This is the first installment of a two-part series on writing better root causes. In part 2 we discuss strategies to determine if findings really need root cause analysis (RCA) and tips for discussing RSA with the audit client.
Instead of simply reporting the issue, root cause analysis (RCA) identifies why an issue occurs. The IIA has a clear practice advisory (2320-2) that outlines the specifics of root cause analysis citing that “auditors whose reporting only recommends that management fix an issue and not the underlying reason that caused the issue” fail to “add insights that improve the longer-term effectiveness and efficiency” of the business.
Root cause analysis sounds excellent in theory, but root causes are like onions. You can peel layers and layers away and still find more root causes (and then cry about it). Perhaps for this reason, reporting on root cause seems formidable for auditors.
There are other reasons, too. Determining the why behind findings is subjective, which might sit uncomfortably for auditors who are used to testing objective controls with definitive answers. Communication-wise, RCA can be tricky with the business. Sometimes what the auditor deems as the root cause differs from the audit client’s version and other times root causes point to issues that reflect poorly on management (thus prolonging the reporting stage). Whatever the case, RCA can be just plain difficult.
But there’s hope for RCA in an audit report. If done well and communicated properly, reporting the root cause can be the glue your report needs to tie findings to the overall health of the company and create significant change for the business. Below are some strategies to use in writing and communicating root cause in audit findings.
Start with a common root cause list
Part of the auditor’s job is to simplify complex findings in the audit report. For this purpose, this article simplifies RCA considerably. First up: a cheat sheet. The following is a go-to list to use if auditors get stuck defining root cause. Common root causes include problems with
- human error, or
- lack of resources
There are additional root causes than this list, but if you’re stumped, the list is a great starting point. Here’s an example of an audit finding where you can employ the above list to determine a potential root cause:
Problem: The same employee both enters accounts receivable information and reconciles the accounts.
Normally, the same employee should not enter accounts receivable information and also reconcile the accounts. Looking at the common root cause list above, we begin to ask why there is only one employee. Is it a problem with process? Policy? Human error? For sake of argument, we arrive at the common cause as being a lack of resources because the accounts department is only one employee.
Use lack of resources sparingly because lack of resources can become a scapegoat for deeper problems. Everyone always wants more resources to solve problems. However, creative thinking can bring about a solution to most resource problems. In the case above, there really aren’t enough people in the accounts department and we’ll discover why below.
Ask “why” more than once to determine root cause
There are different methods to root cause analysis with the most common being the “5 Why’s” method. Hernan Murdock with MISTI provides a great overview here. Simply put, you define the problem and ask why a few times until you drill down to a root cause that management can solve.
Typically, your first why to a problem isn’t so much a root cause as it is a symptom. Using the scenario above, start questioning:
Why does the same employee perform conflicting job duties?
Answer: Because the accounts department is only one employee. (This is a precipitating symptom of why the problem took place. Ask more questions.)
Why is accounts only one employee?
Answer: Because the other employee quit three months ago and hasn’t been replaced.
Why has management not replaced the other employee?
Answer: Because the company is on a hiring freeze. (common root cause item: lack of resources)
In this example, it only took three why’s to determine a root cause that management can solve. If we ask why any further, we might get answers that management cannot solve and the finding will become too disconnected from the root cause.
When analyzing root cause, don’t settle on the first why of a condition. Ask why three to five times to find deeper, pervasive causes.
Write a sentence that describes the root cause
Continuing with the above example, it’s time to turn your root cause into a sentence that will be used in the audit report. First, write down the final why answer:
Because the company is on a hiring freeze.
Working backward, incorporate previous why questions to provide depth to the root cause:
Because of a hiring freeze, the accounts department is only one employee.
Use a transition to change from the root cause sentence into the following condition sentence (e.g., “as a result,” or “therefore.”)
Because of a hiring freeze, accounts department is one employee. As a result, this employee both enters accounts receivable information and reconciles the accounts.
Notice that the root cause is at the beginning of the condition. A root cause sentence doubles as a topic sentence, providing a quick overview for the reader as to why the issue they’re about to read is important.
Make the root cause sentence the first sentence
Rather than wading through a finding to determine its importance, layer the finding for your audience. Since your final audience is the executive and audit committee, layer an issue to emphasize items important to the end audience, similar to the following:
- Sentence 1: Root cause/topic sentence
- Sentence 2: Background or criteria
- Sentence 3: Evidence that points to the root cause
- Sentence 4: Conclusion based off of evidence
- Separate section: Risk
- Separate section: Recommendation
Executives and audit committees are concerned with root causes, overall risks, and whether the issue is being handled. You can emphasize these sections by either introducing them first (like your root cause sentence) or placing information in its own section (like risk and recommendations that are frequently separated into individual sections in an audit finding).
Once you write the root cause sentence, use it to double as the topic sentence for the audit finding.
Voila! Once you’ve completed the root cause sentence and placed it at the front of the finding, you are finished. Oversimplified, but what if it works? Give it a try.