rich sanders, cisa information systems auditor norfolk southern corporation [email protected]
Post on 19-Dec-2015
221 views
TRANSCRIPT
CareerThe Kroger Co. Information systems technologistKroger Manufacturing, Stave Avenue
Grocery Products Plant, Cincinnati, OH 140 user IBM AS/400 300 user Novell Netware Application, hardware, network, software
support
http://www.kroger.com/careers.htm
Career IS Auditor, The Kroger Co.Audits of data centers, food stores,
jewelry stores, warehouses, manufacturing facilities and c-stores
Multiplatform auditshttp://www.kroger.com/careers.htm
Career CareFirst BCBS, Owings Mills, MD FEP Medicare/ Medicaid
Norfolk Southern Corporation
Best Friend of CharlestonBest Friend of CharlestonThe one hundred and forty-one persons flew on the wings of wind at the speed of fifteen to twenty-five miles per hour, The one hundred and forty-one persons flew on the wings of wind at the speed of fifteen to twenty-five miles per hour,
annihilating time and space...annihilating time and space...
6 hp- 14hour trip for 136 miles.
South Carolina Canal and RR Co.- 1827
GE Evolution Series Engines
4000-4500 HP Top Speed of 60-70 MPH.
Pulls trains totaling 15-20,000 tons.
Norfolk Southern Vision:
Be the safest, most customer-focused and successful transportation company in the world
Rail Safety 1980- 2004
0
10,000
20,000
30,000
40,000
50,000
60,000
1980 1982 1984 1986 1988 1990 1992 1994 1996 1998 2000 2002 2004
FRA REPORTABLE INJURIES1980--2004
Our Mission:
Norfolk Southern's mission is to enhance the value of our stockholders' investment over time by providing quality freight transportation services and undertaking any other related businesses in which our resources, particularly our people, give the company an advantage.
Headquartered in Norfolk, VA
28,000 + employees 4000 non-
agreement 24,000 agreement
We serve: 21,300 route miles 22 Eastern States
DC Ontario
20 Ports Connects to rail partners in West and Canada Logistics Intermodal
Facilities Served: Bulk transfer centers- 188 (+10) Coal-loading facilities- 172 (+42) Paper distribution centers- 105 (-22) Lumber reload centers-124 (-2) Power generation plants- 139 (+15) Major steel mills and processing facilities- 75 (+1) Metals distribution centers-72 (-3) Major paper mills- 60 (+8) Intermodal terminals-52 Auto distribution facilities-38 Auto assembly plants-36 Coal and iron ore transload facilities-31 (+10) Sea ports-13 Triple Crown terminals-14 (+2) Lake ports-7 Plastics warehouse/distribution centers-7 Vehicle mixing centers-4 Just-In-Time rail auto parts centers-4
Career Paths8 programs
Rail Operations Corporate Setting
Transportation As a transportation trainee, you’ll learn railroad
operations in preparation to supervise conductors and locomotive engineers at a rail terminal or a road territory. You’ll spend time in rail towers, dispatch centers and riding trains. You’ll learn how we move our customers’ freight and ultimately will become responsible for the safe and efficient operations of freight trains throughout the system.
Typically, these positions are filled by engineering, management, logistics or liberal arts graduates.
Communication and SignalsCommunications and Signals trainees
gain experience in all aspects of our C&S systems and devices, including design, construction, maintenance, safety compliance and inspection. You’ll be working outdoors in a predominately field-oriented and highly responsible position.
Design and Construction Using your engineering background,
your time as a Design and Construction trainee will be spent working on buildings, Intermodal facilities, bridges, tunnels, coal piers and track.
Maintenance of Way In this field-oriented concentration, you’ll be
preparing for placement as a manager with responsibility for various aspects of line maintenance or operations. You’ll work with a division headquarters to learn train and track dynamics, track inspection, construction and maintenance operations, and much more.
Engineering disciplines
Mechanical As a mechanical trainee, you'll be developing
skills related to our extensive fleet of rail cars and locomotives.
Inspection and repair down to the component level and become familiar with the compliance standards of NS, the Association of American Railroads and the Federal Railroad Administration.
Customer Accounts Customer account representatives are an
integral part of the Norfolk Southern business team. As a trainee, you may be responsible for up to 200 customers and accounts receivable up to $12 million. You’ll continually interact with multiple departments, other railroads and customers on billing-related issues.
B&E or LA
Information Technology Exposure to the Norfolk Southern data
processing environment including standards, procedures and preferred programming techniques.
Client/server, computer operations, mainframe applications and PC/LAN.
CS, IT, MIS, CE for this program.
Marketing As a part of our marketing team, you’ll be
working directly with our customers to generate and grow partnerships through competitive pricing and market development. You will also offer support in developing comprehensive market analyses and plans.
Marketing, international business, economics or MBA graduates.
Claims Claims trainees are exposed to all aspects of
railroad operations in preparation for placement as claims agents. Members of our claims team investigate claims against or by Norfolk Southern for personal injury or property damage.
Degrees in business administration, psychology, risk management, justice administration and law enforcement as especially well-suited for these positions.
Agriculture We currently serve shippers and receivers of
corn, wheat, soybeans, miscellaneous grains, animal and poultry feed, sweeteners, ethanol, food oils, flour, beverages, canned goods, consumer products, government and miscellaneous transportation.
Ag works with Intermodal and Modalgistics to offer customer most efficient, cost effective method to get their goods to market
AutomotiveParts and Distribution Centers, as well as Finished vehicles.
Largest rail shipper of automotive products in North America and 13 of the last 20 assembly plants to locate in the eastern United States have chosen Norfolk Southern to be their serving carrier.
Norfolk Southern has responded to automotive industry challenges with innovative distribution methodologies using JIT Rail Centers and Triple Crown Services’ RoadRailer® technology for auto parts distribution and the vehicle mixing center network for vehicle distribution.
ChemicalServing shippers and receivers of:
Sulfur and related chemicals
Petroleum products
Chlorine and bleaching compounds
Plastics
Industrial chemicals
Chemical wastes
Bulk products
Municipal wastes
Other non-hazardous wastes
Coal
At Norfolk Southern, coal is our specialty. For more than 100 years, we have linked an energy-hungry world with its vital resources. In that time, we've developed an expertise in sourcing, blending and moving the highest quality steam and metallurgical coal in the world. We haul coal to destinations on our system and to six river ports and the Great Lakes for water transport. In addition, export coal off our system flows through Norfolk, VA, home of the largest and fastest coal transloading facilities in the Northern Hemisphere. In Alabama, we operate a unique delivery system where coal is hauled over rail in containers.
Coal Lambert’s Point
(Coal and Cargo Docks)- Norfolk VA
350 acres, can handle over 6500 full and empty open top gondolas
Coal (Pocahontas Land Corp) Pocahontas Land Corporation (PLC) and its
subsidiary, Pocahontas Development Corporation, headquartered in Bluefield, WV, own or manage 1 million acres of natural resource properties in Alabama, Illinois, Kentucky, Tennessee, Virginia and West Virginia. PLC is a wholly-owned subsidiary of Norfolk Southern Corporation.
PLC’s Yukon Mine circa 1932
Government, Machinery, and Dimensional Shipments
MACH-One Machinery Service provides performance-driven transportation, combining the power of Norfolk Southern's scheduled railroad, enhanced performance and distribution network to offer you truckload delivery with the economies of long-haul rail.
We have three driving goals in our Industrial Development efforts:
Locate rail-served industries along our lines by providing plant location services tailored to our customer's needs.
Aid our existing industries in their expansion efforts.
Work with our allies to promote economic growth in the communities we serve.
Intermodal
Metals and Construction Serving shippers and receivers of: Iron and steel products Aluminum products Copper products Alumina ores Machinery Scrap metals Scrap Substitutes (DRI,HBI,Pigiron) Cement Aggregates Bricks Minerals Misc. Construction Materials
Modalgistics Modalgistics, a business unit of Norfolk Southern
Corporation, provides comprehensive supply chain solutions by integrating management resources, supply chain capabilities, and information technology. The company was established to utilize, and build upon, the talent of the logistics professionals currently working within Norfolk Southern Corporation's merchandise marketing group. Modalgistics then added several industry seasoned supply chain professionals to complete the company's logistics offering
Paper, Clay and Forest Products Serving shippers and
receivers of: Lumber and wood products
Pulpboard and paper products
Wood fiber Woodpulp Scrap paper Clay
Real EstateManaging Property within our ROW
along our 21,600 route miles
Short Lines
Shortline Marketing responsibilities are to: Assist our shortline partners in business
development and revenue growth Insure an open line of communication
between all departments in NS and our Class II & III connections
Offer support and maintain positive relations with all Class II & III partners
0
10
20
30
40
50
60N
um
be
rs o
f em
plo
yee
s (in
tho
usa
nd
s)
24 andunder
25-29 30-34 35-39 40-44 45-49 50-54 55-59 60-64 65+
Out of a total 232,000 active railway employees, 105,000
or 46%, are between the ages of 45 – 54
U.S. Railroad workers by age
Internal Audit Department
Who are we, what do we do for Norfolk Southern?
Internal Audit’s RoleInternal Audit is the independent, objective assurance
and consulting activity established within Norfolk Southern Corporation and designed to add value and improve operations.
Evaluate and improve the effectiveness of risk management, control and governance processes.
Quantitative and qualitative analyses, appraisals, recommendations, counsel and information concerning the activities reviewed.
IA’s Role (cont.)The vice president internal audit reports to the
Chairman, President and Chief Executive Officer and has direct access to the Audit Committee of the Board of Directors.
Evaluation and identification of improvement opportunities concerning the
(a) adequacy and effectiveness of Norfolk Southern’s system of risk management and internal control,
(b) efficiency and effectiveness of operations, (c) safeguarding of corporate assets, and, (d) the corporation’s governance processes.
NS IA Vision
To be agents of change by assisting departments in achieving the corporate vision through quality audits and recommendations.
Financial AuditingFinancial auditing studies the current financial position of an
operation to evaluate the fair presentation of the financial position and results of operations as reported in the entity's financial statements.
Full financial audits of corporate operations and subsidiaries are typically performed by external, independent auditors.
The primary reason for a financial audit is to assure readers relying on the financial statements that the information contained therein is presented fairly in accordance with generally accepted accounting principles (GAAP).
Operational AuditingOperational auditing is actually an extension or enhancement of a
financial audit. An operational audit examines why and how those results
occurred.
Review and appraisal of the efficiency and effectiveness of operations and operating procedures.
Operational auditing acts as a management service by evaluating the four functions of management: (1) planning, (2) organizing, (3) directing, and (4) controlling.
Common reasons for operational audits are assessing compliance with corporate policies and procedures, evaluating undesirable business conditions or results and exploring alternatives or opportunities.
Investigative
Investigative (or fraud) auditing is the development of evidence in matters involving criminal or other wrongdoings by officers, employees, customers, vendors or businesses.
IS Auditing Examination of significant aspects of the
corporation's electronic data processing environments, including mainframe, wide area networks (WANs), local area networks (LANs), and applications.
Although the nature of each of these types of auditing is relatively unique, the type of audit performed on any auditable unit could require a combination of any of these types of audits. In recent years, internal auditors have increasingly assumed roles which include performance of each of these types of audits.
IS AuditGeneral ControlsBest PracticesConfiguration ManagementSDLCProcess ImprovementDisaster RecoveryBusiness Continuity
General Controls Adherence to Policy
Passwords Administration Control Weakness/ Compensating Controls
Evaluation of policy Is it viable? Have requirements changed? Can we rely on the control recommended by the
policy?
Best Practices If not referred to as a policy item, does it
make sense?Are there compensating controls?Do the compensating controls work?
Can we break them?
Configuration ManagementAKA- change controlCM looks at the whole process, not just
the software changes Implementation, testing, user testing,
promotionsWill the new configuration benefit the
customers?
SDLCCM for a new systemConception to customer buy-inDoes SDLC function? Is it adhered to?
Process Improvement
Quarterly access review to strengthen internal controls
Three levels of signoff on Unplanned programming changes
Document Imaging
Disaster Recovery Since 9/11/01, this is a very critical business
process Plan tested completely AT LEAST 2x/year NS uses a mirror facility Quarterly Tests of ALL applications Restore systems to production from backups Exercises range from 12-72 hour
DRDetermine critical apps, and restore
those first ALWAYS want to
Service customer Pay employees
Switchover from DR prod to Prod after disaster
Business Continuity How will we continue to service the customer
during a disaster declaration and the switchover back to production?
PLAN ‘B’- Rerouting traffic after Katrina
Railroads operated for years without IS, but with all the rail sharing that occurs nowadays, it would be impossible to operate effectively AND safely without complex systems.
CISA Certified Information Systems Auditor
CISA, the Certified Information Systems Auditor is ISACA's cornerstone certification. Since 1978, the CISA exam has measured excellence in the area of IS auditing, control and security. CISA has grown to be globally recognized and adopted worldwide as a symbol of achievement. The CISA certification has been earned by more than 35,000 professionals since inception.
CPA of the IS Audit World
CISAComprehensive test of 7 functional
areas:Management, Planning and
Organization of IS—Evaluate the strategy, policies, standards, procedures and related practices for the management, planning and organization of IS.
CISATechnical Infrastructure and Operational
Practices—Evaluate the effectiveness and efficiency of the organization's implementation and ongoing management of technical and operational infrastructure to ensure that they adequately support the organization's business objectives.
CISAProtection of Information Assets—
Evaluate the logical, environmental and IT infrastructure security to ensure that it satisfies the organization's business requirements for safeguarding information assets against unauthorized use, disclosure, modification, damage or loss.
CISADisaster Recovery and Business
Continuity—Evaluate the process for developing and maintaining documented, communicated and tested plans for continuity of business operations and IS processing in the event of a disruption.
CISA Business Application System Development,
Acquisition, Implementation and Maintenance—Evaluate the methodology and processes by which the business application system development, acquisition, implementation and maintenance are undertaken to ensure that they meet the organization's business objectives.
CISABusiness Process Evaluation and Risk
Management—Evaluate business systems and processes to ensure that risks are managed in accordance with the organization's business objectives.
The IS Audit Process
Conduct IS audits in accordance with generally accepted IS audit standards and guidelines to ensure that the organization's information technology and business systems are adequately controlled, monitored, and assessed.
CISATextbook testNot RWE intensiveCan be passed with little knowledge of
audit
Other CertificationsCISSPCISMAny tech certifications are VERY
helpful- DBA, AD, Novell, SQLSecurity+CIACFE
What is SOX?
Sarbanes Oxley Act- HistoryAccounting profession built on principles
and standards with strong self governanceWhen self governance failed - Enron,
WorldCom, Tyco, …Huge personal losses, media coverage,
public outcryLed government to respond with regulation
Sarbanes Oxley Act of 2002 (SOX) Public Company Accounting Reform and
Investor Protection Act Written and signed in Congress 11 Titles (i.e. chapters), multiple sections
within each Called for creation of the Public Company
Accounting Oversight Board (PCAOB) Goal: Informative, Fair and Independent
Audit Reports
PCAOBFormed to oversee auditors of public
companiesBroad investigative and disciplinary
authority Issued exposure drafts that detail the
requirements of SOXWorked with the SEC to finalize
requirements
Internal ControlsProcesses designed to provide
REASONABLE ASSURANCE regarding the achievement of goals in: Financial reporting reliability Operating efficiency and effectiveness Compliance with applicable laws and
standardsResponsibility of Management
SOX Section 404Addresses financial reporting reliability
processes and procedures that relate to maintenance of accounting records
authorization of receipts and disbursements
safeguarding of assets
404 Requirements Management must assess the effectiveness
of the company’s internal control over financials as of the end of the fiscal year
NS required to report as of December 31, 2004
External auditors attest to management’s assessment of the company’s internal controls. This requires them to attest to the design and operating effectiveness of the internal controls.
Other Sections Section 103 - audit-related records kept for seven
years Section 201 - firms that audit books can no longer
perform IT services Section 301 - confidential whistle-blowing
audit.nscorp.com and Ethics Hotline (800)732-9279 Section 302 - CEO and CFO quarterly statements Section 409 - “rapid and current” reporting on
changes in financial conditions
Implications The “downhill” effect Upper management assertions will be based on
departmental assertions Departmental assertions will be based on control
design tests that must be completely documented
Internal audit will independently test the effectiveness of departmental controls.
Therefore audit CANNOT design controls.
ResultsLoads of documentation by departments
and IARegular testing of areas where we’ve
traditionally relied upon the controls Increased emphasis on timely audit
issue resolutionSOX compliance + strong internal
controls = no surprises from external audit reports and happy management
IT Areas General controls such as policies and
procedures, access controls and change control
Specific application controls including railroad operating systems, feeders to financials and accounts closing process
Complete transaction tracing System accuracy, efficiency, and availability Records retention
Bottom Line Simple, routine actions can impact control
effectiveness and how we must report With IT spanning the corporation, SOX
implications are higher than in any other area IT employees often have a higher level of
authority which holds you to higher standards IT management is firmly dedicated to SOX
compliance
Enough of that…
The End