North America CACS Presentations and Descriptions 


Attendee has limited or no prior knowledge or experience or are new to the subject matter. Beginner sessions are geared toward attendees who are new to the field and seeking to learn basic concepts. Beginner’s sessions are intended to help attendees who seek to build foundational knowledge in an effort to gain a working knowledge of the topic.

Attendee has a working knowledge of the topic covered but is not yet an advanced practitioner. Intermediate sessions are geared toward delegates who have some competence in the subject under discussion resulting from prior training, education and/or work experience. Delegates who seek to build upon foundational knowledge, refine and better hone their skills, and advance their understanding of the topic may wish to consider intermediate-level sessions.

Advanced Technical
Attendee has a high level of technical understanding of the topic under discussion. Advanced technical sessions are geared toward delegates that have already achieved a high degree of technical competence in the subject of discussion resulting from extensive training in the area and supplemental work experience. Delegates, who wish to build upon intermediate knowledge, achieve mastery in a specific technical area, or build upon existing technical skills may wish to consider advanced technical sessions.

Advanced Managerial
Attendee has a high level of understanding of managerial concepts. Advanced managerial sessions are geared toward attendees that have already achieved a high degree of leadership competence in the subject of discussion resulting from extensive training in the area and several years of work experience. Attendees, who wish to build upon intermediate knowledge, achieve mastery in a specific managerial area, or build upon existing leadership skills may wish to consider advanced managerial sessions.


Track 1—Audit & Assurance

111–SCADA and IoT

Robert Findlay
Global Head of IT Audit

With the lines between traditional IT and industrial control systems blurring, the addition of Internet of things technology means IT auditors need to focus on SCADA and related technologies in the light of greater connectivity.

After completing this session, you will be able to:

  • Plan ICS based audits
  • Understand difference between SCADA, HMI, PLCs
  • Review controls over ICS technologies
  • Understand issues with IoT and SCADA

121–The Rise of Fintech and the Impact on IA

Michael Juergens, CISA, CGEIT, CRISC
Deloitte & Touche, LLP



Parag Raje, CISA
Advisory Managing Director
Deloitte & Touche LLP

Financial Technologies (Fintech) are disrupting financial institutions in a variety of areas, from digital currencies to robotics. Learn more about the emerging disruption in Fintech and how it is expected to impact internal audit.

After completing this session, you will be able to:

  • Recognize attributes of maturing Fintech market
  • Position IA to participate in strategic decisions
  • IA considerations for mktplc lending & blockchain
  • Reference use cases of expected impact on IA

131–The IoT: What does this mean to IA?

Anthony Chalker, CISA
Managing Director

The Internet of Things (IoT) also brings disruptive change to the forefront, and the security and data management challenges are significant. Why is this important to internal audit?

After completing this session, you will be able to:

  • Define what is IoT
  • Know the importance to audit professionals
  • New disruptive opportunities (and risks)
  • Impact different industries

141–Auditing Network Devices

Director of Internal Audit

This presentation will give an overview of top key areas to audit network devices, and will introduce attendees to network security risks, ideas to benchmark against best practices, and common network security requirement.

After completing this session, you will be able to:

  • Identify risk areas for a network device audit.
  • Locate resources for common security practices.
  • Plan a basic network device security audit.
  • Identify common audit issues in this area.

211–Agile & Compliance

Pamela Nigro, CISA, CGEIT, CRISC
Senior Director of Information Security/GRC
Blue Cross Blue Shield of Illinois

Finding Harmony and Balance between the Agile Accelerator and the Brakes of your DevOps Processes -- Can software delivery in a highly-governed industry reap the benefits of Agile and DevOps while maintaining required compliance?

After completing this session, you will be able to:

  • Understand governance as an enabler of agility
  • Develop non-burdensome ways to collect data
  • Building governance in rather than 'bolting on'
  • Focus on a risk based governance approach

221–Machine Learning for Auditors

Andrew Clark
IT Auditor
Astec Industries

Machine learning is permeating our world. As it gains wider adoption, what does it mean for assurance professionals? This session will help you cut through the buzzwords and discover how machine learning can be leveraged in audit and compliance work.

After completing this session, you will be able to:

  • Understand the two groups of ML algorithms
  • Understand machine learning use cases
  • Describe use cases in assurance and compliance
  • Know where to learn more about machine learning

231–Auditing Cybersecurity

Jesse Fernandez, CISA
Senior IS Auditor

Executive management is expecting more than ever before from Internal Auditing to provide assurance that the organization’s cybersecurity program is effective. We can provide the value our executives are demanding if we audit cybersecurity properly.

After completing this session, you will be able to:

  • Identify how attackers plan and carry out attacks
  • Identify the financial impact of a breach
  • Identify cybersecurity frameworks that can be used
  • Identify scope/audit procedures IA should perform

241–Auditing for HIPAA Compliance

Jeremy Price, CISA



Jennifer Brandt, CISA
Stinnett & Associates LLC

Learn how to audit an organization's HIPAA compliance, including the 45 Code of Federal Regulations standards that establish a security and privacy management framework for protecting the confidentiality, integrity, and availability of PHI and EPHI.

After completing this session, you will be able to:

  • Understand the HIPAA Act and its applications
  • Understand the PHI Privacy & EPHI Security Rules
  • Learn to audit for the 45 federal HIPAA standards
  • Leave with useful tips for conducting HIPAA audits

251–Leverage Data Analytics in Internal Audit

Michael Kostanecki, CISA
Senior IT Consulting Manager

Leverage the power of Data Analytics and tools such as ACL Analytics to review the entire population against various criteria to quickly find irregularities or patterns in transactions that could indicate control weaknesses or fraud.

After completing this session, you will be able to:

  • Create automated processes for manual analysis
  • Translate data into a “story”
  • Combine different data sources for insight
  • Understand various Data Analytic techniques

311–NIST Cybersecurity Audit/Assurance Program

Russell Horn, CISA, CRISC

ISACA recently released a NIST Cybersecurity Framework Audit Template as part of the IS Audit/Assurance Program resources. During this session, we will review the NIST Cybersecurity Framework and examine the new ISACA Audit/Assurance Program.

After completing this session, you will be able to:

  • Review the NIST Cybersecurity Framework
  • Become aware of ISACA's Audit/Assurance Program
  • Use the Cybersecurity Audit/Assurance Work Program
  • Conduct a Cybersecurity Audit with ISACA's Program

Return to Event Page


Track 2—Audit & Assurance, Advanced

112–Navigating Third Party Risk Management

Richard Sowalsky, CISA
Baker Tilly Virchow Krause, LLP

Third party risk is higher than ever given the rise in outsourcing of functions to service providers. As such, vendor management is becoming increasingly complex and stakeholders need to be aware of the compliance options around data security.

After completing this session, you will be able to:

  • SOC, new changes & appropriate 3rd party reporting
  • How SOC 2+ enhances third party oversight
  • How SOC2+ HIPAA & HITRUST CSF impacts datasec.
  • New CS Risk Management Attest & future of VM

122–Cloud Security Strategy & Considerations

Rob LaMagna-Reiter
Sr. Director, Information Security
First National Technology Solutions

Organizations in all industries can securely operate in the cloud. With proper planning & due diligence, it's possible to securely operate in the cloud regardless of your organization size, or risk appetite.

After completing this session, you will be able to:

  • Develop a cloud security strategy & risk appetite
  • Identify governance & audit considerations
  • Determine the right cloud provider
  • Understand the importance of data visibility

132–Zero Trust Networks for Audit and Compliance

Kevin Saucier
Conventus Corporation

Auditing groups have always struggled with Security Operations ability to provide accurate and up-to-date information about assets, users, and data. The Zero Trust Network is the answer to this problem.

After completing this session, you will be able to:

  • Understand the challenges of traditional networks
  • Understand the purpose of Zero Trust Networks
  • Comprehend why subject chose this architecture
  • Evangelize need for this in their own audits

142–Protecting Sensitive Data in the Cloud

Ricardo Lafosse, CISA, CISM
Chief Info Security Officer
Cook County



Yilmaz Bal, CISA
Information Security Manager Risk and Compliance
Cook County

Due to probing new vulnerabilities in systems and users, and cloud environments which add whole new complexities to the equation. The session focuses on how to monitor risk factors, shore up defenses and sleep better at night.

After completing this session, you will be able to:

  • Identify cloud computing deployment models
  • Benefits and Risks of utilizing a cloud solution
  • Start Early in the contract process or phase
  • Identify key data security contractual controls

212–IT Audit, From Big Brother to Big Partner

Daniel Jones, CISA, CISM
IT Audit Professional
Devon Energy

Information Technology is changing, so should how we audit it. No longer can audit swoop in with the big hammer, just to look for nails. Budgets, resources, and shareholders require us to partner and become more proactive, while remaining independent.

After completing this session, you will be able to:

  • See the value added by partnering
  • Communicate with the CISO around real risks
  • Explain to their CAE the value of partnership
  • Utilize real world examples in their discussions

222–Impact of AI on Audit and Assurance

Dan French
Consider Solutions

Looking into the future, at emerging techniques being introduced to audit and assurance through AI and Machine Learning.

After completing this session, you will be able to:

  • Understand current best practice data analytics
  • Understand emerging data science techniques
  • Understand impact of machine learning
  • Analyze new approaches for audit and assurance

232–An Auditor's Guide to Assessing Crypto

Edward Moyle

This session will provide a primer for assessors on the key elements of evaluating cryptographic implementations; it will cover supporting policy elements (e.g. key mgmt.), common vulnerabilities (e.g. cloudpiercer, POODLE), "gotchas" and techniques.

After completing this session, you will be able to:

  • Understand the key elements of assessing cryptographic implementations
  • Understand common vulnerabilities that might arise
  • Evaluate key components of a cryptographic system
  • Know authoritative resources for more information

242–AICPA Cyber-Risk Mgmt Reporting Framework

Chris Halterman
Executive Director
Ernst & Young

Organizations are looking to report on their cybersecurity risk management programs to boost stakeholders' confidence. The AICPA has developed a framework for a company to describe its cybersecurity risk management program and CPAs to report on it.

After completing this session, you will be able to:

  • Apply the AICPA framework for cybersec. reporting.
  • Understand key elements of description criteria.
  • Understand value and key aspects of the reports.
  • Begin preparing for cybersecurity examinations.

252–How Analytics Can Transform Internal Audit

Dave Hildebrand
IT Senior Manager Accenture

Companies are just beginning to apply analytics techniques to internal audit. But analytics has the potential to change the way we audit in fundamental ways. This presentation studies the strategic business impact of analytics on internal audit.

After completing this session, you will be able to:

  • Integrate the use of analytics in internal audit.
  • Use analytics in planning and conduct of audits.
  • Define a strategy for application of analytics.
  • Use analytics to improve internal audits.

312–Compliance in the Clouds

Andrew Plato, CISM
President / CEO

The cloud is now. Many of the compliance practices we currently use were designed for an era before the cloud. This presentation addressed the complexities of making public and private cloud environments (such as AWS or Azure) compliant.

After completing this session, you will be able to:

  • Identify their cloud compliance responsibilities
  • Differentiate on-premise and cloud requirements
  • Implement cloud compliance strategies
  • Explain the value of disposable infrastructure

Return to Event Page


Track 3—Security/Cybersecurity – Managerial

113–Threats and Challenges in Healthcare

Kenneth Vander Wal, CISA
Chief Compliance Officer

This session will explore the threats and challenges facing healthcare organizations as it relates to securing and protecting electronic protected health information (ePHI). it will also discuss the tools and approaches to addressing the challenges.

After completing this session, you will be able to:

  • Articulate threats facing the healthcare industry
  • Understand why healthcare data is being targeted
  • Discuss leading practices for protecting ePHI
  • Describe ways to demonstrate regulatory compliance

123–Using Internal Audit for Info Security

David Malcom
Managing Director, Global IT Internal Audit Lead



Jason Maslan
Managing Director

The internal audit (IA) function can play an integral role in strengthening information security across the enterprise. By expanding IA's purview to cyber policies and practices, executives can apply the rigor reserved for accounting to cyber defense.

After completing this session, you will be able to:

  • Understanding the cyber landscape
  • Defining internal audit’s role in cyber security
  • Interpreting cyber security assessment results
  • Educating the Audit Committee and Board on cyber security risk
  • How IA can become a trusted cyber advisor

133–Top 10-Cyber Risks

Tara Kissoon, CISA
Managing Director, Head of IT Risk Management, Corporate Support Areas
Bank of Montreal

This session will explore the top ten cyber security risks facing organizations in today's changing environment. It will share recommendations and industry best practices in managing these types of risks.

After completing this session, you will be able to:

  • Understand the cyber security landscape
  • Identify risk exposures to the organization
  • Identify control deficiencies
  • Leverage industry best practices

143–Enterprise Cybersecurity Governance

Michael Addo-Yobo, CISA, CGEIT, CRISC
Senior Director, Cyber Risk Advisory

Cybersecurity incidents and breaches are on the rise, despite enterprise investments in security. The cost of data breaches will see 4-fold increase from 2015 to 2019. This raises concerns about the overall value of enterprise cybersecurity efforts.

After completing this session, you will be able to:

  • Learn why cybersecurity initiatives fail at times
  • The role of governance in enterprise cybersecurity
  • Strategies for cybersecurity value assurance
  • Understand the merits of cybersecurity governance

213–Internet of Things

Salar Atrizadeh
Attorney At Law
Law Offices of Salar Atrizadeh

The speaker will discuss "Internet of Things" and how privacy and security is affected by using it. He will discuss the government's involvement, European Commission's approach, judiciary's overview, and laws or regulations.

After completing this session, you will be able to:

  • Understand the Internet of Things
  • Privacy, security, and regulations
  • The Regulatory Agencies
  • Understand the relevant laws

223–Technical Implementation of NIST/FFIEC CSF

Jeffrey Roth, CISA, CGEIT
Regional Director
NCC Group

Attendees will walk through the fundamental NIST CSF concepts and dive into the more technical challenges within the NIST CSF. Takeaways from this session will be references and templates attendees can use to further their use of the NIST CSF.

After completing this session, you will be able to:

  • Use Security Content Automation Protocol (SCAP)
  • Identify Mobile Code controls
  • Understand File Integrity Management tools
  • Understand NIST CSF implementation processes

233–What Auditors Need to Know: Mobile Security

Tara Kissoon
Managing Director, Head of IT Risk Management, Corporate Support Areas
Bank of Montreal

Identify control deficiencies and areas of risk exposure to the organization.

After completing this session, you will be able to:

  • Understand the mobile ecosystem
  • Identify control deficiencies
  • Identify areas of risk exposure
  • Utilize industry best practices

243–Practical Approach to Cyber Security

David Ramirez, CISA, CISM

A cyber security program consists of a wide range of components (governance, risk management, reporting, controls, compliance, standards); this presentation provides a practical approach to managing your program based on two decades of experiences.

After completing this session, you will be able to:

  • Describe challenges for CIOs/CFOs overseeing Cyber
  • Understand the universe of security frameworks
  • Translate security goals into maturity matrices
  • Learn how to better prioritize security efforts

253–Security Monitoring and Attack Detection

Sushila Nair, CISA, CISM, CRISC
Security Specialist
NTT Security

Is your ability to protect, detect, and respond to threats keeping pace with the risks posed by a determined, persistent intruder? Learn how to design a measurable security alerting framework that keeps pace with evolving organizational risk.

After completing this session, you will be able to:

  • Contrast different models for security monitoring
  • Create use cases to build an alerting framework
  • Use kill chains for building alert priorities
  • Use metrics to measure effectiveness of monitoring

313–Cybersecurity: Threat to Banks

Alejandro Mijares, CISA, CRISC
Risk Manager
Kaufman, Rossin & Co

Due to the rapidly changing threats and vulnerabilities, a bank’s inherent risk profile will change over time; therefore, the cybersecurity Risk Assessment should be completed at least once a year, or any time significant changes occur.

After completing this session, you will be able to:

  • Evaluate cyber threats and risk to banks
  • Identify controls to mitigate cyber risks
  • Explain the bank's cybersecurity inherent risk
  • Evaluate the bank's residual risk

Return to Event Page


Track 4—Security/Cybersecurity – Technical

114–Conducting a Phishing Awareness Program

Todd Fitzgerald
SVP, Chief Administrative Officer (CAO) Information Security and Technology Risk
Northern Trust

Phishing simulations are shown to be effective tools to increase user awareness in information security issues. This session will convey experiences in setting up an automated phishing program and delivering game-based 15 minute training modules.

After completing this session, you will be able to:

  • How to effectively implement a Phishing Campaign
  • Metrics that can move a security program forward
  • Behavioral based techniques to reinforce learning
  • Develop a project plan to rollout phishing program

124–Encryption: Policy to Practice

Ali Pabrai

The risk from breaches today can be a seven-figure risk. Encryption protocols, key strengths, choices across mobile devices, e-mail, etc. may all seem confusing and overwhelming. Understand how to simplify the use of encryption in your organization.

After completing this session, you will be able to:

  • Examine encryption mandates.
  • Review areas that encryption can have an impact
  • Step through core elements of an encryption policy
  • Mandates defined in HIPAA Security, PCI and more.

134–Threat Intelligence - Exploiting Hackers

Alex Holden
President & CISO
Hold Security, LLC

Hackers are winning by exploiting our systems and stealing our data. What better way to deter the bad guys than understanding their motivations and techniques? Learn to stop the hackers by using threat intelligence to outsmart them.

After completing this session, you will be able to:

  • Gain better understanding of hackers' motivation
  • Understand mitigation techniques to latest attacks
  • Build effective defenses against real threats
  • Learn how to outsmart hackers in their own game

144–Canaries in a Coal Mine…

Principal Cyber Engineer

Cyber-canaries are invaluable in detecting lateral movement on enterprise networks. With the barrage of breaches occurring, organizations must focus on early detection beyond their network perimeter to stave off attacks and further data loss.

After completing this session, you will be able to:

  • To understand the use of honeypots/canaries.
  • Deploy OpenCanary to detect lateral movement.
  • Develop use-cases using OpenCanary
  • Understand various attack scenarios

214–Your Responsibility in Cloud Security

Nihat Guven
Vice President
PurpleBox, Inc.

Companies benefit from the security controls when they use a cloud service. However, CIOs, CISOs, and cloud users in general have to also understand their responsibilities in this new paradigm called “The Shared Responsibility Model”.

After completing this session, you will be able to:

  • Explain the different cloud computing models
  • Explain security controls in cloud services
  • Explain the shared responsibility model
  • Explain cloud security tools and best practices

224–Cybersecurity Kill Chain

William Crowe, CISA, CISM, CRISC
IT Security Manager
Citizens Property Insurance Corporation

Based off military doctrine, Lockheed Martin’s Computer Incident Response Team has created an intelligence-driven defense process, Cyber Kill Chain® This session also reviews the contributions of ISACA CSX and ENISA Cybersecurity kill chains.

After completing this session, you will be able to:

  • Define an Advanced Persistent Threat (APT)
  • Identify the phases of a Cybersecurity kill chain
  • Identify attacks via the ENISA cyber kill chain.
  • Importance of breaking the kill chain for security

234–Prioritize Vulnerability Remediation

Amol Sarwate
Director of Vulnerability Labs

In this presentation, we will discuss a year-long study of exploits kits, attacks and vulnerability attributes and learn how to use them for prioritization. We will share best practices for improving remediation and reducing risk.

After completing this session, you will be able to:

  • Understand how attacks happen in real world
  • Understand Exploits and Vulnerabilities
  • Understand how to prioritize remediation.
  • Reduce overall risk.

244–Learning From Failure

Ira Winkler
Secure Mentem

When there is a security incident, everyone believes that all is lost. However, if handled properly, it can lead to strengthening the current security program. This presentation discusses a methodology to accomplish this.

After completing this session, you will be able to:

  • Analyze security failures in a systematic way.
  • Determine the root vulnerabilities exploited.
  • Determine the enabling governance failures.
  • Identify the appropriate countermeasures.

254–Application Security & Why You Should Care

Stuart Smith, CISM
Group Vice President, Executive Security Advisor
SunTrust Banks, Inc



Ashley Spangler, CISA, CISM, CRISC
AVP, Information Security
SunTrust Banks, Inc

App vulnerabilities and insecure software are undermining our nation’s critical infrastructure. This presentation will explore the problem, offer some solutions, and will give a live demo that shows how vulnerabilities like SQL injection, etc. work.

After completing this session, you will be able to:

  • Understand the problem of insecure software
  • Identify common software vulnerabilities
  • Understand how common vulnerabilities work
  • Discuss mitigation of app security vulnerabilities

314–FFIEC Cybersecurity Assessment Tool

Stephanie Chaumont, CISA



After completing this session, you will be able to:

  • Examine the FFIEC Cybersecurity Assessment Tool
  • Understand the assessment inherent risk profile and cybersecurity maturity model
  • Interpret and analyze assessment results to improve cybersecurity preparedness
  • Explore threat intelligence and collaboration including intelligence gathering, monitoring and analyzing, and information sharing

Return to Event Page


Track 5—Integrated Risk Management

115–Cyber Risk is Biz Risk

Ali Pabrai

In this brief we discuss the approach the business must address to develop a credible cyber security program that is inclusive of an appropriate combination of policies, plans, and security controls.

After completing this session, you will be able to:

  • Establish an audit ready compliance program
  • Know Cyber attacks compromise enterprise assets
  • Analyze areas in an enterprise security plan
  • That Cyber Security controls are vital to business

125–Managing ERP Cloud Risks and Controls

Matt Bonser
Risk Assurance Director



Jim Willis
Risk Assurance Director

Cloud solutions continue to emerge as the next generation of business-enabling platforms. These solutions offer certain advantages; however, they introduce enterprise risks. Understanding, and mitigating, the risks is critical to solution efficacy.

After completing this session, you will be able to:

  • Understand cloud or hybrid solution deployments
  • Highlight cloud implementation risks and impacts
  • Highlight specific IT risks that should be managed
  • Discuss lessons learned and considerations

135–Managing Emerging Technology Risk

Phil Lageschulte

Mobile, connected devices, blockchain, cognitive intelligence, 3-D printing, drones--these are all technologies that are or will be transforming enterprise business platforms. Transformation also introduces risks that enterprises must consider. 

After completing this session, you will be able to:

  • Provide an overview of emerging technologies
  • Describe the unique risks to consider
  • Learn how to balance the risk & reward equation.
  • Explain what emerging technologies to watch for

145–Creating a Risk Resilient Culture

Dustin Class, CISA, CISM
Head of Operational Risk

Innovation is shaping our world at an ever-increasing pace. The risks we face are rapidly evolving. To thrive in this new world, our organizations must develop risk resilience through improving our collective Risk iQ and agility to change.

After completing this session, you will be able to:

  • Understand the upside to risk.
  • Learn the culture of effective risk management.
  • Improve their team's agility to change.
  • Enhance their organization's Risk iQ.

215–Resilient ERM Framework - Startup to Listed

Annu Warikoo, CISA, CRISC
Global Lead Enterprise Risk Information
Wells Fargo



Stephanie Losi, CISA
219 Labs Inc.

From selecting effective KRIs to gaining buy-in at all levels, institutions face many challenges when implementing ERM frameworks. This talk will address these challenges and provide a road map for building a scalable, resilient ERM program.

After completing this session, you will be able to:

  • Define a business case for ERM
  • Know the building blocks of an ERM framework
  • Understand elements of risk reporting to Board
  • Define relationship between 3 lines of defense

225–Transactional Security Risk Assessment

Michael Heiken, CISA
Director - Enterprise Systems Risk and Control
PricewaterhouseCoopers LLP

New advances in technology and approach have proven very effective in reducing the amount of effort needed to mitigate SOD conflicts while also increasing the effectiveness of mitigating activities. This course covers those approaches.

After completing this session, you will be able to:

  • Monitor the right SOD risks for your business.
  • Design mitigating ctrls with appropriate precision
  • Base SOD monitoring on executed transactions.
  • Continuously improve assessment algorithms

235–Raising the Bar: Cyber Risk Management Oversight and Reporting

John Clark, CISA
Deloitte & Touche, LLP



Gaurav Kumar
Deloitte & Touche, LLP

It’s not a matter of if, but when, a cyberattack will occur. How can your organization implement a Secure.Vigilant.Resilient.™ cyber risk management program? And how can you demonstrate the effectiveness of that program to your stakeholders?

After completing this session, you will be able to:

  • Understand the evolving cyber threat landscape
  • Learn the board's role in cyber risk oversight
  • Understand the proposed AICPA guidance
  • Know how to prepare for a future engagement

245–Modeling an Asset Risk Management Program

Sudhakar Sathiyamurthy, CISA, CGEIT, CRISC
Director, Cyber Risk
Grant Thornton LLP



Jeff Recor
Grant Thornton LLP

Accurate, credible, and timely intelligence on the risk posture of crown jewel assets is essential for making risk based decisions. Organizations often find it difficult to unravel the puzzles of asset risk management. The session explores modelling asset risk management program with real life use cases and demonstration.

After completing this session, you will be able to:

  • Understand core pillars of asset risk management
  • Appreciate the role of assets in risk management
  • Model asset risk management using COBIT 5 for risk
  • Operate an asset risk management program

255–Consequences That Matter - IT Risk

Manager, ITRM Operations

Explaining IT Risk across the enterprise is a complicated affair and requires a nuanced approach to evoke change in both IT, business, and leadership. Join a discussion on techniques to broaden IT Risk's message and give it meaningful consequences.

After completing this session, you will be able to:

  • Identify the audiences that IT Risk speaks to.
  • Understand IT Risk's role in growing awareness
  • Tailor their messages to various audiences
  • Track the effectiveness of their communications

315–Audit & Security: Combating Emerging Threats

McKell Gomm, CISA
Sr. Security Architect



David Cross




Henry Schein

In this presentation, we'll discuss how audit and security can work together against emerging threats. We'll then discuss five threats in detail: Web Defense, Third-party Security, Insider Threats, Malware and Mitigating Overall Risk.

After completing this session, you will be able to:

  • Better protect their web presence.
  • Stand up a third-party security program.
  • Mitigate the risk of compromise.
  • Work together to protect the business.

Return to Event Page


Track 6—Data Analytics & Big Data

116–Evolution of Risk Assessments with D&A

Brian Greenberg, CISA



Chris Harding

In this session, we will walk through examples to illustrate how data and analytics can be effectively used throughout the risk assessment process lifecycle to deliver timely insights.

After completing this session, you will be able to:

  • Explain use of network theory & scientific methods
  • Demonstrate how systemic risks can be quantified
  • Highlight ways to monitor changes to risks
  • Understand risk assessment techniques

126–Fraud Detection Using Data Analysis

Richard Fowler, CISA
Senior Audit Specialist
Huntington Ingalls Industries

Our systems are pretty secure, yet every year about 6% of company revenue is lost to fraud. It is very difficult to prevent fraud but it is not so hard to detect it. Data analysis can help detect fraud in business reviews and in IT reviews.

After completing this session, you will be able to:

  • Identify types of potential fraud scenarios
  • Assess how to analyze data for fraud indicators
  • Work with the business to determine fraud risk
  • Review system, configuration and transaction files

136–Analytics Success: Why Now & How To?

Geoffrey Kovesdy, CISA, CRISC
Senior Manager
Deloitte and Touche

As internal auditors seek new ways to innovate in their roles, analytics is proving to be a key differentiator. By capitalizing on the wealth of data now available, internal audit can generate valuable insights that improve business performance.

After completing this session, you will be able to:

  • Understand from CAE's the case for analytics
  • Develop a multifunctional, insight-driven approach
  • Reference use cases of other leading organizations

146–Transforming IT Audit with Analytics

Stephen Fleming, CISA
Expert Audit Specialist
Federal Reserve Bank of Richmond



Elizabeth Krize, CISA, CISM, CRISC
Expert Audit Specialist
Federal Reserve Bank – Richmond

This session will focus on the integration and impact of analytics on the IT audit strategy. Key topics will include foundational components needed for a successful program, utilizing results in audits, and shaping the IT audit strategy.

After completing this session, you will be able to:

  • Grasp key considerations for an analytics program
  • Use analytics to help drive an audit
  • Leverage analytics to enhance audit strategy
  • Identify future applications of analytics in Audit

216–Why Analytics Fails and How to Fix It

Melanie Mecca
Director, Data Mgmt Products & Svcs
CMMI Institute



James Halcomb
CMMI Institute

Analytics is essential to achieve competitive advantage and to mine data assets for insight into operational and business process performance. Data challenges impede analytics success. We address the key issues and offer a path to fix them.

After completing this session, you will be able to:

  • Learn how data management impacts analytics
  • Employ the Data Management Maturity Model
  • Leverage governance to improve data quality
  • Synthesize a path to improve analytics activities

226–Cross-Functional Methodology for Analytics

Andrew Kumiega, CISA, CISM, CGEIT, CRISC
Illinois Institute of Technology

Firms in analytics-driven industries have two goals: developing their custom analytics, developing their business model to capitalize on their custom analytics through technology. A proven unique framework that combines these goals will be presented.

After completing this session, you will be able to:

  • Analytic systems have four development cycles.
  • Vetting mathematics is different than auditing.
  • Dynamic monitoring of data for real time systems
  • SPC is required to monitor the algorithm output

236–Proactive Compliance Data Analytics Program

Marko Kuzmanovic
Project Assurance Manager



Alan Gibson
Enterprise Architect

Proactive Compliance Data Analytics Program enables organizations to better understand compliance risks using advanced data analytics and machine learning. The solution correlates multiple risk factors and data sets to extract meaningful insights.

After completing this session, you will be able to:

  • Build world-class compliance programs.
  • Understand the untapped potential of their data.
  • Make data their most effective compliance tool.
  • Focus on solving the problem, not identifying it.

246–Where Audit Analytics Meets Open Source

Andrew Clark
IT Auditor
Astec Industries

Open source software is taking the computer science community by storm, allowing for open idea exchange and rapid development. This Open Data Science movement can be harassed to propel your audit analytics program to the next level.

After completing this session, you will be able to:

  • What is open source software and its key benefits
  • The benefits of using open source software
  • How to begin using open source analytics
  • How to implement basic analytics tests in Python

256–Creative Visualization for Data Analytics

Keith Barber, CISA
Director, Business Analytics Insight
Empower Audit



Mary Breslin
Empower Audit

Data Analytics is a very powerful tool which has become a best practice the industry is moving towards, but now we face the next level of the challenge – interpreting, understanding and presenting the data. The best way to do this? Visualization.

After completing this session, you will be able to:

  • Understand the “what, why, how” of visualization
  • Identify areas of opportunity for visualizations
  • See how visualization improves understanding
  • Learn how visualization improves presentations

316–Building a Fraud & Spend Review Program

Nathan Anderson, CISA, CRISC
Divisional Vice President
Sears Holdings

There is an opportunity in our organizations to reduce fraud and waste in high risk areas such as travel & expense and purchasing. During this session, Sears will share how we built fraud & waste monitoring with our offshore team and software.

After completing this session, you will be able to:

  • Identify opportunities for fraud & waste reduction
  • Audit fraud and waste reduction programs
  • Implement fraud and waste reduction IT solution
  • Focus on the right metrics for fraud & waste

Return to Event Page


Track 7—Leadership Development and Career Management

117–Soft Skills: The Key to Employee Success

Diane Hamilton
Dr. Diane Hamilton LLC

Dr. Diane Hamilton, a certified emotional intelligence expert and qualified Myers Briggs expert, explains the importance of soft skills for the success at work. Find out why employees are hired for hard skills and fired for lack of soft skills.

After completing this session, you will be able to:

  • Differentiate hard skills from soft skills
  • Incorporate behaviors that demonstrate a high EQ
  • Demonstrate empathy and understanding
  • Recognize how to develop soft skills in others

127–How to Prepare to Pass CISA Exam

Ken Schmidt, CISA
R&M Consulting

To learn practical and effective strategies for successfully passing the Certified Information Systems Auditor (CISA) examination on the first attempt.

After completing this session, you will be able to:

  • Understand the CISA Exam objectives and content
  • Highlights on how to master the content for the five Domains (chapters)
  • Review proven strategies to analyze and understand what the exam writer is looking for
  • ISACA resources available to help prepare for success

137–10 Must Have Skills for the 2020 CISO

Todd Fitzgerald
SVP, Chief Administrative Officer (CAO) Information Security and Technology Risk
Northern Trust

The role of the CISO has been evolving for the past 20 years and has now attained a level in most organizations that is deemed business critical. How will the CISO of tomorrow survive? What skills are needed? This session will explore these skills.

After completing this session, you will be able to:

  • Examine top skills needed for CISO effectiveness
  • Discuss causes of security program failure
  • Focus learning in on key relevant technologies
  • Develop a CISO career roadmap for success

147–How to Build and Grow Your IT Security Team

Tammy Moskites

Today, there are more IT security jobs than people to fill them. With few options, how do you find the right people for your IT security team? Get guidance on hiring, retaining, growing, and rewarding your team—customized for your company culture.

After completing this session, you will be able to:

  • Know what to look for when hiring
  • How to focus on team strengths
  • Grow the team using competency-based training
  • Develop a team culture that encourages growth

217–Tips for Effective Presenting

Paul Phillips, CISA, CISM
IT Director



Check back for updates.


227–How to Effectively Communicate During an Audit Engagement

Animesh Mathur, CISA
Internal Audit Director
Fannie Mae



Anthony Pantano, CISA, CTPRP
Internal Auditor IV
Fannie Mae

This training will provide best practices in effective communication during an audit engagement. The training will include techniques on how to communicate and organize information when presenting to all levels of management.

After completing this session, you will be able to:

  • Understand the importance of effective communication
  • Use optimal verbal techniques and body language during communication
  • Communicate complex information
  • Develop others in effective communication.

237–Geek Speak to Business Speak, 2.0

Mary Breslin
Empower Audit

Communication is key to success for any professional but miscommunication in audit and technology can lead to costly mistakes and issues. Learn how to tear down communication barriers and make communication your greatest strength.

After completing this session, you will be able to:

  • Why words matter and how they impact your career
  • Flip language from a barrier to an advantage
  • How to identify and eliminate geek speak
  • Communicate with anyone and everyone effectively

247–Digital Skills and Talent Management

Matthew Burrows
Director & Principal Consultant
BSM Impact Limited

We constantly hear about skills shortages, but this session will explain what organizations can do about these challenges, answering the critical questions "what skills do we have, and what skills do we need?".

After completing this session, you will be able to:

  • Quickly and accurately assess current skills
  • Confirm required skills and levels for success
  • Identify skill gaps and risk/focus areas
  • Know how to address the skills challenges

257–IS Audit Tips in Dealing with the IT Crowd

Ralph Villanueva, CISA, CISM
IT Security and Compliance Analyst
Las Vegas Sands Corp

This presentation aims to provide useful tips that IS auditors can immediately use in their organizations, by analyzing and discussing the gulf between the IS audit and the IT Departments.

After completing this session, you will be able to:

  • See reasons behind difficulty in dealing with IT
  • Resolve collaborative issues with the IT Dept
  • See how IS auditors can collaborate with IT
  • See how management can promote IT collaboration

317–Security Strategies - Rally the Workforce

Randall Zigabarra, CISA, CISM
Chief Information Security Officer

Employees have to be members of the Security team. Are they and how? This discussion explores effective strategies to entice the workforce – enlisting at all levels – reinforcing Security program effectiveness.

After completing this session, you will be able to:

  • Mutually align Security and Workforce objectives
  • Instill a desire for an employee's participation
  • Raise self-esteem through contribution recognition
  • Rally a workforce, enhance alerting & reduce risk

Return to Event Page


Track 8—Governance

118–Why Help Management Understand SOC Reports?

Martin Langlois, CISA
BrickStreet Mutual Insurance



Deepesh Randeri, CISSP
Brick Street Mutual Insurance

SOC reports are requested from third party vendors that are significant to our financial statements. What about vendors who are critical but not financially significant? Management doesn't understand the reports or control obligations. Can we help?

After completing this session, you will be able to:

  • Show why they are most qualified to help.
  • Effectively summarize key report information.
  • Communicate responsibilities to management.
  • Integrate the SOC information into corporate ERM.

128–What’s Missing in IT Security Governance?

Tammy Moskites

With IT security governance, most neglect the basics. See how to avoid common pitfalls and implement a 4-step framework that successfully applies security strategies to broader risk and compliance considerations and overall business objectives.

After completing this session, you will be able to:

  • Know what’s missing in IT Security Governance
  • Align with regulations and business objectives
  • Know the prerequisites to each framework step
  • Achieve prerequisites in enterprise environments

138–Using COBIT 5 in Support of RMF

William Matthey, CISM
Consultant / Trainer
P&M Consultants

Overview and discuss the mapping of COBIT 5 as a blueprint for meeting the Federal objectives or RMF in DOD and Non-DOD Federal Enterprises. All Executive Branch Departments including DOD and NIA are transitioning from DIACAP to RMF.

After completing this session, you will be able to:

  • See the RMF Requirements for the Executive Branch.
  • Map NIST RMF to COBIT 5 and the SDLC.
  • Use COBIT 5 to meet the NIST RMF requirement.
  • Carry away project guideline for meeting RMF goals

148–BIA: The Root of Security & Recovery Plans

Herbert McMorris, CISA, CISM, CRISC
I.T. Security Analyst

The Business Impact Analysis (BIA) is the root of security, risk & recovery programs, yet it is often performed incorrectly. How does the BIA drive risk management process, security programs, and recovery efforts, and who should perform the analysis?

After completing this session, you will be able to:

  • Explain the purpose of a Business Impact Analysis
  • How the BIA applies to risk and recovery programs
  • Determine the critical outputs from the analysis
  • How outputs apply to risk, security, and recovery

218–"GEAR" Up with a new GRC Model & Benefits

Elvis Moreland, CISM, CGEIT
VP Cybersecurity

Traditional GRC isn't good enough when facing modern cyber threats. We must integrate the best of GRC, Engineering, Assessment, Risk & Continuous Monitoring to win on the threat & risk battlefield while reporting leading KPIs to the CEO and Board. 

After completing this session, you will be able to:

  • Comprehensively define a new "GEAR Up" GRC Model
  • Identify the elements of the new GEAR UP Model
  • Integrate GRC, Engineering & Continuous Monitoring
  • Implement the new "GEAR Up" Model

228–Understanding and Evaluating SOC Reports

Richard Lucy, CISA
Practice Director
Paragon Audit & Consulting

Understanding and Evaluating Service Organization Controls (SOC) Reports: An integral part of an effective vendor risk management program.

After completing this session, you will be able to:

  • Understand why SOC Reports are important.
  • Understand the differences between SOC 1,2, and 3
  • How to read a SOC Report and document a review
  • Understand Carve-Outs and Inclusions

238–How to Apply COBIT 5 in Govt: The CBN Story

Mariam Bala
Project Management Officer



Nsuhoridem Okon
Enterprise Architect
Central Bank of Nigeria

For IT leaders struggling with IT governance requirements in government, this shows how to successfully implement COBIT 5 in a federal financial regulatory organization - a case study of the Central Bank of Nigeria, the apex regulatory body for banks

After completing this session, you will be able to:

  • Fit COBIT 5 into existing corporate governance
  • Avoid pitfalls by managing culture change required
  • Achieve the most in each phase of COBIT 5 cycle
  • Replicate the journey, without the tears

248–Using COBIT 5 to Solve Real World Problems

Peter Tessin, CISA, CGEIT, CRISC
Technical Research Manager

Solve business problems with COBIT 5 in a practical exercise. Get past the theory and go straight to solving problems!

After completing this session, you will be able to:

  • Diagnose problems through interviewing
  • Apply the goals cascade
  • Map requirements to available resources
  • Construct metrics and performance reporting

258–Vendor Management with COBIT 5

William Crowe, CISA, CISM, CRISC
IT Security Manager
Citizens Property Insurance Corporation

Vendor's especially CSP's constitute an important part of an enterprise’s external environment. Vendor Management using COBIT 5 provides detailed practical guidance and facilitates the vendor management process for IT and business professionals.

After completing this session, you will be able to:

  • Describe the lifecycle phases of vendor management
  • Describe common threats in vendor management
  • Describe financial impact of inadequate management
  • Using a handout describe binding documents

318–A Risk-based Approach to Data Governance

Lisa Young, CISA, CISM
Vice President
Axio Global

According to COBIT 5, information is effective if it meets the needs of the stakeholders. Ensuring that your enterprise has considered data in the context of its business objectives will maximize business benefits and your competitive edge.

After completing this session, you will be able to:

  • The critical success factors for data governance.
  • How to determine requirements for managing data.
  • Know why data governance is key to metrics.
  • Define your information management process.

Return to Event Page


Track 9—Industry Trends & Insights

119–Ransomware on the Mainframe

Brian Marshall
Vice President, Research & Development
Vanguard Integrity Professionals

Today’s mainframe is just another server in the data center, accessible internally and externally like every Windows, Unix, Linux or other server. Not only are mainframe environments vulnerable to internal malicious users, but also to external hacktivists, criminals, and competitors. To ensure critical assets are properly protected, organizations should perform regular mainframe security assessments.

After completing this session, you will be able to:

  • Understand known vulnerabilities for the mainframe
  • Understand known tools that are publicly available that can be used to elevate authority or penetrate a system without any access
  • Understand how a security team can protect against such attacks

129–Agree to Agree: Tips for a Healthier, Happier, Risk Management Program

Mason Karrer
Product Marketing Manager

Risk management is a lot like therapy. Initially the effort can be unnatural and downright awkward. But with patience, trust, and some helpful guidance along the way the results can be spectacular.

After completing this session, you will be able to:

  • Understand the current landscape of cyber and business risk
  • Apply new techniques for uncovering pockets of risk
  • Establish a meaningful dialog in your organization using a risk language that anyone can understand

139–Managing Risk from the Front Line

Stephen Zawoyski

In a fast-changing business environment, adaptable risk defenses are imperative. Risk in review examines the trend toward shifting certain risk management activities to the business units - the "front line" - where many risks are born and live. Companies making this move have the clear upper hand, showing greater ability to anticipate and mitigate risk, and greater growth expectations.

After completing this session, you will be able to understand:

  • How leading organizations are shifting risk management activities to the business units or “front line” in order to make sure risk decisions are properly informed
  • The connectivity between organizational tone and risk culture
  • How organizations that correctly integrate risk governance and oversight across the lines of defense are better positioned for success.

149–Adobe’s Compliance Journey

Abhi Pandit
Sr. Director, Risk Advisory & Assurance

Innovation is at the core of Adobe’s DNA enabling its successful transformation from a perpetual software giant to a cloud services leader within a short span of 5 years. Adobe’s Cloud Compliance strategy via the Adobe Common Controls Framework (CCF) played a critical role in this successful transformation. Organizations esp. security and compliance teams have to deal with the relentless onslaught of security attacks, complexities of protecting dynamic infrastructure, ever increasing stakeholder expectations and constantly shrinking budgets.

This is further exacerbated by the countless regulatory requirements, competing priorities, and organizational silos and acquisitions resulting in compliance chaos. Compliance programs often struggle for relevance in such challenging circumstances, are routinely branded as a check-list driven function that does not add much value and find it difficult to attract, retain top talent.

The Adobe Case Study addresses the following questions faced by compliance programs:

  • How do you strategically position your program to overcome these challenges, provide career growth opportunities for your team?
  • How do you transform your function from being perceived as a cost burden into a program that drives competitive advantage?
  • How do you shift the mindset at the Board, Executive levels to gain on-going support for your program?

After completing this session, you will be able to:

  • Understand how to align your compliance program to company strategy
  • Receive practical tips on how to utilize your compliance program to improve efficiencies and help drive down operational costs
  • Learn how to change the perception of your compliance program from a Cost Center into a value adding function which helps your organization gain competitive advantage
  • Receive a free copy of the Adobe CCF that maps to SOC2 (Security, Availability)

219–Zen and the Art of IT Risk Management

Steve Bartolotta
Community Health Network of Connecticut

Learn from Steve Bartolotta CISO Community health Network of Connecticut (CHNC) best practices, what works and what doesn’t with regard to IT Risk managment. Through first-hand examples, learn how to get out of the confusion and into the clear regarding your IT risk management strategy.

After completing this session, you will be able to understand:

  • Understand the top lessons learned in IT risk management from an experienced CISO
  • Gain insight into best-practices from first-hand examples
  • Know what to avoid when building a successful IT Risk Program

229–Managing Risk in Digital Labor

Martin Sokalski
Managing Director



Kelly Combs

As organizations embark on transforming their business models enabled by Digital Labor and Robotics, key questions emerge and effective risk management takes on a critical role. How do you effectively manage an army of bots in your environment? What are the key risks when deploying Robotic and Cognitive Process Automation? How do you build and integrate risk, governance, and controls in the Digital Labor program to help ensure timely and effective risk identification, evaluation, mitigation, and in some cases, acceptance? This session will help explore answers to these questions as well as key use cases for how Digital Labor can help 2nd and 3rd lines of defense.

After completing this session, you will be able to:

  • Understand how organizations are transforming business models leveraging Digital Labor and Robotic Process Automation
  • Understand key considerations for building and integrating risk, governance, and controls in the Digital Labor program to help ensure timely and effective risk identification, evaluation, mitigation, and in some cases, acceptance
  • Understand key risks associated with implementation of Robotic Process Automation and strategies and methods for mitigating them
  • Understand the role of 2nd and 3rd lines of defense in evaluating and mitigating risk associated with Digital Labor as well as explore how Internal Audit can benefit from RPA enabled use cases

239–Driving Productivity & Resilience Through Ecosystem Integration

Dr. Mike Lloyd

Digital resilience is the new imperative for a robust cyber security strategy. What are the guiding principles that we must look to in order deliver resilience within the reality in which we operate? We are short-staffed, have an overwhelming number of applications and tools to deploy, and must deal with growing complexity in the network infrastructure itself. Looking for areas of productivity and efficiency that will also accelerate incident response is crucial.

After completing this session, you will be able to:

  • Identify the three fundamental elements of resilience
  • Understand how to leverage ecosystem integration to drive overall productivity
  • Understand how ecosystem integration can drive accelerated incident response

249–Hackers & The Crown Jewels – How to Fight the Good Fight

Glenn Wilson
Senior Manager
Deloitte & Touche LLP

The game has changed. Pick up any newspaper, go to any news website and there it is: “Hackers break in and steal data!” It is a sad fact that we live in a world where some of the best computer programmers and penetration testers don’t work for good, they work to find flaws in technology that allow them to steal data and make money. Join us in a conversation focused on the top three things a hacker doesn’t want you to know, how to better protect the crown jewels, and what information security professionals should be doing to help their organizations manage cyber risk more effectively.

After completing this session, you will be able to:

  • Demonstrate the three core principles of security and understand why #1 is #1
  • Understand the current threat landscape
  • Identify leading practices to measure the performance of a cybersecurity program
  • Present straightforward metrics to senior management

259–Protecting Cloud Assets Against Advanced Threats

Chris Maroun
National Director

Accelerating cloud migration requires organizations to implement more effective risk management strategies from the start to better protect their cloud assets against advanced threats.

After completing this session, you will be able to:

  • Understand the security risks posed by advanced threats, including those perpetrated by insiders
  • Learn steps to secure cloud applications and meet compliance requirements
  • Gain insight into shared responsibility concepts for cloud security
  • Hear use cases to illustrate the importance of mitigating privileged account-related risk to reduce the cloud’s attack surface


Spotlight Sessions

SS1-COMPLIANCE on Z/OS Using Vanguard Multifactor

Brian Marshall
Vice President, Research & Development
Vanguard Integrity Professionals

How Vanguard Multifactor can help you meet Compliance standards such as PCI

After completing this session, you will be able to:

  • Come learn about Vanguard Multi-Factor Authentication
  • How to meet MFA requirements for the mainframe
  • Learn about the numerous different choices available including; RSA, Yubikey, OATH tokens, Ping, Duo, PIV and Tokenless authentication
  • Technical/Product Detail

SS2-It is ALL about the Data!

Fouad Khalil
VP of Compliance
SSH Communitcations Security

GRC, Regulations, IoT, Cybersecurity and much more organizations are presenting organizations with compliance challenges for 2017 and beyond.

After completing this session, you will be able to:

  • The term “Protected Data” is intended to encompass all data governed by regulations, laws and standards.
  • Financial institutions are facing even more stringent controls especially considering the continued expansion into the cloud, after years of saying “Never will.”
  • The health industry since 2015, has endured active audits by HHS and OCR who has collected more than $27 million in penalties for non-compliance. The common theme for these penalties was that an organization suffered a breach.

SS3-Intelligent Risk Management, Automated

Carlos Krause
Director of Professional Services, IT GRC & Digital Risk
SAI Global

IT Risk management is just a small part of intelligently managing risk. The market is shifting, and including IT Risk management into a broader intelligent risk approach is now a necessity. In this presentation Carlos offers real life examples of successful IT risk programs, and how IT Risk Manager (formerly Modulo) fits in the current risk management landscape.

After completing this session, you will be able to:

  • Learn how to successfully include IT Risk into a broader intelligent risk strategy
  • Gain best-practice information on how to automate your processes
  • Gain perpective on the direction of IT Risk in the future

SS4-Requirements to Implement a Robust ERM/ORM Program

Ketan Dholakia



Jay Friedman
Sr. Director of Risk Management

Many ERM/ORM programs fail because there is no support from the executives. Within this session we will discuss garnering support from your leadership teams and avoiding pitfalls to implementing an effective ERM/ORM program.

After completing this session, you will be able to:

  • Understand how to communicate the importance of ERM/ORM to your leadership team
  • Implement a governance process that will break down communication barriers between departments
  • Define how ERM/ORM can function with Audit

SS5-Managing Third Party Identity Risk

Wade Chmielinski
VP, Information Risk

Vendors and partners introduce higher risk of data disclosure to your organizations. So why do we assess the risk of these identities after accounts are created and access is granted? Organizations should assess the risk of these identities during the onboarding process, before damage can be done.

After completing this session, you will be able to:

  • What gaps exist in the current way organizations manage third party risk
  • What are some of the risks third parties (vendors, partners) introduce
  • Why is it important to quantify risk to identities at the earliest point in its relationship with your organization
  • How can organizations use the risk rating assigned to an identity before accounts and access are created
  • How NEProfile and NEAccess are addressing the risk of third party identities

SS6-Improving Productivity & Resilience Through Ecosystem Integration

Dr. Mike Lloyd

As a security industry – we’ve outdone ourselves. There are over 1400 solutions to choose from and more popping up every day. Billions of dollars are being invested by venture firms and now there are even executive orders dedicated to solving the problem. Yet we are still losing the battle – more than $1T was recorded as losses in 2016 from cyber-attacks. While there are a lot of issues contributing to the gap, clearly, we’ve lost sight of the holistic view of our ecosystem – the network itself, all the devices, applications and tools that are in place to prevent attacks. We need to understand the battlefield, and look for ways to integrate and model our overall ecosystem to be more resilient – and ultimately to accelerate response to attack.

After completing this session, you will be able to:

  • Core techniques for understanding the overall ecosystem: modeling and scoring
  • Why integration is crucial to increasing situational awareness, risk-based vulnerability prioritization, and accelerating incident response
  • The foundation for ecosystem integration: network context

SS7-Raising Internal Audit’s Game: IT Audit Trends in the Digital Age

Khalid Wasti
Partner, Internal Technology Audit Solutions

This session will focus on trends in Information Technology Audit and will focus on the impact of evolving technologies on Internal Audit and Risk Management.

After completing this session, you will be able to:

  • Understand areas where internal audit functions can elevate their maturity to help the business identify risks and opportunities
  • How to formalize a roadmap to develop an innovative technology audit capability
  • Understand the differences between continuous auditing and continuous monitoring
  • Effectively utilize analytics in a comprehensive audit automation strategy
  • Recognize the impact of emerging technologies on your audit strategy (i.e. cybersecurity, social media etc.)

SS8-Continuous Compliance in the Cloud Era

Amit Saha

As cloud adoption continues to gain momentum, many of the critical enterprise assets such like financially significant applications, data and workloads now reside beyond the traditional perimeter. Organizations are under pressure to deliver these cloud platforms that meet security needs and auditors face challenges they’ve never encountered before. At the same time, on-premise systems will remain for several years to come, making Hybrid IT a reality. In this session, Saviynt will discuss unique security challenges that both organizations & auditors face in the cloud era, and the need to move towards a continuous compliance approach to bridge these gaps.

After completing this session, you will be able to:

  • Understand impact of technological changes on audit and compliance
  • Effectively employing Unified Compliance Framework
  • Leveraging analytics to drive compliance
  • Enabling organizations to move from compliance to risk-based security

SS9-How to Scale Your Business Using a More Secure and Compliant Container Platform

Prasant Vadlamudi
Sr. Manager, Risk Advisory & Assurance Services

Adobe continues to grow as a business, and scaling up new and existing services in a compliant and more secure way is critical for its growth. Adobe uses containerization to help with scalability, operational efficiency, and productivity. One of key aspects with hosting service applications on containers is to align them with our security and compliance policies. This session will discuss the key issues and how containers have emerged as part of the solution to these issues.

After completing this session, you will be able to:

  • How scalable container platforms have been built with integrated security controls, that help in maintaining compliance.
  • How to best leverage automation to help implement standard security controls for the service applications running on containers.



WS1-COBIT 5 Foundation

Mark Thomas, CGEIT, CRISC

COBIT 5 is the only business framework for the governance and management of enterprise IT. Launched in April 2012, COBIT 5 helps maximize the value of information by incorporating the latest thinking in enterprise governance and management techniques, and provides globally accepted principles, practices, analytical tools and models to help increase the trust in, and value from, information systems.

Learn the importance of an effective framework to enable business value. Delve into the elements of ISACA’s evolutionary framework to understand how COBIT 5 covers the business end-to-end and helps you effectively govern and manage enterprise IT. Developed for anyone interested in obtaining foundation-level knowledge of COBIT, the course explains the COBIT framework and supporting materials in a logical and example-driven approach.

After completing this session, you will be able to:

  • How IT management issues are affecting organizations
  • The need for an effective framework to govern and manage enterprise IT
  • How COBIT meets the requirement for an IT governance framework
  • How COBIT is used with other standards and best practices
  • The functions that COBIT provides and the benefits of using COBIT
  • The COBIT Framework and all the components of COBIT
  • How to apply COBIT in a practical situation

COBIT 5 Foundation Exam

Monday, 1 May 2017 | 7:30 – 9:00AM
Earn the COBIT 5 Foundation Certificate! Attendees can take the COBIT 5 Foundation Exam for an additional US $150! For those who have registered to take the COBIT 5 Foundation Exam onsite, please note that this exam will begin promptly at 8:00AM. Please allow yourself extra time to get breakfast and check in for the exam before the start time.

Exam information:

  • Bring a picture ID to the exam
  • This is an unassisted (closed book) paper based exam
  • Exams, answer sheets, and pencils will be provided
  • Computers, tablets, and phones are not needed
  • Drinks are allowed; however, food is prohibited
  • Your exam proctor will provide any additional instructions the day of the exam

WS2-Cybersecurity Fundamentals

Todd Fitzgerald
SVP, Chief Administrative Officer (CAO) Information Security and Technology Risk
Northern Trust

Why become a cyber security professional? The protection of information is a critical function for all enterprises. Cyber security is a growing and rapidly changing field, and it is crucial that the central concepts that frame and define this increasingly pervasive field are understood by professionals who are involved and concerned with the security implications of Information Technologies (IT). The CSX Fundamentals workshop is designed for this purpose, as well as to provide insight into the importance of cyber security, and the integral role of cyber security professionals. This workshop will also prepare learners for the CSX Fundamentals Exam.

After completing this session, you will be able to:

  • Understand basic cyber security concepts and definitions
  • Define network security architecture concepts
  • Recognize malware analysis concepts and methodology
  • Identify computer network defense (CND) and vulnerability assessment tools, including open source tools and their capabilities
  • Explain network systems management principles, models, methods, and tools
  • Distinguish system and application security threats and vulnerabilities
  • Classify types of incidents (categories, responses, and timelines for responses)
  • Outline disaster recovery and business continuity planning
  • Comprehend incident response and handling methodologies
  • Understand security event correlation tools, and how different file types can be used for atypical behavior
  • Be aware of the basic concepts, practices, tools, tactics, techniques, and procedures for processing digital forensic data
  • Recognize new and emerging information technology and information security technologies

WS3-Applied Data Analytics

*Participation in this workshop requires you to bring a laptop that allows you administrator privileges for installing software. You must have permission to read data and copy it from a USB (or an optical DVD drive) on your laptop.

Geoff Kovesdy
Senior Manager
Deloitte & Touche LLP

Josh Smith
Deloitte & Touche LLP

Internal Audit Analytics is the new hot topic! Discover how you can utilize internal audit analytics across your organization to improve audit quality and manage risk more effectively. In this course, you will obtain hands-on, practical experience with audit analytics use cases, giving you a deeper understanding of how analytics continues to emerge in the marketplace, the technologies supporting analytics, and how organizations can effectively begin the journey to implementing an internal audit analytics capability. You will be able to discuss analytics driven audit strategies with knowledgeable Deloitte instructors and your peers, and arm yourself with tools, techniques and thoughtware that will help guide you on your journey to integrating analytics into your audit processes.

After completing this session, you will be able to:

  • Define analytics in the context of internal audit – common uses, benefits, and impact on business, risk and controls
  • Understand the technologies used to perform effective data analytics
  • Explain various uses of analytics, including monitoring, detection, dashboarding
  • Identify areas in your enterprise where internal audit analytics can be effectively leveraged
  • Plan and perform an audit utilizing analytics concepts

WS4-CISA Prep Course

Kenneth Schmidt, CISA
R&M Consulting



After completing this session, you will be able to:

  • Learn the specific requirements for passing the CISA Exam and attaining your Certification
  • Utilize ISACA materials to prepare for and pass the CISA Exam
  • Learn successful methods of "how to" evaluate Exam questions and answers, including analysis and explanations
  • Review useful, proven information on study and exam time management
  • Complete and review a mock exam, with every question and answer explained

WS5-The Intersection of IT and Assurance by Leveraging COBIT 5

Mark Thomas, CGEIT, CRISC


The purpose of this course is to gain an understanding of various activities involved when determining an assurance approach to IT using the COBIT 5 product family.

After completing this session, you will be able to:

  • Recognize the applicable products in the COBIT 5 product family needed to develop a holistic approach to assurance.
  • Understand the elements of creating a value-based approach to developing an assurance strategy for IT.
  • Appreciate the intersection of balancing performance and conformance with respect to assurance of IT services.

WS6-Using Risk Scenarios

Lisa Young, CISA, CISM
Vice President, Service Delivery
Axio Global



After completing this session, you will be able to:

  • Understand the context for risk management in business terms.
  • Define Risk scenarios and risk factors
  • Understand when to use or develop risk scenarios
  • Express and describe the impact of risks in business terms
  • Determine if your risk management process/program mature enough for using risk scenarios

WS7-Cybersecurity for Auditors

This workshop is currently at capacity.  Please contact to be placed on the waitlist.

Russell Horn, CISA, CRISC



John Edward McMurray, CISA
Asst. Director, Security Services

Stephanie Alexis Chaumont, CISA
Security and Compliance Consultant

Cyber security focus is a requirement for any organization today, but how can a company know and understand what their cyber security posture is? A strong cyber security audit program with qualified, capable auditors and a robust work program or standard is a must. During this workshop, we will dig into the details of cyber security audit. We will evaluate the ISACA NIST Cybersecurity Framework Audit Work Program as well as various cyber security frameworks and tools including the NIST Cybersecurity Framework and the FFIEC Cybersecurity Assessment Tool.

Please note: this workshop will provide an overview of cyber security and spend the majority of time focusing on the auditing of cyber security concepts. Therefore, an understanding of the fundamental concepts of cyber security is required. ISACA strongly encourages attending the CSX Fundamentals 2-Day workshop prior to attending this Cybersecurity for Auditors workshop in order to gain a full base understanding for cyber security. Cybersecurity Fundamentals is being offered as a pre-workshop (see WS2 above).

After completing this session, you will be able to:

  • Audit an organization’s cyber security posture
  • Evaluate cyber security inherent risk
  • Define audit evidence requests needed to evaluate an institution’s cyber security controls
  • Be aware of basic policies, practices, technologies, tools and controls used to enhance cyber security
  • Examine ways to assess an organization’s cyber security maturity
  • Recognize new and emerging cyber-attacks, threats, and vulnerabilities
  • Discuss cyber security frameworks and assessment tools currently available
  • Understand and use the ISACA NIST Cybersecurity Framework Audit Work Program

WS8-IT Audit Leadership: Advancing your Career

Nathan A. Anderson, CISA, CRISC
Divisional Vice President, Internal Audit
Sears Holding Corporation

 Nathan switched from IT Audit consulting to IT Audit Manager in industry several years ago. The learning curve was high and he learned as part of an excellent team as he progressed from manager to director, and eventually to divisional vice president. In this session, he’ll give his insights on how to succeed in the critical roles performed by IT Audit leaders.

After completing this session, you will be able to:

  • Conducting risk assessments and developing the audit plan
  • Milestones and metrics for managing operational audits and compliance activities
  • How to effectively communicate with leadership including:
    • writing impactful audit reports
    • managing outstanding audit issues
    • reporting to the audit committee
  • Understand measures and metrics for successfully governing internal audit
  • Consider strategies for:
    • Optimizing and enhancing Internal Audit workpapers
    • Optimizing compliance activities
  • Hiring and developing an effective team

Return to Event Page


Innovation Stage

IN1-Achieving Uniform Compliance and Risk Managament Through Harmonized GRC

Mark Holub
Security Solutions Architect, Policy Compliance

Heightened compliance and security environments require organizations to comply with multiple regulations while managing a security baseline. Top-down GRC provides structure but little evidence data, while bottom-up approaches miss links to the bigger GRC picture. In this talk, Qualys will discuss the 'harmonized approach,' a uniform way customers address many compliance and risk requirements.

After completing this session, you will be able to:

  • Have insights on using a harmonized GRC approach as a uniform way to address multiple compliance and risk requirements.
  • Understand methods to easily automate security control assessment.
  • Know basic principles of using remediation prioritization to improve security.
  • Understand strategies to reduce compliance cost while boosting auditors’ trust.

IN3-3..2..1..Ignition! How to launch a Successful Risk Management Program in 20 Minutes or Less

Mason Karrer
Product Marketing Manager

Learn about RSA's ignition program, a fast track approach to implementing the fundamentals that drive a successful risk management program.

After completing this session, you will be able to:

  • Discuss risk management fundamentals
  • Understand current trends, pitfalls
  • Utilize proven techniques to explore risk areas in your organization

IN5-Keeping Pace with Technology – Evolution of an Audit Department

Chris Kyriakakis
Managing Vice President, Corporate Audit Services
Capital One



Michael Kirchoff
Senior Director, Corporate Audit Services
Capital One

Technological advancements are not only occurring at an exponential rate, but organizations across industries are expanding technology frontiers and adopting emerging technologies to stay relevant. This ever-accelerating technology adoption is having a profound impact on the industry, and influencing the future of the Internal Audit profession. Come hear how an audit department has adapted their delivery approach to increase responsiveness to emerging technologies, such as the use of public cloud.

After completing this session, you will be able to:

  • Understand the rapid adoption of emerging technologies
  • Describe changes made within the Audit department to adapt
  • Detail how the audit department is engaged with cloud initiatives to provide assurance

IN7-Every Cloud has a Silver Lining

Shardul Singh
CEO & Founder

While Cloud Security and the associated risks have been one of the beloved topics for Governance, Risk & Compliance (GRC) professionals; in this session, we explore the positive side of the cloud technology. Specifically, the potential opportunities that the cloud technology brings to GRC professionals.

After completing this session, you will be able to:

  • Discuss the evolution of new technologies
  • Compare the conventional technology solutions used by GRC professionals against Cloud based solutions
  • Describe potential benefits and opportunities that cloud technology can bring to GRC professionals
  • Discuss the road ahead for technology innovation in GRC profession


Bonus Tracks

Session 1110 – Building a Data Analytics Program for Audit

Geoff Kovesdy
Josh Smith

Deloitte & Touche LLP

This session will look into maximizing the use of technology to increase coverage, quality, and business impact, while managing a finite audit budget. Looking at insights/findings from data analytics and integration of analytics to strengthen the business skills of auditors.

Session 1210  Climbing the Corporate Ladder

Mary Breslin
Empower Audit

Women face different challenges than men in advancing their careers. Some challenges are real, some perceived and some - self-imposed - but all can be overcome when we anticipate, prepare and are armed with the right skills.


After completing this session, you will be able to:

  • Know when to speak up and when to shut up
  • Understand the importance of quality over quantity
  • Understand what is required to build credibility

Session 1310 – Four Faces of IT Leadership

Jermaine Dykes

This presentation will be helpful for those who seek to understand and apply strategic leadership in an effective manner for success of IT Leaders. One must execute strategic leadership that looks before it leaps.



After completing this session, you will be able to:

  • Gain power and influence in IT
  • Motivate and lead your Team
  • Empower individual ownership
  • Build relationship within IT

Session 1410 – Panel: Quick Take: Women in Auditing

Avani Desai, CISA, CRISC
Principal, and Shareholder
Schellman & Company

Caroline K. Lowden, CISA, CIA
Vice President, Audit & Advisory Services

Dee Dee Owens
Risk Consulting Partner

Session 2110 – Panel: How to Become an IT Audit Director

Join us for a panel discussion with industry experts focused on learning from current and former IT Audit Directors the steps they took to advance their career.

Session 2210 – How to Create a Business Case for a Cybersecurity Program

Miguel Villegas

This session will provide a path for building a business case for cybersecurity. It will discuss how to establish a relationship with an active and passive board. It will identify the challenges and approach to building the cybersecurity program, board responsibilities and liabilities, regulatory cybersecurity requirements, State of Security reporting, skilled hiring shortages, cybersecurity vendor vetting, embedding cybersecurity into the business and IT process, and maintaining a strong presence.

Session 2310 – PCI Data Security Standard: Dealing with the Challenges of Evolving Standards

Rex Johnson
Alan Gutierrez-Arana


The Payment Card Industry Data Security Standard (PCI DSS) has introduced new requirements for merchants and service providers that operate in the payment card realm. In this presentation, we will discuss the implications of the new version of the PCI DSS and how entities that are required to comply can tackle the challenges presented by the evolution of the standard.

After completing this session, you will be able to:

  • Understand the different actors and elements of the card payment process
  • Understand the changes and updated present in the latest version of the PCI DSS
  • Identify and recognize technologies and solutions that could assist in reducing the scope of the PCI DSS assessment
  • Discuss the positive aspects of achieving PCI compliance

Session 2510 – How to be an ISACA Speaker

Chelsey Fowler
Paul Phillips


Have you ever wondered what the speaker selection process for ISACA conferences looks like? Join us to find out how to submit your abstract, what we look for during our speaker selection, and some tips and tricks. We will discuss the process from end-to-end and include some past feedback to help you when submitting your abstract.




Alchemy & Ale Steampunk Event

Tuesday, 2 May 2017; Chelsea Theater at the Cosmopolitan Hotel
6:30 – 9:00PM

Crank your ideas up a gear! Be inspired with a glimpse of the future through an imaginary past. Imagine the future through the eyes of H.G. Wells or Jules Verne. Join your fellow conference attendees for a fantastic journey that will stoke your curiosity as you network with innovators and professionals at North America CACS 2017’s Steampunk event.

Tickets will be required for admittance to this event. Tickets are complimentary for conference registrants. However, if you'd like to attend, you must select the event when you register in order to receive a ticket onsite. Guest tickets are available for purchase when you register for an additional $150.