I. Introduction to Kiodex - PowerPoint PPT Presentation

Slides: 24
Provided by: kio9
Transcript and Presenter's Notes

1
I. Introduction to Kiodex
  • Kiodex delivers a Web-services platform that
    helps 70 corporations:
      • Measure commodity price risk and benchmark it
        against corporate objectives
      • Design and execute optimal hedging strategies and
        reduce hedging costs
      • Use independent, transparent market data for
        pricing, analytics and reporting
      • Generate internal and external reports
      • Comply with FAS 133 / IAS 39 accounting standards
      • Comply with Sarbanes-Oxley
  • Offices in NYC and Houston
  • Kiodex recently received the award for 2003
    Energy Innovation of the Year by Energy and
    Power Risk Management

2
I. Introduction to Kiodex
3
Introduction of Panel Members
PwC
Sarbanes-Oxley Act of 2002: Compliance with
Section 404 for Energy Companies
April 2004
The information and considerations
presented herein do not constitute legal or any
other type of professional advice. Companies are
encouraged to consult with legal counsel
concerning their responsibilities under and
compliance with the Sarbanes-Oxley Act of 2002
and related Securities and Exchange Commission (SEC)
rules and regulations.
4
Presentation Roadmap
  • The Sarbanes-Oxley Act: Sections 404 and 302
    Overview
  • Observations on 404 and the Energy Industry
  • System Issues Related to 404
  • PwC's Approach to Preparing for Section 404
    Compliance
  • Q&A: 30 Minutes

5
Why Sarbanes Oxley?
6
The Sarbanes-Oxley Act of 2002: Sections 404 and
302 Overview
7
The Need for Action? By When?
  • "If you have not yet started to prepare for the
    internal control evaluation, begin working on it
    immediately."
    --Speech by Scott A. Taub, Deputy Chief
    Accountant, U.S. Securities and Exchange
    Commission, May 29, 2003
  • 404 Deadline: Most domestic issuers, for fiscal
    years ending after November 15, 2004

8
What Is It?
  • Section 404 requires an annual report by
    management regarding the effectiveness of
    internal control over financial reporting, and
    an attestation by the company's auditors as to
    the accuracy of management's assessment.
  • Management's report to include:
      • Assessment of controls over initiating,
        recording, processing and reconciling accounts,
        transactions, and disclosure and related
        assertions in financials; the selection and
        application of appropriate accounting policies;
        the prevention, identification, and detection of
        fraud
      • Management's assessment of the effectiveness of
        such controls
      • Identification of the framework used to evaluate
        effectiveness.
  • The registered public accounting firm's
    attestation report must be filed as part of the
    annual report.
  • Scope of auditor's work will include independent
    testing of controls as well as testing of
    management's assessment process
  • Scope of controls testing will include testing
    over areas involving judgements and estimates
  • COSO is an accepted standard for management's
    assessment.
  • See graphic on next page

9
The Five Components under the COSO Framework
  • Control Activities
      • Policies/procedures that ensure management
        directives are carried out.
      • Range of activities including approvals,
        authorizations, verifications, recommendations,
        performance reviews, asset security and
        segregation of duties.
  • Monitoring
      • Assessment of a control system's performance over
        time.
      • Combination of ongoing and separate evaluation.
      • Management and supervisory activities.
      • Internal audit activities.
  • Control Environment
      • Sets tone of organization, influencing control
        consciousness of its people.
      • Factors include integrity, ethical values,
        competence, authority, responsibility.
      • Foundation for all other components of control.
  • Information and Communication
      • Pertinent information identified, captured and
        communicated in a timely manner.
      • Access to internal and externally generated
        information.
      • Flow of information that allows for successful
        control actions from instructions on
        responsibilities to summary of findings for
        management action.
  • Risk Assessment
      • Risk assessment is the identification and
        analysis of relevant risks to achieving the
        entity's objectives, forming the basis for
        determining control activities.

All five components must be in place for a
control to be effective.
10
Section 404 Attestation vs. Audit of Financial
Statements
  • Audit of Financial Statements
      • Understanding and consideration of internal
        controls only to develop the audit approach
      • Overall objective is the rendering of an opinion
        on the financial statements, not to opine on
        internal controls
      • Internal control reports have been very rare in
        practice and are the subject of different
        professional standards
  • 404 Attestation
      • 100% controls-based approach
      • Must evaluate and test controls across business
        and functional areas to opine on effectiveness
        (broad and deep) over financial reporting.
  • Lack of errors, historically, in financial
    statements is not de facto evidence, unto
    itself, of an appropriate internal control over
    financial reporting.

11
Update on 404 and the Energy Industry
12
Few Companies Had Appropriate Documentation
  • Although processes and controls are well
    understood in many parts of the business, there
    is limited documentation of:
      • The actual processes involved: policies and
        procedures
      • The monitoring of controls to ensure that they
        are in compliance
  • Process definitions may be inappropriate
      • The actual definition of significant processes
        may have been done by senior management that was
        far removed from the trading business; as such,
        many processes in trading were overlooked or not
        thought to be significant.
      • A more logical process breakup (i.e. relevant
        activities from deal execution to settlement)
        would have ensured greater control coverage
  • Non-routine processes are poorly documented or
    understood. For example:
      • Balancing with LDCs for retail marketing and with
        pipelines for the gas business; these can be very
        material numbers in peak seasons.

13
Wholesale / Trading Activities Need Most
Remediation Documentation
  • There tends to be the least up to date existing
    documentation of organizational processes
  • Formal trading policies are not established or
    do not reflect management's current risk appetite
    to provide guidance regarding authorized
    transactions, processing of transactions and
    recording of transactions
  • The trading business may have many contracts
    which require specialized or manual accounting
    processes
  • Companies often do not consider all types of
    transactions that they may be processing,
    including different commodity types or both
    financial and physical transactions
  • Systems are typically more recent and less
    reliable
  • Many users have short cuts around the system
  • Systems may be used in such a way as to defeat
    logical security or segregation of duties
  • Access permission tables typically are not kept
    up to date with organizational changes

14
Significance of Some Financial Statement
Activities Poorly Understood
  • Examples of inputs to the financials that may be
    overlooked are:
      • Modeling of forward prices
      • Calculation of correlations
      • Extrapolation of volatility curves or surfaces
      • Prices derived from third parties
  • Processes impacting the financials that may be
    overlooked are:
      • Settlements of complex contracts
      • ISO / RTO settlements and reconciliations
  • The definition of financial risk can begin
    narrowly (risk that a financial statement could
    be materially incorrect), but can grow to be
    broader (company assets are adequately
    safeguarded, policies and procedures are
    enforced/followed, etc.).

15
Other Observations
  • Attempting to adapt generic control objectives
    for classic receivables and payables cycles is
    not effective for trading businesses.
  • Management may determine controls to be
    insignificant based on dollar values that flowed
    through last year. This may work for a typical
    business activity, but is less suitable for
    trading-related items that have variable
    valuations due to volume of trading activity,
    price levels, out-of-the-money options, etc.
  • When control issues are identified, there is a
    tendency to remediate with an ad-hoc control
    (typically a sign-off, log, or other record kept
    in a spreadsheet, etc). In many cases, a better
    approach may be to use the identified control
    weakness to rethink the overall process. This is
    one of the areas of opportunity in the Sarbanes
    Oxley compliance effort.

16
Section 404 System Issues
17
Legacy Systems Typically Less Reliable in the
Energy Trading Area
  • Packaged Solutions
      • Better change control of source code
      • However, user-defined reports may be used to
        generate FAS 133 and other accounting-related
        journal entries
      • When implementing packaged solutions, clients
        need to ensure that there are strong change
        control processes surrounding financial
        management reports
  • Custom Developed Systems
      • Often lack edit and validation controls to
        prevent unauthorized or invalid transactions from
        being entered into the system
      • Typically lack logical security controls used to
        maintain segregation of duties
      • Many users have short cuts around the system,
        or the system is not fully utilized and has been
        augmented with spreadsheets and manual processes
      • Access permission tables typically are not kept
        up to date with organizational changes

18
Systems Relied on to Implement Controls Require
Testing and Documentation
  • Systems used informally lead to other problems:
      • System development methodology informal and
        inconsistent with best practices
      • Program change management procedures informal and
        inconsistent with best practices
      • Overall too many manual processes and manual
        workarounds due to systems that do not meet
        requirements
      • Informal approvals/review procedures and lack of
        evidence to support review procedures

19
PwC's Approach to Preparing for Section 404
Compliance
20
Given the Requirements for Section 404, How Does
Management Ensure Readiness?
  • The following is a recommended 404 readiness
    approach

[Diagram labels: Continuous Improvement; Management; Auditor; Initiate Project and Assess Risk; Document and Evaluate Control Design; Prepare Report on Internal Control Over Financial Reporting; Remediate; Test Operating Effectiveness; Attest and Report; Project Management Support]
21
Framework for Considering Efficiency of 404
Assessment Efforts
  • High Efficiency
      • Reliance on continual monitoring and review of
        periodic testing
      • Use of dashboard for key indicators and controls
      • Reliance on certifications and acknowledgements
      • Management Time Commitment: Moderate
  • Medium Efficiency
      • Some manual testing required for key activities
      • Some reliance on monitoring
      • Reliance on certifications and acknowledgements
      • Management Time Commitment: Significant
  • Low Efficiency
      • Substantial manual efforts
      • Testing and validation required of activities
      • Management Time Commitment: Significant
  • Monitored
      • Standardized controls with periodic testing for
        effective design & operation w/ reporting to mgt.
  • Optimized
      • Integrated internal controls with real time
        monitoring by mgmt. and continuous improvement
  • Unreliable
      • Unpredictable environment where controls are not
        designed or in place
  • Informal
      • Controls are designed and in place but not
        adequately documented
  • Standardized
      • Controls are designed, in place and adequately
        documented

22
Action Plan Timeline
[Timeline chart: major project streams plotted by quarter across 2003, 2004 and 2005, shown separately for companies with a December 31 year end and companies with a June 30 year end. Streams in each case: Initiate Project and Assess Risk; Document and Evaluate Control Design; Remediate Identified Gaps; Test Operating Effectiveness; Prepare Management's Report; Attest and Report.]
23
Conclusion
  • The Sarbanes Oxley legislation has established a
    new paradigm for corporate accountability.
    Responsibilities of the audit committee, CEO and
    CFO have been clearly established at higher
    levels than in the past. It has created a new
    standard for companies regarding the reporting of
    internal control effectiveness and has raised the
    bar for the design, documentation, and operation
    of internal control.

Good internal controls are no longer just a best
practice. It's the Law!