Tuesday | August 15, 2017 8:30 a.m. – 5:00 p.m.
Workshop 1: COBIT NIST Cybersecurity Framework
Mark Thomas, CGEIT, CRISC
President
Escoute Consulting
Marketing databases, customer analytics, and behavioral patterns are easier to manage with big data — but will these
data elements be safe from hackers? And what is the impact of the Internet of Things? You will learn how to harness the
power of big data and build your big data to achieve business goals while adding in safeguards to fight cybercriminals.
Explore how the Internet of Things may be the ultimate driver of global change.
As part of the knowledge, tools, and guidance provided through the Cybersecurity Nexus (CSX)™ program, ISACA has
developed a guide and course: Implementing NIST Cybersecurity Framework Using COBIT 5®. This workshop is a synopsis
of that course, focusing on the Cybersecurity Framework (CSF), its goals, the implementation steps, and the ability to
apply learnings.
In this session, participants will:
• Understand the goals of the Cybersecurity Framework (CSF).
• Learn and discuss the content of the CSF and what it means to align to it.
• Understand each of the seven CSF implementation steps.
• Be able to apply and evaluate the implementation steps using COBIT 5.
• Discuss the progression and touch points of protecting big data – and what might happen if this is ignored.
• Learn about the Internet of Things and why it’s both feared and welcomed.
• Identify how COBIT and NIST can work together to create a customizable framework to stave off attacks.
Pre-requisites for attending this Workshop:
• Basic knowledge of COBIT
• Basic knowledge of security concepts
Mark Thomas is an internationally known governance, risk, and compliance expert in the areas of cybersecurity, IT
service management, assurance and audit, and IT controls. His background spans leadership roles from CIO to
management and IT consulting in several federal and state agencies, private firms, and Fortune 500 companies. With
over 25 years of professional experience, Thomas has led large IT teams, conducted information governance/risk
activities for major initiatives, managed enterprise applications implementations, and implemented cybersecurity and
governance processes across multiple industries. Additionally, he works as a consultative trainer and speaker, and
earned the ISACA John Kuyers award for Best Speaker/Conference contributor in 2016.
Workshop 2: ERM Can Now Work! Putting the Updated COSO ERM Framework and ISO 31000 Standards Into Practice
Doug Anderson
Managing Director, CAE Solutions
The Institute of Internal Auditors
Charlie Wright
Director, Enterprise Risk Solutions
BKD
ERM is not a process, a tool, a department, or a list of risks – it is how an organization makes better business decisions.
COSO recently updated the ERM Framework with increased emphasis on recognition that risk management is
fundamental for an organization to align its actions with its strategy. At the same time, ISO is nearly finished updating its
standard 31000. With the advent of these two significant updates, it is time to reconsider the foundations of risk and risk
management. Every organization is in the “risk management” business as managing risk is part of nearly everything an
organization does.
The workshop will use a combination of theory, small group discussions to unpack the theory into easily understandable
parts, and case studies to cover these topics.
In the session, participants will:
• Learn the fundamental elements of risk: its identification, measurement, responses, and reporting.
• Understand the best practices for a risk management process.
• Apply the concepts of risk management to the auditor’s task of using risk in planning, executing, and
reporting on audit work.
• Define the key attributes to be considered when performing an audit of an ERM process.
Doug Anderson joined The IIA in 2016 after serving as an assistant professor at Saginaw Valley State University. Until
2013 Anderson worked with The Dow Chemical Company for 22 years. His roles at Dow included 16 years in internal
audit (9 years as CAE), a global finance director in corporate controllers supporting acquisitions, divestitures, and joint
ventures, and the finance leader for the global Dow latex business. Previously he spent 10 years with
PriceWaterhouseCoopers.
Charlie Wright leads BKD’s enterprise risk management efforts on a national basis. From 2005 to 2016, he served as vice
president of internal audit at Devon Energy Corporation and prior to joining Devon, he was the general auditor at
American Airlines. Wright was recently elected to serve as the vice chairman of the Professional Guidance Committee on
The IIA’s Global Board of Directors.
Wednesday | August 16, 2017 8:30 – 9:45 a.m.
Opening Keynote: The Cyber Blacklist: Top Threats and Countermeasures for Data Security
John Sileo, CSP
CEO
The Sileo Group
At the heart of most data theft is lax cybersecurity: a broad term that will cease to intimidate you after this presentation.
This crash course forges a high-level, non-technical path through the sometimes confusing web of human decision
making, computer security, mobile technology, internet connectivity, online privacy, and cloud computing and will leave
you with an actionable list of steps to protect your sensitive data, mobile devices, social identity and, ultimately, your
wealth and profitability.
In this session, participants will:
• Learn techniques to overcome or at least deal with the fear of falling behind the digital curve.
• Discuss why staying vigilant is key in helping you protect the data that underlies your organizational and
personal wealth.
• Hear a real-life case study on the long road to recovery from an unfortunate incident and how to
transform risk into reward.
John Sileo founded his company which advises clients on balancing risk, defending privacy, and multiplying profits by
building a culture of deep trust. He is an award-winning author, trusted advisor, and leading speaker on managing
privacy and reputation in an economy plagued by digital overexposure. Sileo has appeared as a cybersecurity expert on
numerous television shows and he has been interviewed or quoted in multiple trade and consumer publications. He
leverages his story of transforming risk into reward and the emotional connections it creates to evoke the skills of
instinct, inquiry, and initiative that empower his clients to take control of their data exposure before it’s too late.
Wednesday | August 16, 2017 10:15 – 11:15 a.m.
CS 1-1: The Need for Change Enablement in Adopting Governance and Management Practices
Mark Thomas, CGEIT, CRISC
President
Escoute Consulting
Successful implementation or improvement initiatives depend on adopting the appropriate change (the good practices)
in the best means possible. But frequently there isn’t enough emphasis on managing the human, behavioral, and cultural
aspects of the change and on motivating stakeholders to buy into it. Change enablement is one of the biggest
challenges to governance implementations.
In this session, participants will:
• Explore a typical implementation methodology infused with leading practices in designing, executing, and
monitoring an organizational change enablement program.
• Understand the seven phases of an implementation lifecycle that can meet organizational needs.
• Associate critical change enablement inputs, outputs, and tasks with each of the seven phases of the
implementation lifecycle.
• Learn how to develop strategies toward gaining proper stakeholder buy-in and support for key initiatives.
Mark Thomas is an internationally known governance, risk, and compliance expert in the areas of cybersecurity, IT
service management, assurance and audit, and IT controls. His background spans leadership roles from CIO to
management and IT consulting in several federal and state agencies, private firms, and Fortune 500 companies. With
over 25 years of professional experience, Thomas has led large IT teams, conducted information governance/risk
activities for major initiatives, managed enterprise applications implementations, and implemented cybersecurity and
governance processes across multiple industries. Additionally, he works as a consultative trainer and speaker, and
earned the ISACA John Kuyers award for Best Speaker/Conference contributor in 2016.
CS 1-2: NIST Cybersecurity Framework Assessment
Todd Marcinik, CISA, CRISC
IT Risk Manager
Sun Trust Banks, Inc.
NIST’s Framework for Improving Critical Infrastructure and Cybersecurity was released February 2014 and has since
been used to gauge the maturity of information security programs and align oversight and regulatory processes against
a common framework. This session will cover the components of the framework, assessment approaches, review
examples and reporting.
In this session, participants will:
• Receive a brief introduction to the NIST Cybersecurity Framework.
• Discuss associated control frameworks and the FFIEC Cybersecurity Assessment Tool.
• Assess your information security program against the framework.
• Review, analyze, and identify potential program gaps.
• Learn how to report and communicate results, implement remediation plans, and perform periodic
reviews.
Todd Marcinik provides guidance to help executives and management ask key questions, make better, more informed
risk-adjusted decisions and guides effective IT risk management for a large regional financial institution. He is
accountable for identifying, measuring, mitigating, monitoring, and reporting operational, technology, and compliance
risks and issues to senior management and appropriate governance structures. Marcinik has more than 20 years of
experience as a professional in IT administration, security, governance, risk, assurance, and compliance and has provided
leadership over high-priority IT security projects, compliance assessments, and issue mitigation. His early career was in
technical support, application, system, and database administration, and data warehouse implementation and support
with WESCO Distribution. Marcinik served as IT audit manager and senior IT compliance analyst with Coca-Cola
Enterprises, and as global IT audit manager for Exide Technologies. He has presented on various topics at local and
national conferences on a wide range of technical and audit topics.
CS 1-3: How Risk Culture Affects Compliance and Internal Controls
Joseph Mayo, CRISC, PMP, RMP
President
J.W. Mayo Consulting, LLC
This session will explore a case study where placing blind faith in the enterprise risk management (ERM) process led to
catastrophic results. We will explore an organization that had by all accounts a highly mature world-class ERM program.
However, the organization had a minor flaw in their ERM process that went undetected by internal controls and nearly
destroyed the organization.
In this session, participants will:
• Learn organizational culture traits that can lead to risk management disasters.
• Recognize when a heuristic audit approach is appropriate.
• Understand how loosely coupled risk management processes can benefit the organization.
• Recognize symptoms of a risk hurricane.
Joseph Mayo is an award-winning project manager, author, and internationally recognized risk management expert with
over 28 years of industry experience. He developed an IV&V program that was recognized by the U.S. Government
Accounting Office (GAO) as a model for large complex government programs. Mayo wrote Cultural Calamity: Culture
Drive Risk Management Disasters and How to Avoid Them featuring the introduction of the “Risk Hurricane,” and Chaos
to Clarity: The Tao of Risk Management. He has published other books and whitepapers and frequently speaks on the
topic of risk as he strives to further global risk management practices by volunteering for PMI and ISACA working groups.
CS 1-4: Data Analytics at Xerox: A Journey From Idea to Reality
Michael Bowen
Senior Manager, Analytics, Center for Enablement
Xerox Corporation
Kenneth Metz, CPA, CGMA
Chief Audit Executive
Xerox Corporation
Xerox’s internal audit department undertook a 2-year journey to turn the idea of better data analytics to the creation of
a Data Analytics Center of Enablement. This COE has partnered with the IT Business Intelligence group to deliver
analytics-driven audits using Tableau. These data analytics tools are left behind with audit clients allowing them to
perform their jobs better. This session will feature a demonstration of how data is transformed into usable audit
intelligence using Tableau.
In this session, participants will:
• Learn the actual steps Xerox took to implement a meaningful data analytics practice.
• Understand how the Data Analytics Center of Enablement was structured and functions.
• See real life examples of the Tableau data models created.
• Explore how data analytics results can create value-added audit recommendations.
Mike Bowen has more than 20 years of data and analytics experience within Xerox, most recently leading global
customer services’ business intelligence and analytics. He joined the internal audit department in 2016 to establish a
Center of Enablement for driving the use of analytics within the function. Previously, Bowen held leadership roles in
Xerox’s machine data connectivity, xerox.com, and applications development. He is a Certified Lean Six Sigma Black Belt.
Ken Metz has over 20 years of accounting, auditing, internal controls, and global business experience. He joined Xerox in
2013 as the director of accounting projects, working on technical accounting projects including revenue and leasing,
before ascending to his current role in 2014. Prior to joining Xerox, Metz worked for Bausch & Lomb for seven years in
leadership roles including corporate audit services, Asia regional controller and managing external reporting and
accounting projects. Prior to B&L, he worked in public accounting for 12 years primarily with PricewaterhouseCoopers
serving large clients including Bausch & Lomb, Carrier Corporation, and Xerox.
Wednesday | August 16, 2017 11:30 a.m. – 12:30 p.m.
CS 2-1: Chutes and Ladders of Internal Audit - How to Rise and Fall Due to Meeting or Failing to Meet Stakeholder
Expectations
Kayla Flanders, CIA, CRMA, CISA, CPA, CFE, CGMA
Senior Audit Manager
Pella Corporation
Different stakeholders have different expectations. Even people within a common stakeholder group may have
different expectations, and we will cover how to identify and work with each. Some expectations may be driven by
stereotypes of internal auditors, and we will cover strategies to overcome them. We will discuss how to challenge our
past activities to quickly identify and move beyond stereotypes and work to shape appropriate stakeholder expectations
for the future.
In this session, participants will:
• Explore how stereotypes for internal audit shape stakeholder expectations and examine how our client
perceptions of audit are our reality.
• Determine internal audit's role in perpetuating or negating stereotypes and then meeting or changing those
expectations.
• Gain techniques to combat common stereotypes and shape expectations for the future.
• Challenge the "one size fits all" approach and develop understanding around individualized stakeholder
expectations.
Kayla Flanders has overall responsibility for the organization’s internal audit activities. Prior to joining Pella Corporation,
she was a senior audit manager at Wells Fargo on the finance and corporate activities team, chief compliance officer at
DuPont Pioneer, and director of internal audit at Layne Christensen Company. Flanders also served as a treasury
manager and manager of accounting research and policies. She began her career at Deloitte & Touche.
CS 2-2: Auditing the Cloud Environment: An Introduction
Remi Nel, CIA
Senior Manager, Global Technology Audit
Rackspace
Jason Sechrist, CIA
Director, Global Technology Audit
Rackspace
Cloud‐based solutions are increasing in popularity and are being embraced by organizations of all sizes. Auditors must
understand the key concepts and risks inherent to this technology. This session provides information to help auditors
understand the technology and provide the basis for analyzing and assessing risks.
In this session, participants will:
• Understand why risks are different in the cloud.
• Explore audit activities to identify risks specific to cloud environments.
• Identify internal audit’s role in an organization’s procurement/design phase.
Remi Nel has responsibility for managing the execution of a risk-based global IT audit plan for Rackspace’s global
footprint of data centers and office locations across the Americas, Europe, and Asia. Prior to joining Rackspace, Nel was
with EY working with banking, insurance, and IT hosting clients. He has delivered training presentations on cloud
computing and Software-as-a-Service (SaaS), educating and creating awareness among audit professionals on the
benefits and risks with technology.
Jason Sechrist has responsibility for developing and executing on a risk‐based audit plan for Rackspace’s global footprint
of data centers and office locations across the Americas, Europe, and Asia. Prior to joining Rackspace, he was with PwC
working with internet and cloud service provider clients, interacting directly with CTOs, CISOs, compliance managers,
and system engineers. His dynamic background includes leading the system life cycle of global aviation weather
visualization software as a service for the United States Air Force.
CS 2-3: GRC IQ: How Intelligent Is Your ERP Environment?
Scott Conner
Director, GRC Technology
KPMG
Learn how you stack up against top-performing organizations in terms of the maturity of your control environment, the
strength of your security design, and the level of your GRC integration. By introducing optimized controls and
sustainable processes while integrating GRC technology, organizations can reap more benefits from investments in ERP
technology and operate in an internal control environment that manages transactional risk and complies with regulatory
requirements.
In this session, participants will:
• Walk through a maturity model that illustrates the core characteristics of top-performing
organizations.
• Learn the degree of GRC technology adoption to support strong process and controls environments.
• Understand what opportunities exist for improvement, allowing for better planning of future road
maps and building a business case for wider adoption.
• Examine the results of last year's process and controls IQ survey, conducted at GRC 2016.
Scott Conner has over 13 years of IT advisory and audit experience including providing ERP implementation services,
business process improvement, Sarbanes-Oxley 404 compliance assistance, and controls implementation services for
SAP to clients across multiple industries. Conner’s industry background includes oil and gas, manufacturing, and
consumer markets. He has managed projects to design and redesign SAP security roles as part of both an initial
implementation as well as SOD remediation, managed multiple implementations of SAP GRC Access Control 10.0 and
10.1, Super user process implementation, and user provisioning. He also managed multiple controls integration projects
for global SAP implementations that included designing, testing, and monitoring controls around the implementation.
Conner managed projects for multi-billion dollar organizations to create and implement a controls framework for a
new worldwide SAP implementation, including core modules for ECC, SRM, SCM, XI, BI, and CUA.
CS 2-4: Measuring Effectiveness of a Risk-focused Third-party Risk Management Program
John Maynor, CRISC, CISA
Senior Leader, Third Party Risk Management
Vantiv
Third-party Risk Management programs, or TPRMs, as a best practice arguably encompass stages including Planning,
Due Diligence, Contracting, Ongoing Monitoring, and Termination. Interactive discussions are encouraged to allow
participants to share effective TPRM programs including key tools used to identify and measure the risks of utilizing third
parties and how to measure the effectiveness of these programs. Real-world stories and examples from tours of global
vendor sites will compare and contrast the differences between desktop and on-site evaluation of third parties.
In this session, participants will:
• Gain an understanding of the critical components of an effective third-party risk management program.
• Learn how to build effective audit programs to measure the soundness and effectiveness of third-party
risk management programs.
• Explore the tools that effective third-party risk management programs should use to provide a basis for
measuring and auditing TPRM programs.
John Maynor has many years of experience in the third party risk management (TPRM) space, having worked with
PwC for 11 years specializing in that as well as cybersecurity. His work has centered on taking a risk-based approach to
TPRM, helping organizations develop new or enhance current TPRM programs. Maynor has a depth of knowledge of
what makes a TPRM program effective and how to measure programs to ensure their effectiveness. He has performed
hundreds of on-site assessments of domestic and international third parties on engagements around the world.
Wednesday | August 16, 2017 1:30 – 2:30 p.m.
CS 3-1: Establishing and Maintaining an Effective Internal Audit Quality Assurance and Improvement Program: Tips,
Tricks, and Tools
David Kent, CIA, CRMA, CISA, CRISC, CGEIT, CGFM
Internal Audit Quality Assurance & Improvement Program (QAIP) Manager
SWIFT, Inc.
SWIFT/IA's journey began in early 2014 and continues today, working toward establishing a formal but "basic" QAIP and
then continuing to enhance it to better meet the underlying aspects of The IIA’s International Standards for the
Professional Practices of Internal Auditing’s 1300 series. Beginning with the results of an EQA conducted in 2013, the
session will trace the actions since taken to address observations including "lessons learned" — in the form of tips,
tricks, and tools — to form the primary focus of the discussion.
In this session, participants will:
• Gain insight into the key requirements of a successful QAIP, as prescribed by the 1300 series of The IIA’s
Standards.
• Examine key challenges facing an internal audit entity in establishing and maintaining an effective QAIP
and practical ways for meeting those challenges.
• Learn how to leverage everyday audit activities to serve as key QAIP components.
• Be introduced to several tools (including feedback mechanisms) proven to be especially valuable in
maintaining SWIFT/IA's QAIP.
David Kent is a seasoned audit practitioner with more than 40 years in the profession and has served in his current role
since 2014. Previously, he served as an audit manager for the organization, heading the company’s U.S.-based audit
team for about 10 years. Prior to joining SWIFT, Kent spent more than seven years as client service director with
PricewaterhouseCoopers’ U.S. federal government practice, providing oversight and direction to large, complex
automated information systems controls testing projects in various federal departments and agencies. Before PwC, Kent
spent over 26 years as a U.S. federal government auditor and audit manager at the U.S. General Accounting Office and
the U.S. Department of Transportation (DoT). His 12-year tenure with DoT’s Office of Inspector General (OIG) included
seven years of executive experience as a member of the federal senior executive service. During his federal career, he
received 12 awards for his work and testified before the U.S. Congress on three occasions. Kent has served on four
ISACA international committees/boards and as chair for their Information Technology Control Practices Committee. He
also co-developed a CISA examination review course for ISACA’s National Capital Area Chapter and served as instructor
for several course offerings. Kent has served as an instructor for corporate compliance seminars since 2016.
CS 3-2: A Real-life Practical Internal Audit Approach to Cyber Security
Gurmit Aujla, CIA, CRMA, CPA, CRISC, CA, CITP
Director, Internal Audit
British Columbia Lottery Corp.
Cory Strumecki, CISA, CISM, CIPT
Manager Internal Audit
British Columbia Lottery Corp.
Cybersecurity is an emerging/changing risk where traditional internal audit departments and previous approaches may
not be adequate, but using the complex cyber risk environment provides us with an opportunity to showcase the value
we bring to our organizations. Walk through one organization’s journey in developing a strategic approach to cyber risk
and the steps they took to reach that point.
In this session, participants will:
• Learn a practical way to get started on implementing an audit approach to address cyber risk.
• Identify steps to communicate cyber risk to key stakeholders such as the audit committee and executive
management.
• Obtain tools to build cyber risk into your audit plan.
• Discuss practical challenges that may arise as you explore this area as a way to showcase your function’s
value.
Gurmit Aujla has more than 15 years of experience in internal audit, risk management, internal controls, finance, and
corporate functions. He has served in his current role since 2009 where he was responsible for the transformation of the
internal audit group from a traditional compliance-based practice to a proactive, value-driven group that works
collaboratively with the organization. Aujla established a leading IT audit capability within the internal audit department
and developed a pragmatic, risk-based approach to identifying, assessing, and managing IT risk. Prior to BCLC, he worked
in private industry in the international manufacturing, banking, and restaurant sectors, with a focus on governance, risk
management, and implementing Sarbanes-Oxley. Aujla has delivered numerous presentations and webinars for
professional and trade organizations on topics including internal audit, governance, and risk management.
Cory Strumecki started his gaming career as a slot machine revenue auditor 17 years ago; his career path has included
stints as a casino trainer, QA system analyst, and innovator, and eventually led into the world of internal audit,
particularly IT auditing. Strumecki originally trained as a chef but transitioned into accounting and has found his
passion in the gambling industry.
CS 3-3: Best Practices for Proactive IT Governance
Berk Algan, CISA, CGEIT, CRISC, CIPP
Director, IT Governance
Silicon Valley Bank
The session will feature an information sharing session covering 5 topics focused on how to build and evolve a First Line
of Defense function and an IT governance framework by providing specific real-life examples drawn from the speaker’s
experience working at a financial institution, including pitfalls and lessons learned. Attendees will have an opportunity to
pose questions at the end of the session.
In this session, participants will:
• Learn about a practical approach to creating an IT governance framework.
• Understand the cornerstones of a proactive First Line of Defense model.
• Gain tools and knowledge to build an effective IT governance framework and a proactive First Line of
Defense model.
• Learn how to avoid common pitfalls when implementing a proactive First Line of Defense model.
Berk Algan leads the IT GRC group and has extensive experience in implementing governance, risk, and security
frameworks; improving business processes; setting business and IT strategies; leading risk assessments; performing
compliance audits; and facilitating organizational change. His primary goal is to promote a risk-based culture and
decision-making process, and instill governance best practices across the bank. Prior to joining SVB, Algan was a senior
manager at EY’s advisory services group where he audited and advised numerous high-tech companies.
CS 3-4: Auditing the Cloud Environment: Advanced
Remi Nel, CIA
Senior Manager, Global Technology Audit
Rackspace
Jason Sechrist, CIA
Director, Global Technology Audit
Rackspace
Cloud‐based solutions are increasing in popularity and are being embraced by organizations of all sizes. Auditors must
understand the key concepts and risks inherent to this technology. This hands-on session will explore a SaaS solution
case study to help auditors identify possible risk areas that can be leveraged to perform an assessment of the cloud tools
within their organization.
In this session, participants will:
• Understand and interpret Service Organization Control (SOC) reports for IT risks.
• Evaluate control frameworks and apply them to simulated environments.
• Examine Service Level Agreement (SLA) requirements that auditors should raise with cloud service
providers during the procurement/design phase.
Remi Nel has responsibility for managing the execution of a risk-based global IT audit plan for Rackspace’s global
footprint of data centers and office locations across the Americas, Europe, and Asia. Prior to joining Rackspace, Nel was
with EY working with banking, insurance, and IT hosting clients. He has delivered training presentations on cloud
computing and Software-as-a-Service (SaaS), educating and creating awareness among audit professionals on the
benefits and risks with technology.
Jason Sechrist has responsibility for developing and executing on a risk‐based audit plan for Rackspace’s global footprint
of data centers and office locations across the Americas, Europe, and Asia. Prior to joining Rackspace, he was with PwC
working with internet and cloud service provider clients, interacting directly with CTOs, CISOs, compliance managers,
and system engineers. His dynamic background includes leading the system life cycle of global aviation weather
visualization software as a service for the United States Air Force.
Wednesday | August 16, 2017 2:45 – 3:45 p.m.
CS 4-1: Critical Thinking for Results
Devin Claus, CPA, CFE
Finance Manager, Internal Audit
Conagra Brands
Critical thinking is a skill vital for auditors but takes time and practice to develop. To maintain a competitive advantage,
we must utilize our critical thinking skills to be insightful, to be forward looking, to make good decisions quickly, and to
create value for our organization.
In this session, participants will:
• Discuss why critical thinking is important on all audit engagements to drive impactful results.
• Learn a framework that can be used to help you think critically.
• Apply the framework to audit engagements.
Devin Claus has led internal audit engagements for the company, including the corporate controller’s group audit,
several consumer and private brand plant audits, a construction audit, procure to pay, IT general controls, and an
international code of conduct investigation. Prior to working at Conagra, Claus worked in external audit at Deloitte for
3+ years, serving various large and mid-size SEC clients.
CS 4-2: Hunting for Hackers: How to Turn the Tables on Attackers
Adam Brand
Director, Security and Privacy Practice
Protiviti
Would you know if your organization has been hacked? Publicly available data suggests that the odds are not in your
favor. In this session, you will learn from an experienced threat hunter about the challenges organizations face in
detecting breaches. You’ll also learn what threat hunting is, and how threat hunting can be leveraged in an internal audit
context to evaluate an organization’s breach-detection capabilities.
In this session, participants will:
• Understand the challenges involved in detecting breaches
• Define key types of detection technologies and understand their strengths and limitations
• Understand what threat hunting is, and how it can help decrease breach detection time
• Understand how threat hunting concepts can be used in an internal audit context to evaluate an
organization’s breach detection capabilities, and provide a point-in-time view on what signs exist of a
breach
• Identify the key technology areas and attributes that are relevant to threat hunting, and how signs of a
breach can be revealed
Adam Brand has over 17 years of experience in IT and security, in areas ranging from compliance to incident response.
He has worked closely with internal audit organizations across many industries in conducting information security
reviews, and brings a unique perspective as someone who has been “on the ground” in major breach investigations.
Brand is a frequent speaker on information security topics at both IIA and information security industry events.
CS 4-3: Integrated Audits for Business Processes
Gregory Haake, CIA, CISA, CFSA
IT Audit Manager
MetLife
Integrated audits can be valuable when used at the right time. How do you determine the right time for this type of
audit? Who do you include in this audit and what are your next steps? In this session we will learn how to determine the
scope of integrated audits and discuss the tools and planning needed for a successful engagement. We will explain why
it is key to streamline agendas for productive meetings with the audit clients.
In this session, participants will:
• Learn what integrated auditing should encompass.
• Discuss how to plan and conduct efficient integrated audits
• Develop tools to keep integrated audits organized.
• Identify ways to maximize productive audit client interactions.
Greg Haake has been internal auditing for half of his 20-year career, which has encompassed some of the largest
companies in the world including AXA Equitable, Credit Suisse, MetLife, and Blue Cross Blue Shield of North Carolina.
During his auditing career, Haake has held progressively responsible positions and grown his skills through collaboration
and education. His unique position of working as a business auditor and IT auditor has given him valuable insight on how
to manage engagements, clients, and planning activities.
CS 4-4: Implementing ERM in a Small to Medium Enterprise
Jessica Perkins, CIA, CRMA, CISA
Director, Risk Management and Internal Audit
International Development Research Center
This interactive session offers practical advice on establishing and improving ERM in a small- to medium-sized
organization modeled from a real-life experience at IDRC, featuring successes, lessons learned, tools, and practical
examples. Participants should have an intermediate level of risk management knowledge and a good understanding of
key definitions, and come armed with questions, challenges, and success stories to share.
In this session, participants will:
• Understand internal audit’s role in ERM as per IIA Standards and Guidance.
• Become familiar with a principles-based framework for ERM suitable for small- to medium-sized organizations.
• Develop an understanding of practical procedures and tools that can be applied to enhance ERM.
Jessica Perkins has more than 14 years of experience in audit, risk management, and corporate finance functions. Over
the last four years, she has been leading the transformation of the risk management and internal audit practices at IDRC
to become a value-added activity, integral to management and audit committee decision making. Prior to IDRC, Perkins
worked in the government and private sector as an external auditor and consultant in several different industries.
Wednesday | August 16, 2017 4:05 – 5:05 p.m.
CS 5-1: Voice of the Customer: Stakeholders Messages From the CBOK Global Internal Audit Study
Pam Short Jenkins, CIA, CRMA, CPA
Vice President, Global Audit Services
Fossil Group Inc.
Brad Rachmiel, CPA
Managing Director
Protiviti
In collaboration with Protiviti, The IIA’s Internal Audit Foundation conducted the CBOK Stakeholder Study in 2015 to gain
a global perspective and better understanding of stakeholders’ expectations of internal audit’s purpose, function, and
performance. The eye-opening results were distilled into individual reports covering numerous angles from the
stakeholder point of view.
In this session, participants will:
• Understand common themes from the five CBOK Stakeholder Study reports.
• Explore where CAEs can improve their relationship with stakeholders while also improving value
provided to organization.
• Identify key areas where internal audit can help the organization with the strategic risks.
• Discuss actionable ideas and recommendations to consider for both you and your key stakeholders.
Pam Short Jenkins is an innovative strategist who excels at building relationships with key stakeholders to effectively
lead transformation efforts and mission-critical business initiatives. She is skilled in linking enterprise risk assessment
with shareholder value, key objectives, and customer needs. Jenkins previously served as the CAE and vice president
of the project management office for company-wide strategic initiatives for US Foods, responsible for bringing
strategic focus and fast-paced tactical execution to the audit services department. She has more than 15 years of
executive level experience in internal audit with organizations such as The Wendy’s Company and The Home Depot.
Jenkins currently serves as the vice chair of professional development on The IIA’s North American Board of Directors.
Brad Rachmiel brings over 24 years of experience in public accounting, internal audit, and consulting services and
currently leads the organization’s internal audit and advisory practice for the Central region as well as their public
company transformation service, assisting companies with their private-to-public transformation around finance and
accounting, IT, and corporate governance/compliance. Prior to joining Protiviti, Rachmiel was a senior manager in Arthur
Andersen’s Chicago office. He also spent several years as the chief financial officer of a manufacturing and distribution
company.
CS 5-2: Operationalizing Cybersecurity with Risk-based Governance
Steven Minsky
CEO
LogicManager, Inc.
Many departments within an organization – information security, vendor management, finance, human resources, and
more – hold pieces of cybersecurity information. Unfortunately, most organizations lack the ability to put the full risk
picture together. Companies react to external threats by spending billions on technology solutions, without addressing
root-cause governance issues, such as operationalizing employee and vendor password policies.
It's important to recognize that the governance of information security and technology is a tenet of risk management,
and is most effective when implemented with a holistic, cross-functional approach.
In this session, participants will:
• Learn how to operationalize cybersecurity policies across departments and levels.
• Determine clear cross-functional accountability for cybersecurity responsibilities.
• Explore metrics that monitor the effectiveness of cybersecurity programs.
• Discuss best practices for reporting cybersecurity progress and effectiveness to the board and
regulators.
Steven Minsky has for over 12 years overseen the organization that provides an integrated, intuitive software-as-a-service
platform to help companies make better decisions through risk intelligence for more effective corporate governance, risk,
and compliance management. He is the author of the popular RIMS Risk Maturity Model and frequently
teaches and contributes to blogs and the press across a range of risk management topics. Minsky is also a patent author
of risk and process management technology.
CS 5-3: Stop Fraud Before It Starts: New Guidance for Managing Fraud Risks
Marc Kokosky, CIA, CCSA, CRMA, CFE
Global Anti-Fraud and Investigations Manager
Population Services International
Bryan Moser, CPA, CFF, ABV, CFE
Partner, Advisory Services Practice
Grant Thornton LLP
New guidance features techniques to more effectively assess and mitigate fraud risk. Participants will learn about
forming a strategy for a full-scope assessment of fraud risk, including use of both qualitative and data analytic
approaches and how to respond to those risks once identified. Topics will be discussed in the context of prevailing
standards for fraud risk management.
In this session, participants will:
• Describe the components of a holistic and effective fraud risk assessment.
• Discuss a framework and techniques for conducting fraud risk assessments.
• Learn about anti-fraud controls based on the Fraud Reduction and Data Analytics Act of 2015.
• Identify ways to deter fraud based on the COSO Fraud Risk Management Guide.
• Explore guidelines in GAO’s Framework for Managing Fraud Risks in Federal Programs.
Marc Kokosky is responsible for overseeing PSI’s anti-fraud program and has conducted and managed more than 400
international fraud investigations in more than 40 countries that have resulted in the recovery of funds and several
criminal convictions. He has extensive work experience in Africa, Asia, Latin America, and the former Soviet Union.
Kokosky’s experience in the last 13 years has been primarily within the non-profit and NGO sectors with a focus on
internal audit, fraud, compliance, and business ethics. Prior to his internal audit and investigation work, he was a grants
and contracts manager overseeing various U.S.-funded programs aimed at preventing the emigration of former Soviet
weapons scientists and the promotion of civilian and commercial scientific research projects.
Bryan Moser has assisted clients with compliance, investigations and litigation for nearly 25 years. He conducted
numerous government and internal fraud investigations and frequently consults on compliance. He investigates billing
fraud, embezzlement, improper vendor arrangements, misappropriation of grant funding, and compliance with
regulations. Moser assists clients with assessing risks and implementing preventive measures designed to prevent fraud
and advises clients during critical business situations and developing operational improvements. He has assessed
internal controls and regulatory compliance of businesses and consulted on anti-corruption/FCPA compliance, along
with SEC, DOJ, and internal fraud investigations around the world. Prior to joining Grant Thornton, Moser was an
industry analyst for the Bureau of Labor Statistics and worked 15 years at PricewaterhouseCoopers. He frequently
speaks on issues related to investigations and compliance and conducts training to clients and at industry organizations.
CS 5-4: How Vanguard's Fund Process Excellence Team Is Building an Effective Controls Culture
Robert Freiling, CTP
Senior Manager
Vanguard
In today’s environment of increasing complexities, changing regulations, global expansion, product and competitive
landscape change, Fund Financial Services created a Process Excellence (PE) team to lead fund-centric risk and controls
advisory services. Learn how the PE team successfully established and built out a purposeful integrated controls
framework based on four key priorities.
In this session, participants will:
• Discuss the four key priorities that drove the framework’s underpinnings.
• Learn real methods, tools, and approaches to build an effective controls culture.
• Review the process followed to establish and implement a risk and control integrated purpose/mission
statement and core team competencies.
• Discover concepts supporting the build-out of the integrated controls framework, including data-driven
risk dashboards, scorecards, and heat maps; control self-assessment methods; monitoring methods; and
more.
Robert Freiling is an 18-year Vanguard veteran, with more than 10 years of experience managing Vanguard’s fund
treasury department, Six Sigma program, and risk and controls groups. He currently leads a global fund-centric risk and
controls department, which includes resiliency and logical access span, with departmental team members in the U.S.
and abroad. Freiling has sponsored five Vanguard corporate Initiative of the Year winners, one of which competed at the
American Society of Quality International Finalist competition. He has been invited to speak at national and regional
Association of Financial Professional conferences and holds Vanguard’s Six Sigma Specialist certification.
Thursday | August 17, 2017 8:30 – 9:45 a.m.
General Session 1: Internal Audit in a World of Change
Larry Harrington, CIA, QIAL, CPA, CRMA
Vice President, Internal Audit
Raytheon Company
Change — self-driving vehicles, nano-technology, artificial intelligence, geopolitical changes, etc. — is impacting the
world at an accelerating pace, which in turn impacts organizations, stakeholders, and internal auditors. Are we adapting? To be
relevant and add value, we must audit at the speed of risk, and that means assessing risks in a world of change and
disrupters will become a new must-have competency.
In this session, participants will:
• Discuss key disrupters of change affecting internal audit.
• Identify what to audit and when in a world of change and disrupters.
• Review competencies needed to adapt to change.
• Explore strategies to retain those with the needed range of skills to conduct audits at the speed of risk.
Larry Harrington has more than 25 years of experience in auditing and finance. He started his career in public
accounting and has served in the fields of retail, financial services, insurance, manufacturing, and technology. Harrington
has held key leadership roles in finance, human resources, and operations, and has been chief audit executive for
several Fortune 500 companies including Staples, Aetna, and LTV. He is an active volunteer for The IIA, currently serving
as chairman of the Global Board of Directors. He previously served as senior vice chair of the Global Board of Directors,
and as chairman of The IIA's North American Board of Directors. Harrington is a frequent speaker at seminars on
auditing, change management, negotiation, and people development and motivation.
Thursday | August 17, 2017 10:10 – 11:10 a.m.
CS 6-1: External Quality Assessments: The Benefits of and Leading Practices to Exceed Stakeholder Expectations
Greg Jaynes, CIA, CRMA
Chief Audit Executive & Director, Internal Audit
The Institute of Internal Auditors
Bailey Jordan, CIA, CRMA, CISA, CPA
Partner, Business Risk Services
Grant Thornton, LLP
Not only is it required by The IIA’s Standards for an internal audit department to conduct external quality assessments, it
just makes good business sense. If you are conducting periodic internal assessments, then the external assessment
should be a piece of cake and enable you to prove your department’s inherent value to your stakeholders. In this
session, participants will examine the process and results of The IIA’s own internal audit function EQA.
In this session, participants will:
• Learn the fundamental EQA requirements.
• Examine one approach to execute an EQA.
• Discuss the value of an EQA to management and the audit committee.
• Find out how an EQA raises the quality of the internal audit function.
• Explore lessons learned and leading practices.
Greg Jaynes has over 30 years of internal audit, accounting, and financial management experience, including a long
career in public sector internal auditing before joining The IIA in 2011. His public service tenure included 24 years in the
Office of the Inspector General, Tennessee Valley Authority. Jaynes has served as an advisor on numerous enterprise risk
management and operational process improvement panels/committees. He also has extensive experience in the
investigation of ethics and fraud related issues.
Bailey Jordan has 30 years of consulting experience covering a wide range of engagements, including projects in
enterprise risk management, internal audit co-sourcing/outsourcing, quality assurance reviews, internal audit
transformation, and Sarbanes-Oxley. He is an advisory council member of COSO’s ERM – Integrated Framework Update
Project and advisory board member of N.C. State University’s College of Management ERM Initiative. Jordan frequently
speaks on topics including trends in internal audit, ERM, EQA, internal controls, and consulting and soft skills for the
internal auditor. He currently serves as a member of The IIA’s North American Advocacy Committee.
CS 6-2: Cloud Computing Controls: Managing Risk
Princy Jain, CIA, CCSA, CRMA, CA
Partner
PwC
Abhi Pandit, CISA, CPA
Senior Director, Head of Technology Audit & Assurance
Adobe
Explore how Adobe and other tech companies view cloud compliance risks and how one organization adopted a
common controls framework. This approach facilitates efficiency and reduces the compliance risks including providing
visibility through one common model.
In this session, participants will:
• Learn types of risks and compliance frameworks in a cloud environment.
• Discuss how to establish a common control framework model.
• Explore how to test and monitor controls on an ongoing basis.
• Share leading practices in making the program successful.
Princy Jain serves as the leader of the controls testing and monitoring solution within the Risk Assurance practice and has
been serving globally diversified Fortune 500 companies for more than 22 years. His experience includes public and
venture-backed companies by providing his expertise within internal audit, Sarbanes-Oxley compliance, risk
management, enterprisewide strategic risk management, business transformation, merger integration, finance and
business process improvement, and auditing and accounting. Jain is an active public speaker on these topics and has
contributed as a co-author on several guidance publications produced by The IIA. He is an active volunteer at The IIA,
serving on The IIA’s North American and Global Boards. He also serves on the Northern California’s Board of Ascend, an
organization dedicated to leveraging the leadership and global business potential of Pan-Asians.
Abhi Pandit oversees a team that focuses on providing risk management, security compliance, audit and assurance
services to Adobe’s engineering, IT, finance and sales organizations. Prior to joining Adobe, Pandit worked at various
firms including Deloitte’s enterprise risk services group providing advisory, audit, compliance, product development, and
product management services.
CS 6-3: COSO's Revised ERM Framework: It's Final!
Robert Hirth
Chairman
COSO
Frank Martens
CPA
PwC
The COSO ERM framework has now been released in final form. Learn about the process, what key changes resulted
from the public exposure draft, and what the final version attempts to communicate and accomplish.
This session will help auditors consider how they can best use it in their organizations to add value.
In this session, participants will:
• Understand the background to the project and The IIA's and ISACA's role in the revision.
• See the final framework structure and contents.
• Learn about its key message points.
• Understand major changes from the exposure draft version.
• Identify ways to best apply the framework within an organization.
Robert Hirth was unanimously elected by the board of COSO’s sponsoring organizations in 2013. His experience includes
all of COSO’s mission disciplines: ERM, internal control, and fraud deterrence. He has worked on assignments and made
presentations in over 20 countries, serving more than 50 organizations and working closely with board members, C-level
executives, finance and accounting personnel as well as public accounting firm partners and employees. Most recently,
Hirth served as a senior managing director of Protiviti and prior to that, he was executive vice president of global
internal audit and a member of the firm’s executive management team for the first 10 years of Protiviti’s development.
In 2017, he became a board member of the Sustainability Accounting Standards Board (SASB) and previously served a
lengthy term on the Standing Advisory Group of the Public Company Accounting Oversight Board (PCAOB). In 2013, Hirth
was inducted into The IIA’s American Hall of Distinguished Audit Practitioners. In 2014 and 2015, he served as the
chairman of The IIA’s IPPF re-look task force.
Frank Martens serves as the firm’s global risk framework and methodology leader, providing thought leadership on
enterprise risk management and support to client teams across geographies and a wide range of companies. Martens is
the project lead director on the COSO Enterprise Risk Management–Integrating with Strategy and Performance. He has
met with large and smaller companies, organizations, and government organizations from around the world.
CS 6-4: Change Management Best Practices for ERP Systems: A Case Study From Audits of Oracle E-Business Suite
Installations
Jeffrey Hare, CPA, CIA, CISA
CEO
ERP Risk Advisors
Change management is a multi-faceted topic. Like the various sides of a gem, having mature change management
processes and controls requires various approaches. One can think of change management in four buckets – object
oriented changes, security, patching, and configurations. This session explores what it takes to build and implement a
first-class change management process for organizations running ERP systems.
In this session, participants will:
• Evaluate change management best practices in conjunction with The IIA’s GTAG, Change and Patch
Management Controls: Critical for Organizational Success, 2nd edition.
• Understand how these standards apply to ERP systems.
• Discuss various examples of organizational maturity in change management controls.
• Explore common issues organizations struggle with related to the change management process.
Jeffrey Hare is a top expert, having worked around the world in the Oracle ERP space with an extensive background in
public accounting (including Big 4 experience), industry, and Oracle applications consulting experience. He has been
working in the Oracle applications space since 1998 with implementation, upgrade, and support experience. Hare
currently teaches the MISTI class "Auditing Oracle's E-Business Suite" and has written two books on security and controls
for Oracle E-Business Suite. Hare is working on updated editions of both titles, which are expected to be released in 2017.
He has written whitepapers and articles that have been published by major trade and industry organizations.
Thursday | August 17, 2017 11:25 a.m. – 12:25 p.m.
CS 7-1: Adding Value by Managing the Perception Gap
Jeremy White, CISA
Senior Director, Assurance and IT Audit - Audit Services
LifePoint Health
The environment in which we work and the expectations under which we operate require that we shift to meet the
definition of not just what we do, but of who we are as auditors. A key factor in successfully making that shift is
managing perception. We all have a “reality” of who we are and what we do, but too often our “reality” is smashed on
the rocks of someone else’s perception. It will be to the auditor’s benefit to identify and manage the perception gap that
exists in their organization.
In this session, participants will:
• Explore the shift that every audit department is trying to make from a compliance and regulatory
function to a value-adding business partner.
• Discuss a very important — if not the most important — factor in that shift: Perception.
• Identify ways to determine the current perception of your department and compare it with your defined
reality or expectation.
• Determine ways to manage the gap that exists between those two places — perception and reality —
leading to adding value.
Jeremy White has been involved in numerous facets of auditing over the past 16 years, beginning his professional career
with Deloitte & Touche as an enterprise risk services consultant. After several years at Deloitte, he transitioned from
public accounting into industry, particularly health care. In addition to corporate roles, White owned his own consulting
practice for several years. In addition, he serves on the Accounting and Advisory Board at Tennessee Tech.
CS 7-2: Auditing Network Security
Ashish Jain, CIA, CPA, CISA, CA, ACDA
Director of Internal Audit
University System of New Hampshire
Considering today's cybersecurity risks, strong network security practices are essential to secure the
organization's data and IT infrastructure. Numerous network devices are available, but it is the technical configuration
settings of these devices, and the identification of opportunities to improve their security, that make this an uphill task for
auditors and management alike. Network security is only as strong as the weakest point in the network, and a single weak
point can put the entire organization's IT infrastructure at risk.
In this session, participants will:
• Review top key areas to audit network devices, ideas to benchmark against best practices, and common
network security requirements.
• Identify risk areas for a network device audit.
• Locate resources for common security practices.
• Plan a basic network device security audit.
• Discuss common audit issues in this area.
Ashish Jain is responsible for developing, organizing, and directing the organization’s internal audit plan. He manages
financial, operational, IT, and compliance audits to determine the adequacy of the systems of internal control and the
degree of compliance with these controls. Jain is also charged with conducting special investigations as requested, and
making recommendations for improved controls, operating procedures, and systems designs. Prior to joining USNH in
2016, he worked in the internal audit departments at Boston College and MIT.
CS 7-3: Collaborative Risk Management: Audit and the 2nd Line of Defense
Dan Clayton, CIA, CPA, CKM
System Audit Office Director of Strategy and KM
University of Texas System
Risk silos are naturally created within an organization — explained best by the different objectives of the 3 Lines of
Defense and their unique perspectives and tools. Collaborating effectively around risk requires common understanding
supported by common taxonomy and shared technology. Commonality is found in defining what business objectives are
at risk. This presentation focuses on organizing and sharing risk data across all lines of defense as the starting point in
breaking down organizational risk silos and establishing a stronger relationship with management and governance.
In this session, participants will:
• Explore how we got here with risk and risk management; a review of definitions, frameworks, and
perspectives.
• Exchange ideas on collaborating on risk across goals and perspectives; a discussion of defining risk
components from a general business use perspective.
• Discuss the ideal we should strive for: organizing risk data to leverage comparison while maximizing
input from each of the 3LoD perspectives.
Dan Clayton has spent the last 10 years in internal audit professional practices and function development, staying
abreast of the governance, risk, and internal audit industries and topics, along with developing frameworks, models, and
procedures to elevate internal audit practices. His field of interest is risk assessment and ERM. Over the last 10 years, he
has led or participated in updating risk assessment models, audit and audit committee reporting deliverables, and audit
and consulting methodologies. Clayton built a knowledge management structure for a team of 300+ auditors, including
resource development processes that captured research, audit planning, and other data to elevate and codify a standard
library of materials. Clayton has published articles in trade publications including Internal Auditor magazine and
currently serves on The IIA’s CREA Committee, which reviews research and content development for the Internal Audit
Foundation and IIA Bookstore. He also serves on Utah Valley University’s Internal Audit Advisory Board.
CS 7-4: FCPA: Are You Risk Focused and Audit Ready?
Chian Boen, CAMS
Sr. Manager, Forensics & Compliance
Johnson & Johnson
Aditya Misra, CPA, CFE
Senior Manager, Corporate Internal Audit
Johnson & Johnson
Go on the journey with J&J as we explore their internal audit department’s recent foray into data analytics and goals,
types of FCPA/Anti-Bribery and Corruption risks in the health care industry and how to identify and mitigate them, and
an audit methodology that is geared for emerging risks.
In this session, participants will:
• Walk the path J&J followed to implement data analytics for identifying risks related to FCPA/Anti-Bribery
and Corruption.
• Identify the types of risks in the health care industry and how to identify and mitigate them.
• Discuss how to develop an audit methodology and monitoring plan that helps identify risks and red flags to
increase audit effectiveness.
Chian Boen joined J&J in 2008 and manages the sensitive issue investigations within the organization’s internal audit
department. He has also participated in FCPA process reviews. Boen has more than 20 years in investigations and
government/law enforcement experience having worked for the Manhattan District Attorney’s Office, the NYS Office of
the State Inspector General (OIG), and the forensic practice of a Big Four accounting firm. Prior to coming to J&J, he was
the director of anti-money laundering investigations and transaction surveillance at a large international bank.
Aditya Misra has been with J&J since 2008, managing cross-sector (pharmaceutical, medical devices, and consumer)
financial audits/internal control and Sarbanes-Oxley reviews related to worldwide operations and conducting internal
company investigations globally with a focus on FCPA/Anti-bribery and corruption audits. He has also been
instrumental in implementing data analytics in J&J internal audit to help deliver better outcomes and enhance audit
capabilities. Misra also has extensive experience in risk consulting, internal audit, and controls assessments with KPMG
and CohnReznick. He began his career in India with the TATA group and later at General Motors India as manager of
corporate affairs and corporate secretary with responsibilities for internal audit and risk management. Misra is a
recognized industry speaker having presented on internal audit, fraud, and data analytics. His article in Internal Auditor
magazine, Proactive Fraud Analysis, appeared on the list of Top 10 features for 2016.
Thursday | August 17, 2017 1:25 – 2:25 p.m.
CS 8-1: Activate Your Internal Auditing Awesomeness™
Robert Berry, CIA, CPA, CISA, CCEP
Executive Director Internal Audit
University of South Alabama
Internal auditors are awesome people. That’s something we don’t hear in most business environments. Oftentimes we
are called necessary evils, the group that bayonets the wounded … you get the point. Several years ago, after a tough
audit engagement, a client referred to this presenter’s company as awesome. Then another. And another. Pretty soon,
they started to believe they were actually awesome. But they didn’t know what they were doing to create the
perception, so they asked. Surprisingly, it has little to do with actually auditing.
In this session, participants will:
• Learn three critical components to becoming — and staying — awesome.
• Discover how to find your awesome attributes and apply them to auditing.
• Find the courage to activate your awesomeness.
Robert Berry is an advocate for better business environments. For almost 20 years, he has worked as an accountant,
auditor, business process specialist, and business consultant helping organizations save millions while reducing
redundancies. He writes frequently about risk, audit, and compliance and presents on these topics at industry
conferences. He is a Six Sigma Greenbelt.
CS 8-2: Cyber Resilience Framework for the 21st Century Executive
Jeff Welgan, PMP
Executive Director
CyberVista
Understanding cybersecurity-related risks and opportunities is now a critical component to the oversight, governance,
and management responsibilities for all business leaders. Corporate leaders and board members must have the
expertise to ask and understand cybersecurity questions to lead their organizations toward a sturdy, resilient posture.
This session will guide the audience through preparing, monitoring, and responding to cyber risks, as well as provide
actionable steps that promote cyber resiliency.
In this session, participants will:
• Recognize the importance of identifying and managing cyber risk across the organization and with
stakeholders.
• Learn how to manage cyber risk through accepting, avoiding, mitigating, or transferring risk.
• Create a scorecard to effectively communicate and provide strategic guidance to your organization.
• Apply strategies for determining costs and benefits of cybersecurity programs and services.
• Identify the key considerations related to enterprise risk to prioritize during a cyber incident.
Jeffrey Welgan directs and oversees CyberVista’s executive training programs. His cyber expertise is rooted in all-source,
strategic analysis of cyber threat actors, as well as nation-state cyber capabilities and doctrines. He previously managed
a cyber threat intelligence capability at Booz Allen Hamilton, focusing primarily on specialized cyber threat studies for
Fortune 100 commercial clients and for multiple government agencies, including the DIA, CIA, NSA, FBI, U.S. Cyber
Command, U.S. Special Operations Command, and more. Welgan served in the U.S. Navy as both an intelligence
specialist and a search and rescue (SAR) swimmer and served during two overseas deployments.
CS 8-3: Auditing Business Continuity
Seth Davis, CIA, CPA, CFA, CPCU, CISA
Vice President, Internal Audit Services
RLI Corporation
Ben Getz, CIA, CISA, CPA, CPCU, ARe
Senior Auditor
RLI Corporation
How effective is your company’s business continuity plan? You may not have the opportunity to find out how effective it
is until you need to deploy it, and by then it is too late. Together, we will discuss the key considerations for an audit of BCP
covering both the enterprise and business-unit levels.
In this session, participants will:
• Learn key areas to consider in an audit of business continuity planning.
• Review the elements of BCP governance and corporate plan coordination.
• Discuss a business impact analysis and alternative procedures at the business-unit level.
• Talk about the importance of alignment of the business and IT.
• Explore third-party considerations and plan testing.
Seth Davis oversees the development and execution of the audit plan providing assurance and advisory services, and
coordinates efforts with Sarbanes-Oxley assessments and corporate business continuity as well as model risk
governance. Davis has been with RLI since 2004, and his prior experience includes working as an audit director at CNA as
well as working in claims and underwriting management at State Farm.
Ben Getz has experience working with business continuity, vendor management, and IT security in addition to
substantive financial statement work. His background is in accounting, but he has transitioned to internal auditing and IT
auditing over the past several years. Prior to joining RLI five years ago, Getz spent two years working in external audit with
Clifton Gunderson LLP (now Clifton Larson Allen). He has previously presented on the topic of business continuity and
co-authored an article on the topic for Internal Auditor magazine in 2014.
CS 8-4: When Life Gives You Lemons: Five Ways to Turn GRC Struggles Into Success
Ina Cheatem, CRMA, CCSA, PMP
Supervisor, Global GRC Technology
General Motors Company
Rob Simkow
Manager, Global GRC Technology
General Motors Company
Get ready for an interactive case study and knowledge-sharing session on an innovative approach to GRC
implementation. Throughout the session, participants will be engaged in a lively discussion via polling,
collaborative brainstorming, and short video clips followed by lessons-learned reviews, culminating in a Q&A period.
In this session, participants will:
• Elaborate on the definition of GRC and understand different interpretations among companies.
• Explore how General Motors approached an innovative GRC implementation.
• Understand key lessons learned that may assist other companies in similar implementations.
Ina Cheatem supports the implementation of a global, cross-functional GRC technology based on IBM OpenPages. She
has over five years of progressive GRC experience. At Rolls Royce Power System, she was a member of the global internal
controls office and supported the rollout of a global internal controls framework and the supporting technology.
Cheatem also led a large regulatory compliance project for a Fortune 500 utility organization. She has several years of
experience in risk management, CSA, internal controls, operational auditing, finance, and project management across
several industries, including manufacturing, automotive, energy/utility, and travel.
Rob Simkow is responsible for managing the implementation of a global, cross-functional GRC technology solution
spanning multiple organizations, including audit services, Sarbanes-Oxley, strategic risk management, operational risk
management, as well as other risk and control organizations. Prior to his current role, he has had multiple roles at GM.
Beginning as an IT auditor 10 years ago, Simkow transitioned to a finance controllership role in a manufacturing plant,
followed by a finance role in audit, and then a management role in IT finance.
Thursday | August 17, 2017 2:40 – 3:40 p.m.
CS 9-1: Why Emotional Intelligence and Critical Thinking Skills Are Essential
Bret Kobel
Managing Partner
Empower Audit
Internal auditors spend most of their time communicating: speaking with and interviewing clients, preparing information
for distribution, and deciphering information they have gathered. Those communications are frequently strained
because auditors regularly encounter conflict, difficult situations, and, at times, difficult people. Enhanced emotional
intelligence (EQ) and critical thinking skills can turn these situations into opportunities to build positive relationships and
end conflict, improving an auditor’s effectiveness.
In this session, participants will:
• Understand what emotional intelligence is and how it helps or hurts us.
• Learn strategies to improve emotional intelligence and in turn, better perform the role of internal
auditor.
• Understand the levels of thinking and what constitutes critical thinking.
• Discover methods to increase critical thinking and ways to identify when you are not thinking critically.
• Examine the ways emotional intelligence and critical thinking together improve communication,
specifically in interviewing audit clients.
Bret Kobel has more than 20 years of professional finance, accounting, audit, risk, and compliance experience. He
specializes in internal controls, process improvement, process transformation, and implementation with organizations
operating under GAAP and/or IFRS Standards. Kobel brings a diverse background to the organization from venture-
backed startups to global Fortune 500 companies.
CS 9-2: Ransomware in the Enterprise
Derek Parke, CISSP
Cybersecurity Consulting Manager
Crowe Horwath
Per the 2016 Symantec Internet Security Threat Report (ISTR) on ransomware, 38% of businesses in the U.S. had dealt with
ransomware between January 2015 and April 2016. Attackers are continuously crafting new techniques to deploy
ransomware, and organizations are falling prey to these attacks on a regular basis. This session will cover the overall
threat landscape of ransomware in enterprise environments, discussing types of attacks, the steps of a successful
ransomware attack, and how organizations can detect, respond to, and prevent these types of attacks.
In this session, participants will:
• Define what ransomware is and why it has been so successful.
• Understand the impact of ransomware and the real risks.
• Understand methods of preventing these attacks in their environment.
• Receive guidance on the methods of detecting an attack.
• Identify how to respond to a ransomware attack, aside from paying the ransom.
Derek Parker is a manager within Crowe Horwath’s Cybersecurity Risk group with an industry expertise in financial
institutions.
CS 9-3: The Transformational Internal Auditor: Improving Compliance by Improving Process
Nydia Torres
Supervisor of Internal Audit
El Paso Electric Company
Gabe Zubizarreta, CPA, CGMA
CEO and Founding Principal
Silicon Valley Accountants
The IIA’s CEO Richard Chambers has called on internal auditors to become "Agents of Change," interested not just in
counting the beans, but in "how the beans are grown, how they are harvested, and how they are taken to market.” This
new approach inspired more than one organization to make substantial adjustments to the traditional audit model,
leveraging the change as an opportunity to improve processes, making them more efficient and effective. Demonstrable
results included more effective controls and reduced risk and cost, while increasing confidence in the reporting.
In this session, participants will:
• Explore the role of the internal auditor as an agent of change, improving compliance, increasing
efficiency, and reducing risk through continuous improvement.
• Identify the moral dilemma preparers are placed in when business conditions or regulatory
requirements change, while controls have not kept pace.
• Learn how to leverage change to create a culture of continuous improvement.
• Examine the relationship between high quality, efficient processes and compliance.
• Learn how to build controls into the process, rather than bolt them on later.
Nydia Torres has been with El Paso Electric since 2007 and has held various positions, including senior compliance and
financial analyst and financial accountant. Prior to joining the El Paso Electric Company, Torres served as a senior
external auditor with Ernst & Young. Nydia currently sits on the IIA El Paso board as the Treasurer.
Gabriel Zubizarreta had more than 10 years of experience with PwC, held various controller positions, and led several
merger integration projects before founding his own company. His experience is from external audit and industry
perspectives, including Sarbanes-Oxley compliance, technical accounting topics, process optimization, and a strong
knowledge of systems. Zubizarreta designed a framework, based on a balanced approach of training, leadership, process
improvement, and system optimization, that delivers continuous improvement-based results to optimize financial
processes.
CS 9-4: Utilize the STAR Model in Auditing Governance
Robert Alexander, CPA, CIA, CRMA, CGMA
Senior Manager, Internal Audit
Raytheon Company
Ellen Lux
Senior Manager, Internal Audit
Raytheon Company
The STAR model, created by an expert who specializes in matrix organizations, can be adapted to an audit department.
Participants will learn how to apply the STAR model with Six Sigma root cause analysis and process improvement tools
for auditing governance in order to realize an ROI for their stakeholders.
In this session, participants will:
• Explore the STAR model concept (strategy, structure, process, rewards, people).
• Learn how to apply the STAR model with Six Sigma tools in audit situations.
• Understand how to recognize symptoms associated with dysfunction or disconnects in the different
aspects of governance.
• Combine these skills with root cause analysis and other Six Sigma process improvement techniques to
ensure a robust ROI on audits.
Bob Alexander has over 30 years of domestic and international experience in the internal audit profession covering
financial, operational, and critical risks audit. Prior to joining Raytheon, he worked for Nissan North America as senior
manager of internal audit for financial and operational audit. He was instrumental in the start-up of Nissan’s internal
audit department, the coordination of global audit, and the development of consolidated financial statements for
Nissan’s North American operations. Previously, Alexander worked with Deloitte & Touche and has experience in a
variety of industries, most notably automotive manufacturing, retail, aerospace, and defense. He is a
certified Raytheon Six Sigma expert.
Ellen Lux has over 25 years of domestic and international experience in the aerospace and defense industry. She joined
Raytheon in 2000 and has demonstrated leadership in a variety of roles within operations, supply chain, program
management, and quality. Lux has served in several aerospace industry associations: as the chair of the conflict minerals
working group in the Aerospace Industry Association (AIA) as well as leading an international pilot for collecting supplier
part provenance in the International Aerospace Environmental Group (IAEG). Prior to joining Raytheon, she was the
chief administrative and executive officer of a chamber of commerce in Texas. Lux is an Air Force veteran, having spent
time on active duty and reserves as a communications officer serving during Desert Shield/Desert Storm and Bosnia
operations. She is a certified Raytheon Six Sigma Expert and a Master Raytheon Six Sigma Expert in training.
Thursday | August 17, 2017 4:00 – 5:00 p.m.
CS 10-1: Getting the Boss to Listen to You: Becoming a Trusted Strategic Advisor
James Lukaszewski, ABC
President
The Lukaszewski Group
This powerful presentation will teach, inspire, and motivate participants to increase the personal impact they have
within their organizations and with clients, and help them become trusted strategic advisors. It is also about having a happier,
more important, influential, and successful career.
In this session, participants will:
• Demonstrate a more strategic perspective on the relationship between advisor and operating executives
and managers.
• Create a personal strategy to revise personal habits, approaches, and practices to be more effective and
influential.
• Exercise innovative and powerful advice-giving strategies that are more managerially and operationally
friendly, rather than technical and jargonistic.
Jim Lukaszewski is one of America’s most visible corporate go-to people for senior executives when there is trouble in
the room or on the horizon. As America’s Crisis Guru®, Lukaszewski is known for his ability to help executives look at
problems from a variety of sensible, constructive and principled perspectives. Lukaszewski is frequently recognized by
professional and industrial organizations for his contributions to the practice of crisis management. He has written 13
books and hundreds of articles and monographs.
CS 10-2: Post-merger Cyber Considerations
Jacob Gregg, CISA, CISSP
Senior Manager
Deloitte
Elvia Novak
Managing Director, Risk & Financial Advisory
Deloitte
Consolidation within the corporate landscape and industries presents both opportunities and risks for those involved in mergers and acquisitions, particularly as it relates to cyber issues. This presentation will cover post-merger cyber considerations that address key risks and opportunities to exceed common business performance goals.
In this session, participants will:
• Integrate operations and technologies across multiple and varying IT environments.
• Identify and normalize cyber risks from the “as-is” environment and consider how they will be addressed in the
“to-be” environment, including cloud, mobile, and on-premises technology.
• Organize teams and manage communications to move toward the common IT, security, and business goals.
Jacob Gregg works in Deloitte’s Risk & Financial Advisory cyber risk services practice and has over 12 years of
experience assessing, designing, and implementing general computer controls, business process controls, application
security controls, and segregation of duties (SoD), with special emphasis on the SAP environment. He has served as the
security and controls team lead for multiple full lifecycle ERP implementations and is a leader in Deloitte’s SAP GRC practice,
assisting clients with their compliance initiatives. Gregg serves in Deloitte’s quality control group, assisting engagements
with their internal risk management activities. As a cyber risk practitioner, he has assisted clients in developing IT policy
frameworks, classifying data, and determining cost-beneficial data protection techniques. Gregg is a
Deloitte training facilitator for SAP GRC and delivers training nationally.
Elvia Novak has over 25 years of experience with 19 years focused on ERP and internal controls for implementations,
audits, and assessments in the life and health sciences, manufacturing and consumer products industries. Her industry
experience includes procurement, planning, manufacturing, and supply chain management. Novak’s areas of specialty
include security, controls, and enterprise risk assessments, as well as project management.
CS 10-3: Vendor Risk Management: Responsibility Cannot Be Outsourced
Jennifer L. Donaldson, CRISC
Vendor Risk Advisor
FedEx Corporation
Kimberly Lofties, CRISC
Senior Vendor Risk Analyst
FedEx Corporation
Does your organization outsource services to a third party? Does your organization have a Vendor Risk Management
Program? As organizations outsource business-critical processes and services, the need for such a program is more apparent than
ever. Executive buy-in and stakeholder investment are necessary for the foundation of a risk-aware culture. As
awareness is heightened, Vendor Risk Management and stakeholders collaborate in a joint effort to identify and
mitigate risks.
In this session, participants will:
• Gain a better understanding of the role of a Vendor Risk Management Program when outsourcing.
• Understand the necessity of executive buy-in and stakeholder involvement with the program.
• Learn how to identify the inherent risk of outsourcing/offshoring.
• Identify the appropriate actions to mitigate the risk.
Kimberly Lofties is part of a team responsible for the development and growth of the FedEx Vendor Risk Management
(VRM) program. With over 12 years of experience in VRM, accounting, and compliance, she has led numerous efforts to
align VRM activities with key business partners to drive process improvement and efficiencies. Lofties co-authored
“Reinforcing the Links to Strengthen the Chain: Vendor Risk Management” for US Cyber Security Magazine.
Jennifer Donaldson has 17 years of vendor and contract compliance experience and contributed to the start-up of
FedEx’s Vendor Risk Management program. She supports third-party risk assessments and is responsible for training
efforts related to vendor risk awareness, mitigation, and contract management and volunteers on the company’s
Women-In-Leadership resource team. Donaldson co-authored an article titled “Reinforcing the Links to Strengthen the
Chain: Vendor Risk Management” for US Cyber Security Magazine.
CS 10-4: Diamond in the Rough: Maximizing Synergies of Global Governance and Investigation
Jesse Daves, CPA, CFF, CFE
BDO Consulting Managing Director
BDO USA, LLP
Dawn Williford, CIA, CRMA
South Region Leader, Risk Advisory Services
BDO USA, LLP
This story has it all: Diamond necklaces, excessive entertainment, mislabeled products, and an unsuspecting home office. This real-life case study is a sparkling example of process and control failures, corruption, cultural differences, unethical behavior including illicit diamond gifts, and lessons learned that can help auditors identify similar situations, get to the root of the problems, and implement changes and controls to move from a toxic environment to a diamond standard in governance.
In this session, participants will:
• Gain an understanding of risk factors of conducting business globally, specifically as it relates to doing business
in developing countries.
• Acquire an understanding of cultural issues and lack of home office oversight that contributed to control
failures, misaligned business practices, declines in product quality, and loss of market share.
• Obtain knowledge to recognize organizational triggers and audit techniques to uncover the depth and breadth
of these issues.
• Learn about leadership, processes, and controls changes that can drive behavioral change to shift an unhealthy
organization to one that aligns with values, laws, and expectations of the home office.
Jesse Daves has 20 years of experience providing audit, forensic accounting, and investigative services to clients across a wide range of industries, including energy, retail, real estate, and manufacturing. Daves has conducted fraud-related investigations involving numerous issues, including alleged violations of the Foreign Corrupt Practices Act (FCPA), embezzlement, kickbacks, Ponzi schemes, conflicts of interest, and various employment matters.
Dawn Williford has over 17 years of experience in delivering internal audit, compliance, and consulting solutions to Fortune 500 and middle market companies. Prior to joining BDO, Williford was at UHY Advisors TX, LLC for 12 years and before that, she was with PwC. She has assisted newly public companies in successfully achieving year-one Sarbanes-Oxley compliance and has been heavily involved in all aspects of business process evaluation and documentation, corporate governance, Sarbanes-Oxley readiness and ongoing compliance, risk assessments, root cause analysis, and internal audit outsourcing and cosourcing. Williford has managed large-scale internal audit, internal controls consulting, and Sarbanes-Oxley engagements. She has assisted clients with the design and implementation of their internal controls framework, and led teams that developed the firm’s COSO 2013 methodology. Williford assists clients with the development of their internal audit department and has served as the CAE for her outsourced internal audit clients. She has managed construction, vendor, joint venture, and large-scale multi-vendor audit programs that have identified millions of dollars in cost recoveries for her clients.
Friday | August 18, 2017 8:30 – 9:30 a.m.
General Session 2: Using Multiple Guidance Systems for the Governance of Enterprise IT
Mark Thomas, CGEIT, CRISC
President
Escoute Consulting
As GRC activities are increasingly integrated into enterprises, it is critical to ensure a healthy balance between
performance and conformance. This session will discuss how it is crucial to use multiple GPS-like systems to effectively
steer GRC activities and focus on creating value. Using multiple viewpoints can help improve decision-making and
strengthen an enterprise.
In this session, participants will:
• Recognize the importance of having multiple guidance systems to navigate GRC efforts in a holistic
manner.
• Learn how to leverage multiple perspectives and techniques in balancing performance and conformance
when determining GRC priorities.
• Gain insight into how to implement tactics and apply them to create value for your enterprise.
Mark Thomas is an internationally known governance, risk, and compliance expert in the areas of cybersecurity, IT
service management, assurance and audit, and IT controls. His background spans leadership roles from CIO to
management and IT consulting in several federal and state agencies, private firms, and Fortune 500 companies. With
over 25 years of professional experience, Thomas has led large IT teams, conducted information governance/risk
activities for major initiatives, managed enterprise applications implementations, and implemented cybersecurity and
governance processes across multiple industries. Additionally, he works as a consultative trainer and speaker, and
earned the ISACA John Kuyers award for Best Speaker/Conference contributor in 2016.
Friday | August 18, 2017 10:15 – 11:30 a.m.
Closing Keynote: Which Leadership Quality Matters Most With Stakeholders and Employees
Dick Finnegan
CEO
C-Suite Analytics
We usually hear leadership qualities in bunches with no established top one. Coaching? Career Development?
Communication? Or might recognition come in first since we hear so much about it?
There IS a clear leader: building trust. Think of it like this. Did your best-boss-ever build trust but your worst-boss-ever
did not? And did your best boss have weaknesses you easily accepted? And might your worst boss have had strengths
which were invisible to you? This pattern is clear: Once anyone in our lives crosses the boundary to trustworthiness,
they can do little wrong. And the opposite is true once they cross the other way. Trust-breakers are hard to forgive.
Which trust skills matter most?
1. Be transparent.
2. Apologize when you should.
3. Hold others accountable.
These same trust-building skills apply to our stakeholders, too, as small-but-strong indicators go a long way toward their
believing in our competence and integrity. And those two words — competence and integrity — are (or should be) in the first
sentence of any auditor job description.
Leaders who build trust excel at our two most important goals: create respected relationships with stakeholders and
produce more work from their teams.
In this session, participants will:
• Understand why trust is the key leadership attribute in building relationships.
• Review which trust skills matter most and why.
• Discuss strategies to build trust.
• Discuss the value of building trust.
Dick Finnegan founded C-Suite Analytics, which provides employee engagement and retention solutions, including STAYview, a
guaranteed solution. His experience includes solving turnover and engagement issues in Siberian banks, African gold
mines, multinational corporations in China, and for the CIA, as well as for health care, call centers, manufacturing, and
other industries in the United States. Finnegan has written a number of books, including SHRM’s all-time best seller The
Power of Stay Interviews for Engagement and Retention and Rethinking Retention in Good Times and Bad. His newest
titles are The Stay Interview: A Manager’s Guide to Keeping the Best and Brightest, published in over 20 languages and
available as an audio book, and HR’s Greatest Challenge: Driving the C-Suite to Improve Employee Engagement and
Retention. Finnegan is a popular, humorous, and insightful speaker for conference and corporate events. The Orlando
Sentinel’s editorial board recognized Finnegan for donating his professional services to non-profit organizations.