WNY AUDIT TRAIL

2-7 WNY CHAPTER ITEMS OF NOTE

8 - FIVE RESOLUTIONS FOR INTERNAL AUDITORS

9-10 JUNIOR ACHIEVEMENT

11-12 WNY IIA BOARD OF GOVERNORS

JANUARY 2016 Dear Members,

As another new year has begun and resolutions are being made, I hope that one of your resolutions this year focuses on how you can better the internal audit profession. This may be f inally working towards obtaining your certif ication, passing on your expertise by mentoring another internal auditor, volunteering on your Chapter?s board, attending a training on a topic you are not as familiar with (e.g., attending an IT training even if you are not an IT auditor), and the list can go on. Taking one of the resolutions from the IIA President and CEO, Richard Chambers? 5 Resolutions for Every Internal Auditor?s List in 2016; ult imately I hope this year you step out of your comfort zone, as you just might be surprised at what you can learn, see, and accomplish!

I am very excited to announce that in February the Chapter will welcome Michelle Sullivan, Partner, and Matt Bowser, Principal, of Crowe Horwath to speak on one of the hottest topics in our f ield today; Third-Party Risk Management. As more and more companies out-source processes, whether it be due to cost, specialization, or eff iciency, the risks associated must be considered. A company that is looking to contract with a third-party or already has an existing agreement should have controls in place to review and monitor a third-party?s compliance with any regulations/ laws, privacy of company and consumer data, and effective information security program, naming a few considerations to be given. In advance of this event, I highly encourage you to read Ms. Sullivan?s recent article published on CFO.com, Three Questions for Managing Third-Party Risk, which is included in this newsletter. To register for the event, please see the event f lyer at page 4.

Lastly, each year our Chapter earns Chapter Achievement Points for the activit ies we provide to our members, as well as for activit ies performed by our members in attaining one of the Chapter status levels recognized by the IIA. For the past 7 years, our Chapter has had the great success of earning Platinum status, the highest level. In our journey to achieving Platinum status for an 8th year in a row, I would ask that if you or another member of the Chapter have been involved in activit ies such as Junior Achievement, submitted or published articles to professional journals (e.g., Internal Auditor magazine, CGMA magazine, Journal of Accountancy), spoke on internal audit topics to other chapters/organizations, are involved in the IIA?s Audit Executive Center or Research Foundation, or other activity involving internal audit, please let myself or any Off icer/Board/Committee member know as we can receive Chapter Achievement Points. We want to hear about your accomplishments and ensure that the IIA knows about them too! We also thank you for the contributions you make to the internal audit profession every day!

Wishing you all the best in 2016,

Mariya Balicki, CPA, CIA, CGMA

Make sure to visit the WNY IIA Chapter LinkedIn account and connect with your local Audit professionals!

HAPPY NEW YEAR!

1

IIA/ISACA ALL-DAY IT EVENT

The WNY IIA/ISACA Chapters are proud to announce the return of the highly anticipated and largely attended annual, all-day IT Seminar. There will be a number of exceptional speakers presenting on the most current and emerging IT-related topics.

January 14, 2016

Salvatore’s Italian Gardens

6461 Transit Rd., Depew, NY 14043

7:30 – 8:00am: Registration & Hot Breakfast

8:00 – 9:30am: Keynote Speaker - Julieta Ross, Chief Technology Officer at M&T Bank

9:30 – 10:45am: Larry Hessney, Director, Enterprise Risk Management & Technology Services at Freed Maxick CPAs P.C.

10:45 – 12:00pm: Archana Shenoy, Chief Operating Officer at NexusPoint

12:00 – 1:00pm: Hot Lunch

1:00 – 2:15pm: Matthew Clohessy, Audit Manager of First Niagara Financial Group

2:15 – 3:30pm: Jim Raub, CISO & VP Enterprise Infrastructure at Eagle Dream Technologies

3:30 – 5:00pm: Keynote Speaker – Mike McCartney, President and CEO at Digits LLC

CPE: 8 hours

Cost: Individual - $120 per person

Group - $100 per person with registration of

3 or more individuals from the same organization

To register for this event, please access the Eventbrite page at https://www.eventbrite.com/e/iiaisaca-all-day-it-event-tickets-20036360293 by

January 11, 2016.

Join us back where it all began, New York City, for The IIA’s International Conference, July 17–20, 2016. Celebrate The IIA’s 75th Anniversary and embark on an educational journey rich with insights for internal auditors at every level, including one full track in Spanish.

Ten Educational Tracks:■■ Influential Leadership: A View From The Top

■■ Emerging Practices: Staying a Step Ahead

■■ Building the Structure Through Ethics, Governance, and Compliance

■■ Financial Services: Heightened Expectations

■■ Deconstructing Today’s Fraud for Tomorrow’s Controls

■■ IT: Elevating the Business Experience

■■ Rising to the Challenge in the Public Sector

■■ Soaring Above Risk and Exposure (Select Industries)

■■ Spanish Track: Tendencias de Auditoría Interna, Desafíos y Soluciones (Internal Audit Trends, Issues, and Solutions)

■■ The IIA’s CIA Learning System® Review

Network with 2,000+ peers from more than 100 countries, stay on the leading edge of internal auditing, and enjoy the sights and top attractions that New York City has to offer.

Register early and enjoy special 75th Anniversary rate, US$1,941!

Visit ic.globaliia.org for details.

NYC 2015-1862

Internal Audit Rising… 75 Years of Progress Through Sharing

WNY IIA FEBRUARY EVENT

THIRD PARTY RISK MANAGEMENTPRESENTED BY: MICHELE SULLIVAN, CPA | PARTNER & MATTHEW BOWSER, CIA, CISA | PRINCIPAL FROM CROWE HORWATH

February 23, 2016

12pm - 1pm Lunch | 1pm - 4pm Presentation

Harbor Center @ 100 Washington St, Buffalo, NY 14203

60$ Members | 65$ Non-members | 3CPEs

Parking will be available in the Washington St. ramp and parking validation will be provided at the event. From the ramp, elevators are available from Level 2 for direct access to 716 Food and Sports.

To register for this event, please send an email to iiawnychapter@outlook.com by February 16 and include your name, company, member status (member/non-member).

Three Questions for Managing Third-Party Risk

By Michelle Sullivan

(See original article at CFO.com here.)

In light of increased outsourcing and third-party involvement in day-to-day business operations, financial management functions in all organizations play an important role in third-party risk management programs. A thoughtful approach to better risk management can facilitate reduced costs, a continued focus on core capabilities, and increased growth and innovation, while also managing the exposures associated with third-party relationships.

Recent trends in third-party risk management represent a noticeable shift toward balancing regulatory requirements and senior management and board expectations for risk acceptance against a company?s business model. By asking themselves the following three questions related to third-party risk exposure, financial officers can gain meaningful insight into their company?s third-party risk management efforts that can help them to better manage risk and improve financial management decisions.

Does our company have a full inventory of its contracts and agreements?

Common Issues:

- While most companies have some type of contract management system, many typically use low-tech storage facilities ? like databases containing scanned copies, or even hard copies in file cabinets ? from which data can?t be extracted. Such storage facilities rarely contains complete records of all executed contracts, and even simple data like contract renewal notification and expiration dates are not tagged or automated.

- Storage facilities typically house multiple documents related to vendors and services, including master service agreements (MSAs), nondisclosure agreements (NDAs), statements of work (SOWs), amendments, and purchase orders (POs). These documents often are not stored in an easily accessible fashion, and the database they are stored in often is not relational.

- MSAs frequently are evergreen, which in the past was a workload reduction tactic because they were not thought of as risk management tools.

- Contract terms and conditions don?t keep pace with changes to regulations and the business environment.

- Financial reporting and accounting concepts such as unrecorded liabilities, contingencies, and financial commitments exist but are not understood or monitored.

Potential Solutions:

- Companies should do a complete inventory of critical relationships to ensure that they have a complete inventory of current contracts. The contracts should be assessed to determine if they meet current regulatory and business requirements, that the associated documents are relational, and that data within the contracts is meta-tagged.

- Companies should establish standard, required contract terms and use technology to track compliance. Increasingly, contracts are moved into third-party risk management systems for a ?single-book-of-record?

view and improved risk management beyond basic compliance.

2.How do we know that our relationships comply with the agreements in place?

Common Issues:

- Processes focused on post-contract management and monitoring requirements may be immature. Financial and invoice reviews often are delegated to staff-level resources who lack experience, and the more complex the relationship the harder it is to tie invoice charges back to negotiated contracts and pricing.

- Monitoring the degree of performance under service-level agreements (SLAs) and other performance metrics most often has been connected to IT-related contracts. In today?s competitive global marketplace, however, vendors and other third parties are more inclined to offer an array of SLAs that are attractive and meaningful to their customers. Ensuring that the company is realizing the benefits of SLAs is an important component of third-party risk management that can often have an impact on the bottom-line.

Potential Solutions:

- Forward-looking financial management functions help increase consistency and reduce workload for internal resources by establishing standard key performance indicators for critical relationships and using technology and portals via which third parties provide performance data.

- An experienced professional should analyze significant contracts that have been in force for some time to identify those that pose a higher risk for billing-related discrepancies. Processes and controls should be established and enforced to manage these risks going forward.

- Examine contingency engagements to identify billing variances and cost-reduction opportunities, particularly for services such as IT and telecommunications.

- SLAs are important to many types of relationships, and third-party risk management technology can be used to track and report on deteriorating performance in critical relationships.

- Information technology risks should be the responsibility of the line of business (first line of defense and relationship owner) and information technology or security subject-matter experts (second line of defense and risk expert) within a company. In addition, it is very important for risk committees to report on emerging risks and serious incidents and to ensure that these events are being remedied in a manner that aligns with the company?s overall strategy.

3.How do we identify all relevant third parties and manage the overall effort?

Common Issues:

- The potential universe of third parties within an organization can seem endless ? from global companies to intercompany affiliates to mom-and-pop providers.

- The potential universe of third parties is never constant. Companies constantly are on-boarding and terminating third parties and expanding or reducing

third-party services.

- While it is important to build data and artifacts (certificates of insurance, documentation of financial viability, or SOC reports, for example) that support your risk assessment at the third-party relationship level, it is easy to lose sight of the plan to address the entire population of third-party relationships. That population includes not only vendors but perhaps also (depending on how the company defines ?third party?) franchisees, commissionable external salespeople, or debt holders, among others. This is one area of risk management where completeness counts.

Potential Solutions:

- Create a strategy and roadmap to systematically identify third parties using an inclusive definition.

- Invest in the initial data-gathering phase and involve others across the enterprise. Effective sources of relevant information include surveys conducted by the various lines of business, contract facilities and databases, accounts payable systems, and legal counsel. The process needs to be sustainable or the population soon will become invalid.

- Perform an initial review of third-party relationships by identifying categories and potential risk factors to assist with prioritizing the evaluation. The project strategy and roadmap should start with the third parties that pose a higher risk.

- The project roadmap should include necessary activities and the timing and resource needs related to existing and future third-party due diligence and assessments. Realistically, when a company does an initial assessment of all third-party relationships, resources may need to be increased temporarily until the backlog of assessing existing third parties is completed and a sustainable cadence is in place for new third-party relationships.

Moving Forward

As organizations work to effectively manage the risks associated with third-party relationships, their financial functions are applying a more thoughtful approach to better risk management. Working through the three important questions discussed here can help financial officers reduce costs, manage risks, focus on core capabilities, and potentially increase growth and innovation.

Michele Sullivan is a partner with Crowe Horwath. She can be reached at michele.sullivan@crowehorwath.com.

5

The WNY Chapter of the IIA welcomes the following new members:

Patrick Hanavan & Vince Iwanski from First Niagara Bank, Megan Romeis from Freed Maxick CPAs, PC, and Tim Korn & Andrew Reading from Dopkins & Company, LLP

WNY CHAPTER ITEMS OF NOTE

6

IIA / ISACA All-Day IT Event

January 14, 2016

Salvatore's Italian Gardens

6461 Transit Rd., Depew, NY 14043

7:30 - 8am: Registration & Hot Breakfast

8am - 12pm: Speakers

12 - 1pm: Hot Lunch

1 - 5pm: Speakers

CPE: 8 hours

Cost: Individual - $120pp / Group - $100pp with 3 or more registrants from same organization

JANUARY EVENT

Third Party Risk Management

Presented by Michele Sullivan, CPA |Partner, and Matthew Bowser, CIA, CISA| Principal, from Crowe Horwath

February 23, 2016

Harbor Center

100 Washington St, Buffalo, NY 14203

12 - 1pm: Lunch

1 - 4pm: Speakers

CPE: 3 hours

Cost: $60 Members | $65 Non-members

FEBRUARY EVENT

The WNY Chapter of the IIA would like to congratulate the following members for obtaining their certifications:

Jordin Staschak, Mary Young, and Jonathan Wilkins for obtaining the Certified Internal Auditor (CIA) designation.

Congratulations!!!

Book Item No: 1195 Member Price: $40.00 / Nonmember Price: $50.00Visit www.theiia.org/bookstore

CRMA Exam Practice Questions If earning your CRMA designation is one of your professional development goals, this guide will help you get there faster.

Certification in Risk Management Assurance® (CRMA®) Exam Practice Questions is designed to help you prepare for the CRMA exam. The book provides 150 practical scenario-based questions as well as those of a more theoretical nature. Suggested solutions provide reference to specific sections of the CRMA Exam Study Guide (www.theiia.org/bookstore, item #1130) and the reference appendix offers sources for further study.

Within this comprehensive collection, the questions cover the four domains in the CRMA exam:

• Domain I: Organizational Governance Related to Risk Management

• Domain II: Principles of Risk Management Processes

• Domain III: Assurance Role of the Internal Auditor

• Domain IV: Consulting Role of the Internal Auditor

After reviewing the questions in each domain, you will have a clearer understanding of the exam content. This analysis and reflection will help you determine when you are ready to sit for the actual CRMA exam.

New Release From The IIA Research Foundation

2015

-123

3

5 Resolutions for Every Internal Auditor's List in 2016

By: Richard Chambers

December 7, 2015 ?

New Year's resolutions typically are made in the midst of good feelings surrounding the holidays as we look back at the past year's accomplishments. That's what makes them tricky. We set lofty personal goals for weight loss or quitt ing bad habits or being more productive at work at a time when we are most nostalgic and well-rested. I try to approach my resolutions related to work realistically, understanding the limitations of t ime, resources, and energy. That's not to say they are made without some ambition and optimism.

This is the mind-set I used to identify "5 Resolutions for Every Internal Auditor in 2016." Each was considered in light of the growing workload most internal audit functions are experiencing, the anticipation of modest gains in budgets, and the growing challenge of f inding qualif ied internal auditors.

Resolut ion 1: Be At tuned to Upcoming Regulatory Changes

Each New Year brings with it a bevy of new business regulations, deadlines, and extensions of existing rules. We must familiarize ourselves with these in order to assist the organizations we serve to mitigate compliance risks.

These will vary depending on business sector, but some regulations apply broadly, such as wage-and-hour regulations defining exempt vs non-exempt employees. Others on the horizon involve Financial Accounting Standards Board rules on accounting for deferred revenue, and lease accounting standards. Executive compensation ratio reporting under the Dodd-Frank Act won't kick in until 2017, though the groundwork will have to be laid this year.

Whatever sector you work in, endeavor to know the rules and regulations that apply to your organization and your industry, and develop relationships with sources outside of your team who can help you stay abreast of changes.

Resolut ion 2: Advocate for Mandatory Internal Audit in Publ icly Traded Companies

In September, The IIA sent a letter to the U.S. Securit ies and Exchange Commission seeking mandatory internal audit for all publicly traded companies. Such a mandate, in my view, is long overdue. In light of many spectacular corporate scandals in 2015, one would expect the presence of an independent and well-f inanced internal audit function to be a welcome addition to any organization.

Every internal auditor should be ready to make the case that strong and competent oversight of

governance, risk, and compliance issues is not a challenge to management. Instead, it is a powerful and useful tool for management and the board that can help improve eff iciency and effectiveness, boost prof it and competit iveness, and provide transparency and assurance to investors.

Crit ics might characterize such a mandate as another regulatory burden, but as counter-intuit ive as it may seem, such a mandate might mitigate the need for further regulation in the long run. A strong internal audit function discourages and deters fraudulent acts and corruption that can lead to crises that invariably are followed by waves of new regulations (e.g. the Sarbanes-Oxley Act, Dodd-Frank, and others).

Resolut ion 3: Be Wary of Internal Audit 's Expanding Scope of Work

In my previous blog, I referred to an internal report on the Toshiba scandal that placed some of the blame on the company's internal audit function. I warned that, as internal audit 's scope of work has evolved and expanded, so has the risk of overwhelming the internal audit function.

As individual auditors, we must approach this challenge in two ways: First, understand your own limitations and the limitations of your team. Whether in specialized areas, such as IT auditing, or in taking on new roles, such as auditing culture, we must be honest and aware of our skil ls and limitations. Second, we must make the commitment to invest in training to strengthen those weak areas.

There is a growing labor shortage in internal audit (more on that below), which means we cannot rely solely on hiring new talent to strengthen our teams.

Resolut ion 4: Invest in Talent Management

Throughout 2015, there were growing signs that organizations were struggling to f il l internal auditor positions, placing a premium on keeping the talent we have on staff . Poaching the best of the best is not uncommon, especially in sectors where internal auditors are most in demand, such as f inancial services.

A new Practice Guide from The IIA, Talent Management: Recruiting, Developing, Motivating, and Retaining Great Team Members, offers a comprehensive approach to the matter as it relates to IIA Standards, as well as a step-by-step approach to talent management, from understanding stakeholder needs to outsource and co-sourcing.

While the Practice Guide offers solid, practical advice for CAEs, individual auditors also can help to expand and strengthen their contributions to

the audit team by investing in themselves. Professional development through additional training, certif ications, networking, and more supports the internal audit function's ability to meet new and growing stakeholder expectations.

Resolut ion 5: Step Out of Your Comfort Zone

This may be the best resolution you can make this year ? or any year. The demands being placed on internal audit will continue to grow as business risks expand and accelerate. New technologies, increased global market opportunities, cybersecurity, and other factors inf luencing business demand that internal audit and internal auditors venture outside of their safe zones. The upcoming North American Pulse of Internal Audit report will examine this concept in depth, but for now, it is important to consider changing our mind-sets.

I'm not encouraging reckless behavior or strategies that conflict with internal audit 's long-established core principles or ethics. However, internal audit professionals should be open to examining how internal audit can help their organizations in nontraditional areas.

I hope you'll take these resolutions to heart in 2016. Each will help you contribute to strengthening your skil ls and improving the value internal audit offers its stakeholders.?

If 2016 follows the lead of recent years, we will be looking back a year from now ref lecting on the extraordinary developments that we didn't see coming. Until these events develop, I encourage you to adopt a set of professional resolutions for the New Year that will enhance your chances for success.

See original article here.

8

Get Involved:

9

Junior Achievement of WNY Program List: Kindergarten – 12th grade

*The programs listed below are some of our most popular; for a complete list please go to www.jawny.org.

10

2015-2016 Board of Governors

* - Denotes Board of Governor Position per By-laws

Position Name Contact Information

President* Mariya Balicki, CPA, CIA M&T Bank

(716) 842-5971 mbalicki@mtb.com

Vice President* Ashley Kinnear, CISA M&T Bank

(716) 842-5558 akinnear@mtb.com

Treasurer* Steve Doe, CPA M&T Bank

(716) 842-5839 sdoe@mtb.com

Secretary* Daria Adolph, CIA, CMA Derrick Corporation

(716) 206-9019 daadolph@derrick.com

Immediate Past President* Leonard Soldano, CISA, CTGA, ISA, PCIP

M&T Bank (716) 839-6947

lsoldano@mtb.com

Second Past President * Deborah Kassirer, CPA, CIA, CRMA, CCSA

Roswell Park Cancer Institute (716) 845-5788

Deborah.Kassirer@RoswellPark.org

Third Past President * Deborah Schmitt, CPA, CIA

National Fuel (716) 857-6941

krugerd@natfuel.com

Academic Relations Co-Chairs*

Heidi Martin - PwC Kate Sheer - M&T Bank

(716) 855-5925 heidi.a.martin@us.pwc.com (716) 842-5636 ksheer@mtb.com

Advocacy Chair* Marcos Manunta, CIA - New Era Cap Timothy Battaglia, CIA - New Era Cap

(716) 604-9000 ext.1455 Marcos / ext.1461 Tim marcos.manunta@neweracap.com /

tim.battaglia@neweracap.com

Associate Trustee* Maureen Cilano, CPA, CRMA, CCIPA

Evans Bank (716) 926-2000 ext. 1362 mcilano@evansbank.com

Budgeting & Reporting Committee Chairperson

Lisa Bialek M&T Bank

(716)842-2321 lbialek@mtb.com

Financial Controls Committee

Brittany Barr - First Niagara Stacey Chaffee - First Niagara

Brian Steinmetz - First Niagara

(716) 848-8457 Brittany.Barr@fnfg.com (716) 848-8477 Stacey.Chaffee@fnfg.com (716) 851-8380 Brian.Steinmetz@fnfg.com

Certifications Chair & CIA Chairperson*

Maureen Dunn, CCSA - Evans Bank Jeffrey Barnett, CIA, CCSA - Benderson Develop-

ment

(716) 926-2005 Maureen/ (716) 878-9658 Jeff mdunn@evansbank.com jeffbar-

nett@benderson.com

Meetings & Attendance Coordinator*

Margaret McWilliams, CIA, CISA, CRISC National Fuel

(716) 857-7019 mcwilliamsm@natfuel.com

Membership Chairperson* James Bandinelli - M&T Bank

Justin Bonk, CIA, CFE, CISA - Freed Maxick CPAs P.C. (716) 842-5618 jbandinelli@mtb.com

(716) 332-2680 Justin.Bonk@Freedmaxick.com

Newsletter Chairs Jeremy Fay, CISA M&T Bank Amber Buttles, CIA - Citigroup

(716) 842-2323 jmfay@mtb.com (716) 730-8242 amber.buttles@citi.com

Seminar and Events Co-Chairs*

Stephanie Coughlin - Evans Bank Michael Buziak - First Niagara

Patricia Johnson - Canisius College Ashley Hubbard - M&T Bank

(716) 926-2040 x3723 scoughlin@evansbank.com (716) 848-8469 michael.buziak@fnfg.com

(716) 888-5947 johnsonp@canisius.edu (716)842-5046 ahubbard@mtb.com

Website and Survey Admin-istration Chair*

Ellen Janicki, CIA, CRMA M&T Bank

(716) 842-2316 ejanicki@mtb.com

11

2015-2016 Board of Governors, Continued

Board Member* Micheal Ohlweiler, CPA

Partner, KPMG LLC (716) 796-6039

mlohlweiler@kpmg.com

Board Member* John D'Angelo

General Auditor, M&T Bank (716) 842-5551

jdangelo@mtb.com

Board Member* Eugene Cullen, CCSA, CRMA

VP of IA and Advisory Services, Roswell (716) 845-8374

Eugene.Cullen@RoswellPark.org

Northeast District Advisor Lynn Theriault lynn.theriault@caltech.edu

Northeast District #3 Lindsay Prichard (585) 423-8946

lindsay.prichard@xerox.com

Chapter Support - IIA HQ Donna Wiley Donna.wiley@theiia.org

12