DII Best Practices Forum Internal Controls Workshop June 23, 2011

1. DII Best Practices ForumInternal Controls WorkshopJune 23, 2011 Keith Rivers Director of Business Practices United Technologies Corporation

2. United Technologies Corporation (12/31/2010) Sikorsky Pratt & Whitney • 6 autonomous businesses • 208,000 employees • Operations in 70 countries • Net sales $54 Billion • Net USG sales $10 Billion • Member of Dow Jones Industrial Average since 1939 Hamilton Carrier Otis Fire & Security

3. Internal Controls at UTC • Audit Committee/Chairman set the overall tone • Close working relationship with CFO, General Counsel, Audit, Business Practices • Business Unit Presidents are required to maintain an effective internal control structure • Finance Council oversees implementation of Sarbanes-Oxley certification and assessment requirements

4. Overall Internal Control Structure Control Environment Internal Control Activities

5. Executing the Internal Controls Review • Scoping • Corporate/business units develop a review plan based on asset and earnings coverage desired • Primary focus on 60 Tier I entities • Requirements for Tier I Entities • Perform a risk assessment • Evaluate general control environment • determine extent of controls testing required • Test key controls outlined in UTCs 10 matrices • Identify and correct control deficiencies • Certify results to Corporate

6. Management Risk • Management tenure/turnover • Management ability to override controls • Changes in delegation of authority • Financial Risk • History of operating losses • Significant fluctuations in balance sheet accounts • Judgmental reserves • Organizational Risk • Restructurings • Recent acquisitions • New outsourcing agreements • Complex organization structure • Operational Risk • Changing market conditions • Legal Proceedings • New products • Systems Risk • New ERP implementation • Old unsupported applications • Ineffective back-up and recovery procedures • Ethics and compliance risk • Frequency of ethics investigations • Low scores on ethics portion of employee survey • Recently verified fraud cases Factors to Consider in Evaluating Risks

7. Key Control Matrices • 10 cycles covered • Revenue • Expenditure (Purchasing, Receiving, Accounts Payable, Disbursements) • Payroll • Fixed assets • Production • Treasury • Financial Reporting • Information Technology • Tax (Field Level) • Company Level Controls (General Control Environment)

8. Controls Testing Example Control objectives for the revenue cycle Control activities and testing routine

9. Overall Internal Control Structure Control Environment Internal Control Activities

10. UTC’s Approach to Enterprise Risk Management • ERM adopted as Corporate policy in 2009 • Business units/Corporate Functions identify and mitigate significant business and compliance risk • ERM results and mitigation activities reviewed at: • July Business Reviews with Chairman • October Presidents Council (consolidated results) • December Audit Committee (final assessment)

11. ERM – 2010 SUMMARY Lower Higher Business Risks Identified Business Risk Identified Business Risk Identified Business Risk Identified Business Risk Identified Business Risk Identified Business Risk Identified Business Risk Compliance Risks Identified Compliance Risk Identified Compliance Risk Identified Compliance Risk Identified Compliance Risk Identified Compliance Risk Identified Compliance Risk Identified Compliance Risk B 6 2 C 1 3 A E G 7 Risk Ranking D F 5 4 Consistently applied & effective Inconsistently applied & not fully effective Not effective Adequacy of Mitigation 2009 Risk

12. ERM: 2011 CYCLE Review ERM portfolio at: Functional Councils (September) Compliance Council (October) Presidents Council (10/25) Audit Committee (12/13) Update Presidents’ objectives Per Matrix Jan 1 Aug 1 Sept 1 Oct 1 Nov 1 Dec 1 Dec 31 BUs perform risk assessments BUs report at OMM II Roll-up risks & risk responses Use results in identifying next year’s objectives Review with Board Corporate departments perform risk assessments Review status with VPBP/IA (June – August) Roll-up risks/ responses Use results in identifying next year’s objectives Actions in response (e.g. mitigation) ERM team responsibility Business Unit responsibility Corporate Office Department responsibility All