Collaborating for Greater Success
Governance, Security and Audit Conference
New York City, New York
October 26, 2012

Welcome Message from Brian Mannix, President, IIA New York Chapter

Welcome to Collaborating for Success, our joint conference from the New York Chapter of the Institute of Internal Auditors and ISACA's New York Metropolitan Chapter. As emerging technologies change the ways in which our organizations do business, it is of the utmost importance that members of the internal audit profession stay on top of the associated risks. To meet this demand, our two organizations have joined forces to bring you this intriguing event today. Special thanks to those volunteers from both chapters who led the charge and put in countless hours to make the event a success. As president of the New York Chapter, I thank you for your interest in the event, and hope that you continue to consider the NY IIA and ISACA NY for your training and networking needs.

Best regards,
Brian Mannix, CPA, CIA, CFSA

Welcome Message from James Ambrosini, President, ISACA New York Metropolitan Chapter

Dear ISACA and IIA Members and Guests,

It gives me great pleasure to welcome you to our first ISACA and IIA joint conference. This has been a long-standing goal of the ISACA chapter for some time and the result of a lot of hard work and dedication by both organizations. We are at a time when our roles in audit, risk management, governance and security are more important than ever. We've seen the devastating effects when these functions take a back seat to corporate goals and profits. It's nice to be part of organizations that imbue quality and standards that are designed to benefit corporations by elevating the role and importance of what we do, while also adding value to the membership. I want to thank you for your participation today and look forward to seeing you at other events, as this will be the first of several joint conferences we will have.

All the best,
James C. Ambrosini, CISA, CISSP, CRMA, CFE, CRISC

Agenda

08:30 AM - 09:00 AM  Registration and Breakfast - Sponsored by PwC

09:00 AM - 09:15 AM  Welcome

09:15 AM - 10:20 AM  Morning Keynote: IT Governance, IT Strategy Trends, Regulatory Impact, Agility
                     Alex Abramov, Moderator; Jennifer Bayuk, Terence Finn, Perry Menezes, Tom Patterson

10:20 AM - 10:55 AM  Vendor Exhibits - 2nd Floor, Room A

10:55 AM - 11:45 AM  Audit: Integrated Identity Management and its Impact on Governance, Audit, and Security
                     John Lu, Senior Manager - Deloitte & Touche LLP
                     Governance: Designing and Implementing a World Class Risk and Controls Monitoring Function
                     Ray Purcell, Director-Financial Controls - Pfizer, Inc.; David Hodgson, Partner - Deloitte & Touche LLP
                     Security: Security Metrics that Matter: Improving Visibility and Effectiveness
                     Dr. Mike Lloyd, Chief Technology Officer - RedSeal Networks

11:55 AM - 12:45 PM  Audit: Continuous Auditing/Monitoring - Transforming Technologies
                     Michael P. Cangemi, CPA, President and CEO - Cangemi Company LLC
                     Governance: Data Security and Privacy - Regulations and Compliance
                     Michael Money, Director-Security & Privacy - Protiviti
                     Security: Identity and Access Governance using Business Analytics
                     Morten Boel Sigurdsson, Chief Executive Officer - Omada

12:45 PM - 01:30 PM  Buffet Lunch - 2nd Floor, Room C (Seating in Room B)

01:30 PM - 02:30 PM  Lunch Keynote: Strategic Board Governance and the Role of Internal Audit
                     Denise Fletcher, CEO - Orienta-Royal, LLC

02:30 PM - 03:00 PM  Vendor Exhibits - 2nd Floor, Room A

03:00 PM - 03:50 PM  Audit: Finding the Sweet Spot - How do Fraud, Risk and AML fit together?
                     Vikas Agarwal, Managing Director - PWC; John Sabatini, Partner - PWC
                     Governance: Emerging Technologies, Insecurity and their Effect on IT Controls
                     Michael Zboray, Chief Technology Officer - Gartner
                     Security: PCI Security and Internal Audit Best Practices
                     Hari Shah, Senior Director of Information Technology - Coach, Inc.; Parthiv Sheth, Senior Manager-Internal Audit - Coach, Inc.

04:00 PM - 04:50 PM  Audit: Integrating the "Pieces" of High-Impact Risk Assurance
                     Dan Zitting, VP Product Management & Design - ACL
                     Governance: COBIT 5 - Governance & Decision Making
                     Allen Ureta, Executive Director and Vice President - Deltamine Inc.
                     Security: Security and Privacy Issues in iOS and Android - Top 5 Issues
                     Praveen Nallasamy, Senior Consultant-Security & Privacy - Protiviti

04:50 PM - 06:00 PM  Cocktail Reception - Sponsored by Corero Network Security

Sessions

08:30 AM - 09:00 AM  Registration and Breakfast
Registration - Lobby; Breakfast - 2nd Floor, Room C (Seating in Room B)

09:00 AM - 09:15 AM  Welcome
2nd Floor, Room B

____________________________________________________________________________________________________
Keynotes
____________________________________________________________________________________________________

09:15 AM - 10:20 AM, 2nd Floor, Room B
IT Governance, IT Strategy Trends, Regulatory Impact, Agility
Alex Abramov, Moderator; Jennifer Bayuk, Terence Finn, Perry Menezes, Tom Patterson

IT Governance is a critical component of business success, and yet it is often misunderstood by many companies. ISACA New York Metropolitan Chapter Director Alex Abramov will moderate a panel of IT Governance experts in a discussion of key trends, issues, and best practices. The session will be interactive, and panelists will answer attendees' questions.

____________________________________________________________________________________________________

01:30 PM - 02:30 PM, 2nd Floor, Room B
Strategic Board Governance and the Role of Internal Audit
Denise Fletcher, CEO - Orienta-Royal, LLC

How can Chief Audit Executives and Chief Information Security Officers elevate their roles to better serve the needs of Boards and Senior Management? How can these executives play a more strategic role in corporate governance? Denise Fletcher, a renowned Corporate Board member and former CFO and executive who ran operations at several top-tier public companies, will share thoughts that represent "white space" opportunities for CAEs and CISOs.
____________________________________________________________________________________________________
Audit Track
____________________________________________________________________________________________________

10:55 AM - 11:45 AM, 19th Floor, Rooms D/E
Integrated Identity Management and its Impact on Governance, Audit, and Security
John Lu, Senior Manager - Deloitte & Touche LLP

As audit, compliance and regulatory requirements continue to drive organizational directives, organizations are looking for ways to increase the effectiveness of their business through a combination of security compliance initiatives and technology. This session discusses the evolution of Identity & Access Management (IAM). It will highlight the intersection of IAM and governance, and how IAM enables organizations to manage risk and cost while at the same time improving service and aligning IT investment with business requirements, all with the end goal of improving security compliance and the management of identity within the organization.

____________________________________________________________________________________________________

11:55 AM - 12:45 PM, 19th Floor, Rooms D/E
Continuous Auditing/Monitoring - Transforming Technologies
Michael P. Cangemi, CPA, President and CEO - Cangemi Company LLC

This session will cover technology trends, such as BIG DATA, that are transforming business and audit practices using analytics, continuous monitoring (CM) and business intelligence. We will review the results of the Benefits of CM research project published by Financial Executives Research Foundation in July 2011 and discuss views on expanding the use of analytics and CM in audit as well as in company operations, with case study examples, and the role audit should play in expanding the implementation of CM for the benefit of the business.

____________________________________________________________________________________________________

03:00 PM - 03:50 PM, 19th Floor, Rooms D/E
Finding the Sweet Spot - How do Fraud, Risk and AML fit together?
Vikas Agarwal, Managing Director - PWC
John Sabatini, Partner - PWC

Financial Services institutions currently face a perfect storm of pressures. Management is asking risk and compliance departments to do more with less, regulators are expecting deeper analysis, data is growing at exponential rates, and technology continues to grow more complex. To continue to meet and exceed these challenges, institutions must begin to rationalize the processes, people, and technology they use to tackle surveillance issues within Fraud, Risk and AML.

____________________________________________________________________________________________________
Audit Track continued
____________________________________________________________________________________________________

04:00 PM - 04:50 PM, 19th Floor, Rooms D/E
Integrating the "Pieces" of High-Impact Risk Assurance
Dan Zitting, VP Product Management & Design - ACL

In this presentation, Dan Zitting will describe the four-piece audit puzzle (effective risk assessment, effective audit management, detailed data analysis, and audit knowledge content) and the specific steps an audit team can take to use these four fundamental ingredients in a recipe for becoming leaders in providing focused assurance on the critical organizational risks.

____________________________________________________________________________________________________
Governance Track
____________________________________________________________________________________________________

10:55 AM - 11:45 AM, 19th Floor, Rooms B/C
Designing and Implementing a World Class Risk and Controls Monitoring Function
Ray Purcell, Director-Financial Controls - Pfizer, Inc.
David Hodgson, Partner - Deloitte & Touche LLP

Most would agree that management should be responsible for assessing risks, implementing controls and continuously monitoring their ongoing effectiveness. But fulfilling these responsibilities can be challenging in large, global enterprises, particularly in an uncertain economic environment. Hear how Pfizer's ground-breaking Global Risk, Compliance and Control initiative is helping the management team of a leading global pharmaceutical company gain fresh, timely insights into emerging risks and the ongoing quality of internal controls.

____________________________________________________________________________________________________

11:55 AM - 12:45 PM, 19th Floor, Rooms B/C
Data Security and Privacy - Regulations and Compliance
Michael Money, Director-Security & Privacy - Protiviti

This session will focus on new regulations and frameworks that you may need to worry about, and includes recent case studies in security and privacy failure. Several agencies (e.g., FTC, HHS, SEC) have ramped up their compliance enforcement mechanisms and have had a wide-reaching impact that may affect your security and privacy programs.

____________________________________________________________________________________________________

03:00 PM - 03:50 PM, 19th Floor, Rooms B/C
Emerging Technologies, Insecurity and their Effect on IT Controls
Michael Zboray, Chief Technology Officer - Gartner

Worldwide adoption of new consumer-oriented technologies (tablets, social networking, smart phones), coupled with an expanding number of back-office technologies and services, is causing enterprises to be exceptionally information-porous and susceptible to exploits. In this session, we will review the technologies that pose the greatest challenges to enterprises for integration into their information systems environment and discuss the challenges of creating suitable controls.
____________________________________________________________________________________________________

04:00 PM - 04:50 PM, 19th Floor, Rooms B/C
COBIT 5 - Governance & Decision Making
Allen Ureta, Executive Director and Vice President - Deltamine Inc.

With COBIT® 5, the new Evaluate, Direct & Monitor (EDM) domain was added in order to address the governance of enterprise IT (GEIT). This session discusses the objectives of EDM and the supporting processes.

____________________________________________________________________________________________________
Security Track
____________________________________________________________________________________________________

10:55 AM - 11:45 AM, 19th Floor, Room G
Security Metrics that Matter: Improving Visibility and Effectiveness
Dr. Mike Lloyd, Chief Technology Officer - RedSeal Networks

Security metrics for improving management have long been an issue of discussion and debate across the industry. Some experts and practitioners contend that we need these key indicators if we're ever going to drive down real-world risk, while others think that the concept can't be applied practically. Some experts feel that we just haven't found the right numbers to measure security effectiveness yet.

____________________________________________________________________________________________________

11:55 AM - 12:45 PM, 19th Floor, Room G
Identity and Access Governance using Business Analytics
Morten Boel Sigurdsson, Chief Executive Officer - Omada

Organizations require control, a deep access intelligence overview and compliance across on-premise and cloud applications/systems to be able to answer 'who has access to what?' and 'who granted it?' Learn:
o Why organizations have realized that Identity Management solutions do not provide the deep access intelligence required for governance, control and auditing of IT systems and entitlements.
o A pragmatic and powerful approach to achieve deep access intelligence and closed-loop auditing by using Business Intelligence techniques.

____________________________________________________________________________________________________

03:00 PM - 03:50 PM, 19th Floor, Room G
PCI Security and Internal Audit Best Practices
Hari Shah, Senior Director of Information Technology - Coach, Inc.
Parthiv Sheth, Senior Manager-Internal Audit - Coach, Inc.

Payment Card Industry (PCI) compliance is a complex and ever-evolving subject affecting millions of businesses: financial institutions, retail organizations, e-commerce merchants, payment processors, consumers and more. Learn about the key considerations for PCI Security implementation and leading internal audit practices for providing assurance in this important area.

____________________________________________________________________________________________________

04:00 PM - 04:50 PM, 19th Floor, Room G
Security and Privacy Issues in iOS and Android - Top 5 Issues
Praveen Nallasamy, Senior Consultant-Security & Privacy - Protiviti

Security and privacy issues in mobile applications have received, and continue to receive, great attention in the media over the last couple of years. Various security issues have been identified in many popular mobile applications. Due to the personal nature of these devices, mobile apps have access to a plethora of user information that earlier wasn't available to desktop apps. Apps have access to sensitive information such as where the user is located, his contacts, emails, browsing habits, shopping information, financial data and much more. However, many of these apps are insecurely built and some of them willfully violate user privacy. We will discuss the top five security and privacy issues that are commonly seen during our penetration tests of mobile applications. The talk focuses on the iOS and Android platforms.

The following issues will be covered in the talk: privacy violations and how apps track user behavior for targeted advertising; insecure storage of sensitive information on the device; excessive permissions and secret application functionality that put user data at risk; insecure transmission of sensitive information; and web-based vulnerabilities in mobile applications.

____________________________________________________________________________________________________

04:50 PM - 06:00 PM, 2nd Floor, Room C
Cocktail Reception

Thank You to our Speakers

Alexander Abramov, IT Governance, Risk and Compliance Practitioner

Alex Abramov has over 20 years of experience in IT Governance, Risk, Audit, and Application Development. Most recently Alex was a Technology Risk Controller at JPMorgan in New York, responsible for technology risk and governance of the development process. Previously he was a Practice Leader for IT Governance and Compliance at Ernst & Young, and an IT Audit Manager / Senior Manager at Ernst & Young and BDO Seidman. Prior to joining E&Y, Alex was Head of IT Application Development and a DISO at Bristol-Myers Squibb. Alex's certifications include CISA, CGEIT, and CRISC. He currently serves on the ISACA New York Metropolitan Chapter Board of Directors and is Chair of the Corporate Relations Committee. An accomplished speaker, Alex has presented at over 20 conferences in North America and Europe on the topics of Risk Management and IT Compliance.

____________________________________________________________________________________________________

Vikas Agarwal, Managing Director – PwC

Vikas is a Managing Director within the advanced risk and compliance analytics practice for Risk Assurance within PwC. Vikas leads the financial services vertical within the practice, focused on fraud, AML, risk, and regulatory reporting. He is responsible for solution development and for deploying business intelligence and analytical techniques using a myriad of vendors. Prior to joining PwC, Vikas was the global head of analytics for Goldman Sachs, where he served in the Internal Audit department. There, he led a team responsible for using advanced analytics to conduct more effective and efficient analysis within risk assessments, audits, and continuous monitoring. Vikas is currently a candidate for his M.B.A. from Columbia Business School. He has previously completed the Certified Regulatory Professional program from the University of Pennsylvania, Wharton School of Business, and has a B.S. degree in Finance from Case Western Reserve University.

____________________________________________________________________________________________________

Jennifer L. Bayuk, Professor, Security Engineering – Stevens Institute of Technology

Jennifer Bayuk's experience in the information security industry has few rivals. Her work experience includes Wall Street CISO, Big 4 Information Risk Management Consultant and Auditor, e-Commerce Security Architect, Manager of Information Systems Internal Audit, Bell Labs Security Software Engineer, Cyber Security Program Director at Stevens Institute of Technology, Cyber Security Expert Witness, Enterprise Security Consultant, and Security and Privacy Advisory Board Member. Jennifer has served on numerous information security committees for SIFMA, Metricon, and other organizations, and she is an active member of and contributor to ISACA and IEEE. Her certifications include CISSP, CISA, CISM, CGEIT, and a NJ State Private Investigator's License. Jennifer's advanced education includes a Master of Arts in Philosophy, a Master of Science in Computer Science and a Ph.D. in Systems Security Engineering.

____________________________________________________________________________________________________

Michael P. Cangemi, CPA, President and CEO – Cangemi Company LLC

Michael Cangemi, an author and business advisor, is the former President, CEO and Director of Etienne Aigner Inc. and Financial Executives International. His experiences as a CAE were published in Managing the Audit Function, now in a third edition and Chinese translation. He is a senior advisor to various companies, serves on the FEI Committee on Finance & Technology, and has served on the COSO Board and the FASB and IASB advisory boards. A past President of both the IIA and ISACA New York chapters, Michael has had a successful career with a long-term, significant focus on technology, including continuous monitoring. He progressed from auditor/IT auditor to CAE, CFO, CEO and Board member. He served as International President of ISACA, and for two decades he was the Editor-in-Chief of the ISACA Journal. At the IIA, he served in numerous professional capacities, including many years on IIARF BORA and the IIARF Board of Trustees. In 2000, The Cangemi Audit & IT Audit Library was established at the University of Mississippi's Auditing Archival Center to house his collection of over 250 books on Auditing and EDP Auditing. Among his many awards, in 2006 he received the Thomas Johnson Lifetime Achievement Award for contributions to IA from the IIA NY Chapter.

____________________________________________________________________________________________________

Terence Finn, Business Focused & Strategic IT Executive

Terence Finn has 18 years of experience across all areas of IT operations, including IT governance, program management, application development, shared services and strategy. He is a strong business partner who gains credibility through his business knowledge and ability to create rapport. Terence has experience in financial services and consumer products and has worked for General Electric, Sony Electronics, IBM, Verizon and Kraft. He is on Pace University's Seidenberg School's advisory board as well as the industry advisory board for the University of Bridgeport.
____________________________________________________________________________________________________

Denise Fletcher, CEO – Orienta-Royal, LLC and Member of Corporate Boards

Denise Fletcher is CEO of Orienta-Royal, an investment company. She has been a leader at public and private global companies. She serves on the boards of Unisys Corporation, Mazars Group (Paris), and Inovalon. Previous board service includes Sempra Energy, Orbitz, Software Etc., and Stores and Hospital Group (private, U.K.). Denise was EVP, Finance of Vulcan Inc., responsible for aviation and CFO operations, overseeing Vulcan Real Estate, and a member of the Investment Committee. Vulcan is Microsoft co-founder Paul Allen's multi-billion dollar investment company. Previously she was SVP, CFO at DaVita, a leader in kidney dialysis, and EVP, CFO of MasterCard, where she ran Global Settlement Operations. She was SVP, CFO of Bowne, CEO of FA Group, and Treasurer of New York Times Company. A Phi Beta Kappa graduate of Wellesley, Denise holds an MCP from Harvard.

____________________________________________________________________________________________________

David Hodgson, Partner – Deloitte & Touche LLP

David has over 30 years of experience and currently serves as Deloitte & Touche LLP's Global Leader of Enterprise Risk Services for Life Sciences. David's focus is on assisting organizations in improving their risk management capabilities, by establishing and improving risk management processes and by designing and implementing appropriate mechanisms to respond to high-priority risks. In this capacity, David has worked extensively with the Senior Management teams of many of the largest companies in the life sciences industry, including Chief Audit Executives and Chief Information Security Officers. David is licensed as a CPA in Massachusetts, New Jersey and New York. He is a member of the American Institute of Certified Public Accountants, the Institute of Chartered Accountants in England and Wales and the British-American Business Association.

____________________________________________________________________________________________________

Dr. Mike Lloyd, Chief Technology Officer – RedSeal Networks

Dr. Mike Lloyd has more than 25 years of experience in the modeling and control of fast-moving, complex systems. He has been granted 18 patents on security, network assessment, and dynamic network control. Before joining RedSeal Networks, Dr. Lloyd was Chief Technology Officer at RouteScience Technologies (acquired by Avaya), where he pioneered self-optimizing networks. Dr. Lloyd was previously principal architect at Cisco on the technology used to overlay MPLS VPN services across service provider backbones. He joined Cisco through the acquisition of Netsys Technologies, where he was the senior network modeling engineer. Dr. Lloyd holds a degree in mathematics from Trinity College, Dublin, Ireland, and a Ph.D. in stochastic epidemic modeling from Heriot-Watt University, Edinburgh, Scotland.

____________________________________________________________________________________________________

Michael Money, Director-Security & Privacy – Protiviti

Michael Money is a Director in Protiviti's Information Security & Privacy Solutions Practice based in New York City. Mr. Money is a Certified Information Privacy Professional (CIPP), Certified Information Systems Professional (CISSP), PCI Qualified Security Assessor (QSA) and Certified Information System Auditor (CISA). He has over 20 years of experience directing and consulting on information technology risk, secure system implementation and operation, developing and executing global security and privacy programs, assessment and control. Mike has an undergraduate degree from Fairfield University and an M.B.A. from the University of Houston at Clear Lake. He is an author of several publications and a frequent speaker at industry conferences.
____________________________________________________________________________________________________ Perry Menezes, Information & Technology Risk Governance – Deutsche Bank Perry Menezes is an information systems risk management professional with responsibilities to provide governance and oversight for IT Risk, Information Security and Vendor Risk across a number of global technology and policy initiatives for Deutsche Bank. He has over 15 years experience in the technology and information security and risk space, including at Bedford Associates (subsidiary of British Airways), Ernst & Young and Reed Elsevier. Perry holds a B.E. in Electronics Engineering and a M.S. in Computer Science, as well as certifications including CISSP, CIPP, CISM and CRISC. ____________________________________________________________________________________________________ John Lu, Senior Manager – Deloitte & Touche LLP John is a Life Sciences Senior Manager in Deloitte & Touche LLP‟s Enterprise Risk Services practice, specializing in the area of Security & Privacy Services. He has over twelve years of experience in information technology, information security, data privacy, and risk management, with a focus on Identity & Access Management. John‟s experience encompasses a broad spectrum of engagement types, ranging from project management, policy development, current state assessment, strategy and roadmap development, requirements analysis and definition, vendor evaluation and selection, architecture and design, installation and configuration, testing, and knowledge transfer. ____________________________________________________________________________________________________ Praveen Nallasamy, Senior Consultant-Security & Privacy – Protiviti Praveen Nallasamy is a Senior Consultant on Protiviti's Security and Privacy team. His work and research are in various areas of Mobile security, Web Application security, Network security, Incident Response, and PCI. 
He has worked in various capacities as a developer, penetration tester and source code reviewer. Over the last few years, Praveen has done penetration testing on about 40 mobile applications across various platforms like iOS, Android, WebOS and Windows Phone 7. Praveen is a chapter leader at the OWASP New York chapter, and is a frequent speaker at OWASP meetings. He is a CISSP, PCI-QSA and a GIAC certified Incident Handler (GCIH). He holds a Master‟s degree in Information Security from Johns Hopkins University. 9 Thank You to our Speakers Tom Patterson, CPA CISA CGEIT CRISC, Associate Partner – IBM Global Business Services In his role at IBM, Tom focuses on providing IT Governance & Security services to public sector organizations. He is the Past President, Vice President, and Board Member of the Washington DC Chapter of ISACA. While serving in leadership roles in 1995-98, he led the effort to develop the initial audit guide for the COBIT framework and was an expert reviewer for the recently released COBIT5. Tom provides subject matter expertise on a wide variety of corporate and IT governance, risk management (enterprise and IT), and IT related control disciplines based on his 25+ year career in accounting, auditing (financial and IT), and governance, compliance and risk (GRC) consulting. He has worked in or consulted with commercial banks such as Deutsche Bank, Bank of NY-Mellon, Riggs Bank (M&T), and with investment companies, broker-dealers, and government financial services regulators such as the US Federal Reserve Board of Governors, the US FDIC, the SEC, and other banking oversight agencies in the US. Tom has a B.S. in Accounting from the Virginia Commonwealth University in Richmond, and additional credit hours in post-graduate Management Information Systems courses from the same university. ____________________________________________________________________________________________________ Ray Purcell, Director-Financial Controls – Pfizer, Inc. 
Ray is a CPA with over 30 years in various finance leadership roles in industry, with experience in controllership, business process redesign, shared services, and internal controls. For most of his career, Ray worked in the industrial gases industry, starting in cost accounting, moving on to budgeting and forecasting, and to divisional controllership in BOC Gases, a division of The BOC Group. He moved to Honeywell and played a leadership role in the Shared Services organization, with responsibility for accounting services in the United States and Mexico. Since 2005, Ray has been with Pfizer, where his focus is SOX compliance and financial controls. In that role, Ray recently played a significant role in the development and implementation of a new governance, risk controls and compliance function at Pfizer, and will lead the new center of excellence for financial controls within that organization. Ray is a member of FEI and is currently serving as the FEI representative on the Advisory Council to the COSO project, currently nearing completion, to update the 1992 Internal Controls – Integrated Framework. ____________________________________________________________________________________________________ John Sabatini, Partner – PwC John is the national leader of advanced risk and compliance analytics solutions for Risk Assurance within PwC. John and his team help risk, compliance and finance organizations conduct testing and assessments using analytical systems and techniques; transform departments to better handle increasing data needs; build dashboards and surveillance systems to allow senior management to focus on highest risk areas; and assist with data governance needs. Prior to joining PwC, John worked for Goldman Sachs where he served as Managing Director of IT. 
In that role, he led a global technology audit team responsible for evaluating the firm‟s internal control structure and providing strategic advice to management as they developed control solutions and monitored the implementation of management‟s control measures. John has an M.B.A. with a concentration in finance from Columbia Business School. He also has an M.B.A. with a concentration in accounting from Fordham Business School. John completed his B.S. degree in political science with a concentration in computer engineering from the United States Military Academy, West Point, NY. ____________________________________________________________________________________________________ Hari Shah, Senior Director of Information Technology – Coach, Inc. Hari Shah‟s primary responsibilities are Information Security, Business Continuity, Privacy and Compliance. In the past 8 years at Coach, Hari formalized and implemented a comprehensive Information Security and Business Continuity Program. He led efforts in keeping Coach compliant to various regulatory and industry standards. In the past 23 years, he has been an innovative leader serving in several different key positions within Information Systems. Hari‟s prior experience includes working in various industries including major Financials firms, Insurance, Pharmaceuticals, Internet Start-up and Retail. He is a frequent speaker on topics of New Technologies, Internet Safety, PCI Compliance, Business Continuity and other technology topics. Hari is a Board Member of the SunGard User Group and holds a Bachelor‟s Degree in Electrical Engineering. 10 Thank You to our Speakers Parthiv Sheth, Senior Manager-Internal Audit – Coach, Inc. Parthiv Sheth has over 7 years experience in risk management, governance, accounting and auditing. He specializes in operational, information security, strategic and compliance audits. He is a Certified Information Systems Auditor (CISA) and holds a Master‟s Degree in Business Administration. 
Over the years he has led and managed multiple audit engagements around PCI Compliance, S-Ox, system implementations, joint ventures, social media, and supply chain.

____________________________________________________________________________________________________

Morten Boel Sigurdsson, Chief Executive Officer – Omada

Morten Sigurdsson is CEO and co-founder of Omada. For more than 12 years, Omada has worked with large clients worldwide implementing Identity & Access Management projects. In the past 4 years, Omada has also been working with strategic clients implementing innovative Identity & Access Governance solutions that utilize business intelligence & analytics principles, and has thereby gained valuable insights as an organization within this field.

____________________________________________________________________________________________________

Allen Ureta, Executive Director and Vice President – Deltamine, Inc.

Allen Ureta brings over 25 years of experience helping organizations design and deliver cost-effective programs to support the governance and management of enterprise assets. He is experienced in IT Operations and Application Management, IT Performance Measurement, Value and Portfolio Management, as well as IT Strategic Planning and Development. He is also an instructor in numerous disciplines, including COBIT, ITIL, ISO 20K, CISA, CISM, CGEIT, CRISC, PMP, CompTIA Cloud, and Virtualization. Prior to joining Deltamine, Allen was an advisor with Ernst & Young in their Strategic Technology Advisory practice. Prior to E&Y, he was Chief Technology Architect for MetLife International, serving as chief technology advisor to the CIO.

____________________________________________________________________________________________________

Michael Zboray, Chief Technology Officer – Gartner

Michael Zboray is chief security officer at Gartner. Previously at Gartner, Mr. Zboray was a research analyst, covering networking as well as network, Internet and Web security.
Prior to joining Gartner in 1993, Mr. Zboray was the director of marketing at AscomTimeplex, where he was responsible for data networking products and network management systems. He began his career in networking and communications in 1979 at AT&T Bell Laboratories, where he developed product specifications and architectures in areas such as fast-packet switching, LANs, Unix and MSDOS desktop computing, as well as protocol development. Mr. Zboray has a Bachelor’s in engineering from Stevens Institute of Technology, a Master’s in electrical engineering from Rutgers University, and a Professional degree in electrical engineering from Columbia University.

____________________________________________________________________________________________________

Dan Zitting, VP Product Management & Design – ACL

Dan Zitting is responsible for product management, design, and user experience for ACL’s industry-leading software products. His previous experience was in the audit, risk and assurance industry. After several years at Ernst & Young, he co-founded the CPA firm Linford & Company LLP, which provides audit services to global clientele. Dan developed web-based software for auditors to meet his team’s needs. As demand for this software increased, he founded Workpapers.com, which was acquired by ACL in late 2011. Dan is dedicated to advancing productivity-enhancing technology for the audit profession and received CPA Practice Advisor Magazine’s 40 Under 40 and Readers’ Choice awards. He is a Certified Public Accountant, Certified Information Systems Auditor and Certified Information Technology Professional. Dan holds a Bachelor of Science from Colorado State University and a Master of Science from the University of Notre Dame.

Thank You to our Sponsors

Corero Network Security, an organization’s First Line of Defense, is an international network security company and the leading provider of Distributed Denial of Service (DDoS) defense and next generation security solutions.
As the First Line of Defense, Corero’s products and services stop DDoS and server-targeted attacks, protect IT infrastructure and eliminate downtime. Corero’s solutions are dynamic and automatically respond to evolving cyber-attacks, known and unknown, allowing existing IT infrastructure, such as firewalls, to perform its intended purpose. Corero’s products are transparent, highly scalable and feature the lowest latency and highest reliability in the industry. For more information on Corero’s First Line of Defense products, visit: www.corero.com.

____________________________________________________________________________________________________

PwC - Risk Assurance Services - Seeing Risk Holistically

PwC understands that significant risk is rarely confined to discrete areas within an organization. Rather, most significant risks have a wide-ranging impact across the organization. As a result, PwC's Risk Assurance practice has developed a holistic approach to risk that protects business, facilitates strategic decision making and enhances efficiency. This approach is complemented by the extensive risk and controls technical knowledge and sector-specific experience of its Risk Assurance professionals. The end result is a risk solution tailored to meet the unique needs of clients. PwC firms help organizations and individuals create the value they’re looking for. We’re a network of firms in 158 countries with close to 169,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at http://www.pwc.com.

____________________________________________________________________________________________________

For almost twenty years, Accume Partners has been providing internal audit, regulatory compliance and risk management services to New York banks and financial institutions.
As the level of regulatory and business complexity has surged, so has the need for specialized knowledge and focus. Our certified, professional staff supports Accume clients with deep knowledge, expertise and practical approaches in the following areas: Internal Audit; Technology Risk Management; Credit Risk Management; Enterprise Risk Management; Regulatory Compliance. For more information, visit www.accumepartners.com.

____________________________________________________________________________________________________

ACL delivers technology solutions that are transforming audit and risk management to give organizations unprecedented control over their business. Our integrated family of products, including our cloud-based audit and compliance management solution and flagship data analytics products, is used at all levels of the enterprise to help maximize growth opportunities by identifying and mitigating risk, protecting profits, and accelerating performance. Visit www.acl.com.

____________________________________________________________________________________________________

EisnerAmper LLP is a leading full-service advisory and accounting firm, and is among the largest in the United States. We provide audit, accounting, and tax services, as well as corporate finance, internal audit and risk management, litigation services, consulting, private business services, employee benefit plan audits, forensic accounting, and other professional advisory services to a broad range of clients across many industries. EisnerAmper is PCAOB-registered and provides services to more than 150 public companies and over 1,300 financial services entities and portfolio companies. With offices in New York, New Jersey, Philadelphia, California, and the Cayman Islands, and as an independent member of PKF International, EisnerAmper serves clients worldwide. Visit www.eisnerampner.com.
____________________________________________________________________________________________________

NopSec, Inc., a New York City-based SaaS Security provider, develops intelligent algorithms to analyze security vulnerability data. The Company provides a cloud-based SaaS solution that detects, analyzes, prioritizes, alerts on and remediates security weaknesses embedded in websites, applications, servers, networks, and mobile devices. NopSec revolutionizes vulnerability management, moving it from a manual, scanner-centric point solution to an automated, process-driven, scalable, intelligent solution. NopSec’s Unified VRM™ cost-effectively enables regulated enterprise users to holistically manage, control and mitigate vulnerability and compliance risks, whether on- or off-premises. Visit nopsec.com.

____________________________________________________________________________________________________

Established in 1999, Omada is a leader in Identity Management and Identity & Access Governance solutions and services - enabling organizations to achieve compliance and reduce IT costs. Omada provides ‘Omada Identity Suite’, which is the only comprehensive enterprise solution that provides integrated enterprise functionality across Identity Management and Identity Governance processes. The solution is built on the Microsoft platform and utilizes BI technologies to deliver high performance and deep access intelligence. Visit www.omada.net.

____________________________________________________________________________________________________

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. Through our network of more than 70 offices in over 20 countries, we have served more than 35 percent of FORTUNE® 1000 and Global 500 companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.
____________________________________________________________________________________________________

RedSeal Networks is the leading provider of proactive security management solutions that enable enterprises to continuously audit and monitor IT compliance and risk to eliminate cyber-attacks. The RedSeal 6 Platform supplements traditional and next generation network infrastructure, SIEM systems, and GRC platforms, which are unable to deliver proactive network security. RedSeal delivers the industry’s most powerful network and security operational insights using patented network visualization and predictive threat modeling. Backed by Venrock, OVP, Sutter Hill, JAFCO, Leapfrog and In-Q-Tel, RedSeal is used by the world’s largest government and commercial organizations to dramatically cut compliance costs and effectively prioritize vulnerability remediation efforts. Visit redsealnetworks.com.

____________________________________________________________________________________________________

Riebeeck Stevens Limited (RSL) is an international consultancy providing solutions for data protection/privacy, governance, risk management and compliance (GRC) challenges, covering systems integration and operational optimization as well as audit and assurance services.
info@riebeeckstevens.com
www.riebeeckstevens.com
Assurance | Advisors | Programme Managers

____________________________________________________________________________________________________

Telavance is an international consulting firm providing risk and compliance advisory services and software products to the financial community. The firm specializes in anti-money laundering, regulatory compliance, enhanced due diligence, independent reviews, regulatory remediation, internal audit, risk management, IT controls assessments and system implementations.
Telavance has partnered with the Wynyard Group, specialists in intelligence-led risk management software, to expand our Governance, Risk and Compliance (GRC) offerings with the Wynyard Group’s market-leading Enterprise Risk Management/GRC solution, Methodware ERA Kairos. For more information visit www.telavance.com or contact Uday Gulvadi at uday@telavance.com.

____________________________________________________________________________________________________

Thomson Reuters Accelus is a leading provider of software for internal audit, risk management and compliance. With a proven track record at thousands of corporate and government clients, our comprehensive internal audit software offers improved audit efficiency and productivity through the entire audit process, including risk assessment, scheduling, workpapers, reporting and issue tracking. To learn more about our internal audit software, AutoAudit and Enterprise GRC:
Visit accelus.thomsonreuters.com/audit
Email autoaudit@thomsonreuters.com

____________________________________________________________________________________________________

Vicom Computer Services, Inc. is a leading information technology integrator and consulting firm serving the Fortune 1000, state and local government and emerging mid-size organizations. As a major vendor in the information technology arena, Vicom offers a full array of industry-leading products, services and solutions from VMware, IBM, NetApp and Cisco. In addition, Vicom consults with organizations to strategically develop efficient IT approaches for their business. As your technology partner, we will work with you to develop flexible and scalable solutions that can easily accommodate an ever-changing IT landscape. We specialize in helping deliver solutions with the greatest value and foundations that enable you to meet current and future business demands. Visit vicomnet.com.
____________________________________________________________________________________________________

NYIIA Monthly Workshop
November 16, 2012

Registration is open for the November 16th monthly workshop at Baruch College. We have Grant Thornton speaking at our luncheon on the State of Internal Audit. Additionally, we have a representative from the IIA Research Foundation and Telavance joining us for our workshop sessions, and we have a great day planned.

AM Session - IIA Research Foundation will be presenting: Preparing Internal Auditors for the Future
Luncheon Speaker - Grant Thornton will be presenting: State of Internal Audit
PM Session - Telavance will be presenting: Internal Audit of AML and OFAC, Regulatory Expectations and Controls Monitoring Practices, Effective Risk Assurance through an integrated approach

We have multiple registration options for this event: the full day workshop (including breakfast and lunch), AM or PM workshop including lunch, AM or PM workshop not including lunch, or the luncheon only. To register, visit www.nyiia.org.

COBIT 5 for Information Security Webinar
Tuesday, October 30, 2012, 12:00 PM - 1:00 PM Eastern Time

COBIT® 5 for Information Security builds upon the COBIT® 5 framework, in that it focuses on information security and provides more detailed and practical guidance for information security professionals and other interested parties at all levels of the enterprise. Earn a CPE for attending this FREE webinar. Registration information is available on www.isaca.org/nymetro.

Membership Meeting and Holiday Party
December 12, 2012

Save the Date! The 2nd Quarter Membership Meeting and Holiday Party will be held on Thursday, December 12th at Citi on Greenwich Street. New members, long-time members, friends and other interested parties are all invited. Our speaker will be Michelangelo Sidagni, Chief Technology Officer of NopSec.
NopSec is a leading provider of information security services and Security-as-a-Service (SaaS) solutions headquartered in New York City. At NopSec, Mr. Sidagni is responsible for technical development, security research and operations. Bringing 19 years of security engineering experience to the organization, he is instrumental in the development of NopSec’s Unified Vulnerability Risk Management (VRM) solution. Earn a CPE and celebrate the holiday season! We look forward to seeing you there. Event and registration information will be available on www.isaca.org/nymetro on November 1, 2012.