NASDAQ recently filed a proposed rule change with the SEC that’s seemingly aimed at SOX compliance. If implemented, each NASDAQ-listed company will be required to establish and maintain an internal audit function “to provide
To me, this proposed rule change signals that the NASDAQ is weighing in on the JOBS Act provision that exempts certain companies from SOX 404(b), an
The more than 30 comments posted by the recent close of the SEC comment period were primarily from CFOs of small NASDAQ-listed companies, who said the proposed rule was costly for their enterprises and duplicative of existing SOX requirements. Some comments reflected concern that the rule reduced audit committees’ flexibility to direct the focus of the internal audit function.
Here’s my take: the proposed rule change was not intended to force companies to go beyond what is currently considered best practice—and what most companies do in support of SOX 404(b). (In general, companies that comply with 404(b) have a much more robust set of internal controls and are more diligent in consistently adhering to them—and therefore have greater financial statement integrity—than companies complying only with 404(a).) Although the proposed rule specifically excludes companies’ external audit firms from providing internal audit services, it does allow outsourcing to a third party.
The NASDAQ’s attempt to close the SOX loophole should not significantly affect RoseRyan’s SOX clients. These companies typically engage us to help them ensure that their internal controls are appropriately designed, to independently test the controls’ effectiveness and to periodically meet with their audit committees. I don’t see the proposed rule greatly changing that scope of work. However, the rule will add to the workload of many newly public companies currently exempt from 404(b). I view that change as a step in the right direction for investor protection and for leveling the playing field for companies traded on the NASDAQ, regardless of when they went public.