Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

A Framework for Root Cause Analysis

Quite a while ago, I started a series of posts regarding identifying root causes. At the end of the last post, I ended with an apology for ending that post with a bit of a cliffhanger. But I also promised I would quickly continue the discussion. Now I have to start with another apology, this time for just how long it has taken to continue the discussion. For one, life gets in the way. But, perhaps more importantly, as I began thinking (and typing — it's how I think these things through) about the things I wanted to say, what I wanted to say started morphing into something different than I first thought. And it's taken me a while to get to the half-formed ideas you're about to see.

Two-and-a-half months ago (yes, two-and-a-half months ago — I told you an apology was in order), I was discussing root causes. (It's been so long you may want to go back and catch up on what this was all about.) In the first post, I provided an example of one of the best root cause analyses I've ever seen. It was from the book The Power of Habit: Why We Do What We Do in Life and Business by Charles Duhigg. In response, a number of people posted some of their stories, all similarly excellent examples of good root cause analysis.

In the next post, I talked about the five whys, its role in finding true root cause, and how, in spite of the effectiveness with which we use this approach, internal auditors may still not be getting to true root causes. I ended that post by promising a discussion about common root causes and the potential for an inventory of those causes.

So, finally, it's time to move on.

To start out, we have to recognize that the concept of categories of root causes is not necessarily a new thing. If you do a search (and I did just that before I really started going down this rabbit hole), you will see various attempts by various people in various professions to define such frameworks. However, none of them get to the kind of root causes we are looking for in our operational-oriented, value-adding approach to internal audit.

So, to get a handle on what potential categories might exist, I began putting together a list of what I felt were common root causes. In the process, a framework began to develop. And, as I fleshed it out, it began to look familiar. And then I slapped my hand against my forehead, said "D'oh," then said "Ouch," then got a Band-Aid brand adhesive bandage to cover the associated cuts and contusions, and then …

Wait. Before we get into the revelation, let me tell you two stories.

Story No. 1: What got me thinking about this concept of fundamental root causes was an audit I was involved in a number of years ago. Our audit found that the department under review was not performing an important control step. The exact details are not important here. It could have been gaining an approval, it could have been completing a reconciliation, it could have been any of the myriad steps that need to be completed to ensure successful accomplishment of a process. Suffice to say it was not being done.

Discussions with the client revealed, quite simply, they did not have the resources to accomplish this task. Bam! True root cause. Solution? Get more resources. Put a little more formally, the root cause was that inadequate resources resulted in the department being unable to complete the task; the corrective action was to address the lack of resources — hire more people, move the task to another department, etc.

Later, we got to talking within internal audit and we had one of those epiphanies that come too late to be of any value. (The French have the perfect phrase for this one. Esprit de l'escalier, which loosely translates to "the thought at the stairs" or perhaps more precisely "wit of the staircase." Basically, it is when you come up with the perfect reply, only it is far past the time when you could use that reply. Think George Costanza and "Well, the jerk store called and they're running out of you.") We had missed out on a chance to not only provide a better solution, but also provide training that would be impactful for the entire company.

If you do not have the resources to do everything that is required, then you must make a decision about which tasks you will perform and which you will not perform. In effect, you should be performing a risk assessment. What are the risks of not doing certain steps? Which steps can be eliminated with the least impact on the department's success?

However, in my experience, I have never seen a department approach lack of resources with such a thorough analysis. The decision is made accidentally. The step in the process that gets dropped is the one that falls through the cracks or just hasn't come up yet or, for whatever reason, is the one everyone wants to avoid.

If we had been doing an effective job of root cause analysis, we would have identified the lack of a structured risk assessment as one of the reasons for ineffective controls. And it would have provided an excellent opportunity for us to help train the department on what risk assessment was really all about.

Keep that concept — risk assessment — in mind as I tell story No. 2.

A number of years ago, we worked with Sally Cutler to redesign our reports. Sally did a fantastic job (as she always does) and some very powerful and successful changes were accomplished. However, the most interesting change was the inclusion in all findings of COSO's Internal Control–Integrated Framework. That is, for every issue, we included the internal control framework component related to the breakdown.

It was genius on many levels. First, it required us to make sure all internal auditors fully understood the components of COSO's Internal Control–Integrated Framework. Second, it provided us an opportunity to begin training our clients on those components in a very positive manner. (We didn't start out with "Let me tell you about a little thing called COSO." Instead, we just started including it in the reports and, whenever a client asked us what that section was all about, we could have a conversation that was rooted in curiosity rather than force-fed information.)

And there was one more thing it should have done — help us better understand our root causes — how they weren't always just about controls, but could be anything from control environment to monitoring activities.

Unfortunately, I can tell you we did not live up to the promise of that final benefit. Yes, there was good training occurring with the auditors and with our clients. But where we really missed the boat was on understanding how our findings related to the control framework.

And that is where story No. 1 comes in. Had we been digging for deeper and more impactful root causes — had we paid attention to the lessons we were meant to learn from the restructuring of our audit reports — we would have seen that getting resources was only part of the answer. The real solution was within the internal control framework.

And that is where my exploration of potential frameworks suddenly led me — where I had my "D'oh!" moment. The framework for root cause already exists, and it is called COSO. If we want to really get at a root cause about why a risk to an objective may not be properly mitigated, then we need to dig deep enough to see how the control framework is impacted. Maybe it does relate to control activities — the control activities established do not properly mitigate the risk to objective achievement. But, perhaps it is an issue with the control environment (the organization is not holding individuals accountable for their internal control responsibilities) or monitoring activities (the organization is not communicating internal control deficiencies timely) or risk assessment.

To ensure you have truly gotten to a root cause, take a look at the control framework and make sure your cause fits in with the broader picture this framework paints.

And, technically, I've reached the conclusion I was looking for at the start of all this. But I still think there is some value in identifying the common root causes that are out there. So, next time, I'll share some of the ones I came up with.

Until then (and I will do my best to make "until then" a very short period of time), think about some of the causes that you have heard, and determine if they might be considered "common" issues. Or is there something deeper that needs to be identified? Then we can compare and contrast.
