February 2003

Thursday, February 13, 2003
CityPlace Conference Center

Joint Meeting with North Texas ISACA/
Student Day

Lunch Meeting 12:00pm
Registration begins at 11:30am

Roadblocks To Practical Security

By Gary Bahadur,
CIO - Foundstone

With all the talk of security and privacy needs, post 9/11, why is security still such a dismal failure? What is keeping businesses from being secure even with the knowledge that they face attacks on a daily basis? A very small percentage of businesses can actually claim to be secure and mean it. The rest make the effort to be secure yet that level of security is never reached. This discussion will focus on the following:

• What does roadblock mean?
• How are these roadblocks categorized?
• What should the security industry, businesses and governments be doing to remove these roadblocks?

Gary, a cofounder of Foundstone Inc, is responsible for the Foundstone infrastructure and operations that support the consulting and training services. Foundstone's research and development labs are a key part of the security solutions provided to our clients to empower them to secure their own environments. In addition to internal corporate responsibilities, Gary provides security consulting and training services to Foundstone's clients. Areas of expertise include security architecture reviews, and ethical hacking reviews focusing on UNIX and Windows NT systems. Gary has been involved with numerous penetration studies and network reviews covering various firewalls, UNIX, Windows NT, Novell networks, Web servers, Internet connectivity, SAP security in UNIX and Windows NT environments, routers, during the past 6 years. He has helped develop the methodologies for network security reviews and was one of the co-developers of the "Extreme Hacking" class at Ernst & Young. Prior to joining Foundstone, Gary held positions of Manager in the Security Profiling Services Group of Ernst & Young and Senior Consultant in Price Waterhouse's Enterprise Security Solutions practice. Gary developed methodologies for network security at both companies.

Gary performs speaking engagements at various industry conferences, several of which include:

• Illinois CPA Society "Practical Roadblocks to Secure E-Commerce", 8/01
• Information Systems Audit and Control Association (ISACA) Conference "Securing UNIX Systems"
• ISSA Conference "Performing Penetration Tests"
• Security.Net 99, Toronto CA, 9/99 Co-Keynote Speaker
• Illinois CPA Society, "Who's Knocking On Your Door?" 8/00
• Army Reserve Information Assurance Seminar "Drive By Shootings"
• Hack2002, Melbourne, "Penetration Testing Methodologies"
• National Security Conference. Singapore, "Profiling the Enemies Weapons"
• Hack2002, Sydney, "Footprint Analysis"
• MEC 2002, "Hacking Exposed Live"
• IAA 10/02, "Hacker attacks and new trends in information security"

Gary holds a Bachelor of Science degree in Information Systems / Finance from New York University and is a Certified Information Systems Security Professional (CISSP). For more information, see his website at: http://www.foundstone.com/company/gary_bahadur.html

Concurrent Post-meeting 1:30pm

Governance Self Assessment Workshop

Stacey Hamaker & Austin Hutton, Shamrock Technologies

In response to the recent flurry of legislative and media attention focused on Corporate Governance, there is fervent demand for improved accountability and transparency across all organizations. Prudent firms are now taking a hard look inside to shore up their own capabilities. But how does one gauge accountability and transparency?

Stacey Hamaker and Austin Hutton of Shamrock Technologies will conduct a Governance Self-Assessment Workshop to help attendees assess the general level of Governance at their own organizations. The presentation will include a discussion of “Governance Gotcha’s”, that is, areas where today’s companies commonly have weaknesses. The Governance Self-Assessment Workshop will also provide some insight into common practices and principles associated with Governance topics.

The material presented will be an extension of that which appears in Ms. Hamaker’s article, “Spotlight on Governance”, featured in the current issue of Information Systems Control Journal. In the article, she compares and contrasts the concepts of Corporate Governance, Enterprise Governance, and Information Technology Governance. The presentation will address issues common to all 3 types of governance. The article may be previewed at: http://www.shamrock-technologies.com/Journal_article2.pdf.

Stacey Hamaker, CISA is Managing Principal and Founder of Shamrock Technologies. A thought-leader and published author on Governance issues, she has 25 years experience with enterprise-wide technology initiatives at Fortune 500 as well as mid-sized clients. Her background spans strategic needs assessment, CRM requirements, ERP implementation review, legacy evaluation, mergers & acquisition conversion, due diligence review, E-business planning, business continuity, data base administration, IT project management, and internal controls.

Austin Hutton, Principal at Shamrock Technologies, is a demonstrated leader with experience managing global technology organizations for Fortune 50 companies, serving as a contract CIO, and developing and managing consulting practices for a global IT consulting firm. His extensive experience dealing first hand with Governance issues in a global environment brings color to his “war stories” and validity to his recommendations.

Since 1990, Shamrock Technologies has been providing strategic, enterprise-wide analyses, requirements definition, project management and internal control services to both public and private sector clients. Specializing in large, inter-departmental special projects, the firm has recently been pioneering Governance issues. Past engagements include work at the City of Dallas, City of Ft. Worth, BNSF, COMPUSA, New Horizons Learning Centers, Reliant Building Products, Advocare, and Spirit International.

Concurrent Post-meeting 1:30pm

5th Annual Student Forum Post meeting

Students from the University of North Texas, University of Texas at Arlington, Louisiana State - Shreveport, and Midwestern State University will be attending the luncheon and participating in the Student Forum Post Meeting. At this meeting, Students will be given the opportunity to ask questions about the profession from panel members who are in industry, public accounting, internal audit recruiting, and consulting. Panel members this year include:

Earnest Thomas has over seventeen years of business experience including eleven years in audit and six years in tax accounting. He has public accounting experience and experience in numerous industries including manufacturing, mortgage, banking, insurance, property management, oil and gas, and governmental. He developed the initial internal audit policies and procedures manual, internal control risk assessment, audit charter and mission statement for a large financial institution. This past year, he performed a business process improvement review in the areas of human resources and payroll for a multi-billion dollar corporation. Earnest has been an audit professional with Jefferson Wells, International since April, 1999.

Maurice Gilbert, CPA has 20 years experience in finance. He started his audit career in public accounting before assuming a management position in internal audit with a Fortune 500 company. Additional experiences include commercial real estate management positions with GE Capital and Citigroup. Maurice is in the executive search business with Catterton, Inc. where he specializes in financial, operational and information systems audit.

Lesley Jeffcoat, CPA is an Internal Audit Manager for JCPenney in Plano, Texas and is involved with a combination of operational and financial audits. Prior to joining JCPenney, Lesley was a senior external auditor and financial operations manager with Arthur Andersen, LLP. Lesley received her Bachelor of Business Administration degree in Accounting from Texas Tech University and was a member of Beta Alpha Psi.

Rhonda Allen graduated from Dallas Baptist University with a Bachelors Degree in Finance. Rhonda is a Certified Information Systems Auditor (CISA), currently working as an Information System Specialist for Southwest Airlines. Rhonda has been with Southwest Airlines for two years as of January. Prior to her current position, Rhonda spent 4 years in the Internal Audit Department at The Associates First Capital Corporation which was acquired by Citigroup.

NOTE: There is no Pre-meeting this month due to the morning seminar.

Prizes, Prizes, Prizes

Reminder: The Dallas Chapter is giving a special Door Prize in May 2003. The prize will include a gift certificate toward dinner for two and the "Chocolate and Champagne" one night special at the Hotel Intercontinental, or equivalent. To be eligible, you must have attended 4 or more monthly meeting luncheons between September 2002 and April 2003.

Also, join us for the February Meeting with bigger $$ door prizes as part of our joint meeting with ISACA and Academic Relations.

This meeting is being held at CityPlace Conference Center.

The DART light rail station at CityPlace serves both the RED and BLUE lines. Check for schedules, routes and fare information at  http://www.dart.org/default.asp

Preferred Method:

The best method to place and confirm your reservation is via the web site at http://www.dallasiia.org/Reserve.htm.

Secondary Method:

An optional method is to use the telephone, fax, or e-mail. However, a $2 phone/fax/e-mail fee will be assessed to each reservation.

Reservations must be received by noon on Friday, February 7, 2003 or a $5 late fee will be charged.

We reserve the right to bill for "no-shows."

Please mark your calendar these meeting dates for the balance of the 2002-2003 chapter year:

• March 20, 2003
• April 17, 2003
• May 13, 2003

We Now Accept Credit Cards - Online Only

The IIA Dallas Chapter, in conjunction with PayPal, will now accept payment online for the monthly luncheons. There is no change in the cost to you for the lunch. We accept VISA, MasterCard, Discover, American Express, or eCheck. Note that some corporate-issued cards are not accepted by PayPal. This service is only available online at the time the reservation is made. This can be used to pay for individual or group reservations. Follow the instructions on our website. If you properly cancel a reservation before the meeting, the Chapter will either return the funds to you or reserve you for the next meeting. Any questions, contact Lynn Allsup, Treasurer, 214-559-1630 or Lynn.Allsup@RepubLink.com.

After you place your reservation online, you will see the link to pay via PayPal if desired.

Chapter Seminars

Review Course for May 2003 Exam -
It's not too late, but time is running out!

The Dallas Chapter will once again sponsor an interactive CIA review course to help prepare candidates taking the May 2003 CIA Exam. This four-day course will be taught by Dr. Glenn Sumners, Director of the Center for Internal Auditing at LSU. The review course will be held as follows:

• Part I - Friday, February 7, 2003
• Part II - Saturday, February 8, 2003
• Part III - Sunday, February 9, 2003
• Part IV - Monday, February 10, 2003

Each review course session will run from 8:00 AM to 5:00 PM.

For further information on the review course, including cost, location and registration, log on to the IIA Dallas Chapter website at http://dallasiia.org/CIAReview_S03.htm.

Dallas IIA Student Day Seminar and Forum

Are you up to date on the latest things Auditors must consider in Risk Awareness? Are you properly considering the objectives and the risks your corporation is facing to achieve those objectives? The Dallas Chapter will present the answers to these questions and the various perspectives on the trends in Audit’s Role in Risk Management and Awareness on February 13, 2003 from 8:00 a.m. to 12 noon at CityPlace Conference Center.

Presenters at this seminar will be:

• Howard Johnson, Chief Audit Executive & Senior V.P. for JCPenney, will discuss how internal auditors incorporate risk assessment into all the major aspects of their audit work - from assessing the overall control and governance environment in their organization down to individual audits. Specific topics that will be addressed include: What are the biggest risks facing an organization today? How can auditors help mitigate these risks? What can an audit staff do to be in the best shape to help their company effectively manage risk? How can an audit staff use technology to monitor the control environment in your Company? How can auditors get involved in overall risk management activities?
• Al Bazis of DART and Kathryn Barton of Lone Star Technologies will discuss the latest trends in Control Self-Assessment and how it benefits the organization. If you are considering implementing CSA, you will benefit from this presentation. Mr. Bazis and Mrs. Barton bring experience in successfully implementing CSA in organizations they have been involved with.
• Thomas Keils and Scott Graham of Protiviti Consulting will bring all this together by discussing how you can use this and other information to successfully develop your audit plan to help your organization meet its organizational objectives.

Your registration fee includes this 4-Hour CPE credit seminar and the monthly IIA luncheon at CityPlace. In addition, you will be supporting the Dallas Chapters’ efforts in keeping local area universities involved in our great profession.  Make checks payable to Dallas IIA and send to: Jeff Seutter, JCPenney Co., PO Box 10001, Dallas, TX, 75301-4305

To register go online http://dallasiia.org/Student_day_03.htm or contact Keith Howell at HowellK@aafes.com (214-312-6460) or Jeff Seutter at jeseutte@jcpenney.com (972-431-8906).

Registration Fees: (Includes The Monthly Lunch Fee)

$75 For Members
$85 For Non-Members

Seminars in Plano

The IIA would like to invite Dallas chapter members to the upcoming IIA seminars being held the week of March 10 - 14, 2003 at the DoubleTree Hotel & Executive Meeting Center, 7120 Dallas Parkway, Plano/Legacy Town Center. Contact the hotel at 972-473-6444 for details and to make lodging reservations.   There is a special room rate of $135 single or double occupancy for reservations made prior to February 17th. This is on a first-come, first-served basis for the allocated number of rooms for The IIA attendees.

We will be offering the following seminars (Click on any Seminar title to link back to The IIA Web site to get full course descriptions, who should attend, and to register, etc):

The costs are:

• 4.5 days $1,095 members/$1,220 nonmembers
• 3 days $1,345 members/$1,470 nonmembers
• 2.5 days $855 members/$980 nonmembers

Full course information, fees, benefits, etc. are accessible through the IIA's Seminar Page or the links above. Registration can be made online or by calling Customer Service at 407-937-1111.

All of these seminars qualify for the FOUR CAN ATTEND FOR THE PRICE OF THREE special offer except for the Audit Smart and ACL for Windows courses. For every three people from the same organization who register for the Dallas seminars and pay together, the fourth person can attend FREE. The least expensive of the four registration fees will be paid by The IIA!

The IIA hopes several of our members will take advantage of this training right in our own backyard.

Chapter News

Report Your Speaking and Writing

It's time again for the survey to determine which IIA Dallas Chapter members have submitted articles or spoken during January, or earlier if not previously reported. Each speaking engagement on internal auditing that a Dallas Chapter member completes will earn the Chapter 1 credit per CPD hour. Each full article, Roundtable article, Fraud Finding, etc. submitted that meets basic editorial guidelines will earn 5 credits. For each full article published 20 credits are earned. Each internal audit related article published in any other trade or professional journal that is authored by a chapter member is 5 credits.

To report your writing and speaking go to http://dallasiia.org/Speaking.htm and complete the provided form by February 15, 2003. Contact Magdalena Kovats (972-389-3344 or magdalena.kovats@mckesson.com) if you have any questions.

Phone Call Opt Out

If you want your name removed from our reminder phone call list, go to the chapter website. Click on the "Members" tab and then click on "Opt Out."

IIA Research Foundation

The Research Foundation’s newest publication is entitled Mergers. Acquisitions and Divestitures: Control and Audit Best Practices. This research examines current practices employed by internal audit departments in support of mergers, acquisitions, and strategic alliances. It targets the challenges to the control processes which emerge as different business cultures are blended into one entity. Similarly, this research examines the participation of internal audit departments in organizing, staffing, reporting, and monitoring the business combination activities. Finally, it codifies the activities of leading-edge companies and reaches consensus regarding elements of effective internal audit practice.

Membership Updates

Please welcome our newest members:

CIA Exam

There is plenty of time to prepare for the May CIA exam. The registration deadline is March 31st.

Make a commitment to become certified in 2003!

Visit the IIA website at theiia.org (certification tab) for test information and study aids or call (407) 937-1100.

Who Else is Interested in Evaluating Internal Controls: A COSO-based Approach Training in Early 2003 and Saving on Travel and Training Costs?

To help manage our travel and training costs and meet training goals, I'm looking for other Dallas area audit departments willing to commit to sharing the costs of bringing this IIA training course to our area March 13-14, 2003. The IIA offers this highly rated course outlined below. However, the IIA is not offering it in the Dallas area this year. Therefore, I would like to bring the seminar to us and spread the costs among other area audit departments and we can all win.

Follow this link to review the course description: http://www.theiia.org/iia/seminardetails.cfm?RequestTimeout=500&semID=30

Please contact me if you are interested in attending or sending staff to this seminar

Kathryn Barton, bartonk@lonestarstech.com or 972-770-6400.

Career Opportunities

Are you currently in the job market either voluntarily or involuntarily? Let the Employment Committee help you. Send us your resume and we will include you in our resume database. We receive calls from recruiters and hiring managers for open positions and will forward your resume if there is a match. We get calls for staff to director levels, IT to finance, local to out of town. All inquiries will be handled confidentially. If you have any questions, we will have a table set up at the next chapter meeting, or give us a call or e-mail us. We look forward to helping you.

• Brad Bates (chair) 214-840-7364 bbates@deloitte.com
• Fred Herman 214-273-0877 fherman@dynacare.com
• Rene Scott 972-855-4371 rscott@komen.com

CURRENT OPPORTUNITIES AS OF 1/15/03 FOR AUDITORS

THESE ARE PERMANENT OPPORTUNITIES, NOT CONTRACT!!!

Please note these are thumbnail sketches, to learn more details, email or call.

• Senior Auditor - travel 15-25% of the time - 7+ years of audit experience - CPA a must - location is in NE Dallas - 50/50 financial/operational audit - team of 5 - heavy interaction with Executive Management -- $65-75K
• Auditor (4 openings) -- travel 50% of the time - 2-7 years of audit experience - CPA or CIA or strong candidate - location is in N. Dallas - strong preference towards folks with Public Accounting experience - 80/20 financial/operational audit - team of 25+ -- up to $65K depending on experience
• Auditor II (2 openings) - external audit for local Public Accounting firm of about 100+ professionals - 2+ years of experience - location is in N. Dallas - 90/10 financial/operational audit - up to $60K

Contact Information:

Todd K. Baker
Executive Recruiter
RemX Financial Staffing
(972) 726-7369 phone
(972) 726-0377 fax
toddb@remxfinancial.com
http://www.remxfinancial.com