Introduction
Routine on-site visits, thematic reviews, targeted inspections: your preparation determines the outcome. This guide covers a phased approach to inspection readiness that reduces last-minute pressure and builds a defensible compliance posture.
1. Pre-Inspection Assessment
Understand the scope
Regulators signal their focus through published thematic priorities, recent enforcement actions, industry letters, or the inspection notification itself. Align your preparation to the likely focus areas.
Conduct an internal readiness review
For each obligation likely to be examined, can you show the control that addresses it, the policy that governs it, and the evidence that it has been executed? Wherever the answer is uncertain, you have found your preparation priorities.
2. Evidence Preparation
Regulators want documented proof that your controls are designed, implemented, and operating. Your evidence exists, but it sits scattered across multiple systems and is hard to assemble under time pressure.
Catalogue your evidence sources
Catalogue where control evidence resides: board and committee minutes, policy documents, risk assessments, training records, client file reviews, transaction monitoring reports, screening logs, and compliance monitoring outputs. Map each evidence type to the obligations and controls it supports.
Validate completeness
For each control, confirm that supporting evidence exists and is current. Look for controls that were designed but not evidenced, evidence that is outdated, and policies that reference procedures which have since changed. Find these gaps before the inspector does.
Organise for accessibility
Structure your evidence so you can produce it fast during the inspection. If an inspector asks “Show me the evidence that your CDD procedures are being followed,” you should not need a two-day search through shared drives. An evidence repository indexed by regulatory domain, obligation, and control gives you that speed.
3. Mapping Validation
Your regulatory mapping (the structured link between regulations, obligations, controls, policies, and evidence) is the backbone of a defensible compliance framework. If your mappings are outdated, incomplete, or inconsistent, the chain breaks down.
Review mapping currency
Confirm that your mappings reflect the current regulatory landscape. Mapping drift (gradual divergence between your mapped position and actual regulatory requirements) is one of the most common inspection findings.
Check mapping completeness
Verify that every relevant regulation maps to specific obligations, that each obligation has one or more controls assigned, and that each control links to evidence. Focus on newer regulations or amendments not yet integrated into your compliance framework.
Validate mapping logic
Does each control address the obligation it is mapped to? Have you documented the mapping rationale? You need to explain why each link exists, not only that it exists.
4. Traceability Artefact Preparation
Traceability packs demonstrate the end-to-end chain from regulation through to evidence. They pre-answer the regulator's core question: “How do you know you are compliant?”
What a traceability pack should contain
For a given regulatory domain: the applicable legislation, the specific obligations extracted from it, the controls implemented to meet those obligations, the policies and procedures that govern those controls, and the evidence that those controls are operating. Each link should be documented and navigable.
Build traceability packs by domain
Prepare packs for the regulatory domains most likely to be examined. For a fund administrator: AML/CFT, client due diligence, governance, and outsourcing. For a corporate service provider: beneficial ownership, governance arrangements, and regulatory reporting.
5. Team Coordination
Assign roles and responsibilities
Designate a lead coordinator (typically the MLCO, MLRO, or Head of Compliance) to manage the relationship with the inspection team. Assign subject-matter leads for each area likely to be examined. Each lead should know which evidence they are responsible for producing, which policies they should be familiar with, and your position on any known gaps.
Conduct preparation sessions
Brief all staff who may interact with inspectors on the likely scope, your key messages, and practical logistics (room setup, document access, confidentiality protocols). Staff should answer questions with honesty and directness, referring questions outside their area to the appropriate lead.
Prepare for document requests
Regulators issue document request lists in advance. Respond on time and in full. Have a process for tracking requests, assigning responsibility for each item, and quality-checking responses before submission.
6. Common Inspection Themes
AML/CFT effectiveness
The most common inspection theme. Regulators want to see that your AML/CFT framework works in practice: current customer risk assessments, disciplined CDD and EDD procedures, calibrated transaction monitoring, timely suspicious activity reporting, and substantive training.
Governance and oversight
Inspectors examine board composition, meeting frequency and quality, management information, and the role of compliance within the organisation. They want to see compliance integrated into decision-making and a clear escalation path for compliance issues.
Outsourcing and delegation
For firms that outsource regulated activities, inspectors will scrutinise due diligence on service providers, documented SLAs, ongoing monitoring of provider performance, and evidence that you retain adequate oversight. You can delegate tasks but not responsibility.
Other recurring themes
Depending on your jurisdiction and firm type, inspectors may also focus on: conduct risk and conflicts of interest, especially where you act in a fiduciary capacity; data protection and information security, including how client data is stored, accessed, and transmitted; regulatory reporting, including the accuracy and timeliness of mandatory filings; and financial crime risk assessments, including how your business risk assessment is structured and maintained.
7. The Inspection Day
Set the right tone
Provide a brief overview of your firm, its structure, services, client base, and regulatory framework. This opening demonstrates that you run a structured approach to regulatory obligations.
Be responsive, not reactive
Answer questions with clarity and specificity. Point to documented evidence rather than making verbal assertions. If a question falls outside someone's expertise, refer it to the appropriate lead rather than speculating.
Document everything
Keep a log of all questions asked, documents requested, and responses provided. This log is essential for the post-inspection phase and for tracking follow-up commitments. Assign someone to this role.
8. Post-Inspection Follow-Up
Conduct an internal debrief
Within days of the inspection, bring together all staff who participated. Capture what questions were asked, where the team struggled to produce evidence, and any areas where inspectors signalled concern. This gives you early intelligence on likely findings and lets you begin remediation planning before the formal report arrives.
Respond to findings constructively
Distinguish between findings that reflect genuine gaps and those that may result from miscommunication. Prepare a response that acknowledges valid findings, outlines specific remediation actions with timelines, and provides additional context or evidence not available during the visit.
Build remediation into business-as-usual
Integrate remediation actions into your compliance monitoring plan and governance reporting. Track completion, test effectiveness, and address underlying causes rather than symptoms. The next inspection will ask about previous findings.
From Preparation to Permanent Readiness
Keep your regulatory mappings current, your evidence chains intact, your traceability packs exportable, and your gaps visible and under active management. An inspection notification becomes a calendar event rather than a crisis. The payoff: reduced preparation time, fewer findings, lower remediation costs, and a compliance team focused on value-adding work.