Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

​Have You Seen the Greenies?​

Comments Views

Stop me if you’ve heard this one.

(Actually, I know I’ve never told this story in a blog post. But, if you’ve attended any seminar, conference, or lunch where I’ve been presenting, there’s a chance you’ve heard the story. Don’t worry, it’s worth repeating.)

Many, many moons ago — so many that I was still a lowly intermediate internal auditor — we were conducting an audit over a process within insurance policy administration. This was in the days shortly after papyrus and quill, so almost all of the transactions were transacted via paper. (Some IBM cards were occasionally involved, but that just goes to prove how long ago this was.)

There was one form we considered integral to controlling the process because it included policy information, payment updates, and the ubiquitous approvals that every sheet of paper seemed to require back in those days.

Therefore, employee after employee was asked the same question, “Are you using the SRN-71755?” (Okay, that’s not the real number. Time has fogged my memory on the important things, so something as inconsequential as an actual form number has no chance. Suffice to know that it was definitely an “SRN” form because all  our forms were “SRN” forms, a fact that time seems unable to flense from my memory.)

And employee after employee gave us the same look. You know the one … the look that says, “I wish this nice little boy would go back into his room, play with his toys, and stop bothering me with these nonsense words.”

No one had heard of the SRN form.

We had a significant issue.

Report time came rolling around and we were close to finishing up, including our write-up regarding the disappearance of the deadly-important SRN form. Needing a few more details, we spoke one last time to a supervisor. This time, bringing along a blank copy of the form.

When we showed it to the supervisor, her face lit up as she looked at the SRN-71755. “Oh! You mean the greenies!.”

It was a green form. And green was the only thing the employees noticed. They could not have cared less what it was called, let alone what the SRN number was. Everyone just used the term “greenies,” and the job got done.

When I tell this story, I am usually trying to emphasize the importance of nomenclature — the importance of understanding how the client speaks about the way they work. I try to drive home the point that the words the auditors use do not always match those used by the client, and we need to make sure our communication is clear and understood by both parties.

But there is a much more important lesson here, one that it has taken me 30 years and a recent epiphany to realize. (I may be slow, but I usually get there.)

The discussion of not calling things by the “common” name isn’t even the important thing here. (A good lesson, but not the most important thing.) The real lesson relates to how we were doing our job. We were focused on finding a form, so we never asked ourselves the most important question:

If they weren’t using the SRN-71755, how were they getting the job done?

Because, at no point in the audit did we ever see any indication that work wasn’t being accomplished. It was just not being done with the form that was required.

That being the case — if the work was getting done when absolutely no one knew about the form — then the question we should have asked ourselves was how the work was getting done.

We never even thought to ask that question.

We had couched the “greenie” question around the necessity for approvals (because part of the reason we were so adamant about seeing the form was that we wanted to make sure everything was being approved). However, it should have been a process question. How was the process — the transference of the information contained on the form — getting done without that form?

Mind you, that means we never even managed to get to the next set of important questions. Was the form even needed? And had they found a more efficient and effective way to handle the process? Which then leads to the other questions we should have been asking: What risks might be involved in the new process and how were they being controlled?

But all we were trying to do was make sure they were using the SRN-71755.

It is way to easy to find the “problem,” write it up (including the corrective action),​ and then think internal audit’s job is done.

But every problem, issue, or discovery should lead to a whole new set of questions. How is the work getting done, does a change in the way work is done cause a new set of issues, and is the change actually a much better way to get things done?

And you may also want to ask if your “SRN” is their “greenie.”

Internal Auditor is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.



Comment on this blog post

comments powered by Disqus
  • Your-Voices-Recruitment-January-2022-Blog-1
  • Fraud-Virtual-Conference-January-2022-Blog-2
  • IT-General-Controls-Certificate-January-2022-Blog-3