Page 394 - Board Member Onboardin August 2019
ADMINISTRATION: FINANCE & ACCOUNTING
Control Characteristics

Columns: Business Process Category | BP ID | Business Process Name | CSCS Business Unit | Primary Risk(s) | Secondary Risk(s) | Control Activity(ies) | Control Frequency (continuous, daily, monthly, periodic) | Control Nature | Primary 1-Critical Control (P1) / Primary 2-Significant Control (P2) / Secondary (S) | Evidence of Control

BP 50: New Vendor Setup & Maintenance
Business Process Category: Accounts Payable Controls / Processes
CSCS Business Unit: Administration
Primary Risk(s): R11-Fraudulent activities which are subject of public scrutiny and investigation; R19-Inaccurate information and data
Secondary Risk(s): R9
Control Activity(ies):
- C32 & C25-Segregation of duties and other control by third party (InfoSync)
- No one at CSCS has access to enter vendors into the vendor master file. CSCS Sr. Manager, Finance & Accounting, periodically reviews the vendor master for validity. New vendor set up and maintenance is approved by CSCS through the invoice approval process.
- Weekly approval process sent by InfoSync to CSCS
Control Frequency: Periodic
Control Nature: Preventive
P1 / P2 / S: P2
Evidence of Control:
- Approved Invoice Report
- Annual audit by independent third parties (risk document - see name / Annual audit report)

BP 51: Invoice Entry
Business Process Category: Accounts Payable Controls / Processes
CSCS Business Unit: Administration
Primary Risk(s): R11-Fraudulent activities which are subject of public scrutiny and investigation; R19-Inaccurate information and data
Secondary Risk(s): R9
Control Activity(ies):
- C32 & C25-Segregation of duties and other control by third party (InfoSync)
- C38-Continuous review and control from CSCS
- Monthly reporting process by InfoSync to CSCS
Control Frequency: Continuous
Control Nature: Preventive
P1 / P2 / S: P1
Evidence of Control:
- Approved Invoice Report
- Annual audit by independent third parties

BP 52: Invoice Payment
Business Process Category: Accounts Payable Controls / Processes
CSCS Business Unit: Administration
Primary Risk(s): R11-Fraudulent activities which are subject of public scrutiny and investigation; R19-Inaccurate information and data
Secondary Risk(s): R9
Control Activity(ies):
- C32 & C25-Segregation of duties and other control by third party (InfoSync)
- C38-Continuous review and control from CSCS
- Monthly reporting process by InfoSync to CSCS
Control Frequency: Continuous
Control Nature: Preventive
P1 / P2 / S: P1
Evidence of Control:
- Approved check register
- Annual audit by independent third parties

BP 53: Corporate Expense Card Payment
Business Process Category: Accounts Payable Controls / Processes
CSCS Business Unit: Administration
Primary Risk(s): R11-Fraudulent activities which are subject of public scrutiny and investigation; R19-Inaccurate information and data
Secondary Risk(s): R9
Control Activity(ies):
- C32 & C25-Segregation of duties and other control by third party (InfoSync)
- C38-Continuous review and control from CSCS
- Monthly reporting process by InfoSync to CSCS
Control Frequency: Continuous
Control Nature: Preventive
P1 / P2 / S: P1
Evidence of Control:
- Review and approval of original receipt
- Approved check register

BP 54: Expense Report Payment
Business Process Category: Accounts Payable Controls / Processes
CSCS Business Unit: Administration
Primary Risk(s): R11-Fraudulent activities which are subject of public scrutiny and investigation; R19-Inaccurate information and data
Secondary Risk(s): R9
Control Activity(ies):
- C32 & C25-Segregation of duties and other control by third party (InfoSync)
- C38-Continuous review and control from CSCS
- Monthly reporting process by InfoSync to CSCS
Control Frequency: Continuous
Control Nature: Preventive
P1 / P2 / S: P1
Evidence of Control:
- Approved check register
- Annual audit by independent third parties

BP 55 (A): Sourcing Fee Invoices (for Dry Mix)
CSCS Business Unit: Administration
Primary Risk(s): R11-Fraudulent activities which are subject of public scrutiny and investigation; R19-Inaccurate information and data; R18-2-Monetary loss
Secondary Risk(s): R9
Control Activity(ies):
- C32 & C25-Segregation of duties and other control by third party (InfoSync)
- C38-Continuous review and control from CSCS
- Monthly reporting process by InfoSync to CSCS
Control Frequency: Continuous
Control Nature: Preventive
P1 / P2 / S: P1
Evidence of Control:
- Biweekly Sourcing Fee Invoice Report
- Annual audit by independent third parties

BP 55 (B): Sourcing Fee Invoices (for Other Products)
CSCS Business Unit: Administration
Primary Risk(s): R11-Fraudulent activities which are subject of public scrutiny and investigation; R19-Inaccurate information and data; R18-2-Monetary loss
Secondary Risk(s): R9
Control Activity(ies):
- C32 & C25-Segregation of duties and other control by third party (InfoSync)
- C38-Continuous review and control from CSCS
- Monthly reporting process by InfoSync to CSCS
Control Frequency: Continuous
Control Nature: Preventive
P1 / P2 / S: P1
Evidence of Control:
- Vendor PO Reports and Reconciliation
- Annual audit by independent third parties

BP 56: Price Variance Analysis Invoices
CSCS Business Unit: Administration
Primary Risk(s): R11-Fraudulent activities which are subject of public scrutiny and investigation; R19-Inaccurate information and data
Secondary Risk(s): R9
Control Activity(ies):
- C32 & C25-Segregation of duties and other control by third party (InfoSync)
- C38-Continuous review and control from CSCS
- Monthly reporting process by InfoSync to CSCS
Control Frequency: Continuous
Control Nature: Preventive
P1 / P2 / S: P1
Evidence of Control:
- Periodic Price Variance Invoice Report

BP 57: Membership Fees
Business Process Category: Accounts Receivable Controls / Processes
CSCS Business Unit: Administration
Primary Risk(s): R19-Inaccurate information and data
Secondary Risk(s): R9
Control Activity(ies):
- C32 & C25-Segregation of duties and other control by third party (InfoSync)
- C38-Continuous review and control from CSCS
- Monthly reporting process by InfoSync to CSCS
- C40-Annual audit by third party
Control Frequency: Continuous
Control Nature: Preventive
P1 / P2 / S: P1
Evidence of Control:
- Quarterly Membership Reconciliation
- Balance Sheet Details
- Annual audit by independent third parties

BP 58: Patronage Calculations/ Disbursement
Business Process Category: Accounts Receivable Controls / Processes
CSCS Business Unit: Administration
Primary Risk(s): R19-Inaccurate information and data
Secondary Risk(s): R9, R11, R18
Control Activity(ies):
- C32 & C25-Segregation of duties and other control by third party (InfoSync)
- C24-Utilizing dual signoff on cash disbursements
- C38-Continuous review and control from CSCS
- Monthly reporting process by InfoSync to CSCS
- C40-Annual audit by third party
Control Frequency: Continuous
Control Nature: Preventive
P1 / P2 / S: P1
Evidence of Control:
- Patronage Spreadsheet
- Annual audit by independent third parties

BP 59: IHOP and Applebee’s Franchisee Conference Invoices
Business Process Category: Accounts Receivable Controls / Processes
CSCS Business Unit: Administration
Primary Risk(s): R22-Leak of confidential information
Secondary Risk(s): R9, R11
Control Activity(ies):
- C32 & C25-Segregation of duties and other control by third party (InfoSync)
- C38-Continuous review and control from CSCS
- Monthly reporting process by InfoSync to CSCS
Control Frequency: Continuous
Control Nature: Preventive
P1 / P2 / S: P1
Evidence of Control:
- Reconciliation Spreadsheet showing committed vs. received

BP 60 (A): Payroll; BP 60 (B): 401(k) Accounts; BP 60 (C): Health Savings Accounts
Business Process Category: Payroll and Benefits Controls / Processes
CSCS Business Unit: Administration
Primary Risk(s): R18-2-Monetary loss; R11-Fraudulent activities which are subject of public scrutiny and investigation
Secondary Risk(s): R9, R22
Control Activity(ies):
- C32 & C25-Segregation of duties and other control by third party (InfoSync)
- C38-Continuous review and control from CSCS
- Monthly reporting process by InfoSync to CSCS
- C40-Annual audit by third party
Control Frequency: Continuous
Control Nature: Preventive
P1 / P2 / S: P1
Evidence of Control:
- BP 60 (A) Payroll: Personal Folders documenting any change in compensation
- BP 60 (B) 401(k) Accounts: 401(k) Election spreadsheet by Associate; 401(k) deduction spreadsheet every payroll from InfoSync; Contribution detail report from plan administrators; Form 5500-SF [Annual 401(k) audit done by Tax Favored Benefits]
- BP 60 (C) Health Savings Accounts: Election spreadsheet by Associate; Deduction spreadsheet from InfoSync every payroll

BP 65: Business Insurance; Corporate Taxes
Business Process Category: Other Administration Processes
CSCS Business Unit: Administration
Primary Risk(s): R10-Penalty for non-compliance with regulatory requirements; R18-2-Monetary loss; R11-Fraudulent activities which are subject of public scrutiny and investigation
Secondary Risk(s): R9
Control Activity(ies):
- C32-Segregation of duties - tax returns are prepared by third party and signed by CAO. Third party insurance agent is notified if premiums are not paid and they would, in turn, notify CAO.
- C40-Annual audit by third party
Control Frequency: Periodic
Control Nature: Preventive
P1 / P2 / S: P1
Evidence of Control:
- Independent third parties provide services and segregation of duties

ADMINISTRATION: HUMAN RESOURCES
Control Characteristics

Columns: Business Process Category | BP ID | Business Process Name | CSCS Business Unit | Primary Risk(s) | Secondary Risk(s) | Control Activity(ies) | Control Frequency (continuous, daily, monthly, periodic) | Control Nature | Primary 1-Critical Control (P1) / Primary 2-Significant Control (P2) / Secondary (S) | Evidence of Control

BP 70: Hiring New Associate; Terminating Associate; Managing Existing Associate's Performance
Business Process Category: Managing Human Resources
CSCS Business Unit: Administration
Primary Risk(s): R22-Leak of confidential information; R10-Penalty for non-compliance with regulatory requirements; R6-Unproductive use of human resources or data resources
Secondary Risk(s): R9, R11, R18-2
Control Activity(ies):
- C30-CSCS Associate Handbook - CSCS human resource policies and procedures that detail all aspects of employment at CSCS, and is provided to Associate upon hire (and when revised). Signature by Associate acknowledging policies and procedures is required.
- C29-Code of Conduct
- C27-Confidentiality Agreement
- C28-IT Management Policy
- C22-Effectively allocating human resources and data resources through Strategic Planning Process
- C21-Effectively allocating human resources through Key Performance Index with specific organizational, departmental, and individual goals.
Control Frequency and P1 / P2 / S:
- Hiring New Associate: Periodic, P1
- Terminating Associate: Periodic, P1
- Managing Existing Associate's Performance: Periodic, P2
Control Nature: Preventive
Evidence of Control:
- CSCS Associate Handbook
- Code of Conduct
- Antitrust Compliance
- Confidentiality Agreement
- IT Management Policy
- Personnel folders
- Documents from Strategic Planning Process
- Key Performance Indicators (KPIs) for each Associate
- Federal/State Law Postings

BP 75: Personnel Files and Related HR Data
Business Process Category: HR Data Management
CSCS Business Unit: Administration
Primary Risk(s): R22-Leak of confidential information; R21-Loss of data
Secondary Risk(s): R9, R11
Control Activity(ies):
- C33 (A)-All hard copy personnel files are stored in a locked file cabinet in the office of the Controller.
- C33 (B)-HR related information is also stored electronically on the Ultipro application with password protection and restricted access.
- HR related forms, company policies and handbooks are available to Associates on the CSCS secured Associate intranet.
Control Frequency: Continuous
Control Nature: Preventive
P1 / P2 / S: P1
Evidence of Control:
- Confidential data are protected physically and electronically (locked cabinet and People Manager)
- User name and password are required to access the Associate intranet

ADMINISTRATION: ASSETS & SYSTEMS
Control Characteristics

Columns: Business Process Category | BP ID | Business Process Name | CSCS Business Unit | Primary Risk(s) | Secondary Risk(s) | Control Activity(ies) | Control Frequency (continuous, daily, monthly, periodic) | Control Nature | Primary 1-Critical Control (P1) / Primary 2-Significant Control (P2) / Secondary (S) | Evidence of Control

