In a letter to the SEC, the Society of Corporate Secretaries and Governance Professionals urged the Commission to ensure that the proposed Nasdaq internal audit rule applies only to financial reporting risk.
The Society is concerned that the proposed rule could be interpreted to have no limit on the scope of risks that an internal audit function would be required to assess. There are many types of risks facing listed companies, noted the Society, such as liquidity, credit, currency, and interest rate risk, as well as strategic risk, operational risk, cyber risk, legal and compliance risk, and brand risk. The nature of these unique industry risks is such that technical expertise, other than financial literacy/expertise, is critical in order to provide comprehensive board oversight.
The proposed rule would require the internal audit function to report solely to the audit committee. The Society believes that audit committees should not be required to oversee all types of risk and internal controls. The Society is concerned about the implication that the audit committee would therefore be responsible not merely for financial risks and financial reporting, but also for all facets of risk and internal controls.
Similarly, there seems to be no limit on the types of internal controls that the internal audit function would be required to assess. The rulemaking notice refers both to a system of internal control and to internal control over financial reporting. The implication is that a system of internal control is broader than internal controls over financial reporting. For example, the proposed rule could be interpreted to require assessments of information technology controls, operational risk controls, disclosure controls, and compliance controls. Thus, the Society urged that the rule be narrowed to confine its scope to internal controls over financial reporting only.