Embed Size (px)
Citation preview
Rich Sanders, CISA
Senior Information Systems Auditor
Norfolk Southern Corporation
Career
• The Kroger Co.• Information systems technologist• Kroger Manufacturing, Stave Avenue
Grocery Products Plant, Cincinnati, OH• 140 user IBM AS/400• 300 user Novell Netware • Application, hardware, network, software support
• http://www.kroger.com/careers.htm
Career
• IS Auditor, The Kroger Co.
• Audits of data centers, food stores, jewelry stores, warehouses, manufacturing facilities and c-stores
• Multiple platform audits
• http://www.kroger.com/careers.htm
Career
• CareFirst BCBS, Owings Mills, MD• FEP• Medicare/ Medicaid• HIPAA
– Privacy– Security
Norfolk Southern Corporation
Best Friend of CharlestonBest Friend of CharlestonThe one hundred and forty-one persons flew on the wings of wind at the speed of fifteen to twenty-five miles per hour, The one hundred and forty-one persons flew on the wings of wind at the speed of fifteen to twenty-five miles per hour,
annihilating time and space...annihilating time and space...
6 hp- 14hour trip for 136 miles.
South Carolina Canal and RR Co. c.1827
GE Evolution Series Engines
4500-6000 HP Top Speed of 60-70 MPH.
Pulls trains totaling 6,000- 8,000 tons.
Norfolk Southern Vision:
Be the safest, most customer-focused and successful transportation company in the world
Rail Safety 1980- 2004
0
10,000
20,000
30,000
40,000
50,000
60,000
1980 1982 1984 1986 1988 1990 1992 1994 1996 1998 2000 2002 2004
FRA REPORTABLE INJURIES1980--2004
Our Mission:
Norfolk Southern's mission is to enhance the value of our stockholders' investment over time by providing quality freight transportation services and undertaking any other related businesses in which our resources, particularly our people, give the company an advantage.
• Headquartered in Norfolk, VA
• 28,000 + employees• 4000 non-agreement• 24,000 agreement
We serve:
• 21,200 route miles• 22 Eastern States
– DC– Ontario
• 20 Ports• Connects to rail partners in West and Canada• Logistics• Intermodal• Real Estate
Facilities Served:
• Bulk transfer centers- 187 • Coal-loading facilities- 136• Paper distribution centers- 135• Lumber reload centers-144• Power generation plants- 138• Major steel mills and processing facilities- 74• Metals distribution centers-73• Major paper mills- 63• Intermodal terminals-52• Auto distribution facilities-35• Auto assembly plants-31• Coal and iron ore transload facilities-27• Sea ports-13• Triple Crown terminals-14• Lake ports-7• Plastics warehouse/distribution centers-7• Vehicle mixing centers-4• Just-In-Time rail auto parts centers-3
Career Paths
• 8 programs– Rail Operations– Corporate Setting
Transportation
• As a transportation trainee, you’ll learn railroad operations in preparation to supervise conductors and locomotive engineers at a rail terminal or a road territory. You’ll spend time in rail towers, dispatch centers and riding trains. You’ll learn how we move our customers’ freight and ultimately will become responsible for the safe and efficient operations of freight trains throughout the system.
• Typically, these positions are filled by engineering, management, logistics or liberal arts graduates.
Communication and Signals
• Communications and Signals trainees gain experience in all aspects of our C&S systems and devices, including design, construction, maintenance, safety compliance and inspection. You’ll be working outdoors in a predominately field-oriented and highly responsible position.
Design and Construction
• Using your engineering background, your time as a Design and Construction trainee will be spent working on buildings, Intermodal facilities, bridges, tunnels, coal piers and track.
Maintenance of Way
• In this field-oriented concentration, you’ll be preparing for placement as a manager with responsibility for various aspects of line maintenance or operations. You’ll work with a division headquarters to learn train and track dynamics, track inspection, construction and maintenance operations, and much more.
• Engineering disciplines
Mechanical
• As a mechanical trainee, you'll be developing skills related to our extensive fleet of rail cars and locomotives.
• Inspection and repair down to the component level and become familiar with the compliance standards of NS, the Association of American Railroads and the Federal Railroad Administration.
Customer Accounts
• Customer account representatives are an integral part of the Norfolk Southern business team. As a trainee, you may be responsible for up to 200 customers and accounts receivable up to $12 million. You’ll continually interact with multiple departments, other railroads and customers on billing-related issues.
• B&E or LA
Information Technology
• Exposure to the Norfolk Southern data processing environment including standards, procedures and preferred programming techniques.
• Client/server, computer operations, mainframe applications and PC/LAN.
• CS, IT, MIS, CE for this program.
Marketing
• As a part of our marketing team, you’ll be working directly with our customers to generate and grow partnerships through competitive pricing and market development. You will also offer support in developing comprehensive market analyses and plans.
• Marketing, international business, economics or MBA graduates.
Claims
• Claims trainees are exposed to all aspects of railroad operations in preparation for placement as claims agents. Members of our claims team investigate claims against or by Norfolk Southern for personal injury or property damage.
• Degrees in business administration, psychology, risk management, justice administration and law enforcement as especially well-suited for these positions.
Agriculture
• We currently serve shippers and receivers of corn, wheat, soybeans, miscellaneous grains, animal and poultry feed, sweeteners, ethanol, food oils, flour, beverages, canned goods, consumer products, government and miscellaneous transportation.
• Ag works with Intermodal and Modalgistics to offer customer most efficient, cost effective method to get their goods to market
AutomotiveParts and Distribution Centers, as well as Finished vehicles.
Largest rail shipper of automotive products in North America and 13 of the last 20 assembly plants to locate in the eastern United States have chosen Norfolk Southern to be their serving carrier.
Norfolk Southern has responded to automotive industry challenges with innovative distribution methodologies using JIT Rail Centers and Triple Crown Services’ RoadRailer® technology for auto parts distribution and the vehicle mixing center network for vehicle distribution.
ChemicalServing shippers and receivers of:
Sulfur and related chemicals
Petroleum products
Chlorine and bleaching compounds
Plastics
Industrial chemicals
Chemical wastes
Bulk products
Municipal wastes
Other non-hazardous wastes
Coal
At Norfolk Southern, coal is our specialty. For more than 100 years, we have linked an energy-hungry world with its vital resources. In that time, we've developed an expertise in sourcing, blending and moving the highest quality steam and metallurgical coal in the world. We haul coal to destinations on our system and to six river ports and the Great Lakes for water transport. In addition, export coal off our system flows through Norfolk, VA, home of the largest and fastest coal transloading facilities in the Northern Hemisphere. In Alabama, we operate a unique delivery system where coal is hauled over rail in containers.
Coal
• Lambert’s Point (Coal and Cargo Docks)- Norfolk VA
• 350 acres, can handle over 6500 full and empty open top gondolas
Coal (Pocahontas Land Corp)
• Pocahontas Land Corporation (PLC) and its subsidiary, Pocahontas Development Corporation, headquartered in Bluefield, WV, own or manage 1 million acres of natural resource properties in Alabama, Illinois, Kentucky, Tennessee, Virginia and West Virginia. PLC is a wholly-owned subsidiary of Norfolk Southern Corporation.
PLC’s Yukon Mine circa 1932
Government, Machinery, and Dimensional Shipments
MACH-One Machinery Service provides performance-driven transportation, combining the power of Norfolk Southern's scheduled railroad, enhanced performance and distribution network to offer you truckload delivery with the economies of long-haul rail.
We have three driving goals in our Industrial Development efforts:
• Locate rail-served industries along our lines by providing plant location services tailored to our customer's needs.
• Aid our existing industries in their expansion efforts.
• Work with our allies to promote economic growth in the communities we serve.
Intermodal
Metals and Construction• Serving shippers and receivers of: Iron and steel products • Aluminum products • Copper products • Alumina ores • Machinery • Scrap metals • Scrap Substitutes (DRI,HBI,Pigiron) • Cement • Aggregates • Bricks • Minerals • Misc. Construction Materials
Modalgistics
• Modalgistics, a business unit of Norfolk Southern Corporation, provides comprehensive supply chain solutions by integrating management resources, supply chain capabilities, and information technology. The company was established to utilize, and build upon, the talent of the logistics professionals currently working within Norfolk Southern Corporation's merchandise marketing group. Modalgistics then added several industry seasoned supply chain professionals to complete the company's logistics offering
Paper, Clay and Forest Products
• Serving shippers and receivers of: Lumber and wood products
• Pulpboard and paper products
• Wood fiber • Woodpulp • Scrap paper • Clay
Real Estate
• Managing Property within our ROW along our 21,200 route miles
Short Lines
Shortline Marketing responsibilities are to:• Assist our shortline partners in business
development and revenue growth • Insure an open line of communication between
all departments in NS and our Class II & III connections
• Offer support and maintain positive relations with all Class II & III partners
Major Route Map- Norfolk Southern
0
10
20
30
40
50
60
Num
bers
of e
mpl
oyee
s (in
thou
sand
s)
24 andunder
25-29 30-34 35-39 40-44 45-49 50-54 55-59 60-64 65+
Out of a total 232,000 active railway employees, 105,000
or 46%, are between the ages of 45 – 54
U.S. Railroad workers by age
Internal Audit Department
Who are we, what do we do for Norfolk Southern?
Internal Audit’s Role
Internal Audit is the independent, objective assurance and consulting activity established within Norfolk Southern Corporation and designed to add value and improve operations.
Evaluate and improve the effectiveness of risk management, control and governance processes.
Quantitative and qualitative analyses, appraisals, recommendations, counsel and information concerning the activities reviewed.
IA’s Role (cont.)
The vice president internal audit reports to the Chairman, President and Chief Executive Officer and has direct access to the Audit Committee of the Board of Directors.
Evaluation and identification of improvement opportunities concerning the
(a) adequacy and effectiveness of Norfolk Southern’s system of risk management and internal control,
(b) efficiency and effectiveness of operations, (c) safeguarding of corporate assets, and, (d) the corporation’s governance processes.
NS IA Vision
To be agents of change by assisting departments in achieving the corporate vision through quality audits and recommendations.
Financial AuditingFinancial auditing studies the current financial position of an operation
to evaluate the fair presentation of the financial position and results of operations as reported in the entity's financial statements.
Full financial audits of corporate operations and subsidiaries are typically performed by external, independent auditors.
The primary reason for a financial audit is to assure readers relying on the financial statements that the information contained therein is presented fairly in accordance with generally accepted accounting principles (GAAP).
Operational AuditingOperational auditing is actually an extension or enhancement of a
financial audit. An operational audit examines why and how those results occurred.
Review and appraisal of the efficiency and effectiveness of operations and operating procedures.
Operational auditing acts as a management service by evaluating the four functions of management: (1) planning, (2) organizing, (3) directing, and (4) controlling.
Common reasons for operational audits are assessing compliance with corporate policies and procedures, evaluating undesirable business conditions or results and exploring alternatives or opportunities.
Investigative
Investigative (or fraud) auditing is the development of evidence in matters involving criminal or other wrongdoings by officers, employees, customers, vendors or businesses.
IS Auditing
• Examination of significant aspects of the corporation's electronic data processing environments, including mainframe, wide area networks (WANs), local area networks (LANs), and applications.
• Although the nature of each of these types of auditing is relatively unique, the type of audit performed on any auditable unit could require a combination of any of these types of audits. In recent years, internal auditors have increasingly assumed roles which include performance of each of these types of audits.
IS Audit
• General Controls
• Best Practices
• Configuration Management
• SDLC
• Process Improvement
• Disaster Recovery
• Business Continuity
General Controls
• Adherence to Policy– Passwords– Administration– Control Weakness/ Compensating Controls
• Evaluation of policy– Is it viable?– Have requirements changed?– Can we rely on the control recommended by the
policy?
Best Practices
• If not referred to as a policy item, does it make sense?
• Are there compensating controls?
• Do the compensating controls work?– Can we break them?
Configuration Management
• AKA- change control
• CM looks at the whole process, not just the software changes
• Implementation, testing, user testing, promotions
• Will the new configuration benefit the customers?
SDLC
• CM for a new system
• Conception to customer buy-in
• Does SDLC function?
• Is it adhered to?
Process Improvement
Quarterly access review to strengthen internal controls
Three levels of signoff on Unplanned programming changes
Document Imaging
Disaster Recovery
• Since 9/11/01, this is a very critical business process
• Plan tested completely AT LEAST 2x/year• NS uses a mirror facility• Quarterly Tests of ALL applications• Restore systems to production from backups• Exercises range from 12-72 hour
DR
• Determine critical apps, and restore those first– ALWAYS want to
• Service customer• Pay employees
• Switchover from DR prod to Prod after disaster
Business Continuity
• How will we continue to service the customer during a disaster declaration and the switchover back to production?
• PLAN ‘B’- – Rerouting traffic after Katrina
• Railroads operated for years without IS, but with all the rail sharing that occurs nowadays, it would be impossible to operate effectively AND safely without complex systems.
CISA
• Certified Information Systems Auditor– CISA, the Certified Information Systems Auditor is
ISACA's cornerstone certification. Since 1978, the CISA exam has measured excellence in the area of IS auditing, control and security. CISA has grown to be globally recognized and adopted worldwide as a symbol of achievement. The CISA certification has been earned by more than 35,000 professionals since inception.
• CPA of the IS Audit World
CISA
• Comprehensive test of 7 functional areas:
• Management, Planning and Organization of IS—Evaluate the strategy, policies, standards, procedures and related practices for the management, planning and organization of IS.
CISA
• Technical Infrastructure and Operational Practices—Evaluate the effectiveness and efficiency of the organization's implementation and ongoing management of technical and operational infrastructure to ensure that they adequately support the organization's business objectives.
CISA
• Protection of Information Assets—Evaluate the logical, environmental and IT infrastructure security to ensure that it satisfies the organization's business requirements for safeguarding information assets against unauthorized use, disclosure, modification, damage or loss.
CISA
• Disaster Recovery and Business Continuity—Evaluate the process for developing and maintaining documented, communicated and tested plans for continuity of business operations and IS processing in the event of a disruption.
CISA
• Business Application System Development, Acquisition, Implementation and Maintenance—Evaluate the methodology and processes by which the business application system development, acquisition, implementation and maintenance are undertaken to ensure that they meet the organization's business objectives.
CISA
• Business Process Evaluation and Risk Management—Evaluate business systems and processes to ensure that risks are managed in accordance with the organization's business objectives.
The IS Audit Process
Conduct IS audits in accordance with generally accepted IS audit standards and guidelines to ensure that the organization's information technology and business systems are adequately controlled, monitored, and assessed.
CISA
• Textbook test
• Not RWE intensive
• Can be passed with little knowledge of audit
Other Certifications
• CISSP
• CISM
• Any tech certifications are VERY helpful- DBA, AD, Novell, SQL
• Security+
• CIA
• CFE
Sarbanes Oxley Act- History
• Accounting profession built on principles and standards with strong self governance
• When self governance failed - Enron, WorldCom, Tyco, …
• Huge personal losses, media coverage, public outcry
• Led government to respond with regulation
Sarbanes Oxley Act of 2002 (SOX)
• Public Company Accounting Reform and Investor Protection Act
• Written and signed in Congress• 11 Titles (i.e. chapters), multiple sections within
each• Called for creation of the Public Company
Accounting Oversight Board (PCAOB)• Goal: Informative, Fair and Independent Audit
Reports
PCAOB
• Formed to oversee auditors of public companies
• Broad investigative and disciplinary authority
• Issued exposure drafts that detail the requirements of SOX
• Worked with the SEC to finalize requirements
Internal Controls
• Processes designed to provide REASONABLE ASSURANCE regarding the achievement of goals in:– Financial reporting reliability– Operating efficiency and effectiveness– Compliance with applicable laws and
standards
• Responsibility of Management
SOX Section 404
• Addresses financial reporting reliability– processes and procedures that relate to
maintenance of accounting records– authorization of receipts and disbursements– safeguarding of assets
404 Requirements
• Management must assess the effectiveness of the company’s internal control over financials as of the end of the fiscal year
• NS required to report as of December 31, 2004• External auditors attest to management’s
assessment of the company’s internal controls. This requires them to attest to the design and operating effectiveness of the internal controls.
Other Sections
• Section 103 - audit-related records kept for seven years
• Section 201 - firms that audit books can no longer perform IT services
• Section 301 - confidential whistle-blowing audit.nscorp.com and Ethics Hotline (800)732-9279
• Section 302 - CEO and CFO quarterly statements
• Section 409 - “rapid and current” reporting on changes in financial conditions
Implications
• The “downhill” effect
• Upper management assertions will be based on departmental assertions
• Departmental assertions will be based on control design tests that must be completely documented
• Internal audit will independently test the effectiveness of departmental controls.
• Therefore audit CANNOT design controls.
Results
• Loads of documentation by departments and IA
• Regular testing of areas where we’ve traditionally relied upon the controls
• Increased emphasis on timely audit issue resolution
• SOX compliance + strong internal controls = no surprises from external audit reports and happy management
IT Areas
• General controls such as policies and procedures, access controls and change control
• Specific application controls including railroad operating systems, feeders to financials and accounts closing process
• Complete transaction tracing• System accuracy, efficiency, and availability• Records retention
Bottom Line
• Simple, routine actions can impact control effectiveness and how we must report
• With IT spanning the corporation, SOX implications are higher than in any other area
• IT employees often have a higher level of authority which holds you to higher standards
• IT management is firmly dedicated to SOX compliance
Legal Impacts
• HR and Benefits Positions affected by recent legislation– HIPAA – SOX– Privacy Issues regarding SSNs and other
Identity Theft Issues
Norfolk & Western J-Class 611
Then
Now
The End
