4DReporting the Root Cause – Embedding Root Cause

Analysis (RCA) into audit findings

Rebecca Lee Head of Audit

BNZ

Root Cause Analysis

Rebecca Lee

Head of Audit

Bank of New Zealand

Understanding the event

What caused the Titanic to sink and 1,500 people to die?

What were their goals?

Capt. Smith

Lord PirrieHarland and Woolf ChairmanWhite Star Board Member

Bruce IsmayWhite Star ChairmanProject SponsorProject Head of Marketing

White Star Board Steering Cttee

Who managed and governed the project?

What was the environment like?

What impact did this have?

Ship Hit Iceberg

Iceberg alley

Hull steel plates bent

Flooding spread quickly

Titanic Sinks

1,500 died

Ship took on water

11.40 pm 2.20 am

How, where and when did Titanic Sink?

Ship Hit Iceberg

Iceberg alley

Hull steel plates bent

Flooding spread quickly

Titanic Sinks

1,500 died

Ship took on water

11.40 pm 2.20 am

How where and when did Titanic Sink?

Weakened materials in

cold

Change management

fail

Changes to bulkhead

design

How did 1,500 people die?

lifeboat launchorder

16 lifeboats floated

11.40 pm 12.45am 2.20 am

Ship Hit Iceberg

Iceberg alley

Titanic Sinks

1,500 died

How did 1,500 people die?

lifeboat launchorder

20 lifeboats capacity

1,178

16 lifeboats floated

Lifeboats reduced

48-20

Inspectionone drill one boat

Process failure

Certified safe to sail

11.40 pm 12.45am 2.20 am

Titanic Sinks

1,500 died

Ship Hit Iceberg

Iceberg alley

Steel Plates Bent

Flooding spread quickly

Ship took on water

Why?

Weakened materials in

cold

Changes to bulkhead

design

lifeboat launchorder

20 lifeboats capacity

1,178

16 lifeboats floated

Lifeboats reduced

48-20

Certified safe to sail

Inspectionone drill one boat

Process failure

Steering committee

COISponsor COI Culture

Lifeboat regulations out of date

Sea Trials Incomplete

11.40 pm 12.45am 2.20 am

Change management

fail

Conflicting goals

Ship Hit Iceberg

Iceberg alley

Titanic Sinks

1,500 died

Goal:

Reach New York

Safely

CULTURE

PROCESS PROJECT

MANAGEMET

Process

not tested

Believed the

“unsinkable” hype

Steering

Committee COI

New conflicting

goals

EXTERNAL

ENVIRONMENT

Titanic Sank

1500

Died

Regulations

not fit for

purpose

Sponsor

COI

Lifeboat

capacity

insufficient

Night in

Iceberg

Alley

Bulkhead

Design

changed

DESIGNGOVERNANCE

Design not

reassessed

after goal

changes

Change

management

failure

DELIVERY

CRITICAL

SUCCESS

FACTORS

BRAINSTORM

AND CHALLENGE

DOCUMENT

ACCURATELY

AND

IN DETAIL TO

UNDERSTAND

DEFINE

THE

PROBLEM

STAKEHOLDER

MANAGEMENT

& PLANNINGBE

PERSISTENT

AND CURIOUS

BE INDEPENDENT

REMOVE BIAS

Scenario

• CFO of a large global manufacturing company notified of

an error in the financial statements. Impacted both local

(UK) and Group (US) financial statements.

• Error was inaccurate recording of FX deals.

• Internal Audit was called in to identify the root causes and

review the management remediation plan to ensure

alignment with root causes.

Engage with a range of key stakeholders

Be specific, but retain an open mind

Don’t make assumptions

Be fact based

DEFINE

THE

PROBLEM

Identify everyone you need to engage with

• Local and Group CFO & FC

• Local and Group Management Assurance

• Local and Group External Auditors

• Local and Group Treasury

• Line one and Line two Risk Teams

• Listen

• Understand

• Fact Based

• Empathetic

• Visibility and Transparency

• Regular Communication Plan

• Clear and visible project plan

• Do what you say you will do!

STAKEHOLDER

MANAGEMENT

& PLANNING

Event Map (Partial)

FX deal executed by dealer

21January 2017.

Deal Email confirmation received 21

January 2017.

Deal input by dealer into FX

control spreadsheet

(shared drive:X)

Dealer Email to Treasury

Controller on 21 January 2017

requesting upload into SAP from FX

control spreadsheet

SAP upload staged by

Treasury Control and uploaded overnight 21

January 2017

Treasury P&L (Daily) Reviewed

by Head of Treasury Control on 22 January

2017

Control

breakdown

Review

ineffective as

there is no

comparison

against source

data.

DOCUMENT

ACCURATELY

AND

IN DETAIL TO

UNDERSTAND

DOCUMENT

ACCURATELY

AND

IN DETAIL TO

UNDERSTAND

Stopping too early

Not being specific enough to ensure solutions are sustainable

Making assumptions / Closed minded

Not using SME

Fear

The further you dig and the more specific you are, the more insight you will be able to provide

Event Map extract

FX deal for 20M GBP - CYNexecuted by

dealer 21January

2017.

Deal Email confirmation received 21

January 2017.

Deal input by dealer into FX

control spreadsheet

(shared drive:X) as 20M GBP –

CAN due to formula error

Dealer Email to Treasury

Controller on 21 January 2017

requesting upload into SAP from FX control

spreadsheet

SAP upload staged by Treasury

Control and uploaded

overnight 21 January 2017

Treasury P&L (Daily)

Reviewed by Head of Treasury

Control on 22 January 2017

FX control

sheet falls

within annual

spreadsheet

review policy

Policy

exemption

obtained for

spreadsheet.

No review of

spreadsheet

controls

Financial

Statements

reconcile back

to SAP, not to

source system

(spreadsheet)

WHY???

WHY???

FX deal for 20M GBP - CYN executed by

dealer 21January

2017.

Deal Email confirmation received 21

January 2017.

Deal input by dealer into FX

control spreadsheet

(shared drive:X) as 20M GBP –

CAN due to formula error

Dealer Email to Treasury

Controller on 21 January 2017

requesting upload into SAP from FX control

spreadsheet

SAP upload staged by Treasury

Control and uploaded

overnight 21 January 2017

Treasury P&L (Daily)

Reviewed by Head of Treasury

Control on 22 January 2017

FX control

sheet falls

within annual

spreadsheet

review policy

Policy

exemption

obtained for

spreadsheet.

No review of

spreadsheet

controls

Financial

Statements

reconciled

back to SAP,

not to source

system

(spreadsheet)

Exemption

process

followed. Line

1 and Two

Risk did not

raise concern

Documented

control

incorrectly

identified SAP

as source

Lack of

understanding

of spreadsheet

importance

Lack of

understanding

of system

limitations by

business, risk

and External

Audit

BE

PERSISTENT

AND CURIOUS

BE INDEPENDENT

REMOVE BIAS

BE INDEPENDENT

REMOVE BIAS

BRAINSTORM

AND CHALLENGE

GOAL:

Accurate Financial

Statements

SYSTEMS

CONTROLS PROCESS

Financial Statement Error

Complexity

of process

Understanding

Control

documentation

Operating

effectiveness

Understanding

Fitness for

purpose

Spreadsheet as

a source system

Manual

Understanding of

downstream impacts

POLICY

“Form over

Substance”

compliance

Understanding

Understanding

& visibility

PEOPLE

Understanding

Reliance on key

individuals

Clarity of roles and

responsibilities

RISK MANAGEMENT

Line 1

Risk

Line 2 Risk

Balancing of

risk-control-

management-reward

ASSURANCE

Management

Assurance

Internal

Audit

Understanding

EVENT: Incorrect recognition

of FX DEALS by Desk 234.

Value $10m

External Audit

Understanding

Structure &

capability

Accountability

Design - recognition of

spreadsheet as source

WHAT A ROOT CAUSE IS NOT

• Lack of resources

• Failure to comply with policy

• Lack of documented processes

• Lack of training

• Human error

• Failure to follow process

Turning RCA on its head to get KFC