# Playbook: Prepare for an ACRA inspection

> Pull together the evidence a regulator asks for — per client — using the tools available today, while the one-click inspection pack is on its way.

_Updated 2026-07-11_

Source: /help/scenarios/prepare-for-inspection

**In short:** CorpSec AI is built to keep you inspection-ready: an append-only audit trail, a complete CDD dossier per client, and integrity fingerprints on documents. Generate a dedicated one-click inspection pack from Settings → Inspection Pack (admin only), or assemble evidence yourself using the CDD dossier export per client and the firm-wide data export (JSON / CSV / ZIP).

> **Note:** The regulator-ready inspection pack is available today in Settings → Inspection Pack (admin only); the CDD dossier and data export are there too if you want a raw snapshot. For the underlying obligations, see AML/CFT obligations for CSPs.

## Legal basis — what an inspector is testing

An ACRA inspection of a CSP tests whether you met your due-diligence and record-keeping duties. The basis below is from CorpSec AI’s verified citation table; this is general information, not legal advice.

- Records for at least 5 years: a registered CSP must keep records for at least 5 years and must have completed CDD before providing services — the Corporate Service Providers Act 2024 (in force 9 June 2025; verified). Your dossiers and audit log are that record.
- At least one RQI: the CSP must have a Registered Qualified Individual (verified; the exact firm cap is to be confirmed by counsel).
- Beneficial ownership: the register of registrable controllers must be current (internal 7 days, ACRA central 2 business days; verified).

> **Note:** For the framework, see MAS, AML/CFT & the CSP Act. Be transparent about anything that ran on demo data (screening) — the record flags it.

## Why you are already in good shape

Because of how CorpSec AI records work as you go, a lot of inspection readiness is already done for you:

- The audit log is append-only — a tamper-evident history of every action, enforced by the database.
- Each client has a CDD dossier capturing identity, risk, screening snapshots, documents, the review schedule and a decision trail.
- Generated documents carry an integrity fingerprint (a hash) so you can prove they were not altered.
- Identity numbers are masked everywhere by default.

## Step 1 — Confirm each client’s KYC is current

Use the compliance review radar to make sure no client is overdue for review. Clear anything outstanding first (see Run a periodic KYC review) so the evidence you hand over is up to date.

## Step 2 — Export the CDD dossier for each client in scope

Open a client’s Compliance tab and click Export CDD Dossier. You get a complete, reconstructable due-diligence record for that client — the core of what an inspector wants to see.

_[screenshot: The Compliance tab with the "Export CDD Dossier" button highlighted.]_

1. **Compliance tab → Export CDD Dossier** — Do this for each client the inspection covers.
2. **Check the honesty flags** — Where screening ran on demo data, the record says so — be ready to explain your screening arrangements.

## Step 3 — Take a firm-wide data export (live)

For the broader picture, an admin can export the whole firm from Settings → Account → Export firm data. The ZIP option bundles the JSON snapshot, the ACRA-style CSV registers, and every generated document file, with a manifest of what is included — a single evidence bundle.

> **Note:** Exports mask identity numbers by default. If the inspection needs unmasked identifiers, an admin can produce the unmasked export via the explicit confirmation step — which is itself recorded in the audit log.

## Step 4 — Show the audit trail

If asked to demonstrate controls — who approved what, that four-eyes was applied, that a document was blocked until KYC passed — open Settings → Audit Log. Because it cannot be edited or deleted, it stands as reliable evidence of your process.

## Generate the inspection pack (live)

The built-in inspection pack produces all of this as a single, admin-gated bundle in one action — a cover attestation, each client’s dossier, a firm summary, and an integrity manifest a third party can re-verify. Open Settings → Inspection Pack, choose the pack type (ACRA CSP AML/CFT, PDPC data protection, or general due-diligence), and generate it. The steps above remain a useful walkthrough of what the pack contains.

## Common pitfalls & edge cases

- Overdue reviews left unaddressed. An inspection will surface a client whose periodic KYC is overdue. Clear the review radar first so the evidence you hand over is current (see the periodic KYC playbook).
- Hiding the demo-data screening. The honest move is to disclose it — the record flags where screening ran on demo data. Be ready to explain your screening arrangements rather than presenting demo results as live checks.
- RORC out of date. The register of registrable controllers must be current (internal 7 days, ACRA central 2 business days). A stale RORC is a common finding — reconcile it before the inspection.
- Unmasking identifiers without recording it. Exports mask identity numbers by default. If an inspector needs unmasked data, use the explicit confirmation step — which is itself recorded in the audit log — rather than working around masking.
- No RQI cover. A CSP must have a Registered Qualified Individual involved. If the RQI position has lapsed or is unclear, that is a gap to fix before an inspection, not during one.
- Assembling by hand when the pack exists. The one-click inspection pack (Settings → Inspection Pack, admin only) bundles the cover attestation, per-client dossiers, firm summary and integrity manifest. Prefer it over hand-assembling piecemeal exports.

> **Note:** Transparency beats polish. An inspector values an honest, complete, tamper-evident record — including flags on anything that ran on demo data — over a tidy but misleading one. Not legal advice.

## Frequently asked questions

### Is there a single "inspection pack" button today?

Yes — in Settings → Inspection Pack (admin only). It generates a regulator-ready bundle in one action. The per-client CDD dossier export and the firm-wide data export are also available if you want a raw snapshot.

### How do I prove documents were not altered?

Each generated document carries an integrity fingerprint (a hash), and the append-only audit log records when it was created and edited. Together these give tamper-evidence.

### What about the demo-data screening?

Be transparent: where screening ran on demo data, the record flags it. Explain your screening arrangements, and connect a screening provider before an inspection if live watchlist checks are expected.

## Related

- [Security & your data](/help/security-and-data)
- [Run a periodic KYC review (playbook)](/help/scenarios/periodic-kyc)
- [KYC & compliance](/help/kyc-compliance)
- [MAS, AML/CFT & the CSP Act](/help/regulatory/mas-aml)
- [Statutory requirements & deadlines](/help/regulatory/requirements)
