How to prepare for a proactive SRA visit without the panic

It often starts with a short letter.

A polite note from the Solicitors Regulation Authority (SRA) letting you know your firm has been picked for an audit. It's not personal but it still makes most firms a bit uneasy.

You’ll usually have seven days before they confirm the date, and within two weeks they’ll expect a whole stack of documents. That’s where many firms start to panic. But those that come through calmly and keep their reputation intact usually have one thing in common — they were ready before the letter dropped.

Let’s break it down into something manageable. This guide walks you through the whole process, clears the fog of jargon and gives you straightforward steps to make sure you're ready for the SRA when they come calling.

Don’t scramble. Store it.

Once that letter lands, the clock is ticking. Fourteen days sounds generous but in compliance terms it's tight.

You’ll need to pull together a full set of essential compliance documents. This includes your anti-money laundering (AML) policy, risk assessments (including previous versions), AML training records, recent file reviews, and any audits.

And that’s just the beginning. You’ll also get a questionnaire asking for figures you might not have to hand. How many people work at your firm? How many offices? What share of your income comes from conveyancing, commercial property or private client work? How much of it falls under AML rules? What proportion involves trusts or tax advice?

If that all sounds like a lot, it’s because it is. And if your paperwork isn’t already organised in a central tidy folder, those two weeks will feel very short indeed.

What the SRA will ask for.

Here’s a list of what you’re typically required to submit:

• Your firm-wide risk assessments
• A current AML policy
• AML training records
• Results from any file reviews or audits
• A list of high-risk clients or matters including PEPs (politically exposed persons)
• A detailed questionnaire with service lines and risk exposure

We've all seen what happens when things are pulled together at the last minute — important details get missed, and rushed answers lead to bigger issues. It's much easier (and far less stressful) to keep everything organised and up to date in one place, so when the time comes, you're ready without the scramble.

Two types of audit, same message.

The SRA might go for a desktop review or an on-site visit. Each works differently.

With an on-site audit, there’s often a bit of breathing room. You submit documents first and the assessor arrives a few weeks later. That gives you time to brief your team and get processes in shape.

A desktop review is faster. Everything is done over email but it’s just as thorough. Sometimes more so because there’s no opportunity to explain things in person. The paperwork has to speak for itself.

In both cases you’ll be asked for client files. You’ll have only a few days to provide everything, which includes ID checks, risk assessments, client care letters, ledgers, source of funds checks. If those aren’t already sorted, it won’t take long for it to show.

The interview.

Expect questions about your AML systems. How do you flag high-risk activity? What happens when a red flag goes up? How do you handle sanctions checks for overseas clients?

You’ll also need to show you understand your tech. If you use electronic ID tools you should be confident in reading the results. Can you tell a false positive from a real risk? Do you understand how your software works? If not, the SRA will want to know why.

If you're the Money Laundering Reporting Officer (MLRO) or Money Laundering Compliance Officer (MLCO), go over everything ahead of time. Talk to your compliance team. Review reports. Brush up on your responsibilities. Don't wing it on the day.

Can you fix things after the letter arrives?

Technically yes. If something is out of date or missing, update it. It is always better to submit a corrected document than none at all. Just be clear about what has changed and make sure the details are accurate. No cutting corners.

Still, it isn’t ideal. Stress levels rise, mistakes slip through, and there is only so much you can fix at the last minute. You cannot recreate historical documents once they are lost. The best approach is to do the work properly before the clock starts ticking.

 Write it down or it didn’t happen.

The SRA wants to see documented evidence. That includes your client risk assessments, source of funds and wealth checks. Many firms do the work but fail to document it properly. That is not enough.

It does not have to be long, but it does need to be clear. A simple tick-box marked "Check complete" will not cut it. 

And if you are still relying on generic risk templates, it is time for an upgrade.

What happens after the audit?

You will receive a report. If everything is in order, you will be told as much. More often, though, you will be given a list of areas to improve, such as updating policies, strengthening documentation, or improving training records.

Smaller changes usually come with a 21-day deadline. Larger issues might allow up to three months. In rare cases, enforcement action can follow — investigations, sanctions, or public reporting.

The usual red flags include outdated risk assessments, inadequate source of funds checks, and generic documentation.

The SRA doesn’t expect perfection, but they do expect a clear, risk-based approach.

Do this right now.

Start logging everything: keep registers of PEPs, high-risk matters, suspicious activity reports, and audits. Regularly review files, it’s no longer optional.

Ensure your MLRO and MLCO have the time and support they need to do their jobs properly. Too many are stretched too thin, and it shows.

Checklist.

• Centralise your compliance documents
• Keep updated and historic risk assessments and AML policies
• Maintain detailed AML training logs
• Run regular internal or external audits
• Log high-risk matters, PEPs, suspicious activity reports (SARs)
• Use narrative-based risk assessments
• Record source of funds and wealth checks
• Conduct regular file reviews
• Make sure compliance officers are prepared
• Understand your tech tools and their limits

Final thoughts.

Audits can be stressful, but they don’t have to be chaotic.

The firms that handle them most effectively don’t wait until the last minute to prepare. They build habits, document thoroughly, and treat compliance as an integral part of good business, not just a regulatory checkbox.

Ultimately, that’s what the SRA expects to see.