enterprise-wide risk assessment presentation, dated 03-08-11

PETCO Enterprise-Wide Risk Assessment & Internal Audit Plan Presenters: Jim Brigham Wendy Cooling Zach Couasnon March 9, 2011

Upload: wcooling

Post on 26-May-2015


DESCRIPTION

Performing Internal Audit Enterprise-wide Risk Assessments

TRANSCRIPT

Page 1: Enterprise-wide Risk Assessment Presentation, dated  03-08-11

PETCO Enterprise-Wide Risk Assessment & Internal Audit Plan

Presenters: Jim Brigham, Wendy Cooling, Zach Couasnon

March 9, 2011

Page 2

Learning Objectives

Risk Assessments – Part I – Data Gathering (8:00 am – 9:10 am)

1. Background

A. Evolution of Audit Planning Process

B. IIA Standards and Other Guidance

C. Internal Audit Charter

D. Scope of Work

E. Risk Assessment Definitions

2. Risk Assessment Approach

A. Identify Key Risks

B. Evaluate Key Risks

Risk Assessments – Part II – Reporting (9:20 am – 10:15 am)

2. Risk Assessment Approach (continued)

C. Develop Internal Audit Plan

D. Monitor Risks and Learn

Page 3

1. Background

Page 4

1.A Evolution of Audit Planning Process

Source: Corporate Executive Board, Audit Director Roundtable, Enterprise Risk Audit Planning, 2006

Page 5

1.B IIA Standards and Other Guidance

Performance Standard 2120.A1

The internal audit activity must evaluate risk exposures relating to the organization's governance, operations and information systems regarding:

Reliability and integrity of financial and operational information

Effectiveness and efficiency of operations

Safeguarding of assets

Compliance with laws, regulations and contracts

Practice Advisory Standard 2120-1 – Assessing the Adequacy of Risk Management Processes

Position Paper – Role of Internal Auditing in Enterprise-wide Risk Management

Practice Guides – GAIT for Business and IT Risk

GTAG 6 – Managing and Auditing IT Vulnerabilities

GTAG 10 – Business Continuity Management

Page 6

1.C Internal Audit Charter

Mission

The mission of the Internal Audit Department (the "Department") is to provide independent, objective assurance and consulting services designed to add value and improve the Company's operations. The Department helps PETCO accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk evaluation, internal control, and corporate governance processes.

Scope (in part)

To accomplish our mission, the Department will ensure:

Risks are appropriately identified, understood and properly managed

The efficiency and effectiveness of internal controls are evaluated

Significant financial, managerial, and operating information is accurate, reliable, and timely

Compliance with laws, regulations, and PETCO policies

Responsibility (in part)

The responsibilities of the Department include the following:

Develop a flexible risk-based annual audit plan, including any risks or control concerns identified by management, and submit the plan and budget to senior management and the Audit Committee for review and approval.

Report to the Audit Committee as to whether the Department provides sufficient coverage of PETCO operations, available resources are effectively utilized toward the highest exposure of risk, and the scope and authority of the Department is sufficiently unrestricted.

Page 7

1.D Scope of Work

The scope of PETCO's Risk Assessment included the identification and prioritization of the risks that may impact PETCO's ability to achieve its objectives as well as the development of the 2011 Internal Audit Plan.

Key activities included:

Implementation of a structure, framework and methodology for PETCO's Risk Assessment and 2011 Internal Audit Plan

Survey of Management to identify: business objectives and processes; understanding of risk; perceived risks to PETCO; perceived risks within business units

Exploration of the risks within each identified process or activity

Assignment of risk ratings based on the potential likelihood and impact to PETCO

Page 8

1.E Risk Assessment Definitions

Risk

An uncertain future event which could adversely affect the achievement of an organization's objectives.

Risk Likelihood

The probability that a risk can occur. Factors to consider when assessing risk likelihood are: the source of the threat, capability of the source, nature of the vulnerability and existence and effectiveness of current controls. Likelihood can be described as high, medium and low.

High: An event is expected to occur in most circumstances

Medium: An event will probably occur in many circumstances

Low: An event may occur at some time

Risk Impact

The potential effect that a risk could have on the organization if it arises. The severity of impact also can be categorized as high, medium and low.

High: Serious impact on operations or reputation

Medium: Significant impact on operations or reputation

Low: Less significant impact on operations or reputation

Page 9

1.E Risk Assessment Definitions

Risk Assessment Process

The process of identifying and analyzing inherent and residual risks to the achievement of an organization's objectives.

Audit Universe

An inventory of audit areas that is compiled and maintained to identify areas for audit during the audit planning process. The audit universe is now determined by risk. The risk-based approach to auditing results in planning that is driven by the organization's risk register. The audit universe will be periodically revised to reflect changes in the overall risk profile.

Risk

It is an uncertain future event which could adversely affect the achievement of an organization's objectives.

Risk Likelihood

It is the probability that a risk can occur. The factors that should be taken into account in the determination of likelihood are: the source of the threat, capability of the source, nature of the vulnerability and existence and effectiveness of current controls. Likelihood can be described as high, medium and low.

• High: An event is expected to occur in most circumstances

• Medium: An event will probably occur in many circumstances

• Low: An event may occur at some time

Risk Impact

It is the potential effect that a risk could have on the organization if it arises. It is worth mentioning that not all threats will have the same impact, as each system in the organization is worth differently. The magnitude of impact also can be categorized as high, medium and low.

• High: Serious impact on operation, reputation, or funding status

• Medium: Significant impact on operations, reputation, or funding status

• Low: Less significant impact on operations, reputation, or funding status

The combination of likelihood and impact gives us the value for each risk factor. See chart below.

[Chart: likelihood and impact combined into a risk rating; not reproduced in the transcript]

Page 10

1.E Risk Assessment Definitions

Risk Evaluation Criteria

[Chart with axes Risk Likelihood and Risk Impact; not reproduced in the transcript]

Specific risks were identified within each area and, based upon evaluation of each, a rating was assigned. The ratings were developed based on an analysis of the likelihood and associated impact if the risks were not mitigated and are not necessarily a reflection of current performance in a given area.

This analysis was performed based on our collective knowledge of PETCO prior to and during this assessment, and our industry experience. Each risk was classified as either high, medium, or low based on the following definitions:

High – requires significant management focus and awareness

Medium – requires possible focus and consideration by management

Low – significant focus and action not required by management at this point in time

Some risks are inherently high due to the magnitude and severity of the impact to the organization. A high risk rating does not necessarily imply poor controls. Not all risks identified are areas in which Internal Audit can perform a review. For areas in which an Internal Audit review is appropriate, project names and areas of focus were developed.

Page 11

2. Risk Assessment Approach

Page 12

2.A Identify Risks

[Process diagram: Identify Risks → Evaluate Key Risks → Develop Internal Audit Plan → Monitor Risks and Learn]

Page 13

Identify Risks - Overview

Data Gathering for Risk Universe

Prior Year Sources (December)

Risk Assessments

Audit Director Roundtable Audit Plan Hotspots

Annual PETCO Leadership Meeting Takeaways

Financial Audit Reports

External Auditor Management Letter Comments

Industry 10-Ks (Item 1A. Risk Factors)

Accounting's Financial Reporting Risk Assessment & Fraud Risk Assessment

Surveys (January)

Overall Company Risk Survey

Store-Focused Risk Survey

Page 14

Identify Risks - ADR

Audit Director Roundtable - http://audit.executiveboard.com

Page 15

Identify Risks - ADR

Page 16

Identify Risks – PETCO Leadership Meeting Takeaways

Page 17

Identify Risks – Industry 10-Ks

Go to www.sec.gov

Page 18

Identify Risks – Industry 10-Ks

Page 19

Identify Risks – 10-Ks

A decline in consumer spending or a change in consumer preferences could reduce our sales or profitability and harm our business.

Risk: The economy

The pet products and services retail industry is very competitive and continued competitive forces may adversely impact our business and financial results.

Risk: Competition

Failure to successfully manage and execute our marketing initiatives could have a negative impact on our business.

Risk: Marketing/Advertising effectiveness

Failure to successfully manage our inventory could harm our business.

Risk: Inventory shrinkage

Page 20

Identify Risks – 10-Ks

If our information systems fail to perform as designed or are interrupted for a significant period of time, our business could be harmed.

Risk: Disaster recovery and business continuity

If we fail to protect the integrity and security of customer and associate information, we could be exposed to litigation and our business could be adversely impacted.

Risk: Security of personally identifiable information (e.g. employee and customer information)

Page 21

Identify Risks – Surveys

Information gathered from surveys:

In your opinion, list the top three risks to achieving PETCO's 2011 goals and objectives within your department.

List areas of our Company that you would like to see included in the 2011 Internal Audit Plan.

Has your department implemented any new technology within the last 12 months? Examples include software, database management systems, existing system upgrades, new-to-you (shared technology from another department).

Will any key business processes performed by your department change significantly within FY2011? Please list and describe changes if applicable.

How could someone internally or externally misappropriate assets from your specific department resources?

Page 22

2.B Evaluate Key Risks

[Process diagram: Identify Risks → Evaluate Key Risks → Develop Internal Audit Plan → Monitor Risks and Learn]

Page 23

Evaluate Key Risks - Overview

Still Data Gathering to Evaluate Key Risks

Surveys (January)

Overall Company Risk Survey

Store-Focused Risk Survey

Industry Experience & Knowledge

Professional Judgment

Leadership Meeting Takeaways (Early February)

External Auditor Feedback (Late February)

Page 24

Evaluate Key Risks - Surveys

Internal Audit utilizes an internal HTML based survey tool to collect management opinions on business risks faced by the organization.

Consists of around 53 questions: 10% open ended questions, 90% “Rate the Risk” style questions

Sent to director level and above roles

Survey is voluntary

Allowed two weeks for completion

Page 25

Evaluate Key Risks - Survey Administration

An email is sent from to all director level and above associates

A link to the internal HTML based survey is included in the email

No reminders are sent

Page 26

Evaluate Key Risks - Survey Administration

Once the link is clicked, the survey opens up in a browser window

ID is also captured from the login ID used to authenticate to the network

Shown are examples of open ended style of questions

Page 27

Evaluate Key Risks - Survey Administration

Shown are examples of “Rate the Risk” style questions. Only one answer can be selected for each

Risk ratings are later scored to generate the heat map

Currently, IA requires survey takers to assess risk impact only

Page 28

Evaluate Key Risks - Survey Administration

IA always allows for additional comments, sometimes we get some very interesting feedback!

Upon submission, survey selections are logged

Specified IA associates receive survey results from each associate directly to their inbox

Page 29

Evaluate Key Risks - Survey Response Scoring

Page 30

Evaluate Key Risks

Dramatic Pause

Page 31

Evaluate Key Risks - Initial Risk Heat Map

Page 32

Questions

What about unknown risks?

What about strategic risks?

Page 33

Break 9:10 am – 9:20 am

Page 34

2. Risk Assessment Approach (continued)

Page 35

2.C Develop Internal Audit Plan

[Process diagram: Identify Risks → Evaluate Key Risks → Develop Internal Audit Plan → Monitor Risks and Learn]

Page 36

Develop Internal Audit Plan - Overview

Reporting

Four Key Considerations during Reporting

Initial Risk Heat Map

Available Hours

Hours consumed by required audits

Budget available for outsourced audits

Align Assessed Risks to Vision, Key Business Objectives, 6Ps and Audit Plan

Consult with Management and Audit Committee members

Prepare Final Key Deliverables

Risk Heat Map

Internal Audit Plan

Page 37

Develop Internal Audit Plan - Initial Risk Heat Map

Page 38

Develop Internal Audit Plan – Available Hours & Required Audits

Page 39

Develop Internal Audit Plan

Alignment of Assessed Risks

Linkage to Vision, Key Business Objectives, 6Ps and Audit Plan

Page 40

Develop Internal Audit Plan – Alignment of Assessed Risks

Page 41

Develop Internal Audit Plan – Alignment of Assessed Risks

Page 42

Develop Internal Audit Plan – Alignment of Assessed Risks

Page 43

Develop Internal Audit Plan – Alignment of Assessed Risks

Page 44

Develop Internal Audit Plan – Final Risk Heat Map

NOTE: Not all risks identified are areas in which Internal Audit can perform a review. Risks in bold are covered by the 2011 Audit Plan.

Page 45

Develop Internal Audit Plan – Audit Plan Rationale

Risk-Based Audit Plan

Overall Company Risk Survey

Store Focused Risk Survey

Internal Audit Experience

Financial Reporting (SOX) Risk Assessment**

Fraud Risk Assessment**

Risks were identified in each of the retail focus areas and were prioritized based on feedback from management

Audit projects were defined to address each risk identified (in some cases, one project addresses multiple risks)

Projects were prioritized based on the significance of the risk(s) they address

** Accounting prepares the Fraud Risk Assessment and the Financial Reporting (SOX) Risk Assessments.

Page 46

Develop Internal Audit Plan

Dramatic Pause

Page 47

Page 48

2.D Monitor Risks and Learn

[Process diagram: Identify Risks → Evaluate Key Risks → Develop Internal Audit Plan → Monitor Risks and Learn]

Page 49

Monitor Risks and Learn - Overview

Reassess Key Risks Continuously Through Audit Plan Execution

Industry/Regulatory Developments

Evolving Strategic Direction of PETCO

Page 50

Risk Assessment Approach

Identify Risks

Gather Data From Prior Year Sources: Risk Assessments (Financial Reporting Risk Assessment**, Fraud Risk Assessment**), ADR Audit Plan Hotspot Reports, PETCO Leadership Meeting Takeaways, Other Company 10-Ks, Surveys (Overall Company & Store-Focused) With Open Ended Questions

Evaluate Key Risks

Surveys (Overall Company & Store-Focused) Where Management Evaluates Risks, PETCO Leadership Meeting Takeaways, Industry Experience & Knowledge, Professional Judgment

Develop Internal Audit Plan

Align Assessed Risks to Vision, 6Ps and Audit Plan; Consult with Management and Audit Committee; Prepare Final Key Deliverables (Risk Heat Map, Internal Audit Plan)

Monitor Risks and Learn

Reassess Key Risks Continuously Through Audit Plan Execution, Industry/Regulatory Developments, Evolving Strategic Direction of PETCO

[Process diagram: Identify Risks → Evaluate Key Risks → Develop Internal Audit Plan → Monitor Risks and Learn]

Continuous - Can Occur Anytime During This Process: Management Interviews, Audit Committee Feedback, External Auditor Feedback

Page 51

Questions

Contact information

Jim Brigham – [email protected]

Wendy Cooling – [email protected]

Zach Couasnon – [email protected]

Page 52

Break 10:15 am – 10:30 am