ISACA Journal
Volume 3, 2,017 


IS Audit Basics: The Soft Skills Challenge, Part 7: The 5 Whys Tool 

Ed Gelbstein, Ph.D. 

This column is the final IS Audit Basics contribution from Ed Gelbstein, Ph.D., to the ISACA Journal. He was the IS Audit Basics columnist from volume 1, 2015, to volume 3, 2017. Prior to his death in July 2015, Gelbstein wrote and contributed enough columns to the ISACA Journal to fill this column until now because of his desire to share his professional knowledge and his prolific writing. ISACA is deeply grateful to Ed Gelbstein and his wife Cora for his continued, valuable contributions of knowledge and expertise to ISACA Journal readers both before and after his death.

The 5 Whys tool1 has been around since the 1930s. It is simple and effective, and, although unknown to many, it is part of a “lean approach” to problem solving. This tool is based on the assumption that asking questions is a fundamental tool to support diagnostics. Failure to ask the right questions means not getting the right answers.

What it does is to drill down to find the underlying cause of a problem with relatively little effort. By asking the question “why” repeatedly (five times is usually enough), layers of symptoms can be removed to arrive at the root cause of a problem.

If a more detailed approach is needed, other tools can be used to supplement it, such as cause-and-effect analysis (also known as fishbone diagrams, Ishikawa diagrams or herringbone diagrams).

The 5 Whys clearly identify areas for which the answer is not known and this, in itself, is a valuable finding. While it originated as part of quality management, it can be applied to audits, problem solving and risk management, mainly at the discovery stage.

How to Use It

This tool is most useful when dealing with situations involving human factors or interactions and where there are cultural barriers to revealing the true nature of problems.

The success of the 5 Whys approach depends on a clear, complete and specific definition of the problem under review. Once that definition is complete, the process begins by asking why the problem occurred and writing down the answer given by team members and/or the people working on the particular situation.

If this answer does not elucidate the root cause of the problem, it is necessary to ask why again and continue this cycle until the root cause is identified. It may take fewer than five iterations.

Warning: Each time the why question is asked, the answer must be based on verifiable facts. That is, the answer must cover things that have actually happened—not ones that might have happened. This prevents the 5 Whys from becoming a process of deductive reasoning, as this is likely to generate a number of possible causes and, therefore, create more confusion (see the conclusions section in this article).

The 5 Whys is most effective when it is used to build a more sophisticated tool, such as the cause-and-effect (or fishbone) diagram that permits the exploration of all the potential or real causes that result in an undesirable outcome.

The following two examples of using the 5 Whys—both from real life but omitting the names of the organizations and individuals involved—illustrate the simplicity of the technique (figures 1 and 2).

Example 1: Delayed Project
This was uncovered in one of several audits of a large enterprise resource planning (ERP) implementation project that extended over several years.

Diagnosis 1: The managing director has a “saving money regardless of cost” (SMRC) attitude, as there is an unwillingness to fund training or the required level of remuneration for the job in question.

Diagnosis 2: The team structure for the project was weak from the outset as there was no adequate backup for the critical role of project manager.

Consequence: No action was taken on these issues and the project became even more delayed and costly. By the time the project was completed, the ERP was obsolete and the organization is now working to replace it.

Example 2: Critical Audit Recommendation Not Implemented
Diagnosis 1: In this organization, senior management considered IS/IT to be less complex than it actually is and was under pressure to reduce the number of staff and its budget.

Diagnosis 2: The employee noted in the answer to the fifth why that he/she had a contract guaranteeing employment until retirement or death, whichever came first. This individual had acquired a level of self-confidence that allowed him/her to say, “I do not want to and you cannot make me.”

Consequence: The auditors’ report included a photograph of a wiring cabinet—part of a critical network that resembled a rat’s nest that was escalated to top management and the audit committee. The organization had to wait until the employee referenced in the fifth question retired before action could be taken. Luckily the network did not collapse before it was fixed.

Limitations of the 5 Whys Approach

If this tool is so effective, why is it not better known and more extensively used?

For children of around 3 to 5 years old, the question “why” comes naturally. If their questioning is encouraged and supported, it helps develop their curiosity and acquisition of knowledge of the world around them.

Shutting down or discouraging their questioning is the worst possible thing to do, but it appears to happen often enough because in this author’s experience in teaching postgraduates and running workshops for professionals, the question “why” is rarely raised. Does this reflect a fear of looking ignorant (or, worse, stupid)? If so, it is useful to remember the following Chinese proverb: If you do not know and you ask, you may look like a fool for a minute. If you do not know and you do not ask, you will be a fool all your life.

When using the 5 Whys, it may be tempting to apply it superficially, i.e., not delving deeply enough to identify root causes. Moreover, this activity is likely to be limited by the knowledge of the individuals applying it, so different people may come to different conclusions.

To overcome some of these issues, it is worthwhile to ask three other questions (the 3 Whos):

  1. Who knows? (Who has some, if not most, of the relevant information?)
  2. Who cares? (Who cares enough so that something is done about it?)
  3. Who can? (Who can implement a solution?)

Recently, this author had a discussion with a very experienced doctor (in medicine) following a health event that required a multitude of tests. What emerged from this discussion was that anything that cannot be attributed to a specific is referred to as “idiopathic,” i.e., of unknown cause. Later, another doctor (jokingly) explained that this word does not imply that doctors are idiots, simply that there is still much to be learned.

However, an audit in which findings cannot identify a root cause is generally regarded to be unsatisfactory. Why? Because it cannot help the auditee remove the cause.


1 The Happy Manager, “5 Whys: Getting to Root Causes Fast!,” The Happy Manager blog,

Ed Gelbstein, Ph.D., 1940–2015
Worked in IS/IT in the private and public sectors in various countries for more than 50 years. Gelbstein did analog and digital development in the 1960s, incorporated digital computers in the control systems for continuous process in the late ‘60s and early ‘70s, and managed projects of increasing size and complexity until the early 1990s. In the ‘90s, he became an executive at the preprivatized British Railways and then the United Nations global computing and data communications provider. Following his (semi)retirement from the UN, he joined the audit teams of the UN Board of Auditors and the French National Audit Office. Thanks to his generous spirit and prolific writing, his column continues to be published in the ISACA Journal posthumously.


Add Comments

Recent Comments

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.