Back in 2007, PwC published Internal Audit 2012, subtitled: “A study examining the future of internal auditing and the potential decline of a controls-centric approach”.
Since then, I have been praising its vision – and that has nothing to do with the fact that Richard Chambers (then a Managing Director with PwC and now President and CEO of the IIA) and Dick Anderson (then the lead internal audit services partner with PwC and a member of the same IIA committee as me, now a clinical professor at DePaul University) were involved in writing it.
I praised it because of its call for change – a change I supported then and now. PwC didn’t pull their punches when they said:
“Internal audit leaders must adopt risk-centric mindsets if they want to remain key players in assurance and risk management.”
They continued with:
“Throughout the next five years [i.e., through 2012 – ndm], the value of the controls-focused approach that has dominated internal audit is expected to diminish. As this occurs, internal audit leaders must redefine the function’s value proposition and adopt risk centric mindsets if they expect to remain key players in assurance and risk management.”
Dick and Richard asked internal audit functions to “rethink their fundamental value propositions by shifting from an internal audit model focusing on controls assurance to a risk-centric model where risk and control assurance are based on the effectiveness of risk management processes developed by management.”
This captures the heart of the message:
“Internal audit thus finds itself at a crossroads, with two possible paths to the future.
“One is to continue doing what it does today and nothing more, a path that brings with it the inherent risk of future obsolescence.
“Alternatively, internal audit may choose the path we believe is more likely to lead it to meet the evolving needs of modern organizations, and the rising expectations of senior management and audit committees. This path involves moving beyond the fundamentals of risk and controls to create a new internal audit value proposition.
“The new (and inherently more strategic) value proposition would include the provision of risk management assurance along with the traditional responsibility of assurance over controls. Adding risk management capabilities would inevitably help internal audit align itself more closely with an organization’s maturing risk management functions. But doing so would require something not always associated with today’s internal audit function: a risk-centric mindset.”
In this post and elsewhere, I have suggested that internal audit should:
- Assess the risk management program
- Where possible, use that program as the basis for a risk-based audit program designed to provide assurance on the more significant risks to the organization
- Assess the design and operation of the internal controls and whether they provide reasonable assurance that risks are managed at desired levels (which may be called risk appetite, risk criteria, etc.)
I think this is what PwC suggested 5 years ago.
We are now in the second half of 2012. When will we catch up to PwC’s vision?
Or is it the wrong vision?