PETCO Enterprise-Wide Risk Assessment & Internal Audit Plan
Presenters: Jim Brigham, Wendy Cooling, Zach Couasnon
March 9, 2011

Learning Objectives
Risk Assessments – Part I – Data Gathering (8:00 am – 9:10 am)
  Background
    Evolution of Audit Planning Process
    IIA Standards and Other Guidance
    Internal Audit Charter
    Scope of Work
    Risk Assessment Definitions
  Risk Assessment Approach
    Identify Key Risks
    Evaluate Key Risks
Risk Assessments – Part II – Reporting (9:20 am – 10:15 am)
  Risk Assessment Approach (continued)
    Develop Internal Audit Plan
    Monitor Risks and Learn
1. Background
1.A Evolution of Audit Planning Process
Source: Corporate Executive Board, Audit Director Roundtable, Enterprise Risk Audit Planning, 2006

1.B IIA Standards and Other Guidance
Performance Standard 2120.A1
The internal audit activity must evaluate risk exposures relating to the organization's governance, operations and information systems regarding:
  Reliability and integrity of financial and operational information
  Effectiveness and efficiency of operations
  Safeguarding of assets
  Compliance with laws, regulations and contracts
Practice Advisory Standard 2120-1
  Assessing the Adequacy of Risk Management Processes
Position Paper
  Role of Internal Auditing in Enterprise-wide Risk Management
Practice Guides
  GAIT for Business and IT Risk
  GTAG 6 – Managing and Auditing IT Vulnerabilities
  GTAG 10 – Business Continuity Management
1.C Internal Audit Charter
Mission
The mission of the Internal Audit Department (the "Department") is to provide independent, objective assurance and consulting services designed to add value and improve the Company's operations. The Department helps PETCO accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk evaluation, internal control, and corporate governance processes.
Scope (in part)
To accomplish our mission, the Department will ensure:
  Risks are appropriately identified, understood and properly managed
  The efficiency and effectiveness of internal controls are evaluated
  Significant financial, managerial, and operating information is accurate, reliable, and timely
  Compliance with laws, regulations, and PETCO policies
Responsibility (in part)
The responsibilities of the Department include the following:
  Develop a flexible risk-based annual audit plan, including any risks or control concerns identified by management, and submit the plan and budget to senior management and the Audit Committee for review and approval.
  Report to the Audit Committee as to whether the Department provides sufficient coverage of PETCO operations, available resources are effectively utilized toward the highest exposure of risk, and the scope and authority of the Department is sufficiently unrestricted.

1.D Scope of Work
The scope of PETCO's Risk Assessment included the identification and prioritization of the risks that may impact PETCO's ability to achieve its objectives, as well as the development of the 2011 Internal Audit Plan. Key activities included:
  Implementation of a structure, framework and methodology for PETCO's Risk Assessment and 2011 Internal Audit Plan
  Survey of Management to identify:
    Business objectives and processes
    Understanding of risk
    Perceived risks to PETCO
    Perceived risks within business units
  Exploration of the risks within each identified process or activity
  Assignment of risk ratings based on the potential likelihood and impact to PETCO

1.E Risk Assessment Definitions
Risk
An uncertain future event which could adversely affect the achievement of an organization's objectives.
Risk Likelihood
The probability that a risk can occur. Factors to consider when assessing risk likelihood are: the source of the threat, capability of the source, nature of the vulnerability, and existence and effectiveness of current controls. Likelihood can be described as high, medium and low.
  High: An event is expected to occur in most circumstances
  Medium: An event will probably occur in many circumstances
  Low: An event may occur at some time
Risk Impact
The potential effect that a risk could have on the organization if it arises. The severity of impact can also be categorized as high, medium and low.
  High: Serious impact on operations or reputation
  Medium: Significant impact on operations or reputation
  Low: Less significant impact on operations or reputation
1.E Risk Assessment Definitions
Risk
It is an uncertain future event which could adversely affect the achievement of an organization's objectives.
Risk Likelihood
It is the probability that a risk can occur. The factors that should be taken into account in the determination of likelihood are: the source of the threat, capability of the source, nature of the vulnerability, and existence and effectiveness of current controls. Likelihood can be described as high, medium and low.
  High: An event is expected to occur in most circumstances
  Medium: An event will probably occur in many circumstances
  Low: An event may occur at some time
Risk Impact
It is the potential effect that a risk could have on the organization if it arises. It is worth mentioning that not all threats will have the same impact, as each system in the organization is valued differently. The magnitude of impact can also be categorized as high, medium and low.
  High: Serious impact on operations, reputation, or funding status
  Medium: Significant impact on operations, reputation, or funding status
  Low: Less significant impact on operations, reputation, or funding status
The combination of likelihood and impact gives us the value for each risk factor. See chart below.
Risk Assessment Process
The process of identifying and analyzing inherent and residual risks to the achievement of an organization's objectives.
Audit Universe
An inventory of audit areas that is compiled and maintained to identify areas for audit during the audit planning process. The audit universe is now determined by risk. The risk-based approach to auditing results in planning that is driven by the organization's risk register. The audit universe will be periodically revised to reflect changes in the overall risk profile.

1.E Risk Assessment Definitions
Risk Evaluation Criteria
Risk Likelihood
Risk Impact
Specific risks were identified within each area and, based upon evaluation of each, a rating was assigned. The ratings were developed based on an analysis of the likelihood and associated impact if the risks were not mitigated, and are not necessarily a reflection of current performance in a given area. This analysis was performed based on our collective knowledge of PETCO prior to and during this assessment, and our industry experience. Each risk was classified as either high, medium, or low based on the following definitions:
  High – requires significant management focus and awareness
  Medium – requires possible focus and consideration by management
  Low – significant focus and action not required by management at this point in time
Some risks are inherently high due to the magnitude and severity of the impact to the organization. A high risk rating does not necessarily imply poor controls. Not all risks identified are areas in which Internal Audit can perform a review. For areas in which an Internal Audit review is appropriate, project names and areas of focus were developed.
2. Risk Assessment Approach
2.A Identify Risks
Identify Risks - Overview
Data Gathering for Risk Universe
  Prior Year Sources (December)
    Risk Assessments
    Audit Director Roundtable Audit Plan Hotspots
    Annual PETCO Leadership Meeting Takeaways
    Financial Audit Reports
    External Auditor Management Letter Comments
    Industry 10-Ks (Item 1A. Risk Factors)
    Accounting's Financial Reporting Risk Assessment & Fraud Risk Assessment
  Surveys (January)
    Overall Company Risk Survey
    Store-Focused Risk Survey

Identify Risks - ADR
Audit Director Roundtable - http://audit.executiveboard.com
Identify Risks - ADR
Identify Risks – PETCO Leadership Meeting Takeaways
Identify Risks – Industry 10-Ks
Go to www.sec.gov
Identify Risks – Industry 10-Ks
Identify Risks – 10-Ks
"A decline in consumer spending or a change in consumer preferences could reduce our sales or profitability and harm our business."
  Risk: The economy
"The pet products and services retail industry is very competitive and continued competitive forces may adversely impact our business and financial results."
  Risk: Competition
"Failure to successfully manage and execute our marketing initiatives could have a negative impact on our business."
  Risk: Marketing/Advertising effectiveness
"Failure to successfully manage our inventory could harm our business."
  Risk: Inventory shrinkage

Identify Risks – 10-Ks
"If our information systems fail to perform as designed or are interrupted for a significant period of time, our business could be harmed."
  Risk: Disaster recovery and business continuity
"If we fail to protect the integrity and security of customer and associate information, we could be exposed to litigation and our business could be adversely impacted."
  Risk: Security of personally identifiable information (e.g. employee and customer information)

Identify Risks – Surveys
Information gathered from surveys:
  In your opinion, list the top three risks to achieving PETCO's 2011 goals and objectives within your department.
  List areas of our Company that you would like to see included in the 2011 Internal Audit Plan.
  Has your department implemented any new technology within the last 12 months? Examples include software, database management systems, existing system upgrades, new-to-you (shared technology from another department).
  Will any key business processes performed by your department change significantly within FY2011? Please list and describe changes if applicable.
  How could someone internally or externally misappropriate assets from your specific department resources?
2.B Evaluate Key Risks
Evaluate Key Risks - Overview
Still Data Gathering to Evaluate Key Risks
  Surveys (January)
    Overall Company Risk Survey
    Store-Focused Risk Survey
  Industry Experience & Knowledge
  Professional Judgment
  Leadership Meeting Takeaways (Early February)
  External Auditor Feedback (Late February)

Evaluate Key Risks - Surveys
Internal Audit utilizes an internal HTML-based survey tool to collect management opinions on business risks faced by the organization.
  Consists of around 53 questions
    10% open-ended questions
    90% "Rate the Risk" style questions
  Sent to director level and above roles
  Survey is voluntary
  Allowed two weeks for completion

Evaluate Key Risks - Survey Administration
  An email is sent from to all director level and above associates
  A link to the internal HTML-based survey is included in the email
  No reminders are sent

Evaluate Key Risks - Survey Administration
  Once the link is clicked, the survey opens up in a browser window
  ID is also captured from the login ID used to authenticate to the network
  Shown are examples of open-ended style questions

Evaluate Key Risks - Survey Administration
  Shown are examples of "Rate the Risk" style questions. Only one answer can be selected for each
  Risk ratings are later scored to generate the heat map
  Currently, IA requires survey takers to assess risk impact only

Evaluate Key Risks - Survey Administration
  IA always allows for additional comments; sometimes we get some very interesting feedback!
  Upon submission, survey selections are logged
  Specified IA associates receive survey results from each associate directly to their inbox
Evaluate Key Risks - Survey Response Scoring
Evaluate Key Risks
Dramatic Pause
Evaluate Key Risks - Initial Risk Heat Map
Questions
What about unknown risks?
What about strategic risks?

Break
9:10 am – 9:20 am

2. Risk Assessment Approach (continued)
2.C Develop Internal Audit Plan
Develop Internal Audit Plan - Overview
Reporting
  Four Key Considerations during Reporting
    Initial Risk Heat Map
    Available Hours
    Hours consumed by required audits
    Budget available for outsourced audits
  Align Assessed Risks to Vision, Key Business Objectives, 6Ps and Audit Plan
  Consult with Management and Audit Committee members
  Prepare Final Key Deliverables
    Risk Heat Map
    Internal Audit Plan
Develop Internal Audit Plan - Initial Risk Heat Map
Develop Internal Audit Plan – Available Hours & Required Audits
Develop Internal Audit Plan
Alignment of Assessed Risks
Linkage to Vision, Key Business Objectives, 6Ps and Audit Plan
Develop Internal Audit Plan – Alignment of Assessed Risks
Develop Internal Audit Plan – Alignment of Assessed Risks
Develop Internal Audit Plan – Alignment of Assessed Risks
Develop Internal Audit Plan – Alignment of Assessed Risks
Develop Internal Audit Plan – Final Risk Heat Map
NOTE: Not all risks identified are areas in which Internal Audit can perform a review. Risks in bold are covered by the 2011 Audit Plan.

Develop Internal Audit Plan – Audit Plan Rationale
  Risks were identified in each of the retail focus areas and were prioritized based on feedback from management
  Audit projects were defined to address each risk identified (in some cases, one project addresses multiple risks)
  Projects were prioritized based on the significance of the risk(s) they address
** Accounting prepares the Fraud Risk Assessment and the Financial Reporting (SOX) Risk Assessments.

Develop Internal Audit Plan
Dramatic Pause
2.D Monitor Risks and Learn

Enterprise-wide Risk Assessment Presentation, dated 03-08-11