CEO & Leadership 11 min read

How to diagnose a broken fintech in 30 days. A five-domain audit.

Updated

When a fintech needs a turnaround, the person doing the assessment usually has limited time. An incoming CEO has a board mandate that includes “make decisions fast.” A fractional executive has a defined engagement window that does not allow indefinite discovery. A board director or investor has an acquisition timeline that does not wait for a comprehensive consultancy review.

Thirty days is enough for diagnosis - if you know where to look. The diagnoses that fail did not run out of time. They went deep in one domain and missed the others. A turnaround diagnosis that has perfect understanding of the financial model and zero understanding of the compliance posture is a partial picture, and the part that is missing is usually where the real failure mode hides.

I have done variants of this audit across several turnaround engagements and one full CEO transition. The framework that holds up across them is a five-domain audit: commercial health, product and engineering, compliance and regulatory, operations and team, financial discipline. The domains are sequenced so that the questions in each one inform the questions in the next, and the synthesis at the end produces specific decisions rather than a list of concerns.

The five-domain audit

Each domain has the same structure: what to look at, what “broken” looks like, and the specific outputs the audit needs to produce. The five domains are not equally weighted - their weight depends on the specific situation - but they are all necessary. Skipping a domain produces a diagnosis that the operating reality will eventually contradict.

Domain 1. Commercial health

What to look at.

The pipeline, the recent closed-won and closed-lost deals, the customer roster with revenue concentration, the contract terms in active accounts, the renewal calendar, and the discount discipline of the last 12 months. The conversations with sales, customer success, and the CEO about why specific deals closed and why specific accounts are at risk.

What “broken” looks like.

Top three customers represent more than 50% of revenue, with no contractual lock-in beyond 12 months. The sales pipeline has a “stretch” character: every deal assumes best-case timing, headline pricing, and no scope concessions. Recent closed-won deals show a pattern of concessions (free PS, free modules, deferred payment) that the team treats as one-off but that have actually become standard. Renewals coming up in the next two quarters have no formal commercial conversation scheduled. The discount discipline of the last 12 months shows that what should be a delegated commercial process has actually been a sequence of CEO interventions.

What to produce.

A revenue-at-risk number for the next four quarters. A list of accounts that need immediate commercial attention. An assessment of whether the current pricing structure is defensible at the current rate of concessions. A view on whether the pipeline is real or whether it is a CRM artifact.

Domain 2. Product and engineering

What to look at.

The roadmap as it exists today versus the roadmap as it was twelve months ago. The integration backlog and its age. The production incident log for the last six months. The technical debt as understood by the engineering leadership. The deployment frequency, mean time to recovery, and the on-call rotation reality. The vendor and platform dependencies, and the contractual exit terms of each.

What “broken” looks like.

The roadmap from twelve months ago has 60% of items unshipped and now appears on the current roadmap with no acknowledgement that they are overdue. The integration backlog has tickets that are more than six months old. The production incident log shows recurring incidents in the same components, with post-mortems that identify causes but no completed remediation. Deployment frequency has dropped over the last year. Engineering leadership cannot answer “what would it take to ship feature X” with a credible timeline.

What to produce.

A list of the three or four engineering items that, if they continue unaddressed, will create either commercial damage or compliance exposure within two quarters. An assessment of whether engineering leadership is capable of executing on these, or whether the bottleneck is structural. A view on the technical debt as a financial liability - not just a “we should clean this up someday” backlog.

Domain 3. Compliance and regulatory

What to look at.

The current licence status with each regulator. The history of regulatory communications, especially any open items or matters requiring action that indicate regulator concern. The audit history (internal and external). The AML/KYC programme: documented policies, actual practice, transaction monitoring outputs, suspicious activity report (SAR) volume and quality. The data protection posture (GDPR or equivalent). The cybersecurity posture (ISO 27001 status, penetration test history, incident response readiness). Board reporting on compliance.

What “broken” looks like.

Regulatory correspondence with open items that were due more than three months ago, with no documented remediation plan. Audit findings from the most recent external review that are unaddressed in management responses. AML/KYC documented policies that do not match what the operations team actually does. Suspicious activity monitoring that produces alerts the team cannot triage in volume. Data protection processes with known gaps the privacy team has flagged but the executive layer has not addressed. ISO certifications that have lapsed or where surveillance audits are overdue.

What to produce.

A list of compliance items that constitute regulatory exposure if a supervisor walked in tomorrow. An assessment of whether the compliance function has the authority and the resourcing to fix the gaps. A view on whether the regulator relationship is healthy, neutral, or strained - because the same gap looks different depending on the relationship.

Domain 4. Operations and team

What to look at.

The org chart as published and the org chart as it functions in practice. The senior leadership team: who reports to whom, who actually makes decisions on what, where authority is delegated and where it is bottlenecked. Key person risk: which individuals hold institutional knowledge, customer relationships, or regulatory standing that the organisation cannot easily replace. The performance management and compensation reality. The communication patterns: what gets discussed in writing, what gets discussed in chat, what gets discussed only in meetings, and what gets avoided.

What “broken” looks like.

The published org chart has roles that do not match how decisions actually flow. Two or three senior leaders hold disproportionate institutional knowledge with no documented succession. Compensation is misaligned with retention risk on the people the organisation cannot afford to lose. Decisions that should be delegated cluster at the CEO level, which is a leading indicator of a CEO who cannot trust the team. Communication patterns show the topics the organisation is avoiding - usually the topics that need to be addressed first.

What to produce.

A list of key person risks with specific mitigation actions. An assessment of whether the senior team is the team the next stage requires, with specific role-by-role views. A view on the cultural pattern that the CEO will need to either reinforce or change to make the turnaround executable.

Domain 5. Financial discipline

What to look at.

The cash position and the runway, with explicit assumptions. The accounts receivable ageing and the recent trend. The accounts payable position. The unit economics by customer segment. The financial controls: who can spend what without approval, what gets booked monthly versus quarterly, the journal entry process, the bank reconciliation cadence. The management accounts versus the statutory accounts: where they diverge and why.

What “broken” looks like.

Cash position is plausible but the underlying assumptions (collections timing, payable deferral, one-off receipts) are optimistic. AR ageing shows accounts more than 60 days past due that customer success has not escalated. Unit economics by segment are not actually known: the leadership team has a blended number but cannot explain it by customer type. Spending approvals are theoretical: the actual practice allows expenses to be incurred and then justified retroactively. Bank reconciliations are behind. Management and statutory accounts diverge in ways the CFO cannot fully explain.

What to produce.

A revised cash runway with stress-tested assumptions. A list of AR items that require immediate action. An assessment of whether the financial controls are sufficient for the company’s stage and licence requirements. A view on whether the CFO function is at the level the next stage requires.

Review in 30 days

The five domains are sequenced through the month in a specific order. The order matters because each domain’s findings inform the questions in the next.

Week 1. Data room and document review.

The first week is desk work. Pull the data room and read every document. Pricing decks, recent board materials, audit reports, regulatory correspondence, the engineering roadmap, the compliance handbook, the org chart, the management accounts. The goal is to understand what the organisation believes to be true, before you start asking what is actually true.

By the end of week 1, you should have a list of inconsistencies between documents: cases where the pricing page says one thing and the contracts say another, cases where the org chart shows one structure and the management accounts show another, cases where the engineering roadmap and the recent board update disagree. The inconsistencies are the starting points for week 2.

Week 2. Stakeholder interviews.

The second week is one-on-one conversations with the senior team, key managers, and selected individual contributors. Same five domains, structured questions, listening for what is not said as much as what is. Each interview should test one or two of the inconsistencies from week 1 - not as a gotcha but as a calibration exercise.

The interviews produce a map of where the organisation has shared understanding and where different leaders carry different pictures of the same reality. The places where senior leaders disagree on basic facts (revenue trajectory, customer concentration, regulatory status) are usually the places where the audit needs to dig hardest.

Week 3. Customer and operational deep dives.

The third week is external and operational. Two or three customer conversations, ideally with a mix of “happy” and “at risk” accounts. A regulator-facing review of the compliance posture. A walk-through of the production incident response. A real read of the AR and cash position.

The customer conversations especially tend to reset the internal picture. The team’s view of a key customer’s satisfaction often differs significantly from the customer’s actual view, and the difference is structural information about the organisation - not just about the account.

Week 4. Synthesis and recommendations.

The fourth week is back at the desk. The five domains roll up into a structured assessment, with specific decisions to make and specific actions to take. The output is short - twelve to twenty pages including appendices - and it names what is broken, names what is working, sequences the decisions for the next 90 days, and identifies the resources required.

The synthesis should be discussed with the board or the engaging party before the engagement window closes. The conversation around the synthesis is where the audit becomes operational. The document on its own does not change anything.

What 30 days cannot reveal

The first is anything that requires a market or operational cycle longer than the audit window. Renewal patterns that emerge over four quarters. Regulatory communications that follow annual examination schedules. Customer behaviour patterns that emerge in seasonal businesses. The audit can flag the absence of data on these dimensions, but it cannot generate the data inside 30 days.

The second is anything that requires depth of relationship to the surface. A team that is dysfunctional but performing professionally during the audit will look healthier than it is. A founder dynamic that is breaking down will not show itself fully in 30 days of professional interaction. A culture that is decaying will appear as a series of small signals that the audit can catalogue but not yet weight properly.

The audit should declare what it could not assess, with as much rigour as it declares what it did assess. Diagnoses that pretend to be completeness produce worse decisions than diagnoses that admit limits.

What the audit is for

The companies that benefit from this kind of audit are the companies whose leadership is prepared to act on the output. The audit that produces good decisions but lands in front of a board or CEO who is not ready to make those decisions is wasted work. The right audit, in front of the right decision-maker, compresses what would otherwise be six months of operational discovery into thirty days of structured assessment - which is the whole point.

Turnaround Diagnostic audit Fintech leadership Incoming CEO Due diligence
Ivan Sharov
Ivan Sharov

CEO at Crassula

Ivan Sharov is CEO of Crassula, a white-label digital banking platform. He writes on fintech infrastructure, pricing, market entry, and CEO leadership.

More about Ivan →