Page 397 - Aida Hovsepian Onboarding

Business Process Category: Other Administration Processes
BP ID: BP 65
Business Process Name: Corporate Taxes
CSCS Business Unit: Administration
Primary Risk(s): R10-Penalty for non-compliance with regulatory requirements; R18-2-Monetary loss; R11-Fraudulent activities which are subject of public scrutiny and investigation
Secondary Risk(s): R9
Control Activity(ies): C32-Segregation of duties - tax returns are prepared by third party and signed by CAO. Third party insurance agent is notified if premiums are not paid and they would, in turn, notify CAO. C40-Annual audit by third party.
Control Frequency: Periodic
Control Nature: Preventive
Control Characteristics: P1
Evidence of Control: Independent third parties provide services and segregation of duties

ADMINISTRATION: HUMAN RESOURCES

Columns: Business Process Category | BP ID | Business Process Name | CSCS Business Unit | Primary Risk(s) | Secondary Risk(s) | Control Activity(ies) | Control Frequency (continuous, daily, monthly, periodic) | Control Nature | Control Characteristics: Primary 1-Critical Control (P1), Primary 2-Significant Control (P2), Secondary (S) | Evidence of Control

Business Process Category: Managing Human Resources
BP ID: BP 70
CSCS Business Unit: Administration
Secondary Risk(s): R9, R11, R18-2
Control Nature: Preventive

  Business Process Name: Hiring New Associate; Terminating Associate
  Primary Risk(s): R22-Leak of confidential information; R10-Penalty for non-compliance with regulatory requirements
  Control Activity(ies): C30-CSCS Associate Handbook - CSCS human resource policies and procedures that detail all aspects of employment at CSCS, and is provided to Associate upon hire (and when revised). Signature by Associate acknowledging policies and procedures is required. C29-Code of Conduct. C27-Confidentiality Agreement. C28-IT Management Policy.
  Control Frequency: Periodic
  Control Characteristics: P1
  Evidence of Control: CSCS Associate Handbook; Code of Conduct; Antitrust Compliance; Confidentiality Agreement; IT Management Policy; Personnel folders

  Business Process Name: Managing Existing Associate's Performance
  Primary Risk(s): R6-Unproductive use of human resources or data resources
  Control Activity(ies): C22-Effectively allocating human resources and data resources through Strategic Planning Process. C21-Effectively allocating human resources through Key Performance Index with specific organizational, departmental, and individual goals.
  Control Frequency: Periodic
  Control Characteristics: P2
  Evidence of Control: Documents from Strategic Planning Process; Key Performance Indicators (KPIs) for each Associate; Federal/State Law Postings

Business Process Category: HR Data Management
BP ID: BP 75
Business Process Name: Personnel Files and Related HR Data
CSCS Business Unit: Administration
Primary Risk(s): R22-Leak of confidential information; R21-Loss of data
Secondary Risk(s): R9, R11
Control Activity(ies): C33 (A)-All hard copy personnel files are stored in a locked file cabinet in the office of the Controller. C33 (B)-HR related information is also stored electronically on the Ultipro application with password protection and restricted access. HR related forms, company policies and handbooks are available to Associates on the CSCS secured Associate intranet.
Control Frequency: Continuous
Control Nature: Preventive
Control Characteristics: P1
Evidence of Control: Confidential data are protected physically and electronically (locked cabinet and People Manager); User name and password are required to access the Associate intranet

ADMINISTRATION: ASSETS & SYSTEMS

Columns: Business Process Category | BP ID | Business Process Name | CSCS Business Unit | Primary Risk(s) | Secondary Risk(s) | Control Activity(ies) | Control Frequency (continuous, daily, monthly, periodic) | Control Nature | Control Characteristics: Primary 1-Critical Control (P1), Primary 2-Significant Control (P2), Secondary (S) | Evidence of Control

Business Process Category: Asset Management
BP ID: BP 80
Business Process Name: Bank Account Management
CSCS Business Unit: Administration
Primary Risk(s): R11-Fraudulent activities which are subject of public scrutiny and investigation
Secondary Risk(s): R9
Control Activity(ies): C32-Segregation of duties. On-line access to bank accounts is limited to some personnel: CSCS – Controller and CFO; InfoSync – Accountants – for reconciliation purposes, payroll and accounts payable processes and recording bank activity; On-line Access Administrator is the CFO. C23 & C33 (B)-Secured website by Commerce Bank – Commerce issues FOBs with numbers that change every minute that must be entered before any wire information can be processed using their on-line banking application, in addition to SSL encryption. FOBs are in physical possession of CSCS users listed above. Segregation of duties for initiating transfers, approving them, booking journal entries and reconciling accounts.
Control Frequency: Periodic
Control Nature: Preventive; Detective
Control Characteristics: P2
Evidence of Control: Bank statements and reconciliation

Business Process Category: Asset Management
BP ID: BP 85
Business Process Name: Computers (Laptops or Desktops)
CSCS Business Unit: Administration
Primary Risk(s): R22-Leak of confidential information
Secondary Risk(s): R9, R18-2
Control Activity(ies): C33-All laptops are password protected and utilize all virus and security software per security policies defined by DineEquity, since CSCS utilizes their network in each CSCS office. Equipment tags are put on all assets for tracking. CSCS IT Management Policy signed by all associates.
Control Frequency: Periodic
Control Nature: Preventive; Detective
Control Characteristics: P1
Evidence of Control: CSCS asset management spreadsheet; Equipment Tags; CSCS IT Management Policy

Business Process Category: System Management
BP ID: BP 90
Business Process Name: Office 365 (Microsoft Exchange & Office); HAVI - Web-based Integrated Supply Chain Management System; Website Management
CSCS Business Unit: Administration (Office 365 and HAVI); Administration/Procurement (Website Management)
Primary Risk(s): R21-Loss of data; R22-Leak of confidential information
Secondary Risk(s): R3, R6, R18-1, R18-2, R19
Control Activity(ies): C25 & C33 & C38-Periodic review of third party internal control systems, Data Contingency Program, periodic back up of system data. Data centers are protected by strict physical and systems security measures, plus fire suppression and redundant power systems. User Account Management program manages user names and passwords for internal and external users of HAVI. CSCS website has three partitions – a public-facing external site, a secured Members-only site, and a secured Associate intranet site. Security is managed by systems support team, with user names and passwords assigned to each individual.
Control Frequency: Continuous
Control Nature: Preventive; Detective
Control Characteristics: P1
Evidence of Control: SSAE16 SOC 1 and SOC2; Letter of Agreement; Data Retention and Storage (HAVI and CSCS)

Business Process Category: Data Management
BP ID: BP 95
Business Process Name: Data Management
CSCS Business Unit: Administration/Brand Management/Procurement/Logistics
Primary Risk(s): R19-Inaccurate information and data; R21-Loss of data; R22-Leak of confidential information
Secondary Risk(s): R3, R6, R18-1, R18-2, R19
Control Activity(ies): C33-(A) Physical Protection of data, (B) Security Protection for electronic data. C57-CSCS Record Retention and Disposition Schedule. C58-Data Stewards from all departments.
Control Frequency: Continuous
Control Nature: Preventive; Detective
Control Characteristics: P1
Evidence of Control: Confidential data are protected physically and electronically; CSCS Record Retention and Disposition Schedule and Policy