In this article, John Selwood ACA explains root cause analysis (sometimes abbreviated to RCA), looking ahead to the new quality management standard that specifically requires the process to be performed. Further guidance on RCA is available in Navigate eCPD and an ISQM (UK) 1 mind map is also available
Root cause analysis has been used by some audit firms for a number of years to assist in improving audit quality. The process uses the findings of reviews, both hot and cold, to discover the root cause of failings.
It attempts to address the cause rather than the symptom, by simply asking why did this happen?
Nick Reynolds, Senior Manager in ICAEW’s Quality Assurance Department reminds us that:
'Root cause analysis is not a radical new approach, but rather a formalisation of what many firms may have regarded as best practice in the past. Root cause and remediation will now become part of business as usual for auditors. It may not always come up with the right (or at least complete) answer every time, but should be seen as an iterative process that supports continuous improvement in audit quality.’
Currently when Financial Reporting Council or ICAEW Quality Assurance Department visits identify significant weaknesses, audit firms are sometimes encouraged to undertake root cause analysis to identify the root cause of the findings and to make remediation easier. Indeed, where disciplinary action results from a poor regulatory visit, the fact that the firm used root cause analysis, in order to address the weaknesses identified, can form part of the mitigation used to justify less severe sanctions.
However, the introduction of paragraph 41 to International Quality Management Standard (UK) 1 (ISQM (UK) 1) effectively makes root cause analysis mandatory for all firms. ISQM (UK) 1 will apply from 15 December 2022, although early adoption is strongly encouraged.
How to do root cause analysis?
One of the reasons that implementing ISQM (UK) 1 will take time to complete is that every firm is going to have to design their own quality management systems, in response to the risks that they identify in their firm. As the Standard is risk-based, what works for one firm might not work for another.
As part of this, audit firms will need to consider how they are going to use root cause analysis.
Every review and every finding
Firms could apply root cause analysis to every finding, of every review, but it is unlikely to be an efficient approach. Instead, most firms will have to design a way of suitably targeting root cause analysis at the most appropriate reviews and findings.
This will involve taking into account factors such as:
- Risk and/or whether the audit is high profile or of a Public Interest Entity (PIE).
- The reviews it could be applied to, cold file reviews, engagement quality reviews and/or external monitoring reviews.
- Should it be applied to all low scoring/graded files, in cold file reviews?
- Are the findings in question, recurring themes?
Should there be a framework for the process of root cause analysis?
There is a view that root cause analysis is best carried out using a ‘blank piece of paper’ approach. This means the reviewer would research root causes without a prescriptive framework and the reviewer therefore has the opportunity of discovering root causes which a framework might not. In other words, there might be a better chance of ‘thinking outside the box’.
However, a ‘blank piece of paper’ can be intimidating and many firms might want to develop a more systematic approach, using checklists and standard forms.
How will the results be considered?
Should each finding be addressed separately? Should there be a degree of aggregation of issues? Which results should be acted upon? All of them or just a selection?
Firms will have to address all of these questions.
What is the right approach?
Ultimately, each firm will have to decide for themselves. The focus should be on developing an approach that is both efficient and effective at remediating significant weaknesses that were identified in the original review.
Also, it is worth remembering that root cause analysis can be used to encourage good practice. If reviews identify good practice, root cause analysis can be used to identify why something went well, with a view to taking actions to ensure that the good practice is repeated.
Pitfalls to avoid
In order for the root cause analysis to be accurate and useful, those undertaking the work should:
- avoid attributing blame which might result in audit team members being reluctant to openly participate;
- avoid superficial answers. Sometimes you need to ask ‘why?’ again;
- challenge what you are being told;
- not avoid the difficult issues. Sometimes there might be easy answers but often there will not be;
- know when to stop; and
- focus on driving action to improve audit quality. Finding the root cause is only part of the process. The ultimate goal is remediation.
Who can do root cause analysis?
There is no ‘one size fits all solution’.
The root cause analysis might be easier and more efficient if performed by somebody who has previous knowledge of the audit, such as a member of the audit team or the cold file reviewer. However, they might lack independence, particularly in the case of a member of the audit team.
On the other hand, someone who is independent of the audit, with no previous experience of the entity, might take longer and possibly might miss things.
When to do root cause analysis?
Again, there is a balance to be struck.
If the root cause analysis is done too soon after the original review, the audit team might still be defensive and possibly minded to continue to challenge the findings. Also, the root cause analysis will have a very different objective from the original review and transitioning from one to the other might be difficult.
However, if a significant amount of time is allowed to elapse since the original review then key facts and events might be forgotten and momentum might be lost.
Quality standards and ISQM (UK) 1 mind map now within Auditing Standards
The quality standards released recently by the FRC are now included within Auditing Standards, with a helpful interactive mind map for ISQM (UK) 1 to help readers navigate and digest the new requirements. See:
- International Standard on Quality Management (UK) 1 (ISQM (UK) 1) Quality Management For Firms That Perform Audits Or Reviews Of Financial Statements, Or Other Assurance Or Related Services Engagements;
- ISQM (UK) 1 mind map;
- International Standard on Quality Management (UK) 2 (ISQM (UK) 2 Engagement Quality Reviews; and
- International Standard on Auditing (UK) 220 (Revised July 2021) Quality Control For An Audit Of Financial Statements.