Summary

A dynamic, certified and degreed professional experienced in formulating and executing the strategy, objectives, processes and tactical plans to manage Enterprise Risk, Audit, Information Security, IT Governance, New Regulatory Compliance, and Regulatory Exam Programs efficiently leveraging existing assets, or supply chain business partner resources. Acquired extensive risk-based expertise executing a wide range of Internal and External Audit, Change Management, Data Governance/Integrity, Operational Risk, Information Security, IT Governance, Regulatory Compliance and Application Development Engagements, Initiatives and Projects.

Highly effective in managing risk to acceptable levels and resolving issues that trigger control exceptions. Adept at building or re-designing risk-focused programs, including the creation of Policies, Baselines, Standards, Processes and Procedures to manage risk exposure, and threats and vulnerabilities that may compromise IT assets or impact IT Confidentiality, Integrity and Availability.

A decisive and innovative leader with excellent communication skills who leverages an assertive, collaborative and persuasive personality to deliver sustainable and transformative results. Acquired 10+ years of experience managing Internal and External Audits (HIPAA, J-SOX, SOX, PCI DSS), and multiple programs and projects impacting Information Security (FISMA, ISO-27001, ISO-27002, NIST SP-800-53), Data Integrity, Privacy (GLBA), IT Operations (ITIL) and Regulatory Compliance and Exam engagements with U.S. agencies (CFTC, DTCC, FDIC, FFIEC, FRB, OCC, OFAC) for publicly-traded, non-profit and privately-held organizations. Complements this solid skill set with sound Accounting, Finance and IT acumen and resourceful research knowledge that helps improve operations. Well-trained MBA with extensive practical experience designing, deploying, testing and managing risk programs, including:

▪ Identity & Access Management: Design, Policy Assessments, Retooling

▪ Accounting/Finance/IT Process Design, Testing, Optimization 

▪ Operational Risk, Threat, Vulnerability, Incident Management Resolution 

▪ BC/DR Strategy, Documentation, Management, Situational Testing 

▪ Corporate & IT Governance Strategy, Design, Deployment, Management

▪ Internal Control Design, Operating Effectiveness Testing, Rationalization

▪ Enterprise Risk Strategy, Design, Execution, Management, Realignment

▪ Regulatory Exams - Readiness Assessments, Testing, Remediation

▪ IT Audit (Internal/External) Planning, Scoping, Testing, Issue Resolution

▪ FISMA/FFIEC/GLBA/HIPAA/NIST/PCI/SOX/SSAE-16 Testing, Management 

▪ Information Security/Privacy Program Design, Project Management 

▪ New Regulatory Compliance: Scoping, Readiness Assessments, Activation    

Work History

VP, SR. (IT) BUSINESS CONTROL SPECIALIST (TECHNOLOGY RISK LEAD) 

BANK OF AMERICA CORP.

▪ Audit (Direct, Indirect, and Integrated) / ECF QA & ECIO BCMR QC Engagement Planning, Testing, Reporting & Remediation: Partnered with BAC Corporate Audit, Application Owners, ECIO SSPM (Shared Services Production Management) and other technical support resources to execute scheduled Audit engagements throughout the year to test the Design and Operating Effectiveness of IT controls. As the assigned Technical Risk Partner, formulated and deployed solutions to resolve issues identified. Prepared and submitted progress updates for reported findings to Audit, ECIO BCMR, Enterprise BCMR, impacted Enterprise Control Function groups and senior technology management on a cyclical basis (any of the 284 applications could be scoped).


▪ Internal Control Design & Operating Effectiveness Monitoring, Risk/Root Cause Identification, Documentation, Risk Classification and Mitigation: Proactively monitored and reported on the operating effectiveness of Internal Controls. Identified, documented, rated, and reported exceptions associated with operational risk, threats, vulnerabilities, and control weaknesses that could impact compliance with BAC Risk Framework and Appetite requirements. Documented exceptions (STORMS, SIAIs), designed remediation plans and related milestones to activate brand-new or streamlined controls to re-align operations. Led remediation efforts to closure working in partnership with Application Management and Enterprise Control Function teams. Secured the required approvals.


▪ U.S. Regulatory Agency Examinations: Coordinated, managed, tracked and reported on the execution of scheduled U.S. regulatory compliance agency exams in partnership with the enterprise’s Regulatory Exam team and impacted System Owners. Ensured compliance deliverables, requested responses and Action Items resulting from the issuance of MRIAs (Matters Requiring Immediate Attention) and MRAs (Matters Requiring Attention) were addressed in line with agency expectations. Prepared and submitted status and metric reports to senior technology management on a recurring basis.


▪ New U.S. Regulation Compliance: Monitored new U.S. regulatory compliance requirements that could impact the RCITT LOB and the supporting application portfolio. Assisted in Impact Analysis evaluations, and the definition and implementation of changes to IT systems and related processes, procedures and operations. Significant Initiatives included: FDIC Rule 360.9, CFTC Rule 1.31 and other Dodd-Frank Act compliance requirements.


▪ Enterprise Control Function Quality Assurance/Enterprise BCMR Quality Control Testing: Executed QA & QC Audit Readiness Assessments of multiple applications (any of 284) in partnership with ECIO BCMR (Business Controls Monitoring & Readiness), Enterprise BCMR and 6 Enterprise Control Function teams to test controls for compliance with Information Security, Performance & Capacity Management, Identity & Access Management, SW Dev, SDLC/Change Management, Incident Management and Data Quality requirements. Designed/deployed solutions to resolve issues to maintain a strongly controlled IT environment.

May 2011 - Sep 2013

VP, (IT) BUSINESS CONTROL MANAGER (TECHNOLOGY RISK LEAD)

BANK OF AMERICA CORP.

▪ Information Security/Identity & Access Management: Led risk mitigation activities to protect enterprise and bank client information classified as Confidential, Material Non-Public, Non-Public and Proprietary against disclosure, leaks or unwarranted access arising from Segregation of Duties conflicts. Continuously designed new controls or enhanced existing ones to maintain awareness, compliance and optimum Operating Effectiveness through the application of Global Information Security Policies and Standards, U.S. regulatory rules or external compliance frameworks (COSO, COBIT, ITIL, NIST, etc.).


▪ Business Continuity/Disaster Recovery Strategy, Planning, Documentation, Testing, and Issue Resolution: Defined and implemented the strategy and approach required to document and test Disaster Recovery Plans in line with GBCR (Global Business Continuity & Recovery) requirements for a portfolio of 34 Secondary Marketing Technology Group systems supporting the Corporate Investment Group – Secondary Marketing and the CFO Controller’s Group lines of business. Designed and deployed solutions with System Owners to resolve issues identified on account of test findings to maintain the operating integrity of the application portfolio while reducing operational risk exposure. 


▪ Situational, Risk-Based Consulting–Advisory/Assurance Leadership: Provided situational, risk-based advisory and assurance guidance on a case-by-case basis to System Owners and Technology Support resources for proposed IT operation changes, LOB Initiatives, new business ventures or new regulations to ensure IT operations remained governed by the range of controls required to manage risk exposure. Re-designed Processes, Procedures and Controls in alignment with Global Information Security Policy, Risk Framework and Risk Appetite requirements. Significant Initiatives included: 1) Data Transfer Protocol Control Deployment; 2) Reasonableness Check Re-Alignment; 3) SOX Key Control Re-Designs (Accounting, Finance, Operations & IT); 4) CSDB (Central Security DB) Access Entitlement Reporting for Automated Access Reviews; 5) Data Integrity Control Activation; 6) Pre-Authorized Support Approval Process; 7) MDT Production Scan Report; 8) DB Activity Monitoring (IBM Guardium); 9) Data Sanitization (NPI/SSN Protection); 10) MDT Impact Analysis Environment Deployment; and 11) MDT Performance/Capacity Management Process Activation.


▪ Cyber Security Information Security/Threat & Vulnerability Assessments: In partnership with BAC Global Information Security and Application Management resources, executed Threat & Vulnerability Assessments for multiple RCITT systems. Resolved findings within required timeframes based on their risk classification to the enterprise. Reported issues to management on a cyclical basis to maintain effective operating integrity and reduce risk exposure. Tests included Automated Ethical Hack Scans, Manual Ethical Hack Tests for lower-level environments and High Volume Scans of Production environments.


▪ External Vendor SSAE-16 SOC Type II Due Diligence Risk Assessments/Validations: Evaluated SSAE-16 SOC Type I/II Assessments of vendors supporting RCITT applications to ensure these included testing of Internal Controls to meet BAC Global Information Security and U.S. regulatory compliance requirements and risk coverage. Addressed gaps and reported findings to senior management. Also executed due diligence assessments of proposed agreements with new vendors, summarized findings and presented these to senior management for review and approval.


▪ TCOA Application Operating Cost Analysis, Decommissioning Evaluations: Evaluated application Total Cost of Ownership expenditures. Spearheaded efforts to retire and decommission 12 applications and supporting IT assets as approved by Secondary Marketing Technology Group management.

Oct 2009 - May 2011

IT GOVERNANCE, RISK & COMPLIANCE PM (TECHNOLOGY RISK LEAD)

SAPPHIRE (CLIENT: BANK OF AMERICA CORP.)

▪ Audit Issue/MRA/MRIA Control Exception Resolution: Identified and tested mitigating IT process controls, designed brand-new controls, and streamlined existing IT processes to resolve Audit Issues identified by the enterprise’s external auditor, PricewaterhouseCoopers LLP, and IT operation deficiencies impacting the Home Loans & Insurance division listed in U.S. regulatory agency MRIAs and MRAs that required immediate resolution. Led associated remediation efforts and reported updates to senior management on a recurring basis.


▪ SIAI (Self-Identified Audit Issue)/Initiative Resolution: Responsible for the identification of operational risks and Self-Identified Audit Issues that impacted LOB or IT operations and compliance with enterprise Risk Framework and Risk Appetite Thresholds, Enterprise Control Function (ECF) Policies, Baselines and Standards or U.S. regulatory requirements. Prepared Operations Impact Analysis Reports, including the related trigger root cause(s), in the STORM Risk Database.

Developed Solution Plans and Milestones to remediate these Internal Control gaps and secured ECIO BCMR (Business Controls, Monitoring & Readiness), Enterprise Control Function (ECF) and RCITT senior management approvals. Partnered with Application Owners and multiple technology support teams across the enterprise (e.g. SSPM, ECF teams, Technical Infrastructure) to complete all Remediation Plans and Milestones as approved by impacted ECF senior management. As the assigned Technology Risk Partner, monitored and reported remediation progress to RCITT senior management on a weekly basis.


▪ Application Profile, IT Process & Procedure Documentation: Prepared Application Control Plans, Defined/Re-Defined IT Processes and related Procedures to establish the basic foundation of control for Identity & Access Management, Software Development, Change Management, Code Reviews, Release Management and Information Security for the Secondary Marketing Technology Group application portfolio. This required the dissemination, interpretation and application of BAC enterprise Information Security Policies, Standards and Baselines. Trained IT Application Support resources to increase understanding of Risk Management, Information Security and Compliance requirements to reduce portfolio risk exposure. 


▪ SMTG Technology Risk Lead: As the Technology Risk Lead for the Secondary Marketing Technology Group and the Credit Loss Mitigation Strategies application portfolios, supported the group’s assigned Risk Control Officer and 4 Technical Executives by providing risk-based advisory services that addressed a wide range of IT operational risks, including but not limited to those impacting IT Audit; Data Governance/Data Integrity; Cyber Security Information Security Threats and Vulnerabilities; Change Management/SDLC; Quality Assurance Testing; Code Reviews; Identity & Access Management; Non-Public Information Data Element Protection; Privacy; and Economic Sanctions/Anti-Money Laundering Compliance.


▪ Audit Planning, Testing & Exception Resolution (SOX404): Executed Accounting, Finance and IT audit engagements with BAC’s Corporate Audit team and its external audit partner, PricewaterhouseCoopers LLP to test the Design and Operating Effectiveness of Internal Controls over Financial Reporting for compliance with SOX Section 404. Formulated and executed action plans to remediate all exceptions, issues and deficiencies.  


▪ IT Risk & Compliance Strategy & Execution, Monitoring & Reporting & Revision: Working in partnership with the Secondary Marketing Technology Group’s Risk Control Officer, formulated and deployed the Risk Management and Compliance strategy for an application portfolio consisting of 48 high-visibility applications (34 SMTG; 14 LAS), including 11 SOX applications. Provided risk and advisory services support to 4 Technical Executives. Monitored operations on a daily basis and prepared progress reports for management on a weekly basis.

Aug 2008 - Apr 2009

DIRECTOR, INFORMATION SECURITY & COMPLIANCE (GLBA, PCI DSS, SOX)

LIVE NATION ENTERTAINMENT

Member: PCI Compliance Steering Committee

Member: Information Security Steering Committee

- Conceptualized the strategy and related program milestones required to meet 240 Information Security Controls designed to safeguard Information Confidentiality, Integrity and Availability that are part of the Payment Card Industry’s Data Security Standard. Leveraged an IT layer approach (Networks, OS, Applications, Databases) to ensure maximum security and risk coverage.

- Executed a thorough PCI DSS and SOX 404 Internal Control Readiness Assessment review of Live Nation Ticketing’s IT Operations Control Environment using the risk-based approach advocated by the PCAOB (Audit Statement No. 5). Managed an outsourced team of PwC Information Security consultants and ensured the PCI Compliance Program's many milestones and deliverables were completed, accurate and valid in relation to the project’s defined and approved scope. Tracked/Reported Compliance Program milestones and findings to senior IT management as needed and required.

- Deployed solutions to resolve Internal Control and Information Security deficiencies identified with the configuration and operation of the company's Networks, Operating Systems, Applications and Databases, as well as audit exceptions reported by Ernst & Young (external auditor) and PwC on account of IT Internal Audit reviews executed in Fiscal Years 2007 and 2008 and the PCI DSS/SOX 404 Internal Control Readiness Assessment executed in Fiscal Year 2009. Designed and proposed the deployment of streamlined Internal Controls to address enterprise risks in partnership with IT Business Application Owners and IT Process Owners to meet PCI DSS, GLBA and SOX control requirements.

- Established the Live Nation Enterprise IT Governance Information Security Program based on CIS, COSO, COBIT, ITIL, ITGI, NIST and NSA information security guidelines. Prepared and initiated the deployment of 14 primary (initial) enterprise-wide IT Policies and Procedures (segmented by IT layer) that would mitigate defined Enterprise and IT risks while meeting SOX and PCI DSS Internal Control compliance requirements. The primary Policies/Procedures included:

01. Info Security Configuration Baseline Policy (all IT layers)

02. Info Security Vulnerability, Patch Management (all IT layers)

03. Acceptable (IT Asset) Use Policy (all IT layers)

04. Malware Policy (Operating Systems and Utilities)

05. Access Provisioning & Control Policy (all IT layers)

06. Log Register and Monitoring Policy (all IT layers)

07. Networks, Firewalls and Op. Systems Policy (Infrastructure)       

08. Change Management/SDLC Policy (all IT layers)

09. Data Security Awareness & Training Policy (Enterprise Security)

10. Physical Security Policy (SAS-70 Type II Report evaluation)

11. Data/Info Breach Incident Response Plan Policy (Enterprise Security) 

12. Data Classification, Retention and Disposal Policy

13. Data/Information Privacy Management Policy (Web App Security)

14. Password Management Policy (all IT layers)

- Vetted PCI Qualified Security Assessors (QSAs) in preparation for a PCI QSA audit; established RFP scope guidelines and evaluated submitted proposals using a self-developed quantitative and qualitative Scorecard Model. Presented proposals and recommendations to senior IT management officers accordingly.

- Established Live Nation’s PCI DSS Compliance Steering Committee and Information Security Steering Committee and participated in relevant Committee briefing meetings with senior-level company officers. Prepared the corresponding committee charters and reported the current status of IT General Computing Control deployment activities to senior IT management on a continuous basis. Presented risk-based strategies Live Nation should leverage to resolve existing Internal Control environment challenges and deployed solutions approved by senior IT management accordingly.

- Assessed the potential impact of Internal Control and Information Security challenges presented by proposed new business development ventures and strategic partnerships. Prepared/presented relevant, risk-based subject-matter guidance to senior IT executives to ensure final business deal Terms and Conditions required partners to provide controlled risk assurance and data/information security.

- Executed Web Application Vulnerability and Web Application Penetration testing activities with outsourced Approved Scanning Vendors (ASVs) to meet PCI DSS compliance requirements and address well-known application security vulnerabilities identified in the OWASP (Open Web Application Security Project) guide framework and by the PCI Data Security Standards Council.

- Evaluated the impact of emerging compliance regulations and Information Security threats and vulnerabilities and reported findings to senior IT management accordingly so the company's IT infrastructure and related components, systems and devices could be re-configured accordingly. Proposed the deployment of improved Information Security controls to diminish threat level impact and strengthen the enterprise's Internal Control environment and risk mitigation activities.

- Spearheaded an effort to deploy a proactive and preventive web-based Data/Information Security Awareness and Training Program to ensure the company's IT personnel were continuously informed and aware of Information protection procedures, protocols, techniques, practices and challenges.

- Assessed whether emerging technologies, products, services, protocols and standards could impact existing Live Nation Ticketing Information Security practices and reported findings to IT management accordingly. 

Apr 2008 - Jul 2008

PROJECT MANAGER III, SOX IT COMPLIANCE CONSULTANT

ROBERT HALF (CLIENT: KAISER FOUNDATION HEALTH PLANS AND HOSPITALS)

Member: SoCal Region SOX Compliance Team

- Executed IT General Computing Controls (Logical Security layer) Operating Effectiveness tests for a variety of Mainframe and Client-Server based applications to ensure the effective and efficient deployment and sustainability of SOX 404 Key Controls. Prepared and executed test scripts; held control deployment verification meetings with Business Application Owners (BAOs), Business Application Owner Delegates (BAO-Ds), Business Process Owners (BPOs) and Control Owners (COs); validated test results for completeness, accuracy and validity; reported findings to senior managers and/or the SOX PMO; and conceptualized remediation solutions to resolve identified control exceptions and deficiencies.

- Provided constructive recommendations to enhance the organization's SOX compliance program and control deployment framework on demand or when required. Recurrent meeting participation included IT Mega; SOX PMO; Revenue Cycle; Segregation of Duties (End-User Controls); Policies/Procedures Committee and IT Practice meetings.

- Conceptualized strategies to ensure the deployment of User Access controls for 5 Revenue Cycle applications in line with Compliance Program milestones promulgated by KP's SOX PMO. Engaged in discussions with BAOs, BAO-Ds, BPOs, COs and members of KP's SOX PMO and KP IT to identify and resolve technical problems that would hinder the successful deployment of SOX Key Controls in daily business operations. Reported findings to Regional SOX Office senior management officers as needed/required to ensure effective and efficient compliance with the organization's compliance program.

- Executed Quality Assurance reviews of multiple internal department Policies and Procedures as prompted, needed and/or required to advocate and promote streamlined and relevant Corporate Governance business operation practices and an effective IT Control Environment.

- Evaluated ways to streamline KP's Business Document Retention Policy. Conceptualized a risk-based proposal to re-organize KP’s Policies/Procedures document archive with the objective of improving information collection and distribution effectiveness. Presented the proposal to Regional SOX office senior management officers for review and approval.

- Executed Quality Assurance management review activities of SOX IT and Finance (Business) Internal Control Operating Effectiveness tests executed by KP's Purchasing and Materials Management Mega business division Application Owners and Application Owner Designees. Prepared a comprehensive report and submitted it to Regional SOX office senior management officers for review and concurrence approval.

Nov 2007 - Mar 2008

SR. IT COMPLIANCE CONSULTANT, J-SOX

ROBERT HALF (CLIENT: AMPAC TIRE DIST. INC./ITOCHU INTERNATIONAL)

- Designed executable Audit Plans and Programs over three primary IT domains: IT Change Management, Technology Operations and Physical/Logical Security. Used a 4 IT-layer approach that included Networks, Operating Systems, Applications and Databases to ensure maximum Internal Control and Information Security coverage.

- Executed a comprehensive Enterprise Risk Assessment of the company's IT Control Environment and verified the alignment of existing Internal Controls over Financial Reporting (Key Controls) with the Risk Assessment process and methodology and Corporate Governance provisions promulgated by Japan's Financial Services Authority ("J-SOX"). Presented the Enterprise Risk Assessment to the company's IT and Executive (Business) management officials for review and remediation.

- Prepared scripts to test the Design and Operating Effectiveness of General Computing and Application Controls deployed in IT Operations. Executed tests for IT GCCs, compiled a list of relevant Internal Control deficiencies and exceptions and a list of recommendations to re-design and remediate identified challenges.

- Documented IT processes in Narrative and flowchart format (in three domains: Change Management; Technology Operations and Physical/Logical Security; and four IT layers: Networks; Operating Systems; Applications and Databases) using CobIT and COSO as the guiding frameworks. Identified and documented the company’s existing IT Internal Controls over Financial Reporting (ICFR) Key Controls and deployed new Key Controls that re-aligned the company’s IT Risk Universe and minimized Enterprise risk.

- Developed value-driven, cost-effective and resource-efficient solutions the company's IT management deployed to remediate the control deficiency findings identified through the execution of the strategic Risk Assessment. Delivered a Remediation Matrix Plan for three IT domains: Change Management; Technology Operations and Physical/Logical Security using a 4-IT layer context: Networks; Operating Systems; Applications and Databases.

- Actively engaged in discussions with IT senior-level officials and IT personnel (Network Administrators, System Administrators, etc.) to ensure all findings identified through the execution of the IT Risk Assessment were remediated as required by Itochu's J-SOX Compliance Program milestones and initiatives.

- Conducted an assessment of AMPAC’s IT Policies and Procedures against J-SOX’s Internal Control requirements and reported gaps to IT and Executive management for review. Drafted new IT Policies and Procedures to meet J-SOX requirements as approved. Ensured new Policies met Itochu International corporate requirements. Prepared and presented project milestone status reports to IT and Executive management as needed or required.

Jul 2006 - Oct 2007

DIRECTOR, SOX STRATEGY & EXECUTION (COMPLIANCE ENGAGEMENT DIRECTOR)

SOX SOLUTIONS CORP. (CLIENTS: MULTIPLE - 6)

- Directed the strategic and tactical execution of Sarbanes-Oxley Section 404 compliance engagements for publicly-traded and privately-held clients operating in multiple economic sectors. Engagements included the assessment of existing Accounting and Finance Internal Controls over Financial Reporting, IT Entity-Level Controls, IT General Computing Controls and IT Application Controls for Design and Operating Effectiveness as required by SOX 302, 404 and 906.

- Managed and directed SOX compliance activities for 6 concurrent Internal Audit clients (Entity-Level; General Computing and Application Controls in IT and Accounting and Finance Controls). Prepared compliance engagement strategy and execution models and leveraged these to ensure cost and scope-effective compliance with the approval of the Company’s President and CEO. 

- Prepared Process Narratives, Risk/Control Matrices, Test Scripts, Gap Assessments and Remediation Plans to test the Operating Effectiveness of Enterprise Accounting, Finance and IT processes using the risk-based approach advocated by the PCAOB's Audit Statement No. 5. Used COSO, COBIT, NIST, NSA, CIS and the ITGI's "IT Control Objectives for SOX, v.2.0" as the primary guiding frameworks and IT maturity models. The practical experience acquired with documentation, QA and Interim/Roll-Forward testing activities included:

- Enterprise-Level Accounting, Finance and IT Controls (Corporate Governance): Based on COSO’s 5-Domain Model: Control Environment; Control Activities; Information and Communication; Risk Assessment and Monitoring.

- Information Technology (General Computing Controls/Application Controls): Based on COSO, ITGI, ISO-17799, ITIL, NIST, NSA, CIS and/or COBIT framework guidelines and requirements. Expert IT Domain Documentation for: Change Management; Technology Operations and Physical / Logical Security.

- Accounting & Finance (Business Operation and Administration): Accounts Payable/Cash Disbursements; Fixed Assets; Accounts Receivable/Sales/Sales Returns & Allowances; Inventory; Human Resources and Payroll; Financial Statement Close Process; Equity and Taxes (Provision, FIN 48 and FAS 109).

- Prepared/Deployed SOX 404 Compliance Engagement Plans; Engagement Scope Requirements; IT and Business Process Audit Programs and Corporate and Business Process Risk Assessments for Internal Controls over Financial Reporting as required by SOX’s Section 404 requirements using CIS, COSO, ISO 17799, ITIL, COBIT, NIST, NSA, and/or COSO’s “Smaller Public Company Guidance” as guiding frameworks in preparation for Business Process documentation and Design and Operating Effectiveness evaluation activities.

- Evaluated the breadth; scope and operational impact of Management Letters of Comment and Year-End Audit Reports issued by External Audit firms (Deloitte; KPMG; PwC, etc.) to existing compliance clients to communicate IT and Finance (Business) Control Deficiency issues. Acted as an extended liaison with the external auditors as needed/required and participated in meetings to discuss Corporate Governance/SOX compliance expectations, strategic remediation options and acceptable, on-target solutions.

- Conceptualized/presented compliance solutions to SOX client officers, senior executives and professional personnel members to ensure the timely, cost and scope-effective resolution of the Internal Control Observations, Deficiencies and Material Weaknesses noted by the external auditors.

- Prepared/Deployed multiple IT and Finance Business Process Policies and Procedures and Policy/Procedure Corporate Governance Guidebooks for multiple Corporate Governance/SOX compliance clients to ensure compliance with SOX’s Section 404 - Internal Controls over Financial Reporting requirements.

- Executed contractor employee search activities, prospective staff interviews, SOX Section 404 requirements and SOX Solutions methodology/approach training activities with newly-hired employees as directed and/or required by the Company’s President & CEO to ensure adequate engagement-scope focus and on-target execution. Prepared/provided templates/training materials, contractor employee agreements and client-specific information materials as required.   

- As a part-time member of the company’s Sales/Business Development team, participated in the company’s sales process by meeting with executives of prospective privately-held and publicly-traded clients (CEOs, CFOs, Directors of Internal Audit, etc.) seeking SOX 404 compliance and business advisory services. Drafted/presented sales presentations and proposals and sold 2 service contracts that increased company revenues by $400K. Prepared/submitted Engagement Agreements listing engagement Terms & Conditions; executable project phases; resource allocation requirements and other relevant project milestones and deliverables. Provided support for new sales on demand as prompted by the President & CEO.

- Prepared Internal Control Gap Reports, Corporate Governance Planning/Development tactical execution Plans and Remediation Summary Reports and presented these to client executives and professional staff members with the objective of resolving identified Business Process Observations; Internal Control Deficiencies; Significant Deficiencies and Material Weaknesses. Evaluated the cost and benefit of integrating proposed best-operating practice and remediation options with client executives to minimize enterprise risk and ensure compliance with SOX’s requirements.

- Authored/published SOX compliance business case studies, staff member biographies, and other supporting sales and marketing materials used to market the company’s SOX 404 compliance and business advisory service offerings (Note: part of this content is currently posted on its corporate website).

- Advocated for the need to improve Enterprise Risk, Information Security and Corporate Governance practices by leading executive officer and Audit professional conference sessions as a CPE Institute instructor. Prepared/Distributed curriculum materials (presentations, etc.) as needed and/or required.

- Led the effort to develop and deploy a customized SOX compliance application program at Physician’s Formula, Inc. Conceptualized, communicated and approved the application's entire taxonomy and functionality and all related modules to its vendor to ensure its source code functions met PF's existing business infrastructure and SOX 404 compliance obligations. Provided logical and taxonomy feedback where/when necessary to streamline the application as needed or required.

- Attended multiple Governance, Risk and Compliance conferences, IT and Information Security seminars, CEO/CFO conferences, and Audit SME training sessions and meetings throughout the year to keep abreast of emerging regulatory compliance laws and practice regulations to conceive streamlined, cost-effective skills, techniques, tactics and approaches that could be leveraged to improve client service.

- Executed SOX 404 compliance requirement training sessions with existing client executive officers, senior executives and professional personnel (CEO's, CFO's, SVP's, Directors, IT Administrators). 

- Supervised the work activities of 4 Accounting, Finance and IT compliance consultants. Coached/trained newly-hired associate staff members on required and/or assigned Accounting, Finance or IT client accounts and engagement requirements and deliverables. Executed, reported and approved QA review activities to the company's President and CEO on demand or as needed and required. 

SOX 404 Engagement Client Roster: 

1) Big 5 Sporting Goods (Consumer Products)

2) Blue Holdings Corp. (Apparel)

3) Physicians Formula (Consumer Products)

4) Pyramid Oil (Energy and Utilities)

5) San-Bio Corp. (Bio-Technology)

6) Triad Financial Services (Financial Services)

Apr 2006 - May 2006

SR. IT CONSULTANT, SOX / PCI DATA SECURITY STD.

SMCI (CLIENT: THE WALT DISNEY CO.)

Member: Enterprise IT Compliance PMO

- Using COBIT as the primary guiding framework, evaluated/reported on the operating effectiveness and efficiency of multiple IT Entity-Level, IT General Computing and IT Application Controls for compliance with the Sarbanes-Oxley Act of 2002 (including Change Management, Data Configuration/Management and Physical/Logical Security).

- Executed evaluations of the Design and Operating Effectiveness of third party vendor’s SAS-70 Type II reports for outsourced Internal Controls activities. Mapped deployed SAS-70 controls against Walt Disney Co.'s Corporate Governance, Internal Audit and SOX 404 requirements.

- As a member of Walt Disney’s Enterprise IT Compliance PMO, conducted Business Process and IT Application Owner interviews with representatives from multiple business units to identify, document and test existing IT controls that would require Logical Security remediation for compliance with the PCI Data Security Standard, version 1.1.

-  Created a proprietary qualitative and quantitative model to assess RFP proposals submitted by Qualified Security Assessors (QSAs). Conducted a review of 8 RFP proposals and presented results and proposal recommendations to senior IT management officers.

- Conceived and deployed a process to map, or index, TWDC's SOX Logical Security Key Controls to those required under the PCI Data Security Standard using a proprietary spreadsheet model. This effort minimized TWDC's execution of repetitive ICFR Operating Effectiveness tests for multiple compliance programs.

Mar 2004 - Mar 2006

PROFESSIONAL CONSULTANT, IT AUDIT & SOX CONTROLS

STRUCTURE NETWORKS (CLIENT: JEFFERSON WELLS INTERNATIONAL)

- Assessed and documented Corporate Governance Entity-Level (Enterprise); Accounting and Finance (Accounts Payable, Accounts Receivable, Financial Statement Close Process; Human Resources and Payroll; Inventory; Royalties; Tax, etc.), IT General Computing Controls (IT Operations) and IT Application Controls (in-scope systems) in preparation for Design and Operating Effectiveness testing activities as required by the Sarbanes-Oxley (SOX) Act of 2002.

- Conducted Design and Operating Effectiveness walk-through testing activities of Accounting, Finance and IT process Internal Controls for a total of 7 Internal Audit clients in line with existing Compliance Program testing schedule milestones. Prepared all required test scripts, reported Internal Control exception findings to senior executives (CEO's, CFO's, SVP's, Directors) and professional client personnel (Accounting Managers, Controllers, Network Administrators, Application System Administrators, DB Administrators, etc.).

- Prepared and presented Internal Control recommendations, deployed approved Internal Control remediation initiatives, re-designed existing Internal Controls and/or deployed mitigating controls to ensure process risks were effectively and efficiently addressed. Re-tested all newly-deployed controls to provide Design and Operating Effectiveness assurance as advocated by the PCAOB's Audit Statement No. 2.

- Conceptualized, prepared and deployed Accounting, Finance and IT Governance Policies, Programs, Processes and Procedures to senior client officers (CEO's, CFO's, SVP's, Directors of Internal Audit, Administrators, etc.) to minimize risk and improve operational effectiveness and efficiency while simultaneously meeting regulatory compliance initiatives.

- Served as an Internal Audit liaison representative with external audit firms (PwC, Deloitte, Ernst & Young, KPMG, Grant-Thornton, etc.) to ensure identified Accounting and Finance Process Controls, IT General Computing Control and IT in-scope Application Control external audit exceptions were resolved through the deployment of new Key Controls or mitigating controls.

- Conducted Enterprise Risk Assessments and Corporate Governance charter evaluations to ensure these addressed strategic and operational risks for clients operating in specific economic segments. Prepared, presented and deployed specific, in-context remediation initiatives to senior company officials.

SOX 404 Engagement Client Roster:

1) ARC Corp. (Consumer Products)

2) Boeing Co. (Aerospace)

3) Card Service International / First Data Corp. (Debit/Credit Card Processing Operations)

4) Edison International / Southern California Edison (Energy & Utilities)

5) Image Entertainment, Inc. (Media & Entertainment)

6) Loopnet, Inc. (Internet Merchant Operations)

7) Masimo, Inc. (Bio-Technology)

Jun 2003 - Mar 2004

IT FINANCIAL ANALYST, SYSTEMS PLANNING & CONTROL

AJILON FINANCE (CLIENT: THE WALT DISNEY CO.)

- Executed a comprehensive review of the company's world-wide IT Systems Planning & Control practices to ensure IT spending for Fiscal Year 2003 aligned with pre-approved IT corporate budget allocations. Identified and reported IT operating budget variances and remediation recommendations for multiple geographic regions (AMERICAS, APAC & EMEA) to senior IT management.  

-  Created and continuously updated strategic and business unit operational financial reports (CAPEX/OPEX Reports) in support of IT Systems Planning & Control's worldwide IT Planning and operating strategy for multiple geographic territories as directed by senior IT management officials.  

-  Proposed and initiated a process to review, compile, consolidate and map four years of actual Operating Plan results against approved Fiscal Year IT Annual Operating Plan budgets to measure IT Systems Planning & Control's performance vis-a-vis TWDC's Studio 5-year Business Operating Plan. Prepared a consolidated final report listing metrics, performance trends and areas that required immediate attention and improvement. Presented findings to senior IT management officials along with recommendations that could be leveraged to improve internal performance.

- Prepared Quarterly and IT Annual Operating Plan (AOP) financial forecast and projected (pro-forma) performance reports for TWDC's IT Systems Planning and Control department in line with TWDC IT Governance Policies/Procedures. 

May 2002 - May 2003

ASSOCIATE CONSULTANT, INTERNAL AUDIT

VENTURI (CLIENT: KPMG )

-  Executed Accounting and Finance business process operational audits in partnership with a KPMG Sr. Consultant for the company's largest Healthcare Internal Audit client in So-Cal, WellPoint Health Networks (now Anthem Healthcare).

-  Conducted risk-based operational evaluations in support of multiple WellPoint Health Networks Corporate Audit Plan projects (HIPAA ROI, SOX 404 Compliance, EDI Claims Initiative, Corporate Quality Review). Prepared Audit Programs, compiled evidence work papers for executed audits and reported findings and recommendations to WellPoint's Office of the CFO and Internal Audit clients to minimize risk impact and likelihood. 

- Prepared and submitted Internal Audit, Regulatory Compliance and business unit effectiveness summary reports to WellPoint's Audit Committee on a monthly basis to support WellPoint's Corporate Governance Program goals and objectives and related milestones.

-  Audited the operational implementation of external vendor service agreements. Evaluated the success rate of contract milestones, cost variances or deviations and other vendor performance criteria. Escalated issues and proposed improvement recommendations accordingly.  

- Supported the implementation of HIPAA data standardization Internal Controls throughout WellPoint's business units. Prepared Regulatory Compliance Program metrics, milestones and evidence workpapers as required by the KPMG Sr. Manager in charge of the Program's implementation company-wide.

-  Under the guidance of a KPMG Senior Manager, prepared, revised and managed WellPoint business unit HIPAA compliance budget forecasts (i.e. 3+9, 6+6, 9+3, etc.). Interacted with mid and senior-level WellPoint professionals to track and reconcile budget vs. actual variances, compliance program milestones and other metrics. Prepared and presented a Compliance Program Analysis Report to KPMG's Partner in charge for the WellPoint account.  

-  Prepared KPMG business advisory service sales proposals. Conducted extensive market research activities using healthcare industry and regulatory compliance information, intended client intelligence and other KPMG proprietary competitive analysis information. Created complementary marketing materials as needed and/or required.

Sep 2001 - Mar 2002

IT FINANCE AUDIT CONSULTANT, MGMT INFORMATION SYSTEMS

VENTURI (CLIENT: CINESITE HOLLYWOOD)

-  Compiled a comprehensive roster of all IT and IS equipment owned or leased by Cinesite Hollywood to determine which assets could be depreciated in accordance with Generally-Accepted Accounting Principles (GAAP). Segregated assets by type, function and depreciable life and presented the report to senior IT management officials for review.

-  Conducted an evaluation of the Design and Operating Effectiveness of the company’s IT Fixed Asset, IT Inventory and IT asset Depreciation process Internal Controls using a risk-based approach. Identified process deficiencies, compiled list of remediation recommendations and presented findings to senior IT management officials for review.

-  Prepared and deployed a Policy and related procedure to require all Company IT assets to be identified, depreciated and tracked to minimize loss risk and ensure IT assets were depreciated in line with GAAP requirements. Deployed initiative to identify all company IT assets with alpha-numeric tags and track the entire inventory using a spreadsheet-based model.

-  Conducted research for IT applications used to track IT asset inventories and also compiled depreciable life estimates in accordance with GAAP to ensure depreciation expense entries were accurately and timely recorded in the company's General Ledger. Presented findings and recommendations to senior IT management officials for review.

Aug 1987 - Aug 2000

MANAGER, CREATIVE SERVICES 

PARAMOUNT PICTURES CORP. (HOME ENTERTAINMENT)

During a career spanning 13 years, directed the production and distribution of Creative Advertising, Marketing and Sales promotional materials required to market motion pictures, network and syndicated TV programs and direct-to-video releases in 45 countries worldwide in multiple platforms.   

- Creative Marketing Production: Produced and distributed motion picture, TV programming and direct-to-video Sales, Creative and Marketing promotional materials (including photography required to manage related product publicity campaigns) used in Paramount Home Video's Sales Solicitation and Sales Re-Promotion processes.  Responsible for managing creative advertising production, Sales Program and Marketing Project milestone deliverables with 10 third-party vendors.   

- Paramount Home Video National Sales Force Operations: Managed and directed studio communication with 35 Regional Sales Managers, 14 Brand Managers, Licensees, mass merchant, retail, Internet and brick-and-mortar distributor account to increase brand and product exposure and penetration to meet and/or accelerate sales objectives at the retail level.

- Strategic Business Partner Alliance Execution: Prepared and deployed brand and property-specific Creative Advertising campaigns designed to meet strategic business partner marketing alliances and co-branding agreements nationwide to foster increased product awareness and direct placement at key retail, distributor and mass merchant client locations. 

- Inter/National Market Business Development: Supported the release of Motion Picture, TV, catalog library and direct-to-video acquisition properties on VHS and DVD in 45 territories worldwide by producing and distributing brand, product sales program, marketing, publicity, photography, merchandising and other brand-specific intellectual property materials required by Paramount's international headquarter office in London, England.

- Talent Acquisition Management: Managed and directed the activities of a team consisting of 5 direct reports (FTE's, Interns, Contractors). Executed personnel interviews, training sessions and performance evaluations as required. Leveraged a team-focused management style to boost loyalty, morale and improved operational performance effectiveness and efficiency.

- Intellectual Property Archive Management: Founded, structured and managed 5 major IP archives consisting of more than 6,000 digital files and 200K advertising, marketing, photography and promotional merchandising materials. Counseled Regional Sales Managers, Regional Brand Managers, Distributors, Licensees, Strategic Business Partners and Retail Network Representatives in the application of relevant Intellectual Property (Copyrights, Trademarks, Contract Terms, etc.) contractual requirements for specific Motion Picture, Television, Direct-to-Video and Acquisition properties.

- Budget Management and Expense Control: Controlled, accounted and reported variances for a $3.5M annual operating budget. Managed production with 10 third-party vendors (including Creative Advertising design studios, print brokers, digital asset management agencies, POP merchandising display companies, national media agencies, stock photo agencies and contract photography companies). Managed RFP cycles and streamlined operational processes that bore savings exceeding $500K annually. Issued Purchase Orders and reconciled Accounts Payables on a monthly basis. 

- Business Affairs and Legal Administration: Assumed proxy responsibilities on behalf of PHV's Creative Services to secure brand, product, sales promotion and project-specific intellectual property clearances from the division's legal counsel team. Interpreted and applied strategic business partner deal terms, motion picture and television contracts and licensing agreement contractual terms. Prepared, deployed and enforced a wide range of Creative Advertising, Marketing and Publicity Policies and Procedures. 

Education
Aug 1996 - Apr 1998

BACHELOR OF SCIENCE

PEPPERDINE UNIVERSITY

Management Science (Business Administration)

Skills

IT General Computing Control Optimization

Cyber Security (Web Application)

Internal Control Re-Alignments / Re-Structuring

Enterprise Risk Assessments

Information Security & Privacy Management

Information Confidentiality, Integrity & Availability

SOX 404 Compliance (Accounting, Finance, IT)

PCI Data Security Standard

Corporate Governance, Risk and Compliance

Certifications