Sunday | October 21, 2018 1:00 p.m. – 5:00 p.m. Workshop 1: Win-Win Conversations: Transforming Conflict Into Collaboration Margie Bastolla, CIA, CRMA Principal Margie Bastolla Facilitations, LLC It’s a fact. Conflict is a part of life. Your attitude toward conflict will determine your success during difficult conversations at work and whether you achieve favorable results. Win-win conversations require that we learn why conversations fail, as well as proven methods to ensure that even our most difficult conversations have a high chance of success. In this session, participants will:

• Identify key skills that underpin successful conversations and negotiations. • Discuss eight conflict triggers and five methods for managing them. • Learn how collaboration can be particularly effective when the stakes are high. • Discuss activities that lead to ongoing collaboration and trust throughout the audit.

Margie Bastolla is a professional trainer and speaker who provides customized, onsite training for internal auditors on both technical and soft skill topics. She has worked in over 40 countries, conducting hundreds of seminars, workshops, and conference sessions for corporations, government entities, U.N. agencies, and IIA chapters and institutes. Bastolla draws on 30 years of leadership experience in internal auditing, international relations, association management, and public accounting. Previously, she was an executive with The IIA’s global headquarters and an auditor with Worthen Banking Corporation and Deloitte.

Monday | October 22, 2018 8:30 – 9:45 a.m. General Session 1: Security in a Connected World Marc Goodman Global Security Strategist Author of Future Crimes Chair for Policy, Law, and Ethics, Silicon Valley’s Singularity University A huge proponent of technology, Marc Goodman knows that the positive aspects of the Internet are manifest. But as one of the world’s leading authorities on global security, he also recognizes that when it comes to technology, the increased scale of influence can be used both for good and for ill. In a global society run by computers, whoever controls the computer code can control the world. Every day we connect more and more devices to the Internet, ranging from laptops and mobile phones, to critical infrastructures including financial systems and electrical grids. We trust what our screens tell us, but all technologies can be hacked to provide a stealth window direct into an unsuspecting user’s home, office, family, or social life. In this eye-opening talk, Goodman provides access to his deep insights about the future of technology and where the next threats will come from, along with the preventative measures we need to take before it’s too late.

Marc Goodman is a global strategist, author, and consultant focused on the profound change technology is having on security, business, and international affairs. He has been appointed by the FBI as their Futurist in Residence, is the founder of the Future Crimes Institute and currently serves as the Chair for Policy, Law, and Ethics at Silicon Valley’s Singularity University. Goodman has worked with organizations such as INTERPOL, the U.N. Counterterrorism Task Force, NATO, the U.S. Government and the Los Angeles Police Department. His forthcoming book, Future Crimes, will be published in February 2015.

Monday | October 22, 2018 10:15 – 11:15 a.m. CS 1-1: Emerging Technology Trends and the Impact to Audit: Machine Learning and Artificial Intelligence Brian Foster, CIA, CPA General Manager, Internal Audit Microsoft Corporation Gerard Morisseau, CISSP, CIPP Director, IT Audit Microsoft Corporation As companies adopt and integrate artificial intelligence (AI) into their core services and business processes, the internal audit function needs to develop new competencies and a framework for auditing AI initiatives to provide assurance that related risks are adequately managed. The session will cover key trends in AI technologies, and the opportunities and risks associated with Machine Learning. It will also provide an overview of the recently published AI Audit Framework from the IIA. In this session, participants will:

• Distinguish between artificial intelligence (AI) and other technology trends such as Machine Learning, Deep Learning, Natural Language Processing (NLP), and Augmented Intelligence.

• Identify various types of intelligent AI machines. • Understand some of the key opportunities and risks associated with various applied AI initiatives. • Understand the different components of IIA’s new Artificial Intelligence Auditing Framework.

Brian Foster has been with Microsoft nearly 20 years in a variety of roles. In addition to internal audit, he has served as the controller for several of Microsoft’s business units, including Office, Windows, Cloud & Enterprise, Devices, and Gaming. Within The IIA, Foster previously served on the Board for the Puget Sound Chapter in North America, and has been serving IIA Global since 2009 on the Professional Issues Committee, the Professional Certifications Board, and currently on the IT Guidance Committee. Prior to joining Microsoft, Foster was a divisional controller and corporate accounting manager at a leading entertainment and educational software company from 1996 to 1998, and spent 1994 to 1996 with Deloitte and Touche, serving clients in a variety of industries, including technology, retail, manufacturing, food and consumer products, and healthcare.

Gerard Morisseau is responsible for overseeing the company’s programs for cybersecurity, Microsoft IT, Office 365, artificial intelligence, and Microsoft retail stores. During his time in internal audit, he has contributed to the security certifications of all major cloud services at Microsoft. Morisseau joined the information security team at Microsoft in 2007 as a program manager. In this role, he was responsible for leading security assessments and for developing the organization’s vendor security maturity assessment program. CS 1-2: Applying Analytics as a Core Audit Capability Ryan Kastner Global Head, Audit Analytics PayPal Session Description Being Finalized Ryan Kastner has over 20 years of progressive leadership experience covering internal audit, regulatory compliance, enterprise risk management, and business intelligence in financial services, with an emphasis in audit analytics and the payments industry. He has held both U.S.-centric and global roles at PayPal, First Data Corporation, and First National of Nebraska Inc. CS 1-3: Using Multiple Guidance Systems for the Governance of Enterprise IT Mark Thomas, CGEIT, CRISC President Escoute Counsulting As GRC activities are increasingly integrated into enterprises, it is critical to ensure a healthy balance between performance and conformance. This session will discuss how it is crucial to use multiple GPS-like systems to effectively steer GRC activities and focus on creating value. Using multiple viewpoints can help improve decision-making and strengthen an enterprise. In this session, participants will:

• Recognize the importance of having multiple guidance systems to navigate GRC efforts in a holistic manner. • Learn how to leverage multiple perspectives and techniques in balancing performance and conformance when

determining GRC priorities. • Gain insight into how to implement tactics and apply them to create value for your enterprise.

Mark Thomas is an internationally known governance, risk, and compliance expert in the areas of cybersecurity, IT service management, assurance and audit, and IT controls. His background spans leadership roles from CIO to management and IT consulting in several federal and state agencies, private firms, and Fortune 500 companies. With over 25 years of professional experience, Thomas has led large IT teams, conducted information governance/risk activities for major initiatives, managed enterprise applications implementations, and implemented cybersecurity and governance processes across multiple industries. Additionally, he works as a consultative trainer and speaker, and earned the ISACA John Kuyers award for Best Speaker/Conference contributor in 2016.

CS 1-4: Adding Value by Managing the Perception Gap Jeremy White, CISA Senior Director, Audit Services LifePoint Health The environment in which we work and the expectations under which we operate require that we shift to meet the definition of not just what we do, but of who we are as auditors. A key factor in successfully making that shift is managing perception. We all have a “reality” of who we are and what we do, but too often our “reality” is smashed on the rocks of someone else’s perception. It will be to the auditor’s benefit to identify and manage the perception gap that exists in their organization. In this session, participants will:

• Explore the shift that every audit department is trying to make from a compliance and regulatory function to a value-adding business partner.

• Discuss a very important — if not the most important — factor in that shift: Perception. • Identify ways to determine the current perception of your department and compare it with your defined reality

or expectation. • Determine ways to manage the gap that exists between those two places — perception and reality — leading to

adding value. Jeremy White has been involved in numerous facets of auditing over the past 16 years, beginning his professional career with Deloitte & Touche as an enterprise risk services consultant. After several years at Deloitte, he transitioned from public accounting into industry, particularly health care. In addition to corporate roles, White owned his own consulting practice for several years. In addition, he serves on the Accounting and Advisory Board at Tennessee Tech.

Monday | October 22, 2018 12:30 – 1:30 p.m. CS 2-1: Delivering Internal Audit Capabilities in a Cloud Environment Eugene Joung Senior Director, Internal Audit PayPal As technology continues to become more dynamic and complex, Internal Audit is challenged to apply our standards in relevant ways. The cloud computing environment brings great convenience and efficiencies to technology operations, but what does it mean for Internal Audit? How can we help our partners maintain control of their environments even as they shift core technology infrastructure and capabilities to the cloud? In this session, participants will:

• Identify the business drivers for moving to the cloud • Preparing for the challenges and risks of operating in a cloud environment • Align our audit approach to the cloud computing environment • Develop guiding principles for approaching audit challenges in a cloud computing environment

Eugene Joung is an internal audit executive with more than 20 years of global experience building and leading multi-functional global audit teams in the finance and technology industries. Having started in the profession as IT auditor, Joung has expanded his risk and controls capabilities to cover financial, operational, and compliance areas. In his current position at PayPal, he oversees a broad range of internal audit leadership responsibilities spanning finance, compliance, and technology. CS 2-2: Data Analytics: A Road Map for Expanding Capabilities Brady Rothrock, CPA, CFE Data Scientist Sprint Mary-Margaret Henke, CPA Senior Vice President, Head of Corporate Applications, Governance, and Transformational Programs Western Union Shawn Stewart, CPA, CRP, CISA, PMP National Managing Partner Grant Thornton LLP Meredith Murphy, CFE, CAMS Managing Director Grant Thornton LLP Grant Thornton has partnered with The Institute of Internal Auditors, Internal Audit Foundation (formerly “IIAF”) in the publication of its second book “Data Analytics – A Roadmap for Expanding Capabilities” (preliminary title). The book, to be released shortly before the GAM Conference, will provide insight into the topic of analytics and how analytics can be applied for organizational success. To unleash the potential of such expanding capabilities, leaders must anticipate the needs of their company and their customers, innovate, and deploy resources effectively to generate the highest return on those investments. Analytics and digitization continue to be on the innovation agenda because of their potential to improve profitability, mitigate risk, and ensure a sustainable organization. In this session, participants will:

• Distinguish between artificial intelligence (AI) and other technology trends such as Machine Learning, Deep Learning, Natural Language Processing (NLP), and Augmented Intelligence.

• Identify various types of intelligent AI machines. • Understand some of the key opportunities and risks associated with various applied AI initiatives. • Understand the different components of IIA’s new Artificial Intelligence Auditing Framework.

Brady Rothrock joined Sprint in 2012 and works within the Internal Audit Technology Audit Group. He performs and guides data analytic projects in audit areas spanning retail, finance, operational, and enterprise risk management. Rothrock is pursuing a Master of Science in Business Intelligence and Analytics from Rockhurst University, having completed a Certificate of Data Science in 2017. His focus is on the integration of data science technology and techniques into Sprint's Internal Audit function, while discovering innovative approaches to enhance the utilized risk-based auditing model. Prior to joining Sprint, Rothrock worked as an auditor for the Federal Home Loan Bank of Topeka and BKD. Mary-Margaret Henke has over 25 years of experience in accounting, corporate systems, governance, and risk functions for financial services firms. She joined Western Union in 2007 and currently serves on the IT leadership team. During her tenure, she served as general auditor, navigating the continually evolving regulatory environment and increasingly complex technology landscape. She led significant advancements in the company’s talent development and audit data analytic capabilities, along with various CFO strategic initiatives, including global Oracle and Wall Street system technology upgrades, enterprise risk management, and acquisition and integration activities. Henke was previously general auditor for Janus Capital and assistant controller at CoBank. She began her career with PricewaterhouseCoopers. Shawn Stewart is a national managing partner in Grant Thornton’s business advisory services practice with more than 18 years of experience providing process design, internal audit, risk consulting, IT consulting, regulatory compliance, and M&A services to financial services clients. He has also worked with the consumer and industrial products, technology, manufacturing, aerospace and defense, real estate, and not-for-profit industries. Stewart’s areas of focus include SAS 65, SAS 70, SAS 99, COSO/COBIT framework implementation, Gramm-Leach-Bliley, HIPAA, information privacy regulations, and Rules 38a-1& 206(4)-7 to establish compliance programs for investment companies and investment advisors. Meredith Murphy is a managing director in Grant Thornton LLP’s advisory services practice with more than 16 years of experience helping clients create value, protect value, and transform. She has spent her career developing and executing growth strategies, enabling clients with analytic insights, and providing forensic and investigative expertise. Murphy is also a director in the firm’s Analytics Center of Excellence, where she drives value and growth for clients through the launch and adoption of analytic solutions. CS 2-3: Data Theft, Departing Employees: A Bigger Threat Than Hackers Jason Park Director of Forensic Services U.S. Legal Support Companies which spend millions of dollars a year to "keep the bad guys out" of their computer networks are oftentimes allowing some of their most valuable data to walk out the door unhindered ... via departing employees. This session will focus on methods departing employees use to steal proprietary, confidential or trade secret data, and how companies can prevent these losses.

In this session, participants will:

• Learn about some of the most common data theft methods and how to spot them. • Discuss best practices to incorporate into HR/employee manuals. • Find out how valuable an outside vendor or reliable contact in the IT department can be. • Explore what to incorporate into the termination/exit interview process.

Jason Park has more than 23 years of experience in litigation support, and his diverse background includes extensive knowledge of computer forensics, electronic discovery, project management, programming, and more, within the legal industry. As the founder of a forensic training company, Park has provided computer forensic and e-discovery training to individuals and companies including candidates seeking to become Certified Computer Examiners. Park is a licensed private investigator, expert witness, and facilitated CLE Seminars for the State Bar of Texas and Colorado Bar Association. CS 2-4: Improving IA’s Relevance: Performing Audits That Make an Impact Gregg Hart, CIA, CRMA, CFE Vice President, Internal Audit (Chief Audit Executive) Penske Truck Leasing & Logistics How does an internal audit department go from being very good to one that is considered world-class? Within any organization, there are a numerous areas where internal audit’s perspective and skills can provide some unique and invaluable insights to your leadership team and oversight committees. Understanding what matters most to your organization’s leadership is where and how internal audit can best achieve making the greatest positive impact to improving its relevance. In this session, participants will:

• Learn how to enhance the risk assessment process within your organization. • Discuss emerging risks and areas that most organizations are currently focused on. • Discover worthwhile, relevant audits that can be performed. • Understand how to conduct more meaningful and impactful audits.

Gregg Hart has more than 20 years of experience as a chief audit executive. Since 2017, he has served as vice president of audit services for Penske Truck Leasing and Logistics, a global company with annual revenues of approximately $8 billion and 34,000 employees. Previously, Hart was CAE for two mid-cap publicly traded companies: Penn National Gaming, Inc. and Isle of Capri Casinos, Inc.

Monday | October 22, 2018 1:45 – 2:45 p.m. CS 3-1: Innovative Approaches With Technology and Digitization to Advance Internal Audit and Promote Value Moderator: Princy Jain, CIA, CCSA, CRMA Partner PwC

Panelists: Scott Schulze Head, Internal Audit Autodesk Cathy Young, CIA, CRMA, CPA, CFE, CISA Vice President, Internal Audit Hitachi Vantara Asif Siddique Vice President, Internal Audit Oracle Technology has the power to disrupt, shifting a market almost overnight. Blockchain, artificial intelligence, robotics, and data analytics are just some of the current buzzwords and trends across the globe. With business leaders looking to embrace these new technologies, this engaging and thought-provoking panel discussion will assess how internal audit is adapting to technology and digitization to advance internal audit and promote its value. In this session, panelists will:

• Discuss technologies (AI, machine learning, robotic process automation) their companies have adopted, how IA is disrupted by technology, and how technology impacts the talent model within IA.

• Examine how IA aligns/pivots its approach and plan with rapid changes in business and related risks. • Explore audit committee expectations for internal audit and share how IA can create awareness amongst

stakeholders on the value IA can provide. Princy Jain has more than 20 years of experience serving technology-sector companies and has spent the past 10 years serving public and venture-backed companies by providing his expertise within internal audit, Sarbanes-Oxley compliance, risk management, and related consulting services across a range of industries including semiconductor, electronics, consumer electronics, internet, software, and more. Jain is an active public speaker on topics including internal audit, Sarbanes-Oxley, and more, and has contributed as a co-author on several guidance publications produced by The IIA. He is an active volunteer at The IIA, serving on The IIA’s North American and Global Boards. He also serves on the Northern California’s Board of Ascend, an organization dedicated to leveraging the leadership and global business potential of Pan-Asians. Scott Schulze Bio Being Finalized Cathy Young is vice president of internal audit for Hitachi Vantara and a former Big Four audit manager with over 20 years of internal/external auditing, controller, and project management experience. She has collaborated with domestic, international, and public Fortune 1000 companies in the semiconductor, hardware/software, wireless carrier, cruise line, and financial services industries. Her common sense approach to communicating, distilling complex issues, and implementing innovative solutions allows her to add value to the companies she supports. Young has been recognized for her exceptional integrity and development of critical business relationships, as well as her accomplishments in building and leading highly effective and successful teams within dynamic businesses. She began her career with Price Waterhouse.

Asif Siddique Bio Being Finalized CS 3-2: External Quality Assessments: The Benefits of and Leading Practices to Exceed Stakeholder Expectations Greg Jaynes, CIA, CRMA, CFE, CGFM Chief Audit Executive, Managing Director, Internal Audit The IIA Bailey Jordan, CIA, CRMA, CISA, CPA Partner, Business Risk Services Grant Thornton LLP Not only is it required by The IIA’s Standards for an internal audit department to conduct external quality assessments, it just makes good business sense. If you are conducting periodic internal assessments, then the external assessment should be a piece of cake and enable you to prove your department’s inherent value to your stakeholders. In this session, participants will examine the process and results of The IIA’s own internal audit function EQA. In this session, participants will:

• Learn the fundamental EQA requirements. • Examine one approach to execute an EQA. • Discuss the value of an EQA to management and the audit committee. • Find out how an EQA raises the quality of the internal audit function. • Explore lessons learned and leading practices.

Greg Jaynes has over 30 years of internal audit, accounting, and financial management experience, including a long career in public sector internal auditing before joining The IIA in 2011. His public service tenure included 24 years in the Office of the Inspector General, Tennessee Valley Authority. Jaynes has served as an advisor on numerous enterprise risk management and operational process improvement panels/committees. He also has extensive experience in the investigation of ethics and fraud related issues. Bailey Jordan has 30 years of consulting experience covering a wide range of engagements, including projects in enterprise risk management, internal audit co-sourcing/outsourcing, quality assurance reviews, internal audit transformation, and Sarbanes-Oxley. He is an advisory council member of COSO’s ERM – Integrated Framework Update Project and advisory board member of N.C. State University’s College of Management ERM Initiative. Jordan frequently speaks on topics including trends in internal audit, ERM, EQA, internal controls, and consulting and soft skills for the internal auditor. He currently serves as a member of The IIA’s North American Advocacy Committee. CS 3-3: Operationalizing Cybersecurity With Risk-based Governance Steven Minsky Chief Executive Officer LogicManager, Inc.

Companies, though aware of the financial and reputational damages cyberattacks can cause, often operate under the misconception that cybersecurity is the responsibility of the IT department alone, or react to external threats by investing in technology solutions without addressing ineffective risk management and governance programs. A holistic, cross-functional approach to cybersecurity is the only way to achieve cross-department engagement and simplify the audit process by ensuring controls designed to protect the company are effective and properly implemented. In this session, participants will:

• Discuss how successful, proactive governance programs work across departments to operationalize defense policies, assign clear accountability, and monitor effectiveness.

• Learn how to operationalize cybersecurity policies across departments and levels. • Determine clear, cross-functional accountability for cybersecurity responsibilities. • Explore metrics that monitor the effectiveness of cybersecurity programs. • Consider best practices for reporting cybersecurity progress and effectiveness to the board and regulators.

Steven Minsky has overseen the organization that provides an integrated, intuitive software-as-a-service platform to help companies make better decisions through risk intelligence for more effective corporate governance, risk, and compliance management, for over 12 years. He is the author of the popular RIMS Risk Maturity Model and frequently teaches and contributes to blogs and the press across a range of risk management topics. Minsky is also a patent author of risk and process management technology. CS 3-4: Chutes and Ladders of Internal Audit: How to Rise and Fall Due to Meeting or Failing to Meet Stakeholder Expectations Kayla Flanders, CIA, CRMA, CISA, CPA, CFE, CGMA Senior Audit Manager Pella Corporation Different stakeholders have different expectations. Different people within common stakeholder groups may have different expectations and how to identify and work with each. Some expectations may be driven by stereotypes of internal auditors and strategies to overcome them. We will discuss how to challenge our past activities to quickly identify and move beyond stereotypes and work to shape appropriate stakeholder expectations for the future. In this session, participants will:

• Explore how stereotypes for internal audit shape stakeholder expectations and examine how our client perceptions of audit are our reality.

• Determine internal audit's role in perpetuating or negating stereotypes and then meeting or changing those expectations.

• Gain techniques to combat common stereotypes and shape expectations for the future. • Challenge the "one size fits all" approach and develop understanding around individualized stakeholder

expectations. Kayla Flanders has overall responsibility for the organization’s internal audit activities. Prior to joining Pella Corporation, she was a senior audit manager at Wells Fargo on the finance and corporate activities team, chief compliance officer at DuPont Pioneer, and director of internal audit at Layne Christensen Company. Flanders also served as a treasury manager and manager of accounting research and policies. She began her career at Deloitte & Touche.

Monday | October 22, 2018 3:15 – 4:15 p.m. CS 4-1: In Conversation With…Blockchain: Auditing Impacts Facilitator: Bill Michalisin Executive Vice President, Chief Operations Officer The IIA Speaker: Scott Moore, CIA, CRISC, CISA Supervisor, Information Security and Risk Devon Energy Corporation Blockchain technology has gone from a niche topic often associated with shady online transactions to a strategic topic for many companies and industries. It has been called ‘the internet of value’ and has the potential to revolutionize the way parties do business and transactions are stored. But what is it exactly and how does it work? And what are the audit considerations for blockchain applications? This session will cover those topics and also provide an opportunity to talk with other attendees about how their companies or industries have been impacted by this transformational technology. In this session, participants will:

• Understand the key components of a blockchain application and how these components work together to provide a potentially transformational technology.

• Learn the benefits and risks of employing a blockchain-based solution. • Discuss with other attendees how their companies and/or industries have or plan to pursue a blockchain-based

solution and how they have or plan to audit it. Bill Michalisin joined The IIA in 2013 as chief marketing officer leading all brand, marketing, communications, sales, and relationship enablement strategies across all global IIA channels. In 2014, his role was expanded to include oversight as the executive director of The IIA’s Research Foundation, and in 2015, he assumed the role of chief officer for IIA operations. In his current role, Michalisin leads all operations and core services offered to IIA members globally, including Membership, Chapter & Institute Relations, Certifications, Conferences, Learning Solutions, Partnerships, and Enterprisewide Sales & Business Development. Prior to joining The IIA, Michalisin was industry marketing leader for consumer and industrial products at Deloitte, which included responsibilities for cross-functional delivery within aerospace and defense, automotive, consumer products, process and industrial products, retail and distribution, and travel, hospitality, and leisure sectors. Earlier in his career, Michalisin was a business process strategy and fraud/forensic investigation consultant at both Deloitte Consulting and Accenture, providing consulting services to clients in media and entertainment, consumer products, manufacturing, and financial services. Scott Moore is a supervisor in the information security and risk group at Devon Energy, a Fortune 500 independent E&P company based in Oklahoma City. He has been with Devon since 2012, with responsibilities varying from IT audits and financial audits, to most recently specializing in enterprise risk management. Moore previously served in public accounting positions. He also volunteers on The IIA’s IT Guidance Committee, which updates and issues global IT audit guidance.

CS 4-2: Internal Audit's Digital Transformation Imperative Jim Pelletier, CIA, CGAP Vice President, Professional Solutions The IIA In this session, Jim will discuss the disruptive forces driving the imperative for internal audit’s digital transformation. The session will include recent data from The IIA on roadblocks to internal audit’s ability to be agile and innovative and will include discussion on what digital transformation could look like. In this session, participants will

• Understand the disruptive forces impacting the internal audit profession and the opportunities that transformation could represent.

• Recognize roadblocks to internal audit’s ability to be agile and innovative. • Explore transformation pathways leading toward enhancing internal audit’s value with key stakeholders.

Jim Pelletier has more than 15 years of internal auditing experience in both the public and private sectors. In his current role, he provides direction for The IIA’s Audit Executive Center; Financial Services Audit Center; American Center for Government Auditing; Environmental, Health and Safety Audit Center; and Global and North American Advocacy. Prior to joining The IIA, Pelletier served as city auditor for Palo Alto, Calif., and was the chief of audits for the County of San Diego. His diverse auditing experience also includes roles at the California State University System, PETCO Animal Supplies, Inc., State Street Corporation, and General Electric. Pelletier received The IIA’s John B. Thurston Award for outstanding paper in the field of internal auditing for his article “Adding Risk Back into the Audit Process.” His new book, Collaborative Auditing, is available through The IIA’s Bookstore, powered by the Internal Audit Foundation. CS 4-3: Criminal Minds: Profile of a Fraud Cindy Carradine, CPA/CFF, CGMA Managing Director Hill Schwartz Spilker Keller LLC How easy is it to get inside the mind of a criminal? This presentation examines the largest municipal embezzlement case in U.S. history and takes a close look at why it happened, how the fraudster avoided detection for 22 years, and what has happened in the aftermath. This extraordinary case is compared with current information regarding fraudsters, fraud schemes, and the warning signs of fraud. In this session participants will:

• Learn the subtle and not so subtle warning signs of fraud. • Receive practical fraud prevention tips. • Hear about painful true stories on how fraud impacts its victims.

Cindy Carradine is a managing director in the dispute advisory and forensics practice of HSSK in Dallas, Texas. She has more than 30 years of diversified experience providing dispute advisory and forensic accounting services, testifying in state and Federal courts, serving as an audit partner with a Big Four firm, and serving as the CFO of an internet service provider. Her industry background has included oil and gas, internet, airlines, and healthcare, and she is familiar with intellectual property infringement matters. CS 4-4: Agile Internal Auditing: Walmart’s Journey to Elevating Internal Audit’s Performance and Value Brandi Joplin Senior Vice President, Chief Audit Executive Walmart Shondae LeGrand, CPA Senior Manager Walmart Sandy Pundmann Managing Partner Deloitte & Touche LLP Ranjani Narayanan, CISA, CISSP Senior Manager Deloitte & Touche LLP As internal auditors seek new ways to innovate in their roles, Agile Internal Audit (IA) is being explored. Walmart is on a journey using an Agile IA mindset to drive clearer outcomes, increased engagement, and improved documentation to produce valuable, timely results. This session will explore drivers of effective change in internal audit, and how organizations like Walmart are using Agile IA today to foster that evolution. Presenters will discuss: how to define desired outcomes at the outset of an agile project; key tenets of successful adoption of Agile IA; and using Agile IA to solve business problems with enhanced planning, empowered teams, accelerated delivery cycles, and delivering valuable insights. In this session, participants will:

• Develop a baseline understanding of Agile principles and its application to internal audit. • Develop a refreshed and agile mindset to internal audit. • Reference use cases of practical applications of Agile to IA projects, and associated benefits and lessons learned.

Brandi Joplin assumed the position of senior vice president, chief audit executive (CAE) in October, 2016. Joplin leads the global team that provides assurance on the effectiveness of risk management and the adequacy of the control environment across all of Walmart’s businesses. She reports functionally to the Audit Committee of the Board of Directors. Prior to her current role, she served as vice president international controller. Joplin led the group of international retail market controllers and managed the international segment accounting and reporting. She helped align the markets to the global controllership vision and drive accountability to achieve our global standards. Joplin joined Walmart in March 2009 and served as vice president of Walmart’s Global Internal Audit Services for North America, where she led the team providing audit and advisory services for United States and Canada business operations, as well as Walmart corporate functions. Joplin is a member of the Women’s Officer Caucus leadership committee, and serves on the Walmart Foundation Board of Directors as well as the President’s Inclusion Council. Prior to joining Walmart, Joplin worked for Alltel Corporation, the Little Rock, Arkansas-based Fortune 500 telecommunications company. During her 14-year tenure, she served in a variety of management roles within the Alltel finance organization, including vice P\president of accounting and finance and vice president of internal audit. Prior to Alltel, she worked for Arthur Andersen, LLP. Shondae LeGrand is a senior manager on Walmart's Global Audit team. Her responsibilities include leading agile internal audit efforts to transform the Global Audit Team to embrace and adopt agile ways of working. She has fifteen years' audit experience with ten years within internal audit. Ranjani Narayanan specializes in the area of enterprisewide risk management and risk consulting services. She serves clients across consumer and industrial products and technology media and telecommunications industries. Narayanan provides information technology risk services to clients of various sizes and risk profiles. She has served in several roles during her tenure including risk management, internal audit, governance, cybersecurity, and finance transformation. Narayanan led large IT internal audit functions, both outsourced and co-sourced, and has extensive experience in Sarbanes-Oxley's requirements of internal controls over financial reporting. Sandy Pundmann leads the U.S. internal audit practice within Deloitte Risk and Financial Advisory. She works with CEOs, chief risk officers, chief audit executives, and compliance officers to help develop company-specific risk programs, identify risks to add value, and leverage value-creation opportunities. Pundmann helps internal audit departments elevate their organization to provide assurance, advise, and anticipate risks. She is a frequent speaker and author on governance, enterprise risk management, and internal audit.

Monday | October 22, 2018 4:30 – 5:30 p.m. CS 5-1: Innovative Use of Robotics in Internal Auditing Jessica Roos Managing Director Citigroup Marc Sabino Chief Auditor, Innovation Citigroup

Technology has the power to disrupt, shifting a market almost overnight. Blockchain, artificial intelligence, robotics, and data analytics are just some of the current buzzwords and trends across the globe. With business leaders looking to embrace these new technologies, this engaging and thought-provoking panel discussion will assess how internal audit is adapting to technology and digitization to advance internal audit and promote its value. In this session, panelists will:

• Discuss technologies (AI, machine learning, robotic process automation) their companies have adopted, how IA is disrupted by technology, and how technology impacts the talent model within IA.

• Examine how IA aligns/pivots its approach and plan with rapid changes in business and related risks. • Explore audit committee expectations for internal audit and share how IA can create awareness amongst

stakeholders on the value IA can provide. Jessica Roos Bio Being Finalized Marc Sabino is responsible for Citigroup’s internal audit innovation team, including providing strategic vision for an innovation strategy that supports a mission to drive positive change and be a game changer in the industry. He leads a team that identifies and executes innovation and automation opportunities, and performs data analytics to drive insights and operational efficiency. Previously, as head of business intelligence and analytics and head of human capital reporting and analytics, Sabino drove Citi’s analytics strategy, with a focus on leveraging data and technology solutions to manage revenue, employees, HR processes, banker and branch productivity, recruiting, diversity, and more. CS 5-2: Solving the Key Challenges of the Smaller Audit Group Alice Mariano, CIA, CPCU, CPA Director, Internal Audit North Carolina Farm Bureau Mutual Insurance Co., Inc. Every internal auditor could use more resources, but the challenge is most acutely faced by the CAE who has only up to about eight auditors. The risks to be addressed keep growing, but there never seems to be enough time or resources to obtain, develop, and deploy the limited resources available. This session will focus on approaches a smaller audit group can use, leveraging strategies that have worked and resources available from The IIA. In this session, participants will:

• Explore using flexible planning tactics. • Discuss process disciplines that keep everyone on track. • Identify tools available to CAEs of smaller groups. • Join in an interactive session designed to allow for sharing great ideas.

Alice Mariano has more than 20 years of experience in auditing and accounting. She established the internal audit department at North Carolina Farm Bureau Mutual Insurance Co., Inc. and has served as director of internal audit for 10 years. Previously, she spent more than 8 years in public accounting, assisting global and domestic customers with their external and internal audit needs. Mariano serves on The IIA’s chapter relations committee.

CS 5-3: Diamond in the Rough: Maximizing Synergies of Global Governance and Investigation Dawn Williford, CIA, CRMA South Region Leader, Risk Advisory Services BDO USA, LLP Jesse Daves, CPA, CFF, CFE Managing Director, Global Forensics and Investigations BDO USA, LLP This story has it all: Diamond necklaces, excessive entertainment, mislabeled products, and an unsuspecting home office. This real-life case study is a sparkling example of process and control failures, corruption, cultural differences, unethical behavior including illicit diamond gifts, and lessons learned that can help auditors identify similar situations, get to the root of the problems, and implement changes and controls to move from a toxic environment to a diamond standard in governance. In this session, participants will:

• Gain an understanding of risk factors of conducting business globally, specifically as it relates to doing business in developing countries.

• Acquire an understanding of cultural issues and lack of home office oversight that contributed to control failures, misaligned business practices, declines in product quality, and loss of market share.

• Obtain knowledge to recognize organizational triggers and audit techniques to uncover the depth and breadth of these issues.

• Learn about leadership, processes, and controls changes that can drive behavioral change to shift an unhealthy organization to one that aligns with values, laws, and expectations of the home office.

Dawn Williford has over 17 years of experience in delivering internal audit, compliance, and consulting solutions to Fortune 500 and middle market companies. Prior to joining BDO, Williford was at UHY Advisors TX, LLC for 12 years and before that, she was with PwC. She has assisted newly public companies successfully achieve year-one Sarbanes-Oxley compliance and been heavily involved in all aspects of business process evaluation and documentation, corporate governance, Sarbanes-Oxley readiness and ongoing compliance, risk assessments, root cause analysis, and internal audit outsourcing and cosourcing. Williford has managed large-scale internal audit, internal controls consulting, and Sarbanes-Oxley engagements. She has assisted clients with design and implementation of their internal controls framework, and led teams that developed the firm’s COSO 2013 methodology. Williford assists clients with the development of their internal audit department and served as the CAE for her outsourced internal audit clients. She has managed construction, vendor, joint venture, and large scale multi-vendor audit programs that have identified millions of dollars in cost recoveries for her clients. Jesse Daves has 20 years of experience providing audit, forensic accounting and investigative services to clients across a wide range of industries including, energy, retail, real estate, and manufacturing. Daves has conducted fraud-related investigations involving numerous issues, including alleged violations of the Foreign Corrupt Practices Act (FCPA), embezzlement, kickbacks, Ponzi schemes, conflicts of interest, and variations employment matters.

CS 5-4: Increasing Audit’s Business Impact – Strategies for Unlocking Audit’s Potential Tegan Gebert Senior Executive Advisor CEB, now Gartner Dominique Vincenti, CIA, CRMA Vice President, Internal Audit Nordstrom To improve audit staff's performance and deliver more value to the business as part of every audit, chief audit executives (CAEs) traditionally turn to two solutions: 1) training audit staff, and 2) recruiting auditors with different backgrounds. CEB Audit Research shows that these strategies alone do not change staff's behavior or improve performance. Instead, CAEs must transform the environment in which their staff operate. This session will highlight easy, low-cost, yet powerful changes CAEs can make to drive behavior change and create a more impactful internal audit department. In this session, participants will:

• Gain practical tips for enabling staff to add value and drive change in the business as part of every audit engagement.

Tegan Gebert is a senior executive advisor with CEB Audit Leadership Council, a division of CEB, now Gartner. Since joining CEB in 2008, Gebert has advised chief audit executives and their teams from the world’s largest, most progressive organizations on topics such as creating an audit plan that addresses emerging risk, engaging the audit committee with clear and impactful presentations, and training staff on the competencies most critical to helping the business take action on audit’s findings. Dominique Vincenti is the VP of Internal Audit at Nordstrom, a Fortune 250 Company and one of the US leading Fashion Specialty Retailer. Her 20 years of experiences includes internal audit management positions principally in the retail industry for prominent international retailers: Marks & Spencer – UK or Kering (former PPR) – France (Gucci, Yves Saint Laurent, Alexander McQueen, Balenciaga, Stella McCartney, Puma etc.…). For 6 years prior to joining Nordstrom she was a Chief Officer at The Institute of Internal Auditors where she was overseeing the organization's professional, research and technical practices, developing guidance or representing the internal audit profession working on Governance Risk & control issues, closely with other professional, national or international institutions and regulators such as the US Securities and Exchange Commission, International Organization of Supreme Audit Institution, the International Federation of Accountants or the OECD to name a few.

Tuesday | October 23, 2018 8:30 – 9:45 a.m. General Session 2: The Positive Impact of Disruptive Leadership Mary McNiff Chief Audit Executive Citigroup

Session Description Being Finalized Mary McNiff joined Citigroup in 2012 and is responsible for the internal audit department, which includes the delivery of audit assurance on governance, risk management, and the control environment. Previously, she served as the CAO for Latin America and Mexico at Citigroup, responsible for key strategic projects, including governance and control; business, process, and system transformations; and productivity. Significant components of this role focused on addressing important regulatory matters and transformation within the region. McNiff’s professional experience has focused on significant business/process/people transformations within the financial services industry, with the delivery of large group-wide projects, and process re-engineering. She held senior internal audit positions across several large financial institutions around the world gaining experience of all financial products across investment banking and consumer activities. Prior to joining Citi, McNiff was the managing director for change at Lloyds Banking Group, responsible for leading a key part of the largest data migration in Europe involving the transformation of 63 million customer records from three systems down to one. She also spearheaded a process simplification program across the organization. Before Lloyds, McNiff was a key member of the internal audit leadership team at both Barclays and JPMorgan.

Tuesday | October 23, 2018 10:15 – 11:15 a.m. CS 6-1: Tools and Techniques Swap: Tactics for Cyber Resiliency Daimon Geopfert, CISP, CISM, CISA, GCIH, GREM, CEH National Leader, Security, Privacy, and Risk RSM US LLP For some time it has been expected that internal audit teams would perform reviews of an organization’s cyber security controls, but as security continues to transition from a technical issue to a core enterprise risk, pressure is mounting for these audits to move away from “checkbox” technical reviews to true assessments of security capability and maturity. In this session we will discuss tools and methods that allow IA teams to more accurately determine the effectiveness of an organization’s security program even when the team itself is lacking resources with extensive security experience. In this session, participants will learn:

• How to properly scope various aspects of a security audit, when technical reviews such as penetration testing are of value and when they can be misleading.

• How to leverage threat modelling and threat intelligence to focus the review for maximum effectiveness. Daimon Geopfert specializes in penetration testing, vulnerability and risk management, security monitoring, incident response, digital forensics and investigations, and compliance frameworks within heavily regulated industries. He has more than 20 years of experience in a wide array of information security disciplines. Geopfert has served as the manager and lead technician for security assessments performed on some of the largest corporations and government entities in the world.

CS 6-2: Change Management Best Practices for ERP Systems: A Case Study From Audits of Oracle E-Business Suite Installations Jeffrey Hare, CPA, CIA, CISA CEO ERP Risk Advisors Change management is a multi-faceted topic. Like the various sides of a gem, having mature change management processes and controls requires various approaches. One can think of change management in four buckets – object oriented changes, security, patching, and configurations. This session explores what it takes to build and implement a first-class change management process for organizations running ERP systems. In this session, participants will:

• Evaluate change management best practices in conjunction with The IIA’s GTAG, Change and Patch Management Controls: Critical for Organizational Success, 2nd edition.

• Understand how these standards apply to ERP systems. • Discuss various examples of organizational maturity in change management controls. • Explore common issues organizations struggle with related to the change management process.

Jeffrey Hare is a top expert, having worked around the world in the Oracle ERP space with an extensive background in public accounting (including Big 4 experience), industry, and Oracle applications consulting experience. He has been working in the Oracle applications space since 1998 with implementation, upgrade, and support experience. Hare currently teaches the MISTI class "Auditing Oracle's E-Business Suite" and has written two books on security and controls for Oracle E-Business Suite. Hare is working updated editions of both titles, which are expected to be released in 2017. He has written whitepapers and articles that have been published by major trade and industry organizations. CS 6-3: Measuring Effectiveness of a Risk Focused Third Party Risk Management Program John Maynor, CRISC, CISA, Security+ Senior Leader, Third-party Risk Management Worldpay Third-party Risk Management programs, or TPRMs, as a best practice arguably encompass stages including Planning, Due Diligence, Contracting, Ongoing Monitoring, and Termination. Interactive discussions are encouraged to allow participants to share effective TPRM programs including key tools used to identify and measure the risks of utilizing third parties and how to measure the effectiveness of these programs. Real-world stories and examples from tours of global vendor sites will compare and contrast the differences between desktop and on-site evaluation of third parties. In this session, participants will:

• Gain an understanding of the critical components of an effective third-party risk management program. • Learn how to build effective audit programs to measure the soundness and effectiveness of third-party risk

management programs. • Explore the tools that effective third-party risk management programs should use to provide a basis for

measuring and auditing TPRM programs.

John Maynor is senior leader of global third-party risk management (TPRM) for Worldpay, a leading payment processing and technology service provider. Previously, he was with PwC for 11 years, specializing in cybersecurity and TPRM. Maynor’s work has primarily centered on taking a risk-based approach to TPRM to help organizations develop new or enhance current TPRM programs. He has extensive knowledge of what makes a TPRM program effective and how to measure programs to ensure their effectiveness. Maynor has performed hundreds of on-site assessments of domestic and international third parties. CS 6-4: Using Data Points to Assess Corporate Culture Brian Christensen, CPA Executive Vice President, Global Internal Audit Protiviti Katie Shellabarger, CPA Vice President, Chief Audit Executive CDK Global, Inc. The culture of an organization is the mix of shared values, attitudes, and patterns of behavior that give the organization its particular character. Many internal audit departments are encountering new and uncharted territory when they are asked to audit the culture of the organization. In this session, participants will:

• Discuss what it means to audit an organization’s culture and how to start the process. • Understand the relationship between organizational culture and risk culture. • Explore auditing the “tone-at-the-top.” • Identify methods to incorporate data analytics into the processes that monitor an organization’s culture. • Review key data points that indicate a potential problem with an organization’s culture.

Brian Christensen is a member of Protiviti’s executive leadership team and is the current global leader of the firm’s Internal Audit and Financial Advisory Solution. In this role, he is responsible for the development and execution of Protiviti’s internal audit products. Christensen has more than 30 years of experience in helping clients increase the value of their internal audit function. He is a frequent speaker on auditing and risk topics at national conferences. Katie Shellabarger leads the internal audit function that delivers financial, operational, and IT audit and consulting services. In addition, she oversees the company’s service organization controls reporting program. Prior to joining CDK, Shellabarger was a director at Caesars Entertainment Corporation leading business process improvement initiatives and special projects and directing Sarbanes-Oxley program efforts. In addition, she has nearly 15 years of top-tier audit and consulting experience, including Protiviti and Deloitte & Touche LLP where she provided internal audit and Sarbanes-Oxley services. Shellabarger began her career in the Audit and Business Advisory Practice at Arthur Andersen LLP specializing in financial services.

Tuesday | October 23, 2018 12:30 – 1:30 p.m. CS 7-1: A Real-life Practical Internal Audit Approach to Cyber Security Gurmit Aujla, CIA, CPA, CRMA, CRISC, CA, CITP Director, Internal Audit British Columbia Lottery Corporation Cory Strumecki, CISA, CISM, CIPT Manager, Internal Audit British Columbia Lottery Corporation Cybersecurity is an emerging/changing risk where traditional internal audit departments and previous approaches may not be adequate, but using the complex cyber risk environment provides us with an opportunity to showcase the value we bring to our organizations. Walk through one organization’s journey in developing a strategic approach to cyber risk and the steps they took to reach that point. In this session, participants will:

• Learn a practical way to get started on implementing an audit approach to address cyber risk. • Identify steps to communicate cyber risk to key stakeholders such as the audit committee and executive

management. • Obtain tools to build cyber risk into your audit plan. • Discuss practical challenges that may arise as you explore this area as a way to showcase your function’s value.

Gurmit Aujla has more than 15 years of experience in internal audit, risk management, internal controls, finance, and corporate functions. He has served in his current role since 2009 where he was responsible for the transformation of the internal audit group from a traditional compliance-based practice to a proactive, value-driven group that works collaboratively with the organization. Aujla established a leading IT audit capability within the internal audit department and developed a pragmatic, risk-based approach to identifying, assessing, and managing IT risk. Prior to BCLC, he worked in private industry in the international manufacturing, banking, and restaurant sectors, with a focus on governance, risk management, and implementing Sarbanes-Oxley. Aujla has delivered numerous presentations and webinars for professional and trade organizations on topics including internal audit, governance, and risk management. Cory Strumecki starting his gaming career as a slot machine revenue auditor 17 years ago and his career path included stints as a casino trainer, QA system analyst, and innovator, and eventually into the world of internal audit, particularly into the area of IT auditing. Strumecki originally trained as a chef but transitioned into accounting and has found his passion in the gambling industry. CS 7-2: QAIP in the Small Audit Department Bradley Carroll, CIA, QIAL, CFSA, CRMA, CPA, CFF Director, Internal Audit State Bank Financial Corporation

IIA research indicates that five of the top 10 issues cited in External Quality Assurance reviews relate to Standard 1300: Quality Assurance and Improvement Program, and its subparts. Many audit functions struggle with the QAIP process, but small audit departments have the deck stacked against them. But there are proven tactics and strategies to help small functions earn the coveted "generally comply" comment in regard to their QAIP. In this session, participants will:

• Analyze the results of an EQA. • Look at research conducted on the QAIP process. • Look at one program developed to conform to Standard 1300: Quality Assurance and Improvement Program for

a small audit department. • See a scorecard model developed to present QAIP results to the audit committee.

Bradley Carroll began his career in internal audit with Central Bank LA after graduating from college. Upon the sale of Central Bank, he moved to an internal auditor position for Carter's Childrenswear and Wachovia Bank. He then pursued public accounting for the next 14 years, starting and then selling a CPA practice. Carroll transitioned back into internal audit when he was hired as the CAE of a two-year old $3 billion community bank using outsourced services for internal audit with the challenge of developing and staffing the bank’s own internal audit function. CS 7-3: When Life Gives You Lemons: Seven Ways to Turn GRC Struggles Into Success Rob Simkow Risk Manager, Country Risk Management General Motors Company Ina Cheatem, CCSA, CRMA, PMP Manager, Professional Practices, Audit Services General Motors Company Get ready for an interactive case study and knowledge-sharing session on an innovative approach to GRC implementation. Throughout the session, participants will be engaged in contributing to a lively discussion via polling, collaborative brainstorming, short video clips followed by lessons learned reviews, and culminating in a Q&A period. In this session, participants will:

• Elaborate on the definition of GRC and understand different interpretations among companies. • Explore how General Motors approached an innovative GRC implementation. • Understand key lessons learned that may assist other companies in similar implementations.

Rob Simkow is responsible for country risk management at General Motors Company, including fostering an environment of timely risk escalation and transparency between the corporate staffs and individual regions and countries outside of the United States. Prior, he managed the implementation of a global, cross-functional GRC technology solution spanning audit services, SOX, strategic risk management, operational risk management, and other risk and control organizations. Simkow previously held multiple other roles at GM; beginning as an IT auditor, he transitioned to a finance controllership role in a manufacturing plant, followed by a finance role in audit, and then a management role in IT finance.

Ina Cheatem is manager of professional practices for GM audit services and has supported the implementation of GM’s global, cross-functional GRC technology, STAR. Prior, at Consumers Energy, Cheatem led the implementation of an enterprise-wide, best practice regulatory compliance framework spanning approximately 40 regulatory compliance areas. Previously, at Rolls Royce Power Systems, she initiated and led a pilot project that later became the foundation for a global internal controls framework rollout across the company’s 30 legal entities; in addition to supporting the global rollout, Cheatem also established, managed, and facilitated the U.S. division’s control self-assessment and operational risk management process. CS 7-4: Why Emotional Intelligence and Critical Thinking Skills Are Essential Bret Kobel Managing Partner Verracy (formerly Empower Audit) Internal auditors spend most their time communicating: speaking with and interviewing clients, preparing information for distribution and deciphering information they have gathered. Those communications are frequently strained because auditors regularly encounter conflict, difficult situations, and at times, difficult people. Enhanced emotional intelligence (EQ) and critical thinking skills can turn these situations into opportunities to build positive relationships and end conflict to improve an auditor’s effectiveness. In this session, participants will:

• Understanding what emotional intelligence is and how it helps or hurts us. • Learn strategies to improve emotional intelligence and in turn, better perform the role of internal auditor. • Understand the levels of thinking and what constitutes critical thinking. • Discover methods to increase critical thinking and ways to identify when you are not thinking critically. • Examine the ways emotional intelligence and critical thinking together improve communication, specifically in

interviewing audit clients. Bret Kobel is managing partner for Verracy and has more than 20 years of experience in finance and accounting, internal audit, fraud examination, and risk and compliance for diverse organizations ranging from venture-backed startups to global Fortune 500 companies. He specializes in process transformation and implementation, process improvement, and global accounting and internal controls. Kobel has significant international experience, including an ex-pat assignment in Singapore as regional CFO for a global logistics company.

Tuesday | October 23, 2018 1:45 – 2:45 p.m. CS 8-1: Best Practices for Proactive IT Governance Berk Algan, CISA, CGEIT, CRISC, CIPP Director, IT Governance Silicon Valley Bank

The session will feature an information sharing session covering 5 topics focused on how to build and evolve a First Line of Defense function and an IT governance framework by providing specific real-life examples drawn from the speaker’s experience working at a financial institution, including pitfalls and lessons learned. Attendees will have an opportunity to pose questions at the end of the session. In this session, participants will:

• Learn about a practical approach to creating an IT governance framework. • Understand the cornerstones of a proactive First Line of Defense model. • Gain tools and knowledge to build an effective IT governance framework and a proactive First Line of Defense

model. • Learn how to avoid common pitfalls when implementing proactive First Line of Defense model.

Berk Algan is a governance, risk, and compliance (GRC) executive who currently leads the IT GRC group at Silicon Valley Bank (SVB). His primary goal at SVB is to promote a risk-based culture and instill governance best practices across the bank. Algan has extensive experience in implementing governance, risk, and security frameworks; improving business processes; setting IT strategies; leading risk assessments; performing audits; and facilitating organizational change. Previously, he was a senior manager at EY’s advisory services group, where he audited and advised numerous high-tech companies in the Bay Area. CS 8-2: Internal Audit's Role in Sustainability Accounting Disclosures Douglas Hileman, CRMA, CPEA President Douglas Hileman Consulting, LLC There are several frameworks for non-financial reporting (NFR). The Sustainability Accounting Standards Board’s mission is to focus on non-financial (or Sustainability) disclosures that should be in companies’ financial filings in accordance with current SEC regulations. Whereas other frameworks have been developed for a range of stakeholders, SASB’s focus is exclusively on the investment community. SASB completed provisional standards for every sector and industry in 2016, and launched an information portal in 2017. SASB publications mention some roles for Internal Audit. In this session, participants will:

• Learn a high-level overview of SASB, risks and opportunities arising from Sustainability disclosures • Learn why 2017 is set to be a benchmark year for SASB • Review focus areas the SASB mentions for Internal Audit • Learn other ways where Internal Audit can help organizations manage risks and leverage opportunities in their

organizations. Douglas Hileman has 40 years of experience in compliance, operations, risk management, and auditing. He has led his firm for nine years, after six years at PwC, nine years in industry, and over 15 years in management consulting. His firm has clients nationwide and he has led conflict minerals independent private sector audits (IPSAs) for the SEC conflict minerals rule for four consecutive years. His firm has innovative approaches to nonfinancial (or “sustainability") reporting, and safety program management. Hileman is a frequent speaker for IIA events and other professional meetings nationwide.

CS 8-3: Ethics and Motivations of the Fraudster Allan Bachman, CFE Education Manager Association of Certified Fraud Examiners Ethics is not something we are born with; it is a learned and observed behavior resulting ideally in making good ethical choices and decisions. These choices are often not conflict free and the wrong choice can lead to serious consequences. In this session, we will cover the fundamentals of ethical learning and behavior and hear from convicted white-collar criminals, their stories, and their outcomes from making bad choices. In this session, participants will:

• Learn the difference between personal and organizational ethics. • Understand how culture can have an impact on organizational codes of conduct. • How to approach ethical challenges. • Develop an understanding of the various fraudster models.

Allan Bachman is responsible for the educational content of all ACFE domestic and international conferences, new seminar development, and online learning. Prior to joining the ACFE, he worked in higher education as director of internal audit, managing IT projects specializing in information and access security. His largest fraud investigation, well into seven figures, was conducted during this time. Previously Bachman worked or consulted for retail, real estate, and manufacturing. In each of these areas, he actively worked fraud cases. He has taught college courses in accounting/auditing and information systems security and regularly conducts training sessions and speaks nationwide on anti-fraud and fraud related topics. CS 8-4: Transforming the Internal Audit Report Margie Bastolla, CIA, CRMA Principal Margie Bastolla Facilitations, LLC Change is the final product of any audit. To that end, are your audit reports designed, structured, and written in a way that encourages positive change? If not, then it’s time to transform your report-thinking and report-writing processes so that stakeholders receive, grasp, and act on the information reported. In this session, participants will:

• Learn the seven myths of audit reporting. • Discover what stakeholders want most from the audit report. • Understand readers’ three expectations for report structure. • Receive tips on aligning report recommendations with organizational strategies and priorities.

Margie Bastolla is a professional trainer and speaker who provides customized, onsite training for internal auditors on both technical and soft skill topics. She has worked in over 40 countries, conducting hundreds of seminars, workshops, and conference sessions for corporations, government entities, U.N. agencies, and IIA chapters and institutes. Bastolla draws on 30 years of leadership experience in internal auditing, international relations, association management, and public accounting. Previously, she was an executive with The IIA’s global headquarters and an auditor with Worthen Banking Corporation and Deloitte.

Tuesday | October 23, 2018 3:15 – 4:15 p.m. CS 9-1: Agile Auditing: Sprinting to Change – Reimagining Internal Audit in a Digital World Celia Edwards Karam Senior Vice President, Head of Small Business Banking Capital One Financial Arun Rajappa Compliance Audit Leader Capital One Financial Recognizing early on that internal audit must adapt to the financial services industry’s digital transformation to remain relevant, Capital One’s Corporate Audit Services (CAS) function established an imperative to boldly re-imagine the future of its profession. To design its vision, CAS engaged traditional banking peers, nontraditional peers, and a leading design thinking firm. As a result, CAS’ human-centric agile audit approach elevates quality and efficiency naturally by holistically transforming delivery through the lens of people, process, and technology. In this session, participants will:

• Understand the macro global and industry forces that require internal audit leaders to holistically reimagine the future of their profession.

• Learn how agile audit delivery practices can elevate practitioners’ business acumen, promote collaboration, create capacity, and bridge traditional co-location challenges.

• Discuss the need to super-charge existing data science strategies and capabilities made possible by a world-class analytics platform and 100% internal auditor data analytics proficiency.

• Explore a vision of the internal auditors’ behaviors and competencies required for success long term. Celia Edwards Karam Bio Being Finalized Arun Rajappa Bio Being Finalized CS 9-2: Innovative Approaches Into Putting Core Principles Into Practice: Panel Discussion Facilitator: Debi Roth, CIA Managing Director, Global Standards and Guidance The IIA

Speakers: Yulia Gurman, CIA, CPA Director, Internal Audit and Corporate Security Packaging Corporation of America Steve Sanders, CRMA Vice President, Internal Audit Computer Services, Inc. This panel discussion will provide insight into practical and meaningful ways to incorporate the Core Principles into the operating practices of the internal audit activity. Each panellist will describe their experience evaluating effectiveness of the Core Principles using the “Core Principles Effectiveness Framework” and share insights gained from the process. In addition, each panellist will share innovative approaches to embedding the Core Principles into the operating culture of their activity. In this session, participants will:

• Gain insight into innovative approaches to evaluating the effectiveness of Core Principles in the internal audit activity.

• Gain an understanding of the relationship between the Core Principles and characteristics that define their effectiveness.

• Understand the challenges to evaluating effectiveness of Core Principles. • Explore the benefits of incorporating Core Principles into the operating culture of the internal audit activity.

Debi Roth serves as staff liaison to the International Internal Audit Standards Board and the Professional Responsibility and Ethics Committee and was responsible for the 2017 Revised (IIA) Standards project as well as development of Implementation Guidance in support of the revisions. She also served as staff liaison to The IIA’s IPPF Relook Task Force during the development and July 2015 release of The IIA’s new International Professional Practices Framework. Roth has more than 15 years of professional audit and tax experience in various industries, including health care, transportation, manufacturing and banking. Prior to joining The IIA, she was enterprise risk manager for WellCare Health Plans. Before that, Roth was the manager of internal audit for AirTran Airways for more than five years. Yulia Gurman is the director of internal audit and corporate security at Packaging Corporation of America (PCA), where she is responsible for internal audit, internal controls, and corporate security. Prior, Gurman served as vice president, internal audit at Retail Properties of America, Inc. (RPAI); director of internal audit at OfficeMax; and began her career as an external auditor at a public accounting firm. She is on the Board of Governors for the IIA’s Chicago Chapter and the Committee of Research and Education Advisors for the IIA. Gurman has spoken at SuperStrategies conferences, CAE Master’s Program, IIA International Conference, and the American Accounting Association’s Annual Meeting. Steve Sanders oversees the evaluation of risks associated with IT, financial, and operational systems. He has a strong knowledge of cybersecurity and privacy, accompanied by an educational background in computer security and data protection. Sanders regularly speaks at conferences on information security, cybersecurity, and risk management.

CS 9-3: In Conversation With…Crisis Management Facilitator: Doug Anderson, CIA, CRMA Managing Director, CAE Solutions The IIA Speaker: Tom McCormick Senior Advisor StoneTurn Group Every organization experiences unexpected disruption from either known or unknown risks. Sometimes these disruptions are easily handled, sometimes they can nearly paralyze the organization as it tries to respond. In this session hear from an expert who has lived through a number of these disruptions and his suggestions on what he has seen is the most successful approach by an organization. In this session, participants will:

• Understand the nature of potential disruptive events. • Consider how organizations typically prepare for or respond to such events. • Explore tactics that have proven to be most useful, or near useless, when disruption occurs.

Doug Anderson joined The IIA in 2016 after serving as an assistant professor at Saginaw Valley State University. Until 2013 Anderson worked with The Dow Chemical Company for 22 years. His roles at Dow included 16 years in internal audit (9 years as CAE), a global finance director in corporate controllers supporting acquisitions, divestitures, and joint ventures, and the finance leader for the global Dow latex business. Previously he spent 10 years with PriceWaterhouseCoopers. Tom McCormick has more than 30 years of experience in risk, ethics, and compliance issues, helping companies develop and improve controls, risk management processes, and culture to comply with laws and regulations. He has worked with clients across various industries, including chemicals and manufacturing, energy, and financial services. McCormick is the former group ethics and compliance officer of BP, responsible for promoting, overseeing, and building the Group’s capability to ensure compliance with laws and regulations, BP’s code of conduct, and related Group standards. He coordinated with business leaders and functions such as legal and audit to identify and mitigate significant global compliance risks, including bribery and corruption, environmental and safety, and antitrust/competition laws. Previously, McCormick was associate general counsel and director of global ethics and compliance for The Dow Chemical Company, joining the legal department’s litigation section in 1986 after several years of private law practice. McCormick has lectured and taught seminars at professional organizations on ethics and compliance topics, including risk management, developing and maintaining an ethical culture, and conducting internal investigations.

CS 9-4: Five Factors of Successful Talent Management Russell Robinson, EdD Director, Organization Development and Leadership, Federal Occupational Health U.S. Department of Health and Human Services An organization’s talent management philosophy is a critical driver of the engagement experience of its workforce. As a driver of employee engagement, it impacts culture and various individual and organizational outcomes. However, very few public sector agencies and organizations have concrete plans to identity, select, on-board, develop, promote and off-board talent. This presentation will identify the successful factors of developing an organization wide talent management philosophy, and how an agency dramatically increased its employee engagement score in the process. In this session, participants will:

• Identify key factors in the development of a talent management process. • Understand the impact change management has on the development process. • Bridge the gap between academic employee engagement research and practical implementation.

Russell Robinson is director of training, development, and engagement for the Program Support Center, an office within the U.S. Department of Health and Human Services. Within the federal government, he works with leaders on being strong and inspiring, selecting and developing talent, and creating an open and safe culture. As a passionate champion of employee engagement, Robinson has spoken at several domestic and international conferences, focusing on improvement of the workforce experience for civil servants.

Wednesday | October 24, 2018 8:30 – 9:45 a.m. General Session 3: Big Data and Artificial Intelligence Patrick Schwerdtfeger Business Futurist and Author The explosion of big data technologies and the Internet of Things (IoT) have led to dramatic advancements in artificial intelligence (AI) and machine learning. These technologies are fueling innovation in predictive analytics, autonomous vehicles, virtual reality, and countless other fields. Patrick has accumulated dozens of case histories and success stories in a variety of different industries, allowing him to explain the trends in a way that people understand. His technology keynotes don’t get into technical specifications. Instead, they highlight trends and strategies for executive and managerial audiences. In this session, participants will:

• Understand why artificial intelligence capabilities are accelerating • Hear case histories where AI technologies are being deployed • Predict which jobs are most likely to be replaced by automation • Learn how to anticipate disruptive innovation in this industry

Patrick Schwerdtfeger specializes in technology trends including artificial intelligence, Fintech, blockchain, and social media. He has lectured at numerous academic institutions and is a regular speaker for Bloomberg TV. Schwerdtfeger is the founder of Trend Mastery Inc. and host of the Strategic Business Insights video blog, with over 20,000 subscribers and 4 million views on YouTube. He has spoken about business trends, technology, and digital marketing at hundreds of conferences around the world, and discussed Learned Intuition at the TEDx Sacramento event in 2012. Schwerdtfeger authored the award-winning book Marketing Shortcuts for the Self-Employed, and other titles including Keynote Mastery: The Personal Journey of a Professional Speaker; Webify Your Business: Internet Marketing Secrets for the Self-Employed; and Make Yourself Useful: Marketing in the 21st Century. Schwerdtfeger has been featured by the popular press including the New York Times, LA Times, Reader’s Digest, CNN Money, NPR, Fortune, Bloomberg Businessweek, the Associated Press, MONEY Magazine, Forbes, and many others.

Wednesday | October 24, 2018 10:15 – 11:30 a.m. General Session 4: Panel Discussion: Understanding Unconscious Bias and Its Impact on Internal Audit Moderator: Harold Silverman, CIA, QIAL, CRMA, CPA, CISA Former Vice President, Internal Audit The Wendy's Company Panelists: Paulette Brown Partner Locke Lord LLP Dominique Vincenti, CIA, CRMA Vice President, Internal Audit Nordstrom Benito Ybarra, CIA, CISA, CFE, CCEP Chief Audit and Compliance Officer Texas Department of Transportation Objectivity is a state of mind that leads to the way you make decisions and take action. While it is conceptually simple to do this, each of us carries perceptions and experiences that impact our decisions and actions. This session will aim to discuss the concept of unconscious bias and its impact on how we conduct our work and serve our organizations. In this session, participants will:

• Understand the concept of unconscious bias. • Hear about examples of where unconscious bias can impact decisions and actions. • Understand the tie to the Standards. • Learn of ways to identify and prevent unconscious bias from impacting key decisions.

Harold Silverman currently serves as chairman of The IIA’s Global Professional Development Committee and sits on The IIA’s North American and Global Boards. He recently served as vice president of internal audit at The Wendy’s Company. Prior to Wendy’s, he was vice president of internal audit at Houghton Mifflin Harcourt Publishing Co. Before HMH, Silverman served as senior manager of internal audit at Raytheon Co., managing the team that performed audits at corporate locations and divisions in the northeast. Earlier in his career, he was an internal audit manager at PricewaterhouseCoopers and gained external audit experience at Arthur Andersen. Paulette Brown is a member of the labor & employment practice group of Locke Lord LLP and is the Immediate Past President of the American Bar Association. Throughout her career, she has held a number of positions, including in-house counsel to a number of Fortune 500 companies and as a Municipal Court Judge. For the past 30 years, Paulette has engaged in the private practice of law, focusing on all facets of labor and employment and commercial litigation. She has defended employers in cases involving discrimination on the basis of age, sex, marital status, sexual harassment, disability, race and national origin. Paulette has received results in class action employment discrimination cases based upon race and wage and hour claims. She is also experienced in all aspects of workplace training and collective bargaining. Paulette litigates in both federal and state courts, as well as arbitration forums for both unionized and non-union employees. She is a certified mediator for the United States District Court, District of New Jersey and a member of the Employment AAA Panel. Paulette is a frequent lecturer on labor and employment issues and issues related to electronic discovery and serves as Chair of the Labor and Employment Section of the New Jersey State Bar Association. She is also a member of the College of Labor & Employment Lawyer and American Law Institute. Additionally, Paulette has been recognized by the New Jersey Law Journal as one of the prominent women and minority attorneys in the State of New Jersey and by the National Law Journal as one of "The 50 Most Influential Minority Lawyers in America." She has been listed as a NJ Super Lawyer since its inception and for the past three years as one of the top 50 women lawyers and one of the top 100 lawyers. Ms. Brown has also repeatedly been named by US News as one of the Best Lawyers in America in the area of Commercial Litigation. Paulette also received DRI's Pioneer Diversity Award and the NJ State Bar Association's Excellence in Diversity Award, and she was honored with the Spirit of Excellence and Margaret Brent Women Lawyers of Achievement Awards by the American Bar Association Commission on Women in the Profession. In 2014, Paulette was honored by the Rutgers Law-Camden Black Law Students Association for exemplifying the values advocated by Dr. Martin Luther King Jr. Dominique Vincenti is the VP of Internal Audit at Nordstrom, a Fortune 250 Company and one of the US leading Fashion Specialty Retailer. Her 20 years of experiences includes internal audit management positions principally in the retail industry for prominent international retailers: Marks & Spencer – UK or Kering (former PPR) – France (Gucci, Yves Saint Laurent, Alexander McQueen, Balenciaga, Stella McCartney, Puma etc.…). For 6 years prior to joining Nordstrom she was a Chief Officer at The Institute of Internal Auditors where she was overseeing the organization's professional, research and technical practices, developing guidance or representing the internal audit profession working on Governance Risk & control issues, closely with other professional, national or international institutions and regulators such as the US Securities and Exchange Commission, International Organization of Supreme Audit Institution, the International Federation of Accountants or the OECD to name a few. Benito Ybarra has more than 17 years of audit experience and oversees TxDOT's Internal Audit and Compliance divisions; their functions are aimed at improving controllership, risk management, accountability, and governance. He is a member of The IIA's North American Board and serves on the Publications Advisory Committee. Ybarra also serves on the internal audit and peer review committees of the American Association of State Highway and Transportation Officials and the (Texas) State Agency Internal Audit Forum.