2015_Seminar_Brochure - Chapters Site

16TH ANNUAL
IIA and ISACA Spring Conference
MARCH 9-11, 2015
University of Michigan-Dearborn
Fairlane Center
Welcome
If you are responsible for your company's internal auditing, information systems
security and integrity, accounting, finance, Sarbanes-Oxley compliance or other
regulatory matters, or simply getting back to the basics, you will want to join us for
the 16th annual Detroit Spring Conference.
The Detroit Chapters of the IIA and ISACA are proud to co-sponsor the annual Spring
Conference. Each year, the conference committee spends a considerable amount of
time planning a comprehensive series of course offerings for our members and guests.
The 2015 event is no exception.
A number of classes sell out each year, so register early. Don't miss this opportunity to
network with your peers, enhance your skills, and learn about new products and
services in the marketplace! Our goal is to provide a world-class caliber training
conference tailored to your needs.
Class size and materials are limited. To be fair and equitable to all, we operate on a
first-come, first-served basis and maintain a wait list for all sold-out courses. Therefore,
registrants are required to attend the course(s) for which they registered unless they
receive prior written approval from the Conference Chair. Registrants attending
unauthorized classes will not be awarded CPE credits.
We look forward to seeing you at the Spring Conference.
- The 2015 Spring Conference Committee
RETURNING THIS YEAR–VENDOR EXPO!
We have invited many audit and assurance vendors to set up displays during the
conference giving you an opportunity to learn about products and partners that are in
the marketplace, and their associated benefits for your organization.
A special thanks to our Platinum Sponsors, who continue to give generous support to this annual event!
Monday Lunch – Experis Finance
Tuesday Lunch – PwC
Wednesday Lunch – Accretive Solutions
Special Thanks to our 2014 Vendors
Platinum Vendors
Accretive Solutions
Experis Finance
PwC
Gold Vendors
BDO
KPMG
Orion Solutions Group
Plante Moran
Resources Global Professionals
Thomson Reuters
2015 CONFERENCE PROGRAM
Monday March 9, Tuesday March 10, Wednesday March 11

Track A (Paul Zikmund)
  Monday: Embezzlement: Techniques to Detect, Investigate, and Remediate Loss of Assets
  Tuesday: Auditing for Fraud: Tools, Techniques, and Guidance
  Wednesday: Auditing Ethics and Compliance Programs & Controls
Track B (Don Levonius)
  Monday: Communicating for Results
  Tuesday: Critical Thinking: Evaluating & Presenting Arguments (Without Being Argumentative)
  Wednesday: Mastering the Art of Facilitation
Track C (Jim Roth)
  Monday: Report Writing
  Tuesday-Wednesday: Risk-based Auditing and Reporting
Track D (Mark Nigrini), Monday-Wednesday: Forensic Analytics: Methods & Techniques for Financial Investigations
Track E (Kathleen Crawford), Monday-Wednesday: Project Management
Track F (Greg Duckert), Monday-Wednesday: Auditing ERM
Track G (Dr. Hernan Murdock), Monday-Wednesday: Internal Audit University
Track H (Tom Salzman), Monday-Wednesday: Auditing the Application System Development Process
Track I (John Tannahill)
  Monday: Windows 7 Security and Audit
  Tuesday-Wednesday: Cyber Security
Tracks J, K, L
  Compliance with PCI (Ken Cutler)
  Auditing the DMZ (Ken Cutler)
  Planning an IT Security Strategy (Jeff Kalwerisky)
  Threat Modeling (Jeff Kalwerisky)
  Auditing Information Security Governance & Control (Norm Kelson)
  Briefing on Current Technology (Norm Kelson)
TRACK A-1
EMBEZZLEMENT: TECHNIQUES TO DETECT, INVESTIGATE,
AND REMEDIATE LOSS OF ASSETS
(PAUL ZIKMUND, MONDAY)
7 CPEs
Seminar Focus and Features
Embezzlement is the act of wrongfully appropriating funds that have been entrusted
into the care of another but which are owned by someone else. The most common
example of embezzlement is by employees. Employee theft is also a significant problem
for businesses, and both can drain a company of its assets, reduce employee morale,
and disrupt business operations.
This session is designed to equip attendees with the skills and knowledge needed to deter,
detect, and respond to instances of employee embezzlement. Attendees will learn
methods to investigate this fraud, including evidence management, report writing, and
guidance on proper remediation, including civil and criminal prosecution. Attendees will
also learn methods to reduce the risk through proper controls, monitoring, and
programs designed to mitigate loss.
Prerequisite: None
Learning Level: Basic
Field of Study: Auditing
TRACK A-2
AUDITING FOR FRAUD: TOOLS, TECHNIQUES, AND GUIDANCE
(PAUL ZIKMUND, TUESDAY)
7 CPEs
Seminar Focus and Features
The reliance upon auditors to detect red flags of fraud continues to increase. Guidance
related to internal and external auditors places more emphasis on professional
skepticism, use of forensic procedures, and fraud detection techniques. Auditors are
now faced with an increasing challenge to detect instances of fraud during the audit.
This course covers the practical side of detecting red flags of fraud during the audit.
Attendees will learn the art of fraud detection through lecture, case studies and in class
breakout sessions designed to facilitate critical thinking skills to better detect red flags
of fraud.
Attendees are expected to develop an understanding of the following concepts:
the elements of fraud, why people commit fraud, fraud detection and deterrence,
and the elements of financial statement fraud and asset misappropriation schemes.
Topics will include:
• Designing audit programs to detect red flags of fraud
• Fraud detection and investigation tools & techniques
• Case studies to enhance critical thinking skills
Prerequisite: None
Learning Level: Basic
Field of Study: Auditing
TRACK A-3
AUDITING ETHICS AND COMPLIANCE PROGRAMS & CONTROLS
(PAUL ZIKMUND, WEDNESDAY)
7 CPEs
Seminar Focus and Features
An organizational compliance program is an important mechanism to help improve
effective governance. Auditing and evaluating compliance programs and controls are
critical to the success of any program, not something performed only to keep the regulators
happy. Compliance with regulatory requirements and the organization’s own policies
is a critical component of effective risk management. A well-designed and effectively
administered compliance program helps organizations achieve business goals, maintain
ethical health, support long-term prosperity, and preserve and promote
organizational values.
A well-designed internal audit plays an important role in evaluating the effectiveness
and efficiency of the organization’s compliance program. In this session, attendees will
learn the following:
1. Hallmarks of an effective compliance program
2. Auditing procedures for compliance programs
3. Communicating results to obtain best results
4. Determination of key compliance risks
5. Leveraging strategic partnerships to ensure success
Prerequisite: None
Learning Level: Basic
Field of Study: Auditing
About the Instructor
Paul E. Zikmund, CFE, CFFA, CFD
Paul E. Zikmund serves as Director, Global Ethics and Compliance, at Bunge in White
Plains, NY. He is responsible for managing and conducting investigations of fraud and
misconduct, implementing fraud detective techniques, administering the company’s
fraud risk assessment process, and managing anti-fraud programs and controls
designed to reduce the risk of fraud within the company.
Prior to joining Bunge, Paul worked as the Senior Director Forensic Audit responsible for
developing, implementing, and administering fraud risk management services at Tyco
and to clients in Princeton, NJ, and as the Director Litigation Support Services at
Amper, Politziner, & Mattia, LLP, in Philadelphia, PA.
He possesses nearly 20 years of experience in this field and has effectively managed
global fraud and forensic teams at various Fortune 500 companies.
Paul, who is a Certified Fraud Examiner, Certified Fraud Deterrence Specialist, and
Certified Forensic Financial Analyst, has designed and implemented programs to detect
and investigate instances of fraud. Paul also conducts fraud risk assessments and fraud
awareness training to help detect and deter fraud within organizations. His public and
private sector experience includes the investigation of complex financial frauds,
conducting forensic audit engagements, and providing litigation support for a variety of
industries.
Before joining Amper, Paul was a Principal, Fraud and Forensic Services at
SolomonEdwardsGroup, LLC and a Senior Manager – Enterprise Risk Services with
Deloitte and Touche, LLP. Prior to that, he served in a variety of in-house fraud and
forensic investigative roles with The Dow Chemical Company, Nortel Networks, and
Union Carbide Corporation. He began his career as a Municipal Police Officer, and then
a State Trooper and Special Agent with the Attorney General’s Office for the
Commonwealth of Pennsylvania.
Paul received a Bachelor of Science degree in the Administration of Justice and a
Certificate of Accountancy from The University of Pittsburgh. He continued his
education with a Masters of Business Administration at the University of Connecticut
and a Masters of Accountancy at Auburn University. Paul has authored various articles
relating to fraud detection, prevention, and investigation. He speaks regularly at
seminars and conferences on the topic of fraud and also teaches a graduate level fraud
and forensic accounting course at Rider University in New Jersey and LaSalle University
in Philadelphia.
TRACK B-1
COMMUNICATING FOR RESULTS
(DON LEVONIUS – MONDAY)
7 CPEs
Seminar Focus and Features
According to research, communication is the number one competency sought by
employers and a skill that separates leaders from losers. Average communicators
experience miscommunication, misunderstanding, and missed opportunities. But
effective communicators are like thought leader E.F. Hutton – when they talk, people
listen – and when people listen to a thought leader, results are inevitable. This course
helps learners recognize and overcome complex communication issues and enhance
their verbal and non-verbal communication skills.
By the end of this course, learners should be able to:
• Describe key elements, principles, and characteristics of communication
• Identify common root causes of personal and organizational miscommunication
• Recognize and compensate for factors that distort perception
• Convey information openly and listen and respond to others effectively
• Apply impromptu and persuasive communication techniques to influence others
Prerequisite: None
Learning Level: Basic
Field of Study: Auditing
TRACK B-2
CRITICAL THINKING: EVALUATING & PRESENTING
ARGUMENTS (WITHOUT BEING ARGUMENTATIVE)
(DON LEVONIUS – TUESDAY)
7 CPEs
Seminar Focus and Features
Critical thinking is NOT about being critical of others; it is an essential skill that enables
professionals to analyze problems and evaluate evidence in order to find reasoned
solutions and make logical recommendations that help others. This course helps
participants learn to view and apply critical thinking as a process that will help them
focus on facts while avoiding emotions, errors, opinions, and fallacies.
By the end of this course, learners should be able to:
• Differentiate between facts and opinions
• Recognize and avoid critical thinking errors and logical fallacies
• Identify underlying assumptions
• Evaluate evidence objectively
• Implement the critical thinking process in business situations
Prerequisite: None
Learning Level: Basic
Field of Study: Auditing
TRACK B-3
MASTERING THE ART OF FACILITATION
(DON LEVONIUS – WEDNESDAY)
7 CPEs
Seminar Focus and Features
Whether your work requires you to facilitate meetings, strategy sessions, training
classes or control self-assessment workshops, your success is dependent on your ability
to master the facilitation skills used by professionals. Based on years of professional
facilitation experience, this course shares some of the lesser known “tricks of the trade”
that will help even the most experienced facilitators get better results from the
classroom to the boardroom.
By the end of this course, learners should be able to:
• Describe essential elements of a conducive training or meeting environment
• Differentiate between informing and facilitating
• Explain why asking and listening is more constructive than telling
• Apply proven facilitation techniques to engage participants
• Demonstrate effective ways to manage disruptive behaviors
Prerequisite: None
Learning Level: Basic
Field of Study: Auditing
About the Instructor
Don Levonius
Don Levonius, M.A., Principal Consultant, Victory Performance Consulting is a
professional consultant, trainer, and national public speaker. Don draws on over 15
years of leadership experience, during which time he managed loss prevention and
fraud investigations for two department store chains, five distribution centers, and two
Disney theme parks, and led learning and development for 23 Disney hotels, 200 retail
and dining locations, a large transportation system, a security division, an international
college program, and a global internal audit association. Don also taught organizational
communication and security for the University of Central Florida and Lake-Sumter State
College. He holds a master’s degree in business and organizational security
management and a second master’s degree in human resource development.
Early in his 13-year Disney career, Don directed loss prevention and fraud
investigations for Disney’s Magic Kingdom and Animal Kingdom theme parks. Following
the 9/11 terrorist attacks, Don was asked to transform Disney security training to help
the company combat the emerging threat of terrorism. Having succeeded in that role,
Don was later promoted to lead operations and guest service training for all 23 Walt
Disney World hotels, 200 retail and dining locations, monorails, watercraft, and buses.
He subsequently became a senior leader of Disney University, the company’s corporate
university, overseeing education for its college and international programs.
Don was later hired by The Institute of Internal Auditors (IIA) to manage the design
and development of internal audit related training, and was soon promoted to direct the
delivery of over 200 seminars offered throughout the US annually.
Today, Don is Principal Consultant with Victory Performance Consulting, which has been
providing management consulting and training to business, law enforcement, and
association management clients since 2009.
TRACK C-1
REPORT WRITING
(JIM ROTH, MONDAY)
7 CPEs
Seminar Focus and Features
Learn a process that can improve your writing and cut your writing time in half. This
session focuses on unlearning bad habits and provides an opportunity to practice your
report writing skills with hands-on exercises. It also discusses why writing is hard,
barriers you can remove, and how to distinguish quality writing from personal style in
audit report writing.
During this session you will learn:
• How to develop effective findings and recommendations using the five attribute
approach and participative reporting.
• How to make good writing easy using the “smart” writing process: the three
steps in the “smart” writing process and why keeping them separate is key to
success.
• How to prepare an outline so simple and helpful you'll want to use it.
• How to use the paragraph model to cut your writing time in half.
• How to focus your writing on your most important readers.
• How to plan, organize, and write audit comments without editing, using hands-on
exercises.
This session also discusses:
• Trends and innovations in audit reports
• Trends and new approaches in alternate rating systems
• Techniques to give credit where credit is due
• Management action plan only
• Self-editing
• How to read what you wrote, not what you think you wrote
• Getting the fog out: short sentences, simple words
• The four-step approach to powerful self-editing
Prerequisite: None
Learning Level: Basic
Field of Study: Auditing
TRACK C-2
RISK-BASED AUDITING AND REPORTING
(JIM ROTH, TUESDAY-WEDNESDAY)
15 CPEs
Seminar Focus and Features
This session focuses on understanding an audit process used increasingly by world-class
audit departments, practicing the key skills used in this process, and employing proven
evaluation tools.
This two-day session covers an introduction to the COSO challenge (how to evaluate
soft controls) and participative auditing (getting your customer on the audit team).
Topics will include:
• Tools for Evaluating Soft Controls: evaluating the corporate culture
• A Better Audit Process: risk-based, participative, high-payback focus on evaluation
of system design:
  • Phase I - Planning: planning steps for a participative audit, identifying and
  assessing risk, characteristics of well-defined audit objectives.
  • Phase II - Evaluate the Adequacy of System Design: emerging internal
  control concepts and evaluating design, teaching your audit customer the
  risk assessment process, documenting internal controls.
  • Phase III - Evaluate the Effectiveness of Key Controls: fieldwork purpose
  and methods, tools for evaluating effectiveness of soft controls, a risk and
  control matrix for evaluating the control environment.
  • Phases I-III - Identify Opportunities for Improvement: five attribute
  approach, how to get buy-in, developing and reporting opportunities
  for improvement.
  • Phase IV - Reporting: audit reports and criteria for risk-rated audit issues.
Prerequisite: None
Learning Level: Intermediate
Field of Study: Auditing
About the Instructor
James Roth, PhD, CIA, CCSA, CRMA
James Roth, PhD, CIA, CCSA, CRMA, has three decades of progressive internal audit and
teaching experience. After twelve years as a practitioner, Jim formed AuditTrends in 1993.
Since then, Jim has focused on best practices in internal audit. His extensive research has
led to seven books and seven other major IIA publications, as well as eight AuditTrends
seminars and numerous articles and speeches.
Jim is the 2008 recipient of the IIA's Bradford Cadmus Memorial Award, which honors
"individuals making the greatest contribution to the advancement of the internal audit
profession."
Jim is one of the most highly rated speakers on internal audit, risk management, internal
control, and corporate governance. He has presented papers at 11 of the last 16 IIA
International Conferences, as well as regional and national conferences throughout North
America and Asia. Jim's expertise is not limited to emerging best practices. There is no
better developer or presenter of basic audit skills training on the market today.
TRACK D
FORENSIC ANALYTICS: METHODS & TECHNIQUES FOR
FINANCIAL INVESTIGATIONS
(MARK NIGRINI, MONDAY - WEDNESDAY)
22 CPEs
Seminar Focus and Features
This three-day workshop is a rare opportunity for an intensive, real-world, state-of-the-art
experience with a recognized expert in the forensic analytics field. This session will
review many of the topics covered in Forensic Analytics by Mark Nigrini, and draws
much of its material from the Master’s level Fraud Data Analysis class that he
teaches at West Virginia University.
On the first day, Nigrini will review the cycle of tests that begins with high-level overview
tests designed to identify large errors and to give the analyst a better understanding of
the data. The next set of tests is based on Benford’s Law, where the goal is to evaluate
the reasonableness of the data from a risk perspective and to identify abnormal
duplications of leading and ending digits. This is followed by a series of drill-down tests
that identify small samples of transactions that are at high risk of being fraudulent,
erroneous, inefficient, or biased in some way or other. The lecture will also cover the
risk scoring of forensic units, a technique designed to score transactions, employees,
vendors, franchisees, and others based on their fraud likelihood.
The second day will be hands-on time (using your data analysis software of choice, such
as Excel, Access, or IDEA) where you will be given an analytics task accompanied by
a workbook, which includes step-by-step screenshots to guide you to the correct
solution.
On the third day, the analytics tasks will more closely resemble a real-world project or
assignment without step-by-step guidance. The day will begin with a lecture on
attributes of fraudulent numbers that make them different from authentic numbers.
The remainder of the day will be spent analyzing the data of major fraud cases
involving property tax refunds and employee purchasing card transactions. Attendees
will be given requirements without step-by-step guidance. The requirements will be
solvable using the techniques learned during the previous two days.
No prior forensic or analytics experience will be assumed. Attendees do need to be
familiar with the basics of data analysis, such as importing data, the functions of Excel,
and preparing graphs or tables from the results of calculations or queries. Bring your
laptop; attendees can also work in teams and share laptops if needed.
Prerequisite: None
Learning Level: Basic
Field of Study: Auditing
About the Instructor
Mark J. Nigrini, PhD
Mark J. Nigrini, PhD, recently joined the faculty of the College of Business &
Economics at West Virginia University. The accounting department has a forensic
accounting program and also has the only Ph.D. program in forensic accounting in the
United States. Benford’s Law has been his research passion since his time as a Ph.D.
student. Frank Benford, a physicist in the 1930s, discovered that there were predictable
patterns to the digits in lists of numbers. His research showed that the smaller digits
(1s, 2s, and 3s) were expected to occur more often in scientific and financial data. Until
30 years ago Benford’s Law was a rather well-kept secret. Since then the phenomenon
has proved itself to be valuable to more and more people (mainly auditors in their
quest to uncover fraud in corporate data). Nigrini’s current research addresses
advanced theoretical work on Benford’s Law, applications of forensic analytics to areas
such as the detection of Ponzi schemes, and the legal framework of fraud convictions.
Nigrini is the author of Forensic Analytics (Wiley, 2011) which describes analytic tests
to detect fraud, errors, estimates, and biases in financial data. He is also the author of
Benford's Law (Wiley, 2012) which is the seminal work on applications of Benford’s
Law. His next book The Employee Fraud Pandemic will be published in 2015. His work
has been featured in national media including The Financial Times, New York Times,
and The Wall Street Journal and he has published papers on Benford’s Law in
accounting academic journals, scientific journals, and pure mathematics journals, as
well as professional publications such as Internal Auditor and Journal of Accountancy.
His radio interviews have included the BBC in London, and NPR in the United States. His
television interviews have included an appearance on NBC's Extra and an interview on a
fraud saga involving twins for the Investigation Discovery Channel. He regularly
presents professional seminars for accountants and auditors in the U.S., Canada,
Europe, and Asia with recent events in Singapore, Malaysia, and Switzerland and a
forthcoming event in Bahrain.
TRACK E
PROJECT MANAGEMENT
(KATHLEEN CRAWFORD, MONDAY-WEDNESDAY)
22 CPEs
Seminar Focus and Features
An audit is simply a project, yet few auditors take advantage of techniques used by
project managers to complete their projects on time and on budget. In three intensive
days you will learn the basics of project management, including how you can achieve
improved cost control, resource utilization, and more timely audit conclusions. You will
then apply these techniques to improving productivity in the internal audit process.
Using audit-specific examples, you will learn project planning, scheduling, control, and
decision support concepts and methodologies – the basics of project management.
Prerequisite: Fundamentals of Internal Auditing or equivalent experience.
Learning Level: Intermediate
Field of Study: Auditing
About the Instructor
Kathleen Crawford
Kathleen Crawford is a Senior Consultant for MIS Training Institute, and President of
Crawford Consulting and Communications, LLC, a firm specializing in assurance,
investigative, and advisory projects for small firms without an internal audit function.
Previously, Ms. Crawford was an Internal Auditor for Vinfen Corporation, where her
responsibilities included assisting management in standardizing operations, developing
policies and procedures, and improving processes. In addition, she investigated all
suspected financial crimes, collecting evidence to ensure successful prosecution and
recovery of company and client assets. Ms. Crawford trained other investigators in a
methodology for detecting and documenting fraud that met the unique compliance
requirements of MA Department of Health and Human Services.
She began her career as a bank auditor, first with Bank of New England, then Eastern
Bank, and State Street Bank. Her responsibilities in these institutions included internal
audits and fraud investigations.
A member of The Institute of Internal Auditors, Ms. Crawford is a past President of the
Greater Boston Chapter of The IIA. She is also a member of the Association of Certified
Fraud Examiners and the American Society for Training and Development.
Ms. Crawford serves as Treasurer of the Board of Trustees of the Foxborough Regional
Charter School and its foundation, Friends of FRCS.
TRACK F
AUDITING ERM
(GREG DUCKERT, MONDAY-WEDNESDAY)
22 CPEs
Seminar Focus and Features
With the advent of corporate governance strategies that must embrace the entire
organization, enterprise-wide risk has taken on critical dimensions of importance. In
addition, the SEC and PCAOB have concluded that the key to effective compliance is a
“top-down, risk-based approach.” When properly defined and implemented, ERM
provides the ideal baseline for this process.
In this intensive three-day seminar you will cover alternative methods, structures and
tools that can be used for establishing an ERM. You will learn how to define which
aspects need to be audited and how to audit them, gain an understanding of the key
qualities that an ERM should possess and discover why they are critical. You will explore
the integration of controls and business risk and find out how an oversight tool can be
created that can be owned by operations and that will yield real business returns.
On the last day of this seminar you will work through a case study that will allow you to
put into use what you learned as you are challenged to determine the most appropriate
audit tools, techniques, and process for evaluating an ERM situation.
You and your colleagues will design the audit process and apply it to your report on the
issues of merit. You will leave this session with a solid understanding of how a
well-structured ERM process should operate, what is critical to its success or failure, and
how to audit it to determine its efficacy.
Prerequisite: Risk School, or equivalent risk assessment experience.
Learning Level: Intermediate
Field: Auditing
About the Instructor
Greg Duckert, CIA, CISA, CMA, CPA
Greg Duckert is CEO of Audit, Inc., a consulting firm specializing in risk assessment
models, operational analysis, and audit process methodologies designed to maximize
returns to the organization. Mr. Duckert is also a Senior Consultant for MIS Training
Institute and has over 30 years of national and international experience as an
Internal/IS Audit Director. Mr. Duckert has held Audit Director positions in the
manufacturing, construction and healthcare industries, assuming responsibilities for
financial, operational, and information systems auditing functions. His information
systems expertise includes application audits, software acquisition, systems
development, controls, security design, adequacy and implementation, and systems
operational efficiencies. He has performed consulting services in IS, financial, and
operational audits, as well as in business acquisitions and start-ups.
TRACK G
INTERNAL AUDIT UNIVERSITY
(DR. HERNAN MURDOCK, MONDAY-WEDNESDAY)
22 CPEs
Seminar Focus and Features
In this intensive three-day seminar you will master fundamental operational auditing
techniques and learn how to use a risk-based approach to enhance your audits of the
Purchasing, Marketing, Human Resources, Information Technology (IT), Management,
Finance / Treasury, and Accounting functions.
You will explore the objectives of major business operation areas and learn how to
identify the key risks threatening them. You will find out how to make your audits more
efficient and effective and how to use data analytics to gain an in-depth understanding
of business processes. You will cover critical areas such as the impact of SOX, ERM, and
GRC on the organization, uncovering fraud schemes that threaten business operations,
and the role of IA in helping management build strong risk management and strategic
planning processes. You will leave this high-impact seminar with the skills necessary to
go beyond outputs and to examine the organization’s ability to achieve the necessary
outcomes.
Prerequisite: None
Learning Level: Basic
Field of Study: Auditing
About the Instructor
Dr. Hernan Murdock, CIA, CRMA
Dr. Hernan Murdock is a Senior Consultant with MIS Training Institute. Prior to MIS, he
was the Director of Training at Control Solutions International where he oversaw the
company's training and employee development program. Previously, he was a Senior
Project Manager leading audit and consulting projects for clients in the manufacturing,
transportation, high-tech, education, insurance, and power generation industries. He
authored the books 10 Key Techniques to Improve Team Productivity and Using
Surveys in Internal Auditing, and articles on whistleblowing programs, international
auditing, mentoring programs, fraud, deception, corporate social responsibility, and
behavioral profiling.
TRACK H
AUDITING THE APPLICATION SYSTEM DEVELOPMENT PROCESS
(TOM SALZMAN, MONDAY - WEDNESDAY)
21 CPEs
Seminar Focus and Features
In this three-day seminar you will explore proven audit strategies that will enable you
to efficiently audit and evaluate application systems development in a variety of
technical environments. You will review common application development risks, how
to overcome them, and what you must do to meet the new internal control and
documentation requirements of SOX. You will drill down to the unique risks associated
with purchased, in-house, and web-based applications and learn what you can do to
minimize them. You will cover RAD, implementation and change control, design
specifications, testing, project management, and application software inventory control.
You will receive audit programs, questionnaires, and sample audit findings you can put
to use immediately.
Prerequisite: IT Auditing and Controls, IT Audit School, or equivalent experience.
Learning Level: Intermediate
Field: Auditing
About the Instructor
Thomas Salzman CISA
Thomas Salzman, CISA, is IS Audit Manager for Illinois State University. Previously, Mr.
Salzman was Director of Professional Services for ISACA. He also served as editor and
co-author of the ISACA CISA Review Manual. Prior to joining ISACA, Mr. Salzman was
with Coopers & Lybrand, heading their Technical Training and Information Security
practices.
TRACK I-1
WINDOWS 7 SECURITY AND AUDIT
(JOHN TANNAHILL, MONDAY)
7 CPEs
Seminar Focus and Features
This seminar will focus on the security and control issues related to Windows 7
Operating Systems and related technology and infrastructure components. This
seminar will provide an understanding of key Windows 7 security components as well
as an understanding of key Windows 7 security risks. The key features of this session
include:
• Windows 7 Operating System Concepts
  • Operating System Overview
  • Key Differences from Windows 7; Windows XP Versions
  • Windows 8 Security Overview
  • Service Packs and Patch Levels
• Windows 7 Security Overview
  • Local Security Policy
  • User Accounts and Passwords
  • Windows Defender
  • User Account Control
  • Security Event Logs
  • Encryption
  • BitLocker
  • AppLocker
• Understanding Enterprise Components and Infrastructure
  • Windows 2008/2012 Server Security
  • Key Active Directory Security Areas for Member Workstations
  • Client Security Baselines
  • Network Access Protection
  • Remote Desktop
• Understanding Windows Firewall and Advanced Security Features
• Securing the Windows 7 Operating System Environment Using Security Baselines
• Top 10 Windows 7 Security Risks: case study to identify risks and develop a control
strategy
• Security Tools & Techniques: demonstrations of security tools, resource sites,
and information
Prerequisite: None
Learning Level: Basic
Field of Study: Auditing
TRACK I-2
CYBER SECURITY
(JOHN TANNAHILL, TUESDAY-WEDNESDAY)
15 CPEs
Seminar Focus and Features
This course will focus on the risk and control issues related to cyber security and
emerging information security and technology.
Key Learning Objectives include:
Understanding cyber security risk and control issues:
- Key concepts and relationship to business organizations
- Cybercrime (crime and espionage)
- Cyber warfare and cyber terrorism (nation-to-nation attacks)
Understanding emerging risk areas:
- Overview of the threat landscape
- Malware: Eurograbber; Flame; Stuxnet
- Command & Control; botnets; denial of service; fraud
- Other malware
Discussion of security and audit tools and techniques:
- Questions auditors should ask about how the organization should protect its
  IT infrastructure and corporate information from cyber security threats
- Risk and control areas and key control requirements
- Malware management and application whitelisting
- Incident management
- Security awareness
- Cyber security and cyber warfare
- Advanced Persistent Threats (APT)
- Malware
Prerequisite: None
Learning Level: Intermediate
Field of Study: Auditing
About the Instructor
John Tannahill, CA, CISM, CGEIT, CRISC
John Tannahill, CA, CISM, CGEIT, CRISC is a management consultant specializing in
information security and audit services. His current focus is on information security
management and control in large information systems environments and networks. His
specific areas of technical expertise include UNIX and Windows operating system
security, network security, and Oracle and Microsoft SQL Server security. John is a
frequent speaker in Canada, Europe and the US on the subject of information security
and audit.
John is a member of the Toronto ISACA Chapter and has spoken at many ISACA
Conferences and Chapter Events including ISACA Training Weeks; North America CACS;
EuroCACS; Asia-Pacific CACS; and International and Network and Information Security
Conferences.
He is the 2008 recipient of the ISACA John Kuyer Best Speaker/Best Conference
Contributor Award.
TRACK J-1
COMPLIANCE WITH PCI
(KEN CUTLER, MONDAY)
7 CPEs
Seminar Focus and Features
The Payment Card Industry Data Security Standard (PCI DSS) is designed to
protect credit card information wherever and whenever it is processed, stored, or
transmitted, and to ensure that members, merchants, and service providers maintain
the highest security standards. Meeting the twelve (12) requirements of this evolving
standard can be a daunting challenge, and non-compliance can result in costly fines,
loss of valuable retail customers, and continued vulnerability to serious payment card
data attacks.
In this practical seminar, you will gain solid familiarity with the current PCI DSS and
recent significant changes, and get proven tips on how best to overcome compliance
challenges. You will examine a summary of the compliance requirements and cover
practical solutions, potential risks, and common pitfalls. Highlights of the security
controls necessary to satisfy PCI DSS requirements will be presented using a practical,
commonsense methodology that emphasizes a top-down, structured implementation
approach to day-to-day business operations.
Prerequisite: How to Perform an IT General Controls Review or equivalent training. A
basic understanding of IT audit controls and terminology is assumed.
Learning Level: Intermediate
Field of Study: Auditing
About the Instructor
Ken Cutler, CISSP, CISA, CISM
Ken Cutler is a Senior Teaching Fellow with CPEi, specializing in Technical Audits of IT
Security and related IT controls. He is the President and Principal Consultant for Ken
Cutler & Associates (KCA) InfoSec Assurance, an independent consulting firm delivering
a wide array of Information Security and IT Audit management and technical
professional services. He is also the Director – Q/ISP (Qualified Information Security
Professional) programs for Security University.
An internationally recognized consultant and trainer in the Information Security and IT
audit fields, he is certified and has conducted courses for: Certified Information
Systems Security Professional (CISSP), Certified Information Security Manager (CISM),
Certified Information Systems Auditor (CISA) and CompTIA Security+. In cooperation
with Security University, he recently was featured in two full length training videos on
CISSP and Security+.
Ken was formerly Vice-President of Information Security for MIS Training Institute
(MISTI), and Chief Information Officer of Moore McCormack Resources, a Fortune 500
company. He also directed company-wide IS programs for American Express Travel
Related Services, Martin Marietta Data Systems, and Midlantic Banks, Inc.
Ken has been a long-time active participant in international government and industry
security standards initiatives, including:
- The President's Commission on Critical Infrastructure Protection
- Generally Accepted System Security Principles (GSSP)
- Information Technology Security Evaluation Criteria (ITSEC)
- US Federal Criteria, and
- Department of Defense (DOD) Information Assurance Certification Initiative.
He is a prolific author on information security topics. His publications include:
- Commercial International Security Requirements (CISR), a commercial
  alternative to military security standards for system security design criteria
- NIST SP 800-41, "Guidelines on Firewalls and Firewall Policy", of which he was
  co-author, and
- Various works on security architecture, disaster recovery planning, wireless
  security, vulnerability testing, firewalls, single sign-on, and the Payment Card
  Industry Data Security Standard (PCI DSS).
He has been frequently quoted in popular trade publications, including Computerworld,
Information Security Magazine, Infoworld, InformationWeek, CIO Bulletin, and
Healthcare Information Security Newsletter, and has been interviewed in radio
programs My Technology Lawyer and Talk America.
Ken received a Bachelor of Science degree in Business Administration and Computer
Science from SUNY Empire State College.
TRACK J-2
PLANNING AN IT SECURITY STRATEGY
(JEFF KALWERISKY, TUESDAY-WEDNESDAY)
15 CPEs
Seminar Focus and Features
Historically, IT security was focused on physical security, preventing malware, and
defending against the onslaught of spam. External security focused on firewalls and
intrusion detection/prevention devices at the network level. The threat has
metamorphosed into criminal attacks on the enterprise’s primary assets: its sensitive
business information and its operations. In response to numerous cases of enterprises
losing sensitive or proprietary information – customers’ or patients’ personal details,
credit card numbers, social security numbers, medical histories, and more – the burden
of privacy laws and regulations has also mushroomed, creating major compliance
issues for the IT security function.
The focus has changed from network protection at the least possible cost to the “WSJ
Test” – no corporate executive wants to be on the front page of a major newspaper
associated with yet another data breach or a significant operational disruption.
IT security is now on the literal front line in the never-ending struggle to prevent data
leakage and operational disruption.
We will discuss:
- The real and present threats to the enterprise, with actual case studies
- What information is actually sensitive
- Why it is so difficult to know where that information is located
- The major areas to be included in a best-of-breed security strategy
- How data loss prevention has moved to the front of the bus
- Information security strategy in a federated world
- Effective metrics to manage IT security and communicate with business
  management
- Making IT security a valued and proactive partner in the business
Prerequisites: Understanding of risk management processes and basic information
security concepts
Learning Level: Intermediate
Field of Study: Auditing
About the Instructor
Jeff Kalwerisky, CA, CISA
Jeff Kalwerisky, Vice President and Director, Information Security and Technical
Training at CPE Interactive, has specialized in information security, information risk
management and IT auditing for over 20 years. He currently focuses on information
risk, IT security governance and frameworks, and secure software development.
He has held executive positions in information security and risk management with
Accenture and Booz Allen Hamilton consulting firms. In both of these capacities, he has
consulted with Fortune 100 companies and national governments, assisting in their
development and deployment of enterprise security governance policies and
frameworks, and technology solutions that strengthen information security and data
privacy/protection. He served as infrastructure security architect on the world's largest
electronic health project on behalf of the British Government’s National Health Service,
the world’s largest electronic medical records deployment project, where he developed
security governance to oversee 1,500 software architects and developers.
As manager of global security for VeriSign, he was responsible for ensuring that affiliate
companies in 30 countries adhered to VeriSign’s military‐grade security standards
appropriate to a global certification authority, which he helped to design and deploy.
Jeff was a partner with a major audit firm in South Africa and a consultant with
PricewaterhouseCoopers.
He has published security and audit guides, and has developed training courses
throughout the USA and internationally on a wide range of technical topics focusing on
Windows security, secure e‐commerce, IT auditing, cryptography and biometric
security.
Jeff is originally from South Africa, where he received a Bachelor of Science in Physics
and Math and a Master of Science in Computer Science from the University of the
Witwatersrand, Johannesburg, and a Master's in Finance and Auditing from the University
of South Africa, Pretoria. He is a Chartered Accountant (South Africa) and a Certified
Information Systems Auditor.
TRACK K-1
THREAT MODELING
(JEFF KALWERISKY, MONDAY)
7 CPEs
Seminar Focus and Features
Threat Modeling is a methodology for documenting potential risks and vulnerabilities in
information systems (applications, networks, etc.). It allows auditors and information
security specialists to focus on, and document, specific classes of threats and control
weaknesses together with the relevant remediation or compensating controls. Using a
standard form of data flow diagrams (DFDs), anything from parts of an application to an
entire system can be documented in a standard format that can be understood by
developers, auditors, information security specialists, and management.
All of this information can be stored in a database which forms an electronic trail, over
the entire lifecycle (SDLC) of the application or system, of the vulnerabilities and
control weaknesses inherent in the system and the corresponding resolution or
corrective action. Review of the database records can then be mapped to continuous
monitoring and continuous auditing processes.
We will discuss:
- The major classes of threats, known by the acronym STRIDE
- Building threat surfaces for applications and systems, in production or in
  development
- Data flow diagrams (DFDs) for documenting threat surfaces
- Building a threat model: hands-on case studies
- Creating a database of the threat surface for the life of the application/system
Prerequisite: A basic understanding of information security, IT controls, and
flowcharting techniques.
Learning Level: Intermediate
Field of Study: Auditing
TRACK K-2
AUDITING INFORMATION SECURITY
GOVERNANCE AND CONTROL
(NORM KELSON, TUESDAY-WEDNESDAY)
15 CPEs
Seminar Focus and Features
Many important IT controls are related to the protection of valuable information assets
and increasingly demanding regulatory compliance requirements. In this highly
practical workshop, you will cover the essential background information, resources,
tools, and techniques necessary to plan and launch a wide range of hard-hitting,
cost-effective information security audits that should be performed by internal and external
auditors, information security professionals, and IT staff. You will explore not only
management and administrative controls, but also the fundamentals of important
logical security controls for protecting valuable information assets and associated IT
resources. You will receive a variety of invaluable checklists, matrices, and other
worksheet tools.
In this seminar, we will discuss:
- Major risks to information security
- Compliance targets
- Information security scope and components
- Tools and techniques for assessing administrative, physical, and technical
  information security controls
Prerequisite: None
Learning Level: Basic
Field of Study: Auditing
About the Instructor
Norm Kelson, CPA, CISA, CGEIT
Norm Kelson, founder of CPE Interactive, specializes in building and disseminating best
practices to assurance, risk, governance, and management stakeholders. With over 30
years of extensive experience in IT assurance and governance, he has served in a
variety of capacities as a consultant with a Big 4 firm and an internal audit boutique,
internal auditor executive, and industry advocate.
He is the author of over 30 IT Audit/Assurance Programs for ISACA, which are available
as a resource to its members, and a series of case studies to support ISACA's IT
Governance Using COBIT® and Val IT™: Student Book, 2nd Edition.
Norm was Managing Director of IT Audit and Technical Seminars for MIS Training
Institute. During his 12-year tenure he was responsible for the creation and curriculum
development of its global IT Audit training portfolio, focusing on best practices in
risk-based auditing.
He has held positions as: Director of IT Audit for the US Subsidiary of Royal Ahold (Stop
& Shop and Giant) and was a key member of the internal audit professional practices
and standards and the global information security committees; Vice President of
Internal Audit Services and National IT Audit Practice Director for CBIZ Harborview
Partners; managed KPMG’s New England Region IT Auditing practice, and held positions
in IT Audit management with Fannie Mae, CIGNA, and Loews Corporation. He began his
career as a financial auditor with Laventhol and Horwath.
Norm is an Adjunct Professor at Bentley University and a member of the Audit/AIS
Curriculum Committee.
He is a frequent speaker and subject matter expert at ISACA and Institute of Internal
Auditors (IIA) conferences, is a former Executive Vice President of the New England
ISACA Chapter and served on the Chapter’s Strategic Planning Committee.
Norm received a Bachelor of Science in Business Administration from Boston University
and an MBA from the University of Pennsylvania Wharton School. He is a Certified
Public Accountant, Certified Information Systems Auditor, and Certified in the
Governance of Enterprise Information Technology.
TRACK L-1
BRIEFING ON CURRENT TECHNOLOGY
(NORM KELSON, MONDAY)
7 CPEs
Seminar Focus and Features
As we introduce new information technologies or approaches, our risks change, and, in
many cases, have unintended consequences. This session focuses on four (4) key
issues in the audit world:
- Transfer of computing resources to a utility model
- Proliferation of smart mobile devices
- Sophisticated communications and a 24-hour news cycle magnifying organizational
  missteps and outright errors
- Social media as a communications monitoring vehicle
We will frame the risks, obtain an understanding of how these issues affect internal
audit, and promote discussion on how we can effectively incorporate these issues into
our audit universe.
You will discuss IT management’s top issues relating to:
- Cloud computing
- Mobile data assets
- Crisis management
- Social media
Prerequisite: None
Learning Level: Basic
Field of Study: Auditing
TRACK L-2
AUDITING THE DMZ
(KEN CUTLER, TUESDAY-WEDNESDAY)
15 CPEs
Seminar Focus and Features
Today’s Internet connections are typically shielded by a Demilitarized Zone (DMZ), a
critical security buffer between your organization’s internal network and the outside
world. Firewalls, intrusion detection/prevention systems, proxy servers, load balancers,
filtering routers, VLANs, and VPNs all play a major role in regulating and restricting
traffic flowing to and from the Internet. Failure to properly configure, maintain, and
monitor a secure and efficient DMZ increases the risk of your organization being
attacked by external intruders. This intensive seminar is designed to equip you to
better protect and audit your network's perimeter through a blend of practical,
up-to-the-minute knowledge transfer and audit case studies.
Note: This course does not cover web application security auditing in detail; that
topic is covered in How to Audit Modern Web Applications (IT02).
Prerequisite: Simplifying Audits of Network Security or equivalent training. Familiarity
with TCP/IP concepts and terminology is assumed.
Learning Level: Advanced
Field of Study: Auditing
REGISTRATION INFORMATION
Participation is limited so registration will be accepted on a first-come, first-served
basis. Pricing has been established to provide the maximum educational benefit for the
lowest cost. Therefore, we will not be offering discounts from the established prices for
early registration, membership affiliation or groups. Dress code for the conference is
business casual.
Morning refreshments will be provided from 7:30 – 8:30 AM, and general sessions will
be from 8:30 AM – 4:30 PM each day. Lunch will be provided daily with vegetarian
options.
Due to circumstances outside of our control, we may find it necessary to reschedule or
cancel sessions, or change instructors. We will give registrants advance notice of such
changes, if possible.
Payment and Cancellation Policy
Please note all times are stated in Eastern Standard Time (EST). All reservations must
be made online at www.isaca-det.org or www.detroitiia.org. Telephone, fax, and mail-in
registrations will not be accepted.
All payments must be received by midnight 2/24/15. Payments may be made at the
time of registration using Visa, MasterCard, Discover, or American Express, or check
payments may be mailed to the address listed below.
Cancellations may be made online until midnight on Tuesday 2/24/15 without penalty.
Any cancellation received after Tuesday midnight 2/24/15, and before Monday midnight
3/2/15 will be charged a non-refundable service fee based on the CPEs of the
registered course being cancelled. No refunds will be given for registrations that are
cancelled after midnight 3/2/15.
CPEs   Non-Refundable Service Fee
7      $25
15     $50
22     $75
Payments (payable to: IIA Detroit) should be mailed to the address below. Please do
not remit payment to the ISACA Detroit Chapter. Conference or registration questions
should be sent to [email protected].
IIA - ISACA Spring Conference
Geralyn Jarmoluk – Administrator
78850 McKay Rd
Romeo, MI 48065
Hotel Information
The spring conference committee has arranged for a discounted rate at the DoubleTree
Hotel Detroit/Dearborn. Register by 2/1/2015 and request the "IIA & ISACA Spring
Seminar Discount" to receive a rate of $108 per room per night. The DoubleTree Hotel is
located at 5801 Southfield Expressway, Detroit, MI 48228. Telephone: 1-313-336-3340.
TRACK INFORMATION
Track | Session | Dates | Fee
A-1 | Embezzlement: Techniques to Detect, Investigate, and Remediate Loss of Assets (7 CPEs) | 3/9 | $275
A-2 | Auditing for Fraud: Tools, Techniques, and Guidance (7 CPEs) | 3/10 | $275
A-3 | Auditing Ethics and Compliance Programs and Controls (7 CPEs) | 3/11 | $275
B-1 | Communicating for Results (7 CPEs) | 3/9 | $275
B-2 | Critical Thinking: Evaluating & Presenting Arguments (7 CPEs) | 3/10 | $275
B-3 | Mastering the Art of Facilitation (7 CPEs) | 3/11 | $275
C-1 | Report Writing (7 CPEs) | 3/9 | $275
C-2 | Risk-based Auditing and Reporting (15 CPEs) | 3/10-3/11 | $550
D | Forensic Analytics: Methods & Techniques for Financial Investigations (22 CPEs) | 3/9-3/11 | $825
E-1 | Project Management (22 CPEs) | 3/9-3/11 | $825
F | Auditing ERM (22 CPEs) | 3/9-3/11 | $825
G | Internal Audit University (22 CPEs) | 3/9-3/11 | $825
H | Auditing the Application System Development Process (22 CPEs) | 3/9-3/11 | $825
I-1 | Windows 7 Security and Audit (7 CPEs) | 3/9 | $275
I-2 | Cyber Security (15 CPEs) | 3/10-3/11 | $550
J-1 | Compliance With PCI (7 CPEs) | 3/9 | $275
J-2 | Planning an IT Security Strategy (15 CPEs) | 3/10-3/11 | $550
K-1 | Threat Modeling (7 CPEs) | 3/9 | $275
K-2 | Auditing Information Security Governance and Control (15 CPEs) | 3/10-3/11 | $550
L-1 | Briefing on Current Technology (7 CPEs) | 3/9 | $275
L-2 | Auditing the DMZ (15 CPEs) | 3/10-3/11 | $550
Conference Location
University of Michigan Dearborn - Fairlane Center North
19000 Hubbard
Dearborn MI 48126
(Park in rear lot – north end of complex)
From the West
Take I-94 East to Southfield (M-39) and exit north. Follow Southfield (North) to the
Michigan Ave. (U.S. 12) exit. Stay on the Southfield Service Drive to Hubbard Drive and
turn left. Follow Hubbard Drive and turn right into the southern entrance of the
UM-Dearborn/Fairlane Center (the marquee reads "The University of Michigan-Dearborn/
Fairlane Center"). Follow the entrance road to the back and turn left at the stop sign;
the North Building will be on your left-hand side. Parking is directly across from the
North Building.
From the East
Take I-94 West to Southfield (M-39) and exit north. Follow Southfield (North) to the
Michigan Ave. (U.S. 12) exit. Stay on the Southfield Service Drive to Hubbard Drive and
turn left. Follow Hubbard Drive and turn right into the southern entrance of the
UM-Dearborn/Fairlane Center (the marquee reads "The University of Michigan-Dearborn/
Fairlane Center"). Follow the entrance road to the back and turn left at the stop sign;
the North Building will be on your left-hand side. Parking is directly across from the
North Building.
From the South
Take Southfield (M-39) north to the Michigan Avenue exit. Stay on the Southfield Service
Drive to Hubbard Drive and turn left. Follow Hubbard Drive and turn right into the
southern entrance of the UM-Dearborn/Fairlane Center (the marquee reads "The University
of Michigan-Dearborn/Fairlane Center"). Follow the entrance road to the back and turn
left at the stop sign; the North Building will be on your left-hand side. Parking is
directly across from the North Building.
From the North
Take Southfield (M-39) south to the Ford Road exit. Stay on the Ford Road Service Drive
to Hubbard Drive and turn right. Follow Hubbard Drive and turn right into the southern
entrance of the UM-Dearborn/Fairlane Center (the marquee reads "The University of
Michigan-Dearborn/Fairlane Center"). Follow the entrance road to the back and turn left
at the stop sign; the North Building will be on your left-hand side. Parking is directly
across from the North Building.