
A brave root cause analysis and how COSO might help

I have been a big fan of the IIA’s magazine for a long time, having been both a contributor and a member of its editorial board.

A recent piece, an article titled Digging Deep (available to IIA members), tackled a topic that I believe is important not only for internal auditors but also for risk practitioners.

The lead-in paragraph says:

Using COSO-based root cause analysis to connect reasons for control failures with internal control principles can help identify weaknesses across the organization.

Now I’m not sure the author understands that root cause analysis has nothing whatsoever to do with the COSO Internal Control Framework.

However, that COSO framework’s principles can point to some areas, such as competency and information, that can help understand the true root cause of an internal control failure – so the author just got the wording wrong.

She says this well:

Conducting a root cause analysis is a way internal audit can add value to the organization by looking beyond identified symptoms of internal control weaknesses to the underlying reasons for why they exist. Without an RCA, recommended corrective actions often fail to address the actual cause of a problem, and the issue may persist or evolve.

In fact, if the auditor doesn’t perform a root cause analysis it is highly likely that only the symptom is identified and addressed, rather than the underlying disease.

RCA should not be considered an additional step. It should be mandatory for every identified control weakness.

The author has a useful section on the different ways a root cause analysis can be performed.

  • Five Whys: Asking “why” five times to drill down to the true cause of a finding.
  • Pareto Chart: Presenting potential causes for the identified problems on a chart from the highest to the lowest frequency to focus on areas of improvement with the greatest impact.
  • Fishbone Diagram: Assessing potential causes grouped into categories (people, process/methods, equipment, materials, measurement, environment) to establish a relationship with the identified problem.
  • Scatter Plot Diagram: Testing correlation between variables by plotting potential root cause (an independent variable) against the effect (dependent variable).

I would add a caveat: whichever method you choose (I prefer the first), you have to keep inquiring until the true root cause is identified.

In other words, you may have to ask “why” six, seven, or more times until you are satisfied that the root cause has been identified, and only then can corrective actions be considered.

Consider this. An audit or review has identified that reconciliations are not being completed on time.

  1. Why? Because people are too busy.
  2. Why are they busy? They have too much work to do in other areas and the reconciliations are lower priority tasks.
  3. Why do they have too much work? People have left and not been replaced.
  4. Why have they not been replaced? The manager has not been able to fill the positions.
  5. Why hasn’t he been able to fill the positions? Candidates are asking for too much money, more than the company can offer.
  6. Why is the company not able to offer sufficient compensation? Because the Human Resources department mandates a salary and bonus range for these positions that is lower than candidates with the required experience and ability demand.
  7. Why…?

And on it goes until the true root cause, which in this case is in a different department than the symptom, is identified.

The other three methods (Pareto chart, Fishbone diagram, and Scatter plot diagram) may not be sufficient. For example, you may identify a common point of failure for multiple control issues. But then you have to ask “why” several times to get to why that cause existed.

Where the article goes astray is in its attempt to list ‘common root causes’ for deficiencies in particular areas. If you have been able to access and read the article, you will see what I mean. We can set aside the rest of that article.

So are there common root causes?

I would start with the principle that holds true in 99.99% of cases: the root cause is people related. It may be:

  • Controls are performed by people with insufficient training, experience, or competency (addressed by a COSO principle). The author has identified competency weaknesses and lack of training as common root causes, but they are not root causes. The auditor needs to ask why these conditions exist. Why didn’t competent people get hired? Why wasn’t adequate training provided? Several more whys may be needed before the true root cause is identified.
  • Controls are performed by people who have not received the information they need to do their job well (another COSO principle). Again, the article just says the common root cause is insufficient internal communication. But why did that happen? And why, and why, and why.
  • Management is lacking in some way, whether it is in how people are directed, how they are motivated, or some other issue.

Take one example from Auditing that Matters. Loretta Forti is our heroine, conducting an audit that focused on the timeliness of approval for capital expenditures (Authorizations for Expenditures, or AFEs).

I had asked her to perform an audit of the AFE process after I discovered that expenditures with a very high ROI were taking so long to be approved that the opportunity passed!

It was relatively easy to find out how the process worked. Once a month, the division CFO gathered all the Vice Presidents and they collectively reviewed all the AFEs and the analysis prepared by Mike Passaretti and his team [the Capital Expenditure department]. They would take about half a day to discuss them and decide which they would propose should move forward and what the priority was for each.

The next meeting, typically the following day, was with the division CEO, Bob. The CFO and all the Vice Presidents would review with Bob the AFEs they believed should go forward. When he felt that the total was too high or disagreed with the VPs’ recommendations, the executives had to debate which would be approved, which might be deferred, and which would be declined. This meeting also took a half-day on average.

Because of the intense review and approval process, each executive was careful to ensure all the AFEs they proposed had complete and accurate analyses included in the package. Mike and his team were equally careful with their review and analysis. This all took time.

It was clear to Loretta, as it was to all the Vice Presidents and the CFO, that the process was too long, consumed far too much executive time, and often cost more than the spending itself (if you count the cost of the VPs’ time)!

The question was why the process was this way.

The CFO and VPs all agreed, usually with language they wouldn’t use with children around, that they hated both the all-VP meeting and the meeting with Bob. They said they didn’t have the time to spare and asked for our help to get the process – both time and cost – under control.

Loretta and I met to talk about what we were to do. Rather than share my opinion, for once I did the smart thing and asked Loretta for her opinion.

At first, she didn’t know what to say. But as she realized she could say what was on her mind, and with some gentle guidance from me, she said it: the CEO was the problem. He was the only one who wanted these long and expensive meetings. Only when he was persuaded to change his mind could it be changed.

I knew Bob quite well, having worked with him before he moved into his current position with the company. He was one of the executives with whom I met frequently to discuss the business and he had shared a number of confidences with me.

I was sure that he would listen to Loretta and had a suspicion he would find it easier to understand himself if he met one-on-one with her. Both a formal meeting with the CFO present and a larger meeting with the three of us (Bob, Loretta, and I) might make it harder for him to look in the mirror.

And so it was. I persuaded him to meet with Loretta and she, in turn, trusted me when I told her she would not only be safe but would enjoy herself.

I admit that I was a little nervous as I waited in my office for Loretta. Then she appeared in the doorway, all smiles!

She told me that the meeting went brilliantly. Bob was charming, as usual, and showed great respect for her – even though she was ‘only’ a manager. He let her explain what she had found and that the long process was preventing timely investment to seize market opportunities. In addition, not only was it consuming a lot of expensive executive time, but it was taking them away from running the business.

This was critical, explaining the issue in terms of how it affected the business and its success. Auditors who talk in their language (what I call “technobabble”), rather than the language of the executives they are attempting to inform or persuade (which is the objective of an audit report) are unlikely to succeed.

Loretta said that Bob responded with silence, clearly thinking about what she had said.

Then he shocked her by telling her that he was the problem. He recognized that his insistence on discussing and approving every AFE could not continue. Bob told Loretta she had done an excellent job and that he would like to talk to me.

When I met Bob later that week, he repeated his praise for Loretta. Then he asked for my opinion. Again I was smart and didn’t give him my opinion straight away. Instead, I asked him why he wanted to approve every AFE.

After a short hesitation, he said that perhaps he should only approve major capital expenditures instead of every one. I concurred, saying that was what I was used to and would advise.

But I kept at it. Why had he insisted on approving every AFE? This was not what he had done in his previous positions with the company, nor was it what he was used to working directly for Tom O’Malley – a consistent and effective delegator.

Then he looked again in the mirror and saw his true self.

“Norman, I can see now that I didn’t trust my direct reports enough to make these decisions!”

We talked about this for a while. Either he had the wrong people in these key positions, in which case he needed to replace them, or he needed to trust the people he had and delegate more effectively. He didn’t hesitate before saying he had excellent people; he just had to let go, take a little more risk, and trust and delegate.

For the next couple of weeks, Loretta and I had a trail of VPs visiting us to express their thanks for Loretta’s great work. Bob had changed the entire process, with new delegations of authority such that the VPs could approve most AFEs, the CFO would have to approve all over a certain value, and Bob was only involved in truly major capital expenditures.

Going back to the statement I made earlier, that PEOPLE are almost always the root cause, in one way or another, root cause analysis may surface some ugly truths.

It can take a lot of interpersonal and even political skills for the auditor (with the CAE’s active assistance) to discuss the issue and root cause with management, obtain their agreement on the facts, and work with them on the appropriate corrective action.

They are often unable or unwilling to face those facts.

Consider situations where:

  • A manager is a poor leader, failing to delegate, motivate, inspire, etc.
  • The employee charged with performing the control has too much work and management is unwilling to hire additional staff.
  • A manager is unable (might be incapable) to persuade more senior management that there is a need to address a risk, to hire more people, to change direction, etc.
  • People are talking in different languages, such as senior management and the cybersecurity staff.
  • The company’s systems are old and need to be replaced at a cost of tens of millions, which is not in the budget.
  • The CEO is a bully and gets his direct reports to compete instead of working together.
  • The Marketing team distrusts the people in the front lines, and therefore loses touch with the needs and wants of the customer base.
  • The manager is biased against individuals who don’t look like him or her, creating a hostile environment and failing to get the best out of employees.
  • The culture established and reinforced by management’s actions discourages creativity and risk-taking, and stifles performance.
  • Management is not trusted or respected.
  • People are motivated to achieve their personal performance goals rather than what is best for the organization.

A root cause analysis that is not afraid of identifying and reporting people failures is essential.

The COSO principles are useful, but they are insufficient. Only some of the bulleted situations above are covered by them.

I am reminded that the former CEO of GE, Jack Welch, was once asked what problems he faced every day. His answer was:

  1. People
  2. People
  3. People

They are the root of (almost every) control failure.

We need to be brave to see and help others see the true situation.

I welcome your thoughts.

  1. Morgan
    July 22, 2022 at 11:16 AM

    Highly recommend two things related to RCA. Proper problem definition, best captured in the Kepner-Tregoe methodology, and Dean Gano’s Apollo Root Cause Analysis. The latter introduces important concepts, that cause and effect are the same thing and depend on your perspective and there are *always* at least two causes to each effect (so your 5-whys should actually branch like a tree.) The more causes you can find to a given effect, the more flexibility, creativity and cost controls you have over developing a solution.

    You learn some of these things and you will learn that some problem management tools are as poor as some risk management tools. Thanks for your blog!

  2. Ishdeep
    July 22, 2022 at 7:35 PM

    Couldn’t agree more. But at times it becomes difficult for an external consultant to identify people issues as they don’t get the detailed insights in the time bound assignment.

    That’s the RCA for why most Auditors fail to identify the relevant root cause 🙂

  3. Bruce McCuaig
    July 23, 2022 at 6:17 AM

    If I may, I’d like to add a few thoughts. COSO, as I recall, was intended to reveal the root cause of financial failures in S&Ls and other institutions in the late 1980s. Ironically, it is not useful for root cause analysis. (Nor, for that matter, in my extensive experience, for anything else.)
    I do agree that human error is the prime cause of failure in any human endeavor. Other professionals, primarily in the areas of safety and environment use root cause analysis extensively and can illustrate that human error is behind 55-65% of incidents. A good example is the detailed root cause analysis performed for every aviation failure in the US and the huge increase in safety over the last few decades.
    In the world of internal auditing, I believe 90-95% of internal audit recommendations have absolutely nothing to do with human behavior or the errors that result, and are aimed at symptoms, not causes. I have looked at hundreds, if not thousands of reported SOX deficiencies, and I have never seen a root cause identified and reported. In many cases it is difficult to figure out what the deficiency was, let alone its root cause.
    While I admire any attempt to address the 5 questions you suggest, I think our audiences would be well served for now to ask just one and report the answer. I believe root causes should be classified under Purpose, Commitment, Capability and Monitoring, and detailed criteria are available to further define those criteria for better analysis. Root cause of failure does not need to be psychoanalyzed by auditors. If an error is caused because an employee was not trained, that is sufficient to report. If a deficiency resulted from a poor policy, that’s a good starting point. If root causes of failure were required to be identified and aggregated by type, internal audit’s value would increase vastly. Value would be measured by a reduction in reported issues or deficiencies and improved performance.

  4. Michael Howell
    July 24, 2022 at 3:50 AM

    I sadly can’t recall who I learned it from to give them credit, but I like phrasing it as contributing causes rather than root cause. Often it is more than one condition that gives rise to the event (aligned with your approach of understanding all the things that might happen). I helped investigate a disruptive IT incident that occurred after a patching event. A couple of “whys” later, a third party configured something incorrectly 2 years prior. Problem solved, someone to blame. But asking more questions uncovered:
    – the people doing the patching had limited knowledge of the systems they were working on, delaying diagnosis
    – there was no budget for upskilling or hiring internal expertise
    – they had to patch other systems at the same time to make that work, again reducing the time until diagnosis could begin
    – they couldn’t do THOSE patches earlier because their requests to do so had been denied so they could work on features rather than maintain systems
    While the event wouldn’t have happened without the initial misconfiguration, other elements were within the company’s control.

    Agree on people, but on the other side of the coin I would almost always challenge when ‘human error’ was put forward as the primary root cause, such that the offender should just ‘do better’. My regular follow-up is to ask what environment that person was working in, and how much control do we have over that environment or those conditions? Those questions may of course lead back to the behaviour of other people who have more sway over how that environment operates.

    I’ve seen a number of issues where people were initially provided feedback for their errors, but once further analysis was conducted, it became evident that processes, systems or training had plenty of room for improvement in order to prevent them. Or as you cover, high workloads, bullying, unclear expectations etc.

    • Bruce McCuaig
      July 24, 2022 at 4:36 AM

      I can’t disagree fundamentally with your points. Finding cause of failure can be complex. But this is a profession that opines on “internal control effectiveness” an even more complex concept. I think deep analysis and disclosure of significant failures is important, but in the case of the auditing profession, the complexity leads to paralysis, not insight. For example, I suggest you compare any publicly disclosed “material weakness” or “significant deficiency” to a typical NTSB investigation report of an aviation incident. Here is an example assuming links are permitted https://www.ntsb.gov/investigations/Pages/dca20ma002.aspx

    • Norman Marks
      July 24, 2022 at 5:50 AM

      Very well said, Michael.

      Root cause(s): what needs to be fixed if the symptom is to be removed.
