Internal Audit Department

1
Rich Sanders, CISA Information Systems
Auditor Norfolk Southern Corporation Rich.sanders_at_
nscorp.com
2
About me

• WVU MIS 1999
• Minor in Communications

3
Career

• The Kroger Co.
• Information systems technologist
• June- December 2000
• Kroger Manufacturing, Stave Avenue Grocery
  Products Plant, Cincinnati, OH
• 140 user IBM AS/400
• 300 user Novell Netware
• Application, hardware, network, software support
• http//www.kroger.com/careers.htm

4
Career

• IS Auditor, The Kroger Co.
• Jan 01- June 2003
• Audits of data centers, food stores, jewelry
  stores, warehouses, manufacturing facilities and
  c-stores
• Multiplatform audits
• http//www.kroger.com/careers.htm

5
Career

• Sr. IS Auditor June 03-Aug 04
• CareFirst BCBS, Owings Mills, MD
• FEP
• Medicare
• CM
• Oracle Financials

6
Norfolk Southern Corporation
7
Our Vision

• Be the safest, most customer-focused and
  successful transportation company in the world

8
Our Mission

• Norfolk Southern's mission is to enhance the
  value of our stockholders' investment over time
  by providing quality freight transportation
  services and undertaking any other related
  businesses in which our resources, particularly
  our people, give the company an advantage.

9

• Headquartered in Norfolk, VA
• 28,000 employees
• 4000 non-agreement
• 24,000 agreement

10
We serve

• 21,600 route miles
• 22 Eastern States
• DC
• Ontario
• 20 Ports
• Connects to rail partners in West and Canada
• Logistics
• Intermodal

11
Facilities Served

• Bulk transfer centers-178
• Coal-loading facilities-130
• Paper distribution centers-127
• Lumber reload centers-126
• Power generation plants-124
• Major steel mills and processing facilities-74
• Metals distribution centers-75
• Major paper mills-52
• Intermodal terminals-52
• Auto distribution facilities-38
• Auto assembly plants-36
• Coal and iron ore transload facilities-21
• Sea ports-13
• Triple Crown terminals-12
• Lake ports-7
• Plastics warehouse/distribution centers-7
• Vehicle mixing centers-4
• Just-In-Time rail auto parts centers-4

12
The Thoroughbred of Transportation
Result of numerous mergers since 1838 (over 42
railroads) Most recent merger was Conrail-
1999. Gained largest share of NYC/ Northeast
market after this acquisition
13
What do we do?

• Agriculture
• Automotive
• Chemicals
• Coal
• Industrial Development
• Intermodal
• Metals Construction
• Modalgistics
• Paper, Clay, Forest
• Real Estate
• Shortline
• Distribution Network

14
Agriculture

• We currently serve shippers and receivers of
  corn, wheat, soybeans, miscellaneous grains,
  animal and poultry feed, sweeteners, ethanol,
  food oils, flour, beverages, canned goods,
  consumer products, government and miscellaneous
  transportation.
• Ag works with Intermodal and Modalgistics to
  offer customer most efficient, cost effective
  method to get their goods to market

15
Automotive
Norfolk Southern (NS) serves automotive
manufacturers and vehicle parts suppliers by
transporting vehicle parts to assembly plants and
after market distribution centers as well as
delivering finished vehicles to market. Norfolk
Southern is the largest rail shipper of
automotive products in North America and 13 of
the last 20 assembly plants to locate in the
eastern United States have chosen Norfolk
Southern to be their serving carrier. NS serves
36 U.S. auto assembly plants, 38 auto
distribution terminals, 4 Just-In-Time (JIT) Rail
Centers, and 4 vehicle mixing centers
strategically positioned across its network.
Norfolk Southern has responded to automotive
industry challenges with innovative distribution
methodologies using JIT Rail Centers and Triple
Crown Services RoadRailer technology for auto
parts distribution and the vehicle mixing center
network for vehicle distribution.
16
Chemical
Serving shippers and receivers of Sulfur and
related chemicals Petroleum products Chlorine
and bleaching compounds Plastics Industrial
chemicals Chemical wastes Bulk products
Municipal wastes Other non-hazardous wastes
17
Coal
At Norfolk Southern, coal is our specialty. For
more than 100 years, we have linked an
energy-hungry world with its vital resources. In
that time, we've developed an expertise in
sourcing, blending and moving the highest quality
steam and metallurgical coal in the world. We
haul coal to destinations on our system and to
six river ports and the Great Lakes for water
transport. In addition, export coal off our
system flows through Norfolk, VA, home of the
largest and fastest coal transloading facilities
in the Northern Hemisphere. In Alabama, we
operate a unique delivery system where coal is
hauled over rail in containers.
18
Coal

• Lamberts Point (Coal and Cargo Docks)- Norfolk
  VA
• 350 acres, can handle over 6500 full and empty
  open top gondolas

19
Coal (Pocahontas Land Corp)

• Pocahontas Land Corporation (PLC) and its
  subsidiary, Pocahontas Development Corporation,
  headquartered in Bluefield, WV, own or manage 1
  million acres of natural resource properties in
  Alabama, Illinois, Kentucky, Tennessee, Virginia
  and West Virginia. PLC is a wholly-owned
  subsidiary of Norfolk Southern Corporation.

PLCs Yukon Mine circa 1932
20

• We have three driving goals in our Industrial
  Development efforts
• Locate rail-served industries along our lines by
  providing plant location services tailored to our
  customer's needs.
• Aid our existing industries in their expansion
  efforts.
• Work with our allies to promote economic growth
  in the communities we serve.

21
Intermodal
22
What is INTERMODAL????

• Using two or more transportation methods
• NS is the industry leader in this area
• Exclusive owner of RoadRailer trailer Technology
• Patent owner

23
Competitions technology
Average to rail time of 16 minutes per trailer
24
THOROUGHBRED TECHNOLOGY
Average to rail time of 3.5 minutes per trailer
25
RoadRailer Trailer

• The RoadRailer trailer can go anywhere and do
  anything a conventional trailer can do, plus it
  has the self-contained capability of riding
  directly on the rail.
• The RoadRailer trailer is uniquely equipped with
  independent air-ride running gear for both
  highway and rail travel.  The dual mode air
  suspension system not only facilitates transfer,
  but also provides maximum cargo protection by
  providing air-ride cushioning both on the highway
  and on the rail.
• Slack-free couplers greatly reduce both the
  chance of cargo damage and the need for
  additional blocking and bracing.

26
(No Transcript)
27
(No Transcript)
28
(No Transcript)
29
(No Transcript)
30
(No Transcript)
31
Metals and Construction

• Serving shippers and receivers of Iron and
  steel products
• Aluminum products
• Copper products
• Alumina ores
• Machinery
• Scrap metals
• Scrap Substitutes (DRI,HBI,Pigiron)
• Cement
• Aggregates
• Bricks
• Minerals
• Misc. Construction Materials

32
Modalgistics

• Modalgistics, a business unit of Norfolk Southern
  Corporation, provides comprehensive supply chain
  solutions by integrating management resources,
  supply chain capabilities, and information
  technology. The company was established to
  utilize, and build upon, the talent of the
  logistics professionals currently working within
  Norfolk Southern Corporation's merchandise
  marketing group. Modalgistics then added several
  industry seasoned supply chain professionals to
  complete the company's logistics offering

33
Paper, Clay and Forest Products

• Serving shippers and receivers of Lumber and
  wood products
• Pulpboard and paper products
• Wood fiber
• Woodpulp
• Scrap paper
• Clay

34
Real Estate

• Managing Property within our ROW along our 21,600
  route miles

35
Short Lines

• Shortline Marketing responsibilities are to
• Assist our shortline partners in business
  development and revenue growth
• Insure an open line of communication between all
  departments in NS and our Class II III
  connections
• Offer support and maintain positive relations
  with all Class II III partners

36
(No Transcript)
37
Internal Audit Department

• Who are we, what we do for Norfolk Southern?

38
IS Audit

• General Controls
• Best Practices
• Configuration Management
• SDLC
• Process Improvement
• Disaster Recovery
• Business Continuity

39
General Controls

• Adherence to Policy
• Passwords
• Administration
• Control Weakness/ Compensating Controls
• Evaluation of policy
• Is it viable?
• Have requirements changed?
• Can we rely on the control recommended by the
  policy?

40
Best Practices

• If not referred to as a policy item, does it make
  sense?
• Are there compensating controls?
• Do the compensating controls work?
• Can we break them?

41
Configuration Management

• AKA- change control
• CM looks at the whole process, not just the
  software changes
• Implementation, testing, user testing, promotions
• Will the new configuration benefit the customers?

42
SDLC

• CM for a new system
• Conception to customer buy-in
• Does SDLC function?
• Is it adhered to?

43
Process Improvement

• How can we serve the customer better?
• RoadRailer
• Helps alleviate 18 wheeler traffic
• Eases burden on over crowded roadways

44
Disaster Recovery

• Since 9/11/01, this is a very critical business
  process
• Plan tested completely AT LEAST 2x/year
• NS uses a mirror facility
• Restore systems to production from backups
• Exercises range from 12-72 hour

45
DR

• Determine critical apps, and restore those first
• ALWAYS want to
• Service customer
• Pay employees
• Switchover from DR prod to Prod after disaster

46
Business Continuity

• How will we continue to service the customer
  during a disaster declaration and the switchover
  back to production?
• PLAN B
• Railroads operated for years without IS, but with
  all the rail sharing that occurs nowadays, it
  would be impossible

47
CISA

• Certified Information Systems Auditor
• CISA, the Certified Information Systems Auditor
  is ISACA's cornerstone certification. Since 1978,
  the CISA exam has measured excellence in the area
  of IS auditing, control and security. CISA has
  grown to be globally recognized and adopted
  worldwide as a symbol of achievement. The CISA
  certification has been earned by more than 35,000
  professionals since inception.
• CPA of the IS Audit World

48
CISA

• Comprehensive test of 7 functional areas
• Management, Planning and Organization of
  ISEvaluate the strategy, policies, standards,
  procedures and related practices for the
  management, planning and organization of IS.

49
CISA

• Technical Infrastructure and Operational
  PracticesEvaluate the effectiveness and
  efficiency of the organization's implementation
  and ongoing management of technical and
  operational infrastructure to ensure that they
  adequately support the organization's business
  objectives.

50
CISA

• Protection of Information AssetsEvaluate the
  logical, environmental and IT infrastructure
  security to ensure that it satisfies the
  organization's business requirements for
  safeguarding information assets against
  unauthorized use, disclosure, modification,
  damage or loss.

51
CISA

• Disaster Recovery and Business ContinuityEvaluate
  the process for developing and maintaining
  documented, communicated and tested plans for
  continuity of business operations and IS
  processing in the event of a disruption.

52
CISA

• Business Application System Development,
  Acquisition, Implementation and
  MaintenanceEvaluate the methodology and
  processes by which the business application
  system development, acquisition, implementation
  and maintenance are undertaken to ensure that
  they meet the organization's business objectives.

53
CISA

• Business Process Evaluation and Risk
  ManagementEvaluate business systems and
  processes to ensure that risks are managed in
  accordance with the organization's business
  objectives.

54
CISA

• Textbook test
• Not RWE intensive
• Can be passed with little knowledge of audit

55
Other Certifications

• CISSP
• CISM
• Any tech certifications
• CIA
• CFE

56
Resources

• www.isaca.org
• www.auditnet.org
• www.theiia.org