UPDATE:

Compliance Week reports that NASDAQ withdrew its proposed rule mandating an internal audit function – based in part on the comment letter that I drafted for The Society of Corporate Secretaries and Governance Professionals, which is quoted in the article . 

NASDAQ may resurrect the proposal after further consideration, but likely with a narrower focus and a longer implementation timeline.

ORIGINAL POST:

The SEC has published for comment a proposed rule that would require NASDAQ-listed companies to have an internal audit function by the end of this year. The rule allows the function to be outsourced, but not to the company’s independent auditor. The scope of this function would be fairly broad; encompassing risk management processes and the system of internal control.

Each Company must establish and maintain an internal audit function to provide management and the audit committee with ongoing assessments of the Company’s risk management processes and system of internal control. The Company may choose to outsource this function to a third party service provider other than its independent auditor. The audit committee must meet periodically with the internal auditors (or other personnel responsible for this function) and assist the Board in its oversight of the performance of this function. The audit committee should also discuss with the outside auditor the responsibilities, budget and staffing of the internal audit function.

A Company listed on Nasdaq on or before June 30, 2013, must establish an internal audit function by no later than December 31, 2013. A Company listed after June 30, 2013, must establish an internal audit function prior to listing.

Although NYSE companies are subject to a similar rule under the NYSE’s governance listing standard 303A.07(c), it is likely that many of the typically-larger NYSE-traded companies would have had an internal audit function at the time of that rule proposal – so it is not clear to me that smaller company concerns were fully vetted in that rulemaking process.

I have the following concerns about the proposed NASDAQ rule:

1)  The implication that the Audit Committee must be responsible for all facets of risk oversight, because this internal audit function reports to the Audit Committee. The Board should be free to assign among of its various committees aspects of enterprise risk management (ERM).

2) A lack of clarity about the meaning of “ongoing” assessments. Is that continuous (without interruption) or periodic? If periodic, how frequent?

3)  A lack of clarity about the scope of the risks that must be encompassed.  There are financial risk, cyber-risk, legal risks, HR risk, etc.  A typical internal audit function may not assess all aspects of risk. Is this scope even limited to the range of risks within the COSO ERM Integrated Framework?

4)  A lack of clarity about the scope of internal controls systems that must be encompassed. This seems to be broader than “internal controls over financial reporting.” Does it include IT controls, disclosure controls, compliance controls, etc.?

5)  A lack of clarity whether the listed company can outsource this function to more than one vendor, with different vendors providing assessments of various types of risks. The rulemaking refers singularly to “a third party” and “function” which implies one single outsourced vendor. (Depending on the answers to the scope questions described in items 3 and 4 above, are there sufficient, reasonably-priced vendors who could provide all of the services?)

6) The short time frame allowed to implement the rule.

7) The lack of any cost-benefit or impact analysis.