WEDNESDAY MARCH 28, 2018 DAY 1
7:30 – 8:30 am BREAKFAST
8:30 – 8:45 am OPENING REMARKS
8:45 – 9:45 am OPENING KEYNOTE –
The Meaning Behind Data Making Data More Human
The Meaning Behind Data Making Data More Human

In this talk, Jer Thorp shares his beautiful and moving data visualization projects, helping audiences put abstract data into a human context. From graphing an entire year’s news cycle, to mapping the way people share articles across the internet, to the 9/11 Memorial in Manhattan, Thorp’s cutting-edge visualizations use technology and data to help us learn about the way we use digital technologies, become more empathetic in the data age, and ultimately, tell the story of our lives. How can understanding the human side of data lead to innovation and effective change? What value is there in the novel and interactive approaches to data visualization? And, what are the business applications of creative data-focused research? Thorp teaches audiences how adding meaning and narrative to huge amounts of data can help people take control of the information that surrounds them, and revolutionize the way we utilize data.

Jer Thorp, Data Artist / Innovator in Residence, Library of Congress

Concurrent Regency Room 1 Regency Room 2
9:55 – 10:45 am
Auditing Data Governance to drive greater value
Auditing Data Governance to drive greater value

Increasingly organizations have recognized the need to harness the significant potential latent in their vast data holdings .  Finance, Legal, human resources and executive management struggle to get the right information in a complete, consumable, consistent, coherent and cohesive manner so that they can make the right decisions.  Audit and the enterprise risk functions have an opportunity to add considerable value through data analytics to help mature the data governance in their organizations.  Kaval and Richard and Marc share their experiences in helping Canada Post and other organizations perform an audit of  data governance while exploring the following topics:

  • A high-level data maturity reference model
  • Key topic, challenges and practical methodology to overcome this challenges
  • An audit program and genialized approach to assessing data governance within your organizations
  • Use of current tools such as Tableau and related audit dashboards
  • Data analytics to support assessment of key controls including what risks these controls help manage and advantages/issues with data analytics
  • Practices to improve audit “value-added” services such as continuous auditing  and improving both efficiency and effectiveness while reducing the audit
  • Identify practices, systems, and tools/enablers being employed in audit teams across industries and functions (HR, IT, Finance and Legal)

Kaval Pannu, Canada Post Corporation/ MNP

Agile Auditing: Maximizing internal audit’s value on organizational transformation initiatives
Agile Auditing: Maximizing internal audit’s value on organizational transformation initiatives

As organizations transform to keep pace with a world that is rapidly evolving, internal audit functions can embrace the opportunity and find innovative ways to continue to maximize their value delivery. Internal Audit can play an essential and strategic role in organizational transformations, helping the organization navigate new risk landscapes.

When engaged to provide assurance over a major business transformation, internal audit functions may face the following challenges:

· We need to be early: By the time the environment is stable again and can be audited, the value of audit findings may be limited due to significant investments having already been incurred by the organization.
· We need to be accountable: Large and complex projects, because of the risks they entail, and their high visibility, attract the attention of external auditors. Organizations need to demonstrate that they track them well and course-correct nimbly.
· We need to be agile and risk-based: With finite and limited resources, maximizing the value of assurance activities over an evolving landscape can be difficult. In particular, by the time a risk-based audit program is developed and being executed, the risks may have already changed and audit resources may not be in the right place(s) to maximize value.

A large public sector organization developed an innovative methodology to audit a collection of major organization-wide business transformations. Adopting an agile approach with periodic (quarterly) dashboards to the audit committee, the internal audit function adapted to address the realities of a rapidly changing environment. The presentation will explore the implementation of this approach.

Yves Genest, Canadian Audit and Accountability Foundation/MNP

10:55 – 11:15 am BREAK
Concurrent Regency Room 1 Regency Room 2
11:20 – 12:10 pm
Change the way you change
Change the way you change

Hyper change across five change vectors requires that we change the way we change to compete in the digital economy. As you read all of the hype around digital transformation, one thing is clear. The risks and rewards of the current paradigm shift are like nothing we have seen before. Four out of ten companies in each sector are at risk of being disrupted.
The traditional domains of people, process, and technology are becoming permeable and are blending. Software robots can now do what people used to do, and do it faster and cheaper. Operational analytics, business and decision rule automation and algorithms can route work and cases in real time to enable a truly tailored client experience. iBPM and workflow software can now be deployed to automate much of the legacy system breaks, delays, and handoffs.
It’s time to deploy savvy street smart technology, process, and collaborative teams to change the game and jump-start the transformation/renovation program. Leaders:
Align strategy, business and IT to focus on the client segments, their needs and develop a competitive and engaging client and employee experience
Establish ways to use analytics and insight to change the dialogue, and create end to end process transparency
Look across the technology environment to lever existing assets while renovating where required to deliver the right end to end client experience
Build cross-functional teams and using agile and iterative methods to create collaboration and a culture that can react and deliver
Its about delivering Thoughtful change @speed

Neal Oswald, Wanilah Advisors Inc.

Design, Identify and Invest: Harnessing Identity Innovation
Design, Identify and Invest: Harnessing Identity Innovation
Digital Identity provides the ability to establish trusted digital relationships through your existing relationships with other providers of trusted digital services. Through this trust relationship, your bank, government, or self-sovereign relationship can now help you to establish trust with a new employer, retailer, or any trusted provider in the sharing economy.

Conditions in Canada are ripe for a cross-sector effort to build a trusted digital economy with identity and privacy being foundational to its success. To achieve this trusted identity ecosystem, there are key considerations for each digital service:

Designing transactions that not only exceed employee and customer expectations but reduce risk,
Identifying the level of trust that you require and how to establish it; and
Investing incrementally, for results
In this session we will explore some recent innovations around identity and building an ecosystem of trust. Participants will walk away with a few key actions to establish digital trust relationships and harness emerging opportunities in this space.

Charles Eckert, PWC

12:20- 1:20 pm LUNCH
1:30 – 2:30 pm KEYNOTE –
War is Being Waged Without Firing a Shot – The New Battleground of Cyber Warfare
War is Being Waged Without Firing a Shot – The New Battleground of Cyber Warfare
The lines between corporate security, domestic security and the defence of a nation are increasingly blurred. Is ransomware, theft, system corruption or denial of service only threatening to a company’s bottom line, or does it also put Canada at risk?

Does a nation’s global competitiveness and sovereignty depend upon the protection and preservation of personal data, information platforms and digital infrastructure? If so, to what extent is Canada under siege? Should individual rights to privacy and corporate protection of intellectual capital be integrated as part of the comprehensive security of a nation? What should sovereign governments, public agencies, corporations, and individuals collectively do to reduce and mitigate threats in a time of ever increasing cyber-attacks?

Leona Alleslev, Member of Parliament on the National Defence Committee, Chair of Canada’s NATO Parliamentary Association, former management consultant and Air Force officer will challenge your thinking as she explores the new battleground from influence operations, grey battle zones, and cyber-attacks and argues that governments alone cannot defend against them and that time is not on our side.

Leona Alleslev (IoT / Global Security), Federal MP Aurora – Oak Ridges – Richmond Hill (Standing Committee on National Defence / Chair of the Canadian NATO Parliamentary Association / Chair – Aerospace Caucus)

Concurrent Regency Room 1 Regency Room 2
2:40 – 3:30 pm
Cybersecurity Risk Management Reporting and Assurance
Cybersecurity Risk Management Reporting and Assurance

Cybercrime is fast becoming one of the most significant economic issues affecting businesses, public sector organizations and individuals around the world. Security breaches leading to theft of confidential information can lead to financial losses, reputational damage, diminished stakeholder confidence, lost opportunities, and potential regulatory penalties. Thus, cybersecurity is receiving an increasing amount of attention by the business community, legislators and regulatory agencies. Accordingly, cybersecurity governance, control, reporting and assurance are important agenda items for practitioners to address.

Objectives
After completing this workshop an attendee will be able to:

describe the rationale/demand for a cybersecurity examination engagement, identify standards and frameworks applicable to cybersecurity examination engagements, including NIST CSF, COSO, AICPA DC and TSC and other relevant frameworks
describe key elements of a cybersecurity risk management program examination engagement as envisioned by the AICPA working group on cybersecurity
describe the criteria for preparing and evaluating a description of an entity’s cybersecurity risk management program, including an illustrative example of such a description
describe the criteria for testing and evaluating the effectiveness of controls implemented to achieve the entity’s cybersecurity objectives (a combination of COSO-based and Trust Services based entity level criteria developed specifically for cybersecurity examination engagements)
describe issues in establishing materiality, designing tests of controls and evaluating the  results of testing
explain the reporting on the results of the cybersecurity examination.

Efrim Boritz, University of Waterloo

Cybersecurity and Digital Investigations
Cybersecurity and Digital Investigations

The presentation will touch upon some of the practical considerations of cyber security and digital investigations in the enterprise, and how the technology audit function is changing.

Jason Green, Hexigent Consulting

3:40 – 4:00 pm BREAK
4:10 – 5:00 pm
Cyber Risk & Insurance 101
Cyber Risk & Insurance 101

Cyber Risk Evaluation and Loss Quantification – How to Think About Cyber Risk
– Cyber Insurance Considerations
a) Gaps in Existing Coverage
b) Common Coverage Elements
c) Common Coverage Exlusions
– Underwriting Process & Considerations
– Insurance Market Trends

Catherine Evans, Marsh Canada Ltd.

Communicating Cyber Security to the Board of Directors
Communicating Cyber Security to the Board of Directors

It is easy to find examples of data breaches, ransomware, and online fraud across business sectors. From Target to Equifax to Canadian universities, cyber vulnerabilities have been exploited to significant financial and reputational loss. It is essential that boards of directors are informed and engaged on cyber security to protect their business interests, and yet effective communication between practitioners and boards has emerged as a key challenge to improving information risk management.

What are the potential implications of poor communication between cyber security practitioners and the board of directors, and how might these challenges be overcome? This presenation will address the challenges that face cyber security practitioners when communicating with the board of directors; why effective communication is important; and strategies to improve communication between practitioners and directors.

Rachael Bryson, Conference Board of Canada

5:00 – 6:00 pm NETWORKING EVENT

 

THURSDAY MARCH 29, 2018 DAY 2
7:30 – 8:30 am BREAKFAST
8:30 – 8:45 am OPENING REMARKS
8:45 – 9:45 am
KEYNOTE: Blockchain Revolution: Surviving and Thriving in the 2nd Era of the Internet
KEYNOTE: Blockchain Revolution: Surviving and Thriving in the 2nd Era of the Internet

The technology likely to have the greatest impact on the world over the next 20 years has arrived and it’s called the blockchain. Originally the enabling technology of cryptocurrencies like Bitcoin, blockchain is now being applied to virtually every industry in the economy and promises to usher in nothing short of the new internet of value, which will transform money, industries, the economy and the world.

Alex Tapscott, Co-author of Blockchain Revolution

Concurrent Regency Room 1 Regency Room 2
9:50 – 10:40 am
Digital Ready Cyberteams
Digital Ready Cyberteams

Digital transformation continues to create new business and social opportunities and is impacting how we communicate, shop and play, and how we consume public services. Organizations, including governments, are transforming; digital channels and time-to-market are driving much of this change. This presentation will discuss how the Ontario Government is transforming its cyber teams to be digital-ready and enablers of digital public service delivery.

Mohammad Qureshi, Ontario Government

Insights and Updates on Application Security
Insights and Updates on Application Security

Making software applications secure is important now more than ever, as demonstrated by recent data breaches that were caused by application security flaws. With the disruptions brought on by agile development and continuous integration / continuous development / continuous deployment, it is key for IT auditors to stay on top of these developments to properly assess and manage the associated application security risks.
This session will go over some recent updates in the world of application security, including the OWASP Top 10 2017, secure SDLC in an agile world, and secure DevOps. We will also cover some tools, frameworks and concepts that you should be aware of when you are looking at your organization’s application security program in your next audits.

Yuk Fai Chan, CyferSafe Inc.

10:45 – 11:05 am BREAK
Concurrent Regency Room 1 Regency Room 2
11:10 – 12:00 pm
Stopping the insanity - the role of Interal Audit in real-time mitigation of SDLC risks
Stopping the insanity - the role of Interal Audit in real-time mitigation of SDLC risks

Software development projects are notorious for under-delivering on expected budget, timeline and scope, and while the advent of new techniques like agile and devops are purported to improve performance, in some cases we are just delivering a poor quality product with more speed. In this presentation, we will speak to our audit approach which provides real-time feedback to project teams on gaps, prior to them realizing the risk, allowing them to address these gaps inflight, leading to more successful outcomes. We will also cover our approach to reviewing organizational SDLC practices, to drive overall organizational improvement and stop the “insanity” of projects continuing to do the same thing over and over again while expecting different results. Attendees of this session will learn techniques they can apply to increase the value they provide to their organizations when auditing software development activities.

In regards to when we’ll want your presentation for review, this has not been confirmed, but I would say no sooner than March 20th. I will ask the committee and we’ll
confirm this in an upcoming communication to the speakers.

Sue Kurtz, Bank of Montreal

Risk intelligent Robotics and Cognitive Automation
Risk intelligent Robotics and Cognitive Automation

RPA or Robotic Process Automation, Cognitive and AI (Artificial Intelligence) are not just buzzwords anymore. They are real and there are already a number of automation use cases in operation. However, organizations are struggling with several challenges. Many organizations recognize that these trends apply to them, but wonder where to begin and who should steer the change? Some other organizations who have plunged into it are concerned about the risks, especially when they scale from the proof of concept to live environment, or scale the number of bots. There are very few organizations who have gotten this right and have not only implemented the right operating model to embrace automation, but also govern it well and hence are able to scale it and grow.

Like any new initiative, RPA/Cognitive implementations come with their own set of risks. The challenge is that unlike traditional automation methods, RPA/Cognitive introduce net new risks to the organization that need to be understood, assessed and managed if organizations want to maximize their risk adjusted return on these investments. How does an organization embrace these technologies in a risk intelligent manner to help enhance outcomes? Answering this question will be the key focus of this session.

After a brief introduction to RPA and Cognitive, understanding how they work, discussing some sample use cases and watching some demos, the session will discuss net new risks introduced by these tools. We will then discuss various operating models that we see emerging for how organizations embrace and implement, as well as the impact of these approaches on risks and ability to govern. We will then introduce a holistic risk framework for RPA and Cognitive.

From a line of defense perspective, second line partners (e.g. risk management, security, compliance) as well as internal audit have a key role to play on the first-line’s RPA/Cognitive journey (besides being automation users themselves). However, the engagement model and timeliness is a challenge. We will discuss agile engagement models that have evolved and tend to be more effective. We will end the session with some best practice considerations for organizations to consider as they engage in their automation journey.

Baskaran Rajamani, Deloitte LLP

12:00- 1:00 pm LUNCH
Concurrent Regency Room 1 Regency Room 2
1:10 – 2:00 pm
Machine Learning and Cyber Threat Hunting: The Next Gen SOC
Machine Learning and Cyber Threat Hunting: The Next Gen SOC

Attacks are more sophisticated, requiring more advanced techniques for discovery, investigation, analysis and response. Preventing cyber attacks should not be reactive or ad hoc, security teams should actively and routinely hunt for attacks. Organizations are seeking more advanced tools for SOC personnel to improve their efficiency; It often takes many years of training for security analysts to be completely effective.

Cyber Hunting allows organizations to search proactively and iteratively through network to identify advanced threats that evade even the most advanced defense systems.

Detect suspicious activities
Use a combination of real time analytics engines – including supervised machine learning, signature and rules engines – along with third party threat intelligence, to uncover and prioritize suspicious activities.

Investigate hypotheses
Investigate hypotheses regarding suspicious activities using a variety of tools and techniques

Iteratively inform and improve analytics
Efficiently leverage security operations and response resources by enabling them to focus on legitimate attacks. Improve analysis process by leveraging information gathered in future discovery and investigation activities.

Another important aspect of a next generation SOC is the Machine Learning and Aritifical intelligence functionality

Benefits of Machine Learning and Artifical Intelligence

    • Real-Time Intelligence Correlation at the Network Edge
    • Improved Context, Prioritization
    • Integrated Network & Endpoint Analytics
    • Improved Visibility & Response
    • Automated Dynamic Analysis, Content Routing, Policy Automation
    • Improves team efficiencies, automates clerical workflows
    • User-Driven Machine Learning for Custom Detection & Improved Accuracy
    • Enhances defense posture, fine tunes algorithms to user environment

Farooq Naiyer, ORION

Identifying Sources of IT Risk in the Cloud
Identifying Sources of IT Risk in the Cloud

Cloud solutions present many challenges to organizations as they seek to capitalize on the opportunities presented by these strategies. The need to more closely articulate – or even refurbish – solutions for privacy protection, supplier assurance, GRC, DevOps, identity & access management, data governance, business resilience and cyber security can contain many surprises that challenge an organization’s understanding of risk tolerance. Capitalizing on Darren’s more than eight years of experience in managing and delivering solutions using the cloud, this session will examine SaaS, IaaS, and DRaaS solutions and view the risks they present through a business lens.

Darren Jones, KPMG

2:05 – 2:55 pm
Case Study: How Microsoft Transformed its Cyber Security Governance
Case Study: How Microsoft Transformed its Cyber Security Governance

Explore the reasons behind, the process of, and the results emerging from Microsoft’s transformation of its cyber security governance.

John Bartol, Microsoft

Audit Disruption and the Changing Skills of IT Auditors
Audit Disruption and the Changing Skills of IT Auditors

IT Auditors face a constantly changing landscape of technology that create a complex and challenging learning environment, and can impact how IT Auditors conduct audits, seek assurance, and test controls. This presentation touches on two major recent disruptions in the IT and IT Audit enviroment: 1) robotic process automation, and 2) artificial intelligence. For each topic, the presentation will explore, respectively:
1) Definition and history of the disruptive technology: what is it?
2) How businesses are using the disruptive technology: what is the benefit?
3) What does it mean? Impacts for IT Auditors, with respect to:
3.A) How disruptive technologies impact the way that audit procedures are designed to test controls
3.B) How technological capabilities has changed the emphasis of skills for IT Auditors
The presentation will provide some examples and practical guidance on changing IT audit approaches and the changing emphasis for IT auditors skills to match new technology.

Melissa Polak, Ernst & Young LLP

3:00 – 3:20 pm BREAK
3:25 – 4:15pm
Artificial Intelligence Panel
Artificial Intelligence Panel

What is Artificial Intelligence? Why would I use it? Why wouldn’t I use it and how do I get started? These are all questions our knowledgeable and prestigious panel endeavors to answer. AI can be both daunting and intriguing. Understanding where Artificial Intelligence is most effective can be key to a successful implementation. There are verticals where AI is proven effective and successful. There are also scenarios where AI will not add reasonable value. Our panel will provide examples of how to assess where it works best and why.

Moderator: Hassan Qureshi, Partner MNP
Panelists: David Long, CEO SageTea, Eli Fathi, CEO Minebridge AI, Dean Shivji, Employment and Social Development Canada and Mathieu Lemay, Partner, Lemay Solutions Consulting Inc.

CLOSING REMARKS