SAS 70 Third Party Report on Controls Overview and Timetable Finance / Audit Committee Meeting Austin, Texas January 14, 2003/ February 18, 2003

Mar 31, 2015


Bryan Windham

SAS 70 Third Party Report on Controls

Overview and Timetable

Finance / Audit Committee Meeting

Austin, Texas

January 14, 2003 / February 18, 2003


PricewaterhouseCoopers 2

Agenda

• Overview of Project Scope and Results

• Scope of Project

• Summary of Report

• Commentary on Results of Testing

• Looking Forward


Overview of Project Scope and Results

Project is complete

Final draft report issued last week

Final report to be issued this week (perhaps today)

Opinion is unqualified

Scope of report is consistent with plan – described to the Committee in July (in depth)


Scope of Project


Scope of Project – Reporting Structure

What is a SAS 70 report?

It is a report on internal controls based on a standard reporting structure.

It is commonly referred to as a SAS 70 Report – named after the auditing standard that defines the reporting framework of an internal control examination for service organizations that must be relied upon by their users/members/participants.

The Auditing Standard

The American Institute of Certified Public Accountants’ (AICPA) Statement on Auditing Standards (SAS) No. 70: Reports on the Processing of Transactions by Service Organizations


Market Operations

Power Operations

Load Prof., Data Acq. and Agg.

Settlement, Billing & Finance

Registration

Business Process Controls

• Meter Data Acquisition

• Meter Data Aggregation

• Losses and UFE

• Ancillary Services

• Balancing Energy

• Replacement Reserve

• Revenue Neutrality

• Black Start

• Other Fees

• Statements, Invoicing and Clearing

• Market Participant Registration

• Scheduling and Bidding

• Verbal Dispatch Instructions

• Transmission Control Rights

Processes Included in SAS 70


Communications and IT Infrastructure

General Controls

• Organization and Administration

• Logical Security

• Physical Security

• Configuration Management

• Computer Operations

Processes Included in SAS 70


Summary of Scope

Included in the SAS 70 scope:

• All business processes and general controls that impact or affect financial wholesale market settlement;

• Processes that are otherwise “invisible” to the members and upon which they must rely on ERCOT for controls.

Not included in SAS 70 scope:

• Operator and control room decisions

• Congestion pricing calculations

• Dispute resolution process

• Retail operations and customer switching


Summary of Scope

[Figure: "ERCOT - Overview" diagram marking the SAS 70 scope. Key: Input, File, System, Output. Labelled elements: Market Participant, REGN, Client Services, Legal, Operations, Load Profiling & Data Aggregation, QSE, Metered Entity, ERCOT Polled Meters, TDSP Meters, MV 90, Meter Data Aggregation, Load Profiling, Market Database, Power Operating System (POS), Market Operating System (MOS), Settlement & Billing, Settlements (Lodestar). Labelled flows: Registration Information, Registration Data, Meter Data, Telemetry Data, Control Data, Market Data, Settlement Data, MOS to BE File, Settlement Statements & Invoices, Payments.]


Summary of Report


Summary of Report

Section One – PwC opinion

Section Two – Description of processes and related control objectives and activities

Section Three – User control considerations

Section Four – Additional information

Section Five – Glossary


SAS 70 Opinion

PwC’s Unqualified Opinion states that:

The description presents fairly, in all material respects, ERCOT’s controls for the identified processes.

And

The controls have been suitably designed to provide reasonable assurance that the specified control objectives would be achieved if those controls were complied with as at a specific date.


Section Two – the Core of the Report

Overview information - including ERCOT’s governance, oversight functions, and general control environment

Business processes - Generally comprising Settlements related functions (example meter data aggregation) - 14 business processes in total

Information system processes - Representing IS infrastructure activities (example configuration and change management) – 6 functional areas in total


Section Two – the Core of the Report

Each of the 20 process descriptions is organized as follows:

• Narrative description

• Control objectives

• Control activities

In summary, PwC’s report addresses the adequacy of the reported control activities to support the stated control objectives that are presented in this section


Commentary on Results of Testing


Results of SAS 70

Execution in accordance with plan:

• Consistent with plan presented to the Committee in July 2002

• October 31, 2002 “as of date”

• Unqualified opinion

• Scope as planned – with some relatively minor additions for late developments (example – RMR)

Management took full responsibility:

• Responsible for control environment

• Responsible for report content


Review of SAS 70 Timeline

Mar 02: SAS 70 Initial Development of Control Objectives

Apr 02: SAS 70 Readiness Exercise

• Business Processes – in good shape, most ready for SAS 70 testing

• General Controls – some control processes needed further documentation and refinement.

Jun - Aug 02: SAS 70 Preparations

• Ongoing management efforts to complete readiness for SAS 70

• PwC involved in real-time review of improvements as they are implemented

Sep - Oct 02: SAS 70 Testing

Oct 31, 2002: SAS 70 Type 1 Report “as of” Date

Jan 03: Report Issuance

The project began almost 10 months ago


Results of SAS 70

PwC Observations:

ERCOT management and staff were responsive to PwC’s findings and recommendations identified during the audit process;

Certain of ERCOT’s Settlement Processes are “best practice”;

We will issue a letter to management with recommendations for further strengthening and improvement of controls;

The level of complexity of ERCOT’s markets and transaction systems will continue to increase.


Looking Forward


SAS 70 Reporting Alternatives

The SAS 70 standard provides for two types of reports on internal control structures of service organizations:

Type I

On design of controls in place at a point in time.

This is the report ERCOT is issuing

Type II

On design and effectiveness of controls in place for a period of time with details of tests performed.

(Typically performed after a period of business and systems stability)


Looking Forward

ERCOT should plan to evolve to a Type 2 environment (perhaps in 2004); factors to consider:

• Stability of processes

• Resource requirements - time and costs

• Resulting process improvement

• Value of report

• What ERCOT’s peers are doing

PwC to present broad-based 2003 Assurance Plan at next Committee meeting


Questions?
