Getting to the root of the problem!

Source:- Audit&Risk.org.uk, Author:- James Paterson

Often internal audit will flag up the same issues time and again without getting to the crux, or root cause, of the issue. This is why Root Cause Analysis (RCA) is essential to improving audits, writes James Paterson, the founder of Risk & Assurance Insights.

Over the past 14 years working in the internal audit arena I have seen a growing interest in the topic of Root Cause Analysis (RCA). My involvement in the topic has evolved from using it as part and parcel of a “lean auditing” approach, to running RCA webinars and seminars. I was also responsible for helping the Chartered IIA upgrade its guidance on Root Cause Analysis last year.

What is RCA?

RCA is about identifying why an issue occurred, compared to simply reporting the issue or its immediate or contributing causes. Effective RCA techniques come from lean / six sigma disciplines and good techniques include the 5 Whys, the Ishikawa/Fishbone diagram, the logic tree and Pareto analysis (preferably in combination).

What role should internal audit have in RCA? 

The IIA has a useful practice advisory (2320-2) on this topic:

“Auditors whose reporting only recommends that management fix an issue and not the underlying reason that caused the issue are failing to add insights that improve the longer-term effectiveness and efficiency of business processes and thus the overall GRC (governance, risk management and control) environment.”

It goes on to say: “A core competency necessary for delivering insights is the ability to identify the need for RCA and, as appropriate, actually facilitate, review and/or conduct a root cause(s) analysis.”

Why effective RCA is not as straightforward as you might think

Consider an IT system implementation that was delayed and over budget. It can be tempting to:

• Blame external factors (“the IT contractor made things too complicated, adding time and cost”), or
• Find a politically acceptable reason for the problem (“the IT department didn’t manage the project so well”), or
• Adopt a fatalistic approach: “projects are always over budget and a bit late, it’s just one of those things”

In each case there is unlikely to be any real organisational learning when using one of these explanations because the underlying aim is often to close down thinking to avoid being held partly accountable for what went wrong.

However, by probing the symptoms in more detail using an RCA technique it is likely that multiple factors will have contributed to the problems that have been observed and these might include:

• Having no clear framework for assessing project effectiveness during its execution
• Having weak standards in terms of oversight of third parties
• Not having an explicit risk appetite concerning tolerances around project delays or cost over-runs
• Having an unrealistic project budget
• Having weak skills in the project team (or even of the project manager or steering group)

Thus an RCA process will normally be more “forensic” in relation to why issues have arisen and is actually less likely to blame any one individual or process. After all, even if an individual was out of their depth running a project, what did the project steering group do to satisfy itself that the project manager was able to do the job? So, we can see that the reasons for issues arising are often due to a complex blend of process, system and organisational factors which effective RCA should make clearer.

Why RCA is gaining an interest in audit 

Apart from the fact that it is good practice to carry out robust RCA, my experience is that the growing interest in this valuable tool is due to three key factors:

• An increasing realisation from internal audit teams that some issues keep arising, despite internal audit raising the same, or similar, audit points on a regular basis. I call this the “Groundhog Day” phenomenon. This is a clear warning sign that root causes are not being addressed effectively
• A recognition that understanding root causes is often a way of understanding the organisational culture (which is gaining a lot of attention in the UK financial services sector)
• An interest in writing shorter and more impactful audit reports, since some audit findings are really just symptomatic of key root causes not being addressed, meaning the number of findings in the report can be reduced.

Some practical steps audit teams can take 

My advice would be for audit teams to consider and debate:

• How often do issues repeat themselves (e.g. are there common themes uncovered by audit, or through any management incident reporting?)
• What does the current audit methodology say about the need to carry out a Root Cause Analysis or recommend that management do this?
• What guidance and training is provided to internal audit team members in relation to Root Cause Analysis – e.g. the 5 Whys, the Ishikawa diagram, logic trees, Pareto analysis? (Note: a combination of techniques is more powerful than just one.)
• What root cause categories are currently being used by the audit team, and how do these compare to the IIA guidance?

If there is room for improvement in any of these areas, auditors should familiarise themselves with the IIA’s materials and either:

• Start to pilot the use of techniques such as the 5 Whys and the Ishikawa diagram in selected assignments or
• Try to analyse the common themes in audit findings and assess the root causes for these using an organisational model such as Burke-Litwin or
• Consider whether more in-depth training could be used as a way of building internal audit team competence and clarifying priority areas for action.