I have been a big fan of the IIA’s magazine for a long time, having been both a contributor and a member of its editorial board.
A recent piece tackled a topic that I believe is important, not only for internal auditors but also for risk practitioners in an article titled, Digging Deep (available to IIA members).
The lead-in paragraph says:
Using COSO-based root cause analysis to connect reasons for control failures with internal control principles can help identify weaknesses across the organization.
Now I’m not sure the author understands that root cause analysis has nothing whatsoever to do with the COSO Internal Control Framework.
However, that COSO framework’s principles can point to some areas, such as competency and information, that can help understand the true root cause of an internal control failure – so the author just got the wording wrong.
She says this well:
Conducting a root cause analysis is a way internal audit can add value to the organization by looking beyond identified symptoms of internal control weaknesses to the underlying reasons for why they exist. Without an RCA, recommended corrective actions often fail to address the actual cause of a problem, and the issue may persist or evolve.
In fact, if the auditor doesn’t perform a root cause analysis it is highly likely that only…
