KPMG Canada
Over a 19-year period, Anthony supported the development and growth of the KPMG Canada IT Advisory practice, specializing in IT risk assessments and related IT audit and compliance projects. He also held key roles in project quality assurance, information security assessments and internal support for practice development and management. Key highlights below:

Service Provider Audit Highlights
- Led over 50 service organization control (SOC) audits of numerous service providers, clients each with varying levels of sophistication and complexity in their IT environments and processes, addressing business and IT processes, meeting time and budget schedules, and consistently achieving client satisfaction and high quality deliverables.
- Technology providers audited include Bell NHS, Nortel Networks, CGI, Capgemini and Research in Motion. For Nortel, assessed IT and business processes including 3PL manufacturing, inventory management, sales and distribution and the primary financial processes.
- Experienced with all variations of SOC1 standards (SSAE 16/18 and ISAE, SSAE, ASAE, CSAE 3402 equivalents) and SOC2 Trust Services principles

Internal Audit Key Highlights
- Project managed an internal audit co-source engagement with a major insurance company managing requirements and resources within North America and Asia, for approximately 4,000 hours. Engagements include topics of ICFR/SOX, cyber security, project risk assessments, application controls and general IT controls.
- Performed a detailed internal audit of the service delivery (change management, incident management, access management, project management, and systems development) controls at a North American hosted SAP delivery center for a professional services organization.
- Led the co-source IT internal audit engagement manager role for a Toronto based hospital over a three year period where I worked closely with the client’s chief internal auditor in identifying key areas of IT risk and the subsequent audit program. Worked in all phases of the audit planning, execution and reporting cycles of the planned audits.
- Led an IT internal audit of a federal agency’s IT processes and supporting controls using customized COBIT based self-assessment questionnaires.

External Audit Key Highlights
- Led IT risk and control assessments at numerous Top 20 Canadian companies in the financial services, manufacturing, retail and electronics sectors, evaluating all elements of the client’s IT environment including automated application controls, access/security controls, systems development, change management, incident management and computer operations.
- Assessed many large scale computing environments in a mainframe, mid-range or Windows context operating complex application environments such as SAP and Oracle and customized in-house developed applications.

Business Process Audit Highlights
- Evaluated and documented processes and controls across numerous business processes and industries including the revenue generation process at a major Canadian Telco provider, billing processes at a parcel shipment company, health and pension administration processes at several service providers, and a wide range of manufacturing, inventory, sales and distribution, financial management processes at industry leading organizations in Canada and the US.

Information Security Highlights
- Assessed and identified risks and weaknesses relating to security policies, procedures and system configurations of numerous platforms including:
- Assessed configurations as noted above, as well as numerous access/roles security related assessments, policies and procedures reviews, embedded application security assessments, network and cyber security management assessments.
- Led a cyber security assessment on a client's new web and mobile banking environment. Initially, assisted the client with the development of a range of IT policies which were used as a point of reference for the second phase assessment of the online banking environment. Using a combination of COBIT, ISO27001 and other cyber security methodologies and principles, assessed the robustness of the cyber security practices, prior to going live.

Other IT Risk and Control Highlights
- Led numerous IT Due Diligence assessments on a target client’s IT environment to assess potential hidden risks to the purchaser. Aspects reviewed included in-flight project implementations, IT resources, external support agreements, technology and IT process limitations.
- Led and participated in a number of Internal Controls assessments as part of the client’s Sarbanes Oxley or Canadian internal controls certification (ICC) requirements. Includes projects at two of Canada’s ‘big 5’ banks (with a focus on their capital markets business) and telecommunications companies.

Project Advisory Highlights
- Led the integrated project management QA, data validation and internal controls roles on a successful major US and Canada SAP implementation over a 2.5 year period. Also, co-managed the UAT component in the same implementation
- Led an internal controls and project risk assessment identifying risks to processing integrity at an implementation at a regional hospital
- Evaluated go-live and conversion issues and risks, highlighting areas of concern for a national meat manufacturing company and a global network device manufacturer
- Supported a system selection through the RFI and RFP stage at a pension plan administrator and a property management organization

Internal Support Roles
- Team Lead for 10 people evaluating performance, utilization and forward planning on resource needs; managed the resource planning and scheduling of annuity work for over 100 companies and approximately 25,000 annual hours
- Performance manager for many team members, who have subsequently achieved more senior roles in the practice
- Regularly interviewed potential incoming candidates for strengths and capabilities
- Led the business development of service lines instrumental in growing the base of service provider audit engagements, project advisory, and internal and external IT audit support
- Delivered numerous successful proposals and presentations to clients; consistently re-engaged for ongoing projects