Email Communications Example from End-hirer to Agency OR Agency to Umbrella to request data


    RECORDS AND RIGHTS OF AUDIT

    1. Record Keeping

    1.1 The Supplier shall maintain full and accurate records and accounts relating to this Agreement and each Order for a minimum of seven (7) years (or such longer period as may be required by law) after the expiry or termination of this Agreement or any Order. For personal data, records must be retained only for as long as necessary for the stated purposes and then securely deleted or archived in accordance with UK GDPR.

    2. Access to Records

    2.1 Upon request by XXXXXXXX, the Supplier shall promptly make available to XXXXXXXX or any Auditor:

    · Accounts and financial records.

    · Non-financial records, including payroll information such as:

        · Evidence of payment of wages to staff.

        · National Insurance contributions.

        · Any and all tax deductions.

    2.2 These records, files, or documents (including those in electronic form) must relate to the performance of the Supplier’s obligations under this Agreement or any Order, to allow XXXXXXXX or the Auditor to audit the Supplier’s compliance, limited to the minimum personal data necessary.

    3. Consequences of Non-Compliance

    3.1 XXXXXXXX shall be entitled to withhold payment of the Charges related to any Candidates for whom the Supplier fails to provide the required records and information under this Agreement, to the extent lawfully permitted. Where disclosure would breach law, the Supplier must offer redacted copies or supervised/on-site access. This includes, but is not limited to, payroll information, evidence of payment of wages, National Insurance contributions, and tax deductions.

    4. Provision of Documentation and Reports

    4.1 The Supplier shall provide XXXXXXXX with any documentation, explanations, management reports, or other information as requested by XXXXXXXX at any time.

    5. Audit Rights and Access to Premises

    5.1 XXXXXXXX or an Auditor may enter the Supplier’s premises at all reasonable times to audit any file or document relating to the provision of the Services.

    5.2 To the extent permitted, XXXXXXXX will:

    · Provide the Supplier with a minimum of twenty-four (24) hours’ notice of any such visit, except in cases where prior notice is restricted by an Auditor.

    · Be provided access to all relevant information, records, files, documents, plans, specifications, and other materials necessary to perform the audit.

    5.3 The Supplier shall:

    · Provide XXXXXXXX or the Auditor with reasonable assistance to understand the information provided.

    · Allow access to its staff as required for the audit.

    5.4 Following an audit, the Supplier shall promptly discuss the implementation of any additional measures requested in writing by XXXXXXXX.

    6. Data Protection and Security

    6.1 Each party will (a) implement appropriate technical and organisational measures (encryption in transit/at rest, role-based access, audit logs); (b) ensure any processors are bound by Article 28 UK GDPR terms; (c) avoid email for file transfer and use the designated secure portal; (d) document the lawful basis for audits (legitimate interests/legal obligation/contract as applicable).

    7. International Transfers

    7.1 If data is accessed from or stored outside the UK, the parties will implement UK IDTA or the UK Addendum to the EU SCCs (as applicable).

    Email Communications Example from End-hirer to Agency OR Agency to Umbrella to request data

    The below text is an example of email communications to request data for the purpose of audit.

    Dear XXXXX

    I hope you have had a great start to Q1/Q2/Q3 2025.

    We [End-hirer/Agency] are currently auditing our labour supply chain in relation to payroll procedures, with the objective of ensuring that all temporary workers are being paid the correct hourly rates and that the correct deductions are being passed to HMRC.

    XXXXXX has a legal obligation (e.g., Criminal Finances Act 2017, Modern Slavery Act 2015) to ensure that proper procedures are in place and that reasonable care is being taken in relation to worker payroll and Right To Work compliance.

    We are auditing the below workers from the payroll runs w/e [XX.XX.25], [XX.XX.25], [XX.XX.25], [XX.XX.25] (e.g. 17th Nov, 24th Nov, 1st Dec, 8th Dec 2024). If the worker has not submitted 4 weeks of timesheets for this period due to holidays, start dates etc., then please provide the requested data for weeks in e.g. Sept/Oct/Nov or later in Dec.

    You will shortly receive a link to our Sharepoint/Dropbox/Box.net/Google Account and below is a list of workers we wish to audit.

    • Worker name
    • Worker name
    • Worker name

    Data access and additional information required.

    The Sharepoint/Dropbox/Box.net/Google link will allow you to access your agency audit folder. Your audit folder contains a Worker Information Folder.

    The Worker Spreadsheet is available in the secure portal; please do not return it by email. All fields need to be completed and the spreadsheet uploaded to the Box.net folder to comply with this audit.

    1. Worker Information Folder: within this folder, please create an additional folder for each worker (named as the worker e.g., Joe Bloggs). Please upload unredacted documents only where strictly necessary for reconciliation; otherwise redact account numbers to last 4 digits and mask NI number except the last 3 characters. Please upload the following into the relevant individual worker folder:

    • Copy of Worker Right to Work including Home Office Digital certificate if the worker is from outside the UK & Ireland. Please provide share codes rather than full passport scans by email; upload scans only to the secure portal.
    • Copy of Employment Contract or Contract for Services for each worker.
    • A copy of the KID/assignment letter/schedule with pay details for this worker’s assignment if applicable.
    • An unredacted copy of worker payslips/invoices for w/e 17th Nov, 24th Nov, 1st Dec, 8th Dec 2024.
    • An unredacted screenshot of bank/Bacs transfer to the worker bank account w/e 17th Nov, 24th Nov, 1st Dec, 8th Dec 2024.
    • An unredacted screenshot of the worker RTI/CIS returns report for payslips/invoices w/e 17th Nov, 24th Nov, 1st Dec, 8th Dec 2024.
    • Explanation of any further deductions not itemised on the worker PAYE payslip.

    Please can you ensure that up-to-date and valid Right To Work documents (including Share Codes) are attached to the worker record on Engage, as this forms part of the audit.

    If the worker is a PSC and being paid gross, please provide a copy of the Outside IR35 determination and Status Determination Statement (SDS) provided by [End-hirer], copies of the PSC invoices, evidence of Bacs transfers and a copy of the Employers Intermediaries Reporting related to this worker.

    If the worker is being payrolled via an umbrella company, please provide the name of the umbrella company and a point of contact/contact details. Please request all of the above from them and populate the Worker Information Folder.

    If the worker is being paid CIS by your agency, please provide CIS registration details, including your unique taxpayer reference (UTR) number; if paid CIS by an umbrella, please provide their CIS registration details, including their unique taxpayer reference (UTR) number.

    2. The Worker spreadsheet file for the selected workers is attached. It is key for compliance in this audit that you populate this spreadsheet with the requested information and upload it, via your link, to Box.net.

    Please note that we will be contacting selected workers to understand their payroll experience so please provide worker contact details where requested. We’ll contact workers under our legitimate interests; this is reflected in our privacy notice.

    We are looking to get information back by e.o.p. [xx.xx.xx] latest and we will be performing audits on a quarterly basis moving forward.

    Where audits are large-scale or systematic, we will complete a DPIA. If any DBS/health data is processed, we will rely on DPA 2018 Sch.1 conditions and maintain an Appropriate Policy Document.

    I will be the point of contact for all communications on this project and please do not hesitate to get in touch if you have any queries.

    Best wishes

    Example Worker Spreadsheet

    Click on the button to view an example of a Worker Spreadsheet to use as part of your own audit and due diligence. This file is saved as a Google Sheet; either make a copy in order to edit, or download to use within Microsoft Excel.
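The redaction rule in the email above (account numbers cut to the last 4 digits, NI numbers masked except the last 3 characters, unredacted values only where strictly necessary for reconciliation) applied to one row of the Worker Spreadsheet before upload. This is an added example, not code from this page or from the LSCA platform; the column names `bank_account_number` and `ni_number` and the sample row are assumptions.

```python
"""Data-minimisation helper for a Worker Spreadsheet row (constructed example).

Rules taken from the audit request: account numbers are redacted to the last
4 digits and National Insurance numbers masked except the last 3 characters,
unless an unredacted value is strictly necessary for reconciliation.
"""
from __future__ import annotations

import re

MASK_CHAR = "X"

# Column names are an assumption: the page does not list the spreadsheet's
# columns. Values are the number of trailing characters that may stay visible.
SENSITIVE_FIELDS: dict[str, int] = {
    "bank_account_number": 4,   # "redact account numbers to last 4 digits"
    "ni_number": 3,             # "mask NI number except the last 3 characters"
}


def mask_tail(value: str | None, keep: int) -> str | None:
    """Mask all but the last `keep` characters of `value`.

    Spaces and hyphens are stripped first so the visible tail consists of real
    characters (an NI number is often written "AB 12 34 56 C"). A value no
    longer than `keep` is masked completely, otherwise the rule would expose
    all of it. None (a blank spreadsheet cell) is passed through unchanged.
    """
    if value is None:
        return None
    cleaned = re.sub(r"[\s-]", "", str(value))
    if len(cleaned) <= keep:
        return MASK_CHAR * len(cleaned)
    return MASK_CHAR * (len(cleaned) - keep) + cleaned[-keep:]


def is_masked(value: str, keep: int) -> bool:
    """True when `value` is a run of mask characters followed by at most `keep` visible characters."""
    return re.fullmatch(rf"{MASK_CHAR}+.{{0,{keep}}}", value) is not None


def redact_worker_record(record: dict, reconciliation_fields: frozenset[str] = frozenset()) -> dict:
    """Return a masked copy of one worker's row.

    `reconciliation_fields` lists the fields the auditor has justified as
    strictly necessary for reconciliation (the email's only exception); every
    other sensitive field is masked. The input dict is not modified.
    """
    out = dict(record)
    for field, keep in SENSITIVE_FIELDS.items():
        if field in out and field not in reconciliation_fields:
            out[field] = mask_tail(out[field], keep)
    return out


def find_unredacted(record: dict) -> list[str]:
    """Name the sensitive fields that still hold a full, unmasked value.

    Intended as a pre-upload check: an empty result means the row meets the
    minimisation rule; anything listed needs a documented reconciliation reason.
    """
    return [
        field
        for field, keep in SENSITIVE_FIELDS.items()
        if record.get(field) and not is_masked(str(record[field]), keep)
    ]


# Constructed sample row (fictitious worker, account number and NI number).
SAMPLE_ROW = {
    "worker_name": "Joe Bloggs",
    "bank_account_number": "12345678",
    "ni_number": "AB 12 34 56 C",
}

if __name__ == "__main__":
    print(find_unredacted(SAMPLE_ROW))          # both sensitive fields flagged
    print(redact_worker_record(SAMPLE_ROW))     # account -> XXXX5678, NI -> XXXXXX56C
```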

    Email Communications Example – Justification for Requesting Data

    The below text is an example of email communications that you can send to encourage suppliers to cooperate with your audit requirements in line with GDPR.

    Hi XXXXXX

    Thanks for your response and for taking the steps needed to ensure GDPR compliance and the protection of those workers’ data.

    I thought I’d clarify the legal basis on which such details can legitimately be shared in the context of an audit…

    1. Contractual Obligation:

    The information we are requesting is essential to fulfill the contractual obligations between the agency/umbrella and the end-hirer – so the pay details of the worker must be accessed with full accuracy and transparency in order to assess whether the worker is being paid correctly and in accordance with the terms originally agreed between the agency/umbrella and the worker, and so that the end-hirer complies with tax, National Minimum Wage (NMW) regulations and other statutory requirements. Due to the need to access worker pay detail for employment law compliance, data processing is lawful under GDPR provision Article 6(1)(b) under the condition that ‘processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’. This contractual necessity applies mainly to the agency/umbrella → worker relationship. For the end-hirer, the primary lawful bases are legitimate interests (audit/assurance) and legal obligation (tax/wage compliance). The audit is intended to ensure that workers are paid the correct amount in accordance with the terms agreed by the worker with the agency/umbrella, and that the agency/umbrella and the end-hirer, in turn, comply with employment laws. This is ultimately in the interests of the worker to ensure s/he is paid the correct amount in accordance with the terms agreed and reduces the potential for a legal dispute regarding such issues as unpaid wages.

    2. Legitimate Interests:

    The second lawful basis for legitimate interest applies when processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (referred to as ‘legitimate interest’ in Article 6(1)(f)) provided that such legitimate interest is not overridden by the interests or fundamental rights and freedoms of the data subject. The legitimate interest is to carry out due diligence to ensure that we are complying with our legal obligations, for example, to ensure that workers are paid at the correct rate under PAYE, that the NMW is adhered to, and that the agency and end-hirer are not being used to exploit vulnerable workers. The audit is for the benefit of the workers by ensuring that they are not underpaid or otherwise exploited. Inspections and holding firms to account protect and safeguard the worker, agency/umbrella and end-hirer from the criminal, financial and reputational risks associated with a failure to comply with our legal obligations.

    3. Legal Obligation:

    Further, the contracts require that payments and payroll processes themselves satisfy requirements under HMRC legislation and wider statutory obligations (e.g., the requirement that workers be paid at least the NMW, and that all statutory deductions – including those for tax and National Insurance – are calculated and reported correctly). Without these audits, relevant parties (including the agency itself) could be liable to significant legal and financial sanctions, so requesting the information is a reasonable means of meeting these statutory obligations.

    Agencies/umbrellas and end-hirers usually act as independent controllers for their own audit/compliance purposes; we have appropriate data-sharing terms in place.

    4. Data Minimisation and Safeguards:

    We understand the importance of data protection and will ensure that any data shared is done so in a secure manner, with access limited strictly to those who need to review it for the purposes of the audit. Additionally, any data shared will be handled with the utmost care, ensuring compliance with GDPR’s principles of data minimisation and security.

    5. Transparency and Worker Protection:

    Lastly, this audit is meant to uphold the interests of the workers by ensuring that they are paid correctly; that is how people are meant to do business, and it is probably one aspect of ‘due diligence’ in relation to the labour supply chain – ensuring that workers are paid for their work, as they ought – and a very important one at that.

    In addition, please see the ICO link below, which sets out the reasons why personal data can be shared without consent.

    https://ico.org.uk/for-organisations/sme-web-hub/whats-new/blogs/information-sharing-without-consent-advice-for-small-organisations

    I hope this explains the legal basis of our request in full. I would be happy to discuss any remaining concerns.

    Best regards,

    XXXXX

    LSCA Glossary of Terms


    Comprehensive definitions for Labour Supply Chain Assurance compliance terminology

    Acronym | Full Term | Definition
    CFA 2017 | Criminal Finances Act 2017 | UK legislation introducing Corporate Criminal Offence (sections 45/46): failure to prevent the facilitation of tax evasion. Requires businesses to implement 'reasonable prevention procedures' (RPP). The only defence is having adequate RPP or showing it was not reasonable to expect such procedures.
    MSA 2015 | Modern Slavery Act 2015 | UK legislation mandating supply chain transparency and worker safeguarding. Section 54 requires commercial organisations with ≥£36m turnover to publish annual modern slavery statements (board-approved, signed by director, published on website with prominent homepage link).
    IR35 | Off-Payroll Working Rules | Tax legislation determining whether a contractor should be treated as employed or self-employed for tax purposes. Since April 2021, medium and large private sector clients must determine contractor status and deduct employment taxes if inside IR35. Requires Status Determination Statement (SDS).
    JSL | Joint & Several Liability | 2026 legislation imposing strict liability on agencies and end-hirers for umbrella company tax debts, even where due diligence checks have been undertaken. Makes supply chain participants jointly responsible for unpaid PAYE taxes.
    AWR | Agency Workers Regulations 2010 | UK regulations giving agency workers the right to the same basic working and employment conditions as permanent employees after 12 weeks in a qualifying assignment (12-week parity rule).
    Good Work Plan | Good Work Plan 2020 | UK employment law reforms requiring written 'section 1 statement' of employment particulars to be given to employees and workers on or before day 1 of engagement (effective 6 April 2020). Sets out key terms but is not itself the contract.
    Construction Act | Housing Grants, Construction and Regeneration Act 1996 | UK legislation governing payment practices in construction contracts. Section 113 renders "pay when paid" clauses ineffective (except where upstream payer is insolvent). Requires clear due dates, final dates for payment, and compliant payment/pay less notices.
    Pensions Act 2008 | Pensions Act 2008 | UK legislation establishing workplace pension auto-enrolment requirements. Employers must automatically enrol eligible workers into qualifying pension schemes and make minimum contributions.
    Acronym | Full Term | Definition
    HMRC | HM Revenue & Customs | UK government department responsible for tax collection, payment of tax credits and benefits, and enforcement of tax law. Operates PAYE, CIS, RTI systems and conducts compliance audits. Business Tax Account provides reconciliation data.
    GLAA | Gangmasters and Labour Abuse Authority | UK government body regulating labour providers in certain sectors (agriculture, horticulture, shellfish gathering, food processing/packaging) and investigating worker exploitation. Operates licensing regime and has criminal investigation powers. Hotline: 0800 432 0804 (03000 718234 out of hours).
    ICO | Information Commissioner's Office | UK independent authority upholding information rights. Enforces UK GDPR and Data Protection Act 2018. Personal data breaches must be reported to ICO within 72 hours where there's risk to individuals' rights. Provides guidance on lawful bases, DSARs, and data-sharing.
    CITB | Construction Industry Training Board | Industry body that collects levy from construction employers (payroll ≥£80k in PAYE in last tax year, or ≥£80k net CIS payments) and provides training grants. CITB levy compliance is audited in construction-focused compliance audits.
    Acronym | Full Term | Definition
    PAYE | Pay As You Earn | HMRC's system for collecting Income Tax and National Insurance Contributions from employees' wages. Employers deduct tax before paying employees, then remit to HMRC. Operates under Real Time Information (RTI) reporting requirements.
    CIS | Construction Industry Scheme | Tax deduction scheme for payments to subcontractors in construction industry. Contractors must verify subcontractors with HMRC before first payment and make deductions (20% for verified, 30% for unverified) on labour element only (excluding VAT and allowable materials). CIS300 returns due by 19th following tax month.
    GPS | Gross Payment Status | CIS status allowing subcontractors to be paid without deductions. Must apply to HMRC and meet compliance tests (business test, turnover test, compliance test). Contractors must verify GPS and keep evidence; continue to file CIS300 but make no deduction.
    CIS300 | CIS Monthly Return | HMRC return submitted by contractors detailing total payments made to each subcontractor and CIS tax deductions applied. Must be filed by the 19th following the tax month (6th–5th). Should reconcile to subcontractor statements and bank payments.
    CIS340 | CIS340 Guidance | HMRC's official guidance document defining what constitutes 'construction operations' for CIS purposes. Only work qualifying under CIS340 can legitimately be paid through the Construction Industry Scheme. Includes site preparation, construction, alteration, repairs, demolition.
    RTI | Real Time Information | HMRC system requiring employers to report PAYE information at or before each pay run. Consists of Full Payment Submission (FPS) for regular pay data and Employer Payment Summary (EPS) for adjustments/recoveries. Must reconcile to payslips and Business Tax Account.
    FPS | Full Payment Submission | RTI submission reporting gross taxable pay, Income Tax, and NICs for each employee on each payday. FPS values must match payslips. Should not be used to mask under-deductions.
    EPS | Employer Payment Summary | RTI submission used only for adjustments, such as recoveries, statutory payments, employment allowance claims, or apprenticeship levy. Should not be used to mask PAYE under-deductions.
    Bacs | Bankers' Automated Clearing Services | UK electronic payment system used for direct debits and credits, including salary payments. Net pay on payslip must match Bacs transfer to worker's bank account. Never use "BACS" (incorrect).
    UTR | Unique Taxpayer Reference | 10-digit number issued by HMRC to identify individuals and businesses for tax purposes. Required for CIS verification and self-assessment tax returns. Note: UTR alone isn't proof of CIS verification; contractor must verify with HMRC before first payment.
    NIC / NICs | National Insurance Contributions | UK social security tax paid by employees (via PAYE), employers (as on-costs), and the self-employed (Class 2/4 via self-assessment). Funds state benefits including state pension, statutory sick pay, and maternity allowance. CIS deductions are payments on account of Income Tax and Class 4 NICs.
    NMW | National Minimum Wage | Legal minimum hourly rate employers must pay workers in the UK. Rates vary by age band. Post-deduction pay (after deductions for employer's own use/benefit) must not fall below NMW. Records must be kept for 6 years.
    NLW | National Living Wage | Higher rate of National Minimum Wage for workers aged 21 and over. Often referred to together as "NMW/NLW". Different from voluntary Real Living Wage calculated by Living Wage Foundation.
    AE | Auto-Enrolment (Pensions) | Workplace pension scheme where employers must automatically enrol eligible workers (aged 22+ to state pension age, earning ≥£10k annually) into a qualifying pension. Minimum contributions, opt-out rights, and re-enrolment (every 3 years) required.
    P45 | P45 (Leaving Employment) | HMRC form given to employees when they leave employment, showing pay and tax details for the year to date. New employer uses P45 to operate correct tax code. Emergency codes (e.g., 1257L W1/M1) apply without P45/P6.
    Acronym | Full Term | Definition
    DRC | Domestic Reverse Charge (VAT) | VAT mechanism for construction services where the customer accounts for VAT instead of the supplier. Applies to most construction services under CIS340. Designed to combat missing trader fraud in construction supply chains.
    Kittel | Kittel Principle | EU/UK legal principle that a taxpayer who knew or should have known their transaction was connected to VAT fraud may be denied the right to deduct input VAT. Creates due diligence obligations for supply chain participants.
    DR | Disguised Remuneration | Tax avoidance arrangements designed to pay individuals while avoiding income tax and NICs, often involving loans, offshore entities, or trusts. HMRC actively targets such schemes. Loan charge applies to outstanding loans.
    Acronym | Full Term | Definition
    SDC | Supervision, Direction or Control | Key factor in determining employment status under agency rules (ITEPA 2003 s44). If a worker is under supervision, direction or control by any person (client, agency, end-hirer) over how they work, PAYE must be operated. SDC alone is not the general CIS status test—apply usual status tests (control, substitution, mutuality).
    MOO | Mutuality of Obligation | Employment status indicator examining whether the employer is obliged to provide work and the worker is obliged to accept it. Absence of MOO suggests self-employment; presence suggests employment.
    SDS | Status Determination Statement | Document required under IR35 reforms (April 2021) where medium/large clients must provide written reasons for their determination of a contractor's employment status for tax purposes. Must be given before contract starts or worker begins work.
    CEST | Check Employment Status for Tax | HMRC's online tool for determining whether a worker should be classified as employed or self-employed for tax purposes. Results are binding on HMRC if information provided is accurate and not relating to highly complex arrangements.
    PSC | Personal Service Company | Limited company through which a contractor provides their services. Often used by contractors working outside IR35, but subject to IR35 rules if the underlying relationship is one of employment. Requires SDS from medium/large clients.
    KID | Key Information Document | Plain-English factsheet (not a contract) that agencies must give to workers before they agree to an assignment (Conduct of Employment Agencies and Employment Businesses Regulations 2003). Includes worked pay illustration, deductions, who pays the worker, benefits. Must be updated within 5 working days of any change.
    ITEPA 2003 | Income Tax (Earnings and Pensions) Act 2003 | UK tax legislation governing employment income. Section 44 contains agency rules requiring PAYE where worker is under SDC. Section 61N–61R cover off-payroll working (IR35) for public sector and (from 2021) medium/large private sector.
    DBS | Disclosure and Barring Service | UK government service providing criminal record checks for employment purposes (particularly roles working with children or vulnerable adults). Processing DBS data requires DPA 2018 Schedule 1 condition and appropriate policy document.
    Acronym | Full Term | Definition
    Umbrella | Umbrella Company | Employment intermediary that employs agency workers and contractors. Handles PAYE, pension, and employment administration while the worker performs assignments for end-clients arranged through agencies. Employer NICs/apprenticeship levy must be funded from assignment rate, not charged to workers as deductions.
    MUC | Mini Umbrella Company | Fraudulent scheme where multiple small umbrella companies are created to exploit employment allowances and avoid tax obligations. Often phoenixing after accumulating tax debt. A significant compliance risk that supply chain audits help detect.
    Phoenix | Phoenix Company Scheme | Fraudulent practice where a company accumulates tax debts, is dissolved, and re-emerges as a new entity to escape liabilities. A key risk factor in supply chain due diligence. Tolerance of phoenix suppliers by end users enables fraud cycle.
    Purported | Purported Umbrella Company | Entity presenting itself as a legitimate umbrella company but failing to meet compliance standards, potentially operating tax avoidance schemes or misclassifying workers.
    Hybrid | Hybrid Payment Model | Pay arrangement combining different payment methods (e.g., PAYE + CIS, or PAYE + PSC). Requires careful status assessment to avoid disguised remuneration or employment status breaches.
    Acronym | Full Term | Definition
    UK GDPR | UK General Data Protection Regulation | UK data protection law (retained EU law post-Brexit) governing processing of personal data. Requires lawful basis (Art 6), data minimisation, security, transparency (Arts 13-14), and respect for data subject rights. Works alongside Data Protection Act 2018.
    DPA 2018 | Data Protection Act 2018 | UK legislation supplementing UK GDPR. Schedule 1 sets conditions for processing special category data (health, biometric, union membership) and criminal offence data (e.g., DBS checks). Provides exemptions (crime prevention, tax collection, legal professional privilege).
    DSAR | Data Subject Access Request | Individual's right under Art 15 UK GDPR to obtain copy of their personal data. Must respond within one month (extendable by 2 months for complex requests). Usually no fee. Must verify identity proportionately.
    DPO | Data Protection Officer | Required role for public authorities or organisations conducting large-scale systematic monitoring or processing special category data (Art 37). Oversees data protection compliance, advises on DPIAs, and acts as contact point for ICO and data subjects.
    LIA | Legitimate Interests Assessment | Assessment required when relying on legitimate interests (Art 6(1)(f)) as lawful basis. Three-part test: identify legitimate interest → demonstrate necessity → balancing test (interests vs individual rights). Appropriate for audit/assurance; avoid consent for audits.
    DPIA | Data Protection Impact Assessment | Required assessment where processing is likely to result in high risk to individuals (Art 35). Must complete for large-scale, systematic monitoring or extensive special category data processing. Documents risks, mitigation measures, and necessity/proportionality.
    RoPA | Records of Processing Activities | GDPR requirement (Art 30) documenting all personal data processing activities. Must include purposes, lawful bases, data categories, recipients, retention periods, security measures, and international transfers. Must be available to ICO on request.
    IDTA | International Data Transfer Agreement | UK mechanism for lawfully transferring personal data outside the UK (replacing EU Standard Contractual Clauses post-Brexit). Required unless recipient country has adequacy decision or other derogation applies. Alternative: UK Addendum to EU SCCs.
    SCCs | Standard Contractual Clauses | EU Commission-approved contract templates for international data transfers. For UK data exports, use UK Addendum to EU SCCs or UK IDTA.
    Art 28 DPA | Article 28 Data Processing Agreement | Mandatory contract between controller and processor (Art 28 UK GDPR). Must cover: subject matter, duration, data types, processing instructions, confidentiality, security, sub-processors, data subject rights assistance, breach notification, data deletion/return, audit rights.
    Art 26 | Article 26 (Joint Controllers) | UK GDPR provision for parties who jointly determine purposes and means of processing. Requires arrangement setting out respective responsibilities, data subject rights, and contact points. Different from controller-processor (Art 28) or controller-controller data-sharing.
    Controller | Data Controller | Organisation that determines the purposes and means of processing personal data. Bears primary GDPR obligations. Agencies, umbrellas, and end-hirers usually act as independent controllers for their own audit/compliance purposes.
    Acronym | Full Term | Definition
    LSCA | Labour Supply Chain Assurance | Due diligence framework ensuring compliance with tax, employment, and ethical standards throughout the labour supply chain. Covers PAYE/CIS compliance, modern slavery, CFA 2017, worker rights, and IR35. Aims to detect exploitation, fraud, and phoenixism.
    PSL | Preferred Supplier List | Vetted list of approved suppliers (typically umbrella companies or agencies) that meet compliance standards. Key governance control for managing supply chain risk. Should be reviewed regularly and require re-certification.
    End-Hirer | End-Hirer / End Client | The organisation where agency or contract workers ultimately perform their work. Under current regulations, medium/large end-hirers have IR35 status determination responsibilities and supply chain due diligence obligations.
    CCO | Corporate Criminal Offence | CFA 2017 offence: failure to prevent facilitation of tax evasion by an associated person. Three-stage liability: (1) taxpayer evades tax, (2) associated person criminally facilitates it, (3) organisation failed to prevent. Only defence: reasonable prevention procedures (RPP).
    RPP | Reasonable Prevention Procedures | The only defence to Corporate Criminal Offence under CFA 2017. HMRC's six principles: risk assessment, proportionate procedures, top-level commitment, due diligence, communication (training), monitoring & review. Must be risk-based and documented.
    SRO | Senior Responsible Owner | Senior person accountable for CFA 2017 compliance, risk assessments, and implementation of reasonable prevention procedures. Provides top-level commitment and board oversight.
    MSAT | Modern Slavery Assessment Tool | UK Government tool (Home Office/Cabinet Office) for assessing modern slavery risks in supply chains. Free to organisations registered on UK Government Supplier Registration Service.
    Acronym | Full Term | Definition
    ASCA | Agency Self-Certification Audit | Most comprehensive audit form with 174 questions across 18 sections. Enables recruitment agencies to self-assess compliance with tax, employment, and supply chain obligations including PAYE, CIS, Modern Slavery, CFA 2017.
    AUCIS | Agency Umbrella CIS Audit | Audit evaluating recruitment agencies' compliance with CIS requirements when engaging umbrella companies, ensuring proper tax treatment and supply chain integrity.
    AUPAYE | Agency Umbrella PAYE Audit | Audit assessing recruitment agencies' oversight of umbrella companies' PAYE compliance, including tax deductions, National Insurance contributions, and payroll accuracy.
    EHUCIS | End-Hirer Umbrella CIS Audit | Audit evaluating end-hirers' due diligence when engaging umbrella companies under CIS, ensuring supply chain compliance and proper contractor treatment.
    EHUPAYE | End-Hirer Umbrella PAYE Audit | Audit assessing end-hirers' oversight of umbrella PAYE arrangements, covering payroll transparency and worker rights compliance.
    EHSA | End-Hirer Self-Assessment Audit | Audit enabling end-hirers to self-assess their compliance with supply chain, tax, and employment obligations.
    EHAA | End-Hirer Assurance Audit | Audit providing end-hirers with an independent assessment of their supply chain compliance, risk management, and due diligence practices.
    UMBCIS | Umbrella CIS Audit | Audit evaluating umbrella companies' compliance with CIS requirements, including proper contractor treatment, tax deductions, and verification processes.
    UMBPAYE | Umbrella PAYE Audit | Audit assessing umbrella companies' PAYE compliance, payroll integrity, and worker protection standards. Contains 21 sections (Section 1 info-only, Sections 2-20 audit, Section 21 declaration) vs 18 for most other audits.
    Self-Cert | Self-Certification Audit | Generic term for labour supply chain compliance audits where organisations self-assess against tax, employment, and ethical standards. Provides documented evidence of due diligence for HMRC inspections.
    Acronym | Full Term | Definition
    Instance | Audit Form Instance | Individual audit submission. Users can create unlimited instances, each stored as WordPress custom post type with responses in wp_opraas_audit_responses table. Assigned to logged-in user via post_author field.
    Completion | Completion Score | Frontend metric showing percentage of questions answered (any answer counts). Includes ALL sections: Section 1 checkbox, Section 2 (8 fields), Declaration (7 fields), and all audit questions. N/A responses count as answered.
    Compliance | Compliance Score | Backend metric measuring quality of compliance. Scoring: Yes=5 points, No=0 points, N/A=0 points (excluded from maximum), Don't Know=1 point. EXCLUDES Sections 1, 2, and Declaration entirely. ≥80% = Compliant, 60-79% = Partially Compliant, <60% = Non-Compliant.
    Evidence | Evidence Files | Supporting documents uploaded to substantiate audit responses. Stored in AWS S3 via WP Offload Media plugin, with Evidence Table providing S3-aware ZIP downloads that temporarily download from cloud before adding to archives.
    Red Flags | Red Flags | Warning indicators in audit questions identifying practices that may indicate non-compliance, fraud risk (phoenixism, MUCs, disguised remuneration), or regulatory breaches requiring immediate attention and remediation.