2017 GRC Presentations and Descriptions 



Track 1—Attributes for Professional Improvement and Advancement

CS 1-1: The Need for Change Enablement in Adopting Governance and Management Practices

Mark Thomas
Escoute Consulting

Successful implementation or improvement initiatives depend on adopting the appropriate change (the good practices) in best means possible. But frequently there isn’t enough emphasis on managing the human, behavioral, and cultural aspects of the change and motivating stakeholders to buy into the change. Change enablement is one of the biggest challenges to governance implementations.

In this session, participants will:

  • Explore a typical implementation methodology infused with leading practices in designing, executing, and monitoring an organizational change enablement program.
  • Understand the seven phases of an implementation lifecycle that can meet organizational needs.
  • Associate critical change enablement inputs, outputs, and tasks with each of the seven phases of the implementation lifecycle.
  • Learn how to develop strategies toward gaining proper stakeholder buy-in and support for key initiatives.

CS 2-1: Chutes and Ladders of Internal Audit - How to Rise and Fall Due to Meeting or Failing to Meet Stakeholder Expectations

Kayla Flanders, CIA, CRMA, CISA, CPA, CFE, CGMA
Senior Audit Manager
Pella Corporation

Different stakeholders have different expectations. Different people within common stakeholder groups may have different expectations and how to identify and work with each. Some expectations may be driven by stereotypes of internal auditors and strategies to overcome them. We will discuss how to challenge our past activities to quickly identify and move beyond stereotypes and work to shape appropriate stakeholder expectations for the future.

In this session, participants will:

  • Explore how stereotypes for internal audit shape stakeholder expectations and examine how our client perceptions of audit are our reality.
  • Determine internal audit's role in perpetuating or negating stereotypes and then meeting or changing those expectations.
  • Gain techniques to combat common stereotypes and shape expectations for the future.
  • Challenge the "one size fits all" approach and develop understanding around individualized stakeholder expectations.

CS 3-1: Establishing and Maintaining an Effective Internal Audit Quality Assurance and Improvement Program: Tips, Tricks, and Tools

Manager, Internal Audit Quality Assurance and Improvement Program: Tips, Tricks and Tools
Swift, Inc.

SWIFT/IA's journey began in early 2014 and continues today, working toward establishing a formal but "basic" QAIP and then continuing to enhance it to better meet the underlying aspects of The IIA’s International Standards for the Professional Practices of Internal Auditing’s 1300 series. Beginning with the results of an EQA conducted in 2013, the session will trace the actions since taken to address observations including "lessons learned" — in the form of tips, tricks, and tools — to form the primary focus of the discussion.

In this session, participants will:

  • Gain insight into the key requirements of a successful QAIP, as prescribed by the 1300 series of The IIA’s Standards.
  • Examine key challenges facing an internal audit entity in establishing and maintaining an effective QAIP and practical ways for meeting those challenges.
  • Learn how to leverage everyday audit activities to serve as key QAIP components.
  • Be introduced to several tools (including feedback mechanisms) proven to be especially valuable in maintaining SWIFT/IA's QAIP.

CS 4-1: Critical Thinking for Results

Devin Claus, CPA, CFE
Finance Manager, Internal Adult
Conagra Brands

Critical thinking is a skill vital for auditors but takes time and practice to develop. To maintain a competitive advantage, we must utilize our critical thinking skills to be insightful, to be forward looking, to make good decisions quickly, and to create value for our organization.

In this session, participants will:

  • Discuss why critical thinking is important on all audit engagements to drive impactful results.
  • Learn a framework that can be used to help you think critically.
  • Apply the framework to audit engagements.

CS 5-1: Voice of the Customer: Stakeholders Messages From the CBOK Global Internal Audit Study

Brad Rachmiel, CPA
Managing Director

Pam Short Jenkins, CIA, CRMA, CPA
Vice President, Global Audit Services
Fossil Group Inc.

In collaboration with Protiviti, The IIA’s Internal Audit Foundation conducted the CBOK Stakeholder Study in 2015 to gain a global perspective and better understanding of stakeholders’ expectations of internal audit’s purpose, function, and performance. The eye-opening results were distilled into individual reports covering numerous angles from the stakeholder point of view.

In this session, participants will:

  • Understand common themes from the five CBOK Stakeholder Study reports.
  • Explore where CAEs can improve their relationship with stakeholders while also improving value provided to organization.
  • Identify key areas where internal audit can help the organization with the strategic risks.
  • Discuss actionable ideas and recommendations to consider for both you and your key stakeholders.

CS 6-1: External Quality Assessments: The Benefits of and Leading Practices to Exceed Stakeholder Expectations

Bailey Jordan
Partner, Business Risk Services
Grant Thornton

Greg Jaynes, CIA, CRMA
Chief Audit Executive & Director, Internal Audit

Not only is it required by The IIA’s Standards for an internal audit department to conduct external quality assessments, it just makes good business sense. If you are conducting periodic internal assessments, then the external assessment should be a piece of cake and enable you to prove your department’s inherent value to your stakeholders. In this session, participants will examine the process and results of The IIA’s own internal audit function EQA.

In this session, participants will:

  • Learn the fundamental EQA requirements.
  • Examine one approach to execute an EQA.
  • Discuss the value of an EQA to management and the audit committee.
  • Find out how an EQA raises the quality of the internal audit function.
  • Explore lessons learned and leading practices.

CS 7-1: Adding Value by Managing the Perception Gap

Jeremy White, CISA
Senior Director, Assurance and IT Audit, Audit Services
LifePoint Health

The environment in which we work and the expectations under which we operate require that we shift to meet the definition of not just what we do, but of who we are as auditors. A key factor in successfully making that shift is managing perception. We all have a “reality” of who we are and what we do, but too often our “reality” is smashed on the rocks of someone else’s perception. It will be to the auditor’s benefit to identify and manage the perception gap that exists in their organization.

In this session, participants will:

  • Explore the shift that every audit department is trying to make from a compliance and regulatory function to a value-adding business partner.
  • Discuss a very important — if not the most important — factor in that shift: Perception.
  • Identify ways to determine the current perception of your department and compare it with your defined reality or expectation.
  • Determine ways to manage the gap that exists between those two places — perception and reality — leading to adding value.

CS 8-1: Activate Your Internal Auditing Awesomeness™

Robert Berry, CIA, CPA, CISA, CCEP
Executive Director Internal Audit
University of South Alabama

Internal auditors are awesome people. That’s something we don’t hear in most business environments. Oftentimes we are called necessary evils, the group that bayonets the wounded … you get the point. Several years ago, after a tough audit engagement, a client referred to this presenter’s company as awesome. Then another. And another. Pretty soon, they started to believe they were actually awesome. But they didn’t know what they were doing to create the perception, so they asked. Surprisingly, it has little to do with actually auditing.

In this session, participants will:

  • Learn three critical components to becoming — and staying — awesome.
  • Discover how to find your awesome attributes and apply them to auditing.
  • Find the courage to activate your awesomeness.

CS 9-1: Why Emotional Intelligence and Critical Thinking Skills Are Essential

Mary Breslin, CIA, CFR
Empower Audit

Internal auditors spend most their time communicating: speaking with and interviewing clients, preparing information for distribution and deciphering information they have gathered. Those communications are frequently strained because auditors regularly encounter conflict, difficult situations, and at times, difficult people. Enhanced emotional intelligence (EQ) and critical thinking skills can turn these situations into opportunities to build positive relationships and end conflict to improve an auditor’s effectiveness.

In this session, participants will:

  • Understanding what emotional intelligence is and how it helps or hurts us.
  • Learn strategies to improve emotional intelligence and in turn, better perform the role of internal auditor.
  • Understand the levels of thinking and what constitutes critical thinking.
  • Discover methods to increase critical thinking and ways to identify when you are not thinking critically.
  • Examine the ways emotional intelligence and critical thinking together improve communication, specifically in interviewing audit clients.

CS 10-1: Getting the Boss to Listen to You: Becoming a Trusted Strategic Advisor

James Lukaszewski
The Lukaszewski Group

This powerful presentation will teach, inspire, and motivate participants to increase the personal impact they have within their organizations, on clients and help them become trusted strategic advisors. It’s also about having a happier, more important, influential, and successful career.

In this session, participants will:

  • Demonstrate a more strategic perspective on the relationship between advisor and operating executives and managers.
  • Create a personal strategy to revise personal habits, approaches, and practices to be more effective and influential.
  • Exercise innovative and powerful advice-giving strategies that are more managerially and operationally friendly, rather than technical and jargonistic.

Return to Event Page >>

Track 2—Privacy/Security in the Technology World

CS 1-2: NIST Cybersecurity Framework Assessment

Todd Marcinik, CISA, CRISC
IT Risk Manager
Sun Trust Banks, Inc.

NIST’s Framework for Improving Critical Infrastructure and Cybersecurity was released February 2014 and has since been used to gauge the maturity of information security programs and align oversight and regulatory processes against a common framework. This session will cover the components of the framework, assessment approaches, review examples and reporting.

In this session, participants will:

  • Receive a brief introduction to the NIST Cybersecurity Framework.
  • Discuss associated control frameworks and the FFIEC Cybersecurity Assessment Tool.
  • Assess your information security program against the framework.
  • Review, analyze, and identify potential program gaps.
  • Learn how to report and communicate results, implement remediation plans, and perform periodic reviews.

CS 2-2: Auditing the Cloud Environment: An Introduction

Remi Nel, CIA
Manager, Global IT Audit

Jason Sechrist
Director, Global IT Audit

Cloud‐based solutions are increasing in popularity and are being embraced by organizations of all sizes. Auditors must understand the key concepts and risks inherent to this technology. This session provides information to help auditors understand the technology and provide the basis for analyzing and assessing risks.

In this session, participants will:

  • Understand why risks are different in the cloud.
  • Explore audit activities to identify risks specific to cloud environments.
  • Identify internal audit’s role in an organization’s procurement/design phase.

CS 3-2: A Real-life Practical Internal Audit Approach to Cyber Security

Director, Internal Audit
British Columbia Lottery Corp.

Cory Strumecki, CISA, CISM, CIPT
Manager Internal Audit
British Columbia Lottery Corp.

Cybersecurity is an emerging/changing risk where traditional internal audit departments and previous approaches may not be adequate, but using the complex cyber risk environment provides us with an opportunity to showcase the value we bring to our organizations. Walk through one organization’s journey in developing a strategic approach to cyber risk and the steps they took to reach that point.

In this session, participants will:

  • Learn a practical way to get started on implementing an audit approach to address cyber risk.
  • Identify steps to communicate cyber risk to key stakeholders such as the audit committee and executive management.
  • Obtain tools to build cyber risk into your audit plan.
  • Discuss practical challenges that may arise as you explore this area as a way to showcase your function’s value.

CS 4-2: Hunting for Hackers: How to Turn the Tables on Attackers

Adam Brand

Would you know if your organization has been hacked? Publicly available data suggests that the odds are not in your favor. In this session, you will learn from an experienced threat hunter about the challenges organizations face in detecting breaches. You’ll also learn what threat hunting is, and how threat hunting can be leveraged in an internal audit context to evaluate an organization’s breach-detection capabilities.

In this session, participants will:

  • Understand the challenges involved in detecting breaches
  • Define key types of detection technologies and understand their strengths and limitations
  • Understand what threat hunting is, and how it can help decrease breach detection time
  • Understand how threat hunting concepts can be used in an internal audit context to evaluate an organization’s breach detection capabilities, and provide a point-in-time view on what signs exist of a breach
  • Identify the key technology areas and attributes that are relevant to threat hunting, and how signs of a breach can be revealed

CS 5-2: Operationalizing Cybersecurity with Risk-based Governance

Steven Minsky
LogicManager, Inc.

Many departments within an organization – information security, vendor management, finance, human resources, and more – hold pieces of cybersecurity information. Unfortunately, most organizations lack the ability to put the full risk picture together. Companies react to external threats by spending billions on technology solutions, without addressing root-cause governance issues, such as operationalizing employee and vendor password policies.
It's important to recognize that the governance of information security and technology is a tenet of risk management, and is most effective when implemented with a holistic, cross-functional approach.

In this session, participants will:

  • Learn how to operationalize cybersecurity policies across departments and levels.
  • Determine clear cross-functional accountability for cybersecurity responsibilities.
  • Explore metrics that monitor the effectiveness of cybersecurity programs.
  • Discuss best practices for reporting cybersecurity progress and effectiveness to the board and regulators.

CS 6-2: Cloud Computing Controls: Managing Risk

Princy Jain

Abhi Pandit
Senior Director, Head of Technology Audit & Assurance

CS 7-2: Auditing Network Security

Ashish Jain, CIA, CPA,CISA, CA
Director of Internal Audit
University System of New Hampshire

Considering today's cybersecurity risks, strong network security practices are essential and critical to secure the organization's data and IT infrastructure. Numerous network devices are available, but it is the technical configuration settings of these devices and identifying security opportunities that result in an uphill task for auditors and management alike. Network security is measured based on the weakest point in the network, which can put the entire organization's IT infrastructure at risk.

In this session, participants will:

  • Review top key areas to audit network devices, ideas to benchmark against best practices, and common network security requirements.
  • Identify risk areas for a network device audit.
  • Locate resources for common security practices.
  • Plan a basic network device security audit.
  • Discuss common audit issues in this area.

CS 8-2: Cyber Resilience Framework for the 21st Century Executive

Jeff Welgan
Executive Director, Programs

Understanding cybersecurity-related risks and opportunities is now a critical component to the oversight, governance, and management responsibilities for all business leaders. Corporate leaders and board members must have the expertise to ask and understand cybersecurity questions to lead their organizations toward a sturdy, resilient posture. This session will guide the audience through preparing, monitoring, and responding to cyber risks, as well as provide actionable steps that promote cyber resiliency.

In this session, participants will:

  • Recognize the importance of identifying and managing cyber risk across the organization and with stakeholders.
  • Learn how to manage cyber risk through accepting, avoiding, mitigating, or transferring risk.
  • Create a scorecard to effectively communicate and provide strategic guidance to your organization.
  • Apply strategies for determining costs and benefits of cybersecurity programs and services.
  • Identify the key considerations related to enterprise risk to prioritize during a cyber incident.

CS 9-2: Ransomware in the Enterprise

Troy La Huis
Crowe Horwath

CS 10-2: Post-merger Cyber Considerations

Jacob Gregg, CISA, CISSP
Senior Manager

Elvia Novak
Managing Director

Consolidation within the corporate landscape and industries presents both opportunities and risks for those involved in mergers and acquisitions, particularly as it relates to cyber issues. This presentation will cover post-merger cyber considerations that address key risks and opportunities to exceed common business performance goals.

In this session, participants will:

  • Integrate operations and technologies across multiple and varying IT environments.
  • Identify and normalize cyberrisks from the “as-is” environment and consider how they will be addressed in the “to-be” environment, including cloud, mobile, and on-premise technology.
  • Organize teams and manage communications to move toward the common IT, security, and business goals.

Return to Event Page >>

Track 3—Integrated Auditing/GRC

CS 1-3: How Risk Culture Affects Compliance and Internal Controls

Joseph Mayo, CRISC, PMP, RMP
J.W. Mayo Consulting, LLC

This session will explore a case study where placing blind faith in the enterprise risk management (ERM) process led to catastrophic results. We will explore an organization that had by all accounts a highly mature world-class ERM program. However, the organization had a minor flaw in their ERM process that went undetected by internal controls and nearly destroyed the organization.

In this session, participants will:

  • Learn organizational culture traits that can lead to risk management disasters.
  • Recognize when a heuristic audit approach is appropriate.
  • Understand how loosely coupled risk management processes can benefit the organization.
  • Recognize symptoms of a risk hurricane.

CS 2-3: GRC IQ: How Intelligent Is Your ERP Environment?

Scott Conner
Director, GRC Technology

CS 3-3: Best Practices for Proactive IT Governance

Director, IT Governance
Silicon Valley Bank

The session will feature an information sharing session covering 5 topics focused on how to build and evolve a First Line of Defense function and an IT governance framework by providing specific real-life examples drawn from the speaker’s experience working at a financial institution, including pitfalls and lessons learned. Attendees will have an opportunity to pose questions at the end of the session.

In this session, participants will:

  • Learn about a practical approach to creating an IT governance framework.
  • Understand the cornerstones of a proactive First Line of Defense model.
  • Gain tools and knowledge to build an effective IT governance framework and a proactive First Line of Defense model.
  • Learn how to avoid common pitfalls when implementing proactive First Line of Defense model.

CS 4-3: Integrated Audits for Business Processes

Gregory Haake, CIA, CFSA, CISA
IT Audit Manager

Integrated audits can be valuable when used at the right time. How do you determine the right time for this type of audit? Who do you include in this audit and what are your next steps? In this session we will learn how to determine the scope of integrated audits and discuss the tools and planning needed for a successful engagement. We will explain why it is key to streamline agendas for productive meetings with the audit clients.

In this session, participants will:

  • Learn what integrated auditing should encompass.
  • Discuss how to plan and conduct efficient integrated audits
  • Develop tools to keep integrated audits organized.
  • Identify ways to maximize productive audit client interactions.

CS 5-3: Stop Fraud Before It Starts: New Guidance for Managing Fraud Risks

Marc Kokosky, CIA, CCSA, CRMA, CFE
Global Internal Audit Manager
Population Services International

Bryan Moser, CPA, CFF, ABV, CFE
Partner, Advisory Services Practice
Grant Thornton LLP

New guidance features techniques to more effectively assess and mitigate fraud risk. Participants will learn about forming a strategy for a full-scope assessment of fraud risk, including use of both qualitative and data analytic approaches and how to respond to those risks once identified. Topics will be discussed in the context of prevailing standards for fraud risk management.

In this session, participants will:

  • Describe the components of a holistic and effective fraud risk assessment.
  • Discuss a framework and techniques for conducting fraud risk assessments.
  • Learn about anti-fraud controls based on the Fraud Reduction and Data Analytics Act of 2015.
  • Identify ways to deter fraud based on the COSO Fraud Risk Management Guide.
  • Explore guidelines in GAO’s Framework for Managing Fraud Risks in Federal Programs.

CS 6-3: COSO's Revised ERM Framework: It's Final!

Robert Hirth

Frank Martens

CS 7-3: Collaborative Risk Management: Audit and the 2nd Line of Defense

Dan Clayton, CIA, CPA, CKM
System Audit Office Director of Strategy and KM
University of Texas System

Risk silos are naturally created within an organization — explained best by the different objectives of the 3 Lines of Defense and their unique perspectives and tools. Collaborating effectively around risk requires common understanding supported by common taxonomy and shared technology. Communality is found in defining what business objectives are at risk. This presentation focuses on organizing and sharing risk data across all lines of defense as the starting point in breaking down organizational risk silos and establishing a stronger relationship with management and governance.

In this session, participants will:

  • Explore how we got here with risk and risk management; a review of definitions, frameworks, and perspectives.
  • Exchange ideas on collaborating on risk across goals and perspectives; a discussion of defining risk components from a general business use perspective.
  • Discuss the ideal should we strive for, organizing risk data to leverage comparison while maximizing input from each of the 3LoD perspectives.

CS 8-3: Auditing Business Continuity

Vice President, Internal Audit Services
RLI Corporation

Senior Auditor
RLI Corporation

How effective is your company’s business continuity plan? You may not have the opportunity to find out how effective it is until you need to deploy it and then, it’s too late. Together, we will discuss the key considerations for an audit of BCP covering both the enterprise and business-unit levels.

In this session, participants will:

  • Learn keys areas to consider in an audit of business continuity planning.
  • Review the elements of BCP governance and corporate plan coordination.
  • Discuss a business impact analysis and alternative procedures at the business-unit level.
  • Talk about the importance of alignment of the business and IT.
  • Explore third-party considerations and plan testing.

CS 9-3: The Transformational Internal Auditor: Improving Compliance by Improving Process

Gabe Zubizarrta, CPA
CEO and Founding Principal
Silicon Valley Accountants

Nydia Torres
Supervisor of Internal Audit
El Paso Electric Company

The IIA’x CEO Richard Chambers has called on internal auditors to become "Agents of Change," interested not just in counting the beans, but in "how the beans are grown, how they are harvested, and how they are taken to market.” This new approach inspired more than one organization to make substantial adjustments to the traditional audit model, leveraging the change as an opportunity to improve processes, making them more efficient and effective. Demonstrable results included effective controls, and reducing risk and cost while increasing confidence in the reporting.

In this session, participants will:

  • Explore the role of the internal auditor as an agent of change, improving compliance, increasing efficiency, and reducing risk through continuous improvement.
  • Identify the moral dilemma preparers are placed in when business conditions or regulatory requirements change, while controls have not kept pace.
  • Learn how to leverage change to create a culture of continuous improvement.
  • Examine the relationship between high quality, efficient processes and compliance.
  • Learn how to build controls into the process, rather than bolt them on later.

CS 10-3: Vendor Risk Management: Responsibility Cannot Be Outsourced

Jennifer Donaldson, CRISC
Senior Vendor Risk Analyst
FedEx Corporation

Kimberly Lofties, CRISC
Senior Vendor Risk Analyst
FedEx Corporation

Does your organization outsource services to a third-party? Does your organization have a Vendor Risk Management Program? As organizations outsource business critical processes and services, the need for this is more apparent than ever. Executive buy-in and stakeholder investment are necessary for the foundation of a risk aware culture. As awareness is heightened, Vendor Risk Management and stakeholders collaborate in a joint effort to identify and mitigate risks.

In this session, participants will:

  • Gain a better understanding of the role of a Vendor Risk Management Program when outsourcing.
  • Understand the necessity of executive buy-in and stakeholder involvement with the program.
  • Learn how to identify the inherent risk of outsourcing/offshoring.
  • Identify the appropriate actions to mitigate the risk.

Return to Event Page >>

Track 4—Deep Dive Interactive Sessions

CS 1-4: Data Analytics at Xerox: A Journey From Idea to Reality

Michael Bowen
Senior Manager, Analytics, Center for Enablement
Xerox Corporatio

Kenneth Metz, CPA, CGMA
Chief Audit Executive
Xerox Corporation

Xerox’s internal audit department undertook a 2-year journey to turn the idea of better data analytics to the creation of a Data Analytics Center of Enablement. This COE has partnered with the IT Business Intelligence group to deliver analytics-driven audits using Tableau. These data analytics tools are left behind with audit clients allowing them to perform their jobs better. This session will feature a demonstration of how data is transformed into usable audit intelligence using Tableau.

In this session, participants will:

  • Learn the actual steps Xerox took to implement a meaningful data analytics practice.
  • Understand how the Data Analytics Center of Enablement was structured and functions.
  • See real life examples of the Tableau data models created.
  • Explore how data analytics results can create value-added audit recommendations.

CS 2-4: Measuring Effectiveness of a Risk-focused Third-party Risk Management Program

John Maynor, CRISC, CISA
Senior Leader, Third Party Risk Management

Third-party Risk Management programs, or TPRMs, as a best practice arguably encompass stages including Planning, Due Diligence, Contracting, Ongoing Monitoring, and Termination. Interactive discussions are encouraged to allow participants to share effective TPRM programs including key tools used to identify and measure the risks of utilizing third parties and how to measure the effectiveness of these programs. Real-world stories and examples from tours of global vendor sites will compare and contrast the differences between desktop and on-site evaluation of third parties.

In this session, participants will:

  • Gain an understanding of the critical components of an effective third-party risk management program.
  • Learn how to build effective audit programs to measure the soundness and effectiveness of third-party risk management programs.
  • Explore the tools that effective third-party risk management programs should use to provide a basis for measuring and auditing TPRM programs.

CS 3-4: Auditing the Cloud Environment: Advanced

Remi Nel, CIA
Manager, Global IT Audit

Jason Sechrist
Director, Global IT Audit

Cloud‐based solutions are increasing in popularity and are being embraced by organizations of all sizes. Auditors must understand the key concepts and risks inherent to this technology. This hands-on session will explore an SaaS solution case study to help auditors identify possible risk areas that can be leveraged to perform an assessment of the cloud tools within their organization.

In this session, participants will:

  • Understand and interpret Service Organization Control (SOC) reports for IT risks.
  • Evaluate control frameworks and apply them to simulated environments.
  • Examine Service Level Agreement (SLA) requirements that auditors should engage with cloud service providers during the procurement/design phase.

CS 4-4: Implementing ERM in a Small to Medium Enterprise

Jessica Perkins, CIA, CRMA, CISA
Director, Risk Management and Internal Audit
International Development Research Center

In today’s environment of increasing complexities, changing regulations, global expansion, product and competitive landscape change, Fund Financial Services created a Process Excellence (PE) team to lead fund-centric risk and controls advisory services. Learn how the PE team successfully established and built out a purposeful integrated controls framework based on four key priorities.

In this session, participants will:

  • Discuss the four key priorities that drove the framework’s underpinnings.
  • Learn real methods, tools, and approaches to build an effective controls culture.
  • Review the process followed to establish and implement a risk and control integrated purpose/mission statement and core team competencies.
  • Discover concepts supporting the build-out of the integrated controls framework, including data-driven risk dashboards, scorecards, and heat maps’ control self-assessment methods; monitoring methods; and more.

CS 5-4: How Vanguard's Fund Process Excellence Team Is Building an Effective Controls Culture

Robert Freiling, CTP
Senior Manager, Process Excellence

In today’s environment of increasing complexities, changing regulations, global expansion, product and competitive landscape change, Fund Financial Services created a Process Excellence (PE) team to lead fund-centric risk and controls advisory services. Learn how the PE team successfully established and built out a purposeful integrated controls framework based on four key priorities.

In this session, participants will:

  • Discuss the four key priorities that drove the framework’s underpinnings.
  • Learn real methods, tools, and approaches to build an effective controls culture.
  • Review the process followed to establish and implement a risk and control integrated purpose/mission statement and core team competencies.
  • Discover concepts supporting the build-out of the integrated controls framework, including data-driven risk dashboards, scorecards, and heat maps’ control self-assessment methods; monitoring methods; and more.

CS 6-4: Change Management Best Practices for ERP Systems: A Case Study From Audits of Oracle E-Business Suite Installations

Jeffrey Hare, CIA, CPA, CISA
ERP Risk Advisors

Change management is a multi-faceted topic. Like the various sides of a gem, having mature change management processes and controls requires various approaches. One can think of change management in four buckets – object oriented changes, security, patching, and configurations. This session explores what it takes to build and implement a first-class change management process for organizations running ERP systems.

In this session, participants will:

  • Evaluate change management best practices in conjunction with The IIA’s GTAG, Change and Patch Management Controls: Critical for Organizational Success, 2nd edition.
  • Understand how these standards apply to ERP systems.
  • Discuss various examples of organizational maturity in change management controls.
  • Explore common issues organizations struggle with related to the change management process.

CS 7-4: FCPA: Are You Risk Focused and Audit Ready?

Chian Boen, CAMS
Sr. Manager, Forensics & Compliance
Johnson & Johnson

Aditya Misra, CPA, CFE
Senior Manager, Corporate Internal Audit
Johnson & Johnson

Go on the journey with J&J as we explore their internal audit department’s recent foray into data analytics and goals, types of FCPA/Anti-Bribery and Corruption risks in the health care industry and how to identify and mitigate them, and an audit methodology that is geared for emerging risks.

In this session, participants will:

  • Walk the path J&J followed to implement data analytics for identifying risks related to FCPA/Anti-Bribery and Corruption.
  • Identify the types of risks in the health care industry and how to identify and mitigate them.
  • Discuss develop an audit methodology and monitoring plan that helps identify risks and red flags in increase audit effectiveness.

CS 8-4: When Life Gives You Lemons: Five Ways to Turn GRC Struggles Into Success

Ina Cheatem, PMP, CCSA, CRMA
Supervisor, Global GRC Technology
General Motors Company

Rob Simkow
Manager, Global GRC Technology
General Motors Company

Get ready for an interactive case study and knowledge-sharing session on an innovative approach to GRC implementation. Throughout the session, participants will be engaged in contributing to a lively discussion via polling, collaborative brainstorming, short video clips followed by lessons learned reviews, and culminating in a Q&A period.

In this session, participants will:

  • Elaborate on the definition of GRC and understand different interpretations among companies.
  • Explore how General Motors approached an innovative GRC implementation.
  • Understand key lessons learned that may assist other companies in similar implementations.

CS 9-4: Utilize the STAR Model in Auditing Governance

Robert Alexander, CPA, CIA, CRMA, CGMA
Senior Manager, Internal Audit
Raytheon Company

Ellen Lux
Senior Manager, Internal Audit
Raytheon Company

The STAR model was created by an expert who specializes in matrix organizations that can be adapted to an audit department. Participants will learn how to apply the STAR model with Six Sigma root cause analysis and process improvement tools for auditing governance in order to realize an ROI for their stakeholders.

In this session, participants will:

  • Explore the STAR model concept (strategy, structure, process, rewards, people).
  • Learn how to apply the STAR model with Six Sigma tools in audit situations.
  • Understand how to recognize symptoms associated with dysfunction or disconnects in the different aspects of governance.
  • Combine these skills with root cause analysis and other Six Sigma process improvement techniques to ensure a robust ROI on audits.

CS 10-4: Diamond in the Rough: Maximizing Synergies of Global Governance and Investigation

Jesse Daves, CPA, CFF, CFE
BDO Consulting Managing Director

Dawn Wiliford, CIA, CMRA
South Region Leader, Risk Advisory Services

Return to Event Page >>


Workshop 1: COBIT NIST Cybersecurity Framework SOLD OUT!

Mark Thomas, CGEIT, CRISC
Escoute Consulting 

Marketing databases, customer analytics, and behavioral patterns are easier to manage with big data — but will these data elements be safe from hackers? And what is the impact of the Internet of Things? You will learn how to harness the power of big data and build your big data to achieve business goals while adding in safeguards to fight cybercriminals. Explore how the Internet of Things may be the ultimate driver of global change.

As part of the knowledge, tools, and guidance provided through the Cybersecurity Nexus (CSX)™ program, ISACA has developed a guide and course: Implementing NIST Cybersecurity Framework Using COBIT 5. This workshop is a synopsis of that course, focusing on the Cybersecurity Framework (CSF), its goals, the implementation steps, and the ability to apply learnings.

In this session, participants will:

  • Understand the goals of the Cybersecurity Framework (CSF).
  • Learn and discuss the content of the CSF and what it means to align to it.
  • Understand each of the seven CSF implementation steps.
  • Be able to apply and evaluate the implementation steps using COBIT 5
  • Discuss the progression and touch points of protecting big data – and what might happen if this is ignored.
  • Learn about the Internet of Things and why it’s both feared and welcomed.
  • Identify how COBIT and NIST can work together to create a customizable framework to stave off attacks

Pre-requisites for attending this Workshop:

  • Basic knowledge of COBIT
  • Basic knowledge of security concepts

Workshop 2: ERM Can Now Work! Putting the Updated COSO ERM Framework and ISO 31,000 Standards Into Practice

Doug Anderson
Managing Director, CAE Solutions
The Institute of Internal Auditors

Charlie Wright
Director of Enterprise Risk Solutions, BKD
The Institute of Internal Auditors

ERM is not a process, a tool, a department, or a list of risks – it is how an organization makes better business decisions. COSO recently updated the ERM Framework with increased emphasis on recognition that risk management is fundamental for an organization to align its actions with its strategy. At the same time, ISO is nearly finished updating its standard 31000. With the advent of these two significant updates, it is time to reconsider the foundations of risk and risk management. Every organization is in the “risk management” business as managing risk is part of nearly everything an organization does.

The workshop will use a combination of theory, small group discussions to unpack the theory into easily understandable parts, and case studies to cover these topics.

In the session, participants will:

  • Learn the fundamental elements of risk: its identification, measurement, responses, and reporting.
  • Understand the best practices for a risk management process.
  • Apply the concepts of risk management to the auditor’s task of using risk in planning, executing, and reporting on audit work.
  • Define the key attributes to be considered when performing an audit of an ERM process.


Return to Event Page >>