COLUMN – OLAF RANSOME | By his own admission, dealing with auditors has, for Olaf Ransome, all the hallmarks of a Liverpool versus Manchester United derby – full-on, no love lost, red cards highly likely for fiery tempers. This month, he puts his focus on accountability reporting, with the aim of getting your auditor to at least like you – not a promise of love or even a Christmas card, just “like”.
Through a series of six column articles for PostTrade 360° in 2025, banking operations veteran Olaf Ransome digs into everyday operations – seeking to help us understand some of the everyday challenges and how to master them. Find Olaf’s articles indexed here.
Audit processes are essential; those auditors have a job to do and you are accountable, but you have a day job to do. At best, they are a distraction. At worst, they make you feel that somebody is out to get you. No matter how you cut it, these distractions eat up a lot of time. One input suggests that just dealing with one internal audit each year consumes between 25 and 50 days of work. That’s 10 to 20 per cent of a single full-time equivalent (FTE).
What are the challenges of accountability reporting?
Let’s use a typical internal audit process to illustrate.
An internal audit has some things in common with a visit to the dentist, which has three levels of pain: the upfront anticipation of the pain of having the work done, the actual pain when you have the visit, and the big pain when you get the bill. An audit has preparation too, as well as the actual inquisition. Then, there is the pain of dealing with the audit report.
A typical internal audit might go something like this:
First, upfront:
• Auditor asks: “What have you done this year?” This is followed by a request for the latest updated procedure documents and any changes since last year.
• Ops sends a list of “everything” with status, timestamps, and the latest procedure documents.
Second, the audit:
• Auditor asks: “For these three controls: cash recon, position recon, net asset value (NAV) sign-off, and for these 10 to 60 dates, show me how you know it’s done, by whom, when, and how you know the outcome was correct.
• Ops digs out the detail: searches for the audit trail and underlying evidence (pdfs, csv, and print screens) for these controls on these dates.
• In the process, Ops finds that for 10 to 20 per cent, someone forgot to save the underlying evidence, or mark it as done.
• Ops does the work to fill in any of the gaps it can and then shares with it the auditor.
Third, post-audit:
• There are many questions, which might cover: “why has the procedure not been changed since last year?”, “It looks like the procedure has changed. What changed, who authorised the changes, and why?”, “Why was step X in procedure Y not done on day Z?” Step X might not even be a key control but absolutely needs to be done every day.
My experience of everyday operations can be distilled into three general truisms:
• Ops folk do a thorough job each day; if things go wrong, they know about it and fix things quickly.
• For the most part, operation teams have to juggle at least a handful of different systems and are often reliant on that stalwart of financial services – good old Excel, for a simple checklist of daily tasks. More often than not, operation teams have “key man risk” – things work because there are trusted old hands in the team who know what do, can juggle through each day, and deal with the things which go wrong. They “just know”.
• As necessary as accountability reporting is for internal auditors, regulators, and clients who are doing one or more forms of due diligence, for Ops, scraping together what is asked for and dealing with all the questions is a real distraction.
What does nirvana look like?
For me, good control is a function of processes, people, and tools or systems.
To have good control, Ops people need well defined processes and the tools or systems to help them ensure the process is consistently followed. Each day for any Ops process, be that equity, rates / IRS or FX settlement, there are a certain number of steps which make up a regular day. Let’s say there are 23, and on a Friday, there is one more, and at month-end, another two. Let’s say 15 of those controls must be done each day, but at any time, another five are time specific, so no later than a certain deadline, and for three, if they are not done on any one day it’s fine, but it is not good if they are not done for a week. And at least once per year, there should be a check to see if the procedure and checklist need updating. Then, there should be notes on any changes, or a rationale when there are no changes.
On most days, all that an Ops team needs is a checklist to get through the day. But there are days when things go wrong and consulting a procedure document is necessary. Of course, Murphy’s Law tells you that when something does go wrong, nobody will remember what was done last time and the person normally doing the job will be on holiday or otherwise not available.
Even if there were not any form of accountability reporting, a really good tool would let you define those 23 daily tasks, marking the 15 essential ones, as well as the five time-dependent ones. Ideally, the extra tasks on Fridays and month-ends magically appear. The process would force you to upload evidence to show controls being performed – for example, a pdf of a reconciliation – all with four-eyes control. There would be an audit trail: who did what and when. There would also be an audit trail of any changes to the procedure, including the rationale if an annual review concluded no changes were needed.
Then, to minimise the pain of an audit or accountability reporting, you would be able to let any auditors access and export the data. They would have all the evidence they need, with a clear audit trail. The distraction and drain on your time would go away and, just maybe, you might find yourself liking each other.
How might you help yourself?
Some of you reading this will have nothing more than a good old Excel spreadsheet. Some will be relying on one long-time superhero employee who has it all in her head. One or two might have their own in-house tool, maybe based on SharePoint. I’d be very surprised if any reader was totally relaxed about all the accountability reporting and simply able to wave their hand and meet all those challenges with a bare minimum of effort.
I talked with Carl-Fredrik Svensson, who is the CEO of Daymi*, a specialist solution provider in exactly this control space. His view of the challenges that Ops face confirmed my general observation – the toolsets in use do not offer a lot of help with these audits; “prove it!” is a major challenge. Specialist tools are needed. The tools built by industry leaders like Daymi are certainly more robust than the usual Excel spreadsheet and will more often than not be superior to tools built in-house. Remember the CIO mantra: “1) Reuse or 2) buy, and only then 3) build, but if you do get to 3, go back to 1.”
For me, an interesting aspect of these accountability reporting challenges is that they are universal and totally independent of whether we are talking about legacy technology or all this new digital and tokenisation stuff. Good controls really make the difference. Solutions like those from Daymi can help you deliver that good control.
Editor’s note: Olaf is a global ambassador for Daymi.
