Time Level 17a Level 17b
8:45 – 9:00 am Opening Remarks 
9:00 – 10:00 am
Opening Keynote - Future Proof: Privacy, Security and the Detection of Crime - 25 Years into the Future
Imagine a world where every telephone call is monitored, every email and text message read. A world where your most personal information is for sale to the highest bidder. As technology proliferates, what choices will you make? How much of your privacy will you be willing to give up for the sake of security? Convenience? Social Interaction? And where will we be as a society in 25 years? What impact will the choices we make today have on privacy and security in the future? And how will our government protect us? Join Chris as he takes you on a journey, describing remarkable technologies which already exist and some of the more frightening ones to come. Technologies that will ultimately change not only how we will live, but who and what we will be as a society.

Chris Mathers

10:05 – 10:25 am AM Break AM Break
10:30 – 11:20 am
Prepare for Blockchain Disruption: The Basics and What It Means
In this session, we will explore the basics of blockchain technology and how it provides inherent integrity through an open, distributed ledger. We will also outline some of its major benefits and risks, as well as impact on internal audit. Session objectives include:

    • Understand the concept of blockchain
    • Articulate the impact to organizations
    • Outline the impact to the organization’s risk environment
    • Describe how this changes the company’s internal control structure

Ram Balakrishnan

Auditing the Big Picture: Best Practices and Lessons Learned from integrating IT Audits with the Finance, Operations, and others
A modern IT audit cannot simply be performed as a rote checklist exercise. Inelastically relying upon a “reperform last year’s file” approach may feel comfortable, but it increases the risk of generating a false sense of security where auditors examine what’s easy to assess, rather than focusing on the current area of greatest risk. Strong internal audit functions are continually evolving their approaches, performing dynamic integrated risk assessments on each engagement to identify the areas of greatest risk to the enterprise, including both IT and financial elements among others. After addressing the critical planning and risk assessment steps, we will pivot to reviewing entertaining and intriguing real-world examples, sharing best practices and flagging potential pitfalls which may occur when conducting integrated reviews:

    • Asserting effective IT General Controls to place reliance on automated controls
    • Identifying when data conversion audits are needed
    • Leveraging visual analytics to detect outliers and quickly mine complex data sets for insights
    • Examining the state of user training and readiness prior to go-live of new enterprise systems
    • Managing the human element of IT audits: effectively managing and motivating engagement teams composed of diverse backgrounds and experiences

Andrew Krupowicz, Mark Samson

11:25 – 12:15 pm
A New Audit Risk Model and Why it is Needed
Disruption in most forms brings equal parts threats and opportunities. However, the latter can be achieved only if approached and leveraged correctly, placing the capacity for agility and, dare we say, creativity at the center of success. In a business context, this applies to both the mindset for navigating disrupted landscapes and the technical prowess for harnessing the opportunity that lies within. This session identifies a three-fold proposition enabled by disrupted landscapes: 1) Making owner-ordered auditing cost-effective: focal point is assurance on completeness of ROI and revenue. 2) Raising the bar for assurance on completeness: “follow the stuff” instead of “follow the money”, not limited to missing revenue. 3) Allowing a paradigm merge between owner-ordered and management-ordered auditing (agency theory: principal vs. agent). These are captured in a renewed Audit Risk Model with distinct guidance for understatement and overstatement, where the understatement guidance incorporates referral to a proven baseline for financial completeness controls per type of industry, modernized by alignment with cyber security Common Vulnerabilities and Exposures (CVE), Common Weakness Enumeration (CWE), etc.

Dr. Philip Elsas

A Tale of Two Heists – A regulatory perspective
In 2018, OSFI completed a large-scale exercise where a few of Canada’s larger financial institutions were asked to respond to a severe but plausible Cyber scenario. The scenario involved a data breach of customer information at a third party that led to a spike in bank accounts being hacked and drained of funds. The scenario was named “Maple Heist”. Since then, the number of Cyber attacks on the financial sector has increased significantly, including Cybercrime such as ATM heists, fraudulent transactions on digital channels, and large-scale payment systems heists. This presentation will briefly discuss insights from the exercise and real-life incidents to broadly address the changing Cyber threat landscape for financial institutions in Canada, and provide observations on efforts by both financial institutions and the regulatory sector to assess, mitigate, monitor, and manage these threats.

Joshua Tang

12:15 – 1:15 pm Lunch Lunch
1:20 – 2:10 pm
Auditing Cyber and Information Security from Both a Physical and Electronic Perspective
In today’s business world, Cyber and Information Security is a significant risk faced by all corporations. Every day, businesses have their data compromised through various attacks. The complexity of connected environments, together with the growing sophistication of rapidly evolving threats, makes managing Cyber and Information risk a significant enabler of an effective governance structure and of the continuity of the business and its operations. An effective Information and Cyber security audit approach, based on best practice guidance, will therefore provide stakeholders with the assurance that the established processes and controls are able to provide the required protection while ensuring confidentiality, integrity and availability of the information against internal or external threats. This session will provide the audience with practical application of planning, testing and reporting for the risk-based audit of control objectives applicable to cyber and information management and security processes.
In this presentation, participants will be able to identify not only their stakeholders’ expectations regarding cyber and information security risk but also their appetite and risk tolerance for this risk. Participants will also be able to identify potential observations, their impact and practical recommendations in order to manage cyber and information security risk.

Kaveh Rikhtegar

Criteria for Evaluating the Integrity of a Set of Data
This presentation will cover the criteria and professional standards applicable to services related to the criteria. It will discuss how the criteria and professional standards can contribute to improving data-based decision making. Part of the session will be interactive to enable participants to exchange information about current practices used to assure the integrity of data used for decision making and how current practices might be transformed and improved through the application of the data integrity criteria.

Efrim Boritz

2:15 – 3:05 pm
A Causal Mapping Tool for Auditors: Process and Results

Yves Genest, David Long, Matt Lemay

Continuous Audit Techniques to Assess Network Security Risk
Organizations are rapidly digitizing their processes, and data generated from these processes is readily available for audit use. Our presentation will show a real-world example through which audit would be able to continually assess the effectiveness of controls across the Bank holistically, and glean new insights through innovation and analytics. This approach will transform the Audit function by developing a capability to respond to fast-moving risks, increasing collaboration between auditors and auditees, and reporting the state of the risk environment in near real time. It will also improve the agility of the audit function by reducing the effort to execute audit procedures, increasing audit coverage and allowing auditors to focus on more value-added assessments. The objective of our session is to demonstrate the use of automated techniques to identify and report security risks within network security. Our focus will be to show a real-world example of performing continuous risk assessment (CRA) of various aspects of firewall security. We will present an approach and a toolset that can be widely used to develop automation within network security, and discuss the lessons learned, pitfalls and overall methodology that can be used by audit departments to implement CRA.

Angie Ng, Vineet Sharma

3:10 – 3:30 pm PM Break PM Break
3:35 – 4:25 pm
Breaking Risk Silos
There is increasing pressure on Boards to ensure they fulfill their risk oversight role. Many Boards receive information on risks that often does not present a consolidated picture of risks. In many organizations, IT risks, although often a critical component in achieving strategic priorities, are separated from other risks. Not only does this fractured picture prevent the Board from effectively assessing management’s response to risk, it becomes a barrier to effective Board oversight. The presentation “Breaking Risk Silos” provides practical information for auditors that will allow them to present risk information in a consolidated manner to Boards of Directors. In doing so, they will learn how to identify the interrelationships between IT and enterprise risks and increase the effectiveness of risk response.

Angela Byrne

Looking Forward - Auditing as Never Before
This session addresses three topics that auditors will have to address in the near future:

    • Rapidly changing technologies: those requiring audit and those whose use will be required in conducting audits
    • Audit Challenges: challenges to be faced in extending the scope of audits, including new technologies, new sources of audit information such as big data, artificial intelligence, IoT sensors, robotics and cellular devices
    • Audit Skills: addresses the new skill set that auditing in the future will require; skills that will range from technical capabilities to the adoption of new talents such as critical thinking, root cause analysis, and mathematical modelling using multivariate discriminant analysis, factor analysis and regression analysis

This session provides insight into the expanding need for assurance throughout business and government and the role that auditors, and particularly technology auditors, will play in the future.

Robert Parker

4:30 – 5:30 pm Networking Event
Program: Day 2