![](/media/1gthk3dx/tools-for-the-job-root-cause-analysis.jpg?width=160&height=160&format=webp,webp&quality=70&v=1db1ee1ea9379d0 160w,/media/1gthk3dx/tools-for-the-job-root-cause-analysis.jpg?width=320&height=320&format=webp,webp&quality=70&v=1db1ee1ea9379d0 320w,/media/1gthk3dx/tools-for-the-job-root-cause-analysis.jpg?width=480&height=480&format=webp,webp&quality=70&v=1db1ee1ea9379d0 480w,/media/1gthk3dx/tools-for-the-job-root-cause-analysis.jpg?width=640&height=640&format=webp,webp&quality=70&v=1db1ee1ea9379d0 640w)
Tools for the job – root-cause analysis
If you have been following the development of the new Global Internal Audit Standards, you may be aware of proposals to incorporate root cause analysis (RCA). RCA is a vital tool for delivering insight and value and is invaluable for developing a better thematic analysis of findings (another proposed new requirement in The Standards).
I became familiar with various RCA techniques when I was Chief Audit Executive of AstraZeneca, but in the dozen years since I started working on this topic with others, I have seen a range of good and less good practices. I shared some of my research in my most recent book on the subject, Beyond the Five Whys, at IIA Global’s international conference in Amsterdam and believe these may interest internal audit colleagues more widely.
Seek multiple causes
First, I should point out that, while the Five Whys technique is still commonly used by internal audit teams, it implies there will be just one root cause for a problem. This is rarely the case.
The Bowtie diagram demonstrates why seeking a single root cause is a problem. Threats and risks can result in incidents or near misses (risk exposures) which can, in turn, result in consequences of different magnitudes. We use detective and preventative controls to stop incidents (risk exposures) arising, and then recovery controls to reduce the severity of the impacts if these fail.
So, if something goes wrong, or a risk is out of tolerance, at least one preventative and one detective control has let us down (and possibly the recovery measures
as well).
Typically, a range of prevent and detect controls are necessary, so a minimum viable technique for RCA is the Five Whys Two Legs, or the Three-way Five Whys.
Some audit teams may find it hard to stop seeking a single cause for an audit observation, but sometimes we must take a step back from a simplistic approach, to take two steps forward.
Consider cause types
Further problems with RCA stem from a failure to recognise the differences between cause types. There are immediate causes, (a spark), plus contributing causes (dry tinder on a forest floor), and then there are root causes (a range of other things that reduce or increase the chances of a forest fire). Root causes are the underlying reasons why problems arise. Understanding root causes helps us to address classes of problems rather than single problems or faults.
Thus, a person who makes a mistake – or who deliberately causes harm – is not a root cause. If we find fraud or bribery and punish the perpetrator, we still need to ask: “Were the anti-fraud or anti-corruption arrangements adequate?” Were there shortcomings in risk assessments, processes, systems, etc, that explain why the fraud or corrupt act was possible?” It’s not about one person’s behaviour.
Think about the whole system
It is also about systems thinking – stepping back to see the bigger picture of connections and dependencies. When we find a fraud, or corruption, punishing the person should not end the story. The deeper question is “What in our organisation as a system (processes, policies, etc) made this possible?”
When you think this way, you start to question whether the organisation is serious about addressing certain risks properly. This may extend to questioning the clarity of roles and accountabilities, the maturity of certain processes (and the resources invested in making them work) and the way incentives and deterrents work. There are eight main causal factors that can explain many problems we might see, although which of these applies in a specific situation depends on the facts and circumstances of the case.
It’s also important to watch for repeating problems – for example, out-of-date access rights or projects running into difficulty – which invariably indicate systemic problems. If you recognise that “every system is set up to get the issues it currently gets”, you will see how issues are recurring because underlying causal factors have not been addressed or resolved.
Additional points
• Using a technique such as the fishbone diagram for RCA can help the audit team to cluster the reasons for problems into common categories, which can then aid thematic analysis. Remember, however, that the common categories of “people, process and systems” do not explain why something happened. Similarly, identifying “culture” or “tone from the top” as a root cause does not explain why the culture or tone at the top is failing.
• Effective RCA in internal audit starts at the beginning of assignments, not at the end. Sometimes root causes for problems lie between departments or across a process. If you scope an assignment without thinking about possible root causes, you may find an important cause is beyond the scope of what you planned to do. In these circumstances you might need to extend an assignment mid-way to draw out the causes, which can cause delays and frustration.
• It is not true that RCA will inevitably extend internal audit assignments. Indeed, it can be a valuable tool to help you zoom in on critical causal factors during the execution of work programmes and speed up assignments. By the time you finish a well-designed work programme, you should already know most of the key causes.
• RCA helps to produce better audit reports, because it can enable you to combine observations (which may be symptoms) that highlight issues and relevant actions at the level of more significant (and insightful) underlying problems.
• Because actions to address root causes may be more substantial than quick fixes, the internal audit team should, obviously, consider the cost/benefit of what they are proposing management should do. Consequently, it is essential to pay attention to the potential impact of risk control shortcomings, not just to the current impact of what has been found.
Lastly, being good at RCA has benefits beyond internal audit assignments. It can help an internal audit team to think critically about current challenges. For example, if we look at issues such as repeated problems getting management to implement audit actions fully and sustainably, we might find that the problems stem from shortcomings in how actions were agreed, a failure to set interim milestones, or lack clarity about verification requirements to demonstrate that a risk is now “in control”. Put simply, RCA is a general purpose tool to help an internal audit team think more carefully about the challenges it encounters.
Lastly, being good at RCA also helps us to understand better some of the cultural aspects of organisations and it is worth noting that recent research by the Chartered IIA identified that nearly 50% of internal audit teams use RCA as a tool for understanding organisational culture. This is another reason why it’s timely that IIA Global is giving this important technique a new prominence.
James C Paterson is Director at Risk & Assurance Insights Ltd. He is the course tutor on the Chartered IIA’s course on Root Cause Analysis. He is the author of “Lean Auditing” and “Beyond the Five Whys. Root Cause Analysis and Systems thinking,” published by Wiley.
This article was published in January 2024.