Contents
The “What If” Detective: Why “We’ve Always Done It This Way” Is the Most Dangerous Sentence in Business
Imagine you have driven the same car for 20 years. It has never broken down. It has never failed to start. Because of this, you decide that you never need to check the brakes or change the oil. After all, it has worked fine for two decades, right?
Most people would agree that this is a bad idea. Just because the car hasn’t crashed yet doesn’t mean the brakes aren’t wearing thin.
In the business world, companies often fall into this same trap. They have processes for paying bills, shipping products, or managing payroll that have been the same since the early 2000s. When an auditor asks about these processes, the managers often smile and say, “Don’t worry, this process has worked fine for 20 years.”
For an auditor, that sentence is a red flag. It usually means the process runs on luck, habit, and trust, rather than strong controls. To find the cracks in these “perfect” systems, auditors use a powerful tool: The “What If” Scenario.
This article explains how auditors use hypothetical questions to break the illusion of safety and find gaps that have been hiding in plain sight.
The Problem with “It Works Fine”
Before looking at the solution, we must understand the problem. Why is a long-standing process dangerous?
When a process stays the same for a long time, it creates “Institutional Blindness.” The employees doing the work stop thinking about why they are doing it. They just follow the steps. Over time, informal shortcuts appear.
For example, maybe the official rule is that a manager must sign every check. But 10 years ago, the manager started getting busy, so he gave his stamp to his assistant. The assistant has been stamping checks for a decade without stealing any money. The company thinks the process is safe because no money has been stolen.
However, the safety is an illusion. The process isn’t working because of the rule; it is working because the assistant is honest. This is where the auditor steps in. The auditor’s job isn’t to look at what did happen; it is to look at what could happen.
Enter the “What If” Game
Auditors cannot just look at past records to find these gaps. Past records only show you when things went right. To find hidden risks, auditors conduct interviews and walkthroughs using “What If” scenarios.
These are stress tests. The auditor takes the process and mentally breaks it to see how the company reacts. Here are the most common “What If” techniques auditors use to find gaps in old processes.
1. The “Hit by a Bus” Scenario (Key Person Risk)
This is the most common vulnerability in 20-year-old processes. Usually, these old systems rely heavily on one specific person who knows everything.
- The Scenario: The auditor asks, “What if ‘Bob’, the payroll clerk, wins the lottery tomorrow and never comes back to work? Who knows the password to the bank file? Who knows how to fix the spreadsheet if it breaks?”
- The Discovery: often, the company realizes that Bob is the only one who knows how the system works. Nothing is written down. If Bob leaves, the process collapses. The gap here isn’t a financial error; it is a lack of documentation and cross-training.
2. The “Volume Spike” Scenario
Old processes are often manual. They involve printing paper, signing forms, or manual data entry. This works fine when the company has 100 customers. But if the company has grown, those manual steps become weak points.
- The Scenario: The auditor asks, “What if you receive 5,000 orders tomorrow instead of your usual 50? Can this manual process handle it, or will your team start skipping safety checks just to get the work done?”
- The Discovery: The manager might admit, “Well, if we get that busy, we usually stop checking the credit limits so we can ship faster.” The auditor has just found a control gap: under pressure, the safety rules are ignored.
3. The “Collusion” Scenario (The Trust Trap)
In older companies, staff members often become close friends. They trust each other completely. While trust is good for culture, it is bad for controls.
- The Scenario: The auditor asks, “What if the person requesting the payment and the person approving the payment decided to work together to steal money? Is there a third system that would catch them?”
- The Discovery: In many old processes, the “checker” stops checking because they trust the “doer.” The auditor might find that the manager blindly signs whatever the accountant gives him. The “What If” scenario reveals that the approval signature is just a formality, not a real control.
4. The “Tech Failure” Scenario
Many “tried and true” processes rely on older technology or specific spreadsheets that have been copied and pasted for years.
- The Scenario: The auditor asks, “What if the formula in this Excel sheet was accidentally deleted or changed three months ago? How would you know? Do you have a manual way to verify the total?”
- The Discovery: Often, the staff admits they trust the computer 100%. They assume the spreadsheet is always right. The auditor finds that there is no “sanity check” to ensure the data is accurate.
Why This Method Works
Using “What If” scenarios is effective because it forces people to think about the design of the process, not just the result.
When an auditor asks, “Has this ever failed?” the answer is usually “No.” But when an auditor asks, “What would happen if this failed?” the answer is often a long pause, followed by, “I don’t know.”
That “I don’t know” is the gap.
Real-Life Example: The “Safe” Petty Cash Box
Let’s look at a simple example. A company has kept $500 in a petty cash box for 20 years. The receptionist, Sarah, has the key. When someone needs cash for office supplies, they ask Sarah. It has worked perfectly. No money has ever gone missing.
The Auditor’s “What If” Questions:
Auditor: “What if Sarah is sick? Who has the key?”
- Manager: “Oh, she keeps the spare key in the unlocked drawer of her desk so we can grab it.”
- Gap Found: The cash isn’t actually secure; the key is accessible to everyone. The control relies on Sarah being at her desk.
The process seemed fine for 20 years only because Sarah was honest and no one tried to steal. The “What If” questions proved that the security was nonexistent.
Conclusion: Embracing the “What If”
Auditors do not use these scenarios to be pessimistic or difficult. They use them to “future-proof” the business.
A process that has worked for 20 years is a great achievement, but it is also a risk. The world changes. Technology changes. People change. What worked in 2005 might be reckless in 2025.
By asking “What If,” auditors help business owners see the difference between a process that is safe and a process that is merely lucky. The goal is to fix the roof while the sun is shining, rather than waiting for the storm to prove that the roof was leaking all along.
So, the next time someone tells you, “We’ve always done it this way,” try asking them, “But what if…?” You might be surprised by what you find.
