How JCPenney is Managing Corporate Risk

John Polarinakis, Audit Director

Dave Miller, Senior Audit Manager

What is JCPenney doing?

Ethics Program Internal Audit Function Anti-Fraud Programs Enterprise-Wide Hotline

On-line Ethics Statement

A letter from our Chairman The purpose of the Statement of

Business Ethics Our responsibility as an employee A great work environment Our duty to the Company

An Effective Ethics Program Communication with Employees Communications with Suppliers Employee Training The Use of Criminal Background Checks The Role of the Legal and Ethics

Compliance Committee Measuring our Performance – how

effective are the programs

How does Internal Audit support the Company’s corporate governance initiatives?

Perform an Annual Risk Assessment

Risk rank each audit area Discuss with management Allocate resources Allow for flexibility

Fashion Triangle for Internal Auditing

Anti-Fraud Programs

Fraud Risk Assessment Fraud Awareness Program Continuous Auditing and Monitoring Enterprise-Wide Hotline

Objectives of Fraud Risk Assessment

Evaluated the adequacy of select controls to mitigate fraud risks

Reviewed the oversight processes to prevent and detect fraudulent activity

Identified additional anti-fraud control enhancements

Benefits of Fraud Risk Assessment

Interaction with management Increasing management’s fraud

awareness

Business Process Owner

Fraud Schemes/Scenarios

Controls Monitoring

Stores Theft of merchandise Store access is secured and alarmed when not receiving merchandise or during “off” hours.Hotline established for use by employees to report theft issues.Written procedures related to physical security, shoplifting, and internal employee theft.

The following areas monitor these activities:Store, District and Regional ManagementStore, District, Regional and Home Office Loss PreventionInternal Auditing

Fraud Risk Matrix

Increasing Fraud Awareness

Established multi-department task force to oversee

Conducting awareness and ethics presentations

Red Flags of Fraud poster Senior Management presentations

to Audit Committee

Continuous Auditing

Continuous Monitoring

Monitoring Retail Store Operations

Short cash expense Bad check expense Purchase card expense POS information

Anti-Fraud Continuous Auditing

Matching vendor and employee name, address and telephone number

Identifying duplicate vendor invoices Identifying duplicate expenses –

travel

Establishing an Enterprise-Wide Hotline

Required as part of SOX 301 and 806 Means of anonymous communication

for employees and vendors Establishing Awareness programs No Retaliation Policy communication

Benefits of Outsourced Program

Online database of all call activity Automatic notification of call activity Available 24/7 Multi-lingual service Experienced operators Call monitoring

Steps to Take

Communicate what is expected of employees

Provide a safe mechanism to report concerns

Zero Tolerance for fraud

Questions?