Why Root Cause Analysis Matters
The pattern of recurring findings is one of the most common frustrations in internal audit — and one of the most revealing indicators of root cause analysis quality. When the same finding appears in an audit today that appeared two, three, or four years ago, the most likely explanation is not that management is incompetent or indifferent. It is that the corrective action taken after the original finding addressed the symptom rather than the cause.
A payment approval failure might be attributed to a staff error and corrected by retraining the individual. If the root cause was actually an unclear policy, an inadequate segregation-of-duties design, or a system configuration that makes the correct procedure more cumbersome than the incorrect one, the retraining will not prevent the error from recurring.
Common Root Cause Categories
Root causes in internal control environments typically fall into one of a limited number of categories. Understanding these categories helps auditors ask the right questions during fieldwork rather than accepting the first plausible explanation.
Design failure: The control was not well-designed in the first place. The policy was ambiguous, the procedure did not address all scenarios, or the control did not adequately address the risk it was intended to mitigate.
Resource failure: The control is well-designed but the people responsible for executing it lack the time, skills, tools, or authority to do so effectively. Overloaded staff cutting corners on approval procedures is a resource failure, not a compliance failure.
Communication failure: People responsible for executing controls were not adequately trained, did not understand the purpose of the control, or were unaware of policy changes. This is distinct from design failure — the design is adequate, but it was not effectively communicated.
Governance failure: Management does not reinforce the importance of the control through oversight, tone-setting, and accountability mechanisms. Controls that are technically required but never monitored and never enforced will gradually be deprioritised.
Environmental change: The control was effective in the environment for which it was designed, but the environment has changed — new systems, new volumes, new processes, or new staff — and the control has not been updated accordingly.
Root Cause Analysis Techniques
Several structured techniques help auditors identify root causes systematically rather than relying on intuition.
The 5 Whys: Starting from the observed control failure, ask "why did this happen?" five times in sequence. Each answer becomes the subject of the next question. The goal is to move from the immediate symptom to the underlying systemic cause. The technique is simple but effective — it consistently reveals that the first answer to "why did this happen" is itself a symptom rather than a cause.
Fishbone analysis: Also known as the Ishikawa or cause-and-effect diagram, this technique maps potential causes across categories (typically people, process, technology, and environment) and then evaluates which causes are actually present in the specific situation.
Process walkthrough: Walking through the end-to-end process with the people who execute it reveals the points at which the designed procedure and the actual procedure diverge — and often surfaces the practical reasons why those divergences persist.
The most valuable question an auditor can ask is not "what went wrong?" but "what would need to change for this not to go wrong again?" The answer to the second question requires genuine root cause understanding.
Communicating Root Cause in the Finding
Once root cause is understood, it must be clearly articulated in the audit finding. The cause element of the finding should explain why the control weakness exists — not just describe it. And the recommendation should directly address the root cause: if the root cause is a design failure, the recommendation is to redesign the control; if it is a communication failure, the recommendation is training and policy clarification; if it is a governance failure, the recommendation is management oversight and accountability mechanisms.
Management responses that do not address the stated root cause are a red flag — they suggest that either the root cause is incorrect, or the management response is not genuinely aimed at sustainable resolution. Both possibilities warrant follow-up conversation before the finding is closed.