As we recently learned, NASDAQ has withdrawn a proposed new rule (PDF) requiring that companies listed on the exchange establish and maintain an internal audit function, citing push-back from issuers and others during the public comment period. Some companies and commenters didn't see the value of an internal audit function. There weren't a lot of comments, but there were enough that it was troubling to NASDAQ.
The Securities and Exchange Commission (SEC) received dozens of comments, both for and against the proposal, including an official endorsement from The IIA under my signature. I have never been an advocate for laws or regulations requiring an internal audit function because I believe that mandates diminish the perceived value of auditors as trusted advisers to senior management and audit committees. I do, however, support internal audit as a listing requirement because I believe that a properly structured internal audit function can provide independent, objective assurance and advisory activities that add value and improve an organization's operations.
An adequately staffed and resourced internal audit function helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes.
Having personally reviewed the comments posted on the SEC website, what disappoints me most are the misconceptions that some of the correspondence conveyed about internal auditing. Some of the letters to the SEC demonstrated a complete lack of understanding that internal auditing is a vital function that companies and shareholders need and should want, not something being forced on them.
We have worked hard as a profession, and have made much progress toward getting key stakeholders to recognize the value that comes from an independent and well-resourced internal audit function. And yet, it seems that some corporate executives still don't understand why assurance on internal controls and risk management should encompass all facets of an organization — including technology, control, and governance — not just financial risk, as some commenters have proposed.
What we do adds value, which is why I bristled at the response of one research organization, which called the internal audit proposal "burdensome" and suggested that it had the potential to delay life-saving research.
Reading such comments affirmed for me the importance of The IIA's advocacy work. As far as we have come, we have much to do when it comes to getting stakeholders to see us as a source of value. An internal audit function strengthens the fabric of a company or organization. It strengthens risk management and internal controls. And it enables the board to execute its oversight responsibility.
By all indications, the vast majority of NASDAQ's largest listed companies have internal audit functions without being required to do so. However, recent research by the consulting firm Navigant indicates that 40 percent of NASDAQ-listed companies with market capitalization between US $75 million and US $250 million do not have internal audit functions.
NASDAQ has said it plans to resubmit the proposal, but it wants to take time to carefully consider the feedback it has received. That certainly is prudent. In the meantime, I'd like to ask every one of you to join me in helping to spread the word about the value of our profession. We are 180,000 members strong and we can make a difference.
No doubt most of you have encountered naysayers before. What did you tell them? How do you articulate the value of internal audit? I look forward to reading your comments.