As internal auditors, we are often tempted to stress in our reports the conditions we observe. After all, conditions that result from risk management or control failures can often be described in compelling terms. A failure of a new IT system, a key compliance requirement, or a critical financial control are sure to rivet the attention of management and the board. Internal audit reports also frequently include in-depth discussions of the effects associated with the conditions. After all, the only thing more sensational than describing something that is broken is regaling the reader with all of the consequences of the breakage.
While reports that include extensive narrative on conditions and effects can make for great prose, they often fall short of adding real value. I once had a manager who readily admitted that he had problems. He pleaded with me at the outset of the audit not to come back and tell him what he already knew. In his words, “I don’t need someone to come in here and tell me I have problems. I know I have problems. I need someone who can tell me how to fix them.” It was the recommendations that would be included in the report that would help him the most.
Criteria (what should have been), conditions, effects, and recommendations are often cited among the core elements of “audit findings.” But there is another element that is often the least understood, and perhaps the most critical: the cause (or root cause) of the conditions. Without understanding the cause, it is virtually impossible to offer sound recommendations for corrective actions.
Many who are new to the profession, or who have not been adequately trained, will often gloss over the cause of problems, because an accurate assessment may require the time and skills that are lacking. However, a superficial explanation is rarely adequate, so root cause analysis is necessary. As a chief audit executive (CAE), I was often suspicious of audit recommendations for management to hire more staff or provide existing staff with more training. These recommendations were easy to make, but also signaled that the internal audit team might not have grasped the root causes of the condition.
The U.S. Government Accountability Office was a pioneer in promulgating auditing standards (The Yellow Book), and was one of the first to offer guidance on the key elements of an audit finding. In the current Yellow Book, the GAO offers the following guidance on identifying the cause associated with an observed condition:
“The cause identifies the reason or explanation for the condition or the factor or factors responsible for the difference between the situation that exists (condition) and the required or desired state (criteria), which may also serve as a basis for recommendations for corrective actions. Common factors include poorly designed policies, procedures or criteria; inconsistent, incomplete, or incorrect implementation; or factors beyond the control of program management. Auditors may assess whether the evidence provides a reasonable or convincing argument for why the stated cause is the key factor or factors contributing to the difference between the condition and the criteria.”
The IIA’s Practice Advisory on root cause analysis points out that, in certain circumstances, identifying a root cause can be as simple as asking “why” in a five-step process:
“The worker fell. Why? Because of oil on the floor. Why? Because of a broken part. Why? Because the part keeps failing. Why? Because of changes in procurement practices.” Why?
It’s imperative that we craft internal audit findings to include each of the “5 C’s” discussed above: Criteria, Condition, Consequence/Effect, Cause, and Corrective Action/Recommendation. But, while each of the 5 C’s is important in our reporting, we must never lose sight of the fact that, when performing our internal audits, root cause can be infinitely more revealing than any of the other “C’s.”
It has often been said that internal auditors cannot see the forest for the trees. However, my experience is that we often cannot see the roots for the trees. The next time you are crafting or reviewing an internal audit report, I challenge you to assess whether the findings dig deep enough to expose all of the roots.