Getting to the Bottom of It: Why Root Cause Analysis Is Vital

When you go to the doctor, do you want them to tell you what’s really wrong with you so that you can begin to treat the actual illness? Or are you content with that doctor only treating the symptoms, leaving the actual illness undiagnosed? Of course not. Well, issuing reportable conditions (audit findings) that do not address root cause isn’t much different.

Root cause analysis is a way for internal auditors to get at the underlying reasons for why a particular condition exists. Too often, an internal audit might identify areas of concern, such as control weaknesses, error conditions, process failings, risks not being adequately managed, and more. The audit might also propose recommendations for corrective actions. But what if the underlying reasons that cause the condition to exist go much deeper? Without root cause analysis, the reason for the condition could be misreported and the recommendations offered would not actually address the real issues.

“Without a solid root cause analysis, internal audit recommendations will tend to treat the symptoms, but not the disease,” says Mary McVeigh, vice president of quality and internal audit at Heritage Insurance. “As a result, you’ll see repeated findings year after year, with little value added from the audit process. When we perform effective root cause analyses, we can recommend treatments for the disease, and often those recommendations lead to process improvements that can benefit other areas of the company as well.”

Getting to the real source of problems is never easy. And some may even suggest that operating management is better equipped to do root cause analysis. Generally, that may be true. Yet conducting root cause analysis is still a proper role for internal audit, as management may not be objective enough to get at the true reasons for a problem. It’s even possible that the process owners themselves are actually the root cause for the condition existing.

Getting to the Source
Anyone who has gardened knows that if you do not pull a weed out from the root it will grow back again. The root is the real basis for the weed’s existence, not the stalk, the leafy outgrowths, or the flowering head.

Such can be the case for conditions that exist and are reported during an audit.

You may find a control weakness, for example, that you address as an issue and identify and report as a finding. But then a future internal audit of the same area finds that the reportable condition still exists. In other words, the weed has grown back. Internal audit didn’t get to the heart of the issue and address the real problem.

Reporting on the cause that gives rise to a reportable condition is what internal auditors must do.

Certainly, nearly every internal auditor is familiar with the common construct for writing good audit findings for their audit reports, known as the 5-C’s:  Condition, Criteria, Cause, Consequence, and Corrective Action. Cause is one of the key elements. Well, would not having a good way to diagnose and get at the real cause make any findings more meaningful and position the organization to address the matter more effectively?

“Often we can easily identify deviations or exceptions when doing our work. It is important for us to view these instances as potential symptoms, instead of exceptions,” says David White, chief internal auditor at Louisiana Workers’ Compensation Corp.” If we can find the one thing that might make the several items to ‘go away’… we have then identified the root cause and will very likely have a very worthwhile recommendation for management to consider. This is one way we can demonstrate our value as trusted advisors.”

The Chartered Institute of Internal Auditors has a great definition for root cause analysis. It reads, “Root cause analysis is a process for understanding what happened and solving a problem through looking back and drilling down to find out why it happened in the first place. Then, looking to rectify the issues so that it does not happen again, or reduce the likelihood that it will happen again.”

Beyond Reporting Control Failures
During an audit, items often surface that should be reported to management that will require some corrective action. Let’s say internal audit is looking at the functioning of a particular control and its finds that there are times where exceptions got through and were not caught, or prevented, because the controls did not work as expected or desired. As part of internal audit’s reporting on the condition, it recommends that the controls be addressed so that they work all the time. At some later date, internal audit comes back to do some follow-up or another audit of this area to investigate the functioning of control activities, and finds that the same previously reported exceptions are still occurring … nothing has changed.

If internal auditors default to findings like “x” is broken and our recommendation is nothing more than “fix x,” then we are just doing compliance work. Not that there is anything wrong with that. But where is the insight in that recommendation? A recommendation, however, that gets at addressing what the real root cause is and proposing potential solutions is where internal audit can truly add value.

Perhaps we did not get at the real reason why the control was failing, and only reported on the fact that the control was not working. We addressed the “what” but didn’t dig deep enough to understand “why.” By not addressing the real reasons why, we are not getting at the root cause and the error condition, perhaps not surprisingly, will persist.

Keep It Simple
There are a few formalized methodologies to root cause analysis, including fishbone diagrams, fault tree analysis, and other methods. But to me, simplicity is often the best when complex issues are involved, and therefore the easiest thing to do to get at root cause is to employ the “five whys.”

Basically, once you find an error condition, ask yourself (or, better yet, have others ask you) why? Why does that situation exist? And, with your answer to that, ask yourself, or have others ask you, and why does that exist? Do this for as many as five iterations, and it is likely you will have found, or gotten much closer to, the root cause or the real reason why the originally found condition exists.

Here’s an Example:
Condition: You determine that discounts are not being taken on accounts payable.

Your recommendation: Put controls in place to ensure discounts are taken on accounts payable to maximize cost savings.

Here comes the big “But…”

  1. Why were the discounts not being taken?

There was a change in personnel in the accounts payable department and the new employee assigned did not know that such discounts should be taken.

  1. Why did the employee not know this?

The previous employee left abruptly, so there was no cross training. The new employee came from a company where the policy was to maximize float, and not take discounts.

  1. Why was the new employee not trained on the company’s policy in this regard?

The manager was on vacation, and the procedures were not documented.

  1. Why were the procedures not documented consistent with company policy?

The previous employee was asked to document the procedures, but never got around to it since they knew what to do and thought documenting them was a waste of time, and their manager did not make it mandatory that it get done.

  1. Why did the manager not require that the procedures get documented and give the previous employee a deadline for completing this task?

The manager has a history of not managing their employees well, but nothing has ever been done about it.

Hmmm. Now we have possibly gotten to the root of the issue. It is not about the discounts at all. The discounts were a symptom. The issue is that we have a problem with managerial oversight.

Why Is Root Cause So Hard to Get to?
Without the proper training and experience in digging deeper, an internal auditor might stop probing to understand the reason why something is the way it is. Further, we might not know the area we are auditing well enough beyond the immediate work we are doing. As well, we might also have a hard time being objective and might not ask the right questions in an objective fashion since we identified the error condition in the first place. So it helps to have someone asking you the “why” questions, as opposed to asking them to yourself. Indeed, having a disinterested person ask you the “why” questions can help overcome that thing we all know and love … our inability to be objective. As you articulate your answer to that other person to each successive “why,” you might surprise yourself as to where you eventually end up.

Sometimes, we must keep digging at the “why” of something until we reach some point of discomfort. Often the real reason why some condition exists is because of certain underlying factors, such as training, experience, application of policy, management, and others. The problem isn’t because of a broken policy, procedure, or control. The broken policy, procedure, or control is just a symptom of a deeper issue, not the cause. That’s why it is called root “cause” analysis and not superficial “symptom” analysis (wink, wink).

As the U.K.’s Association of Chartered Certified Accountants points out in a 2019 technical article, written by James C. Patterson, “individual persons who are involved in a problem should not be regarded as a root cause. Even if a person made a mistake, a proper root cause analysis will invariably reveal problems with the training, coaching and monitoring of the person who made the mistake.”

A word of caution: I can recall several times in my own personal experience where the attempt to get a root cause ended up digging a little too deep, though. In essence we went past the point of the root, when drilling down with “why” questions. Your leaders in the audit function can help guide you when you might have dug too far. It takes courage to report on the root issues of certain matters—the courage to address potentially sensitive issues. And, probably most importantly, it also takes an organization that trusts what internal audit does and truly values what internal audit has to say on matters.

Can it create tension with auditees when trying to drill down to root cause? It surely can! Think about it this way, you find that a key procedure is not being followed, and it is resulting in a bunch of errors occurring, some of which are or could be material. There were also inadequate controls and review processes in place to prevent or catch the errors from occurring. Now, you might say that the fix is to update the procedures, provide training, and enhance the broken controls and monitoring. To this, management of the area may say “fine,” and probably even agree. Yet if the real reason (the root cause) has to do with apathy in the area, lack of effective leadership, or performance problems with certain personnel, recommending that changes be made in those more sensitive areas might result in push back and defensiveness. Doing your job of identifying the real reason (the root cause), and calling it as you see it is certainly aided by this method referred to as root cause analysis.

Can It Be Easy to Get It Wrong?
Sure it is. Basically, doing root cause analysis is like working your way through a decision tree. As you answer each “why” question there are a number of possible paths or answers. It is through analysis of data and evidence, and most importantly wisdom and experience, that will guide you down the path to the likely potential root answer.

Yet other branches on the tree exist. And, if you don’t feel comfortable in your answer to any “why” question, then stop there. Think of it like that doctor diagnosing an illness, there are other answers to explain your symptoms, but the doctor is using training, knowledge, and experience, as applied to the facts and circumstances, to get to the root cause of your particular illness. Misdiagnoses can be quite impactful in a negative way. Same here. So, like any powerful weapon, root cause analysis must be used carefully and with all due caution.

As The Institute of Internal Auditors articulates regarding using due professional care when doing root cause analysis in its Practice Guide 2320 – Analysis and Evaluation, “Root cause analyses enable internal auditors to add insights that improve the effectiveness and efficiency of the organization’s governance, risk management, and control processes. However, these analyses also sometimes require extensive resources, such as time and subject matter expertise. Thus, when conducting a root cause analysis, internal auditors must exercise due professional care by considering effort in relation to the potential benefits.”

“Reporting out an audit finding that stops at identifying contributing factors may actually contribute more risk to the organization because the mitigation plan, timing and cost may not consider the root cause factors that led to the contributing factors; ultimately spending time and resources fixing the contributing factors that will present themselves again since the root cause is not addressed,” says Brian Howell, a business and technology risk advisor.

Internal audit adds the most value when it can identify issues that will impede organizational success on things that matter. But identifying issues is only part of the job. Helping make sure the organization is also successfully positioned to put the most effective corrective measures in place to address the issues is the other part. Using root cause analysis is a key tool in the arsenal for how successful internal audit functions add value and sustain their relevance.

As Tracie Marquardt, Managing Director and Audit Communication Consultant, Quality Assurance Communication, put it to me, “Having reviewed thousands of audit reports over the years, I have concluded that not identifying and addressing the real root cause of findings in audit reports is one of internal audit’s most glaring weaknesses, restricting its ability to demonstrate its full added value.”

That’s why root cause analysis is so vital!


Hal Garyn is Managing Director and Owner of Audit Executive Advisory Services, LLC based in FL.

5 Replies to “Getting to the Bottom of It: Why Root Cause Analysis Is Vital”

  1. Root Cause Analysis takes the Internal Audit findings to their logical end for correcting the situation that create the problems. Excellent article for introspection by Internal Auditors.

  2. I couldn’t agree more. There is a reason auditors continually add controls and rarely recommend reducing them. The vast majority of errors in almost any field are due to human failure. In fields such as aviation safety root cause of failure is tracked meticulously and analyzed to improve performance.. Coso was originally intended as a study of root causes of failure.. Somewhere we lost our way.

  3. Root cause analysis is vital skill in internal auditing. As a function that is meant to add value, it’s important to always narrow our findings to the main issues rather than the symptoms. Great article.

Leave a Reply

Your email address will not be published. Required fields are marked *