Root Cause Analysis for Internal Auditors

I ran another Root Cause Analysis (RCA) workshop this week in London, with participants from the Financial services sector, Oil and Gas and Public sector. All those attending agreed that proper RCA was important to get to the heart of issues and to enable Internal Audit to provide insights, but none had done any formal training of any length on the topic and most had no explicit, consistent, RCA methodology defined.

We explored the root causes of how such an important topic could be relatively neglected, which includes its absence from current IIA standards, and came up with themes that I have heard on many other workshops, ranging from: “As auditors we have a natural instinct about root causes” to “There is limited time during assignments to do a proper RCA” to “Robust RCA would highlight quite sensitive matters and put us into conflict with management”.

Over the course of the workshop participants learned a range of practical approaches to effective RCA, but the key underlying messages were:

  • There is no such thing as a single root cause to a problem – specifically there will be:
    • Why did the issue happen? and
    • Why was the issue missed?
  • Just because you have found one remedial action to a problem, you may still not have reached the real root cause(s)
  • RCA can often speed up audit assignments and provide powerful insights in relation to the audit planning process.
  • Finding repeating issues (“Groundhog Day”) is often symptomatic of insufficiently robust RCA

In one exercise during the day participants identified the most common issues that kept recurring in their organisations. Common themes included:

  • Overdue receivables
  • Not Treating customers fairly (Conduct)
  • Issues with new product launches
  • Customer due diligence
  • Salaries, bonuses and allowances overpaid
  • Policy non-compliance
  • IT security issues
  • User Access issues
  • Project issues
  • Past audit findings not properly closed
  • Slow decision making

And then participants worked through the “5 whys and 2 legs” technique and came up with the following list of root causes:

What we can see from this list is a significant amount of similarity in relation to underlying causes, despite the fact the surface problems are very different. What should also be clear is that one root cause alone will usually never be enough to cause a recurring problem – it needs at least one “friend” to help it hide and stay unnoticed.

It is beyond the scope of this paper to discuss all the latest good practices in relation to RCA for internal auditing, but my hope is that those with an interest in avoiding Groundhog Day will start to engage their audit teams on this important topic. You can do this by reading the IIA UK guidance on RCA that I helped to write, or by attending a workshop on this topic, or just starting to ask why more often (but remember the importance of the two legs – why did it happen, and why was it missed!)

James C Paterson
May 2017

Join our mailing list

We will keep you updated with news and events.


Contact and appointments:

Risk & Assurance Insights
T: +44 (0)7802 868914

Please also use our contact form