Home > Risk > A brave root cause analysis and how COSO might help

A brave root cause analysis and how COSO might help

I have been a big fan of the IIA’s magazine for a long time, having been both a contributor and a member of its editorial board.

A recent piece tackled a topic that I believe is important, not only for internal auditors but also for risk practitioners in an article titled, Digging Deep (available to IIA members).

The lead-in paragraph says:

Using COSO-based root cause analysis to connect reasons for control failures with internal control principles can help identify weaknesses across the organization.

Now I’m not sure the author understands that root cause analysis has nothing whatsoever to do with the COSO Internal Control Framework.

However, that COSO framework’s principles can point to some areas, such as competency and information, that can help understand the true root cause of an internal control failure – so the author just got the wording wrong.

She says this well:

Conducting a root cause analysis is a way internal audit can add value to the organization by looking beyond identified symptoms of internal control weaknesses to the underlying reasons for why they exist. Without an RCA, recommended corrective actions often fail to address the actual cause of a problem, and the issue may persist or evolve.

In fact, if the auditor doesn’t perform a root cause analysis it is highly likely that only the symptom is identified and addressed, rather than the underlying disease.

RCA should not be considered an additional step. It should be mandatory for every identified control weakness.

The author has a useful section on the different ways a root cause analysis can be performed.

  • Five Whys: Asking “why” five times to drill down to the true cause of a finding.
  • Pareto Chart: Presenting potential causes for the identified problems on a chart from the highest to the lowest frequency to focus on areas of improvement with the greatest impact.
  • Fishbone Diagram: Assessing potential causes grouped into categories (people, process/methods, equipment, materials, measurement, environment) to establish a relationship with the identified problem.
  • Scatter Plot Diagram: Testing correlation between variables by plotting potential root cause (an independent variable) against the effect (dependent variable).

I would add a caveat: whichever method you choose (I prefer the first), you have to keep inquiring until the true root cause is identified.

In other words, you may have to ask “why” six, seven, or more times until you are satisfied that the root cause has been identified, and only then can corrective actions be considered.

Consider this. An audit or review has identified that reconciliations are not being completed on time.

  1. Why? Because people are too busy.
  2. Why are they busy? They have too much work to do in other areas and the reconciliations are lower priority tasks.
  3. Why do they have too much work? People have left and not been replaced.
  4. Why have they not been replaced? The manager has not been able to fill the positions.
  5. Why hasn’t he been able to fill the positions? Candidates are asking for too much money, more than the company can offer.
  6. Why is the company not able to offer sufficient compensation? Because the Human Resources department mandates a salary and bonus range for these positions that is lower than candidates with the required experience and ability demand.
  7. Why…..?

And on it goes until the true root cause, which in this case is in a different department than the symptom, is identified.

The other three methods (Pareto chart, Fishbone diagram, and Scatter plot diagram) may not be sufficient. For example, you may identify a common point of failure for multiple control issues. But then you have to ask “why” several times to get to why that cause existed.

Where the article goes astray is in its attempt to list ‘common root causes’ for deficiencies in particular areas. If you have been able to access and read the article, you will see what I mean. We can set aside the rest of that article.

So are there common root causes?

I would start with the principle that holds true in 99.99% of cases: the root cause is people related. It may be:

  • Controls are performed by people with insufficient training, experience, or competency (addressed by a COSO principle). The author has identified competency weaknesses and lack of training as common root causes, but they are not root causes. The auditor needs to ask why these conditions exist. Why didn’t competent people get hired? Why wasn’t adequate training provided? Several more whys may be needed before the true root cause is identified.
  • Controls are performed by people who have not received the information they need to do their job well (another COSO principle). Again, the article just says the common root cause is insufficient internal communication. But why did that happen? And why, and why, and why.
  • Management is lacking in some way, whether it is in how people are directed, how they are motivated, or some other issue.

Take one example from Auditing that Matters. Loretta Forti is our heroine, conducting an audit that focused on the timeliness of approval for capital expenditures (Authorizations for Expenditures, or AFEs).

I had asked her to perform an audit of the AFE process after I discovered that expenditures with a very high ROI were taking so long to be approved that the opportunity passed!

It was relatively easy to find out how the process worked. Once a month, the division CFO gathered all the Vice Presidents and they collectively reviewed all the AFEs and the analysis prepared by Mike Passaretti and his team [the Capital Expenditure department]. They would take about half a day to discuss them and decide which they would propose should move forward and what the priority was for each.

The next meeting, typically the following day, was with the division CEO, Bob. The CFO and all the Vice Presidents would review with Bob the AFEs they believed should go forward. When he felt that the total was too high or disagreed with the VPs’ recommendations, the executives had to debate which would be approved, which might be deferred, and which would be declined. This meeting also took a half-day on average.

Because of the intense review and approval process, each executive was careful to ensure all the AFEs they proposed had complete and accurate analyses included in the package. Mike and his team were equally careful with their review and analysis. This all took time.

It was clear to Loretta, as it was to all the Vice Presidents and the CFO, that the process was too long, consumed far too much executive time, and often cost more than the spending itself (if you count the cost of the VPs’ time)!

The question was why the process was this way.

The CFO and VPs all agreed, usually with language they wouldn’t use with children around, that they hated both the all-VP meeting and the meeting with Bob. They said they didn’t have the time to spare and asked for our help to get the process – both time and cost – under control.

Loretta and I met to talk about what we were to do. Rather than share my opinion, for once I did the smart thing and asked Loretta for her opinion.

At first, she didn’t know what to say. But as she realized she could say what was on her mind, and with some gentle guidance from me, she said it: the CEO was the problem. He was the only one who wanted these long and expensive meetings. Only when he was persuaded to change his mind could it be changed.

I knew Bob quite well, having worked with him before he moved into his current position with the company. He was one of the executives with whom I met frequently to discuss the business and he had shared a number of confidences with me.

I was sure that he would listen to Loretta and had a suspicion he would find it easier to understand himself if he met one-on-one with her. Both a formal meeting with the CFO present and a larger meeting with the three of us (Bob, Loretta, and I) might make it harder for him to look in the mirror.

And so it was. I persuaded him to meet with Loretta and she, in turn, trusted me when I told her she would not only be safe but would enjoy herself.

I admit that I was a little nervous as I waited in my office for Loretta. Then she appeared in the doorway, all smiles!

She told me that the meeting went brilliantly. Bob was charming, as usual, and showed great respect for her – even though she was ‘only’ a manager. He let her explain what she had found and that the long process was preventing timely investment to seize market opportunities. In addition, not only was it consuming a lot of expensive executive time, but it was taking them away from running the business.

This was critical, explaining the issue in terms of how it affected the business and its success. Auditors who talk in their language (what I call “technobabble”), rather than the language of the executives they are attempting to inform or persuade (which is the objective of an audit report) are unlikely to succeed.

Loretta said that Bob responded with silence, clearly thinking about what she had said.

Then he shocked her by telling her that he was the problem. He recognized that his insistence on discussing and approving every AFE could not continue. Bob told Loretta she had done an excellent job and that he would like to talk to me.

When I met Bob later that week, he repeated his praise for Loretta. Then he asked for my opinion. Again I was smart and didn’t give him my opinion straight away. Instead, I asked him why he wanted to approve every AFE.

After a short hesitation, he said that perhaps he should only approve major capital expenditures instead of every one. I concurred, saying that was what I was used to and would advise.

But I kept at it. Why had he insisted on approving every AFE? This was not what he had done in his previous positions with the company, nor was it what he was used to working directly for Tom O’Malley – a consistent and effective delegator.

Then he looked again in the mirror and saw his true self.

“Norman, I can see now that I didn’t trust my direct reports enough to make these decisions!”

We talked about this for a while. Either he had the wrong people in these key positions, in which case he needed to replace them, or he needed to trust the people he had and delegate more effectively. He didn’t hesitate before saying he had excellent people; he just had to let go, take a little more risk, and trust and delegate.

For the next couple of weeks, Loretta and I had a trail of VPs visiting us to express their thanks for Loretta’s great work. Bob had changed the entire process, with new delegations of authority such that the VPs could approve most AFEs, the CFO would have to approve all over a certain value, and Bob was only involved in truly major capital expenditures.

Going back to the statement I made earlier, that PEOPLE are almost always the root cause, in one way or another, root cause analysis may surface some ugly truths.

It can take a lot of interpersonal and even political skills for the auditor (with the CAE’s active assistance) to discuss the issue and root cause with management, obtain their agreement on the facts, and work with them on the appropriate corrective action.

They are often unable or unwilling to face those facts.

Consider situations where:elephant in the room

  • A manager is a poor leader, failing to delegate, motivate, inspire, etc.
  • The employee charged with performing the control has too much work and management is unwilling to hire additional staff.
  • A manager is unable (might be incapable) to persuade more senior management that there is a need to address a risk, to hire more people, to change direction, etc.
  • People are talking in different languages, such as senior management and the cybersecurity staff.
  • The company’s systems are old and need to be replaced at a cost of tens of millions, which is not in the budget.
  • The CEO is a bully and gets his direct reports to compete instead of working together.
  • The Marketing team distrusts the people in the front lines, and therefore loses touch with the needs and wants of the customer base.
  • The manager is biased against individuals who don’t look like him or her, creating a hostile environment and failing to get the best out of employees.
  • The culture established and reinforced by management’s actions discourages creativity and risk-taking, and stifles performance.
  • Management is not trusted or respected.
  • People are motivated to achieve their personal performance goals rather than what is best for the organization.

A root cause analysis that is not afraid of identifying and reporting people failures is essential.

The COSO principles are useful, but they are insufficient. Only some of the bulleted situations above are covered by them.

I am reminded that the former CEO of GE, Jack Welch, was once asked what problems he faced every day. His answer was:

  1. People
  2. People
  3. People

They are the root of (almost every) control failure.

We need to be brave to see and help others see the true situation.

I welcome your thoughts.

  1. Morgan
    July 22, 2022 at 11:16 AM

    Highly recommend two things related to RCA. Proper problem definition, best captured in the Kepner-Tregoe methodology, and Dean Gano’s Apollo Root Cause Analysis. The latter introduces important concepts, that cause and effect are the same thing and depend on your perspective and there are *always* at least two causes to each effect (so your 5-whys should actually branch like a tree.) The more causes you can find to a given effect, the more flexibility, creativity and cost controls you have over developing a solution.

    You learn some of these things and you will learn that some problem management tools are as poor as some risk management tools. Thanks for your blog!

  2. Ishdeep
    July 22, 2022 at 7:35 PM

    Couldn’t agree more. But at times it becomes difficult for an external consultant to identify people issues as they don’t get the detailed insights in the time bound assignment.

    That’s the RCA for why most Auditors fail to identify the relevant root cause 🙂

  3. Bruce McCuaig
    July 23, 2022 at 6:17 AM

    If I may I’d like to add a few thoughts. COSO, as I recall, was intended to reveal the root cause of financial failures in S&L’s and other institutions in the late 1980’s. Ironically, it is not useful for root cause analysis. (Nor for that matter, in my extensive experience, for anything else.)
    I do agree that human error is the prime cause of failure in any human endeavor. Other professionals, primarily in the areas of safety and environment use root cause analysis extensively and can illustrate that human error is behind 55-65% of incidents. A good example is the detailed root cause analysis performed for every aviation failure in the US and the huge increase in safety over the last few decades.
    In the world of internal auditing, I believe 90-95% of internal audit recommendations have absolutely nothing to do with human behavior or the errors that result, and are aimed at symptoms, not causes. I have looked at hundreds, if not thousands of reported SOX deficiencies, and I have never seen a root cause identified and reported. In many cases it is difficult to figure out what the deficiency was, let alone its root cause.
    While I admire any attempt to address the 5 questions you suggest, I think our audiences would be well served for now to ask just one and report the answer. I believe root causes should be classified under Purpose, Commitment, Capability and Monitoring and detailed criteria are available to further define those criteria for better analysis. Root cause of failure does not need to be psychoanalyzed by auditors. If an error is caused because an employee was not trained, that is sufficient to report, If a deficiency resulted from a poor policy, that’s a good starting point. If root causes of failure were required to be identified and aggregated by type, internal audits value would increase vastly. Value would be measured by a reduction in reported issues or deficiencies and improved performance.

  4. Michael Howell
    July 24, 2022 at 3:50 AM

    I sadly can’t recall who I learned it from to give them credit, but I like phrasing it as contributing causes rather than root cause. Often it is more than one condition that gives rise to the event (aligned with your approach of understanding all the things that might happen). I helped investigate a disruptive IT incident that occurred after a patching event. A couple of “whys” later, a third party configured something incorrectly 2 years prior. Problem solved, someone to blame. But asking more questions uncovered:
    – the people doing the patching had limited knowledge of the systems they were working on, delaying diagnosis
    – there was no budget for upskilling or hiring internal expertise
    – they had to patch other systems at the same time to make that work, again reducing the time until diagnosis could begin
    – they couldn’t do THOSE patches earlier because their requests to do so had been denied so they could work on features rather than maintain systems
    While the event wouldn’t have happened without the initial misconfiguration, other elements were within the companies control.

    Agree on people, but on the other side of the coin I would almost always challenge when ‘human error’ was put forward as the primary root cause, such that the offender should just ‘do better’. My regular follow up is to ask what environment that person was working in, and how much control do we have over that environment or those conditions? Those questions may of course lead back to behaviour of other people who have more sway over how that environment operates

    I’ve seen a number of issues where people were initially provided feedback for their errors, but once further analysis was conducted, it became evident that processes, systems or training had plenty of room for improvement in order to prevent them. Or as you cover, high workloads, bullying, unclear expectations etc.

    • Bruce McCuaig
      July 24, 2022 at 4:36 AM

      I can’t disagree fundamentally with your points. Finding cause of failure can be complex. But this is a profession that opines on “internal control effectiveness” an even more complex concept. I think deep analysis and disclosure of significant failures is important, but in the case of the auditing profession, the complexity leads to paralysis, not insight. For example, I suggest you compare any publicly disclosed “material weakness” or “significant deficiency” to a typical NTSB investigation report of an aviation incident. Here is an example assuming links are permitted https://www.ntsb.gov/investigations/Pages/dca20ma002.aspx

    • Norman Marks
      July 24, 2022 at 5:50 AM

      Very well said, Michael.

      Root cause(s): what needs to be fixed if the symptom is to be removed.

  1. July 22, 2022 at 7:56 AM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: