Redacting Audit Reports and Investigation Files: Compliance
Compliance teams share audit reports, regulatory submissions, and investigation files with external bodies who have no right to see every word. This guide covers what to remove, why the process needs to be defensible, and the two very different things "SAR" can mean.
By RedactProof Editorial Team · 1 May 2026 · Updated 10 May 2026
This guide is educational. It is not legal or compliance advice. Verify regulatory requirements with your DPO, compliance counsel, or relevant regulator before acting.
A financial services firm in Manchester receives a written request from the FCA for internal audit reports covering a two-year period. The compliance team has three weeks. Some reports contain client identifiers, some contain details of employee conduct investigations, and one references a Suspicious Activity Report filed with the NCA. What stays in, what comes out, and how do you prove the process was defensible?
That scenario plays out in various forms across regulated sectors every year. This guide covers the redaction requirements that apply to the documents compliance teams handle most often: audit reports prepared for external review, regulatory submissions, internal investigation files, and financial Suspicious Activity Reports. It is focused on process and defensibility - the things compliance officers actually need to get right.
Two SARs, one acronym - understanding the difference
The word "SAR" appears in two completely different regulatory contexts, and confusing them is an easy mistake with real consequences.
A financial SAR - a Suspicious Activity Report - is a mandatory disclosure filed with the UK Financial Intelligence Unit (UKFIU) at the National Crime Agency. It is required under the Proceeds of Crime Act 2002 (POCA) and the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017). Firms in the regulated sector - banks, solicitors, accountants, estate agents, among others - have a legal obligation to file one when they know or suspect, or have reasonable grounds for knowing or suspecting, that another person is engaged in money laundering. The SAR is filed with the NCA, not with the data subject.
A data subject access request (DSAR) - sometimes called a Subject Access Request or SAR in a data protection context - is filed by an individual under Article 15 of UK GDPR. It gives that person the right to access personal data your organisation holds about them. It is filed to your organisation, and you respond to the individual. These two things are legislatively, procedurally, and operationally distinct.
This guide covers financial SARs as compliance documents (the filing process, confidentiality obligations). The DSAR response process - including redacting personal data from disclosure bundles - is covered separately in our guide to redacting documents for disclosure.
Preparing audit reports for external review
Internal audit reports contain a concentrated mix of commercially sensitive information, employee conduct details, and personal data. When a regulator, external auditor, or legal counterparty requests them, the compliance team faces a scoping problem: what leaves the building in what form.
Common categories that typically require redaction before external sharing:
- Personal data of individuals not party to the recipient's remit - employee names in conduct references, client identifiers in file reviews, third-party contact details
- Legally privileged material - communications with in-house or external legal counsel made for the purpose of giving or obtaining legal advice, or prepared in contemplation of litigation
- Commercially sensitive information beyond the scope of the specific request
- Information about other regulatory investigations or proceedings that the requesting party has no authority to access
The defensibility question is not just "did we redact the right things" but "can we show why we redacted each item." Many compliance teams run a redaction log alongside the document - a spreadsheet or table noting the document reference, the redacted content category, and the legal or policy basis. This log stays internal. It is the evidence base if the recipient later argues that material was wrongly withheld.
The ICO's guidance on disclosing documents securely is a practical starting point for understanding what "secure disclosure" means in practice - including the risks of metadata embedded in documents and the difference between overlay and permanent redaction.
Regulatory submissions and enforcement responses
When the FCA, PRA, or another sectoral regulator requests documents under its investigatory powers, the stakes are different from a routine audit. The firm is typically under a legal obligation to produce specified documents, and selective redaction without authority can itself constitute non-cooperation.
Common practice in these situations is to produce the requested documents complete, withholding only material that is privileged or that falls outside the scope of the specific request - and to flag every redaction explicitly in a covering schedule. Regulators have indicated that they expect firms to identify any redacted material and the basis for withholding it. Silent redaction - blacking out text with no explanation - is rarely appropriate in an enforcement context.
Legally privileged material is the most defensible redaction category in regulatory submissions. Privilege is not lost simply because a regulator requests the document. But privilege claims in this context are routinely challenged, and a defensible approach typically includes a privilege log: a document-by-document schedule identifying the privileged item, the nature of the legal advice sought, and the name of the legal advisor, without disclosing the privileged content itself.
The FCA Handbook at SYSC 9.1 sets out general record-keeping obligations for authorised firms. These rules do not directly govern redaction, but they establish the retention and accessibility standards that underpin what you are expected to be able to produce when requested.
Internal investigations and investigation files
Investigation files are among the most sensitive documents a compliance team handles. They typically contain witness accounts, interview notes, HR correspondence, and sometimes external legal advice - all mixed together in a file that may eventually need to be shared with multiple parties: the individual under investigation, senior management, an external auditor, or in some circumstances a regulator.
Before any investigation file leaves the team, work through three questions. First: who is the recipient and what is their legitimate purpose? An individual under investigation has different entitlements than an external auditor. Second: what categories of information are present? Witness names in an internal investigation are a common source of difficult redaction decisions - the subject may be entitled to the substance of allegations while the witness's identity warrants protection. Third: what is the legal basis for any redaction you apply?
Employee personal data in investigation files sits under UK GDPR. The individual subject to investigation generally has a DSAR right to their own personal data in those files - but third-party data (witness details, co-worker observations) can typically be withheld under the provisions on information relating to other individuals (Data Protection Act 2018, Schedule 2, paragraph 16). The ICO has published Q&A guidance specifically on SARs from employees, which covers this tension in practical terms.
Financial SARs: the tipping-off problem
Filing a Suspicious Activity Report with the NCA creates a specific confidentiality obligation that has direct implications for document redaction. Under section 333A of POCA 2002, it is a criminal offence to "tip off" a person that a SAR has been filed about them, or that a money laundering investigation is underway or contemplated, if that disclosure is likely to prejudice the investigation.
The practical consequence: if investigation files, audit reports, or any document bundle might be shared externally - with the subject, with another party, or even in a regulatory submission - any reference to the existence of a SAR filing must be reviewed carefully. In many cases, redacting the reference entirely is the correct approach. The redaction basis is statutory (POCA s.333A) rather than discretionary.
NCA guidance on SAR filing is available through the UKFIU. For the redaction question specifically, the key point is that the obligation runs to the existence of the SAR as much as its content. A document that mentions "we have filed a SAR in relation to this account" may need that passage removed before the document is produced in any context where the subject could become aware of it.
Building a redaction policy that holds up
Regulated firms are increasingly expected to have a written redaction policy - not as a box-ticking exercise, but as evidence that redaction decisions are made consistently, with documented legal bases, rather than ad hoc by whoever is under deadline pressure that week.
A defensible redaction policy for a compliance team typically covers:
- Scope - which document types and workflows the policy applies to
- Roles - who is authorised to make redaction decisions, and who signs off
- Categories - the standard categories of information subject to redaction, with the legal basis for each
- Method - the requirement to use permanent redaction that removes the underlying text and image data from the file (sometimes called pixel-burn or burn-in), never overlay methods that draw a box over content which remains in the file
- Verification - the steps taken to confirm redaction before documents leave the organisation
- Logging - what is recorded, where, and for how long
- Review - how often the policy is reviewed and updated
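As an added example for the Method and Verification items above (not part of the original guide, and not RedactProof code), the script below shows what an automated pre-release check can look like. It builds two constructed sample PDFs in memory: one where a client identifier has only been covered with a black box and marked for redaction but never applied, and one where the text has actually been removed. It then checks each file for the identifier in every decoded content stream, for unapplied /Redact annotations, and for leftover /Author metadata. The identifier ACME-CLIENT-0042 and the author name are made-up test values.

```python
"""Pre-release check: does a "redacted" PDF still carry what it claims to remove?

Added example for this guide, not RedactProof code. Both PDFs below are built
in memory as constructed test fixtures; the client identifier and author name
are made-up values.
"""
import re
import zlib

SENSITIVE = b"ACME-CLIENT-0042"   # constructed identifier we expect to be gone
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def build_pdf(page_text, overlay=False, author=None):
    """Build a minimal one-page PDF (a test fixture, not a real document).

    overlay=True models a failed overlay redaction: the text stays in the
    content stream, a black box is painted over it and a /Redact annotation
    is added but never applied. overlay=False with already-scrubbed page_text
    models a permanent redaction.
    """
    content = b"BT /F1 12 Tf 72 700 Td (" + page_text + b") Tj ET\n"
    if overlay:
        content += b"0 g 70 690 200 20 re f\n"   # black rectangle over the text
    stream = zlib.compress(content)
    page = b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R"
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        None,                                    # page object, completed below
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(stream)
        + stream + b"\nendstream",
    ]
    info_ref = b""
    if overlay:
        objs.append(b"<< /Type /Annot /Subtype /Redact /Rect [70 690 270 710] >>")
        page += b" /Annots [%d 0 R]" % len(objs)
    if author is not None:
        objs.append(b"<< /Author (" + author + b") >>")
        info_ref = b" /Info %d 0 R" % len(objs)
    objs[2] = page + b" >>"

    out = b"%PDF-1.4\n"
    offsets = []
    for num, obj in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += (b"trailer\n<< /Size %d /Root 1 0 R%s >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, info_ref, xref_at))
    return out


def decoded_streams(pdf):
    """Yield every stream body, inflating FlateDecode streams where possible."""
    for m in STREAM_RE.finditer(pdf):
        raw = m.group(1)
        try:
            yield zlib.decompress(raw)
        except zlib.error:
            yield raw                            # stored uncompressed


def find_residue(pdf, needle=SENSITIVE):
    """Return the reasons a PDF fails the check; an empty list means it passed."""
    findings = []
    if needle in pdf:
        findings.append("needle appears in plaintext (metadata or stored stream)")
    for i, body in enumerate(decoded_streams(pdf)):
        if needle in body:
            findings.append(f"needle still present in decoded stream {i}")
    if re.search(rb"/Subtype\s*/Redact\b", pdf):
        findings.append("unapplied /Redact annotation: marked, never burned in")
    if re.search(rb"/Author\s*\(", pdf):
        findings.append("document metadata (/Author) still present")
    return findings


# Constructed fixtures: a failed overlay redaction and a proper permanent one.
OVERLAY_PDF = build_pdf(b"Account " + SENSITIVE + b" flagged for review",
                        overlay=True, author=b"J. Smith, Compliance")
PERMANENT_PDF = build_pdf(b"Account [REDACTED] flagged for review")

if __name__ == "__main__":
    for name, doc in (("overlay", OVERLAY_PDF), ("permanent", PERMANENT_PDF)):
        problems = find_residue(doc)
        print(f"{name}: {'FAIL' if problems else 'PASS'}", problems)
```

The overlay fixture fails on three counts (identifier still in the decoded content stream, an unapplied /Redact annotation, and author metadata), while the permanent fixture passes. Treat a pass as necessary rather than sufficient: a byte search misses text split across several Tj or TJ operators, text written as hex strings or through a custom font encoding, text rendered inside images, XMP metadata streams, embedded files, and earlier revisions left behind by incremental updates (a save that appends a new cross-reference section leaves the original, unredacted objects in the file). Pair a check like this with text extraction from a proper PDF parser and a render-and-OCR pass, and run it on the exact bytes that will be transmitted, not on an intermediate copy.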
We are working on a detailed policy template for compliance teams. When published, it will walk through each of these elements with example language for regulated firms in financial services, legal, and professional services sectors.
Tools and audit trails
For compliance teams, the tool question is less about features and more about evidence. You need to be able to show - to a regulator, an auditor, or in litigation - that redaction was applied correctly, permanently, and at a specific point in time.
RedactProof processes documents in your browser - files are not uploaded to servers - and generates tamper-evident verification certificates with Ed25519 digital signatures. Each certificate records the document state at export and includes a QR code for offline verification. The Pro plan includes a full audit trail documenting every redaction decision, which is the kind of contemporaneous record that supports a defensible compliance posture. See our guide to verifying redacted document integrity for more on what those certificates cover.
For teams handling documents subject to multiple regulatory frameworks, our guide to redacting documents for disclosure covers the DSAR and FOI workflows in detail.
Frequently Asked Questions
What is the difference between a financial SAR and a Subject Access Request?
A financial Suspicious Activity Report (SAR) is a mandatory disclosure filed with the UK Financial Intelligence Unit at the National Crime Agency under the Proceeds of Crime Act 2002 and the Money Laundering Regulations 2017. It reports suspected money laundering or terrorist financing to a law enforcement body. A Subject Access Request (SAR) or Data Subject Access Request (DSAR) is an individual's request under Article 15 of UK GDPR to access personal data an organisation holds about them. The two share an acronym but are governed by entirely different statutes, filed with different recipients, and processed through completely different workflows. Specific requirements depend on your sector regulator and applicable rules.
Can information about a SAR filing be included in documents shared externally?
Generally, no - not without careful review. Section 333A of the Proceeds of Crime Act 2002 creates a criminal offence of "tipping off" - disclosing that a SAR has been filed, or that a money laundering investigation is underway, in circumstances likely to prejudice the investigation. Any document that references a SAR filing should be reviewed before external sharing. In most cases where the subject could become aware of the reference, that passage should be redacted. The basis for redaction is statutory. Consult your compliance counsel on the specific circumstances. Specific requirements depend on your sector regulator and applicable rules.
What legal basis do we use to redact third-party personal data from an audit report before sharing it with a regulator?
The primary basis is data minimisation under UK GDPR Article 5(1)(c): personal data should be adequate, relevant, and limited to what is necessary for the purposes for which it is processed. Where the regulator's purpose does not require individual employee or client names, those identifiers can generally be redacted on data minimisation grounds. Separately, the regulatory request itself defines scope: information genuinely outside that scope can be withheld. Document each redaction decision and the basis for it - regulators may ask for a schedule of withheld material. Specific requirements depend on your sector regulator and applicable rules.
How should we handle legally privileged material in documents produced to a regulator?
Legal professional privilege survives a regulatory request - it is not waived simply because a regulator asks for the document. The accepted approach is to produce the document with privileged passages redacted, accompanied by a privilege log: a schedule identifying each withheld item, the nature of the communication (advice sought/given, in anticipation of litigation), and the legal advisor involved, without disclosing the privileged content itself. Privilege claims are routinely challenged in regulatory proceedings, so a contemporaneous log is more defensible than a retrospective assertion. Specific requirements depend on your sector regulator and applicable rules.
Do we need a written redaction policy?
Many compliance teams in regulated firms operate without one, relying on ad hoc judgement. Regulators have not uniformly mandated it as a standalone document. But in practice, a written policy strengthens your position if redaction decisions are challenged - it demonstrates that the process was consistent and considered rather than arbitrary. A defensible approach typically includes documented categories of redactable information, the legal basis for each, a verification step before any document leaves the organisation, and a log of what was redacted from each production. Specific requirements depend on your sector regulator and applicable rules.