James Rose
CIA, CRMA, CPA, CISA, CISSP
• Vice President & Chief Audit Executive at Humana, a publicly-traded health and
wellness company headquartered in Louisville, Kentucky
• Vice-Chair, International Professional Issues Committee of the Institute of Internal
Auditors
• Audit Committee Member, United Nations World Food Programme
• Co-lead Data Analysis and Review Committee – Public/Private Healthcare Fraud
Prevention Partnership with U.S. Department of Health and Human Services and
U.S. Department of Justice
• Humana’s Internal Audit Consulting Group consists of 75+ associates with diverse
backgrounds in GRC systems, audit, consulting, technology, nursing, law,
compliance, actuarial science, data governance, finance, project management,
and investigations
Root Cause Analysis (RCA): A Brief History
RCA In Relation To IIA Standards
• Standard 2320: Analysis & Evaluation
– Internal auditors must base conclusions and engagement results on
appropriate analyses and evaluations
Critical Thinking and Insights
Perceived Gap in Insight Delivery by Role
• Internal audit can be the ideal group to analyze issues and identify the
root cause(s) given their independence, objectivity and cross-functional
view
Illustrative Root Cause Analysis Techniques
• “5 Whys”
• Failure mode and effects analysis
• SIPOC (suppliers, inputs, processes, outputs, customers)
• Flowcharting of the process flow, system flow, and data flow
• Fishbone diagrams
• Critical to quality metrics
• Pareto chart
• Statistical correlation
5 Whys
• The practice of asking, five times, why the failure has occurred in
order to get to the root cause/causes of the problem
• Note: 5 is an arbitrary number; it may take more or fewer to reach a
reasonable root cause of the issue. You should attempt to answer the
5 Whys using multiple paths to ensure you have gotten to the
root cause.
5 Whys Process
1. Write down the specific problem
2. Ask the first ‘Why’ and write the answer
3. Continue until what you believe is the true root cause is defined
4. Don’t allow an early plausible answer to keep you from
continuing to ask why!
5 Whys Example
The City Veteran’s monument was disintegrating
They eat spiders and there are a lot of spiders at the monument
Solution: Turn on the lights at a different time or use a different kind of lights
Failure Mode and Effects Analysis
Step-by-step approach for identifying all possible failures in a design, a
manufacturing or assembly process, or a product or service
SIPOC
High level process map showing suppliers, inputs, process steps, outputs and
customers. It defines the process boundaries and how the parts ‘fit’ together
This is important to root cause analysis in order to fully understand the process
and potential causalities
Fishbone Diagram
Identifies many possible causes for an effect or problem. It can be used to
structure a brainstorming session. It immediately sorts ideas into useful
categories.
Pareto Chart
A Pareto chart is a bar graph that categorizes the frequency of a certain
type of transaction or event. In this example of customer complaints,
documents and product quality stand out.
Excerpted from Nancy R. Tague’s The Quality Toolbox, Second Edition, ASQ Quality Press,
2004, pages 376-378.
Root Cause Analysis and Auditor Skills
Using RCA Daily: Employ “The 5 Cs”
• Criteria – the law, regulation, contractual obligation, policy,
procedure, or best practice that is expected to be followed
• Cause – The root cause which allowed the condition to not mirror
the criteria
Consequence/Effect/Risk:
• The impact to the individual process/operation AND to the
Company of having the Condition not meet the highest level of
Criteria
• Quantified and estimated to the extent possible
Cause:
The root cause for the Condition not meeting the highest level of
Criteria (six sigma, or similar methodology on root cause analysis)
Recommendation
• Directly corrects the root cause, AND is worded to note what
needs to be changed regarding the Condition
• Cost of the recommendation does not exceed estimated
materiality of the effect
Recommendation Follow Up:
• Targeted review to determine whether the root cause has been
corrected and condition now approximates highest level of criteria
and risk management expectation
• May note completion of recommendations as discussed in the
audit report, other actions identified by management, no action
taken because circumstances changed, or an acceptance of the
risk by management.
• Evaluates change in the condition
EXAMPLES OF WHAT CAN
HAPPEN WHEN THE DOTS
DO NOT CONNECT
TAKE ADVANTAGE OF
NEAR MISSES TO
PREVENT THE BIG MISSES
AND SURPRISE RISK
EVENTS
JP Morgan Chase & Co.
Federal Aviation Administration (FAA)
Airline Near Miss Tracking
Purpose
The ASRS collects, analyzes, and responds to voluntarily submitted aviation safety
incident reports in order to lessen the likelihood of aviation accidents.
ASRS data are used to:
Managing Resistance and Concerns to
Internal Audit Function Work on RCA
• Management can be reluctant to embrace IA’s role
in RCA
• CAE and auditors should demonstrate the audit activity’s role
and capabilities
• Resistance from management in conducting RCA due to
time and resource commitments
• Focus on potential impacts from missed opportunities and errors
versus a focus solely on likelihood
• Provide both short term and long term fixes to issues
• Identify near misses in your own organization that turned into
larger problems as a basis for RCA
• Advocate that a portion of time be spent on RCA and prioritize
that effort on the biggest preventative opportunities
Environmental Factors of RCA
• In many cases, RCA can be traced back to a person or persons
Managing the Perception that RCA Places
Auditors in the Role of Management
• Manage this perception risk by:
– Providing specific, objective, and supported analysis of the root cause
– Distinguishing the root cause determination from the recommendation to
address root cause
– Ensuring the internal audit charter and engagement reporting clearly
note the role of management to assess recommendations made by
internal audit and own the implementation of any changes to the
process
– Distinguishing between engagements driven by internal audit activity that
are assurance in nature versus those that are consulting and driven by
the management sponsor
Final Thoughts
• Root Cause Analysis is not an “extra” service
– Rather, it is a core part of Internal Auditor’s role and insight delivery
• Addressing the “does audit add value and insights” expectations gap
requires auditors to:
– take risks
– demonstrate critical thinking skills
– drive positive change in the organization
Read the Practice Advisory!