May 16, 2005

Honorable Phil King
Chairman, Committee on Regulated Industries
Texas House of Representatives
P.O. Box 2910
Austin, TX 78768

Dear Chairman King:

The recent letter from the Comptroller to Texas House members has raised questions about ERCOT’s vulnerability to fraud. This is to update you on the efforts we have made and continue to make to detect and prevent fraud in our organization.

ERCOT management first identified fraudulent acts in early 2004 and has been committed to supporting law enforcement and prosecutors in their investigations from the beginning. ERCOT acted quickly to terminate the employees who abused their positions and betrayed the trust of ERCOT and the public, and has supported all efforts of the authorities in their investigations by providing all support requested. I am certain the officials of the Department of Public Safety, the Office of the Attorney General, the Williamson County District Attorney’s Office, and others will corroborate our full cooperation.

I have every confidence that these authorities have been thorough in their work The progress to date is evident — including indictments issued by a specially empanelled grand jury that focused exclusively on alleged criminal activity at ERCOT. We have dedicated hundreds of hours of staff time and delivered thousands of pages of documents to law enforcement officials — including all requested documents and many others identified by ERCOT as being potentially valuable in identifying fraudulent acts.

Throughout this process and under the direction of a Special Committee of the ERCOT Board, we have continued our own investigations into other areas of potential fraud. Our objective is to satisfy ourselves and our Board of Directors that we have thoroughly reviewed our vulnerability and identified any potential criminal acts by other parties. We are working with the authorities to provide any additional information they need in support of their prosecution efforts.

In addition, our internal audit staff has conducted reviews of all contract files that were active when the fraud was identified, as well as reviews of human resource-related issues and expense-related items. The internal audit staff reports directly to the Finance & Audit Committee of the Board and upon request has provided reports to the Special Committee.

I also want to emphasize ERCOT’s response to the prompt and thorough action of our oversight authority, the Public Utility Commission, which immediately ordered three audits by independent audit firms. These audits investigated whether the fraudulent conduct compromised ERCOT’s security, and assessed the status of the control and security structures that made ERCOT vulnerable to the fraud. Two of the audits focused on management practices and business processes:

• Deloitte and Touche tested the internal controls around ERCOT’s administrative business processes vulnerable to the suspected fraud — with a particular focus on human resources and contract management. The initial scope of the project was expanded to include testing of areas considered highly susceptible to fraud, including a review of ERCOT’s fixed assets, Lawson security, change management, and control configuration. Deloitte issued an interim report on November 15, 2004 and a final report on March 15, 2005.
• Ernst & Young assessed ERCOT’s security profile and identified actions to improve its IT and physical security. The report was issued November 15, 2004.

While both of these reviews identified a number of internal control and security issues that could create vulnerability to fraud or abuse, neither identified actual incidents of fraud or abuse other than those already known.

Even before the reports were issued, ERCOT began taking specific action to prevent future abuse including the remediation of the issues as they were identified to reduce ERCOT’s vulnerability. The work performed by these firms now provides the foundation for major efforts to improve the design and operating effectiveness of key internal controls across our organization, including fraud prevention and detection. We realize we must meet or exceed a higher standard of internal controls than ever before, and are now deeply engaged in correcting the issues and achieving this goal.

ERCOT’s anti-fraud program consists of the following elements:

• Internal Control Management Program. ERCOT is building fraud prevention and detection controls into the internal controls of its day-to-day activities and functions. The anti-fraud measures are focused on the areas of the organization most vulnerable to fraudulent activity, enabling management to actively identify and deter fraud. The PUC and ERCOT retained Deloitte and Touche to assist in the development of this program, which is built upon the COSO framework and industry best practices.
• Enterpiise Risk Assessment. ERCOT is conducting an organization-wide risk assessment, using the internal control review conducted by Deloitte and Touche as a foundation, with the goal of understanding risks and potential inside and outside threats that affect the organization. We are developing and implementing action plans to prevent, detect, and mitigate these risks.
• Internal Audit. ERCOT has strengthened its internal audit function, adding in January an Anti-Fraud Specialist with over 10 years of fraud investigation experience to conduct fraud reviews. A monitoring program is being implemented to identify and follow up on potential areas of risk for fraud and abuse, with reviews focused on analyzing transactions and investigating anomalies. In addition, the internal audit staff and management periodically review, identify and assess risks related to ERCOT’s business processes.
• Ethics hotline. ERCOT in mid-2004 established an employee hotline (phone and web-based) available to employees and any other concerned party to report anonymously issues about ERCOT, including suspected fraud. An independent third party monitors the reports, which are then investigated, logged and tracked by the Internal Audit Department, and confidentially reported monthly to the ERCOT Board’s Finance and Audit Committee.
• Ethics Agreement and Business Conduct. In addition to employees executing an Ethics Agreement upon employment, all employees are required to reaffirm their compliance and adherence to ERCOT’s ethics policies on an annual basis by signing an Ethics Reaffirmation. Ethics issues are covered in detail during new employee orientation.

While some have alluded to other potential acts of fraud or abuse, no new information related to any specific incidents has been communicated to ERCOT. No organization can ever be fully immune from fraud, but we can assure you that ERCOT is working very hard to put in place strong processes for detecting and preventing fraud and managing corporate risk. We expect our efforts to be validated in 2006 when the PUC directs follow-up audits to verify the adequacy of our internal control processes, including fraud prevention and detection.

ERCOT has made great strides toward becoming an operating organization committed to strong internal controls and business processes, and we will not be satisfied until we have regained the full trust and confidence of policymakers and the public. Please let me know if I can answer any questions or provide any additional background.

Sincerely,

(Original signed)

Thomas F. Schrader
President and CEO