Chair: Derek Jamieson - Director of Regions, Institute
Institute: John Wood - CEO
Institute: Liz Sandwith - Chief Professional Practices Advisor
Speakers: Sara I James, Getting Words to Work www.saraijames.com
Chair's opening comments
Root cause is fundamental to our role as internal auditors; identifying findings, identifying root causes and helping to shape the future. Repeatedly reporting the same findings that are merely symptoms is not helpful to any organisation. A root cause is not always something complex and resource intensive to resolve. It can also be that something has simply fallen by the wayside or slipped through the net.
A poll was taken at the start of the session:
What % of findings, in an average year, are repeat findings?
In your audit report template, is there a specific section for root cause?
• Without root cause analysis, recommendations are a short-term sticking plaster on a gaping wound.
• HIAs are failing to provide risk-based assurance when they do not identify, share and support management to address root causes.
• The '5 whys' is a great technique for identifying root cause.
• Mind-mapping is also a useful tool to identify shared root causes across a variety of findings.
• HIAs need to be mindful not to confuse root cause with categorisation of audit findings.
• It is good practice to train internal auditors to look for and ask what the root cause of an issue is, identifying root cause during fieldwork rather than waiting until the findings or reporting stage and asking ‘so what’.
• 3 important questions:
• Why wouldn’t you have a section for root cause in the report? The poll results show that a significant number of participants do not do this. It is a missed opportunity for internal audit to demonstrate relevance and commercial acumen.
• Explicitly defining the root cause is a crucial step in defining recommendations that address the risk.
• Be wary of repetitive or circular reporting where the observation, risk and root cause say the same thing but rephrased. This is not root cause analysis. But it is a trap many internal auditors fall into.
• Think of root cause as revealing layers beneath the symptom that is showing – imagine peeling an onion.
• Root cause invariably leads to culture and people; communicating this effectively is key.
• It may require challenging, lengthy conversations with stakeholders to get to the root cause.
• Typical root causes include lack of diligence or lack of governance but look beyond this – why?
• Actions to think about:
• Root cause analysis is intrinsic to good risk management
The Institute has produced technical guidance on root cause analysis; disappointingly it is one of the least viewed/downloaded pieces of technical guidance.
Perhaps internal auditors think they are doing this well so guidance isn’t required?
Identifying the root cause is not always a simple task. In reality many internal auditors who think they are doing it are not thinking deeply enough about the findings.
In the current climate, HIAs have a responsibility to focus on what really matters to an organisation. Focusing on root cause is a valuable investment of time, even when the solution is not a quick fix. It demonstrates internal audit is focused and is operating efficiently. At a time when organisations are cutting costs and fighting for survival, highlighting the root cause of a finding supports the organisation operating efficiently and effectively and often reduces the time spent improving internal control or risk management.
Chair's closing comments
There can be serious consequences for organisations when internal audit fails to identify and report root causes including regulatory censure and failure. Internal audit often knows the detail but settles for reporting the symptoms rather than the root cause for a variety of reasons including rushing to complete the audit and not having the courage of one’s convictions.
From the results of the poll it is clear that there will be a significant number of findings which are not being remediated effectively i.e. the remedial actions did not address the root cause or were not sustained.
We must always challenge ourselves when identifying repeat findings. Did we really identify the true root cause, or have we inadvertently contributed to the development of weak actions that have cost money but not addressed the problem?
The message is very clear that this is still a journey for internal auditors. Please take time to look at the Institute’s guidance and make constructive suggestions to Liz.Sandwith@iia.org.uk if you think it can be improved.
Please contact me if you are interested in sharing your experiences on a particular topic with this forum; we welcome contributors as collaboration helps us all to develop and improve.
18 November – Disruption. Please join us to share thoughts and discuss what it means for us as internal auditors in our very volatile, uncertain and complex operating environments.
Communications: The ‘5 whys’ is a useful tool
Public Sector: The ‘5 whys’ is kind of helpful...
Anon: One common issue related to addressing the root cause will be when multiple organisations are supported by a shared services organisation/central support process, which, in itself, is outside the scope of the audit.
Communications: What is the right number of predefined root causes according to your experience?
FS: Do others use the same root cause categories as the risk team use - if so, have you encountered any issues in doing so?
Utilities: Same problem. We categorise root causes (governance, policies and procedures, etc.), but I feel that it doesn’t provide much insight.
FS: That is my problem too - all my audit findings fall into very bland categories such as inadequate process or failure of controls - I don't think these help us at all.
FS: It’s easy to confuse root cause with categorisation of audit issues
Charities: We don't have defined categories and tend to be a bit more bespoke in our reports; we've instead got a 'key themes' section in our report executive summary to pull out the pervasive underlying issues. And for less pervasive root causes it is more as was described earlier - really the root cause is the bulk of the finding content.
Communications: I think one of the confusions could be from the dual functionality of the root cause analysis: on one hand to find the best actions for the unmitigated risk, on the other hand it can provide insight to the Audit Committee about the key issues of control environment.
Utilities: When it comes to reporting for root cause be prepared to be patient to get appropriate actions. Root cause analysis can result in you having to go back up the tree and get wider overarching actions which may require investment. These may not be quick fixes and may take time to identify and agree.
Manufacturing: Agree with the comments about incorporating root cause in the overall exec summary and thematic comments. A simple question I use is "so what?" in terms of challenging whether we have articulated the risk and the root cause in terms of why this should matter to the business.
Public Sector: Completely agree with the ‘so what’ question.
FS: We also need to ensure the recommendations address the root cause to avoid it becoming a paper exercise.