GRC Presentations and Descriptions 

Track 1—Cyber (Security, Resilience, Mitigation)

CS 1-1: Auditing Identity Access Management

Monday, August 13 | 10:15AM – 11:15AM

Donald Gallien, CPA, CISA, CISM
Vice President, Assurance Leader
American Express, Internal Audit Group


Jeevaka Somaratne, CISA, CAMS
Director, Audit Team Leader
American Express, Internal Audit Group

Identity Access Management (IAM) strives to provide “the right individuals access to the right resources at the right times.” IAM tools promise integrated and holistic security management capabilities, including automated access provisioning and revocation, linkage to user certification processes, password management, policy enforcement, compliance reporting, and analytics. IAM implementation changes the access management paradigm completely. Previously disjointed and manual processes will now be integrated and automated, which requires changing audit design to focus on testing of IAM application controls, IAM configuration and workflow, and the integration of HR systems, directory services, and IAM data analytics.

In this session, participants will:

  • Understand the impact of IAM systems on data access and information security.
  • Create and execute a new audit approach addressing key IAM concepts and system configurations.
  • Identify legacy test approaches they may need to retire, and data analytics they may want to add to their audits of access management.

CS 2-1: Cybersecurity Is Not an IT Problem: Creating a Resilient Security Culture Through Human Intervention

Monday, August 13 | 11:30AM – 12:30PM

Sharon Smith, CISSP
Founder and Principal Consultant
C-Suite Results

Employees, vendors, and third parties are not going out of their way to create cyber incidents, but despite training, policies, and compliance initiatives, security incidents and data breaches keep happening. By creating a culture of security and the right communication and awareness strategy, user error can be reduced, incidents can be identified faster, and organizations can get back to what’s important: their customers.

In this session, participants will:

  • Understand the human factor in cybersecurity and how people are the first line of defense in enabling resiliency against cyberattacks, phishing attacks, and social engineering.
  • Determine whether they have a culture of security and identify how security and business leaders can be more strategic in order to create such a culture.
  • Learn how to engage and motivate employees to prevent cybersecurity incidents.

CS 3-1: Preventing the Next Digital Black Swan: The Auditor, The CISO, and The C-Suite

Monday, August 13 | 1:45PM – 2:45PM

Jeffrey Welgan, PMP
Executive Director, Head of Executive Training
CyberVista

Equifax, Yahoo, Anthem, Uber: these massive cyber breaches affected millions of customers and served as ‘digital black swans’ that put each company back on its heels. But it didn’t have to be that way: with proper controls, governance, and communication to leadership, these events could have been prevented. This session will focus on identifying critical controls that increase cyber resilience and decrease the likelihood of black swans, and on how to get senior leadership buy-in.

In this session, participants will:

  • Recognize the root causes and commonalities of former digital black swan events.
  • Identify key critical controls that, if implemented, would significantly reduce the likelihood or impact of a cyber breach.
  • Understand effective communication techniques when justifying or explaining cybersecurity-related information to the CISO and then the C-Suite.

CS 4-1: For Whom The Web Trolls: Social Media Risk in Your Organization

Monday, August 13 | 3:00PM – 4:00PM

Nejolla Korris
CEO
InterVeritas International

At the same time that our organizations are under attack by industrialized threats from highly skilled adversaries, we’re drowning in information, facing a growing skills shortage, and often dealing with security infrastructures from the dark ages. It’s no wonder that the industry is looking for the latest magic bullet, and cognitive security is now the king of the hype curve. We’ll try to get beyond the marketing and hype to understand this fundamental shift coming our way.

In this session, participants will:

  • Understand how security is fundamentally an information management problem.
  • Investigate how cognitive technology can help with security in real organizations today.
  • Discuss threats in more detail, as well as the growing migration from compliance to risk-focused security.
  • Learn how to incorporate cognitive technology to help secure your organization.

CS 5-1: Auditing Mobile Device Management

Monday, August 13 | 4:30PM – 5:30PM

Michael Deeming, QSA, CISA, CPA
Director
Protiviti

The session will explain how to perform an assessment of mobile device security and of the processes for compliance with established policies and procedures, regulations, and best practices. The presenters will use the National Institute of Standards and Technology (NIST) Special Publication 800-124, Guidelines for Managing the Security of Mobile Devices in the Enterprise, as a baseline for mobile device configuration and life cycle processes.

In this session, participants will:

  • Evaluate existing mobile device security policies for the risks associated with mobile devices.
  • Validate that mobile management platforms and configurations control access to enterprise resources.
  • Verify that mobile device life cycle processes are acceptable and operating correctly.
  • Evaluate the monitoring and reporting capabilities of mobile devices accessing enterprise resources.

CS 6-1: No Silver Bullets: Cybersecurity in the Cognitive Era

Tuesday, August 14 | 10:15AM – 11:15AM

Doug Lhotka, CISSP-ISSAP
Cybersecurity Architect
IBM

Your employees are on Facebook, Twitter, and LinkedIn every day. Every day, personal and professional information makes its way online. Social media is big data and it now embodies the leading and largest source of consumer data. It is helpful to be cognizant of the dangers associated with the growth of social networking, big data, and social engineering to protect both the corporation and the employee.

In this session, participants will:

  • Discuss fallout from real-life cases of cybersecurity breaches from social media.
  • Gain tips on cybersecurity strategies and social media policies.
  • Discuss a pragmatic approach toward combating cyber threats.
  • Define the requirements of social media policy.

CS 7-1: Increase the Trust in Internet of Things (IoT) Through Auditing

Tuesday, August 14 | 11:30AM – 12:30PM

Avani Desai, CPA, CISSP, CISA, CRISC, PMP
Partner, Executive Vice President
Schellman & Company


Jeremy Holley, CIA, CISA, CRISC, PMP
Audit Director for Technology
Regions Bank

Organizations are increasingly relying on third-party vendors to perform critical functions on their behalf, such as delivering products and services to consumers, preparing disclosures, and hosting data. However, outsourcing presents compliance-related risks that must be managed. Panel members will highlight risks associated with using third-party relationships and ways to manage and monitor the relationships to mitigate specific risks. They will also reveal several common vendor relationship challenges, benefits, contract considerations, and compliance initiatives.

In this session, participants will:

  • Receive an overview of the vendor management process.
  • Understand the typical gaps in privacy and security processes.
  • Learn legal and contractual requirements.
  • Examine different compliance initiatives.

CS 8-1: Measuring and Improving Your Security Effectiveness

Tuesday, August 14 | 1:45PM – 2:45PM

Brian Contos, CISSP
Chief Information Security Officer
Verodin

The Harvard Business Review article “Are You Accurately Measuring Your Company’s Digital Strength?” states that digital signals are being missed, which is a problem because digital metrics are essential to understanding the business. Security instrumentation allows you to trend security effectiveness over time and see more strategically where investments are failing versus where they are paying off, with empirical, repeatable results that can be supplied to a wide range of stakeholders.

In this session, participants will:

  • Understand how to measure security effectiveness automatically and continuously.
  • Learn how to improve security tools and make people and processes more effective.
  • Be able to prioritize security resources and investments and align security with the business mission.
  • Gain knowledge to communicate security effectiveness with empirical data to stakeholders, including offensive/defensive security analysts, CISOs, CIOs, CFOs, CEOs, boards, and auditors.

CS 9-1: Advancing IT Audit’s Capabilities to Conduct Cybersecurity Audits

Tuesday, August 14 | 3:00PM – 4:00PM

Jon Coughlin, CISA, CISSP
Technology Audit Director, Infrastructure and Security
PNC Financial Services


David Dunn, CIA, CPA, CITP, CGMA
Executive Vice President, Assistant General Auditor
PNC Financial Services

Participants will receive practical tips and examples of how to strengthen audit’s coverage of cybersecurity risk through testing techniques that go beyond traditional coverage of policies, procedures, and governance focused controls. This training will encompass traditional approaches to cybersecurity audit and opportunities for improvement; the evolution that may be required to address emerging laws and regulations in a timely manner; and the use of alternate approaches to add incremental value to audit’s output.

In this session, participants will:

  • Understand the inherent limitations in applying traditional audit testing techniques to cybersecurity areas of focus, and the need to evolve to respond to emerging laws and regulations.
  • Identify specific areas where alternate testing approaches from audit can increase the value provided within cybersecurity audit activities.
  • Develop ideas for implementing value-added security testing based on examples of data loss prevention, firewall rule auditing, and vulnerability management analysis.
  • Understand a potential model for successfully building an ethical hacking team directly within the audit function.

CS 10-1: Shedding Light on the Dark Web

Tuesday, August 14 | 4:30PM – 5:30PM

Wanda Archy, CISSP, CEH, Security+
Cyber Threat Intelligence Specialist
RSM US LLP


Andrei Barysevich
Director of Advanced Collection
Recorded Future

The Deep and Dark Web is the part of the Internet not accessible through conventional search engines. Nation states, cybercriminal gangs, and individuals thrive in this underground economy. Illegal activity takes place on the Dark Web, including the sale of personal information, financial goods, and illicit services. This session will seek to educate attendees on these dark parts of the Internet.

In this session, participants will:

  • Understand the differences between the Dark Web and the open Internet, different types of threat actors present on the criminal underground, and what websites exist in these communities.
  • Learn how to protect sensitive data and distinguish between the different types of datasets that are stolen.
  • Gain tools to protect their businesses through security best practices provided by speakers and methodologies to determine what information is exposed.
  • Determine how to use threat intelligence services to reduce the risk of their organization being successfully attacked.
  • Gain knowledge of how threat intelligence services can make incident response more effective.


Track 2—Governance, Risk and Compliance

CS 1-2: How to Design and Implement an Adaptive IT Compliance Function

Monday, August 13 | 10:15AM – 11:15AM

Ralph Villanueva, CISA, CISM, CIA, CRMA, ITIL
IT Security and Compliance Analyst
Diamond Resorts International

A huge problem for both internal and IT auditors is the continuing emergence of new and revised IT compliance regulations. Aside from updates to existing regulations such as PCI-DSS v3.2, there are new international ones such as GDPR, as well as updates to existing state or local privacy requirements. Even a dedicated IT compliance department will have a hard time keeping pace. The solution is to find commonalities across all these regulations. Every law and regulation pertaining to digital privacy has three objectives — confidentiality, integrity, and availability — and impacts three IT compliance components — people, process, and technology (PPT). Hence, finding a common thread among these regulations and looking at them from a PPT perspective will simplify IT compliance with these privacy and information security regulations.

In this session, participants will:

  • Learn a process for identifying common requirements among different regulations.
  • Be able to use this process to "future-proof" IT compliance.
  • See a cost-effective and feasible way to apply this process across different regulations and avoid duplicating solutions for the same requirement.

CS 2-2: Does Auditing Governance Mean Auditing Culture?

Monday, August 13 | 11:30AM – 12:30PM

Dr. Sri Ramamoorti, CIA, CCSA, CFSA, CGAP, CRMA
Associate Professor
University of Dayton


Alan Siegfried, CIA, CCSA, CFSA, CGAP, CRMA
Board Member and Audit Committee Financial Expert
MidAtlantic Farm Credit Bank

The two authors of the 2016-2017 IIA/CBOK report "Promoting and Supporting Effective Organizational Governance: Internal Audit’s Role" (based on the global CBOK survey in 166 countries, administered in 23 languages) and an article in Internal Auditor will discuss the practical implications and best practices for auditing organizational governance and culture. The focus of the session will be on how an audit of organizational governance needs to integrate an audit of the organization's culture. The speakers will provide real-world examples of how this can be successfully accomplished.

In this session, participants will:

  • Discuss current and implementable internal audit best practices in governance/culture audits, and internal audit’s critical roles in promoting and supporting effective risk management and organizational governance/culture.
  • Describe the need for specialized competencies: to be effective in providing value-added services in the risk management and governance areas, internal auditors need leadership skills and a high level of technical competence, as well as soft skills.
  • Follow the geographic and industry diversity of internal audit’s risk management and governance roles, and the prevalence of the skill sets and competencies internal auditors need to excel, i.e. culture.
  • Describe future prospects: how internal audit can provide practical advice on improving organizational governance/culture, along with risk management insights, future trends, and strategies.

CS 3-2: Auditing Third-Party Business Partners for Fraud and Corruption Across the Globe

Monday, August 13 | 1:45PM – 2:45PM

Natasha Williams, CIA, CFE
Senior Manager, Global Compliance
Bio-Rad Laboratories

An increasing number of ABAC (Anti-Bribery, Anti-Corruption) laws across the globe require organizations to control fraud and corruption not only internally, but also with respect to the conduct of their third-party business partners globally. This session focuses on detecting and mitigating third-party fraud and corruption risks across the channel by establishing a viable and effective audit and monitoring program.

In this session, participants will:

  • Learn techniques to assess the company’s risk appetite when dealing with a multitude of third-party business partners.
  • Obtain skills to create a quick, yet effective, risk assessment that gets results.
  • Create an effective audit program that can be adapted to organizations of different sizes.
  • Achieve effective third-party management, with a focus on how to gain access to books and records information.

CS 4-2: Digital Transformation: Is Internal Audit Ready?

Monday, August 13 | 3:00PM – 4:00PM

Christine Fitzgerald, CPA
Director
Protiviti


Brad Morick
Senior Director, Internal Audit
Hilton Hotels Worldwide


Lorraine Peoples
Vice President, Global Internal Audit
Hilton Hotels Worldwide

According to Executive Perspectives on Top Risks in 2018, the rapid speed of disruptive innovations and new technologies, and resistance to change are two of the biggest risks today. A forward-looking audit function should provide insight, oversight, and foresight around the organization’s current and future risks and controls, including those related to the changing digital world. Because of this, internal audit must form an opinion on how effectively risks surrounding digitalization are being managed.

In this session, participants will:

  • Be able to define digital transformation.
  • Discuss the role of internal audit teams in digital transformation initiatives.
  • See how digitalization is transforming the audit plan.
  • Gain a full understanding of the digital assessment process.

CS 5-2: Using Data to Perform Corporate Risk Assessments

Monday, August 13 | 4:30PM – 5:30PM

Ben Getz, CIA, CISA, CPA, CPCU
Audit Manager
RLI Corporation


Evan Webber, CPCU
Auditor II
RLI Corporation

Speakers will discuss how to use both qualitative and quantitative factors to perform more effective risk assessments. Discussion will include assessing inherent risk, change risk, control impact, and residual risk for all entities in your organization’s audit universe.

In this session, participants will:

  • Learn how to more effectively assess risk across the organization.
  • Understand how they can leverage existing data from their organization to assist in risk assessment.
  • Gain tools to be more strategic in prioritizing what areas to audit in their organizations.

CS 6-2: Breaking Down the Walls: ERM at the U.S. Marshals Service

Tuesday, August 14 | 10:15AM – 11:15AM

Chad Nieboer
Chief Strategy and Risk Officer
U.S. Marshals Service

Kiran Sreepada
Senior Associate
Grant Thornton LLP

The U.S. Marshals Service has a long and proud tradition of serving the public through its judicial protection, prisoner transport and management, child protection, fugitive apprehension, and witness protection services, among others. In moving along the path of enterprise risk management, the agency successfully transcended the silos of these distinct missions in order to highlight the importance of risk-based planning and decision making. The cultural change in the agency, instilled by senior leadership, was complemented by innovative solutions to maximize existing capabilities without increasing burden.

In this session, participants will:

  • Discuss challenges within law enforcement such as silos, territorial divisions, information sharing, and redundancy as multiple groups aim to fulfill one mission.
  • Understand cultural challenges within federal law enforcement (by-the-book, immediate-mission-oriented officers), HR challenges (staffing, clearances), and the focus on what has worked vs. how it could be improved.
  • Gain insights into overcoming organizational and cultural challenges through cross-divisional activities such as quarterly performance reports, the strategic plan, and annual reports.
  • Hear how ERM and the use of data can benefit the U.S. Marshals Service going forward.

CS 7-2: Business Interruption Study Recommendations: Redundant Capacity vs. Resilience

Tuesday, August 14 | 11:30AM – 12:30PM

Thoppil Varghese, CIA, CRMA
Senior Risk Analyst
Kuwait Oil Company


Raad Gharibam
Team Leader
Kuwait Oil Company

In our company, a severe risk is one that causes a loss of 500 million USD or more. A few highly unlikely but not unimaginable events are of considerably higher risk — 20 to 60 billion USD. As expected, we had already done everything reasonable to cover such risks. Was the option of building redundancy or a new central mixing manifold at high cost (225 million USD) going to present just another target? What were the viable alternatives?

In this session, participants will:

  • Gain insights into how innovative ideas on design, cost of capital, master planning, etc. are brought together to develop a business solution to enterprise risk.
  • Develop key issues to audit with respect to business interruption.
  • Gain the confidence to assess business decisions about strategic organizational resilience.
  • Learn how to defend business needs vs. consultant opinions.
  • Investigate the impact of key but very low probability business exposures.

CS 8-2: Meet Multiple Regulatory Requirements and Utilize Best Practices More Effectively and Efficiently With a Common Control Framework

Tuesday, August 14 | 1:45PM – 2:45PM

Lynn Heiberger, CISA
Chief Operating Officer
Unified Compliance


Jason Mefford
Lead Singer
Rock N Roll Risk Management

Satisfying regulatory compliance requirements and fulfilling obligations imposed by regulations, standards, and governmental guidance is challenging, but essential to meeting GRC goals. You must identify and interpret each of the Citations and their Mandates that apply to your organization. Then the Mandates must be reconciled across a range of resources, geographies, and operations so they can be applied and audited for compliance. This can be accomplished using a Common Control Framework.

In this session, participants will:

  • Hear about a case study with OCEG’s Red Book, the foremost authority on GRC maturity models.
  • Understand the three steps they need to follow (identify, interpret, apply/audit) to implement the Mandates, as well as one more step (de-duplication of control sets).
  • Learn which requirements to follow and best practices to align with.
  • Provide an auditing methodology to prove their implementation.

CS 9-2: GDPR: The Deadline Has Passed — How Did You Do?

Tuesday, August 14 | 3:00PM – 4:00PM

Nancy Haig, CIA, CFSA, CRMA
Global Director, Internal Audit and Compliance
Alvarez & Marsal

Does your organization process “personal data” of European Union residents/citizens? Then this session is for you. Participants will become familiar with the General Data Protection Regulation (GDPR) and the key policies, procedures, and training that should be in place to evidence a GDPR compliance program.

In this session, participants will:

  • Understand the GDPR.
  • Identify auditable activities related to GDPR.
  • Develop a GDPR internal audit program.
  • Formulate an internal audit report.

CS 10-2: Agile and Compliance

Tuesday, August 14 | 4:30PM – 5:30PM

Pam Nigro, CRMA, CISA, CGEIT, CRISC
Senior Director, Information Security/GRC
Blue Cross Blue Shield of Illinois

Finding harmony and balance between the Agile accelerator and the brakes of your DevOps processes — can software delivery in a highly governed industry reap the benefits of Agile and DevOps while maintaining required compliance?

In this session, participants will:

  • Understand governance as an enabler of agility.
  • Develop non-burdensome ways to collect data.
  • Learn how to build governance in rather than bolting it on.
  • Focus on a risk-based governance approach.


Track 3—Leadership, Career, and Communication Development

CS 1-3: Building Your Brand and Exceeding Stakeholder Expectations

Monday, August 13 | 10:15AM – 11:15AM

Julie Scammahorn, CIA, CRMA
Chief Auditor of Citibank, N.A., North America Compliance and Anti-Money Laundering
Citibank

Sriram Padmanabhan
Chief Auditor, Technology
Citigroup

This session will highlight the importance of building your professional brand. This includes showcasing key tactics to build and enhance your brand and sharing best practices you can implement to exceed stakeholder expectations within your role.

In this session, participants will:

  • Understand the importance of defining one’s brand.
  • Gain an awareness of the key tactics one can use to build their brand, regardless of their seniority level or firm size.
  • Learn how to meet and exceed stakeholder expectations to strengthen your brand.

CS 2-3: Leading With Emotional Intelligence

Monday, August 13 | 11:30AM – 12:30PM

Raoul Ménès, CIA, CRMA, CCSA
Chief Audit Executive
AV Homes, Inc.

Intelligence quotient (IQ) is useful in academia, but what about in our work environments? Is there something missing that IQ doesn’t address? Emotional Intelligence (EI) allows us to identify, assess, and manage our own emotions and understand those of others. This presentation will help you recognize and understand emotions while guiding your actions.

In this session, participants will:

  • Understand Emotional Intelligence and its usefulness in the workplace.
  • Identify ways to improve perception and social skills.
  • Learn about Emotional Intelligence for CAEs.

CS 3-3: The War on Talent: Attracting, Developing, and Retaining Top Talent

Monday, August 13 | 1:45PM – 2:45PM

Ebony Carey, CIA
Director, Business Manager
TIAA

Replacing departing personnel is difficult and costly, from both financial and team morale perspectives. Retaining resources is increasingly challenging, and internal audit departments in the financial services sector have historically faced annual attrition rates of 15–20%. In 2015, our leadership team sought to leverage our firm’s unique heritage and brand ourselves as an organization focused on our biggest asset — our people. We deployed a three-year strategy, with objectives to be regarded as a great place to work, recognized as an exceptional developer of people, and known as business experts within the organization.

In this session, participants will:

  • Achieve a solid understanding of how to initiate and deploy a multi-year people strategy focused on enhancing culture and building business acumen.
  • Learn how to position their department in the marketplace and attract qualified professionals to their organization.
  • Gain insights into some of the roadblocks and challenges of building a team across an international footprint.
  • Evaluate team success measures related to turnover, culture, and business acumen.

CS 4-3: Using Diversity as a Strategic Advantage

Monday, August 13 | 3:00PM – 4:00PM

Clayton Barlow-Wilcox, CRISC, CGEIT, CISSP
Vice President, Risk Services and Growth
ACTIVECYBER, LLC


Summer Fowler
Technical Director, Cybersecurity, Risk, and Resilience
Carnegie Mellon University

Sharon Smith, CISSP
Founder and Principal Consultant
C-Suite Results


Helen Brooks
Senior Director of Risk Management
Freddie Mac

Participate in our panel discussion to learn how to build a strong and diverse security, risk, and compliance team to better monitor and audit the controls across the organization. Having a diverse team will strengthen your skill sets and execution in addressing the threats hitting your organization.

In this session, participants will:

  • Develop a framework for creating a diverse team.
  • Utilize differing perspectives to develop models, use cases, and attack scenarios.
  • Understand self-awareness, self-management, emotional intelligence, and relationship management in developing a high-performing team.
  • Institute feedback loops that get to root cause and empower well-rounded decision making.

CS 5-3: Unlocking Team Collaboration

Monday, August 13 | 4:30PM – 5:30PM

Jacquelyn Wieland
Founder
Solutions Provided LLC

Influence, Insight, and Impact are critical leadership skills. We will do a deep dive on the importance of influence and specific shifts you can make to unlock your influence potential. We will focus on three specific areas that will enhance your leadership and management ability as you drive change and transformation in your role.

In this session, participants will:

  • Understand how to lead and communicate with influence so that they will be able to connect and engage at meaningful levels.
  • Expand their knowledge of how to be more insightful and perceptive when interacting with individuals, allowing them to connect and engage in more meaningful conversations.
  • Expand their ability to be impactful and agile while working with various stakeholders to maximize results.

CS 6-3: Evaluating the Ethical Risks of AI Implementation for Your Organization

Tuesday, August 14 | 10:15AM – 11:15AM

Kirsten Lloyd
Associate
Booz Allen Hamilton


Josh Elliot, CGEIT
Director of Machine Intelligence
Booz Allen Hamilton

With the recent acceleration in development and deployment of machine intelligence (MI) technologies, many executives do not realize that the greatest risk lies in ignoring MI’s ethical problems, which are already affecting business and society. Based on real-world examples, the session focuses on key ethical challenges associated with MI implementations and provides a framework for evaluating risk before deploying MI to ensure the technology’s use preserves human dignity and protects organizations from undue risk.

In this session, participants will:

  • Understand the dimensions of MI ethical risks and the potential impact to business.
  • Identify the necessary stakeholders to include in the governance and management of MI deployments.
  • Apply a holistic risk assessment framework and approach to evaluate potential ethical risks of MI implementations.
  • Prepare to govern and manage existing MI engagements and future deployments.

CS 7-3: The Psychology of Successful Internal Auditing: Navigating Stakeholder Relationships for Optimal Business and Career Results

Tuesday, August 14 | 11:30AM – 12:30PM

Neil Simpson, CPA
Vice President, Internal Audit
Goodman Manufacturing

Technical skills and knowledge provide the foundation, but the way you communicate and navigate relationships will make a big difference in your career success and work/life balance. This presentation addresses many of the areas above: communication, critical thinking, ethics, marketing the audit function, meeting stakeholder expectations, personal brand management, and persuasion and collaboration.

In this session, participants will:

  • Gain tools to clearly communicate with and influence key stakeholders, including board members, senior management, audit clients, peers, and employees.
  • Learn how to build trust.
  • Understand how to gracefully market the internal audit value proposition.

CS 8-3: Storytelling: Improving the Audit Process to Communicate Better

Tuesday, August 14 | 1:45PM – 2:45PM

Ross Wescott, CIA, CISA, CCP, CUERME
Principal
Wescott and Associates


Brad Zolkoske, CPA
Internal Audit Director
UCOR

IIA Standard 2330 stipulates: “Internal auditors must document sufficient, reliable, relevant, and useful information to support the engagement results and conclusions.” Though many seminars, conference sessions, and articles have defined quality and how to achieve it, many auditors still struggle with organizing their work into effectual documentation and presentations that their stakeholders can understand and embrace. To clearly tell the story of the work performed, auditors need to approach their organization and writing of documentation differently.

In this session, participants will:

  • Learn how to develop and organize audit work using storytelling elements.
  • Distinguish the audit story (strategic) from detailed audit work (tactical) to improve communication to the client and to internal stakeholders.
  • Follow storytelling elements to better deliver audit documentation and improve communications.

CS 9-3: Why Don't They Listen? You Aren't Persuading!

Tuesday, August 14 | 3:00PM – 4:00PM

Brian Tremblay, CIA, CISA
Chief Audit Executive
Acacia Communications

In the GRC world, we often ask ourselves why our colleagues simply won’t do what in some cases is required of them, either due to laws, regulations, or company policy. GRC employees continually struggle not only with getting required actions from their stakeholders, but also with getting the best recommendations implemented. Why? It comes down to one word – persuasion. Why do we need to persuade? And how do we utilize persuasion to deliver value to our stakeholders?

In this session, participants will:

  • Understand why stakeholders resist recommendations from GRC professionals.
  • Learn why an ability to persuade is a core competency all GRC professionals need.
  • Identify tactics that can help them persuade stakeholders to their ‘side.’
  • Hear real-world examples of these tactics in action.

CS 10-3: The Bridge of Integrity: Am I All In?

Tuesday, August 14 | 4:30PM – 5:30PM

James Molenaar, J.D.
Attorney and Internal Audit Manager
Clerk of the Circuit Court, Collier County, Florida

Integrity and ethics go far beyond doing the right thing. Integrity and identification of ethical dilemmas are critical skills for any internal auditor. This engaging session will include relevant and entertaining audio and video clips, hypothetical scenarios, group problem solving exercises, pop quizzes, and opportunities to ask questions and provide feedback. Finally, the instructor will speak about interesting ethical dilemmas he has encountered in his three decades of public service.

In this session, participants will:

  • Be reminded why a code of ethics helps the profession of internal auditing uphold the trust placed in its objective assurance about governance, risk management, and control.
  • Learn from examples of principles relevant to the profession and practices of internal auditing.
  • Understand the Rules of Conduct that describe behavior norms expected of internal auditors.
  • Be enlightened on the expectations and application of the following IPPF and Code of Ethics principles: (1) Integrity; (2) Objectivity; (3) Confidentiality; and (4) Competency.


Track 4—Deep Dive Learning Labs

CS 1-4: Building and Maintaining a Sustainable ERM Framework, Part 1

Monday, August 13 | 10:15AM – 11:15AM

Tanya Bullock, CIA, CRMA, CPA
Vice President, Governance, Risk, Compliance, and Controls
Community Care of North Carolina

Sabrina Hilber, CIA, CISA, CHP
Director of Compliance and IT Assurance
Community Care of North Carolina

Roberto Rodriguez, CIA, CISA, CPA
GRC Manager
Community Care of North Carolina

Many organizations encounter obstacles while implementing an Enterprise Risk Management (ERM) framework. In the years following implementation, as the ERM process matures, risk managers then face the challenge of demonstrating ERM’s value to the organization. What’s the secret of successful implementation? How do you get the most out of your ERM process? Are you ready to take your ERM function to the next level?

In this session, participants will:

  • Determine the value proposition of ERM.
  • Develop a strategy to successfully implement ERM.
  • Focus on challenges that can hinder successful implementation of ERM across industries and explore solutions that can help risk managers overcome these issues.
  • Formulate a roadmap that engages all levels of management while embedding ERM.

CS 2-4: Building and Maintaining a Sustainable ERM Framework, Part 2

Monday, August 13 | 11:30AM – 12:30PM

Tanya Bullock, CIA, CRMA, CPA
Vice President, Governance, Risk, Compliance, and Controls
Community Care of North Carolina

Sabrina Hilber, CIA, CISA, CHP
Director of Compliance and IT Assurance
Community Care of North Carolina

Roberto Rodriguez, CIA, CISA, CPA
GRC Manager
Community Care of North Carolina

Many organizations encounter obstacles while implementing an Enterprise Risk Management (ERM) framework. In the years following implementation, as the ERM process matures, risk managers then face the challenge of demonstrating ERM’s value to the organization. What’s the secret of successful implementation? How do you get the most out of your ERM process? Are you ready to take your ERM function to the next level?

In this session, participants will:

  • Navigate the terrain of ERM obstacles and challenges.
  • Learn how to perform a live facilitated risk assessment and compile the results to report to various levels of management.
  • Determine the best approach for conducting value-added risk assessments for their organization and utilize the results to take ERM to the next level.
  • Walk through the process of linking ERM to the organization’s strategy and objectives for maximum results.

CS 3-4: Intelligent Information Management: The Created Risk, Part 1

Monday, August 13 | 1:45PM – 2:45PM

Stephanie Carter, CISM, CISA, CISSP
Lead Information System Security Officer
Department of Justice/Office of Justice Programs

Stacey Lee-Corbean
Senior Technician
Open Text Corporation

Information management within an organization is composed of three components — Intelligent Information Management (IIM), Engineering Information Management (EIM), and Enterprise Risk Management (ERM). IIM helps organizations manage unstructured data; once unstructured data has been structured, EIM principles should be implemented to drive a total information management solution. ERM is only achieved when an organization knows what it is protecting: the confidentiality, integrity, and availability of the information. A combined IIM, EIM, and ERM solution reduces cost and enables organizations to manage risk effectively.

In this session, participants will:

  • Learn why IIM is a vital factor for organizations to understand what information should be protected.
  • Gain insights into how information management is achieved through IIM, EIM, and ERM.
  • Discuss why information management must consider more factors than the traditional risk assessment.

CS 4-4: Intelligent Information Management: The Created Risk, Part 2

Monday, August 13 | 3:00PM – 4:00PM

Stephanie Carter, CISM, CISA, CISSP
Lead Information System Security Officer
Department of Justice/Office of Justice Programs

Stacey Lee-Corbean
Senior Technician
Open Text Corporation

It is predicted that by 2020, there will be over 20 billion devices connected to the Internet of Things (IoT), over 44 trillion gigabytes of data in cyberspace, and 1.7 megabytes of new information will be created every second for every human on the planet. Businesses, which account for only 37% of the 500 gigabytes of data produced per minute today, are predicted to spend 57% of a forecasted $2.9 trillion on endpoint security by 2020. Why? Because organizations are still trying to protect their physical networks from being hacked, rather than protecting their information from being breached.

In this session, participants will:

  • Understand why keeping threats from getting in does not keep information from getting out.
  • Take away best practices for protecting the confidentiality, integrity, and availability of information.
  • Learn why information management is vital to managing risk in organizations.

CS 5-4: Auditing the Cloud: A Practical Approach, Part 1

Monday, August 13 | 4:30PM – 5:30PM

Mark Knight, CPA, CISA
IT Audit Senior Manager
Holtzman Partners

Joseph LoSurdo, CPA, CISA
Internal Controls Senior Manager
Holtzman Partners

Cloud computing is more than a buzzword. It has fundamentally shifted how companies of all sizes run. Auditors who fail to grasp the reality of this seismic shift in IT management risk being left behind. They must be comfortable interacting with a cloud-based environment as well as navigating common compliance requirements using readily available tools and techniques. Part I will present a case study that identifies the common computing, security, and storage solutions found in the cloud.

In this session, participants will:

  • Identify the common risks shared between traditional and cloud hosting providers.
  • Build the skills necessary to perform a basic review of compliance requirements in a cloud environment.
  • Conduct a basic hands-on audit of IT security configurations in a live cloud-based system.
  • Develop a toolkit for evaluating controls specific to cloud environments.

CS 6-4: Auditing the Cloud: A Practical Approach, Part 2

Tuesday, August 14 | 10:15AM – 11:15AM

Mark Knight, CPA, CISA
IT Audit Senior Manager
Holtzman Partners

Joseph LoSurdo, CPA, CISA
Internal Controls Senior Manager
Holtzman Partners

Cloud computing is more than a buzzword. It has fundamentally shifted how companies of all sizes run. Auditors who fail to grasp the reality of this seismic shift in IT management risk being left behind. They must be comfortable interacting with a cloud-based environment as well as navigating common compliance requirements using readily available tools and techniques. Part II will allow participants to have hands-on interaction with a leading cloud services platform.

In this session, participants will:

  • Identify the common risks shared between traditional and cloud hosting providers.
  • Build the skills necessary to perform a basic review of compliance requirements in a cloud environment.
  • Conduct a basic hands-on audit of IT security configurations in a live cloud-based system.
  • Develop a toolkit for evaluating controls specific to cloud environments.

CS 7-4: The Keys to the Kingdom: Access Controls and Ways to Improve, Part 1

Tuesday, August 14 | 11:30AM – 12:30PM

Matthew Kipp, CISA, CIS-LI
Director of Risk
The Mako Group, LLC

Nate Miller, CSX
Senior IT Manager
Cooper Standard Automotive

Shane O'Donnell, CPA, CISA, CCSFP
Chief Audit Executive
The Mako Group, LLC

Access controls are among the most understood and utilized controls within an IT framework, but they are also some of the oldest and least updated controls. In many cases, these controls, which are also some of the most important for reducing risk in a company, have not changed in many years and are in dire need of an update. With all the new technology available, automation can be incorporated into many aspects of these controls. However, automation brings risk.

In this session, participants will:

  • Discuss items to consider when updating access controls and implementing tools for automation.
  • Reflect on SOX implications, recurring access reviews, complete and accurate user access files, admin access, and third-party access rights.
  • Learn why admin access should be treated differently from base user access.

CS 8-4: The Keys to the Kingdom: Access Controls and Ways to Improve, Part 2

Tuesday, August 14 | 1:45PM – 2:45PM

Matthew Kipp, CISA, CIS-LI
Director of Risk
The Mako Group, LLC

Nate Miller, CSX
Senior IT Manager
Cooper Standard Automotive

Shane O'Donnell, CPA, CISA, CCSFP
Chief Audit Executive
The Mako Group, LLC

Building upon the lessons learned from Part 1, this session will incorporate actual case studies from the field, along with real-world testimonials of this process. Audience members will be polled on their experiences within the user access field and engage in a constructive discussion on how to tackle risks in this area.

In this session, participants will:

  • Learn questions to ask before automating access controls.
  • Understand how to verify the completeness and accuracy of user listings.
  • Discuss compliance concerns around user access, as well as the risks of letting compliance alone drive a user access program.
  • Address risks, challenges, and common pitfalls associated with third-party access.

CS 9-4: Applying Lean Six Sigma to ERM, Part 1

Tuesday, August 14 | 3:00PM – 4:00PM

Charlie Wright, CIA, CISA, CPA
Director, Enterprise Solutions
BKD CPAs and Advisors

Jeff Lovern, ARM
Chief Risk Officer, Principal International
Principal Financial Group

As Enterprise Risk Management (ERM) programs continue to mature, risk managers face the continual challenge of adding value to the organization. By focusing on corporate objectives and using practical analytical approaches, risk managers can identify key risk indicators that executive management and the board will find important and useful.

In this session, participants will:

  • Review the key components of an effective ERM program.
  • Learn to leverage important aspects of their organization’s ERM framework, such as emerging risk identification.
  • Compare mechanisms to identify emerging risks and evaluate the benefits of using appropriate key risk indicators to add value to the organization.
  • Assess various approaches for integrating corporate objectives into the ERM process.

CS 10-4: Applying Lean Six Sigma to ERM, Part 2

Tuesday, August 14 | 4:30PM – 5:30PM

Charlie Wright, CIA, CISA, CPA
Director, Enterprise Solutions
BKD CPAs and Advisors

Jeff Lovern, ARM
Chief Risk Officer, Principal International
Principal Financial Group

As Enterprise Risk Management (ERM) programs continue to mature, risk managers face the continual challenge of adding value to the organization. By focusing on corporate objectives and using practical analytical approaches, risk managers can identify key risk indicators that executive management and the board will find important and useful.

In this session, participants will:

  • Learn how to apply a Six Sigma tool called Failure Modes and Effects Analysis (FMEA) to identify meaningful key risk indicators.
  • Gain insights into how one organization used analytical approaches like root cause analysis and FMEA to identify key risk indicators for their ERM process.
  • Receive instruction on asking the right questions in order to identify relevant and important key risk indicators, starting with the organization’s corporate objectives.


Workshops

Workshop 1: COBIT NIST Cybersecurity Framework

Sunday, August 12 | 8:30AM – 5:00PM

Mark Thomas, CGEIT, CRISC
President
Escoute Consulting 

As part of the knowledge, tools, and guidance provided through the Cybersecurity Nexus (CSX)™ program, ISACA has developed a guide and course: Implementing NIST Cybersecurity Framework Using COBIT 5. This workshop is a synopsis of that course, focusing on the Cybersecurity Framework (CSF), its goals, the implementation steps, and the ability to apply learnings.

In this session, participants will:

  • Understand the goals of the Cybersecurity Framework (CSF).
  • Learn and discuss the content of the CSF and what it means to align to it.
  • Understand each of the seven CSF implementation steps.
  • Be able to apply and evaluate the implementation steps using COBIT 5.

Pre-requisites for attending this Workshop:

  • Basic knowledge of COBIT
  • Basic knowledge of security concepts

Workshop 2: Auditing Technology Disruptors

Sunday, August 12 | 8:30AM – 5:00PM

Thomas Sanglier, CIA, CPA, CRMA
Senior Director, Internal Audit
Raytheon Company

Jennifer Allen
Manager II, Internal Audit
Raytheon Company

New and emerging technologies are revolutionizing the way work gets done. This will require internal auditors to rapidly transform what we audit, how we audit, and the skills we need. Audit leaders must be able to sort through multiple technology initiatives, identify accelerating innovation, and reshape internal audit. This collaborative workshop will share one department’s lessons learned and ongoing journey in this endeavor.

In this session, participants will:

  • Discuss emerging technologies and the potential impact they can have on organizations, including governance, risk, and controls.
  • Review how to prepare their organizations and teams for the audits of the future.
  • Exchange strategies and tools for leveraging these same disruptors as audit tools to foster positive outcomes.


Keynotes and General Sessions

Opening Keynote

Disruptive Thinking: How to Prepare for What's Coming Next

Monday, August 13 | 8:30AM – 9:45AM

Luke Williams
Clinical Associate Professor of Marketing
Executive Director, W.R. Berkley Innovation Labs, Stern School of Business, New York University

The future we face will not be predictable. The scale of the challenges we confront and the quickening speed of technological innovation demands a new way of opening minds to new strategies. Winning organizations in the next decade will need to rethink the habits that have made them successful in the past and incorporate a steady stream of unconventional ideas to stay ahead of their competitors.

In this session, participants will:

  • Learn of the link between innovation, growth, and the accelerating pace of disruptive change.
  • Discover how to apply new leadership principles to shape mindset and motivation.
  • Identify organization processes and behaviors needed to implement these leadership principles.

General Session 1: COSO ERM: Integrating With Strategy and Performance

Tuesday, August 14 | 8:30AM – 9:45AM

Paul Sobel, CIA, QIAL, CRMA
Vice President and Chief Audit Executive
Georgia-Pacific, LLC

In 2017, COSO issued an updated ERM Framework, “Enterprise Risk Management—Integrating with Strategy and Performance,” which shifts the focus of ERM from managing downside risks to creating, protecting, and realizing value. Not surprisingly, there are many implications for internal auditors seeking to remain valued and relevant in the future.

In this session, participants will:

  • Hear about the components and principles that comprise the updated Framework.
  • Discover how the Framework impacts internal audit’s assurance and advisory activities.
  • Understand their role in managing risk in uncertain times.
  • Learn how to use the Framework to identify, assess, and manage specific groups of risks.
  • Explore ways to advance risk management in their organization.

General Session 2: Governance in These Digitally Shifting Times

Wednesday, August 15 | 8:30AM – 9:45AM

Rob Clyde, CISM
ISACA Vice-Chair
Managing Director
Clyde Consulting, LLC

Emerging technologies, which we must assess for opportunity and risk, will transform our businesses and how we live. Whether it is how we integrate machine learning and AI, or how we utilize IoT; whether it’s focusing on DevOps to ensure foundational security; or how we resolve the tensions of data privacy and security to protect our customers and organizations — how we transform with the technology will determine our success.

In this session, participants will:

  • Understand the relationship between strong governance and future innovation and agility.
  • Identify technologies that are leading the digital transformation and changing how we do business.
  • Learn about the COBIT governance framework’s past and current contributions to enterprise strategy, as well as its path forward.
  • Discuss what innovations and opportunities we may see in the future of governance.

Closing Keynote

Governance in the Age of Cyber

Wednesday, August 15 | 10:15AM – 11:30AM

Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CISSP, CPSA
ISACA Chair
Advisory Managing Director
Deloitte & Touche LLP

Every day, we hear news reports of another organization being breached. We find ourselves asking, “Who’s next?” The stakes are too high for the board, the C-suite, and internal audit to wait until after a breach occurs to conduct a post-mortem of the attack. To provide value — and to possibly protect our organizations from failure — governance bodies need to be proactive.

In this session, participants will:

  • Learn about cyber trends and classic breach tactics.
  • Gain an understanding of effective security and controls.
  • Discuss the evolving roles of the board, the C-suite, and internal audit in the age of cyber.
