North America CACS Presentations and Descriptions 


Beginner
Attendee has limited or no prior knowledge or experience, or is new to the subject matter. Beginner sessions are geared toward attendees who are new to the field and seeking to learn basic concepts. Beginner sessions are intended to help attendees who seek to build foundational knowledge in an effort to gain a working knowledge of the topic.

Intermediate
Attendee has a working knowledge of the topic covered but is not yet an advanced practitioner. Intermediate sessions are geared toward delegates who have some competence in the subject under discussion resulting from prior training, education and/or work experience. Delegates who seek to build upon foundational knowledge, refine and hone their skills, and advance their understanding of the topic may wish to consider intermediate-level sessions.

Advanced Technical
Attendee has a high level of technical understanding of the topic under discussion. Advanced technical sessions are geared toward delegates who have already achieved a high degree of technical competence in the subject of discussion resulting from extensive training in the area and supplemental work experience. Delegates who wish to build upon intermediate knowledge, achieve mastery in a specific technical area, or build upon existing technical skills may wish to consider advanced technical sessions.

Advanced Managerial
Attendee has a high level of understanding of managerial concepts. Advanced managerial sessions are geared toward attendees who have already achieved a high degree of leadership competence in the subject of discussion resulting from extensive training in the area and several years of work experience. Attendees who wish to build upon intermediate knowledge, achieve mastery in a specific managerial area, or build upon existing leadership skills may wish to consider advanced managerial sessions.


Track 1—Audit & Assurance

111–SCADA and IoT

Robert Findlay
Global Head of IT Audit

With the lines between traditional IT and industrial control systems blurring, and with the addition of Internet of Things technology, IT auditors need to focus on SCADA and related technologies in the light of greater connectivity.

After completing this session, you will be able to:

  • Plan ICS-based audits
  • Understand the differences between SCADA, HMI and PLCs
  • Review controls over ICS technologies
  • Understand issues with IoT and SCADA

121–The Rise of Fintech and the Impact on IA

Michael Juergens, CISA, CGEIT, CRISC
Deloitte & Touche, LLP

Parag Raje, CISA
Advisory Managing Director
Deloitte & Touche LLP

Financial Technologies (Fintech) are disrupting financial institutions in a variety of areas, from digital currencies to robotics. Learn more about the emerging disruption in Fintech and how it is expected to impact internal audit.

After completing this session, you will be able to:

  • Recognize attributes of a maturing Fintech market
  • Position IA to participate in strategic decisions
  • Identify IA considerations for marketplace lending and blockchain
  • Reference use cases of expected impact on IA

131–The IoT: What does this mean to IA?

Anthony Chalker, CISA
Managing Director

The Internet of Things (IoT) also brings disruptive change to the forefront, and the security and data management challenges are significant. Why is this important to internal audit?

After completing this session, you will be able to:

  • Define what IoT is
  • Know its importance to audit professionals
  • Identify new disruptive opportunities (and risks)
  • Describe the impact on different industries

141–Auditing Network Devices

Ashish Jain, CISA
Director of Internal Audit

This presentation will give an overview of the top key areas to cover when auditing network devices, and will introduce attendees to network security risks, ideas for benchmarking against best practices, and common network security requirements.

After completing this session, you will be able to:

  • Identify risk areas for a network device audit.
  • Locate resources for common security practices.
  • Plan a basic network device security audit.
  • Identify common audit issues in this area.

211–Agile & Compliance

Pamela Nigro, CISA, CGEIT, CRISC
Senior Director of Information Security/GRC
Blue Cross Blue Shield of Illinois

Finding harmony and balance between the Agile accelerator and the brakes of your DevOps processes: can software delivery in a highly-governed industry reap the benefits of Agile and DevOps while maintaining required compliance?

After completing this session, you will be able to:

  • Understand governance as an enabler of agility
  • Develop non-burdensome ways to collect data
  • Build governance in rather than 'bolting it on'
  • Focus on a risk-based governance approach

221–Machine Learning for Auditors

Andrew Clark
IT Auditor
Astec Industries

Machine learning is permeating our world. As it gains wider adoption, what does it mean for assurance professionals? This session will help you cut through the buzzwords and discover how machine learning can be leveraged in audit and compliance work.

After completing this session, you will be able to:

  • Understand the two groups of ML algorithms
  • Understand machine learning use cases
  • Describe use cases in assurance and compliance
  • Know where to learn more about machine learning

231–Auditing Cybersecurity

Jesse Fernandez, CISA
Senior IS Auditor

Executive management is expecting more than ever before from Internal Auditing to provide assurance that the organization’s cybersecurity program is effective. We can provide the value our executives are demanding if we audit cybersecurity properly.

After completing this session, you will be able to:

  • Identify how attackers plan and carry out attacks
  • Identify the financial impact of a breach
  • Identify cybersecurity frameworks that can be used
  • Identify scope/audit procedures IA should perform

241–Auditing for HIPAA Compliance

Jeremy Price, CISA



Jennifer Brandt, CISA
Stinnett & Associates LLC

Learn how to audit an organization's HIPAA compliance, including the 45 Code of Federal Regulations standards that establish a security and privacy management framework for protecting the confidentiality, integrity, and availability of PHI and EPHI.

After completing this session, you will be able to:

  • Understand the HIPAA Act and its applications
  • Understand the PHI Privacy & EPHI Security Rules
  • Learn to audit for the 45 federal HIPAA standards
  • Leave with useful tips for conducting HIPAA audits

251–Leverage Data Analytics in Internal Audit

Michael Kostanecki, CISA
Senior IT Consulting Manager

Leverage the power of Data Analytics and tools such as ACL Analytics to review the entire population against various criteria to quickly find irregularities or patterns in transactions that could indicate control weaknesses or fraud.

After completing this session, you will be able to:

  • Create automated processes for manual analysis
  • Translate data into a “story”
  • Combine different data sources for insight
  • Understand various Data Analytic techniques

311–NIST Cybersecurity Audit/Assurance Program

Russell Horn, CISA, CRISC

ISACA recently released a NIST Cybersecurity Framework Audit Template as part of the IS Audit/Assurance Program resources. During this session, we will review the NIST Cybersecurity Framework and examine the new ISACA Audit/Assurance Program.

After completing this session, you will be able to:

  • Review the NIST Cybersecurity Framework
  • Become aware of ISACA's Audit/Assurance Program
  • Use the Cybersecurity Audit/Assurance Work Program
  • Conduct a Cybersecurity Audit with ISACA's Program



Track 2—Audit & Assurance, Advanced

112–Navigating Third Party Risk Management

Richard Sowalsky, CISA
Baker Tilly Virchow Krause, LLP

Third party risk is higher than ever given the rise in outsourcing of functions to service providers. As such, vendor management is becoming increasingly complex and stakeholders need to be aware of the compliance options around data security.

After completing this session, you will be able to:

  • Understand SOC reports, recent changes and appropriate third-party reporting
  • Explain how SOC 2+ enhances third-party oversight
  • Explain how SOC 2+ with HIPAA and HITRUST CSF impacts data security
  • Describe the new cybersecurity risk management attestation and the future of vendor management

122–Cloud Security Strategy & Considerations

Rob LaMagna-Reiter
Sr. Director, Information Security
First National Technology Solutions

Organizations in all industries can securely operate in the cloud. With proper planning and due diligence, it is possible to operate securely in the cloud regardless of your organization's size or risk appetite.

After completing this session, you will be able to:

  • Develop a cloud security strategy & risk appetite
  • Identify governance & audit considerations
  • Determine the right cloud provider
  • Understand the importance of data visibility

132–Zero Trust Networks for Audit and Compliance

Kevin Saucier
Conventus Corporation

Auditing groups have always struggled with Security Operations' ability to provide accurate and up-to-date information about assets, users, and data. The Zero Trust Network is the answer to this problem.

After completing this session, you will be able to:

  • Understand the challenges of traditional networks
  • Understand the purpose of Zero Trust Networks
  • Comprehend why the subject chose this architecture
  • Evangelize the need for this in your own audits

142–Protecting Sensitive Data in the Cloud

Ricardo Lafosse, CISA, CISM
Chief Info Security Officer
Cook County



Yilmaz Bal, CISA
Information Security Manager Risk and Compliance
Cook County

New vulnerabilities in systems and users are constantly being probed, and cloud environments add whole new complexities to the equation. The session focuses on how to monitor risk factors, shore up defenses and sleep better at night.

After completing this session, you will be able to:

  • Identify cloud computing deployment models
  • Weigh the benefits and risks of utilizing a cloud solution
  • Start early in the contract process
  • Identify key data security contractual controls

212–IT Audit, From Big Brother to Big Partner

Daniel Jones, CISA, CISM
IT Audit Professional
Devon Energy

Information Technology is changing, and so should how we audit it. No longer can audit swoop in with the big hammer just to look for nails. Budgets, resources, and shareholders require us to partner and become more proactive, while remaining independent.

After completing this session, you will be able to:

  • See the value added by partnering
  • Communicate with the CISO around real risks
  • Explain to your CAE the value of partnership
  • Utilize real-world examples in your discussions

222–Impact of AI on Audit and Assurance

Dan French
Consider Solutions

A look into the future at emerging techniques being introduced to audit and assurance through AI and Machine Learning.

After completing this session, you will be able to:

  • Understand current best practice data analytics
  • Understand emerging data science techniques
  • Understand impact of machine learning
  • Analyze new approaches for audit and assurance

232–An Auditor's Guide to Assessing Crypto

Edward Moyle

This session will provide a primer for assessors on the key elements of evaluating cryptographic implementations. It will cover supporting policy elements (e.g. key management), common vulnerabilities (e.g. CloudPiercer, POODLE), "gotchas" and techniques.

After completing this session, you will be able to:

  • Understand the key elements of assessing cryptographic implementations
  • Understand common vulnerabilities that might arise
  • Evaluate key components of a cryptographic system
  • Know authoritative resources for more information

242–AICPA Cyber-Risk Mgmt Reporting Framework

Chris Halterman
Executive Director
Ernst & Young

Organizations are looking to report on their cybersecurity risk management programs to boost stakeholders' confidence. The AICPA has developed a framework for a company to describe its cybersecurity risk management program and CPAs to report on it.

After completing this session, you will be able to:

  • Apply the AICPA framework for cybersec. reporting.
  • Understand key elements of description criteria.
  • Understand value and key aspects of the reports.
  • Begin preparing for cybersecurity examinations.

252–How Analytics Can Transform Internal Audit

Dave Hildebrand
IT Senior Manager Accenture

Companies are just beginning to apply analytics techniques to internal audit. But analytics has the potential to change the way we audit in fundamental ways. This presentation studies the strategic business impact of analytics on internal audit.

After completing this session, you will be able to:

  • Integrate the use of analytics in internal audit.
  • Use analytics in planning and conduct of audits.
  • Define a strategy for application of analytics.
  • Use analytics to improve internal audits.

312–Compliance in the Clouds

Andrew Plato, CISM
President / CEO

The cloud is now. Many of the compliance practices we currently use were designed for an era before the cloud. This presentation addresses the complexities of making public and private cloud environments (such as AWS or Azure) compliant.

After completing this session, you will be able to:

  • Identify your cloud compliance responsibilities
  • Differentiate on-premise and cloud requirements
  • Implement cloud compliance strategies
  • Explain the value of disposable infrastructure



Track 3—Security/Cybersecurity – Managerial

113–Threats and Challenges in Healthcare

Kenneth Vander Wal, CISA
Chief Compliance Officer

This session will explore the threats and challenges facing healthcare organizations as they relate to securing and protecting electronic protected health information (ePHI). It will also discuss the tools and approaches for addressing these challenges.

After completing this session, you will be able to:

  • Articulate threats facing the healthcare industry
  • Understand why healthcare data is being targeted
  • Discuss leading practices for protecting ePHI
  • Describe ways to demonstrate regulatory compliance

123–Using Internal Audit for Info Security

David Malcom
Managing Director, Global IT Internal Audit Lead



Jason Maslan
Managing Director

The internal audit function can play an integral role in strengthening information security across the enterprise. By expanding IA's purview to cyber policies and practices, executives can apply the rigor reserved for accounting to cyber defense.

After completing this session, you will be able to:

  • Leverage internal audit for cyber security.
  • Define and measure risk profiles.
  • Analyze incidents to ensure policies are followed.
  • Apply IA to cyber policies and practices.

133–Top 10 Cyber Risks

Tara Kissoon, CISA
Managing Director, Head of IT Risk Management, Corporate Support Areas
Bank of Montreal

This session will explore the top ten cyber security risks facing organizations in today's changing environment. It will share recommendations and industry best practices in managing these types of risks.

After completing this session, you will be able to:

  • Understand the cyber security landscape
  • Identify risk exposures to the organization
  • Identify control deficiencies
  • Leverage industry best practices

143–Enterprise Cybersecurity Governance

Michael Addo-Yobo, CISA, CGEIT, CRISC
Senior Director, Cyber Risk Advisory

Cybersecurity incidents and breaches are on the rise, despite enterprise investments in security. The cost of data breaches will see a 4-fold increase from 2015 to 2019. This raises concerns about the overall value of enterprise cybersecurity efforts.

After completing this session, you will be able to:

  • Learn why cybersecurity initiatives sometimes fail
  • Understand the role of governance in enterprise cybersecurity
  • Describe strategies for cybersecurity value assurance
  • Understand the merits of cybersecurity governance

213–Internet of Things

Salar Atrizadeh
Attorney At Law
Law Offices of Salar Atrizadeh

The speaker will discuss the "Internet of Things" and how privacy and security are affected by using it. He will discuss the government's involvement, the European Commission's approach, the judiciary's overview, and relevant laws and regulations.

After completing this session, you will be able to:

  • Understand the Internet of Things
  • Understand privacy, security, and regulatory issues
  • Identify the regulatory agencies
  • Understand the relevant laws

223–Technical Implementation of NIST/FFIEC CSF

Jeffrey Roth, CISA, CGEIT
Regional Director
NCC Group

Attendees will walk through the fundamental NIST CSF concepts and dive into the more technical challenges within the NIST CSF. Takeaways from this session will be references and templates attendees can use to further their use of the NIST CSF.

After completing this session, you will be able to:

  • Use Security Content Automation Protocol (SCAP)
  • Identify Mobile Code controls
  • Understand File Integrity Management tools
  • Understand NIST CSF implementation processes

233–What Auditors Need to Know: Mobile Security

Tara Kissoon
Managing Director, Head of IT Risk Management, Corporate Support Areas
Bank of Montreal

Identify control deficiencies and areas of risk exposure to the organization.

After completing this session, you will be able to:

  • Understand the mobile ecosystem
  • Identify control deficiencies
  • Identify areas of risk exposure
  • Utilize industry best practices

243–Practical Approach to Cyber Security

David Ramirez, CISA, CISM

A cyber security program consists of a wide range of components (governance, risk management, reporting, controls, compliance, standards); this presentation provides a practical approach to managing your program based on two decades of experiences.

After completing this session, you will be able to:

  • Describe challenges for CIOs/CFOs overseeing Cyber
  • Understand the universe of security frameworks
  • Translate security goals into maturity matrices
  • Learn how to better prioritize security efforts

253–Security Monitoring and Attack Detection

Sushila Nair, CISA, CISM, CRISC
Security Specialist
NTT Security

Is your ability to protect, detect, and respond to threats keeping pace with the risks posed by a determined, persistent intruder? Learn how to design a measurable security alerting framework that keeps pace with evolving organizational risk.

After completing this session, you will be able to:

  • Contrast different models for security monitoring
  • Create use cases to build an alerting framework
  • Use kill chains for building alert priorities
  • Use metrics to measure effectiveness of monitoring

313–Cybersecurity: Threat to Banks

Alejandro Mijares, CISA, CRISC
Risk Manager
Kaufman, Rossin & Co

Due to the rapidly changing threats and vulnerabilities, a bank’s inherent risk profile will change over time; therefore, the cybersecurity Risk Assessment should be completed at least once a year, or any time significant changes occur.

After completing this session, you will be able to:

  • Evaluate cyber threats and risk to banks
  • Identify controls to mitigate cyber risks
  • Explain the bank's cybersecurity inherent risk
  • Evaluate the bank's residual risk



Track 4—Security/Cybersecurity – Technical

114–Conducting a Phishing Awareness Program

Todd Fitzgerald, CISA, CISM, CGEIT, CRISC
Global Director, Info Security
Grant Thornton International, Ltd

Phishing simulations have been shown to be effective tools for increasing user awareness of information security issues. This session will convey experiences in setting up an automated phishing program and delivering game-based 15-minute training modules.

After completing this session, you will be able to:

  • Effectively implement a phishing campaign
  • Identify metrics that can move a security program forward
  • Apply behavior-based techniques to reinforce learning
  • Develop a project plan to roll out a phishing program

124–Encryption: Policy to Practice

Ali Pabrai

The risk from a breach today can run to seven figures. Encryption protocols, key strengths, and choices across mobile devices, e-mail, etc. may all seem confusing and overwhelming. Understand how to simplify the use of encryption in your organization.

After completing this session, you will be able to:

  • Examine encryption mandates
  • Review areas where encryption can have an impact
  • Step through the core elements of an encryption policy
  • Identify mandates defined in HIPAA Security, PCI and more

134–Threat Intelligence - Exploiting Hackers

Alex Holden
President & CISO
Hold Security, LLC

Hackers are winning by exploiting our systems and stealing our data. What better way to deter the bad guys than understanding their motivations and techniques? Learn to stop the hackers by using threat intelligence to outsmart them.

After completing this session, you will be able to:

  • Gain a better understanding of hackers' motivations
  • Understand mitigation techniques for the latest attacks
  • Build effective defenses against real threats
  • Learn how to outsmart hackers at their own game

144–Canaries in a Coal Mine…

Principal Cyber Engineer

Cyber-canaries are invaluable in detecting lateral movement on enterprise networks. With the barrage of breaches occurring, organizations must focus on early detection beyond their network perimeter to stave off attacks and further data loss.

After completing this session, you will be able to:

  • Understand the use of honeypots/canaries
  • Deploy OpenCanary to detect lateral movement
  • Develop use cases using OpenCanary
  • Understand various attack scenarios

214–Your Responsibility in Cloud Security

Nihat Guven
Vice President
PurpleBox, Inc.

Companies benefit from the security controls that come with a cloud service. However, CIOs, CISOs, and cloud users in general also have to understand their responsibilities in this new paradigm, called "The Shared Responsibility Model".

After completing this session, you will be able to:

  • Explain the different cloud computing models
  • Explain security controls in cloud services
  • Explain the shared responsibility model
  • Explain cloud security tools and best practices

224–Cybersecurity Kill Chain

William Crowe, CISA, CISM, CRISC
IT Security Manager
Citizens Property Insurance Corporation

Based on military doctrine, Lockheed Martin's Computer Incident Response Team created an intelligence-driven defense process, the Cyber Kill Chain®. This session also reviews the contributions of the ISACA CSX and ENISA cybersecurity kill chains.

After completing this session, you will be able to:

  • Define an Advanced Persistent Threat (APT)
  • Identify the phases of a cybersecurity kill chain
  • Identify attacks via the ENISA cyber kill chain
  • Explain the importance of breaking the kill chain

234–Prioritize Vulnerability Remediation

Amol Sarwate
Director of Vulnerability Labs

In this presentation, we will discuss a year-long study of exploit kits, attacks and vulnerability attributes, and learn how to use them for prioritization. We will share best practices for improving remediation and reducing risk.

After completing this session, you will be able to:

  • Understand how attacks happen in the real world
  • Understand exploits and vulnerabilities
  • Understand how to prioritize remediation
  • Reduce overall risk

244–Learning From Failure

Ira Winkler
Secure Mentem

When there is a security incident, everyone believes that all is lost. However, if handled properly, it can lead to strengthening the current security program. This presentation discusses a methodology to accomplish this.

After completing this session, you will be able to:

  • Analyze security failures in a systematic way.
  • Determine the root vulnerabilities exploited.
  • Determine the enabling governance failures.
  • Identify the appropriate countermeasures.

254–Application Security & Why You Should Care

Stuart Smith, CISM
Group Vice President, Executive Security Advisor
SunTrust Banks, Inc



Ashley Spangler, CISA, CISM, CRISC
AVP, Information Security
SunTrust Banks, Inc

Application vulnerabilities and insecure software are undermining our nation's critical infrastructure. This presentation will explore the problem, offer some solutions, and give a live demo that shows how vulnerabilities such as SQL injection work.

After completing this session, you will be able to:

  • Understand the problem of insecure software
  • Identify common software vulnerabilities
  • Understand how common vulnerabilities work
  • Discuss mitigation of app security vulnerabilities

314–FFIEC Cybersecurity Assessment Tool

Stephanie Chaumont, CISA

After completing this session, you will be able to:

  • Examine the FFIEC Cybersecurity Assessment Tool
  • Understand the assessment inherent risk profile and cybersecurity maturity model
  • Interpret and analyze assessment results to improve cybersecurity preparedness
  • Explore threat intelligence and collaboration including intelligence gathering, monitoring and analyzing, and information sharing



Track 5—Integrated Risk Management

115–Cyber Risk is Biz Risk

Ali Pabrai

In this brief we discuss the approach the business must take to develop a credible cyber security program that includes an appropriate combination of policies, plans, and security controls.

After completing this session, you will be able to:

  • Establish an audit-ready compliance program
  • Know how cyber attacks compromise enterprise assets
  • Analyze areas in an enterprise security plan
  • Explain why cyber security controls are vital to the business

125–Managing ERP Cloud Risks and Controls

Patrick Connally

Cloud solutions continue to emerge as the next generation of business-enabling platforms. These solutions offer certain advantages; however, they also introduce enterprise risks. Understanding and mitigating the risks is critical to solution efficacy.

After completing this session, you will be able to:

  • Understand cloud or hybrid solution deployments
  • Highlight cloud implementation risks and impacts
  • Highlight specific IT risks that should be managed
  • Discuss lessons learned and considerations

135–Managing Emerging Technology Risk

Phil Lageschulte

Mobile, connected devices, blockchain, cognitive intelligence, 3-D printing, drones: these are all technologies that are or will be transforming enterprise business platforms. Transformation also introduces risks that enterprises must consider.

After completing this session, you will be able to:

  • Provide an overview of emerging technologies
  • Describe the unique risks to consider
  • Learn how to balance the risk and reward equation
  • Explain which emerging technologies to watch for

145–Creating a Risk Resilient Culture

Dustin Class, CISA, CISM
Head of Operational Risk

Innovation is shaping our world at an ever-increasing pace. The risks we face are rapidly evolving. To thrive in this new world, our organizations must develop risk resilience through improving our collective Risk iQ and agility to change.

After completing this session, you will be able to:

  • Understand the upside to risk
  • Learn the culture of effective risk management
  • Improve your team's agility to change
  • Enhance your organization's Risk iQ

215–Resilient ERM Framework - Startup to Listed

Annu Warikoo, CISA, CRISC
Global Lead Enterprise Risk Information
Wells Fargo



Stephanie Losi, CISA
219 Labs Inc.

From selecting effective KRIs to gaining buy-in at all levels, institutions face many challenges when implementing ERM frameworks. This talk will address these challenges and provide a road map for building a scalable, resilient ERM program.

After completing this session, you will be able to:

  • Define a business case for ERM
  • Know the building blocks of an ERM framework
  • Understand the elements of risk reporting to the Board
  • Define the relationship between the 3 lines of defense

225–Transactional Security Risk Assessment

Michael Heiken, CISA
Director - Enterprise Systems Risk and Control
PricewaterhouseCoopers LLP

New advances in technology and approach have proven very effective in reducing the amount of effort needed to mitigate SOD conflicts while also increasing the effectiveness of mitigating activities. This course covers those approaches.

After completing this session, you will be able to:

  • Monitor the right SOD risks for your business
  • Design mitigating controls with appropriate precision
  • Base SOD monitoring on executed transactions
  • Continuously improve assessment algorithms

235–Raising the Bar: Cyber Risk Management Oversight and Reporting

John Clark, CISA
Deloitte & Touche, LLP



Gaurav Kumar
Deloitte & Touche, LLP

It’s not a matter of if, but when, a cyberattack will occur. How can your organization implement a Secure.Vigilant.Resilient.™ cyber risk management program? And how can you demonstrate the effectiveness of that program to your stakeholders?

After completing this session, you will be able to:

  • Understand the evolving cyber threat landscape
  • Learn the board's role in cyber risk oversight
  • Understand the proposed AICPA guidance
  • Know how to prepare for a future engagement

245–Modeling an Asset Risk Management Program

Sudhakar Sathiyamurthy, CISA, CGEIT, CRISC
Director, Cyber Risk
Grant Thornton LLP



After completing this session, you will be able to:

  • Understand core pillars of asset risk management
  • Appreciate the role of assets in risk management
  • Model asset risk management using COBIT 5 for risk
  • Operate an asset risk management program

255–Consequences That Matter - IT Risk

Manager, ITRM Operations

Explaining IT risk across the enterprise is a complicated affair and requires a nuanced approach to evoke change across IT, the business, and leadership. Join a discussion on techniques to broaden IT Risk's message and give it meaningful consequences.

After completing this session, you will be able to:

  • Identify the audiences that IT Risk speaks to
  • Understand IT Risk's role in growing awareness
  • Tailor your messages to various audiences
  • Track the effectiveness of your communications

315–Audit & Security: Combating Emerging Threats

McKell Gomm, CISA
Sr. Security Architect

David Cross




Henry Schein

In this presentation, we'll discuss how audit and security can work together against emerging threats. We'll then discuss five threats in detail: Web Defense, Third-party Security, Insider Threats, Malware and Mitigating Overall Risk.

After completing this session, you will be able to:

  • Better protect your web presence
  • Stand up a third-party security program
  • Mitigate the risk of compromise
  • Work together to protect the business



Track 6—Data Analytics & Big Data

116–Evolution of Risk Assessments with D&A

Brian Greenberg, CISA



Chris Harding

In this session, we will walk through examples to illustrate how data and analytics can be effectively used throughout the risk assessment process lifecycle to deliver timely insights.

After completing this session, you will be able to:

  • Explain the use of network theory and scientific methods
  • Demonstrate how systemic risks can be quantified
  • Highlight ways to monitor changes to risks
  • Understand risk assessment techniques

126–Fraud Detection Using Data Analysis

Richard Fowler, CISA
Senior Audit Specialist
Huntington Ingalls Industries

Our systems are pretty secure, yet every year about 6% of company revenue is lost to fraud. It is very difficult to prevent fraud, but it is not so hard to detect it. Data analysis can help detect fraud in both business reviews and IT reviews.

After completing this session, you will be able to:

  • Identify types of potential fraud scenarios
  • Assess how to analyze data for fraud indicators
  • Work with the business to determine fraud risk
  • Review system, configuration and transaction files
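Two of the classic transaction-file tests the session refers to, duplicate-payment detection and split-transaction (structuring) detection, written out as an added example. This is illustrative code, not material from the session or the speaker; the accounts-payable records, the approval limit and the seven-day window are all constructed assumptions.

```python
"""Two fraud-indicator tests run over a constructed set of accounts-payable
transactions (added example; the data is made up and the thresholds are
assumptions, not values from the session)."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample: (txn_id, vendor, invoice_no, amount, posted, approver)
TRANSACTIONS = [
    ("T1", "ACME Supply", "INV-1001", 4_800.00, date(2017, 3, 1), "jdoe"),
    # same vendor and amount, a "new" invoice number, three days later
    ("T2", "ACME Supply", "INV-1001A", 4_800.00, date(2017, 3, 4), "jdoe"),
    ("T3", "Globex", "G-77", 12_500.00, date(2017, 3, 2), "asmith"),
    # three just-under-limit payments to one vendor on one day, one approver
    ("T4", "Initech", "IT-5", 4_990.00, date(2017, 3, 6), "jdoe"),
    ("T5", "Initech", "IT-6", 4_975.00, date(2017, 3, 6), "jdoe"),
    ("T6", "Initech", "IT-7", 4_950.00, date(2017, 3, 6), "jdoe"),
    ("T7", "Globex", "G-78", 300.00, date(2017, 3, 9), "asmith"),
]

APPROVAL_LIMIT = 5_000.00        # assumed single-approver limit
DUP_WINDOW = timedelta(days=7)   # assumed window for "same payment twice"


def duplicate_payments(txns, window=DUP_WINDOW):
    """Pairs with the same vendor and amount but different invoice numbers,
    posted within `window` of each other: a re-submitted or fabricated
    second invoice is the usual explanation."""
    by_key = defaultdict(list)
    for t in txns:
        by_key[(t[1], round(t[3], 2))].append(t)
    flagged = []
    for group in by_key.values():
        group.sort(key=lambda t: t[4])          # oldest first
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if b[4] - a[4] > window:        # sorted, so stop early
                    break
                if a[2] != b[2]:                # same invoice no. is a true dup,
                    flagged.append((a[0], b[0]))  # different no. is the red flag
    return flagged


def split_transactions(txns, limit=APPROVAL_LIMIT):
    """(approver, vendor, day) groups where every transaction stays under the
    approval limit but the day's total exceeds it: structuring to avoid a
    second signature."""
    by_key = defaultdict(list)
    for t in txns:
        if t[3] < limit:
            by_key[(t[5], t[1], t[4])].append(t)
    return sorted(
        (key, [t[0] for t in group], round(sum(t[3] for t in group), 2))
        for key, group in by_key.items()
        if len(group) > 1 and sum(t[3] for t in group) > limit
    )


if __name__ == "__main__":
    print("duplicates:", duplicate_payments(TRANSACTIONS))
    print("splits:", split_transactions(TRANSACTIONS))
```

Both tests are deliberately simple joins on the transaction file itself; in practice the same keys (vendor, amount, approver, posting date) are cross-checked against the vendor master and the approval matrix, and the window and limit come from the organization's actual policy rather than the assumed values here.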

136–Analytics Success: Why Now & How To?

Geoffrey Kovesdy, CISA, CRISC
Senior Manager
Deloitte and Touche

As internal auditors seek new ways to innovate in their roles, analytics is proving to be a key differentiator. By capitalizing on the wealth of data now available, internal audit can generate valuable insights that improve business performance.

After completing this session, you will be able to:

  • Understand the case CAEs make for analytics
  • Develop a multifunctional, insight-driven approach
  • Reference use cases of other leading organizations

146–Transforming IT Audit with Analytics

Stephen Fleming, CISA
Expert Audit Specialist
Federal Reserve Bank of Richmond



Elizabeth Krize, CISA, CISM, CRISC
Expert Audit Specialist
Federal Reserve Bank – Richmond

This session will focus on the integration and impact of analytics on the IT audit strategy. Key topics will include foundational components needed for a successful program, utilizing results in audits, and shaping the IT audit strategy.

After completing this session, you will be able to:

  • Grasp key considerations for an analytics program
  • Use analytics to help drive an audit
  • Leverage analytics to enhance audit strategy
  • Identify future applications of analytics in Audit

216–Why Analytics Fails and How to Fix It

Melanie Mecca
Director, Data Mgmt Products & Svcs
CMMI Institute



James Halcomb
CMMI Institute

Analytics is essential to achieve competitive advantage and to mine data assets for insight into operational and business process performance. Data challenges impede analytics success. We address the key issues and offer a path to fix them.

After completing this session, you will be able to:

  • Learn how data management impacts analytics
  • Employ the Data Management Maturity Model
  • Leverage governance to improve data quality
  • Synthesize a path to improve analytics activities

226–Cross-Functional Methodology for Analytics

Andrew Kumiega, CISA, CISM, CGEIT, CRISC
Illinois Institute of Technology

Firms in analytics-driven industries have two goals: developing their custom analytics, and developing a business model that capitalizes on those analytics through technology. A proven, unique framework that combines these goals will be presented.

After completing this session, you will be able to:

  • Recognize that analytic systems have four development cycles
  • Explain why vetting mathematics differs from auditing
  • Monitor data dynamically for real-time systems
  • Apply statistical process control (SPC) to monitor algorithm output

236–Proactive Compliance Data Analytics Program

Matthew Kral, CISA



Alan Gibson
Enterprise Architect

A proactive compliance data analytics program enables organizations to better understand compliance risks using advanced data analytics and machine learning. The solution correlates multiple risk factors and data sets to extract meaningful insights.

After completing this session, you will be able to:

  • Build world-class compliance programs.
  • Understand the untapped potential of your data.
  • Make data your most effective compliance tool.
  • Focus on solving the problem, not identifying it.

246–Where Audit Analytics Meets Open Source

Andrew Clark
IT Auditor
Astec Industries

Open source software is taking the computer science community by storm, allowing for open idea exchange and rapid development. This Open Data Science movement can be harnessed to propel your audit analytics program to the next level.

After completing this session, you will be able to:

  • Explain what open source software is and its key benefits
  • Begin using open source analytics
  • Implement basic analytics tests in Python

256–Creative Visualization for Data Analytics

Keith Barber, CISA
Director, Business Analytics Insight
Empower Audit



Mary Breslin
Empower Audit

Data analytics is a very powerful tool that is becoming an industry best practice, but now we face the next level of the challenge: interpreting, understanding and presenting the data. The best way to do this? Visualization.

After completing this session, you will be able to:

  • Understand the “what, why, how” of visualization
  • Identify areas of opportunity for visualizations
  • See how visualization improves understanding
  • Learn how visualization improves presentations

316–Building a Fraud & Spend Review Program

Nathan Anderson, CISA, CRISC
Divisional Vice President
Sears Holdings

There is an opportunity in our organizations to reduce fraud and waste in high risk areas such as travel & expense and purchasing. During this session, Sears will share how we built fraud & waste monitoring with our offshore team and software.

After completing this session, you will be able to:

  • Identify opportunities for fraud & waste reduction
  • Audit fraud and waste reduction programs
  • Implement a fraud and waste reduction IT solution
  • Focus on the right metrics for fraud & waste



Track 7—Leadership Development and Career Management

117–Soft Skills: The Key to Employee Success

Diane Hamilton
Dr. Diane Hamilton LLC

Dr. Diane Hamilton, a certified emotional intelligence expert and qualified Myers Briggs expert, explains the importance of soft skills for the success at work. Find out why employees are hired for hard skills and fired for lack of soft skills.

After completing this session, you will be able to:

  • Differentiate hard skills from soft skills
  • Incorporate behaviors that demonstrate a high EQ
  • Demonstrate empathy and understanding
  • Recognize how to develop soft skills in others

127–How to Prepare to Pass CISA Exam

Ken Schmidt, CISA
R&M Consulting

Learn practical and effective strategies for passing the Certified Information Systems Auditor (CISA) examination on the first attempt.

After completing this session, you will be able to:

  • Understand the CISA Exam objectives and content
  • Master the content of the five domains (chapters)
  • Apply proven strategies to analyze and understand what the exam writer is looking for
  • Use the ISACA resources available to help you prepare for success

137–10 Must Have Skills for the 2020 CISO

Todd Fitzgerald, CISA, CISM, CGEIT, CRISC
Global Director, Info Security
Grant Thornton International, Ltd

The role of the CISO has been evolving for the past 20 years and has now attained a level in most organizations that is deemed business critical. How will the CISO of tomorrow survive? What skills are needed? This session will explore these skills.

After completing this session, you will be able to:

  • Examine top skills needed for CISO effectiveness
  • Discuss causes of security program failure
  • Focus learning on key relevant technologies
  • Develop a CISO career roadmap for success

147–How to Build and Grow Your IT Security Team

Tammy Moskites

Today, there are more IT security jobs than people to fill them. With few options, how do you find the right people for your IT security team? Get guidance on hiring, retaining, growing, and rewarding your team—customized for your company culture.

After completing this session, you will be able to:

  • Know what to look for when hiring
  • Focus on team strengths
  • Grow the team using competency-based training
  • Develop a team culture that encourages growth

217–Tips for Effective Presenting

Paul Phillips, CISA, CISM
IT Director



Check back for updates.


227–How to Effectively Communicate During an Audit Engagement

Animesh Mathur
Internal Audit Director
Fannie Mae



Anthony Pantano, CISA
Internal Auditor IV
Fannie Mae

This training provides public speaking best practices geared towards IT professionals. Includes techniques on how to structure and organize information when presenting to various audiences.

After completing this session, you will be able to:

  • Understand the importance of public speaking.
  • Effectively prepare for a speaking engagement.
  • Use optimal body language during communication
  • Know the best verbal techniques for communicating.

237–Geek Speak to Business Speak, 2.0

Mary Breslin
Empower Audit

Communication is key to success for any professional but miscommunication in audit and technology can lead to costly mistakes and issues. Learn how to tear down communication barriers and make communication your greatest strength.

After completing this session, you will be able to:

  • Explain why words matter and how they impact your career
  • Flip language from a barrier to an advantage
  • Identify and eliminate geek speak
  • Communicate with anyone and everyone effectively

247–Digital Skills and Talent Management

Matthew Burrows
Director & Principal Consultant
BSM Impact Limited

We constantly hear about skills shortages, but this session will explain what organizations can do about these challenges, answering the critical questions "what skills do we have, and what skills do we need?".

After completing this session, you will be able to:

  • Quickly and accurately assess current skills
  • Confirm required skills and levels for success
  • Identify skill gaps and risk/focus areas
  • Know how to address the skills challenges

257–IS Audit Tips in Dealing with the IT Crowd

Ralph Villanueva, CISA, CISM
IT Security and Compliance Analyst
Las Vegas Sands Corp

This presentation aims to provide useful tips that IS auditors can immediately use in their organizations, by analyzing and discussing the gulf between the IS audit and the IT Departments.

After completing this session, you will be able to:

  • See reasons behind difficulty in dealing with IT
  • Resolve collaborative issues with the IT Dept
  • See how IS auditors can collaborate with IT
  • See how management can promote IT collaboration

317–Security Strategies - Rally the Workforce

Randall Zigabarra, CISA, CISM
Chief Information Security Officer

Every employee has to be a member of the security team. Are they, and how? This discussion explores effective strategies to enlist the workforce at all levels, reinforcing security program effectiveness.

After completing this session, you will be able to:

  • Mutually align Security and Workforce objectives
  • Instill a desire for an employee's participation
  • Raise self-esteem through contribution recognition
  • Rally a workforce, enhance alerting & reduce risk



Track 8—Governance

118–Why Help Management Understand SOC Reports?

Martin Langlois
BrickStreet Mutual Insurance



Deepesh Randeri, CISM
Brick Street Mutual Insurance

SOC reports are requested from third party vendors that are significant to our financial statements. What about vendors who are critical but not financially significant? Management doesn't understand the reports or control obligations. Can we help?

After completing this session, you will be able to:

  • Show why you are best qualified to help.
  • Effectively summarize key report information.
  • Communicate responsibilities to management.
  • Integrate the SOC information into corporate ERM.

128–What’s missing in IT security governance?

Tammy Moskites

With IT security governance, most neglect the basics. See how to avoid common pitfalls and implement a 4-step framework that successfully applies security strategies to broader risk and compliance considerations and overall business objectives.

After completing this session, you will be able to:

  • Know what’s missing in IT Security Governance
  • Align with regulations and business objectives
  • Know the prerequisites to each framework step
  • Achieve prerequisites in enterprise environments

138–Using COBIT 5 in Support of RMF

William Matthey, CISM
Consultant / Trainer
P&M Consultants

An overview and discussion of mapping COBIT 5 as a blueprint for meeting the Federal objectives of the Risk Management Framework (RMF) in DOD and non-DOD Federal enterprises. All Executive Branch departments, including DOD and NIA, are transitioning from DIACAP to RMF.

After completing this session, you will be able to:

  • See the RMF Requirements for the Executive Branch.
  • Map NIST RMF to COBIT 5 and the SDLC.
  • Use COBIT 5 to meet the NIST RMF requirement.
  • Carry away project guideline for meeting RMF goals

148–BIA: The Root of Security & Recovery Plans

Herbert McMorris, CISA, CISM, CRISC
I.T. Security Analyst

The Business Impact Analysis (BIA) is the root of security, risk & recovery programs, yet it is often performed incorrectly. How does the BIA drive risk management process, security programs, and recovery efforts, and who should perform the analysis?

After completing this session, you will be able to:

  • Explain the purpose of a Business Impact Analysis
  • Explain how the BIA applies to risk and recovery programs
  • Determine the critical outputs from the analysis
  • Apply those outputs to risk, security, and recovery

218–"GEAR" Up with a new GRC Model & Benefits

Elvis Moreland, CISM, CGEIT
VP Cybersecurity

Traditional GRC isn't good enough when facing modern cyber threats. We must integrate the best of GRC, Engineering, Assessment, Risk & Continuous Monitoring to win on the threat & risk battlefield while reporting leading KPIs to the CEO and Board.

After completing this session, you will be able to:

  • Comprehensively define a new "GEAR Up" GRC Model
  • Identify the elements of the new GEAR UP Model
  • Integrate GRC, Engineering & Continuous Monitoring
  • Implement the new "GEAR Up" Model

228–Understanding and Evaluating SOC Reports

Richard Lucy, CISA
Practice Director
Paragon Audit & Consulting

Understanding and Evaluating Service Organization Controls (SOC) Reports: An integral part of an effective vendor risk management program.

After completing this session, you will be able to:

  • Understand why SOC Reports are important.
  • Understand the differences between SOC 1,2, and 3
  • Read a SOC Report and document a review
  • Understand Carve-Outs and Inclusions

238–How to Apply COBIT 5 in Govt: The CBN Story

Mariam Bala
Project Management Officer



Nsuhoridem Okon
Enterprise Architect
Central Bank of Nigeria

For IT leaders struggling with IT governance requirements in government, this session shows how to successfully implement COBIT 5 in a federal financial regulatory organization: a case study of the Central Bank of Nigeria, the apex regulatory body for banks.

After completing this session, you will be able to:

  • Fit COBIT 5 into existing corporate governance
  • Avoid pitfalls by managing culture change required
  • Achieve the most in each phase of COBIT 5 cycle
  • Replicate the journey, without the tears

248–Using COBIT 5 to Solve Real World Problems

Peter Tessin, CISA, CGEIT, CRISC
Technical Research Manager

Solve business problems with COBIT 5 in a practical exercise. Get past the theory and go straight to solving problems!

After completing this session, you will be able to:

  • Diagnose problems through interviewing
  • Apply the goals cascade
  • Map requirements to available resources
  • Construct metrics and performance reporting

258–Vendor Management with COBIT 5

William Crowe, CISA, CISM, CRISC
IT Security Manager
Citizens Property Insurance Corporation

Vendors, especially cloud service providers (CSPs), constitute an important part of an enterprise's external environment. Vendor management using COBIT 5 provides detailed practical guidance and facilitates the vendor management process for IT and business professionals.

After completing this session, you will be able to:

  • Describe the lifecycle phases of vendor management
  • Describe common threats in vendor management
  • Describe financial impact of inadequate management
  • Using a handout, describe the binding documents

318–A Risk-based Approach to Data Governance

Lisa Young, CISA, CISM
Vice President
Axio Global

According to COBIT 5, information is effective if it meets the needs of the stakeholders. Ensuring that your enterprise has considered data in the context of its business objectives will maximize business benefits and your competitive edge.

After completing this session, you will be able to:

  • Identify the critical success factors for data governance.
  • Determine the requirements for managing data.
  • Know why data governance is key to metrics.
  • Define your information management process.




WS1-COBIT 5 Foundation

Mark Thomas, CGEIT, CRISC

COBIT 5 is the only business framework for the governance and management of enterprise IT. Launched in April 2012, COBIT 5 helps maximize the value of information by incorporating the latest thinking in enterprise governance and management techniques, and provides globally accepted principles, practices, analytical tools and models to help increase the trust in, and value from, information systems.

Learn the importance of an effective framework to enable business value. Delve into the elements of ISACA’s evolutionary framework to understand how COBIT 5 covers the business end-to-end and helps you effectively govern and manage enterprise IT. Developed for anyone interested in obtaining foundation-level knowledge of COBIT, the course explains the COBIT framework and supporting materials in a logical and example-driven approach.

After completing this session, you will be able to:

  • Describe how IT management issues are affecting organizations
  • Explain the need for an effective framework to govern and manage enterprise IT
  • Explain how COBIT meets the requirement for an IT governance framework
  • Describe how COBIT is used with other standards and best practices
  • Describe the functions that COBIT provides and the benefits of using COBIT
  • Describe the COBIT Framework and all the components of COBIT
  • Apply COBIT in a practical situation

COBIT 5 Foundation Exam

Monday, 1 May 2017 | 7:30 – 9:00AM
Earn the COBIT 5 Foundation Certificate! Attendees can take the COBIT 5 Foundation Exam for an additional US $150! For those who have registered to take the COBIT 5 Foundation Exam onsite, please note that this exam will begin promptly at 8:00AM. Please allow yourself extra time to get breakfast and check in for the exam before the start time.

Exam information:

  • Bring a picture ID to the exam
  • This is an unassisted (closed book) paper based exam
  • Exams, answer sheets, and pencils will be provided
  • Computers, tablets, and phones are not needed
  • Drinks are allowed; however, food is prohibited
  • Your exam proctor will provide any additional instructions the day of the exam

WS2-Cybersecurity Fundamentals

Todd J. Fitzgerald, CISA, CISM, CGEIT, CRISC
Global Director, Info Security
Grant Thornton International, Ltd

Why become a cyber security professional? The protection of information is a critical function for all enterprises. Cyber security is a growing and rapidly changing field, and it is crucial that the central concepts that frame and define this increasingly pervasive field are understood by professionals who are involved and concerned with the security implications of Information Technologies (IT). The CSX Fundamentals workshop is designed for this purpose, as well as to provide insight into the importance of cyber security, and the integral role of cyber security professionals. This workshop will also prepare learners for the CSX Fundamentals Exam.

After completing this session, you will be able to:

  • Understand basic cyber security concepts and definitions
  • Define network security architecture concepts
  • Recognize malware analysis concepts and methodology
  • Identify computer network defense (CND) and vulnerability assessment tools, including open source tools and their capabilities
  • Explain network systems management principles, models, methods, and tools
  • Distinguish system and application security threats and vulnerabilities
  • Classify types of incidents (categories, responses, and timelines for responses)
  • Outline disaster recovery and business continuity planning
  • Comprehend incident response and handling methodologies
  • Understand security event correlation tools, and how different file types can be used for atypical behavior
  • Be aware of the basic concepts, practices, tools, tactics, techniques, and procedures for processing digital forensic data
  • Recognize new and emerging information technology and information security technologies

WS3-Applied Data Analysis

*Participation in this workshop requires you to bring a laptop that allows you administrator privileges for installing software. You must have permission to read data and copy it from a USB (or an optical DVD drive) on your laptop.



After completing this session, you will be able to:

  • Better understand which automated data analysis procedures are beneficial in which IS audit phase: planning, testing or follow-up
  • Learn techniques for applying data analysis to IT event tracking systems in order to better understand the enterprise environment and aid annual, engagement and testing planning
  • Gain practice accessing and analyzing Active Directory data
  • Obtain techniques to analyze logical access data as it relates to segregation of duties, phantom access, access policy configuration and adherence
  • Compare system configuration files to determine drift
  • Apply analysis techniques to multiple files associated with change management
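Three of the workshop's tests (segregation-of-duties conflicts and phantom access from a directory membership export, and configuration drift between two snapshots), worked through as an added example. This is illustrative code, not the workshop's materials: the group-membership export, HR roster, conflict matrix and the sysctl-style config snapshots are all constructed, and the list of expected service accounts is an assumption.

```python
"""Logical-access and configuration tests over constructed data (added
example; the exports, conflict matrix and config snapshots are made up)."""

# Constructed AD group-membership export: (sAMAccountName, group)
AD_MEMBERSHIP = [
    ("jdoe", "AP_Invoice_Entry"), ("jdoe", "AP_Payment_Release"),
    ("asmith", "AP_Invoice_Entry"), ("asmith", "GL_Read"),
    ("bwong", "AP_Payment_Release"),
    ("svc_backup", "Domain Admins"),
    ("rjones", "GL_Read"),
]

# Constructed HR roster: account -> employment status (rjones is absent)
HR_ROSTER = {"jdoe": "active", "asmith": "active", "bwong": "terminated"}

# Service accounts expected to have no HR record (assumption for the example)
SERVICE_ACCOUNTS = frozenset({"svc_backup"})

# SoD conflict matrix: pairs of groups one person must not hold together
SOD_CONFLICTS = [("AP_Invoice_Entry", "AP_Payment_Release")]


def sod_violations(membership, conflicts):
    """Accounts holding both halves of any conflicting group pair."""
    held_by = {}
    for acct, grp in membership:
        held_by.setdefault(acct, set()).add(grp)
    return sorted(
        (acct, a, b)
        for acct, held in held_by.items()
        for a, b in conflicts
        if a in held and b in held
    )


def phantom_access(membership, roster, service_accounts=frozenset()):
    """Accounts that still hold access but have no *active* HR record:
    leavers whose accounts were never disabled, and accounts nobody owns."""
    accts = {acct for acct, _ in membership} - service_accounts
    return sorted(acct for acct in accts if roster.get(acct) != "active")


def _parse_kv(text):
    """Parse 'key = value' lines, ignoring blanks and '#' comments."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def config_drift(baseline, current):
    """Keys added, removed or changed between two key=value snapshots."""
    base, cur = _parse_kv(baseline), _parse_kv(current)
    return {
        "added": sorted(set(cur) - set(base)),
        "removed": sorted(set(base) - set(cur)),
        "changed": sorted(
            (k, base[k], cur[k]) for k in set(base) & set(cur) if base[k] != cur[k]
        ),
    }


# Constructed sysctl-style snapshots: approved baseline vs. what is deployed
BASELINE_CFG = """# approved baseline
net.ipv4.ip_forward = 0
kernel.randomize_va_space = 2
fs.protected_symlinks = 1
"""
CURRENT_CFG = """# pulled from host
net.ipv4.ip_forward = 1
kernel.randomize_va_space = 2
net.ipv4.conf.all.accept_redirects = 0
"""


if __name__ == "__main__":
    print("SoD:", sod_violations(AD_MEMBERSHIP, SOD_CONFLICTS))
    print("phantom:", phantom_access(AD_MEMBERSHIP, HR_ROSTER, SERVICE_ACCOUNTS))
    print("drift:", config_drift(BASELINE_CFG, CURRENT_CFG))
```

The same three functions scale to real exports: a `Get-ADGroupMember` dump or an LDAP query feeds `sod_violations` and `phantom_access` once flattened to (account, group) pairs, and any key=value format (sysctl, Java properties, INI without sections) parses into `config_drift` unchanged; formats with nested structure need their own parser in place of `_parse_kv`.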

WS4-CISA Prep Course

Kenneth Schmidt, CISA
R&M Consulting



After completing this session, you will be able to:

  • Learn the specific requirements for passing the CISA Exam and attaining your Certification
  • Utilize ISACA materials to prepare for and pass the CISA Exam
  • Learn successful methods of "how to" evaluate Exam questions and answers, including analysis and explanations
  • Review useful, proven information on study and exam time management
  • Complete and review a mock exam, with every question and answer explained

WS5-The Intersection of IT and Assurance by Leveraging COBIT 5

Mark Thomas, CGEIT, CRISC


The purpose of this course is to gain an understanding of various activities involved when determining an assurance approach to IT using the COBIT 5 product family.

After completing this session, you will be able to:

  • Recognize the applicable products in the COBIT 5 product family needed to develop a holistic approach to assurance.
  • Understand the elements of creating a value-based approach to developing an assurance strategy for IT.
  • Appreciate the intersection of balancing performance and conformance with respect to assurance of IT services.

WS6-Using Risk Scenarios

Lisa Young, CISA, CISM
Vice President, Service Delivery
Axio Global



After completing this session, you will be able to:

  • Understand the context for risk management in business terms.
  • Define Risk scenarios and risk factors
  • Understand when to use or develop risk scenarios
  • Express and describe the impact of risks in business terms
  • Determine whether your risk management process/program is mature enough to use risk scenarios

WS7-Cybersecurity for Auditors

Russell Horn, CISA, CRISC

John Edward McMurray, CISA
Asst. Director, Security Services

Stephanie Alexis Chaumont, CISA
Security and Compliance Consultant

Cyber security focus is a requirement for any organization today, but how can a company know and understand what their cyber security posture is? A strong cyber security audit program with qualified, capable auditors and a robust work program or standard is a must. During this workshop, we will dig into the details of cyber security audit. We will evaluate the ISACA NIST Cybersecurity Framework Audit Work Program as well as various cyber security frameworks and tools including the NIST Cybersecurity Framework and the FFIEC Cybersecurity Assessment Tool.

Please note: this workshop will provide an overview of cyber security and spend the majority of time focusing on the auditing of cyber security concepts. Therefore, an understanding of the fundamental concepts of cyber security is required. ISACA strongly encourages attending the CSX Fundamentals 2-Day workshop prior to attending this Cybersecurity for Auditors workshop in order to gain a full base understanding for cyber security. Cybersecurity Fundamentals is being offered as a pre-workshop (see WS2 above).

After completing this session, you will be able to:

  • Audit an organization’s cyber security posture
  • Evaluate cyber security inherent risk
  • Define audit evidence requests needed to evaluate an institution’s cyber security controls
  • Be aware of basic policies, practices, technologies, tools and controls used to enhance cyber security
  • Examine ways to assess an organization’s cyber security maturity
  • Recognize new and emerging cyber-attacks, threats, and vulnerabilities
  • Discuss cyber security frameworks and assessment tools currently available
  • Understand and use the ISACA NIST Cybersecurity Framework Audit Work Program

WS8-IT Audit Leadership: Advancing your Career

Nathan A. Anderson, CISA, CRISC
Divisional Vice President, Internal Audit
Sears Holding Corporation

Nathan switched from IT Audit consulting to IT Audit Manager in industry several years ago. The learning curve was steep, and he learned as part of an excellent team as he progressed from manager to director, and eventually to divisional vice president. In this session, he'll give his insights on how to succeed in the critical roles performed by IT Audit leaders.

After completing this session, you will be able to:

  • Conduct risk assessments and develop the audit plan
  • Set milestones and metrics for managing operational audits and compliance activities
  • Communicate effectively with leadership, including:
    • writing impactful audit reports
    • managing outstanding audit issues
    • reporting to the audit committee
  • Understand measures and metrics for successfully governing internal audit
  • Consider strategies for:
    • Optimizing and enhancing Internal Audit workpapers
    • Optimizing compliance activities
  • Hire and develop an effective team




Alchemy & Ale Steampunk Event

Tuesday, 2 May 2017; Chelsea Theater at the Cosmopolitan Hotel
6:30 – 9:00PM

Crank your ideas up a gear! Be inspired with a glimpse of the future through an imaginary past. Imagine the future through the eyes of H.G. Wells or Jules Verne. Join your fellow conference attendees for a fantastic journey that will stoke your curiosity as you network with innovators and professionals at North America CACS 2017’s Steampunk event.

Tickets will be required for admittance to this event. Tickets are complimentary for conference registrants. However, if you'd like to attend, you must select the event when you register in order to receive a ticket onsite. Guest tickets are available for purchase when you register for an additional $150.