tuesday june 6, 2017 8:00 am 5:00 pm documents... · tuesday june 6, 2017 7:30 – 10:00 am chief...

Tuesday June 6, 2017 8:00 AM – 5:00 PM

WRK 1: Fraud Issues & Answers for Internal Auditors Workshop

John Hall, CPA, Certified Board Advisor President

Hall Consulting, Inc. This “how-to” workshop for audit and anti-fraud professionals will help participants be more

effective in their fraud prevention, detection, and handling responsibilities. Participants will

learn action steps for elevating their fraud risk management skills. We’ll make heavy use of case

examples and their lessons for auditors as well as individual and group brainstorming exercises

and discussion.

In this seminar, participants will:

Learn “next-step” practices in prevention, early detection, and effective incident response.

Learn how to assist management in creating an anti-fraud business environment. Learn three-step fraud detection and develop lists of fraud red flags, indicators, and

symptoms.

Understand the special challenges in contracting, procurement, and related-party relationships.

Develop high-impact fraud risk management audit techniques.

John Hall specializes in skills training programs and conference presentations for internal

auditors, CPAs, management groups, and professional associations. He also coaches internal

audit professionals in how to increase their effectiveness, clarify and meet their business and

personal goals, and move their careers forward. Hall has 40 years of experience as a consultant,

speaker, auditor, and business coach and owner. He has worked in senior leadership positions

in large corporations and international public accounting firms. He wrote The Anti-Fraud Toolkit

and the award-winning book Do What You Can! Simple Steps – Extraordinary Results.

Additionally, he created and facilitates Fraud Detection, Deterrence & Incident Response for Internal Auditors, an IIA seminar.

WRK 2: Start Your Analytics Engine With the Right Foot: Analytics and Visualization

Alex Fung

Director, Analytics Adoption ACL Services, Ltd.

ACL is the leading tool in the market for data analytics geared towards Risk and Audit Professional. In this full-day workshop, learn the basic usage of the tool including importing data, combining data from multiple sources, and performing basic analysis to kick-start your journey to becoming the most sought-after resource within your team and within the entire organization! Besides the basic technical use, you’ll learn to apply ACL to solve analysis objectives using scenario-based case studies. Towards the end, we will cover how you can leverage newly-released capabilities to drive results and adoption: Analysis Apps – get the non-techies up and running without learning all the technical scripting; and Visualizations – immediately spot

anomalies just by looking at the data, literally. In this session, participants will:

Develop and apply planning methodology within the phases of data analysis. Leverage hundreds of built-in data analysis commands, functions, and tools to achieve

analysis objectives.

Import various source files into ACL

Combine data from multiple systems

Encourage knowledge and content-sharing with your colleagues through Analysis Apps.

Engage stakeholders with stimulating, interactive visualizations. Alex Fung oversees the data analytics delivery team in the Customer Success Organization and

manage client portfolios. Prior to being promoted to director, he served as a senior solution

lead, providing solution architecture recommendations for the data analytics products to integrate with the GRC platform for data-driven GRC solutions, ensuring various systems work

with ACL’s products. With over eight years of experience helping clients configure effective audit solutions and management systems, Fung has managed more than 100 projects and

worked on more than 200 engagements across multiple industries including banking, retail, government, insurance, manufacturing, energy, education and more. For the past five years, he

was a key leader/designer and infrastructure architect in one of the largest engagement

projects consisting of accounts payable, purchasing cards, travel and entertainment, general

ledger, property plant and equipment, and central disbursement data analysis.

WRK 3: IDEA - Data Analytics: A Deeper Dive Into Key Functions

Fred Wechselberger Industry Relations Executive Audimation Services, Inc. This session will allow internal auditors with a basic knowledge of data analytics software

(specifically IDEA) to increase their knowledge of key IDEA functions and their uses, to apply the

knowledge to specific audit scenarios, and determine the datasets and data elements needed

perform data-driven analysis. Participants will have a chance to practice audit tests they

developed and discuss next steps to perform with the results of their analysis.

In this session, participants will:

Expand their knowledge of key IDEA functions.

Gain experience on identifying data analytic approaches to several audit test scenarios.

Practice applying data analytic techniques to several datasets commonly received in an internal audit.

Fred Wechselberger has more than 20 years of experience helping organizations implement and use data extraction and analysis software. He brings unique perspectives on the use of CAATs having experience with federal and state bodies including the SEC, Ministries of Finance in Austria and Greece, Central Bank of Nigeria, Government Uganda, in addition to corporate

bodies such as GE, GM, American Express, MMC, Safaricom, Prudential, and many globally recognized CPA firms. As a seasoned speaker, Wechselberger has presented at numerous

industry and trade events across North America and Europe.

Tuesday June 6, 2017 7:30 – 10:00 AM

Chief Audit Executive Roundtable (By Invitation Only)

Tom Austin, CIA

Vice President, Governance Risk & Control

Cisco

This session is an open forum for chief audit executives (or the most senior auditor in an

organization) to bring up topics for discussion among peers. Topics may be submitted in

advance for discussion as well, and these conversations will not be communicated outside of

the session. This format will allow for a free-flowing expression of ideas and opinions on each

topic. Discussion time will be limited, resulting in a fast-paced event to allow time to touch on

all topics raised. Participants will have the opportunity to network and share ideas with fellow

CAEs who may have found effective solutions.


Evolving impact of PCAOB focus areas on management's internal controls work

Cybersecurity and product security involvement by Internal Audit

Fraud risk assessment enhancements

Tom Austin oversees Cisco’s governance, risk, and controls organization that partners with

internal business units. Previously, Austin worked at Applied Materials for 16 years, most

recently as vice president and CFO for the display and solar business segments. Prior to Applied

Materials, Austin worked with PriceWaterhouseCoopers in business assurance and with Merrill

Lynch & Co. in investment banking.

Tuesday June 6, 2017 1:00 – 5:00 PM

WRK 4: The Corporate Culture Check Up

Danny Goldberg, CIA, CCSA, CGEIT, CISA, CRISC, CRMA, CPA

Founder

GoldSRD

The IIA has recently highlighted assessing/auditing corporate culture as a key area that should

be addressed in 2016 and future years. The long list of recent corporate scandals reinforces the

need for executives to keep an eye on organizational culture. At its finest, culture helps an

organization retain great employees and motivates them to do their best and most productive

work. This webinar will take attendees through assessing corporate culture and the pitfalls in

assessing a subjective area.


Learn and understand what corporate culture is

Understand the challenges in assessing a subjective area and how to address this

subjectivity

Discover how corporate culture can significantly impact many areas in an organization,

including internal audit

Danny Goldberg oversees his firm which is a leading provider of staff augmentation, executive

recruiting, and professional development services. He has nearly 20 years of audit experience,

including five as a CAE/audit director at two diverse companies and has been speaking and

training for seven years. Goldberg was named as one of the Fort Worth Business Press 40 Under

40 for 2014, and is the author of People-Centric© Skills: Communication and Interpersonal

Skills for Internal Auditors.

WRK 5: CIA Exam Preparation Course: Part 3 — Internal Audit Knowledge Elements

Raven Catlin, CIA, CFSA, CRMA

Trainer and Owner

Raven Global Training

This Part 3 CIA course is designed to give candidates a high level introduction and overview of

the topics covered on the new Part 3 CIA exam. The course will reinforce your CIA knowledge,

clarify topics, and build exam-day confidence. Taught by CIA-certified instructors, each

attendee will have the opportunity to work through practice exam questions, learn test taking

tips, and will receive the most current version of The IIA’s CIA Learning System® self-study print

and online software materials for Part 3. An additional fee of US$315 will be required to attend

this course. A limited number of on-site registrations will be accepted, so please pre-register

for this course.

Course topics will include:

Governance/Business Ethics

Risk Management

Organizational Structure/Business Processes and Risks

Communication

Management/Leadership Principles

IT/Business Continuity

Financial Management

Global Business Environment

Please note: additional self-study time outside of the classroom will be necessary to prepare for

the exam.

Raven Catlin is an internationally recognized expert, speaker, and consultant in internal auditing. She has more than 15 years of auditing and seminar facilitation experience. Before

starting Raven Global Training, Catlin was a consultant for Experis and a senior manager at Protiviti. She held internal audit positions with Freddie Mac, Bank of America, and Philip Morris.

Catlin is a contributing author to The IIA’s CIA Learning System.

Wednesday June 7, 2017 8:30 – 9:45 AM

GS 1: Internal Auditors as Trusted Advisors – Leveraging Trust to Foster Organizational

Success

Richard F. Chambers, CIA, QIAL, CGAP, CCSA, CRMA President and Chief Executive Officer The IIA

In this session, IIA President and CEO Richard Chambers discusses the traits of great internal

audit leadership. Based on his new book, Trusted Advisors: Key Attributes of Outstanding

Internal Auditors, Chambers reviews the top character traits of gifted practitioners who have

gained the trust of stakeholders. Based on surveys and interviews of some of the profession’s

most-respected CAEs, Chambers crafts a compelling message on what it takes to become a true

trusted advisor.


• You will learn about the character and leadership traits of the best internal auditors.

• You will learn how to nurture leadership traits within yourself.

• You will hear how these traits are applied in real-world experiences.

Richard Chambers has more than four decades of internal audit and related experience. Chambers was national practice leader in Internal Audit Advisory Services at

PricewaterhouseCoopers; inspector general of the Tennessee Valley Authority; deputy inspector general of the U.S. Postal Service; and director of the U.S. Army Worldwide Internal

Review Organization at the Pentagon. He currently serves on the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Board of Directors; the International

Integrated Reporting Council (IIRC); and The IIA Board of Directors. Previously, he served on the U.S. President’s Council on Integrity and Efficiency; the Audit Board of the City of Orlando, Fla.;

The IIA’s International Internal Audit Standards Board; and The IIA North American Board. Chambers received the Association of Government Accountants (AGA) Frank Greathouse

Distinguished Leadership Award and the National Association of Black Accountants (NABA)

Legacy Award. Accounting Today named him one of the Top 100 Most Influential People in Accounting in 2012, 2013, 2014, and 2015, as well as one of 10 tweeters worth following. The

National Association of Corporate Directors (NACD) named him one of the most influential

leaders in corporate governance in 2013, 2014, and 2015. Chambers authored the award-

winning book, Lessons Learned on the Audit Trail, which is available in four languages.

Wednesday June 7, 2017 10:15 – 11:30 AM

CS 1-1: Emerging Technology Issues In Internal Audit

A. Michael Smith, CISA, CISSP, CPS

Partner

PwC

This session will address emerging technology issues in internal audit, including continuous

auditing, real time auditing, audit automation, blockchain, algorythmic sciences, and

cyber/social. It will consider the effects of these topics on the audit process, approach, and

methodologies and explore creative strategies for dealing with them.


Explore the emerging technology landscape and its impact on internal audit. Obtain key points from each emerging technology topic, but not a detailed audit plan or

approach to each topic. Learn to help change the way their organizations think about internal audit and the

audit process.

A. Michael Smith has over 25 years of experience in IT auditing, cybersecurity, privacy, and

regulatory requirements in the IT space. He is responsible for PwC's IT internal auditing services practice in the U.S. for financial services companies and has led projects in all financial services

sectors. His primary area of focus is designing strategies for deploying technology audit in large financial services organizations. Prior to joining PwC, Smith was the global director of

technology audit for the Bank of New York Mellon.

CS 1-2: Large-scale Cyber Breach, Fraud, and Insider Threat Incidents: Prevention and

Recovery

Matthew Miller

Senior Manager

EY

Defending against known threats is no longer sufficient. Attackers have increasingly turned to

exploiting people, not just technology. Attacks are capable of causing large-scale destruction to

the ecosystems of commercial organizations. The traditional protect-and-control mentality

doesn’t work anymore. It is the breadth of an attack’s impact, separate from an attack’s

sophistication that must drive the depth of response.


Hear about a real-world scenario, based on our team’s work in response to the largest media and entertainment industry hack in history.

Learn what to do in the first 24, 48, and 72 hours following a breach.

Discover the level of effort needed, and what a cross-disciplinary team would look like, to get an organization that is fully compromised back online and able to resume

business. Learn what different teams within the organization should know to prevent insider

threats, fraud, and cyber breaches.

Matthew Miller serves in the forensic technology and discovery services group within the fraud investigation and dispute services practice at EY, assisting organizations with electronically stored information challenges. He was the senior-most project manager for the EMEIA work stream of the largest corporate hacking and incident breach. Miller led a multi-country team providing cyber breach remediation services including: collection, scanning, cleansing, and

advanced forensic data recovery. Miller sits on the E-Discovery/Information Governance Board of Advisors at Benjamin N. Cardozo School of Law.

CS 1-3: Rising From the Ashes of Fraud: Building Stronger City Governance

Ruthe Holden, CIA, CGAP, CRMA, CISA, CPA

Internal Audit Manager

City of Pasadena

Deceitful employee or vendor misconduct damages reputations, reduces resources available to

provide services, and damages employee morale. During this presentation, the City of

Pasadena’s internal audit manager will discuss recent public-sector fraud cases, including the

City of Pasadena’s 11-year, US$6.4 million embezzlement. There have been several recent

government frauds throughout the U.S. Dissecting these frauds provides clues and best

practices to help avoid or mitigate potential frauds in government agencies. She will talk about Pasadena’s road map for responding to the embezzlement.


Understand governance failures by analyzing recent government fraud cases.

Raise their awareness of fraud risks specific to government agencies. Learn how to improve their agency’s fraud deterrence culture.

Be introduced to tools and techniques to detect fraud red flags.

Discuss their role as a fraud fighter.

Ruthe Holden has more than 30 years of experience in federal and local government with 24 years’ experience in internal audit. She has conducted operational, financial, IT, contract, and

regulatory compliance audits. Holden’s specialty areas include internal control assessments, third-party contract audits, defective pricing audits, performance audits, and providing

recommendations to improve programs and processes. Prior to accepting her role in 2015, she

was the chief auditor for Los Angeles County Metropolitan Transportation Authority.

CS 1-4: The Independent Broker-dealer and the Three Lines of Defense

Luis Padilla, CIA

Vice President, Internal Audit

LPL Financial

As an organization's control environment evolves and matures to adapt to complex regulatory

environments, and satisfy internal and external demands for testing and reporting on internal

controls over multiple areas, companies are presented with a “three lines of defense” control

model. This model promotes internal audit’s independence as a third line of defense, sets the

monitoring responsibility into a governance or risk function(s), and assigns control ownership to management.


Distinguish the differences within a “three lines of defense” model.

Identify common challenges and pitfalls during implementation of the model.

Discuss the characteristics and functions of each line.

Deliberate the benefits and challenges of the model.

Luis Padilla manages a team responsible for internal controls testing for Sarbanes -Oxley compliance, SSAE 16 testing, FICCA reporting, and SEC Rule 17a-5 compliance testing. He also leads financial and operational internal audits, as well as assists in special projects, FINRA compliance and enforcement actions, and other regulatory matters. Prior to his role at LPL, Padilla was a senior manager at Deloitte & Touche, LLP, where he was part of the faculty at Deloitte University. He also led assignments in Europe and Asia-Pacific, in the areas of internal audit, third-party contract compliance, royalty audits, inventory control, and finance transformation. Padilla led account reconciliation system selection and implementation

projects, financial close optimization projects, and business process outsourcing projects, among others. Before joining Deloitte, he worked for Capgemini E&Y as a group internal auditor

at offices around the world for compliance with company policies. He started his career with KPMG in financial external audit. Padilla is a volunteer course facilitator for The IIA.

CS 1-5: CIA Exam Preparation Course: Part 3 — Internal Audit Knowledge Elements

Raven Caitlin, CIA, CFSA, CRMA

Trainer and Owner









for this course.



Risk Management


Communication






the exam.

Raven Catlin is an internationally recognized expert, speaker, and consultant in internal auditing. She has more than 15 years of auditing and seminar facilitation experience. Before starting Raven Global Training, Catlin was a consultant for Experis and a senior manager at

Protiviti. She held internal audit positions with Freddie Mac, Bank of America, and Philip Morris. Catlin is a contributing author to The IIA’s CIA Learning System.

Wednesday June 7, 2017 12:45 – 2:00 PM

CS 2-1: Auditing the Internet of Things

Matt Stamper, CISA, CIPP-US

Research Director

Risk and Security Management Programs

We are just beginning to see the impact of the Internet of Things (IoT) and its pervasive

influence on our organizations. Beyond the operational effects of deploying the IoT, there are

important considerations related to cybersecurity and, critically for IIA members, how auditing

systems with an IoT scope are addressed. As internal auditors, our ability to retool our audit

programs to address this pervasive digital presence within our organizations will be a critical

competency for continued success in our field.


• Learn the key elements of IoT technologies.

• Understand how the IoT impacts business processes and operations. • Develop strategies for incorporating the IoT into broader audit programs.

• Understand the risk factors associated with the IoT as they relate to core assurance principles.

Matt Stamper brings a broad, multi-disciplinary understanding to cybersecurity best practices

to his clients and has experience with public and early-stage organizations. His diverse domain

knowledge spans IT service management (ITSM), cybersecurity, cloud services, control design

and assessment (Sarbanes-Oxley, HIPAA/HITECH), privacy, governance, ERM, sales

management and individual revenue contribution, and new product and service development.

Stamper is adept at conveying complex cybersecurity and IT concepts to boards of directors,

executive management, as well as professional service providers. His executive-level experience

with managed services, cybersecurity, data centers, networks services, and ITSM provides a

unique perspective on the fast-changing world of enterprise IT, IoT, and cloud services. He is a

co-author of the CISO Desk Reference Guide.

CS 2-2: The Evolving Cyber Threat

Bryan Willett

Supervisory Special Agent

Federal Bureau of Investigations

The cyber threat is constantly evolving; our adversaries change their tactics, techniques, and

procedures daily, leaving network defenders to guess what will be next. SSA Bryan Willett will

take a look at what the future holds, what tools our enemies may use, and what they are

looking to attack next.

In this session participants will:

Understand the future attack surface

Understand who will be targeted

Understand how advances in technology will change the landscape of cyber security

Bryan Willett has been a special agent for almost 13 years and holds several IT security certifications. He is also a licensed attorney. He has worked in several FBI field offices as well as their headquarters in the Cyber Division, investigating cyber crimes, including computer intrusions. Willett is the supervisory special agent for Los Angeles’s Cyber Squad attached to the

multi-agency Electronic Crimes Task Force.

CS 2-3: Auditing Collaboratively: Rethinking the Audit Process to Enhance Value

Jim Pelletier, CIA, CGAP Vice President, Professional Solutions The IIA

Taking the time to understand the personal impact an audit can have on those involved can

have positive results when managed correctly. We’ll cover some of the psychological dynamics

affecting those being audited as well as some aspects of how people think, both of which

auditors can leverage throughout the process. The session will wrap up with how four specific

audit tools can be used to produce long-term, positive impact with every audit.

Jim Pelletier has more than 15 years of internal auditing experience in both the public and

private sectors. In his current role as the Vice President of Professional Solutions for The IIA, he provides direction for The IIA’s Audit Executive Center, the Financial Services Audit Center, the

American Center for Government Auditing, the Environmental, Health and Safety Audit Center, and IIA Quality Services. Prior to joining The IIA, Jim served as City Auditor for the city of Palo

Alto, CA and was the Chief of Audits for the County of San Diego. His diverse auditing experience also includes roles at the California State University System, PETCO Animals Supplies, Inc., State Street Corporation, and General Electric. While serving as a senior audit manager for the County of San Diego, Jim won The IIA’s prestigious John B. Thurston Award for outstanding paper in the field of internal auditing for his article “Adding Risk Back into the Audit Process.” His new book titled “Collaborative Auditing” is available through The IIA Research Foundation.

CS 2-4: Travel and Expense Policy: Current Practices and Controls

Oren Geshuri

Director, Platform Integration Services and Senior Concur Project Manager

Lyndon Group

Travel and expense policies are very much in the spotlight for many organizations, from being

viewed by candidates as a key aspect of a job change and HR departments as a recruiting tool, to

audit committees concerned with organizational Duty of Care.


Learn how to ensure your Travel and Expense Policy addresses current travel-related

risks and reflects current travel trends

Ensure sound and reasonable controls while considering the “total cost” of travel

Benchmark your Travel and Expense Policy against common/best practices

Oren Geshuri has diverse experiences as a result of a variety of positions in the corporate world

and brings both business and legal perspectives to his work. His specialties include contract

negotiation; business process design; international strategy, law, and business; and

technical/functional process integration. Geshuri has applied his expertise with companies

including Paramount Pictures, OG Business Solutions, Warner Bros., and Universal Studios.

CS 2-5: CIA Exam Preparation Course: Part 3 — Internal Audit Knowledge Element


Trainer and Owner









for this course.



Risk Management


Communication






the exam.

Raven Catlin is an internationally recognized expert, speaker, and consultant in internal

auditing. She has more than 15 years of auditing and seminar facilitation experience. Before starting Raven Global Training, Catlin was a consultant for Experis and a senior manager at

Protiviti. She held internal audit positions with Freddie Mac, Bank of America, and Philip Morris. Catlin is a contributing author to The IIA’s CIA Learning System.


CS 3-1: Auditing Amazon Web Services

Loras Even Principal RSM US LLP

Laura Barnes

Manager, Technology Risk Advisory Services RSMUS LLP

The movement of business systems to cloud-based services continues and AWS is one of the

leading cloud solutions in the market. Business reasons for moving systems into AWS vary

among organizations, but AWS-hosted systems still must be audited from a security

perspective. To audit AWS, auditors must understand the AWS architecture and the tools

available to perform audits more efficiently, focusing more time on critical controls.


• Understand high-level AWS architecture and the three major models of cloud offerings. • Learn how to use AWS automation to provide real-time audit views.

• Explore using tools such as Nessus to capture snapshots of AWS configurations .

Loras Even serves as the security and privacy services leader for the organization’s West region.

He brings more than 37 years of experience in IT, which includes 17 years of focusing on

security and privacy. Even performs a variety of security consulting engagements for clients,

assisting in security planning, evaluating technologies, and recommending security solutions.

Laura Barnes is a manager with the organization’s technology risk advisory services group and

offers over 30 years of diverse complex technology experience in the areas of enterprise

architecture, systems development, systems administration, and database administration. In

addition to the hands-on technology background, she has 12 years of IT auditing experience

and 11 years of technology management experience, which includes holding the position of a

CIO in a large, international high-tech company.

CS 3-2: City of South Mountain: A Case Study of Forensic Audit in Small Government

David Wall, JD, CPA, CFE

Senior Manager CliftonLarsonAllen LLP

In a sleepy little California burg, allegations of fraud in the local government were the last thing

one would expect to find. However, evidence of fraud was encountered by the external auditor, causing him to suspend the annual audit of the City's financial statements, pending resolution

of the questionable transactions. Before long, a full-scale fraud audit was underway, and results revealed a disturbing picture of back-scratching, cons, and rackets worthy of big-city attention.

In this session, participants will: Study a forensic audit that addressed allegations of improprieties in the City's

contracting process, and the conduct of select City contractors.

Review detailed inside information regarding techniques and approaches employed in a government forensic audit.

Explore the bidding and engagement process and communication with the City's point of contact.

Discuss the format and content of findings and observations occurring in a politicized environment.

David Wall has been employed in the areas of financial investigation and fraud audit for over

25 years. He is a fraud specialist leading forensic investigations in governmental entities,

nonprofit organizations, and middle market corporations. He represents a number of

prosecutorial offices, including the Riverside County District Attorney, and works on behalf of

private litigants in state and federal litigation involving fraud, embezzlement, breach of fiduciary duty, fraudulent transfer, and similar claims.

CS 3-3: Understanding The Trustworthiness Equation

Barbara Martin, CIA, CPA, CRMA

Principal

Expert Audit Management, LLC

The trustworthiness equation includes four primary factors: credibility, reliability, relationship strength, and self-interest. This presentation will assist participants in developing a clear

understanding of each of these factors.


Review the components of each factor: o Credibility — technical skills and credentials. o Reliability and objectivity — fact-based presentations, honesty, and consistency. o Relationship strength — delivering meaningful findings and respectful. o Self-interest — putting the interest of the organization first.

Correlate these four factors to internal culture.

Define opportunities and challenges related to these factors.

Learn steps to facilitate the development of the audit function as a trusted adviser. Barbara Martin has more than 20 years of executive management and CAE experience and

founded her company which provides comprehensive internal audit services ranging from crisis management and forensic review to process facilitation in department setup and restructure, risk assessment implementation, and audit performance for a range of private companies and governmental entities Prior to starting her company, as CAE she established three new audit

departments and re-engineered two departments. Martin performs Quality Assurance Reviews for state governments and the Local Government Auditors Association and teaches seminars on

over 30 topics in North America.

CS 3-4: Empowered Professional Skepticism

Noel Haskins-Hafer, CIA, CRMA, CISA, CISM, CGEIT, CRISC, CFE

Compliance Technical Manager, Small Business Group

Intuit, Inc.

From the first day in the business, every auditor hears, “Professional skepticism is critical to

your success.” So why can’t more auditors define the term and identify the tools they use to

increase their ability to apply this core skill? Explore the elements of skepticism and learn some

tools that can increase audit relevance, quality, speed, and value.


Understand the elements of professional skepticism.

Recognize the intersection between skepticism and critical thinking.

Learn new tools for applying critical thinking to audit and consulting engagements.

Noel Haskins-Hafer advises senior leadership on building software that complies with U.S.,

international and industry laws, regulations, and standards. She has created award-winning

audit programs for emerging technologies, designed and overseen anti-money laundering and

fraud management programs, and developed a partner risk assessment methodology. Haskins -

Hafer has represented Intuit at numerous audit industry conferences and was the first industry

representative to San Diego State University’s Center for the Teaching of Critical and Creative

Thinking.

CS 3-5: CIA Exam Preparation Course: Part 3 —Internal Audit Knowledge Elements


Trainer and Owner









for this course.



Risk Management


Communication






the exam.





CS 4-1: Medical Device Security: The Transition From Patient Privacy To Patient Safety

Adam Brand

Director

Protiviti

Health care security has been heavily focused on patient privacy and protecting patient

information from breach or unauthorized access. But as health care professionals, do we have a

greater responsibility to focus on patient safety? In an effort to increase quality of care, we

have begun to network medical devices and have increased our adoption of mobile and digital

health technology. What happens when our dependence on this life-saving technology

outpaces our ability to secure it?

Adam Brand is a director with Protiviti’s Security and Privacy practice. He has more than 17

years of experience in information technology and security, in areas ranging from compliance to

incident response. Brand has worked closely with internal audit organizations across many

industries in conducting information security reviews and is able to bring a unique perspective

as someone who has been “on the ground” in major breach investigations. He is a frequent

speaker on information security topics at both IIA and information security industry events.

CS 4-2: People-Centric Skills: Crisis Management

Danny Goldberg, CIA, CCSA, CGEIT, CISA, CRISC, CRMA, CPA Founder

GoldSRD

Crisis management is a unique practice that is only necessary at the most dire times. When it is

practiced appropriately, it can save a company from the worst outcomes. This session will take

attendees through the basics of crisis management, who does it well, and the risk/compliance

role in this process.


Learn lessons from companies that mishandled crisis management to the extreme. Discuss how to handle crisis messaging when social media has exposed every facet of

life.

Understand how to deal with the pervasiveness of social media.

Participate in a discussion on handling a significant personal crisis.

Danny Goldberg oversees his firm which is a leading provider of staff augmentation, executive recruiting, and professional development services. He has nearly 20 years of audit experience, including five as a CAE/audit director at two diverse companies and has been speaking and

training for seven years. Goldberg was named as one of the Fort Worth Business Press 40 Under 40 for 2014, and is the author of People-Centric© Skills: Communication and Interpersonal

Skills for Internal Auditors.

CS 4-3: Vendor Management and Information Technology Oversight

Greg Matayoshi

Principal Consultant

TAP International

IT-related vendor requirements, such as SOC1, SOC2, PCI, HIPAA, and Sarbanes-Oxley are often

overlooked in the procurement and vendor management process. This can result in increased

risk to the organization from both a financial and reputational perspective. What can an

organization do to minimize this risk and provide assurance that vendors are meeting their

requirements to manage company/organization information and transactions in a secure and

confidential manner?


Learn about the major IT-related requirement areas with which vendors should comply) SOC, PCI, HIPAA).

Describe the vendor acquisition process and how to mitigate the risk of IT oversight failure.

Discuss vendor monitoring and how to ensure vendors are complying with

requirements.

Greg Matayoshi has over 20 years of professional financial, accounting and IT auditing

experience, having conducted more than 125 audits of financial, retirement, tolling, purchasing,

e-commerce, permitting, and health care systems for state and local agencies. He has

conducted post implementation reviews of information system to identify root causes of

system inaccuracies and reporting issues, including developing logic modeling to enhance

financial reporting.

CS 4-4: Leveraging the COSO Framework Beyond Financial Reporting

Weston Nelson

Director

Moss Adams LLP

Have you considered how you would respond to questions of whether you have an appropriate

internal control framework over FCPA (Foreign Corrupt Practice Act), anti-bribery, anti-

corruption, third-party, or cybersecurity? Or any other compliance, regulatory, or operational

requirement that organizations face today? This session will explore how to practically apply a

consistent framework that can improve alignment between activities.


Acquire a thorough understanding of the COSO Framework.

Develop a flexible compliance approach that is easily adaptive using the COSO Framework.

Identify examples of where to begin using FCPA.

Discuss leveraging and linking into the organization’s larger ERM practice.

Weston Nelson has provided financial compliance, internal control, and risk management

services since 1996. His risk management services include internal audits; Sarbanes-Oxley

compliance, process, and control analysis; IT compliance and strategy; IT governance; ERP

solutions; and anti-bribery. Nelson has a broad-based collaborative approach to risk

management, working with stakeholders to understand business and compliance risks while

developing strategies to improve, remediate, and monitor compliance and risk management

efforts. He has helped companies develop appropriate strategies to address regulatory rules

and compliance with the Public Company Accounting Oversight Board (PCAOB), Control

Objectives for Information and Related Technology (COBIT), Foreign Corrupt Practice Act

(FCPA), and Sarbanes-Oxley. Nelson has led global compliance practices and strategy for

multinational companies in the Fortune 100, Big Four, and regional public accounting

environments. He began his career with a Big Four firm and was most recently the global

finance compliance director for Nike. Nelson previously spent two years at Moss Adams

providing business risk management and control solutions, helping clients implement and

manage Sarbanes-Oxley 404 engagements and internal controls over financial reporting.

CS 4-5: CIA Exam Preparation Course: Part 3 — Internal Audit Knowledge Elements


Trainer and Owner









for this course.



Risk Management


Communication






the exam.




Thursday June 8, 2017 8:30 – 9:45 AM

GS 2: Audit Never Sleeps

Angela Witzany, CIA, QIAL, CRMA

Head of Internal Audit

Sparkassen Versicherung AG Vienna Insurance Group

Internal audit practitioners must vigilantly identify and respond to the risks facing their organizations. IIA 2016–17 Global Chairman Angela Witzany will discuss her theme, “Audit Never Sleeps,” to highlight how internal auditors serve as trusted advisers and partners to boards, audit committees, and management by providing round-the-clock assurance on the

strategies and practices organizations adopt to address risks.

In this session, participants will learn the importance of: • Communicating well.

• Adopting an integrated mindset. • Operating transparently and ethically.

• Thinking strategically.

Angela Witzany has been an internal auditor in the insurance sector since 1997, when she

developed Sparkassen Versicherung’s new internal audit function. She has served there as head

of internal audit since 2001, and now has responsibility for internal audit activities in Austria

and Central Eastern Europe. Further, Witzany serves as the Austrian Insurance Association’s

vice president of the Committee of Internal Audit and Control. She is the 2016–17 chair of The

IIA’s Global Board of Directors and has served in numerous leadership roles for about 10 years,

including the Finance Committee, Professional Guidance Advisory Council and on the

Professional Certifications Board. She also served as a board member of the European

Confederation of Institutes of Internal Auditing (ECIIA) and completed a term as vice president

in 2015. Witzany is a frequent speaker and moderator at internal audit conferences and has

written about internal audit-related topics for a number of publications. She is a lecturer and

trainer on internal auditing in the insurance industry at Johannes Kepler University Linz in Austria.

Thursday June 8, 2017 10:15 – 11:30 AM

CS 5-1: Hunting for Hackers: How to Turn the Tables on Attackers

Adam Brand

Director

Protiviti

Would you know if your organization has been hacked? Publicly available data suggests that the

odds are not in your favor. In this session, you will learn from an experienced threat hunter

about the challenges organizations face in detecting breaches. You’ll also learn what threat

hunting is, and how threat hunting can be leveraged in an internal audit context to evaluate an

organization’s breach-detection capabilities.


• Understand the challenges involved in detecting breaches • Define key types of detection technologies and understand their strengths and

limitations • Understand what threat hunting is, and how it can help decrease breach detection time • Understand how threat hunting concepts can be used in an internal audit context to

evaluate an organization’s breach detection capabilities, and provide a point-in-time view on what signs exist of a breach

• Identify the key technology areas and attributes that are relevant to threat hunting, and how signs of a breach can be revealed

Adam Brand is a director with Protiviti’s Security and Privacy practice. He has more than 17

years of experience in information technology and security, in areas ranging from compliance to

incident response. Brand has worked closely with internal audit organizations across many

industries in conducting information security reviews and is able to bring a unique perspective

as someone who has been “on the ground” in major breach investigations. He is a frequent

speaker on information security topics at both IIA and information security industry events.

CS 5-2: Extracting Maximum ROI From Audit Data Analytics

Tom Austin, CIA

Vice President, Governance Risk and Control

Cisco Systems, Inc.

Data analytics is undeniably the present and future of audit. But user adoption has been mediocre

at best. What are some common pitfalls (cultural fit, methodology, quality, etc.) of data analytics

that lead to this phenomenon? Can data analytics be embedded within your audit methodology?

How do you maximize ROI on your data analytics investment?


• Identify barriers to adoption of data analytics. • Design an audit plan to drive analytics adoption.

• Lead the way with federated compliance analytics. • Empower not one but ALL three lines of defense.

Tom Austin oversees Cisco’s governance, risk, and controls organization that partners with

internal business units. Previously, Austin worked at Applied Materials for 16 years, most

recently as vice president and CFO for the display and solar business segments. Prior to Applied

Materials, Austin worked with PriceWaterhouseCoopers in business assurance and with Merrill

Lynch & Co. in investment banking.

CS 5-3: Investigating Contracting and Procurement Fraud

Robert Campbell, CIA, CRMA, CFS

Chief, Office of County Investigations

Los Angeles County Auditor-Controller

Fraud in contracting and procurement can result in significant losses, compromise the

competitive solicitation process, and impair confidence and trust in management's control over

operations. This seminar will examine recent trends in procurement and contracting fraud

through a discussion of real cases, and review the elements of common procurement and

contracting fraud schemes, bid rigging, and contractor-employee conflicts of interest.


Review the elements of common procurement, contracting fraud schemes, and bid rigging.

Discuss strategies for detecting procurement and contracting fraud.

Share investigative tips and lessons learned from real life cases proactive strategies for procurement fraud prevention.

Robert Campbell is responsible for administering the County’s fraud hotline and overseeing

criminal and administrative investigations of fraud, waste, and abuse within Los Angeles County

government. He also oversees the Office of the Chief Health Insurance Portability and

Accountability Act Privacy Officer, and the Office of the Children’s Group Home Ombudsman.

Campbell began his service with Los Angeles County in 1998 with the auditor-controller’s audit

division and has since served in a variety of assignments, including as a supervising investigator

in the Office of County Investigations, as assistant administrative deputy, as the audit chief, and

as assistant auditor-controller where he was responsible for overseeing various divisions

including accounting, disbursements, shared services, and the Office of Investigations.

CS 5-4: Internal Audit’s Role in Sustainability Accounting Disclosures

Doug Hileman, CRMA, CPEA

President

Douglas Hileman Consulting

There are several frameworks for non-financial reporting (NFR). The Sustainability Accounting

Standards Board’s mission is to focus on non-financial (or Sustainability) disclosures that should

be in companies’ financial filings in accordance with current SEC regulations. Whereas other

frameworks have been developed for a range of stakeholders, SASB’s focus is exclusively on the

investment community. SASB completed provisional standards for every sector and industry in

2016, and launched an information portal in 2017. SASB publications mention some roles for

Internal Audit.


Learn a high-level overview of SASB, risks and opportunities arising from Sustainability disclosures

Learn why 2017 is set to be a benchmark year for SASB

Review focus areas the SASB mentions for Internal Audit Learn other ways where Internal Audit can help organizations manage risks and leverage

opportunities in their organizations.

Douglas Hileman has 40 years of experience in compliance, operations, risk management, and

auditing. He has led his firm for nine years, after six years at PwC, nine years in industry, and

over 15 years in management consulting. His firm has clients nationwide and he has led conflict

minerals independent private sector audits (IPSAs) for the SEC conflict minerals rule for four

consecutive years. His firm has innovative approaches to nonfinancial (or “sustainability")

reporting, and safety program management. Hileman is a frequent speaker for IIA events and

other professional meetings nationwide.

CS 5-5: CIA Exam Preparation Course: Part 2 — Internal Audit Practice

Vicki McIntyre, CIA, CFSA, CRMA

President

FirstPlus Resolutions, Inc.


the topics covered on the Part 2 CIA exam. The course will reinforce your CIA knowledge,


attendee will have the opportunity to work through practice exam questions , learn test taking

tips, and will receive the updated Version 4.0 Part 2 IIA CIA Learning System™ self-study print,

e-book, and online materials. An additional fee of US$315 will be required to attend this

course. A limited number of on-site registrations will be accepted, so please pre-register for

this course.


Managing the Internal Audit Function Managing Individual Engagements

Fraud Risks and Controls


the exam.

Vicki McIntyre has helped CIA candidates successfully pass their exams for more than 7 years, having taught The IIA's CIA Learning System extensively. McIntyre manages her own internal audit and risk management consulting services firm, and has a combination of internal audit,

financial management, public accounting, regulatory supervision, and compliance management experience. With more than 20 years in the financial services industry, McIntyre has been a

regulatory bank examiner, and a vice president of both finance and risk management. She also performs quality assessments of internal audit activities on behalf of The IIA.

Thursday June 8, 2017 12:45 – 2:00 PM

CS 6-1: Beyond the Spreadsheet: The Use of Data Analytics to Achieve Excellency and

Efficiency

Scott Smith

Sales Engineer

Audimation Services

Data analytics has been around for more than 25 years, yet some professionals seem addicted

to pivot tables and spreadsheets. But data analytics tools are designed to handle large data

sets, have capabilities beyond the basic office software packages, and provide an additional

level of data integrity protection that spreadsheets can't offer. Learn how to apply data

analytics to your analysis and discuss data analytics applications and internal audit best practices.


Compare and contrast the use of data analytics through Excel and a data analytic software.

Understand the benefit and efficiency of the use of data analytics software.

Receive real-time examples of how data analytic software can help identify fraud. Be informed on the use of data analytic software as a core element of continuous

monitoring.

Scott Smith joined the organization in 2009 as an account manager and in 2014, migrated to

the sales engineer role, where he sharez his extensive technical background with prospective

clients who are evaluating IDEA. He presents solutions to key decision makers and helps

professionals determine how to apply data analytics to improve their work performance. Prior

to joining Audimation Services, Smith was the co-owner of a software development company

focused on technical sales, web-based front-end and database development, and also worked

for internet-based companies. Along with many years as a systems analyst and software

developer, Smith was a certified Oracle DBA and developer with emphasis on choosing the

industry leading tools for implementation into the development cycle.

CS 6-2: Emerging Trends in Fraud Investigations

Eugenia Wu

Manager

KPMG

Omid Yazdi

Partner

KPMG

This presentation will discuss the concept of fraud risk factors as well as types of fraud. Based

on a recent global survey, we will review the profile of a fraudster and discuss the approach to

investigating fraud. The session will conclude with an overview of an anti-fraud program and control framework.


Describe characteristics of fraud risk factors

Explain profile of a fraudster based on surveys performed

Provide an overview of types of fraud Discuss means of detection

Discuss recommendations on strong anti-fraud programs and controls.

Eugenia Wu serves in KPMG’s U.S. Forensic Advisory Services Practice. She has 10 years of

professional experience, including the last six years providing forensic accounting services. Wu’s

experience includes providing services in corporate fraud investigations, compliance, fraud and

misconduct risk management, and anti-bribery and corruption services.

Omid Yazdi has 25 years of international experience assisting KPMG’s clients with financial statement audits, fraud risk management, forensic accounting, economic recovery analysis, and litigation advisory services. He has served clients around the world and has led a number of large complex investigations. Yazdi has provided in-depth presentations to boards of directors, the Securities and Exchange Commission, the United States Attorney’s Office, the Federal Bureau of Investigation, and the Securities and Exchange Board of India.

CS 6-3: Culture: Can You Really Audit It?

Mike Fucilli, CIA, QIAL, CGAP, CRMA, CFE

Auditor General

Metropolitan Transportation Authority

In our fast-paced global economy, culture is now one of the top risks facing business leaders

and has a direct impact on financial performance, employee morale, and the achievement of

business goals. In essence audit the culture and you will be auditing the strategy of the

company. This session will explore the risks associated with culture and key ways auditors can

identify solutions to deal with them in their audits.


Define business culture.

Learn to practically incorporate culture concepts into risk assessments and audits.

Identify changing business cultural shifts and their effect on GRC.

Mike Fucilli leads a staff of 85 internal auditors at North America’s largest public transportation

agency, with an operating budget of $15 billion and a capital budget that exceeds $5 billion

annually. He has more than 35 years of internal audit experience, having started his career with

Manufacturers Hanover Trust (now Chase Bank) performing procurement audits of large

government contracts including audits of NASA, the U.S. Army and Air Force, and Voyager 1.

Fucilli has served in various leadership roles at the national and global level for The IIA,

currently serving as the vice president of development of the Internal Audit Foundation. He is

an adjunct professor for Pace University, teaching The IIA’s CIA Learning System for the

Certified Internal Auditor exam.

CS 6-4: Security and Dev Ops in the Financial Sector

Bob Justus

Managing Executive Director, Office of the CISO

OPTIV

Traditional application security approaches must evolve to accommodate more agile

development strategies. Guidelines that would allow the audit function to provide independent

assurance would be helpful, such as those covering application security architecture, trust

model, entry and exit points, data flow and specific areas of security pertaining to the

application (identity, authentication, authorization, roles, confidentiality, integrity, availability, input validation, configuration management, and more).


Reveal how to align the information security program with business goals and strategies, emphasizing application development.

Uncover steps for turning DevOps into Security DevOps.

Discuss maintaining agility for developers and the business with security helping rather than getting in the way.

Learn how audit participates and provides assurance from a third line of defense perspective.

Bob Justus brings more than 26 years of risk management experience to his role leading a team

of CISOs positioned to help clients with all aspects of cybersecurity. Prior to joining Optiv, Justus

served for more than 13 years as CISO and senior vice president of corporate information

security and IS/IT contingency planning for Union Bank-MUFG. In addition, Justus has held

positions in audit, operations, and architecture. Most recently, Justus was CSO and director of

GRC Services for Allgress and Siege Secure, which are governance, risk, and compliance software and services companies.

CS 6-5: CIA Exam Preparation Course: Part 2 — Internal Audit Practice Vicki McIntyre, CIA, CFSA, CRMA President FirstPlus Resolutions, Inc.








this course.





the exam.

Vicki McIntyre has helped CIA candidates successfully pass their exams for more than 7 years, having taught The IIA's CIA Learning System extensively. McIntyre manages her own internal audit and risk management consulting services firm, and has a combination of internal audit, financial management, public accounting, regulatory supervision, and compliance management experience. With more than 20 years in the financial services industry, McIntyre has been a regulatory bank examiner, and a vice president of both finance and risk management. She also performs quality assessments of internal audit activities on behalf of The IIA.

Thursday June 8, 2017 2:30 – 3:45 PM

CS 7-1: Conducting a Successful Business Continuity Audit

Dan Kushmak Vice President, Audit & Regulatory Response Manager Union Bank

Phillip Bigge

Vice President, Consulting Services Ripcord Solutions

For many companies, the thought of a business continuity audit is chilling. And one of the

reasons organizations freak out about audits is that many are struggling with their continuity

programs. In this program, you will learn how to audit and help ensure a well-defined and mature BC/DR program is in place (hint: it is not found in the plans).


Learn how to audit a BC/DR program and help turn it into a best-in-class BC/DR

program.

Discover steps to ensure the program has the capability to recover.

Gain an understanding of how to succeed at meeting regulatory and customer demands while meeting organizational objectives.

Daniel Kushmak has over 25 years of IT, information security, risk management, and IT audit

experience. He has held various technical and leadership roles for financial, health care,

insurance, manufacturing, and transportation industry leaders.

Philip Bigge has nearly 20 years of experience working with Fortune 500 companies to build sustainable business continuity, technology disaster recovery, vendor continuity, and crisis

management programs across the globe. He has successfully led these organizations through more than 35 major disasters, and successfully integrated many of these programs into IT risk management divisions.

CS 7-2: The Evolution of Privacy Risks

Eric Dieterich, CIPP, CISA, CISC, CHP Partner Focal-Point Data Risk

As the privacy landscape continues to mature, we need to ensure our privacy programs are

keeping pace. This session will focus on privacy risk assessment best practices and the

implications they can have on the maturity and oversight of your privacy program including

control identification and monitoring through privacy audits. Establishing a clear linkage

between these activities allows an organization to more effectively communicate the

identification of privacy risks, the importance of privacy controls implemented throughout

business operations, and how to monitor and report on the effectiveness of these activities. A

key highlight of the session will be an interactive walkthrough of various privacy risk assessment

activities, establishment of potential privacy controls, measurement of privacy risks, and

reporting mechanisms that can be followed by organizations across industries.


• Gain an understanding emerging privacy/cyber security trends

• Learn dissecting recent regulatory enforcement actions

• Identify privacy risk factors

• Perform a privacy risk assessment

• Learn Audit’s role in communicating privacy risk’s

Eric Dietrich has over 15 years of IT advisory and governance experience with regulatory and

industry standards including GLBA, HIPAA, GAPP and NIST 800-53. He has successfully

developed and implemented privacy programs for leading multinational organizations, assisting

in their efforts to become compliant with local and international data privacy laws. Dietrich has

also performed IT risk assessments, strategic business assessments and audits for org anizations

across various industries.

CS 7-3: Pulse of the Profession: A Focus on Government and the Public Sector

John Wszelaki, CIA, CRMA, CFE Director of ACGA, NA Services

The Institute of Internal Auditors, Global Headquarters Results from the North American Pulse of Internal Audit survey, focusing on the public sector and government auditor perspective, will be discussed in depth during this session. Attendees will learn how to lead courageously and instill confidence from within. In this session, participants will:

Consider risks from company communications not traditionally subject to independent assurance (e.g. analyst presentations, sustainability reporting, operational reporting, etc.).

Gain an understanding of environmental, health and safety risks. View how various internal audit functions are utilizing data analytics.

Consider interpersonal dynamics between internal audit and others in the organization and how that impacts reviews that are conducted.

John Wszelaki is the Director of the American Center for Government Auditing at The Institute

of Internal Auditors, the global professional association and standard-setting body for internal

auditors. Wszelaki is recognized as a long-time leader in advancing the internal audit profession

on the local and national levels, sharing best practice approaches and mentoring fellow

professionals. He also is deeply versed in risk management, internal control, governance, and investigative techniques.

CS 7-4: Expense Reports: Following the Road to Fraud

John Tonsick, CPA, CFE

Deputy General Auditor The Metropolitan Water District of Southern California Expense reports are trivial, right? Small dollars that don’t add up to much in the grand scheme

of things. A pain to prepare, a pain to review, hardly worth the time or attention of a world-

class internal audit function. ACFE’s 2016 Report to the Nations has abundantly proven

otherwise with some staggering statistics. So think again.


• Explore the findings of ACFE’s 2016 Report to the Nations, revealing that expense report fraud represented 14% of all asset misappropriations with median losses of

$40,000. • Discuss revealing details such as the propensity for expense-report fraudsters to be

involved in other, more damaging fraudulent schemes. • Learn how to identify and investigate fraudulent employee expenses.

• Discover effective techniques for minimizing your risk. John Tonsick is a leading expert on fraud, with his unique perspective shaped by more than 35 years of experience as a "Big 4" auditor, consultant, and Fortune 50 executive. He has published numerous articles on the subjects of fraud and corporate governance and is a contributing author to Fraud Casebook: Lessons from the Bad Side of Business. He has been interviewed by MSNBC, the Wall Street Journal, CFO Magazine and the Los Angeles Business Journal. CS 7-5: CIA Exam Preparation Course: Part 2 — Internal Audit Practice


President FirstPlus Resolutions, Inc. This Part 2 CIA course is designed to give candidates a high level introduction and overview of







this course.





the exam.

Vicki McIntyre has helped CIA candidates successfully pass their exams for more than 7 years, having taught The IIA's CIA Learning System extensively. McIntyre manages her own internal

audit and risk management consulting services firm, and has a combination of internal audit, financial management, public accounting, regulatory supervision, and compliance management experience. With more than 20 years in the financial services industry, McIntyre has been a regulatory bank examiner, and a vice president of both finance and risk management. She also performs quality assessments of internal audit activities on behalf of The IIA.

Thursday June 8, 2017 3:55 – 5:10 PM

CS 8-1: Privacy Program Accountability and Risk Management

Nancy L. Apolonio, CIPP/US, CIPT Manager II, Privacy Compliance

Hyundai Capital

Lincoln Guy, CIPP/US, CIPP/C, CIPT, CIPM, FIP Senior Manager, Privacy Compliance

Hyundai Capital America Billy Spears Chief Privacy Officer Hyundai Capital America

With such differences in privacy requirements across borders, it is challenging to determine the

maturity of a privacy program in a consistent manner. On a local level, it is challenging to

translate privacy concerns into business risks that can be measured, communicated, and

managed. This session will include a discussion and demonstration of how one organization

manages accountability with privacy program maturity and manages ongoing privacy risk.


Learn about the challenges and opportunities of making privacy accountability a global discussion.

See a unique, evidence-based approach to privacy program maturity assessments.

Learn the difference between inherent and residual risk and other key risk management terms.

Be introduced to tools and techniques for managing privacy risk.

Nancy Apolonio provides subject matter expertise and in-depth knowledge of privacy

compliance, conducts privacy risk reviews, and balances business needs and privacy risks to

advance business objectives. She is responsible for developing and managing HCA’s privacy

program framework and privacy risk register. Prior to joining HCA, Apolonio delivered a privacy

innovation initiative that saved her organization $1.2 million annually, which received an award

at the TFS’ Innovation Fair in 2015. She is an Oracle Certified Professional.

Lincoln Guy is a compliance professional who has worked for Hyundai Capital America for 12 years. For nearly the last four years, he focused on building a privacy compliance program from

the ground up. He has worked to establish and mature processes around privacy risk identification and mitigation at all stages of the information life cycle. Through risk

management efforts and internal business consultations, Guy advocates for consumer privacy while striving to enable company success.

Billy Spears is responsible for overseeing the information policy, privacy compliance, and

privacy governance practices. As a thought leader and advisor to executive leadership, he

regularly consults on various privacy and information security initiatives discovering methods to minimize cyberrisk and safeguard data. Spears leads HCA’s engagement for privacy related industry initiatives and has experience in both the public and private sectors. Prior to HCA, he held similar roles with General Electric, Dell, the U.S. Department of Homeland Security, and

the U.S. Marine Corps establishing himself as a collaborative business partner who uses technology to transform and simplify business processes.

CS 8-2: Fraud Risk Assessments/Anti-fraud Program

Mark Ruppert, CIA, CISA, CHFP, CPA, CHC, ACS

Director of Internal Audit Cedars-Sinai Health System

John Lefter, CIA, CRMA, CISA Director of Internal Audit Sharp HealthCare Does your organization expect fraud risk assessments? If not, why not? If they don’t, why as the

board or audit committee elected not to realize the importance of this service that internal

audit can provide? This session will provide you with insight into practices at two major health

care organizations with national reputations to protect.


Learn about two large organizations’ approaches to fraud risk management as well as their anti-fraud programs.

Discuss why it is important to perform a periodic overall assessment of the anti -fraud program.

Review a case study of an evaluation of programs to protect the organizations from significant acts of fraud through assessing the seven elements of an effective anti-fraud

program.

Mark Ruppert has more than 30 years of internal audit experience, the past 20+ in health care. He is active in the Association of Healthcare Internal Auditors where he served on the board for

a number of years and served as their chair in 2004. Ruppert has been speaking nationally since 2000, has been published in Compliance Today and New Perspectives on various audit and compliance topics, and has lectured on internal audit for the University of California Los Angeles and Riverside.

John Lefter joined Sharp in 2012 and is responsible for managing all operational, financial, and compliance audits. His previous experience includes positions in public accounting with EY as

well as internal audit experience in the defense and health care industries. Lefter serves on the audit committee for the Zoological Society of San Diego, and a Tech Talk committee member for the Association of Healthcare Internal Auditors.

CS 8-3: Auditing for Impact in the Government Environment

Mike Fucilli, CIA, QIAL, CGAP, CRMA, CFE

Auditor General

Metropolitan Transportation Authority

To be successful, internal auditing must be grounded in management support and acceptance

and on imaginative service to management. This session will explore ways auditors can mount a

continuing campaign to sell their products to executive management and the issues that they

raise will have the business impact that will capture and keep management’s interest.


Learn why audit departments need to focus on impact.

Discuss how auditing the strategy and auditing the business will dramatically increase your impact on your organization.

Learn how to add value through the use of COSO.

Mike Fucilli leads a staff of 85 internal auditors at North America’s largest public transportation

agency, with an operating budget of $15 billion and a capital budget that exceeds $5 billion

annually. He has more than 35 years of internal audit experience, having started his career with

Manufacturers Hanover Trust (now Chase Bank) performing procurement audits of large

government contracts including audits of NASA, the U.S. Army and Air Force, and Voyager 1.

Fucilli has served in various leadership roles at the national and global level for The IIA,

currently serving as the vice president of development of the Internal Audit Foundation. He is

an adjunct professor for Pace University, teaching The IIA’s CIA Learning System for the

Certified Internal Auditor exam.

CS 8-4: Affordable Care Act: Why Internal Audit Is Key in Helping Protect the Company

An Buchhagen, CIA

Director Internal Audit

Raytheon Company

Jennifer Allen

Senior Internal Auditor

Raytheon Company

Robert Alexander, CIA, CRMA

Senior Manager, Internal Audit

Raytheon Company

The first year of reporting under the Employer Mandate has passed, leaving some companies

breathing a sigh of relief. This year, the risks of failing to comply increases significantly as parts

of the ACA become active and penalties are indexed year over year. As the bar is raised,

internal audit needs to assess the company’s risk of not complying with ACA regulations.


Understand the reporting regulations and importance of compliance with the Employer Mandate of the ACA.

Explore internal audit's role in assessing risks, identifying gaps and potential areas impacted (Supply Chain, Human Resources, Timekeeping, Information Technology, Finance, Legal), and advising cross-functional management on potential exposures as the requirements get stricter and penalties increase each year.

Examine strategies to ensure compliance to avoid penalties assessed by the IRS.

Learn how failing to comply may be material to the financial statements. Discuss steps to take once a penalty is assessed by using the appeals process

An Buchhagen directs internal audit plan activities across the company. Her key focus areas

include strategic initiatives, accounting, shared services, supply chain, international business

and finance, human resources, regulatory compliance, and legal. Buchhagen has more than 25

years of business and audit experience.

Jennifer Allen has nearly 10 years of internal audit experience (five in health care) in assessing

the adequacy of internal controls, testing the operating efficiencies of operations, IT general

controls, the reliability of financial reporting, process improvement, and compliance with policies and procedures.

Bob Alexander has more than 25 years of comprehensive financial services and auditing

experience including management, analysis, financial reporting, Sarbanes -Oxley-like activities (nonpublic company) and productivity improvements, as well as conducting and providing

management reports of internal audits.

CS 8-5

CIA Exam Preparation Course: Part 2 — Internal Audit Practice


President









this course.


Managing the Internal Audit Function

Managing Individual Engagements Fraud Risks and Controls


the exam.

Vicki McIntyre has helped CIA candidates successfully pass their exams for more than 7 years,

having taught The IIA's CIA Learning System extensively. McIntyre manages her own internal audit and risk management consulting services firm, and has a combination of internal audit,

financial management, public accounting, regulatory supervision, and compliance management experience. With more than 20 years in the financial services industry, McIntyre has been a

regulatory bank examiner, and a vice president of both finance and risk management. She also performs quality assessments of internal audit activities on behalf of The IIA.

Friday June 9, 2017 8:30 – 9:45 AM

GS 3: Designing a Future-Focused Audit Engagement That Delivers Results That Matter

Norman Marks, CPA, CRMA

Evangelist

Norman Marks

The new Core Principles for the Effective Practice of Internal Audit talk about how we need to

be "proactive and future-focused". What does that mean and how is it achieved? In this

session, Norman Marks will talk about how internal auditors can design engagements that focus

on the risks of today and tomorrow. What he considers the "risks that matter".

Norman Marks is an advocate for “better run business,” focusing on risk management, internal audit, corporate governance, enterprise performance, and the value of information. He is also a

mentor to individuals and organizations around the world. Marks was the chief audit executive of major global corporations for 20 years and is a globally recognized thought leader in the

professions of internal auditing and risk management. In addition, he has served as chief risk officer, compliance officer, and ethics officer, and managed what would now be called the IT

governance function (information security, contingency planning, methodologies, standards,

etc.). He ran the Sarbanes-Oxley Section 404 programs and investigation units at several companies. Marks has authored four books: World-Class Risk Management; Management’s Guide to Sarbanes-Oxley Section 404: Maximize Value Within Your Organization; World-Class Internal Audit: Tales from my Journey; and How Good Is Your GRC? Twelve Questions to Guide

Executives, Boards, and Practitioners. He is a member of the review boards of several audit and risk management publications (including the magazines of The IIA and ISACA, a frequent

speaker, the author of award-winning articles, and a prolific blogger about better run business, consistently rating as one of a top global influencer.

Friday June 9, 2017 10:15 – 11:30 AM

GS 4: Practical Creativity: From Pie-in-the-Sky to Boots-on-the-Ground

Mike Jacka, CIA

Chief Creative Pilot

FPACTS

The concept of creative auditing is often thought of as an oxymoron. However, the application

of creativity is the cornerstone of innovation, and innovation is the cornerstone of internal

audit's ability to maintain relevance into the future. Based on real-life experiences, this session

will discuss how auditors can instill creativity within themselves and their departments while

also demonstrating how that creativity can be used to develop practical innovations within the

department and the organization.


Gain an understanding of why creativity is important to the profession

Learn techniques that can be used in building a creative environment

Gain an understanding of the roles of creativity and innovation

Learn practical applications for using innovation to improve the internal audit process

Mike Jacka is an award-winning columnist, top-rated presenter, and author known for his work

with Internal Auditor magazine, including the blog “From the Mind of Mike Jacka” and the

magazine’s lighter side pieces. After a 30-year career in internal audit, he is now the Chief

Creative Pilot for Flying Pig Audit, Consulting, and Training Solutions (FPACTS). He is the co-

author of Business Process Mapping: Improving Customer Satisfaction; Auditing Social Media: A

Governance and Risk Guide; and The Marketing Strategy: A Risk and Governance Guide to

Building a Brand. He also recently published Auditing Humor and Other Oxymorons.

Friday June 9, 2017 12:00 PM – 5:00 PM

Post Conference Workshop

CIA Exam Prep Course: Part 1 — Internal Audit Basics


President







e-book, and online materials. An additional fee of US$315 will be required to attend this course. A

limited number of on-site registrations will be accepted, so please pre-register for this course. Course

topics will include:

Mandatory Guidance Internal Control/Risk

Conducting Internal Audit Engagements – Audit Tools and Techniques

Please note: additional self-study time outside of the classroom will be necessary to prepare for the exam.

Vicki McIntyre has helped CIA candidates successfully pass their exams for more than 7 years, having taught The IIA's CIA Learning System extensively. McIntyre manages her own internal

audit and risk management consulting services firm, and has a combination of internal audit, financial management, public accounting, regulatory supervision, and compliance management

experience. With more than 20 years in the financial services industry, McIntyre has been a regulatory bank examiner, and a vice president of both finance and risk management. She also performs quality assessments of internal audit activities on behalf of The IIA.

tuesday june 6, 2017 8:00 am 5:00 pm documents... · tuesday june 6, 2017 7:30 – 10:00 am chief...

Documents