Risk: The Root of the Matter

The most common approach to root cause analysis is the Five Whys technique, which involves asking a succession of questions to discover why a problem occurred. However, the major shortcoming of this approach is that it implies there will be just one root cause for a problem, which is rarely the case. To get to true root causes, internal audit functions should look beyond the Five Whys.

Not All Causes Are Root Causes

To excel at root cause analysis, internal auditors must first understand the different types of causes. First, there are immediate causes, such as the Titanic striking an iceberg in April 1912. Second, there are contributing causes, such as design problems with the ship’s bulkheads and the lack of lifeboats. Then, there are root causes, which are the underlying reasons why problems arise. In the case of the Titanic, several root causes were identified from two inquiries, culminating in the International Convention for the Safety of Life at Sea, published in 1914.

Root causes explain why things go wrong rather than simply who or what might be responsible for a problem. As a rule, people will never be the root cause of a problem, although they may be an immediate or contributing cause. This is not to say that an organization should not discipline or fire a perpetrator in the case of a fraud or other ethical breach. However, a root cause frame of mind asks auditors to go beyond blaming people, and ask: “Were our anti-fraud arrangements adequate?”

So, if a supervisor failed to properly check a payment that was fraudulent, auditors need to ask why he or she didn’t heed any warning signs. Was it because of poor training? Or were workload pressures a factor? Good root cause analysis is about asking why human factors were not adequately addressed when designing processes and systems.

Get Comfortable With Multiple Causes

“The Bowtie Diagram” demonstrates why multiple root causes should be expected. It illustrates how threats can result in incidents or risk exposures that can, in turn, result in consequences of different sizes. Organizations use detective and preventive controls to stop incidents from arising and may use recovery controls to reduce adverse outcomes. This means if something goes wrong, or nearly goes wrong, at least one preventive and one detective control and perhaps a recovery measure will have let the organization down. It cannot be due to just one failure point.

Three-way Five Whys

This takes auditors to a “minimum viable” root cause analysis technique, the Three-way Five Whys (3W5W). This method builds on the Five Whys to guide internal auditors to explore reasons why from more than one perspective.

If auditors see an incident or a risk exposure, they should begin by collecting facts and evidence and putting that information in a timeline. Next, auditors should look at the reasons why the problem could not be, or was not, prevented. For the detection part of the test, auditors should ask why the risk exposure was not detected before an incident or before internal audit found the problem. For the recovery section, auditors should ask why any recovery measures such as business continuity plans or other relevant measures were not in place or working effectively.

The 3W5W technique enables internal auditors to establish insights in three dimensions. So, if auditors identify a root cause for an overpayment as: 1) A failure to implement a proper approval or segregation of duties, they also must ask: 2) Why was there no mechanism or person to detect that this preventive control was absent?

Internal auditors also can use a range of other root cause analysis techniques, including fault trees, the fishbone diagram, and causal loop analysis. For example, a fishbone diagram can help auditors think about the reasons why things aren’t going as planned and aid thematic analysis.

Audit Requirements

The Global Internal Audit Standards direct internal audit functions to develop and document methodologies for root cause analysis. This means auditors need:

1. An explanation of different cause types (immediate, contributing, and root).
2. A list of root cause analysis templates. Some of these techniques, such as the bowtie diagram and 3W5W, will be used more frequently, while other methods may only be used some of the time.
3. A clear explanation of how root cause analysis should be carried out as part of audit engagements and used in audit reports.
4. An explanation of themes collected, categorized, and reported to senior management and the board. Because cause types must explain why, people, processes, systems, and culture are not best practice cause types.

In addition to meeting Standards requirements, there are good practices internal auditors can follow when performing root cause analysis.

Don’t Leave It Until the End of an Engagement. Internal audit should consider using root cause analysis at the start of an audit engagement, allowing them to seize opportunities to add value. When done well, by the time audit teams complete a work program, they may already know most of the key causes that are driving findings. Good root cause analysis should not slow down the audit process — it often speeds it up.

Shorten Audit Reports. Root cause analysis benefits audit reporting because auditors can combine excep­tions — which may be symptoms — into key points in the document.

Share Practices Across Departments. Sharing good root cause analysis practices with other business functions will support coordinated assurance activities and board reporting and sharpen the focus of governance, risk, and control improvement programs.

Get a Good Under­standing of Behavior and Culture. According to the 2023 Organizational Culture and Ethics Report, published by the Chartered Institute of Internal Auditors and AuditBoard, nearly half of internal audit functions surveyed say they use root cause analysis to understand organizational culture. After all, if auditors think culture is a cause of problems, they need to understand why the culture is not as they would like it. Even if cultural issues are attributed to problems with the tone at the top, auditors still must determine why the tone at the top is not the way it should be.

Masters of Analysis

Root cause analysis is an important tool to help internal audit teams upgrade the way they approach many activities — from engagement plans to engagement reporting. Implementing the new Standards requirements is an important first step, but beyond that, auditors should consider this technique as a powerful tool to strengthen their critical and strategic thinking. A disciplined approach to root cause analysis can give auditors an edge when analyzing situations and help the audit function demonstrate its rightful place at the head table.