Expanding Your IT Audit Exposure


Friday, April 14, 2017 from 8:00 AM to 4:30 PM EDT


George Mason University - Arlington Campus 
3351 Fairfax Drive
Founder's Hall Classroom 113
Arlington, VA 22201


Virginia Square Metro (Orange & Silver lines)


Toan Do 
IIA Washington, D.C. 


IIA Member: $150
Non-Member: $175

Last day to register is April 7th, 2017

*Note – Walk-ins without prior registration cannot be accommodated due to security concerns.

More Information

8 CPE credits will be awarded to attendees.

Attendees will be served a continental breakfast and lunch.


8:00 to 8:20 AM - Continental Breakfast & Registration
8:20 to 10:00 AM - Session 1
10:00 to 10:15 AM - Morning Break
10:15 to 11:45 AM - Session 2
11:45 AM to 12:45 PM - Lunch & Networking
12:45 to 2:00 PM - Session 3
2:00 to 2:15 PM - Afternoon Break
2:15 to 4:30 PM - Session 4


Broaden Your IT Audit Knowledge with the following topics in this 1-Day Event!

Social Networking –
Business, Compliance & Audit Implications

EXECUTIVE SUMMARY: Most corporations have social media sites for their customers and clients. These sites could be sources of security risks for the company and the personnel using them. This session will discuss these issues from the corporation’s perspective and from the individual’s perspective.


  • What it is & How it is used
  • Survey Results
  • Various Issues
  • Audit & Control Implications
  • Risk Mitigation

Crisis and Change Management – Internal Audit Involvement

EXECUTIVE SUMMARY: This session will review the implications and impacts of crisis management and organizational change management and what the internal auditor may need to do.


  • Definition: Reputation Integrity & Crisis
  • Crisis Management Planning
  • Crisis Management Execution
  • Audit’s Role
  • Definition: Organizational Change Management
  • Impacts on the organization
  • What may be needed from Internal Audit

Outsourcing and the Need for Supplier Audits

EXECUTIVE SUMMARY: This presentation will discuss the reasons why companies use third-party suppliers, either in an outsourced arrangement or in a true vendor arrangement, the risks involved and what audit should be doing.


  • Understanding the risks from a security and privacy perspective
  • Contract elements
  • Minimum security requirements that should be put in contracts
  • Supplier Audit techniques


EXECUTIVE SUMMARY: More companies are trying to reduce their internal expenses for company-owned devices by allowing employees to use their smartphones, iPads, etc. to access company data. This poses significant risks of data loss and security breaches. The auditor must be aware of this and be able to comment upon the strategy being proposed.


  • Understand the risks associated with allowing employees to use personal devices for business activities
  • Understand the controls that are needed in this environment
  • Audit or participate in the pilot of a BYOD initiative
  • Provide management with meaningful recommendations


Speaker Bio

John Gatto was with Health Care Service Corporation (HCSC) in Chicago, IL from December 2005 until his retirement in January 2015. He was the Divisional Vice President, Audit Services, and was responsible for all aspects of IT Audit for the five Blue Cross Blue Shield Plans comprising HCSC (Illinois, Texas, Montana, New Mexico and Oklahoma), encompassing NAIC / MAR compliance and testing, risk-based audits, advisory engagements for new development projects, and coordination of SOC-1 and SOC-2 reviews and E&Y Year-End Financial Audits. John was a member of a number of Steering Committees within the IT area of HCSC.

Prior to HCSC, John worked at Federal-Mogul in Michigan as the SOX coordination supervisor, Avery Dennison in California as a Project Manager, and spent 13 years with Horizon BlueCross BlueShield of New Jersey, where he was Director of Systems Audit, Customer Audit and Operations Audit.

John has over 45 years of audit experience, most of it in the IT Audit arena. He is a CISA and CRISC and has his MBA from Fairleigh-Dickinson University in New Jersey. John is a frequent speaker for the BCBSA, IIA and ISACA organizations. In 2010 he was named “Educator of the Year” by the Chicago Chapter of the IIA.

Since retiring, John has spoken at the Southeastern and Southwest Intergovernmental Audit Forums, the ISACA CACS Conference and at the ISACA Chapters in South Carolina, North Carolina, Harrisburg, New Jersey, Minnesota, New Mexico and Central Florida. He is focusing on speaking on a range of topics such as PCI, BYOD, Disaster Recovery, etc. Descriptions of these sessions are available upon request.