Just Ask Why: The Key to Successful Audit Remediation


Imagine you just received an audit report identifying deficiencies and weaknesses in your agency’s operations or reporting. Or maybe a self-assessment of your organization resulted in significant findings. Now, what do you do?

If you only fix the symptoms, you’ll likely receive repeat findings next year and the year after that. Even if the problem found is somewhat small, it indicates that something within your processes is broken. If you don’t fix it, then this year’s $1 million issue could grow to become a $50 million issue next year. Or if you “fix” the problem but only implement a Band-Aid solution rather than digging deeper to discover why the problem occurred in the first place, then you may lose valuable time and resources. That’s why a proactive and thorough approach to addressing any deficiencies or weaknesses as soon as they are identified is so important.

 

But Why?

It can be difficult to understand how and why a finding occurred, but behind every finding is a root cause. Organizations often focus on immediate short-term solutions which don’t address the true underlying causes of repeat audit findings. Remediation is about truly understanding the root cause and implementing corrective actions to address financial and operational challenges.

Root cause analysis digs deep and asks “why?” Why did you receive this audit finding? Why does this problem exist? By focusing on root causes, you figure out the real issue and spend your time and resources fixing that. When you receive a finding, it’s usually caused by a process, the people involved in the process, the technology used to execute the process, or the underlying data.

Root cause analysis should begin with the “Five Whys” technique. Just like it sounds, you keep asking why until you find the true root cause. In general, it should take no more than five questions to get there. Let’s look at an example from home ownership: a leak in your basement.

  1. WHY IS THERE A PROBLEM?
    • Water leaked into the basement.
  2. WHY DO YOU HAVE A LEAK IN YOUR BASEMENT?
    • It rained and some water came in.
  3. WHY DID THE WATER COME IN?
    • There was a space under the basement door.
  4. WHY IS THERE A SPACE THERE?
    • The door is off the hinge.
  5. WHY IS THE DOOR OFF THE HINGE?
    • There is a missing screw — you found the root cause!

 

Digging for information in that way is similar to what doctors do when trying to diagnose an illness. Too many times, people get focused on a symptom. (In the above example, water leaked into the basement.) But the symptom doesn’t tell you anything about the cause. There are many ways to alleviate symptoms that don’t cure the underlying issue, which is why it’s critical to identify the root cause.

 

What's Next?

Once you understand the root cause of the problem — usually a people, process, technology, or data issue — it’s time to develop a remediation plan. If it’s a people issue, can you hire somebody new or provide additional training? If it’s a process issue, what can you change or do differently within the process? If it’s a technology issue, how do you modify the existing technology, or do you need a new technology solution? If it’s a data issue, how can you ensure the consistency and accuracy of data?

Remediation activities tend to be complex projects that consume significant internal and external resources and call for an end-to-end view of the whole process. They might take the form of re-engineering a manual process or implementing an automated solution, or they might entail developing policies and procedures to address new requirements or instances where documentation does not already exist.

You need a roadmap to help you ensure successful remediation — the corrective action plan (CAP). The CAP documents the overall remediation plan and lists the milestones and tasks the agency should take, as well as when and how you’ll know you’ve completed them. Milestones might include developing a policy or procedure, whereas the tasks will be more detailed, such as meeting with process owners, reviewing existing policy, and documenting a draft. Importantly, each task will be assigned to a specific person so everyone knows who’s responsible for what.

You should establish performance measures, create incentives for improvement and hold people accountable for the remediation, because, as the saying goes, “what gets measured gets fixed.” You should also assign responsibility to someone for tracking and monitoring the CAP to ensure progress is being made, and they should provide reports and dashboards to leadership to support accurate, timely, and informed decision-making.

 

You Fixed It. Now What?

Once the CAP milestones and tasks are completed, it’s important to make sure that the root cause was adequately addressed. Verification and validation (V&V) testing achieves this and confirms auditability of the remediation results. V&V testing may include collecting newly developed documents, such as policies and procedures, or selecting and reviewing a sample of items to support controls implemented in a newly designed business process.

Through this testing, you may find that the fix didn’t work, because maybe you hadn’t identified the true root cause. In this case, you should go back to the beginning of the cycle and start over to avoid any repeat audit findings. Or you may find that the fix worked — in which case you can move on to other efforts to help improve the efficiency and effectiveness of other operational areas and support fulfillment of your agency’s objectives.

 

Written by Michelle Paul. Copyright © 2023 BDO USA, LLP. All rights reserved. www.bdo.com
