Social Supply Chain (2021 ESG Report, page 59)

Social Monitoring Visits Explained

We rely on three professional, independent, third-party audit firms to evaluate facility partner compliance with our Terms of Engagement. These auditing professionals are able to speak the language of the workers and management and have extensive experience monitoring social compliance on behalf of international customers. Facilities are evaluated for compliance on a regular basis. Completion of our full audit program requires a minimum two-day visit. Follow-up audits are traditionally completed in one day. We reserve the right to review vendor partner facilities and conduct unannounced on-site inspections.

Once a facility is deemed compliant with our Terms of Engagement, we apply a facility risk rating system based on the facility’s performance. The categories are low risk (green), medium risk (yellow), elevated risk (orange) and high risk (red). Using this risk-based approach, a facility may be subject to more regular audits. The following factors are used during our risk assessment:

• Social conditions in the geographic location of the facility
• Facility management commitment toward social compliance
• Historical audit results of both vendor partner and facility (social, sustainability and CTPAT performance, as applicable)
• Open-source information
• Potential issues reported via public media

The Facility Audit Process Explained

When our auditors arrive at a facility, they conduct an opening meeting with management to review our Terms of Engagement. If access to the facility is denied, the auditor immediately notifies us. The Factory Compliance team researches facility management’s reason for denying access and determines whether the facility will be granted another visit. If so, the Factory Compliance team plans an unannounced visit. After the opening meeting, the facility is toured, and workers are randomly selected to be interviewed.
Worker interviews are conducted privately in their local language. The content of worker interviews is kept strictly confidential from the facility and vendor partner(s). In addition, a detailed review of the facility’s worker time cards and wage payments is conducted, and other business records are reviewed to evaluate compliance with our Terms of Engagement. In particular, age verification documentation is reviewed to ensure that facility management does not employ child labor and that conditions of employment are voluntary.

During each facility visit, our independent auditor documents any potential noncompliance with our Terms of Engagement. At the conclusion of a facility inspection, the auditor summarizes and discusses instances of noncompliance with facility management for immediate corrective action. The audit report is sent to the Factory Compliance team for review, and we work with our vendor and facility partners to implement corrective action plans. Third-party follow-up audits are performed, as needed, to monitor the noncompliance remediation process.

When our assessments identify noncompliance issues, we categorize them as major or minor, based on the severity of the violation and the level of risk to workers. We then take appropriate action, which will include working with our vendor and facility partner(s) to ensure adequate steps are taken to address the noncompliance violation, facilitate training, cancel affected orders and/or review future orders, conduct third-party investigations or terminate the business relationship. Whenever possible, we work toward improvement and attempt to bring noncompliant facilities into compliance rather than terminate the business relationship.

[Figure: Kohl’s Social Compliance Risk Distribution for Active Facilities. Categories shown: Low Risk, Medium Risk, Elevated Risk, High Risk. Values shown: 77%, 16%, 5%, 2%.]
Kohl's 2021 ESG Report