In another move that more closely aligns Nasdaq listing standards with those of the NYSE, Nasdaq has filed a proposed rule change with the SEC that would require its listed companies to have an internal audit function by December 31, 2013. Companies looking to be listed on Nasdaq after June 30, 2013 will need to put this in place prior to listing. The role may be handled internally or outsourced to a third party other than a company's independent auditors. The proposal is subject to comments and SEC approval.
An internal audit function is identified in Nasdaq’s rule filing as being necessary to provide management and the audit committee with ongoing assessment of a company’s risk management processes and system of internal control. The proposed rule gives the audit committee sole responsibility to oversee the internal audit function, which cannot be allocated or delegated to another board committee.
In another matter also related to a stock exchange regulation of audit committee responsibilities, the New York City Bar Association Financial Reporting Committee has asked the NYSE to consider revising its rules regarding the extent to which audit committees shoulder the burden for risk management oversight. NYSE requires audit committees to discuss policies with respect to risk assessment and risk management. Commentary to these rules indicates that the audit committee is not required to be the sole body responsible for risk assessment and management, but it must discuss guidelines and policies to govern the process by which this activity is undertaken.
The Financial Reporting Committee letter expressed concern that the NYSE rules not only call upon audit committees to assume oversight responsibility for risks beyond those associated with financial reporting, but also that the level of responsibility the committees must undertake is unfortunately ambiguous. The letter argues that audit committees are already burdened with their existing duties and also do not possess particular expertise in broader subjects of risk management that may expand to operational and environmental risk, for example. The letter suggests perhaps a more useful approach would be to vest in the entire board the responsibilities for the allocation of risk management oversight instead.