
2014 Canadian Conference on IT Audit, Governance and Security
2014 Fundamentals of IT Audit – A Three-Day Workshop

Note: As this event is now over, information is for reference purposes only.

March 26-28, 2014
Westin Harbour Castle Toronto Hotel, Toronto, ON
(in English only)

The conference and workshops are co-presented by the Chartered Professional Accountants of Canada (CPA Canada), the Institute of Internal Auditors (IIA) - Toronto Chapter and the Information Systems Audit and Control Association (ISACA) - Toronto Chapter.

2014 Canadian Conference on IT Audit, Governance and Security
March 26-27, 2014 (optional Post-Conference Workshop March 28)

This conference features plenary combined with concurrent sessions from top IT industry and professional services leaders on a variety of “hot topics”, each of which encompasses different aspects of IT Audit, Governance, and Security. This impressive, jam-packed program will refocus you and your team on the practical issues IT and senior financial professionals need in order to expand your knowledge and enhance your competitive edge.


2014 Fundamentals of IT Audit – A Three-Day Workshop
March 26-28, 2014

This three-day workshop is designed to provide new IT assurance-and-control professionals with the core skills needed by all Information Technology Auditors. You will review and understand key audit and control principles, as well as many practical techniques, which are all necessary to complete a wide range of IT audit assignments within today’s complex computing environments.


Canadian Conference on IT Audit, Governance and Security

Plus optional one-day Post-Conference Workshop (March 28)

Who Should Attend

This is the ideal conference for IT professionals and financial leaders with responsibility for the IT function including:

  • CFOs
  • CIOs
  • IT Security Officers
  • Managers of: IT, IT audit, internal audit, compliance
  • Auditors: external, internal and IT
  • Finance professionals with responsibility for the IT function

Topics Include

  • Big Data
  • ABYOD – Auditing “Bring Your Own Device” in Your Organization
  • Top Ten Security Risks
  • Corporate Espionage, Cyber Crime and Insider Threats
  • Putting SOC to work
  • NEW for 2014: Compliance issues for Financial Institutions
  • Chasing the Clouds Away – Auditing the Use of Externally provided SaaS Clouds
  • Shadow-IT – The Sequel
  • Overviews of: COBIT 5 and COSO
  • ERM


Day 1

Wednesday, March 26, 2014

7:30am - 8:30am
8:30am - 9:30am
Opening Keynote Address - "The Good, the Bad and the Ugly"
Eugene Roman - Chief Technology Officer, Canadian Tire Corporation, Limited


In his keynote address, Eugene Roman will share his views on issues, opportunities and new ideas in the areas of IT audit, governance and security.

About Eugene Roman

Eugene Roman was appointed Chief Technology Officer of the Canadian Tire group of companies in 2012.

He has prime responsibility for the evolution and operational support of all digital and interactive technologies of the corporation. His mission is to accelerate the deployment and use of next generation digital platforms to grow the revenue of the corporation and evolve key digital platforms to support the evolving needs of the corporation. He believes that the Canadian Tire team of highly skilled technologists are a major competitive differential in the delivery of systems of engagement which use the best internet technologies available today and into the future. He sees the future of retail as "etail" where smart technologies create new opportunities for innovation and excellence.

Eugene started his career in telecommunications and has worked for Nortel Networks Corporation, Bell Canada Enterprises Inc., and Open Text Corporation. In progressively senior technology and business roles in Canada, the U.S. and the U.K., Eugene was responsible for integrating critical technology and business processes to better deliver innovative programs. He has also led efforts to increase productivity and improve performance in order to deliver current and "next generation" services more efficiently within a large organization.

Eugene holds a Master's Degree in Administration, Bachelor's Degree in Economics, is a Certified Management Accountant, and is a recent graduate of the Institute of Corporate Directors program. He is a frequent speaker on "The Future of Digital Content" and was recently appointed as a Distinguished Senior Fellow at the Munk School of Global Affairs at the University of Toronto, where he will continue his outstanding work in advancing innovation in Canada. He is also an industry professor in Design Engineering at McMaster University.

9:30am - 10:30am
James Bond in Your Midst - Battling Corporate Espionage
Ed Rosenberg, BMO Financial Group


Although the Cold War between countries no longer exists, a new battleground is emerging in the global marketplace with the rise in industrial espionage driven by a more competitive environment. With increased pressure to gain competitive advantages and the advances in information technology, companies must set up protective measures to address risks such as emerging hacking techniques, electronic surveillance systems, and the rise of social engineering. Billions of dollars have been lost to foreign and domestic competitors targeting economic intelligence for technologies and corporate trade secrets. Is your company in a position to defend against this risk? This session will focus on the various forms of corporate espionage and methods to protect your business.

About Ed Rosenberg

Ed Rosenberg has more than 25 years of experience consulting on operational risk matters, including complex litigation, fraud and security. As Chief Security Officer, he is responsible for leading BMO's corporate security operations, including investigation, protective services and fraud management.

10:30am - 11:00am
11:00am -12:15pm
P3 Audit (Auditing PMOs, Programs and Projects)
Moderator: Rob Rowe, KPMG LLP
Panel: Ray Henrickson, Scotiabank and
Shirley Kelly, Project Management Specialist


In response to fast-changing business processes and environments, organizations are investing heavily in projects and acquiring the capabilities to manage their project risks more effectively. Establishing PMOs, grouping change initiatives into portfolios and programs, and building robust frameworks and methodologies are some of the common mechanisms used to prioritize, select and implement changes in a more effective, efficient and timely manner. As most audit, risk and compliance functions are becoming involved in reviewing and assessing project activities, it is critical that they have a good understanding of these activities and processes in order to assist management.

This interactive panel discussion brings together several individuals with extensive experience, knowledge and expertise from both the project management and audit communities to explain these key activities along with their objectives, roles and best practices, and to offer their opinions on how to effectively design the review of these processes and activities by clearly identifying the objectives, scope, communication and reporting.

About Rob Rowe

Rob Rowe is a partner at KPMG with over 25 years' experience focused on the implementation and review of IT systems within a variety of industries and a diverse range of organizations. Rob held national responsibility for KPMG's IT Assurance Services. Over the past 5 years, Rob has been the program director for KPMG's own implementation of a global enterprise system.

About Ray Henrickson

Ray Henrickson is the Vice President of Information Systems and Technology Audit at the Bank of Nova Scotia, responsible for the audit of risks and controls across the enterprise's data processing centres. In his career as an IT auditor, Ray has also headed the IT audit function of another major Canadian bank and served as an Information Systems Audit Partner with Ernst & Young, responsible for the delivery of internal audit, information systems audit and information technology consulting services in Southwestern Ontario and Western Canada.

Ray is the past chairman of the IT Advisory Committee of the Canadian Institute of Chartered Accountants.

About Shirley Kelly

Shirley Kelly has 25+ years' experience in the telecom and IT industry, working for Bell Canada and CGI Group Inc. Shirley has worked on large projects (USD $30 million plus) building new telecommunication systems (landline, fixed wireless, wireless) and e-services, as well as a server infrastructure and desktop modernization project. She also has international work experience in Brazil and Uruguay, creating and running project offices.

Shirley developed and delivered training for internal corporate initiatives at CGI, where she was the subject matter expert on project management training.

Shirley has been an instructor at Ryerson University for the Project Management Certificate program since 2005. In addition she has been a guest speaker at numerous conferences in Canada and U.S.

Big Data Part I: An Introduction to Big Data and Predictive Analytics
Jerry Gaertner, Managed Analytic Services Inc.


We have entered a new era. The coming together of computing power, cheap storage, pervasive internet, available bandwidth and HUGE amounts of new data have opened doors of opportunity for auditors. Opportunity to do what we have done for so long better and faster and more effectively. Opportunity to shift the focus of our profession from retrospective, historical and reactive to prospective, real time and predictive.

In this session, we'll discuss:

- What exactly is Big Data and why is it so important?

- Is this paradigm shift any different from cloud, internet, mobile and all the other changes we have seen?

- Why is the adoption of Big Data not optional - for businesses, governments and auditors?

- What should we be doing today to prepare ourselves and our organizations for taking advantage of upcoming changes and advances?

About Jerry Gaertner

Jerrard Gaertner is Senior Vice President, Risk, Compliance and Security at Managed Analytic Services Inc., a company he co-founded in 2012. He is a Chartered Professional Accountant (CPA), Chartered Accountant (CA), Certified Information Systems Auditor (CISA) and Certified Information Systems Security Professional (CISSP), and also holds certifications in IT governance, internal audit, fraud investigation, privacy and technology management. Jerry is also President of the Canadian Information Processing Society (Ontario), Canada's only statutorily mandated organization of IT professionals.

For 25+ years, Jerry has worked in the areas of systems assurance, computer auditing and security, eventually becoming a practice leader at two different global accounting firms. He is author of numerous articles on security, privacy, technology governance and risk, including most recently in Elsevier's International Journal of Accounting Information Systems, and has co-authored 3 comprehensive texts on bankruptcy and insolvency law (Carswell).

Jerry is currently developing a graduate-level program in computer security/privacy for Ryerson University, where he is Adjunct Professor of Computer Science. He is responsible for the strategic development of U of T's auditing, risk and finance courses (Continuing Studies) and is lead developer and instructor for their new Certificate in the Management of Enterprise Data Analytics.

Jerry is a highly regarded speaker and has spoken to many organizations over the years, including the ACM, ISACA, Canadian Bar Association, U Waterloo, CRA, OSFI and each of Canada's major banks. Jerry is a graduate of MIT, licensed trustee in bankruptcy and former member of the Boards of the Association of Certified Forensic Investigators (ACFI) and Ontario Association of Insolvency and Restructuring Professionals (OAIRP).

Social Media Risks and Governance
Anna Maria Cicirello and Doug Tumber, KPMG LLP


Social media is quickly becoming the new way people receive information and stay up to date with the latest trends and events, such as advertisements, endorsements, recommendations, gossip and news. Whether through Twitter, Facebook, LinkedIn, online blogs or many of the other emerging tools, all of these social media forums offer great potential for connecting with friends, peers and customers. Many use these forums as a way to voice their opinions, rally support, or simply make a statement.

One of the biggest impacts of the social media evolution is that instead of the conversations being between only a few individuals, the conversations are now broadcast to the masses at lightning speed. Effective methods of monitoring and responding to cyber chatter are necessary to protect organizations from reputational risk. This session will explore social media risks, myths, and leading practices for risk mitigation. We will provide some examples of social media mistakes, discuss questions organizations should be asking, and provide some examples of how social media can be used as a tool to support audit or investigation work.

About Anna Maria Cicirello

Anna Maria Cicirello is a Senior Manager within the Forensic practice of KPMG LLP in Toronto. She has over 14 years' accounting experience and has worked in various locations in Canada, the United States of America, China and the Caribbean. She currently provides advisory services to assist in fraud risk management, litigation support, investigations and various matters involving business disputes and related issues. She has authored several articles on social media, assisted organizations with establishing guidelines around social media policies, and utilized social media during the course of investigations.

About Doug Tumber

Doug Tumber is a Senior Manager within KPMG's Internal Audit Risk and Compliance Services in Winnipeg. He has over 15 years' experience providing assurance and advisory services to clients including assisting clients with regulatory compliance reporting, working with client internal audit functions, and performing specialized audit and advisory projects. He is an experienced facilitator and has led and assisted on a wide range of advisory projects including process redesign, improvement and gap analysis. Doug has conducted governance and privacy reviews on social media practices and has facilitated presentations in this area.

12:15pm - 1:30pm
1:30pm -2:30pm
Three Unique Challenges for IT ERM
Rob Quail, Hydro One Networks Inc. and Richard Wilson, PwC


Many organizations are encountering challenges when implementing an ERM process for their IT department. There are unique complexities in designing an IT risk process since there are multiple layers of IT risk. How do you separate and manage IT strategic risk, implementation risk, and the risk presented to other areas of the organization that rely on IT's services? Who owns these risks and how do you determine how large the impact is across the enterprise for any given IT risk? This session will discuss these questions and provide you with a practical approach to identify, assess, and manage your IT risks within the ERM framework.

About Rob Quail

Rob has had a leadership role in ERM at Hydro One since 2000, and developed much of Hydro One's pioneering ERM methodology. He has successfully applied ERM techniques to a diverse range of business problems and decisions, including annual business and investment planning, major transformational, infrastructure, customer, and technology projects, acquisitions, partnerships, divestitures, downsizing, and outsourcing.

Rob was a contributing author to the Wiley textbook "Enterprise Risk Management: Today's Leading Research and Best Practices for Tomorrow's Executives," and is a guest lecturer for the Schulich Business School "Masters Certificate Program on Business Performance and Risk Management."

He is an Industrial Engineering graduate of the University of Toronto.

About Richard Wilson

Richard's practical, strategic, performance focused approach to risk management has changed how boards, management teams, and front lines prioritize and manage risk today.

As Director, Risk at PricewaterhouseCoopers (PwC), Richard is a senior advisor across North America. His practical approach comes from 15 years in a CEO or COO role at publicly traded and private firms since 1992. In the past decade Richard has assessed, designed and implemented risk management programs for some of the most prominent organizations today, including the largest mining company and the largest retail company globally; Canada's largest public utility; federal and provincial public sector entities; and more than 40 other organizations across 10 sectors. Notably, Richard has led a risk assessment for the United Nations.

Richard has designed PwC's Performance + Risk methodology which is a distinctive approach specifically focused on managing risk as a means of achieving desired performance.

He has been published in Compliance Week, Canadian Business, and the Globe & Mail and has been a keynote speaker on the topic of risk at numerous conferences in Canada, the US, and Mexico. Richard is Chair of PwC's Mining Risk Forum, and he is an active board member of the Risk Oversight and Governance Board at Chartered Professional Accountants of Canada.

Big Data Part II: Big Data, Analytics and Governance - How do you apply all three to your organization?
Paul C. Zikopoulos, IBM


Every day, we create 2.5 quintillion bytes of data, so much that 90% of the data in the world today has been created in the last two years alone. This data comes from everywhere: sensors used to gather climate information, posts to social media sites, digital pictures and videos, purchase transaction records, and cell phone GPS signals to name a few.

Big data is more than simply a matter of size; it is an opportunity to find insights in new and emerging types of data and content, to make your business more agile, and to answer questions that were previously considered beyond your reach. Until now, there was no practical way to harvest this opportunity.

During this session you will learn:

- How to get started with Big Data

- Can you find a needle in a haystack?

- Why are governance and analytics important to you?

- How your peers are leveraging Big Data, through case study examples

About Paul C. Zikopoulos

Paul C. Zikopoulos, B.A., M.B.A., is the Vice President of Technical Professionals for IBM Software Group's Information Management division and additionally leads the World Wide Competitive Database and Big Data Technical Sales Acceleration teams. Paul is an award-winning writer and speaker with more than 19 years of experience in Information Management. Paul is seen as a global expert in Big Data and databases; independent groups often recognize Paul as a thought leader in Big Data, with nominations to SAP's "Top 50 Big Data Twitter Influencers", Big Data Republic's "Most Influential", and Onalytica's "Top 100" lists. Technopedia listed him as "A Big Data Expert to Follow" and he was consulted on the topic of Big Data by the popular TV show "60 Minutes". Paul has written more than 350 magazine articles and 16 books, including "Harness the Power of Big Data", "Understanding Big Data: Analytics for Enterprise Class Hadoop and Streaming Data", "Warp Speed, Time Travel, Big Data, and More: DB2 10 New Features", "DB2 pureScale: Risk Free Agile Scaling", "DB2 Certification for Dummies", "DB2 for Dummies", and more. In his spare time, he enjoys all sorts of sporting activities, including running with his dog Chachi, avoiding punches in his MMA training, and trying to figure out the world according to Chloë, his daughter.

Chasing the Clouds Away - Auditing the Use of Externally provided SaaS Clouds
Charan Kumar Bommireddipalli, Collins Barrow LLP


Cloud computing ("Cloud") is an IT service delivery model that enables convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned with minimal effort or service provider interaction. One of the most popular and fastest growing Cloud product categories is Software as a Service ("SaaS"). This category of products provides remote access to a service provider's externally hosted application. All the client needs is a workstation and a client interface, often a web browser, to access the service. Although SaaS technology provides significant business advantages, it can also create security and business continuity risks that must be carefully managed. This session covers the need to audit these externally provided SaaS Clouds, focusing on the existence and adequacy of controls in place to protect the organization's interests and its confidential information.

About Charan Kumar Bommireddipalli

Charan Kumar Bommireddipalli specializes in Enterprise Governance, assisting enterprises in enhancing their competitiveness by leveraging internal audit and deploying technology for strategic business advantage.

With over 20 years of experience, Charan has reviewed, in leadership roles, the operations of diverse organizations with global operations (a billion dollars plus in annual sales). He also led a special review at a unit of the United Nations in New York.

Charan specializes in process efficiencies, project management, CSAE 3416 audits and in the use of CAATS (Computer Assisted Audit Techniques).

Charan is a Certified Internal Auditor, a Certified Information Systems Auditor and Certified in the Governance of Enterprise IT. He is a regular speaker at various forums, including the Canadian Conference on IT Audit, Governance and Security in Toronto and the Computer Audit Control and Security Conference in Hungary, Singapore, Australia and the USA. Charan is a member of the Board of Governors of the IIA Toronto Chapter and a member of the Academic Relations and Research Committee of the ISACA Toronto Chapter.

2:30pm - 2:45pm
2:45pm - 3:55pm
ABYOD - Auditing "Bring Your Own Device" in Your Organization
Edwin Luk, Francis Romany, BCE Inc.


So BYOD has been around for a while now. Employees have been bringing their own devices. What now? Does Audit need to worry? This session walks attendees through the controls and risk considerations of BYOD in your organization and what an auditor needs to know to review the BYOD risks to the company. The session will touch on policies and procedures, roles and responsibilities, security structure design and architecture, end-user agreements and obligations, device testing and qualification processes, device on-boarding and off-boarding processes, and compliance monitoring and enforcement.

About Edwin Luk

Edwin Luk, CPA, CA, CISA has been in the field of Audit and IT Consulting for over 17 years. He began his career at Coopers & Lybrand as a consultant where he gained experience servicing clients in the manufacturing, waste management, and financial service industries. After leaving PwC, he took on a process improvement role with a utility company in their electricity retail division. Edwin is currently employed by Bell Canada in their Internal Audit department.

About Francis Romany

Francis Romany is currently a technology auditor in Bell Canada's Internal Audit department. Francis has over nineteen years of internal and external auditing experience covering financial, operational, IT audits, as well as control/risk assessments.

Before joining Bell Canada, he worked in the Internal Audit departments as a Senior Manager at Rogers Communications and a manager at BlackBerry (formerly Research in Motion). Francis also worked at KPMG offices in Canada, the United Kingdom and the Caribbean performing audit and advisory services.

Big Data Part III: Key Success Factors for Enterprise Data Migrations
Anthony Lorraway, KPMG LLP


Too often, system transformations fail or get off to a bad start due to poorly planned or badly executed data migrations. Lack of preparation and lack of understanding of quality objectives are just some of the underlying issues behind failed data migrations. In this session, gain an understanding of the key principles and techniques essential to a successful, high-quality data migration within a major system transformation.

We will cover:

- Relationship to the Enterprise Data Governance plan

- Source to Target Data mapping activities

- Transformation tools

- Data Validation Strategies and Objectives - Layered Approach

- Integration of the Advisor / Auditor

About Anthony Lorraway

Anthony has over 20 years' experience focused on the review of IT systems and processes, including those within the pre-implementation/development and operational phases of project implementations.

Over the past two years, Anthony has assumed a number of project leadership roles within KPMG's own implementation of a global enterprise system as part of both the US and Canadian teams. Foremost of these roles has been a data quality validation role where he worked with the technical Data Management team and the business data owners to establish a methodical process for confirmation of the data integrity.

Anthony spearheaded the development of procedures that helped provide confidence in load accuracy and quality, working with the business and technical teams to resolve problem areas within their data and processes and to establish tools to aid in the validation.

The Evolution of Protecting Your Network - Adapt or else....
Kent Schramm, Ministry of Government Services, Province of Ontario


The traditional approach to protecting a network is no longer enough. Firewalls, anti-virus protection, intrusion detection systems and other security devices are critical cornerstones of network defence, but they alone are not enough. The cyber threat is real and agile. In this presentation, we will cover the basic building blocks of cyber security, the multitude of threats the network faces every day, the shift to a risk based approach to cyber security and the importance of building cyber situational awareness in order to be proactive rather than reactive. In addition, some of the processes and tools used to detect, prevent, and remediate the malware on the network will also be discussed.

About Kent Schramm

Kent Schramm is currently the Head, Cyber Security, Ministry of Government Services for the Province of Ontario. The Cyber Security Branch is responsible for providing a full suite of cyber security services in support of the Province. Before assuming this position, Kent served at the National Cyber Security Directorate, Public Safety Canada in Ottawa for over two years. Leading several initiatives, he laid the foundation for establishing cyber situational awareness for the Government of Canada. In addition, Kent led the development of a national cyber incident response framework, identifying the roles and responsibilities for stakeholders in the federal government and others in responding to, and/or mitigating a significant cyber event affecting non-federal government computer networks.

Prior to joining Public Safety Canada, Kent served 22 years in the Canadian Air Force as a Communications and Electronics Engineer, attaining the rank of Lieutenant-Colonel. He served in a variety of operational and headquarters staff roles across Canada and at NORAD Headquarters in the United States. Since 1996, he has specialized in cyber operations for domestic, multi-national and deployed operations in Bosnia, Sudan and Afghanistan. Upon graduation from university, Kent served as a Forensic Specialist for several years with the Royal Canadian Mounted Police.

3:55pm - 4:00pm
4:00pm - 5:00pm
How Would YOU Handle a Security Breach? - Tabletop Exercise
Jeff Roth, Nova Technologies


Using a scenario based on real-world events, attendees will work in teams to develop a response based on their assigned roles. You'll then be provided with the actual responses used, and have an opportunity to evaluate and discuss how your responses compared to the real-world response.

Share your experiences and explore different options from different perspectives as you deal with the threat that is presented. The intent is to facilitate an interactive learning experience with your peers, form relationships and gain insights into solutions as you play your role in the scenario organization. After the session, attendees will also receive the actual scenario response used and industry-accepted good-practice templates for data loss/breach incident response relevant to their organization.

About Jeff Roth

Jeff Roth, CISA, CGEIT, CISSP-ISSEP, is a member of ISACA's IT Audit and Assurance and Information Security Foundations working groups and an Information System Security Engineering Principal for Nova Technologies. He currently focuses on IT critical infrastructure protection for DoD and Federal agency systems. Jeff has more than 27 years of external and internal audit experience ranging across Federal, State and Local governments along with the aerospace, chemical production, power generation, healthcare, petroleum exploration and manufacturing industries.

Prior to his current position, from 2005 to 2010, Jeff was the practice leader for RSM McGladrey's FISMA and DIACAP practice and director of Technology Risk Management Services for external and internal audits of publicly traded companies along with not-for-profits and state and local government. From 2000 to 2005 Jeff was the manager of internal audit and government relations for the NASA prime contractor for Space Shuttle and International Space Station operations. As part of his duties, Jeff provided specialized business process analysis and reengineering and disaster recovery, security, ethics, and fraud investigation support to inside/outside legal counsel, ethics officers, company security and the NASA Office of the Inspector General at Johnson, Kennedy, Marshall and Stennis Space Centers.

Jeff is a frequent speaker for ISACA, FICPA and the IIA throughout the Americas, Europe and Oceania on IT security, internal controls, risk management and governance. He was the 2006 recipient of the ISACA John Kuyers Best Speaker/Conference Contributor Award, which recognizes individuals for major contributions in Information Technology Audit and Security and/or outstanding speaking achievements.

5:00pm - 6:00pm
Sponsored by PwC

About PwC

PwC Canada helps organizations and individuals create the value they're looking for. We're a member of the PwC network of firms in 158 countries with more than 180,000 people. We're committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at

Day 2

Thursday, March 27, 2014

7:30am - 8:30am
8:30am - 9:30am
Cyber Crime: Now and Coming Soon to a Computer Near You
Jeff Adam, Director General, Technical Investigation Services, RCMP Technical Operations


This session offers a unique opportunity to hear the Canadian Law enforcement perspective on cyber criminal activities. Examples of some mitigation strategies to help protect against cyber crime will also be explored.

About Jeff Adam

Jeff Adam is a Director General in the Royal Canadian Mounted Police. He completed 14 years of operational policing in New Brunswick, with duties including General Investigation, Highway Patrol, Commercial Crime and Technological Crime Investigations. Soon after being transferred to Ottawa in 2002, he was asked to form the RCMP's Performance Management Unit (PMU) to bring in the Balanced Scorecard and link it to the RCMP's business planning cycle. The PMU was instrumental in achieving the Hall of Fame award from the Balanced Scorecard Collaborative and was featured in the Harvard Business Review. When the Task Force on Governance and Cultural Change in the RCMP was announced, he was chosen to lead the RCMP team in its support. Following the report, he was assigned to lead the RCMP writing team responding to the Government's Strategic Review. He then took on the position of Director of the RCMP's Proceeds of Crime and Money Laundering Programs. He is currently the DG of Technical Investigation Services in Technical Operations in Ottawa.

9:30am - 10:30 am
Shadow-IT - The Sequel: IT Risk Transformation and Lines of Defense
Baskaran Rajamani, Deloitte


As a sequel to last year's primer on the Shadow-IT issue and its risks, this session aims to broaden the discussion to other emerging drivers of IT-related business risk and the impact of the "IT risk transformation" that organizations are experiencing. Traditional IT risk management processes (risk identification, assessment and management), while still relevant in many respects, are proving inadequate in the face of unexpected risk exposures caused by organizations' extended boundaries and emerging IT risks (e.g. BYOD, social media, cloud computing, cyber security, shadow-IT). Organizations in regulated industries also face regulatory pressure that forces this transformation. This session will provide an overview of how organizations can address this challenge and plan their risk transformation journey, including the nature of the changes required to the organization, roles and responsibilities, processes and tools. The discussion will include concepts such as: three/six lines of defense, key risk indicators, risk appetite, risk tolerance and risk reporting.

About Baskaran Rajamani

Baskaran is a Partner with Deloitte in Toronto with over 30 years of experience, with the last 18 years in professional services. Baskaran specializes in helping financial services clients successfully manage IT risk management, audit, regulatory compliance, outsourcing and IT governance risks. Baskaran is a frequent speaker on technology risk management and technology governance topics and has authored several technical papers on IT risk management and IT audit and presented at conferences and seminars in different parts of the world. Baskaran is the President of the ISACA Toronto Chapter. Baskaran has a Master's in Engineering, an MBA in Finance and earned several professional designations.

Is Cloud Ready for Enterprise Deployment?
Reza Kopaee, RiskView Inc.


Organizations are continuously under pressure to make more efficient use of their IT resources while enhancing their compliance with regulatory and legal requirements. Cloud computing and its various flavours offer an enormous opportunity for agile and elastic computing with a lower capital cost. However, many organizations are reluctant to trust cloud service providers with critical information.

The purpose of this session is to understand potential opportunities of cloud computing while managing the enterprise risks. We will explore good practices from business requirements gathering to design, implementation, and security of cloud based solutions.

About Reza Kopaee

Reza is the director and founder of RiskView Inc. a Data Security and Data Analytics consulting firm. Reza has over fourteen years of solid experience in eCommerce, risk management and Information security. Prior to founding RiskView, he was an Associate Partner at Deloitte providing IT and risk management consulting services to large organizations including banks and governments. Reza has gained practical experience through direct involvement in more than 100 large IT and risk management initiatives.

Reza holds a B.Sc.H and MSc. in Computer Science from Queen's University, with expertise in Data Security, Governance Risk and Compliance, IT Strategy, and Emerging Technology Risk Management (Social, Mobile and Cloud).

Practical Implementation of the 2013 COSO Internal Control Framework
Massood Oroomchi, FinEx Group


The objective of this session is to provide a concise understanding of the requirements of the 2013 Updated COSO and how it differs from the existing 1992 COSO Internal Control Framework. The session will also demonstrate how to transition to the new COSO with the least amount of disruption to the business of the entity as well as its current Internal Control Program.

About Massood Oroomchi

Massood Oroomchi specializes in design and implementation of internal control environments, best practices for corporate governance, enterprise-wide risk assessment, and finance process optimization including accelerated close and spreadsheet controls. He has developed a comprehensive top-down, risk-based Internal Control Solution which is based on the 2013 Updated COSO Internal Control Framework and can easily be customized to any size of firm whether publicly traded, private, pre-IPO, government or not-for-profit organizations. He provides customized on-site training in governance, risk and controls for all forms of organizations resulting in significant savings in employee training costs. With 35 years of experience, he is a founding member of FinEx Group and is a Fellow of the Institute of Chartered Accountants of England and Wales, a past-member of the Board of Trustees of Canadian Financial Executives Research Foundation, a past- member of the Board of Directors of the Financial Executives International Canada and Past-Chair of FEI Canada's Audit and Finance, National Technical and Corporate Reporting Committees. He is also a past-member of the Accounting Standards Oversight Council of CPA Canada.

10:30am - 11:00am
11:00am - 12:15pm
IT Auditors Building Bridges between IT and Business
Cameron Chapman, Raul Mangalindan, Sarah Prsa, BCE Inc.


IT Auditors don't just audit IT. Since IT enables the business units to meet their objectives, IT Auditors help their organizations accomplish their objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes. To do this effectively, Internal Auditors need to build bridges of communication and collaboration between a number of teams. Attendees at this session will hear how IT auditors can and should establish strong relationships with IT and business auditors, the value of communicating the role of the IT auditor in the organization, some leading practices in bridge building and how to work together towards the success of your organization.

About Cameron Chapman

Cameron joined BCE Inc. in April 2010 and currently serves as Senior Internal Auditor in the Audit and Risk Advisory Services group. In this role, he has led audits focused on driving value-add process improvements in each of Bell's business units. During his time with BCE, Cameron also spent a year as Associate Director of Planning and Performance Management at Bell Media where he was responsible for various aspects of Bell Media's corporate forecasting and reporting and was involved in the integration of Astral into Bell Media in 2013.

A Chartered Professional Accountant (CPA, CA), Cameron began his finance career in the Audit and Assurance group of PricewaterhouseCoopers after graduating from The School of Business at Queen's University.

About Raul Mangalindan

Raul Mangalindan is currently the Vice-President of the Toronto Chapter of the Information Systems Audit and Control Association (ISACA) and a long-serving chapter volunteer. He is a Senior Audit Manager at Bell Canada, with over twenty-two years of integrated internal auditing experience covering financial, operational and IT audits, as well as control/risk assessments and fraud investigations. Prior to joining Bell Canada, he was a Senior Manager with KPMG and, before that, head of Internal Audit and Revenue Assurance at Sprint Canada.

Raul is also a long-standing member of the Institute of Internal Auditors (IIA) and the Association of Certified Fraud Examiners (ACFE). He is a CISA, CGEIT and CRMA. Raul has also spoken on various topics such as Audit Best Practices, Sarbanes-Oxley, Audit Automation, Revenue Assurance and Due Diligence at numerous conferences in Canada, UK and Malta. He was noted in the 2002 ACL User Challenge for the successful use of ACL in digital analysis and revenue assurance.

About Sarah Prsa

Sarah is a Chartered Professional Accountant in the Audit and Risk Advisory Services group at BCE Inc., in the role of Senior Internal Auditor. Throughout her experience at BCE, she has performed audits of financial and operational processes across various business units focusing on business process improvements. Sarah is also responsible for developing and continuously enhancing the Governance, Risk and Compliance (GRC) methodology which is enforced and followed by members of the Internal Audit group at BCE.

Prior to joining BCE, Sarah was a Senior Associate in the Consulting & Deals and External Audit groups at PricewaterhouseCoopers LLP, providing internal audit, consulting and external audit services to consumer retail, health care, pharmaceutical, energy, manufacturing, and software organizations in the GTA.

She is currently a member of Chartered Professional Accountants of Ontario (CPA Ontario) and the Institute of Internal Auditors (IIA), while most recently speaking at the Infonex 2013 IT Audit Best Practices conference and attending the IIA 2013 General Audit Management Conference for Chief Audit Executives.

Mobile Security and PCI
David Gamey, Control Gap Inc.


Mobile payments have the potential for tremendous expansion and increased convenience that brings with it the promise of growth in the payment industry. Many organizations and technologies are currently vying to become leaders in this field. All of these will have to overcome concerns about security on their way to achieving end user confidence and acceptance. Ultimately any organization venturing into this area will need to be sure their solutions will work with compliance frameworks such as PCI. This presentation will examine these challenges from the perspective of organizations wishing to exploit mobile payments in the current regulatory environment with a view to how this may change.

About David Gamey

David Gamey is an information security practitioner with Control Gap Inc. with over 30 years' experience. He was the lead "ethical hacker" for IBM Canada for seven years. Since 2003 he has specialized in credit card and payment security. He currently holds PCI certifications as QSA(P2PE), PA-QSA(P2PE). Most recently, David has been working with solution providers to certify solutions using end-to-end encryption and solutions in payment terminals and embedded systems.

Vendor Risk Management: Leveraging the Value of SOC Reporting
Jennifer Johnson, PwC


In today's market, companies rely increasingly on third parties to support their business and meet their customers' needs. As a result, vendor risk management has become a critical governance and compliance component of running the business. At the same time, increased focus on enterprise risk is driving further requirements for transparency around processes and controls at external service providers. This session will explore what is involved in a robust vendor risk management framework, what service organization controls (SOC) reporting options are available and how best to leverage their value to manage vendor risks.

About Jennifer Johnson

Jennifer Johnson is a partner with the Consulting - Risk & Controls practice of PwC Canada working in the Toronto office. She has more than 15 years of experience leading business process and information technology internal controls reviews in the US and Canada. Jennifer is a leader in the Canadian Performance Assurance team within our Risk & Controls practice which specializes in providing assurance over clients' processes, controls and data to build transparency and trust with their internal and external stakeholders. She has also been a Canadian representative for PwC's global third-party controls reporting network. She has significant experience managing CPA CSAE 3416, AICPA SSAE 16, Trust Services reviews, and Agreed-Upon Procedures within several industries and across multiple global client environments. She has authored several PwC publications on the topic of service organization controls reporting.

Jennifer earned a Bachelor of Science in Finance (Magna Cum Laude) from Central Connecticut State University in 1998. She is also a Certified Information Systems Auditor and Certified in Risk and Information Systems Control.

Jennifer was an active board member at a non-profit organization focused on supporting youth in Boston, MA and surrounding areas. She has led the organization and delivery of multiple team volunteering events within the firm. She is also actively involved in the firm's diversity and inclusion initiatives.

12:15pm - 1:30pm
1:30pm - 2:45pm
Financial Institutions and Compliance Challenges
Moderator: Keith Matcham, EY
Panel: David Gillies, TD Bank Group
William Morland, RBC Capital Markets


Canadian financial institutions continue to face a complex regulatory environment that requires the ongoing assessment, monitoring, and mitigation of regulatory and operational risks. Moreover, the expectation on institutions is that appropriate technological solutions are deployed to address new regulations and issues. This session will discuss the process and challenges of deploying the appropriate information technology solutions to support compliance requirements such as Basel II, Basel III, Dodd-Frank and OSFI.

About Keith Matcham

Keith Matcham is a Partner in the Financial Services Advisory practice of Ernst & Young LLP.

Keith Matcham is the leader of the Financial Services IT Risk practice and also serves as the Quality and Risk Management Leader of the Canadian Advisory Services practice providing technical consultation and oversight.

Keith has 26 years of advisory experience, 17 of which have been with Ernst & Young's financial services practices in Toronto and London, England. He spent nine years working within the private sector - banking and insurance.

Keith is a UK Chartered Accountant, and Certified Information Systems Auditor. He is also member of the Institute of Internal Auditors.

Engagement Experience:

- Served as the global IT audit partner for a major bank and a major life insurance company. Also served as the SOX 404 advisor for a major bank during the initial implementation of SOX 404.

- Partner for a CSAE 3416 (formerly Section 5970) review at a major cheque and currency processor, an annual assurance review issued to several banks.

- Currently acting as the IT Internal Audit Leader for a major bank.

- Responsible for the Information Technology Risk Management current state assessment, future state design and roadmap/investment approach for a major bank.

- Provided co-sourced internal audit services to two of the major Canadian banks, including review of cheque clearing process, development of an audit guide for reviewing systems under development, data centre and security reviews of new operations and security vulnerability assessments.

- Advisory Partner for a major billion Canadian Pension Plan: recent projects include: review of regulatory reporting process, internal control risk assessments; complex project assessments; post-implementation reviews, business continuity planning assessment; QA testing of IT systems.

- Provided IT risk services to a $40 billion pension plan including: pre-implementation review of a new pension system; an enterprise-wide review of business continuity planning, reviews of IT security on various platforms.

- Responsible for internal audit co-sourcing relationship with a $30 billion asset management company. Mandate involves assisting the leader of internal audit assess enterprise-wide risks and developing and executing a risk based internal audit plan. Projects included a review of the ICAAP process for OSFI regulated trust company subsidiary, tax reporting process, selection of new brokerage system, review of enterprise risk management deployment.

- Performed an OSFI mandated review of an Internal Audit function at a major life insurer.

About David Gillies

Mr. David Gillies is a Vice-President in Technology Solutions for the TD Bank Group Corporate Segment. He leads the Risk Solutions Group which supports the Credit Risk, Operation Risk, Liquidity Risk and Technology Risk corporate teams. He was formerly the Senior Director of Product Management at Algorithmics, a leading risk management technology vendor. David has also worked at Ernst & Young's management consulting practice. He holds an MBA from the Rotman School of Business and a M. Eng. and B.A.Sc. in Civil (Environmental) Engineering from the University of Toronto.

About William Morland

William joined RBC Capital Markets in 2008 to work on the design and implementation of a new IT infrastructure to handle the increasingly complex demands of risk managers. Almost immediately the risk management landscape changed with the collapse of Lehman Brothers and the resulting financial crisis. Over the subsequent five years financial regulations tightened and made additional demands on risk systems.

Prior to joining RBC, William worked for seven years at Algorithmics designing and building risk management software. William has a masters degree from the University of Waterloo where he specialised in the generation of quasi random sequences for Monte Carlo simulation.

The Insider Threat - Lessons from the Front Line
Jeff Roth, Nova Technologies


This session will cover the key elements of building "Security in Depth" to address the Insider Threat, using real-world scenarios ranging from data loss prevention to malicious actions by disgruntled internal staff, vendors and business-partner employees. You will be given system security engineering pointers and industry tools that you can use after the conference to start addressing potential insider threats your organization may be facing.

About Jeff Roth

Jeff Roth, CISA, CGEIT, CISSP-ISSEP, is a member of ISACA's IT Audit and Assurance and Information Security Foundations working groups and an Information System Security Engineering Principal for Nova Technologies. He currently focuses on IT critical infrastructure protection for DoD and Federal agency systems. Jeff has more than 27 years of external and internal audit experience ranging from Federal, State and Local governments to the aerospace, chemical production, power generation, healthcare, petroleum exploration and manufacturing industries.

Prior to his current position, from 2005 to 2010, Jeff was the practice leader for RSM McGladrey's FISMA and DIACAP practice and director of Technology Risk Management Services for external and internal audits of publicly traded companies, not-for-profits and state and local governments. From 2000 to 2005 Jeff was the manager of internal audit and government relations for the NASA prime contractor for Space Shuttle and International Space Station operations. As part of his duties, Jeff provided specialized business process analysis and reengineering, disaster recovery, security, ethics, and fraud investigation support to inside/outside legal counsel, ethics officers, company security and the NASA Office of the Inspector General at Johnson, Kennedy, Marshall and Stennis Space Centers.

Jeff is a frequent speaker for ISACA, FICPA and the IIA throughout the Americas, Europe and Oceania on IT security, internal controls, risk management and governance. He was the 2006 recipient of the ISACA John Kuyers Best Speaker/Conference Contributor Award, which recognizes individuals for major contributions in Information Technology Audit and Security and/or outstanding speaking achievements.

COBIT 5 - Overview
Daisy Lui, Crowe Horwath Global Risk Consulting


COBIT 5 is the only business framework for the governance and management of enterprise IT. This evolutionary version incorporates the latest thinking in enterprise governance and management techniques, and provides globally accepted principles, practices, analytical tools and models to help increase the trust in, and value from, information systems.

This session will provide participants with a high-level overview of the framework and familiarize you with the products and publications of the COBIT 5 family, including the training and accreditation processes. The target audience for this session is: current COBIT 4.1 users considering the move to COBIT 5; IT and audit professionals planning to improve their organizations' IT and business processes; and IT Audit/Risk/Governance professionals looking for COBIT 5 certification and accreditation opportunities.

About Daisy Lui

Daisy has over 14 years of experience in Information Technology (IT), internal audit, compliance, IT risk management, and IT governance. Daisy is responsible for leading technology-oriented business risk control reviews and managing internal audit outsourcing projects for clients. Daisy also has significant experience in assisting her clients in adopting the COBIT framework and meeting internal controls certification requirements.

Daisy has led technology enabled business process reviews, controls reviews and risk identification/mitigation engagements (general environmental reviews, security reviews, change management reviews, application control reviews, and business continuity management reviews) in a wide range of entities including financial institutions, organizations in the public sector and companies in the consumer business industry. Other than client services delivery, Daisy has obtained the Foundation Certificate for COBIT and ITIL and she is an accredited COBIT facilitator. In 2012, Daisy led a team of professionals in reviewing the COBIT 5 exposure draft and provided comments to ISACA on the framework.

2:45pm - 3:00pm
3:00pm - 4:15pm
Top Ten Security Risks and Myths
Moderator: Sajith Nair, PwC
Panel: Joe LoBianco, CIBC
Alexander Rau, Symantec


Security threats are more aggressive, more ruthless and more effective than ever before. Malware, hacktivism and insider espionage are just some examples of what organizations must fully understand in order to put appropriate controls in place. As security threats evolve, companies must make sure their risk management processes reflect both current and future risks in an environment of constant change.

This session will focus on the top 10 current and emerging security threats, as well as the defences to help you manage and mitigate these risks. The session will also examine common security myths and will address the "it would not happen to our company" mindset prevalent in many Canadian organizations.

About Sajith Nair

Saj is a Director in PwC's Cyber Security practice and specializes in helping Financial Institutions effectively manage information and cyber security risks. He has helped several clients transform their information risk and cyber security functions. This has enabled them to grow and operate with confidence, knowing they have the resilience to manage known risks and respond to the unexpected. He is regularly sought after by clients for solving complex information risk and cyber security challenges and helping them obtain buy-in from their Executives and Board.

He has international experience with providing consulting services in North America, Australia, Asia and Europe. He has extensive experience with cyber security strategy, cyber threat modelling and intelligence, information risk management, security and risk culture transformation, outsourcing and off shoring risks, cloud computing risks, data loss protection and M&A security risk management.

He holds a Bachelor of Engineering from the University of Sydney, Australia, and several professional accreditations including Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT), and the ITIL Foundation Certificate V3.

About Joe LoBianco

Joe LoBianco is currently Senior Director, Information Security with CIBC, where he holds responsibility for security policy, strategy and architecture, as well as risk assessments and leading new security initiatives. In the past he managed the Security Operations functions for CIBC and, previously, for Bank of Montreal. Prior to his 12+ years in financial services, Joe worked in a variety of consulting and product management roles for security companies. During this time, he worked extensively with clients in the financial, high tech, healthcare and defense industries, providing advice on vulnerability management, incident response, risk assessment and threat intelligence. Joe holds a CISSP designation and an Honours Bachelor of Science from the University of Toronto.

About Alexander Rau

Alexander is a National Information Security Solutions Advocate with Symantec Canada. With over 15 years' experience in IT, specializing in security, Alexander holds CISSP and CISM certifications and has consulted for many large public and private sector organizations on how to address their security challenges. Prior to joining Symantec, he held a senior IT Security role with IBM. Since 2008, Alexander has also been a part-time faculty member at Georgian College, teaching computer and network systems security.

Day 3

Friday, March 28, 2014 Optional one day workshop

7:30am - 8:30am
8:30am - 4:00pm
Optional Workshop: Database Security and Audit
John G. Tannahill, J. Tannahill & Associates


The focus of this one-day workshop will be on the audit, control and security issues related to the use of database management systems in today's business environments.

A specific focus will be security and audit of Oracle 11g/12c; Microsoft SQL Server 2008/2012 and DB2/UDB 9.5 environments.

Learn practical approaches and techniques for evaluating the implementation of database security and control. Live demonstrations using Oracle; SQL Server and DB2/UDB database environments will reinforce the principles presented.

Key Topics:
1. Database Concepts

  • Relational database concepts
  • Database schemas, instances
  • Database objects
  • SQL components
  • Using SQL as an audit tool

2. Database Security & Control
  • Database versions
  • Architecture and components
  • Audit & Control objectives
  • Security Configuration
  • Data dictionary
  • Database connection
  • Identification and authentication
  • Password administration
  • System and object privileges
  • Audit trails and security logs
  • Role of operating system security
  • Known security vulnerabilities
  • Security patches

3. Audit Tools & Techniques
  • Audit Testing Approaches
  • Audit Checklist
  • Database Vulnerability and Penetration Testing

4. Security & Audit Resources
  • Audit & Security References
  • Useful Web Sites
  • Mailing Lists/Advisories
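The "Using SQL as an audit tool", privilege, password administration and audit trail topics above come down to querying each product's data dictionary. The queries below are an added example for this page, not material from the workshop or from J. Tannahill & Associates. They assume a read-only audit account with SELECT access to the catalogue views named (on Oracle, SELECT_CATALOG_ROLE is enough); the view and column names are the vendors' own, and version caveats are noted in the comments.

```sql
-- Added example: data-dictionary queries for a database privilege,
-- password-policy and audit-trail review. Run each section against the
-- matching product with an account that can read the catalogue views.

---------------------------------------------------------------------------
-- Oracle 11g/12c (traditional auditing; 12c unified auditing writes to
-- UNIFIED_AUDIT_TRAIL instead, which these queries do not cover)
---------------------------------------------------------------------------
-- Who holds DBA or full export/import roles, and can they grant them on?
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE granted_role IN ('DBA', 'IMP_FULL_DATABASE', 'EXP_FULL_DATABASE')
 ORDER BY grantee;

-- Broad system privileges granted directly to non-system accounts
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE (privilege LIKE '%ANY%'
        OR privilege IN ('ALTER SYSTEM', 'ALTER USER', 'BECOME USER'))
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
 ORDER BY grantee, privilege;

-- Accounts still on a vendor default password (view exists from 11g)
SELECT username FROM dba_users_with_defpwd ORDER BY username;

-- Password policy actually enforced per profile: look for UNLIMITED limits
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_type = 'PASSWORD'
 ORDER BY profile, resource_name;

-- Is auditing on at all? An empty audit view proves nothing otherwise.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_trail', 'audit_sys_operations');

-- Failed logons (ORA-01017) in the last 30 days; needs AUDIT SESSION enabled
SELECT os_username, username, userhost, timestamp, returncode
  FROM dba_audit_session
 WHERE returncode = 1017
   AND timestamp > SYSDATE - 30
 ORDER BY timestamp DESC;

---------------------------------------------------------------------------
-- Microsoft SQL Server 2008/2012
---------------------------------------------------------------------------
-- Members of the sysadmin and securityadmin fixed server roles
SELECT r.name AS role_name, m.name AS member_name, m.type_desc, m.is_disabled
  FROM sys.server_role_members AS rm
  JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
  JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
 WHERE r.name IN ('sysadmin', 'securityadmin')
 ORDER BY r.name, m.name;

-- SQL logins that bypass the Windows password policy or password expiry
SELECT name, is_policy_checked, is_expiration_checked, is_disabled
  FROM sys.sql_logins
 WHERE is_policy_checked = 0 OR is_expiration_checked = 0
 ORDER BY name;

-- Authentication mode (1 = Windows only) and whether the default trace,
-- which records logon and permission changes, is still enabled
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;
SELECT name, value_in_use
  FROM sys.configurations
 WHERE name = 'default trace enabled';

---------------------------------------------------------------------------
-- DB2/UDB 9.5
---------------------------------------------------------------------------
-- Database-level administrative authorities held directly
SELECT grantee, granteetype, dbadmauth, securityadmauth
  FROM syscat.dbauth
 WHERE dbadmauth = 'Y' OR securityadmauth = 'Y'
 ORDER BY grantee;

-- Table privileges granted to PUBLIC outside the catalogue schemas
-- (DB2 grants PUBLIC SELECT on SYSCAT by default, hence the exclusion)
SELECT tabschema, tabname, selectauth, insertauth, updateauth,
       deleteauth, controlauth
  FROM syscat.tabauth
 WHERE grantee = 'PUBLIC'
   AND tabschema NOT LIKE 'SYS%'
 ORDER BY tabschema, tabname;
```

Read empty results with care: no rows from dba_audit_session can mean no failed logons or simply that audit_trail is NONE, which is why the parameter check comes first. Save each result set with the instance name and timestamp as working-paper evidence rather than re-running the queries later.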

About John Tannahill

John G. Tannahill, CISM, GEIT, CRISC, Management Consultant, J. Tannahill & Associates, is an independent Information Security and Audit Services Consultant. His current consulting work areas are focused on information security in large information systems environments and networks, requiring detailed knowledge of the major operating systems encountered. Particular areas of technical security expertise include:

  • Windows 2008/2012
  • Unix (including Solaris, AIX & Linux)
  • Oracle; Microsoft SQL Server & DB2
  • Network and Firewall security.

John is a frequent speaker in Canada, the USA and Europe on the subject of Information Security. He is a member of the Institute of Chartered Accountants of Scotland.


Fundamentals of IT Audit – A Three-Day Workshop

Who Should Attend

This workshop is ideal for new IT assurance-and-control professionals including:

  • Internal auditors
  • External auditors
  • IT professionals providing assurance or advice on controls
  • Other professionals seeking an understanding of the fundamentals of an IT Audit

Topics Include

Key topics include:

  • Understanding IT audit risks and defining audit scope
  • Internal control concepts and the role of computer control standards
  • General controls protecting the IT environment
  • Business process controls covering specific financial systems
  • Communicating audit findings


3-Day Workshop - March 26-28, 2014
(Running concurrently with the Conference: Day 1-3)

7:30am - 8:30am
8:30am - 4:30pm
Fundamentals of IT Audit
Workshop Leader: Craig McGuffin, C.R. McGuffin Consulting Services


This three-day workshop is designed to provide new IT assurance-and-control professionals with the core skills needed by all information technology auditors. You will review and understand key audit and control principles, as well as many practical techniques, which are all necessary to complete a wide range of IT audit assignments within today's complex computing environments.

Topics covered include overall IT audit planning and objectives, as well as audit risk assessment. We'll also examine the wide range of controls needed for managing the IT function, system development/acquisition and implementation, IT operations, logical and physical security and business resumption/disaster recovery. Included are the vital business process controls found within specific financial tracking and reporting systems. In addition, we will consider important technology components IT auditors must be able to understand, use and evaluate.

Key topics include:

  • Understanding IT audit risks and defining audit scope
  • Internal control concepts and the role of computer control standards
  • General controls protecting the IT environment
  • Business process controls covering specific financial systems
  • Communicating audit findings

Your understanding will be facilitated by demonstrations and discussions of current technology and audit techniques to help reinforce the key concepts. After completing the workshop, you will be able to take part in many types of IT audit assignments and have a solid foundation on which to continue to build your audit expertise.

Detailed Workshop Agenda

Part 1 - The IT Audit Process
An overview covering setting up the IT audit function within an organization, as well as conducting individual audits. Also covers the objectives of various types of IT audits, as well as audit risks.

Part 2 - Control Overview / Impact on Audit Strategy
Discuss control objectives and categorizations (e.g. general vs. business process, preventive vs. detective). Introduces the control benchmark we'll be using during subsequent sections. Discuss the impact of controls on audit strategy and testing.

Part 3 - Controls Over IT Management
Examine the types of controls expected over the management of IT. Examples include long-range and short-range planning, steering committee, issuing governance, risk management.

Part 4 - Controls Over SDLC
Review the traditional systems development life cycle, and examine the controls expected at each point. Special focus on controls over the transition of systems from development to testing to production. Also covers steps suitable for package acquisition. Includes a case study to identify missing controls.

Part 5 - Controls Over IT Operations
Examine the types of controls expected over IT operations. Examples include hardware capacity planning and monitoring, operating schedules, and preventative maintenance. Also covers controls over outsourcing.

Part 6 - Controls Over IT Security
Examine the types of controls expected over logical and physical security of IT systems. Will include a generic model for security controls, then apply to examples at the operating system, database, and firewall levels. Includes a case study to identify missing controls.

Part 7 - Controls Over BCP / DRP
Review the process for developing Business Continuity Plans and Disaster Recovery Plans, including key concepts (user-driven BIAs, Recovery Point Objective, Recovery Time Objective), and examine the control expectations at each level. Also addresses the overall topic of Incident Response.

Part 8 - Controls Over Business Processes
Explains business process (application) controls and their relationship to the general controls covered previously. Discusses typical information system processing components (transaction files, master files) and the controls appropriate for each. Considers two methods of evaluating business controls: traditional (checklist-based) and systematic. Also includes a discussion of documentation requirements and techniques.
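As an added example of the application controls this part covers for transaction files and master files (illustrative code written for this page, not material from the workshop): a batch of transactions is checked against the control totals on its batch header before posting, posted only to accounts that exist on the master file, and then the master file total is reconciled run-to-run against the net amount posted. The account numbers, balances, amounts and header layout are constructed for the example.

```python
"""Added example, not from the workshop materials: input, processing and output
controls around a master-file update. File layouts, account numbers and
amounts are constructed for illustration."""
from decimal import Decimal

# Constructed customer master file before the update: account -> balance.
MASTER_BEFORE = {
    "10001": Decimal("250.00"),
    "10002": Decimal("0.00"),
    "10003": Decimal("1200.50"),
}

# Constructed transaction batch. The header carries the control totals the
# originating department computed when the batch was prepared, so the update
# program can prove it received exactly what was sent.
BATCH_HEADER = {
    "record_count": 4,                   # number of detail records
    "amount_total": Decimal("430.00"),   # net of all amounts
    "hash_total": 40008,                 # sum of account numbers (meaningless as a number)
}
TRANSACTIONS = [
    {"account": "10001", "amount": Decimal("-50.00")},
    {"account": "10002", "amount": Decimal("300.00")},
    {"account": "10003", "amount": Decimal("180.00")},
    {"account": "10002", "amount": Decimal("0.00")},
]


def batch_control_check(header, txns):
    """Input control: recompute the batch totals from the detail records and
    return the names of the header fields that disagree.
      record_count  catches lost or duplicated records
      amount_total  catches altered amounts (but not offsetting changes)
      hash_total    catches a record moved to the wrong account, and a dropped
                    zero-amount record that the amount total cannot see"""
    computed = {
        "record_count": len(txns),
        "amount_total": sum((t["amount"] for t in txns), Decimal("0")),
        "hash_total": sum(int(t["account"]) for t in txns),
    }
    return [field for field in header if computed[field] != header[field]]


def apply_batch(master, txns):
    """Processing control: post only to accounts present on the master file.
    Returns (updated master, rejected records, net amount actually posted).
    Rejects go to a suspense list for follow-up instead of vanishing."""
    updated = dict(master)
    rejected = []
    posted_total = Decimal("0")
    for t in txns:
        if t["account"] not in updated:
            rejected.append(t)
            continue
        updated[t["account"]] += t["amount"]
        posted_total += t["amount"]
    return updated, rejected, posted_total


def run_to_run_check(before, after, posted_total):
    """Output control: total(after) must equal total(before) + net posted.
    A difference means the update program lost or corrupted a record."""
    before_total = sum(before.values(), Decimal("0"))
    after_total = sum(after.values(), Decimal("0"))
    return after_total - before_total == posted_total


def post_batch(master, header, txns):
    """Full cycle: refuse the batch if its control totals do not agree, post it,
    then confirm the master file moved by exactly the amount posted."""
    failed = batch_control_check(header, txns)
    if failed:
        return {"status": "rejected", "failed_controls": failed}
    updated, rejected, posted_total = apply_batch(master, txns)
    balanced = run_to_run_check(master, updated, posted_total)
    return {"status": "posted" if balanced else "out_of_balance",
            "master": updated, "rejected": rejected}


if __name__ == "__main__":
    print(post_batch(MASTER_BEFORE, BATCH_HEADER, TRANSACTIONS)["status"])
    # Last record lost in transit: the amount total still agrees (it was 0.00),
    # only the record count and hash total expose the loss.
    print(batch_control_check(BATCH_HEADER, TRANSACTIONS[:3]))
```

The constructed batch is built so that the controls disagree in an instructive way: dropping the final zero-amount record leaves the amount total intact, and only the record count and hash total reveal it, while re-pointing one record at a different account leaves both count and amount total intact and only the hash total reveals it. That is why a hash total over a non-financial field sits alongside the financial total in the header.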

Part 9 - Testing IT Controls
Discusses options and techniques for testing the IT controls identified during the audit.

Part 10 - Communicating Audit Findings
Discusses issues surrounding the communication of audit findings, techniques for presentation, and whether recommendations are appropriate in all cases.

About Craig McGuffin

Workshop Leader Craig McGuffin, CPA, CA, CISA, CISM, CGEIT, CRISC, Principal of C.R. McGuffin Consulting Services, has more than 25 years of experience in the field of computer and network controls and security. He has a background in computer science and has worked as an information systems auditor, security consultant and security manager, gaining experience in all major computing and networking environments. He is also the co-author of two books on networking technology.

Craig is an award-winning and extremely popular speaker on the use of computer technology, controls and security, delivering core knowledge and practices through university courses, training seminars and conferences on six continents. He frequently presents on behalf of ISACA, IIA, and CPA Canada.


Westin Harbour Castle Toronto Hotel
One Harbour Square
Toronto, ON M5J 1A6
t. 416-869-1600 or 1-888-627-8559

The Westin Harbour Castle, Toronto is a CAA/AAA Four Diamond hotel located in the heart of downtown Toronto. Guests can easily access the city's most thrilling destinations, from the bustling financial district to the lively Lake Ontario waterfront.


Attendees of the Conference or Workshop can enjoy a Westin Harbour Castle Hotel accommodation rate of $205.00 (plus applicable taxes) for a Traditional Room based on single or double occupancy.

  • Online room reservations
  • Call the hotel at 1-888-627-8559 and quote "Canadian Conference on IT Audit, Governance and Security" to obtain the guaranteed rate.
Note: Guaranteed Rate available until Monday, March 3, 2014 (or when room block is sold out). Book early to avoid disappointment.

Contact Us

For more technical details of the conference content, contact:
Mary Olynik, Principal, Continuing Education
Phone: (416) 204-3312

For general information on this conference, contact:
Esther Lee, Registration Manager
CPA Canada Conference Office
Tel: (416) 651-5086 or 1-888-651-5086
Fax: (416) 593-1805

Event dates, locations and prices subject to change.

© 2001-2014, CPA Canada | EYEP. All rights reserved.