What Do Changing Companies Experience? Control Transition Model “We’re in control” Turnover Business Changes Rapid Growth Lack of Emphasis System Changes Lack of Recognition Efficient Effective Control Environment “Blind Spot” Errors Overlook Ignore Inefficient Ineffective Detection Audit Surprise Aware Unaware

Internal Control Activities Key Activities to Mitigate Risks Transition Control Concerns Internal Control Activities Area of Concern Key Activities to Mitigate Risks Cash Control Fraud Payment Errors and Omissions Unauthorized Purchases and Expenses Formation of an enterprise wide Cash Committee for oversight & authorization New cash management process Deployment of cash forecasting system Asset Protection Exit Procedures Disgruntled Employee Acts Malicious Third Party Attacks Theft of Intellectual Property Proactive monitoring of security termination activities Increased penetration testing of likely access points Oversight of e-mail blocking and quarantining processes Heightened levels of network and employee monitoring Data Integrity Authorized System Changes Loss of Data Availability of Systems Technology Segregation Application development activities halted –critical maintenance only Oversight and quality assurance of all application security cleanup efforts Oversight of plans for technology separation between “New Company” & “Estate” systems As opposed to policy development, business continuity planning, application context diagramming

Transition Control Concerns Cash Management Cash Disbursements End Time: 7:30 A.M. Cash Committee End Time: 10:00 A.M. Intraday Emergency Requests Purchase Goods and Services iBuyit Daily BU Payables Reports Invoice Receipt iPayit SAP “Cash Czar” Review Cash Committee Approval Treasury Funding Business Activity Settlement Systems Cash Forecasting End Time: 4:00 P.M. As opposed to policy development, business continuity planning, application context diagramming Forecast Reports Daily BU 5 Day Forecasting Treasury Cash Forecasting Document Retention CAO/Delegate approval of all items CAO/Delegate review and modification Executive Approval

Current Control Environment Trading & Risk Management Controls Status Current Control Environment Seriously impacted by current events but essential elements remain in place for control Many control processes were heavily dependent on people Risk books not updated daily Cancelled/terminated contracts not immediately reflected in positions Heavy focus of talent and effort on “Netco” Requirement remains to maximize the value of Enron’s estate: Includes success of “Netco” Also includes orderly wind-down and maximization of existing positions and assets sales in The Estate As opposed to policy development, business continuity planning, application context diagramming

Trading and Portfolio Management (Commodity and Related) Assessment by Major Business Unit Trading and Portfolio Management (Commodity and Related) Americas EIM EGM EES EGS Wholesale Significance Overall Deal Execution and Capture Valuation Activities Trading Operations Portfolio Monitoring, Analysis & Management Overall Comments Less mature businesses have excessive manual processes and less robust systems Curve validation processes exist but are inconsistent. An effort is underway to establish a consistent methodology and to document the process. Multiple instances were identified in which the limits reported in the Daily Position Report did not agree to limits approved in the Risk Management Policy or policy addendums maintained by Market Risk Management. Credit risk analyses are incomplete and do not aggregate credit risk components from Enron Energy Services, Enron Broadband Services and Enron Metals Value at Risk and credit exposure analyses may be incomplete or inaccurate as data transfers and data collection processes may fail due to complex aggregation principles applied to the analysis. Exception reporting or validation reports are not consistently used to determine the completeness and accuracy of data in the analysis Significant transactions, including (1) transactions executed by Global Finance and Corporate Development and (2) transactions that do not include initial cash outlay, such as total return swaps, tilted swaps or embedded debt financing, may not be approved by RAC through the DASH process and detective controls are not in place to identify such deals. EES There is no consistent process in place for independent validation of Retails EAM volumetric, timing and capital assumptions. EES There is currently no process in place to ensure that flash to actual differences are reconciled on a timely basis and that procedures are modified to mitigate future flash to actual differences. EES There is no consistent process in place to ensure that Retail unaccounted for gas volumes are reconciled and billed on a timely basis. As of September 30, 2001 there was a total of $55 M gas point volume variances. EES There is no process to volumetrically balance Retail power commodity purchased, scheduled, metered, and billed volumes to ensure accurate billing and accounting for power transactions. EES There is no consistent process in place for validation of Retail tariff curves. (Repeat) EES There is currently no process in place to reforecast the volumetric positions in the commodity risk books (i.e. adjust forward position upon analyzing actual usage data). (Repeat) Risk Management Policy – Trader acknowledgements have not been obtained. Process to communicate limits from the board to the daily position report personnel has not been established. Processes have not been established to ensure traders do not trade on their own personal accounts in markets for which they transact for the company. L M H L M H Significance of business unit activity Control Assessment

Trading and Portfolio Management (Merchant and Other Investments) Assessment by Major Business Unit Trading and Portfolio Management (Merchant and Other Investments) Americas EIM EGM EES Wholesale Significance Overall Deal Origination Valuation Activities Portfolio Monitoring, Analysis & Management Overall Comments There is inconsistent classification of merchant assets included in the Merchant Portfolio Report (MPR). In addition, the definition of “merchant” for inclusion in the MPR is unclear, resulting in variances in accounting treatment across business units for assets included on the report. What does this include: companies that are not wholly owned by Enron. Examples include: ETOL, Dabhol, Elektro, Cuiaba, TGS, etc. Business units are currently valuing all inventory associated with trading activity to the spot rate, except for natural gas inventory, which is valued at the Weighted Average Cost of Gas (WACOG). No documentation exists for the inconsistency in this inventory valuation methodology L M H L M H Significance of business unit activity Control Assessment

Assessment by Major Business Unit Systems Net Works Europe EES EGS Significance Overall Access Integrity Availability Overall Comments Lack of business continuity plans for trading systems and processes. Plans for 2002 have been put on hold. Application security administration processes, such as password aging and access control list review, need improvement. Network administration processes are effective. Infrastructure security of devices and operating systems is has improved significantly over the past two years. Overall, it is good. Enron Intelligent Network security issues have been addressed. Entry, Transfer, and Exit Procedures require improvement. Initiatives are on hold. L M H L M H Business Unit Dependence on Information Technology Control Assessment

Assessment by Major Business Unit Other Basic Controls Americas EIM/EGM Europe EES EGS Corp Wholesale Significance Overall Comments Many policies and procedures tend to be informal throughout the organization. Examples include: required reconciliations, transfer procedures, entry and exit procedure, communication of limits, review of AR/AP balances, authority limit reviews, confirmation follow up procedures. There are no defined requirements for inclusion of Government/Regulatory Affairs on DASH (i.e. dollar amount, regions, countries, etc.) Deals on which Government/Regulatory Affairs is not included may result in unidentified risks and incorrect quantification of risks associated with Government/Regulatory issues. Purchasing and Payable controls, although improved from prior years, allow for high dollar approval thresholds and the ability of individuals to order, purchase and approve payments without any secondary approval. Within their approved dollar limit. A large number of cash accounts and other balance sheet accounts have not been reconciled.