Semi-Annual Audit, Compliance, and Enterprise Risk Management Update - PowerPoint PPT Presentation

Slides: 16
Provided by: ercotComc
Transcript and Presenter's Notes

1
Semi-Annual Audit, Compliance, and Enterprise
Risk Management Update
  • Steve Byone
  • Chief Financial Officer

2
Audit Update
3
Audit Update August 2007
  • The Internal Audit department has started working
    on the 2008 audit plan and program
  • When warranted, the program is augmented by
    external resources (i.e. IBM for Nodal)
  • External audits and reviews are also conducted
      • Financial audit
      • SAS 70 Type II
      • Benefit program audit
      • Security and other reviews
  • Management's formalized program to monitor audit
    findings and remediation plans is ongoing
      • Subset of Internal Control Management Program
        (ICMP)

4
Nodal Audits performed and completed in 2007
Audit name, followed by opportunities for improvements identified

1. Nodal Compliance with Procurement Guidelines
   Audit of ERCOT's compliance with Corporate Standards and good business practices in its procurement and selection of vendors for the Nodal Program
   Opportunities for improvements identified:
     • Subcontractor Contract Language in Professional Service Agreements
     • Billing Rate Ranges for the Preferred 7 Staffing Vendors
     • Procurement Metrics and Monitoring
     • Vendor Performance Monitoring
     • Audit Clauses in Professional Service Agreements

2. Nodal Signing Authority and Delegation of Authority
   Audit to determine whether the approvals to commit ERCOT funds are controlled and in compliance with the Corporate Standard and ERCOT's operating procedures
   Opportunities for improvements identified:
     • Invoice and Timesheet Approvals
     • Documentation regarding Single/Sole Source Contracts

3. Nodal Ethics Compliance
   Compliance Review of Nodal Program employees and contractors with ERCOT's Code of Conduct and Ethics Standards.
   Opportunities for improvements identified:
     • Nodal Work Spaces and Environment
     • Awareness of EthicsPoint (ERCOT's anonymous ethics reporting hotline)

4. Nodal Recruiting
   Review of the recruiting decision making process for staffing the Nodal Program and compliance with ERCOT's hiring and other applicable procedures
   Opportunities for improvements identified:
     • Minor concern regarding use of a long-term, staff augmentation contract worker

5. Nodal Employee Time Tracking and Direct Internal Labor Expense Calculations
   Audit of the recording of direct internal labor expenses to the Nodal Program
   Opportunities for improvements identified:
     • Implementation of Intended Cost Methodology
     • Employee Timesheets and Approvals

Legend - Report Rating
Audit Rating: Definition
  • Unsatisfactory: Controls are not functioning and/or fraudulent activities have been detected which will or have a material impact on both the financial statements and operations of the company.
  • Significant Improvements Needed: The control environment is lacking or has degraded since the last audit and is a contributing factor to non-achievement of business objectives. Immediate management actions need to be taken to address the control deficiencies noted.
  • Moderate Improvements Needed: Some controls are in place and functioning; however, several major issues were noted that could jeopardize the accomplishment of business objectives.
  • Minor Improvements Needed: Many of the controls are functioning as intended; however, some minor changes are necessary to make the control environment more effective and efficient.
  • Controlled: Controls are functioning as intended and no additional actions are necessary at this time.
5
Additional Nodal Audits Planned for 2007
  • Nodal Accounting
      • In Progress
      • To include allocation of support for Nodal vs.
        Zonal
  • Nodal Contractor and Vendor Billings
      • In Progress
      • Just getting started
  • Nodal Program Management Office
      • Not yet started
      • Targeted review of nodal program cost reporting
      • Planned for Q4 2007

6
Recent Audits Completed
  • External
  • Internal
7
August 2007 Recently Completed, Open and Planned
Audits
  • Audits Completed (last 3 months)
      • Internal Audits
          • PMO (Non-Nodal)
          • Contract Audit of 21st Century
          • Nodal Timetracking
          • Nodal Delegation of Authority
          • Employee Background/Reference Checks & Drug
            Screens (Targeted Review)
          • Nodal Procurement
      • External Audits
          • 2006 Final MPP
          • Texas Nodal Program Controls - Review 3
            (IBM-managed by IAD)
  • Open Audits
      • Internal Audits
          • Nodal Acctg./Allocation
          • Nodal Vendor Billings
          • Cash Investments
          • QSE Credit
          • Contractor Background/Reference Checks & Drug
            Screens
      • External Audits
          • 2007 SAS70 (PwC)
          • 2007 401K Audit (Maxwell, Locke & Ritter)
          • Texas Nodal Program Controls Review 4 (Managed
            by IAD)
  • Planned Audits (next 3 months)
      • Internal Audits
          • Nodal PMO (Targeted Review)
          • Congestion Mgmt./TCRs
          • Disaster Recovery Plan
          • Ethics Agreement Reaffirmation
          • Protocol/Market Guide Approvals/Revisions
          • Debt Financing
      • External Audits
          • Texas Nodal Program Controls Review 5 - IBM
            (Managed by IAD)
  • NOTE: Conducted by internal resources other
    than Internal Audit

8
Audit Update August 2007
Status of Open Audit Points
9
Compliance Update
10
Management Compliance Self Assessment
  • Management conducts regular self-assessments of
    compliance with:
      • applicable laws
      • regulations & protocols
      • contractual obligations
      • disclosure mandates
      • etc.
  • For each requirement, an assessment is made of
    whether the area is in compliance, substantially
    compliant, or not in compliance, with any
    non-yes answer requiring further explanation.
  • Each ERCOT Officer has completed a signed
    attestation as to the status of Compliance
    Requirements within their respective
    organizations

"Substantially Compliant" means compliance with
the essential requirements of a statutory provision,
standard, policy or procedure as may be
sufficient for the accomplishment of the purpose
thereof. As such, there may be an accidental
mistake or a good business reason for a minor
modification or deviation from the statutory
provision, standard, policy or procedure, but
this does not change the fact that substantial
compliance with the statutory provision,
standard, policy or procedure has been met.
11
Management Compliance Status Update
  • Details regarding areas deemed substantially in
    compliance are included in your Executive
    Session materials.

12
Management Compliance Next Steps
  • Continue to address Substantially Compliant
    items to move to Full Compliance in all areas
  • Progress report to F&A in November 2007
  • Continue quarterly signed Management Attestation
    as to the accuracy of the Compliance
    Certification Report
  • Next semi-annual review of compliance results
    with the Board of Directors in February 2008

13
Enterprise Risk Management Update
14
Enterprise Risk Management Update
  • ERCOT formalized its ERM program in 2005
  • Management reviews key enterprise risks on a
    monthly basis
  • Changes in management assessment of a key risk
    are reported to the Finance & Audit Committee
    monthly
  • Governance structure calls for a Board of
    Directors update semi-annually

15
August 2007 Risk Inventory Stoplight Report