April 6, 2013
I do applaud the NASDAQ efforts to establish an internal control function for its constituents. I have always been a firm believer that internal controls are one of the most profitable investments for companies, and that every dollar spent in internal controls would result in a significant return on investment.
Having said that, I believe that there are some areas that could be better addressed in your proposal:
(1) Making the proposal pervasive across all companies may significantly increase the burden on smaller companies. I would suggest that the formal establishment and reporting of the internal control function should be limited to companies with a capitalization of over $75M or over $100M.
(2) I think that this requirement may be redundant for companies that are already mandated to comply with Sarbanes Oxley, and I would suggest that you modify this requirement for them.
(3) I do not personally believe that the internal control function should be solely responsible for the risk management process. Risk Management is mostly the responsibility of the company senior management team, who may choose, at their discretion, to delegate it to any party, including the internal audit function.
(4) The discussion about the staffing and budget of the audit committee with the external auditors seems to be problematic. I would suggest that you change "discuss" to "disclose". I personally believe that the external auditors should have no say in the staffing and budget of the internal control function.
(5) Establishing an internal control function in less than a year may be problematic for some companies. I would suggest that you extend the period to one year starting from the final approval of the ruling rather than December 2013.
Just some thoughts. Another time, as an investor, I am happy to see the establishment of internal controls as a mandatory requirement for larger NASDAQ companies.