Did PwC have a crystal ball?

September 5, 2012

Back in 2007, PwC published Internal Audit 2012, subtitled: “A study examining the future of internal auditing and the potential decline of a controls-centric approach”.

Since then, I have been praising its vision – and that has nothing to do with the fact that Richard Chambers (then a Managing Director with PwC and now President and CEO of the IIA) and Dick Anderson (then the lead internal audit services partner with PwC and a member of the same IIA committee as me, now a clinical professor at DePaul University) were involved in writing it.

I praised it because of its call for change – a change I supported then and now. PwC didn’t pull their punches when they said:

“Internal audit leaders must adopt risk-centric mindsets if they want to remain key players in assurance and risk management.”

They continued with:

“Throughout the next five years [i.e., through 2012 – ndm], the value of the controls-focused approach that has dominated internal audit is expected to diminish. As this occurs, internal audit leaders must redefine the function’s value proposition and adopt risk centric mindsets if they expect to remain key players in assurance and risk management.”

Dick and Richard asked internal audit functions to “rethink their fundamental value propositions by shifting from an internal audit model focusing on controls assurance to a risk-centric model where risk and control assurance are based on the effectiveness of risk management processes developed by management.”

This captures the heart of the message:

“Internal audit thus finds itself at a crossroads, with two possible paths to the future.

“One is to continue doing what it does today and nothing more, a path that brings with it the inherent risk of future obsolescence.

“Alternatively, internal audit may choose the path we believe is more likely to lead it to meet the evolving needs of modern organizations, and the rising expectations of senior management and audit committees. This path involves moving beyond the fundamentals of risk and controls to create a new internal audit value proposition.

“The new (and inherently more strategic) value proposition would include the provision of risk management assurance along with the traditional responsibility of assurance over controls. Adding risk management capabilities would inevitably help internal audit align itself more closely with an organization’s maturing risk management functions. But doing so would require something not always associated with today’s internal audit function: a risk-centric mindset.”

In this post and elsewhere, I have suggested that internal audit should:

  1. Assess the risk management program
  2. Where possible, use that program as the basis for a risk-based audit program designed to provide assurance on the more significant risks to the organization
  3. Assess the design and operation of the internal controls and whether they provide reasonable assurance that risks are managed at desired levels (which may be called risk appetite, risk criteria, etc.)

I think this is what PwC suggested 5 years ago.

We are now in the second half of 2012. When will we catch up to PwC’s vision?

Or is it the wrong vision?

  1. John Mogni
    September 5, 2012 at 6:12 PM

    I agree with the vision. However, in my opinion, controls are one way to address risks. Therefore, assessments of an organization’s risks should occur first and be performed regularly and as preparation for audits. Otherwise, wouldn’t an audit approach that is primarily controls-focused be like “placing the cart before the horse” (pardon the cliche)?

    I recall basing audits in part on risk assessments, which also made them more efficient and better focused. Perhaps this concept has been lost over time. Any thoughts?

  2. vikram vijh
    September 5, 2012 at 8:45 PM

    The correct approach I feel is to keep a balance between controls and risks. Neither can be ignored.

  3. September 5, 2012 at 10:12 PM

    I agree with this philosophy but in a sense this is more about “new packaging” than new product. When I first moved from external to internal auditing, over 20 years ago (1990) we used a Coopers and Lybrand (ie PwC) based methodology which emphasized the primacy of controls ADEQUACY, defined by reference to RISK, over control effectiveness (a measure of how the control operates in practice). After SOX we started to distinguish these concepts as DESIGN and OPERATING effectiveness. But how can one evaluate design effectiveness without reference to objectives and risk?

    What HAS come a long way since then is the Enterprise Risk tool set. Today’s auditor is much more likely to be able to articulate what is missing in the RISK space – in other words, to describe where management has not defined its objectives and risk appetite/tolerances sufficiently clearly. PwC is right. Since COSO – ERM there has been no excuse in theory for ignoring the vital risk dimension. But of course organizational change can be slow, ERM has had a mixed reputation because of the consulting industry’s over-selling of it, and auditors must always operate in a real world context. I use a surfing analogy: neither too far ahead, nor too far behind, the crest of the organizational wave.

    (in his spare time Quixotree is also a Head of Internal Audit in a financial services organization). Thank you to Norman for another thought provoking post.

  4. September 6, 2012 at 6:07 PM

    I’m still learning from you, but I’m trying to achieve my goals. I certainly love reading everything that is written on your blog. Keep the tips coming. I enjoyed it!

  5. Peter
    September 11, 2012 at 9:58 PM

    The controls centric approach was something new introduced by the External Audit firms to make money, particularly out of SOX. It was not the approach I used at two of the Big 4 audit firms I worked at in the 1980’s and 1990’s. The approach I was familiar with was to focus on Control Objectives. In other words: the outcomes, the risks associated with these outcomes and the objectives for controlling the risks. In other words, “getting business processes under control”.

    To make money, you need to leverage junior staff. The easiest way is to create a checklist and give it to juniors to use. The profits are enormous, albeit that the quality of work is shocking.
    I am afraid the controls-centric approach was contrary to the 1992 COSO Integrated Framework and the 2002 ERM framework.

    Any organisation that uses a controls-centric approach is out of line with generally accepted risk management practices – which in the more recent years includes the Big 4.

    So I am afraid moving away from a controls-centric approach is not crystal ball stuff, it’s actually about correcting a known incompetence.

  6. September 18, 2012 at 5:47 AM

    “Alternatively, internal audit may choose the path we believe is more likely to lead it to meet the evolving needs of modern organizations, and the rising expectations of senior management and audit committees. This path involves moving beyond the fundamentals of risk and controls to create a new internal audit value proposition.

  7. Mike Corcoran
    February 27, 2013 at 12:27 PM

    Yes we called for this at C&L in 1997.
