Most internal auditors would likely agree that audit findings can best be resolved by addressing, correcting, or eliminating the root cause as opposed to merely addressing symptoms, and that directing corrective measures at the root cause reduces the probability of recurrence. In fact, auditors whose reporting only recommends that management fix the issue — and not the underlying reason that caused the issue — could be failing to add insights that improve the longer-term effectiveness and efficiency of business processes, and thus the overall governance, risk, and control environment.
Root cause analysis enables auditors to produce deeper, more thorough reporting by providing an objective, structured approach to identifying and determining the most probable underlying causes of a problem or undesired event within an organization. It considers factors that result in the nature, magnitude, location, or timing of harmful outcomes (consequences) stemming from past risk events, or factors that may lie behind future risk events. The auditor uses this information to identify what behaviors, actions, inactions, or conditions need to be addressed to prevent recurrence of similar harmful outcomes.
Complex, serious, or pervasive problems are rarely the result of a singular event or failure. Frequently, a "perfect storm" of several causes forms to create an ideal environment for the failure to occur. Moreover, simply getting to the root cause to prevent it from happening again may not be enough — the consequences have to be addressed.
To better understand root cause analysis, two general myths need to be dispelled — the myth of the single root cause, and the myth that fixing the root cause alone fixes the problem. Upon recognizing these false notions, internal auditors can use several methods to perform root cause analysis more effectively on their engagements.
Multiple Root Causes
Many organizations mistakenly use the term root cause to identify one main cause. However, focusing on a single cause can limit the solutions set, resulting in the exclusion of viable solutions.
Internal auditors commonly use the Five Whys technique to explore the cause–effect relationships underlying audit issues, with the goal of determining the root cause of a defect or problem. By asking successive "why" questions, the nature of the problem as well as its solution usually become clearer. Asking "why" helps identify the causes associated with each sequential step of the defined problem or event. An example from The IIA's Implementation Guide 2320: Analysis and Evaluation illustrates this technique: "The worker fell. Why? Because oil was on the floor. Why? Because a part was leaking. Why? Because the part keeps failing. Why? Because the quality standards for suppliers are insufficient." By the fifth "why," the internal auditor should have identified or be close to identifying the root cause. (For another example, see the Five Whys Table.)
Although this technique can be useful, some experts contend that using the Five Whys leads auditors to mistakenly believe that only one true root cause to an issue exists — and that if they are successful in finding that root cause they will permanently solve the problem. In reality, several related or unrelated root causes are frequently responsible for the findings that auditors identify. (See Fault-tree Analysis for a variant of the Five Whys technique that better accommodates multiple root causes.)
Rather than assuming the presence of just one root cause, internal auditors should brainstorm with a team to identify all the potential causes that contribute to a problem. The process can result in multiple opportunities to mitigate risk and prevent problems from occurring. It is also helpful for auditors to think about root cause analysis in terms of three stages: identification, measurement, and prioritization. Using this approach, the structure of root cause analysis is analogous to the structure of a risk assessment (see "ERM vs. Root Cause" at right).
Identification
The cause-and-effect diagram represents a preferred tool for identifying multiple root causes. Also called a fishbone diagram — because its shape is similar to the side view of a fish skeleton — this method enables users to visually display the many potential causes of a problem or an effect, helping reveal key relationships among causes and provide additional insight into process behavior. It uses a graphical description of the process elements to analyze potential sources of process variation (see "Fishbone Diagram" below right).
When using a team approach to problem solving, differing opinions often arise as to the problem's root cause. The fishbone diagram helps capture these ideas and stimulate team brainstorming. It also can be used to structure the brainstorming session, as the diagram not only helps identify the many possible causes for an effect or problem, but also enables users to sort these ideas into useful categories:
- Man (people) — anyone involved with the process.
- Machine (equipment/technology) — any equipment, software, hardware, tools, supplies, etc. required to accomplish
- Measurements (management) — data generated from the process and metrics used to evaluate its quality, efficiency, and effectiveness.
- Method (process) — how the process is performed and the specific requirements for doing it, such as policies, procedures, and rules.
- Materials (inputs) — raw materials, parts, documents, data, etc. used to produce the final product or output of the process.
- Mother Nature (environment) — the conditions, such as location, time, and temperature, in which the process operates, as well as external factors that are not associated with the natural environment, including laws, regulations, and culture.
Causes derived from the brainstorming effort are grouped into these categories and then traced back to the root causes, which can be performed using the Five Whys technique in conjunction with the fishbone diagram. Because people by nature often like to start working on a problem as quickly as possible, this approach can help yield a more efficient and thorough exploration of the issues behind the problem, which in turn will lead to a more robust solution. (See Root Cause Summary Table for a tool that can be used to capture results from fishbone diagramming.)
Measurement and Prioritization
For the measurement and prioritization phases, the team can numerically confirm the proportion of each root cause's impact on the problem and rank them accordingly. Two root cause analysis tools can be especially useful in this process — the Pareto chart and the scatter diagram.
The Pareto chart illustrates the Pareto principle, frequently referred to as the 80/20 rule, which states that 20 percent of the population accounts for 80 percent of the phenomenon. The chart's purpose is to highlight the set of factors or activities that most contribute to a problem or opportunity (see "Pareto Chart — Types of Errors" below right).
By categorizing and displaying the supporting data for multiple causes, the Pareto chart can focus attention on the causes most important to resolving, reducing, or eliminating a problem. This approach can be particularly helpful when the team is:
- Analyzing data about potential root causes or the frequency
- Dealing with many different problems and causes but looking to focus on the most significant ones.
- Analyzing wide-reaching causes by zeroing in on their individual components.
Scatter diagrams pair causes and effects, with one variable on each axis, to look for a relationship between them. They can depict the relationship between a cause and an effect, between one cause and another, or even between one cause and two others. If the diagram reveals a relationship, then the possibility arises that one variable may be controlled by varying the other variable, or that two effects that appear related share the same cause. During root cause analysis, scatter diagrams can be useful for displaying and analyzing the relationship or correlation between cause and effect variables, which can help point to the true root causes of problems as well as facilitate ranking those causes in order of importance by strength of relationship (see "Scatter Diagram — Revenue vs. Sales" below right).
Fixing the Problem
The use of data analytics helps drive improved effectiveness in the way audit departments assess risk and execute audits. Pareto charts and statistical correlation tools such as scatter diagrams leverage data analytics for root cause measurement and prioritization to quantitatively determine the significance of the root cause(s) identified. Root cause analysis can be supported by data analytics during the measurement/prioritization phase by statistically measuring the potential impact of root causes observed and prioritizing them according to risk.
Once internal auditors have identified a root cause, or multiple root causes, they must be able to offer meaningful recommendations or management action plans to address the issue. But contrary to a common misconception, fixing the root cause alone does not necessarily fix the problem — auditors must also help address the damage or difficulties that emerged as a result. To better understand this idea, practitioners can benefit from reviewing a key foundational concept in audit report writing, informally referred to as the Five C's:
- Condition (what is).
- Criteria (what should be).
- Cause (why).
- Consequence [Effect] (so what).
- Corrective action plans and recommendations (what's to be done).
Well-written audit reports provide recommendations that address the underlying root causes of a problem, thus helping to ensure the condition will not recur. Because recommendations must resolve both the condition and the cause, the terminology used in the recommendation often mirrors or matches the terminology in the condition and the cause. Moreover, the recommendation must identify the action necessary to bring the condition in line with the criteria.
Irrespective of the reporting format an audit function uses, these elements should generally be included in some form in each finding to address and report audit issues effectively. For root cause analysis, auditors need to drill down a little further on the last two components — consequence and corrective action plans/recommendations — to ensure they add value.
When noting a condition's business impact in an audit finding, one of four levels may apply:
- Direct, one-time effect on the process.
- Cumulative effect on the process.
- Cumulative effect on the organization.
- High-level, systemic effect.
In response to these levels, three important types of recommendations/action plans can be considered. The first two are described in the IIA Practice Guide, Audit Reports: Communicating Assurance Engagement Results:
- Condition-based recommendations — provide an interim solution for correcting the current condition (e.g., removing inappropriate access).
- Cause-based recommendations — actions needed to prevent the condition/observation from occurring again. Root cause-based recommendations are typically longer term solutions and may involve more time (e.g., creating and implementing an access review policy).
A third type of recommendation/action plan must be considered when the root cause has created a consequence whose damaging effects must be remediated before business continues:
- Recovery-focused — address the consequences of the condition and describe what will be done to correct errors caused by it.
As illustrated by disasters such as the Deepwater Horizon oil drilling accident, which resulted in 11 deaths and caused the largest oil spill in U.S. history, identifying the root cause to prevent such a catastrophe from recurring is only one part of the solution — someone also has to clean up the oil. So, in addition to a recovery-focused root cause analysis effort to get to the root cause of the spill's consequences, a recovery-focused recommendation and action plan would be needed to address the environmental damage.
Internal auditors should consider that the level of the effect will drive the nature of the root cause analysis and the type of recommendation and action plan:
- Direct, one-time effect on the process (condition-based recommendation and action plan).
- Cumulative effect on the process (cause-based recommendation and action plan).
- Cumulative effect on the organization (recovery-focused recommendation and action plan).
- High-level, systemic effect (recovery-focused recommendation and action plan).
As noted in Audit Reports: Communicating Assurance Engagement Results, "Action plans are effective when designed and executed in a way that addresses the root cause." In that regard, root-cause analysis has the aim of generating and formulating agreed-upon corrective actions to eliminate, or at least mitigate, those causes to produce significant long-term performance improvement in addition to promoting the achievement of better consequences.
Reap the Benefits
The resources spent on root cause analysis should be commensurate with the impact of the issue or potential future issues and risks. Before starting root-cause analysis for more complex issues, internal auditors should bear in mind that additional time may be required to analyze the processes, personnel, technology, and data necessary to generate agreed-upon corrective action plans that eliminate, or at least significantly mitigate, the root causes. An effective action plan brings the condition in line with the criteria and addresses the potential or existing harmful outcomes stated in the effect. In the end, this approach will allow the auditor, audit client, and organization to reap the full benefits that a well-executed root-cause analysis effort can provide.