On March 4, 2013, Nasdaq issued a proposed new rule that, if approved by the Securities and Exchange Commission (“SEC”), will require listed companies to establish and maintain an internal audit function. The proposed rule is open for public comment until 21 days after publication in the Federal Register, but it is expected to be approved by the SEC. It would make this Nasdaq listing requirement similar to that of the NYSE, which already has an internal audit function requirement.
By requiring an internal audit function, Nasdaq seeks to ensure that a company’s management and audit committee receive ongoing assessments of the company’s risk management processes and system of internal control that are provided independently from the company’s routine accounting and financial reporting regimes. A company will be allowed to outsource the internal audit function to any third party (other than its independent auditor), but the audit committee must maintain sole responsibility for oversight, and it may not allocate or delegate that responsibility to another board committee.
The proposed rule does not prescribe many other specifics for the implementation of an internal audit function, and it does not indicate how Nasdaq will assess compliance with the requirement, beyond certain matters implicit in Nasdaq’s statement of the audit committee’s oversight responsibility. That statement makes clear that the audit committee will be expected to arrange periodic meetings with the personnel engaged in the internal audit function (whether they are company employees or personnel of an outsource provider) and with the company’s independent auditors, as a way to ensure both (a) receipt of the types of assessments the rule is targeting and (b) more generally, that the assigned responsibilities, budget, staffing and other aspects of the internal audit function are adequate for it to be effective.
The proposed rule seems unlikely to impose substantial additional effort on most issuers, and Nasdaq noted that many of its listed companies already have an internal audit function. However, there are no special provisions to modulate requirements for Smaller Reporting Companies, so those issuers will be subject to the same requirements as all other issuers.
In any event, many Nasdaq issuers with an existing internal audit function, particularly smaller companies, might benefit from a review of their processes and procedures to make sure this function will operate properly under the new requirement. Among other things, issuers may want to:
- Formally designate the individuals (and their requisite qualifications) who comprise the issuer’s internal audit function, whether they are existing or new employees of the issuer or personnel provided by an outsourced arrangement.
- Consider whether titles or job descriptions of any of the issuer’s employees who have been performing de facto the internal audit function (and who will continue that role) should be updated and expanded to better reflect the Nasdaq requirement.
- Consider whether lines of reporting responsibility need to be clarified, revised and/or formalized. ( Important issues often arise in integrating or balancing procedures for the requisite independence of personnel who are involved in the internal audit function with a company’s procedures for its routine accounting and financial reporting functions.)
- Check the Audit Committee’s charter to assure that it reflects the oversight and other responsibility envisioned by the new rule.
If the new rule is approved as proposed, companies listed on Nasdaq on or prior June 30, 2013 will need to comply with the new listing requirement by December 31, 2013. Companies listed on Nasdaq after June 30, 2013 will be required to establish an internal audit function prior to listing.