Monday | September 14, 2020 8:30 9:45 a.m. EDT · 2020-07-07 · Monday | September 14, 2020 8:30...



Monday | September 14, 2020 8:30 – 9:45 a.m. CDT Opening Keynote: How to Compete in a Global Economy Todd Buchholz Former White House Director of Economic Policy and CNBC Regular Never before have businesses felt such excruciating pressure to compete. While riding a roller coaster stock market, firms have struggled to raise prices, even when their costs go up. China poses a threat, but also an opportunity for new sales. Loyal customers seem ready to jump to a competitor. How can your company or industry survive and thrive? In this session, participants will:

• Understand what Congress may do to help or hurt their industry in the coming year.

• Learn how to anticipate new trends that could open up fresh opportunities for manufacturing, service, and technology companies.

Todd Buchholz is a frequent commentator on the state of the markets, bringing his experience as a former White House director of economic policy, managing director of the $15-billion Tiger hedge fund, and Harvard economics teacher to the cutting edge of economics, fiscal politics, finance, and business strategy. Buchholz appears regularly on ABC News, PBS, and CBS and recently hosted his own special on CNBC. He has debated such luminaries in the field as Lester Thurow and Nobel Laureate Joseph Stiglitz. He’s also served as CEO of Sproglit; president of G7 Group; fellow at Cambridge University; and co-producer of Broadway’s Jersey Boys. Buchholz won Harvard’s Allyn Young Teaching Prize, holds several patents, and invented the Math Arrow.

Monday | September 14, 2020 10:15 – 11:15 a.m. CDT CS 1-1: Velocity Mismatch: Hidden Tensions Between People, Process, and Technology Billy Cheung, CISA, CRISC, CFE, ACDA Internal Audit Manager, Data Analytics Fannie Mae Catherine Schlegel, CISA Senior Internal Auditor, Data Analytics Fannie Mae


Analytics, ML, RPA. These are just some of the technologies that continue to both woo and elude audit departments. Yet underlying that promise of 100% coverage and automating away the mundane, there are still people in the weeds, researching the exceptions from that 100% coverage, and people who will still need to work together, combining domain knowledge and technical know-how to assess the outliers. In this session, participants will:

• Examine three case studies highlighting how the simple human ability to collaborate, collect and connect the dots, and continuously improve defined the success of several highly technical initiatives.

• Learn from our experience on what works and what doesn’t with different collaborative approaches in data analytics.

• Visualize the invisible work that steals all our time to acknowledge, and subsequently codify and unify divergent internal processes.

• Discuss the value of cultivating and developing a cross-functional audit staff.

Billy Cheung is a manager with Fannie Mae’s internal audit data and analytics team. With more than a decade of experience in the cultivation of audit intelligence through data visualization and audit analytics across a number of industries, his breadth of experience ranges from Canadian provincial regulatory agencies to U.S. healthcare providers to the U.S. housing industry. Previously, as a consultant with ACL Services, Cheung conducted training seminars and workshops for professional associations, Fortune 100 companies, and nonprofit organizations.

Catherine Schlegel has more than four years of experience working in data analytics within banking and financial services. Currently, as an internal auditor and data analytics specialist within Fannie Mae’s internal audit department, she is responsible for delivering data analytics and providing assurance over client reporting in support of the department’s business and technology audit teams. Schlegel previously worked at Freddie Mac and Wells Fargo as a data analyst.

CS 1-2: Culture: Is It Your Enemy or Your Friend? Pamela McWilliams Hauser Sr. Consultant, Internal Audit Nationwide Insurance Melissa Dimitri, CIRA Managing Director, Practice Lead Culture and Behavior Strategy Grant Thornton


Katherine Delesalle Growth & Transformation Practice, Senior Associate Grant Thornton A healthy culture creates higher employee engagement and stronger operating results. But just as culture can be a strategic advantage, it can also be an inhibitor, introducing organizational risk. Learn how to connect your vision, values, strategy, and mission to your company culture and assess the downstream impacts of an audit on culture. In this session, participants will:

• Understand how to assess the downstream impacts of an audit on culture.

• Learn how to determine if their organization is prepared for what they might find.

• Gain insights into remediating findings and measuring the improvement of culture.

• Identify how to measure ROI.

Speaker Bios Being Finalized

CS 1-3: Auditing (and Understanding) Your ERP Beyond ITGC Brian Tremblay, CIA, CISA Compliance Practice Leader Onapsis

ERPs are incredibly complex, business-critical applications; outages or breaches can irreparably damage your organization and brand. You tell yourself things are fine because you have passed ITGCs and your InfoSec team assures you all is well because they get two pen tests annually. But what if you ‘ace’ ITGCs and do all the right things for your network and perimeter, yet are still completely exposed to risks you’re unaware of? Attendees of this session will:

• Learn the shortcomings of traditional ERP auditing approaches (specifically ITGCs).

• Hear about the hidden risks that exist in their ERP that can create the same risks ITGCs seek to address in different ways.

• Understand what internal auditors can do to proactively help their organizations identify and mitigate these risks.


Brian Tremblay leads the Compliance Practice at Onapsis, where he helps customers understand and navigate challenges and opportunities created by the increasing overlap of compliance, cybersecurity, and business continuity related to IT general controls and regulatory/compliance matters such as SOX and GDPR. Prior, as CAE at Acacia Communications, he founded and led the internal audit function, helped prepare the organization to go public, and facilitated ERM implementation. Previously, Tremblay oversaw all audits and projects within North America and liaised with global quality managers as director of internal audit at Iron Mountain. Formerly, as a senior manager at Houghton Mifflin Harcourt, he built an internal audit department and implemented SOX. Earlier in his career, he worked at Raytheon and Deloitte.

Monday | September 14, 2020 11:30 a.m. – 12:30 p.m. CDT

CS 2-1: Superior Slides for Executive & Board Reporting Janet Jarnagin, CIA Senior Vice President, and Audit Director, Executive Reporting Bank of America Melissa Donner, CIA Vice President, Audit Supervisor Executive Reporting Bank of America

Most of us have heard the overly simplified PowerPoint tips and tricks to creating a great presentation, but what about those times when your slides aren’t for an actual presentation? In today’s world, we are constantly using and distributing slide decks as reports, without ever intending to speak to every slide. This session will review how to create superior, executive-ready “slide-u-ments” that can speak for themselves (no presentation required). In this session, participants will:

• Define the difference between slides used for presentations and slides meant to stand alone.

• Understand audience analysis and storyboarding.

• Demonstrate a basic understanding of data visualizations.

• Apply a series of tools to polish their PowerPoint deliverables.


Janet Jarnagin is an audit director for the executive reporting team within corporate audit and credit review, responsible for the production of reporting to key stakeholders. She joined Bank of America in November 2017, bringing 12+ years of experience providing internal audit and business process consulting in banking/financial services. Her specializations include audit practices, executive presentations, regulator engagement, and audit metrics and reporting. Prior, at JPMorgan Chase & Co., Jarnagin led teams responsible for board- and senior-level stakeholder reporting, ad hoc strategy and organizational transformation programs, and the department’s communications plan. She also managed the department’s metrics and monitoring and supported strategic initiatives. Previously, at KPMG, Jarnagin performed internal audits and quality assurance reviews. Melissa Donner’s Bio Being Finalized CS 2-2: Anti-money Laundering Audit Scoping and Hot Topics Gary Lindsey, AMLP Principal Crowe LLP Shannon Moskal, CAMS, CFE Financial Crimes Consulting Senior Manager Crowe LLP Jacob Rivkin, CAMS Financial Crimes Consulting Manager Crowe LLP Regulators emphasize the importance of maintaining effective anti-money laundering (AML) compliance programs. Auditors need to be aware of trends in regulatory supervision and areas of heightened scrutiny when shaping/establishing scope for AML audits. This session will explore trends in regulatory supervision and audit strategies and techniques that may be deployed during your next audit as well as an overview of current AML hot topics.


In this session, participants will:

• Learn to identify trends in AML supervision and areas of increased scrutiny.

• Explore audit techniques and strategies to deploy within their AML audit.

• Discuss areas of common regulatory criticism and challenges in deploying an effective AML audit.

• Understand current AML hot topics and how to incorporate them into their next AML audit.

Gary Lindsey is a principal in the Crowe LLP risk consulting group and leads the firm’s national delivery of anti-money laundering (AML) audit services. In this role, he is responsible for maintaining service standards, resource development, quality assurance, and technical requirements. Lindsey has more than 20 years of experience and specializes in AML audits for financial institutions throughout the United States, including providing independent reviews, program self-assessments, peer reviews, operational effectiveness testing, and international examinations on behalf of government agencies. He has helped client audit committees and boards of directors anticipate regulatory expectations while addressing organizational constraints.

Shannon Moskal and Jacob Rivkin Bios Being Finalized

CS 2-3: Personal Data Supply Chain: What It Means to You and Your Company Kevin McCreary Director, Enterprise Applications Protiviti Frank Vukovits, CIA, CISA Director, Strategic Partnerships Fastpath

Compliance with privacy regulations like GDPR and CCPA is now emphasized as a part of business, but how companies need to adapt going forward is often ignored. This session explores how controls around personal data privacy pose more than just a technical challenge, and warns that without sound business process changes and updated methodologies, companies will fail to provide environments that others in their ‘personal data supply chain’ will want to work with going forward.


In this session, participants will:

• Understand current privacy regulations and how their company is impacted.

• Explore how their company needs to be changing its business process to consider privacy and security by design into their day-to-day operations, and the best way to audit these processes.

• Discover proven techniques that have allowed for easier adoption of privacy guidelines and regulations, and how auditors are reviewing these techniques.

• Determine where their company stands today and what actions may be required in the future to effectively handle personal data in the organization.

Kevin McCreary’s Bio Being Finalized

Frank Vukovits has 30 years of experience as an auditor, business software user, and vendor of audit and security software. He has implemented and managed numerous ERP projects and now combines his software and audit knowledge as director of strategic partnerships at Fastpath. Prior to his time working with Microsoft business applications, he was in corporate IT audit for GTE/Verizon for 12 years. Vukovits has presented educational sessions publicly at user groups and audit events for the past two decades. He previously served on Internal Auditor magazine’s editorial board and was an IIA distinguished faculty member.

Monday | September 14, 2020 1:30 – 2:30 p.m. CDT CS 3-1: Compassionate Leadership Crystal Markowsky Director, Internal Audit PayPal Stephen Caesar Director, Internal Audit PayPal Compassionate leadership/engagement recognizes that every team member is not only a significant individual, but also an essential thread in an organization’s fabric. Internal audit is uniquely positioned to demonstrate this internally to our teams and externally with our stakeholders/auditees. Compassionate leadership/engagement focuses not on the short-term or instant gratification, but instead on what’s best for the individual, the team, and the organization, and it considers other factors influencing or impacting the situation at hand.


In this session, participants will:

• Learn what compassionate leadership/engagement is, why it’s essential, and how it’s beneficial.

• Discuss the inspiring traits of a compassionate leader and holistic leadership.

• Link compassionate engagement with their roles in internal audit.

• Discover how they can continue to be compassionate.

• Hear tips for guiding their team to perform at a high level, increase profits, and make their organization look good on paper.

Crystal Markowsky has financial services experience that includes technology integration, project management, internal audit, and risk management. Her expertise encompasses privacy, identity theft, information security, vendor management, and disaster recovery/business continuity planning. Before joining PayPal, she was the BSA, information security, and privacy officer for a local bank.

Stephen Caesar joined PayPal from American Express, where he held senior positions such as vice president of regulatory relations; vice president of strategic quality plans and strategic initiatives; and director of internal audit. Prior to American Express, he was a senior consultant for enterprise risk services at Deloitte and started his career as an auditor at Marriott International.

CS 3-2: The End of LIBOR: Is Your Institution Ready? Christopher J. Dias Partner KPMG Eric Kingdon, CIA Audit Manager US Bank TJ Scallon Partner KPMG


As the financial system braces for the end of the London InterBank Offered Rate (LIBOR), financial institutions are working hard to understand how market behavior might affect the transition away from LIBOR, how the bottom line will be affected when financial products are tied to the alternative Secured Overnight Financing Rate (SOFR), and the products and systems that will be affected by the transition. In this session, participants will:

• Understand internal audit considerations for the LIBOR transition and leading practices.

• Hear perspectives from industry participants on alternative reference rates.

• Examine processes financial institutions are implementing to prepare for the LIBOR transition.

Christopher J. Dias and Eric Kingdon’s Bio Being Finalized TJ Scallon has 25 years of experience providing audit and advisory services to global financial institutions. As an advisory partner within KPMG’s internal audit and enterprise risk practice, he works closely with senior management in areas such as governance, risk and compliance, internal controls and audit frameworks, issue remediation, and ERM across all three lines of defense. Scallon was previously an audit partner within KPMG’s financial services audit practice, serving some of the firm’s largest banking and capital markets clients. He is currently the financial services lead for internal audit and enterprise risk nationally and KPMG’s New York Office banking and capital markets industry leader. CS 3-3: Internal Audit Is Crucial to Your Cloud Implementation. Learn Why! Cheryl Levesque, CIA, CPA, CISA, FLMI Partner DHG Cloud computing offers companies significant benefits in maximizing speed and leveraging economies of scale while introducing workforce flexibility and cost reductions on technology spend. These capabilities allow organizations to approach each period end with greater confidence and much more visibility into any potential bottlenecks. We will discuss the importance of positioning internal audit at the forefront of the implementation and how to ensure internal audit is engaged by the organization.


In this session, participants will:

• Define the importance of internal audit’s role within implementation of a cloud solution.

• Understand how internal audit can engage with organizational leaders considering cloud solution options.

• Hear examples of successful integration of internal audit within actual cloud implementations.

Cheryl Levesque is an advisory partner in DHG’s New York office. While advising Fortune 500 global public clients, she has served as CAE during a complete internal audit department redesign; overseen a SEC reporting department and the issuance of quarterly filings while redesigning the department’s process, people, and technology; managed the transition of shared services duties to a newly created Center of Excellence in Asia; handled a complete design of the second line of defense department for a newly spun-off public company; and assisted in purchase accounting and SOX compliance for acquisitions. Previously, she oversaw financial and operational audits, SOX compliance, fraud investigations, continuous monitoring engagements, and the first outsourcing audit in India as an internal audit department manager for a global provider of risk management products.

Monday | September 14, 2020 3:00 – 4:00 p.m. CDT CS 4-1: Auditing Through Regulation and Beyond: A "Plan" for Success Samantha Corvino, CPA, CISA Head of Internal Audit Municipal Securities Rulemaking Board This session will explore challenges involved with meeting regulator expectations while building a robust, value-add audit program. We’ll tackle the balance between required regulator-based audits, cyclical and risk-based audits, and integrating advisory reviews into the annual audit plan. Additionally, we’ll discuss how small audit functions can remain agile for unanticipated “fork-in-the-road” projects that increasingly burden audit plan success. Finally, we’ll explore how to employ third-party assistance to maximize internal audit efficiencies and your audit budget. In this session, participants will:

• Distinguish the optimal balance between regulator required audits, cyclical audits, and risk-based audits on the annual plan.

• Determine how best to integrate advisory projects into the internal audit portfolio.

• Develop a roadmap for remaining agile, even with required regulatory reviews.


• Describe how to best deploy audit teams for audit plan success, including the use of outsourced support.

Samantha Corvino leads the internal audit department at the Municipal Securities Rulemaking Board (MSRB), where she independently develops and executes the organization’s annual risk-based internal audit plan, including a comprehensive IT audit associated with the U.S. Securities and Exchange Commission’s Regulation Systems Compliance and Integrity. As staff liaison to the MSRB Board of Directors’ Audit and Risk Committee, Corvino manages assessments and evaluations of organizational risks, mitigations, and controls. Previously, as senior manager of internal audit-IT at Protiviti, she oversaw a portfolio of financial services and telecommunications client accounts. Prior, as a manager of risk advisory services at RSM US LLP, Corvino delivered IT risk-driven projects comprising both consulting and attest services. CS 4-2: The BSA Audit Experience

Bradley Carroll, CIA, QIAL, CFSA, CRMA, CPA, CFF Principal Frazier & Deeter, CPAs & Advisors Steven E. Jameson Executive Vice President, Chief Internal Audit, and Risk Officer Community Trust Bancorp, Inc. This session will walk auditors through the history of and approaches to BSA audits as well as the expectations of the examiners. We will share practical examples of how to provide risk-based coverage and gain audit efficiencies in testing methodologies. In a case-study approach, we will show how we have used data analytic tools to enhance testing methodologies, eliminate sample risk, add more value, and change the tone of the exam. In this session, participants will:

• Understand FFIEC requirements, IIA Standards, and the Three Lines of Defense for BSA.

• Be provided an overview of BSA testing areas.

• Receive an introduction to enhanced/automated testing.

• Discover how to gain audit efficiencies in testing.


Bradley Carroll created and led the internal audit department as the CAE of a $5B bank in Atlanta. He previously served in internal audit at a $1B community bank, was a senior internal auditor at Wachovia Bank, and started and merged a CPA firm. At Frazier & Deeter, Carroll provides internal audit and consulting services to bank boards, CAEs, CROs, CFOs, and CEOs. His CAE experience gives him insights that make him a better service provider, as he understands both views. He has worked with banks from $200M up to $72B in asset size. A longtime IIA member, he presently serves on the Financial Services Advisory Board and has held chapter leadership roles. He has presented on risk management at IIA and bank industry conferences, receiving ratings of more than 4.5 from attendees.

Steven E. Jameson’s Bio Being Finalized

CS 4-3: Getting Started or Progressing Your Analytics Program: It's About Change, Not Tech Susan Powell, CRMA, CPA, CISA Senior Vice President Somerset Trust Company Ken Peterson, PMP Product Manager, TeamMate Analytics Wolters Kluwer

Whether your team is just getting started or you are stalled on your analytics journey, you will get ideas that have worked for other audit teams. While tech plays a role, it is not so much about the technology you use, but the desire and focus of your team. If you want different results, then change will be required, and we will discuss what that means from an analytics perspective. In this session, participants will:

• Walk away with actions to get all auditors performing at least some analytics.

• Understand why change is “hard” and discover some strategies to address that.

• Gain insights into how to measure their analytics program to chart progress.

Susan Powell, senior vice president of audit, has served in the capacity of chief audit executive of Somerset Trust Company since January 2007. Her background includes eight years at the Federal Home Loan Bank of Pittsburgh in the corporate risk and internal audit departments. Powell also served as an information systems auditor for a community bank in Ohio, as well as assisted federal agencies and management in the fraud investigation at Phar-Mor, Inc. Her public accounting experience includes five years at Ernst & Young.


Ken Petersen has more than 25 years of experience developing and implementing systems and working with data in a variety of capacities for both Fortune 500 and entrepreneurial software development companies. Since 2002, he has focused on the governance, risk, and compliance space, helping numerous customers across multiple industries implement software solutions to satisfy various business needs. Petersen has been with Wolters Kluwer since 2009 and is currently a director and product manager of the TeamMate Analytics product focused on helping auditors perform data analytics.

Monday | September 14, 2020 4:15 – 5:30 p.m. CDT General Session 2: Internal Auditor’s Role in the New Normal – Sound Bite featuring: Moderator: Julie Scammahorn, CIA, CRMA Senior Executive Vice President and Chief Auditor Wells Fargo & Company Session Abstract Being Finalized Julie Scammahorn has 20+ years of financial services industry experience. At Wells Fargo, she is chief auditor, serves on the operating committee, and leads an internal audit organization of approximately 1,600 team members. As leader of Wells Fargo’s Veteran’s Team Member Network, Scammahorn is guiding development of a companywide approach to recruit and retain military veterans. She previously oversaw a global team of 1,850+ and held direct audit responsibility for anti-money laundering and compliance as chief auditor of Citigroup’s Citibank, N.A. Prior, as general auditor and senior vice president at American Express, she led a team of 150 audit professionals with an annual audit plan of 240,000 hours. Scammahorn also held audit services leadership roles at Bank of America, was principal/head research analyst at Meritus Research, and served in the U.S. Marine Corps.

The Road to Resiliency – Building a Robust Audit Plan for Operational Resilience Doug Wilbert Managing Director, Risk and Compliance Protiviti

The pressure comes amid fears that operational disruptions to the products and services which organizations provide have the potential to harm consumers and market participants, threaten the viability of these entities, and create instability in the financial markets. A string of large-scale technology outages and attacks in recent years has exposed vulnerabilities and intensified regulators’ concerns. In this session, participants will:

• Outline how operational disruptions can harm consumers and market participants, threaten organizational viability, and fuel instability in the financial markets.

• Discuss recent large-scale technology outages and cybersecurity attacks.

• Explain the immediate impact in the face of a pandemic, including exposure of systemic vulnerabilities and intensification of regulators’ concerns.

Doug Wilbert’s Bio Being Finalized

Operational Resilience in the Face of a Pandemic Theresa (Terry) Grafenstine, CIA, CPA, CISSP, CISA, CRISC, CGEIT, CGMA Chief Auditor, Cyber, InfoSec, Continuity of Business, O&T Risk, and Third Parties Citigroup Session Abstract Being Finalized Theresa (Terry) Grafenstine is a chief auditor at Citi responsible for internal audit’s delivery of assurance on governance, risk management, and control across five businesses globally. Previously, as a managing director in Deloitte’s risk and financial advisory practice, she provided executive coaching to chief audit executives across all commercial industries and IT audit, risk, and governance advisory services to senior defense and national security leaders. Prior, as the appointed Inspector General of the U.S. House of Representatives, she designed, managed, and delivered audit and investigative services, including a comprehensive cyber assurance program. Grafenstine has held leadership roles with The IIA, ISACA, and AICPA. She has received numerous awards and was inducted into The IIA’s American Hall of Distinguished Audit Practitioners in 2019.


Role of Audit in Business Continuity Seth Morgan, CIA Deputy Chief Auditor, US Audit Scotiabank Kevin Bertscha, CPA Managing Director, Internal Audit Pershing, a BNY Mellon Company This presentation examines internal audit’s role and presence in two different business continuity scenarios: physical business continuity planning (BCP) for the need to relocate due to power outage, terrorist attack, or natural disaster; and for a pandemic with quarantine or decentralization requirements. This timely discussion is relevant to the unprecedented business impact experienced in 2020, and will help prepare internal audit organizations for future situations. In this session, participants will:

• Consider internal audit’s involvement in the four phases of BCP, as well as its risk assessment role in “business as usual” and BCP scenarios.

• Stress the importance of the cornerstones of internal audit coverage, ‘Define, Rationalize, Document,’ in BCP situations.

• Gain tips for complying with methodology and standards while focusing on risk assessment and testing coverage of BCP data, especially in extended BCP situations like today.

• Understand how to document coverage of potentially accumulated risk and BCP-impacted work in the course of subsequent planning.

Seth Morgan has been a director of internal audit for more than seven years, first at BNY Mellon and now at Scotiabank. Prior to BNY Mellon, he spent 14 years at Rabobank International in operations. In his 20-plus years in financial services, Morgan has developed a strong background in bank operations, including loans, trading activities, and middle office controls. Kevin Bertscha is a senior audit director at BNY Mellon with more than 25 years of experience in financial services. He started his career in corporate trust before shifting to internal audit.


Bertscha has spent the vast majority of his career covering trading and brokerage operations, although he more recently assumed coverage of government clearing and tri-party repo functions (including resiliency capabilities). He also holds FINRA Series 7, 63, and 24 licenses and is a Certified Trust Auditor.

Tuesday | September 15, 2020 8:30 – 9:45 a.m. CDT

General Session 3: Liar, Liar, Pants on Fire Traci Brown Fraud Busting, Body Language Expert Session Information Being Finalized

Tuesday | September 15, 2020 10:15 – 11:15 a.m. CDT CS 5-1: Case-Based Learning: Project Audit Approach – Large Enterprise Programs Jeff Keller, CIA, CFSA, CISA Global Head, Technology, Digital, Payments, Fraud & Project Audit TD Bank Group This session will provide an overview of an internal audit approach to evaluating governance, risk management, and execution/delivery of programs and projects. We will discuss the real-time approach and how internal audit can have a strong voice in the risk and control dialogue, from initiation to post-implementation. We will use examples of large-scale programs currently in flight and provide some lessons learned from past project audits. In this session, participants will:

• Discover how to get and use their seat at the table to have a voice, while remaining independent.

• Understand a risk-based process to selecting programs/projects for review.

• Review case studies on large-scale programs (e.g. IBORs - benchmark rate reform).

• Gain insights into an approach to executing real-time project audits.

• See some lessons learned from past efforts.

Jeff Keller’s Bio Being Finalized CS 5-2: Auditing Cloud Service Providers: Devil is in the Details William Crowe, CRMA, CISA, CISM, CRISC, CASM Third-party IT Risk Analyst Experis When engaging a cloud service provider (CSP), the contract and service level agreement (SLA) language must be detailed, as this is the one place that an organization has any control of their business before the CSP takes over. “Who should provide this language and where does audit fit in?” are the primary questions. In this session, participants will:

• Evaluate their company’s due diligence process before engaging with CSPs.

• Determine if their company has roles and responsibilities identified and a sufficient data back-out plan is in place.

• Identify data that should be continuously reviewed to monitor their CSP’s data protection program.

• Understand the language of contracts, service level, and operating level agreements for a CSP.

Bill Crowe is a third-party IT risk analyst for a major medical insurance company; the owner and senior consultant for Krotek Security Services; and an adjunct professor for Webster University. He has 20+ years of experience in cybersecurity, information security, IT risk and controls, IT audit, and third-party security audit. A retired Navy CPO, he served for 24 years in the surface, aviation, and training communities. He has spoken on security topics, including vendor management and cybersecurity kill chain, at local and national ISACA events, Jacksonville IT Pro-Camps, and Jacksonville Security BSides events. Crowe has volunteered with the ISACA Jacksonville Chapter Board for eight years, including four years as president. CS 5-3: Auditing GDPR: Lessons From a Global Implementation Alain Marcuse, CIPP/E, CISA, CISSP, PCI QSA Director, Security, Privacy, and Risk RSM US LLP Leslie Larson Director, Global Risk and Compliance Primo Water


New data privacy regulations such as GDPR and CCPA are becoming Board-level and audit concerns for global and regional companies alike. We will explore the lessons learned from auditing our global GDPR compliance program, and how we expect the audit program to evolve as privacy regulations multiply, especially as regards management of widely dispersed and often poorly understood flows of newly regulated data. In this session, participants will:

• Understand the latest compliance requirements stemming from the GDPR and how to structure a risk-prioritized audit program.

• Effectively leverage the provided, detailed checklist to structure and conduct GDPR compliance audits.

• Complete tabletop exercises based on real-world cases, illustrating what can and has gone wrong with GDPR implementations, commonly noted gaps, and the resultant impact.

• Discuss, at Board level, the expected evolution of privacy regulations globally, and understand sources for staying up-to-date on these regulations.

Alain Marcuse has 30 years of experience in information systems, information security, and data privacy. He leads RSM’s security and privacy risk consulting practice in New England and RSM US’s data privacy service offerings nationally. He consults clients on privacy governance, security assessments, risk management, penetration testing, compliance frameworks, and strategic advisory services, in addition to supporting client teams with compliance program matters for GDPR, CCPA, and other privacy regulations. Marcuse has led large-scale engagements to design and develop cost-effective security program roadmaps to improve organizational maturity for some of the country’s largest corporations. He’s also supported legal counsel with comprehensive assessments that resulted in dismissal of class and regulatory actions following highly visible data security breaches. He frequently presents for multiple industry organizations, panels, and webcasts, as well as contributes to various publications. Leslie Larson’s Bio Being Finalized

Tuesday | September 15, 2020 11:30 a.m. – 12:45 p.m. CDT CS 6-1: Integrating Assurance: Enhancing Coordination and Partnership Across Your Organization Jude Viator, CIA, CISA, CRISC Associate Director P&N


Sarah Saunders, CIA, CFSA, CIDA Assistant Vice President, Internal Audit Jackson National Life Megan Reed Kramer, CPA Director, Internal Audit GATX Corporation Many internal audit groups receive feedback and challenge from stakeholders and audit committees regarding the need to better align assurance work being performed across the organization. However, many struggle to achieve the correct level of partnership and coordination. They also struggle with developing relationships and “marketing” the coordination occurring across the various lines of defense. This session will provide tips and tools for true coordination and partnership between various assurance providers. In this session, participants will:

• Describe the benefits and challenges of integrating their organization’s approach to assurance.

• Discuss strategies for identifying and engaging assurance providers across the organization.

• Identify techniques for gaining stakeholder buy-in and setting the foundation for a long-term partnership between internal audit and other assurance providers.

• Hear from three panelists with practical experience and perspectives on coordination in organizations that: have formal, distinct and independent multiple lines of defense; have close working relationships and more blended responsibilities for risk management across the second and third lines; and use co-source or outsourced models for internal audit, but still ensure activities are well coordinated.

Jude Viator is an internal and IT audit practitioner with more than 12 years of experience providing outsourced and co-sourced controls and risks services for private, public, and government organizations, with a concentration on financial institutions. His responsibilities have included designing, preparing, executing, and reporting on controls testing. In addition, Viator regularly meets with company management, senior leadership/ownership, and oversight functions, including committees and regulators, to discuss risks and internal audit strategies. Sarah Saunders is an assistant vice president of internal audit at Jackson, focusing on finance, financial risk, and asset management. She has more than 15 years of internal audit experience within financial services and consulting. Saunders is a district advisor and a member of the North American Chapter Relations Committee of The IIA.


Megan Reed Kramer’s Bio Being Finalized CS 6-2: Coordinating Risk Assurance Across the Three Lines of Defense: Separate But Not Siloed Richard Reynolds, CIA, CPA, CRCM, CAMS Financial Services Internal Audit, Compliance, and Risk Services Leader PwC Mani Sulur Executive Vice President, Risk Control Executive Wells Fargo Whether labeled QA, QC, monitoring, or testing, the Three Lines of Defense are evolving into three lines of testing. While each function plays a role in assuring risks are appropriately assessed, mitigated, monitored, and managed, the lack of coordination leaves organizations vulnerable to duplicative efforts or missed coverage and the resource inefficiencies they create. This panel session will explore techniques for better coordinating risk assurance activities across the Three Lines. In this session, participants will:

• Assess the challenges financial institutions face in implementing the Three Lines of Defense model.

• Distinguish root cause of implementation challenges from first, second, and third line perspectives.

• Recognize different views on the latest regulatory expectations and priorities.

• Understand solutions to improve the effectiveness and efficiency of risk assurance activities across the Three Lines of Defense and the future role of internal audit.

Richard Reynolds is the national leader for PwC’s internal audit, compliance, and risk services practice for the financial services industry. He has more than 30 years of experience working with financial institutions and is a trusted advisor to senior executives on solving complex risk management, compliance, and control related issues. Reynolds specializes in providing internal audit and first and second line of defense controls testing and monitoring services, ranging from program design to execution. He has managed risk management consulting and auditing engagements for a broad range of financial institutions, including commercial banks, investment banks, asset managers, insurance companies, and treasury operations of large corporations. Mani Sulur’s Bio Being Finalized


CS 6-3: Cracking the Cyber Liability Code Sean Scranton Cyber Liability National Practice Leader RLI Corp Nathan Thomas, CISSP, MCP Cyber Liability Underwriter RLI Corp Recent incidents emphasize how CISOs can be held accountable for cyber-related events, which may be mitigated by cyber liability insurance. However, are you sure your insurance company will pay a claim? What about those confusing forms? And how much insurance do you really need? Go behind the scenes with actual cyber insurance underwriters to crack the cyber insurance code and understand coverage issues, the application process, and how to effectively negotiate your premium. In this session, participants will:

• Understand the current cyber liability market.

• Identify common coverages and exclusions.

• Understand why claims are denied.

• Know the Do’s and Don’ts when filling out their application.

• Evaluate key factors to determine how much insurance they need.

Sean Scranton began his security career with the Air Force, working on the missile warning and space surveillance system at NORAD in Colorado Springs. He then became a network administrator with a regional healthcare corporation before moving to a midrange accounting firm, where he was responsible for implementing networks and firewalls, as well as performing IT audits and internet vulnerability assessments for financial institutions and federal agencies. Upon joining RLI in 2008 as an IT audit director, Scranton led the RLI security team, and he currently leads the cyber underwriting team. He is active on a few boards, including CEFCU credit union. Nathan Thomas’ Bio Being Finalized


Tuesday | September 15, 2020 1:45 – 3:00 p.m. CDT CS 7-1: Session Information Being Finalized CS 7-2: Fighting Fraud in a Rapidly Evolving Financial Services Landscape Barb Bergmeier, CIA, CFSA, CRMA, CISA, CRISC, CPA Financial Services Internal Audit Practice Consultant EY Dora Gomez, MS, CFE, CRMA, GRCP, GRCA Technology Consultant, FinCrime-Fraud and Compliance EY Kristen Santos Head of Fraud Prevention and Investigations Apple Bank Stacey Schabel, CIA Vice President and Chief Audit Executive Jackson National Life Insurance Company With speed and automation comes a heightened risk for fraudulent activity, and detecting and preventing fraudulent activities takes on increased urgency. Internal auditors must be prepared to identify and monitor fraud risks in today’s automated world, and evaluate whether fraud controls are designed and operating effectively to match the speed of operations. Internal auditors must continually evaluate opportunities to utilize technology, analytics, and continuous monitoring to effectively monitor fraud risks. In this session, participants will:

• Understand fraud risk management and reporting requirements for financial services organizations and internal audit’s role in fraud risk management and within an organization’s three lines of defense.

• Gain knowledge of trends and key areas of fraud risk in financial services, including a perspective on how risks are changing in a digital and automated world.

• Learn about options for internal audit functions to address the risks for fraud in their risk universe, risk assessments, audit plans, and audit programs.

• Discuss data analytics, continuous risk assessments, and control monitoring concepts.


Barb Bergmeier is a consultant for EY’s financial services internal audit practice. Previously, as a CAE in large financial services organizations for 20+ years, she oversaw fraud and special investigations units, led the development of analytics and continuous fraud monitoring programs, and worked with the first and second lines of defense to build entity-wide fraud risk management programs. Bergmeier also gained a solid understanding of fraud compliance regulations and fraud monitoring requirements, including BSA and AML. She has a significant IT audit background, is an active ISACA member, and has participated in cybersecurity engagements as both a practitioner and consultant. As an IIA North American committee member, Bergmeier worked with the Anti-Fraud Collaborative to develop guidance and training for internal audit professionals.

Stacey Schabel has more than 18 years of audit and risk management experience. She is responsible for a Jackson Holdings, LLC group-wide internal audit team that examines and evaluates the key activities and processes supporting the North American operations of Prudential plc, including Jackson National Life Insurance Company. She assists the board, audit and risk committee members, and executive management in protecting the organization’s assets, reputation, and sustainability by assessing and reporting on the overall effectiveness of risk management, control, and governance processes. Schabel serves on The IIA’s Global Financial Services Guidance Committee and is the Chief Audit Executive Engagement Chair for the Lansing, Michigan chapter.

Dora Gomez’s and Kristen Santos’s Bios Being Finalized

CS 7-3: Surviving the Data Breach Derrick Rice, CISSP, CISA, Director, Process Risks & Governance Frazier & Deeter, CPAs & Advisors Bradley Carroll, CIA, QIAL, CFSA, CRMA Principal Frazier & Deeter, CPAs & Advisors We will start with a typical presentation of data breach stats and information. A phone call will interrupt with a “reporter” informing the presenter that they received information about a data breach and asking for comment. We turn the presentation to a “read team” tabletop exercise asking participants to sketch out how they would respond. Every few minutes, we change the slide with a relevant consideration.


In this session, participants will:

• Learn about types of data leakage, data breach stats, and responses.

• Discuss notifying the BOD and legal, verifying a breach with IT, and checking their cyber coverage.

• Be provided with a breach response checklist and response plan takeaways.

Derrick Rice’s Bio Being Finalized Bradley Carroll created and led the internal audit department as the CAE of a $5B bank in Atlanta. He previously served in internal audit at a $1B community bank, was a senior internal auditor at Wachovia Bank, and started and merged a CPA firm. At Frazier & Deeter, Carroll provides internal audit and consulting services to bank boards, CAEs, CROs, CFOs, and CEOs. His CAE experience gives him insights that make him a better service provider, as he understands both views. He has worked with banks from $200M up to $72B in asset size. A longtime IIA member, he presently serves on the Financial Services Advisory Board and has held chapter leadership roles. He has presented on risk management at IIA and bank industry conferences, receiving ratings of more than 4.5 from attendees.

Tuesday | September 15, 2020 3:30 – 4:45 p.m. CDT Closing Keynote: Effects of the Pandemic on Internal Audit Practices Stacey Schabel, CIA Vice President and Chief Audit Executive Jackson National Life Insurance Company Dana Lawrence, CIA, CFSA, CRMA, CRVPM Senior Director, Compliance and Internal Controls Azlo Session Description Being Finalized Stacey Schabel has more than 18 years of audit and risk management experience. She is responsible for a Jackson Holdings, LLC group-wide internal audit team that examines and evaluates the key activities and processes supporting the North American operations of Prudential plc, including Jackson National Life Insurance Company. She assists the board, audit and risk committee members, and executive management in protecting the organization’s assets, reputation, and sustainability by assessing and reporting on the overall effectiveness of risk management, control, and governance processes. Schabel serves on The IIA’s Global Financial Services Guidance Committee and is the Chief Audit Executive Engagement Chair for the Lansing, Michigan chapter. Dana Lawrence is the senior director of compliance and internal control at Azlo, a tech company that provides online banking services for small businesses. She possesses 17 years of experience in the financial services and tech industry, working in a variety of audit, risk management, and compliance roles, including building departments and functions from the ground up, scaling teams, and successfully managing turnarounds. She is active in The IIA and currently serves on the Global Financial Services Guidance Committee where she develops guidance and standards. She also served as a board member, president, and vice president of The IIA–Portland chapter.