IIA and ISACA Spring Conference - The Institute of Internal Auditors

15TH ANNUAL
IIA and ISACA Spring Conference
MARCH 10-12, 2014
University of Michigan-Dearborn
Fairlane Center

Welcome
If you are responsible for your company's internal auditing, information systems
security and integrity, accounting, finance, Sarbanes-Oxley compliance or other
regulatory matters, or simply getting back to the basics, you will want to join us for
the 15 th annual Detroit Spring Conference.
The Detroit Chapters of the IIA and ISACA are proud to co-sponsor the annual Spring
Conference. Each year, the conference committee spends a considerable amount of
time planning a comprehensive series of course offerings for our members and guest.
The 2014 event is no exception.
A number of classes sell out each year. Don't miss this opportunity to network with
your peers, enhance your skills, and learn about new products and services in the
marketplace! Our goal is to provide a training conference of world-class caliber
tailored to your needs.
We look forward to seeing you at the Spring Conference.
- The 2014 Spring Conference Committee
RETURNING THIS YEAR! – VENDOR EXPO
We have invited many audit and assurance vendors to set up displays during the
conference giving you an opportunity to learn about products and partners that are
in the marketplace, and their associated benefits for your organization.
A Special Thanks to our Platinum Sponsors who continue
to give generous support to this annual event!
TBD
TBD
TBD
1

2014 CONFERENCE PROGRAM
TRACK MON MARCH 10 TUES MARCH 11 WED MARCH 12
A
Listening and Positive
Influencing Skills
(Dr. Joan Pastor)
Effective Interviewing
Skills
(Dr. Joan Pastor)
Managing Resistance and
Conflict Before, During and
After an Audit
(Dr. Joan Pastor)
B
Organizational Ethics and
Compliance
Procurement Fraud:
Tools and Techniques
Forensic Interview and
Interrogation
(Paul Zikmund)
(Paul Zikmund)
(Paul Zikmund)
C
Internal Audit University
(Hernan Murdock)
D
Risk-Based Auditing
(Greg Duckert)
E
Intermediate ACL
(Opher Jackson)
F
G
H
Auditing IT Outsourcing
(Norm Kelson)
Cyber Security and
Emerging Risks
(John Tannahill)
Assessing Data Integrity
(John Beveridge)
Ethical Hacking
(John Tannahill)
COSO 2013: Implementing the Framework
(Kathleen Crawford)
I
COBIT 5
(Mark Edmead)
J
K
Planning for a Secure
and Controlled IPV6
Implementation
(Jeff Kalwerisky)
Identity and Access Management
(Ken Cutler)
How to Perform an IT General Controls Review
(Norm Kelson)
2

TRACK A -1
LISTENING AND POSITIVE INFLUENCING SKILLS
(DR. JOAN PASTOR, MONDAY)
7 CPEs
Seminar Focus and Features
Anyone who has to audit or conduct interviews, or who manages others as part of their
work, knows how important listening skills are. This is especially true in Western
countries, where we are known to have the worst listening skills of all cultures. Yet
little time is spent actually learning what exactly to do in order to listen well!
And, in order to influence really well, guess what? You have to first be an outstanding
listener!
In this one-day session, you will learn how to listen! You will also learn that listening is
actually a very active mental and physical process, and you will practice the single most
important behavior that will guarantee your ability to listen will increase exponentially.
You will also learn how to break any and all bad habits related to poor listening:
interrupting, daydreaming, poor rapport-building, and more. And as you learn how to
overcome these bad habits, you will at the same time learn all the secrets to building
the best collaborative audit relationship possible. Many of these skills can be applied at
the management level too – where ever you need to influence others to listen to you,
and to seriously consider what you have to say. This session will be tailored to the
specific roles and responsibilities of the participants. Again, when you leave, you will
not only know how to listen, but you will clearly understand the powerful connection
between listening and influencing, and you will know how and when to do both!
Prerequisite: None
Learning Level: Basic
Field of Study: Auditing
3

TRACK A -2
EFFECTIVE INTERVIEWING SKILLS
(DR. JOAN PASTOR, TUESDAY)
7 CPEs
Seminar Focus and Features
This one-day program focuses on the skills needed for a typical audit process
(interviewing in situations of suspected fraud is not the focus here, please refer to
Track B-3 for fraud interrogation and interviewing skills). The workshop lays out a
step-by-step process for conducting an interview that focuses on several key
principles. It is especially helpful to those performing collaborative, risk-based and
process focused audits, or for interviewing those in similar, technical types of
professions.
Role-plays are an important part of the training, and other exercises occur throughout
the day.
Program topics include:
1. The Collaborative Approach to Interviewing
2. Where Interviewing and Interviewing Skills Fit Into the Overall Audit Process
3. Six Steps of the Collaborative Interviewing Process
4. Planning a step-by-step process that is critical
5. The Initial Meeting (Opening the Interview)
6. Information Gathering and all about questions
7. Information Clarification and the secrets to probing deeper
8. How to Read Your Interviewee (discussed throughout the day)
9. Handling Resistant Individuals During Interviews
10. Dozens of subtle tactics to use during interviewing others
11. Ending the Interview
12. Documenting and Evaluating the Interview
13. Actual interview practice
14. Close and Action Plans
Prerequisite: None
Learning Level: Basic
Field of Study: Auditing
4

TRACK A -3
MANAGING RESISTANCE AND CONFLICT BEFORE,
DURING, AND AFTER AN AUDIT
(DR. JOAN PASTOR, WEDNESDAY)
7 CPEs
Seminar Focus and Features
A change-agent is one who uses his or her leadership position and expertise to assist
others in making necessary changes to increase efficiency and effectiveness in a work
function. Auditors don’t often realize that they are indeed in leadership positions, and
to the degree that you require others to change their thinking and their previous ways
of working, you are also a change agent.
We will focus on one key skill that must be mastered in order to make change happen -
people’s natural resistance to change, to suggestions and what are perceived as
corrections from others, and their resistance to “outsiders” coming into their territory
and asking them questions on how they do their work!
In this one-day workshop, you will learn:
1. The psychology behind resistance
2. How people become more or less resistance, and the specific places where you can
intervene in order to reduce resistance
3. How resistance is related to change, how that impacts their perception of you, and
how you can change that perception from adversary and troublemaker to
collaborator and partner
4. How resistance shows up at the various stages in an audit, and a step-by-step
process for minimizing resistance in each stage.
5. A special focus on managing resistance in the opening meeting so that you can
vastly reduce resistance and conflict throughout the rest of the audit as much as
possible (and what to do when you can’t)
6. The psychology of resistance in yourself (yep- you have it big-time and it gets
in your way), and how to greatly reduce your own stress around what you perceive
as their resistance to you!
7. Exercises teaching you what resistance looks like and feels like so that you can
catch it early, plus an exercise to help you and your audit team to plan in advance
for how to handle resistance that you suspect will arise
Prerequisite: None
Learning Level: Basic
Field of Study: Auditing
5

About the Instructor
Joan Pastor, PhD
Joan Pastor, Ph.D., is president of JPA International, Inc., and has been a professional
international speaker, trainer and coach since 1979. She is well-known for her training,
facilitation, and consulting skills, and has worked with numerous organizations to
develop their vision and then apply the strategies and processes to achieve it. Joan is a
certified speaking professional (CSP) and also a certified mediator, and has mediated
numerous workplace and business conflicts over the years. Her book, “Conflict
Management and Negotiation Skills for Internal Auditors” was published in 2007 by The
Institute of Internal Auditors. Her article “The Eight Habits of Highly Effective Audit
Committees” received the AICPA Excellence in Journalism Award in 2008.
The recipient of numerous awards, Joan has been working with the IIA chapters,
congresses and conferences since 1987 and with the AICPA and ACFE since 1998.
Joan and her associates focus on developing all the people, communication,
organizational and leadership skills associated with these professions. She has also
made pioneering contributions related to fraud and the white collar criminal, ethics,
fraud risk-assessment and business process management and its application to
organizational change (downsizing, fast growth, mergers & acquisitions). Her
consulting projects in collaboration with audit departments have ranged from
redesigning the major business processes for a major airline, redesigning a faulty 360-
degree performance management process, facilitating the acquisition and merger of
several hospitals and a college with another major university, and assisting in reengineering
risk assessment programs.
When the Enron debacle blew open, Joan unleashed the model that she had been
working on for over 10 years on the psychology behind fraud and unethical people in
business. It has been extremely well received from CFEs to Audit Committees to the
FBI to senior executive teams. Joan often works alongside legal counsel, audit and
executives on potential or discovered fraud situations, and has uncovered three
embezzlement and fraudulent schemes on her own as well.
6

TRACK B-1
ORGANIZATIONAL ETHICS AND COMPLIANCE
(PAUL ZIKMUND – MONDAY)
7 CPEs
Seminar Focus and Features
An organizational compliance program is an important mechanism to help ensure
effective governance. Auditing and evaluating compliance programs and controls is
critical to the success of any program, and not performed only to keep the regulators
happy. Compliance with regulatory requirements and the organization’s own policies is
a critical component of effective risk management. A well designed and effectively
administered compliance program helps organizations achieve business goals, maintain
ethical health, support long-term prosperity, and preserve and promote organizational
values.
A well designed internal audit plays an important role for evaluating the effectiveness
and efficiency of the organization’s compliance program.
In this session, attendees will learn the following:
1. Hallmarks of an effective compliance program
2. Auditing procedures for compliance programs
3. Communicating results to obtain best results
4. Determination of key compliance risks
5. Leveraging strategic partnerships to ensure success
Prerequisite: None
Learning Level: Basic
Field of Study: Auditing
7

TRACK B - 2
PROCUREMENT FRAUD: TOOLS AND TECHNIQUES
(PAUL ZIKMUND – TUESDAY)
7 CPEs
Seminar Focus and Features
Procurement of goods and services creates an increase in procurement fraud, which can
occur at any stage of the contracting and procurement process. Appropriate controls,
fraud detection & prevention strategies, and proper programs and controls related to
the tendering processes are necessary in the fight against procurement fraud. This
course provides tools and techniques related to practices for preventing, detecting and
investigating contract and procurement fraud.
Organizations are often defrauded through various procurement fraud schemes
including bid rigging, kickbacks, conflicts of interest, and fictitious invoicing schemes.
Consequently, you need to be aware of the vulnerabilities and risks associated with
these fraud schemes, which impact the purchasing, procurement and contract
functions.
In this course, attendees will learn the following:
1. Defining the procurement process
2. Laws and regulations impacting the procuring of goods and services
3. Techniques for detection, investigation and prevention of procurement fraud
4. Red flags of procurement fraud
5. Case studies
Prerequisite: None
Learning Level: Basic
Field of Study: Auditing
8

TRACK B - 3
FORENSIC INTERVIEWING AND INTERROGATION
(PAUL ZIKMUND – WEDNESDAY)
7 CPEs
Seminar Focus and Features
The increase of corporate fraud during the past several years has directed the attention
of the government, company boards, and shareholders to the auditing profession. Both
internal and external audit standards prescribe "forensic-type" procedures on every
audit to enhance the auditor's ability to uncover red flags for fraud.
Interviewing is a forensic tool available to auditors and, when conducted effectively,
can successfully uncover indicators of fraud during the audit. A successful interviewer
should possess basic interviewing skills to afford themselves the opportunity to observe
deceptive behavior. Auditors who are able to conduct focused discussions and alert
themselves to suspicious behavior are more likely to detect fraud.
Attendees will learn the following:
1. Uncovering signs of deception
2. Properly preparing for an interview
3. Investigative interviewing skills
4. Facts about lying and why they are important to an auditor
5. Trusting your intuition
Prerequisite: None
Learning Level: Basic
Field of Study: Auditing
9

About the Instructor
Paul E. Zikmund, CFE, CFFA, CFD
Paul E. Zikmund serves as Director, Global Ethics and Compliance, at Bunge in White
Plains, NY. He is responsible for managing and conducting investigations of fraud and
misconduct, implementing fraud detective techniques, administering the company’s
fraud risk assessment process, and managing anti-fraud programs and controls
designed to reduce the risk of fraud within the company.
Prior to joining Bunge, Paul worked as the Senior Director Forensic Audit responsible for
developing, implementing, and administering fraud risk management services at Tyco
and to clients in Princeton, NJ, and as the Director Litigation Support Services at
Amper, Politziner, & Mattia, LLP, in Philadelphia, PA.
He possesses nearly 20 years of experience in this field and has effectively managed
global fraud and forensic teams at various Fortune 500 companies.
Paul, who is a Certified Fraud Examiner, Certified Fraud Deterrence Specialist, and
Certified Forensic Financial Analyst, has designed and implemented programs to detect
and investigate instances of fraud. Paul also conducts fraud risk assessments and fraud
awareness training to help detect and deter fraud within organizations. His public and
private sector experience includes the investigation of complex financial frauds,
conducting forensic audit engagements, and providing litigation support for a variety of
industries.
Before joining Amper, Paul was a Principal, Fraud and Forensic Services at
SolomonEdwardsGroup, LLC and a Senior Manager – Enterprise Risk Services with
Deloitte and Touche, LLP. Prior to that, he served in a variety of in-house fraud and
forensic investigative roles with The Dow Chemical Company, Nortel Networks, and
Union Carbide Corporation. He began his career as a Municipal Police Officer, and then
a State Trooper and Special Agent with the Attorney General’s Office for the
Commonwealth of Pennsylvania.
Paul received a Bachelor of Science degree in the Administration of Justice and a
Certificate of Accountancy from The University of Pittsburgh. He continued his
education with a Masters of Business Administration at the University of Connecticut
and a Masters of Accountancy at Auburn University. Paul has authored various articles
relating to fraud detection, prevention, and investigation. He speaks regularly at
seminars and conferences on the topic of fraud and also teaches a graduate level fraud
and forensic accounting course at Rider University in New Jersey and LaSalle University
in Philadelphia.
10

TRACK C
INTERNAL AUDIT UNIVERSITY
(HERNAN MURDOCK – MONDAY - WEDNESDAY)
22 CPEs
Seminar Focus and Features
In this intensive three-day seminar you will master fundamental operational auditing
techniques and learn how to use a risk-based approach to enhance your audits of the
Purchasing, Marketing, Human Resources, Information Technology (IT), Management,
Finance/Treasury, and Accounting functions.
You will explore the objectives of major business operation areas and learn how to
identify the key risks threatening them. You will find out how to make your audits more
efficient and effective and how to use data analytics to gain an in-depth understanding
of business processes. You will cover such critical areas as the impact of SOX, ERM, and
GRC on the organization, uncovering fraud schemes that threaten business operations,
and the role of IA in helping management build strong risk management and strategic
planning processes. You will leave this high-impact seminar with the skills necessary to
go beyond outputs and to examine the organization’s ability to achieve the necessary
outcomes.
Prerequisite: None
Learning Level: Basic
Field of Study: Auditing
About the Instructor
Dr. Hernan Murdock, CIA, CRMA
Dr. Hernan Murdock is a Senior Consultant with MIS Training Institute. Prior to MIS, he
was the Director of Training at Control Solutions International where he oversaw the
company's training and employee development program. Previously, he was a Senior
Project Manager leading audit and consulting projects for clients in the manufacturing,
transportation, high-tech, education, insurance, and power generation industries. He
authored the books 10 Key Techniques to Improve Team Productivity and Using
Surveys in Internal Auditing, and articles on whistleblowing programs, international
auditing, mentoring programs, fraud, deception, corporate social responsibility, and
behavioral profiling.
11

TRACK D
RISK-BASED INTERNAL AUDITING
(GREG DUCKERT – MONDAY - WEDNESDAY)
22 CPEs
Seminar Focus and Features
With the increasing emphasis on corporate governance initiatives and the release of
recent ERM guides and pronouncements, there has never been a more critical time for
auditors to expand their knowledge of risk management and assessment.
In this intensive three-day seminar you will learn the underlying concepts of a riskbased
audit methodology. You will cover all aspects of risk assessment, including the
fundamentals of risk-based auditing, defining risk in business terms, identifying key risk
areas, evaluating global risk, and conducting a detailed risk analysis at the engagement
level. You will explore a strategy for transitioning the department to a risk-based
function as well as for re-educating management and the audit committee. Throughout
the seminar you will work through risk drills that will allow you to put into practice what
you have learned. You will leave this high-impact seminar with audit efficiencies and
business insights that will maximize Audit’s contributions to the organization, and cast
IA as a value-adding member of the team.
Prerequisite: None
Learning Level: Intermediate
Field of Study: Auditing
About the Instructor
Greg Duckert, CIA, CISA, CMA, CPA
Greg Duckert is CEO of Audit, Inc., a consulting firm specializing in risk assessment
models, operational analysis, and audit process methodologies designed to maximize
returns to the organization. Mr. Duckert is also a Senior Consultant for MIS Training
Institute and has over 30 years of national and international experience as an
Internal/IS Audit Director. Mr. Duckert has held Audit Director positions in the
manufacturing, construction and healthcare industries, assuming responsibilities for
financial, operational, and information systems auditing functions. His information
systems expertise includes application audits, software acquisition, systems
development, controls, security design, adequacy and implementation, and systems
operational efficiencies. He has performed consulting services in IS, financial, and
operational audits, as well as in business acquisitions and start-ups.
12

TRACK E
INTERMEDIATE ACL
(OPHER JACKSON – MONDAY - WEDNESDAY)
22 CPEs
Seminar Focus and Features
This three-day program introduces participants to the ACL lifecycle that helps them
develop simple scripts and the documentation required to support their audit
objectives. Techniques used to resolve complex file import issues are covered.
Participants will also be introduced to complex ACL expressions and advanced functions
to help them identify anomalies in transaction streams. Finally, participants are
introduced to presentation techniques supported by ACL that make their findings more
meaningful.
This hands-on training program uses an ongoing case study to reinforce the concepts
presented during the program. The program concludes with a final case study that
forces participants to resolve complex data import problems and create ACL scripts to
meet the audit objectives.
Prerequisite: ACL Concepts or 4-18 months experience using ACL. Attendees should
bring a laptop with ACL installed.
Learning Level: Intermediate
Field of Study: Auditing
About the Instructor
Opher Jackson
Opher Jackson is a retired Executive Director from Ernst & Young. At Ernst & Young his
primary focus was information management and data analysis including Data
Governance. Opher held a leadership role in the National office where he helped start
the firm's data analysis practice and created the firm's data analysis infrastructure. He
was one of the firm's subject matter resources for the support, execution and design of
audit sampling.
Opher developed and led data analysis training and provided national and global
support. He helped create the firm's data analysis methodology used at audit clients;
was part of an International Task Force that helped develop the ACL for Windows
product sold by ACL Services, Ltd., and led, performed and evaluated data analysis and
data conversion projects for clients across the country. Opher has more than 25 years
of data analysis experience.
13

Seminar Focus and Features
TRACK F-1
AUDITING IT OUTSOURCING
(NORM KELSON – MONDAY)
7 CPEs
Most organizations have adopted some form of outsourcing. Whether it includes
outsourcing IT operations, application maintenance, systems development, applications
services, information security, or networking, they all constitute outsourcing.
The process and results are fraught with risks, but also have rewards. As an auditor, it
is essential to understand the life cycle of an outsourcing project from initial due
diligence to implementation, and the ongoing operational issues after implementation.
The decision to and the ultimate execution of the outsourcing effects the audit universe,
compliance (e.g. SOX), as well as the processes affecting the business.
Learning Objectives:
Execute an audit of the various phases of the initial IT outsource project
Perform a post implementation review of the effectiveness of the IT outsource
contract
Plan and execute operational audits of the outsourced processes
Evaluate specific concerns for compliance audits
Evaluate common issues that have arisen, i.e. service level agreements, failure to
comply, company preparedness and ownership of processes, and escalation
processes
Assess additional issues where processes are distributed to foreign entities
(offshoring)
Use of SSAE16 reports (SOC1)
Prerequisite: None
Learning Level: Basic
Field of Study: Auditing
14

About the Instructor
Norm Kelson, CPA, CISA, CGEIT
Norm Kelson, founder of CPE Interactive, specializes in building and disseminating best
practices to assurance, risk, governance, and management stakeholders. With over 30
years of extensive experience in IT assurance and governance, he has served in a
variety of capacities as a consultant with a Big 4 firm and an internal audit boutique,
internal auditor executive, and industry advocate.
He is the author of over 30 IT Audit/Assurance Programs for ISACA which are available
as a resource to its members, and a series of case studies to support ISACA’s IT
Governance Using COBIT® and VAL IT TM : Student Book 2nd Edition.
Norm was Managing Director of IT Audit and Technical Seminars for MIS Training
Institute. During his 12 year tenure he was responsible for creation and curriculum
development of its global IT Audit training portfolio focusing on best practices in riskbased
auditing.
He has held positions as: Director of IT Audit for the US Subsidiary of Royal Ahold (Stop
& Shop and Giant) and was a key member of the internal audit professional practices
and standards and the global information security committees; Vice President of
Internal Audit Services and National IT Audit Practice Director for CBIZ Harborview
Partners; managed KPMG’s New England Region IT Auditing practice, and held positions
in IT Audit management with Fannie Mae, CIGNA, and Loews Corporation. He began
his career as a financial auditor with Laventhol and Horwath.
Norm is an Adjunct Professor at Bentley University and a member of the Audit/AIS
Curriculum Committee.
He is a frequent speaker and subject matter expert at ISACA and Institute of Internal
Auditors (IIA) conferences, is a former Executive Vice President of the New England
ISACA Chapter and served on the Chapter’s Strategic Planning Committee.
Norm received a Bachelor of Science in Business Administration from Boston University
and an MBA from the University of Pennsylvania Wharton School. He is a Certified
Public Accountant, Certified Information Systems Auditor, and Certified in the
Governance of Enterprise Information Technology.
15

TRACK F-2
ASSESSING DATA INTEGRITY
(JOHN BEVERIDGE – TUESDAY - WEDNESDAY)
15 CPEs
Seminar Focus and Features
Assessing the integrity and reliability of computer generated data is an important step
in audit planning as well as addressing specific objectives. Data is aggregated from
various sources, processed using automated rules, and stored in databases, data
warehouses, etc. Applications and business users extract or retrieve data as the basis
for strategic decisions, reporting, day-to-day operations, and auditing. The reliability
and integrity of data may be at significant risk when placed in operational and IT
environments lacking processing, transmission, storage and security controls.
Misinterpretation of reliability risk factors may result in misdirected audit effort or
incorrect conclusions.
The session will provide you with the concepts and tools to effectively evaluate the
reliability and integrity of data processed and available for analysis and decision
making.
Learning Objectives:
Understanding the requirements of data relevance and data integrity
Evaluating data classification
How to introduce good practices for data management
Identifying data integrity requirements
Assessing security and availability requirements
Evaluating factors that impact data reliability and integrity
Determining the impact of data reliability assessment on developing audit objectives
Establishing audit evidence requirements
Using data reliability assessment in developing audit procedures
Prerequisite: None
Learning Level: Basic
Field of Study: Auditing
16

About the Instructor
John W. Beveridge, CGFM, CISA, CISM, CFE, CGEIT, CRISC
John Beveridge is Director of IT Audit Training for CPE Interactive, and his professional
career spans over twenty‐five years in government and private industry in the United
States and England, including over twenty years in IT audit management.
John is the former Deputy Auditor for the Commonwealth of Massachusetts, where he
was responsible for the Information Technology Audit Division for the Massachusetts
Office of the State Auditor and served as Co‐Chair of the Commonwealth’s Enterprise
Security Board and member of the IT Advisory Board. He had served as a member of
the Massachusetts Government Technology’s Advisory Board, 2003 through 2009,
Governor's Commission on Computer Crime, Governor's Commission on Computer
Technology and Law, Governor’s Task Force on E‐Commerce, and the Governor’s IT
Commission.
He is a member of the adjunct faculty of Bentley University and Northeastern
University, where he has taught courses in accounting information systems and IT
auditing.
John has served as ISACA’s International President, Vice President for Standards,
member of various boards and committees including the COBIT® Steering Committee,
Information Systems Auditing Standards Board, Education Board, Assurance Board, IT
Governance Credentialing Committee, and the Advisory Committee to the Task Force
on Model Curriculum for IT Auditing. John was instrumental in the development of
COBIT’s Control Objectives and Management Guidelines, co‐authored a Control
Practices Guideline for Information Systems Continuity Planning, and has authored
professional standards for information systems auditing and work‐related publications.
He is a frequent lecturer on the implementation of COBIT®, IT auditing, planning and
performing application system audits, and audit management.
He received a Bachelors of Science in economics from the University of Massachusetts
and a Masters in Public Administration (MPA) with a major in Finance from Suffolk
University. John is a Certified Governmental Financial Manager, Certified Information
Systems Auditor, Certified Information Security Manager, Certified Fraud Examiner,
Certified in Risk and Information Control Assurance specialist, and Certified in the
Governance of Enterprise IT.
17

TRACK G-1
CYBER SECURITY AND EMERGING RISKS
(JOHN TANNAHILL – MONDAY - TUESDAY)
15 CPEs
Seminar Focus and Features
This course will focus on the risk and control issues related to cyber security and
emerging information security and technology.
Key Learning Objectives
Understand cyber security risk and control issues
Key concepts and relationship to business organizations
Cybercrime (Crime and Espionage)
Cyber warfare and cyber terrorism (Nation to Nation attacks)
Understand emerging risk areas
Overview of Threat Landscape
Malware: Eurograbber; Flame; Stuxnet;
Command & Control; Botnets; Denial of Service; Fraud
Other Malware
Discussion of security and audit tools and techniques
Questions auditors should ask in relation to how the organization should
protect IT infrastructure and corporate information from cyber security
threats.
Risk and Controls Areas and Key Control Requirements
o Malware management and Application Whitelisting
o Incident Management
o Security Awareness
o Cyber Security and Cyber-warfare
o Advanced Persistent Threats (APT)
o Malware
Prerequisite: None
Learning Level: Intermediate
Field of Study: Auditing
18

TRACK G-2
ETHICAL HACKING
(JOHN TANNAHILL – WEDNESDAY)
15 CPEs
Seminar Focus and Features
Participants will learn a practical methodology and approach to performing network
penetration / ethical hacking assessments. Based on a specific architecture,
participants will be provided with information gathered from network discovery tools
and techniques. This information will be used as a base to identify the scope and
methodology used to perform a detailed network penetration assessment. The course
will also include detailed discussion and demonstration of tools and techniques used
that will allow the participant to evaluate the network vulnerabilities and identify key
control recommendations that should be implemented to address the issues. We will
also review a sample network penetration assessment report.
Areas of Coverage
Part I – Network Discovery and Footprint
Network Address Spaces (DNS, IP Address Blocks, Whois Information)
Ping Sweep Techniques.
Information Gathering Tools (e.g. SNMP information)
Use of Search Engines such as SHODAN, Google and other Web-based resources
Building network architecture diagrams
Part II – TCP/IP Service Identification and Enumeration
Port Scanning Techniques (tcp; udp and icmp scanning)
Use of Nmap (including NSE – Nmap Scripting Engine)
Other Port Scanning, Fingerprinting and Service Identification Tools such as amap
(application fingerprinting) and netcat (‘swiss army knife’ tool)
Use of Cain & Abel for enumeration of hosts and services
Advanced scanning techniques and tools (including use of Hping and other packet
crafting tools) including building packets from port scanning; source port scanning
Part III – Ethical Hacking Assessment
Network Penetration Testing Tools and Techniques (including configuration and use
of Backtrack5 / Kali)
Use of NIST National Vulnerability Database (NVD) and related resources
Testing firewalls
Testing specific TCP/IP Services e.g. web servers (using Nikto and related tools)
Testing web applications (OWASP ZAP Proxy and similar tools)
Testing vulnerabilities in Unix and Windows operating systems using tailored scripts
and OS-specific tools
Using the Metasploit Framework
Effective reporting and risk-ranking of assessment results
Learning Level: Intermediate
Field of Study: Auditing
19

About the Instructor
John Tannahill, CA, CISM, CGEIT, CRISC
John Tannahill, CA, CISM, CGEIT, CRISC is a management consultant specializing in
information security and audit services. His current focus is on information security
management and control in large information systems environments and networks. His
specific areas of technical expertise include UNIX and Windows operating system
security, network security, and Oracle and Microsoft SQL Server security. John is a
frequent speaker in Canada, Europe and the US on the subject of information security
and audit.
John is a member of the Toronto ISACA Chapter and has spoken at many ISACA
Conferences and Chapter Events including ISACA Training Weeks; North America CACS;
EuroCACS; Asia- Pacific CACS; International and Network and Information Security
Conferences.
2008 Recipient of the ISACA John Kuyer Best Speaker/Best Conference Contributor
Award
20

TRACK H
COSO 2013: IMPLEMENTING THE FRAMEWORK
(KATHLEEN CRAWFORD – TUESDAY - WEDNESDAY)
15 CPEs
Seminar Focus and Features
COSO released an updated Integrated Control Framework (IC-IF) in 2013. In this
interactive two-day seminar you will learn how the new principles-based approach can
be designed effectively and deployed successfully within organizations. Participants will
also examine the implications for business leaders, process owners, and internal
auditors, who can use the framework to add value while providing audit and consulting
services.
During this course, participants will review the differences between the 1992 and the
updated 2013 models, the implications on the system of internal controls, and acquire
the tools necessary to effectively design, implement, and evaluate their organization’s
system of internal controls. You will leave with the skills necessary to perform an
assessment of your organization, and know how to apply the seventeen principles
representing the fundamental concepts associated with the components of the
framework.
Prerequisite: Familiarity with 1992 COSO Model
Learning Level: Basic
Field of Study: Auditing
About the Instructor
Kathleen Crawford
Kathleen Crawford is a Senior Consultant for MIS Training Institute, and President of
Crawford Consulting and Communications, LLC, a firm specializing in assurance,
investigative, and advisory projects for small firms without an internal audit function.
Previously, Ms. Crawford was an Internal Auditor for Vinfen Corporation, where her
responsibilities included assisting management in standardizing operations, developing
policies and procedures, and improving processes. In addition, she investigated all
suspected financial crimes, collecting evidence to ensure successful prosecution and
recovery of company and client assets. Ms. Crawford trained other investigators in a
methodology for detecting and documenting fraud that met the unique compliance
requirements of MA Department of Health and Human Services. She began her career
as a bank auditor, first with Bank of New England, then Eastern Bank, and State Street
Bank. Her responsibilities in these institutions included internal audits and fraud
investigations. A member of The Institute of Internal Auditors, Ms. Crawford is a past
President of the Greater Boston Chapter of The IIA. She is also a member of the
Association of Certified Fraud Examiners and the American Society for Training and
Development. Ms. Crawford serves as Treasurer of the Board of Trustees of the
Foxborough Regional Charter School and its foundation, Friends of FRCS.
21

TRACK I
COBIT 5
(MARK EDMEAD – MONDAY - WEDNESDAY)
22 CPEs
Seminar Focus and Features
With the current emphasis on enterprise governance, successful organizations are
integrating IT with business strategies to achieve their objectives, optimize information
value, and capitalize on today’s technologies. To that end, Control Objectives for
Information and related Technology (COBIT®), the internationally recognized set of IT
management best practices and control objectives, provides a powerful framework for IT
governance, control and audit.
In this two day seminar you will review the new COBIT®5 Framework and focus on how
you can use this newly released globally-recognized framework for evaluating the
effectiveness of IT controls. You will explore the significant changes incorporated in the new
COBIT®5 that can be utilized in executing IT audits. You will also discover how to use
COBIT®5 in conjunction with other internationally recognized standards and frameworks,
including the ISO-27001, ISO-27002, ISO-27005 Security Standards and NIST 800-53
Recommended Security Controls for Federal Systems. As examples during the seminar you
will explore using COBIT®5 to plan and execute audits for risk management, security
management, business continuity and IT governance. As a result of these exercises, you
will fully understand how to use COBIT®5 in conjunction with other internationally
recognized standards to provide a comprehensive and effective audit approach.
Prerequisite: Familiarity with the COBIT Framework
Learning Level: Basic
Field of Study: Auditing
About the Instructor
Mark T. Edmead, MBA, CISA, CISSP, COBIT 5.0
Mark Edmead is the Managing Director at MTE Advisors and a Senior Instructor for MIS
Training Institute. He is a 30-year-veteran of computer systems architecture, information
security, and project management. Mr. Edmead has extensive knowledge of IT and
application audits, IT governance, and SOX compliance auditing. His expertise in the areas
of information security and protection includes access controls, cryptography, security
management practices, network and Internet security, computer security law and
investigations, and physical security. He has consulted with Fortune 500 and 1000
companies and worked with a number of international firms. Mr. Edmead has authored
articles in Compliance Advisor Magazine, IT Compliance Journal, IIA Insights, and The
Auditor. In addition, he is an adjunct professor at the Keller Graduate School of
Management.
22

Seminar Focus and Features
TRACK J
IDENTITY AND ACCESS MANAGEMENT
(KEN CUTLER – MONDAY - WEDNESDAY)
22 CPEs
The road to reliable internal control and information security compliance can be very
treacherous, full of potholes and rocks…and many forks to ponder. Compliance
requirements come from all directions, shapes, and sizes…not to mention heightened
attention to the protection of payment card data, personally identifiable information
(PII), identity theft, and security breach disclosure legislation. Logical access controls
represent the single most significant security safeguard to protect valuable data from
unauthorized access…and the most common area of important audit findings by internal
and external auditors.
In this widely applicable workshop, we will provide a framework for consistent and
effective auditing of logical access controls. Case studies will be used to demonstrate
real examples of common access controls and data collection methods for operating
systems, database servers, and other software environments, emphasizing free and/or
low-cost audit software procedures. Attendees will receive sample work programs and
checklists that can be used to perform effective logical access audits in any context.
In this seminar, we will discuss:
Assessing common risks and regulatory compliance requirements associated with
identity and access control management
Identifying the key building blocks of logical access controls: identification and
authentication, access authorization, privileged authority, system integrity, audit
logs
Locating technical and administrative access controls in today’s complex IT
application environments: network, operating systems, database management
systems, directory services, single sign-on
Dealing with software bugs, patch management, and change control issues that can
undermine effective access controls
Defining the audit work program: Tools and techniques for reviewing access controls
in prominent system software and application environments
Sources of industry best practice audit frameworks and checklists
Learning Objectives:
Key risks and compliance requirements associated with logical access control
Key building blocks of logical access control
Locating typical logical access control points in infrastructure and applications
Industry best practices for logical access controls
Tools and techniques for auditing logical access controls
Prerequisite: Introduction to IT Controls or equivalent experience
Learning Level: Intermediate
Field of Study: Auditing
23

About the Instructor
Ken Cutler, CISSP, CISA, CISM,
Ken Cutler is a Senior Teaching Fellow with CPEi, specializing in Technical Audits of IT
Security and related IT controls. He is the President and Principal Consultant for Ken
Cutler & Associates (KCA) InfoSec Assurance, an independent consulting firm delivering
a wide array of Information Security and IT Audit management and technical
professional services. He is also the Director – Q/ISP (Qualified Information Security
Professional) programs for Security University.
An internationally recognized consultant and trainer in the Information Security and IT
audit fields, he is certified and has conducted courses for: Certified Information
Systems Security Professional (CISSP), Certified Information Security Manager (CISM),
Certified Information Systems Auditor (CISA) and CompTIA Security+. In cooperation
with Security University, he recently was featured in two full length training videos on
CISSP and Security+.
Ken was formerly Vice-President of Information Security for MIS Training Institute
(MISTI), and Chief Information Officer of Moore McCormack Resources, a Fortune 500
company. He also directed company-wide IS programs for American Express Travel
Related Services, Martin Marietta Data Systems, and Midlantic Banks, Inc.
Ken has been a long-time active participant in international government and industry
security standards initiatives, including:
The President’s Commission on Critical Infrastructure Protection
Generally Accepted System Security Principles (GSSP)
Information Technology Security Evaluation Criteria (ITSEC)
US Federal Criteria, and
Department of Defense (DOD) Information Assurance Certification Initiative.
He is a prolific author on information security topics. His publications include:
Commercial International Security Requirements (CISR), a commercial
alternative to military security standards for system security design criteria
NIST SP 800-41, “Guidelines on Firewalls and Firewall Policy”, of which he was
co-author, and
Various works on security architecture, disaster recovery planning, wireless
security, vulnerability testing, firewalls, single sign-on, and the Payment Card
Industry Data Security Standard (PCI DSS).
He has been frequently quoted in popular trade publications, including Computerworld,
Information Security Magazine, Infoworld, InformationWeek, CIO Bulletin, and
Healthcare Information Security Newsletter, and has been interviewed in radio
programs My Technology Lawyer and Talk America.
Ken received Bachelor of Science degree in Business Administration and Computer
Science degree from SUNY Empire State College.
24

TRACK K-1
PLANNING FOR A SECURED AND CONTROLLED IPV6 IMPLEMENTATION
(JEFF KALWERISKY, MONDAY)
7 CPEs
Seminar Focus and Features
When the current Internet Protocol, version 4, known as IPv4, was designed in the
early days of the Internet, it was intended for a relatively small number of users in
academia. The resulting design allowed for a maximum of a few billion addresses and
completely ignored security. The security issue has, of course, been an ongoing and
very costly problem for processing confidential data. With the exponential growth in
the numbers of Internet users over the past decade, we are out of IP addresses!
The Internet architects designed IPv6 to provide a virtually unlimited number of
addresses; eliminate the need for Network Address Translation (NAT); strong data
security and packet authentication via mandatory IPSec.
Given the lack of new IP addresses, enterprises face an imminent conversion to IPv6.
This will impact every aspect of their networks, internal and external, including routers,
firewalls, desktops, laptops, and mobile devices.
Learning Objectives
Understanding IPV6 concepts
Learn how to assess conversion issues
Prepare information security for IPV6
Develop IPV6 related policies and procedures
Prerequisite: Detailed understanding of networking, DNS, network routing, the OSI
layer, and working knowledge of network security.
Learning Level: Advanced
Field of Study: Auditing
25

About the Instructor
Jeff Kalwerisky, CA, CISA
Jeff Kalwerisky, Vice President and Director, Information Security and Technical
Training at CPE Interactive, has specialized in information security, information risk
management and IT auditing for over 20 years. He currently focuses on information
risk, IT security governance and frameworks, and secure software development.
He has held executive positions in information security and risk management with
Accenture and Booz Allen Hamilton consulting firms. In both of these capacities, he has
consulted with Fortune 100 companies and national governments, assisting in their
development and deployment of enterprise security governance policies and
frameworks, and technology solutions that strengthen information security and data
privacy/ protection. He served as infrastructure security architect on the world’s largest
electronic health project on behalf of the British Government’s National Health Service,
the world’s largest electronic medical records deployment project, where he developed
security governance to oversee 1,500 software architects and developers.
As manager of global security for VeriSign, he was responsible for ensuring that affiliate
companies in 30 countries adhered to VeriSign’s military‐grade security standards
appropriate to a global certification authority, which he helped to design and deploy.
Jeff was a partner with a major audit firm in South Africa and a consultant with
PricewaterhouseCoopers.
He has published security and audit guides, and has developed training courses
throughout the USA and internationally on a wide range of technical topics focusing on
Windows security, secure e‐commerce, IT auditing, cryptography and biometric
security.
Jeff is originally from South Africa, where he received a Bachelor of Science in Physics
and Math, a Masters of Science in Computer Science from University of Witwatersrand,
Johannesburg, and Masters in Finance and Auditing from the University of South Africa,
Pretoria. He is a Chartered Accountant (SA) and Certified Information Systems Auditor.
26

TRACK K-2
HOW TO PERFORM A GENERAL IT CONTROLS REVIEW
(NORM KELSON, TUESDAY-WEDNESDAY)
15 CPEs
Seminar Focus and Features
The basis for all auditing is the reliance on a control environment. The general controls
review assesses the IT control environment, and through the evaluation of specific
controls activities, monitoring and communications, and risk assessment, provides the
basis for the assessment’s conclusion. The process itself focuses on numerous areas
affecting IT management, data integrity, accuracy, and security, as well as availability.
This session focuses on the planning, execution, and reporting of general IT controls
reviews. Recognizing that the scope of the review is too wide to perform as one
omnibus review, we will provide you with an approach to assessing the highest risk
areas, focusing on these on a routine basis, and developing a cycle approach to the less
significant control processes. In addition, the course utilizes a maturity model, an
objective repeatable assessment basis to provide management with a measurement
that can show improvement of controls over time.
Learning Objectives:
Plan and execute a general controls review
Utilize risk assessment techniques to address the highest risk control issues
Provide management with a meaningful assessment of the maturity of the controls.
Prerequisite: None
Learning Level: Basic
Field of Study: Auditing
27

REGISTRATION INFORMATION
Participation is limited. Registration will be accepted on a first-come, first-served basis.
Pricing has been established to provide the maximum educational benefit for the lowest
cost. Therefore, we will not be offering discounts from the established prices for early
registration, membership affiliation or groups. Dress code for the conference is
business casual.
Morning refreshments will be provided from 7:30 – 8:30 AM, and general sessions will
be from 8:30 AM – 4:30 PM each day. Lunch will be provided daily with vegetarian
options.
Due to circumstances outside of our control, we may find it necessary to reschedule or
cancel sessions, or change instructors. We will give registrants advance notice of such
changes, if possible.
Payment and Cancellation Policy
Please note all times are stated in Eastern Standard Time (EST). All reservations must
be made online at www.isaca-det.org or www.detroitiia.org. Telephone, fax, and mailin
registrations will not be accepted.
All payments must be received by midnight 2/25/14. Payments may be made at the
time of registration using Visa, MasterCard, Discover, or American Express, or check
payments may be mailed to the address listed below.
Cancellations may be made online until midnight on Tuesday 2/25/14 without penalty.
Any cancellation received after Tuesday midnight 2/25/14, and before Monday midnight
3/3/14 will be charged a non-refundable service fee based on the CPEs of the
registered course being cancelled. No refunds will be given for registrations that are
cancelled after midnight 3/3/14.
Non-Refundable
CPEs Service Fee
7 $25
15 $50
22 $75
Payments (payable to: IIA Detroit) should be mailed to the address below. Please do
not remit payment to the ISACA Detroit Chapter. Conference or registration questions
should be sent to administrator@isaca-det.org.
IIA - ISACA Spring Conference
Geralyn Jarmoluk – Administrator
78850 McKay Rd
Romeo, MI 48065
Hotel Information
The spring conference committee has arranged for a discounted rate at the Doubletree Hotel
Detroit/Dearborn. Register by 2/1/2014 and request the “IIA & ISACA Spring Seminar
Discount” to receive a rate of $108 per room per night. The Double Tree Hotel is located at
5801 Southfield Expressway, Detroit, MI 48228. Telephone: 1-313-336-3340.
28

TRACK INFORMATION
Track Session Dates Fee
A-1
Listening and Positive Influencing Skills
(7 CPEs)
3/10 $275
A-2 Effective Interviewing Skills
(7 CPEs)
A-3
B-1
B-2
B-3
C
D
E
F-1
F-2
G-1
G-2
H
I
J
K-1
Managing Resistance and Conflict Before, During, and After
an Audit
(7 CPEs)
Organizational Ethics and Compliance: Auditing to Ensure a
World-class Program
(7 CPEs)
Procurement Fraud: Tools and Techniques to Detect,
Investigate and Manage this Growing Risk
(7 CPEs)
Forensic Interview and Interrogation: Learning the Path to
Effective Truth Telling
(7 CPEs)
Internal Audit University
(22 CPEs)
Risk-Based Auditing
(22 CPEs)
3/11 $275
3/12 $275
3/10 $275
3/11 $275
3/12 $275
3/10-3/12 $825
3/10-3/12 $825
Intermediate ACL
(22 CPEs)
3/10-3/12 $825
Auditing IT Outsourcing
(7 CPEs) 3/10 $275
Assessing Data Integrity
(15 CPEs) 3/11-3/12 $550
Cyber Security and Emerging Risks
(7 CPEs) 3/10 $275
Ethical Hacking
(15 CPEs) 3/11-3/12 $550
COSO
(15 CPEs) 3/11-3/12 $550
COBIT 5
(22 CPEs) 3/10-3/12 $825
Identity and Access Management
(22 CPEs) 3/10-3/12 $825
Planning for a Secure and Controlled IPV6 Implementation
(7 CPEs) 3/10 $275
K-2 How to Perform an IT General Controls Review
(15 CPEs)
29
3/11-3/12 $550

Conference Location
University of Michigan Dearborn - Fairlane Center North
19000 Hubbard
Dearborn MI 48126
(Park in rear lot – north end of complex)
From the West
Take I-94 East to Southfield (M-39) and exit north. Follow Southfield (North) to the Michigan Ave. (U.S. 12) exit. Stay
on the Southfield Service Drive to Hubbard Drive and turn left. Follow Hubbard Drive and turn right into the Southern
entrance of the UM-Dearborn/Fairlane Center (The marquis will reflect the following; The University of Michigan-
Dearborn/Fairlane Center). Follow the entrance road to the back and turn left at the stop sign; the North Building will
be located on your left hand side. Parking is directly across from the North Building.
From the East
Take I-94 West to Southfield (M-39) and exit north. Follow Southfield (North) to the Michigan Ave. (U.S. 12) exit. Stay
on the Southfield Service Drive to Hubbard Drive and turn left. Follow Hubbard Drive and turn right into the Southern
entrance of the UM-Dearborn/Fairlane Center (The marquis will reflect the following; The University of Michigan-
Dearborn/Fairlane Center). Follow the entrance road to the back and turn left at the stop sign; the North Building will
be located on your left hand side. Parking is directly across from the North Building.
From the South
Take Southfield (M-39) north to the Michigan Avenue exit. Stay on the Southfield Service Drive to Hubbard Drive and
turn left. Follow Hubbard Drive and turn right into the Southern entrance of the UM-Dearborn/Fairlane Center (The
marquis will reflect the following; The University of Michigan-Dearborn/Fairlane Center). Follow the entrance road to the
back and turn left at the stop sign; the North Building will be located on your left hand side. Parking is directly across
from the North Building.
From the North
Take Southfield (M-39) south to the Ford Road exit. Stay on the Ford Road Service Drive to Hubbard Drive and turn
right. Follow Hubbard Drive and turn right into the Southern entrance of the UM-Dearborn/Fairlane Center (The marquis
will reflect the following; The University of Michigan-Dearborn/Fairlane Center). Follow the entrance road to the back
and turn left at the stop sign; the North Building will be located on your left hand side. Parking is directly across from
the North Building
30