New Year’s greetings to one and all!

Most of you are hard at work day and night addressing year-end audit work, issuing those final reports from last year and starting audits for 2012. Historically, we take a hiatus in January to let you address more pressing matters.

Our calendar for the first half of 2012 is outstanding. New topics, a return visit from our chapter’s favorite fraud expert, capped off by the first (of hopefully many) joint IIA / ACFE Fraud Conference.

Based on the chapter survey there was a strong demand for a roundtable for seniors and supervisors. The managers, directors and CAE’s seem to have more than their share of these forums. The chapter has specially designed an event tailor-made to the challenges and tremendous opportunities that seniors and supervisors face in 2012. I hope to see you on February 15th in Schaumburg.

March 8th the chapter is very proud to present a cornerstone full day seminar with John Hall. The session is entitled “Fraud 2012: What’s Out There and What Auditors Can Do About It”. Experience one of John’s sessions first hand. His outstanding training abilities, hands-on experience, and highly interactive approach translate into one of the highlights of the year for our chapter.

As you have seen by the save the date email, the chapter is very excited about the upcoming IIA /ACFE Fraud conference on May 11th. Guest Keynote Speakers include:

Denny Beran, Chairman of the Board, Institute of Internal Auditors James Ratley, President, Association of Certified Fraud Examiners

The full list of speakers will be communicated shortly. It will be an event worthy of sending your entire team.

Although the temperature is frigid outside (fall couldn’t last forever), things are definitely heating up for the members of the NW Metro Chicago Chapter.

Brian Babendir

Chapter President

PRESIDENT PERSPECTIV ES

Inside this issue:

President Perspectives 1

3 Ways to Prevent Employee

Frustration and Disengagement 2

Certification Resources 3

Network access control policy:

Handling smartphone access

control

4

Changes to Continuing Profes-

sional Education

6

The North West Metro Chicago I IA Chapter

THE NORTHWEST NEWS JANUARY/FEBRUARY 2012

ISSUE 5 , VOLUME 1

Upcoming Events

Feb. 15: First Annual Roundtable for Internal Audit Seniors and Supervisors; RSM McGladrey , Schaumburg.

March 8: Fraud 2012: What’s Out There and What Auditors Can Do About It ; Sears, Hoffman Estates.

May 11: 1st Annual Joint IIA/ACFE Fraud Conference; Sears, Hoffman Estates.

3 Ways to Prevent Employee Frustration and Disengagement—Joanne Sammer

Page 2

THE NORTHWEST NEWS

In our last post, we discussed the significant lack of engagement across employee groups and how employees become frustrated. Now, we will take a closer look at how companies can reverse this trend toward high levels of frustration and low levels of productivity among employees.

"In many organizations, there is a significant pocket of frustration among employees and leaders who feel that they are being held back by unnecessary rules or an unsupportive working environment," says Mark Royal, senior principal with the Hay Group in Chicago and co-author with Tom Agnew of "The Enemy of Engagement: Put an End to Workplace Frustration — and Get the Most from Your Employees" (AMACOM). "Getting rid of those barriers and obstacles to performance is a real opportunity for an organization to motivate employees and unleash their energy and creativity. This, in turn, can yield tangible financial benefits for the organization."

Engaging employees is just one part of the process for improving performance. "Companies must not only engage or motivate employees but also enable or support those employees’ strong contributions," says Royal. Doing so can lead to higher revenue growth and lower turnover. Royal states that companies ranking in the top quartile on both engagement and enablement achieve revenue growth that is 4.5 times greater than companies ranking high on engagement alone. In addition, companies that both engage and enable employees have voluntary turnover rates that 54 percent less than their peers.

Royal estimates that frustrated employees make at least 20 percent of the total workforce and that nearly one-third of employees report they do not have the necessary resources and information to successfully do their jobs, which is a frequent precursor to frustration.

Here are three moves companies can take to prevent employee frustration and eventual lack of engagement:

1. Hold managers accountable for removing barriers to employee efforts. If employees don’t have what they need to be successful, they become frustrated. It is up to managers to identify what employees need and provide it,

while also removing the barriers to maximum employee effectiveness.

2. Require ongoing performance conversations. Annual reviews and goal setting are not enough to generate the ongoing feedback most employees seek. Royal notes that employees want to understand their impact on the bigger picture and the challenges they must tackle advance in the organization. Instead of annual reviews, he suggests that managers work to improve ongoing conversations about goals, priorities and challenges.

3. Ensure that managers find ways to clear the path to productivity for employees. Even when companies face tight budgets and other resource constraints, it is important to help employees find ways around those constraints to get the job done.

It is important to remember that enabling employees is a prerequisite for engaging those employees. Motivating employees and providing employees with the resources necessary to be successful is the right combination to optimize both employee satisfaction and productivity.

Joanne Sammer

Contributor to http://businessfinancemag.com

CAREER OPPORTUNITIES If your company is looking to fill an audit related position , we can post a short announcement in this section.

Anixter is seeking an Internal Auditor to our corporate headquarters team in Glenview, IL . This is a

great opportunity for a candidate with strong analytical, communication, project management and

interpersonal skills who is interested in taking on new challenges. ONLY RESUMES THAT INCLUDE

SALARY REQUIREMENTS WILL BE CONSIDERED. Visit our web site at www.anixter.com

Grant Thornton is interested in talking with Internal Audit professionals who are seeking a career in

IT risk advisory and business consulting. Please contact Colleen Johnson, Recruiting Manager at col-

leen.johnson@us.gt.com

Page 3

THE NORTHWEST NEWS

Frequently Asked Questions (FAQ) About Certification

Do you have questions about IIA certifications? If so, read through some common questions, and their answers, regarding The IIA's Certified Internal Auditor® (CIA®) exam and specialty exams. You will find many more answers to your questions in our Candidate Handbook. If you still have questions that you have not been able to find answers for, please email us at certification@theiia.org or call us at +1-407-937-1111.

Not Yet Enrolled

Enrolled

Certified

Certification Resources

Network access control policy: Handling smartphone access control Mike Chapple, SEARCHSECURITY.COM

Page 4

THE NORTHWEST NEWS

From iPhone, to Droid, to BlackBerry, to Nexus One, it seems a new mobile device is born every week and employees are trying to put them on corporate wireless networks about 15 minutes after launch!

How does an organization cope with the risk posed by mobile devices and control their introduction onto enterprise networks? In this tip, we examine the role that network access control (NAC) systems play in the mobile environment.

Network access control (NAC) policy for mobile devices If you’re already using NAC in your environment, you’re probably familiar with the process used to authenticate a laptop or desktop computer:

1. User attempts to join a new device to the network.

2. The NAC server detects the new device and determines it is not already authenticated.

3. The user is prompted to install a NAC client on the endpoint.

4. The NAC client provides the user’s credentials to the NAC server for authentication.

5. The NAC client performs an assessment of the client’s security status and provides that to the NAC server.

6. The NAC server uses the credentials and assessment results to determine what, if any, network access the device should gain.

Unfortunately, this process breaks down at step three, when smartphones, tablets or similar “dumb” devices try to join the network, as it’s not possible to install a NAC client on such gadgets. In this case, NAC systems usually fall back to two possible approaches:

● In the “captive portal” approach, the NAC device intercepts the user’s requests for webpages and redirects him or her to a Web-based authentication page. Once the user authenticates, the device is granted access to the network, which allows authorized users to join any mobile device to the network.

● The alternative approach is to whitelist the MAC addresses of approved wireless devices. This involves much more

administrative overhead, requiring your IT staff to add the MAC address of each device to the NAC system every time a new device is deployed. However, this whitelisting option does give the enterprise a greater degree of control over network access.

The downside of both of these approaches is the NAC system has no ability to probe the security status of the device, greatly reducing the functionality that NAC traditionally offers in the laptop/desktop environment.

Making the most of mobile NAC So, how can an enterprise leverage its existing NAC infrastructure to help secure mobile devices? I suggest a three-pronged approach that hinges upon differentiating between corporate-owned devices and personally owned devices. Your mileage may vary, depending upon the security needs of the organization, but this framework offers a starting point that you can use to build an appropriate mobile network access control policy and related controls for your business environment.

● Limit full wireless network access to company-owned smartphones. You’ll simply never be able to gain the level of confidence in personally owned devices that you can have in those owned and managed by your IT staff. For this reason, I encourage limiting full network access to those devices owned and managed by the company. The easiest way to enforce this requirement is with the MAC whitelisting approach described above.

● Supplement NAC with mobile device management. While NAC products generally don’t allow you to reach down into the configuration settings of smartphones for more thorough smartphone access control, mobile device management software does. I suggest deploying one of these products as a complement to NAC and using it to enforce encryption, screen locking and other security settings on your company-owned devices.

● Consider a quarantine network for personally owned devices. In many environments, practicality dictates allowing personally owned devices to access the network. If this is the case in your organization, you may wish to place these devices on a separate quarantine network that has limited access. While you might allow personally owned devices to freely access the Internet, you should carefully control what (if any) corporate resources they are able to access. After all, do you really want

(Continued on page 5)

Page 5

THE NORTHWEST NEWS

business secrets sitting on a phone that you don’t own?

While it is difficult to bring the advantages of NAC to the mobile phone environment, it’s certainly achievable. The three steps outlined above provide the basic framework needed to begin designing a smartphone management strategy that meets your business needs.

(Continued from page 4)

U.S. Intel Chief: Insider Leaks A Top Priority

By J. Nicholas Hoover InformationWeek

Building the architecture necessary to prevent anoth-er Wikileaks might take several years, director of na-tional intelligence James Clapper said at an event Thursday in Washington, D.C.

The Wikileaks scandal, in which 260,000 diplomatic

cables, many of them sensitive, were burned onto CD-

RWs and later published online, has accelerated work

toward ensuring that information sharing is secure,

Clapper said in a speech on information sharing at the

Center for Strategic and International Studies. Howev-

er, there is no silver bullet to preventing insider

threats.

Read article online

Do you need a cyber umbrella?

Mary K. Pratt (Computerworld (US))

If your company were hit with a cyber attack today, would it be able to foot the bill? The entire bill, in-cluding costs from regulatory fines, potential lawsuits, damage to your organizations' brand, and hardware and software repair, recovery and protection?

It's a question worth careful consideration, given that the price of cyber attacks is rising at an alarming rate. The second annual Cost of Cyber Crime study, re-leased last August by the Ponemon Institute, reported that the median annualized cost of cybercrime for a company is $5.9 million -- a 56% increase from the 2010 median figure.

Continue reading online

About the author:

Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served

as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a fre-

quent contributor to SearchSecurity.com, a technical editor for Information Security magazine and the author of

several information security titles, including the CISSP Prep Guide and Information Security Illuminated.

Page 6

THE NORTHWEST NEWS

On Tuesday, November 15, 2011, the Global Board approved the implementation of several key changes to the Continuing Professional Education (CPE) reporting process. The changes in the program align The IIA with industry best practices and will enhance the reporting experience for certified individuals.

Effective January 1, 2012, changes to the reporting period, CPE requirements, and the reporting process will be implemented. The

table below summarizes these changes.

The full list of changes as approved by the Board of Directors is available in The IIA’s Administrative Directive Number 4: 2011.

(Continued on page 7)

Changes to Continuing Professional Education (CPE)

Requirements and Reporting Processes to be Implemented in 2012

Page 7

THE NORTHWEST NEWS

Changes to CPE, cont.

WHAT DO THESE CHANGE S MEAN FOR YOU? The 2012 reporting year will be a transition year, bringing all certified individuals in line with the new CPE program. Candidates will

need to report for a varied amount of CPE based on when they last reported. The table below indicates the reporting requirement

for the December 31, 2012 deadline based on the certificant’s ID number and last reporting cycle.

(Continued from page 6)

Page 8

THE NORTHWEST NEWS

1st

ANNUAL JOINT IIA/ACFE FRAUD CONFERENCE

CHICAGO SPRING 2012

JOINTLY SPONSORED BY CHAPTERS OF

Friday May 11, 2012

Full Day Event

We are pleased to present to you Special Guest Keynote Speakers:

Denny Beran, Chairman of the Board, Institute of Internal Auditors

James Ratley, President, Association of Certified Fraud Examiners

Stay tuned for further details

The 1st Annual Roundtable for Internal Audit Seniors

and Supervisors!

Discuss the challenges and the tremendous opportunities facing seniors and

supervisors in 2012 and beyond.

Date: Wednesday, February 15th, 2012

Time: 1:30 Registration / Event runs from 2:00 am to 4:00 pm

Location: RSM McGladrey, 20 North Martingale, Lower Level Training

Room,

Schaumburg, IL

CPE: Attendees are eligible for 2 CPE Credits

Prerequisites: None

Cost: $20

Register: For more information or to register,

visit https://www.123signup.com/register?id=crqhd

Fraud 2012: What’s Out There and

What Auditors Can Do About It

Date: March 8, 2011 Location: Sears

3333 Beverly Rd.

Hoffman Estates, IL, 60179

Registration: 8:30

Training: 9:00 – 4:30

CPE: 8

Cost: $185

Register today!

https://www.123signup.com/register?id=crvyj

The Latest IT Security Trends and Challenges

1st Chicagoland Information Security Officer (ISO)

Roundtable

Crowe Horwath will host and facilitate a discussion

of the topic: “The Latest IT Security Trends and

Challenges.” To kick-off the session, Special

Agents Alyssa Doyle and Pete Traven with the FBI

will discuss of the latest information security

trends.

Contact/RSVP:

Please contact mike.delgiudice@crowehorwath.com

Date February 22, 2011

Location Crowe Horwath

One Mid America Pla-

za, Suite 700

Oak Brook, IL

Time 8:00 -10:30 AM

Board members

Brian Babendir President

Mark Alexander Academic Relations

Elliott Bujan Communications

John Turner Research, Publication and Certifications

Matthew Budy Operations

Frank Moriarty Enterprise Relations and Advocacy

Brian Duffy Membership

Curtis W. Siegel Director of Forums

Angela Banks-Buford Administration

Toula Panagakos Programs

Oliver J. Tang Finance

Term expiring in 2012

Tami McLane Michael Heraty

Sharon Bell Tracy Heming-Littwin

Term expiring in 2013

Frank Moriarty Adewale Ademokunla

Earl Potjeau James A. Ruzicka

Governors

CHAPTER SITE: WWW.THEIIA.ORG/NORTHWESTMETROCHICAGO

EMAIL: IIACHICAGONW@GMAIL.COM

Page 9

THE NORTHWEST NEWS

Welcome, New Members

Brian Mohr 1/11/2012

Zipporah Hamlet 11/1/2011

Brian Tornga 11/3/2011

Joseph Hamilton 11/3/2011

Kush Desai 11/3/2011

Chris Oldiges 11/3/2011

Jeffrey Whiteside 11/10/2011

Chen Song 11/15/2011

Adam Trudo 11/30/2011

Meghann Cefaratti 12/5/2011

Chih-Chen Lee 12/5/2011

Sandra Fasnacht 12/6/2011

Heather Boyce Kearns 12/9/2011

Kimberly White 12/12/2011

Laurel Orenchak 12/12/2011

Michael Davis 12/12/2011

Jim Haan 12/12/2011

Nancy Rochwick 12/12/2011

Maxine Kirchgessner 12/12/2011

Michael Hueser 12/12/2011

Luke Penskar 12/12/2011

Sandy Oh 12/12/2011

Michael Barhaug 12/12/2011

John Wojcik 12/14/2011

Sarah Gainer 12/19/2011

Kathleen Grogan 12/27/2011

Robert Riecker 1/11/2012

Andrae Johnson 1/11/2012

Prapti Desai 1/11/2012

Jason McConnell 1/11/2012

Elena Ghinea 1/11/2012

Melissa Bumbales 1/11/2012

Yuriy Stasij 1/11/2012