Audit Committee Meeting September 19, 2002
The following material was used by PricewaterhouseCoopers LLP during an oral presentation and discussion. This document is incomplete as a record of the presentation without the accompanying oral comments.
Introduction
Unqualified opinion
PwC noted improvement and maturity in overall control structure. Fewer control issues were noted, higher compliance, and stronger management monitoring controls
Continuing increase in complexity of environment
PwC appreciates level of support and assistance from CAISO management and staff
It is time to consider SAS 70 Type II examination
SAS 70 – Terms
Controls can be:
monitoring
manual
application, or
system controls.
Control Objectives vs. Control Activities
Control objectives relate to fundamental business assertions about the data and processes being performed, such as:
Accuracy
Completeness
Authorization
Control objectives are presented in two categories:
Business process controls
General computer controls
Control activities are those specific activities which support the achievement of a control objective
The SAS 70 is essentially a confirmation that your control activities are meeting the stated control objectives
Why Produce a SAS 70 Report?
The strength and quality of the service organization’s controls affect a user organization’s ability to rely on them for its own financial information.
This dependency creates a need for the user organization to understand the service organization’s internal control structure.
The SAS 70 provides a standard method for a single auditor (the service auditor) to report on controls in a way that all user organizations and user auditors can use.
Why Do Organizations Need a SAS 70?
Extent of dependency on the service organization:
The control structure of a service organization may have an impact on the user organization’s financial statements depending on:
Degree of accountability
Degree of interaction
Nature and materiality of transactions processed
Dependency affects user organization's control structure
Greater dependency = greater need for user organization to understand the control structure of the service organization
Specifically, the need to protect market information means that not all information can be shared with the market participants – and as a result, they are highly dependent on the controls of the California ISO
Benefits of a SAS 70
The benefits to performing a SAS 70 examination are:
Documents and communicates the control structure of the service organization
Facilitates market understanding and transparency of market operations
Provides an independent opinion on the operating effectiveness of the control structure
Assists user organizations and their user auditors with audit planning
Avoids over-auditing
Who Else Gets a SAS 70?
Examples of other Service Organizations that use SAS 70s:
Other ISOs (e.g. PJM, ERCOT, ISO NE, NYISO, MISO)
Trust departments of banks and insurance companies
Information technology facilities managers
Value added network (VAN) providers and transaction clearing houses
Insurers that maintain accounting for ceded reinsurance
Mortgage services that service loans for others
Payroll service providers
SAS 70 Reporting Alternatives
The SAS 70 standard provides for two types of reports on internal control structures of service organizations:
Type I
On design of controls in place at a point in time.
Type II
On design and effectiveness of controls in place for a period of time with details of tests performed. (Typically performed after a period of market and systems stability)
The CAISO SAS 70 (Type I) report is as of April 30, 2002.
SAS 70 Report Structure
A SAS 70 report includes four components:
One - Opinion (Report of Independent Accountants)
Two - Description of service organization’s processes and controls placed in operation
Descriptions of processes and environment
Control objectives and control activities
User control considerations
Three - Supplemental information (from service auditor or service organization)
Four - Glossary
SAS 70 Opinion
The SAS 70 opinion concludes that:
Type I
The description presents fairly in all material respects the controls of the service organization.
The controls have been suitably designed to provide reasonable assurance that the specified control objectives would be achieved if those controls were complied with as at a specific date.
Type II
The controls tested were operating with sufficient effectiveness to provide reasonable assurance that the control objectives were achieved over a period of time.
Summary of Scope
Included in the SAS 70 examination scope:
All business processes and general controls that directly impact financial market settlement;
Processes that are otherwise “invisible” to the members and upon which they must rely on CAISO for controls.
Not included in SAS 70 examination scope:
Operator and control room decisions (real time operation of the grid and RMR use)
Meter data quality from non-ISO metered entities
Pricing algorithms (Congestion and BEEP)
Dispute resolution process
Certain charge types not in use (Black Start, Overgeneration, Discretionary Load Curtailment, Market Uplifts)
Processes Included in Current SAS 70
General Computer Controls
IT Organization and Operations Controls
Change/Configuration Management
Access Security
System Interfaces/Data Flows
Global Business Processes
Scheduling and Bidding
Metering
Settlements and Billing
Cash Clearing
Charge Type Specific Business Processes
Ancillary Services Reserve
Real Time Energy Dispatch
Real Time Intra-Zonal Congestion
Inter-Zonal Congestion
Firm Transmission Rights
Transmission Access Charges
Wheeling Services
Reliability Must Run
Long Term Voltage Support
Grid Management Charge
Neutrality Adjustments
Rounding Adjustment
Unaccounted For Energy
FERC Fees
Events and Issues Encountered
This past year and a half (since the last SAS 70 report) has been particularly eventful. Some examples of events and changes, and how this SAS 70 report is impacted, are as follows:
Market changes
Several new charge types – covered by SAS 70 report
Changes to price constraints/caps – control environment is covered by SAS 70 report
Policy issues surrounding such changes – not covered
Grid operation changes
CERS interface – many changes have come and gone and therefore are not covered by point-in-time SAS 70 reports; covered in Operational Audit;
Must Offer – covered in Operational Audit
Emergency transactions not executed through normal systems
No emergency conditions on or around April 30, 2002 – not covered by SAS 70 report
Cash Settlement changes
Return to dual invoicing – covered by SAS 70 report
CERS payments – covered by SAS 70 report
CERS catch-up payments distributed in early 2002 – not covered by SAS 70 report; however covered by special report
Policy issues surrounding interest payments to market – not covered by SAS 70 report
Results of SAS 70 Examination
Opinion
PwC issued an unqualified (clean) opinion
Control activities, as described, are in place at April 30, 2002 and are adequately designed to meet the ISO’s identified control objectives
Opinion and structure of report are similar to prior SAS 70 reports
PwC Observations
Number of issues that needed to be addressed/resolved – lower than in prior years
Specific improvement in monitoring controls – an example is the Market Quality Group
The level of complexity of ISO’s markets and transaction systems continues to increase
Considering a SAS 70 Type II Report
Since inception of the markets in March 1998 the ISO has had four SAS 70 Type I reports, all issued with an unqualified opinion by PwC.
Over this time the ISO has experienced frequent change in its market design, business process, and IT systems.
During this time the controls culture and the business operations of the CAISO have experienced:
General evolution towards maturing controls (since April 1998)
Stress with market problems (primarily - early 2001)
Recovery, maturity and recommitment to sustained control environment (since mid-2001)
We understand ISO management is considering a SAS 70 Type II report for 2003.
PwC strongly encourages the ISO to progress to a SAS 70 Type II report in 2003.
A SAS 70 Type II report is substantially more meaningful to the market participants since it covers controls over a period of time (usually a year), not a point in time
A SAS 70 Type II is the expected standard of reporting for companies after their initial period of operations
A SAS 70 Type II report will evidence the organization’s achievement of a sustainable and mature control environment reflective of an organization that is fully serving its fiduciary responsibility to its market.
This is consistent with management’s refocus on the core functions of the ISO.
Closure
Introduction – Highlights of presentation material
Overview of SAS 70 reporting – Technical description of a SAS 70 examination
Scope of this SAS 70 report – Specific coverage of this report
Results of this SAS 70 examination – Clean opinion; improved controls
Looking Ahead – To a SAS 70 Type II Report
Questions