By: James C Paterson



By proactively applying Root Cause Analysis, internal auditors can get to the heart of the issues that they are auditing and add greater value to their organizations.

Over the past 15 years working in the internal audit arena I have seen a growing interest in the topic of Root Cause Analysis (RCA). My involvement in the topic has evolved from using it as part and parcel of a “lean auditing” approach, to running RCA webinars and seminars for the Institute of Internal Auditors (IIA) UK, to the delivery of various in-house training workshops on this topic, and now more recently, offering a 1 day open course on RCA, as well as supporting the IIA UK to write a new practice guide on the topic. This article explains:

  • What Root Cause Analysis is
  • What involvement should internal audit have in RCA
  • Why effective RCA is not as straightforward as you might think
  • Why RCA is gaining interest in internal audit
  • Some practical steps audit teams can take


What is RCA?

RCA is about identifying why an issue occurred, as opposed to simply reporting the issue or its immediate or contributing causes. The issue could be an error, non-compliance, non-delivery of an objective, or anything else that would be regarded as a failure or problem in the eyes of an organization or its stakeholders.


What role should Internal Audit have in RCA?

The IIA has a clear practice advisory (2320-2) on this topic:

“Auditors whose reporting only recommends that management fix an issue and not the underlying reason that caused the issue are failing to add insights that improve the longer-term effectiveness and efficiency of business processes and thus the overall governance, risk and control environment”.

It goes on to say:

“A core competency necessary for delivering insights is the ability to identify the need for RCA and, as appropriate, actually facilitate, review and/or conduct a root cause(s) analysis”.

In my experience most audit teams believe they can identify root causes, but only a few teams have an explicit written RCA methodology, and even if they do mention techniques such as the “5 whys”, they offer limited training on effective RCA techniques to ensure quality and consistency within the audit team. I think the reason for this is that many internal auditors think they will naturally be good at RCA because they are auditors, even if they have never had any formal training, or had only limited training, on the subject!

Why effective RCA is not as straightforward as you might think

When things don’t go according to plan in an organization there can often be pressure to avoid taking the blame for what has gone wrong (for fear of the impact this might have on one’s performance assessment or potential rating). Consider an IT system implementation that was delayed and over budget: it can be tempting to “point the finger” at external factors (“the IT contractor made things too complicated, adding time and cost”), or, if internal factors have to be acknowledged, to come up with a politically acceptable reason for the problem (“the IT department (or some other department) didn’t manage the project so well”). Another organizational defense can be to say, “projects are always over budget and a bit late, it’s just one of those things that happens” – resulting in no organizational learning and quite probably reinforcing a culture of project disappointments being quite common.

Even where there is a bona fide intention to carry out an unbiased RCA it can be easy to identify “obvious” issues that can be improved and to classify these as the root causes. For example, in the case of the IT system implementation an audit report might correctly state: “The finance department didn’t properly keep track of the project costs”, resulting in the conclusion that: “finance needs to keep a closer track of IT project costs in future”. However, even if this is true, such an analysis does not represent a proper RCA. To carry out a proper RCA, other avenues need to be pursued, even when “obvious” issues clearly need to be fixed. In the example above, two other avenues need to be pursued: i) why was the finance department not keeping track of the IT project costs? and ii) were there any other factors responsible for the cost over-runs, in addition to the lack of monitoring of costs?

If we continue with the example (based on a real case), we might discover that there was no agreed process in relation to when and how finance staff should monitor IT project costs, and there were limited discussions between finance and the project team about the sorts of cost management issues that might arise and how these might be identified on a timely basis (a number of which would need to be done by the project team and not just the finance department). Further, we might find that finance staff have limited time to analyze and uncover issues with IT project cost estimates, partly due to missing or incomplete information from the project, and also due to poor financial systems. Thus simply saying that the finance department should keep a better track of project costs can easily ignore the underlying causes that led to this, and therefore not offer a lasting long-term solution.

Looking at other reasons that contributed to the project running late and over budget we might uncover that some project decisions (to adjust the scope of the system implementation) were made without fully thinking through the impact on time and cost, and finance staff were not involved in these decisions. Furthermore, we might identify that some users of the IT system were not fully engaged early enough in the details of what was going to be delivered, resulting in problems at the testing stage, causing rework, delays and additional costs. And we can go further: why were some of the eventual users of the IT system not engaged earlier and as extensively as they might have been? Because they were busy on other business tasks and initiatives, which meant they did not have the time to contribute as fully as they could have done at the early stages of the project! And why was this the case? Because the project budget made limited provision for back-filling operational staff so that they could contribute to the project at an early stage! And why was the budget for back-filling constrained? Because senior decision makers wanted the project to be done cheaply! The paradox here is that the desire to save costs at the beginning of the project was one of the reasons (but not the only reason) that there were higher costs later on in the project! Which was exactly the thing that senior managers wanted to avoid!

Good Root Cause Analysis can also help audit teams deliver shorter, more impactful, audit reports

Thus an effective Root Cause Analysis will normally reveal several factors that led to the issue or disappointment. Indeed, although a proper RCA process is more “forensic” and probing than an informal approach, it is actually less likely to blame any one individual or process. In reality, the reason for many issues and disappointments is a combination of process, system, organizational and cultural factors, and effective RCA will make this clearer, clarifying why some issues keep recurring and offering the key to lasting long-term performance and control improvements.

Why RCA is gaining interest in internal audit

Apart from the fact that it is good practice to carry out robust RCA, my experience is that the growing interest in being more professional in relation to RCA is due to three key factors:

1) An increasing realization by internal audit teams that some issues keep repeating themselves (e.g. frauds, losses and policy non-compliance), despite internal audit raising the same, or similar, audit points on a regular basis. I call this the “Groundhog Day” phenomenon, based on the film in which the lead character has to live the same day over and over again. Indeed some heads of internal audit that I have worked with have said: “I could often write 80% of an audit report in advance – there will be problems with accountabilities, risk registers will not be up to date, managers will not do enough monitoring. Etc. Etc.” Audit teams should recognize that recurring issues are a clear warning sign that root causes are not yet being addressed effectively.

2) An appreciation that audit reports can normally be shortened, and made more impactful, if root causes are identified. One client I worked with was finding that stakeholders were not properly reading audit reports and were wondering what value they were adding. We reviewed a draft audit report concerning an IT system that had 20 findings – and 20 actions. After we did some work on the root causes, we identified there were in fact 5 key root causes (supported by the 20 facts) and therefore only 5 key actions were needed. The report was cut in half but still captured all of the key factual concerns, and it also raised much more interesting points for senior managers.

3) A recognition of the importance of understanding the cultural factors that are contributing to audit findings. There are often increasing expectations that audit teams should be better able to comment on the risk and control culture of the organization, and a growing number of audit teams are recognizing that effective RCA is actually an important “window” into the culture of an organization.


Some practical steps audit teams can take

My first advice would be for audit teams to consider and debate:

1) How often do issues repeat themselves in your organization? (E.g. are there common issues that the audit team sees, or other areas that seem to recur often, such as those reported through management incident, fraud, or loss reporting?)

2) How long are audit or investigation reports, and are stakeholders reading them?

3) What does the current internal audit or investigation methodology say about RCA, and what guidance and training is provided to internal audit team members concerning RCA? And what is available for the wider organization?

4) Start a dialogue with stakeholders about the benefits of improving Root Cause Analysis so there is a developing interest and capability to do this in managers and second line functions (such as Finance, Health & Safety, Compliance and Risk).


If there is room for improvement in any of these areas, auditors should familiarize themselves with the IIA guidance materials and either: i) start to pilot the use of techniques such as the “5 whys” and “the fishbone diagram” in selected assignments or ii) try to analyse the common themes in audit findings and assess the root causes for these. In addition, audit teams might want to consider whether more in-depth training (for them or other departments) could be used as a way of building competence and clarifying priority areas for action.


JAMES C PATERSON, PIIA is the founding Director of Risk & Assurance Insights, Ltd that specializes in the delivery of training and workshops for heads of audit and their teams. James was previously the Chief Internal Auditor for a global pharmaceuticals company for over 7 years. He is the author of the book “Lean Auditing” published by J Wiley & Sons.