From my past research on Root Cause Analysis (RCA) including watching various video lessons conducted by RCA experts, I realised that there are some missing links between the good tips that they shared and the kind of work that we do in GRC.
To put it in the context of an Internal Audit report, we are to state the root cause(s) for the audit issues presented and thereafter engage with the management and process owners in devising suitable remedial and preventive control actions to overcome the issues.
By using the general RCA methodology, the process entails identifying the what, why, when, who and when – it is the ‘5-whys approach’ in undertaking RCA. Upon completion, mitigation actions are to be formulated to address the problems.
There is nothing wrong in this method if it is used on general matters and for certain professions.
However, when it comes to an audit issue in the GRC profession, it is vital to pin-point the breakdown of the control or controls that led to the audit issue in order to inform and assist management and process owners in devising the precise control measures to address the issue.
Let’s take an example to better illustrate this.
It was reported late last year that a fish farming business in the northern region has suffered hundreds and thousands of ringgit of losses due to the death of the fishes which were meant for export.
In the article, the local experts including the State Fishery Department officials have concluded that the lack of oxygen in the pond was the main cause. There were few factors identified that have caused the lack of oxygen namely:
Following the internal auditing standard approach, I would think that the lack of oxygen is not the root cause as the root cause concept in the space of assurance is about the control(s) that have failed.
We need to further identify which controls have given way leading to factor #1 to #3 above. The RCA to be conducted by internal auditors would certainly be revolving around the control framework and procedures applied in the farm operations.
We will still be asking the ‘5-why’ but the focus will be on the right control elements. This is when COSO comes to mind.
In short, there needs to be a more precise RCA approach, ie. one that is based on the internal control framework for internal auditors. The knowledge on control and COSO is utmost relevant and important for us to successfully identify the right causes and remedies when issues are found.
Stay Vigilant and Stay Healthy.