April 2013

On March 4, 2013, NASDAQ issued a proposed new rule (Release No. 34-69030; File No. SR-NASDAQ-2013-032) which would require listed companies to have an internal audit function:

“Each Company must establish and maintain an internal audit function to provide management and the audit committee with ongoing assessments of the Company’s risk management processes and system of internal control. The Company may choose to outsource this function to a third party service provider other than its independent auditor. The audit committee must meet periodically with the internal auditors (or other personnel responsible for this function) and assist the Board in its oversight of the performance of this function. The audit committee should also discuss with the outside auditor the responsibilities, budget and staffing of the internal audit function.

A Company listed on Nasdaq on or before June 30, 2013, must establish an internal audit function by no later than December 31, 2013. A Company listed after June 30, 2013, must establish an internal audit function prior to listing.”

The noble goals of this change were described as follows:

  • “to prevent fraudulent and manipulative acts and practices,
  • to promote just and equitable principles of trade,
  • to foster cooperation and coordination with persons engaged in regulating, clearing, settling, processing information with respect to, and facilitating transactions in securities,
  • to remove impediments to and perfect the mechanism of a free and open market and a national market system, and,
  • in general, to protect investors and the public interest”

The proposed rule was generally expected to be approved by the SEC.  It was not believed to be highly controversial, as it mirrored a requirement that already existed for NYSE-listed companies.  In fact, many NASDAQ companies already have an internal audit function.  If desired, the internal audit function could be outsourced to a third party (although not to the external auditor), as long as it reported directly to the Audit Committee.

Not surprisingly, the Institute of Internal Auditors (IIA) enthusiastically supported the proposal:

“The IIA believes that a properly structured internal audit function can provide independent, objective assurance and advisory activities that add value and improve an organization’s operations. An adequately staffed and resourced internal audit function helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control and governance processes.”

However, there was also resistance during the comment period.  This came mainly from Smaller Reporting Companies, which are defined as having less than $75 million in public float or $50 million in annual revenue.  While these entities are excepted from certain SEC rules and reporting requirements, there was no such carve-out under this proposal.  Many of the comments indicated that this placed an undue cost burden on these smaller entities.

The unexpected controversy seems to be weighing on the SEC, which has filed a notice to solicit additional comments and has extended its final decision date from April 22 to June 6.  Although some changes might improve the clarity and definition of the proposal, its goals and requirements should provide an overall value.  Internal audit is not simply an added level of bureaucracy.  A properly implemented internal audit function should provide a favorable cost benefit, improving management, control, and organizational performance by identifying, tracking, reporting, and proposing needed solutions with regard to:

  • Controls and control deficiencies
  • Regulatory requirements and violations
  • Governance and operational inefficiency
  • Company policy and compliance

Having such activities performed internally and with a direct report to the audit committee allows the organization to take quick and well-informed action to correct threats to its safety, reliability and profitability.  It should improve the prevention and detection of fraud and other corporate malfeasance.  The proposal has substantial implementation flexibility, as it does not cite specific risks and controls that must be addressed.  Instead, it properly makes the function scalable and responsive to the particular needs of the organization.

Fulcrum Inquiry performs forensic accounting services.