Source:- Audit&Risk.org.uk, Author:- James Paterson
Often internal audit will flag up the same issues time and again without getting to the crux, or root cause, of the issue. This is why Root Cause Analysis (RCA) is essential to improving audits, writes James Paterson, the founder of Risk & Assurance Insights.
Over the past 14 years working in the internal audit arena I have seen a growing interest in the topic of Root Cause Analysis (RCA). My involvement in the topic has evolved from using it as part and parcel of a “lean auditing” approach, to running RCA webinars and seminars. I was also responsible for helping the Chartered IIA upgrade its guidance on Root Cause Analysis last year.
RCA is about identifying why an issue occurred, compared to simply reporting the issue or its immediate or contributing causes. Effective RCA techniques come from lean / six sigma disciplines and good techniques include the 5 Whys, the Ishikawa/Fishbone diagram, the logic tree and Pareto analysis (preferably in combination).
The IIA has a useful practice advisory (2320-2) on this topic:
“Auditors whose reporting only recommends that management fix an issue and not the underlying reason that caused the issue are failing to add insights that improve the longer-term effectiveness and efficiency of business processes and thus the overall GRC (governance, risk management and control) environment.”
It goes on to say: “A core competency necessary for delivering insights is the ability to identify the need for RCA and, as appropriate, actually facilitate, review and/or conduct a root cause(s) analysis.”
Consider an IT system implementation that was delayed and over budget. It can be tempting to:
In each case there is unlikely to be any real organisational learning when using one of these explanations because the underlying aim is often to close down thinking to avoid being held partly accountable for what went wrong.
However, by probing the symptoms in more detail using an RCA technique it is likely that multiple factors will have contributed to the problems that have been observed and these might include:
Thus an RCA process will normally be more “forensic” in relation to why issues have arisen and is actually less likely to blame any one individual or process. After all, even if an individual was out of their depth running a project, what did the project steering group do to satisfy itself that the project manager was able to do the job? So, we can see that the reasons for issues arising are often due to a complex blend of process, system and organisational factors which effective RCA should make clearer.
Apart from the fact that it is good practice to carry out robust RCA, my experience is that the growing interest in this valuable tool is due to three key factors:
My advice would be for audit teams to consider and debate:
If there is room for improvement in any of these areas, auditors should familiarise themselves with the IIA’s materials and either: