
2015 GRC Conference, August 17-19, 2015

The Arizona Biltmore Hotel, Phoenix, AZ

Sunday Aug. 16, 2015 8:30 AM - 5:10 PM

WRK-1 Intersecting IT and Audit by Leveraging COBIT5
Mark Thomas, CGEIT, CRISC, President, Escoute Consulting

In this session, participants will:

• Recognize the applicable products in the COBIT5 product family needed to develop a holistic approach to assurance.

• Understand the elements of creating a risk-based approach to developing an assurance strategy for IT.

• Appreciate the intersection of balancing performance and conformance with respect to assurance of IT services.

Mark Thomas is a nationally known ITIL and COBIT expert with more than 20 years of professional experience. His background spans leadership roles from CIO to management and IT consulting. Thomas has led large teams in outsourced IT arrangements, run PMOs, led service management and governance activities for major project teams, managed enterprise application implementations, and implemented governance processes across multiple industries. He is a consultative trainer and speaker in several disciplines, providing training for major training firms and consulting clients in business analysis, ITIL, COBIT, MOF, ISO 20000, TOGAF, and IT strategy.

Learning Level: Advanced
Learning Field: Auditing

WRK-2 Increasing Auditor Effectiveness in Recognizing & Detecting Fraud
Courtenay Thompson, Jr., Consultant, Courtenay Thompson & Associates

In this session, participants will:

• Understand why fraud goes undetected by auditors and management.

• Learn a five-step approach to build fraud detection into routine audit activity.

• Explore the impact and uses of technology on risk and fraud.

• Recognize exposures, symptoms of occurrence, and behavioral red flags of fraud.


• Learn purchasing-related exposures, including fraud in technology contracting.

Courtenay Thompson designs and presents courses on fraud prevention, detection, and investigation for business and government organizations worldwide. His experience prior to entering the consulting field included public accounting, internal auditing, and investigations, with exposure to cases ranging from fraudulent financial reporting to embezzlement, insurance fraud, loan fraud, kickbacks, and bribery. For 13 years, Thompson served as editor of Internal Auditor magazine's "Fraud Findings" column. In addition to fraud-related training, he offers courses on construction auditing, health benefits, data mining, internal auditing, and increasing personal effectiveness.

Learning Level: Intermediate
Learning Field: Auditing

Sunday Aug. 16, 2015 2:00 - 5:00 PM

Focus Group: Data Analytics: Maximizing Value for Internal Audit (Sponsored by Grant Thornton)
The IIA Research Foundation (IIARF)

Today's audit leader struggles with creating an integrated, efficient approach to data mining that maximizes the impact and value the audit department delivers. Join Grant Thornton and The IIARF for a focus group to share your experience and insights on data analytics with your peers and discuss best-in-class applications of data analytics. This focus group is part of an ongoing data analytics research project led by Grant Thornton and The IIARF, which will culminate in a published report in early 2016. Reception to follow.

Learning Field: No available CPE


Monday Aug. 17, 2015 8:30 - 9:45 AM

Opening Comments

GS 1 Fast Forward: Risks and Opportunities in Data
Eric Riz, Founder & Chief Executive Officer, Empty Cubicle Inc.

In this session, participants will:

• Learn techniques and skills to help keep the world secure — as well as your bank accounts.

• Separate fads from trends, highlighting ways organizations can become hybrid.

• Position yourself as a credible risk, governance, and opportunity expert with your clients.

Eric Riz is a sought-after international speaker, strategist, and author. He addresses Fortune 500 companies on business adoption, change management, and deployment strategies to ensure they maximize the rewards and mitigate the risks of our data-driven world. In 2014, Riz started Empty Cubicle, a job search platform focused on verifying candidate data to maximize employers' effectiveness in finding the perfect, verified match. A thought leader in the IT world, Riz is a regular contributor to many industry journals and newsletters. He is currently writing "SharePoint for Decision Makers."

Learning Level: Intermediate
Learning Field: Business Management & Organization

Monday Aug. 17, 2015 10:15 - 11:30 AM

CS 1-1 Strategic GRC: The Necessity of Holistic Views for Enterprise and Point Solution Approaches
Eric C. Parker, CISA, CRMA, Director, Risk Consulting, ERM & GRC, KPMG LLP
Karl Bender, Vice President, Enterprise Risk Management, Citizens Bank

In this session, participants will:

• Gain an understanding of the pros and cons of enterprisewide GRC and point solution implementations.

• Examine key steps performed within both types of implementations.

• Hear how organizations have assessed options for their GRC implementations and come to consensus on the right fit for their environment.

Eric Parker has more than 15 years of ERM, GRC, IT advisory, and audit experience. His background includes assisting organizations in the execution of enterprise risk assessments, development of governance programs, risk management process alignment, and holistic GRC services ranging from vendor selection to business requirements and testing. Parker's clients include leading firms in the financial services, industrial manufacturing, and energy industries.

Karl Bender is responsible for the GRC platform and program at Citizens Bank. Prior to joining Citizens Bank, he held a similar role at a large insurance company. He has more than 10 years of experience in operational risk management. Bender has led the design and deployment of many core and custom RSA Archer solutions for business functions in the insurance and banking industries.

Learning Level: Intermediate
Learning Field: Management Advisory Services

CS 1-2 Data Analytics: A Framework for Internal Audit
Matt Petrich, Senior Manager and National Forensic Technology Services Leader, Grant Thornton
Skip Westfall, Managing Director, Grant Thornton

In this session, participants will:

• Learn about the joint research project on data analytics currently underway partnering Grant Thornton with The IIA Research Foundation.

• Identify the challenge that precipitated the project – that audit leaders struggle with creating an integrated, efficient approach to data mining.

• Discuss the project’s objective which is to design a data analytics framework encompassing a spectrum of concepts.


• Explore how this framework could apply to areas such as financial risk, compliance, and fraud to help auditors broaden their risk coverage and enhance audit efficiency.

Matt Petrich has more than 20 years of professional experience, specializing in data mining/business analytics and data visualization. He has worked with many of the largest and most complex organizations around the world, including law firms and IP departments, on legal-related technology strategy, selection, and implementation. He has also worked with retailers, health care organizations, banks, wealth management firms, and securities trading organizations in the areas of fraud detection, data analytics, data visualization, predictive analytics, and technology strategy, selection, and implementation.

Skip Westfall leads the Forensic Technology Services practice of the firm's Forensic, Investigative & Dispute Services unit and co-chairs the firm's cybersecurity practice. A management and litigation consultant, Westfall specializes in cybersecurity, computer forensics, electronic discovery, and data analytics in support of cyber investigations and civil litigation.

Learning Level: Intermediate
Learning Field: Auditing

CS 1-3 Cyber Insecurity and Developing an Effective Risk Mitigation Program
Chris Reffkin, Senior Manager, Crowe Horwath
Raj Chaudhary, CGEIT, CRISC, Principal, Crowe Horwath

In this session, participants will:

• Describe effective approaches to address cyber threat and risk assessments.

• Identify key components of a robust cybersecurity strategy and tactical plan.

• Explore metrics and reporting approaches.

• Share approaches for breach preparation and breach management.

Chris Reffkin advises clients across multiple industries on information security and privacy, focusing on governance and strategy. He is a senior manager in the risk consulting business unit of Crowe Horwath and a national leader for information security services at CHAN Healthcare. Through his more than 10 years' experience, he has assisted clients across a spectrum of information security services, from penetration testing to board-level education.

Raj Chaudhary has more than 30 years' experience in the field of information systems. In addition to his role with Crowe Horwath, he serves as senior vice president of risk consulting at CHAN Healthcare. He has been the global solution lead for cybersecurity solutions since 2006 and has presented on this topic at industry meetings around the world.

Learning Level: Intermediate
Learning Field: Management Advisory Services

CS 1-4 Fraud and the Forensic Matrix
Gary German, Managing Director, Alba Advisors, LLC

In this session, participants will:

• Learn to define fraud and explore how big it really is.

• Understand why fraud isn't prosecuted and why external audits do not find instances of fraud.

• Discover a "matrix approach" to forensic accounting: a combination of financial analysis and the related inferential context to detect and investigate fraud.

• Explore the future of forensic accounting.

Gary German has extensive expertise in audit, forensic accounting, and fraud investigation. He joined Price Waterhouse & Co. out of college and developed a broad base of experience in both manufacturing and financial services. He spent 25 years in the insurance segment and held senior management positions with some of the most respected names in the industry. German has worked with state and federal law enforcement as the lead forensic investigator in major fraud investigations and has designed and implemented internal audit functions for major companies. He is a frequent presenter on the topic of fraud, and his audiences have included various CPA groups, the U.S. Secret Service, and the Federal Reserve.

Learning Level: Intermediate
Learning Field: Behavioral Ethics


Monday Aug. 17, 2015 12:45 - 2:00 PM

CS 2-1 ISO/IEC 29100 Privacy Framework Overview
David G. Wood, CISA, CISM, CGEIT, CRISC, Senior Managing Consultant, IBM Corporation

In this session, participants will:

• Preview a variety of privacy frameworks used around the world.

• Focus on ISO/IEC 29100: its scope, importance, and specific clauses.

• Discover ways to implement ISO/IEC 29100 in your organization.

• Learn how to obtain the ISO/IEC 29100 standard, along with resources and key takeaways.

David Wood is the team leader of the Data Privacy and Protection Office, responsible for leading privacy assessments in delivery centers around the world. He is a seasoned professional and has been with IBM for nearly 35 years. Wood's major strengths are in data privacy, information security, high availability consulting, internal controls, and auditing.

Learning Level: Advanced
Learning Field: Business Management & Organization

CS 2-2 Organizational Political Pressure and the Impact on CAEs
Patricia Miller, QIAL, CIA, CISA, CRMA, Partner (Retired), Deloitte & Touche

In this session, participants will:

• Learn about the nature and breadth of political pressure, with personal stories from research participants and the results of a survey of nearly 500 CAEs.

• Hear about the practices of leading CAEs to proactively manage organizational political pressure.

• Learn strategies to apply in your organization to address the risk (or existence) of organizational political pressure.

Patty Miller is experienced in governance, risk, and control subjects, with significant consulting and managerial experience in finance, accounting, auditing, and risk management. She worked with Deloitte for 14 years, providing risk management, internal audit, control consulting, Sarbanes-Oxley, and related professional services. Miller joined Deloitte after a 14-year career with Pacific Bell, where she held numerous management positions in diverse management and finance areas, as well as internal audit. She has served The IIA as a volunteer leader for many years in key roles, including serving on the global board of directors and the executive committee, and as board chair in 2008–09. Miller currently chairs the International Internal Audit Standards Board. She is a frequent speaker on governance, risk management, and control topics, and has co-authored research projects for The IIA Research Foundation (IIARF) and articles for Internal Auditor magazine. Miller recently co-authored "The Politics of Internal Auditing" research report with Dr. Larry Rittenberg.

Learning Level: Intermediate
Learning Field: Business Management & Organization

CS 2-3 Attesting IT Assets and Key Configuration Items as a Pre-audit Measure: The Why and The How
Neville Lee, Director, IT Asset & Configuration Management, a Fortune 100 financial services organization
Ram Ramdattan, CISM, Industry Principal, Infosys

In this session, participants will:

• Discover an innovative approach to minimize and avoid IT asset-related pain.

• Learn how IT asset attestation can provide a repeatable process to validate the state of IT assets.

• Understand the basic framework, procedures, and business benefits of asset attestation.

• Explore a case study involving the implementation of asset and configuration attestation at a large financial services company.

Neville Lee serves as an architectural steward for both business and technology solutions at a Fortune 100 organization, providing technical direction and consulting expertise to support governance and IT service management platform strategies. He has many years of experience aligning strategic goals and objectives for products and services, working with partners and vendors, and collaborating with cross-functional organizations to ensure delivery of capabilities that align with key business and IT initiatives.

Ram Ramdattan is responsible for evolving strategic partnerships with clients and positioning solutions. An acknowledged thought leader and strategist, he is experienced in practice development, IT consulting, delivery engagements, and alliances. Over the last 15 years, his contributions have resulted in successful initiatives across Fortune 100 organizations in IT services, governance and compliance management, service automation, enterprise and cloud infrastructure, and data center transformation.

Learning Level: Intermediate
Learning Field: Auditing

CS 2-4 Internal Audit and Crisis Management: Essential to Preserving Reputational Integrity
Sanjay Patel, Chief Operating Officer, Illinois Power Agency

In this session, participants will:

• Learn to appreciate the meaning behind a crisis situation and the value of pre-planning.

• Explore the fundamental tenets of effective crisis management.

• Discuss ways internal audit can add value in organizational crisis management planning.

• Identify strategies and tools to successfully address and manage crisis situations to preserve organizational reputation and credibility.

Sanjay Patel has more than 20 years of progressive experience in the public and private sectors, spanning regulatory compliance, finance/budgeting, risk/internal controls/audit, corporate tax compliance, training, and graduate-level teaching. Previously, he served as CFO for the Illinois Governor's Office of Health Information Technology. Patel has assisted state agencies in addressing the compliance and reporting requirements of the 2009 Recovery Act, and has assisted numerous clients in addressing Sarbanes-Oxley Section 404 compliance requirements.

Learning Level: Intermediate
Learning Field: Business Management & Organization


Monday Aug. 17, 2015 2:30 - 3:45 PM

CS 3-1 Devising Internal Controls for Enterprise SaaS
Chong Ee, CISA, CGEIT, Senior Finance Systems Manager, Twilio

Whether your efforts are focused on becoming internal control-ready or on compliance with external regulations, this session will help you harness the power of enterprise software as a service (SaaS) to address the control objectives of validity, accuracy, and completeness.

In this session, participants will:

• Distinguish SaaS from on-premise software.

• Identify different types of controls that focus on outcome, behavior, and analysis.

• Understand the ease of customization through fields, records, and roles, and the implications for configuration controls.

• Realize the importance of interface controls that trace a transaction end to end across an ecosystem of myriad SaaS applications.

Chong Ee focuses on optimizing the use and integration of financial cloud applications. Most recently, Ee served as senior manager of financial systems for Trulia, where he implemented financial SaaS to support the company's growth from startup through IPO and as a public company. Before that, Ee spent 13 years in various compliance, audit, and consulting capacities for Big Four firms, Fortune 500 companies, and startups. He is a certified NetSuite ERP Consultant and NetSuite Administrator.

Learning Level: Intermediate
Learning Field: Auditing

CS 3-2 Enhancing Your Approach to ERM
Allen Still, CIA, Manager, Blue & Co., LLC

In this session, participants will:

• Expand your understanding of ERM and how it fits in your organization.

• Discuss how ERM affects more than just compliance.

• Hear how other organizations have tackled ERM — both successfully and unsuccessfully.


• Learn important strategies and insights for enhancing your approach to ERM, making it sustainable and driving value.

Allen Still has nearly 10 years of risk consulting experience serving clients in industries across the private and public sectors. He has significant experience in risk management, internal audit, controls development, and other governance services, and currently provides risk assessment and consultative control services to leadership. Throughout his career, he has helped clients assess and manage risk, identify areas for process improvement, and enhance the effectiveness of internal controls. Still also provides internal audit, performance audit, leading practices assessment, and benchmarking services.

Learning Level: Advanced
Learning Field: Specialized Knowledge and Applications

CS 3-3 Next Level Cybersecurity PKI Auditing
Nathan Mason, Internal Auditor, Booz Allen Hamilton

In this session, participants will:

• Learn the value of policy and standard governance as it relates to PKI digital certificates, keys, and cryptographic protocols.

• Explore the role internal audit can play in enabling organizations to effectively manage the risk of known and unknown PKI vulnerabilities.

• Discuss an effective and immediate PKI audit action plan internal audit can implement within their organization.
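The bullets above name the three things a first PKI audit pass has to cover: the written standard (policy), the certificates and keys as deployed, and the protocols they are served over. The following is an added example of that pass, not material from the session or from Booz Allen Hamilton. It assumes the auditor has an inventory export with one record per deployed certificate (what a discovery scan or a certificate management system produces); the records, the approved-issuer list, the hostnames and every threshold in POLICY are constructed for illustration and stand in for an organization's own PKI standard.

```python
"""Certificate-inventory audit against a written PKI standard.

Added example, not from the conference session. Assumes an inventory export
with one record per deployed certificate; all records, issuers and thresholds
below are constructed.
"""
from datetime import date

# Policy thresholds: assumptions standing in for an organization's PKI standard.
POLICY = {
    "min_key_bits": {"RSA": 2048, "EC": 256},
    "weak_sig_algs": {"md5WithRSAEncryption", "sha1WithRSAEncryption", "ecdsa-with-SHA1"},
    "expiry_warning_days": 30,
    "max_validity_days": 825,
    "approved_issuers": {"Example Corp Issuing CA 1", "Example Corp Issuing CA 2"},
    "deprecated_protocols": {"SSLv2", "SSLv3", "TLSv1.0"},
    "wildcard_allowed": False,
}
AS_OF = date(2015, 8, 17)  # audit date used for expiry arithmetic


def cert(host, subject, issuer, not_before, not_after, key_type, key_bits,
         sig_alg, sans, key_fingerprint, protocols):
    """One inventory record; plain dicts keep the example dependency-free."""
    return dict(host=host, subject=subject, issuer=issuer, not_before=not_before,
                not_after=not_after, key_type=key_type, key_bits=key_bits, sig_alg=sig_alg,
                sans=sans, key_fingerprint=key_fingerprint, protocols=protocols)


# Constructed inventory: one clean host and five that each break the standard differently.
INVENTORY = [
    cert("www.example.com", "CN=www.example.com", "Example Corp Issuing CA 1", date(2015, 1, 1),
         date(2016, 1, 1), "RSA", 2048, "sha256WithRSAEncryption", ["www.example.com"], "fp-www", ["TLSv1.2"]),
    cert("legacy.example.com", "CN=legacy.example.com", "Example Corp Issuing CA 1", date(2014, 9, 1),
         date(2015, 9, 1), "RSA", 1024, "sha1WithRSAEncryption", ["legacy.example.com"], "fp-legacy", ["TLSv1.0", "TLSv1.2"]),
    cert("intranet.example.com", "CN=intranet.example.com", "CN=intranet.example.com", date(2015, 1, 1),
         date(2025, 1, 1), "RSA", 2048, "sha256WithRSAEncryption", ["*.example.com"], "fp-intranet", ["TLSv1.2"]),
    cert("api.example.com", "CN=api.example.com", "Unknown Public CA", date(2015, 3, 1),
         date(2016, 3, 1), "EC", 256, "ecdsa-with-SHA256", ["api.example.com"], "fp-shared", ["TLSv1.2"]),
    cert("partner.example.com", "CN=partner.example.com", "Example Corp Issuing CA 2", date(2015, 3, 1),
         date(2016, 3, 1), "EC", 256, "ecdsa-with-SHA256", ["partner.example.com"], "fp-shared", ["TLSv1.2"]),
    cert("old.example.com", "CN=old.example.com", "Example Corp Issuing CA 1", date(2013, 6, 1),
         date(2015, 6, 1), "RSA", 2048, "sha256WithRSAEncryption", ["old.example.com"], "fp-old", ["TLSv1.2"]),
]


def audit_certificate(rec, policy=POLICY, as_of=AS_OF):
    """Per-certificate checks; returns a list of (severity, code, detail)."""
    f = []
    days_left = (rec["not_after"] - as_of).days
    if days_left < 0:
        f.append(("high", "EXPIRED", "expired %d days ago" % -days_left))
    elif days_left <= policy["expiry_warning_days"]:
        f.append(("medium", "EXPIRING_SOON", "%d days left" % days_left))
    min_bits = policy["min_key_bits"].get(rec["key_type"])
    if min_bits is None:
        f.append(("medium", "UNKNOWN_KEY_TYPE", rec["key_type"]))
    elif rec["key_bits"] < min_bits:
        f.append(("high", "WEAK_KEY", "%s-%d below %d" % (rec["key_type"], rec["key_bits"], min_bits)))
    if rec["sig_alg"] in policy["weak_sig_algs"]:
        f.append(("high", "WEAK_SIG_ALG", rec["sig_alg"]))
    if rec["issuer"] == rec["subject"]:          # self-signed: no chain to audit at all
        f.append(("high", "SELF_SIGNED", rec["issuer"]))
    elif rec["issuer"] not in policy["approved_issuers"]:
        f.append(("medium", "UNAPPROVED_ISSUER", rec["issuer"]))
    validity = (rec["not_after"] - rec["not_before"]).days
    if validity > policy["max_validity_days"]:
        f.append(("medium", "VALIDITY_TOO_LONG", "%d days" % validity))
    wild = [s for s in rec["sans"] if s.startswith("*.")]
    if wild and not policy["wildcard_allowed"]:
        f.append(("medium", "WILDCARD", ", ".join(wild)))
    bad = sorted(set(rec["protocols"]) & policy["deprecated_protocols"])
    if bad:
        f.append(("medium", "DEPRECATED_PROTOCOL", ", ".join(bad)))
    return f


def audit_inventory(inventory=INVENTORY, policy=POLICY, as_of=AS_OF):
    """Per-certificate checks plus the cross-certificate key-reuse check."""
    results = {rec["host"]: audit_certificate(rec, policy, as_of) for rec in inventory}
    by_key = {}
    for rec in inventory:
        by_key.setdefault(rec["key_fingerprint"], []).append(rec)
    for fp, recs in by_key.items():
        subjects = {r["subject"] for r in recs}
        if len(subjects) > 1:  # one private key behind certificates for different names
            for r in recs:
                others = ", ".join(sorted(subjects - {r["subject"]}))
                results[r["host"]].append(("high", "KEY_REUSE", "key %s also used by %s" % (fp, others)))
    return results


def severity_totals(results):
    """Roll-up for the audit report: count of findings per severity."""
    totals = {"high": 0, "medium": 0}
    for findings in results.values():
        for sev, _, _ in findings:
            totals[sev] += 1
    return totals


if __name__ == "__main__":
    for host, findings in audit_inventory().items():
        for sev, code, detail in findings:
            print("%s: [%s] %s: %s" % (host, sev, code, detail))
    print(severity_totals(audit_inventory()))
```

The self-signed and unapproved-issuer checks are deliberately exclusive so a self-signed certificate is reported once, and key reuse is only flagged when the same key sits behind certificates for different subjects, since a single certificate copied across a load-balanced cluster is normal. Each threshold lives in POLICY so the script can be pointed at the organization's actual standard rather than at the numbers assumed here.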

Nathan Mason has nearly 12 years of experience as a cybersecurity engineer and currently serves in the IT arena for his organization, where he oversees and directs several comprehensive internal audit functions. Prior to joining Booz Allen Hamilton's internal audit team, he worked for various federal government entities providing PKI software engineering expertise, including PKI implementation and vulnerability assessment research. Mason also developed and taught an in-depth Information Assurance PKI training course to CERT, forensic, and penetration testing teams and to senior leadership, with a focus on PKI exploitation, access control techniques, and integrating risk management methodologies within the network.

Learning Level: Intermediate
Learning Field: Business Management & Organization

CS 3-4 Anti-bribery and Corruption: Internal Audit's Role
Nancy Haig, CIA, CFSA, CRMA, CCSA, CRISC, Director of Internal Audit and Compliance, Alvarez & Marsal

In this session, participants will:

• Understand the risks of bribery and corruption, and the consequences of non-compliance with global regulations.

• Learn how to effectively collaborate with the compliance and ethics function to determine whether risks are adequately mitigated.

• Practice designing an internal audit program to assess effectiveness of your anti-bribery and corruption compliance program.

Nancy Haig implemented and heads both the internal audit and compliance functions of a global consulting firm. Previously she was vice president of internal audit, North America, for a global pharmaceutical manufacturer, where she led a team focused on strategic; regulatory compliance; IT; operational; financial; and environment, health, and safety risks to the company. She currently serves as a member of The IIA's North American Board, the Publications Advisory Committee, and the Editorial Board. Recently she was appointed to her local municipality's financial advisory committee to focus on improving financial internal controls after a significant defalcation was publicized.

Learning Level: Intermediate
Learning Field: Business Management & Organization

Monday Aug. 17, 2015 3:55 - 5:10 PM

CS 4-1 A Practical Approach for Integrating Critical SCADA/IC Systems Risk Management With Enterprise GRC
Oscar Viniegra Lira, CRMA, CISA, CRISC, Chief Executive Officer, ISM

In this session, participants will:

• Understand the need to address SCADA/IC Systems risk within the enterprise’s GRC.

• Learn the main elements of a High Performance Risk Management Model (HPRMM) and how to apply it for SCADA/IC systems.


• Understand what is needed to integrate risk management efforts of the technological platform to the enterprise GRC.

• Take away a set of key questions to determine if there are gaps in the integration of SCADA/IC Systems Risk Management with the enterprise GRC.

Oscar Viniegra Lira has more than 20 years of experience in governance, risk management, internal control, compliance, information security, and IT. He has advised companies around the world on risk management and cybersecurity for SCADA/ICS systems, defining risk strategies and models, executing assessments, and defining risk treatment. For more than 15 years, Viniegra Lira has participated in international forums, delivering courses, workshops, and conferences in Latin America, the USA, and New Zealand on governance, risk management, fraud prevention, compliance, and information security. He is an official OCEG and (ISC)2 instructor.

Learning Level: Intermediate
Learning Field: Business Management & Organization

CS 4-2 Risk as an Enabler of Growth
Brian Schwartz, US Performance Governance Risk and Compliance Leader, PwC
Kimberly H. Johnson, Senior Vice President and Deputy Chief Risk Officer, Fannie Mae

In this session, participants will:

• Learn how organizations can better integrate risk management into the business.

• Understand how risks interconnect and impact business performance.

• Achieve greater alignment across business units, including strategic planning.

• Apply more sophisticated techniques to manage and monitor risks to protect the business while enabling it.

• Identify methods to shift from risk assessment, to ERM, to strategic risk management.

• Share leading practices from PwC's 2015 Risk in Review survey.

Brian Schwartz oversees all GRC service offerings, including corporate governance, risk management, compliance, GRC tools enablement, and business continuity management. He is responsible for setting strategy, overseeing resources, developing methods, and developing thought leadership for the company's GRC practice. His governance and risk management experience and competencies have been developed over the past 25-plus years, working with clients in building, assessing, and transforming their governance structures, risk management capabilities, and compliance efforts. Schwartz focuses on aligning governance and risk management to internal stakeholder expectations, business performance drivers, and regulatory expectations. He has hands-on experience with setting up and evaluating risk management programs, operational risk management activities, and board committee governance. Prior to joining PwC, Schwartz led the Global and Americas internal audit and controls practice for another Big Four firm. He spent 10 years in the banking industry prior to joining professional services, serving as CAE, head of loan/credit review, co-chair of the risk management oversight committee, and corporate compliance officer. He has spoken on risk management and audit topics at numerous professional conferences and has authored articles for internal audit and risk management publications.

Kimberly H. Johnson is responsible for aggregate credit risk management, including setting corporate-level credit policies, limits, and delegations. Her leadership of enterprise credit risk management covers single-family, multifamily, and counterparty credit. Johnson is also a member of the Operating Committee, Fannie Mae's leadership team. Previously, Johnson was senior vice president of multifamily capital markets and pricing, responsible for establishing credit pricing terms to maximize the profitability of the multifamily credit book and for overseeing Multifamily Delegated Underwriting and Servicing (DUS) securities trading and the Guaranteed Multifamily Structures (GeMS) resecuritization program. Earlier, she served as vice president for capital markets–multifamily and vice president–credit risk, ERM. Before joining Fannie Mae in 2006, Johnson was a director at Credit Suisse, where her responsibilities included fixed-income sales coverage of financial institutions, hedge funds, money managers, and U.S. government-sponsored entities. Previously, she was a U.S. equity trader at D.E. Shaw & Co.

Learning Level: Intermediate
Learning Field: Management Advisory Services

CS 4-3 How to Minimize Your Fraud Exposure Through Effective ERP SOD Controls
Adam Harpool, CISA, Manager, Approva National Leader, McGladrey
Luke Leaon, CISA, Manager & Approva Security and Quality Leader, Risk Advisory Services, McGladrey

In this session, participants will:


• Learn why checking a compliance box shouldn't be the main objective of a segregation of duties (SOD) program.

• Learn how increases in functionality and complexity in major ERP packages have amplified the need for effective automated controls.

• Explore the risks of not regularly maintaining your rule sets.

• Discover how a poorly managed solution can impact your ability to manage risk and prevent or detect fraud.

• See real-world examples of how effective SOD controls can mitigate fraud risk.
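What an automated SOD control actually does is simple to state and easy to get wrong, so here is an added example of the evaluation the bullets above describe. It is not part of the conference program and is not McGladrey's or Approva's rule set: the rule IDs, transaction codes, roles and users are constructed and hypothetical. The check reports, for each conflict, which role grants each side of the rule, so the remediation can target the role itself when one role grants both sides; a second function applies the same rule set to roles alone (a role that conflicts on its own is a conflict for every user who will ever hold it); and a third lists the two signs of a rule set nobody maintains, rule codes that no role grants and granted codes that no rule mentions.

```python
"""Segregation-of-duties (SOD) rule-set evaluation over an ERP authorization extract.

Added example; the rules, transaction codes, roles and users below are
constructed and hypothetical, not a vendor's shipped rule set.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SodRule:
    """Two capability sets that one person must not hold together."""
    rule_id: str
    description: str
    side_a: frozenset
    side_b: frozenset
    risk: str


@dataclass(frozen=True)
class Finding:
    user: str
    rule_id: str
    risk: str
    side_a_hits: tuple  # sorted (transaction code, granting role) pairs
    side_b_hits: tuple
    intra_role: bool    # True when a single role grants both sides


# Constructed rule set. P2P-04 references a code no role grants (a stale rule).
RULES = [
    SodRule("P2P-01", "Maintain vendor master and post vendor invoice",
            frozenset({"VENDOR_CREATE", "VENDOR_CHANGE"}), frozenset({"AP_INVOICE_POST"}), "high"),
    SodRule("P2P-02", "Create purchase order and approve purchase order",
            frozenset({"PO_CREATE"}), frozenset({"PO_APPROVE"}), "high"),
    SodRule("P2P-03", "Post vendor invoice and release payment run",
            frozenset({"AP_INVOICE_POST"}), frozenset({"PAYMENT_RUN"}), "high"),
    SodRule("GL-01", "Maintain chart of accounts and post journal entries",
            frozenset({"COA_MAINTAIN"}), frozenset({"JE_POST"}), "medium"),
    SodRule("P2P-04", "Unblock vendor and release payment run",
            frozenset({"VENDOR_BLOCK"}), frozenset({"PAYMENT_RUN"}), "medium"),
]

# Constructed role -> transaction codes. BANK_MASTER_CHANGE appears in no rule.
ROLE_TCODES = {
    "AP_CLERK": {"AP_INVOICE_POST", "VENDOR_DISPLAY"},
    "AP_MANAGER": {"AP_INVOICE_POST", "PAYMENT_RUN", "BANK_MASTER_CHANGE"},
    "VENDOR_MAINT": {"VENDOR_CREATE", "VENDOR_CHANGE", "VENDOR_DISPLAY"},
    "BUYER": {"PO_CREATE"},
    "PURCHASING_MGR": {"PO_APPROVE"},
    "GL_ACCOUNTANT": {"JE_POST"},
    "ADMIN_ALL": {"VENDOR_CREATE", "AP_INVOICE_POST", "PAYMENT_RUN", "PO_CREATE",
                  "PO_APPROVE", "COA_MAINTAIN", "JE_POST"},
}

# Constructed user -> roles extract.
USER_ROLES = {
    "alice": ["AP_CLERK"],
    "bob": ["AP_CLERK", "VENDOR_MAINT"],
    "carol": ["BUYER", "PURCHASING_MGR"],
    "dave": ["ADMIN_ALL"],
    "erin": ["GL_ACCOUNTANT"],
}


def tcode_sources(user, user_roles=USER_ROLES, role_map=ROLE_TCODES):
    """Map each transaction code the user can execute to the roles that grant it."""
    sources = {}
    for role in user_roles.get(user, []):
        for tcode in role_map.get(role, ()):
            sources.setdefault(tcode, set()).add(role)
    return sources


def evaluate_rule(rule, sources):
    """Return (side_a_hits, side_b_hits, intra_role) or None when the rule is not violated."""
    a_hits = {t: sources[t] for t in rule.side_a if t in sources}
    b_hits = {t: sources[t] for t in rule.side_b if t in sources}
    if not a_hits or not b_hits:
        return None
    roles_a = set().union(*a_hits.values())
    roles_b = set().union(*b_hits.values())
    return a_hits, b_hits, bool(roles_a & roles_b)


def user_conflicts(user, rules=RULES):
    """All rule violations for one user, with the roles responsible for each side."""
    sources = tcode_sources(user)
    findings = []
    for rule in rules:
        hit = evaluate_rule(rule, sources)
        if hit is None:
            continue
        a_hits, b_hits, intra = hit
        findings.append(Finding(
            user, rule.rule_id, rule.risk,
            tuple(sorted((t, r) for t, rs in a_hits.items() for r in rs)),
            tuple(sorted((t, r) for t, rs in b_hits.items() for r in rs)),
            intra))
    return findings


def role_conflicts(rules=RULES, role_map=ROLE_TCODES):
    """Roles that violate a rule on their own, whether or not anyone holds them yet."""
    out = {}
    for role, tcodes in role_map.items():
        ids = [r.rule_id for r in rules if (r.side_a & tcodes) and (r.side_b & tcodes)]
        if ids:
            out[role] = ids
    return out


def rule_set_maintenance(rules=RULES, role_map=ROLE_TCODES):
    """(rule codes no role grants, granted codes no rule mentions); the second list is
    for review, since display-only codes legitimately belong to no rule."""
    rule_codes = set().union(*(r.side_a | r.side_b for r in rules))
    granted = set().union(*role_map.values())
    return sorted(rule_codes - granted), sorted(granted - rule_codes)


if __name__ == "__main__":
    for user in sorted(USER_ROLES):
        for f in user_conflicts(user):
            print(f.user, f.rule_id, f.risk, "intra-role" if f.intra_role else "cross-role")
    print(role_conflicts())
    print(rule_set_maintenance())
```

Reporting the granting role on each side is what turns a list of violations into a remediation plan: bob's conflict comes from two roles and is fixed by removing one assignment, while dave's four conflicts all come from ADMIN_ALL and are fixed only by splitting that role. The maintenance function is the cheap control against the stale-rule-set risk in the bullets: run it after every ERP release or role change and review both lists.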

Adam Harpool is a technology risk advisory manager and an SAP subject matter specialist for the firm, and serves as national leader for the firm's Approva ERP security controls monitoring (ESCM) platform. Prior to joining McGladrey, Harpool served as an advisor and management consultant in the Big 4 for leading Fortune 500 and mid-market enterprises, focusing on developing and leading teams in enterprise resource planning (ERP) advisory services, IT strategy and performance consulting, IT internal audit, and performance improvement/business process enhancement engagements.

Luke Leaon is a technology risk advisor and regional ERP leader. Prior to joining McGladrey, he worked for a large public utility and spent four years at one of the Big 4 professional services firms. With more than 10 years of industry experience, he has extensive knowledge in leading and working in diverse teams, developing people, and managing a wide variety of consulting and assurance engagements. His areas of expertise are SAP, segregation of duties testing, SOD rule set assessment, control redesign, business process improvement, IT risk assessments, IT Sarbanes-Oxley testing, Service Organization Control (SOC) reporting, and technical application, operating system, and database assessments.

Learning Level: Intermediate
Learning Field: Business Management & Organization

CS 4-4 Privacy Is Not a 4-letter Word: The Relationship Between US and Them - and Emerging Issues
K Royal, Privacy Counsel, Align Technology, Inc.

In this session, participants will:

• Learn how to partner across disciplines to leverage the expertise and influence of each side.


• Identify areas of common interest, such as audits, whistleblowing, vendor oversight, and global concerns.

• Review and discuss emerging privacy issues (including new legislation and technologies).

K Royal has more than 20 years of experience in the legal and health-related fields, which provides her a thorough perspective with global programs. She is experienced in privacy/data protection, cross-border transfers of data, training, and program development, with particular interest in technology along with its challenges and opportunities. As an attorney, Royal has been recognized as a Forty-under-40 honoree (Phoenix), as an educational leader through the YWCA, and most recently as a finalist in Silicon Valley Corporate Counsel, Rising Star category. Learning Level: Intermediate Learning Field: Business Management & Organization

Tuesday Aug. 18, 2015 8:30 - 9:45 AM GS 2 Driving Success in a Changing World: 10 Imperatives For Internal Audit Richard Chambers, CIA, QIAL, CGAP, CCSA, CRMA President and Chief Executive Officer The IIA In this session, participants will:

• Examine 10 areas where internal audit practitioners can focus as we respond to the unprecedented risks and opportunities that lie before us.

• Identify strategies for how internal auditors can play a leading role in our organizations by providing courageous and forward-looking advice and guidance to key stakeholders.

• Assess tips for how to address the expectations gap between how stakeholders view internal audit’s performance and how we rate our own work.

• Explore tactics for how to invest in excellence, especially by investing in our own professional development, and by recruiting, motivating, and retaining great team members.

Richard Chambers has more than four decades of internal audit and related experience. Previously, he was national practice leader in Internal Audit Advisory Services at PricewaterhouseCoopers; inspector general of the Tennessee Valley Authority; deputy inspector general of the U.S. Postal Service; and director of the U.S. Army Worldwide Internal Review Organization at the Pentagon. Chambers currently serves on the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Board of Directors; the International Integrated Reporting Council (IIRC); and The IIA Board of Directors. Previously, he served on the U.S. President’s Council on Integrity and Efficiency; the Audit Board of the City of Orlando, Fla.; The IIA Internal Audit Standards Board; and The IIA North American Board. Chambers received the Association of Government Accountants (AGA) Frank Greathouse Distinguished Leadership Award and the National Association of Black Accountants (NABA) Legacy Award. Accounting Today named him one of the Top 100 Most Influential People in Accounting as well as one of 10 tweeters worth following. The National Association of Corporate Directors (NACD) named him one of the most influential leaders in corporate governance. Chambers authored the award-winning book, Lessons Learned on the Audit Trail. Learning Level: Intermediate Learning Field: Business Management & Organization

Tuesday Aug. 18, 2015 10:15 – 11:30 AM CS 5-1 Implementing an AnyTime, AnyDevice, AnyWhere Audit Approach At Waters Shannon Murray Internal Audit Manager Waters Corporation In this session, participants will:

• Learn how the latest technologies can fuel your audit approach to do more with less.

• Understand how Waters Corporation enabled “Governance as a Service.”

• Discover the power of collaboration techniques including file sharing, version control, and real-time transparency on audit results and tests.

• Find out how to enable real-time dashboards and reporting directly to the Audit Committee over traditional methods of Word, PowerPoint, and Excel.

• Learn how to make your audit and GRC function paperless and nimble.

Shannon Murray is responsible for managing the audit team at Waters and the external co-sourced auditors around the world. She has led the small audit function to real time data, anytime, anywhere, and on any device. Murray has seven years of internal audit experience in the life science industry and implemented the utilization of technology to create transparency between the internal audit team, co-sourced auditors, and their CAE as well as having supervised/executed numerous domestic and international risk-based internal audits and business process reviews designed to assess and recommend improvements to internal controls, policies, and procedures for compliance, effectiveness, and efficiency. Murray has collaborated with business teams to assist in process reviews/improvements and audit work around trade compliance, conflict minerals, data privacy, and anti-bribery/FCPA. Learning Level: Intermediate Learning Field: Business Management & Organization

CS 5-2 Resiliency: A New Approach and Industry Perspective for Traditional BC/DR Programs Asheesh Bajaj Senior Manager Ernst & Young Nazir Vellani Senior Manager Ernst & Young Paul Sussex, CRISC, CISA Principal, IT Advisory Services EY In this session, participants will:

• Get familiar with relevant jargon and acronyms: TDR, RTO, TRP, BIA, RTC, and more.

• Explore a potential chain of events that might trigger an organization’s walk through this alphabet soup.

• Identify what is missing from this logical progression of recognition of a potential disaster through to recovery: Resiliency.

• Learn a structured approach to resiliency programs designed to enhance and complement the traditional methodology.

Asheesh Bajaj has more than 15 years of IT experience, with the last 10 years as an IT strategy and service management advisor focusing on IT service management gap analysis and strategic roadmap planning; ROI and TCO analysis; IT operating model design, process design and deployment; business continuity; IT application migration and management; balanced scorecard; and IT controls and governance. Nazir Vellani has more than 22 years of technology and business consulting experience in process re-engineering, risk and resiliency, business continuity, disaster recovery strategy and planning, IT strategies and transformation, and cloud computing, focusing on leveraging current and emerging technologies for the financial and hi-tech service industries. Vellani has experience in advising senior executives in linking business requirements to technology strategies focused on reducing and mitigating risk and increasing the resiliency of the application services and business landscape for clients around the world. Paul Sussex has more than 20 years of professional services experience working with Fortune 100 companies in the financial services industry. For EY, he specializes in complex IT transformation programs, helping clients improve how their IT capability adds value to their business, delivers efficiently, and manages risk. Sussex has extensive experience in IT infrastructure and operations, business resiliency, identity and access management (IAM), IT service management, and IT risk management disciplines. He is a veteran of the U.S. Navy and specialized in various shipboard radar, missile, and fire control systems. Sussex contributed as a co-author to the book Identity and Access Management: Business Performance Through Connected Intelligence and currently serves on the advisory committee of the Wall Street Technology Association (WSTA). Learning Level: Intermediate Learning Field: Business Management & Organization

CS 5-3 Information Governance and the Cloud Benjamin Page-Fort Risk Analytics IBM In this session, participants will:

• Learn how governance practices and principles apply in today’s cloud and hybrid cloud/on-premises data environments.

• Separate the wheat from the chaff in the abundance of rhetoric about the proverbial cloud: from “it’s the future” to “it’s opened the door to complete privacy invasion.”

• Discuss how organizations can realize financial benefits of the cloud while ensuring information culled from public cloud sources is secure and trustworthy.

Benjamin Page-Fort is responsible for IBM's suite of GRC and financial risk analytics software and has experience with financial services technology. His client base spans from mid-market firms to the Fortune 50. Page-Fort helps clients break down the barriers within their ERM structures while maintaining the highest levels of governance, as well as consulting with executive management on matters of governance, risk, and compliance. Learning Level: Intermediate Learning Field: Business Management & Organization

CS 5-4 Third-Party Vendor Risk: A Study Comparing Health Care and Banking Industries Robert Ramsay, CISA Sr. Manager Barnes Dennig In this session, participants will:

• Compare and contrast compliance requirements of HIPAA and OCC 2013-29 as they relate to third-party vendor management practices.

• Go into how unique vulnerabilities guide regulation and compliance.

• Debate what business model differences influence risk.

• Explore various methods used by vendors to approach these industries.

• Discuss the influence both The IIA and ISACA have played in this discussion.

Robert Ramsay leads the IT audit and controls services team, helping clients such as middle market companies and their service providers ensure their systems are safe, secure, and compliant. Prior to joining Barnes Dennig, Ramsay worked with PwC, a dot-com start-up, and the technology consulting firm TechBridge. Learning Level: Intermediate Learning Field: Specialized Knowledge and Application

Tuesday Aug. 18, 2015 12:45 – 2:00 PM CS 6-1 Moving Beyond AP & Payroll with Data Analytics Mary Breslin, CIA President Empower Audit Training and Consulting Keith Barber, CISA Director, Data Analytics Insight Empower Audit In this session, participants will:

• Explore how data analytics can be applied throughout an audit function.

• Learn how to use data analytics in risk assessments and planning.

• See various applications of data analytics in performance and operational auditing.

• Identify ways that data analytics can be leveraged in the fight against fraud.

Mary Breslin specializes in internal audit transformations, operational and financial auditing, fraud auditing and investigations, and corporate accounting. Her career spans more than 20 years in internal auditing, management, and accounting for companies such as ConocoPhillips, Barclays Capital, Costco Wholesale, Jefferson Wells, and Boart Longyear. With significant international experience, she has managed audit programs in more than 30 countries. Additionally, Breslin has extensive fraud audit and investigation experience and has conducted fraud investigations around the world. Keith Barber has built a world-class data analytics program encompassing real-time risk analysis scorecards, sophisticated continuous auditing and monitoring, automated action item tracking, and automation of large swaths of Sarbanes-Oxley testing. Additionally, Barber has trained and developed hundreds of data analysts through training courses he teaches and within the organizations in which he led data teams. Learning Level: Intermediate Learning Field: Auditing

CS 6-2 Internal Audit's Role in ERM Ram Balakrishnan, CRMA, CISA, CGEIT Director Protiviti In this session, participants will:

• Review setting organizational expectations, working with management and ERM critical success factors.

• Understand how internal audit and ERM can work together, including division of labor, roles, and responsibilities.

• Discuss the value internal audit can deliver to the ERM process.

Ram Balakrishnan has more than 20 years of experience providing internal audit and risk consulting services. His client base spans companies ranging in size from mid-market to the Global 1000. Balakrishnan has both industry and public practice experience, including positions with the Workplace Safety and Insurance Board (WSIB) as vice president of internal audit and as director of risk performance and audit at BlackBerry. He has extensive consulting and audit experience working with Big 4 public accounting firms where his responsibilities included developing risk assessments and executing internal audit plans, assessing and implementing finance, operations and IT process improvements, and consulting with executive management and board committees on matters of governance, risk, and control. Learning Level: Intermediate Learning Field: Business Management & Organization

CS 6-3 Millennials, Technology, and Audit Effectiveness In this session, participants will:

• Gain insights from a panel of successful millennials and their supervisor on how they helped their organization adopt the latest technology and tools.

• Explore techniques such as dynamic dashboarding, social media-style collaboration, and agile scalability, and how to take auditing to the next level.

• Discover how to do more with less with the emerging technologies.

• Understand the innovative spirit of today’s modern internal auditor.

Bhavesh Bhagat, CISA, CISM Chairman EnCrisp Garrett R McGhee Senior Internal Auditor Raytheon Shannon Murray Internal Audit Manager Waters Corporation Susan A. Holleran Vice President, Audit and Risk Management Waters Corporation

Bhavesh C. Bhagat has vast global expertise in cybersecurity, risk management, emerging technologies, and governance, and he brings knowledge of his other disciplines to innovate new ideas in the fast-changing and evolving risk and compliance field. As a CIT GAP 50 Awardee, he has been recognized by the Commonwealth of Virginia for his entrepreneurship leadership. Bhagat is the chairman of Confident Governance, a GEW 50 award-winning software innovator delivering the assurance of safe and sustainable governance-as-a-service® for enterprises of all sizes. He is co-founder at EnCrisp LLC and sits on the Emerging Technology Committee of the Board of Directors for ISACA. Bhagat has also been on the Board of Advisors to The Commonwealth of Virginia Joint Commission on Technology (JCOTS). He has been featured in numerous respected business and industry journals and was recognized as a TiE-Smith University of Maryland Fellow in Entrepreneurship for his successful bootstrapped ventures. Garrett McGhee came to Raytheon in 2015 after working in audit with Waters Corporation, a publicly traded laboratory analytical instrument and software company, for four years. Shannon Murray is responsible for managing the audit team at Waters and the external co-sourced auditors around the world. She has led the small audit function to real time data, anytime, anywhere, and on any device. Murray has seven years of internal audit experience in the life science industry and implemented the utilization of technology to create transparency between the internal audit team, co-sourced auditors, and their CAE as well as having supervised/executed numerous domestic and international risk-based internal audits and business process reviews designed to assess and recommend improvements to internal controls, policies, and procedures for compliance, effectiveness, and efficiency. Murray has collaborated with business teams to assist in process reviews/improvements and audit work around trade compliance, conflict minerals, data privacy, and anti-bribery/FCPA. Susan Holleran has more than 30 years of audit (external and internal), tax, and finance experience serving manufacturing, sales, service, and financial services industries. She has practical experience and keen interest in understanding and deploying new processes and techniques to make her team efficient as well as to audit emerging technologies and processes more effectively. Holleran has successfully implemented Sarbanes-Oxley documentation of key business processes, testing of key controls and ongoing control procedures for her current organization, and continues to oversee ongoing testing and compliance.
She supervised/executed numerous domestic and international risk-based internal audits and business process reviews designed to assess and recommend improvements to internal controls, policies, and procedures for compliance, effectiveness, and efficiency, and has held responsibility for internal investigations. Holleran has developed and delivered training sessions on subjects including Sarbanes-Oxley, ERM, FCPA, and Anti-Bribery. She has spoken at numerous industry seminars and conferences on topics of GRC, ERM, internal controls, going global, and small audit functions. Holleran is currently serving as co-chair of the Enterprise Risk Management Project. Learning Level: Intermediate Learning Field: Business Management & Organization

CS 6-4 Creating and Implementing an Effective Institutional Compliance Program David Cutri, CIA, CISA Director of Internal Audit and Chief Compliance Officer University of Toledo In this session, participants will:

• Understand who needs a compliance program, why, and how to start with an action plan to ensure compliance.

• Examine the elements of a successful compliance program.

• Explore the tools and techniques for developing a code of conduct and general compliance training.

• Practice developing risk assessment and monitoring plans.

Dave Cutri oversees a comprehensive internal auditing and institutional compliance function for the University of Toledo and its medical center, where he is also a faculty member. He has 25 years of auditing, finance, operations, and systems experience with NiSource, BNSF, PNC, and EY. He serves on the audit committee of Toledo Public Schools and on the boards of Rescue Incorporated and his ISACA chapter. In addition to his professional certifications, Cutri is also a Six Sigma Master Black Belt.

Learning Level: Intermediate Learning Field: Business Management & Organization

Tuesday Aug. 18, 2015 2:30 – 3:45 PM CS 7-1 Case Study: Code Security for the Supply Chain John Martin, CISM Program Manager The Boeing Company In this session, participants will:

• Receive a review of a case study on a project in which any kind of lapse could result in extreme consequences.

• Learn why it’s crucial to identify security defects in code or configuration.

• Explore the concept of a “kill chain.”

• Discuss key factors in the Boeing program including risk-based criteria, contract management, vulnerability identification and remediation, and an SDL alternative to code scanning.

John Martin, CISM, is a 25-year information security veteran specializing in vulnerability analysis and remediation. He is Boeing's program manager for COTS software security and a frequent speaker on the subject of commercial software security. Prior to his current role, Martin developed many of the Boeing security assessment teams and worked as a consultant to a broad range of industry and finance clients. Learning Level: Intermediate Learning Field: Specialized Knowledge & Applications

CS 7-2 Protecting Your Brand: Auditing Reputation Controls Bradley W. Brooks, Ph.D. Professor of Marketing McColl School of Business Queens University of Charlotte Kenneth Ramaley, CIA, CRMA Managing Director Ramaley Group, LLC In this session, participants will:

• Understand key drivers of reputation risk.

• Discuss recent reputation disasters and why internal audit must play a proactive role in preventive reputation risk management.

• Learn a standard framework for analyzing reputation-impacting events and apply it to recent well-known cases of reputational peril.

Brad Brooks brings an educational background in financial management to his specialization in marketing, which emphasizes customer behavior and strategy. He conducts extensive research in managing corporate reputations and has published in academic journals such as the Journal of Marketing Theory and Practice and Industrial Marketing Management. Brooks has also published in industry practitioner journals such as the Risk Management Association, and the College and University Auditor Journal. Ken Ramaley focuses on audit process efficiency and developing innovative techniques to audit emerging risks such as reputation and customer experience. Previously, he served at Bank of America as audit director and Six Sigma Master Black Belt. Ramaley challenges traditional risk management methods, conceiving and implementing an innovative customer experience audit function. His process overlays operational risk audit methods with Six Sigma methodologies, and has driven the adoption of sophisticated reputation risk measurement approaches. Learning Level: Intermediate Learning Field: Management Advisory Services

CS 7-3 A Prepper's Guide to the Incident Response Go Bag Reg Harnish CISM, CISA Chief Security Strategist GreyCastle Security In this session, participants will:

• Identify what constitutes an incident requiring a sound strategic plan with tactical procedures in place.

• Review what “first responders” need to deal with an incident, including the right tactics, techniques, and tools to contain, counteract, and continue.

• Discuss the necessity of the “Incident Response Go Bag” and what it should include.

Reg Harnish is an entrepreneur, speaker, and security specialist. With nearly 15 years of security experience in financial services, health care, higher education, and other industries, he focuses on security solutions ranging from risk management, incident handling, and regulatory compliance to network, application, and physical security. Harnish is a frequent speaker and has presented at prominent industry events. He has been featured in leading industry journals, including Software Magazine, ComputerWorld and InfoWorld. Harnish is a fellow of the National Cybersecurity Institute, located in Washington, D.C., and currently serves on the advisory board for ITT Technical Institute. Learning Level: Intermediate Learning Field: Management Advisory Services

CS 7-4 COSO 2013: Lessons Learned Robert Hirth COSO Chairman In this session, participants will:

• Receive a brief overview of the need for the 2013 update of COSO’s 1992 internal control framework.

• Review the numbers of companies that conformed with the new framework by the December 2014 deadline versus those that did not…and why.


• Discuss the experiences some companies had in the transition and how they approached the change.

• Identify and explore the lessons learned.

• Learn what’s next for COSO with regard to the 2004 ERM framework.

Bob Hirth serves as COSO chair and was unanimously elected by the board of its sponsoring organizations to serve a three-year term beginning June 1, 2013. His experience includes all of COSO’s mission disciplines: ERM, internal control, and fraud deterrence. He has worked on assignments and made presentations in over 15 countries, serving more than 50 organizations and working closely with board members, C-level executives, finance and accounting personnel, and accounting firm partners and employees. Hirth is a recognized leader in the internal audit profession, having been inducted into The IIA’s American Hall of Distinguished Audit Practitioners in 2013. He has served as a volunteer leader for The IIA Research Foundation. Learning Level: Intermediate Learning Field: Auditing

Tuesday Aug. 18, 2015 3:55 – 5:10 PM CS 8-1 The GRC Value Proposition: A Pathway to Principled Performance Carole Switzer Co-Founder and President Open Compliance & Ethics Group (OCEG) In this session, participants will:

• Learn how to make the case for the value proposition of improving GRC maturity to gain business confidence needed for strategic planning and execution.

• Discover ways to use the guidance of the new version of OCEG's GRC Capability Model to achieve objectives while addressing uncertainty and acting with integrity.

• Understand how to provide assurance that GRC in your organization supports business objectives by ensuring that the right controls are in place to address risk and requirements.

Carole Switzer runs OCEG, a nonprofit think tank that provides open source standards to help organizations achieve principled performance by integrating the governance, assurance, and management of performance, risk, and compliance (GRC). She is a recognized leader in corporate governance, risk management, and compliance (GRC). She holds a GRC Professional Certification (GRCP), is frequently published in leading business magazines, and lectures on GRC internationally. In 2010, Switzer was honored with a lifetime membership in the Institute for Risk Management. She has held the top level AV rating for outstanding attorneys for more than 25 years and is identified as such in the Martindale-Hubbell Bar Register of Preeminent Women Lawyers. Learning Level: Intermediate Learning Field: Auditing

CS 8-2 Budget-friendly, yet effective ERM (Enterprise Risk Management) Bruce Carpenter Vice President, Internal Audit NVIDIA Steve Biskie Managing Director High Water Advisors

Steve Biskie specializes in transforming inefficient processes and technologies to optimize GRC and audit performance. A leader in the audit and compliance space for more than 20 years, Biskie has become known for his work helping Fortune 500 organizations understand and manage the risks within complex ERP systems such as SAP. He is a thought leader and strategic expert on implementing high-value sustainable analytics and continuous auditing programs. He has authored dozens of articles and published a book on SAP audit. Learning Level: Intermediate Learning Field: Management Advisory Services

CS 8-3 Understanding the Challenge and Incredible Potential of IT Governance Steven Romero IT Governance Evangelist Romero Consulting In this session, participants will:

• Gain a comprehensive understanding of IT governance from the perspectives of the topic’s most prominent authorities.

• Explore a radical view of IT governance that challenges conventional wisdom while providing an alternative perspective that can change the way an organization looks at IT governance and dramatically increase the potential for realizing incredible business value.


• Leave with a sound foundation in IT governance and new ideas for immediate implementation.

Steve Romero is a published and globally recognized IT governance evangelist and IT business value activist, speaking around the world to companies in all sectors, including federal and state government agencies, industry organizations, students, and IT and business luminaries, to identify and communicate leading advances in business governance and business management of IT. Romero is a recognized expert in business governance of IT, project and portfolio management (PPM), business process management, and IT business management processes. He is the author of Eliminating “Us and Them”: Making IT and the Business One. Learning Level: Intermediate Learning Field: Business Management & Organization

CS 8-4 BYOD: Audit Concerns John Gatto, CISA, CRISC Divisional Vice President, IT Audit & Advisory Services (retired) Health Care Service Corp In this session, participants will:

• Discuss risks associated with allowing employees to use personal devices for business activities.

• Understand the controls needed in this environment.

• Learn how to audit or participate in the pilot of a BYOD initiative.

• Discern what management needs to be made aware of in a BYOD scenario and how to provide meaningful recommendations.

John Gatto retired from HCSC earlier this year after nearly 10 years with the company. In his last role, he was responsible for IT audit for the five Blue Cross Blue Shield Plans comprising HCSC, encompassing NAIC/MAR compliance and testing, risk-based audits, advisory engagements for new development projects, coordination of SOC-1 and SOC-2 reviews, and E&Y year-end financial audits. Gatto served on numerous IT steering committees of HCSC. Prior to HCSC, he worked at Federal-Mogul as the Sarbanes-Oxley coordination supervisor; Avery Dennison as a project manager; and spent 13 years with Horizon BlueCross BlueShield of New Jersey as director of systems audit, customer audit, and operations audit. Gatto has more than 45 years of audit experience, mostly in the IT audit arena. He is a frequent speaker for professional organizations on his subjects of expertise and in 2010, he was named “Educator of the Year” by IIA–Chicago Chapter.

Learning Level: Advanced Learning Field: Auditing

Wednesday Aug. 18, 2015 8:30 – 9:45 AM GS3 Readiness—Is There Such a Thing? Matt Loeb Chief Executive Officer and Chief Audit Executive ISACA/ITGI In this session, participants will:

• Discuss the built-in obsolescence in many of today’s technological “advances.”

• Learn ways to get up-to-speed on the rapid changes in technology.

• Debate the concept of “emerging” technological trends being a misnomer.

• Identify the disruptions and transformations that have and will continue to change the way we work and live.

Matt Loeb joined ISACA after a 20-year career as a staff executive for the Institute of Electrical and Electronics Engineers (IEEE) and executive director of the IEEE Foundation. His experience includes enterprise strategy, corporate development, global business operations, governance, publishing, sales, marketing, product development, and acquisitions functions in a variety of for-profit and nonprofit organizations. Learning Level: Intermediate Learning Field: Personal Development

Wednesday Aug. 18, 2015 10:15 – 11:30 AM

GS4 The Real Truth About Sticks & Stones: Self-audit, Self-security, and the Path to Professional Success Michael Brandwein, J.D. Michael Brandwein LLC. In this session, participants will:

• Discover how to use a practical “non-touch-feely” way to assess and analyze the source of self-beliefs, and take immediate control of how they affect professional growth.


• Learn how “reverse engineering” can be used for leadership and professional skill enhancement, including more than 200 examples of behaviors that lead to success in working with others.

• Expand your own ability to deal with change and learn exactly what to say and do to build a team environment of more open communication, continuous improvement, and creative collaboration.

Michael Brandwein is recognized as an international expert and trainer in communication, management, service, and leadership. He has made presentations in all 50 U.S. states and on 6 of the 7 continents of the world. Brandwein has presented three EMMY® award-winning television programs on communication and has written five best-selling books on training, management, and leadership. He has conducted training and speaking engagements for Fortune 500 companies as well as hundreds of non-profit and professional associations. Learning Level: Intermediate Learning Field: Personal Development