Fundamentals of IT Audit – IT Audit, Governance and Security

2013 Canadian Conference on IT Audit, Governance and SecurityMarch 26-27, 2013 (Optional Workshop March 28) • The Westin Harbour Castle – Toronto, ON12:15 pm LUNCH1:30 pm CONCURRENT SESSIONS – CHOOSE ONE OF THREEWhat Does It Take to Be an Effective IT Auditor –in the Brave New World?Marc Poirier and Michael Kostanecki, ProtivitiPractitioners need a combination of technicaland people skills to forge a career in auditingtechnology. Organizations are investing substantialsums in their computer systems, databases andsupply chains to compete and leverage customerrelationships. At the same time, they are beginningto recognize that IT auditors can assist them inunderstanding the constantly shifting risks of theinformation age.IT auditors focus on the governance of IT systemsand processes with audits ranging from businesscontinuity to development processes to informationsecurity. To be effective, IT auditors must acquirethe right hard and soft skills.Most IT auditors know about the hard skills requiredto meet professional requirements. This sessionwill focus on the key attributes that successfulIT auditors must have in their repertoire to beeffective, that is, the soft skills – in the brave newworld.OR How to Better Engage the CFO in IT Activities –Aligning CFO and CIO PrioritiesPeter A. Parsan, The Hospital For Sick ChildrenEnterprises today are facing unprecedenteduncertainty requiring a new level of agility to adaptquickly to changes in the business environment.Although IT cost savings are still a key focus forthe CFO, business agility requires a new focus,urgency and cooperation between the CFO andCIO for setting priorities and aligning IT strategiesto business strategies for achieving sustainablerevenue growth, profitability and competitiveness.This session will focus on how the CFO mustbecome more involved and work with the CIO onIT issues relating to: understanding IT cost drivers;improving business agility through IT solutions; andmitigating risk.ORNFC and RFID – Balancing Benefits and RisksBlake Lindsay, BCEHow and where are NFC and RFID used? What arethe benefits? What are some of the audit and riskconsiderations? NFC and RFID create a new wayof looking at how to audit and control financialand shipping records, for example, how you audit apaperless trail. There are also risk, governance, andsecurity considerations, such as: how to get youraudit information and how to ensure the securityand integrity of the data. In this session, insightsinto the benefits and risks for using NFC and RFIDwill be discussed and explored.2:30 pm COFFEE BREAK – EXHIBITS OPEN2:50 pm CONCURRENT SESSIONS – CHOOSE ONE OF THREEORLeveraging Continuous Monitoring to EnhanceOperational AuditingCharan Kumar Bommireddipalli, Collins Barrow LLPRobert D. Crawford, Ministry of Finance, Ontario InternalAudit DivisionThe successful achievement of an enterprise’s goalsand objectives is accomplished through the designand implementation of various business processesthroughout the organization. The effectivenessof these processes (desired outcomes) and theirefficiency (resources used economically) impactthe extent to which strategic goals are successfullyachieved.While operational auditing assists the enterprisein evaluating and improving the design of variousbusiness processes, continuous monitoring assists inensuring that the business processes are operatingas intended.This session will address: What is continuousmonitoring? How can it assist in operationalauditing? What is operational auditing and how canoperational auditing add value to your IT audit? Inaddition, this session will also provide a workingsolution for continuous monitoring in action.COBIT 5 – What’s New?Vishi Bindra, MNP LLPISACA recently released its COBIT 5 frameworkwith significant updates to its content and processes.Building on the previous versions, COBIT 5integrates several other components like VALIT and RISK IT. This session will provide a highleveloverview of the major changes in COBIT 5compared to COBIT 4.1. Existing users will gaininsights into planning their transition and non-userswill receive an overview of this latest IT framework.For the most current information and to register, visit: www.cpd.cica.ca/ITAudit 5

2013 Canadian Conference on IT Audit, Governance and SecurityMarch 26-27, 2013 (Optional Workshop March 28) • The Westin Harbour Castle – Toronto, ONORRise of the Cloud – Leveraging the Cloudfor ValueReza Kopaee, RiskView Inc.Richard Reiner, CC Stratus Capital Corp.Organizations are continuously under pressure tomake more efficient use of their IT resources whileenhancing their compliance with regulatory andlegal requirements. Cloud computing and its variousflavours offer an enormous opportunity; however,many organizations are reluctant to trust cloudservice providers with critical information.The purpose of this session is to understandpotential opportunities of cloud computing forenterprises of all sizes, in particular, small- andmedium-size-organizations. We will explore goodpractices from business requirements gatheringto design, implementation, and security ofcloud-based solutions.3:50 pm CHANGE BREAK4:00 pm Fraud – Social Engineering Attacks onSocial NetworksModerator:Charan Kumar Bommireddipalli, Collins Barrow LLPPanelists:Albert J. Marcella, Business Automation Consultants, LLCRonald E. Wretham, Investigative Solutions Network Inc.Lawyer TBDSocial networks have integrated into our sociallives and gained an influential role in society.More personal information is available for publicconsumption than ever before. Unfortunately, socialnetworks have increased our vulnerability to sociallyengineered attacks in which victims are tricked intodoing the attacker’s bidding.This session will address questions such as:What are the real risks to an organization? Whocan be victims? What is the technical anatomy ofa social engineering attack? What are the legalrights and obligations?Our panel consists of experienced veteranswho will share their war stories, views andexperiences and will provide an investigator andlaw enforcement perspective toward socialengineering risks.5:00 pm NETWORKING RECEPTION SPONSORED BYDay 2 • Wednesday, March 27, 20137:30 am CONTINENTAL BREAKFAST – EXHIBITS OPEN8:30 am Knowing Your Cyber Risks/Threats andMitigating ThemCraig Pattinson, BCESenior management and boards of directorshave a fiduciary responsibility to oversee all facetsof risk, including cyber risk. Cyber risk, in additionto being an IT risk, can impact the business’srevenues, expenses, strategy, brand and reputation.At this session, you will learn how a leadingCanadian information technology service providertakes an enterprise-risk approach to obtain acomprehensive understanding of the relatedexposures, how risks are communicated to keystakeholders and how they are mitigated.9:30 am Managing the Complex World of CompliancePanel of industry leaders moderated by David Craig, PwCEnsuring sustainable compliance with the largenumber of current regulations is considered to beone of the major risks facing all organizations today.How can risks associated with non-compliance andsustainability be managed?In this session, a panel of leaders from a varietyof industries will explore and discuss the commoncompliance issues that are currently being facedand the roles played by IT audit, governance andsecurity in ensuring sustainable compliance isachieved. The panel will also discuss some of thechallenges you face along with suggestions forovercoming them.10:45 am COFFEE BREAK – EXHIBITS OPEN11:15 am CONCURRENT SESSIONS – CHOOSE ONE OF THREEYou Can’t Do It All! Segregation of Non-CompatibleIT Duties – What Every IT Auditor Should KnowScott Page and Kevin Pengelly, Wajax CorporationSegregation of Duties (SoD) in IT plays a major rolein reducing IT risk in the areas of fraud, undetectederrors, sabotage and programming inefficiencies.This session addresses some of the key roles andfunctions that need to be segregated including:IT duties versus user departments; databaseadministration versus the rest of IT functions;application development and maintenanceversus application operations; new applicationdevelopment versus application maintenance;information security versus IT functions; ITorganizational structure for IT activities; andauditing for SoD.6For the most current information and to register, visit: www.cpd.cica.ca/ITAudit

2013 Canadian Conference on IT Audit, Governance and SecurityMarch 26-27, 2013 (Optional Workshop March 28) • The Westin Harbour Castle – Toronto, ONORORDemystifying ITAFChris Anderson, Grant Thornton LLPThe Information Technology Assurance Framework(ITAF) is a roadmap for IS auditors to makeeffective use of ISACA (and other relevant standardsetting bodies) standards and guidelines inperforming IT audits in a consistent, high-qualitymanner.This session will review ITAF at a high level, showparticipants how it ‘plugs in conceptually’ to internaland external audits and briefly work through anexample of how to use ITAF in performing an auditon an important IT process.Strategies for Securing the CloudReza Kopaee, RiskView Inc.Service models including applications, platforms,and infrastructure are some of the areas where anorganization can leverage the benefits of the cloud.However, benefits come with their fair share ofsecurity risks. Network dependency, complexitiesof hybrid systems, reliability and cross border legalimplications increase the complexities of adaptingto the cloud. Infrastructure, security framework andthe type of cloud configuration can significantlyinfluence security from a privacy, compliance andlegal stand point. In addition, evolving risks, newthreats, financial budget constraints and a lack ofskilled and experienced personnel create significantchallenges to mitigate these risks. Are you up to thechallenge?This session will explore current strategies and bestpractices on how to secure the “CLOUD”3:50 pm CHANGE BREAK4:00 pm Security, Risk and 21st Century Technology:A Tabletop ExerciseAlbert J. Marcella, Business Automation Consultants, LLCDo you ever wonder what the future of insiderthreats will look like? Will you or your organizationbe prepared? This closing session will challengeyour audit and control expertise, test your technicaland economic judgment and place you squarely inthe command hot seat. Bring what you know. Usewhat you learned at the Conference. Don’t attendthis session if you wish to relax, wrap up yourday and expect to listen to an hour of summarycomments. You can’t be a passive attendee in thissession. You are the session!5:00 pm CONFERENCE CONCLUDESDay 3 • Thursday, March 28, 2013Optional Post-Conference Workshop7:30 am REGISTRATION AND CONTINENTAL BREAKFAST8:30 am Introduction to COBIT 5Workshop Leader: Barry Lewis, Cerberus ISC Inc.This one-day workshop provides an overview ofCOBIT 5, ISACA’s new governance framework. Theworkshop will provide existing practitioners andpotential new COBIT users excellent insight into thenew framework and explain the differences betweenCOBIT 4.1 and COBIT 5.After completing this workshop, attendees will beable to:• discuss how IT management issues affectorganizations• understand the principles of the Governanceof Enterprise IT and explain the differencesbetween management and governance• assess how the COBIT 5 Processes help guidethe creation of the five basic Principles and theseven Governance and Management Enablers• discuss the COBIT 5 Enabler Guide, includingthe Goals Cascade and the Process ReferenceModel.• describe the basics of how to implementCOBIT 5• understand the differences between COBIT 4.1and COBIT 5 and what to consider whentransitioning• explain the benefits of using COBIT 5Who Should Attend?• current COBIT 4.1 users needing to decidewhether they want to adopt COBIT 5• new to COBIT and want to learn more aboutCOBIT 5• IT professionals working in audit, assurance, risk,security and governanceBarry Lewis, CISM, CGEIT, CRISC, CISSP, Cerberus, isone of North America’s pre-eminent experts in theinformation security field. Since 1980 he has beeninvolved in the security field, designing, developingand implementing security measures from high-levelstandards to detailed technical security controls.Barry received the prestigious John Kuyers BestSpeaker/Conference Contributor Award at theISACA 2008 International CACS Conference.8For the most current information and to register, visit: www.cpd.cica.ca/ITAudit

Fundamentals of IT Audit – A Three-Day WorkshopMarch 26-28, 2013 • The Westin Harbour Castle – Toronto, ONWorkshop runs from 8:30 a.m. to 4:30 p.m., each day with continental breakfast available at 7:30 a.m.Fundamentals of IT Audit – A Three-Day WorkshopWorkshop Leader:Craig R. McGuffin, C.R. McGuffin Consulting ServicesThis three-day workshop is designed to provide newIT assurance-and-control professionals with the coreskills needed by all information technology auditors.You will review and understand key audit and controlprinciples, as well as many practical techniques, whichare all necessary to complete a wide range of ITaudit assignments within today’s complex computingenvironments.Topics covered include overall IT audit planning andobjectives, as well as audit risk assessment. We’llalso examine the wide range of controls neededfor managing the IT function, system development/acquisition and implementation, IT operations, logicaland physical security and business resumption/disasterrecovery. Included are the vital business processcontrols found within specific financial trackingand reporting systems. In addition, we will considerimportant technology components IT auditors mustbe able to understand, use and evaluate.Key topics include:• understanding IT audit risks and defining audit scope• internal control concepts and the role of computercontrol standards• general controls protecting the IT environment• business process controls covering specific financialsystems• communicating audit findingsYour understanding will be facilitated by demonstrationsand discussions of current technology and audittechniques to help reinforce the key concepts. Aftercompleting the workshop, you will be able to takepart in many types of IT audit assignments and havea solid foundation on which to continue to build youraudit expertise.Attend this workshop and get a solid foundation tocontinue to build your IT audit expertise.Workshop Leader Craig McGuffin, CA, CISA, CISM, CGEIT, CRISC, Principal of C.R.McGuffin Consulting Services, has more than 25 years of experience in the field ofcomputer and network controls and security. He has a background in computerscience and has worked as an information systems auditor, security consultant andsecurity manager, obtaining experience in all major computing and networkingenvironments. He also is the co-author of two books on networking technology.Craig is an award-winning and extremely popular speaker on the use of computertechnology, controls and security, delivering core knowledge and practices throughuniversity courses, training seminars and conferences on six continents. He frequentlypresents on behalf of ISACA, IIA, and CICA.For the most current information and to register, visit: www.cpd.cica.ca/ITAudit 9

2013 Canadian Conference on IT Audit, Governance and SecurityAND Fundamentals of IT Audit – A Three-Day WorkshopRegistration Information and Conditions:Hotel Information:The Westin Harbour CastleOne Harbour SquareToronto, ONPhone 416-869-1600, 1-888-625-5144www.westin.com/TorontoThe Westin Harbour Castle, Toronto is a CAA/AAA Four Diamond hotel located in the heartof downtown Toronto. Guests can easily access the city’s most thrilling destinations, from thebustling financial district to the lively Lake Ontario waterfront.Hotel reservations are the responsibility of the participant. Conference/Fundamentals ofIT Audit Workshop participants can enjoy a rate of $169.00 (plus applicable taxes). Earlyreservations are recommended. After February 28, or until our room block is full, reservationsare accepted on a space and rate availability basis.Contact Starwood Reservations at Tel: 1-888-625-5144. Identify yourself as a 2013 CanadianConference on IT Audit, Governance and Security participant to qualify for the specialconference rate.To make your reservations on-line go to the conference website at www.cpd.cica.ca/ITAuditand click on Venue.Program Disclaimer:The Conference/Workshop may be cancelled and all fees refunded if the required minimumenrolment is not obtained. The speakers, topics, program format and events are correct at thetime of printing. If unforeseen circumstances occur, CICA reserves the right to alter or deleteitems from the program, or cancel the Conference/Workshop.Cancellation Policy:If you are unable to attend an event for any reason, you may substitute, by arrangementwith the Participant Coordinator, someone else from your organization, or, you may cancelup to 14 calendar days prior to the event start date for a full refund. Cancellations receivedwithin 14 calendar days of the event start date will be subject to a $150 administration fee(plus applicable taxes). All cancellation requests must be received by 5:00 p.m. ET on theday prior to the event start date. Refunds are not available after that point.PLEASE NOTE: All cancellations must be received in writing, either by mail toCICA Continuing Education, 277 Wellington Street West, Toronto, ON M5V 3H2,Attn: Liliia Dubko, Participant Coordinator, or faxed to (416) 204-3415, or emailed toregistration@cica.ca.Earn the CPD hours you need with low-costflexible elearning from the CA Learning Centre.Hear the latest insights and technical updates from industry andprofessional services leaders who are experts in their field.Go to www.calearningcentre.ca and choose “E-Learning”10For the most current information and to register, visit: www.cpd.cica.ca/ITAudit

2013 Canadian Conference on IT Audit, Governance and SecurityAND Fundamentals of IT Audit – A Three-Day WorkshopRegistration FormPlease register me for the following:q Conference* ONLY (March 26-27) $1,295 $_______________q Conference* PLUS Post-Conference Workshop (March 26-28) $1,695 $_______________q Post-Conference Workshop ONLY (March 28) $645 $_______________*Conference registration includes online access to recorded presentations.(Online access will be available approximately 6-8 weeks post-event.)ORq Fundamentals of IT Audit – A Three-day Workshop (March 26-28) $1,495 $_______________(Conference or online access to conference sessions not included.)plus 13% HST $_______________GST/HST # R10686 1578 RT0001 QST #1010544323TQ0001SS TOTAL PAYMENT $_______________First Name (preferred)________________________________________________ Middle Initial(s)___________________Badge Name (if different from above)_____________________________________________________________________Surname_____________________________________________________________________________________________Designation(s) ________________________________________________________________________________________Title_________________________________________________________________________________________________Firm/Employer________________________________________________________________________________________Department___________________________________________________________________________________________Business Address______________________________________________________________________________________City_______________________________________ Province_________________ Postal Code______________________Business Phone_____________________________________ Business Fax_______________________________________Email________________________________________________________________________________________________Special dietary or other requirements (needs, not preferences):________________________________________________YOU MUST HAVE AN ACCOUNT TO REGISTER:I have an up-to-date account/profile with CICAq YES q NOIf NO, visit the CA Store at www.castore.ca and click “my account”(top right-hand corner), and either Login and ensure your profileinformation is current, or create a profile if you do not have an account.PAYMENT OPTIONS:Credit Card: q Visa q MasterCard q AMEXCard No.____________________________________________Expiry Date__________________________________________Name of Cardholder___________________________________WAYS TOREGISTER:REGISTER ONLINE AT:www.cpd.cica.ca/ITAuditREGISTER BY PHONE:416-651-5086 ortoll-free 1-888-651-5086MAIL REGISTRATION FORM AND PAYMENT TO:CICA Conference Officec/o aNd Logistix1345 St. Clair Ave. W., 3 rd floorToronto, ON M6E 1C311