4DReporting the Root Cause – Embedding Root Cause
Analysis (RCA) into audit findings
Rebecca Lee Head of Audit
BNZ
Root Cause Analysis
Rebecca Lee
Head of Audit
Bank of New Zealand
Understanding the event
What caused the Titanic to sink and 1,500 people to die?
What were their goals?
Capt. Smith
Lord PirrieHarland and Woolf ChairmanWhite Star Board Member
Bruce IsmayWhite Star ChairmanProject SponsorProject Head of Marketing
White Star Board Steering Cttee
Who managed and governed the project?
What was the environment like?
What impact did this have?
Ship Hit Iceberg
Iceberg alley
Hull steel plates bent
Flooding spread quickly
Titanic Sinks
1,500 died
Ship took on water
11.40 pm 2.20 am
How, where and when did Titanic Sink?
Ship Hit Iceberg
Iceberg alley
Hull steel plates bent
Flooding spread quickly
Titanic Sinks
1,500 died
Ship took on water
11.40 pm 2.20 am
How where and when did Titanic Sink?
Weakened materials in
cold
Change management
fail
Changes to bulkhead
design
How did 1,500 people die?
lifeboat launchorder
16 lifeboats floated
11.40 pm 12.45am 2.20 am
Ship Hit Iceberg
Iceberg alley
Titanic Sinks
1,500 died
How did 1,500 people die?
lifeboat launchorder
20 lifeboats capacity
1,178
16 lifeboats floated
Lifeboats reduced
48-20
Inspectionone drill one boat
Process failure
Certified safe to sail
11.40 pm 12.45am 2.20 am
Titanic Sinks
1,500 died
Ship Hit Iceberg
Iceberg alley
Steel Plates Bent
Flooding spread quickly
Ship took on water
Why?
Weakened materials in
cold
Changes to bulkhead
design
lifeboat launchorder
20 lifeboats capacity
1,178
16 lifeboats floated
Lifeboats reduced
48-20
Certified safe to sail
Inspectionone drill one boat
Process failure
Steering committee
COISponsor COI Culture
Lifeboat regulations out of date
Sea Trials Incomplete
11.40 pm 12.45am 2.20 am
Change management
fail
Conflicting goals
Ship Hit Iceberg
Iceberg alley
Titanic Sinks
1,500 died
Goal:
Reach New York
Safely
CULTURE
PROCESS PROJECT
MANAGEMET
Process
not tested
Believed the
“unsinkable” hype
Steering
Committee COI
New conflicting
goals
EXTERNAL
ENVIRONMENT
Titanic Sank
1500
Died
Regulations
not fit for
purpose
Sponsor
COI
Lifeboat
capacity
insufficient
Night in
Iceberg
Alley
Bulkhead
Design
changed
DESIGNGOVERNANCE
Design not
reassessed
after goal
changes
Change
management
failure
DELIVERY
CRITICAL
SUCCESS
FACTORS
BRAINSTORM
AND CHALLENGE
DOCUMENT
ACCURATELY
AND
IN DETAIL TO
UNDERSTAND
DEFINE
THE
PROBLEM
STAKEHOLDER
MANAGEMENT
& PLANNINGBE
PERSISTENT
AND CURIOUS
BE INDEPENDENT
REMOVE BIAS
Scenario
• CFO of a large global manufacturing company notified of
an error in the financial statements. Impacted both local
(UK) and Group (US) financial statements.
• Error was inaccurate recording of FX deals.
• Internal Audit was called in to identify the root causes and
review the management remediation plan to ensure
alignment with root causes.
Engage with a range of key stakeholders
Be specific, but retain an open mind
Don’t make assumptions
Be fact based
DEFINE
THE
PROBLEM
Identify everyone you need to engage with
• Local and Group CFO & FC
• Local and Group Management Assurance
• Local and Group External Auditors
• Local and Group Treasury
• Line one and Line two Risk Teams
• Listen
• Understand
• Fact Based
• Empathetic
• Visibility and Transparency
• Regular Communication Plan
• Clear and visible project plan
• Do what you say you will do!
STAKEHOLDER
MANAGEMENT
& PLANNING
Event Map (Partial)
FX deal executed by dealer
21January 2017.
Deal Email confirmation received 21
January 2017.
Deal input by dealer into FX
control spreadsheet
(shared drive:X)
Dealer Email to Treasury
Controller on 21 January 2017
requesting upload into SAP from FX
control spreadsheet
SAP upload staged by
Treasury Control and uploaded overnight 21
January 2017
Treasury P&L (Daily) Reviewed
by Head of Treasury Control on 22 January
2017
Control
breakdown
Review
ineffective as
there is no
comparison
against source
data.
DOCUMENT
ACCURATELY
AND
IN DETAIL TO
UNDERSTAND
DOCUMENT
ACCURATELY
AND
IN DETAIL TO
UNDERSTAND
Stopping too early
Not being specific enough to ensure solutions are sustainable
Making assumptions / Closed minded
Not using SME
Fear
The further you dig and the more specific you are, the more insight you will be able to provide
Event Map extract
FX deal for 20M GBP - CYNexecuted by
dealer 21January
2017.
Deal Email confirmation received 21
January 2017.
Deal input by dealer into FX
control spreadsheet
(shared drive:X) as 20M GBP –
CAN due to formula error
Dealer Email to Treasury
Controller on 21 January 2017
requesting upload into SAP from FX control
spreadsheet
SAP upload staged by Treasury
Control and uploaded
overnight 21 January 2017
Treasury P&L (Daily)
Reviewed by Head of Treasury
Control on 22 January 2017
FX control
sheet falls
within annual
spreadsheet
review policy
Policy
exemption
obtained for
spreadsheet.
No review of
spreadsheet
controls
Financial
Statements
reconcile back
to SAP, not to
source system
(spreadsheet)
WHY???
WHY???
FX deal for 20M GBP - CYN executed by
dealer 21January
2017.
Deal Email confirmation received 21
January 2017.
Deal input by dealer into FX
control spreadsheet
(shared drive:X) as 20M GBP –
CAN due to formula error
Dealer Email to Treasury
Controller on 21 January 2017
requesting upload into SAP from FX control
spreadsheet
SAP upload staged by Treasury
Control and uploaded
overnight 21 January 2017
Treasury P&L (Daily)
Reviewed by Head of Treasury
Control on 22 January 2017
FX control
sheet falls
within annual
spreadsheet
review policy
Policy
exemption
obtained for
spreadsheet.
No review of
spreadsheet
controls
Financial
Statements
reconciled
back to SAP,
not to source
system
(spreadsheet)
Exemption
process
followed. Line
1 and Two
Risk did not
raise concern
Documented
control
incorrectly
identified SAP
as source
Lack of
understanding
of spreadsheet
importance
Lack of
understanding
of system
limitations by
business, risk
and External
Audit
BE
PERSISTENT
AND CURIOUS
BE INDEPENDENT
REMOVE BIAS
BE INDEPENDENT
REMOVE BIAS
BRAINSTORM
AND CHALLENGE
GOAL:
Accurate Financial
Statements
SYSTEMS
CONTROLS PROCESS
Financial Statement Error
Complexity
of process
Understanding
Control
documentation
Operating
effectiveness
Understanding
Fitness for
purpose
Spreadsheet as
a source system
Manual
Understanding of
downstream impacts
POLICY
“Form over
Substance”
compliance
Understanding
Understanding
& visibility
PEOPLE
Understanding
Reliance on key
individuals
Clarity of roles and
responsibilities
RISK MANAGEMENT
Line 1
Risk
Line 2 Risk
Balancing of
risk-control-
management-reward
ASSURANCE
Management
Assurance
Internal
Audit
Understanding
EVENT: Incorrect recognition
of FX DEALS by Desk 234.
Value $10m
External Audit
Understanding
Structure &
capability
Accountability
Design - recognition of
spreadsheet as source
WHAT A ROOT CAUSE IS NOT
• Lack of resources
• Failure to comply with policy
• Lack of documented processes
• Lack of training
• Human error
• Failure to follow process
Turning RCA on its head to get KFC