All you internal auditors out there, take note: PricewaterhouseCoopers has published a paper clarifying what you ought to do with your life.

Titled “Internal Audit: An opportunity for transformation,” the paper suggests internal audit departments should shift their focus to auditing business risks to protect shareholder value. For too long, the authors say, companies have relied on financial models or credit ratings to gauge risks, and now those methods have turned out to be bogus. Companies should return to old-fashioned due diligence—and thus, enter the internal auditor.

Internal auditing always fascinates me, because when I started writing for Compliance Week, I assumed corporations already knew what internal audit departments were supposed to do and how to put them to work. In the intervening years, I’ve found just the opposite to be the case; nobody knows whether internal auditors should be in charge of Sarbanes-Oxley compliance, financial controls generally, or whatever else comes to mind. To PWC’s thinking, business risks and shareholder value are the new black for internal auditors. Someone else will propose something different next quarter, I’m sure.

On one hand, the idea of internal auditors prowling around for business risks and protecting shareholder value strikes me as sensible. After all, somebody has to do it, and too often that person is not in the corner office. (Anyone doubting this should ask a General Motors shareholder what he thinks of CEO Rick Wagoner these days.) And internal auditors do have a knack for assuming the worst, finding the weakness, or browbeating the masses into compliance. Those are all useful traits when it comes to passing judgment, and that’s what gauging business risk is all about.

Then come my doubts. Investigating business and strategic risks sounds a bit beyond the pay-grade of your average internal auditor. I’m also not entirely clear on how one “audits” a strategic risk, anyway. For example, what sort of documentation do you need to confirm that GM’s insistence on making large vehicles is risky? I’ve always thought those questions could be answered by exercising common sense, but that’s been in short supply around Corporate America for years.

I don’t mean to disparage PWC’s report; its suggestions are worth considering and they highlight a problem that does need to be addressed. But at its essence, the question is whether internal auditing departments are best used to audit changes in operations, as PWC suggests, or to audit adherence to policy, as most departments have historically done. I don’t know what the right answer is. Do you?

Topics