NASDAQ Hesitates in Its Quest to Mandate Internal Audit

Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession. 


As we recently learned, NASDAQ has withdrawn a proposed new rule (PDF) requiring that companies listed on the exchange establish and maintain an internal audit function, citing push-back from issuers and others during the public comment period. Some companies and commenters didn’t see the value of an internal audit function. There weren’t a lot of comments, but there were enough that it was troubling to NASDAQ.

The Securities and Exchange Commission (SEC) received dozens of comments, both for and against the proposal, including an official endorsement from The IIA under my signature. I have never been an advocate for laws or regulations requiring an internal audit function because I believe that mandates diminish the perceived value of auditors as trusted advisers to senior management and audit committees. I do, however, support internal audit as a listing requirement because I believe that a properly structured internal audit function can provide independent, objective assurance and advisory activities that add value and improve an organization’s operations.

An adequately staffed and resourced internal audit function helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes.

Having personally reviewed the comments posted on the SEC website, what disappoints me most are the misconceptions that some of the correspondence conveyed about internal auditing. Some of the letters to the SEC demonstrated a complete lack of understanding that internal auditing is a vital function that companies and shareholders need and should want, not something being forced on them.

We have worked hard as a profession, and have made much progress toward getting key stakeholders to recognize the value that comes from an independent and well-resourced internal audit function. And yet, it seems that some corporate executives still don’t understand why assurance on internal controls and risk management should encompass all facets of an organization — including technology, control, and governance — not just financial risk, as some commenters have proposed.

What we do adds value, which is why I bristled at the response of one research organization, which called the internal audit proposal “burdensome” and suggested that it had the potential to delay life-saving research.

Reading such comments affirmed for me the importance of The IIA’s advocacy work. As far as we have come, we have much to do when it comes to getting stakeholders to see us as a source of value. An internal audit function strengthens the fabric of a company or organization. It strengthens risk management and internal controls. And it enables the board to execute its oversight responsibility.

By all indications, the vast majority of NASDAQ’s largest listed companies have internal audit functions without being required to do so. However, recent research by the consulting firm Navigant indicates that 40 percent of NASDAQ-listed companies with market capitalization between US $75 million and US $250 million do not have internal audit functions.

NASDAQ has said it plans to resubmit the proposal, but it wants to take time to carefully consider the feedback it has received. That certainly is prudent. In the meantime, I’d like to ask every one of you to join me in helping to spread the word about the value of our profession. We are 180,000 members strong and we can make a difference.

No doubt most of you have encountered naysayers before. What did you tell them? How do you articulate the value of internal audit? I look forward to reading your comments.

Posted on Jun 3, 2013 by Richard Chambers

Share This Article:    

  1. Richard: I agree with you that mandating something via a law to force people to do something is generally not as good as people seeing the value in doing it themselves. My personal view is the SEC/NASDAQ needs to specifically make board oversight of risk a legal accountability and provide parameters defining what effective risk oversight entails. Boards would then need to assess how they will discharge those responsibilities. An internal audit function with staff that have stayed current on evolving IIA IPPF expectations and upgraded their skills via training like the CRMA curriculum is an obvious way that boards can be confident they are receiving reliable information to discharge their risk oversight responsibilities. I encourage all readers to take the time to read the Feb 2013 report from the Financial Stability Board "Thematic Review of Risk Governance". I think it provides one of the best visions of what IA's role should be going forward that I have seen to date. Unfortunately, many board members do not currently see Internal Audit as a tool to help them oversee big picture risks and SOX has further reinforced the view that IA often functions mainly as a "Checker". The CICA board risk oversight guidance saw little role for IA helping boards meet their risk oversight obligations. I believe COSO 2013 will further entrench the perception of many that auditors primary role is to complete long checklists that specify organizations need hundreds of "controls". The IIA needs to do everything it can to ensure the profession isn't relegated in to completing long checklists to support COSO 2013 implementation and focus on playing the role supporting board's that want to meet their risk oversight responsibilities envisioned in the FSB report.
  1. Hello Richard, Your comment about internal audit function is comprehensive and it is very much in line with internal audit professional goals and objectives. I am troubled by the fact that it is still a hard sell to professional management domain experts out there about the added value internal audit brings on the table at the end of the day. Those who see COSO definition of internal control differently from IIA definition of internal audit view internal audit as simple "tick and tie" checker function bothers me at the professional level of audit independence. The control objectives and standards to meet those control objectives have no problem with AICPA guidelines standards, yet, internal audit professionals always end up with uphill task consistently all the time in the pre-Sarbox and post-Sarbox era of corporate scandals to convince the very same professionals about the internal audit function & its value. That really bothers me as internal audit profession. I hope you understand my view points on the same subject matter. At this juncture, I am pretty convinced that professional internal auditor's job is not done in meeting ongoing professional challenges out there even in the era of post Enron and post WorldCom corporate bigotry and scandal.
  1. In India, it is a legal requirement to have an internal audit function and audit commitee for corporates having issued capital over a certain amount or having turnover a certain amount.

    Stcok Exchanges as part of their listing requiremets require a company to have Internal audit function (inhouse/ outsourced as they deemed fit).

    Audit Committe is required to consider the internal audit report.

    In case there is no internal audit function, external auditors are required to issue a qualified report.

    Having an Internal audit function, helps a company's director to be atleast aware about the risk faced by the company.

    If 60% of the companies listed in Nasdaq can have an internal audit function, rest 40% can also have an internal audit function.

    If Issuers are not comfortable with Internal audit function, then its high time, someone need to inspect  their books and give a realistic assessment of the working of controls in these issuer companies.

  1. There is a still a serious lack of understanding of the role of internal audit. I urge you all to look at the comment letter from the VP, Finance of Psychemedics, who considers himself well-versed in internal audit since he worked as an internal auditor for six years. His first point is "The design, implementation and testing of internal controls are all key functions of any internal audit department". And please, do not take this as a criticism of this person - I believe he means well. Unfortunately, he is likely not the only one to share this incorrect notion. Hopefully, we can all do something to change this.


    Thank you Richard for your reflections and advocacy for our profession.  For 10 yrs. I have performed a role in an Internal Audit department.  I recall in the early to mid 2000's, large corporations began touting the phrase ‘Risk Management ‘. An understandable reaction to the post Enron/Worldcom events at the time. At first I thought ‘Risk’ was just another buzzword used by execs, but now I am glad to see that it has gained substance and respect through the successes of newly formed corporate entities and organizations like the IIA.  Of course, for decades, those in the Audit profession have recognized the term ‘Risk’ as an essential business fundamental. I have dreams of a future, when the words ‘Risk’ and ‘Audit’ are so mutually coupled that ‘Audit’ can benefit from the new respect given to ‘Risk’. And, ‘Audit’ is recognized as the most effective solution to the question of ‘Risk’.
  1. Why did the NASDAQ want to make this a mandate in the first place?  I am assuming without reading all the details that led to this discusison that they wanted to give investors more assurance when investing in these companies.  I expect many comments came from those companies that generate lower revenue relative to their peers and are simply not interested in the additional costs, and they do not understand the value of a truly independant and objective audit team focused on helping them lower the residual risks to the company. That takes business leaders with a desire to have a culture with a high level of integrity and a sense of responsibility, working together with dedicated/educated risk partners (e.g., audit) to make reasonable decisions on managing risks.

  1. Respected Sir Richard.

    Your reaction to the NASDAQ stand on IA profession is very professional and balanced. As IA professional, we need to continue to keep our cool and keep adding more and more measurable values and benfits to the organization we work for and we must continue to win the hearts of all in and out of the organization. Such win for internal audit will spread when we win the trust and confidence of all stakeholders and form as a unbreakable bridge between executing Management and investing shareholders , especially the key stakeholders. All stake holders should feel in their heart that IA service is essential for knowing the real truth of the situation independently and that too at the right time for enabling their right decisions that donot bring backlashes and ignomny later. How do we achieve this win - win atmosphere ? We need to be more business oriented and help achieve the Management team their business objectives without compromising and sacrificing cardinal principles of Internal control, Governance, risk mitigation effectiveness. To achieve this common goal of the organization, society and General public/Governmant, we need to keep the trusted communication and reporting between the two sides and we need to be nuetral without any interests whatsover. As Internal auditors , we are happy ( though we will not be in a position to be) when all are made happy. Without an independent officers like IA inside the organisation, the truthful position will never surface for corrections and improvements on continuous basis and for its continuous existence. This is what I want to share with you as my inner voice. DEV

  1. Excellent article! This concern reaches beyond the NASDAQ-applies to many other bodies incl. Ontario Municipalities-no requirement for an oversight function to protect the taxpayer purse (article coming). The IIA has achieved success in advocating the value of an IA Function; however, lack of awareness remains-demonstrated by the uninformed comments against mandating the function. Many NASDAQ IA functions were created to support SOX requirements-resistance to create/support a broader function will continue until profits improve. Many companies remain focused on survival & operate with bare-bone structures-essential services. A well-run IA function can result in a signicant ROI; but, many companies resist unless required by law-sad to see the NASDAQ hesitation. Investor confidence is critical-there is demand for transparency & accountability-an independent IA function supports this. Through increased media exposure, the public is more aware of government political corruption & corporate wrongdoing-this should help! T Langlois CIA, CRMA, CPA-CFF, CFE, CGMA

  1. It is still very hard for many executives to really see the value of internal audit, they may admit it during audit committee meetings, but deep down many of them still believe IA is some sort of overhead and a nice thing to have instead of a truly value add function. It's really up to us and each individual IA department to demonstrate that value to its organization.

  1. The evolution of Internal Audit, the efforts by IIA and the strength of Corporations that have internal audit functions are critical in helping the people who see internal audit as a burden to change that perception and see IA as a valuable and strategic leader within the corporate level. All I can say is that IA's climb towards the corporate high table was never and shall never be easy, but we are getting there. Many regulatory bodies are very clear that IA should be a critical function in any organization. The Problem is not the organizations that gave feedback to NASDAQ. The problem is NASDAQ! If they are withdrawing the requirement, it means they did not believe in it in the first place! NASDAQ should stop being wishy-washy about the internal auditing profession, they should incorporate IIA in their noble initiatives, that way, expert IA can be able to engage professionally and objectively with these corporations, just as Richard has done in this article. - E. O. Ogutu CPA(K), CIA, CFE
  1. Richard, thanks for the article it was worth reading. I also thank everyone for their comments. I enjoyed reading all of them. It is nice to see the passion, honesty and integrity everyone shares. However, I don't think this mandate will ever be passed by NASDAQ, especially when considering the large number of smaller companies within the NASDAQ. "Too much to lose", is what you don't hear from NASDAQ and their hosted companies. If you watch CNBC, frequently they complain about SOX and how it is an "unnecessary burden". What makes anyone believe they can take this any further? Excluding the criminals or unethical people out there, unfortunately many business people have had bad personal experiences with internal auditors and other risk professionals. I blame the bad relationship on poorly run audit, risk, compliance, etc. departments, uneducated business managers, poorly implemented enterprise wide risk management programs/practices, and a failure to instill good cultural values (e.g., integrity, honesty). I would be interested in knowing how many listed companies have honestly done a great job of implementing effective risk management programs. Do we do enough to share stories with Senior Managers and Boards of Directors about successful RM programs at other companies?

Leave a Reply