On March 4, 2013, the SEC announced that the NASDAQ Stock Market LLC has filed a proposed rule change that would require listed companies to establish and maintain an internal audit function no later than December 31, 2013. Specifically:

Each Company must establish and maintain an internal audit function to provide management and the audit committee with ongoing assessments of the Company’s risk management processes and system of internal control. The Company may choose to outsource this function to a third-party service provider other than its independent auditor. The audit committee must meet periodically with the internal auditors (or other personnel responsible for this function) and assist the Board in its oversight of the performance of this function. The audit committee should also discuss with the outside auditor the responsibilities, budget, and staffing of the internal audit function.

The SEC comment period closed at the end of March at which time they had received over 35 comments. Some of these comments supported the rule change but a significant number, particularly from smaller companies, argued against the change. A common theme of those against the change is reflected in the following from the CFO of Perceptron, Inc:

There already exists a requirement for public companies to review, maintain and report on internal controls under Federal securities law. Rules 13a-15 and 15d-15 specifically require a certification by the Chief Executive Officer and the Chief Financial Officer. This proposed rule by NASDAQ adds a second layer of regulation that is not necessary and would not provide value. Perceptron maintains internal controls with management oversight and already engages outside, independent firms to perform SOX 404 testing of its internal controls. Management provides a report of the results of its independent firms’ testing every quarter to the Audit Committee. Further, the Company’s independent auditor meets with the Audit Committee regularly, including in private sessions without management’s presence.

QUESTION 1: 

Do you agree with the CFO? If so explain how SOX 404 and CEO/CFO certification removes the need for an internal audit function. If you don’t agree, explain what an internal audit function adds beyond SOX 404 and CEO/CFO certification.