On March 4, 2013, NASDAQ issued a proposed new rule (Release No. 34-69030; File No. SR-NASDAQ-2013-032) which would require listed companies to have an internal audit function:
“Each Company must establish and maintain an internal audit function to provide management and the audit committee with ongoing assessments of the Company’s risk management processes and system of internal control. The Company may choose to outsource this function to a third party service provider other than its independent auditor. The audit committee must meet periodically with the internal auditors (or other personnel responsible for this function) and assist the Board in its oversight of the performance of this function. The audit committee should also discuss with the outside auditor the responsibilities, budget and staffing of the internal audit function.
A Company listed on Nasdaq on or before June 30, 2013, must establish an internal audit function by no later than December 31, 2013. A Company listed after June 30, 2013, must establish an internal audit function prior to listing.”
Although this proposal mirrors a similar requirement by NYSE listed companies, some of the smaller companies at the NASDAQ have protested the new rule as an undue burden. The unexpected controversy seems to be weighing on the SEC, who has filed a notice to solicit additional comments and has extended its final decision date from April 22 to June 6.
While some changes might improve the clarity and definition of the proposal, its goals and requirements should provide an overall value. Internal audit is not simply an added level of bureaucracy. A properly implemented internal audit function should provide a favorable cost benefit, improving management, control, and organizational performance by identifying, tracking, reporting, and proposing needed solutions with regards to
- Controls and control deficiencies
- Regulatory requirements and violations
- Governance and operational inefficiency
- Company policy and compliance
Having such activities performed internally and with a direct report to the audit committee allows the organization to take quick and well-informed action to correct threats to its safety, reliability and profitability. It should improve the prevention and detection of fraud and other corporate malfeasance. The proposal has substantial implementation flexibility, as it does not cite specific risks and controls that must be addressed. Instead it properly makes the function scalable and responsive to the particular needs of the organization.
Additional information can be found here.