Identifying areas of strength in an organisation and providing meaningful challenges that drive real business improvements are a central purpose of internal audit and what makes internal auditors valuable. However, too often this information lies segregated in separate audits. It can be hard to extract and compare data that is buried in findings issued to different functions and, as a consequence, internal audit can fail to spot common themes that could help managers to prevent issues happening elsewhere.
I’ve spent the past eight years of my career leading internal audit functions at the forefront of managing risks to critical national infrastructure. In my last role, as head of internal audit at Network Rail, my team and I wanted to use the entire volume of audit findings and recommendations from previous reports, so we asked how we could cut through the complexity of that information, identify key themes and turn these into tangible actions aligned to business strategy and goals.
One key issue was to tackle the root causes of problems, rather than focusing on the symptoms. This was a long-term aim, but previously we had found it hard to make progress. Root causes can be complex and it can be difficult to compile evidence because the underlying pattern they create becomes clear only over a period of months or years.
We knew that if we were to identify and articulate these patterns faster, we needed to change the way we thought about them and new methods of analysing all the available information.
I used to ask my team members “if you stepped into a lift with the chief executive tomorrow, how would you summarise the lessons we have learnt from our internal audits?”. There’s nothing wrong with explaining what we learnt in the past month, but could we explain what we learnt in the past quarter, year or two years? We needed instant access to these important lessons before we could hope to understand the root causes behind our audit findings and present them in an articulate, accessible and aggregated way to our board.
To achieve this, we collaborated with EY’s risk practice to build and embed a bespoke Root Cause Framework (RCF). We began by identifying eight discrete categories, which are “level 1” root causes (see dashboard on page 60), defining the root cause of internal audit findings, observations and any associated behavioural factors. This is one of the RCF’s most significant features, because it allows teams to align audit observations directly with root causes, making it easier to identify underlying patterns and pinpoint weaker areas.
The data-led framework was flexible, so that it could be applied either “live” during an audit, or retrospectively to previous audit reports. This gave us access to a bank of high-quality root cause information that could be used to underpin evidence-based insights into the risk and controls landscape.
The project team faced significant challenges. We had to develop and implement the RCF with minimal disruption to ongoing internal audit activity, while ensuring that the root causes we identified were sufficiently objective. We also had to assess the best way to report back on audit findings, using the information effectively and enriching institutional knowledge.
Given this was a new way of analysing data, we needed a new way to present it to the business. We wanted it to be user-friendly, but also to drive insight and change across the organisation. Using Power BI, we created custom visuals that depicted the key messages in a striking, impactful way that we hoped would resonate with stakeholders. Users follow an intuitive click-through approach and can drill down through every graph to discover everything from the headline number of findings rated as “serious” in one part of the organisation to the details of the individual audit findings that were raised.
The RCF has helped to generate more informed conversations about internal audit findings, while the dashboard interface makes the underlying themes clear to stakeholders. For example, the root cause of multiple internal audit findings might be a gap in procedural documentation or supporting training, but this only becomes clear when you have the power to recognise and interrogate patterns in audit data across all audits.
Business risk and control owners can now access the RCF dashboard in real time to see where their core weaknesses lie. This knowledge, presented in a visually engaging display, makes it easier for managers to address issues proactively. This has reduced the amount of follow-up activity that the internal audit team has to do, has improved relationships and means that internal audit is now perceived more positively in the organisation.
At the touch of a button, we can now analyse root-cause information by:
• Business area: looking at each function and regional business, identifying information and making comparisons specific to
• Trends over time: examining core processes, root-cause category or the severity of audit findings.
• Core process area: enabling central executive team owners to see what issues are being identified in their areas of accountability.
• Theme, eg, capital projects: providing information about where issues are being found in key projects and programmes.
This was a turning point because it enabled the internal auditors to make business managers aware of, and to address, systemic governance, risk management and compliance (GRC) issues themselves, rather than just responding to audit findings as they arise. It also enables the board and executive management to have an overview of the performance of the internal control framework at any given time.
This approach helped us to progress the conversations between management and internal audit and helped the team to leverage the organisation’s huge bank of GRC information and intelligence. Not only did this help the internal audit team but, more importantly, it helped the broader business.
The RCF has enabled the team to achieve things that it could not do previously. During audit fieldwork, the team uses the framework to identify level 1 and level 2 root-cause categories. For example, if an issue arises with governance (a level 1 category – see dashboard), auditors can now describe the issue more specifically than before and say that governance was “not fully defined” or “not operating as intended”, or that there were “gaps in oversight” or problems with “organisational structure” (all level 2 categories).
This metadata is captured and tagged across all audit findings by business area, finding rating and core process area. Once this data is aggregated and represented visually, we can start to identify common themes and trends that we can use to plan audits and understand the status of controls across the business. The board can use it to ascertain areas of concern or strength, and the business can use it to pinpoint where improvement is required and identify possible interventions to make.
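As an added illustration (not the article's, Network Rail's or EY's own code), here is a minimal Python model of the tagging and aggregation just described: each finding carries its business area, rating, core process area, reporting period and level 1/level 2 root cause, and the same records can then be counted along any dimension or drilled into for the individual findings behind a headline number. The sample findings, and every category name other than “Governance” and its level 2 sub-categories quoted above, are constructed for this example.

```python
# Constructed model of Root Cause Framework (RCF) tagging; all records and the
# non-governance category names below are invented for illustration.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    audit: str           # audit reference (constructed)
    business_area: str   # function or regional business
    process: str         # core process area
    rating: str          # finding rating, e.g. "serious", "moderate", "low"
    quarter: str         # period in which the audit reported
    level1: str          # level 1 root-cause category
    level2: str          # level 2 root-cause sub-category


FINDINGS = [
    Finding("A-01", "Region North", "Asset maintenance", "serious", "2021Q3", "Governance", "Gaps in oversight"),
    Finding("A-01", "Region North", "Asset maintenance", "moderate", "2021Q3", "People and training", "Training not provided"),
    Finding("A-02", "Region South", "Contract management", "serious", "2021Q4", "Governance", "Not operating as intended"),
    Finding("A-03", "Finance", "Payments", "moderate", "2022Q1", "Process documentation", "Procedure not documented"),
    Finding("A-04", "Region North", "Contract management", "serious", "2022Q1", "Governance", "Gaps in oversight"),
    Finding("A-05", "Capital projects", "Project controls", "serious", "2022Q1", "Governance", "Gaps in oversight"),
    Finding("A-06", "Finance", "Payments", "low", "2022Q2", "Process documentation", "Procedure not documented"),
    Finding("A-07", "Region South", "Asset maintenance", "moderate", "2022Q2", "Process documentation", "Procedure out of date"),
]


def theme_counts(findings, *dims):
    """Count findings by one or more tag dimensions, e.g. ("level1",) or ("quarter", "level1")."""
    return Counter(tuple(getattr(f, d) for d in dims) for f in findings)


def drill_down(findings, **filters):
    """Return the individual findings behind a headline number, matching every given field value."""
    return [f for f in findings if all(getattr(f, k) == v for k, v in filters.items())]


def top_root_cause(findings, business_area=None):
    """Most frequent (level 1, level 2) pair, optionally restricted to one business area."""
    subset = drill_down(findings, business_area=business_area) if business_area else findings
    (l1, l2), n = theme_counts(subset, "level1", "level2").most_common(1)[0]
    return l1, l2, n


if __name__ == "__main__":
    print(theme_counts(FINDINGS, "level1"))            # headline counts per level 1 category
    print(top_root_cause(FINDINGS, business_area="Finance"))
    for f in drill_down(FINDINGS, business_area="Region North", rating="serious"):
        print(f.audit, f.process, f.level1, "/", f.level2)
```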
Before we had the RCF, we spent significant time re-reading audit reports to identify common themes – none of the information was at our fingertips. Our conversations with the board focused more on recent audit activity rather than cumulative intelligence. Although the business could access the reports we had issued, it was not easy for managers to access these to improve their understanding of control issues on a real-time basis.
Direct financial savings are hard to quantify, but the RCF has certainly saved hours of internal audit team time when planning audits, sharing information with stakeholders and preparing for committee meetings. It’s also helped the team to make huge strides in building relationships and positioning the function as an agent for change in the business, helping to bolster other lines of defence by sharing easily accessible information.
One real change was clear when we came to prepare the annual audit opinion for the board. The new information we could access enabled us to analyse the work of internal audit through a far stronger lens – we could offer overviews from numerous audits that could be cut in a number of dimensions. For example, for the first time we could easily analyse and compare business performance by function, by process area and by timescales. We could then drill into the detail to support these thematic assessments with specific audit findings so it was real and tangible for the audience.
Gerry Mansey is director of internal audit at Pay.UK. He was previously head of internal audit at Network Rail, where the work discussed in this article took place.
This article was first published in May 2022.