16TH ANNUAL IIA AND ISACA SPRING CONFERENCE
MARCH 9-11, 2015
University of Michigan-Dearborn, Fairlane Center

Welcome

If you are responsible for your company's internal auditing, information systems security and integrity, accounting, finance, Sarbanes-Oxley compliance or other regulatory matters, or simply getting back to the basics, you will want to join us for the 16th annual Detroit Spring Conference.

The Detroit Chapters of the IIA and ISACA are proud to co-sponsor the annual Spring Conference. Each year, the conference committee spends a considerable amount of time planning a comprehensive series of course offerings for our members and guests. The 2015 event is no exception. A number of classes sell out each year, so register early. Don't miss this opportunity to network with your peers, enhance your skills, and learn about new products and services in the marketplace!

Our goal is to provide a world-class caliber training conference tailored to your needs. Class size and materials are limited. To be fair and equitable to all, we operate on a first-come, first-served basis and maintain a wait list for all sold-out courses. Therefore, registrants are required to attend the course(s) for which they registered unless they receive prior written approval from the Conference Chair. Registrants attending unauthorized classes will not be awarded CPE credits.

We look forward to seeing you at the Spring Conference.
- The 2015 Spring Conference Committee

RETURNING THIS YEAR - VENDOR EXPO!

We have invited many audit and assurance vendors to set up displays during the conference, giving you an opportunity to learn about products and partners that are in the marketplace, and their associated benefits for your organization.

A special thanks to our Platinum Sponsors, who continue to give generous support to this annual event!
Monday Lunch - Experis Finance
Tuesday Lunch - PwC
Wednesday Lunch - Accretive Solutions

Special Thanks to Our 2014 Vendors

Platinum Vendors: Accretive Solutions, Experis Finance, PwC
Gold Vendors: BDO, KPMG, Orion Solutions Group, Plante Moran, Resources Global Professionals, Thomson Reuters

2015 CONFERENCE PROGRAM (Monday March 9, Tuesday March 10, Wednesday March 11)

Track A (Paul Zikmund): Monday - Embezzlement: Techniques to Detect, Investigate, and Remediate Loss of Assets; Tuesday - Auditing for Fraud: Tools, Techniques, and Guidance; Wednesday - Auditing Ethics and Compliance Programs & Controls
Track B (Don Levonius): Monday - Communicating for Results; Tuesday - Critical Thinking: Evaluating & Presenting Arguments (Without Being Argumentative); Wednesday - Mastering the Art of Facilitation
Track C (Jim Roth): Monday - Report Writing; Tuesday-Wednesday - Risk-based Auditing and Reporting
Track D (Mark Nigrini): Monday-Wednesday - Forensic Analytics: Methods & Techniques for Financial Investigations
Track E (Kathleen Crawford): Monday-Wednesday - Project Management
Track F (Greg Duckert): Monday-Wednesday - Auditing ERM
Track G (Dr. Hernan Murdock): Monday-Wednesday - Internal Audit University
Track H (Tom Salzman): Monday-Wednesday - Auditing the Application System Development Process
Track I (John Tannahill): Monday - Windows 7 Security and Audit; Tuesday-Wednesday - Cyber Security
Tracks J, K and L (IT security sessions): Ken Cutler - Compliance with PCI (Monday), Auditing the DMZ; Jeff Kalwerisky - Planning an IT Security Strategy, Threat Modeling; Norm Kelson - Auditing Information Security Governance & Control, Briefing on Current Technology

TRACK A-1 EMBEZZLEMENT: TECHNIQUES TO DETECT, INVESTIGATE, AND REMEDIATE LOSS OF ASSETS (PAUL ZIKMUND, MONDAY)
7 CPEs

Seminar Focus and Features

Embezzlement is the act of wrongfully appropriating funds that have been entrusted into the care of another but which are owned by someone else. The most common example of embezzlement is by employees. Employee theft is also a significant problem for businesses, and both can drain a company of its assets, reduce employee morale and result in a disruption to business operations.
This session is designed to equip attendees with the skills and knowledge needed to deter, detect and respond to instances of employee embezzlement. Attendees will learn methods to investigate this fraud, including evidence management, report writing and guidance on proper remediation, including civil and criminal prosecution. Attendees will also learn methods to reduce the risk through proper controls, monitoring and programs designed to mitigate loss.

Prerequisite: None
Learning Level: Basic
Field of Study: Auditing

TRACK A-2 AUDITING FOR FRAUD: TOOLS, TECHNIQUES, AND GUIDANCE (PAUL ZIKMUND, TUESDAY)
7 CPEs

Seminar Focus and Features

The reliance upon auditors to detect red flags of fraud continues to increase. Guidance for internal and external auditors places more emphasis on professional skepticism, use of forensic procedures, and fraud detection techniques. Auditors are now faced with an increasing challenge to detect instances of fraud during the audit.

This course covers the practical side of detecting red flags of fraud during the audit. Attendees will learn the art of fraud detection through lecture, case studies and in-class breakout sessions designed to build the critical thinking skills needed to better detect red flags of fraud. Attendees are expected to develop an understanding of the following concepts: elements of fraud, why people commit fraud, fraud detection and deterrence, and elements of financial statement fraud and asset misappropriation schemes.

Topics will include:
- Designing audit programs to detect red flags of fraud
- Fraud detection and investigation tools and techniques
- Case studies to enhance critical thinking skills

Prerequisite: None
Learning Level: Basic
Field of Study: Auditing

TRACK A-3 AUDITING ETHICS AND COMPLIANCE PROGRAMS & CONTROLS (PAUL ZIKMUND, WEDNESDAY)
7 CPEs

Seminar Focus and Features

An organizational compliance program is an important mechanism to help improve effective governance.
Auditing and evaluating compliance programs and controls is critical to the success of any program, and is not performed only to keep the regulators happy. Compliance with regulatory requirements and the organization's own policies is a critical component of effective risk management. A well-designed and effectively administered compliance program helps organizations achieve business goals, maintain ethical health, support long-term prosperity, and preserve and promote organizational values. A well-designed internal audit plays an important role in evaluating the effectiveness and efficiency of the organization's compliance program.

In this session, attendees will learn the following:
1. Hallmarks of an effective compliance program
2. Auditing procedures for compliance programs
3. Communicating results to obtain best results
4. Determination of key compliance risks
5. Leveraging strategic partnerships to ensure success

Prerequisite: None
Learning Level: Basic
Field of Study: Auditing

About the Instructor

Paul E. Zikmund, CFE, CFFA, CFD

Paul E. Zikmund serves as Director, Global Ethics and Compliance, at Bunge in White Plains, NY. He is responsible for managing and conducting investigations of fraud and misconduct, implementing fraud detection techniques, administering the company's fraud risk assessment process, and managing anti-fraud programs and controls designed to reduce the risk of fraud within the company. Prior to joining Bunge, Paul worked as the Senior Director, Forensic Audit, responsible for developing, implementing, and administering fraud risk management services at Tyco and to clients in Princeton, NJ, and as the Director, Litigation Support Services, at Amper, Politziner, & Mattia, LLP, in Philadelphia, PA. He possesses nearly 20 years of experience in this field and has effectively managed global fraud and forensic teams at various Fortune 500 companies.
Paul, who is a Certified Fraud Examiner, Certified Fraud Deterrence Specialist, and Certified Forensic Financial Analyst, has designed and implemented programs to detect and investigate instances of fraud. Paul also conducts fraud risk assessments and fraud awareness training to help detect and deter fraud within organizations. His public and private sector experience includes the investigation of complex financial frauds, conducting forensic audit engagements, and providing litigation support for a variety of industries.

Before joining Amper, Paul was a Principal, Fraud and Forensic Services, at SolomonEdwardsGroup, LLC and a Senior Manager, Enterprise Risk Services, with Deloitte and Touche, LLP. Prior to that, he served in a variety of in-house fraud and forensic investigative roles with The Dow Chemical Company, Nortel Networks, and Union Carbide Corporation. He began his career as a Municipal Police Officer, and then a State Trooper and Special Agent with the Attorney General's Office for the Commonwealth of Pennsylvania.

Paul received a Bachelor of Science degree in the Administration of Justice and a Certificate of Accountancy from The University of Pittsburgh. He continued his education with a Master of Business Administration at the University of Connecticut and a Master of Accountancy at Auburn University. Paul has authored various articles relating to fraud detection, prevention, and investigation. He speaks regularly at seminars and conferences on the topic of fraud and also teaches a graduate-level fraud and forensic accounting course at Rider University in New Jersey and LaSalle University in Philadelphia.

TRACK B-1 COMMUNICATING FOR RESULTS (DON LEVONIUS, MONDAY)
7 CPEs

Seminar Focus and Features

According to research, communication is the number one competency sought by employers and a skill that separates leaders from losers. Average communicators experience miscommunication, misunderstanding, and missed opportunities.
But effective communicators are like thought leader E.F. Hutton: when they talk, people listen, and when people listen to a thought leader, results are inevitable. This course helps learners recognize and overcome complex communication issues and enhance their verbal and non-verbal communication skills.

By the end of this course, learners should be able to:
- Describe key elements, principles, and characteristics of communication
- Identify common root causes of personal and organizational miscommunication
- Recognize and compensate for factors that distort perception
- Convey information openly and listen and respond to others effectively
- Apply impromptu and persuasive communication techniques to influence others

Prerequisite: None
Learning Level: Basic
Field of Study: Auditing

TRACK B-2 CRITICAL THINKING: EVALUATING & PRESENTING ARGUMENTS (WITHOUT BEING ARGUMENTATIVE) (DON LEVONIUS, TUESDAY)
7 CPEs

Seminar Focus and Features

Critical thinking is NOT about being critical of others; it is an essential skill that enables professionals to analyze problems and evaluate evidence in order to find reasoned solutions and make logical recommendations that help others. This course helps participants learn to view and apply critical thinking as a process that will help them focus on facts while avoiding emotions, errors, opinions, and fallacies.
By the end of this course, learners should be able to:
- Differentiate between facts and opinions
- Recognize and avoid critical thinking errors and logical fallacies
- Identify underlying assumptions
- Evaluate evidence objectively
- Implement the critical thinking process in business situations

Prerequisite: None
Learning Level: Basic
Field of Study: Auditing

TRACK B-3 MASTERING THE ART OF FACILITATION (DON LEVONIUS, WEDNESDAY)
7 CPEs

Seminar Focus and Features

Whether your work requires you to facilitate meetings, strategy sessions, training classes or control self-assessment workshops, your success depends on your ability to master the facilitation skills used by professionals. Based on years of professional facilitation experience, this course shares some of the lesser-known "tricks of the trade" that will help even the most experienced facilitators get better results, from the classroom to the boardroom.

By the end of this course, learners should be able to:
- Describe essential elements of a conducive training or meeting environment
- Differentiate between informing and facilitating
- Explain why asking and listening is more constructive than telling
- Apply proven facilitation techniques to engage participants
- Demonstrate effective ways to manage disruptive behaviors

Prerequisite: None
Learning Level: Basic
Field of Study: Auditing

About the Instructor

Don Levonius

Don Levonius, M.A., Principal Consultant, Victory Performance Consulting, is a professional consultant, trainer, and national public speaker. Don draws on over 15 years of leadership experience, during which time he managed loss prevention and fraud investigations for two department store chains, five distribution centers, and two Disney theme parks, and led learning and development for 23 Disney hotels, 200 retail and dining locations, a large transportation system, a security division, an international college program, and a global internal audit association.
Don also taught organizational communication and security for the University of Central Florida and Lake-Sumter State College. He holds a master's degree in business and organizational security management and a second master's degree in human resource development.

Early in his 13-year Disney career, Don directed loss prevention and fraud investigations for Disney's Magic Kingdom and Animal Kingdom theme parks. Following the 9/11 terrorist attacks, Don was asked to transform Disney security training to help the company combat the emerging threat of terrorism. Having succeeded in that role, Don was later promoted to lead operations and guest service training for all 23 Walt Disney World hotels, 200 retail and dining locations, monorails, watercraft, and buses. He subsequently became a senior leader of Disney University, the company's corporate university, overseeing education for its college and international programs.

Don was later hired by The Institute of Internal Auditors (IIA) to manage the design and development of internal audit related training, and was soon promoted to direct the delivery of over 200 seminars offered throughout the US annually. Today, Don is Principal Consultant with Victory Performance Consulting, which has been providing management consulting and training to business, law enforcement, and association management clients since 2009.

TRACK C-1 REPORT WRITING (JIM ROTH, MONDAY)
7 CPEs

Seminar Focus and Features

Learn a process that can improve your writing and cut your writing time in half. This session focuses on unlearning bad habits, and provides an opportunity to practice your report writing skills with hands-on exercises. It also discusses why writing is hard, barriers you can remove, and how to distinguish quality writing from personal style in audit report writing.

During this session you will learn:
- How to develop effective findings and recommendations using the five attribute approach and participative reporting
- How to make good writing easy using the "smart" writing process
- The three steps in the "smart" writing process and why keeping them separate is key to success
- How to prepare an outline so simple and helpful you'll want to use it
- How to use the paragraph model to cut your writing time in half
- How to focus your writing on your most important readers
- How to plan, organize, and write audit comments without editing, using hands-on exercises

This session also discusses:
- Trends and innovations in audit reports: trends and new approaches in alternate rating systems; techniques to give credit where credit is due; management action plan only
- Self-editing: how to read what you wrote, not what you think you wrote; getting the fog out (short sentences, simple words); the four-step approach to powerful self-editing

Prerequisite: None
Learning Level: Basic
Field of Study: Auditing

TRACK C-2 RISK-BASED AUDITING AND REPORTING (JIM ROTH, TUESDAY-WEDNESDAY)
15 CPEs

Seminar Focus and Features

This session focuses on understanding an audit process used increasingly by world-class audit departments, practicing the key skills used in this process, and employing proven evaluation tools. This two-day session will cover an introduction to the COSO challenge (how to evaluate soft controls) and participative auditing (get your customer on the audit team).

Topics will include:
- Tools for Evaluating Soft Controls: evaluating the corporate culture
- A Better Audit Process: risk-based, participative, high-payback focus on evaluation of system design:
  - Phase I - Planning: planning steps for a participative audit, identifying and assessing risk, characteristics of well-defined audit objectives
  - Phase II - Evaluate the Adequacy of System Design: emerging internal control concepts and evaluating design, teaching your audit customer the risk assessment process, documenting internal controls
  - Phase III - Evaluate the Effectiveness of Key Controls: fieldwork purpose and methods, tools for evaluating effectiveness of soft controls, a risk and control matrix for evaluating the control environment
  - Phases I-III - Identify Opportunities for Improvement: five attribute approach, how to get buy-in, developing and reporting opportunities for improvement
  - Phase IV - Reporting: audit reports and criteria for risk-rated audit issues

Prerequisite: None
Learning Level: Intermediate
Field of Study: Auditing

About the Instructor

James Roth, PhD, CIA, CCSA, CRMA

James Roth, PhD, CIA, CCSA, CRMA, has three decades of progressive internal audit and teaching experience. After twelve years as a practitioner, Jim formed AuditTrends in 1993. Since then, Jim has focused on best practices in internal audit. His extensive research has led to seven books and seven other major IIA publications, as well as eight AuditTrends seminars and numerous articles and speeches. Jim is the 2008 recipient of the IIA's Bradford Cadmus Memorial Award, which honors "individuals making the greatest contribution to the advancement of the internal audit profession."

Jim is one of the most highly rated speakers on internal audit, risk management, internal control, and corporate governance. He has presented papers at 11 of the last 16 IIA International Conferences, as well as regional and national conferences throughout North America and Asia. Jim's expertise is not limited to emerging best practices. There is no better developer or presenter of basic audit skills training on the market today.

TRACK D FORENSIC ANALYTICS: METHODS & TECHNIQUES FOR FINANCIAL INVESTIGATIONS (MARK NIGRINI, MONDAY-WEDNESDAY)
22 CPEs

Seminar Focus and Features

This three-day workshop is a rare opportunity for an intensive, real-world, state-of-the-art experience with a recognized expert in the forensic analytics field.
This session will review many of the topics covered in Forensic Analytics by Mark Nigrini, and draws much of its material from the Master's-level Fraud Data Analysis class that he teaches at West Virginia University.

On the first day, Nigrini will review the cycle of tests that begins with high-level overview tests designed to identify large errors and to give the analyst a better understanding of the data. The next set of tests is based on Benford's Law, where the goal is to evaluate the reasonableness of the data from a risk perspective and to identify abnormal duplications of leading and ending digits. This is followed by a series of drill-down tests that identify small samples of transactions that are at high risk of being fraudulent, erroneous, inefficient, or biased in some way or other. The lecture will also cover the risk scoring of forensic units, a technique designed to score transactions, employees, vendors, franchisees, and others based on their fraud likelihood.

The second day will be hands-on time (using your data analysis software of choice, such as Excel, Access, or IDEA) where you will be given an analytics task accompanied by the workbook, which includes step-by-step screenshots to guide you to the correct solution.

On the third day, the analytics tasks will more closely resemble a real-world project or assignment without step-by-step guidance. The day will begin with a lecture on attributes of fraudulent numbers that make them different from authentic numbers. The remainder of the day will be spent analyzing the data of major fraud cases involving property tax refunds and employee purchasing card transactions. Attendees will be given requirements without step-by-step guidance. The requirements will be solvable using the techniques learned during the previous two days. No prior forensic or analytics experience will be assumed.
Attendees do need to be familiar with the basics of data analysis, such as importing data, the functions of Excel, and preparing graphs or tables from the results of calculations or queries. Bring your laptops; attendees can also work in teams and share laptops, if needed.

Prerequisite: None
Learning Level: Basic
Field of Study: Auditing

About the Instructor

Mark J. Nigrini, PhD

Mark J. Nigrini, PhD, recently joined the faculty of the College of Business & Economics at West Virginia University. The accounting department has a forensic accounting program and also has the only Ph.D. program in forensic accounting in the United States. Benford's Law has been his research passion since his time as a Ph.D. student. Frank Benford, a physicist in the 1930s, discovered that there were predictable patterns to the digits in lists of numbers. His research showed that the smaller digits (1s, 2s, and 3s) were expected to occur more often in scientific and financial data. Until 30 years ago Benford's Law was a rather well-kept secret. Since then the phenomenon has proved itself to be valuable to more and more people (mainly auditors in their quest to uncover fraud in corporate data). Nigrini's current research addresses advanced theoretical work on Benford's Law, applications of forensic analytics to areas such as the detection of Ponzi schemes, and the legal framework of fraud convictions.

Nigrini is the author of Forensic Analytics (Wiley, 2011), which describes analytic tests to detect fraud, errors, estimates, and biases in financial data. He is also the author of Benford's Law (Wiley, 2012), which is the seminal work on applications of Benford's Law. His next book, The Employee Fraud Pandemic, will be published in 2015.
His work has been featured in national media including The Financial Times, The New York Times, and The Wall Street Journal, and he has published papers on Benford's Law in accounting academic journals, scientific journals, and pure mathematics journals, as well as professional publications such as Internal Auditor and Journal of Accountancy. His radio interviews have included the BBC in London and NPR in the United States. His television interviews have included an appearance on NBC's Extra and an interview on a fraud saga involving twins for the Investigation Discovery Channel. He regularly presents professional seminars for accountants and auditors in the U.S., Canada, Europe, and Asia, with recent events in Singapore, Malaysia, and Switzerland and a forthcoming event in Bahrain.

TRACK E PROJECT MANAGEMENT (KATHLEEN CRAWFORD, MONDAY-WEDNESDAY)
22 CPEs

Seminar Focus and Features

An audit is simply a project, yet few auditors take advantage of techniques used by project managers to complete their projects on time and on budget. In three intensive days you will learn the basics of project management, including how you can achieve improved cost control, resource utilization, and more timely audit conclusions. You will then apply these techniques to improving productivity in the internal audit process. Using audit-specific examples, you will learn project planning, scheduling, control, and decision support concepts and methodologies: the basics of project management.

Prerequisite: Fundamentals of Internal Auditing or equivalent experience.
Learning Level: Intermediate
Field of Study: Auditing

About the Instructor

Kathleen Crawford

Kathleen Crawford is a Senior Consultant for MIS Training Institute, and President of Crawford Consulting and Communications, LLC, a firm specializing in assurance, investigative, and advisory projects for small firms without an internal audit function. Previously, Ms. Crawford was an Internal Auditor for Vinfen Corporation, where her responsibilities included assisting management in standardizing operations, developing policies and procedures, and improving processes. In addition, she investigated all suspected financial crimes, collecting evidence to ensure successful prosecution and recovery of company and client assets. Ms. Crawford trained other investigators in a methodology for detecting and documenting fraud that met the unique compliance requirements of the MA Department of Health and Human Services. She began her career as a bank auditor, first with Bank of New England, then Eastern Bank, and State Street Bank. Her responsibilities in these institutions included internal audits and fraud investigations.

A member of The Institute of Internal Auditors, Ms. Crawford is a past President of the Greater Boston Chapter of The IIA. She is also a member of the Association of Certified Fraud Examiners and the American Society for Training and Development. Ms. Crawford serves as Treasurer of the Board of Trustees of the Foxborough Regional Charter School and its foundation, Friends of FRCS.

TRACK F AUDITING ERM (GREG DUCKERT, MONDAY-WEDNESDAY)
22 CPEs

Seminar Focus and Features

With the advent of corporate governance strategies that must embrace the entire organization, enterprise-wide risk has taken on critical dimensions of importance. In addition, the SEC and PCAOB have concluded that the key to effective compliance is a "top-down, risk-based approach." When properly defined and implemented, ERM provides the ideal baseline for this process. In this intensive three-day seminar you will cover alternative methods, structures and tools that can be used for establishing an ERM. You will learn how to define which aspects need to be audited and how to audit them, gain an understanding of the key qualities that an ERM should possess, and discover why they are critical.
You will explore the integration of controls and business risk and find out how an oversight tool can be created that can be owned by operations and that will yield real business returns. On the last day of this seminar you will work through a case study that will allow you to put into use what you learned as you are challenged to determine the most appropriate audit tools, techniques, and process for evaluating an ERM situation. You and your colleagues will design the audit process and apply it to your report on the issues of merit. You will leave this session with a solid understanding of how a well-structured ERM process should operate, what is critical to its success or failure, and how to audit it to determine its efficacy.

Prerequisite: Risk School, or equivalent risk assessment experience.
Learning Level: Intermediate
Field of Study: Auditing

About the Instructor

Greg Duckert, CIA, CISA, CMA, CPA

Greg Duckert is CEO of Audit, Inc., a consulting firm specializing in risk assessment models, operational analysis, and audit process methodologies designed to maximize returns to the organization. Mr. Duckert is also a Senior Consultant for MIS Training Institute and has over 30 years of national and international experience as an Internal/IS Audit Director. Mr. Duckert has held Audit Director positions in the manufacturing, construction and healthcare industries, assuming responsibilities for financial, operational, and information systems auditing functions. His information systems expertise includes application audits, software acquisition, systems development, controls, security design, adequacy and implementation, and systems operational efficiencies. He has performed consulting services in IS, financial, and operational audits, as well as in business acquisitions and start-ups.

TRACK G INTERNAL AUDIT UNIVERSITY (DR. HERNAN MURDOCK, MONDAY-WEDNESDAY)
22 CPEs

Seminar Focus and Features

In this intensive three-day seminar you will master fundamental operational auditing techniques and learn how to use a risk-based approach to enhance your audits of the Purchasing, Marketing, Human Resources, Information Technology (IT), Management, Finance / Treasury, and Accounting functions. You will explore the objectives of major business operation areas and learn how to identify the key risks threatening them. You will find out how to make your audits more efficient and effective and how to use data analytics to gain an in-depth understanding of business processes. You will cover critical areas such as the impact of SOX, ERM, and GRC on the organization, uncovering fraud schemes that threaten business operations, and the role of IA in helping management build strong risk management and strategic planning processes. You will leave this high-impact seminar with the skills necessary to go beyond outputs and to examine the organization's ability to achieve the necessary outcomes.

Prerequisite: None
Learning Level: Basic
Field of Study: Auditing

About the Instructor

Dr. Hernan Murdock, CIA, CRMA

Dr. Hernan Murdock is a Senior Consultant with MIS Training Institute. Prior to MIS, he was the Director of Training at Control Solutions International, where he oversaw the company's training and employee development program. Previously, he was a Senior Project Manager leading audit and consulting projects for clients in the manufacturing, transportation, high-tech, education, insurance, and power generation industries. He authored the books 10 Key Techniques to Improve Team Productivity and Using Surveys in Internal Auditing, and articles on whistleblowing programs, international auditing, mentoring programs, fraud, deception, corporate social responsibility, and behavioral profiling.
TRACK H AUDITING THE APPLICATION SYSTEM DEVELOPMENT PROCESS (TOM SALZMAN, MONDAY-WEDNESDAY)
21 CPEs

Seminar Focus and Features

In this three-day seminar you will explore proven audit strategies that will enable you to efficiently audit and evaluate application systems development in a variety of technical environments. You will review common application development risks, how to overcome them, and what you must do to meet the new internal control and documentation requirements of SOX. You will drill down to the unique risks associated with purchased, in-house, and web-based applications and learn what you can do to minimize them. You will cover RAD, implementation and control change, design specifications, testing, project management, and application software inventory control. You will receive audit programs, questionnaires, and sample audit findings you can put to use immediately.

Prerequisite: IT Auditing and Controls, IT Audit School, or equivalent experience.
Learning Level: Intermediate
Field of Study: Auditing

About the Instructor

Thomas Salzman, CISA

Thomas Salzman, CISA, is IS Audit Manager for Illinois State University. Previously, Mr. Salzman was Director of Professional Services for ISACA. He also served as editor and co-author of the ISACA CISA Review Manual. Prior to joining ISACA, Mr. Salzman was with Coopers & Lybrand, heading their Technical Training and Information Security practices.

TRACK I-1 WINDOWS 7 SECURITY AND AUDIT (JOHN TANNAHILL, MONDAY)
7 CPEs

Seminar Focus and Features

This seminar will focus on the security and control issues related to the Windows 7 operating system and related technology and infrastructure components. It will provide an understanding of key Windows 7 security components as well as an understanding of key Windows 7 security risks.
The key features of this session include: Windows 7 Operating System Concepts Operating System Overview Key Differences from Windows 7; Windows XP Versions Windows 8 Security Overview Service Packs and Patch Levels Windows 7 Security Overview Local Security Policy User Accounts and Passwords Windows Defender User Access Control Security Event Logs Encryption Bitlocker Applocker Understanding Enterprise Components and Infrastructure Windows 2008/2012 Server security Key Active Directory security areas for Member Workstations Client Security Baselines Network Access Protection Remote Desktop Understanding Windows Firewall and advanced security features Securing Windows 7 operating system environment using security baselines Top 10 Windows 7 Security Risks: Case study to identify risks and develop control strategy Security Tools & Techniques: Demonstrations of Security Tools and Resource Sites and Information Prerequisite: None Learning Level: Basic Field of Study: Auditing 21 TRACK I-2 CYBER SECURITY (JOHN TANNAHILL, TUESDAY-WEDNESDAY) 15 CPEs Seminar Focus and Features This course will focus on the risk and control issues related to cyber security and emerging information security and technology. Key Learning Objectives include: Understanding cyber security risk and control issues: Key concepts and relationship to business organizations Cybercrime (Crime and Espionage) Cyber warfare and cyber terrorism (Nation to Nation attacks) Understanding emerging risk areas: Overview of Threat Landscape Malware: Eurograbber; Flame; Stuxnet; Command & Control; Botnets; Denial of Service; Fraud Other Malware Discussion of security and audit tools and techniques: Questions auditors should ask in relation to how the organization should protect IT infrastructure and corporate information from cyber security threats. 
Risk and Control Areas and Key Control Requirements:
    Malware Management and Application Whitelisting
    Incident Management
    Security Awareness
    Cyber Security and Cyber-warfare
    Advanced Persistent Threats (APT)
    Malware

Prerequisite: None
Learning Level: Intermediate
Field of Study: Auditing

About the Instructor
John Tannahill, CA, CISM, CGEIT, CRISC

John Tannahill, CA, CISM, CGEIT, CRISC, is a management consultant specializing in information security and audit services. His current focus is on information security management and control in large information systems environments and networks. His specific areas of technical expertise include UNIX and Windows operating system security, network security, and Oracle and Microsoft SQL Server security. John is a frequent speaker in Canada, Europe and the US on the subject of information security and audit. John is a member of the Toronto ISACA Chapter and has spoken at many ISACA conferences and chapter events, including ISACA Training Weeks; North America CACS; EuroCACS; Asia-Pacific CACS; and International Network and Information Security Conferences. He is the 2008 recipient of the ISACA John Kuyer Best Speaker/Best Conference Contributor Award.

TRACK J-1
COMPLIANCE WITH PCI (KEN CUTLER, MONDAY)
7 CPEs

Seminar Focus and Features

The Payment Card Industry Data Security Standard (PCI DSS) is designed to protect credit card information wherever and whenever it is processed, stored, or transmitted, and to ensure that members, merchants, and service providers maintain the highest security standards. Meeting the twelve (12) requirements of this evolving standard can be a daunting challenge, and non-compliance can result in costly fines, loss of valuable retail customers, and continued vulnerability to serious payment card data attacks. In this practical seminar, you will gain solid familiarity with the current PCI DSS and recent significant changes, and get proven tips on how best to overcome compliance challenges.
You will examine a summary of the compliance requirements and cover practical solutions, potential risks, and common pitfalls. Highlights of the security controls necessary to satisfy PCI DSS requirements will be presented using a practical, commonsense methodology that emphasizes a top-down, structured implementation approach to day-to-day business operations.

Prerequisite: How to Perform an IT General Controls Review or equivalent training. A basic understanding of IT audit controls and terminology is assumed.
Learning Level: Intermediate
Field of Study: Auditing

About the Instructor
Ken Cutler, CISSP, CISA, CISM

Ken Cutler is a Senior Teaching Fellow with CPEi, specializing in technical audits of IT security and related IT controls. He is the President and Principal Consultant for Ken Cutler & Associates (KCA) InfoSec Assurance, an independent consulting firm delivering a wide array of information security and IT audit management and technical professional services. He is also the Director of Q/ISP (Qualified Information Security Professional) programs for Security University. An internationally recognized consultant and trainer in the information security and IT audit fields, he is certified in, and has conducted courses for, Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) and CompTIA Security+. In cooperation with Security University, he recently was featured in two full-length training videos on CISSP and Security+. Ken was formerly Vice-President of Information Security for MIS Training Institute (MISTI), and Chief Information Officer of Moore McCormack Resources, a Fortune 500 company. He also directed company-wide IS programs for American Express Travel Related Services, Martin Marietta Data Systems, and Midlantic Banks, Inc.
Ken has been a long-time active participant in international government and industry security standards initiatives, including:
    The President's Commission on Critical Infrastructure Protection
    Generally Accepted System Security Principles (GSSP)
    Information Technology Security Evaluation Criteria (ITSEC)
    US Federal Criteria
    Department of Defense (DOD) Information Assurance Certification Initiative

He is a prolific author on information security topics. His publications include:
    Commercial International Security Requirements (CISR), a commercial alternative to military security standards for system security design criteria
    NIST SP 800-41, "Guidelines on Firewalls and Firewall Policy", of which he was co-author
    Various works on security architecture, disaster recovery planning, wireless security, vulnerability testing, firewalls, single sign-on, and the Payment Card Industry Data Security Standard (PCI DSS)

He has been frequently quoted in popular trade publications, including Computerworld, Information Security Magazine, Infoworld, InformationWeek, CIO Bulletin, and Healthcare Information Security Newsletter, and has been interviewed on the radio programs My Technology Lawyer and Talk America. Ken received a Bachelor of Science degree in Business Administration and Computer Science from SUNY Empire State College.

TRACK J-2
PLANNING AN IT SECURITY STRATEGY (JEFF KALWERISKY, TUESDAY-WEDNESDAY)
15 CPEs

Seminar Focus and Features

Historically, IT security was focused on physical security, preventing malware, and defending against the onslaught of spam. External security focused on firewalls and intrusion detection/prevention devices at the network level. The threat has metamorphosed into criminal attacks on the enterprise's primary assets: its sensitive business information and its operations.
In response to numerous cases of enterprises losing sensitive or proprietary information (customers' or patients' personal details, credit card numbers, social security numbers, medical histories, and more), the burden of privacy laws and regulations has also mushroomed, creating major compliance issues for the IT security function. The focus has changed from network protection at the least possible cost to the "WSJ Test": no corporate executive wants to be on the front page of a major newspaper associated with yet another data breach or a significant operational disruption. IT security is now on the literal front line in the never-ending struggle to prevent data leakage and operational disruption.

We will discuss:
    The real and present threats to the enterprise, with actual case studies
    What information is actually sensitive
    Why it is so difficult to know where that information is located
    The major areas to be included in a best-of-breed security strategy
    How data loss prevention has moved to the front of the bus
    Information security strategy in a federated world
    Effective metrics to manage IT security and communicate with business management
    Making IT security a valued and proactive partner in the business

Prerequisites: Understanding of risk management processes and basic information security concepts
Learning Level: Intermediate
Field of Study: Auditing

About the Instructor
Jeff Kalwerisky, CA, CISA

Jeff Kalwerisky, Vice President and Director, Information Security and Technical Training at CPE Interactive, has specialized in information security, information risk management and IT auditing for over 20 years. He currently focuses on information risk, IT security governance and frameworks, and secure software development. He has held executive positions in information security and risk management with the consulting firms Accenture and Booz Allen Hamilton.
In both of these capacities, he has consulted with Fortune 100 companies and national governments, assisting in their development and deployment of enterprise security governance policies and frameworks, and technology solutions that strengthen information security and data privacy/protection. He served as infrastructure security architect on the world's largest electronic health project on behalf of the British Government's National Health Service, the world's largest electronic medical records deployment project, where he developed security governance to oversee 1,500 software architects and developers. As manager of global security for VeriSign, he was responsible for ensuring that affiliate companies in 30 countries adhered to VeriSign's military-grade security standards appropriate to a global certification authority, which he helped to design and deploy. Jeff was a partner with a major audit firm in South Africa and a consultant with PricewaterhouseCoopers. He has published security and audit guides, and has developed training courses throughout the USA and internationally on a wide range of technical topics focusing on Windows security, secure e-commerce, IT auditing, cryptography and biometric security. Jeff is originally from South Africa, where he received a Bachelor of Science in Physics and Math, a Master of Science in Computer Science from the University of Witwatersrand, Johannesburg, and a Master's in Finance and Auditing from the University of South Africa, Pretoria. He is a Chartered Accountant (South Africa) and Certified Information Systems Auditor.

TRACK K-1
THREAT MODELING (JEFF KALWERISKY, MONDAY)
7 CPEs

Seminar Focus and Features

Threat modeling is a methodology for documenting potential risks and vulnerabilities in information systems (applications, networks, etc.).
It allows auditors and information security specialists to focus on, and document, specific classes of threats and control weaknesses together with relevant remediation or compensating controls. Using a standard form of data flow diagrams (DFDs), anything from parts of applications to entire systems can easily be documented in a standard format that can be understood by developers, auditors, information security specialists, and management. All of this information can be stored in a database which forms an electronic trail, over the entire lifecycle (SDLC) of the application or system, of the vulnerabilities and control weaknesses inherent in the system and the corresponding resolution or corrective action. Review of the database records can then be mapped to continuous monitoring and continuous auditing processes.

We will discuss:
    The major classes of threats, known by the acronym STRIDE
    Building threat surfaces for applications and systems, in production or in development
    Data flow diagrams (DFDs) for documenting threat surfaces
    Building a threat model: hands-on case studies
    Creating a database of the threat surface for the life of the application/system

Prerequisite: A basic understanding of information security, IT controls, and flowcharting techniques.
Learning Level: Intermediate
Field of Study: Auditing

TRACK K-2
AUDITING INFORMATION SECURITY GOVERNANCE AND CONTROL (NORM KELSON, TUESDAY-WEDNESDAY)
15 CPEs

Seminar Focus and Features

Many important IT controls are related to the protection of valuable information assets and increasingly demanding regulatory compliance requirements. In this highly practical workshop, you will cover the essential background information, resources, tools, and techniques necessary to plan and launch a wide range of hard-hitting, cost-effective information security audits that should be performed by internal and external auditors, information security professionals, and IT staff.
You will explore not only management and administrative controls, but also the fundamentals of important logical security controls for protecting valuable information assets and associated IT resources. You will receive a variety of invaluable checklists, matrices, and other worksheet tools.

In this seminar, we will discuss:
    Major risks to information security
    Compliance targets
    Information security scope and components
    Tools and techniques for assessing administrative, physical, and technical information security controls

Prerequisite: None
Learning Level: Basic
Field of Study: Auditing

About the Instructor
Norm Kelson, CPA, CISA, CGEIT

Norm Kelson, founder of CPE Interactive, specializes in building and disseminating best practices to assurance, risk, governance, and management stakeholders. With over 30 years of extensive experience in IT assurance and governance, he has served in a variety of capacities as a consultant with a Big 4 firm and an internal audit boutique, as an internal audit executive, and as an industry advocate. He is the author of over 30 IT Audit/Assurance Programs for ISACA, which are available as a resource to its members, and of a series of case studies to support ISACA's IT Governance Using COBIT® and Val IT™: Student Book, 2nd Edition. Norm was Managing Director of IT Audit and Technical Seminars for MIS Training Institute. During his 12-year tenure he was responsible for the creation and curriculum development of its global IT Audit training portfolio focusing on best practices in risk-based auditing.
He has held positions as Director of IT Audit for the US subsidiary of Royal Ahold (Stop & Shop and Giant), where he was a key member of the internal audit professional practices and standards and the global information security committees; Vice President of Internal Audit Services and National IT Audit Practice Director for CBIZ Harborview Partners; manager of KPMG's New England Region IT Auditing practice; and IT Audit management positions with Fannie Mae, CIGNA, and Loews Corporation. He began his career as a financial auditor with Laventhol and Horwath. Norm is an Adjunct Professor at Bentley University and a member of the Audit/AIS Curriculum Committee. He is a frequent speaker and subject matter expert at ISACA and Institute of Internal Auditors (IIA) conferences, is a former Executive Vice President of the New England ISACA Chapter, and served on the Chapter's Strategic Planning Committee. Norm received a Bachelor of Science in Business Administration from Boston University and an MBA from the University of Pennsylvania Wharton School. He is a Certified Public Accountant, Certified Information Systems Auditor, and Certified in the Governance of Enterprise Information Technology.

TRACK L-1
BRIEFING ON CURRENT TECHNOLOGY (NORM KELSON, MONDAY)
7 CPEs

Seminar Focus and Features

As we introduce new information technologies or approaches, our risks change and, in many cases, have unintended consequences. This session focuses on four (4) key issues in the audit world:
    Transfer of computing resources to a utility model
    Proliferation of smart mobile devices
    Sophisticated communications and a 24-hour news cycle magnifying organizational missteps and outright errors
    Social media as a communications monitoring vehicle

We will frame the risks, obtain an understanding of how these issues affect internal audit, and promote discussion on how we can effectively incorporate these issues into our audit universe.
You will discuss IT management's top issues relating to:
    Cloud computing
    Mobile data assets
    Crisis management
    Social media

Prerequisite: None
Learning Level: Basic
Field of Study: Auditing

TRACK L-2
AUDITING THE DMZ (KEN CUTLER, TUESDAY-WEDNESDAY)
15 CPEs

Seminar Focus and Features

Today's Internet connections are typically shielded by a demilitarized zone (DMZ), a critical security buffer between your organization's internal network and the outside world. Firewalls, intrusion detection/prevention systems, proxy servers, load balancers, filtering routers, VLANs, and VPNs all play a major role in regulating and restricting traffic flowing to and from the Internet. Failure to properly configure, maintain, and monitor a secure and efficient DMZ increases the risk of your organization being attacked by external intruders. This intensive seminar is designed to equip you to better protect and audit your network's perimeter through a blend of practical, up-to-the-minute knowledge transfer and audit case studies.

Note: This course does not cover the details of web application security audits, which are covered in How to Audit Modern Web Applications (IT02).

Prerequisite: Simplifying Audits of Network Security or equivalent training. Familiarity with TCP/IP concepts and terminology is assumed.
Learning Level: Advanced
Field of Study: Auditing

REGISTRATION INFORMATION

Participation is limited, so registration will be accepted on a first-come, first-served basis. Pricing has been established to provide the maximum educational benefit for the lowest cost. Therefore, we will not be offering discounts from the established prices for early registration, membership affiliation or groups. Dress code for the conference is business casual. Morning refreshments will be provided from 7:30 to 8:30 AM, and general sessions will be from 8:30 AM to 4:30 PM each day. Lunch will be provided daily with vegetarian options.
Due to circumstances outside of our control, we may find it necessary to reschedule or cancel sessions, or change instructors. We will give registrants advance notice of such changes, if possible.

Payment and Cancellation Policy

Please note all times are stated in Eastern Standard Time (EST). All reservations must be made online at www.isaca-det.org or www.detroitiia.org. Telephone, fax, and mail-in registrations will not be accepted. All payments must be received by midnight 2/24/15. Payments may be made at the time of registration using Visa, MasterCard, Discover, or American Express, or check payments may be mailed to the address listed below. Cancellations may be made online until midnight on Tuesday 2/24/15 without penalty. Any cancellation received after midnight Tuesday 2/24/15 and before midnight Monday 3/2/15 will be charged a non-refundable service fee based on the CPEs of the registered course being cancelled. No refunds will be given for registrations that are cancelled after midnight 3/2/15.

CPEs    Non-Refundable Service Fee
7       $25
15      $50
22      $75

Payments (payable to: IIA Detroit) should be mailed to the address below. Please do not remit payment to the ISACA Detroit Chapter. Conference or registration questions should be sent to [email protected].

IIA - ISACA Spring Conference
Geralyn Jarmoluk, Administrator
78850 McKay Rd
Romeo, MI 48065

Hotel Information

The spring conference committee has arranged for a discounted rate at the DoubleTree Hotel Detroit/Dearborn. Register by 2/1/2015 and request the "IIA & ISACA Spring Seminar Discount" to receive a rate of $108 per room per night. The DoubleTree Hotel is located at 5801 Southfield Expressway, Detroit, MI 48228. Telephone: 1-313-336-3340.
TRACK INFORMATION

Track   Session                                                                                    Dates       Fee
A-1     Embezzlement: Techniques to Detect, Investigate, and Remediate Loss of Assets (7 CPEs)     3/9         $275
A-2     Auditing for Fraud: Tools, Techniques, and Guidance (7 CPEs)                               3/10        $275
A-3     Auditing Ethics and Compliance Programs and Controls (7 CPEs)                              3/11        $275
B-1     Communicating for Results (7 CPEs)                                                         3/9         $275
B-2     Critical Thinking: Evaluating & Presenting Arguments (7 CPEs)                              3/10        $275
B-3     Mastering the Art of Facilitation (7 CPEs)                                                 3/11        $275
C-1     Report Writing (7 CPEs)                                                                    3/9         $275
C-2     Risk-based Auditing and Reporting (15 CPEs)                                                3/10-3/11   $550
D       Forensic Analytics: Methods & Techniques for Financial Investigations (22 CPEs)            3/9-3/11    $825
E-1     Project Management (22 CPEs)                                                               3/9-3/11    $825
F       Auditing ERM (22 CPEs)                                                                     3/9-3/11    $825
G       Internal Audit University (22 CPEs)                                                        3/9-3/11    $825
H       Auditing the Application System Development Process (22 CPEs)                             3/9-3/11    $825
I-1     Windows 7 Security and Audit (7 CPEs)                                                      3/9         $275
I-2     Cyber Security (15 CPEs)                                                                   3/10-3/11   $550
J-1     Compliance With PCI (7 CPEs)                                                               3/9         $275
J-2     Planning an IT Security Strategy (15 CPEs)                                                 3/10-3/11   $550
K-1     Threat Modeling (7 CPEs)                                                                   3/9         $275
K-2     Auditing Information Security Governance and Control (15 CPEs)                             3/10-3/11   $550
L-1     Briefing on Current Technology (7 CPEs)                                                    3/9         $275
L-2     Auditing the DMZ (15 CPEs)                                                                 3/10-3/11   $550

Conference Location

University of Michigan Dearborn - Fairlane Center North
19000 Hubbard
Dearborn MI 48126
(Park in rear lot, north end of complex)

From the West
Take I-94 East to Southfield (M-39) and exit north. Follow Southfield (North) to the Michigan Ave. (U.S. 12) exit. Stay on the Southfield Service Drive to Hubbard Drive and turn left. Follow Hubbard Drive and turn right into the southern entrance of the UM-Dearborn/Fairlane Center (the marquee will read: The University of Michigan-Dearborn/Fairlane Center). Follow the entrance road to the back and turn left at the stop sign; the North Building will be located on your left-hand side.
Parking is directly across from the North Building.

From the East
Take I-94 West to Southfield (M-39) and exit north. Follow Southfield (North) to the Michigan Ave. (U.S. 12) exit. Stay on the Southfield Service Drive to Hubbard Drive and turn left. Follow Hubbard Drive and turn right into the southern entrance of the UM-Dearborn/Fairlane Center (the marquee will read: The University of Michigan-Dearborn/Fairlane Center). Follow the entrance road to the back and turn left at the stop sign; the North Building will be located on your left-hand side. Parking is directly across from the North Building.

From the South
Take Southfield (M-39) north to the Michigan Avenue exit. Stay on the Southfield Service Drive to Hubbard Drive and turn left. Follow Hubbard Drive and turn right into the southern entrance of the UM-Dearborn/Fairlane Center (the marquee will read: The University of Michigan-Dearborn/Fairlane Center). Follow the entrance road to the back and turn left at the stop sign; the North Building will be located on your left-hand side. Parking is directly across from the North Building.

From the North
Take Southfield (M-39) south to the Ford Road exit. Stay on the Ford Road Service Drive to Hubbard Drive and turn right. Follow Hubbard Drive and turn right into the southern entrance of the UM-Dearborn/Fairlane Center (the marquee will read: The University of Michigan-Dearborn/Fairlane Center). Follow the entrance road to the back and turn left at the stop sign; the North Building will be located on your left-hand side. Parking is directly across from the North Building.
© Copyright 2024