CONFIDENTIAL
Pw Carey
Compliance Partners, LLC
250 South Grove Ave., Suite 200, Barrington, Illinois 60010 - USA
Senior Independent IT Auditor (GRC), CISSP, CISA
San Francisco-Chicago-Boston & Best, Netherlands
224-633-1378, 650-264-9617 or 278-3731 - FAX: 847-381-2067
tc-pcarey@raland.com or pwc.pwcarey@gmail.com
http://www.complysys.com
BACKGROUND:
• GRC IT Audits, Cloud/Big Data/Mobile, CFTC, Part 22, PCI-DSS, e-Discovery Re: BSA/AML, PCAOB, GAAP, FASB, IASB, & IFRS-9
• COBIT-5 IT Audits Focusing on Related Parties & Significant & Unusual Transactions, including Long-term Obligations (TLTROs)
• ECPA, 18 U.S.C., CFR 21, Part 11, ICFR & ITGC, ISF, IIA, Rule 404(b), BSA (Bank Secrecy Act), SOX, Dodd-Frank
• SIEM, ID/PS, APT Analysis, Metasploit, Nexpose, Nessus, Splunk, RSA/EMC, Symantec, PEN Testing, SCAP, & CAESARS
• GRC/CIA Compliance Attestation, NIST SP 800-53, SP 800-37, GAO/OMB, COFAR, A-133 Std., Cloud/Big Data risk assessments
• Risk Analysis, COBIT5, SAML, & ISO/IEC 17799, 27001, 27002, ISO/IEC 17025:2005 Accreditation of the Digital Forensics
• DOJ/SEC FCPA, SEC Internal Guidance, SSAE No. 16 AT Section 801, ISAE 3402, FedRAMP, FISMA, FISCAM & GAGAS
• IETF (Network/WebSec), Cloud/BigData Ecosystems: OpenStack, AWS, and Azure, (MSN, Cisco, Oracle & IBM), via (IPv4&IPv6)
• ITIL, COSO, ICEFR, CobiT5, RACI, & ZACHMAN Frameworks, via PMBOK, PRINCE2, SABSA, TOGAF, SIEM, ID/PS strategies
• SP 800-86 Forensic Techniques, SIRT (Security Incident Response Team), Risk Analysis & Fraud-Re: Cloud/BigData/Hadoop
• HIPAA/HITECH incorporating eDiscovery & Digital Forensics via PCAOB Stds., lastly an RF/PF Adviser, w/CIB and U.S. Passport
EXPERIENCE
Compliance Partners, LLC Mar. 2003 to Present
250 Grove Ave., Suite 200,
Barrington, IL 60010-USA
Client – NIST/ITL, Gaithersburg, MD Mar. 2011 to Present
Contributor-Senior IT Auditor (GRC), CISA, CISSP supporting NIST’s (National Institute of Standards and Technology) Big Data/Cloud Eco-system initiatives. SME, including: Cloud Computing Standards Roadmap, SP 500-291, Ver. 1.0, July, 2011/2013 & Cloud Computing Security Reference Architecture, SP 500-299, Ver. 1.0, May 15th, 2013. Big Data, Digital Forensics in the Cloud Eco-system, Forensics, Gaithersburg, MD, Nov. 28th-30th, Big Data/Cloud Computing Security, Privacy and Forensics WGs. Reference Architecture & Taxonomy, (Big Data/Cloud Computing) Forensics, Technology RoadMap & SLA Workgroups, Cloud Security WG, Big Data/CC Road Map WG (Accessibility & Performance). Incorporating: IEEE Cloud Profiles WG 2301 & Intercloud WG 2302. Cloud Security Alliance (CSA) Group 2: GRC (Governance, Risk & Compliance), within Cloud/Big Data Eco-systems WGs: Reference Architecture and Taxonomy, Standards Acceleration to Jumpstart Adoption of Cloud Computing (SAJACC), Security, Standards Roadmap, Business Use Cases, and the Koala Project, incorporating PCAOB, DoJ, GAO, SEC and IRS regulatory standards, guidelines and best practices in-line with US Code Title 18.
Professional Sabbatical 2009 thru 2011
Big Data/Cloud Eco-system Audits/GRC best practices
Senior IT Auditor, (CISA/CISSP) Contributor: Cloud Security Alliance CSA Group 2, NIST CC Security & Roadmap WGs, AICPA, & COSO RFCs & Whitepapers. AICPA Request for Comments (RFC): SAS 59 The Auditor's Consideration of an Entity's Ability to Continue as a Going Concern, January 31st; COSO Internal Control-Integrated Framework (ICIF), 2011 Request for Comments (RFC)
• SAP GRC Cloud Security & Computing: Best Practices, Limitations and Liabilities, GAO's IG Quality Standards for Inspection and Evaluation, January 2011 & Financial Audit Manual FAM 2008, Cloud Security Alliance (CSA) Group 2: Governance, Risk Management, Compliance, Audit, Physical, BCM, DR. Security Models, ITIL, COSO, CobiT, ISO/IEC organizational security standards, ISO 9001:2008, ISO 27001:2005, ISO 27002, ISO 20000-1 and ISO 38500:2008 Corporate Governance, Zachman & SABSA, ISO/IEC 17799:2000, ISO/IEC 15408:1999.
• ASTM E-55 Pharmaceuticals & ASTM E-48 Biotechnology Forums, ISACA San Francisco Chapter (CISA Examination Course), ISSA-San Francisco Chapter (CISSP Exam Course), NIST SP 800-30 & 800-66, OECD, NIST-FISMA, CDER, 21 CFR 314.50(l) (NDAs), 21 CFR 314.94(d) (ANDAs), 21 CFR 601.14(b) (BLAs), and 21 CFR 314.81(b) (annual reports to marketing applications), ISO 9000, ISO 13485, RAPS Risk Evaluation and Mitigation Strategy (REMS).
CLIENT – Genentech/Roche SSF, CA Dec. 2008 to May 2009
IT Systems Analyst, SAP (Pharmaceuticals-Logistics-Clinical Trials) GRC (Governance, Risk & Compliance), providing PM, audit and validation expertise for the client’s product development/clinical trials group and GRC guidance for the client’s IT systems: data management, clinical trials, sponsors, and Contract Research Organizations (CROs), within FDA and EMEA guidelines.
CLIENT - Philips Medical Systems (PMS), PMS Best/Eindhoven, NL Feb. 2007 to May 2007
CONFIDENTIAL - Page 1 of 2 – CONFIDENTIAL
IT Systems Analyst serving in the capacity of Project Liaison: (SAP-Pharmaceuticals/Logistics) SPS/Liaison/SPS Blueprint utilizing PMBOK, GRC & SCRUM Best Practices while serving as the Royal Dutch Philips (PMS) SPS Blueprint Liaison, supporting PMS's UPS.
CLIENT - Boston Scientific, Natick, MA Oct. 2006 to Jan. 2007
IT Systems Analyst providing validation, auditing and GRC PM knowledge and expertise as an SAP (Pharmaceuticals/Logistics) Lead, directly supporting Boston Scientific's SAP 4.6c to 4.7 global upgrade of Supply Chain, Production and Product Development, Sales & Distribution and Marketing modules. Formal reviews of BPs (Business Processes) & SW Requirements, due to FDA 483s and CAPA Audits.
CLIENT - Medtronic, Mpls./St. Paul, MN Jan. 2005 to Aug. 2006
IT Systems Analyst providing validation, testing, and GRC PM expertise as an SAP (Pharmaceuticals/Logistics) Team Lead and 21 CFR, Part 11 SAP (SD, MM, WM, QM and PP-PI) Analyst, requiring TrackWise tool integration. Serving as Team Lead providing guidance and training for the clients in developing logistics test scripts for their (global) SAP Implementation, & SOX requirements: 302, 404/09, 802 & 809.
CLIENT - American Pharmaceutical Partners, Schaumburg, IL Mar. 2003 to Dec. 2004
IT Systems Analyst providing GRC auditing, validation, testing expertise for SAP (Pharmaceuticals/Logistics). Lead analyst, conducting CAPA integrity assessments and audits while supporting client's SAP implementation under FDA regulations 21 CFR, Part 11, 210 and 211. Client's legacy system transitioned over from JD Edwards to I-many's Contract Administration and Reporting System (CARS). The I-many application supported the client's logistical requirements, including 3rd party vendors, addressing requirements such as: plant to plant transfers of unrestricted or restricted finished product(s), processing unauthorized return delivery from a customer’s warehouse, stock transfer orders - plant to plant, in addition to EDI 3rd party vendors within their SAP R/3 implementation. Also, directly supporting the client’s logistics groups with their implementation of SAP, as Protocol Director, developed client’s BPRs: FI/CO, SD, PP-PI, WM, MM, and QM.
CLIENT - Eli Lilly & Company, Indianapolis, IN Jun. 2002 to Mar. 2003
IT Systems Analyst providing validation, GRC and SOX requirements analysis covering: 302, 404, 409, 802 & 809. Auditing experience includes SAP (Pharmaceuticals/Logistics): Systems Analyst, supporting the client's SAP ERP upgrade following FDA Standards (21 CFR, Part 11, 210 and 211), interfacing with the I-Many bolt-on application requiring GRC validation, risk assessments and analysis using IBM Rational tools.
GvS, LLC, Belmont, CA Apr. 2000 to May 2002
IT Systems Analyst supporting Silicon Valley Start-up. SAP (Business Systems Analyst/Logistics): Business Lead, and SAP Development Manager. In response to pharmaceutical clients' RFPs, our team developed an integrated mobile SAP R/3 implementation proposal, from initial concept through business continuity risk assessment, requirements, testing, development, implementation, (DQ, IQ, OQ, & PQ) thru system retirement, for functional modules (FI, CO, PP, WM, MM, QM, and SD) within their 21 CFR Part 11 environments.
Oracle Corp., Redwood Shores, CA Dec. 1999 to Apr. 2000
Systems Analyst Courseware Developer: Initial Oracle 11i E-Business Suite Implementation for our Automated Sales Force module. Product rollout required building upon Oracle's 8i and 9i Business Applications, for a comprehensive suite of integrated ERP, SCM and CRM modules, including iStore, Order Management and Workflow.
CLIENT - Thomson Corp., Foster City, CA Sep. 1998 to Nov. 1999
IT Systems Analyst/Business Systems Analyst: Team Lead requiring development of internal customer based pre-implementation software requirements protocol, roles and responsibilities matrix and validation traceability matrix. Pre-Implementation Software Requirements SOP. Deliverables covered the preparation of: maintenance, network security and escalation. Methodologies used: UML & Rational Rose.
NAI, Santa Clara, CA Jul. 1997 to Aug. 1998
Systems Analyst: Primary project duties and responsibilities included the design and development of technical deliverables for the client’s end users, field support personnel, DBAs and System Administrators. This 3-tier network design strategy focuses on a Web based system delivering an enterprise wide solution addressing: security, installation, maintenance, troubleshooting, and on-line help.
GigaLabs, Sunnyvale, CA Jan. 1996 to Jul. 1997
Systems Analyst/project management responsibilities for this Silicon Valley startup included the direct support of product beta testing (test scripts/manual only) and user interface, in addition to the design and development of technical deliverables for our gigabit Ethernet switches and routers. Deliverables included support for Field Technicians responsible for: PCI I/O NIC installations, SBus NIC installations.
Technically Elite, San Jose, CA Sep. 1996 to Jan. 1996
Systems Analyst/team lead and project management providing software testing modules (test scripts, integration, regression, user interface, etc.) and system administration, incorporating RMON-II technology, for a UNIX LAN network monitoring/administration, security, troubleshooting and maintenance application. Methodologies included: Rational Rose (UML) Ver. 4.0 Lite and Visual Test.
AERO SPACE & DEFENSE ANALYST 1985 to 1996
Internal Auditor, SQA/Configuration Management, SDLC Military Aerospace and Defense Government Contracts. Security Clearance: Top Secret/Secret Final (Inactive). Projects included requirements design and development for: V-22 Tilt Rotor, Command, Control, Communication, Computers, and Intelligence (C4I) Systems, Star Wars-Ballistic Missile Defense System, and THAAD Systems.
EDUCATION
Business Development & Entrepreneurship, Stanford University, Palo Alto, CA; MS Information Science (Candidate), Minnesota State University, Mankato, MN; BS/Honors Program, Gustavus Adolphus College, Saint Peter, MN
PROFESSIONAL PRESENTATIONS, ASSOCIATIONS, SOCIETIES & TRAINING
ISC2, ISACA, IPSEC WG, ASF (Apache Software Foundation), NIST CC WG, OCEG, CSA & CSA Group 2, Cloud Security, GRC & Audit, Open Group, Jericho Forum, ISACA, ISSA, PCAOB, IIA, OWASP, ISC2 Intersec, SAP SDN & BPX, SAP Certification Training (ERP Upgrade), CRM Community, DIA, NoCOUG, PDA (PDA-Auditor), ISPE, RAPS, PMForum.org, IETF, E55 Pharmaceuticals, E-48 Biotechnology, and RF/PF Advisor. SAJACC, NIST SP 800-53-Rev 4, SP 500-291 & SP 500-292, Standards Roadmap, Business Use Cases, Cloud Audit WG, IEEE Cloud Profiles WG (CPWG) Working Group 2301_WG & IEEE Intercloud WG (ICWG) 2302 WG, IETF Cloud WG, CSA (Cloud Security Alliance) Contributor, CSA SecaaS (Security as a Service) WG, Peer Reviewer: Security Guidance For Critical Areas of Focus in Cloud Computing Ver. 3.0, Black Hat Workshop: OWASP SamuraiWTF Intro to the Zed Attack Proxy, CSA Security
Guidelines, Ver. 3.0, Domain 7: Business Continuity, DR & Traditional Security, October 10th, 2011, Domain-14 Security As A Service, FCPA Foreign Corrupt Practices Act, Basel III Security Requirements, AICPA, 2012, Contributor: ISO/IEC 2nd WD 27017 – Information technology – Security techniques – Information security management – Guidelines on information security controls for the use of cloud computing services based on ISO/IEC 27002, April 6th, 2012, GAGAS, GAO 2011 Government Auditing Standards ‘Yellow Book’, Black Hat, DC, SAP Backdoors & Web Applications, and EUROPA Mar 15th, 2011 Barcelona, SAP: Session (Fixation) Attacks and Protections (in Web Applications). Service Organization Control (SOC) Reports. 12th Annual ISACA Security Conference, San Francisco, Oct. 15th-17th, Committee; 11th Annual ISACA Security Conference, San Francisco, Nov. 7th-9th, Speaker: G32: WikiLeaks, Social Media & Whistleblowers: The Future of IT Auditing A Definitive Landscape & G32-The Changing Influences of Social Media, WikiLeaks and Whistleblowers: A Modest Proposal: The Future of IT Auditing by Mapping ITIL V3 and ISO/IEC 27002 With CobiT 4.1 Control Objectives, Conference Speakers’ Committee & Moderator. 10th Annual ISACA Security Conference, San Francisco [Speaker’s Committee & Speaker]: C24: Fraud In The Workplace: Three Mock Trials For Auditors.
Senior Independent IT Auditor (GRC), CISSP & CISA_April 28th, 2015