Nasdaq has withdrawn a proposed rule that would have required listed companies to establish and maintain an internal audit function.
“In light of the breadth and nature of the comments from our issuer community, and others, Nasdaq has determined to withdraw the proposal so that we may adequately consider these comments,” the exchange wrote, adding that it intends to revise the proposed rule, taking into account the comments, and resubmit it.
In February, the exchange presented the notice of proposed rulemaking to the Securities and Exchange Commission. Listed companies would need to develop an internal audit function that provides management and the audit committee with ongoing assessments of risk management processes and internal controls. Companies were given the option of outsourcing this function to a third party service provider. A company listed on Nasdaq on or before June 30, 2013, would need to establish an internal audit function by no later than Dec. 31, 2013; a company listed after June 30, 2013, would need to do so prior to listing.
Nasdaq wrote, at the time of the submission, that the move would ensure that companies regularly review and assess internal controls, identify weaknesses, and develop appropriate remedial measures. The proposed rule would have aligned Nasdaq with an existing NYSE requirement. The SEC had planned to issue a decision by June 6.
Numerous comments received by the SEC were critical of the perceived burden put upon non-accelerated filers and Emerging Growth Companies. Several comments suggested that the mandate be limited to companies with a capitalization of more than $75 million or $100 million. Concerns were also raised that the requirement would be redundant and overkill for companies already mandated to comply with Sarbanes Oxley. Another complaint was that establishing an internal control function in less than a year, as was called for, would be problematic.
“This requirement will be another financial burden added to the already mounting burden that is being placed on smaller companies today to remain compliant with regulatory requirements,” wrote Sharon Barbari, CFO of San Francisco based Cytokinetics, a small biotech firm. “You are asking for critical capital to be used on compliance when the relative risk is small.”
“The proposed rule change offers companies the option to outsource the internal audit function to a third party service provider in order to ‘preserve flexibility.' In practice, biotech companies would be forced to choose this onerous option and the auditor fees associated with it,” wrote Alan Eisenberg, executive vice president, emerging companies and business development, for the Biotechnology Industry Organization, citing the costly, industry-specific expertise that would be required. He added that the proposed rule change “increases compliance costs at a time when Congress and the SEC are taking steps to spur capital formation.”
Kenneth Bertsch, president and CEO of the Society of Corporate Secretaries and Governance Professionals, opined that the rule should apply only to financial reporting risks.
“[We are] concerned that the proposed rule could be interpreted to have no limit on the scope of risks that an internal audit function would be required to assess,” he wrote. “If the intent of the proposed rule is to require the internal audit function to provide management and the audit committee with ongoing assessments of the listed company's risk management processes for each of the various types of risk, we believe it goes too far.”
Supporters of the proposed rule included Todd DeZoort, Professor of Accounting at the University of Alabama, and Dana Hermanson, of Kennesaw State University's Culverhouse School of Accountancy. In a joint letter they wrote that the Association of Fraud Examiners “has consistently found in its studies that internal audit testing is one of the most common methods of fraud detection,” with more than four times the detection rate of external auditors.