity and identification of ethical dilemmas are
critical skills for any internal auditor. This engaging session will include relevant and entertaining audio and
video clips, hypothetical scenarios, group problem solving exercises, pop quizzes, and opportunities to ask
questions and provide feedback. Finally, the instructor will speak about interesting ethical dilemmas he has
encountered in his three decades of public service.
In this session, participants will:
Be reminded why a code of ethics helps the profession of internal auditing uphold the trust placed in its objective assurance about governance, risk management, and control.
Learn from examples of principles relevant to the profession and practices of internal auditing.
Understand the Rules of Conduct that describe behavior norms expected of internal auditors.
Be enlightened on the expectations and application of the following IPPF and Code of Ethics principles: (1) Integrity; (2) Objectivity; (3) Confidentiality; and (4) Competency.
James Molenaar has over 30 years of experience, beginning as a law enforcement explorer, emergency medical
technician, police officer, government attorney, and prosecutor. He successfully leads a team of seven internal
auditors who audit the Collier County Board of Commissioners, which has a budget of $1 billion. Previously, he
was an attorney with the Illinois Office of Inspector General as a Medicaid prosecutor, and a prosecutor for the
economic crimes unit at the State’s Attorney Office in Southwest Florida.
CS 10-4: Improving Your ERM Program Using Six Sigma, Part 2
Charlie Wright, CIA, CISA, CPA
Director, Enterprise Solutions
BKD CPAs and Advisors
Jeff Lovern, ARM
Vice President, Chief Risk Officer
American Fidelity Corporation
As Enterprise Risk Management (ERM) programs continue to mature, risk managers face the continual challenge of adding value to the organization. By focusing on corporate objectives and using practical analytical approaches, risk managers can identify key risk indicators that executive management and the board will find important and useful.
In this session, participants will:
Learn how to apply a Six Sigma tool called Failure Modes and Effects Analysis (FMEA) to identify meaningful key risk indicators.
Gain insights into how one organization used analytical approaches like root cause analysis and FMEA to identify key risk indicators for their ERM process.
Receive instruction on asking the right questions in order to identify relevant and important key risk indicators, starting with the organization’s corporate objectives.
Charlie Wright leads BKD’s enterprise risk management efforts on a national basis. From 2005 to 2016, he
served as vice president of internal audit at Devon Energy Corporation and prior to joining Devon, he was the
general auditor at American Airlines. Wright was recently elected to serve as the vice chairman of the
Professional Guidance Committee on The IIA’s Global Board of Directors.
Jeffrey Lovern has 23 years of finance and risk management experience within the insurance and financial services industries. He currently serves as chief risk officer of Principal International, a division of the Principal Financial Group. Previously, he was chief risk officer for American Fidelity Corporation’s group of insurance companies. From 2002 to 2016, Lovern held various risk management roles for GE Insurance/Genworth Financial, including vice president of enterprise risk management for Genworth’s Global Mortgage Insurance division. As a member of GE Capital’s Risk Management Leadership Program, he completed various assignments across GE businesses. Prior, Lovern was a risk management consultant and insurance broker for Arthur J. Gallagher & Co.
Wednesday | August 15, 2018 8:30 – 9:45 a.m.
General Session 2: Governance in These Digitally Shifting Times
Rob Clyde, CISM
ISACA Vice-Chair
Managing Director
Clyde Consulting, LLC
Emerging technologies, which we must assess for opportunity and risk, will transform our businesses and how we live. Whether it is how we integrate machine learning and AI, or how we utilize IoT; whether it’s focusing on DevOps to ensure foundational security; or how we resolve the tensions of data privacy and security to protect our customers and organizations — how we transform with the technology will determine our success.
In this session, participants will:
Understand the relationship between strong governance and future innovation and agility.
Identify technologies that are leading the digital transformation and changing how we do business.
Learn about the COBIT governance framework’s past and current contributions to enterprise strategy, as well as its path forward.
Discuss what innovations and opportunities we may see in the future of governance.
Rob Clyde is vice-chair of ISACA’s board of directors, executive chair of the board of directors for White Cloud Security, and independent board director for Titus. He is the managing director of Clyde Consulting LLC. He serves as an executive advisor to HyTrust and BullGuard Software. Clyde also chaired the board-level ISACA finance committee and served on ISACA’s Strategic Advisory Council, Conference and Education Board, and IT Governance Institute (ITGI) Advisory Panel. Previously, he was CEO of Adaptive Computing, CTO at Symantec, and a co-founder of Axent Technologies. Clyde is a frequent speaker at ISACA, cyber security conferences, and for the National Association of Corporate Directors (NACD). He also serves on the industry advisory council for the Management Information Systems (MIS) Department of Utah State University.
Wednesday | August 15, 2018 10:15 – 11:30 a.m.
Closing Keynote: Governance in the Age of Cyber
Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CISSP, CPSA
ISACA Chair
Advisory Managing Director
Deloitte & Touche LLP
Every day, we hear news reports of another organization being breached. We find ourselves asking, “Who’s
next?” The stakes are too high for the board, the C-suite, and internal audit to wait until after a breach occurs
to conduct a post-mortem of the attack. To provide value — and to possibly protect our organizations from
failure — governance bodies need to be proactive.
In this session, participants will:
Learn about cyber trends and classic breach tactics.
Gain an understanding of effective security and controls.
Discuss the evolving roles of the board, the C-suite, and internal audit in the age of cyber.
Theresa Grafenstine serves Deloitte & Touche’s internal auditing and federal practices as advisory managing
director. Previously, as inspector general of the US House of Representatives Office of Inspector General (OIG),
she planned and led independent, non-partisan audits, advisories, and investigations of the financial and
administrative functions of the House. Prior, at the Department of Defense OIG, Grafenstine led acquisition
audits of major weapon systems and responded to high-profile Congressional audit requests. She is chairman
of ISACA’s International Board of Directors and a past president of the ISACA Greater Washington DC Chapter.
Grafenstine serves on the board of directors of the American Institute of Certified Public Accountants and as
audit committee chair for Pentagon Federal Credit Union. Her accolades include Golden Gov: Federal
Executive of the Year as well as ISACA’s John W. Lainhart IV Common Body of Knowledge Award and John
Kuyers Best Speaker/Conference Contributor Award.