
Tuesday | August 15, 2017 8:30 a.m. – 5:00 p.m.

Workshop 1: COBIT NIST Cybersecurity Framework

Mark Thomas, CGEIT, CRISC

President

Escoute Consulting

Marketing databases, customer analytics, and behavioral patterns are easier to manage with big data — but will these data elements be safe from hackers? And what is the impact of the Internet of Things? You will learn how to harness the power of big data and build your big data to achieve business goals while adding in safeguards to fight cybercriminals. Explore how the Internet of Things may be the ultimate driver of global change.

As part of the knowledge, tools, and guidance provided through the Cybersecurity Nexus (CSX)™ program, ISACA has developed a guide and course: Implementing NIST Cybersecurity Framework Using COBIT 5®. This workshop is a synopsis of that course, focusing on the Cybersecurity Framework (CSF), its goals, the implementation steps, and the ability to apply learnings.

In this session, participants will:

• Understand the goals of the Cybersecurity Framework (CSF).

• Learn and discuss the content of the CSF and what it means to align to it.

• Understand each of the seven CSF implementation steps.

• Be able to apply and evaluate the implementation steps using COBIT 5.

• Discuss the progression and touch points of protecting big data – and what might happen if this is ignored.

• Learn about the Internet of Things and why it’s both feared and welcomed.

• Identify how COBIT and NIST can work together to create a customizable framework to stave off attacks.

Prerequisites for attending this Workshop:

• Basic knowledge of COBIT

• Basic knowledge of security concepts

Mark Thomas is an internationally known governance, risk, and compliance expert in the areas of cybersecurity, IT service management, assurance and audit, and IT controls. His background spans leadership roles from CIO to management and IT consulting in several federal and state agencies, private firms, and Fortune 500 companies. With over 25 years of professional experience, Thomas has led large IT teams, conducted information governance/risk activities for major initiatives, managed enterprise applications implementations, and implemented cybersecurity and governance processes across multiple industries. Additionally, he works as a consultative trainer and speaker, and earned the ISACA John Kuyers award for Best Speaker/Conference contributor in 2016.

Workshop 2: ERM Can Now Work! Putting the Updated COSO ERM Framework and ISO 31000 Standards Into Practice

Doug Anderson

Managing Director, CAE Solutions

The Institute of Internal Auditors

Charlie Wright

Director, Enterprise Risk Solutions

BKD

ERM is not a process, a tool, a department, or a list of risks – it is how an organization makes better business decisions. COSO recently updated the ERM Framework with increased emphasis on recognition that risk management is fundamental for an organization to align its actions with its strategy. At the same time, ISO is nearly finished updating its standard 31000. With the advent of these two significant updates, it is time to reconsider the foundations of risk and risk management. Every organization is in the “risk management” business as managing risk is part of nearly everything an organization does.

The workshop will use a combination of theory, small group discussions to unpack the theory into easily understandable parts, and case studies to cover these topics.

In the session, participants will:

• Learn the fundamental elements of risk: its identification, measurement, responses, and reporting.

• Understand the best practices for a risk management process.

• Apply the concepts of risk management to the auditor’s task of using risk in planning, executing, and reporting on audit work.

• Define the key attributes to be considered when performing an audit of an ERM process.

Doug Anderson joined The IIA in 2016 after serving as an assistant professor at Saginaw Valley State University. Until 2013 Anderson worked with The Dow Chemical Company for 22 years. His roles at Dow included 16 years in internal audit (9 years as CAE), a global finance director in corporate controllers supporting acquisitions, divestitures, and joint ventures, and the finance leader for the global Dow latex business. Previously he spent 10 years with PricewaterhouseCoopers.

Charlie Wright leads BKD’s enterprise risk management efforts on a national basis. From 2005 to 2016, he served as vice president of internal audit at Devon Energy Corporation and prior to joining Devon, he was the general auditor at American Airlines. Wright was recently elected to serve as the vice chairman of the Professional Guidance Committee on The IIA’s Global Board of Directors.

Wednesday | August 16, 2017 8:30 – 9:45 a.m.

Opening Keynote: The Cyber Blacklist: Top Threats and Countermeasures for Data Security

John Sileo, CSP

CEO

The Sileo Group

At the heart of most data theft is lax cybersecurity: a broad term that will cease to intimidate you after this presentation. This crash course forges a high-level, non-technical path through the sometimes confusing web of human decision making, computer security, mobile technology, internet connectivity, online privacy, and cloud computing and will leave you with an actionable list of steps to protect your sensitive data, mobile devices, social identity and, ultimately, your wealth and profitability.

In this session, participants will:

• Learn techniques to overcome or at least deal with the fear of falling behind the digital curve.

• Discuss why staying vigilant is key in helping you protect the data that underlies your organizational and personal wealth.

• Hear a real-life case study on the long road to recovery from an unfortunate incident and how to transform risk into reward.

John Sileo founded his company which advises clients on balancing risk, defending privacy, and multiplying profits by building a culture of deep trust. He is an award-winning author, trusted advisor, and leading speaker on managing privacy and reputation in an economy plagued by digital overexposure. Sileo has appeared as a cybersecurity expert on numerous television shows and he has been interviewed or quoted in multiple trade and consumer publications. He leverages his story of transforming risk into reward and the emotional connections it creates to evoke the skills of instinct, inquiry, and initiative that empower his clients to take control of their data exposure before it’s too late.

Wednesday | August 16, 2017 10:15 – 11:15 a.m.

CS 1-1: The Need for Change Enablement in Adopting Governance and Management Practices

Mark Thomas, CGEIT, CRISC

President

Escoute Consulting

Successful implementation or improvement initiatives depend on adopting the appropriate change (the good practices) in the best means possible. But frequently there isn’t enough emphasis on managing the human, behavioral, and cultural aspects of the change and motivating stakeholders to buy into the change. Change enablement is one of the biggest challenges to governance implementations.

In this session, participants will:

• Explore a typical implementation methodology infused with leading practices in designing, executing, and monitoring an organizational change enablement program.

• Understand the seven phases of an implementation lifecycle that can meet organizational needs.

• Associate critical change enablement inputs, outputs, and tasks with each of the seven phases of the implementation lifecycle.

• Learn how to develop strategies toward gaining proper stakeholder buy-in and support for key initiatives.

Mark Thomas is an internationally known governance, risk, and compliance expert in the areas of cybersecurity, IT service management, assurance and audit, and IT controls. His background spans leadership roles from CIO to management and IT consulting in several federal and state agencies, private firms, and Fortune 500 companies. With over 25 years of professional experience, Thomas has led large IT teams, conducted information governance/risk activities for major initiatives, managed enterprise applications implementations, and implemented cybersecurity and governance processes across multiple industries. Additionally, he works as a consultative trainer and speaker, and earned the ISACA John Kuyers award for Best Speaker/Conference contributor in 2016.

CS 1-2: NIST Cybersecurity Framework Assessment

Todd Marcinik, CISA, CRISC

IT Risk Manager

SunTrust Banks, Inc.

NIST’s Framework for Improving Critical Infrastructure Cybersecurity was released in February 2014 and has since been used to gauge the maturity of information security programs and align oversight and regulatory processes against a common framework. This session will cover the components of the framework, assessment approaches, review examples, and reporting.

In this session, participants will:

• Receive a brief introduction to the NIST Cybersecurity Framework.

• Discuss associated control frameworks and the FFIEC Cybersecurity Assessment Tool.

• Assess your information security program against the framework.

• Review, analyze, and identify potential program gaps.

• Learn how to report and communicate results, implement remediation plans, and perform periodic reviews.

Todd Marcinik provides guidance to help executives and management ask key questions, make better, more informed risk-adjusted decisions and guides effective IT risk management for a large regional financial institution. He is accountable for identifying, measuring, mitigating, monitoring, and reporting operational, technology, and compliance risks and issues to senior management and appropriate governance structures. Marcinik has more than 20 years of experience as a professional in IT administration, security, governance, risk, assurance, and compliance and has provided leadership over high-priority IT security projects, compliance assessments, and issue mitigation. His early career was in technical support, application, system, and database administration, and data warehouse implementation and support with WESCO Distribution. Marcinik served as IT audit manager and senior IT compliance analyst with Coca-Cola Enterprises, and as global IT audit manager for Exide Technologies. He has presented on various topics at local and national conferences on a wide range of technical and audit topics.

CS 1-3: How Risk Culture Affects Compliance and Internal Controls

Joseph Mayo, CRISC, PMP, RMP

President

J.W. Mayo Consulting, LLC

This session will explore a case study where placing blind faith in the enterprise risk management (ERM) process led to catastrophic results. We will explore an organization that had by all accounts a highly mature world-class ERM program. However, the organization had a minor flaw in their ERM process that went undetected by internal controls and nearly destroyed the organization.

In this session, participants will:

• Learn organizational culture traits that can lead to risk management disasters.

• Recognize when a heuristic audit approach is appropriate.

• Understand how loosely coupled risk management processes can benefit the organization.

• Recognize symptoms of a risk hurricane.

Joseph Mayo is an award-winning project manager, author, and internationally recognized risk management expert with over 28 years of industry experience. He developed an IV&V program that was recognized by the U.S. Government Accountability Office (GAO) as a model for large complex government programs. Mayo wrote Cultural Calamity: Culture Driven Risk Management Disasters and How to Avoid Them, featuring the introduction of the “Risk Hurricane,” and Chaos to Clarity: The Tao of Risk Management. He has published other books and whitepapers and frequently speaks on the topic of risk as he strives to further global risk management practices by volunteering for PMI and ISACA working groups.

CS 1-4: Data Analytics at Xerox: A Journey From Idea to Reality

Michael Bowen

Senior Manager, Analytics, Center for Enablement

Xerox Corporation

Kenneth Metz, CPA, CGMA

Chief Audit Executive

Xerox Corporation

Xerox’s internal audit department undertook a 2-year journey to turn the idea of better data analytics into the creation of a Data Analytics Center of Enablement. This COE has partnered with the IT Business Intelligence group to deliver analytics-driven audits using Tableau. These data analytics tools are left with audit clients, allowing them to perform their jobs better. This session will feature a demonstration of how data is transformed into usable audit intelligence using Tableau.

In this session, participants will:

• Learn the actual steps Xerox took to implement a meaningful data analytics practice.

• Understand how the Data Analytics Center of Enablement was structured and functions.

• See real life examples of the Tableau data models created.

• Explore how data analytics results can create value-added audit recommendations.

Mike Bowen has more than 20 years of data and analytics experience within Xerox, most recently leading global customer services’ business intelligence and analytics. He joined the internal audit department in 2016 to establish a Center of Enablement for driving the use of analytics within the function. Previously, Bowen held leadership roles in Xerox’s machine data connectivity, xerox.com, and applications development. He is a Certified Lean Six Sigma Black Belt.

Ken Metz has over 20 years of accounting, auditing, internal controls, and global business experience. He joined Xerox in 2013 as the director of accounting projects, working on technical accounting projects including revenue and leasing, before ascending to his current role in 2014. Prior to joining Xerox, Metz worked for Bausch & Lomb for seven years in leadership roles including corporate audit services, Asia regional controller and managing external reporting and accounting projects. Prior to B&L, he worked in public accounting for 12 years primarily with PricewaterhouseCoopers serving large clients including Bausch & Lomb, Carrier Corporation, and Xerox.

Wednesday | August 16, 2017 11:30 a.m. – 12:30 p.m.

CS 2-1: Chutes and Ladders of Internal Audit - How to Rise and Fall Due to Meeting or Failing to Meet Stakeholder Expectations

Kayla Flanders, CIA, CRMA, CISA, CPA, CFE, CGMA

Senior Audit Manager

Pella Corporation

Different stakeholders have different expectations, and different people within common stakeholder groups may have different expectations; this session covers how to identify and work with each. Some expectations may be driven by stereotypes of internal auditors, and the session covers strategies to overcome them. We will discuss how to challenge our past activities to quickly identify and move beyond stereotypes and work to shape appropriate stakeholder expectations for the future.

In this session, participants will:

• Explore how stereotypes for internal audit shape stakeholder expectations and examine how our client perceptions of audit are our reality.

• Determine internal audit's role in perpetuating or negating stereotypes and then meeting or changing those expectations.

• Gain techniques to combat common stereotypes and shape expectations for the future.

• Challenge the "one size fits all" approach and develop understanding around individualized stakeholder expectations.

Kayla Flanders has overall responsibility for the organization’s internal audit activities. Prior to joining Pella Corporation, she was a senior audit manager at Wells Fargo on the finance and corporate activities team, chief compliance officer at DuPont Pioneer, and director of internal audit at Layne Christensen Company. Flanders also served as a treasury manager and manager of accounting research and policies. She began her career at Deloitte & Touche.

CS 2-2: Auditing the Cloud Environment: An Introduction

Remi Nel, CIA

Senior Manager, Global Technology Audit

Rackspace

Jason Sechrist, CIA

Director, Global Technology Audit

Rackspace

Cloud‐based solutions are increasing in popularity and are being embraced by organizations of all sizes. Auditors must understand the key concepts and risks inherent to this technology. This session provides information to help auditors understand the technology and provide the basis for analyzing and assessing risks.

In this session, participants will:

• Understand why risks are different in the cloud.

• Explore audit activities to identify risks specific to cloud environments.

• Identify internal audit’s role in an organization’s procurement/design phase.

Remi Nel has responsibility for managing the execution of a risk-based global IT audit plan for Rackspace’s global footprint of data centers and office locations across the Americas, Europe, and Asia. Prior to joining Rackspace, Nel was with EY working with banking, insurance, and IT hosting clients. He has delivered training presentations on cloud computing and Software-as-a-Service (SaaS), educating and creating awareness among audit professionals on the benefits and risks with technology.

Jason Sechrist has responsibility for developing and executing on a risk‐based audit plan for Rackspace’s global footprint of data centers and office locations across the Americas, Europe, and Asia. Prior to joining Rackspace, he was with PwC working with internet and cloud service provider clients, interacting directly with CTOs, CISOs, compliance managers, and system engineers. His dynamic background includes leading the system life cycle of global aviation weather visualization software as a service for the United States Air Force.

CS 2-3: GRC IQ: How Intelligent Is Your ERP Environment?

Scott Conner

Director, GRC Technology

KPMG

Learn how you stack up against top-performing organizations in terms of the maturity of your control environment, the strength of your security design, and the level of your GRC integration. By introducing optimized controls and sustainable processes while integrating GRC technology, organizations can reap more benefits from investments in ERP technology and operate in an internal control environment that manages transactional risk and complies with regulatory requirements.

In this session, participants will:

• Walk through a maturity model that illustrates the core characteristics of top-performing organizations.

• Learn the degree of GRC technology adoption to support strong process and controls environments.

• Understand what opportunities exist for improvement, allowing for better planning of future road maps and building a business case for wider adoption.

• Examine the results from last year's process and controls IQ survey, conducted at GRC 2016.

Scott Conner has over 13 years of IT advisory and audit experience including providing ERP implementation services, business process improvement, Sarbanes-Oxley 404 compliance assistance, and controls implementation services for SAP to clients across multiple industries. Conner’s industry background includes oil and gas, manufacturing, and consumer markets. He has managed projects to design and redesign SAP security roles as part of both an initial implementation as well as SOD remediation, managed multiple implementations of SAP GRC Access Control 10.0 and 10.1, Super user process implementation, and user provisioning. He also managed multiple controls integration projects for global SAP implementations that included designing, testing, and monitoring controls around the implementation. Conner managed projects for multi-billion dollar organizations to create and implement a controls framework for a new worldwide SAP implementation, including core modules for ECC, SRM, SCM, XI, BI, and CUA.

CS 2-4: Measuring Effectiveness of a Risk-focused Third-party Risk Management Program

John Maynor, CRISC, CISA

Senior Leader, Third Party Risk Management

Vantiv

Third-party Risk Management programs, or TPRMs, as a best practice arguably encompass stages including Planning, Due Diligence, Contracting, Ongoing Monitoring, and Termination. Interactive discussions are encouraged to allow participants to share effective TPRM programs including key tools used to identify and measure the risks of utilizing third parties and how to measure the effectiveness of these programs. Real-world stories and examples from tours of global vendor sites will compare and contrast the differences between desktop and on-site evaluation of third parties.

In this session, participants will:

• Gain an understanding of the critical components of an effective third-party risk management program.

• Learn how to build effective audit programs to measure the soundness and effectiveness of third-party risk management programs.

• Explore the tools that effective third-party risk management programs should use to provide a basis for measuring and auditing TPRM programs.

John Maynor has many years of experience in the third party risk management (TPRM) space, having worked with PwC for 11 years specializing in TPRM as well as cybersecurity. His work has centered on taking a risk-based approach to TPRM, helping organizations develop new or enhance current TPRM programs. Maynor has a depth of knowledge of what makes a TPRM program effective and how to measure programs to ensure their effectiveness. He has performed hundreds of on-site assessments of domestic and international third parties on engagements around the world.

Wednesday | August 16, 2017 1:30 – 2:30 p.m.

CS 3-1: Establishing and Maintaining an Effective Internal Audit Quality Assurance and Improvement Program: Tips, Tricks, and Tools

David Kent, CIA, CRMA, CISA, CRISC, CGEIT, CGFM

Internal Audit Quality Assurance & Improvement Program (QAIP) Manager

SWIFT, Inc.

SWIFT/IA's journey began in early 2014 and continues today, working toward establishing a formal but "basic" QAIP and then continuing to enhance it to better meet the underlying aspects of The IIA’s International Standards for the Professional Practices of Internal Auditing’s 1300 series. Beginning with the results of an EQA conducted in 2013, the session will trace the actions since taken to address observations including "lessons learned" — in the form of tips, tricks, and tools — to form the primary focus of the discussion.

In this session, participants will:

• Gain insight into the key requirements of a successful QAIP, as prescribed by the 1300 series of The IIA’s Standards.

• Examine key challenges facing an internal audit entity in establishing and maintaining an effective QAIP and practical ways for meeting those challenges.

• Learn how to leverage everyday audit activities to serve as key QAIP components.

• Be introduced to several tools (including feedback mechanisms) proven to be especially valuable in maintaining SWIFT/IA's QAIP.

David Kent is a seasoned audit practitioner with more than 40 years in the profession and has served in his current role since 2014. Previously, he served as an audit manager for the organization, heading the company’s U.S.-based audit team for about 10 years. Prior to joining SWIFT, Kent spent more than seven years as client service director with PricewaterhouseCoopers’ U.S. federal government practice, providing oversight and direction to large, complex automated information systems controls testing projects in various federal departments and agencies. Before PwC, Kent spent over 26 years as a U.S. federal government auditor and audit manager at the U.S. General Accounting Office and the U.S. Department of Transportation (DoT). His 12-year tenure with DoT’s Office of Inspector General (OIG) included seven years of executive experience as a member of the federal senior executive service. During his federal career, he received 12 awards for his work and testified before the U.S. Congress on three occasions. Kent has served on four ISACA international committees/boards and as chair for their Information Technology Control Practices Committee. He also co-developed a CISA examination review course for ISACA’s National Capital Area Chapter and served as instructor for several course offerings. Kent has served as an instructor for corporate compliance seminars since 2016.

CS 3-2: A Real-life Practical Internal Audit Approach to Cyber Security

Gurmit Aujla, CIA, CRMA, CPA, CRISC, CA, CITP

Director, Internal Audit

British Columbia Lottery Corp.

Cory Strumecki, CISA, CISM, CIPT

Manager Internal Audit

British Columbia Lottery Corp.

Cybersecurity is an emerging/changing risk where traditional internal audit departments and previous approaches may not be adequate, but using the complex cyber risk environment provides us with an opportunity to showcase the value we bring to our organizations. Walk through one organization’s journey in developing a strategic approach to cyber risk and the steps they took to reach that point.

In this session, participants will:

• Learn a practical way to get started on implementing an audit approach to address cyber risk.

• Identify steps to communicate cyber risk to key stakeholders such as the audit committee and executive management.

• Obtain tools to build cyber risk into your audit plan.

• Discuss practical challenges that may arise as you explore this area as a way to showcase your function’s value.

Gurmit Aujla has more than 15 years of experience in internal audit, risk management, internal controls, finance, and corporate functions. He has served in his current role since 2009, during which he has been responsible for the transformation of the internal audit group from a traditional compliance-based practice to a proactive, value-driven group that works collaboratively with the organization. Aujla established a leading IT audit capability within the internal audit department and developed a pragmatic, risk-based approach to identifying, assessing, and managing IT risk. Prior to BCLC, he worked in private industry in the international manufacturing, banking, and restaurant sectors, with a focus on governance, risk management, and implementing Sarbanes-Oxley. Aujla has delivered numerous presentations and webinars for professional and trade organizations on topics including internal audit, governance, and risk management.

Cory Strumecki started his gaming career as a slot machine revenue auditor 17 years ago. His career path has included stints as a casino trainer, QA system analyst, and innovator, and eventually led him into the world of internal audit, particularly into the area of IT auditing. Strumecki originally trained as a chef but transitioned into accounting and has found his passion in the gambling industry.

CS 3-3: Best Practices for Proactive IT Governance

Berk Algan, CISA, CGEIT, CRISC, CIPP

Director, IT Governance

Silicon Valley Bank

This information-sharing session covers five topics focused on how to build and evolve a First Line of Defense function and an IT governance framework, providing specific real-life examples drawn from the speaker’s experience working at a financial institution, including pitfalls and lessons learned. Attendees will have an opportunity to pose questions at the end of the session.

In this session, participants will:

• Learn about a practical approach to creating an IT governance framework.

• Understand the cornerstones of a proactive First Line of Defense model.

• Gain tools and knowledge to build an effective IT governance framework and a proactive First Line of Defense model.

• Learn how to avoid common pitfalls when implementing a proactive First Line of Defense model.

Berk Algan leads the IT GRC group and has extensive experience in implementing governance, risk, and security frameworks; improving business processes; setting business and IT strategies; leading risk assessments; performing compliance audits; and facilitating organizational change. His primary goal is to promote a risk-based culture and decision-making process, and instill governance best practices across the bank. Prior to joining SVB, Algan was a senior manager at EY’s advisory services group where he audited and advised numerous high-tech companies.

CS 3-4: Auditing the Cloud Environment: Advanced

Remi Nel, CIA

Senior Manager, Global Technology Audit

Rackspace

Jason Sechrist, CIA

Director, Global Technology Audit

Rackspace

Cloud‐based solutions are increasing in popularity and are being embraced by organizations of all sizes. Auditors must understand the key concepts and risks inherent to this technology. This hands-on session will explore a SaaS solution case study to help auditors identify possible risk areas that can be leveraged to perform an assessment of the cloud tools within their organization.

In this session, participants will:

• Understand and interpret Service Organization Control (SOC) reports for IT risks.

• Evaluate control frameworks and apply them to simulated environments.

• Examine Service Level Agreement (SLA) requirements that auditors should raise with cloud service providers during the procurement/design phase.

Remi Nel has responsibility for managing the execution of a risk-based global IT audit plan for Rackspace’s global footprint of data centers and office locations across the Americas, Europe, and Asia. Prior to joining Rackspace, Nel was with EY working with banking, insurance, and IT hosting clients. He has delivered training presentations on cloud computing and Software-as-a-Service (SaaS), educating and creating awareness among audit professionals on the benefits and risks with technology.

Jason Sechrist has responsibility for developing and executing on a risk‐based audit plan for Rackspace’s global footprint

of data centers and office locations across the Americas, Europe, and Asia. Prior to joining Rackspace, he was with PwC

working with internet and cloud service provider clients, interacting directly with CTOs, CISOs, compliance managers,

and system engineers. His dynamic background includes leading the system life cycle of global aviation weather

visualization software as a service for the United States Air Force.

Wednesday | August 16, 2017 2:45 – 3:45 p.m.

CS 4-1: Critical Thinking for Results

Devin Claus, CPA, CFE

Finance Manager, Internal Audit

Conagra Brands

Critical thinking is a skill vital for auditors but takes time and practice to develop. To maintain a competitive advantage, we must utilize our critical thinking skills to be insightful, to be forward looking, to make good decisions quickly, and to create value for our organization.

In this session, participants will:

• Discuss why critical thinking is important on all audit engagements to drive impactful results.

• Learn a framework that can be used to help you think critically.

• Apply the framework to audit engagements.

Devin Claus has led internal audit engagements for the company, including the corporate controller’s group audit, several consumer and private brand plant audits, a construction audit, procure to pay, IT general controls, and an international code of conduct investigation. Prior to working at Conagra, Claus worked in external audit at Deloitte for 3+ years, serving various large and mid-size SEC clients.

CS 4-2: Hunting for Hackers: How to Turn the Tables on Attackers

Adam Brand

Director, Security and Privacy Practice

Protiviti

Would you know if your organization has been hacked? Publicly available data suggests that the odds are not in your favor. In this session, you will learn from an experienced threat hunter about the challenges organizations face in detecting breaches. You’ll also learn what threat hunting is, and how threat hunting can be leveraged in an internal audit context to evaluate an organization’s breach-detection capabilities.

In this session, participants will:

• Understand the challenges involved in detecting breaches.

• Define key types of detection technologies and understand their strengths and limitations.

• Understand what threat hunting is, and how it can help decrease breach detection time.

• Understand how threat hunting concepts can be used in an internal audit context to evaluate an organization’s breach detection capabilities, and provide a point-in-time view on what signs exist of a breach.

• Identify the key technology areas and attributes that are relevant to threat hunting, and how signs of a breach can be revealed.

Adam Brand has over 17 years of experience in IT and security, in areas ranging from compliance to incident response. He has worked closely with internal audit organizations across many industries in conducting information security reviews, and brings a unique perspective as someone who has been “on the ground” in major breach investigations. Brand is a frequent speaker on information security topics at both IIA and information security industry events.

CS 4-3: Integrated Audits for Business Processes

Gregory Haake, CIA, CISA, CFSA

IT Audit Manager

MetLife

Integrated audits can be valuable when used at the right time. How do you determine the right time for this type of audit? Who do you include in this audit and what are your next steps? In this session we will learn how to determine the scope of integrated audits and discuss the tools and planning needed for a successful engagement. We will explain why it is key to streamline agendas for productive meetings with the audit clients.

In this session, participants will:

• Learn what integrated auditing should encompass.

• Discuss how to plan and conduct efficient integrated audits.

• Develop tools to keep integrated audits organized.

• Identify ways to maximize productive audit client interactions.

Greg Haake has been internal auditing for half of his 20-year career, which has encompassed some of the largest companies in the world including AXA Equitable, Credit Suisse, MetLife, and Blue Cross Blue Shield of North Carolina. During his auditing career, Haake has held progressively responsible positions and grown his skills through collaboration and education. His unique position of working as a business auditor and IT auditor has given him valuable insight on how to manage engagements, clients, and planning activities.

CS 4-4: Implementing ERM in a Small to Medium Enterprise

Jessica Perkins, CIA, CRMA, CISA

Director, Risk Management and Internal Audit

International Development Research Center

This interactive session offers practical advice on establishing and improving ERM in a small- to medium-sized organization, modeled on a real-life experience at IDRC and featuring successes, lessons learned, tools, and practical examples. Participants should have an intermediate level of risk management knowledge and a good understanding of key definitions, and come armed with questions, challenges, and success stories to share.

In this session, participants will:

• Understand internal audit’s role in ERM as per IIA Standards and Guidance.

• Become familiar with a principles-based framework for ERM suitable for small- to medium-sized organizations.

• Develop an understanding of practical procedures and tools that can be applied to enhance ERM.

Jessica Perkins has more than 14 years of experience in audit, risk management, and corporate finance functions. Over the last four years, she has been leading the transformation of the risk management and internal audit practices at IDRC to become a value-added activity, integral to management and audit committee decision making. Prior to IDRC, Perkins worked in the government and private sector as an external auditor and consultant in several different industries.

Wednesday | August 16, 2017 4:05 – 5:05 p.m.

CS 5-1: Voice of the Customer: Stakeholders Messages From the CBOK Global Internal Audit Study

Pam Short Jenkins, CIA, CRMA, CPA

Vice President, Global Audit Services

Fossil Group Inc.

Brad Rachmiel, CPA

Managing Director

Protiviti

In collaboration with Protiviti, The IIA’s Internal Audit Foundation conducted the CBOK Stakeholder Study in 2015 to gain a global perspective and better understanding of stakeholders’ expectations of internal audit’s purpose, function, and performance. The eye-opening results were distilled into individual reports covering numerous angles from the stakeholder point of view.

In this session, participants will:

• Understand common themes from the five CBOK Stakeholder Study reports.

• Explore where CAEs can improve their relationship with stakeholders while also improving the value provided to the organization.

• Identify key areas where internal audit can help the organization with its strategic risks.

• Discuss actionable ideas and recommendations to consider for both you and your key stakeholders.

Pam Short Jenkins is an innovative strategist who excels at building relationships with key stakeholders to effectively lead transformation efforts and mission-critical business initiatives. She is skilled in linking enterprise risk assessment with shareholder value, key objectives, and customer needs. Jenkins previously served as the CAE and vice president of the project management office for company-wide strategic initiatives for US Foods, responsible for bringing strategic focus and fast-paced tactical execution to the audit services department. She has more than 15 years of executive level experience in internal audit with organizations such as The Wendy’s Company and The Home Depot. Jenkins currently serves as the vice chair of professional development on The IIA’s North American Board of Directors.

Brad Rachmiel brings over 24 years of experience in public accounting, internal audit, and consulting services and currently leads the organization’s internal audit and advisory practice for the Central region as well as its public company transformation service, assisting companies with their private-to-public transformation around finance and accounting, IT, and corporate governance/compliance. Prior to joining Protiviti, Rachmiel was a senior manager in Arthur Andersen’s Chicago office. He also spent several years as the chief financial officer of a manufacturing and distribution company.

CS 5-2: Operationalizing Cybersecurity with Risk-based Governance

Steven Minsky

CEO

LogicManager, Inc.

Many departments within an organization – information security, vendor management, finance, human resources, and more – hold pieces of cybersecurity information. Unfortunately, most organizations lack the ability to put the full risk picture together. Companies react to external threats by spending billions on technology solutions, without addressing root-cause governance issues, such as operationalizing employee and vendor password policies.

It's important to recognize that the governance of information security and technology is a tenet of risk management, and is most effective when implemented with a holistic, cross-functional approach.

In this session, participants will:

• Learn how to operationalize cybersecurity policies across departments and levels.

• Determine clear cross-functional accountability for cybersecurity responsibilities.

• Explore metrics that monitor the effectiveness of cybersecurity programs.

• Discuss best practices for reporting cybersecurity progress and effectiveness to the board and regulators.

Steven Minsky has, for over 12 years, overseen the organization that provides an integrated, intuitive software-as-a-service platform to help companies make better decisions through risk intelligence for more effective corporate governance, risk, and compliance management. He is the author of the popular RIMS Risk Maturity Model and frequently teaches and contributes to blogs and the press across a range of risk management topics. Minsky is also a patent author of risk and process management technology.

CS 5-3: Stop Fraud Before It Starts: New Guidance for Managing Fraud Risks

Marc Kokosky, CIA, CCSA, CRMA, CFE

Global Anti-Fraud and Investigations Manager

Population Services International

Bryan Moser, CPA, CFF, ABV, CFE

Partner, Advisory Services Practice

Grant Thornton LLP

New guidance features techniques to more effectively assess and mitigate fraud risk. Participants will learn about forming a strategy for a full-scope assessment of fraud risk, including use of both qualitative and data analytic approaches, and how to respond to those risks once identified. Topics will be discussed in the context of prevailing standards for fraud risk management.

In this session, participants will:

• Describe the components of a holistic and effective fraud risk assessment.

• Discuss a framework and techniques for conducting fraud risk assessments.

• Learn about anti-fraud controls based on the Fraud Reduction and Data Analytics Act of 2015.

• Identify ways to deter fraud based on the COSO Fraud Risk Management Guide.

• Explore guidelines in GAO’s Framework for Managing Fraud Risks in Federal Programs.

Marc Kokosky is responsible for overseeing PSI’s anti-fraud program and has conducted and managed more than 400 international fraud investigations in more than 40 countries that have resulted in the recovery of funds and several criminal convictions. He has extensive work experience in Africa, Asia, Latin America, and the former Soviet Union. Kokosky’s experience in the last 13 years has been primarily within the non-profit and NGO sectors with a focus on internal audit, fraud, compliance, and business ethics. Prior to his internal audit and investigation work, he was a grants and contracts manager overseeing various U.S.-funded programs aimed at preventing the emigration of former Soviet weapons scientists and promoting civilian and commercial scientific research projects.

Bryan Moser has assisted clients with compliance, investigations and litigation for nearly 25 years. He has conducted numerous government and internal fraud investigations and frequently consults on compliance. He investigates billing fraud, embezzlement, improper vendor arrangements, misappropriation of grant funding, and compliance with regulations. Moser assists clients with assessing risks and implementing preventive measures designed to prevent fraud, and advises clients during critical business situations and in developing operational improvements. He has assessed internal controls and regulatory compliance of businesses and consulted on anti-corruption/FCPA compliance, along with SEC, DOJ, and internal fraud investigations around the world. Prior to joining Grant Thornton, Moser was an industry analyst for the Bureau of Labor Statistics and worked 15 years at PricewaterhouseCoopers. He frequently speaks on issues related to investigations and compliance and conducts training for clients and at industry organizations.

CS 5-4: How Vanguard's Fund Process Excellence Team Is Building an Effective Controls Culture

Robert Freiling, CTP

Senior Manager

Vanguard

In today’s environment of increasing complexity, changing regulations, global expansion, and shifts in the product and competitive landscape, Fund Financial Services created a Process Excellence (PE) team to lead fund-centric risk and controls advisory services. Learn how the PE team successfully established and built out a purposeful integrated controls framework based on four key priorities.

In this session, participants will:

• Discuss the four key priorities that drove the framework’s underpinnings.

• Learn real methods, tools, and approaches to build an effective controls culture.

• Review the process followed to establish and implement a risk and control integrated purpose/mission statement and core team competencies.

• Discover concepts supporting the build-out of the integrated controls framework, including data-driven risk dashboards, scorecards, and heat maps; control self-assessment methods; monitoring methods; and more.

Robert Freiling is an 18-year Vanguard veteran, with more than 10 years of experience managing Vanguard’s fund treasury department, Six Sigma program, and risk and controls groups. He currently leads a global fund-centric risk and controls department, which spans resiliency and logical access, with departmental team members in the U.S. and abroad. Freiling has sponsored five Vanguard corporate Initiative of the Year winners, one of which competed at the American Society of Quality International Finalist competition. He has been invited to speak at national and regional Association of Financial Professionals conferences and holds Vanguard’s Six Sigma Specialist certification.

Thursday | August 17, 2017 8:30 – 9:45 a.m.

General Session 1: Internal Audit in a World of Change

Larry Harrington, CIA, QIAL, CPA, CRMA

Vice President, Internal Audit

Raytheon Company

Change — self-driving vehicles, nano-technology, artificial intelligence, geopolitical changes, etc. — is impacting the world at an accelerating pace, which in turn impacts organizations, stakeholders, and internal auditors. Are we adapting? To be relevant and add value requires that we audit at the speed of risk, and that means assessing risks in a world of change disrupters will become a new must-have competency.

In this session, participants will:

• Discuss key disrupters of change affecting internal audit.

• Identify what to audit and when in a world of change and disrupters.

• Review competencies needed to adapt to change.

• Explore strategies to retain those with the needed range of skills to conduct audits at the speed of risk.

Larry Harrington has more than 25 years of experience in auditing and finance. He started his career in public accounting and has served in the fields of retail, financial services, insurance, manufacturing, and technology. Harrington has held key leadership roles in finance, human resources, and operations, and has been chief audit executive for several Fortune 500 companies including Staples, Aetna, and LTV. He is an active volunteer for The IIA, currently serving as chairman of the Global Board of Directors. He previously served as senior vice chair of the Global Board of Directors, and as chairman of The IIA's North American Board of Directors. Harrington is a frequent speaker at seminars on auditing, change management, negotiation, and people development and motivation.

Thursday | August 17, 2017 10:10 – 11:10 a.m.

CS 6-1: External Quality Assessments: The Benefits of and Leading Practices to Exceed Stakeholder Expectations

Greg Jaynes, CIA, CRMA

Chief Audit Executive & Director, Internal Audit

The Institute of Internal Auditors

Bailey Jordan, CIA, CRMA, CISA, CPA

Partner, Business Risk Services

Grant Thornton, LLP

Not only is it required by The IIA’s Standards for an internal audit department to conduct external quality assessments, it just makes good business sense. If you are conducting periodic internal assessments, then the external assessment should be a piece of cake and enable you to prove your department’s inherent value to your stakeholders. In this session, participants will examine the process and results of the EQA of The IIA’s own internal audit function.

In this session, participants will:

• Learn the fundamental EQA requirements.

• Examine one approach to executing an EQA.

• Discuss the value of an EQA to management and the audit committee.

• Find out how an EQA raises the quality of the internal audit function.

• Explore lessons learned and leading practices.

Greg Jaynes has over 30 years of internal audit, accounting, and financial management experience, including a long career in public sector internal auditing before joining The IIA in 2011. His public service tenure included 24 years in the Office of the Inspector General, Tennessee Valley Authority. Jaynes has served as an advisor on numerous enterprise risk management and operational process improvement panels/committees. He also has extensive experience in the investigation of ethics and fraud related issues.

Bailey Jordan has 30 years of consulting experience covering a wide range of engagements, including projects in enterprise risk management, internal audit co-sourcing/outsourcing, quality assurance reviews, internal audit transformation, and Sarbanes-Oxley. He is an advisory council member of COSO’s ERM – Integrated Framework Update Project and an advisory board member of N.C. State University’s College of Management ERM Initiative. Jordan frequently speaks on topics including trends in internal audit, ERM, EQA, internal controls, and consulting and soft skills for the internal auditor. He currently serves as a member of The IIA’s North American Advocacy Committee.

CS 6-2: Cloud Computing Controls: Managing Risk

Princy Jain, CIA, CCSA, CRMA, CA

Partner

PwC

Abhi Pandit, CISA, CPA

Senior Director, Head of Technology Audit & Assurance

Adobe

Explore how Adobe and other tech companies view cloud compliance risks and how one organization adopted a common controls framework. This approach facilitates efficiency and reduces compliance risk while providing visibility through one common model.

In this session, participants will:

• Learn the types of risks and compliance frameworks in a cloud environment.

• Discuss how to establish a common control framework model.

• Explore how to test and monitor controls on an ongoing basis.

• Share leading practices in making the program successful.

Princy Jain serves as the leader of the controls testing and monitoring solution within the Risk Assurance practice and has been serving globally diversified Fortune 500 companies for more than 22 years. His experience includes public and venture-backed companies, to which he has provided his expertise in internal audit, Sarbanes-Oxley compliance, risk management, enterprisewide strategic risk management, business transformation, merger integration, finance and business process improvement, and auditing and accounting. Jain is an active public speaker on these topics and has contributed as a co-author on several guidance publications produced by The IIA. He is an active volunteer at The IIA, serving on The IIA’s North American and Global Boards. He also serves on the Northern California Board of Ascend, an organization dedicated to leveraging the leadership and global business potential of Pan-Asians.

Abhi Pandit oversees a team that focuses on providing risk management, security compliance, audit and assurance services to Adobe’s engineering, IT, finance and sales organizations. Prior to joining Adobe, Pandit worked at various firms including Deloitte’s enterprise risk services group, providing advisory, audit, compliance, product development, and product management services.

CS 6-3: COSO's Revised ERM Framework: It's Final!

Robert Hirth

Chairman

COSO

Frank Martens

CPA

PwC

The COSO ERM framework has now been released in final form. Learn about the process, what key changes resulted from the public exposure draft, and what the final version attempts to communicate and accomplish. This session will help auditors consider how they can best use it in their organizations to add value.

In this session, participants will:

• Understand the background to the project and The IIA's and ISACA's role in the revision.

• See the final framework structure and contents.

• Learn about its key message points.

• Understand major changes from the exposure draft version.

• Identify ways to best apply the framework within an organization.

Robert Hirth was unanimously elected by the board of COSO’s sponsoring organizations in 2013. His experience includes all of COSO’s mission disciplines: ERM, internal control, and fraud deterrence. He has worked on assignments and made presentations in over 20 countries, serving more than 50 organizations and working closely with board members, C-level executives, finance and accounting personnel as well as public accounting firm partners and employees. Most recently, Hirth served as a senior managing director of Protiviti and prior to that, he was executive vice president of global internal audit and a member of the firm’s executive management team for the first 10 years of Protiviti’s development. In 2017, he became a board member of the Sustainability Accounting Standards Board (SASB) and previously served a lengthy term on the Standing Advisory Group of the Public Company Accounting Oversight Board (PCAOB). In 2013, Hirth was inducted into The IIA’s American Hall of Distinguished Audit Practitioners. In 2014 and 2015, he served as the chairman of The IIA’s IPPF re-look task force.

Frank Martens serves as the firm’s global risk framework and methodology leader, providing thought leadership on enterprise risk management and support to client teams across geographies and a wide range of companies. Martens is the project lead director on the COSO Enterprise Risk Management–Integrating with Strategy and Performance. He has met with large and smaller companies, organizations, and government organizations from around the world.

CS 6-4: Change Management Best Practices for ERP Systems: A Case Study From Audits of Oracle E-Business Suite Installations

Jeffrey Hare, CPA, CIA, CISA

CEO

ERP Risk Advisors

Change management is a multi-faceted topic. Like the various sides of a gem, having mature change management processes and controls requires various approaches. One can think of change management in four buckets – object oriented changes, security, patching, and configurations. This session explores what it takes to build and implement a first-class change management process for organizations running ERP systems.

In this session, participants will:

• Evaluate change management best practices in conjunction with The IIA’s GTAG, Change and Patch Management Controls: Critical for Organizational Success, 2nd edition.

• Understand how these standards apply to ERP systems.

• Discuss various examples of organizational maturity in change management controls.

• Explore common issues organizations struggle with related to the change management process.

Jeffrey Hare is a top expert, having worked around the world in the Oracle ERP space with an extensive background in public accounting (including Big 4 experience), industry, and Oracle applications consulting. He has been working in the Oracle applications space since 1998 with implementation, upgrade, and support experience. Hare currently teaches the MISTI class "Auditing Oracle's E-Business Suite" and has written two books on security and controls for Oracle E-Business Suite. Hare is working on updated editions of both titles, which are expected to be released in 2017. He has written whitepapers and articles that have been published by major trade and industry organizations.

Thursday | August 17, 2017 11:25 a.m. – 12:25 p.m.

CS 7-1: Adding Value by Managing the Perception Gap

Jeremy White, CISA

Senior Director, Assurance and IT Audit - Audit Services

LifePoint Health

The environment in which we work and the expectations under which we operate require that we shift to meet the definition of not just what we do, but of who we are as auditors. A key factor in successfully making that shift is managing perception. We all have a “reality” of who we are and what we do, but too often our “reality” is smashed on the rocks of someone else’s perception. It will be to the auditor’s benefit to identify and manage the perception gap that exists in their organization.

In this session, participants will:

• Explore the shift that every audit department is trying to make from a compliance and regulatory function to a value-adding business partner.

• Discuss a very important — if not the most important — factor in that shift: Perception.

• Identify ways to determine the current perception of your department and compare it with your defined reality or expectation.

• Determine ways to manage the gap that exists between those two places — perception and reality — leading to adding value.

Jeremy White has been involved in numerous facets of auditing over the past 16 years, beginning his professional career with Deloitte & Touche as an enterprise risk services consultant. After several years at Deloitte, he transitioned from public accounting into industry, particularly health care. In addition to corporate roles, White owned his own consulting practice for several years. He also serves on the Accounting and Advisory Board at Tennessee Tech.

CS 7-2: Auditing Network Security

Ashish Jain, CIA, CPA, CISA, CA, ACDA

Director of Internal Audit

University System of New Hampshire

Considering today's cybersecurity risks, strong network security practices are essential and critical to secure the organization's data and IT infrastructure. Numerous network devices are available, but reviewing the technical configuration settings of these devices and identifying security improvement opportunities is an uphill task for auditors and management alike. Network security is measured by the weakest point in the network, which can put the entire organization's IT infrastructure at risk.

In this session, participants will:

• Review the top key areas to audit on network devices, ideas to benchmark against best practices, and common network security requirements.

• Identify risk areas for a network device audit.

• Locate resources for common security practices.

• Plan a basic network device security audit.

• Discuss common audit issues in this area.

Ashish Jain is responsible for developing, organizing, and directing the organization’s internal audit plan. He manages financial, operational, IT, and compliance audits to determine the adequacy of the systems of internal control and the degree of compliance with these controls. Jain is also charged with conducting special investigations as requested, and making recommendations for improved controls, operating procedures, and systems designs. Prior to joining USNH in 2016, he worked in the internal audit departments at Boston College and MIT.

CS 7-3: Collaborative Risk Management: Audit and the 2nd Line of Defense

Dan Clayton, CIA, CPA, CKM

System Audit Office Director of Strategy and KM

University of Texas System

Risk silos are naturally created within an organization — explained best by the different objectives of the 3 Lines of Defense and their unique perspectives and tools. Collaborating effectively around risk requires common understanding supported by a common taxonomy and shared technology. Commonality is found in defining what business objectives are at risk. This presentation focuses on organizing and sharing risk data across all lines of defense as the starting point in breaking down organizational risk silos and establishing a stronger relationship with management and governance.

In this session, participants will:

• Explore how we got here with risk and risk management; a review of definitions, frameworks, and perspectives.

• Exchange ideas on collaborating on risk across goals and perspectives; a discussion of defining risk components from a general business use perspective.

• Discuss the ideal we should strive for: organizing risk data to leverage comparison while maximizing input from each of the 3LoD perspectives.

Dan Clayton has spent the last 10 years in internal audit professional practices and function development, staying abreast of the governance, risk, and internal audit industries and topics, along with developing frameworks, models, and procedures to elevate internal audit practices. His field of interest is risk assessment and ERM. Over the last 10 years, he has led or participated in updating risk assessment models, audit and audit committee reporting deliverables, and audit and consulting methodologies. Clayton built a knowledge management structure for a team of 300+ auditors, including resource development processes that captured research, audit planning, and other data to elevate and codify a standard library of materials. Clayton has published articles in trade publications including Internal Auditor magazine and currently serves on The IIA’s CREA Committee, which reviews research and content development for the Internal Audit Foundation and IIA Bookstore. He also serves on Utah Valley University’s Internal Audit Advisory Board.

CS 7-4: FCPA: Are You Risk Focused and Audit Ready?

Chian Boen, CAMS

Sr. Manager, Forensics & Compliance

Johnson & Johnson

Aditya Misra, CPA, CFE

Senior Manager, Corporate Internal Audit

Johnson & Johnson

Go on the journey with J&J as we explore their internal audit department’s recent foray into data analytics and goals,

types of FCPA/Anti-Bribery and Corruption risks in the health care industry and how to identify and mitigate them, and

an audit methodology that is geared for emerging risks.

In this session, participants will:

• Walk the path J&J followed to implement data analytics for identifying risks related to FCPA/Anti-Bribery

and Corruption.

• Identify the types of risks in the health care industry and how to identify and mitigate them.

• Discuss develop an audit methodology and monitoring plan that helps identify risks and red flags in

increase audit effectiveness.

Chian Boen joined J&J in 2008 and manages the sensitive issue investigations within the organization’s internal audit department. He has also participated in FCPA process reviews. Boen has more than 20 years of investigations and government/law enforcement experience, having worked for the Manhattan District Attorney’s Office, the NYS Office of the State Inspector General (OIG), and the forensic practice of a Big Four accounting firm. Prior to coming to J&J, he was the director of anti-money laundering investigations and transaction surveillance at a large international bank.

Aditya Misra has been with J&J since 2008, managing cross-sector (pharmaceutical, medical devices, and consumer) financial audits/internal control and Sarbanes-Oxley reviews related to worldwide operations and conducting internal company investigations globally with a focus on FCPA/Anti-bribery and corruption audits. He has also been instrumental in implementing data analytics in J&J internal audit to help deliver better outcomes and enhance audit capabilities. Misra also has extensive experience in risk consulting, internal audit, and controls assessments with KPMG and CohnReznick. He began his career in India with the TATA group and later at General Motors India as manager of corporate affairs and corporate secretary with responsibilities for internal audit and risk management. Misra is a recognized industry speaker, having presented on internal audit, fraud, and data analytics. His article in Internal Auditor magazine, Proactive Fraud Analysis, appeared on the list of Top 10 features for 2016.

Thursday | August 17, 2017 1:25 – 2:25 p.m.

CS 8-1: Activate Your Internal Auditing Awesomeness™

Robert Berry, CIA, CPA, CISA, CCEP

Executive Director Internal Audit

University of South Alabama

Internal auditors are awesome people. That’s something we don’t hear in most business environments. Oftentimes we are called necessary evils, the group that bayonets the wounded … you get the point. Several years ago, after a tough audit engagement, a client referred to this presenter’s company as awesome. Then another. And another. Pretty soon, they started to believe they were actually awesome. But they didn’t know what they were doing to create the perception, so they asked. Surprisingly, it has little to do with actually auditing.

In this session, participants will:

• Learn three critical components to becoming — and staying — awesome.

• Discover how to find your awesome attributes and apply them to auditing.

• Find the courage to activate your awesomeness.

Robert Berry is an advocate for better business environments. For almost 20 years, he has worked as an accountant, auditor, business process specialist, and business consultant helping organizations save millions while reducing redundancies. He writes frequently about risk, audit, and compliance and presents on these topics at industry conferences. He is a Six Sigma Greenbelt.

CS 8-2: Cyber Resilience Framework for the 21st Century Executive

Jeff Welgan, PMP

Executive Director

CyberVista

Understanding cybersecurity-related risks and opportunities is now a critical component to the oversight, governance, and management responsibilities for all business leaders. Corporate leaders and board members must have the expertise to ask and understand cybersecurity questions to lead their organizations toward a sturdy, resilient posture. This session will guide the audience through preparing, monitoring, and responding to cyber risks, as well as provide actionable steps that promote cyber resiliency.

In this session, participants will:

• Recognize the importance of identifying and managing cyber risk across the organization and with stakeholders.

• Learn how to manage cyber risk through accepting, avoiding, mitigating, or transferring risk.

• Create a scorecard to effectively communicate and provide strategic guidance to your organization.

• Apply strategies for determining costs and benefits of cybersecurity programs and services.

• Identify the key considerations related to enterprise risk to prioritize during a cyber incident.

Jeffrey Welgan directs and oversees CyberVista’s executive training programs. His cyber expertise is rooted in all-source, strategic analysis of cyber threat actors, as well as nation-state cyber capabilities and doctrines. He previously managed a cyber threat intelligence capability at Booz Allen Hamilton, focusing primarily on specialized cyber threat studies for Fortune 100 commercial clients and for multiple government agencies, including the DIA, CIA, NSA, FBI, U.S. Cyber Command, U.S. Special Operations Command, and more. Welgan served in the U.S. Navy as both an intelligence specialist and a search and rescue (SAR) swimmer and served during two overseas deployments.

CS 8-3: Auditing Business Continuity

Seth Davis, CIA, CPA, CFA, CPCU, CISA

Vice President, Internal Audit Services

RLI Corporation

Ben Getz, CIA, CISA, CPA, CPCU, ARe

Senior Auditor

RLI Corporation

How effective is your company’s business continuity plan? You may not have the opportunity to find out how effective it is until you need to deploy it and then, it’s too late. Together, we will discuss the key considerations for an audit of BCP covering both the enterprise and business-unit levels.

In this session, participants will:

• Learn key areas to consider in an audit of business continuity planning.

• Review the elements of BCP governance and corporate plan coordination.

• Discuss a business impact analysis and alternative procedures at the business-unit level.

• Talk about the importance of alignment of the business and IT.

• Explore third-party considerations and plan testing.

Seth Davis oversees the development and execution of the audit plan providing assurance and advisory services, and coordinates efforts with Sarbanes-Oxley assessments and corporate business continuity as well as model risk governance. Davis has been with RLI since 2004, and his prior experience includes working as an audit director at CNA as well as working in claims and underwriting management at State Farm.

Ben Getz has experience working with business continuity, vendor management, and IT security in addition to substantive financial statement work. His background is in accounting, but he has worked in internal auditing and IT auditing for the past several years. Prior to joining RLI five years ago, Getz spent two years working in external audit with Clifton Gunderson LLP (now Clifton Larson Allen). He has previously presented on the topic of business continuity and co-authored an article on the topic for Internal Auditor magazine in 2014.

CS 8-4: When Life Gives You Lemons: Five Ways to Turn GRC Struggles Into Success

Ina Cheatem, CRMA, CCSA, PMP

Supervisor, Global GRC Technology

General Motors Company

Rob Simkow

Manager, Global GRC Technology

General Motors Company

Get ready for an interactive case study and knowledge-sharing session on an innovative approach to GRC implementation. Throughout the session, participants will be engaged in contributing to a lively discussion via polling, collaborative brainstorming, short video clips followed by lessons learned reviews, and culminating in a Q&A period.

In this session, participants will:

• Elaborate on the definition of GRC and understand different interpretations among companies.

• Explore how General Motors approached an innovative GRC implementation.

• Understand key lessons learned that may assist other companies in similar implementations.

Ina Cheatem supports the implementation of a global, cross-functional GRC technology based in IBM OpenPages. She has over five years of progressive GRC experience. At Rolls Royce Power System, she was a member of the global internal controls office and supported the rollout of a global internal controls framework and the supporting technology. Cheatem also led a large regulatory compliance project for a Fortune 500 utility organization. She has several years of experience in risk management, CSA, internal controls, operational auditing, finance, and project management across several industries including manufacturing, automotive, energy/utility, and travel.

Rob Simkow is responsible for managing the implementation of a global, cross-functional GRC technology solution spanning multiple organizations, including audit services, Sarbanes-Oxley, strategic risk management, operational risk management, as well as other risk and control organizations. Prior to his current role, he held multiple roles at GM. Beginning as an IT auditor 10 years ago, Simkow transitioned to a finance controllership role in a manufacturing plant, followed by a finance role in audit, and then a management role in IT finance.

Thursday | August 17, 2017 2:40 – 3:40 p.m.

CS 9-1: Why Emotional Intelligence and Critical Thinking Skills Are Essential

Bret Kobel

Managing Partner

Empower Audit

Internal auditors spend most of their time communicating: speaking with and interviewing clients, preparing information for distribution, and deciphering information they have gathered. Those communications are frequently strained because auditors regularly encounter conflict, difficult situations, and at times, difficult people. Enhanced emotional intelligence (EQ) and critical thinking skills can turn these situations into opportunities to build positive relationships and end conflict to improve an auditor’s effectiveness.

In this session, participants will:

• Understand what emotional intelligence is and how it helps or hurts us.

• Learn strategies to improve emotional intelligence and, in turn, better perform the role of internal auditor.

• Understand the levels of thinking and what constitutes critical thinking.

• Discover methods to increase critical thinking and ways to identify when you are not thinking critically.

• Examine the ways emotional intelligence and critical thinking together improve communication, specifically in interviewing audit clients.

Bret Kobel has more than 20 years of professional finance, accounting, audit, risk, and compliance experience. He specializes in internal controls, process improvement, process transformation, and implementation with organizations operating under GAAP and/or IFRS Standards. Kobel brings a diverse background to the organization from venture-backed startups to global Fortune 500 companies.

CS 9-2: Ransomware in the Enterprise

Derek Parke, CISSP

Cybersecurity Consulting Manager

Crowe Horwath

Per the 2016 Symantec Internet Security Threat Report (ISTR) on ransomware, 38% of businesses in the U.S. have dealt with ransomware between January 2015 and April 2016. Attackers are continuously crafting new techniques to deploy ransomware, and organizations are falling prey to these attacks on a regular basis. This session will cover the overall threat landscape of ransomware in enterprise environments, discussing types of attacks, steps of a successful ransomware attack, and how organizations can detect, respond to, and prevent these types of attacks.

In this session, participants will:

• Define what ransomware is and why it has been so successful.

• Understand the impact of ransomware and the real risks.

• Help attendees understand methods of preventing these attacks in their environment.

• Provide guidance on the methods of detecting an attack.

• Identify how to respond to a ransomware attack, aside from paying the ransom.

Derek Parker is a manager within Crowe Horwath’s Cybersecurity Risk group with an industry expertise in financial institutions.

CS 9-3: The Transformational Internal Auditor: Improving Compliance by Improving Process

Nydia Torres

Supervisor of Internal Audit

El Paso Electric Company

Gabe Zubizarreta, CPA, CGMA

CEO and Founding Principal

Silicon Valley Accountants

The IIA’s CEO Richard Chambers has called on internal auditors to become "Agents of Change," interested not just in counting the beans, but in "how the beans are grown, how they are harvested, and how they are taken to market.” This new approach inspired more than one organization to make substantial adjustments to the traditional audit model, leveraging the change as an opportunity to improve processes, making them more efficient and effective. Demonstrable results included effective controls, and reducing risk and cost while increasing confidence in the reporting.

In this session, participants will:

• Explore the role of the internal auditor as an agent of change, improving compliance, increasing efficiency, and reducing risk through continuous improvement.

• Identify the moral dilemma preparers are placed in when business conditions or regulatory requirements change, while controls have not kept pace.

• Learn how to leverage change to create a culture of continuous improvement.

• Examine the relationship between high quality, efficient processes and compliance.

• Learn how to build controls into the process, rather than bolt them on later.

Nydia Torres has been with El Paso Electric since 2007 and has held various positions, including senior compliance and financial analyst and financial accountant. Prior to joining the El Paso Electric Company, Torres served as a senior external auditor with Ernst & Young. Nydia currently sits on the IIA El Paso board as the Treasurer.

Gabriel Zubizarreta has more than 10 years of experience with PwC, held various controller positions, and led several merger integration projects before founding his own company. His experience is from external audit and industry perspectives, including Sarbanes-Oxley compliance, technical accounting topics, process optimization, and a strong knowledge of systems. Zubizarreta designed a framework, based on a balanced approach of training, leadership, process improvement, and system optimization, that delivers continuous improvement-based results to optimize financial processes.

CS 9-4: Utilize the STAR Model in Auditing Governance

Robert Alexander, CPA, CIA, CRMA, CGMA

Senior Manager, Internal Audit

Raytheon Company

Ellen Lux

Senior Manager, Internal Audit

Raytheon Company

The STAR model, created by an expert who specializes in matrix organizations, can be adapted to an audit department. Participants will learn how to apply the STAR model with Six Sigma root cause analysis and process improvement tools for auditing governance in order to realize an ROI for their stakeholders.

In this session, participants will:

• Explore the STAR model concept (strategy, structure, process, rewards, people).

• Learn how to apply the STAR model with Six Sigma tools in audit situations.

• Understand how to recognize symptoms associated with dysfunction or disconnects in the different aspects of governance.

• Combine these skills with root cause analysis and other Six Sigma process improvement techniques to ensure a robust ROI on audits.

Bob Alexander has over 30 years of domestic and international experience in the internal audit profession covering financial, operational, and critical risks audit. Prior to joining Raytheon, he worked for Nissan North America as senior manager of internal audit for financial and operational audit. He was instrumental in the start-up of Nissan’s internal audit department, the coordination of global audit, and the development of consolidated financial statements for Nissan’s North American operations. Previously, Alexander worked with Deloitte & Touche and has experience in a variety of industries, most notably in the automotive manufacturing, retail areas, aerospace, and defense. He is a certified Raytheon Six Sigma expert.

Ellen Lux has over 25 years of domestic and international experience in the aerospace and defense industry. She joined Raytheon in 2000 and has demonstrated leadership in a variety of roles within operations, supply chain, program management, and quality. Lux has served in several aerospace industry associations: as the chair of the conflict minerals working group in the Aerospace Industry Association (AIA) as well as leading an international pilot for collecting supplier part provenance in the International Aerospace Environmental Group (IAEG). Prior to joining Raytheon, she was the chief administrative and executive officer of a chamber of commerce in Texas. Lux is an Air Force veteran, having spent time on active duty and reserves as a communications officer serving during Desert Shield/Desert Storm and Bosnia operations. She is a certified Raytheon Six Sigma Expert and a Master Raytheon Six Sigma Expert in training.

Thursday | August 17, 2017 4:00 – 5:00 p.m.

CS 10-1: Getting the Boss to Listen to You: Becoming a Trusted Strategic Advisor

James Lukaszewski, ABC

President

The Lukaszewski Group

This powerful presentation will teach, inspire, and motivate participants to increase the personal impact they have within their organizations and on clients, and help them become trusted strategic advisors. It’s also about having a happier, more important, influential, and successful career.

In this session, participants will:

• Demonstrate a more strategic perspective on the relationship between advisor and operating executives and managers.

• Create a personal strategy to revise personal habits, approaches, and practices to be more effective and influential.

• Exercise innovative and powerful advice-giving strategies that are more managerially and operationally friendly, rather than technical and jargonistic.

Jim Lukaszewski is one of America’s most visible corporate go-to people for senior executives when there is trouble in the room or on the horizon. As America’s Crisis Guru®, Lukaszewski is known for his ability to help executives look at problems from a variety of sensible, constructive and principled perspectives. Lukaszewski is frequently recognized by professional and industrial organizations for his contributions to the practice of crisis management. He has written 13 books and hundreds of articles and monographs.

CS 10-2: Post-merger Cyber Considerations

Jacob Gregg, CISA, CISSP

Senior Manager

Deloitte

Elvia Novak

Managing Director, Risk & Financial Advisory

Deloitte

Consolidation within the corporate landscape and industries presents both opportunities and risks for those involved in mergers and acquisitions, particularly as it relates to cyber issues. This presentation will cover post-merger cyber considerations that address key risks and opportunities to exceed common business performance goals.

In this session, participants will:

• Integrate operations and technologies across multiple and varying IT environments.

• Identify and normalize cyberrisks from the “as-is” environment and consider how they will be addressed in the “to-be” environment, including cloud, mobile, and on-premise technology.

• Organize teams and manage communications to move toward the common IT, security, and business goals.

Jacob Gregg oversees the organization’s risk and financial advisory’s cyber risk services practice with over 12 years of experience assessing, designing, and implementing general computer controls, business process controls, application security controls, and segregation of duties (SoD) with special emphasis in the SAP environment. He has served as the security and controls team lead for multiple full lifecycle ERP implementations and is a leader in Deloitte’s SAP GRC practice assisting clients with their compliance initiatives. Gregg serves in Deloitte’s quality control group assisting engagements with their internal risk management activities. As a cyber risk practitioner, he has assisted clients in developing IT policy frameworks, classifying data, and helping clients determine cost beneficial data protection techniques. Gregg is a Deloitte training facilitator for SAP GRC and delivers training nationally.

Elvia Novak has over 25 years of experience with 19 years focused on ERP and internal controls for implementations, audits, and assessments in the life and health sciences, manufacturing and consumer products industries. Her industry experience includes procurement, planning, manufacturing, and supply chain management. Novak’s areas of specialty include security, controls, and enterprise risk assessments, as well as project management.

CS 10-3: Vendor Risk Management: Responsibility Cannot Be Outsourced

Jennifer L. Donaldson, CRISC

Vendor Risk Advisor

FedEx Corporation

Kimberly Lofties, CRISC

Senior Vendor Risk Analyst

FedEx Corporation

Does your organization outsource services to a third-party? Does your organization have a Vendor Risk Management Program? As organizations outsource business critical processes and services, the need for this is more apparent than ever. Executive buy-in and stakeholder investment are necessary for the foundation of a risk aware culture. As awareness is heightened, Vendor Risk Management and stakeholders collaborate in a joint effort to identify and mitigate risks.

In this session, participants will:

• Gain a better understanding of the role of a Vendor Risk Management Program when outsourcing.

• Understand the necessity of executive buy-in and stakeholder involvement with the program.

• Learn how to identify the inherent risk of outsourcing/offshoring.

• Identify the appropriate actions to mitigate the risk.

Kimberly Lofties is part of a team responsible for the development and growth of the FedEx Vendor Risk Management (VRM) program. With over 12 years of experience in VRM, accounting, and compliance, she has led numerous efforts to align VRM activities with key business partners to drive process improvement and efficiencies. Lofties co-authored “Reinforcing the Links to Strengthen the Chain: Vendor Risk Management” for US Cyber Security Magazine.

Jennifer Donaldson has 17 years of vendor and contract compliance experience and contributed to the start-up of FedEx’s Vendor Risk Management program. She supports third-party risk assessments and is responsible for training efforts related to vendor risk awareness, mitigation, and contract management and volunteers on the company’s Women-In-Leadership resource team. Donaldson co-authored an article titled “Reinforcing the Links to Strengthen the Chain: Vendor Risk Management” for US Cyber Security Magazine.

CS 10-4: Diamond in the Rough: Maximizing Synergies of Global Governance and Investigation

Jesse Daves, CPA, CFF, CFE

BDO Consulting Managing Director

BDO USA, LLP

Dawn Williford, CIA, CRMA

South Region Leader, Risk Advisory Services

BDO USA, LLP

This story has it all: Diamond necklaces, excessive entertainment, mislabeled products, and an unsuspecting home office. This real-life case study is a sparkling example of process and control failures, corruption, cultural differences, unethical behavior including illicit diamond gifts, and lessons learned that can help auditors identify similar situations, get to the root of the problems, and implement changes and controls to move from a toxic environment to a diamond standard in governance.

In this session, participants will:

• Gain an understanding of risk factors of conducting business globally, specifically as it relates to doing business in developing countries.

• Acquire an understanding of cultural issues and lack of home office oversight that contributed to control failures, misaligned business practices, declines in product quality, and loss of market share.

• Obtain knowledge to recognize organizational triggers and audit techniques to uncover the depth and breadth of these issues.

• Learn about leadership, processes, and controls changes that can drive behavioral change to shift an unhealthy organization to one that aligns with values, laws, and expectations of the home office.

Jesse Daves has 20 years of experience providing audit, forensic accounting and investigative services to clients across a wide range of industries including energy, retail, real estate, and manufacturing. Daves has conducted fraud-related investigations involving numerous issues, including alleged violations of the Foreign Corrupt Practices Act (FCPA), embezzlement, kickbacks, Ponzi schemes, conflicts of interest, and various employment matters.

Dawn Williford has over 17 years of experience in delivering internal audit, compliance, and consulting solutions to Fortune 500 and middle market companies. Prior to joining BDO, Williford was at UHY Advisors TX, LLC for 12 years and before that, she was with PwC. She has assisted newly public companies successfully achieve year-one Sarbanes-Oxley compliance and been heavily involved in all aspects of business process evaluation and documentation, corporate governance, Sarbanes-Oxley readiness and ongoing compliance, risk assessments, root cause analysis, and internal audit outsourcing and cosourcing. Williford has managed large-scale internal audit, internal controls consulting, and Sarbanes-Oxley engagements. She has assisted clients with design and implementation of their internal controls framework, and led teams that developed the firm’s COSO 2013 methodology. Williford assists clients with the development of their internal audit department and served as the CAE for her outsourced internal audit clients. She has managed construction, vendor, joint venture, and large scale multi-vendor audit programs that have identified millions of dollars in cost recoveries for her clients.

Friday | August 18, 2017 8:30 – 9:30 a.m.

General Session 2: Using Multiple Guidance Systems for the Governance of Enterprise IT

Mark Thomas, CGEIT, CRISC

President

Escoute Consulting

As GRC activities are increasingly integrated into enterprises, it is critical to ensure a healthy balance between performance and conformance. This session will discuss how it is crucial to use multiple GPS-like systems to effectively steer GRC activities and focus on creating value. Using multiple viewpoints can help improve decision-making and strengthen an enterprise.

In this session, participants will:

• Recognize the importance of having multiple guidance systems to navigate GRC efforts in a holistic manner.

• Learn how to leverage multiple perspectives and techniques in balancing performance and conformance when determining GRC priorities.

• Gain insight into how to implement tactics and apply them to create value for your enterprise.

Mark Thomas is an internationally known governance, risk, and compliance expert in the areas of cybersecurity, IT service management, assurance and audit, and IT controls. His background spans leadership roles from CIO to management and IT consulting in several federal and state agencies, private firms, and Fortune 500 companies. With over 25 years of professional experience, Thomas has led large IT teams, conducted information governance/risk activities for major initiatives, managed enterprise applications implementations, and implemented cybersecurity and governance processes across multiple industries. Additionally, he works as a consultative trainer and speaker, and earned the ISACA John Kuyers award for Best Speaker/Conference contributor in 2016.

Friday | August 18, 2017 10:15 – 11:30 a.m.

Closing Keynote: Which Leadership Quality Matters Most With Stakeholders and Employees

Dick Finnegan

CEO

C-Suite Analytics

We usually hear leadership qualities in bunches with no established top one. Coaching? Career Development? Communication? Or might recognition come in first since we hear so much about it?

There IS a clear leader: building trust. Think of it like this. Did your best-boss-ever build trust but your worst-boss-ever did not? And did your best boss have weaknesses you easily accepted? And might your worst boss have had strengths which were invisible to you? This pattern is clear: Once anyone in our lives crosses the boundary to trustworthiness, they can do little wrong. And the opposite is true once they cross the other way. Trust-breakers are hard to forgive.

Which trust skills matter most?

1. Be transparent.

2. Apologize when you should.

3. Hold others accountable.

These same trust-building skills apply to our stakeholders, too, as small-but-strong indicators go a long way to believing in our competence and integrity. And those two words — competence and integrity — are (or should be) in the first sentence of any auditor job description.

Leaders who build trust excel at our two most important goals: create respected relationships with stakeholders and produce more work from their teams.

In this session, participants will:

• Understand why trust is the key leadership attribute in building relationships.

• Review which trust skills matter most and why.

• Discuss strategies to build trust.

• Discuss the value of building trust.

Dick Finnegan founded his firm that provides employee engagement and retention solutions including STAYview, a guaranteed solution. His experience includes solving turnover and engagement issues in Siberian banks, African gold mines, multinational corporations in China, and for the CIA, as well as for health care, call centers, manufacturing, and other industries in the United States. Finnegan has written a number of books, including SHRM’s all-time best seller The Power of Stay Interviews for Engagement and Retention and Rethinking Retention in Good Times and Bad. His newest titles are The Stay Interview: A Manager’s Guide to Keeping the Best and Brightest, published in over 20 languages and available as an audio book, and HR’s Greatest Challenge: Driving the C-Suite to Improve Employee Engagement and Retention. Finnegan is a popular, humorous, and insightful speaker for conference and corporate events. The Orlando Sentinel’s editorial board recognized Finnegan for donating his professional services to non-profit organizations.