Sabine Charles - Education Committee Chair


Committee Members

Michael Maertz

Vasanthi Ramkumar

Scott Lubliner

Jomol Peter

Maria Lopez

Daisy Maldonado

Upcoming Onsite Course


Full-time students and veterans are eligible for a 25% discount on membership rates upon presentation of a current class schedule or a valid student/veteran ID. Please be sure to register early for the upcoming classes. Unless registration is open, dates and topics may be changed at a later date.



GDPR: Assessment, Implementation and Auditing Approaches – May 1, 2018

Location: Colliers International New York, 666 Fifth Avenue, 4th floor, New York, NY  10103

Training Course Description
This GDPR seminar has been restructured to provide attendees a consolidated view of how to implement, assess and audit the project. This seminar is intended to provide attendees the base level knowledge required to (1) conduct a “point-in-time” Assessment to provide a basis to determine the current stage of GDPR compliance and identify the remaining project initiatives, (2) manage the implementation of the GDPR project, and (3) conduct a GDPR Pre-Implementation Audit. Audit Serve has completed three GDPR Impact Analyses of organizations that are both Controllers and Processors and provides ongoing GDPR advisory services to these organizations. The experiences from these completed consulting projects, along with its current GDPR project of performing all aspects of the GDPR Implementation for a multi-national Controller, have been incorporated into this seminar.

Level: Intermediate, 7.5 CPE


Mitchell Levine is the founder of Audit Serve, Inc. which is an IT Audit & Systems consulting company. For the last 26 years at Audit Serve, Mr. Levine has split his time between traditional IT & Integrated Audit consulting projects, Restructuring IT Departments, PCI Implementations, and performing pre & post-implementation reviews of system migrations. Mr. Levine has also established an Integrated Audit framework that he has been using since 2002 which has been adapted for several audit organizations. Mr. Levine spends 220+ days per year consulting which is the basis for the material which is included in the seminars. Over the past eight years Mr. Levine has presented over 85 seminars to twenty different ISACA & IIA chapters.

Prior to establishing Audit Serve, Inc. in 1990, Mr. Levine was an IT Audit Manager at Citicorp where his duties included managing a team of IT Auditors who were responsible for auditing 25+ service bureaus and the corporate financial systems.

To register: PC Mobile


An Introduction to Auditing Anti Money Laundering Operations and Applications for IT Auditors – May 15, 2018

Location: Michael Page International, 622 3rd Ave Floor 29, New York, New York 10017

Training Course Description
Section 352 of the PATRIOT Act requires that every institution maintain an AML/CTF Program with an effective independent testing function. This highly interactive one-day course for IT Auditors of Financial Institutions will provide an understanding of AML/CTF. After discussing the international and US legal and regulatory framework over AML/CFT, the course will suggest a risk-based audit approach with specific examples of IT audit techniques to enhance efficiency and effectiveness.
Each attendee will be provided with a copy of the White Paper “IT Audit Considerations When Designing Audit Coverage For AML Applications” written by Peter D. Wild, FCA, CAMS Audit.

The Course will cover the following topics:

1.      AML/CFT Overview:

1.1.  The fundamentals of AML/CTF

1.2.  The International bodies providing AML/CTF guidance

1.3.  The significant Sections of the USA PATRIOT Act

1.4.  The components of a risk-based AML/CTF program

1.5.  The data flows supporting an AML/CTF program

1.6.  The operational components of an AML/CTF program

1.7.  The operational components of a Sanctions screening program

2.      An Audit Approach to AML/CFT:

2.1.  The components of an AML audit Approach and Program

2.2.  The major AML audit components

2.3.  A risk based approach to designing AML audit testing

3.      An introduction to IT Audit for AML/CFT:

3.1.  The AML data flow & management

3.2.  The IT Audit Control Categories

3.3.  How IT Audit techniques can contribute to AML Audit testing

Level: Intermediate, 7.5 CPE


Peter is a senior consultant specializing in Operational and Information Technology {IT} Auditing and Training covering the Anti-Money Laundering/Counter Financing of Terrorism {AML/CTF} and Sanctions business processes and supporting computer applications.

In 2016 he retired from J.P. Morgan as a Senior Audit Manager with over 10 years of experience of managing Operational and IT audits of AML/CTF and Sanctions. 

As a Senior Manager with Touche Ross in London he managed the IT and operational audit work for many UK and European clients.  Upon arriving in America in 1980, he was the IT Audit Director at Republic National Bank of New York, then a Senior Audit Manager with Coopers & Lybrand and later the IT Audit Director and Deputy CIO at Melville Corporation.

He is a Fellow of the Institute of Chartered Accountants in England & Wales {FCA}, a Past President of the NY ISACA Chapter.  He is also a recipient of the Wasserman Award for outstanding contributions to IT Audit and Security. 

As a founding member of the CAMS Audit Faculty, he frequently teaches the CAMS Audit Course. In 2016 he was a Task Force Vice Chair for the project to develop the current version of the CAMS Certification Examination and the related Study Guide and he frequently teaches the CAMS Examination Preparation Course.  He is a frequent speaker at ACAMS Conferences and he is the Co-Chair of the ACAMS New York Chapter and a recipient of the ACAMS Volunteer of the Year Award.


To register: - PC Mobile


Microsoft Office 365 Security and Compliance Workshop – June 5, 2018

Location: 11 Times Sq, New York, NY 10036

Training Course Description

Microsoft has a unique perspective on security and compliance. Because of the scale of the technology we build and operate, we are able to capture a diversity of threat signals all the way from sensors through to clients and to the back-end cloud services. And we share that with our customers and partners.

Office 365 can help organizations meet their compliance obligations through a robust set of tools and features. These capabilities can help customers first assess their compliance posture, then manage and control their data, then respond to auditor or legal requests. It doesn’t stop there: our platform provides customers with continuous compliance of assessing, managing and responding to their compliance obligations to help organizations maintain business continuity and reduce cost efficiently and intelligently.

During the session Microsoft Cloud Solution Architects will walk you through a robust set of tools and technologies available within the Microsoft Office 365 solution. 

·       Advanced Threat Protection

·       Threat Intelligence

·       Data Loss Prevention

·       Cloud App Security / Shadow IT

·       Anti-Spam / Anti-Malware

·       Anomaly Detection Policies

·       Secure Score

·       Customer Lockbox

·       Compliance Manager

·       Microsoft Trust Center

·       Microsoft Service Assurance

·       Advanced Data Governance

·       Message Encryption

·       Access Controls / Digital Rights Management

·       Auditing Platform + Activity API

·       Advanced eDiscovery

·       Advanced Security Management

Level: Intermediate, 8 CPE

Instructors: Eric Lee is a seasoned Architect with 25+ years of industry experience who is intimately familiar with Unified Communications market technologies. He is an accomplished technologist, architect, and technology evangelist intimately involved in all aspects of Unified Communications, including the definition of technology roadmaps and the evaluation of total-cost-of-ownership for Unified Communications solutions. He has experience designing solutions and offerings that transition clients from legacy telephony to integrated Unified Communications tools and processes, and an extensive background in the architecture, design, and deployment of Unified Communication platforms including Microsoft, Avaya, BroadSoft, and Cisco.

Robert Gates is a Cloud Solution Architect at Microsoft with over 20 years of experience across multiple verticals and a wide range of technology solutions. Robert spent many years as a Business and Technology Consultant helping to solve a diverse set of technology and business challenges. Experience spans across Infrastructure, Operations, Information Security, Transactional, Analytical, and Master Data, Business and User workflows, and various aspects of Software Development covering Design, Build, Testing, and Deployment. At Microsoft Robert focuses on being a translator of technology to identify trends and help organizations understand which solutions to adopt to meet their business goals.

To register: - PC  


Auditing Robotic Process Automation (RPA) – June 5-6, 2018

Location: BNY Mellon 225 Liberty Street

Training Course Description

This two-day, interactive class covers the basics of what RPA is, what its component parts are, and what comprises emergent best practice in implementing, managing and auditing this new technology. Intended for those looking for an in-depth review of the methodology for implementing or managing RPA applications through their lifecycle.  The target audience includes:

·       Line of Business staff considering prototyping this technology

·       Internal auditors looking to expand their breadth

·       Technology auditors looking to deepen their knowledge base

·       Business and IT Strategy staff who want to more fully understand this technology’s impact on business

·       Risk management staff who need to understand the ways risk can be assessed and controlled when using this technology

·       Essentially, anyone who is curious about this new technology and what it can really do


Course Outline

What do we mean by RPA?

o    Definition

o    Current use cases

§  Mortgage processing

§  Credit card management

o    Future uses

§  Chatbots – KYC, Call centers, Credit Card, Loan recovery

§  Process only – Log monitoring, cybersecurity checks

Packages and Platforms

o    Blue Prism

o    Automation Anywhere

o    UIPath


I.         Where does RPA fit within Risk and Audit Frameworks

o    Top-down (ERM/OpRisk/Tech risk/Process risk)

o    Bottom-up (DevOps/ProdOps/Data/Architecture/IT Strategy)

o    COSO/TOGAF/NIST/ Frameworks

o    Component-based Framework: What are you auditing?

§  The process

§  The ‘bots: synthetic people or not?

§  The transmission process & AIs

§  The source of change – the oracles

§  The controls

II.       Emerging Best Practice - The Must Haves and the Nice to Haves

o    Roles & Responsibilities

§  Business

§  Risk & Compliance

§  Audit

§  Board of Directors


o    Environment

§  Network security

§  Access control

§  Vulnerability management program

§  Data security

·       Stored

·       In transmission

III.     Governance

§  Documentation

·       Policies

·       Business Strategy

·       Business rules

·       Business use case(s)

·       Procedures

§  Escalation

§  Complaint resolution


IV.    Internal Controls

V.      Testing

o    Test bed issues:

§  Granularity

§  Stability

§  Independent review/validation


VI.    Oversight

§  Alignment between business goals and implementation strategy

§  Feedback between customer complaints & RPA process

§  Periodic reviews

§  Change reviews

§  Independent random testing

§  Logs & Monitoring

§  Integrating the information


VII.   Getting started with RPA using Agile development

§  Cyber-risk framework

§  Build versus buy

§  Vendor selection – learning to drive or taking a taxi?

§  Choosing your POC & prioritizing selections

§  Being Agile: Project Management & Effective Challenge

§  Assessing oprisk add-ons – increase or mitigation?

VIII. Reviewing the Audit Plan & Changes over Time

·       In development

·       In production – beginning

·       In production - BAU

IX.     Summary

·       Learning points

·       Final Q&A


Level: Intermediate, 16 CPE



Ms. Donna Howe is a global regulatory risk specialist and innovation business development professional who brings a breadth of hands-on experience across businesses, risk types and model types. As well, she has a strong background in data including legacy controls and product hierarchy. Her experience includes breadth across banking products (core fixed income, equities, loans, credit cards, ABS, derivatives, futures, etc.) and clients (retail, commercial, HNW) combined with quantitative experience across model types including game theory, Monte-Carlo, simulation, ANOVA and regression models of various types. Furthermore, she is strong in test design and execution. She has designed and managed the implementation of risk systems including front office integration such as CDS and derivative clearing. She has also developed metrics and controls for emerging risk types including enhanced mortgage underwriting, model risk management, reputational risk and complaints controls, call center metrics and enhancements to credit processes. She has excellent communication and team player skills in working with colleagues at all organizational levels. Highly effective in:

* Multi-asset class expertise * Consensus building * Board training

* Product development * Managerial and supervisory skills * Operational workflow

* Regulatory capital * Cross-divisional initiatives * Compliance expertise

* System Implementation * Presentation skills * CCAR & DFAST

* Financial market regulations * Cost analysis and reduction * Workflow logistics

* Process optimization * Relationship Management * Anti-Money Laundering

* Model testing * Collaboration * Documentation



To register:  - PC


Operational Risk Management – June 13-14, 2018

Location: Cohn Reznick 1301 Avenue Of The Americas, New York, NY 10019

ISACA NY is hosting “Operational Risk Management”, a two-day event.

What Problem Does This Training Help Solve?

Provides training on operational risk assessment, management, risk mitigation, risk acceptance, risk management methodologies, modeling, stress testing, KRIs, KCIs, BASEL II, BASEL III, and many other aspects of operational risk management

Who Should Attend?

Professionals interested in learning about operational risk control objectives, controls, methodologies, and risk management from HR, IT, process management, business units, senior management, CRO’s office, ORM office, internal audit, big 4, and ORM consultants

This course evaluates operational risk exposures relating to the organization's governance, operations and information systems, in relation to: (a) operational risk governance, (b) risk and control assessment, (c) events and losses, and (d) indicators. Based on the results of the risk assessment, the student will be able to evaluate the adequacy and effectiveness of how risks are identified and managed and to assess other aspects such as reporting, risk modeling, stress tests, scenarios, business continuity, disaster recovery, insurance, internal audit, outsourcing risk, people risk, reputational risk, and strategic risk, as well as communication of risk and control information within the organization in order to facilitate a good governance process.

Special emphasis will be paid to BASEL II capital requirements for Operational Risk.


The objective of the course is to develop professionals with an in-depth understanding of “Operational Risk Management” so that they will have the management skills necessary to provide assurance that:

·       ORM Internal controls are in place and are adequate to mitigate the risks,

·       Governance processes are effective and efficient, and

·       Organizational goals and objectives are met.



·       What is operational risk old definition and new definition of BIS/BASEL II

·       BASEL II Risk from people, failed processes, failed systems, and external events

·       Outside BASEL II strategic risk, reputational risk, 95 types of risks

·       Operations risk vs. operational risk

·       Business case BASEL II capital requirements for OR

·       Reserves, capital, and insurance based on L and I factors

·       ORM Framework Governance, ORM policy, risk appetite, R&R for ORM

·       Setting up timeline for ORM – from project to a program

·       Risk and control assessment risk owners, control owners

·       Events and losses data collection, data reporting, external loss databases, near misses, BASEL II classification

·       Indicators KRIs, KCIs, thresholds, targets, dashboards, leading and lagging indicators, periodicity

·       Reporting styles, know the audience, dashboard reporting

·       ORM modeling distributions, correlations, internal and external data, confidence level, capital Modeling, qualitative modeling

·       Eight business areas of BASEL II and seven types of ORM risks

·       Stress tests and scenarios analysis practical scenarios, near death experience, Gaussian curve, outside 3 standard deviations, Mandelbrot’s Chaos, black swan event, fat tail

·       Business continuity process, applications, infrastructure, service delivery

·       Insurance

·       Three lines of ORM defense management, oversight, and audit

·       Auditing ORM

·       ORM from outsourcing

·       People risk

·       Reputational risk

·       System failure risk IT DR

·       BASEL II and BASEL III considerations

·       OR and ERM 2017 (COSO FW)

·       ORM, Dodd Frank, and FSOC’s OFR

·       ORM and systemic risk


Jay Ranade is a New York City-based management consultant and internationally-renowned expert on computers, communications, disaster recovery, IT Security, and IT controls.  He has written and published 37 IT-related books covering networks, security, operating systems, languages, systems, and more.  He also has an imprint with McGraw-Hill called J. Ranade IBM Series, which includes over 300 titles.  His publications have been translated into several languages including: German, Portuguese, Spanish, Korean, Japanese, and Mandarin.  He has written and published articles for various computer magazines such as Byte, LAN Magazine, and Enterprise Systems Journal.  He is also the author of The New York Times critically-acclaimed book, The Best of Byte.  He is currently working on a number of books on various subjects such as Audit, IT Security, Business Continuity, and IT Risk Management.

Jay has consulted and worked for Global and Fortune 500 companies in the U.S. and abroad including: American International Group, Time Life, Merrill Lynch, Dreyfus/Mellon Bank, Johnson & Johnson, Unisys, McGraw-Hill, Mobiltel Bulgaria, and Credit Suisse.  He was a member of ISACA International's Publications Committee from 2005 to 2007, and he currently serves as a member and advisor to the New York Metropolitan InfraGard, a partnership between the FBI and private sector institutions to safeguard America’s national infrastructure from hostile attacks.  He has been a speaker at the Federal Reserve Bank of New York on Global Financial Infrastructure Protection, and he maintains FBI-certified confidential-level clearance.

Jay also teaches graduate-level classes on Information Security Management, Operational Risk Management, and Ethical Risk Management at New York University, and Accounting Information Systems, IT Auditing, Operational Risk Management, and Internal Auditing at St. John’s University.  


Level: Intermediate, 15 CPE

To register: - PC


How to Audit Waterfall & Agile Development Methodologies – October 09, 2018

Location: Cohn Reznick 1301 Avenue Of The Americas, New York, NY 10019

ISACA NY is hosting “How to Audit Waterfall & Agile Development Methodologies” a one-day session.

Seminar Objective

This seminar is intended to provide an auditor the base level knowledge required to perform a pre & post implementation audit of the deployment of business systems. This seminar is structured around the two most common development methodologies used in the industry: Agile and Waterfall.

Traditional development used the Waterfall development methodology, which provided an effective method to ensure that organizations were establishing functional requirements derived from user participation prior to proceeding with the design and construction phases. These long project phases were always under scrutiny, especially when projects were continuously delivered late and never included all of the promised functionality. These issues paved the way for the Agile development methodology approach of delivering smaller packages of functional code that can be used by production users within shorter timeframes, which are referred to as sprints. The assembly of the Scrum teams which produced these sprints also provided the basis for establishing true quantitative measurements for the amount of work (user stories) that were to be delivered by these sprints.

The methods used for auditing a Waterfall development methodology are quite different from those used for auditing an Agile development methodology, which will be one of the primary areas covered during this seminar. Each of these development methodologies has its strengths and weaknesses as it relates to in-house development, companies operating third-party vendor products and those companies that are using SaaS solutions.

Regardless of the level of experience of the attendee, the instructor’s experience of conducting audits of 4+ system migrations per year and extensive development experience will bring new insights to even the most experienced auditor.

Who Should Attend

This seminar is designed for IT, Integrated and Operation Auditors at all levels.


Mitchell Levine is the founder of Audit Serve, Inc. which is an IT Audit & Systems consulting company.   For the last 26 years at Audit Serve, Mr. Levine has split his time between traditional IT & Integrated Audit consulting projects, Restructuring IT Departments, PCI Implementations, and performing pre & post-implementation reviews of system migrations.  Mr. Levine spends 220+ days per year consulting which is the basis for the material which is included in the seminars.

Mr. Levine has developed Waterfall Development Methodologies for three companies and has performed over 25 system migration reviews for companies which utilize both Waterfall and Agile development methodologies over the past 8 years.

Over the past seven years Mr. Levine has presented over 85 seminars to twenty different ISACA & IIA chapters.  Mr. Levine also was the primary writer and editor of Audit Vision which is published bi-monthly and has a subscription base of over 3,500 audit & security professionals.

Prior to establishing Audit Serve, Inc. in 1990, Mr. Levine was an IT Audit Manager at Citicorp where his duties included managing a team of IT Auditors who were responsible for auditing 25+ service bureaus and the corporate financial systems.


Level: All levels, 7.5 CPE


To register: - PC - Mobile