Internal Audit Department - PowerPoint PPT Presentation


Title: Internal Audit Department


1
Rich Sanders, CISA, Information Systems Auditor,
Norfolk Southern Corporation
Rich.sanders_at_nscorp.com
2
Career
  • The Kroger Co.
  • Information systems technologist
  • Kroger Manufacturing, Stave Avenue Grocery
    Products Plant, Cincinnati, OH
  • 140 user IBM AS/400
  • 300 user Novell Netware
  • Application, hardware, network, software support
  • http://www.kroger.com/careers.htm

3
Career
  • IS Auditor, The Kroger Co.
  • Audits of data centers, food stores, jewelry
    stores, warehouses, manufacturing facilities and
    c-stores
  • Multiplatform audits
  • http://www.kroger.com/careers.htm

4
Career
  • CareFirst BCBS, Owings Mills, MD
  • FEP
  • Medicare/ Medicaid

5
Norfolk Southern Corporation
6
South Carolina Canal and RR Co. - 1827
Best Friend of Charleston: "The one hundred and
forty-one persons flew on the wings of wind at
the speed of fifteen to twenty-five miles per
hour, annihilating time and space..." 6 hp;
14-hour trip for 136 miles.
7
GE Evolution Series Engines: 4000-4500 HP, top
speed of 60-70 MPH. Pulls trains totaling
15-20,000 tons.
8
Norfolk Southern Vision
  • Be the safest, most customer-focused and
    successful transportation company in the world

9
Rail Safety 1980- 2004
10
Our Mission
  • Norfolk Southern's mission is to enhance the
    value of our stockholders' investment over time
    by providing quality freight transportation
    services and undertaking any other related
    businesses in which our resources, particularly
    our people, give the company an advantage.

11
  • Headquartered in Norfolk, VA
  • 28,000 employees
  • 4000 non-agreement
  • 24,000 agreement

12
We serve
  • 21,300 route miles
  • 22 Eastern States
  • DC
  • Ontario
  • 20 Ports
  • Connects to rail partners in West and Canada
  • Logistics
  • Intermodal

13
Facilities Served
  • Bulk transfer centers- 188 (10)
  • Coal-loading facilities- 172 (42)
  • Paper distribution centers- 105 (-22)
  • Lumber reload centers-124 (-2)
  • Power generation plants- 139 (15)
  • Major steel mills and processing facilities- 75
    (1)
  • Metals distribution centers-72 (-3)
  • Major paper mills- 60 (8)
  • Intermodal terminals-52
  • Auto distribution facilities-38
  • Auto assembly plants-36
  • Coal and iron ore transload facilities-31 (10)
  • Sea ports-13
  • Triple Crown terminals-14 (2)
  • Lake ports-7
  • Plastics warehouse/distribution centers-7
  • Vehicle mixing centers-4
  • Just-In-Time rail auto parts centers-4

14
Career Paths
  • 8 programs
  • Rail Operations
  • Corporate Setting

15
Transportation
  • As a transportation trainee, you'll learn
    railroad operations in preparation to supervise
    conductors and locomotive engineers at a rail
    terminal or a road territory. You'll spend time
    in rail towers, dispatch centers and riding
    trains. You'll learn how we move our customers'
    freight and ultimately will become responsible
    for the safe and efficient operations of freight
    trains throughout the system.
  • Typically, these positions are filled by
    engineering, management, logistics or liberal
    arts graduates.

16
Communication and Signals
  • Communications and Signals trainees gain
    experience in all aspects of our C&S systems and
    devices, including design, construction,
    maintenance, safety compliance and inspection.
    You'll be working outdoors in a predominantly
    field-oriented and highly responsible position.

17
Design and Construction
  • Using your engineering background, your time as a
    Design and Construction trainee will be spent
    working on buildings, Intermodal facilities,
    bridges, tunnels, coal piers and track.

18
Maintenance of Way
  • In this field-oriented concentration, you'll be
    preparing for placement as a manager with
    responsibility for various aspects of line
    maintenance or operations. You'll work with a
    division headquarters to learn train and track
    dynamics, track inspection, construction and
    maintenance operations, and much more.
  • Engineering disciplines

19
Mechanical
  • As a mechanical trainee, you'll be developing
    skills related to our extensive fleet of rail
    cars and locomotives.
  • You'll inspect and repair down to the component
    level and become familiar with the compliance
    standards of NS, the Association of American
    Railroads and the Federal Railroad Administration.

20
Customer Accounts
  • Customer account representatives are an integral
    part of the Norfolk Southern business team. As a
    trainee, you may be responsible for up to 200
    customers and accounts receivable up to 12
    million. You'll continually interact with
    multiple departments, other railroads and
    customers on billing-related issues.
  • BE or LA

21
Information Technology
  • Exposure to the Norfolk Southern data processing
    environment including standards, procedures and
    preferred programming techniques.
  • Client/server, computer operations, mainframe
    applications and PC/LAN.
  • CS, IT, MIS, CE for this program.

22
Marketing
  • As a part of our marketing team, you'll be
    working directly with our customers to generate
    and grow partnerships through competitive pricing
    and market development. You will also offer
    support in developing comprehensive market
    analyses and plans.
  • Marketing, international business, economics or
    MBA graduates.

23
Claims
  • Claims trainees are exposed to all aspects of
    railroad operations in preparation for placement
    as claims agents. Members of our claims team
    investigate claims against or by Norfolk Southern
    for personal injury or property damage.
  • Degrees in business administration, psychology,
    risk management, justice administration and law
    enforcement are especially well-suited for these
    positions.

24
Agriculture
  • We currently serve shippers and receivers of
    corn, wheat, soybeans, miscellaneous grains,
    animal and poultry feed, sweeteners, ethanol,
    food oils, flour, beverages, canned goods,
    consumer products, government and miscellaneous
    transportation.
  • Ag works with Intermodal and Modalgistics to
    offer customers the most efficient, cost-effective
    method to get their goods to market.

25
Automotive
Parts and Distribution Centers, as well as
Finished vehicles. Largest rail shipper of
automotive products in North America and 13 of
the last 20 assembly plants to locate in the
eastern United States have chosen Norfolk
Southern to be their serving carrier. Norfolk
Southern has responded to automotive industry
challenges with innovative distribution
methodologies using JIT Rail Centers and Triple
Crown Services RoadRailer technology for auto
parts distribution and the vehicle mixing center
network for vehicle distribution.
26
Chemical
  • Serving shippers and receivers of Sulfur and
    related chemicals
  • Petroleum products
  • Chlorine and bleaching compounds
  • Plastics
  • Industrial chemicals
  • Chemical wastes
  • Bulk products
  • Municipal wastes
  • Other non-hazardous wastes

27
Coal
At Norfolk Southern, coal is our specialty. For
more than 100 years, we have linked an
energy-hungry world with its vital resources. In
that time, we've developed an expertise in
sourcing, blending and moving the highest quality
steam and metallurgical coal in the world. We
haul coal to destinations on our system and to
six river ports and the Great Lakes for water
transport. In addition, export coal off our
system flows through Norfolk, VA, home of the
largest and fastest coal transloading facilities
in the Northern Hemisphere. In Alabama, we
operate a unique delivery system where coal is
hauled over rail in containers.
28
Coal
  • Lamberts Point (Coal and Cargo Docks)- Norfolk
    VA
  • 350 acres, can handle over 6500 full and empty
    open top gondolas

29
Coal (Pocahontas Land Corp)
  • Pocahontas Land Corporation (PLC) and its
    subsidiary, Pocahontas Development Corporation,
    headquartered in Bluefield, WV, own or manage 1
    million acres of natural resource properties in
    Alabama, Illinois, Kentucky, Tennessee, Virginia
    and West Virginia. PLC is a wholly-owned
    subsidiary of Norfolk Southern Corporation.

PLC's Yukon Mine, circa 1932
30
Government, Machinery, and Dimensional Shipments
MACH-One Machinery Service provides
performance-driven transportation, combining the
power of Norfolk Southern's scheduled railroad,
enhanced performance and distribution network to
offer you truckload delivery with the economies
of long-haul rail.
31
  • We have three driving goals in our Industrial
    Development efforts:
  • Locate rail-served industries along our lines by
    providing plant location services tailored to our
    customer's needs.
  • Aid our existing industries in their expansion
    efforts.
  • Work with our allies to promote economic growth
    in the communities we serve.

32
Intermodal
33
(No Transcript)
34
(No Transcript)
35
(No Transcript)
36
(No Transcript)
37
(No Transcript)
38
Metals and Construction
  • Serving shippers and receivers of Iron and
    steel products
  • Aluminum products
  • Copper products
  • Alumina ores
  • Machinery
  • Scrap metals
  • Scrap Substitutes (DRI,HBI,Pigiron)
  • Cement
  • Aggregates
  • Bricks
  • Minerals
  • Misc. Construction Materials

39
Modalgistics
  • Modalgistics, a business unit of Norfolk Southern
    Corporation, provides comprehensive supply chain
    solutions by integrating management resources,
    supply chain capabilities, and information
    technology. The company was established to
    utilize, and build upon, the talent of the
    logistics professionals currently working within
    Norfolk Southern Corporation's merchandise
    marketing group. Modalgistics then added several
    industry seasoned supply chain professionals to
    complete the company's logistics offering

40
Paper, Clay and Forest Products
  • Serving shippers and receivers of Lumber and
    wood products
  • Pulpboard and paper products
  • Wood fiber
  • Woodpulp
  • Scrap paper
  • Clay

41
Real Estate
  • Managing Property within our ROW along our 21,600
    route miles

42
Short Lines
  • Shortline Marketing responsibilities are to
  • Assist our shortline partners in business
    development and revenue growth
  • Ensure an open line of communication between all
    departments in NS and our Class II and III
    connections
  • Offer support and maintain positive relations
    with all Class II and III partners

43
(No Transcript)
44
U.S. Railroad workers by age
Out of a total of 232,000 active railway employees,
105,000, or 46%, are between the ages of 45 and 54.
45
Internal Audit Department
  • Who are we, what do we do for Norfolk Southern?

46
Internal Audit's Role
  • Internal Audit is the independent, objective
    assurance and consulting activity established
    within Norfolk Southern Corporation and designed
    to add value and improve operations.
  • Evaluate and improve the effectiveness of risk
    management, control and governance processes.
  • Quantitative and qualitative analyses,
    appraisals, recommendations, counsel and
    information concerning the activities reviewed.

47
IA's Role (cont.)
  • The vice president internal audit reports to the
    Chairman, President and Chief Executive Officer
    and has direct access to the Audit Committee of
    the Board of Directors. Evaluation and
    identification of improvement opportunities
    concerning the:
  • (a) adequacy and effectiveness of Norfolk
    Southern's system of risk management and internal
    control,
  • (b) efficiency and effectiveness of operations,
  • (c) safeguarding of corporate assets, and
  • (d) the corporation's governance processes.

48
NS IA Vision
  • To be agents of change by assisting departments
    in achieving the corporate vision through quality
    audits and recommendations.

49
Financial Auditing
  • Financial auditing studies the current financial
    position of an operation to evaluate the fair
    presentation of the financial position and
    results of operations as reported in the entity's
    financial statements.
  • Full financial audits of corporate operations and
    subsidiaries are typically performed by external,
    independent auditors.
  • The primary reason for a financial audit is to
    assure readers relying on the financial
    statements that the information contained therein
    is presented fairly in accordance with generally
    accepted accounting principles (GAAP).

50
Operational Auditing
  • Operational auditing is actually an extension or
    enhancement of a financial audit.
  • An operational audit examines why and how those
    results occurred.
  • Review and appraisal of the efficiency and
    effectiveness of operations and operating
    procedures.
  • Operational auditing acts as a management service
    by evaluating the four functions of management
    (1) planning, (2) organizing, (3) directing, and
    (4) controlling.
  • Common reasons for operational audits are
    assessing compliance with corporate policies and
    procedures, evaluating undesirable business
    conditions or results and exploring alternatives
    or opportunities.

51
Investigative
  • Investigative (or fraud) auditing is the
    development of evidence in matters involving
    criminal or other wrongdoings by officers,
    employees, customers, vendors or businesses.

52
IS Auditing
  • Examination of significant aspects of the
    corporation's electronic data processing
    environments, including mainframe, wide area
    networks (WANs), local area networks (LANs), and
    applications.
  • Although the nature of each of these types of
    auditing is relatively unique, the type of audit
    performed on any auditable unit could require a
    combination of any of these types of audits. In
    recent years, internal auditors have increasingly
    assumed roles which include performance of each
    of these types of audits.

53
IS Audit
  • General Controls
  • Best Practices
  • Configuration Management
  • SDLC
  • Process Improvement
  • Disaster Recovery
  • Business Continuity

54
General Controls
  • Adherence to Policy
  • Passwords
  • Administration
  • Control Weakness/ Compensating Controls
  • Evaluation of policy
  • Is it viable?
  • Have requirements changed?
  • Can we rely on the control recommended by the
    policy?

55
Best Practices
  • If not referred to as a policy item, does it make
    sense?
  • Are there compensating controls?
  • Do the compensating controls work?
  • Can we break them?

56
Configuration Management
  • AKA- change control
  • CM looks at the whole process, not just the
    software changes
  • Implementation, testing, user testing, promotions
  • Will the new configuration benefit the customers?

57
SDLC
  • CM for a new system
  • Conception to customer buy-in
  • Does SDLC function?
  • Is it adhered to?

58
Process Improvement
  • Quarterly access review to strengthen internal
    controls
  • Three levels of signoff on Unplanned programming
    changes
  • Document Imaging

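The quarterly access review and the three-level signoff on unplanned changes named above are the kind of control an IS auditor tests by re-performing it against the evidence. The following is an added example, not code from the presentation or from Norfolk Southern: it reconciles a constructed account export against a constructed HR roster and checks constructed change tickets for three distinct approvers. The CSV layouts, field names, the 90-day dormancy threshold and the review date are assumptions, not the railroad's actual formats or policy.

```python
"""
Control-evidence checks for a quarterly access review and for
three-level signoff on unplanned changes. Added example; the record
layouts, field names and 90-day dormancy threshold are assumptions,
not Norfolk Southern's actual formats or policy.
"""
import csv
import io
from datetime import date, datetime

# Constructed sample data: account export from an application/platform.
ACCOUNTS_CSV = """user,status,privileged,last_login
jsmith,active,no,2004-11-20
mjones,active,yes,2004-12-01
bwilson,active,no,2004-06-02
tlee,active,yes,2004-11-30
admin2,active,yes,2004-12-05
"""

# Constructed sample data: HR roster as of the review date.
HR_CSV = """user,employment_status
jsmith,employed
mjones,employed
bwilson,employed
tlee,terminated
"""

# Constructed sample data: users whose privileged access has a documented approval.
PRIV_APPROVALS = {"mjones"}

# Constructed sample data: unplanned (emergency) change tickets and who signed off.
CHANGES_CSV = """ticket,approvers
CHG-1001,alice;bob;carol
CHG-1002,alice;alice;bob
CHG-1003,dave;erin
"""

REVIEW_DATE = date(2004, 12, 31)   # assumed quarter-end review date
DORMANT_DAYS = 90                  # assumed dormancy threshold


def parse_csv(text):
    """Read an in-memory CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def access_review(accounts_csv, hr_csv, privileged_approvals, review_date,
                  dormant_days=DORMANT_DAYS):
    """Return a sorted list of (user, finding) tuples for active accounts.

    Findings:
      terminated-active     : account active but HR shows the person terminated
      no-hr-record          : account exists but the user is not on the roster
      dormant               : no login within `dormant_days` of the review date
      privileged-unapproved : privileged flag set without an approval on record
    """
    roster = {r["user"]: r["employment_status"] for r in parse_csv(hr_csv)}
    findings = []
    for acct in parse_csv(accounts_csv):
        if acct["status"] != "active":
            continue  # disabled accounts are out of scope for this review
        user = acct["user"]
        hr_status = roster.get(user)
        if hr_status is None:
            findings.append((user, "no-hr-record"))
        elif hr_status == "terminated":
            findings.append((user, "terminated-active"))
        last_login = datetime.strptime(acct["last_login"], "%Y-%m-%d").date()
        if (review_date - last_login).days > dormant_days:
            findings.append((user, "dormant"))
        if acct["privileged"] == "yes" and user not in privileged_approvals:
            findings.append((user, "privileged-unapproved"))
    return sorted(findings)


def changes_missing_signoff(changes_csv, required=3):
    """Return ticket ids approved by fewer than `required` distinct people.

    Duplicated names are collapsed, so one person signing twice does not
    count as two levels of signoff.
    """
    lacking = []
    for row in parse_csv(changes_csv):
        approvers = {a.strip() for a in row["approvers"].split(";") if a.strip()}
        if len(approvers) < required:
            lacking.append(row["ticket"])
    return lacking


if __name__ == "__main__":
    for user, finding in access_review(ACCOUNTS_CSV, HR_CSV, PRIV_APPROVALS, REVIEW_DATE):
        print(f"{user:10} {finding}")
    print("tickets lacking three distinct approvals:",
          changes_missing_signoff(CHANGES_CSV))
```

Each finding maps to a control question the slides raise: an active account for a terminated employee, or one absent from the roster, is a provisioning/deprovisioning weakness; a dormant account is an access-review miss; a privileged account without an approval on record is the evidence gap a test of access controls would flag; and a change ticket signed twice by the same person fails the three-level signoff even though it carries three signatures.
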
59
Disaster Recovery
  • Since 9/11/01, this is a very critical business
    process
  • Plan tested completely AT LEAST 2x/year
  • NS uses a mirror facility
  • Quarterly Tests of ALL applications
  • Restore systems to production from backups
  • Exercises range from 12-72 hours

60
DR
  • Determine critical apps, and restore those first
  • ALWAYS want to:
  • Service customers
  • Pay employees
  • Switchover from DR prod to Prod after disaster

61
Business Continuity
  • How will we continue to service the customer
    during a disaster declaration and the switchover
    back to production?
  • Plan B:
  • Rerouting traffic after Katrina
  • Railroads operated for years without IS, but with
    all the rail sharing that occurs nowadays, it
    would be impossible to operate effectively AND
    safely without complex systems.

62
CISA
  • Certified Information Systems Auditor
  • CISA, the Certified Information Systems Auditor
    is ISACA's cornerstone certification. Since 1978,
    the CISA exam has measured excellence in the area
    of IS auditing, control and security. CISA has
    grown to be globally recognized and adopted
    worldwide as a symbol of achievement. The CISA
    certification has been earned by more than 35,000
    professionals since inception.
  • CPA of the IS Audit World

63
CISA
  • Comprehensive test of 7 functional areas
  • Management, Planning and Organization of IS:
    Evaluate the strategy, policies, standards,
    procedures and related practices for the
    management, planning and organization of IS.

64
CISA
  • Technical Infrastructure and Operational
    Practices: Evaluate the effectiveness and
    efficiency of the organization's implementation
    and ongoing management of technical and
    operational infrastructure to ensure that they
    adequately support the organization's business
    objectives.

65
CISA
  • Protection of Information Assets: Evaluate the
    logical, environmental and IT infrastructure
    security to ensure that it satisfies the
    organization's business requirements for
    safeguarding information assets against
    unauthorized use, disclosure, modification,
    damage or loss.

66
CISA
  • Disaster Recovery and Business Continuity: Evaluate
    the process for developing and maintaining
    documented, communicated and tested plans for
    continuity of business operations and IS
    processing in the event of a disruption.

67
CISA
  • Business Application System Development,
    Acquisition, Implementation and Maintenance:
    Evaluate the methodology and
    processes by which the business application
    system development, acquisition, implementation
    and maintenance are undertaken to ensure that
    they meet the organization's business objectives.

68
CISA
  • Business Process Evaluation and Risk
    Management: Evaluate business systems and
    processes to ensure that risks are managed in
    accordance with the organization's business
    objectives.

69
The IS Audit Process
  • Conduct IS audits in accordance with generally
    accepted IS audit standards and guidelines to
    ensure that the organization's information
    technology and business systems are adequately
    controlled, monitored, and assessed.

70
CISA
  • Textbook test
  • Not RWE intensive
  • Can be passed with little knowledge of audit

71
Other Certifications
  • CISSP
  • CISM
  • Any tech certifications are VERY helpful- DBA,
    AD, Novell, SQL
  • Security
  • CIA
  • CFE

72
What is SOX?
73
(No Transcript)
74
Sarbanes Oxley Act- History
  • Accounting profession built on principles and
    standards with strong self governance
  • When self-governance failed - Enron, WorldCom,
    Tyco
  • Huge personal losses, media coverage, public
    outcry
  • Led government to respond with regulation

75
Sarbanes Oxley Act of 2002 (SOX)
  • Public Company Accounting Reform and Investor
    Protection Act
  • Written and signed in Congress
  • 11 Titles (i.e. chapters), multiple sections
    within each
  • Called for creation of the Public Company
    Accounting Oversight Board (PCAOB)
  • Goal: Informative, Fair and Independent Audit
    Reports

76
PCAOB
  • Formed to oversee auditors of public companies
  • Broad investigative and disciplinary authority
  • Issued exposure drafts that detail the
    requirements of SOX
  • Worked with the SEC to finalize requirements

77
Internal Controls
  • Processes designed to provide REASONABLE
    ASSURANCE regarding the achievement of goals in:
  • Financial reporting reliability
  • Operating efficiency and effectiveness
  • Compliance with applicable laws and standards
  • Responsibility of Management

78
SOX Section 404
  • Addresses financial reporting reliability
  • processes and procedures that relate to
    maintenance of accounting records
  • authorization of receipts and disbursements
  • safeguarding of assets

79
404 Requirements
  • Management must assess the effectiveness of the
    company's internal control over financials as of
    the end of the fiscal year
  • NS required to report as of December 31, 2004
  • External auditors attest to management's
    assessment of the company's internal controls.
    This requires them to attest to the design and
    operating effectiveness of the internal controls.

80
Other Sections
  • Section 103 - audit-related records kept for
    seven years
  • Section 201 - firms that audit books can no
    longer perform IT services
  • Section 301 - confidential whistle-blowing:
    audit.nscorp.com and Ethics Hotline (800) 732-9279
  • Section 302 - CEO and CFO quarterly statements
  • Section 409 - rapid and current reporting on
    changes in financial conditions

81
Implications
  • The downhill effect
  • Upper management assertions will be based on
    departmental assertions
  • Departmental assertions will be based on control
    design tests that must be completely documented
  • Internal audit will independently test the
    effectiveness of departmental controls.
  • Therefore audit CANNOT design controls.

82
Results
  • Loads of documentation by departments and IA
  • Regular testing of areas where we've
    traditionally relied upon the controls
  • Increased emphasis on timely audit issue
    resolution
  • SOX compliance means strong internal controls,
    no surprises from external audit reports, and
    happy management

83
IT Areas
  • General controls such as policies and procedures,
    access controls and change control
  • Specific application controls including railroad
    operating systems, feeders to financials and
    accounts closing process
  • Complete transaction tracing
  • System accuracy, efficiency, and availability
  • Records retention

84
Bottom Line
  • Simple, routine actions can impact control
    effectiveness and how we must report
  • With IT spanning the corporation, SOX
    implications are higher than in any other area
  • IT employees often have a higher level of
    authority which holds you to higher standards
  • IT management is firmly dedicated to SOX
    compliance

85
Enough of that
86
(No Transcript)
87
(No Transcript)
88
(No Transcript)
89
(No Transcript)
90
(No Transcript)
91
(No Transcript)
92
(No Transcript)
93
(No Transcript)
94
(No Transcript)
95
(No Transcript)
96
(No Transcript)
97
The End
View by Category
About This Presentation
Title:

Internal Audit Department

Description:

Rich Sanders, CISA Information Systems Auditor Norfolk Southern Corporation Rich.sanders_at_nscorp.com Career The Kroger Co. Information systems technologist Kroger ... – PowerPoint PPT presentation

Number of Views:236
Avg rating:3.0/5.0
Slides: 98
Provided by: Interna7
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Internal Audit Department


1
Rich Sanders, CISA Information Systems
Auditor Norfolk Southern Corporation Rich.sanders_at_
nscorp.com
2
Career
  • The Kroger Co.
  • Information systems technologist
  • Kroger Manufacturing, Stave Avenue Grocery
    Products Plant, Cincinnati, OH
  • 140 user IBM AS/400
  • 300 user Novell Netware
  • Application, hardware, network, software support
  • http//www.kroger.com/careers.htm

3
Career
  • IS Auditor, The Kroger Co.
  • Audits of data centers, food stores, jewelry
    stores, warehouses, manufacturing facilities and
    c-stores
  • Multiplatform audits
  • http//www.kroger.com/careers.htm

4
Career
  • CareFirst BCBS, Owings Mills, MD
  • FEP
  • Medicare/ Medicaid

5
Norfolk Southern Corporation
6
South Carolina Canal and RR Co.- 1827
Best Friend of Charleston The one hundred and
forty-one persons flew on the wings of wind at
the speed of fifteen to twenty-five miles per
hour, annihilating time and space... 6 hp-
14hour trip for 136 miles.
7
GE Evolution Series Engines 4000-4500 HP Top
Speed of 60-70 MPH. Pulls trains totaling
15-20,000 tons.
8
Norfolk Southern Vision
  • Be the safest, most customer-focused and
    successful transportation company in the world

9
Rail Safety 1980- 2004
10
Our Mission
  • Norfolk Southern's mission is to enhance the
    value of our stockholders' investment over time
    by providing quality freight transportation
    services and undertaking any other related
    businesses in which our resources, particularly
    our people, give the company an advantage.

11
  • Headquartered in Norfolk, VA
  • 28,000 employees
  • 4000 non-agreement
  • 24,000 agreement

12
We serve
  • 21,300 route miles
  • 22 Eastern States
  • DC
  • Ontario
  • 20 Ports
  • Connects to rail partners in West and Canada
  • Logistics
  • Intermodal

13
Facilities Served
  • Bulk transfer centers- 188 (10)
  • Coal-loading facilities- 172 (42)
  • Paper distribution centers- 105 (-22)
  • Lumber reload centers-124 (-2)
  • Power generation plants- 139 (15)
  • Major steel mills and processing facilities- 75
    (1)
  • Metals distribution centers-72 (-3)
  • Major paper mills- 60 (8)
  • Intermodal terminals-52
  • Auto distribution facilities-38
  • Auto assembly plants-36
  • Coal and iron ore transload facilities-31 (10)
  • Sea ports-13
  • Triple Crown terminals-14 (2)
  • Lake ports-7
  • Plastics warehouse/distribution centers-7
  • Vehicle mixing centers-4
  • Just-In-Time rail auto parts centers-4

14
Career Paths
  • 8 programs
  • Rail Operations
  • Corporate Setting

15
Transportation
  • As a transportation trainee, youll learn
    railroad operations in preparation to supervise
    conductors and locomotive engineers at a rail
    terminal or a road territory. Youll spend time
    in rail towers, dispatch centers and riding
    trains. Youll learn how we move our customers
    freight and ultimately will become responsible
    for the safe and efficient operations of freight
    trains throughout the system.
  • Typically, these positions are filled by
    engineering, management, logistics or liberal
    arts graduates.

16
Communication and Signals
  • Communications and Signals trainees gain
    experience in all aspects of our CS systems and
    devices, including design, construction,
    maintenance, safety compliance and inspection.
    Youll be working outdoors in a predominately
    field-oriented and highly responsible position.

17
Design and Construction
  • Using your engineering background, your time as a
    Design and Construction trainee will be spent
    working on buildings, Intermodal facilities,
    bridges, tunnels, coal piers and track.

18
Maintenance of Way
  • In this field-oriented concentration, youll be
    preparing for placement as a manager with
    responsibility for various aspects of line
    maintenance or operations. Youll work with a
    division headquarters to learn train and track
    dynamics, track inspection, construction and
    maintenance operations, and much more.
  • Engineering disciplines

19
Mechanical
  • As a mechanical trainee, you'll be developing
    skills related to our extensive fleet of rail
    cars and locomotives.
  • Inspection and repair down to the component level
    and become familiar with the compliance standards
    of NS, the Association of American Railroads and
    the Federal Railroad Administration.

20
Customer Accounts
  • Customer account representatives are an integral
    part of the Norfolk Southern business team. As a
    trainee, you may be responsible for up to 200
    customers and accounts receivable up to 12
    million. Youll continually interact with
    multiple departments, other railroads and
    customers on billing-related issues.
  • BE or LA

21
Information Technology
  • Exposure to the Norfolk Southern data processing
    environment including standards, procedures and
    preferred programming techniques.
  • Client/server, computer operations, mainframe
    applications and PC/LAN.
  • CS, IT, MIS, CE for this program.

22
Marketing
  • As a part of our marketing team, youll be
    working directly with our customers to generate
    and grow partnerships through competitive pricing
    and market development. You will also offer
    support in developing comprehensive market
    analyses and plans.
  • Marketing, international business, economics or
    MBA graduates.

23
Claims
  • Claims trainees are exposed to all aspects of
    railroad operations in preparation for placement
    as claims agents. Members of our claims team
    investigate claims against or by Norfolk Southern
    for personal injury or property damage.
  • Degrees in business administration, psychology,
    risk management, justice administration and law
    enforcement as especially well-suited for these
    positions.

24
Agriculture
  • We currently serve shippers and receivers of
    corn, wheat, soybeans, miscellaneous grains,
    animal and poultry feed, sweeteners, ethanol,
    food oils, flour, beverages, canned goods,
    consumer products, government and miscellaneous
    transportation.
  • Ag works with Intermodal and Modalgistics to
    offer customer most efficient, cost effective
    method to get their goods to market

25
Automotive
Parts and Distribution Centers, as well as
Finished vehicles. Largest rail shipper of
automotive products in North America and 13 of
the last 20 assembly plants to locate in the
eastern United States have chosen Norfolk
Southern to be their serving carrier. Norfolk
Southern has responded to automotive industry
challenges with innovative distribution
methodologies using JIT Rail Centers and Triple
Crown Services RoadRailer technology for auto
parts distribution and the vehicle mixing center
network for vehicle distribution.
26
Chemical
Serving shippers and receivers of Sulfur and
related chemicals Petroleum products Chlorine
and bleaching compounds Plastics Industrial
chemicals Chemical wastes Bulk products
Municipal wastes Other non-hazardous wastes
27
Coal
At Norfolk Southern, coal is our specialty. For
more than 100 years, we have linked an
energy-hungry world with its vital resources. In
that time, we've developed an expertise in
sourcing, blending and moving the highest quality
steam and metallurgical coal in the world. We
haul coal to destinations on our system and to
six river ports and the Great Lakes for water
transport. In addition, export coal off our
system flows through Norfolk, VA, home of the
largest and fastest coal transloading facilities
in the Northern Hemisphere. In Alabama, we
operate a unique delivery system where coal is
hauled over rail in containers.
28
Coal
  • Lamberts Point (Coal and Cargo Docks)- Norfolk
    VA
  • 350 acres, can handle over 6500 full and empty
    open top gondolas

29
Coal (Pocahontas Land Corp)
  • Pocahontas Land Corporation (PLC) and its
    subsidiary, Pocahontas Development Corporation,
    headquartered in Bluefield, WV, own or manage 1
    million acres of natural resource properties in
    Alabama, Illinois, Kentucky, Tennessee, Virginia
    and West Virginia. PLC is a wholly-owned
    subsidiary of Norfolk Southern Corporation.

PLCs Yukon Mine circa 1932
30
Government, Machinery, and Dimensional Shipments
MACH-One Machinery Service provides
performance-driven transportation, combining the
power of Norfolk Southern's scheduled railroad,
enhanced performance and distribution network to
offer you truckload delivery with the economies
of long-haul rail.
31
  • We have three driving goals in our Industrial
    Development efforts
  • Locate rail-served industries along our lines by
    providing plant location services tailored to our
    customer's needs.
  • Aid our existing industries in their expansion
    efforts.
  • Work with our allies to promote economic growth
    in the communities we serve.

32
Intermodal
33
(No Transcript)
34
(No Transcript)
35
(No Transcript)
36
(No Transcript)
37
(No Transcript)
38
Metals and Construction
  • Serving shippers and receivers of Iron and
    steel products
  • Aluminum products
  • Copper products
  • Alumina ores
  • Machinery
  • Scrap metals
  • Scrap substitutes (DRI, HBI, pig iron)
  • Cement
  • Aggregates
  • Bricks
  • Minerals
  • Misc. Construction Materials

39
Modalgistics
  • Modalgistics, a business unit of Norfolk Southern
    Corporation, provides comprehensive supply chain
    solutions by integrating management resources,
    supply chain capabilities, and information
    technology. The company was established to
    utilize, and build upon, the talent of the
    logistics professionals currently working within
    Norfolk Southern Corporation's merchandise
    marketing group. Modalgistics then added several
    industry seasoned supply chain professionals to
    complete the company's logistics offering.

40
Paper, Clay and Forest Products
  • Serving shippers and receivers of Lumber and
    wood products
  • Pulpboard and paper products
  • Wood fiber
  • Woodpulp
  • Scrap paper
  • Clay

41
Real Estate
  • Managing property within our right-of-way (ROW)
    along our 21,600 route miles

42
Short Lines
  • Shortline Marketing's responsibilities are to:
  • Assist our shortline partners in business
    development and revenue growth
  • Ensure an open line of communication between all
    departments in NS and our Class II and III
    connections
  • Offer support and maintain positive relations
    with all Class II and III partners

44
U.S. Railroad workers by age
Out of a total of 232,000 active railway employees,
105,000 (46%) are between the ages of 45 and 54
45
Internal Audit Department
  • Who are we, what do we do for Norfolk Southern?

46
Internal Audit's Role
  • Internal Audit is the independent, objective
    assurance and consulting activity established
    within Norfolk Southern Corporation and designed
    to add value and improve operations.
  • Evaluate and improve the effectiveness of risk
    management, control and governance processes.
  • Quantitative and qualitative analyses,
    appraisals, recommendations, counsel and
    information concerning the activities reviewed.

47
IA's Role (cont.)
  • The vice president, internal audit, reports to the
    Chairman, President and Chief Executive Officer
    and has direct access to the Audit Committee of
    the Board of Directors. Evaluation and
    identification of improvement opportunities
    concerning the:
  • (a) adequacy and effectiveness of Norfolk
    Southern's system of risk management and internal
    control,
  • (b) efficiency and effectiveness of operations,
  • (c) safeguarding of corporate assets, and,
  • (d) the corporation's governance processes.

48
NS IA Vision
  • To be agents of change by assisting departments
    in achieving the corporate vision through quality
    audits and recommendations.

49
Financial Auditing
  • Financial auditing studies the current financial
    position of an operation to evaluate the fair
    presentation of the financial position and
    results of operations as reported in the entity's
    financial statements.
  • Full financial audits of corporate operations and
    subsidiaries are typically performed by external,
    independent auditors.
  • The primary reason for a financial audit is to
    assure readers relying on the financial
    statements that the information contained therein
    is presented fairly in accordance with generally
    accepted accounting principles (GAAP).

50
Operational Auditing
  • Operational auditing is actually an extension or
    enhancement of a financial audit.
  • An operational audit examines why and how those
    results occurred.
  • Review and appraisal of the efficiency and
    effectiveness of operations and operating
    procedures.
  • Operational auditing acts as a management service
    by evaluating the four functions of management
    (1) planning, (2) organizing, (3) directing, and
    (4) controlling.
  • Common reasons for operational audits are
    assessing compliance with corporate policies and
    procedures, evaluating undesirable business
    conditions or results and exploring alternatives
    or opportunities.

51
Investigative
  • Investigative (or fraud) auditing is the
    development of evidence in matters involving
    criminal or other wrongdoings by officers,
    employees, customers, vendors or businesses.

52
IS Auditing
  • Examination of significant aspects of the
    corporation's electronic data processing
    environments, including mainframe, wide area
    networks (WANs), local area networks (LANs), and
    applications.
  • Although the nature of each of these types of
    auditing is relatively unique, the type of audit
    performed on any auditable unit could require a
    combination of any of these types of audits. In
    recent years, internal auditors have increasingly
    assumed roles which include performance of each
    of these types of audits.

53
IS Audit
  • General Controls
  • Best Practices
  • Configuration Management
  • SDLC
  • Process Improvement
  • Disaster Recovery
  • Business Continuity

54
General Controls
  • Adherence to Policy
  • Passwords
  • Administration
  • Control Weakness/ Compensating Controls
  • Evaluation of policy
  • Is it viable?
  • Have requirements changed?
  • Can we rely on the control recommended by the
    policy?

55
Best Practices
  • If not referred to as a policy item, does it make
    sense?
  • Are there compensating controls?
  • Do the compensating controls work?
  • Can we break them?

56
Configuration Management
  • Also known as change control
  • CM looks at the whole process, not just the
    software changes
  • Implementation, testing, user testing, promotions
  • Will the new configuration benefit the customers?

57
SDLC
  • CM for a new system
  • Conception to customer buy-in
  • Does SDLC function?
  • Is it adhered to?

58
Process Improvement
  • Quarterly access review to strengthen internal
    controls
  • Three levels of sign-off on unplanned programming
    changes
  • Document Imaging
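
The quarterly access review named above (and the password and administration
items under General Controls, which SOX 404 testing later treats as access
controls) comes down to a reconciliation: every account on a system is
checked against the HR roster, the approvals on file, and a short list of
duties that must never sit with one person. The script below is an added
example written for this page, not code from Norfolk Southern or from the
presentation. The accounts, roster, approvals, the group names and the
90-day staleness threshold are all constructed assumptions.

```python
"""Quarterly user-access review: reconcile the accounts on a system against
the HR roster and the approved entitlements, and flag what an auditor would
write up.

Added example. All sample data below is constructed; field names, group
names and the 90-day staleness threshold are assumptions.
"""
from datetime import date, timedelta

REVIEW_DATE = date(2005, 6, 30)   # constructed "as of" date for the quarter

# Constructed extract of system accounts: user id, group memberships, last login.
ACCOUNTS = [
    {"user": "jsmith",    "groups": {"AP_CLERK"},                  "last_login": date(2005, 6, 28)},
    {"user": "mjones",    "groups": {"AP_CLERK", "AP_APPROVER"},   "last_login": date(2005, 6, 29)},
    {"user": "rdavis",    "groups": {"DEVELOPER", "PROD_PROMOTE"}, "last_login": date(2005, 6, 30)},
    {"user": "tlee",      "groups": {"PAYROLL"},                   "last_login": date(2005, 5, 20)},
    {"user": "svc_batch", "groups": {"BATCH"},                     "last_login": date(2005, 6, 30)},
    {"user": "kwong",     "groups": {"HR_VIEW"},                   "last_login": date(2004, 12, 1)},
]

# Constructed HR roster (employment status) and access-approval records.
HR_ROSTER = {"jsmith": "active", "mjones": "active", "rdavis": "active",
             "tlee": "terminated", "kwong": "active"}
APPROVED = {"jsmith": {"AP_CLERK"}, "mjones": {"AP_CLERK", "AP_APPROVER"},
            "rdavis": {"DEVELOPER"}, "tlee": {"PAYROLL"},
            "svc_batch": {"BATCH"}, "kwong": {"HR_VIEW"}}

# Segregation-of-duties rules: holding both sets together is a conflict even
# when each membership was individually approved.
SOD_RULES = [
    ({"AP_CLERK"}, {"AP_APPROVER"}),     # enter and approve the same payables
    ({"DEVELOPER"}, {"PROD_PROMOTE"}),   # write code and promote it to production
]


def review_access(accounts, roster, approved, as_of, stale_days=90):
    """Return (user, category, detail) findings for one review cycle."""
    findings = []
    for acct in accounts:
        user, groups = acct["user"], acct["groups"]
        status = roster.get(user)
        if status is None:
            findings.append((user, "orphan", "no HR record; confirm an owner for this account"))
        elif status == "terminated":
            findings.append((user, "terminated", "employee terminated but account still enabled"))
        excess = groups - approved.get(user, set())
        if excess:
            findings.append((user, "unapproved", "membership without approval: " + ", ".join(sorted(excess))))
        if as_of - acct["last_login"] > timedelta(days=stale_days):
            findings.append((user, "stale", f"no login in {stale_days} days"))
        for left, right in SOD_RULES:
            if left <= groups and right <= groups:
                findings.append((user, "sod", "conflicting duties: " + ", ".join(sorted(left | right))))
    return findings


if __name__ == "__main__":
    for user, category, detail in review_access(ACCOUNTS, HR_ROSTER, APPROVED, REVIEW_DATE):
        print(f"{user:10} {category:11} {detail}")
```

Two of the findings are the ones a pure "is it approved?" review misses:
mjones holds two approved groups that together let one person enter and
approve payables, and svc_batch has no HR owner at all. Both are exactly the
kind of item the three-level sign-off on unplanned changes is meant to
prevent from creeping in between reviews.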

59
Disaster Recovery
  • Since 9/11/01, this is a very critical business
    process
  • Plan tested completely AT LEAST 2x/year
  • NS uses a mirror facility
  • Quarterly Tests of ALL applications
  • Restore systems to production from backups
  • Exercises range from 12 to 72 hours

60
DR
  • Determine critical apps, and restore those first
  • ALWAYS want to
  • Service customer
  • Pay employees
  • Switchover from DR production back to primary
    production after the disaster
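
"Determine critical apps, and restore those first" has a catch that a
12-to-72-hour exercise is designed to expose: an application's own restore
time is not its recovery time, because it cannot come up before the systems
it depends on. The script below is an added example for this page, not
Norfolk Southern's DR plan or code from the presentation. The application
names, restore hours, RTOs and dependencies are constructed, and it assumes
one restore team working sequentially.

```python
"""Disaster-recovery restore sequencing: order applications so that each is
restored only after the systems it depends on, most critical first, then
check every application's effective recovery time against its RTO.

Added example. The catalogue of applications, restore hours, RTOs and
dependencies is constructed; a single team restoring sequentially is an
assumption.
"""
import heapq

# Constructed catalogue: name -> (tier, restore_hours, rto_hours, dependencies).
# Tier 1 = needed to service customers and pay employees; higher = less critical.
APPS = {
    "directory":   (1, 2, 4,  []),
    "database":    (1, 4, 8,  ["directory"]),
    "dispatch":    (1, 3, 8,  ["database", "directory"]),
    "payroll":     (1, 2, 12, ["database"]),
    "crew_portal": (2, 1, 24, ["directory", "dispatch"]),
    "reporting":   (3, 6, 72, ["database"]),
}


def restore_order(apps):
    """Kahn's topological sort driven by a priority heap: among applications
    whose dependencies are all restored, take the lowest tier, then the
    shortest RTO. Raises ValueError on an unknown or circular dependency."""
    remaining = {name: len(deps) for name, (_, _, _, deps) in apps.items()}
    dependents = {name: [] for name in apps}
    for name, (_, _, _, deps) in apps.items():
        for dep in deps:
            if dep not in apps:
                raise ValueError(f"{name} depends on unknown system {dep}")
            dependents[dep].append(name)

    ready = [(tier, rto, name) for name, (tier, _, rto, _) in apps.items()
             if remaining[name] == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, _, name = heapq.heappop(ready)
        order.append(name)
        for child in dependents[name]:
            remaining[child] -= 1
            if remaining[child] == 0:
                tier, _, rto, _ = apps[child]
                heapq.heappush(ready, (tier, rto, child))
    if len(order) != len(apps):
        stuck = sorted(n for n in apps if n not in order)
        raise ValueError("circular dependency among: " + ", ".join(stuck))
    return order


def recovery_timeline(apps, order):
    """Elapsed hours at which each application is back, assuming one team
    restores them one after another in the given order.
    Returns name -> (ready_at_hours, rto_hours, meets_rto)."""
    elapsed = 0
    timeline = {}
    for name in order:
        _, hours, rto, _ = apps[name]
        elapsed += hours
        timeline[name] = (elapsed, rto, elapsed <= rto)
    return timeline


if __name__ == "__main__":
    order = restore_order(APPS)
    for name, (ready_at, rto, ok) in recovery_timeline(APPS, order).items():
        print(f"{name:12} up at {ready_at:3}h  RTO {rto:3}h  {'ok' if ok else 'MISSES RTO'}")
```

With these constructed numbers, dispatch restores in three hours on its own
but is back nine hours in, behind the directory and the database, and so
misses its eight-hour RTO. That is the finding a quarterly test of all
applications produces and a tabletop review of individual restore times does
not; the fix is either a shorter dependency chain or a second restore team,
and the choice belongs in the plan before the next exercise.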

61
Business Continuity
  • How will we continue to service the customer
    during a disaster declaration and the switchover
    back to production?
  • Plan B:
  • Rerouting traffic after Katrina
  • Railroads operated for years without IS, but with
    all the rail sharing that occurs nowadays, it
    would be impossible to operate effectively AND
    safely without complex systems.

62
CISA
  • Certified Information Systems Auditor
  • CISA, the Certified Information Systems Auditor
    is ISACA's cornerstone certification. Since 1978,
    the CISA exam has measured excellence in the area
    of IS auditing, control and security. CISA has
    grown to be globally recognized and adopted
    worldwide as a symbol of achievement. The CISA
    certification has been earned by more than 35,000
    professionals since inception.
  • CPA of the IS Audit World

63
CISA
  • Comprehensive test of 7 functional areas
  • Management, Planning and Organization of IS:
    Evaluate the strategy, policies, standards,
    procedures and related practices for the
    management, planning and organization of IS.

64
CISA
  • Technical Infrastructure and Operational
    Practices: Evaluate the effectiveness and
    efficiency of the organization's implementation
    and ongoing management of technical and
    operational infrastructure to ensure that they
    adequately support the organization's business
    objectives.

65
CISA
  • Protection of Information Assets: Evaluate the
    logical, environmental and IT infrastructure
    security to ensure that it satisfies the
    organization's business requirements for
    safeguarding information assets against
    unauthorized use, disclosure, modification,
    damage or loss.

66
CISA
  • Disaster Recovery and Business Continuity:
    Evaluate the process for developing and
    maintaining documented, communicated and tested
    plans for continuity of business operations and
    IS processing in the event of a disruption.

67
CISA
  • Business Application System Development,
    Acquisition, Implementation and Maintenance:
    Evaluate the methodology and processes by which
    the business application system development,
    acquisition, implementation and maintenance are
    undertaken to ensure that they meet the
    organization's business objectives.

68
CISA
  • Business Process Evaluation and Risk Management:
    Evaluate business systems and processes to
    ensure that risks are managed in accordance with
    the organization's business objectives.

69
The IS Audit Process
  • Conduct IS audits in accordance with generally
    accepted IS audit standards and guidelines to
    ensure that the organization's information
    technology and business systems are adequately
    controlled, monitored, and assessed.

70
CISA
  • Textbook test
  • Not RWE intensive
  • Can be passed with little knowledge of audit

71
Other Certifications
  • CISSP
  • CISM
  • Any tech certifications are VERY helpful- DBA,
    AD, Novell, SQL
  • Security
  • CIA
  • CFE

72
What is SOX?
74
Sarbanes Oxley Act- History
  • Accounting profession built on principles and
    standards with strong self governance
  • When self-governance failed (Enron, WorldCom,
    Tyco)
  • Huge personal losses, media coverage, public
    outcry
  • Led government to respond with regulation

75
Sarbanes Oxley Act of 2002 (SOX)
  • Public Company Accounting Reform and Investor
    Protection Act
  • Passed by Congress and signed into law in July
    2002
  • 11 Titles (i.e. chapters), multiple sections
    within each
  • Called for creation of the Public Company
    Accounting Oversight Board (PCAOB)
  • Goal: informative, fair and independent audit
    reports

76
PCAOB
  • Formed to oversee auditors of public companies
  • Broad investigative and disciplinary authority
  • Issued exposure drafts that detail the
    requirements of SOX
  • Worked with the SEC to finalize requirements

77
Internal Controls
  • Processes designed to provide REASONABLE
    ASSURANCE regarding the achievement of goals in
  • Financial reporting reliability
  • Operating efficiency and effectiveness
  • Compliance with applicable laws and standards
  • Responsibility of Management

78
SOX Section 404
  • Addresses financial reporting reliability
  • processes and procedures that relate to
    maintenance of accounting records
  • authorization of receipts and disbursements
  • safeguarding of assets

79
404 Requirements
  • Management must assess the effectiveness of the
    company's internal control over financial
    reporting as of the end of the fiscal year
  • NS required to report as of December 31, 2004
  • External auditors attest to management's
    assessment of the company's internal controls.
    This requires them to attest to the design and
    operating effectiveness of the internal controls.

80
Other Sections
  • Section 103 - audit work papers and related
    records kept for seven years
  • Section 201 - firms that audit the books can no
    longer provide financial information systems
    design and implementation (and other listed
    non-audit) services to the same client
  • Section 301 - confidential whistle-blowing
    audit.nscorp.com and Ethics Hotline (800)732-9279
  • Section 302 - CEO and CFO quarterly statements
  • Section 409 - rapid and current reporting on
    changes in financial conditions

81
Implications
  • The downhill effect
  • Upper management assertions will be based on
    departmental assertions
  • Departmental assertions will be based on control
    design tests that must be completely documented
  • Internal audit will independently test the
    effectiveness of departmental controls.
  • Therefore audit CANNOT design controls.

82
Results
  • Loads of documentation by departments and IA
  • Regular testing of areas where we've
    traditionally relied upon the controls
  • Increased emphasis on timely audit issue
    resolution
  • SOX compliance = strong internal controls = no
    surprises from external audit reports and happy
    management

83
IT Areas
  • General controls such as policies and procedures,
    access controls and change control
  • Specific application controls including railroad
    operating systems, feeders to financials and
    accounts closing process
  • Complete transaction tracing
  • System accuracy, efficiency, and availability
  • Records retention

84
Bottom Line
  • Simple, routine actions can impact control
    effectiveness and how we must report
  • With IT spanning the corporation, SOX
    implications are higher than in any other area
  • IT employees often have a higher level of
    authority which holds you to higher standards
  • IT management is firmly dedicated to SOX
    compliance

85
Enough of that
97
The End