If approved, Nasdaq-listed companies would be required to establish and maintain an internal audit function. Although the proposed rule references an “internal audit” function, companies would be permitted to outsource the function to a third party service provider other than its independent auditor. According to the Nasdaq, the purpose of the proposed rule is: (1) to ensure that companies have a mechanism in place to regularly review and assess their internal controls and, thereby, to identify any weaknesses and develop appropriate remedial measures; and (2) to make sure that the company’s management and audit committee are provided with ongoing information about risk management processes and the internal controls.
The Nasdaq indicated that it believes that the proposed rule will assist companies to comply with the current 1934 Act rules that require companies to maintain and to evaluate the effectiveness of the internal control over financial reporting, and that many companies already have an internal audit function as a matter of best practice. The Nasdaq also pointed out that the NYSE has a similar rule already in place.
Many commentators are opposed to the rule to the extent it applies to smaller reporting companies. Some commentators have noted that: (1) the rule would increase costs of being listed on Nasdaq and would further tax the limited resources available to smaller companies; (2) internal audit functions are more appropriate for larger companies with larger, more distributed and complex operations; and (3) the certifications that PEOs and PFOs are required to sign are sufficient incentive to maintain processes designed to review and assess internal controls and that the rule-specified function is not necessary. Even the Society of Corporate Secretaries & Governance Professionals commented that it "believes that all three stated policy purposes for the rule are adequately addressed by existing laws and rules," and that "companies should be permitted the flexibility to design and implement approaches to assess risks and internal controls that are suitable to their particular size, industry, risk profile and other circumstances."
If the proposed rule is approved, companies listed on Nasdaq on or before June 30, 2013, must comply with the rule by December 31, 2013. A company listed after June 30, 2013, must establish the internal audit function prior to listing.