Key Takeaways
- Root cause analysis asks why a deficiency happened, not just what happened.
- ISQM 1.41 requires firms to investigate root causes of identified deficiencies and to evaluate their severity and pervasiveness.
- In its 2023/24 thematic review, the FRC found that many firms completed root cause analysis too late to feed into the annual evaluation of the system of quality management.
- Without RCA, a firm cannot demonstrate that its remediation addresses the actual problem rather than a surface indicator.
What is root cause analysis (audit quality)?
ISQM 1.41 sits inside the monitoring and remediation component. Once a firm's monitoring activities identify a deficiency (a quality objective not being achieved or a response not operating effectively), the firm investigates the root cause. No specific methodology is prescribed. Some firms use the "five whys" technique; others prefer fishbone diagrams, structured interviews with engagement teams, or a combination. What matters is that the investigation moves beyond the immediate finding to the underlying condition.
Two decisions follow from the output. First, the firm evaluates severity and pervasiveness under ISQM 1.42 to determine whether the deficiency, individually or combined with others, is severe enough to require the conclusion that the system of quality management does not provide reasonable assurance. Second, the firm designs remedial action that targets the root cause (ISQM 1.43). A file review that finds inadequate engagement quality review documentation on four engagements could trace back to unclear firm guidance, insufficient reviewer capacity, a culture that treats the review as a formality, or time pressure during busy season. Each root cause demands a different response. Without root cause analysis (RCA), remediation defaults to retraining, which may fix nothing.
Worked example: Firma Vandijk Accountants
Context: Firma Vandijk Accountants (a mid-sized Dutch firm with 14 audit partners) conducts its annual monitoring cycle and identifies the following deficiency: on 5 of 22 inspected engagement files, the assessment of fraud risk factors under ISA 240.26 was limited to a checklist with no narrative explanation of why certain risks were dismissed.
Step 1 — Define the deficiency
Under ISQM 1.30(a), the firm's quality objective requires engagement teams to comply with professional standards. Five files did not meet ISA 240.26 because the fraud risk assessment lacked documented reasoning.
Step 2 — Investigate the root cause
Interviews with the five engagement partners and the two managers who prepared the fraud risk sections reveal that the firm's standard template includes a checklist but provides no prompt for narrative reasoning. Four of the five partners assumed the checklist alone was sufficient because the template did not ask for more. One partner had added narrative on prior-year files but stopped when the firm rolled out an updated template in 2024 that removed the free-text field.
Step 3 — Evaluate severity and pervasiveness
Five of 22 files (23%) show the deficiency. It relates to a single quality response (the fraud risk template) rather than a systemic failure across multiple components. Under ISQM 1.42, the firm assesses the deficiency as not severe and not pervasive, but material enough to require remediation before the next audit cycle.
Step 4 — Design targeted remediation
Vandijk revises the template to reinstate the free-text field with a mandatory prompt: "For each fraud risk factor dismissed, state the specific reason." A 90-minute workshop for all engagement partners is scheduled before the 2026 busy season, and a follow-up inspection of fraud risk documentation on Q1 2026 files will verify whether the fix works.
Why it matters in practice
In its 2023/24 thematic review of ISQM (UK) 1 RCA, the FRC found that firms frequently completed their investigations too late in the cycle to inform the annual evaluation of the system of quality management. ISQM 1.41 does not prescribe timing, but the analysis loses its purpose if it finishes after the firm has already concluded on the system's effectiveness.
At firms like ours, the honest temptation is to treat RCA as a relabelling exercise: the monitoring report states the finding, and the "root cause" section restates it in different words. That is not RCA. ISQM 1.41 requires investigation of why the deficiency occurred, which means moving at least one causal layer deeper than the observed symptom. A finding that says "insufficient documentation of going concern" paired with a root cause of "the team did not document going concern sufficiently" is just ticking and bashing the form without doing the actual thinking.
Root cause analysis vs. monitoring inspection
| Dimension | Root cause analysis | Monitoring inspection |
|---|---|---|
| Purpose | Explains why a deficiency occurred | Identifies whether a deficiency exists |
| Timing | Follows the identification of a deficiency | Typically performed on a cyclical basis (annually for most firms) |
| Output | Causal explanation that informs targeted remediation | Finding or observation on whether quality objectives were achieved |
| Governed by | ISQM 1.41 | ISQM 1.37–40 |
A monitoring inspection without RCA can identify problems but cannot fix them effectively. RCA without monitoring has nothing to investigate. Both operate as sequential steps within the same ISQM 1 remediation cycle, and firms that collapse them into a single activity risk performing neither well.
Related terms
Related reading
Frequently asked questions
Does ISQM 1 require a specific root cause analysis methodology?
No. ISQM 1.41 requires the firm to investigate root causes of identified deficiencies but does not mandate a particular technique. Firms may use structured interviews, the "five whys" method, fishbone diagrams, or any other approach proportionate to the deficiency's nature. The standard's application guidance (ISQM 1.A172) confirms that the nature and extent of root cause investigation depends on the circumstances.
How often should a firm perform root cause analysis?
ISQM 1 ties root cause analysis to the identification of deficiencies, not to a fixed calendar. Whenever the firm's monitoring activities identify a deficiency under ISQM 1.39, root cause analysis follows under ISQM 1.41. In practice, most firms batch their analysis after the annual file inspection cycle, but significant deficiencies identified mid-year should be investigated promptly so remediation can begin before the next busy season.
Can root cause analysis cover positive outcomes as well as deficiencies?
ISQM 1 focuses root cause analysis on deficiencies, but ISQM 1.A170 acknowledges that firms may also choose to investigate the root causes of positive inspection outcomes to understand what drives quality. The FRC's 2023/24 thematic review encouraged this practice, noting that understanding why certain engagements perform well helps firms replicate those conditions across the portfolio.