← Back to Case Studies

Case Study

From Spreadsheet Mapping to Audit-Ready Traceability

A mid-market fund administrator replaced fragmented AML/CFT mapping with defensible, inspection-ready traceability in a 6-week pilot.

6-week pilot Fund Administration AML/CFT Audit Readiness Regulatory Mapping
6 wks → 3 days Audit prep time for AML/CFT domain
47 Interpretation conflicts identified & resolved
38 → 12 pages AML/CFT policy, role-aligned
23 Control gaps identified, 19 remediated
100% AML/CFT obligations linked to evidence

The Firm

The firm is a mid-market fund administrator headquartered in Jersey, with operations in Guernsey and Luxembourg. With approximately 300 employees and a dedicated compliance team of 12, they administer more than 150 fund structures across the three jurisdictions — a mix of private equity, real estate, and debt funds serving institutional and high-net-worth investors.

Like many firms of this size, their compliance function had grown organically. AML/CFT regulatory mapping — the process of connecting regulatory requirements to internal policies, procedures, and controls — lived in spreadsheets. Three different team leads, one in each jurisdiction, maintained their own versions. There was no single source of truth, no structured link between a regulatory obligation and the evidence that demonstrated compliance with it.

The trigger for the pilot was straightforward: a JFSC thematic review on AML/CFT effectiveness was announced, and the Head of Compliance knew the current state of their mapping would not hold up to scrutiny.

The Challenge

The firm's compliance team was not underperforming. They were experienced, diligent, and well-regarded by the board. But the tools and processes they relied on had not kept pace with the complexity of their obligations. The problems they faced were structural, not personnel-driven.

Mapping drift was the most immediate concern. The spreadsheets that documented how the firm met its AML/CFT obligations under the Proceeds of Crime (Jersey) Law 1999, the relevant JFSC Codes of Practice, and equivalent Guernsey and Luxembourg requirements had not been systematically reviewed in 18 months. Individual entries had been updated ad hoc — when someone noticed a change, or when a new procedure was introduced — but there had been no structured reconciliation. Nobody could say with certainty whether the mapping was complete or current.

Inconsistent interpretation compounded the problem. The Jersey team had mapped certain requirements from the POCML Handbook to specific client due diligence procedures, while the Guernsey team had mapped substantially similar requirements from their own regulatory framework to different controls. Neither interpretation was wrong in isolation, but the inconsistency meant the firm could not demonstrate a coherent, group-level approach to AML/CFT compliance. A regulator comparing the two would see gaps where there were actually just different naming conventions — or, worse, real gaps masked by apparent coverage.

Evidence was scattered across multiple platforms. Policy documents sat in SharePoint. Procedural sign-offs lived in a ticketing system. Board approvals and training attestations were stored in an e-signature platform. When asked to demonstrate compliance with a specific obligation, the compliance team had to manually trace through three or four systems to assemble a complete picture. This was manageable for spot-checks, but not for a systematic review.

The cost of this fragmentation was most visible at audit time. Preparation for the firm's last regulatory inspection — a routine examination, not a thematic review — had consumed six weeks of dedicated effort from two senior compliance officers. That was six weeks of pulling together evidence packs, cross-referencing spreadsheet entries against source regulations, and manually verifying that nothing had been missed. With a thematic review approaching, the Head of Compliance estimated the same exercise would take longer, involve more people, and still leave her uncertain about completeness.

The Pilot Approach

The firm engaged Govix for a 6-week pilot focused exclusively on the AML/CFT domain. The scope was deliberately narrow: rather than attempting to map the firm's entire regulatory landscape, the pilot concentrated on the regulatory domain that the upcoming thematic review would examine. This allowed the team to see tangible results quickly and evaluate the approach before committing to a broader rollout.

Weeks 1–2

Foundation & Ingestion

The firm's profile was defined in Govix: jurisdictions (Jersey, Guernsey, Luxembourg), regulated activities, licence types, and fund structures administered. Existing AML/CFT policies, procedures, and the three jurisdiction-level spreadsheet mappings were ingested into the platform. This phase established the baseline — what the firm had, where it lived, and how it was currently structured.

Weeks 3–4

Mapping, Filtering & Gap Analysis

Govix delivered relevance-filtered AML/CFT obligations — only those that applied to this firm, given its specific activities and jurisdictions. The mapping chain was built: regulation to obligation, obligation to policy, policy to procedure, procedure to control, control to evidence. This was where the 47 interpretation conflicts between jurisdictional teams surfaced, and where 23 control gaps were identified.

Weeks 5–6

Policy Outputs, Traceability & Remediation

Readable, role-aligned policy outputs were generated from the structured mapping. The AML/CFT policy was reduced from a 38-page monolithic document to a 12-page, role-specific version. A complete traceability pack was assembled for the upcoming thematic review. Remediation actions for identified gaps were tracked within the platform, with 19 of 23 gaps remediated within the pilot period.

Results

The pilot produced measurable outcomes across five areas that the firm's compliance leadership had identified as priorities.

Audit Preparation: From 6 Weeks to 3 Days

The most immediately valuable outcome was the reduction in audit preparation time. For the AML/CFT domain, assembling a complete traceability pack — every obligation linked to the corresponding policy, procedure, control, and evidence — went from a six-week manual exercise to a three-day structured review. The three days were not spent building the pack; they were spent reviewing it, confirming it was complete, and adding contextual notes for the regulatory examiner.

This matters because audit prep is typically dead time for senior compliance staff. They are not doing proactive compliance work during those six weeks. They are assembling evidence that should already be assembled. The 3-day figure represents not just a time saving, but a fundamental shift in how the firm produces evidence of compliance.

Mapping Consistency: 47 Conflicts Resolved

The mapping exercise identified 47 instances where the three jurisdictional teams had interpreted or mapped the same or equivalent AML/CFT requirements differently. Some of these were genuinely different — reflecting legitimate jurisdictional nuances. But 31 of the 47 were inconsistencies: the same underlying requirement mapped to different controls, or mapped using different terminology that obscured the fact that the firm was applying the same approach in all three jurisdictions.

Resolving these inconsistencies gave the firm a coherent, defensible group-level view of its AML/CFT compliance posture for the first time. It also meant that future regulatory changes could be assessed against a single, consistent mapping rather than three divergent ones.

Policy Readability: 38 Pages to 12

The firm's existing AML/CFT policy was a 38-page document that attempted to serve every audience: the board, the compliance team, client-facing staff, and the regulator. In practice, it served none of them well. Client-facing staff found it impenetrable. The compliance team used it as a reference but relied on separate procedure notes for day-to-day work. The board received a summary that was disconnected from the source document.

Govix generated role-aligned policy outputs: a board-level summary, a compliance-team operational view, and a client-facing procedures extract. The core document was reduced to 12 pages — not by removing content, but by structuring it so that each audience received only what was relevant to their role and responsibilities. The full mapping and traceability remained available for audit purposes.

Control Gaps: 23 Identified, 19 Remediated

The structured mapping process surfaced 23 control gaps — obligations that were either unmapped, mapped to controls that no longer existed, or mapped to controls that did not adequately address the requirement. Of these, 19 were remediated within the pilot period, typically by updating procedures, creating new controls, or formalising existing practices that had never been documented. The remaining 4 required changes to third-party processes and were placed on a tracked remediation timeline.

Evidence Traceability: 100% Coverage

By the end of the pilot, every AML/CFT obligation that applied to the firm was linked to specific, identifiable evidence. This was the single capability the firm had never been able to demonstrate before. Previously, they could point to policies, and they could point to evidence, but they could not systematically show the chain that connected a specific regulatory requirement through to the specific evidence that demonstrated compliance.

“We knew our mapping had gaps, but we didn’t know how many or where. Govix showed us in week 3. By week 6, we had a traceability pack we’d never been able to produce before.”

— Head of Compliance

What Happened Next

The JFSC thematic review on AML/CFT effectiveness was completed successfully. The firm was able to produce a complete traceability pack within the regulator's requested timeframe, demonstrate a coherent group-level approach to AML/CFT compliance, and show evidence of proactive gap identification and remediation. The examiner specifically noted the quality of the firm's obligation-to-evidence mapping.

Following the pilot, the firm expanded its use of Govix to cover two additional regulatory domains: outsourcing obligations and corporate governance requirements. The same structured approach — firm profile, relevance filtering, obligation mapping, gap analysis, and policy generation — was applied to these domains over subsequent quarters.

The compliance team reported a reallocation of approximately 2 FTE-equivalent hours per week from mapping maintenance and evidence assembly to proactive risk assessment and advisory work. The Head of Compliance described this as the most significant long-term benefit: freeing experienced compliance professionals from administrative mapping work and enabling them to focus on the interpretive, advisory work that actually requires their expertise.

Key Takeaways

  • Spreadsheet-based mapping creates invisible drift that only surfaces under regulatory scrutiny
  • Multi-jurisdictional firms are particularly vulnerable to interpretation inconsistencies
  • A focused, domain-specific pilot can deliver defensible traceability in weeks, not months
  • The value is not just in finding gaps — it is in producing evidence chains that survive inspection
  • Audit prep time reduction is the most immediately measurable ROI, but the real value is in freeing compliance professionals for higher-value work

See what a focused pilot could look like for your firm

Start with one regulatory domain. Get defensible traceability in weeks, not months.

Book a Demo Start a Pilot