Michael Deeming is a Director in the internal audit and financial advisory practice with a focus on IT Audit. Since joining Protiviti in 2004, his career has included more than seven years in Asia as a member of the Protiviti Japan, Hong Kong, and Singapore offices.
He is a Certified Information Systems Auditor (CISA), a Certified Public Accountant (CPA), and a Payment Card Industry Qualified Security Assessor (PCI QSA).
Director @
As a Director in Protiviti's internal audit and financial advisory practice, I have responsibility for building and leading the IT Audit team in the San Francisco Bay area. I also frequently work with our international offices.
I have developed and delivered training on many topics for both clients and Protiviti staff. I have also engaged in speaking engagements presenting on topics in security, privacy and GRC.
In my 11+ years with Protiviti I have been fortunate to have many opportunities to support my clients in a wide variety of technical system assessments, controls evaluations, and implementations. Some examples of my recent experiences include:
• Recruited and managed an integrated cross border US-Brazilian-Japanese team to perform JSOX testing for a Japanese client with a subsidiary in Brazil that had recently implemented SAP
• Developed and executed a customized approach to perform a Data Loss Prevention security assessment that involved locations in the US-Singapore-Germany
• Developed and managed security assessments for several international clients that involved internal/external penetration testing, configuration reviews, social engineering
• Conducted IT Governance review for international company
• Manager on multiple US and JSOX projects with domestic and international locations. Internal audit role requires providing client advisory services in addition to testing various platforms and scope areas including ITGC, ITAC, SoD, Key Reports, ELC, Spreadsheets/EUC.
• Performed ERP pre-implementation review for company to evaluate project risk in areas including project management, scheduling, OCM/training, requirements definition, resourcing, testing, security, data management
• Developed and presented a seminar at the Fall ISACA 2014 conference on "Conducting Personal Data Protection Reviews Based on International Laws"
From July 2014 to Present (1 year 6 months)
Associate Director @
As an Associate Director on international assignment to the Singapore office, I was APAC regional lead for PCI DSS and SAP solutions. I supported projects for international companies throughout the region including: IT Audit, PCI DSS, IT Security, SAP GRC, Incident Response, SDLC, EUC, ITGC, US SOX / JSOX. Examples of client services provided include:
• Developed approach, managed and executed System Selection assessment of a customized Customer Portal solution
• Engagement manager on a security review for a custom developed hybrid cloud/on-premise system that included internal/external penetration testing, web application testing, database testing and host configuration review
• Developed and executed Application Security Assessment of a custom developed MRP system and key ERP interfaces
• Engagement Manager and assessor on numerous PCI DSS ROC engagements including online travel insurance company, payment switching company, data center in financial service industry, call center in hospitality industry, store/retail locations
• Engagement manager and tester on SAP Project Risk Management review for large MNC in the Electronics and Entertainment industry. Client required a review to understand and benchmark the level of customization in their SAP environment in Europe in order to develop a high level understanding of the long-term cost impacts associated with the current customization strategy
• Developed and presented customized training for large mining company with the following topics: EUC Spreadsheet Risk, SAP Risk and Control Continuous Monitoring, Information Security and Incident Response, Data Analytics using Microsoft Access, Data Privacy
• Developed and presented customized training on “Risks of Cloud Computing” for client IT Audit group
• Speaker at Protiviti’s 2013 Annual Seminar and presented topic “ERP Optimization”
From August 2012 to June 2014 (1 year 11 months) Singapore
Associate Director @
An extension of my international assignment from Japan to Hong Kong, my role continued to focus on supporting international clients for Protiviti. Projects varied from US/JSOX, IT Audit, SAP audit, IT security and PCI compliance. I also created and delivered training on various IT related topics and engaged in public speaking engagements. Experience included the following:
• APAC PMO lead for assessing compliance with a client developed IT Audit framework in Seoul, Tokyo, Nagasaki, Sydney, Beijing and Hong Kong branches of a major International Insurance company. Responsibilities involved staffing/administration, scope guidance, approach instruction, local client management, testing assistance, workpaper review for all APAC regions.
• Engagement Manager on User Developed Tools (MS Excel, Access) pilot program for large International Asset Management firm with sample spreadsheet models from Private Banking and Investment Management lines of business for compliance with recently implemented control framework.
• Project lead, manager and tester on multiple US SOX and JSOX ITGC engagements with International locations and multiple language requirements. Reported to clients in US and Japan.
• Developed and delivered 2 Day training on “The Basics of Auditing SAP” to IA staff for Japan’s largest Media and Electronics Company in their Tokyo and Shanghai offices.
• Engagement Manager on numerous PCI DSS engagements including call center in hospitality industry, retail locations
From January 2012 to August 2012 (8 months) Hong Kong
Associate Director, Audit and Consulting @
Relocated to Japan on international assignment to help manage IT Audit and Consulting needs of International clients. As an IT leader I helped recruit and mentor Protiviti Japan’s Cross Border Team, comprised of approximately 15 bilingual professionals that served global accounts. Assembled overseas teams of staff from different Protiviti offices (including contractors as needed) to deliver on expectations from overseas clients. Additionally led the local ACE (Application Controls Effectiveness) team to support SAP audit and consulting in Japan. Serviced the following engagements:
• Engagement Manager and lead auditor on network perimeter Security review for a global asset management company.
• Audited SAP ECC6.0 implementation in Japan for large retail company
• Project lead, manager and tester on many US SOX and JSOX ITGC engagements, establishing and managing global teams with multiple language requirements. Scope has included up to 14 international locations and coordination of teams exceeding 20 staff. Traveled to Brazil, Chile, China, US, UK, etc. to conduct testing to ensure client expectations for quality were met
• Performed SDLC risk review of a custom developed policy tracking system (AS400) at a life insurance company
• Engagement Manager on numerous PCI DSS engagements including call center in hospitality industry, retail locations, internal penetration testing for retail client
• Performed data acquisition in support of an investigation for an international trading company
• Developed and delivered lecture on “Integrating IT Audit to Promote Development of Secure Systems” at the Japan Society of Security Management (JSSM) Annual Convention. Had my presentation published as an article featured in their semi-annual magazine
From March 2007 to January 2012 (4 years 11 months)
Manager, Audit and Consulting @
From March 2004 to March 2007 (3 years 1 month)
Controller @
From August 1999 to March 2004 (4 years 8 months)
MS, Accountancy @ San Diego State University-California State University From 2002 to 2003
MSBA, Information Systems @ San Diego State University-California State University From 2000 to 2001
BS, Business and Economics @ Lehigh University - College of Business and Economics From 1988 to 1993
Michael Deeming is skilled in: Information Security, Internal Audit, CISA, IT Audit, Sarbanes-Oxley Act, PCI DSS, Sarbanes-Oxley, Auditing, Information Technology, Enterprise Risk Management, Strategy