# Inspection pack

> One click turns your compliance records into a regulator-ready evidence bundle — with a fingerprint on every file so an inspector can verify nothing was altered, without having to trust you.

_Updated 2026-07-11_

Source: /help/inspection-pack

**In short:** From Settings → Inspection Pack (admin / RQI only), pick a scope (whole firm or selected companies), a pack type (ACRA CSP AML/CFT, PDPC data protection, or general due-diligence), and an output format (ZIP or JSON), then generate. The bundle carries a cover attestation, each company’s CDD dossier, a firm summary, and a SHA-256 integrity manifest a third party can re-compute. Identity numbers are masked; any company still on demo/mock screening is flagged red as "not independently screened". This feature is live.

## What it is and when to use it

An inspection pack is a self-contained evidence bundle you can hand to a regulator during an ACRA CSP AML/CFT inspection, a PDPC enquiry, or a client’s due-diligence review. Instead of scrambling to assemble dossiers by hand, you generate the whole thing in one action — and it is built so the recipient can verify its integrity independently.

Reach for it whenever someone needs proof of your due-diligence posture: a scheduled inspection, an ad-hoc regulator request, an audit, or onboarding a bank that wants to see how you handle KYC.

## Where to find it (live)

Open Settings → Inspection Pack. It is restricted to firm admins and the responsible qualified individual (RQI) — anyone else sees a short message explaining that only those roles can generate a pack.

_[screenshot: Settings → Inspection Pack: a Scope selector (Entire firm / Selected companies), a Pack type chooser (ACRA CSP AML/CFT, PDPC, General), an Output toggle (ZIP / JSON) and a "Generate inspection pack" button.]_

## Generate a pack (live)

1. **Choose the scope** — Pick Entire firm, or Selected companies and tick the ones you need from the list.
2. **Choose the pack type** — ACRA CSP AML/CFT (customer due-diligence, screening, UBO, decision trail), PDPC data protection (retention, masking, access control), or General due-diligence (a broad evidence pack for any reviewer).
3. **Optionally add the PDPC section** — Tick Include PDPC data-protection posture section to append it to any pack type.
4. **Choose the output format** — ZIP (the full bundle with files) or JSON (the structured data on its own).
5. **Click "Generate inspection pack"** — CorpSec AI assembles the pack — allow up to around 15 minutes for a large firm — and downloads it to your browser.

> **Note:** Identity numbers are L1-masked in the pack by default (for example S****567A), and generating a pack is written to the append-only audit log.

## What’s inside — and why an inspector can trust it

The pack contains a cover attestation, each in-scope company’s CDD dossier (identity, risk rating, screening snapshots, UBO look-through, documents and the decision trail), a firm summary, and an integrity manifest.

The manifest is the key: every file carries a SHA-256 fingerprint the inspector re-computes themselves. If a single byte were changed, the hash would not match — so they can trust the record without trusting the CSP. That is what makes the pack credible in an inspection.

## Honest disclosure of degraded records (live)

The pack tells the truth about its own limits. Any company that is still on demo/mock screening, or whose screening was unavailable, is flagged red on the cover as "not independently screened" rather than being passed off as clean. CorpSec AI never hides a degraded record — a credible pack is worth more than a flattering one.

> **Heads up:** This is why connecting a real screening provider matters before a formal inspection: until then, screening runs on demo data (see KYC & compliance) and every affected company is disclosed as not independently screened.

## Frequently asked questions

### Who can generate an inspection pack?

Only firm admins and the responsible qualified individual (RQI). Other roles see a message explaining the restriction.

### How can a regulator be sure the pack wasn’t edited?

Every file carries a SHA-256 fingerprint recorded in the integrity manifest. The regulator re-computes the hashes themselves; any alteration breaks the match. They do not have to trust the CSP to trust the record.

### Does the pack expose clients’ NRIC numbers?

No. Identity numbers are L1-masked by default (e.g. S****567A). A raw, unmasked snapshot is only available through the admin data-export path, which itself requires explicit confirmation and is audit-logged.

### What if some companies were only screened on demo data?

They are flagged red on the cover as "not independently screened". The pack discloses this honestly rather than implying a clean bill of health.

### ZIP or JSON — which should I choose?

ZIP gives you the full bundle including document files and is what you would normally hand over. JSON is the structured data on its own, useful for programmatic checks.

## Related

- [KYC & compliance](/help/kyc-compliance)
- [Security & your data](/help/security-and-data)
- [Prepare for an ACRA inspection (playbook)](/help/scenarios/prepare-for-inspection)
