This document provides an overview of data protection impact assessments (DPIAs) and the role of the data protection officer (DPO) under the General Data Protection Regulation (GDPR). It discusses when DPIAs are required, the DPIA process, how to identify and assess risks, select controls, and ensure continuous monitoring. It also outlines the DPO requirements, including the need for independence and expertise. The DPO is responsible for enabling compliance and fostering a data protection culture.
GDPR Data Protection Impact Assessment Webinar
1. 4/16/2020
1
Richard Cascarino CISM,
CIA, ACFE, CRMA
General Data
Protection Regulation
(GDPR) Webinar 4
Data Protection
Impact Assessment
About Jim Kaplan, CIA, CFE
President and Founder of AuditNet®,
the global resource for auditors
(available on iOS, Android and
Windows devices)
Auditor, Web Site Guru,
Internet for Auditors Pioneer
IIA Bradford Cadmus Memorial Award
Recipient
Local Government Auditor’s Lifetime
Award
Author of “The Auditor’s Guide to
Internet Resources” 2nd Edition
ABOUT AUDITNET® LLC
• AuditNet®, the global resource for auditors, serves the global audit
community as the primary resource for Web-based auditing content. As the first online
audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the
use of audit technology.
• Available on the Web, iPad, iPhone, Windows and Android devices and
features:
• Over 3,100 Reusable Templates, Audit Programs, Questionnaires, and
Control Matrices
• Webinars focusing on fraud, data analytics, IT audit, and internal audit
with free CPE for subscribers and site license users.
• Audit guides, manuals, and books on audit basics and using audit
technology
• LinkedIn Networking Groups
• Monthly Newsletters with Expert Guest Columnists
• Surveys on timely topics for internal auditors
ABOUT RICHARD CASCARINO,
MBA, CIA, CISM, CFE, CRMA
• Principal of Richard Cascarino &
Associates based in Colorado USA
• Over 28 years experience in IT audit
training and consultancy
• Past President of the Institute of
Internal Auditors in South Africa
• Member of ISACA
• Member of Association of Certified
Fraud Examiners
• Author of Data Analytics for Internal
Auditors
TODAY’S AGENDA
• How to perform a data protection impact assessment
(DPIA)
• The role of the data protection officer (DPO)
• Transferring personal data outside the EU
PRIVACY IMPACT
ASSESSMENT
• “An evaluation conducted to assess how the adoption of new
information policies, the procurement of new computer systems, or the
initiation of new data collection programs will affect individual privacy”
• [cf. A.M. Green, Yale, 2004]
• Considering privacy issues at the early stages of a project cycle
reduces potential adverse impacts on privacy after it has been
implemented
• To be effective
• DPIA process should be independent
• DPIA performed by an independent entity (office and/or commissioner) not linked
to the project under review
RISK OF NOT DOING A DPIA
The need to redesign all or major parts of the system/project
Collapse of the project due to adverse publicity
Loss of trust or reputation
Breach of data protection legislation and significant fines
Subsequent regulatory action by the Information Commissioner’s
Office (ICO) as a result of complaints received from data
subjects
Individuals subjected to fraud, identity theft and distress
Legal action taken by individuals to sue the organization
DO I NEED TO CARRY OUT A DPIA?
When you plan to:
Embark on a new project involving the collection of
personal data
Introduce new IT systems for storing, accessing or
otherwise using personal information
Participate in a new data-sharing initiative with other
organizations
Create new policies that affect individuals
Initiate actions based on a policy of identifying particular
demographics
Use existing data for a “new and unexpected or more
intrusive purpose”
Prior to outsourcing any type of processing to a service
provider
EXISTING SYSTEMS OR ACTIVITIES
If an existing activity or system that processes personal data might have
intrinsic risks and no DPIA was done at the design stage
Processing of special category personal data
Processing of financial data
Using external software
Using a surveillance system
Processing data that, if disclosed, could lead to discrimination or
other harm
Processing data that, if disclosed, could lead to loss of reputation
for data subjects or corporation
Review an existing system or activity if there are any concerns
about privacy intrusion or security vulnerabilities
WHERE DO WE START
Do we need a DPIA?
Description of Activity
How is the information collected, stored, used and deleted?
What information is used?
What is it used for?
Who will have access to it?
Compliance with Privacy Laws
Screening
Risk Identification
THE PROCESS
Planning and Mobilization
Set up the team, finalize the scope
Determine what resources are needed
Identify process owners and stakeholders, establish
consultation plan
Perform the Assessment
Consult stakeholders, analyze risks and legal gaps, create risk
map
Determine necessary controls and remediation measures to
address legal gaps and risks
Create risk management plan, get sign off
Implement the control framework
Deploy risk management controls
Address legal gaps through remediation measures
Monitor and evaluate on a regular basis
AUTOMATED PERFORMANCE TOOLS
OneTrust
Maintain Ongoing, Scalable Records to Demonstrate Global Privacy
Compliance
Integrate Privacy by Design into Existing Processes
Sharing Project Assessments Externally
CENTRL's Privacy360
Automate the full assessment process
Use standard assessment templates or upload proprietary ones
Track issues and manage process to remediation
Reporting and analytics
Vigilant Software
Identify data security risks and determine the likelihood of their
occurrence and impact.
Easily review and update DPIAs when changes in processing activities
occur.
Share DPIA findings with stakeholders and data processors.
Demonstrate that appropriate measures have been taken to comply with
the requirements of the GDPR.
RISK ASSESSMENT
Absolute risk – The maximum potential exposure data has to a
specific risk, that is, the exposure before controls
The personal data being processed should be categorized
according to the risk of damage
Mitigation of risk
A description of the measures to address the absolute risk and
reduce it to a residual risk
Should indicate how the technical measures comply with the
principles of GDPR
Proportionality
Is the data over collected and over retained with respect to its
original purpose?
Is it in line with the corporate risk appetite?
RISK CLASSIFICATION
Inherent Risk
The pure risk as part of the nature of the activity
Control risk
The risk that an established control will fail to function
as intended
Detection Risk
The risk of management and/or auditors failing to
detect a risk
Planning Risk
The risk of the managers and/or auditors choosing the
wrong plan
Residual Risk
The risk remaining after all controls are in place and
effective
RISK ANALYSIS
[Figure: risk analysis diagram. Labels: Hazard, Uncertainty, Opportunity; Compliance and Prevention, Operating Performance, Strategic Initiatives; Internal Auditor, Manager, Director, CEO]
SELECTING CONTROLS FOR MONITORING
Tools to evaluate controls
[Figure: application control cube. Labels: IT areas, Components, Threats; Adequate, Inadequate]
DEVELOPED FROM THE FITZGERALD MATRIX APPROACH
Jerry FitzGerald CDP, CISA
Used to identify high-impact areas for auditing
Looks at systems via their components and threats
Threat identification
Threat evaluation
Control identification
Control evaluation
Audit work selection
Recommendation formulation
Allows the use of nested matrices
STEPS IN THE MATRIX APPROACH
1 Identify the components and threats in a given audit unit
2 Rank the components and threats
3 Create the control matrix identifying the high-risk quartile and the low-risk quartile
4 Identify controls known / believed to be in place
5 Evaluate the effectiveness and cost/benefits of the systems of internal control
6 Make recommendations where controls are deemed to be inadequate
7 Test key controls to ensure their effectiveness
8 Re-evaluate based on known control effectiveness and make recommendations where appropriate
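The eight steps can be followed end to end on a small audit unit. The Python below is an added example, not material from the webinar: the components, threats, scores and controls are constructed sample data, and it assumes the high-risk quartile is the block where the top half of the ranked components meets the top half of the ranked threats, with the low-risk quartile the opposite block.

```python
"""Control matrix: rank components and threats, label quartiles, find control gaps."""

# Step 1: components and threats of a hypothetical audit unit (constructed sample
# data). Scores are illustrative risk rankings agreed by the audit team; higher
# means riskier. None of these values come from the webinar.
COMPONENT_SCORES = {"Customer database": 9, "Web application": 7,
                    "Backup media": 4, "Staff workstations": 3}
THREAT_SCORES = {"Unauthorised disclosure": 9, "Unlawful processing": 6,
                 "Loss or destruction": 5, "Inaccurate data": 2}

# Step 4: controls believed to be in place, {(component, threat): {control: adequate}}.
CONTROLS = {
    ("Customer database", "Unauthorised disclosure"): {"Column encryption": True},
    ("Customer database", "Unlawful processing"): {"Purpose-limited roles": True},
    ("Customer database", "Loss or destruction"): {"Nightly backup": True},
    ("Web application", "Unauthorised disclosure"): {"TLS on all endpoints": True},
    ("Backup media", "Loss or destruction"): {"Offsite copy": False},
}


def rank(scores):
    """Step 2: order names from highest to lowest score (ties broken by name)."""
    return sorted(scores, key=lambda name: (-scores[name], name))


def build_matrix(component_scores, threat_scores, controls):
    """Step 3: lay the matrix out in rank order and label each cell's quartile.

    Assumption: "high" is top-half components x top-half threats, "low" is
    bottom-half x bottom-half, and the two mixed blocks are "medium".
    """
    components, threats = rank(component_scores), rank(threat_scores)
    top_c = set(components[:(len(components) + 1) // 2])
    top_t = set(threats[:(len(threats) + 1) // 2])
    matrix = {}
    for c in components:
        for t in threats:
            if c in top_c and t in top_t:
                quartile = "high"
            elif c not in top_c and t not in top_t:
                quartile = "low"
            else:
                quartile = "medium"
            matrix[(c, t)] = {"quartile": quartile,
                              "controls": dict(controls.get((c, t), {}))}
    return matrix


def gaps(matrix, quartile="high"):
    """Steps 5-6: cells in a quartile with no control rated adequate."""
    return [cell for cell, info in matrix.items()
            if info["quartile"] == quartile and not any(info["controls"].values())]


def retest(matrix, failed_controls):
    """Steps 7-8: mark controls that failed testing inadequate; return a new matrix."""
    return {cell: {"quartile": info["quartile"],
                   "controls": {name: ok and name not in failed_controls
                                for name, ok in info["controls"].items()}}
            for cell, info in matrix.items()}


if __name__ == "__main__":
    matrix = build_matrix(COMPONENT_SCORES, THREAT_SCORES, CONTROLS)
    print("High-risk gaps before testing:", gaps(matrix))
    # Suppose testing shows the encryption control does not work as intended.
    print("High-risk gaps after testing: ", gaps(retest(matrix, {"Column encryption"})))
```

Cells that appear in the high-risk list are where recommendations and audit work go first; a control that fails testing moves its cell back into that list on re-evaluation.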
DATA PROTECTION
PRINCIPLES
Data processed lawfully, fairly and in a transparent manner ('lawfulness, fairness and
transparency')
The inclusion of the principle of transparency is a new provision within the GDPR.
Data obtained for specified, explicit and legitimate purposes and not further processed in a
manner that is incompatible with those purposes
GDPR provisions include processing for public interest and/or scientific purposes, widening the scope for further processing.
Archiving, scientific / historical research or statistical purposes would not be seen as incompatible with this purpose.
However, there would be a need to consider pseudonymising the data.
Data processed is adequate, relevant and limited to what is necessary
Data is accurate and, where necessary, kept up to date
Rights for individuals in the GDPR e.g. data erasure, data correction etc. which will impact on this principle
Data should not be kept longer than is necessary for the purpose
GDPR expands the list of exceptions permitting the storage of data for longer periods where the data is being processed for
archiving purposes in the public interest and/or scientific purposes, and in addition for statistical or historical purposes.
Appropriate technical and organisational measures against unauthorised or unlawful processing,
loss, damage or destruction
CONTINUOUS MONITORING
Continuous Risk Management
Risk Assessment and Security Planning Policies &
Procedures
Risk Analysis as part of the development cycle
Periodic Risk Assessments
Risk Mitigation
Vulnerability scanning
Patching
Incident response coordination
Feedback loop with installed base
DPO
DPO requirement applies to both controllers and
processors
No exception for small or medium-sized companies, but
risk-based approach
The GDPR requires the appointment of a DPO in three
cases:
1. Public authorities or bodies (except courts)
2. Private companies where the “core activities” consist of
a) processing operations which require “regular and
systematic monitoring” of data subjects “on a large
scale”
b) “large scale” processing of sensitive data or data
relating to criminal convictions and offences
ROLE OF THE DPO
Enabling compliance with the GDPR
Fostering a data protection culture within the
organization
Not personally responsible for non-compliance.
SOURCING THE DPO
Single DPO if easily accessible from each
establishment
Full-time or part-time employee
Consultant / Outsource under contract
Single role or part of another role
A supporting team around the DPO
No conflict of interest
No position within the organization that leads them
to determine the purposes and the means of the
processing of personal data
chief executive, chief operating, chief financial, chief medical
officer, head of marketing department, head of HR, head of IT
INDEPENDENCE
Data controllers or processors should:
Identify positions which would be incompatible with the DPO
function;
Draw up internal rules to avoid “conflicts of interests;”
Formally declare via internal & external comms & in policy
documentation that the DPO has no conflict of interests with regard
to function as a DPO, as a way of raising awareness of this
requirement;
Include safeguards within the organization’s internal rules and
ensure that the publicly-posted DPO job description or the services
contract for an External DPO is sufficiently precise and detailed in
order to avoid a conflict of interests.
INDEPENDENT REPORTING
LINE
Chief Compliance Officer;
Audit team
Report directly to the CEO, COO, Board, etc
External contractor (i.e., outside consultant or counsel)
reporting to a C-level officer or the Board
Other reporting line without conflicts
EXPERTISE REQUIRED
Integrity and high professional ethics
Expertise in national and European data protection laws and
practices
In-depth understanding of GDPR
Knowledge of the business sector and of the organization of the
controller
Knowledge of the administrative rules and procedures of the
organization
Autonomy - Does not receive any instructions regarding the
exercise of their tasks
Not be dismissed or penalized by the controller (or the
processor) for performing their tasks
WP29 SPECIFIES
Level of Expertise: It is essential that the DPO understand how to
build, implement, & manage data protection programs.
The more complex or high-risk the data processing activities are,
the greater the expertise the DPO will need.
Professional Qualities: DPOs need not be lawyers, but they must
have expertise in member state and European data protection law,
including an in-depth knowledge of the GDPR
DPOs must also have a reasonable understanding of the
organization's technical and organizational structure and be
familiar with information technologies and data security
In the case of a public authority or body, the DPO should have sound
knowledge of its administrative rules & procedures
ROLE COMPARISON
CISO
Responsible for securing global
corporate infrastructure,
applications, IP, & personal data
Support CPO (Chief Privacy
Officer) by answering security
questions
Responsible for implementation
of appropriate technical &
organizational measures to
ensure a level of security
appropriate to risk
Responsible for ensuring the
security of the systems and
transactions with respect to the
rights of data subjects
DPO
Responsible for oversight of EU
privacy, data protection, & security
compliance
Advise CPO on when a DPIA is
necessary & the risk-based
methodology to use; review risks
identified by DPIA for GDPR
compliance
Advise the CPO & CISO on meeting
GDPR documentation
requirements, mitigating security
controls, whether controls have
been accurately carried out
Advise the organization on whether
it is appropriately respecting the
rights of data subjects
TASKS OF THE DPO
Advisory role
The controller, the processor and their employees
Monitoring compliance
With GDPR and other data protection legislation, but also
internal policies
Inform and Advise on data protection impact assessments and
monitor performance (upon request)
Cooperate with supervisory authorities (“SAs”)
Contact point for SAs and data subjects
Contact details of the DPO shall be published and
communicated to the SA
Serve as a privacy contact
Data subjects’ rights, withdrawal of consent, right to be
forgotten etc.
THE NEW DPO
Get familiar with the processing activities and existing rules and
processes
Understand the scope of your tasks and responsibilities
Statutory tasks versus optional tasks (for instance, maintaining the
record of processing activities)
Identify key issues and contact persons
Identify budget and other resource requirements
Draw up a work plan and prioritize
Regularly attend relevant meetings and speak to employees and
senior management (in some countries Works Councils are
important)
Regularly report to senior management
Keep up to date (training)
TRANSFERRING PERSONAL
DATA OUTSIDE THE EU
Article 2(g): “recipient” shall mean a natural or legal person, public authority,
agency or any other body to whom data are disclosed, whether a third party
or not; however, authorities which may receive data in the framework of a
particular inquiry shall not be regarded as recipients
Generally - (GDPR) restricts transfers of personal data to countries
outside the EEA. These restrictions apply to all transfers, no matter the
size of transfer or how often you carry them out
Article 44: General principle for transfers
Any transfer of personal data by controller or processor shall take place
only if certain conditions are complied with:
a. Transfers on the basis of adequacy;
b. Transfers subject to the appropriate safeguards
c. Binding corporate rules apply.
ADEQUACY
Transfers on the basis of adequacy
A transfer may take place where there is an adequate level of
protection
The adequacy criteria:
– the rule of law;
– respect for human rights and fundamental freedoms;
– relevant legislation, both general and sectoral, including:
concerning public security
defense
national security
criminal law
SUBJECT TO APPROPRIATE
SAFEGUARDS
Legally binding agreement between public authorities or bodies
Standard data protection clauses in the form of template transfer clauses
adopted by the Commission
Standard data protection clauses in the form of template transfer clauses
adopted by a supervisory authority and approved by the Commission
Compliance with an approved code of conduct approved by a supervisory
authority
Certification under an approved certification mechanism as provided for in
the GDPR
Contractual clauses authorized by the competent supervisory
authority
Provisions inserted into administrative arrangements between public
authorities or bodies authorized by the competent supervisory authority
DEROGATIONS (EXEMPTIONS)
Made with the individual’s informed consent
Necessary for the performance of a contract between the individual
and the organization or for pre-contractual steps taken at the
individual’s request
Necessary for the performance of a contract made in the interests of
the individual between the controller and another person
Necessary for important reasons of public interest
Necessary for the establishment, exercise or defense of legal claims
Necessary to protect the vital interests of the data subject or other
persons, where the data subject is physically or legally incapable of
giving consent
Made from a register which under UK or EU law is intended to provide
information to the public (and which is open to consultation by either
the public in general or those able to show a legitimate interest in
inspecting the register)
BINDING CORPORATE RULES
Binding Corporate Rules (BCRs) are designed to allow
multinational companies to transfer personal data from the
European Economic Area (EEA) to their affiliates located
outside of the EEA
Applicants must demonstrate that their BCRs put in place
adequate safeguards for protecting personal data throughout
the organization
Existing model BCRs are Data Protection Directive (DPD)-related
PRIVACY SHIELD (USA ONLY)
The decision on the EU-U.S. Privacy Shield was adopted by the
European Commission on 12 July, 2016
Commercial sector
Strong obligations on companies and robust enforcement
U.S. Government access
Clear safeguards and transparency obligations
Redress
Directly with the company
With the data protection authority
Privacy shield panel
Monitoring
Annual joint review mechanism between the US Department of
Commerce and the EU Commission
SAFE HARBOR
Safe Harbor was a transfer mechanism negotiated
between the Commission and the U.S. Department of
Commerce (DOC) that for years was the basis for a
Commission adequacy decision finding that the U.S.
provided an “adequate level of protection.”
More than 4,000 American companies relied on it to
legitimize their transatlantic data transfers
Following the Snowden revelations, Safe Harbor fell
under criticism as not providing sufficient protection
against U.S. surveillance
SAFE HARBOR vs PRIVACY SHIELD
The Privacy Shield Framework was deemed adequate by the European
Commission
Participating organizations are deemed to provide “adequate” privacy
protection
Compliance requirements of the Privacy Shield Framework are clearly laid out
and can be implemented by small and medium-sized enterprises
Privacy Shield supersedes Safe Harbor (mutually exclusive)
Withdrawal from Safe Harbor requires recertification from Privacy Shield
NB: Privacy Shield reflects DPD, not GDPR
PRIVACY SHIELD CHANGES
1. Notice
2. Choice
3. Enhanced Redress for Data Subjects
4. Onward C2C Transfers
5. C2P Transfers and Vendor Management
6. Verification
7. Ongoing Obligations
NOTICE
Companies must provide “clear and conspicuous”
privacy policies that contain at least 13 enumerated
items of information about the company, its data
processing, and the consumer’s rights under Privacy
Shield. (For comparison, Safe Harbor only required four
items to be disclosed in privacy notices.)
In practice, this will require process mapping, gap
assessments, and updates to privacy notices.
CHOICE
Companies must give individuals an opt-out any time they intend to
use data for a purpose that is “materially different” than the
purposes for which the data was collected
Also, any time companies intend to transfer or use “sensitive data”
for new and different purposes (e.g., data about race, ethnicity,
medical conditions, religious beliefs, or sex life), they must first
obtain opt-in consent from users
Choice principle will require process mapping to determine in-scope
data, designate authorized uses, and assess gaps in existing
opt-out mechanisms
ENHANCED REDRESS FOR
DATA SUBJECTS
Individuals are entitled to lodge a complaint directly with the company
responsible for their data
The company must respond within 45 days.
Companies are obligated to designate and cooperate with an “independent
recourse mechanism” (basically a mediation provider)
Companies must inform consumers of who the mediation provider is and
ensure that consumers can lodge complaints (and participate in
mediation) free of charge
Individual EU citizens can lodge complaints against Privacy Shield
companies directly with their local DPAs
The DPA will forward complaints to the DOC, which will investigate them at
no cost to the individual
After attempting all three of the above mechanisms, individuals can invoke
a special Privacy-Shield-specific arbitration procedure
Privacy Shield companies are bound by the results of the arbitration
Alternatively, U.S. companies can elect to work directly with European
DPAs in resolving consumer complaints (binding)
ONWARD C2C TRANSFERS
In order to transfer data to another company acting as a controller,
Privacy Shield requires companies to:
Inform individuals about the “type or identity” of the data recipient and the
purposes of the transfer
Give individuals an opportunity to opt out of the transfer
Enter a written agreement with the recipient obligating it to maintain “the
same level of protection” required by Privacy Shield
C2P TRANSFERS AND
VENDOR MANAGEMENT
Privacy Shield requires written contracts as the basis for any relationship
with a processor
This will generally require businesses to engage in a contract and/or vendor
management program for outsourced processing activities
As part of managing contractual relationships, Privacy Shield requires both
due diligence and auditing of vendors.
Notably, Privacy Shield contains a new liability rule ensuring that its
Principles flow through to vendors
Privacy Shield organizations are presumed liable for any violation of the
Privacy Shield Principles committed by their vendors
VERIFICATION
While Safe Harbor gave companies the option of
conducting compliance audits, Privacy Shield now
mandates that organizations annually verify that they are
in compliance with Privacy Shield Principles and that
their published privacy policies are accurate
Privacy Shield permits organizations to do so through
self-assessment or third-party audits
If self-assessing, an officer’s signed certification will be
required and can be demanded by the FTC or DOC at
any time
ONGOING OBLIGATIONS
Any organization that receives personal data under Privacy
Shield must apply the Privacy Shield Principles to that
information for as long as the organization retains it
Even if the organization stops participating in (or is removed
from) the Privacy Shield program
There is a possibility the Commission may insert a Data
Retention Principle into the Privacy Shield decision that would
require organizations to delete EU data after a specified time
Either way, organizations will need to map their data flows and
implement compliance systems for Privacy Shield data
SELF CERTIFICATION
The information that an organization must provide during the
self-certification process includes:
Organization information:
Company name
Address
Contact
Mechanism to investigate complaints
Description of privacy policy
The following URL must be included in an organization’s privacy
policy to meet the Framework requirement
https://www.privacyshield.gov
THE CLOUD
The Cloud is not automatically territorially limited
Any transfer of personal data by controller or processor shall take place
only if certain conditions are complied with:
Transfers on the basis of adequacy
Transfers subject to the appropriate safeguards
Binding corporate rules apply
All provisions shall be applied to ensure the protection of natural
persons is not undermined
To countries with similar data protection regulations
Cloud providers are a key risk area
Highest penalties apply to breaches of these provisions
Cloud providers need to ensure they are able to differentiate their EU
and non-EU provision and provide clarity to data subjects and
controllers
Jim Kaplan
AuditNet® LLC
1-800-385-1625
Email:info@auditnet.org
www.auditnet.org
Richard Cascarino & Associates
Cell: +1 970 819 7963
Tel +1 303 747 6087 (Skype Worldwide)
Tel: +1 970 367 5429
eMail: rcasc@rcascarino.com
Web: http://www.rcascarino.com
Skype: Richard.Cascarino