Sabine Charles - Education Committee Chair


Committee Members

Michael Maertz

Vasanthi Ramkumar

Scott Lubliner

Jomol Peter

Maria Lopez

Vasanthi Ramkumar

Daisy Maldonado

Upcoming Onsite Course


Full time students and veterans are eligible for 25% discount of membership rates, upon presentation of current class schedules or valid student/veteran ID. Please be sure to register early for the upcoming classes. Unless registration is open, date and topics maybe changed at a later date.


How to Audit MVS with RACF, ACF2, or Top-SecretApril 24 - 25, 2018

Location: TBD

ISACA NY is hosting “How to Audit MVS with RACF, ACF2, or Top Secret” a two-day session.

Mainframe security has two basic components: the MVS operating system and the security software (which is always one of RACF, ACF2, or Top Secret). A weakness in either component undermines the security of the other. In this two – day session Stu will show you how the security works for each component, and ten how to audit it. You will learn essential concepts and buzzwords for mainframe audits, what information to collect, and how to interpret it.

This session shows you how to audit the security of the MVS operating system, which is part of a software package called z/OS, used on IBM mainframe computers.

This session also shows you how the three-major security software packages (RACF, ACF2, and Top Secret) for MVS work. You will learn what they have in common as well as how they are different, and what you need to do to audit them.


Stu Henderson is an experienced system programmer, auditor, and consultant. His website at has a wealth of free, practical resources for security administrators and for auditors. He teaches seminars nation-wide and in-house.

Level: Intermediate, 15 CPE

To register: - PC - Mobile


An Introduction to Auditing Anti Money Laundering Operations and Applications for IT Auditors - May 15, 2018

Location: Michael Page International, 622 3rd Ave Floor 29, New York, New York 10017


Training Course Description 

Section 352 of the PATRIOT Act, requires that every institution maintain an AML/CTF Program with an effective independent testing function. This highly interactive one-day course for IT Auditors of Financial Institutions will provide an understanding of AML/CTF. After discussing the international and US legal and regulatory framework over AML/CFT, the course will suggest a risk-based audit approach with specific examples of IT audit techniques to enhance efficiency and effectiveness.

Each attendee will be provided with a copy of the White Paper "IT Audit Considerations When Designing Audit Coverage For AML Applications" written by Peter D. Wild FCA, CAMS Audit


The Course will cover the following topics:

1. AML/CFT Overview: 

1.1. The fundamentals of AML/CTF 

1.2. The International bodies providing AML/CTF guidance 

1.3. The significant Sections of the USA PATRIOT Act 

1.4. The components of a risk-based AML/CTF program 

1.5. The data flows supporting an AML/CTF program 

1.6. The operational components of an AML/CTF program 

1.7. The operational components of a Sanctions screening program 

2. An Audit Approach to AML/CFT: 

2.1. The components of an AML audit Approach and Program 

2.2. The major AML audit components 

2.3. A risk based approach to designing AML audit testing 

3. An introduction to IT Audit for AML/CFT: 

3.1. The AML data flow & management 

3.2. The IT Audit Control Categories 

3.3. How IT Audit techniques can contribute to AML Audit testing



Peter is a senior consultant specializing in Operational and Information Technology {IT} Auditing and Training covering the Anti-Money Laundering/Counter Financing of Terrorism {AML/CTF} and Sanctions business processes and supporting computer applications. In 2016 he retired from J.P. Morgan as a Senior Audit Manager with over 10 years of experience of managing Operational and IT audits of AML/CTF and Sanctions. As a Senior Manager with Touche Ross in London he managed the IT and operational audit work for many UK and European clients. Upon arriving in America in 1980, he was the IT Audit Director at Republic National Bank of New York, then a Senior Audit Manager with Coopers & Lybrand and later the IT Audit Director and Deputy CIO at Melville Corporation. He is a Fellow of the Institute of Chartered Accountants in England & Wales {FCA}, a Past President of the NY ISACA Chapter. He is also a recipient of the Wasserman Award for outstanding contributions to IT Audit and Security. As a founding member of the CAMS Audit Faculty, he frequently teaches the CAMS Audit Course. In 2016 he was a Task Force Vice Chair for the project to develop the current version of the CAMS Certification Examination and the related Study Guide and he frequently teaches the CAMS Examination Preparation Course. He is a frequent speaker at ACAMS Conferences and he is the Co-Chair of the ACAMS New York Chapter and a recipient of the ACAMS Volunteer of the Year Award.


Level: Intermediate, 7.5 CPE


To register - PC  - Mobile


Operational Risk Management – June 13-14, 2018

Location: TBD

ISACA NY is hosting “Operational Risk Management”, a two day event

What Problem Does This Training Help Solve?

Provides training on operational risk assessment, management, risk mitigation, risk acceptance, risk management methodologies, modeling, stress testing, KRIs, KCIs, BASEL II, BASEL III, and many other aspects of operational risk management

Who Should Attend?

Professionals interested in learning about operational risk control objectives, controls, methodologies, and risk management from HR, IT, process management, business units, senior management, CRO’s office, ORM office, internal audit, big 4, and ORM consultants

This course evaluates operational risk exposures relating to the organization's governance, operations and information systems, in relation to: (a) Operational risk Governance (b) risk and control assessment (c) events and losses (d) indicators. Based on the results of the risk assessment, the student will be able to evaluate the adequacy and effectiveness of how risks are identified and managed and to assess other aspects such reporting, risk modeling, stress test, scenarios, business continuity, disaster recovery, insurance, internal audit, outsourcing risk, people risk, reputational risk, and strategic risk, communication of risk and control information within the organization in order to facilitate a good governance process.

Special emphasis will be paid to BASEL II capital requirements for Operational Risk.


The objective of the course is to develop professionals with an indepth understanding of the “Operational Risk Management” so that they will be able to provide necessary management skills regarding to provide assurance that: 

  • ORM Internal controls are in place and are adequate to mitigate the risks,
  • Governance processes are effective and efficient, and
  • Organizational goals and objectives are met. 


  • What is operational risk‐ old definition and new definition of BIS/BASEL II
  • BASEL II ‐ Risk from people, failed processes, failed systems, and external events
  • Outside BASEL II‐ strategic risk, reputational risk, 95 types of risks
  • Operations risk vs. operational risk
  • Business case‐ BASEL II capital requirements for OR
  • Reserves, capital, and insurance based on L and I factors
  • ORM Framework‐ Governance, ORM policy, risk appetite, R&R for ORM
  • Setting up timeline for ORM – from project to a program
  • Risk and control assessment‐ risk owners, control owners
  • Events and losses‐ data collection, data reporting, external loss databases, near misses, BASEL II classification
  • Indicators‐ KRIs, KCIs, thresholds, targets, dashboards, leading and lagging indicators, periodicity
  • Reporting‐ styles, know the audience, dashboard reporting
  • ORM modeling‐ distributions, correlations, internal and external data, confidence level, capital Modeling, qualitative modeling
  • Eight business areas of BASEL II and seven types of ORM risks
  • Stress tests and scenarios analysis ‐ practical scenarios, near death experience, Gaussian curve, Outside 3‐standard deviations,
  • Mandelbrot’s Chaos, black swan event, fat tail
  • Business continuity‐ process, applications, infrastructure, service delivery
  • Insurance
  • Three lines of ORM defense‐ management, oversight, and audit
  • Auditing ORM
  • ORM from outsourcing
  • People risk
  • Reputational risk
  • System failure risk‐ IT DR
  • BASEL II and BASEL III considerations
  • OR and ERM 2017 (COSO FW)
  • ORM, Dodd Frank, and FSOC’s OFR
  • ORM and systemic risk 


Jay Ranade, is a New York City-based management consultant and internationally-renowned expert on computers, communications, disaster recovery, IT Security, and IT controls.  He has written and published 37 IT-related books covering networks, security, operating systems, languages, systems, and more.  He also has an imprint with McGraw-Hill called J. Ranade IBM Series, which includes over 300 titles.  His publications have been translated into several languages including: German, Portuguese, Spanish, Korean, Japanese, and Mandarin.  He has written and published articles for various computer magazines such as Byte, LAN Magazine, and Enterprise Systems Journal.  He is also the author of The New York Times critically-acclaimed book, The Best of Byte.  He is currently working on a number of books on various subjects such as Audit, IT Security, Business Continuity, and IT Risk Management.

Jay has consulted and worked for Global and Fortune 500 companies in the U.S. and abroad including: American International Group, Time Life, Merrill Lynch, Dreyfus/Mellon Bank, Johnson & Johnson, Unisys, McGraw-Hill, Mobiltel Bulgaria, and Credit Suisse.  He was a member of ISACA International's Publications Committee from 2005 to 2007, and he currently serves as a member and advisor to the New York Metropolitan InfraGard, a partnership between the FBI and private sector institutions to safeguard America’s national infrastructure from hostile attacks.  He has been a speaker at the Federal Reserve Bank of New York on Global Financial Infrastructure Protection, and he maintains FBI-certified confidential-level clearance.

Jay also teaches graduate-level classes on Information Security Management, Operational Risk Management, and Ethical Risk Management at New York University, and Accounting Information Systems, IT Auditing, Operational Risk Management, and Internal Auditing at St. John’s University.  

Level: Intermediate, 15 CPE

To register: - PC - Mobile


How to Audit Waterfall & Agile Development MethodologiesOctober 09, 2018

Location: TBD

ISACA NY is hosting “How to Audit Waterfall & Agile Development Methodologies” a one-day session.

Seminar Objective

This seminar is intended to provide an auditor the base level knowledge required to perform a pre & post implementation audit of the deployment of business systems.   This seminar is structured based the two most common development methodologies used in the industry; Agile and Waterfall. 

Traditional development used the Waterfall development methodology which provided an effective method to ensure that organizations were establishing functional requirements derived from user participation prior to proceeding with the design and construction phases.  These long project phases were always under scrutiny especially when project were continuously delivered late and never included all of the promised functionality.  These issues paved the way for the Agile development methodology approach of delivering smaller packages of functional code that can be used by productions users within shorter timeframes which are referred to as sprints.  The assembly of the Scrum teams which produced these sprints also provided the basis for establishing true quantitative measurements for the amount of work (user stories) that were to be delivered by these sprints.

The methods used for auditing a Waterfall development methodology is quite different from Auditing an Agile development methodology which will be one of the primary areas covered during this seminar.  Each of these development methodologies have their strengths and weakness as it relates to in-house development, companies operating third-party vendor products and those companies that are using SaaS solutions. 

Regardless of the level of experience of the attendee, the instructor’s experience of conducting audits of 4+ system migrations per year audit and extensive development experience will bring new insights to even the most experienced auditor.

Who Should Attend

This seminar is designed for IT, Integrated and Operation Auditors at all levels.


Mitchell Levine is the founder of Audit Serve, Inc. which is an IT Audit & Systems consulting company.   For the last 26 years at Audit Serve, Mr. Levine has split his time between traditional IT & Integrated Audit consulting projects, Restructuring IT Departments, PCI Implementations, and performing pre & post-implementation reviews of system migrations.  Mr. Levine spends 220+ days per year consulting which is the basis for the material which is included in the seminars.

Mr.  Levine has developed Waterfall Development Methodologies for three companies and has performed over 25 system migration reviews for companies which utilize both Waterfall and Agile development methodology over the past 8 years. 

Over the past seven years Mr. Levine has presented over 85 seminars to twenty different ISACA & IIA chapters.  Mr. Levine also was the primary writer and editor of Audit Vision which is published bi-monthly and has a subscription base of over 3,500 audit & security professionals.

Prior to establishing Audit Serve, Inc. in 1990, Mr. Levine was an IT Audit Manager at Citicorp where his duties included managing a team of IT Auditors who were responsible for auditing 25+ service bureaus and the corporate financial systems.

Level: All levels, 7.5 CPE

To register: - PC - Mobile