The 15-Minute Test to Identify Financial Infrastructure Risk
There's a specific exercise that takes about fifteen minutes and produces a remarkably clear picture of whether your organization has financial infrastructure risk. The exercise doesn't require external consultants, comprehensive data analysis, or extended diagnostic engagements. It requires a leadership team willing to ask seven specific questions and answer them honestly. The questions are designed to surface the conditions that consistently indicate structural infrastructure inadequacy. The answers, examined together, tell you whether your organization is operating with significant infrastructure risk that hasn't yet produced visible consequences. Most leadership teams that do this exercise discover that their risk level is higher than they thought, in ways they hadn't recognized as risk because the conditions had become normalized.
Here are the seven questions, with a brief explanation of what each one is testing.
Question one. When was the last time the chart of accounts was examined against current operational reality, and was the examination structural or just maintenance?
This question tests whether the foundation of your financial reporting reflects how the organization actually operates today. Most charts of accounts have been maintained, in the sense that new accounts get added and old ones get retired, but rarely examined structurally. Structural examination asks whether the chart's design supports current decision-making needs, whether the categories reflect current programs and funding streams, whether the hierarchy supports the analyses leadership requires, and whether the chart is producing intelligence aligned with how the organization currently works. If the answer to this question is that the chart hasn't been examined structurally in three or more years, or that the team isn't sure when it was last examined, the chart is probably operating against an organizational reality that no longer exists, and the reports running on it are producing intelligence that's drifted from operational truth.
Question two. If you had to defend your indirect cost rate to a federal reviewer with rigorous testing intent, would your documentation support what the rate currently claims?
This question tests whether your indirect cost recovery is operating on a defensible foundation or on accumulated assumptions. Most rates were defensible when they were originally negotiated, against the documentation that existed at the time. The rate then continued in effect, the organization changed underneath it, and the documentation infrastructure may or may not have kept pace. A rigorous federal review tests not just the rate calculation but the documentation supporting every cost included in the rate, the methodology defending allocation decisions, and the consistency of treatment across the organization. If the answer to this question involves uncertainty, hesitation, or recognition that significant reconstruction work would be required to defend the rate at the level a rigorous review demands, the rate is operating on a documentation foundation that wouldn't survive examination, which is structural risk regardless of whether examination ever happens.
Question three. How long does it take, from a leadership request, to produce custom financial intelligence for a major decision, and what does the production process actually involve?
This question tests whether your data infrastructure supports decision-making at the speed strategic work requires. Sound infrastructure produces custom analyses within days because the underlying data is queryable and the analytical capacity is positioned to respond. Inadequate infrastructure produces custom analyses over weeks because the underlying data requires assembly, cleaning, and reconciliation before analysis can occur, and the analytical work involves more data preparation than analysis. If the answer to this question describes a process that takes weeks for routine strategic questions, involves substantial data assembly work, or requires the team to pull from multiple sources and reconcile differences, the infrastructure isn't supporting the strategic work the organization is doing. The custom analytical work is filling an infrastructure gap that should have been closed structurally.
Question four. If your CFO left the organization tomorrow, how much of the institutional knowledge required to run the finance function would leave with them?
This question tests whether your finance function operates on documented systems and processes or on accumulated individual knowledge. Sound infrastructure embeds institutional knowledge in systems, documentation, and processes that survive transitions. Inadequate infrastructure depends on individuals to compensate for system limitations through their personal knowledge of how things actually work. The CFO transition test reveals which condition you're in. If the answer involves recognition that significant knowledge would walk out the door, that documentation doesn't capture how the function actually operates, that the new CFO would face a learning curve disproportionate to a transition into well-documented infrastructure, the organization has key-person risk in the finance function that's actually infrastructure risk in disguise.
Question five. Across the past two audit cycles, did findings address the conditions that produced them, or did they address specific instances while leaving the conditions in place?
This question tests whether your compliance infrastructure produces sustained improvement or perpetuates a cycle of remediation. Sound compliance infrastructure addresses the conditions that produce findings, which means findings stop recurring in the same areas. Inadequate compliance infrastructure addresses specific instances of findings without changing the conditions, which means similar findings appear cycle after cycle in the same domains. The two-cycle test reveals which pattern you're in. If the answer recognizes that the same kinds of findings keep appearing, that remediation has been instance-specific rather than structural, that the corrective action plans satisfied the audit but didn't change how the operation produces compliance, the compliance infrastructure is reactive and the cycle of repeated findings will continue regardless of remediation effort applied to specific instances.
Question six. If a federal program officer arrived next month for substantive monitoring of your subrecipient program, what would they find about how the monitoring is actually operating?
This question tests whether your subrecipient management is documentation theater or substantive operation. Sound subrecipient management produces evidence of monitoring as a byproduct of normal operations, with risk assessments, ongoing monitoring activity, follow-up on findings, and documentation that demonstrates substantive engagement with subrecipient compliance. Inadequate management produces policies that describe monitoring without operational evidence that monitoring is actually happening at the level the policies describe. The substantive monitoring test reveals what's really there. If the answer involves recognition that the operational evidence doesn't fully match what the policies describe, that documentation would require reconstruction to satisfy a substantive review, that the actual monitoring activity has been less rigorous than the framework suggests, the organization is carrying federal liability through subrecipient relationships that wouldn't withstand examination.
Question seven. When AI or technology deployment has been considered or attempted in your finance or operations function, what's the foundation those deployments would actually be operating on?
This question tests whether your data, process, and documentation infrastructure can support technology deployments that produce value, or whether deployments would amplify structural conditions the infrastructure can't support. Sound infrastructure means deployments operate on clean data, well-documented processes, and integration frameworks that support technology effectively. Inadequate infrastructure means deployments would surface every gap the human-mediated operations have been compensating for, producing outputs at scale that look authoritative and embed underlying problems into automated decision flow. If the answer to this question involves recognition that the foundation isn't ready for what's being considered, that significant foundation work would be required before deployment, that deployments under current conditions would risk producing the failure patterns that are common in AI initiatives, the infrastructure isn't ready for the technology direction the organization is moving in.
These seven questions, examined together, produce a picture of structural risk that's clearer than most diagnostic exercises produce. Each individual question tests a specific dimension of infrastructure adequacy. The pattern across the questions reveals whether the organization is operating on a sound foundation or on accumulated compensation that hasn't yet been forced into visible failure. Most organizations doing this exercise honestly find that they have multiple risk indicators across multiple questions, which is exactly the pattern that produces eventual structural failure under external pressure.
The point of the exercise isn't to produce comprehensive diagnostic depth. It's to surface, in fifteen minutes of focused examination, whether the conditions that consistently indicate infrastructure risk are present in your organization. The conditions are observable. The exercise doesn't require special expertise. It requires leadership willing to look at the answers honestly rather than reflexively defending the organization against the implications.
The most common reaction to this exercise, when it's done honestly, is recognition that the risk level is higher than the leadership team had been carrying mentally. The risk had been distributed across so many specific operational conditions that no single condition triggered concern. The aggregate, surfaced through structured examination, is materially higher than the sum of the individual concerns. The recognition is uncomfortable. It's also the precondition for considering whether to address the conditions before external pressure forces a more difficult response.
If you've done this exercise and recognized risk indicators across multiple questions, your organization has structural infrastructure risk that hasn't yet produced visible consequences. The conditions are real. The risk is operating now. The consequences are accumulating in ways that aren't yet visible but will become visible under specific kinds of external pressure. The choice is whether to address the conditions proactively, with the time and structural focus that produces sustained change, or to wait for the pressure that forces response under conditions less favorable to good decisions.
This is what we identify and fix in the Strategic Assessment.