SAS 70 Third Party Report on Controls Overview and Timetable Finance / Audit Committee Meeting Austin, Texas January 14, 2003/ February 18, 2003

PricewaterhouseCoopers 2 Agenda Overview of Project Scope and Results Scope of Project Summary of Report Commentary on Results of Testing Looking Forward

PricewaterhouseCoopers 3 Overview of Project Scope and Results Project is complete Final draft report issued last week Final report to be issued this week (perhaps today) Opinion is unqualified Scope of report is consistent with plan – described to the Committee in July (in depth)

Scope of Project 4

PricewaterhouseCoopers 5 Scope of Project – Reporting Structure What is a SAS 70 report? It is a report on internal controls based on a standard reporting structure. It is commonly referred to as a SAS 70 Report – named after the auditing standard that defines the reporting framework of an internal control examination for service organizations that must be relied upon by its users/members/participants. The Auditing Standard The American Institute of Certified Public Accountants (AICPA) Statement on Auditing Standards (SAS) No. 70: Reports on the Processing of Transactions by Service Organizations

PricewaterhouseCoopers 6 Market Operations Power Operations Load Prof., Data Acq. and Agg. Settlement, Billing & Finance Registration Business Process Controls Meter Data Acquisition Meter Data Aggregation Losses and UFE Ancillary Services Balancing Energy Replacement Reserve Revenue Neutrality Black Start Other Fees Statements, Invoicing and Clearing Market Participant Registration Scheduling and Bidding Verbal Dispatch Instructions Transmission Control Rights Processes Included in SAS 70

PricewaterhouseCoopers 7 Communications and IT Infrastructure General Controls Organization and Administration Logical Security Physical Security Configuration Management Computer Operations Processes Included in SAS 70

PricewaterhouseCoopers 8 Summary of Scope Included in the SAS 70 scope: All business processes and general controls that impact or affect financial wholesale market settlement; Processes that are otherwise invisible to the members and upon which they must rely on ERCOT for controls. Not included in SAS 70 scope Operator and control room decisions Congestion pricing calculations Dispute resolution process Retail operations and customer switching

PricewaterhouseCoopers 9 Summary of Scope SAS 70 Scope

Summary of Report 10

PricewaterhouseCoopers 11 Summary of Report Section One – PwC opinion Section Two – Description of processes and related control objectives and activities Section Three – User control considerations Section Four – Additional information Section Five - Glossary

PricewaterhouseCoopers 12 SAS 70 Opinion PwCs Unqualified Opinion states that: The description presents fairly, in all material respects, the ERCOTs controls for the identified processes. The controls have been suitably designed to provide reasonable assurance that the specified control objectives would be achieved if those controls were complied with as at a specific date. And

PricewaterhouseCoopers 13 Section Two – the Core of the Report Overview information - including ERCOTs governance, oversight functions, and general control environment Business processes - Generally comprising Settlements related functions (example meter data aggregation) - 14 business processes in total Information system processes - Representing IS infrastructure activities (example configuration and change management) – 6 functional areas in total

PricewaterhouseCoopers 14 Section Two – the Core of the Report Each of the 20 process descriptions is organized as follows: - Narrative description - Control objectives - Control activities In summary, PwCs report addresses the adequacy of the reported control activities to support the stated control objectives that are presented in this section

Commentary on Results of Testing 15

PricewaterhouseCoopers 16 Results of SAS 70 Execution in accordance with plan: Consistent with plan presented to the Committee in July 2002 October 31, 2002 as of date Unqualified opinion Scope as planned – with some relatively minor additions for late developments (example – RMR) Management took full responsibility: Responsible for control environment Responsible for report content

PricewaterhouseCoopers 17 Review of SAS 70 Timeline Mar 02: SAS 70 Initial Development of Control Objectives Apr 02: SAS 70 Readiness Exercise Business Processes – in good shape, most ready for SAS 70 testing General Controls – some control processes needed further documentation and refinement. Jun - Aug 02: SAS 70 Preparations Ongoing management efforts to complete readiness for SAS 70 PwC involved in real-time review of improvements as they are implemented Sep - Oct 02:SAS 70 Testing Oct 31, 2002: SAS 70 Type 1 Report as of Date Jan 03:Report Issuance The project began almost 10 months ago

PricewaterhouseCoopers 18 Results of SAS 70 PwC Observations: ERCOT management and staff were responsive to PwCs findings and recommendations identified during the audit process; Certain of ERCOTs Settlement Processes are best practice; We will issue an letter to management with recommendations for further strengthening and improvement of controls; The level of complexity of ERCOTs markets and transaction systems will continue to increase.

Looking Forward 19

PricewaterhouseCoopers 20 SAS 70 Reporting Alternatives The SAS 70 standard provides for two types of reports on internal control structures of service organizations: Type I On design of controls in place at a point in time. This is the report ERCOT is issuing Type II On design and effectiveness of controls in place for a period of time with details of tests performed. (Typically performed after a period of business and systems stability)

PricewaterhouseCoopers 21 Looking Forward ERCOT should plan to evolve to a Type 2 environment (perhaps in 2004); factors to consider: Stability of processes Resource requirements - time and costs Resulting process improvement Value of report What ERCOTs peers are doing PwC to present broad-based 2003 Assurance Plan at next Committee meeting

Questions? 22

PricewaterhouseCoopers 23