IIA and ISACA Spring Conference - The Institute of Internal Auditors
15TH ANNUAL IIA and ISACA Spring Conference MARCH 10-12, 2014 University of Michigan-Dearborn Fairlane Center
Welcome
If you are responsible for your company's internal auditing, information systems security and integrity, accounting, finance, Sarbanes-Oxley compliance or other regulatory matters, or simply getting back to the basics, you will want to join us for the 15th annual Detroit Spring Conference.
The Detroit Chapters of the IIA and ISACA are proud to co-sponsor the annual Spring Conference. Each year, the conference committee spends a considerable amount of time planning a comprehensive series of course offerings for our members and guests. The 2014 event is no exception.
A number of classes sell out each year. Don't miss this opportunity to network with your peers, enhance your skills, and learn about new products and services in the marketplace! Our goal is to provide a training conference of world-class caliber tailored to your needs.
We look forward to seeing you at the Spring Conference.
- The 2014 Spring Conference Committee
RETURNING THIS YEAR! – VENDOR EXPO
We have invited many audit and assurance vendors to set up displays during the conference, giving you an opportunity to learn about products and partners that are in the marketplace, and their associated benefits for your organization.
A Special Thanks to our Platinum Sponsors who continue to give generous support to this annual event!
TBD
TBD
TBD
2014 CONFERENCE PROGRAM
Track A (Dr. Joan Pastor): Mon March 10, Listening and Positive Influencing Skills; Tues March 11, Effective Interviewing Skills; Wed March 12, Managing Resistance and Conflict Before, During and After an Audit
Track B (Paul Zikmund): Mon March 10, Organizational Ethics and Compliance; Tues March 11, Procurement Fraud: Tools and Techniques; Wed March 12, Forensic Interview and Interrogation
Track C: Internal Audit University (Hernan Murdock), Monday through Wednesday
Track D: Risk-Based Auditing (Greg Duckert), Monday through Wednesday
Track E: Intermediate ACL (Opher Jackson), Monday through Wednesday
Tracks F, G, H: Auditing IT Outsourcing (Norm Kelson); Cyber Security and Emerging Risks (John Tannahill); Assessing Data Integrity (John Beveridge); Ethical Hacking (John Tannahill); COSO 2013: Implementing the Framework (Kathleen Crawford)
Track I: COBIT 5 (Mark Edmead)
Tracks J, K: Planning for a Secure and Controlled IPV6 Implementation (Jeff Kalwerisky); Identity and Access Management (Ken Cutler); How to Perform an IT General Controls Review (Norm Kelson)
TRACK A-1
LISTENING AND POSITIVE INFLUENCING SKILLS
(DR. JOAN PASTOR, MONDAY)
7 CPEs
Seminar Focus and Features
Anyone who has to audit or conduct interviews, or who manages others as part of their work, knows how important listening skills are. This is especially true in Western countries, where we are known to have the worst listening skills of all cultures. Yet little time is spent actually learning what exactly to do in order to listen well! And, in order to influence really well, guess what? You have to first be an outstanding listener!
In this one-day session, you will learn how to listen! You will also learn that listening is actually a very active mental and physical process, and you will practice the single most important behavior that will guarantee your ability to listen will increase exponentially. You will also learn how to break any and all bad habits related to poor listening: interrupting, daydreaming, poor rapport-building, and more. And as you learn how to overcome these bad habits, you will at the same time learn all the secrets to building the best collaborative audit relationship possible. Many of these skills can be applied at the management level too – wherever you need to influence others to listen to you, and to seriously consider what you have to say. This session will be tailored to the specific roles and responsibilities of the participants. Again, when you leave, you will not only know how to listen, but you will clearly understand the powerful connection between listening and influencing, and you will know how and when to do both!
Prerequisite: None
Learning Level: Basic
Field of Study: Auditing
TRACK A-2
EFFECTIVE INTERVIEWING SKILLS
(DR. JOAN PASTOR, TUESDAY)
7 CPEs
Seminar Focus and Features
This one-day program focuses on the skills needed for a typical audit process (interviewing in situations of suspected fraud is not the focus here; please refer to Track B-3 for fraud interrogation and interviewing skills). The workshop lays out a step-by-step process for conducting an interview that focuses on several key principles. It is especially helpful to those performing collaborative, risk-based and process-focused audits, or for interviewing those in similar, technical types of professions.
Role-plays are an important part of the training, and other exercises occur throughout the day.
Program topics include:
1. The Collaborative Approach to Interviewing
2. Where Interviewing and Interviewing Skills Fit Into the Overall Audit Process
3. Six Steps of the Collaborative Interviewing Process
4. Planning a step-by-step process that is critical
5. The Initial Meeting (Opening the Interview)
6. Information Gathering and all about questions
7. Information Clarification and the secrets to probing deeper
8. How to Read Your Interviewee (discussed throughout the day)
9. Handling Resistant Individuals During Interviews
10. Dozens of subtle tactics to use during interviewing others
11. Ending the Interview
12. Documenting and Evaluating the Interview
13. Actual interview practice
14. Close and Action Plans
Prerequisite: None
Learning Level: Basic
Field of Study: Auditing
TRACK A-3
MANAGING RESISTANCE AND CONFLICT BEFORE, DURING, AND AFTER AN AUDIT
(DR. JOAN PASTOR, WEDNESDAY)
7 CPEs
Seminar Focus and Features
A change-agent is one who uses his or her leadership position and expertise to assist others in making necessary changes to increase efficiency and effectiveness in a work function. Auditors don’t often realize that they are indeed in leadership positions, and to the degree that you require others to change their thinking and their previous ways of working, you are also a change agent.
We will focus on one key skill that must be mastered in order to make change happen: managing people’s natural resistance to change, to suggestions and what are perceived as corrections from others, and their resistance to “outsiders” coming into their territory and asking them questions on how they do their work!
In this one-day workshop, you will learn:
1. The psychology behind resistance
2. How people become more or less resistant, and the specific places where you can intervene in order to reduce resistance
3. How resistance is related to change, how that impacts their perception of you, and how you can change that perception from adversary and troublemaker to collaborator and partner
4. How resistance shows up at the various stages in an audit, and a step-by-step process for minimizing resistance in each stage
5. A special focus on managing resistance in the opening meeting so that you can vastly reduce resistance and conflict throughout the rest of the audit as much as possible (and what to do when you can’t)
6. The psychology of resistance in yourself (yep, you have it big-time and it gets in your way), and how to greatly reduce your own stress around what you perceive as their resistance to you!
7. Exercises teaching you what resistance looks like and feels like so that you can catch it early, plus an exercise to help you and your audit team to plan in advance for how to handle resistance that you suspect will arise
Prerequisite: None
Learning Level: Basic
Field of Study: Auditing
About the Instructor
Joan Pastor, PhD
Joan Pastor, Ph.D., is president of JPA International, Inc., and has been a professional international speaker, trainer and coach since 1979. She is well-known for her training, facilitation, and consulting skills, and has worked with numerous organizations to develop their vision and then apply the strategies and processes to achieve it. Joan is a certified speaking professional (CSP) and also a certified mediator, and has mediated numerous workplace and business conflicts over the years. Her book, “Conflict Management and Negotiation Skills for Internal Auditors” was published in 2007 by The Institute of Internal Auditors. Her article “The Eight Habits of Highly Effective Audit Committees” received the AICPA Excellence in Journalism Award in 2008.
The recipient of numerous awards, Joan has been working with the IIA chapters, congresses and conferences since 1987 and with the AICPA and ACFE since 1998. Joan and her associates focus on developing all the people, communication, organizational and leadership skills associated with these professions. She has also made pioneering contributions related to fraud and the white collar criminal, ethics, fraud risk-assessment and business process management and its application to organizational change (downsizing, fast growth, mergers & acquisitions). Her consulting projects in collaboration with audit departments have ranged from redesigning the major business processes for a major airline, redesigning a faulty 360-degree performance management process, facilitating the acquisition and merger of several hospitals and a college with another major university, and assisting in reengineering risk assessment programs.
When the Enron debacle blew open, Joan unleashed the model that she had been working on for over 10 years on the psychology behind fraud and unethical people in business. It has been extremely well received from CFEs to Audit Committees to the FBI to senior executive teams. Joan often works alongside legal counsel, audit and executives on potential or discovered fraud situations, and has uncovered three embezzlement and fraudulent schemes on her own as well.
TRACK B-1
ORGANIZATIONAL ETHICS AND COMPLIANCE
(PAUL ZIKMUND – MONDAY)
7 CPEs
Seminar Focus and Features
An organizational compliance program is an important mechanism to help ensure effective governance. Auditing and evaluating compliance programs and controls is critical to the success of any program, and not performed only to keep the regulators happy. Compliance with regulatory requirements and the organization’s own policies is a critical component of effective risk management. A well designed and effectively administered compliance program helps organizations achieve business goals, maintain ethical health, support long-term prosperity, and preserve and promote organizational values.
A well designed internal audit plays an important role for evaluating the effectiveness and efficiency of the organization’s compliance program.
In this session, attendees will learn the following:
1. Hallmarks of an effective compliance program
2. Auditing procedures for compliance programs
3. Communicating results to obtain best results
4. Determination of key compliance risks
5. Leveraging strategic partnerships to ensure success
Prerequisite: None
Learning Level: Basic
Field of Study: Auditing
TRACK B-2
PROCUREMENT FRAUD: TOOLS AND TECHNIQUES
(PAUL ZIKMUND – TUESDAY)
7 CPEs
Seminar Focus and Features
Procurement of goods and services creates an increase in procurement fraud, which can occur at any stage of the contracting and procurement process. Appropriate controls, fraud detection & prevention strategies, and proper programs and controls related to the tendering processes are necessary in the fight against procurement fraud. This course provides tools and techniques related to practices for preventing, detecting and investigating contract and procurement fraud.
Organizations are often defrauded through various procurement fraud schemes including bid rigging, kickbacks, conflicts of interest, and fictitious invoicing schemes. Consequently, you need to be aware of the vulnerabilities and risks associated with these fraud schemes, which impact the purchasing, procurement and contract functions.
In this course, attendees will learn the following:
1. Defining the procurement process
2. Laws and regulations impacting the procuring of goods and services
3. Techniques for detection, investigation and prevention of procurement fraud
4. Red flags of procurement fraud
5. Case studies
Prerequisite: None
Learning Level: Basic
Field of Study: Auditing
TRACK B-3
FORENSIC INTERVIEWING AND INTERROGATION
(PAUL ZIKMUND – WEDNESDAY)
7 CPEs
Seminar Focus and Features
The increase of corporate fraud during the past several years has directed the attention of the government, company boards, and shareholders to the auditing profession. Both internal and external audit standards prescribe "forensic-type" procedures on every audit to enhance the auditor's ability to uncover red flags for fraud.
Interviewing is a forensic tool available to auditors and, when conducted effectively, can successfully uncover indicators of fraud during the audit. A successful interviewer should possess basic interviewing skills to afford themselves the opportunity to observe deceptive behavior. Auditors who are able to conduct focused discussions and alert themselves to suspicious behavior are more likely to detect fraud.
Attendees will learn the following:
1. Uncovering signs of deception
2. Properly preparing for an interview
3. Investigative interviewing skills
4. Facts about lying and why they are important to an auditor
5. Trusting your intuition
Prerequisite: None
Learning Level: Basic
Field of Study: Auditing
About the Instructor
Paul E. Zikmund, CFE, CFFA, CFD
Paul E. Zikmund serves as Director, Global Ethics and Compliance, at Bunge in White Plains, NY. He is responsible for managing and conducting investigations of fraud and misconduct, implementing fraud detective techniques, administering the company’s fraud risk assessment process, and managing anti-fraud programs and controls designed to reduce the risk of fraud within the company.
Prior to joining Bunge, Paul worked as the Senior Director Forensic Audit responsible for developing, implementing, and administering fraud risk management services at Tyco and to clients in Princeton, NJ, and as the Director Litigation Support Services at Amper, Politziner, & Mattia, LLP, in Philadelphia, PA.
He possesses nearly 20 years of experience in this field and has effectively managed global fraud and forensic teams at various Fortune 500 companies.
Paul, who is a Certified Fraud Examiner, Certified Fraud Deterrence Specialist, and Certified Forensic Financial Analyst, has designed and implemented programs to detect and investigate instances of fraud. Paul also conducts fraud risk assessments and fraud awareness training to help detect and deter fraud within organizations. His public and private sector experience includes the investigation of complex financial frauds, conducting forensic audit engagements, and providing litigation support for a variety of industries.
Before joining Amper, Paul was a Principal, Fraud and Forensic Services at SolomonEdwardsGroup, LLC and a Senior Manager – Enterprise Risk Services with Deloitte and Touche, LLP. Prior to that, he served in a variety of in-house fraud and forensic investigative roles with The Dow Chemical Company, Nortel Networks, and Union Carbide Corporation. He began his career as a Municipal Police Officer, and then a State Trooper and Special Agent with the Attorney General’s Office for the Commonwealth of Pennsylvania.
Paul received a Bachelor of Science degree in the Administration of Justice and a Certificate of Accountancy from The University of Pittsburgh. He continued his education with a Masters of Business Administration at the University of Connecticut and a Masters of Accountancy at Auburn University. Paul has authored various articles relating to fraud detection, prevention, and investigation. He speaks regularly at seminars and conferences on the topic of fraud and also teaches a graduate level fraud and forensic accounting course at Rider University in New Jersey and LaSalle University in Philadelphia.
TRACK C
INTERNAL AUDIT UNIVERSITY
(HERNAN MURDOCK – MONDAY - WEDNESDAY)
22 CPEs
Seminar Focus and Features
In this intensive three-day seminar you will master fundamental operational auditing techniques and learn how to use a risk-based approach to enhance your audits of the Purchasing, Marketing, Human Resources, Information Technology (IT), Management, Finance/Treasury, and Accounting functions.
You will explore the objectives of major business operation areas and learn how to identify the key risks threatening them. You will find out how to make your audits more efficient and effective and how to use data analytics to gain an in-depth understanding of business processes. You will cover such critical areas as the impact of SOX, ERM, and GRC on the organization, uncovering fraud schemes that threaten business operations, and the role of IA in helping management build strong risk management and strategic planning processes. You will leave this high-impact seminar with the skills necessary to go beyond outputs and to examine the organization’s ability to achieve the necessary outcomes.
Prerequisite: None
Learning Level: Basic
Field of Study: Auditing
About the Instructor
Dr. Hernan Murdock, CIA, CRMA
Dr. Hernan Murdock is a Senior Consultant with MIS Training Institute. Prior to MIS, he was the Director of Training at Control Solutions International where he oversaw the company's training and employee development program. Previously, he was a Senior Project Manager leading audit and consulting projects for clients in the manufacturing, transportation, high-tech, education, insurance, and power generation industries. He authored the books 10 Key Techniques to Improve Team Productivity and Using Surveys in Internal Auditing, and articles on whistleblowing programs, international auditing, mentoring programs, fraud, deception, corporate social responsibility, and behavioral profiling.
TRACK D
RISK-BASED INTERNAL AUDITING
(GREG DUCKERT – MONDAY - WEDNESDAY)
22 CPEs
Seminar Focus and Features
With the increasing emphasis on corporate governance initiatives and the release of recent ERM guides and pronouncements, there has never been a more critical time for auditors to expand their knowledge of risk management and assessment.
In this intensive three-day seminar you will learn the underlying concepts of a risk-based audit methodology. You will cover all aspects of risk assessment, including the fundamentals of risk-based auditing, defining risk in business terms, identifying key risk areas, evaluating global risk, and conducting a detailed risk analysis at the engagement level. You will explore a strategy for transitioning the department to a risk-based function as well as for re-educating management and the audit committee. Throughout the seminar you will work through risk drills that will allow you to put into practice what you have learned. You will leave this high-impact seminar with audit efficiencies and business insights that will maximize Audit’s contributions to the organization, and cast IA as a value-adding member of the team.
Prerequisite: None
Learning Level: Intermediate
Field of Study: Auditing
About the Instructor
Greg Duckert, CIA, CISA, CMA, CPA
Greg Duckert is CEO of Audit, Inc., a consulting firm specializing in risk assessment models, operational analysis, and audit process methodologies designed to maximize returns to the organization. Mr. Duckert is also a Senior Consultant for MIS Training Institute and has over 30 years of national and international experience as an Internal/IS Audit Director. Mr. Duckert has held Audit Director positions in the manufacturing, construction and healthcare industries, assuming responsibilities for financial, operational, and information systems auditing functions. His information systems expertise includes application audits, software acquisition, systems development, controls, security design, adequacy and implementation, and systems operational efficiencies. He has performed consulting services in IS, financial, and operational audits, as well as in business acquisitions and start-ups.
TRACK E
INTERMEDIATE ACL
(OPHER JACKSON – MONDAY - WEDNESDAY)
22 CPEs
Seminar Focus and Features
This three-day program introduces participants to the ACL lifecycle that helps them develop simple scripts and the documentation required to support their audit objectives. Techniques used to resolve complex file import issues are covered. Participants will also be introduced to complex ACL expressions and advanced functions to help them identify anomalies in transaction streams. Finally, participants are introduced to presentation techniques supported by ACL that make their findings more meaningful.
This hands-on training program uses an ongoing case study to reinforce the concepts presented during the program. The program concludes with a final case study that forces participants to resolve complex data import problems and create ACL scripts to meet the audit objectives.
Prerequisite: ACL Concepts or 4-18 months experience using ACL. Attendees should bring a laptop with ACL installed.
Learning Level: Intermediate
Field of Study: Auditing
About the Instructor
Opher Jackson
Opher Jackson is a retired Executive Director from Ernst & Young. At Ernst & Young his primary focus was information management and data analysis including Data Governance. Opher held a leadership role in the National office where he helped start the firm's data analysis practice and created the firm's data analysis infrastructure. He was one of the firm's subject matter resources for the support, execution and design of audit sampling.
Opher developed and led data analysis training and provided national and global support. He helped create the firm's data analysis methodology used at audit clients; was part of an International Task Force that helped develop the ACL for Windows product sold by ACL Services, Ltd., and led, performed and evaluated data analysis and data conversion projects for clients across the country. Opher has more than 25 years of data analysis experience.
TRACK F-1<br />
AUDITING IT OUTSOURCING<br />
(NORM KELSON – MONDAY)<br />
7 CPEs<br />
Seminar Focus and Features<br />
Most organizations have adopted some form of outsourcing. Whether it includes<br />
outsourcing IT operations, application maintenance, systems development, application<br />
services, information security, or networking, they all constitute outsourcing.<br />
The process and results are fraught with risks, but also have rewards. As an auditor, it<br />
is essential to understand the life cycle of an outsourcing project from initial due<br />
diligence to implementation, and the ongoing operational issues after implementation.<br />
The decision to outsource and the ultimate execution of the outsourcing affect the audit universe,<br />
compliance (e.g. SOX), as well as the processes affecting the business.<br />
Learning Objectives:<br />
Execute an audit of the various phases of the initial IT outsourcing project<br />
Perform a post-implementation review of the effectiveness of the IT outsourcing<br />
contract<br />
Plan and execute operational audits of the outsourced processes<br />
Evaluate specific concerns for compliance audits<br />
Evaluate common issues that have arisen, e.g. service level agreements, failure to<br />
comply, company preparedness and ownership of processes, and escalation<br />
processes<br />
Assess additional issues where processes are distributed to foreign entities<br />
(offshoring)<br />
Use of SSAE 16 reports (SOC 1)<br />
Prerequisite: None<br />
Learning Level: Basic<br />
Field of Study: Auditing<br />
About the Instructor<br />
Norm Kelson, CPA, CISA, CGEIT<br />
Norm Kelson, founder of CPE Interactive, specializes in building and disseminating best<br />
practices to assurance, risk, governance, and management stakeholders. With over 30<br />
years of extensive experience in IT assurance and governance, he has served in a<br />
variety of capacities as a consultant with a Big 4 firm and an internal audit boutique,<br />
internal audit executive, and industry advocate.<br />
He is the author of over 30 IT Audit/Assurance Programs for ISACA, which are available<br />
as a resource to its members, and of a series of case studies to support ISACA’s IT<br />
Governance Using COBIT® and Val IT™: Student Book, 2nd Edition.<br />
Norm was Managing Director of IT Audit and Technical Seminars for MIS Training<br />
Institute. During his 12-year tenure he was responsible for the creation and curriculum<br />
development of its global IT Audit training portfolio, focusing on best practices in risk-based<br />
auditing.<br />
He has held positions as: Director of IT Audit for the US subsidiary of Royal Ahold (Stop<br />
& Shop and Giant), where he was a key member of the internal audit professional practices<br />
and standards and the global information security committees; Vice President of<br />
Internal Audit Services and National IT Audit Practice Director for CBIZ Harborview<br />
Partners; manager of KPMG’s New England Region IT Auditing practice; and positions<br />
in IT Audit management with Fannie Mae, CIGNA, and Loews Corporation. He began<br />
his career as a financial auditor with Laventhol and Horwath.<br />
Norm is an Adjunct Professor at Bentley University and a member of the Audit/AIS<br />
Curriculum Committee.<br />
He is a frequent speaker and subject matter expert at ISACA and Institute of Internal<br />
Auditors (IIA) conferences, is a former Executive Vice President of the New England<br />
ISACA Chapter and served on the Chapter’s Strategic Planning Committee.<br />
Norm received a Bachelor of Science in Business Administration from Boston University<br />
and an MBA from the University of Pennsylvania Wharton School. He is a Certified<br />
Public Accountant, Certified Information Systems Auditor, and Certified in the<br />
Governance of Enterprise Information Technology.<br />
TRACK F-2<br />
ASSESSING DATA INTEGRITY<br />
(JOHN BEVERIDGE – TUESDAY - WEDNESDAY)<br />
15 CPEs<br />
Seminar Focus and Features<br />
Assessing the integrity and reliability of computer-generated data is an important step<br />
in audit planning as well as in addressing specific objectives. Data is aggregated from<br />
various sources, processed using automated rules, and stored in databases, data<br />
warehouses, etc. Applications and business users extract or retrieve data as the basis<br />
for strategic decisions, reporting, day-to-day operations, and auditing. The reliability<br />
and integrity of data may be at significant risk when placed in operational and IT<br />
environments lacking processing, transmission, storage and security controls.<br />
Misinterpretation of reliability risk factors may result in misdirected audit effort or<br />
incorrect conclusions.<br />
The session will provide you with the concepts and tools to effectively evaluate the<br />
reliability and integrity of data processed and available for analysis and decision<br />
making.<br />
Learning Objectives:<br />
Understanding the requirements of data relevance and data integrity<br />
Evaluating data classification<br />
How to introduce good practices for data management<br />
Identifying data integrity requirements<br />
Assessing security and availability requirements<br />
Evaluating factors that impact data reliability and integrity<br />
Determining the impact of data reliability assessment on developing audit objectives<br />
Establishing audit evidence requirements<br />
Using data reliability assessment in developing audit procedures<br />
Prerequisite: None<br />
Learning Level: Basic<br />
Field of Study: Auditing<br />
About the Instructor<br />
John W. Beveridge, CGFM, CISA, CISM, CFE, CGEIT, CRISC<br />
John Beveridge is Director of IT Audit Training for CPE Interactive, and his professional<br />
career spans over twenty-five years in government and private industry in the United<br />
States and England, including over twenty years in IT audit management.<br />
John is the former Deputy Auditor for the Commonwealth of Massachusetts, where he<br />
was responsible for the Information Technology Audit Division of the Massachusetts<br />
Office of the State Auditor and served as Co-Chair of the Commonwealth’s Enterprise<br />
Security Board and member of the IT Advisory Board. He has served as a member of<br />
the Massachusetts Government Technology’s Advisory Board, 2003 through 2009, the<br />
Governor's Commission on Computer Crime, the Governor's Commission on Computer<br />
Technology and Law, the Governor’s Task Force on E-Commerce, and the Governor’s IT<br />
Commission.<br />
He is a member of the adjunct faculty of Bentley University and Northeastern<br />
University, where he has taught courses in accounting information systems and IT<br />
auditing.<br />
John has served as ISACA’s International President, Vice President for Standards, and<br />
member of various boards and committees including the COBIT® Steering Committee,<br />
Information Systems Auditing Standards Board, Education Board, Assurance Board, IT<br />
Governance Credentialing Committee, and the Advisory Committee to the Task Force<br />
on Model Curriculum for IT Auditing. John was instrumental in the development of<br />
COBIT’s Control Objectives and Management Guidelines, co-authored a Control<br />
Practices Guideline for Information Systems Continuity Planning, and has authored<br />
professional standards for information systems auditing and work-related publications.<br />
He is a frequent lecturer on the implementation of COBIT®, IT auditing, planning and<br />
performing application system audits, and audit management.<br />
He received a Bachelor of Science in Economics from the University of Massachusetts<br />
and a Master of Public Administration (MPA) with a major in Finance from Suffolk<br />
University. John is a Certified Governmental Financial Manager, Certified Information<br />
Systems Auditor, Certified Information Security Manager, Certified Fraud Examiner,<br />
Certified in Risk and Information Control Assurance specialist, and Certified in the<br />
Governance of Enterprise IT.<br />
TRACK G-1<br />
CYBER SECURITY AND EMERGING RISKS<br />
(JOHN TANNAHILL – MONDAY - TUESDAY)<br />
15 CPEs<br />
Seminar Focus and Features<br />
This course will focus on the risk and control issues related to cyber security and<br />
emerging information security and technology.<br />
Key Learning Objectives<br />
Understand cyber security risk and control issues<br />
Key concepts and relationship to business organizations<br />
Cybercrime (crime and espionage)<br />
Cyber warfare and cyber terrorism (nation-to-nation attacks)<br />
Understand emerging risk areas<br />
Overview of Threat Landscape<br />
Malware: Eurograbber; Flame; Stuxnet<br />
Command & Control; Botnets; Denial of Service; Fraud<br />
Other Malware<br />
Discussion of security and audit tools and techniques<br />
Questions auditors should ask in relation to how the organization should<br />
protect IT infrastructure and corporate information from cyber security<br />
threats<br />
Risk and Control Areas and Key Control Requirements<br />
o Malware management and Application Whitelisting<br />
o Incident Management<br />
o Security Awareness<br />
o Cyber Security and Cyber-warfare<br />
o Advanced Persistent Threats (APT)<br />
o Malware<br />
Prerequisite: None<br />
Learning Level: Intermediate<br />
Field of Study: Auditing<br />
TRACK G-2<br />
ETHICAL HACKING<br />
(JOHN TANNAHILL – WEDNESDAY)<br />
15 CPEs<br />
Seminar Focus and Features<br />
Participants will learn a practical methodology and approach to performing network<br />
penetration / ethical hacking assessments. Based on a specific architecture,<br />
participants will be provided with information gathered from network discovery tools<br />
and techniques. This information will be used as a base to identify the scope and<br />
methodology used to perform a detailed network penetration assessment. The course<br />
will also include detailed discussion and demonstration of tools and techniques<br />
that will allow the participant to evaluate the network vulnerabilities and identify key<br />
control recommendations that should be implemented to address the issues. We will<br />
also review a sample network penetration assessment report.<br />
Areas of Coverage<br />
Part I – Network Discovery and Footprint<br />
Network Address Spaces (DNS, IP Address Blocks, Whois Information)<br />
Ping Sweep Techniques<br />
Information Gathering Tools (e.g. SNMP information)<br />
Use of Search Engines such as SHODAN, Google and other Web-based resources<br />
Building network architecture diagrams<br />
Part II – TCP/IP Service Identification and Enumeration<br />
Port Scanning Techniques (TCP, UDP and ICMP scanning)<br />
Use of Nmap (including NSE – Nmap Scripting Engine)<br />
Other Port Scanning, Fingerprinting and Service Identification Tools such as amap<br />
(application fingerprinting) and netcat (‘Swiss army knife’ tool)<br />
Use of Cain & Abel for enumeration of hosts and services<br />
Advanced scanning techniques and tools (including use of Hping and other packet<br />
crafting tools), including building packets for port scanning and source port scanning<br />
Part III – Ethical Hacking Assessment<br />
Network Penetration Testing Tools and Techniques (including configuration and use<br />
of BackTrack 5 / Kali)<br />
Use of the NIST National Vulnerability Database (NVD) and related resources<br />
Testing firewalls<br />
Testing specific TCP/IP services, e.g. web servers (using Nikto and related tools)<br />
Testing web applications (OWASP ZAP Proxy and similar tools)<br />
Testing vulnerabilities in Unix and Windows operating systems using tailored scripts<br />
and OS-specific tools<br />
Using the Metasploit Framework<br />
Effective reporting and risk-ranking of assessment results<br />
Learning Level: Intermediate<br />
Field of Study: Auditing<br />
About the Instructor<br />
John Tannahill, CA, CISM, CGEIT, CRISC<br />
John Tannahill, CA, CISM, CGEIT, CRISC, is a management consultant specializing in<br />
information security and audit services. His current focus is on information security<br />
management and control in large information systems environments and networks. His<br />
specific areas of technical expertise include UNIX and Windows operating system<br />
security, network security, and Oracle and Microsoft SQL Server security. John is a<br />
frequent speaker in Canada, Europe and the US on the subject of information security<br />
and audit.<br />
John is a member of the Toronto ISACA Chapter and has spoken at many ISACA<br />
Conferences and Chapter Events including ISACA Training Weeks; North America CACS;<br />
EuroCACS; Asia-Pacific CACS; International and Network and Information Security<br />
Conferences.<br />
2008 Recipient of the ISACA John Kuyer Best Speaker/Best Conference Contributor<br />
Award<br />
TRACK H<br />
COSO 2013: IMPLEMENTING THE FRAMEWORK<br />
(KATHLEEN CRAWFORD – TUESDAY - WEDNESDAY)<br />
15 CPEs<br />
Seminar Focus <strong>and</strong> Features<br />
COSO released an updated Integrated Control Framework (IC-IF) in 2013. In this<br />
interactive two-day seminar you will learn how the new principles-based approach can<br />
be designed effectively and deployed successfully within organizations. Participants will<br />
also examine the implications for business leaders, process owners, and internal<br />
auditors, who can use the framework to add value while providing audit and consulting<br />
services.<br />
During this course, participants will review the differences between the 1992 and the<br />
updated 2013 models and the implications for the system of internal controls, and acquire<br />
the tools necessary to effectively design, implement, and evaluate their organization’s<br />
system of internal controls. You will leave with the skills necessary to perform an<br />
assessment of your organization, and know how to apply the seventeen principles<br />
representing the fundamental concepts associated with the components of the<br />
framework.<br />
Prerequisite: Familiarity with 1992 COSO Model<br />
Learning Level: Basic<br />
Field <strong>of</strong> Study: Auditing<br />
About the Instructor<br />
Kathleen Crawford<br />
Kathleen Crawford is a Senior Consultant for MIS Training Institute, and President of<br />
Crawford Consulting and Communications, LLC, a firm specializing in assurance,<br />
investigative, and advisory projects for small firms without an internal audit function.<br />
Previously, Ms. Crawford was an Internal Auditor for Vinfen Corporation, where her<br />
responsibilities included assisting management in standardizing operations, developing<br />
policies and procedures, and improving processes. In addition, she investigated all<br />
suspected financial crimes, collecting evidence to ensure successful prosecution and<br />
recovery of company and client assets. Ms. Crawford trained other investigators in a<br />
methodology for detecting and documenting fraud that met the unique compliance<br />
requirements of the MA Department of Health and Human Services. She began her career<br />
as a bank auditor, first with Bank of New England, then Eastern Bank, and State Street<br />
Bank. Her responsibilities in these institutions included internal audits and fraud<br />
investigations. A member of The Institute of Internal Auditors, Ms. Crawford is a past<br />
President of the Greater Boston Chapter of The IIA. She is also a member of the<br />
Association of Certified Fraud Examiners and the American Society for Training and<br />
Development. Ms. Crawford serves as Treasurer of the Board of Trustees of the<br />
Foxborough Regional Charter School and its foundation, Friends of FRCS.<br />
TRACK I<br />
COBIT 5<br />
(MARK EDMEAD – MONDAY - WEDNESDAY)<br />
22 CPEs<br />
Seminar Focus <strong>and</strong> Features<br />
With the current emphasis on enterprise governance, successful organizations are<br />
integrating IT with business strategies to achieve their objectives, optimize information<br />
value, and capitalize on today’s technologies. To that end, Control Objectives for<br />
Information and related Technology (COBIT®), the internationally recognized set of IT<br />
management best practices and control objectives, provides a powerful framework for IT<br />
governance, control and audit.<br />
In this two-day seminar you will review the new COBIT® 5 Framework and focus on how<br />
you can use this newly released, globally recognized framework for evaluating the<br />
effectiveness of IT controls. You will explore the significant changes incorporated in the new<br />
COBIT® 5 that can be utilized in executing IT audits. You will also discover how to use<br />
COBIT® 5 in conjunction with other internationally recognized standards and frameworks,<br />
including the ISO 27001, ISO 27002 and ISO 27005 security standards and NIST 800-53,<br />
Recommended Security Controls for Federal Systems. As examples during the seminar you<br />
will explore using COBIT® 5 to plan and execute audits for risk management, security<br />
management, business continuity and IT governance. As a result of these exercises, you<br />
will fully understand how to use COBIT® 5 in conjunction with other internationally<br />
recognized standards to provide a comprehensive and effective audit approach.<br />
Prerequisite: Familiarity with the COBIT Framework<br />
Learning Level: Basic<br />
Field <strong>of</strong> Study: Auditing<br />
About the Instructor<br />
Mark T. Edmead, MBA, CISA, CISSP, COBIT 5.0<br />
Mark Edmead is the Managing Director at MTE Advisors and a Senior Instructor for MIS<br />
Training Institute. He is a 30-year veteran of computer systems architecture, information<br />
security, and project management. Mr. Edmead has extensive knowledge of IT and<br />
application audits, IT governance, and SOX compliance auditing. His expertise in the areas<br />
of information security and protection includes access controls, cryptography, security<br />
management practices, network and Internet security, computer security law and<br />
investigations, and physical security. He has consulted with Fortune 500 and 1000<br />
companies and worked with a number of international firms. Mr. Edmead has authored<br />
articles in Compliance Advisor Magazine, IT Compliance Journal, IIA Insights, and The<br />
Auditor. In addition, he is an adjunct professor at the Keller Graduate School of<br />
Management.<br />
TRACK J<br />
IDENTITY AND ACCESS MANAGEMENT<br />
(KEN CUTLER – MONDAY - WEDNESDAY)<br />
22 CPEs<br />
Seminar Focus and Features<br />
The road to reliable internal control and information security compliance can be very<br />
treacherous, full of potholes and rocks…and many forks to ponder. Compliance<br />
requirements come from all directions, shapes, and sizes…not to mention heightened<br />
attention to the protection of payment card data, personally identifiable information<br />
(PII), identity theft, and security breach disclosure legislation. Logical access controls<br />
represent the single most significant security safeguard to protect valuable data from<br />
unauthorized access…and the most common area of important audit findings by internal<br />
and external auditors.<br />
In this widely applicable workshop, we will provide a framework for consistent and<br />
effective auditing of logical access controls. Case studies will be used to demonstrate<br />
real examples of common access controls and data collection methods for operating<br />
systems, database servers, and other software environments, emphasizing free and/or<br />
low-cost audit software procedures. Attendees will receive sample work programs and<br />
checklists that can be used to perform effective logical access audits in any context.<br />
In this seminar, we will discuss:<br />
Assessing common risks and regulatory compliance requirements associated with<br />
identity and access control management<br />
Identifying the key building blocks of logical access controls: identification and<br />
authentication, access authorization, privileged authority, system integrity, audit<br />
logs<br />
Locating technical and administrative access controls in today’s complex IT<br />
application environments: network, operating systems, database management<br />
systems, directory services, single sign-on<br />
Dealing with software bugs, patch management, and change control issues that can<br />
undermine effective access controls<br />
Defining the audit work program: tools and techniques for reviewing access controls<br />
in prominent system software and application environments<br />
Sources of industry best practice audit frameworks and checklists<br />
Learning Objectives:<br />
Key risks and compliance requirements associated with logical access control<br />
Key building blocks of logical access control<br />
Locating typical logical access control points in infrastructure and applications<br />
Industry best practices for logical access controls<br />
Tools and techniques for auditing logical access controls<br />
Prerequisite: Introduction to IT Controls or equivalent experience<br />
Learning Level: Intermediate<br />
Field of Study: Auditing<br />
About the Instructor<br />
Ken Cutler, CISSP, CISA, CISM<br />
Ken Cutler is a Senior Teaching Fellow with CPEi, specializing in technical audits of IT<br />
security and related IT controls. He is the President and Principal Consultant for Ken<br />
Cutler & Associates (KCA) InfoSec Assurance, an independent consulting firm delivering<br />
a wide array of Information Security and IT Audit management and technical<br />
professional services. He is also the Director – Q/ISP (Qualified Information Security<br />
Professional) programs for Security University.<br />
An internationally recognized consultant and trainer in the Information Security and IT<br />
audit fields, he is certified in and has conducted courses for: Certified Information<br />
Systems Security Professional (CISSP), Certified Information Security Manager (CISM),<br />
Certified Information Systems Auditor (CISA) and CompTIA Security+. In cooperation<br />
with Security University, he recently was featured in two full-length training videos on<br />
CISSP and Security+.<br />
Ken was formerly Vice-President of Information Security for MIS Training Institute<br />
(MISTI), and Chief Information Officer of Moore McCormack Resources, a Fortune 500<br />
company. He also directed company-wide IS programs for American Express Travel<br />
Related Services, Martin Marietta Data Systems, and Midlantic Banks, Inc.<br />
Ken has been a long-time active participant in international government and industry<br />
security standards initiatives, including:<br />
The President’s Commission on Critical Infrastructure Protection<br />
Generally Accepted System Security Principles (GSSP)<br />
Information Technology Security Evaluation Criteria (ITSEC)<br />
US Federal Criteria, and<br />
Department of Defense (DOD) Information Assurance Certification Initiative.<br />
He is a prolific author on information security topics. His publications include:<br />
Commercial International Security Requirements (CISR), a commercial<br />
alternative to military security standards for system security design criteria<br />
NIST SP 800-41, “Guidelines on Firewalls and Firewall Policy”, of which he was<br />
co-author, and<br />
Various works on security architecture, disaster recovery planning, wireless<br />
security, vulnerability testing, firewalls, single sign-on, and the Payment Card<br />
Industry Data Security Standard (PCI DSS).<br />
He has been frequently quoted in popular trade publications, including Computerworld,<br />
Information Security Magazine, Infoworld, InformationWeek, CIO Bulletin, and<br />
Healthcare Information Security Newsletter, and has been interviewed on the radio<br />
programs My Technology Lawyer and Talk America.<br />
Ken received a Bachelor of Science degree in Business Administration and Computer<br />
Science from SUNY Empire State College.<br />
TRACK K-1<br />
PLANNING FOR A SECURED AND CONTROLLED IPV6 IMPLEMENTATION<br />
(JEFF KALWERISKY – MONDAY)<br />
7 CPEs<br />
Seminar Focus and Features<br />
When the current Internet Protocol, version 4, known as IPv4, was designed in the<br />
early days of the Internet, it was intended for a relatively small number of users in<br />
academia. The resulting design allowed for a maximum of a few billion addresses and<br />
completely ignored security. The security issue has, of course, been an ongoing and<br />
very costly problem for processing confidential data. With the exponential growth in<br />
the number of Internet users over the past decade, we are out of IP addresses!<br />
The Internet architects designed IPv6 to provide a virtually unlimited number of<br />
addresses, eliminate the need for Network Address Translation (NAT), and provide strong data<br />
security and packet authentication via mandatory IPsec.<br />
Given the lack of new IP addresses, enterprises face an imminent conversion to IPv6.<br />
This will impact every aspect of their networks, internal and external, including routers,<br />
firewalls, desktops, laptops, and mobile devices.<br />
Learning Objectives<br />
Understanding IPv6 concepts<br />
Learn how to assess conversion issues<br />
Prepare information security for IPv6<br />
Develop IPv6-related policies and procedures<br />
Prerequisite: Detailed understanding of networking, DNS, network routing, the OSI<br />
layers, and working knowledge of network security.<br />
Learning Level: Advanced<br />
Field of Study: Auditing<br />
About the Instructor<br />
Jeff Kalwerisky, CA, CISA<br />
Jeff Kalwerisky, Vice President and Director, Information Security and Technical<br />
Training at CPE Interactive, has specialized in information security, information risk<br />
management and IT auditing for over 20 years. He currently focuses on information<br />
risk, IT security governance and frameworks, and secure software development.<br />
He has held executive positions in information security and risk management with the<br />
consulting firms Accenture and Booz Allen Hamilton. In both capacities he has consulted<br />
with Fortune 100 companies and national governments, assisting in their development and<br />
deployment of enterprise security governance policies and frameworks, and of technology<br />
solutions that strengthen information security and data privacy/protection. He served as<br />
infrastructure security architect on the British Government's National Health Service<br />
electronic health record project, the world's largest electronic medical records<br />
deployment, where he developed security governance to oversee 1,500 software architects<br />
and developers.<br />
As manager of global security for VeriSign, he was responsible for ensuring that affiliate<br />
companies in 30 countries adhered to VeriSign's military-grade security standards<br />
appropriate to a global certification authority, which he helped to design and deploy.<br />
Jeff was a partner with a major audit firm in South Africa and a consultant with<br />
PricewaterhouseCoopers.<br />
He has published security and audit guides, and has developed training courses<br />
throughout the USA and internationally on a wide range of technical topics focusing on<br />
Windows security, secure e-commerce, IT auditing, cryptography and biometric<br />
security.<br />
Jeff is originally from South Africa, where he received a Bachelor of Science in Physics<br />
and Math and a Master of Science in Computer Science from the University of the<br />
Witwatersrand, Johannesburg, and a Master's in Finance and Auditing from the University<br />
of South Africa, Pretoria. He is a Chartered Accountant (SA) and a Certified Information<br />
Systems Auditor.<br />
TRACK K-2<br />
HOW TO PERFORM A GENERAL IT CONTROLS REVIEW<br />
(NORM KELSON, TUESDAY-WEDNESDAY)<br />
15 CPEs<br />
Seminar Focus and Features<br />
The basis for all auditing is reliance on a control environment. The general controls<br />
review assesses the IT control environment and, through the evaluation of specific<br />
control activities, monitoring and communications, and risk assessment, provides the<br />
basis for the assessment's conclusion. The process itself focuses on numerous areas<br />
affecting IT management, data integrity, accuracy, and security, as well as availability.<br />
This session focuses on the planning, execution, and reporting of general IT controls<br />
reviews. Recognizing that the scope of the review is too wide to perform as one<br />
omnibus review, we will provide you with an approach to assessing the highest-risk<br />
areas, focusing on these on a routine basis, and developing a cycle approach to the less<br />
significant control processes. In addition, the course utilizes a maturity model, an<br />
objective, repeatable assessment basis that provides management with a measurement<br />
that can show improvement of controls over time.<br />
Learning Objectives:<br />
Plan and execute a general controls review<br />
Utilize risk assessment techniques to address the highest-risk control issues<br />
Provide management with a meaningful assessment of the maturity of the controls.<br />
Prerequisite: None<br />
Learning Level: Basic<br />
Field of Study: Auditing<br />
REGISTRATION INFORMATION<br />
Participation is limited. Registration will be accepted on a first-come, first-served basis.<br />
Pricing has been established to provide the maximum educational benefit for the lowest<br />
cost. Therefore, we will not be offering discounts from the established prices for early<br />
registration, membership affiliation or groups. Dress code for the conference is<br />
business casual.<br />
Morning refreshments will be provided from 7:30 – 8:30 AM, and general sessions will<br />
be from 8:30 AM – 4:30 PM each day. Lunch will be provided daily with vegetarian<br />
options.<br />
Due to circumstances outside of our control, we may find it necessary to reschedule or<br />
cancel sessions, or change instructors. We will give registrants advance notice of such<br />
changes, if possible.<br />
Payment and Cancellation Policy<br />
Please note that all times are stated in Eastern Standard Time (EST). All reservations must<br />
be made online at www.isaca-det.org or www.detroitiia.org. Telephone, fax, and mail-in<br />
registrations will not be accepted.<br />
All payments must be received by midnight 2/25/14. Payments may be made at the<br />
time of registration using Visa, MasterCard, Discover, or American Express, or check<br />
payments may be mailed to the address listed below.<br />
Cancellations may be made online until midnight on Tuesday 2/25/14 without penalty.<br />
Any cancellation received after midnight on Tuesday 2/25/14 and before midnight on<br />
Monday 3/3/14 will be charged a non-refundable service fee based on the CPEs of the<br />
registered course being cancelled. No refunds will be given for registrations that are<br />
cancelled after midnight 3/3/14.<br />
Non-Refundable Service Fee by Course Length<br />
7 CPEs: $25<br />
15 CPEs: $50<br />
22 CPEs: $75<br />
Payments (payable to: IIA Detroit) should be mailed to the address below. Please do<br />
not remit payment to the ISACA Detroit Chapter. Conference or registration questions<br />
should be sent to administrator@isaca-det.org.<br />
IIA - ISACA Spring Conference<br />
Geralyn Jarmoluk – Administrator<br />
78850 McKay Rd<br />
Romeo, MI 48065<br />
Hotel Information<br />
The spring conference committee has arranged for a discounted rate at the DoubleTree Hotel<br />
Detroit/Dearborn. Register by 2/1/2014 and request the "IIA & ISACA Spring Seminar<br />
Discount" to receive a rate of $108 per room per night. The DoubleTree Hotel is located at<br />
5801 Southfield Expressway, Detroit, MI 48228. Telephone: 1-313-336-3340.<br />
TRACK INFORMATION<br />
Track  Session (CPEs)  Dates  Fee<br />
A-1  Listening and Positive Influencing Skills (7 CPEs)  3/10  $275<br />
A-2  Effective Interviewing Skills (7 CPEs)  3/11  $275<br />
A-3  Managing Resistance and Conflict Before, During, and After an Audit (7 CPEs)  3/12  $275<br />
B-1  Organizational Ethics and Compliance: Auditing to Ensure a World-class Program (7 CPEs)  3/10  $275<br />
B-2  Procurement Fraud: Tools and Techniques to Detect, Investigate and Manage this Growing Risk (7 CPEs)  3/11  $275<br />
B-3  Forensic Interview and Interrogation: Learning the Path to Effective Truth Telling (7 CPEs)  3/12  $275<br />
C  Internal Audit University (22 CPEs)  3/10-3/12  $825<br />
D  Risk-Based Auditing (22 CPEs)  3/10-3/12  $825<br />
E  Intermediate ACL (22 CPEs)  3/10-3/12  $825<br />
F-1  Auditing IT Outsourcing (7 CPEs)  3/10  $275<br />
F-2  Assessing Data Integrity (15 CPEs)  3/11-3/12  $550<br />
G-1  Cyber Security and Emerging Risks (7 CPEs)  3/10  $275<br />
G-2  Ethical Hacking (15 CPEs)  3/11-3/12  $550<br />
H  COSO (15 CPEs)  3/11-3/12  $550<br />
I  COBIT 5 (22 CPEs)  3/10-3/12  $825<br />
J  Identity and Access Management (22 CPEs)  3/10-3/12  $825<br />
K-1  Planning for a Secure and Controlled IPv6 Implementation (7 CPEs)  3/10  $275<br />
K-2  How to Perform an IT General Controls Review (15 CPEs)  3/11-3/12  $550<br />
Conference Location<br />
University of Michigan Dearborn - Fairlane Center North<br />
19000 Hubbard<br />
Dearborn MI 48126<br />
(Park in rear lot – north end of complex)<br />
From the West<br />
Take I-94 East to Southfield (M-39) and exit north. Follow Southfield (North) to the Michigan Ave. (U.S. 12) exit. Stay<br />
on the Southfield Service Drive to Hubbard Drive and turn left. Follow Hubbard Drive and turn right into the southern<br />
entrance of the UM-Dearborn/Fairlane Center (the marquee reads "The University of Michigan-Dearborn/Fairlane<br />
Center"). Follow the entrance road to the back and turn left at the stop sign; the North Building will be on your<br />
left-hand side. Parking is directly across from the North Building.<br />
From the East<br />
Take I-94 West to Southfield (M-39) and exit north. Follow Southfield (North) to the Michigan Ave. (U.S. 12) exit. Stay<br />
on the Southfield Service Drive to Hubbard Drive and turn left. Follow Hubbard Drive and turn right into the southern<br />
entrance of the UM-Dearborn/Fairlane Center (the marquee reads "The University of Michigan-Dearborn/Fairlane<br />
Center"). Follow the entrance road to the back and turn left at the stop sign; the North Building will be on your<br />
left-hand side. Parking is directly across from the North Building.<br />
From the South<br />
Take Southfield (M-39) north to the Michigan Avenue exit. Stay on the Southfield Service Drive to Hubbard Drive and<br />
turn left. Follow Hubbard Drive and turn right into the southern entrance of the UM-Dearborn/Fairlane Center (the<br />
marquee reads "The University of Michigan-Dearborn/Fairlane Center"). Follow the entrance road to the back and turn<br />
left at the stop sign; the North Building will be on your left-hand side. Parking is directly across from the North<br />
Building.<br />
From the North<br />
Take Southfield (M-39) south to the Ford Road exit. Stay on the Ford Road Service Drive to Hubbard Drive and turn<br />
right. Follow Hubbard Drive and turn right into the southern entrance of the UM-Dearborn/Fairlane Center (the<br />
marquee reads "The University of Michigan-Dearborn/Fairlane Center"). Follow the entrance road to the back and turn<br />
left at the stop sign; the North Building will be on your left-hand side. Parking is directly across from the North<br />
Building.<br />