Rich Sanders, CISA Information Systems Auditor Norfolk Southern Corporation [email protected].
Posted 19-Dec-2015 (Documents)
Career: The Kroger Co., Information Systems Technologist
Kroger Manufacturing, Stave Avenue Grocery Products Plant, Cincinnati, OH
140-user IBM AS/400; 300-user Novell NetWare
Application, hardware, network and software support
http://www.kroger.com/careers.htm
Career: IS Auditor, The Kroger Co.
Audits of data centers, food stores, jewelry stores, warehouses, manufacturing facilities and c-stores
Multiplatform audits
http://www.kroger.com/careers.htm
Career: CareFirst BCBS, Owings Mills, MD
FEP, Medicare/Medicaid
Norfolk Southern Corporation
Best Friend of Charleston
"The one hundred and forty-one persons flew on the wings of wind at the speed of fifteen to twenty-five miles per hour, annihilating time and space..."
6 hp; 14-hour trip for 136 miles.
South Carolina Canal and RR Co., 1827
GE Evolution Series Engines
4000-4500 HP; top speed of 60-70 MPH.
Pulls trains totaling 15-20,000 tons.
Norfolk Southern Vision:
Be the safest, most customer-focused and successful transportation company in the world
Rail Safety 1980-2004
[Chart: FRA reportable injuries, 1980-2004; y-axis 0 to 60,000 injuries, x-axis 1980 to 2004 in two-year steps]
Our Mission:
Norfolk Southern's mission is to enhance the value of our stockholders' investment over time by providing quality freight transportation services and undertaking any other related businesses in which our resources, particularly our people, give the company an advantage.
Headquartered in Norfolk, VA
28,000+ employees: 4000 non-agreement, 24,000 agreement
We serve: 21,300 route miles; 22 Eastern states, DC and Ontario; 20 ports; connections to rail partners in the West and Canada; Logistics; Intermodal
Facilities Served:
Bulk transfer centers: 188 (+10)
Coal-loading facilities: 172 (+42)
Paper distribution centers: 105 (-22)
Lumber reload centers: 124 (-2)
Power generation plants: 139 (+15)
Major steel mills and processing facilities: 75 (+1)
Metals distribution centers: 72 (-3)
Major paper mills: 60 (+8)
Intermodal terminals: 52
Auto distribution facilities: 38
Auto assembly plants: 36
Coal and iron ore transload facilities: 31 (+10)
Sea ports: 13
Triple Crown terminals: 14 (+2)
Lake ports: 7
Plastics warehouse/distribution centers: 7
Vehicle mixing centers: 4
Just-In-Time rail auto parts centers: 4
Career Paths: 8 programs
Rail Operations; Corporate Setting
Transportation
As a transportation trainee, you’ll learn railroad operations in preparation to supervise conductors and locomotive engineers at a rail terminal or a road territory. You’ll spend time in rail towers, dispatch centers and riding trains. You’ll learn how we move our customers’ freight and ultimately will become responsible for the safe and efficient operations of freight trains throughout the system.
Typically, these positions are filled by engineering, management, logistics or liberal arts graduates.
Communication and Signals
Communications and Signals trainees gain experience in all aspects of our C&S systems and devices, including design, construction, maintenance, safety compliance and inspection. You’ll be working outdoors in a predominately field-oriented and highly responsible position.
Design and Construction
Using your engineering background, your time as a Design and Construction trainee will be spent working on buildings, Intermodal facilities, bridges, tunnels, coal piers and track.
Maintenance of Way
In this field-oriented concentration, you’ll be preparing for placement as a manager with responsibility for various aspects of line maintenance or operations. You’ll work with a division headquarters to learn train and track dynamics, track inspection, construction and maintenance operations, and much more.
Engineering disciplines
Mechanical
As a mechanical trainee, you'll be developing skills related to our extensive fleet of rail cars and locomotives.
You'll perform inspection and repair down to the component level and become familiar with the compliance standards of NS, the Association of American Railroads and the Federal Railroad Administration.
Customer Accounts
Customer account representatives are an integral part of the Norfolk Southern business team. As a trainee, you may be responsible for up to 200 customers and accounts receivable up to $12 million. You’ll continually interact with multiple departments, other railroads and customers on billing-related issues.
B&E or LA
Information Technology
Exposure to the Norfolk Southern data processing environment, including standards, procedures and preferred programming techniques.
Client/server, computer operations, mainframe applications and PC/LAN.
CS, IT, MIS, CE for this program.
Marketing
As a part of our marketing team, you’ll be working directly with our customers to generate and grow partnerships through competitive pricing and market development. You will also offer support in developing comprehensive market analyses and plans.
Marketing, international business, economics or MBA graduates.
Claims
Claims trainees are exposed to all aspects of railroad operations in preparation for placement as claims agents. Members of our claims team investigate claims against or by Norfolk Southern for personal injury or property damage.
Degrees in business administration, psychology, risk management, justice administration and law enforcement are especially well-suited for these positions.
Agriculture
We currently serve shippers and receivers of corn, wheat, soybeans, miscellaneous grains, animal and poultry feed, sweeteners, ethanol, food oils, flour, beverages, canned goods, consumer products, government and miscellaneous transportation.
Ag works with Intermodal and Modalgistics to offer customers the most efficient, cost-effective method to get their goods to market.
Automotive
Parts and distribution centers, as well as finished vehicles.
Largest rail shipper of automotive products in North America and 13 of the last 20 assembly plants to locate in the eastern United States have chosen Norfolk Southern to be their serving carrier.
Norfolk Southern has responded to automotive industry challenges with innovative distribution methodologies using JIT Rail Centers and Triple Crown Services’ RoadRailer® technology for auto parts distribution and the vehicle mixing center network for vehicle distribution.
Chemical
Serving shippers and receivers of:
Sulfur and related chemicals
Petroleum products
Chlorine and bleaching compounds
Plastics
Industrial chemicals
Chemical wastes
Bulk products
Municipal wastes
Other non-hazardous wastes
Coal
At Norfolk Southern, coal is our specialty. For more than 100 years, we have linked an energy-hungry world with its vital resources. In that time, we've developed an expertise in sourcing, blending and moving the highest quality steam and metallurgical coal in the world. We haul coal to destinations on our system and to six river ports and the Great Lakes for water transport. In addition, export coal off our system flows through Norfolk, VA, home of the largest and fastest coal transloading facilities in the Northern Hemisphere. In Alabama, we operate a unique delivery system where coal is hauled over rail in containers.
Coal: Lambert’s Point (Coal and Cargo Docks), Norfolk, VA
350 acres; can handle over 6500 full and empty open-top gondolas
Coal (Pocahontas Land Corp)
Pocahontas Land Corporation (PLC) and its subsidiary, Pocahontas Development Corporation, headquartered in Bluefield, WV, own or manage 1 million acres of natural resource properties in Alabama, Illinois, Kentucky, Tennessee, Virginia and West Virginia. PLC is a wholly-owned subsidiary of Norfolk Southern Corporation.
PLC’s Yukon Mine circa 1932
Government, Machinery, and Dimensional Shipments
MACH-One Machinery Service provides performance-driven transportation, combining the power of Norfolk Southern's scheduled railroad, enhanced performance and distribution network to offer you truckload delivery with the economies of long-haul rail.
We have three driving goals in our Industrial Development efforts:
Locate rail-served industries along our lines by providing plant location services tailored to our customer's needs.
Aid our existing industries in their expansion efforts.
Work with our allies to promote economic growth in the communities we serve.
Intermodal
Metals and Construction
Serving shippers and receivers of:
Iron and steel products
Aluminum products
Copper products
Alumina ores
Machinery
Scrap metals
Scrap substitutes (DRI, HBI, pig iron)
Cement
Aggregates
Bricks
Minerals
Misc. construction materials
Modalgistics
Modalgistics, a business unit of Norfolk Southern Corporation, provides comprehensive supply chain solutions by integrating management resources, supply chain capabilities, and information technology. The company was established to utilize, and build upon, the talent of the logistics professionals currently working within Norfolk Southern Corporation's merchandise marketing group. Modalgistics then added several industry-seasoned supply chain professionals to complete the company's logistics offering.
Paper, Clay and Forest Products
Serving shippers and receivers of:
Lumber and wood products
Pulpboard and paper products
Wood fiber
Woodpulp
Scrap paper
Clay
Real Estate
Managing property within our ROW along our 21,600 route miles
Short Lines
Shortline Marketing responsibilities are to:
Assist our shortline partners in business development and revenue growth
Ensure an open line of communication between all departments in NS and our Class II & III connections
Offer support and maintain positive relations with all Class II & III partners
U.S. Railroad workers by age
[Chart: number of employees (in thousands), 0 to 60, by age group: 24 and under, 25-29, 30-34, 35-39, 40-44, 45-49, 50-54, 55-59, 60-64, 65+]
Out of a total 232,000 active railway employees, 105,000, or 46%, are between the ages of 45 – 54.
Internal Audit Department
Who are we, what do we do for Norfolk Southern?
Internal Audit’s Role
Internal Audit is the independent, objective assurance and consulting activity established within Norfolk Southern Corporation and designed to add value and improve operations.
Evaluate and improve the effectiveness of risk management, control and governance processes.
Quantitative and qualitative analyses, appraisals, recommendations, counsel and information concerning the activities reviewed.
IA’s Role (cont.)
The vice president internal audit reports to the Chairman, President and Chief Executive Officer and has direct access to the Audit Committee of the Board of Directors.
Evaluation and identification of improvement opportunities concerning the (a) adequacy and effectiveness of Norfolk Southern’s system of risk management and internal control, (b) efficiency and effectiveness of operations, (c) safeguarding of corporate assets, and (d) the corporation’s governance processes.
NS IA Vision
To be agents of change by assisting departments in achieving the corporate vision through quality audits and recommendations.
Financial Auditing
Financial auditing studies the current financial position of an operation to evaluate the fair presentation of the financial position and results of operations as reported in the entity's financial statements.
Full financial audits of corporate operations and subsidiaries are typically performed by external, independent auditors.
The primary reason for a financial audit is to assure readers relying on the financial statements that the information contained therein is presented fairly in accordance with generally accepted accounting principles (GAAP).
Operational Auditing
Operational auditing is actually an extension or enhancement of a financial audit. An operational audit examines why and how those results occurred.
Review and appraisal of the efficiency and effectiveness of operations and operating procedures.
Operational auditing acts as a management service by evaluating the four functions of management: (1) planning, (2) organizing, (3) directing, and (4) controlling.
Common reasons for operational audits are assessing compliance with corporate policies and procedures, evaluating undesirable business conditions or results and exploring alternatives or opportunities.
Investigative
Investigative (or fraud) auditing is the development of evidence in matters involving criminal or other wrongdoings by officers, employees, customers, vendors or businesses.
IS Auditing
Examination of significant aspects of the corporation's electronic data processing environments, including mainframe, wide area networks (WANs), local area networks (LANs), and applications.
Although the nature of each of these types of auditing is relatively unique, the type of audit performed on any auditable unit could require a combination of any of these types of audits. In recent years, internal auditors have increasingly assumed roles which include performance of each of these types of audits.
IS Audit
General Controls
Best Practices
Configuration Management
SDLC
Process Improvement
Disaster Recovery
Business Continuity
General Controls
Adherence to policy
Passwords, administration
Control weakness / compensating controls
Evaluation of policy: Is it viable? Have requirements changed? Can we rely on the control recommended by the policy?
Best Practices
If not referred to as a policy item, does it make sense?
Are there compensating controls?
Do the compensating controls work?
Can we break them?
Configuration Management (AKA change control)
CM looks at the whole process, not just the software changes: implementation, testing, user testing, promotions
Will the new configuration benefit the customers?
SDLC
CM for a new system: conception to customer buy-in
Does SDLC function? Is it adhered to?
Process Improvement
Quarterly access review to strengthen internal controls
Three levels of signoff on Unplanned programming changes
Document Imaging
Disaster Recovery
Since 9/11/01, this is a very critical business process
Plan tested completely AT LEAST 2x/year
NS uses a mirror facility
Quarterly tests of ALL applications
Restore systems to production from backups
Exercises range from 12-72 hours
DR
Determine critical apps, and restore those first
ALWAYS want to: service customers, pay employees
Switchover from DR prod to Prod after disaster
Business Continuity
How will we continue to service the customer during a disaster declaration and the switchover back to production?
PLAN ‘B’: rerouting traffic after Katrina
Railroads operated for years without IS, but with all the rail sharing that occurs nowadays, it would be impossible to operate effectively AND safely without complex systems.
CISA: Certified Information Systems Auditor
CISA, the Certified Information Systems Auditor is ISACA's cornerstone certification. Since 1978, the CISA exam has measured excellence in the area of IS auditing, control and security. CISA has grown to be globally recognized and adopted worldwide as a symbol of achievement. The CISA certification has been earned by more than 35,000 professionals since inception.
CPA of the IS Audit World
CISA
Comprehensive test of 7 functional areas:
Management, Planning and Organization of IS—Evaluate the strategy, policies, standards, procedures and related practices for the management, planning and organization of IS.
CISA
Technical Infrastructure and Operational Practices—Evaluate the effectiveness and efficiency of the organization's implementation and ongoing management of technical and operational infrastructure to ensure that they adequately support the organization's business objectives.
CISA
Protection of Information Assets—Evaluate the logical, environmental and IT infrastructure security to ensure that it satisfies the organization's business requirements for safeguarding information assets against unauthorized use, disclosure, modification, damage or loss.
CISA
Disaster Recovery and Business Continuity—Evaluate the process for developing and maintaining documented, communicated and tested plans for continuity of business operations and IS processing in the event of a disruption.
CISA
Business Application System Development, Acquisition, Implementation and Maintenance—Evaluate the methodology and processes by which the business application system development, acquisition, implementation and maintenance are undertaken to ensure that they meet the organization's business objectives.
CISA
Business Process Evaluation and Risk Management—Evaluate business systems and processes to ensure that risks are managed in accordance with the organization's business objectives.
The IS Audit Process
Conduct IS audits in accordance with generally accepted IS audit standards and guidelines to ensure that the organization's information technology and business systems are adequately controlled, monitored, and assessed.
CISA: The Exam
- Textbook test
- Not real-world-experience (RWE) intensive
- Can be passed with little knowledge of audit
Other Certifications
- CISSP
- CISM
- Any tech certifications are VERY helpful: DBA, AD, Novell, SQL
- Security+
- CIA
- CFE
What is SOX?
Sarbanes-Oxley Act: History
- Accounting profession built on principles and standards with strong self-governance
- When self-governance failed: Enron, WorldCom, Tyco, …
- Huge personal losses, media coverage, public outcry
- Led government to respond with regulation
Sarbanes-Oxley Act of 2002 (SOX)
- Also titled the Public Company Accounting Reform and Investor Protection Act
- Passed by Congress and signed into law on July 30, 2002
- 11 Titles (i.e. chapters), multiple sections within each
- Called for creation of the Public Company Accounting Oversight Board (PCAOB)
- Goal: informative, fair and independent audit reports
PCAOB
- Formed to oversee the auditors of public companies
- Broad investigative and disciplinary authority
- Issued exposure drafts that detail the requirements of SOX
- Worked with the SEC to finalize requirements
Internal Controls
- Processes designed to provide REASONABLE ASSURANCE regarding the achievement of goals in:
  - Financial reporting reliability
  - Operating efficiency and effectiveness
  - Compliance with applicable laws and standards
- Responsibility of Management
SOX Section 404
- Addresses financial reporting reliability: the processes and procedures that relate to
  - maintenance of accounting records
  - authorization of receipts and disbursements
  - safeguarding of assets
404 Requirements
- Management must assess the effectiveness of the company's internal control over financial reporting as of the end of the fiscal year
- NS required to report as of December 31, 2004
- External auditors attest to management's assessment of the company's internal controls; this requires them to attest to both the design and the operating effectiveness of those controls
Other Sections
- Section 103: audit work papers and related records kept for seven years
- Section 201: firms that audit a company's books can no longer provide it certain non-audit services, including financial information systems design and implementation
- Section 301: confidential whistle-blowing channel (audit.nscorp.com and Ethics Hotline (800)732-9279)
- Section 302: CEO and CFO must personally certify quarterly and annual reports
- Section 409: "rapid and current" reporting of material changes in financial condition
Implications: the "downhill" effect
- Upper management assertions will be based on departmental assertions
- Departmental assertions will be based on control design tests that must be completely documented
- Internal audit will independently test the effectiveness of departmental controls
- Therefore audit CANNOT design controls: it cannot independently test a control it designed itself
Results
- Loads of documentation by departments and Internal Audit (IA)
- Regular testing of areas where we've traditionally relied upon the controls
- Increased emphasis on timely audit issue resolution
- SOX compliance + strong internal controls = no surprises from external audit reports and happy management
IT Areas
- General controls such as policies and procedures, access controls and change control
- Specific application controls, including railroad operating systems, feeders to financials and the accounts closing process
- Complete transaction tracing
- System accuracy, efficiency and availability
- Records retention
Bottom Line
- Simple, routine actions can impact control effectiveness and how we must report
- With IT spanning the corporation, SOX implications are higher than in any other area
- IT employees often have a higher level of authority, which holds you to higher standards
- IT management is firmly dedicated to SOX compliance
Enough of that…
The End