AGENDA—MONDAY, AUGUST 24

8:00 AM — 9:20 AM
Keynote: Mike Fucilli, CAE, New York Metropolitan Transit Authority
“Raise the Bar – How to Promote the Profession and Yourself”

9:25 AM — 10:50 AM

Fraud and Ethics
Why Audits Fail to Find Fraud
Allen Brown, AFB Consulting
The fact that financial audits fail to find fraud is an ongoing issue faced by auditors around the world. In general, the Standards require that audits be designed to identify fraud that would be material to the financial statements. However, there are occasions when fraud is not material to the financial statements, but is large enough to cause serious concern to the users and the general public. This is an even greater concern when the auditors held the fraud in their hands and did not see it. This session will use real examples to uncover factors leading to audit failure in the context of fraud identification.

Best Practices and Professional Development
Fighting to Focus: How to Stay Motivated
Danielle Crough, Silverstone Group
In a world where we encounter 74 gigabytes of information every day (the equivalent of 9 full-length DVDs), it can be hard to stay focused, much less motivated. In this session, we will unpack how to maximize our motivators to drive ourselves to achieve more as well as understand how to help others around us reach their own potential. By sharing findings from motivation research in a practical manner, audience members will gather useful tools for their professional and personal benefit.

Risk Management and Emerging Risks
Risk Management Fundamentals
Terri-Anne Wallen, CSG
Implementing and facilitating a risk management program is much more than a theoretical exercise of measuring risk significance and likelihood. Are you looking to further your risk management program involvement as Internal Audit to assist your company and its management in seeing the strategic value of a risk management program? This session will focus on how to align with your company’s risk management program, the importance of evaluating critical risks, catastrophic risks and reputational risks, and related risk acceptance or mitigation.

Information Technology
IT Governance – What Effective Really Means and
Gordon Braun, Protiviti
Effective IT governance leads to the efficient and effective deployment of IT resources in alignment with key business objectives. On the surface, many IT governance structures and processes can appear effective. How do we critically evaluate and work with management to provide feedback, perspective, and take advantage of what can be the biggest opportunity to add value within our company? This session will provide concrete examples of effective and ineffective IT governance elements. We will consider the utilization of key, but seldom utilized techniques, such as benefit realization. We will also explore two case studies of organizations that failed to deliver an effective IT governance function, leading to expensive and critical project failures.

11:05 AM — 12:30 PM

Fraud and Ethics
Investigating a Kickback Scheme: A Case Study
Allen Brown, AFB Consulting
This session will start with a discussion of red flags that may indicate a kickback scheme and then proceed into an actual case. The case is the investigation into a kickback scheme that had been going on for years within the Louisiana Department of Elections. The discussion will include how the scheme was discovered and the methods used to fully expose the scheme and prosecute those involved. The result of the investigation was the prosecution of 28 people in three different states and the Louisiana Legislature’s decision to close the department. Participants should come away with an understanding of the various red flags that indicate a possible kickback scheme, as well as the methods that were successful in the investigation.

Best Practices and Professional Development
Talent Management in Internal Audit
Teresa Hecker, ConAgra
This session will focus on the elements of finding and growing talent in the Internal Audit profession. The speaker will discuss the Talent Management processes in place at ConAgra Foods' Internal Audit and the impacts that it has had on their results.

Risk Management and Emerging Risks
Transforming the Internal Audit Model
Andy Schweik, Crowe Horwath LLC
Internal Audit Departments continue to experience challenges related to an expanding audit universe, external market forces, changes in laws and regulations, greater technology risks, and increased budget pressures. At the same time, Audit Committees, Executive Management and key stakeholders are asking internal auditors to do more with less and expand their competencies and skill sets. A transformed internal audit model can help meet these challenges, accomplish key internal audit objectives, and assist Executive Management and the Board of Directors with their governance responsibilities.

Information Technology
Mobile Devices – Controls and Security
Aaron Grothe, NebraskaCert
What an auditor should know about Mobile Device Security, from the management/policy perspective down to the device level. This session presents an overview of the tools needed for Mobile Device Management (MDM) and Mobile Application Management (MAM). Tools and techniques for protecting the data on devices will be demonstrated.

1:30 PM — 2:55 PM

Fraud and Ethics
Identifying and Protecting Against Fraud through Continuous Auditing
Jeff Sebree, Union Pacific
This session will cover a multitude of issues, from how to improve employee compliance with policies to the process of starting and maintaining a continuous auditing program. Additionally, fraud prevention processes will be covered. Participants will work with audit colleagues to brainstorm how continuous audit could fit within their organization.

Best Practices and Professional Development
International Professional Practices Framework (IPPF) – Methods a Small Audit Department Can Use to Comply
Skip Langlois, Brick Street Mutual Insurance Company
Over 90% of Internal Audit Departments have 10 or fewer employees. The International Professional Practices Framework (IPPF) provides mandatory guidance for Internal Audit functions. It is possible for a small audit department to comply, even with the requirements of the Quality Assurance and Improvement Program. Methods for implementing these Best Practices will be discussed in this session.

Risk Management and Emerging Risks
Implementing a World-Class Operational Risk Management Framework
Vladimir Liska & Sarah Brackle, TD Ameritrade
This session provides a case study of the journey undertaken by TD Ameritrade to implement an Operational Risk Management framework. This includes bringing together key framework components and tools around loss data capture, issue tracking, risk & control assessments, and risk indicator monitoring. We will also cover the governance and reporting structures established to allow the organization to achieve its objectives within an acceptable risk and control structure.

Information Technology
Auditing Social Media
TBD, Deloitte & Touche LLP
Social media has increasingly become a prominent form of communication and collaboration by organizations and individuals. The convergence of social media and mobile devices, as well as an expectation of transparency, is fundamentally changing the interaction between customers and brands. This session focuses on internal audit’s role in assessing and managing social media risks within their organizations.

3:10 PM — 4:35 PM

Fraud and Ethics
Fraud – How Could it Have Been Prevented? Real Lessons from Real Cases
Skip Langlois, Brick Street Mutual Insurance Company
Several types of fraud cases will be reviewed in this session. Breakdowns in internal controls will be identified along with actions taken to mitigate those breakdowns.

Best Practices and Professional Development
Critical Thinking Skills for Auditors
Carrie Weber, Ameritas
This session will cover background information on critical thinking, the importance of critical thinking skills to the workplace, how to utilize these skills in auditing and decision making, and an example framework for practical application. Participants will further develop or refresh familiar concepts of critical thinking, professional skepticism, and professional judgment, and apply these concepts to internal auditing.

Risk Management and Emerging Risks
A Risk Management Evolution at its Best
Mary Peter, Eide Bailly CPAs & Business Advisors
Organizations are facing an unprecedented number of risks that challenge their business and strategic objectives. The introduction of enterprise risk management (ERM) makes it possible to obtain support and structure to manage the multiple, inter-related and changing risks through an ongoing process. ERM looks to the future for opportunity, as well as learning from the past, to create new risk response plans supporting strategic objectives. We will explore the evolution of risk management from a traditional to an integrated approach, learn the elements needed to address the current enterprise risk profile, review sample risks, and determine how ERM may be of benefit.

Information Technology
ISACA Standards, From The Person Who Managed Their Creation
Steve Sizemore, ISACA
ISACA updated the IS Audit Standards in November 2013. This session will feature an overview of the updated standards by the individual leading the ISACA committee responsible for their creation. Additional insights will include how the standard-setting process works at ISACA, tips on adoption and implementation of the standards based on feedback, and emerging topics the committee is currently reviewing.

AGENDA—TUESDAY, AUGUST 25

8:00 AM — 9:20 AM
Keynote: Jeremy Wortman, Founder HRD Initiatives LLC
“Psychology in the Workplace”

9:25 AM — 10:50 AM

Fraud and Ethics
Disposition-Based Fraud Cycle: Practical Implications for the Internal Auditor
Dr. Vasant Raval, Creighton University
This session is devoted to the discussion of the human side of fraud, where an act of fraud is visualized as an interaction between human nature and circumstances surrounding the act. The nature of fraud is represented in the form of human disposition and the circumstances eliciting the act as moral temptations. Practical implications of the model are discussed in terms of fraud risk factors. The session concludes with suggestions for the internal audit function to prevent or detect financial fraud.

Best Practices and Professional Development
Transformational Leadership
Jeremy Wortman, HRD Initiatives LLC
This module explores the continuum of leadership styles from ineffective to effective with specific attention given to the four I's of leadership.

Risk Management and Emerging Risks
Vendor Risk Management / SSAE 16
Jordan Serre & Phil Nemmers, Ernst & Young LLP
The session will cover the ever-changing regulatory environment, customer expectations, and the EY point of view on supplier risk management from oversight through execution for all types of suppliers. The discussion will also include details on the advancing Service Organization Control (SOC) reporting environment and how organizations are increasing their use of the different SOC report types to better serve their users and reduce audit fatigue on those responsible for responding to assessment requests.

Information Technology
Secure Web Development – What Internal Audit Should Do
Matt Hale, University of Nebraska Omaha
This session will examine how service level agreements (SLAs) can be augmented with security control information from information security compliance standards, such as the NIST SP 800-53, Common Criteria, or FedRAMP, and used by compliance analysts to measure compliance and mitigate compliance gaps. A central topic of this session relates to the nature of risk when enterprises or government organizations utilize cloud-based web services. Emphasis will be given to how security SLAs can define measurable Quality of Security Service (QoSS) metrics that can be monitored to determine if service consumer certification requirements are being met.

11:05 AM — 12:30 PM

Fraud and Ethics
Evaluating your Ethics and Compliance Function: One Size Does Not Fit All
Bruce Orr, Grant Thornton
Many internal audit departments today are charged not only with assessing risk in an enterprise but also evaluating the performance of various corporate functions. The Ethics and Compliance (E&C) function itself is at the intersection of both these mandates since E&C is an important function and also a vehicle to address risk. This session will address each typical E&C activity and how an internal audit department can assess their E&C function via performance indicators for each activity while also giving consideration for what might work for some companies but might not for others. In addition to taking an independent view of your E&C function performance, we will also consider alignment of the function with your organization’s risk profile and its overall adaptability. Finally, we will survey how the COSO 2013 Framework principles integrate with your organization’s overall evaluation.

Best Practices and Professional Development
Friend or Foe: Is Your Message Clear?
Lael Holloway, Experis
This session will address how to make verbal and non-verbal communications work for rather than against you. The topics are relevant to the newest auditor as a starting point, or as a refresher for the seasoned auditor. Topics covered include first impressions, body language, appearance, verbal language, and attitude. Tips for effective reports, status updates, and interviews will be provided.

Risk Management and Emerging Risks
Internal Audit’s Role in GRC
Jason Coyle & Mike Boesch, Mutual of Omaha
Formal "Governance Risk Control" programs continue to mature within the business environment. This session will provide practical examples of how Internal Audit can leverage and provide program oversight to ensure optimal benefit realization from GRC.

Information Technology
Cybersecurity Tips, Tools and Techniques for Home and Work
Ron Woerner, Bellevue University
In this session, common tools used in cybersecurity assessments, investigations, and administration will be covered. Ways to use these tools in both home and work environments will be demonstrated. Tools include Kali Linux, Windows PowerShell, Windows Sysinternals Suite, and Wireshark. Techniques to optimize their use based on the need and circumstance will also be addressed. This session is open to all levels of technical ability.

1:30 PM — 2:55 PM

Fraud and Ethics
Bitcoin – Decrypting the Infamous Cryptocurrency
Tom Haldiman, BKD LLP
Upon completion of this session, participants will be able to:
• Describe the fundamental mechanics of Bitcoin, including how to obtain, store and use bitcoins
• Explain the benefits and risks of Bitcoin and other cryptocurrencies
• Discuss some of the lawsuits involving Bitcoin
• Identify key websites that provide current information on Bitcoin
• Recognize the potential of the technology beyond its use as a monetary exchange.

Best Practices and Professional Development
Auditing Governance – Beyond Controls and Risk Management
Hal Garyn, Institute of Internal Auditors
The globally acknowledged definition of internal auditing includes a statement of bringing "a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes." Overall, as a profession, we excel at providing assurance and consulting activities over internal controls, getting significantly better at doing the same with regard to risk management … but what about governance? Do we spend much time auditing governance? This session will:
- Discuss what is or can be meant by governance
- Identify areas in a company where "governance" audits can be performed
- Challenge you to potentially rethink your annual audit plan, and
- Share ideas on ways to successfully audit governance.

Risk Management and Emerging Risks
Panel Discussion – Emerging Risks
Moderator: Vladimir Liska
Danielle Crough
Ron Woerner
Terri-Anne Wallen
Barb Bergmeier
Kreg Weigand
Today’s organizations face cyber security, changing regulations, geopolitical threats, climate change, and countless other risks that impact the people, process, and technology necessary to conduct business. Some of these risks are well known and well mitigated. Others seemingly come out of the blue, forcing quick assessment and prompt action to mitigate the business impact. This session will bring together a cross-functional panel of leaders in the risk community for an interactive discussion on the emerging risks facing organizations now and in the near future. As risk professionals we often ask the question “what’s keeping you up at night?” This session will provide valuable insight on “what SHOULD be keeping you up at night.”

Information Technology
PCI - You Can’t Buy Compliance and You Can’t Outsource It Either
Denise Mainquist, ITPAC Consulting, LLC
Most organizations accept credit card payments through a variety of channels, but it is rare that the systems are implemented to meet the requirements of the PCI Data Security Standard. This session will look at the different system and service configurations of credit card systems and services and some of the common pitfalls with each setup. It will also explain why compliance cannot be purchased or outsourced and that most cybersecurity insurance will not protect the organization if it does not meet compliance requirements.

3:10 PM — 4:30 PM
Keynote: Weston Smith, President, ChalkLine Solutions
“Crossing the Line: An Insider’s Story of Fraud”
HOTEL ACCOMMODATIONS
The 2015 Midwest District Conference will be held at the Ramada Plaza Omaha Hotel and Convention Center, located at 3321 South 72nd Street, just north of Interstate 80. Room reservations may be made by calling 888-288-4982. Be sure to mention that you are attending the Institute of Internal Auditors Midwest District Conference to receive our group rate of $84/night.
Room rate includes two passes to CoCo Key Water Resort, located within the conference center.
http://ramadaplazaomaha.com/coco-key/
Reservations must be made by August 10, 2015, to receive the discounted group rate.
Hotel rates are subject to state and local taxes at the time of checkout.
Free parking is available on site, and the hotel features a variety of full-service amenities. Hotel information is available on the property website: http://www.ramada.com/hotels/nebraska/omaha/ramada-plaza-omaha-hotel-and-convention-center/hotel-overview.