It is often said that true audit work is not just finding the things that have gone or may go wrong in the organization; true auditing involves finding the root causes of the discoveries made by auditors. Only then can auditors formulate relevant recommendations to either prevent or detect and correct the issues at hand. Helping management address the root causes of undesirable conditions ensures that the internal audit function is perceived as “an activity designed to add value,” as defined by the Institute of Internal Auditors’ (IIA) International Professional Practices Framework (IPPF).1 Internal auditors should be the ones who are most independent and objective. Therefore, auditors should be among those with the broadest and deepest understanding of the underlying issues, an understanding that may exceed that of any single member of management.
As the IIA Practice Advisory 2410-1 states, the observations and recommendations are based on four attributes: criteria, condition, cause and effect.2 So, what is the purpose of the root cause analysis? And how is the most value-adding root cause analysis best performed while avoiding assumptions, speculations and plain guessing? It is worthwhile to further discuss the role that the root cause analysis plays in different types of engagements performed by auditors.
Compliance Audits
In compliance audit engagements, auditors focus on ascertaining whether the organization operates according to external laws, regulations and, sometimes, professional standards. Compliance audits may also be based on the organization’s internal policies, procedures, instructions and best practices. Recommendations usually call for improvements in the processes and control activities used to ensure compliance with regulations. In engagements of this type, auditors are expected to first perform testing to ascertain whether noncompliance exists. If so, root cause analysis helps auditors establish why this is the case and guides them to formulating the best recommendations possible: designing and implementing control activities that should, if operating effectively in the future, either prevent or detect and correct the undesirable outcomes leading to noncompliance.

The most common cause is the simplest: lack of controls (control activities). This is because compliance with external laws usually requires the development of internal processes (and controls) that will ensure compliance in the first place. Therefore, asking why a certain noncompliance occurred, while at the same time considering which control activity would have ensured compliance, is the path most likely to lead to the answer. In many cases, it is necessary to ask this question more than once, preferably up to five times, before the true cause reveals itself, likely in the form of a missing control. A simple example is a legal requirement for the organization to respond to all client complaints within a certain period of time, where the failure to do so is caused by the lack of a control mechanism that monitors open complaints and issues timely reminders so that responses are provided on time.
Process Audits or Risk and Control Reviews
Process audit engagements focus on the maturity of the organization’s processes and analyze operational risk scenarios that may affect the organization’s ability to meet the ultimate objectives that the processes strive to achieve. During these engagements, per risk-based auditing principles, auditors are expected to understand the ultimate desired objectives of the process in question. Only then are auditors equipped with the knowledge that enables them to adequately assess operational risk stemming from any of the four possible sources of threat: infrastructure (IT systems), people (employees), procedures or external sources. This knowledge is a precondition for auditors to know where to expect controls aimed at mitigating the identified risk, and it enables them to better recognize potential control gaps, control design issues and control operating effectiveness issues, as identified through testing.
Usually, in what is commonly referred to as risk and control reviews, auditors need not spend too much of their valuable time performing a detailed root cause analysis. This is because there is rarely a need to go a step further and answer the question: “Why is there a control gap?” It is enough to recommend designing and implementing control activities wherever they are lacking. The same holds for the question: “Why have the controls been poorly designed?” It is enough for auditors to recommend control design improvements to help the organization achieve the control objectives the controls were put in place to address. Root cause analysis does pay off, however, when auditors discover that a well-designed control activity does not operate effectively. When auditors take a deeper look, they often discover that the true issue stems from one or more of the following (the list is not exhaustive):
- Human error, despite satisfactory competence and experience
- Human error due to a lack of competence, despite training
- Human error due to a lack of adequate training
- Human error due to being overburdened, as there is a lack of staff
- Lack of appropriate tools/systems
- Poor process design
- Poor organizational morale/lack of motivation
- Ability to override controls
- External factors
It is important to note that auditors should focus on those causes over which management has control and for which meaningful recommendations for improvement can be made. Only then can future, larger-scale materializations of the risk be effectively prevented.
IT Audits
IT audits review the internal control system surrounding automated information systems and how people use these systems. They are usually focused on IT general controls and IT application controls, often called “input-processing-output” controls. Root cause analysis represents an important step when performing these engagements, but, in most cases, the control expectations are clear in advance, which means that “attacking them directly” allows auditors to focus their recommendations on filling the control gaps and correcting the control design and operating effectiveness issues, similar to what was described for process audits. However, the root cause analysis should not stop at the level of technology systems, because at that level it may not always be complete.
Auditors should always seek to understand why certain decisions have been made, bringing the root cause analysis to the situational level rather than retaining it at the technological level. Often enough, auditors discover that technological issues can be attributed to a lack of competence caused by a lack of training, a lack of staff, etc. This should result in audit recommendations moving from pure system design improvements to organizational ones as well, giving IT audits a whole new dimension. Consider information technology general controls (ITGCs), such as change management or periodic access recertifications, as examples. By nature, these controls are human-driven, and their failure can rarely be attributed to the systems. It is almost always a human behind the failure of these controls, whether someone did not appropriately test or approve a change before migrating it to production, or someone just rubber-stamped an access review without really paying attention to what the permissions enable users to do.
Optimize for Success
In real audit life, auditors mostly perform audits that are integrated in nature and, as such, represent a comprehensive examination of the organization’s operations. They are most likely to be process oriented, with elements of compliance audits, especially in heavily regulated sectors such as finance, healthcare or telecommunications. They are also scoped in such a manner that they touch upon IT general controls and application-level controls, simply because many business controls may be automated and, as such, are integrated in the applications/systems used.
This only adds to the complexity of the work that auditors are expected to perform, as well as to the array of skills that individual auditors and internal audit departments must maintain to respond to such challenges. This does not mean that auditors may not recommend that the root cause analysis be performed by management, since there are cases when management may know better what is causing issues in the processes for which they are accountable.
It is also important to remember that in risk-based auditing, auditors are not required to prove that a risk has materialized in order to identify a finding and, therefore, a need for corrective measures by management. All it takes to identify a finding is to discover a control gap, a control design issue or an operating effectiveness issue. In such cases auditors can focus their attention directly on the controls, since no risk has yet materialized. So, there are cases when root cause analysis does not necessarily merit attention, and auditors must be able to use their professional judgment to recognize such cases and focus their attention on other unattended areas at risk. In general, the time spent performing root cause analysis should be directly proportionate to the level of risk at hand—the higher the risk, the longer the time and the higher the effort invested, and vice versa. Auditors are not there to uncover “culprits,” but rather to formulate practical and implementable recommendations, through quality and meaningful root cause analysis, that will mitigate the risk that merits attention. Those recommendations should address the discovered causes and take the form of controls: business or IT, manual or automated, entity-level or process-level.
Endnotes
1 Institute of Internal Auditors, “Definition of Internal Auditing,” http://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Definition-of-Internal-Auditing.aspx
2 Institute of Internal Auditors, “Practice Advisory 2410-1: Communication Criteria,” January 2009, http://www.iia.nl/SiteFiles/IIA_leden/Parktijkadviezen/PA%202410-1.pdf
Amra Durmisevic-Mutapcic, CISA, CIA, CRMA
Is an internal audit professional in the financial services industry in the United States. After completing her education and starting her career in a big four firm in the United States, Durmisevic-Mutapcic switched to investment banking internal audit. After moving back to Bosnia and Herzegovina, she worked in the internal audit profession in the banking and insurance sectors for eight years.