Implications and Opportunities Of the PCAOB and SEC Proposals

1. Implications and Opportunities Of the PCAOB and SEC Proposals Presented By:

2. AGENDA • Overview of Recently Issued SOX Guidance • Bruce Ring, Grant Thornton • Management Perspective on the Guidance • Bill McGee, GMAC Controller’s Staff • Internal Audit Perspective on the Guidance • Angie Chin, GM Audit Services • External Audit Perspective on the Guidance • Dan Langlois, KPMG • Considerations for Non-accelerated Filers • Bruce Ring, Grant Thornton

3. Recently Issued SOX Guidance (SEC) • Issued interpretive guidance for management on evaluating internal control over financial reporting • Guidance organized around two overriding related principles • Management should evaluate the design of controls to determine whether they adequately address the risk that a material misstatement in the financial statements would not be prevented or detected • Describes a top-down, risk-based approach to this principle including the role of entity level controls in assessing risks and the adequacy of controls • Guidance explicitly states there is no requirement to identify every control in a process or to document the operating activities affecting internal control over financial reporting • Management’s evaluation of the operation of its controls should be based on its assessment of the risk associated with those controls - Allows management to align the nature and extent of its procedures and the evidence it obtains with the financial reporting areas that pose the greatest risk to reliable financial reporting • SEC provided details to approach in four areas • Identifying risks and related controls • Evaluating operating effectiveness • Evaluating deficiencies and reporting • Evidence to support assessment • Comments on proposed rule are due by February 26, 2007

4. Recently Issued SOX Guidance (PCAOB) • Proposed a revised standard for audits of internal control over financial reporting • Would supersede Auditing Standard #2 • Four objectives of guidance • Focus on matters most important to internal control • Top-down approach • Definitions of material weakness and significant deficiency revised • Eliminate unnecessary procedures • Evaluation of management’s process for assessing the effectiveness of internal control eliminated • Knowledge from prior years can be used in risk assessment • Multi location testing requirements refocused on risk rather than coverage • Use of work of others commonized under one auditing standard • Walkthroughs only required for each significant process rather than major class of transactions within a process • Scale the audit for smaller companies • Simplify the requirements • Auditors’ report would express only one opinion on internal controls, an opinion on the effectiveness of the company’s internal control over financial reporting • Comments on proposed rule are due by February 26, 2007

5. Management Perspective on Recently Issued SOX Guidance (SEC & PCAOB) • Interpretive guidance sets forth an approach by which management can conduct a top-down, risk-based evaluation of internal control over financial reporting (ICFR) • From managements perspective, there may be a opportunity to revisit the use of financial statement coverage as the main factor in determining overall scope • Allows external auditors to consider prior period results in scoping current year risk. • Give full consideration to entity level controls in assessing financial reporting risks and the adequacy of controls • If risk at individual locations is considered low, sufficient evidence may be obtained from self assessment at the individual location combined with ongoing central monitoring • Management’s evaluation of evidence about the operation of its controls should be based on its assessment of risk • The lower the risk the less persuasive the evidence that is needed to conclude on the effective operation of the control • Management may obtain evidential support through daily interaction with its controls (good for smaller companies), self assessment procedures and other monitoring procedures. • Evidence need not address all controls within every process that affects financial reporting

6. Management Perspective on Recently Issued SOX Guidance (SEC & PCAOB) • Elimination of independent public accountant’s requirement to evaluate management’s process for assessing the effectiveness of internal controls • Shouldn’t fees be adjusted accordingly? • Multi-location testing requirements refocused on risk rather than coverage. • Independent Auditor allowed to use direct assistance of others when performing walkthroughs • Also, walkthroughs only required for significant processes not for each major class of transactions within a process • Shouldn’t fees be adjusted accordingly? • Now is the time to start planning for these changes. • While the proposed auditing standard may not be adopted until 2008, early adoption may be encouraged.

7. Perspective from Internal Auditor (IA) • SEC Proposed Guidance • Leverage the guidance for IA’s: • Annual risk assessment • Control evaluation • Control testing • Align audit plan and coverage with SOX 404 plan to achieve optimal coverage • Preliminary Assessment on Implication for IA • No major changes to IA methodology and practices • Continue to increase focus on ICFR • Need to hire additional technical accountants

8. Perspective from Internal Auditor (IA), cont’d • PCAOB Exposure Draft (AS2 Replacement) • Leverage the guidance for IA’s: • Annual risk assessment • Control evaluation • Control testing • Increase opportunities to rely on IA work to the greatest extent • Conduct walkthroughs • Continuous monitoring/auditing • Control evaluation and testing • Align new definitions of control deficiency, significant deficiency, and material weakness with IA methodology and control rating system • Preliminary Assessment on Implication for IA • Increase opportunities to coordinate audit work with external auditor to achieve optimal reliance • Could increase/decrease IA scope and coverage • Need to hire additional technical accountants

9. Perspective from External Auditor • SEC proposed guidance • Management has a broad array of alternatives for use in making its assessment • Should provide management with greater flexibility which may result in time and cost savings • In some circumstances, the documentation management creates specifically for the evaluation of ICOFR may be limited • The more informal management’s testing and documentation, the more likely the auditor will not be able to use the work of management

10. Perspective from External Auditor, cont’d • PCAOB Exposure Draft (AS 2 replacement) may provide opportunities for reduction in auditor effort

11. Considerations for Non-Accelerated Filers • Current Requirements • Management assessments for fiscal years – December 15, 2007 • Auditor's attestation report for fiscal years – December 15, 2008 • Transition period for newly public companies – after one annual report is filed with the SEC • Guidance • COSO: Internal Control over Financial Reporting – Guidance for Smaller Public Companies • Designed to provide a cost efficient and practical application of COSO

12. Considerations for Non-Accelerated Filers • An Approach for Smaller Companies • Focus on top-down, risk based process to drive efficiency in SOX readiness • Take a practical approach to "right-sizing" documentation of internal controls • Identify the key monitoring controls upfront that are critical in managing smaller companies • Integrate information technology and business process tracks to ensure appropriate leveraging of automated and manual controls • Build your SOX structure with an eye towards minimizing future compliance costs

13. Contact Information Bruce Ring Partner, Grant Thornton LLP bruce.ring@gt.com 248-213-4280 Angie Chin General Director, GM Audit Services angelina.chin@gm.com 313-665-3729 Bill McGee Manager, Controller’s Staff, GMAC william.mcgee@gm.com 313-667-4527 Dan Langlois Partner, KMGP LLP dlanglois@kpmg.com 313-230-3426 Pam Bishop Engagement Manager, Jefferson Wells pamela.bishop@jeffersonwells.com 248-226-1200