Page 411 - Onboarding May 2017

ADMINISTRATION: HUMAN RESOURCES

Control Characteristics (columns of the matrix): Business Process Category; BP ID; Business Process Name; CSCS Business Unit; Primary Risk(s); Secondary Risk(s); Control Activity(ies); Control Frequency (continuous, daily, monthly, periodic); Control Nature; Control Priority (Primary 1-Critical Control (P1), Primary 2-Significant Control (P2), Secondary (S)); Evidence of Control.

Business Process Category: Managing Human Resources
  BP ID: BP 70
  Business Process Name: Hiring New Associate; Terminating Associate; Managing Existing Associate's Performance
  CSCS Business Unit: Administration
  Primary Risk(s):
    Hiring New Associate / Terminating Associate: R22-Leak of confidential information; R10-Penalty for non-compliance with regulatory requirements
    Managing Existing Associate's Performance: R6-Unproductive use of human resources or data resources
  Secondary Risk(s): R9, R11, R18-2
  Control Activity(ies):
    C30-CSCS Associate Handbook - CSCS human resource policies and procedures that detail all aspects of employment at CSCS, and is provided to Associate upon hire (and when revised). Signature by Associate acknowledging policies and procedures is required.
    C29-Code of Conduct
    C27-Confidentiality Agreement
    C28-IT Management Policy
    C22-Effectively allocating human resources and data resources through Strategic Planning Process
    C21-Effectively allocating human resources through Key Performance Index with specific organizational, departmental, and individual goals.
  Control Frequency: Periodic
  Control Nature: Preventive
  Control Priority: P1 (Hiring New Associate / Terminating Associate); P2 (Managing Existing Associate's Performance)
  Evidence of Control: CSCS Associate Handbook; Code of Conduct; Antitrust Compliance; Confidentiality Agreement; IT Management Policy; Personnel folders; Documents from Strategic Planning Process; Key Performance Indicators (KPIs) for each Associate; Federal/State Law Postings

Business Process Category: HR Data Management
  BP ID: BP 75
  Business Process Name: Personnel Files and Related HR Data
  CSCS Business Unit: Administration
  Primary Risk(s): R22-Leak of confidential information; R21-Loss of data
  Secondary Risk(s): R9, R11
  Control Activity(ies):
    C33 (A)-All hard copy personnel files are stored in a locked file cabinet in the office of the Controller.
    C33 (B)-HR related information is also stored electronically on the Ultipro application with password protection and restricted access. HR related forms, company policies and handbooks are available to Associates on the CSCS secured Associate intranet.
  Control Frequency: Continuous
  Control Nature: Preventive
  Control Priority: P1
  Evidence of Control: Confidential data are protected physically and electronically (locked cabinet and People Manager); User name and password are required to access the Associate intranet
ADMINISTRATION: ASSETS & SYSTEMS

Control Characteristics (columns of the matrix): Business Process Category; BP ID; Business Process Name; CSCS Business Unit; Primary Risk(s); Secondary Risk(s); Control Activity(ies); Control Frequency (continuous, daily, monthly, periodic); Control Nature; Control Priority (Primary 1-Critical Control (P1), Primary 2-Significant Control (P2), Secondary (S)); Evidence of Control.

Business Process Category: Asset Management
  BP ID: BP 80
  Business Process Name: Bank Account Management
  CSCS Business Unit: Administration
  Primary Risk(s): R11-Fraudulent activities which are subject of public scrutiny and investigation
  Secondary Risk(s): R9
  Control Activity(ies):
    C32-Segregation of duties. On-line access to bank accounts is limited to some personnel: CSCS – Controller and CFO; InfoSync – Accountants – for reconciliation purposes, payroll and accounts payable processes and recording bank activity; On-line Access Administrator is the CFO.
    C23 & C33 (B)-Secured website by Commerce Bank – Commerce issues FOBs with numbers that change every minute that must be entered before any wire information can be processed using their on-line banking application, in addition to SSL encryption. FOBs are in physical possession of CSCS users listed above. Segregation of duties for initiating transfers, approving them and booking journal entries and reconciling accounts.
  Control Frequency: Periodic
  Control Nature: Preventive; Detective
  Control Priority: P2
  Evidence of Control: Bank statements and reconciliation

Business Process Category: Asset Management
  BP ID: BP 85
  Business Process Name: Computers (Laptops or Desktops) and File Servers
  CSCS Business Unit: Administration
  Primary Risk(s): R22-Leak of confidential information
  Secondary Risk(s): R9, R18-2
  Control Activity(ies):
    C33-All laptops are password protected and utilize all virus and security software per security policies defined by DineEquity, since CSCS utilizes their network in each CSCS office.
    Equipment tags are put on all assets for tracking.
    File servers are secured behind firewalls and utilize network security provisions as defined by DineEquity.
    CSCS IT Management Policy signed by all associates.
  Control Frequency: Periodic
  Control Nature: Preventive; Detective
  Control Priority: P1
  Evidence of Control: CSCS asset management spreadsheet; Equipment Tags; CSCS IT Management Policy

Business Process Category: System Management
  BP ID: BP 90
  Business Process Name: Office 365 (Microsoft Exchange & Office); HAVI - Web-based Integrated Supply Chain Management System; Website Management
  CSCS Business Unit: Administration; Administration/Procurement
  Primary Risk(s): R21-Loss of data; R22-Leak of confidential information
  Secondary Risk(s): R3, R6, R18-1, R18-2, R19
  Control Activity(ies):
    C25 & C33 & C38-Periodic review of third party internal control systems, Data Contingency Program, Periodic back up of system data. SSL encryption hides data during transmission. Data centers are protected by strict physical and systems security measures, plus fire suppression and redundant power systems. All system providers have SAS70 type II audit.
    User Account Management program manages user names and passwords for internal and external users of HAVI.
    CSCS website has three partitions – a public-facing external site, a secured Members-only site, and a secured Associate intranet site. Security is managed by systems support team, with user names and passwords assigned to each individual.
  Control Frequency: Continuous
  Control Nature: Preventive; Detective
  Control Priority: P1
  Evidence of Control: SAS 70; SSAE16 SOC 1 and SOC2; Letter of Agreement; Data Retention and Storage (HAVI and CSCS)

Business Process Category: Data Management
  BP ID: BP 95
  Business Process Name: Data Management
  CSCS Business Unit: Administration/Brand Management/Procurement/Logistics
  Primary Risk(s): R19-Inaccurate information and data; R21-Loss of data; R22-Leak of confidential information
  Secondary Risk(s): R3, R6, R18-1, R18-2, R19
  Control Activity(ies):
    C33-(A) Physical Protection of data, (B) Security Protection for electronic data.
    C57-CSCS Record Retention and Disposition Schedule
    C58-Data Stewards from all departments
  Control Frequency: Continuous
  Control Nature: Preventive; Detective
  Control Priority: P1
  Evidence of Control: Confidential data are protected physically and electronically; CSCS Record Retention and Disposition Schedule and Policy; SAS 70

Business Process Category: Analytics
  BP ID: BP 15 (A)
  Business Process Name: Data Integrity Audits
  CSCS Business Unit: Administration
  Primary Risk(s): R19-Inaccurate information and data
  Secondary Risk(s): R3, R20, R21, R22, R23, R24
  Control Activity(ies):
    C45-System Control
    C56-Data Audits
  Control Frequency: Continuous
  Control Nature: Corrective; Preventive; Detective
  Control Priority: P1
  Evidence of Control: Correspondence between CSCS and suppliers, DCs, Brands, and System admin.

Business Process Category: Analytics
  BP ID: BP 15 (B)
  Business Process Name: Price Index (Commodity pricing tracking and forecasting)
  CSCS Business Unit: Procurement/Administration/Logistics
  Primary Risk(s): R19-Inaccurate information and data
  Secondary Risk(s): R21, R22, R23, R24
  Control Activity(ies):
    C32-Segregation of duties
    C20-All CSCS Associates have access to the price index
    C43-Protection of confidential information
  Control Frequency: Continuous
  Control Nature: Preventive; Detective
  Control Priority: P1
  Evidence of Control: The index outputs are published to Members and Brands.

Business Process Category: Analytics
  BP ID: BP 15 (C)
  Business Process Name: Modified PPI or Performance Tracking of the Co-ops
  CSCS Business Unit: Procurement/Administration
  Primary Risk(s): R23-Relationship issues with Members
  Secondary Risk(s): R19, R21, R22, R24
  Control Activity(ies):
    C32-Segregation of duties
    C20-All CSCS Associates have access to the price index
    C43-Protection of confidential information
  Control Frequency: Periodic
  Control Nature: Preventive; Detective
  Control Priority: P1
  Evidence of Control: The report shared with the Audit and Finance Committee for each brand.