Page 410 - Onboarding May 2017
ADMINISTRATION: HUMAN RESOURCES

Control Characteristics: P1 = Primary 1-Critical Control; P2 = Primary 2-Significant Control; S = Secondary. Control Frequency is one of continuous, daily, monthly, periodic.

| Business Process Category | BP ID | Business Process Name | CSCS Business Unit | Primary Risk(s) | Secondary Risk(s) | Control Activity(ies) | Control Frequency | Control Nature | Control Characteristics | Evidence of Control |
|---|---|---|---|---|---|---|---|---|---|---|
| Managing Human Resources | BP 70 | Hiring New Associate | Administration | R22-Leak of confidential information; R10-Penalty for non-compliance with regulatory requirements | R9, R11, R18-2 | C30-CSCS Associate Handbook - CSCS human resource policies and procedures that detail all aspects of employment at CSCS, and is provided to Associate upon hire (and when revised). Signature by Associate acknowledging policies and procedures is required. C29-Code of Conduct. C27-Confidentiality Agreement. C28-IT Management Policy. | Periodic | Preventive | P1 | CSCS Associate Handbook; Code of Conduct; Antitrust Compliance; Confidentiality Agreement; IT Management Policy; Personnel folders |
| Managing Human Resources | BP 70 | Terminating Associate | Administration | R22-Leak of confidential information; R10-Penalty for non-compliance with regulatory requirements | R9, R11, R18-2 | C30-CSCS Associate Handbook; C29-Code of Conduct; C27-Confidentiality Agreement; C28-IT Management Policy (as above) | Periodic | Preventive | P1 | CSCS Associate Handbook; Code of Conduct; Antitrust Compliance; Confidentiality Agreement; IT Management Policy; Personnel folders |
| Managing Human Resources | BP 70 | Managing Existing Associate's Performance | Administration | R6-Unproductive use of human resources or data resources | R9, R11, R18-2 | C22-Effectively allocating human resources and data resources through Strategic Planning Process. C21-Effectively allocating human resources through Key Performance Index with specific organizational, departmental, and individual goals. | Periodic | Preventive | P2 | Documents from Strategic Planning Process; Key Performance Indicators (KPIs) for each Associate; Federal/State Law Postings |
| HR Data Management | BP 75 | Personnel Files and Related HR Data | Administration | R22-Leak of confidential information; R21-Loss of data | R9, R11 | C33 (A)-All hard copy personnel files are stored in a locked file cabinet in the office of the Controller. C33 (B)-HR related information is also stored electronically on the Ultipro application with password protection and restricted access. HR related forms, company policies and handbooks are available to Associates on the CSCS secured Associate intranet. | Continuous | Preventive | P1 | Confidential data are protected physically and electronically (locked cabinet and People Manager); User name and password are required to access the Associate intranet |
ADMINISTRATION: ASSETS & SYSTEMS

Control Characteristics: P1 = Primary 1-Critical Control; P2 = Primary 2-Significant Control; S = Secondary. Control Frequency is one of continuous, daily, monthly, periodic.

| Business Process Category | BP ID | Business Process Name | CSCS Business Unit | Primary Risk(s) | Secondary Risk(s) | Control Activity(ies) | Control Frequency | Control Nature | Control Characteristics | Evidence of Control |
|---|---|---|---|---|---|---|---|---|---|---|
| Asset Management | BP 80 | Bank Account Management | Administration | R11-Fraudulent activities which are subject of public scrutiny and investigation | R9 | C32-Segregation of duties. On-line access to bank accounts is limited to some personnel: CSCS – Controller and CFO; InfoSync – Accountants – for reconciliation purposes, payroll and accounts payable processes and recording bank activity; On-line Access Administrator is the CFO. C23 & C33 (B)-Secured website by Commerce Bank – Commerce issues FOBs with numbers that change every minute that must be entered before any wire information can be processed using their on-line banking application, in addition to SSL encryption. FOBs are in physical possession of CSCS users listed above. Segregation of duties for initiating transfers, approving them, booking journal entries and reconciling accounts. | Periodic | Preventive; Detective | P2 | Bank statements and reconciliation |
| Asset Management | BP 85 | Computers (Laptops or Desktops) and File Servers | Administration | R22-Leak of confidential information | R9, R18-2 | C33-All laptops are password protected and utilize all virus and security software per security policies defined by DineEquity, since CSCS utilizes their network in each CSCS office. Equipment tags are put on all assets for tracking. File servers are secured behind firewalls and utilize network security provisions as defined by DineEquity. CSCS IT Management Policy signed by all associates. | Periodic | Preventive; Detective | P1 | CSCS asset management spreadsheet; Equipment Tags; CSCS IT Management Policy |
| System Management | BP 90 | Office 365 (Microsoft Exchange & Office) | Administration | R21-Loss of data; R22-Leak of confidential information | R3, R6, R18-1, R18-2, R19 | C25 & C33 & C38-Periodic review of third party internal control systems, Data Contingency Program, periodic back up of system data. SSL encryption hides data during transmission. Data centers are protected by strict physical and systems security measures, plus fire suppression and redundant power systems. All system providers have SAS70 type II audit. | Continuous | Preventive; Detective | P1 | SAS 70; SSAE16 SOC 1 and SOC2 |
| System Management | BP 90 | HAVI - Web-based Integrated Supply Chain Management System | Administration | R21-Loss of data; R22-Leak of confidential information | R3, R6, R18-1, R18-2, R19 | User Account Management program manages user names and passwords for internal and external users of HAVI. | Continuous | Preventive; Detective | P1 | Letter of Agreement; Data Retention and Storage (HAVI and CSCS) |
| System Management | BP 90 | Website Management | Administration/Procurement | R21-Loss of data; R22-Leak of confidential information | R3, R6, R18-1, R18-2, R19 | CSCS website has three partitions – a public-facing external site, a secured Members-only site, and a secured Associate intranet site. Security is managed by the systems support team, with user names and passwords assigned to each individual. | Continuous | Preventive; Detective | P1 | (as above for BP 90) |
| Data Management | BP 95 | Data Management | Administration/Brand Management/Procurement/Logistics | R19-Inaccurate information and data; R21-Loss of data; R22-Leak of confidential information | R3, R6, R18-1, R18-2, R19 | C33-(A) Physical protection of data, (B) Security protection for electronic data. C57-CSCS Record Retention and Disposition Schedule. C58-Data Stewards from all departments. | Continuous | Preventive; Detective | P1 | Confidential data are protected physically and electronically; CSCS Record Retention and Disposition Schedule and Policy; SAS 70 |
| Analytics | BP 15 (A) | Data Integrity Audits | Administration | R19-Inaccurate information and data | R3, R20, R21, R22, R23, R24 | C45-System Control. C56-Data Audits. C32-Segregation of duties. | Continuous | Corrective; Preventive; Detective | P1 | Correspondence between CSCS and suppliers, DCs, Brands, and System admin. |
| Analytics | BP 15 (B) | Price Index (Commodity pricing tracking and forecasting) | Procurement/Administration/Logistics | R19-Inaccurate information and data | R21, R22, R23, R24 | C20-All CSCS Associates have access to the price index. C43-Protection of confidential information. C32-Segregation of duties. | Continuous | Preventive; Detective | P1 | The index outputs are published to Members and Brands. |
| Analytics | BP 15 (C) | Modified PPI or Performance Tracking of the Co-ops | Procurement/Administration | R23-Relationship issues with Members | R19, R21, R22, R24 | C20-All CSCS Associates have access to the price index. C43-Protection of confidential information. | Periodic | Preventive; Detective | P1 | The report shared with the Audit and Finance Committee for each brand. |