NASDAQ recently filed a proposed rule change with the SEC that’s seemingly aimed at SOX compliance. If implemented, each NASDAQ-listed company will be required to establish and maintain an internal audit function “to provide management and the audit committee with ongoing assessments of the Company’s risk management processes and system of internal control.” Companies listed as of June 30, 2013, will be required to establish an internal audit function by December 31, 2013; companies listed after June 30, 2013, will be required to establish that function prior to listing. In NASDAQ’s view, the proposed rule change will place no unnecessary or inappropriate burden on competition.
To me, this proposed rule change signals that the NASDAQ is weighing in on the JOBS Act provision that exempts certain companies from SOX 404(b), an auditor attestation regarding internal controls that was intended to foster growth by lowering administrative burdens on emerging growth companies (those with revenues less than $1 billion) entering the public market. These companies were granted as many as five years’ relief from a number of rules, including independent auditor attestation on the design and effectiveness of internal controls over financial reporting.
The more than 30 comments posted by the recent close of the SEC comment period were primarily from CFOs of small NASDAQ-listed companies, who said the proposed rule was costly for their enterprises and duplicative of existing SOX requirements. Some comments reflected concern that the rule reduced audit committees’ flexibility to direct the focus of the internal audit function.
Here’s my take: the proposed rule change was not intended to force companies to go beyond what is currently considered best practice—and what most companies do in support of SOX 404(b). (In general, companies that comply with 404(b) have a much more robust set of internal controls and are more diligent in consistently adhering to them—and therefore have greater financial statement integrity—than companies complying only with 404(a).) Although the proposed rule specifically excludes companies’ external audit firms from providing internal audit services, it does allow outsourcing to a third party.
The NASDAQ’s attempt to close the SOX loophole should not significantly affect RoseRyan’s SOX clients. These companies typically engage us to help them ensure that their internal controls are appropriately designed, to independently test the controls’ effectiveness and to periodically meet with their audit committees. I don’t see the proposed rule greatly changing that scope of work. However, the rule will add to the workload of many newly public companies currently exempt from 404(b). I view that change as a step in the right direction for investor protection and for leveling the playing field for companies traded on the NASDAQ, regardless of when they went public.