Agency Umbrella PAYE Audit

Important Information

This checklist has been developed to assist recruitment agencies in auditing umbrella companies operating PAYE models within their labour supply chain.

It supports compliance and transparency, and mitigates risks related to tax evasion, disguised remuneration, worker exploitation, and commercial liability.

It also supports obligations under the Criminal Finances Act 2017 and safeguards reputational integrity.

Key assurance areas covered include:

  • Verification of umbrella company legitimacy, director integrity, and HMRC registration status
  • Transparency around PAYE deductions, margins, and take-home pay
  • Confirmation of statutory employment rights (e.g. NMW, auto-enrolment pensions, and holiday pay)
  • Assurance that the umbrella complies with the Criminal Finances Act 2017, Modern Slavery Act 2015, and GDPR
  • Controls to detect mini umbrella company (MUC) fraud and PAYE fragmentation
  • Evidence that grievance procedures, fair onboarding, and data safeguards are in place

Agencies may be expected to demonstrate:

  • That robust due diligence is performed on all umbrella partners
  • That contractual terms require compliance with employment law and tax standards
  • That documentation is reviewed and retained to evidence compliance with PAYE, NICs, and employment law
  • That any signs of non-compliance (e.g. disguised remuneration, excessive deductions, fragmented PAYE schemes) are escalated and acted upon
  • That heightened scrutiny is applied to high-risk setups, including loan models, hybrid PAYE/CIS structures, or opaque take-home projections

Incomplete answers or unsubstantiated claims may not satisfy HMRC or contractual due diligence requirements.

This checklist ensures risks are identified, evidence is assessed, and accountability is embedded within the agency’s labour supply procedures.

Evidence Expectations

In an HMRC audit, superficial responses will not meet compliance standards.

Agencies may be asked to provide:

  • Contracts, KIDs, onboarding scripts, pay breakdowns
  • Risk assessments, IR35/SDS logs, onboarding due diligence
  • Third-party audit outcomes, governance records, and escalation logs
  • Mini umbrella red flag checks, VAT/Kittel assurance, and group structure disclosures

By using the form, you acknowledge acceptance of OPRaaS LTD’s data handling policies and terms and conditions of use.

info@opraas.co.uk

Umbrella Company Details

This section captures the main contact details of the umbrella company to which this form relates.

Section 1 – Legal Entity & Controllers

This section ensures the umbrella company is a legitimate, compliant trading entity with verified tax registrations, PAYE credentials, and transparent controllers.

These checks help prevent engagement with shell companies, phoenix firms, MUC fraud, or tax-evading entities.

They help meet duties under the Criminal Finances Act 2017 and protect commercial integrity.

🚩 Red Flags

  • Companies House shows dormant/dissolved status, overdue accounts, or repeated phoenix activity
  • VAT number inactive, deregistered, or linked to HMRC Tax Loss/Veto letters
  • Directors appear across multiple failed companies, are disqualified, or have misconduct/insolvency history
  • Use of multiple small entities with overseas directors (potential Mini Umbrella Company structure)
  • Inconsistent trading names across contracts, payslips, and onboarding documents

001. Is the umbrella registered with Companies House and are details up to date? — Justification: Foundation & legal status. Red flags: dissolved/dormant status, inconsistent directors, missing filings.

Evidence for HMRC: Screenshot or printout from Companies House (status, directors, SIC code)

002. Are trading names used consistently across contracts, payslips, and onboarding documents? — Justification: Brand transparency. Red flags: multiple/alias names, mismatches between contracts and payslips.

Evidence for HMRC: Samples of contracts, payslips, onboarding emails

003. Is the Certificate of Incorporation available? — Justification: Document verification. Red flags: reluctance to provide, altered/poor quality copies.

Evidence for HMRC: PDF or hard copy of Certificate of Incorporation

004. Have all annual accounts and company tax filings been submitted on time? — Justification: Financial compliance. Red flags: overdue accounts, late filing penalties, frequent company changes (phoenix risk).

Evidence for HMRC: HMRC and Companies House filing confirmations

005. Is the VAT registration active and are the details current? — Justification: VAT compliance. Red flags: deregistered VAT, mismatch with the HMRC VAT number checker, linked to Tax Loss or Veto letters.

Evidence for HMRC: VAT registration certificate or HMRC confirmation screen

006. Is the PAYE scheme registered and active with HMRC? — Justification: PAYE compliance. Red flags: PAYE inactive/suspended, use of third-party PAYE numbers.

Evidence for HMRC: HMRC PAYE reference letter or Government Gateway screenshot

007. Have you confirmed none of the listed directors are disqualified from directorship? — Justification: Governance risk. Red flags: director disqualification orders, repeat appearances across dissolved firms.

Evidence for HMRC: Director declarations, Companies House checks

008. Have you confirmed that none of the directors have been investigated, charged, or cautioned for financial misconduct? — Justification: Reputational risk. Red flags: ongoing FCA/HMRC investigations, adverse media.

Evidence for HMRC: Written declarations, internal compliance logs

009. Have you confirmed that none of the directors have run companies that entered insolvency (unless disclosed)? — Justification: Financial stability check. Red flags: directors linked to multiple insolvencies/phoenixing.

Evidence for HMRC: Insolvency declarations, Companies House history

010. Have directors declared no late personal tax filings or improper benefit claims? — Justification: Individual tax integrity. Red flags: HMRC late filing notices, historic improper claims.

Evidence for HMRC: Director self-certifications, HMRC correspondence

011. Has the umbrella disclosed whether it subcontracts any CIS or payroll services to other entities? — Justification: Governance scope & delegation. Red flags: undisclosed outsourcing, vague subcontractor details.

Evidence for HMRC: Subcontractor agreements, scope of services

012. Does the umbrella conduct due diligence on any subcontractors (e.g., UTR, VAT, PAYE, directors)? — Justification: Prevents upstream fraud risk. Red flags: no subcontractor DD, unknown UTR/VAT, high turnover of subcontractors.

Evidence for HMRC: Due diligence reports, Companies House/HMRC checks

013. Can the umbrella evidence that subcontractors do not use Mini Umbrella Company (MUC) structures? — Justification: Detects PAYE fragmentation. Red flags: multiple tiny companies, overseas directors, frequent company swaps.

Evidence for HMRC: Subcontractor audit reports, due diligence logs, HMRC confirmations
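The entity and director red flags in this section (dissolved or dormant status, overdue accounts, directors recurring across dissolved companies, and clusters of newly incorporated companies sharing a controller with overseas-resident co-directors, the mini umbrella company pattern behind questions 001, 004, 007, 009 and 013) can be screened automatically before a reviewer opens the file. The block below is an added example, not part of the original checklist or of OPRaaS LTD's form. It runs those flags over constructed records shaped like a Companies House export; the record fields, the thresholds (three or more companies incorporated within 180 days of each other, two or more dissolved companies per director) and every company, number and officer in the sample are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Officer:
    name: str
    country: str          # country of residence as recorded on the register


@dataclass(frozen=True)
class Company:
    number: str           # company number as shown on Companies House
    name: str
    status: str           # "active", "dissolved" or "dormant" (as the red flags above phrase it)
    accounts_overdue: bool
    incorporated: date
    officers: tuple       # tuple of Officer


def director_history(companies):
    """Map each officer name to the status of every company they appear on."""
    history = defaultdict(list)
    for company in companies:
        for officer in company.officers:
            history[officer.name].append(company.status)
    return history


def muc_clusters(companies, window_days=180, min_size=3):
    """Find groups of companies that share an officer and were all incorporated
    within `window_days` of each other: many small, young entities under one
    controller.  Returns (shared officer, sorted company numbers, sorted
    overseas countries of any officer in the group)."""
    by_officer = defaultdict(list)
    for company in companies:
        for officer in company.officers:
            by_officer[officer.name].append(company)
    clusters = []
    for name, group in by_officer.items():
        if len(group) < min_size:
            continue
        dates = sorted(c.incorporated for c in group)
        if (dates[-1] - dates[0]).days > window_days:
            continue
        overseas = {o.country for c in group for o in c.officers} - {"United Kingdom"}
        clusters.append((name, sorted(c.number for c in group), sorted(overseas)))
    return clusters


def screen(companies, dissolved_threshold=2):
    """Return {company number: [flag, ...]} for every supplied record."""
    history = director_history(companies)
    cluster_of = {}
    for anchor, numbers, overseas in muc_clusters(companies):
        for number in numbers:
            cluster_of[number] = (anchor, overseas)
    report = {}
    for company in companies:
        flags = []
        if company.status != "active":
            flags.append(f"status:{company.status}")
        if company.accounts_overdue:
            flags.append("accounts_overdue")
        for officer in company.officers:
            dissolved = history[officer.name].count("dissolved")
            if dissolved >= dissolved_threshold:
                flags.append(f"phoenix_risk:{officer.name}:{dissolved} dissolved companies")
        if company.number in cluster_of:
            anchor, overseas = cluster_of[company.number]
            flag = f"muc_cluster:{anchor}"
            if overseas:
                flag += ":overseas=" + ",".join(overseas)
            flags.append(flag)
        report[company.number] = flags
    return report


# Constructed sample records: fictitious companies, numbers and officers.
SAMPLE = [
    Company("00000001", "Bright Payroll Ltd", "active", False, date(2019, 3, 1),
            (Officer("A. Director", "United Kingdom"),)),
    Company("00000002", "Old Umbrella Ltd", "dissolved", True, date(2016, 5, 9),
            (Officer("B. Phoenix", "United Kingdom"),)),
    Company("00000003", "Older Umbrella Ltd", "dissolved", False, date(2014, 1, 2),
            (Officer("B. Phoenix", "United Kingdom"),)),
    Company("00000004", "Newer Umbrella Ltd", "active", False, date(2024, 6, 1),
            (Officer("B. Phoenix", "United Kingdom"),)),
    # three young companies under one UK nominee with overseas co-directors
    Company("00000010", "Pay Cell 1 Ltd", "active", False, date(2025, 1, 10),
            (Officer("C. Nominee", "United Kingdom"), Officer("D. Abroad", "Philippines"))),
    Company("00000011", "Pay Cell 2 Ltd", "active", False, date(2025, 2, 3),
            (Officer("C. Nominee", "United Kingdom"), Officer("E. Abroad", "Philippines"))),
    Company("00000012", "Pay Cell 3 Ltd", "active", False, date(2025, 3, 20),
            (Officer("C. Nominee", "United Kingdom"),)),
]

if __name__ == "__main__":
    for number, flags in screen(SAMPLE).items():
        print(number, ", ".join(flags) or "no flags")
```

Treat the output as a triage list: a phoenix or MUC flag is a prompt to request the evidence listed against questions 007, 009 and 013, not a finding in itself. The clustering keys on a shared named officer only; a fraudster who rotates nominees between entities will not trip it, so shared registered addresses, accountants or bank details are worth adding as further join keys when the data is available.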

014. Are payroll and compliance functions operationally separate from sales/commercial teams? — Justification: Minimises onboarding bias. Red flags: sales staff handling compliance, no segregation of duties.

Evidence for HMRC: Org chart, job role descriptions

015. Are compliance overrides logged and independently reviewed (e.g., by a governance lead or NED)? — Justification: Tracks compliance breaches. Red flags: overrides not documented, reviewed by same person who approved.

Evidence for HMRC: Override register, governance meeting minutes

016. Is the umbrella independently accredited by a recognised compliance or industry body (e.g., FCSA, APSCo Trusted Partner, or equivalent)? — Justification: Voluntary adherence to best practice. Red flags: no accreditation, expired membership, reliance on self-cert only.

Evidence for HMRC: Membership certificate, audit summary

017. Is the membership valid and currently up to date? — Justification: Demonstrates ongoing scrutiny. Red flags: lapsed or suspended membership, no renewal evidence.

Evidence for HMRC: Renewal notice, website verification

Section 2 – Banking, Money Flows & Outsourcing

This section ensures that umbrella companies manage funds through legitimate UK accounts, safeguard worker pay, and maintain transparency over any outsourced functions.

Early confirmation of banking, funds flow, and subcontracting arrangements helps prevent third-party routing risks, phoenix layering, or offshore diversion.

001. Does the umbrella use a UK-based business bank account exclusively? — Justification: UK financial control. Red flags: offshore accounts, unrelated third-party accounts, frequent account changes.

Evidence for HMRC: Bank letter, recent bank statements

002. Are umbrella workers paid directly into UK personal bank accounts (not joint, offshore, or pooled accounts)? — Justification: Worker pay integrity. Red flags: pooled/joint accounts, overseas transfers, payments routed via agencies.

Evidence for HMRC: BACS logs, payroll reports

003. Are offshore entities excluded from involvement in worker payment processes? — Justification: Tax transparency. Red flags: offshore processors, nominee companies, unexplained foreign remittances.

Evidence for HMRC: Ownership structure, payment processor overview

004. Are funds for wages and tax liabilities held in protected or ring-fenced accounts (per HMRC expectations)? — Justification: Safeguards worker money. Red flags: use of general trading account only, no separation of funds, history of frozen accounts.

Evidence for HMRC: Bank setup confirmation, audit notes

005. Are audit trails in place to verify PAYE, NIC, and deductions in line with CFA 2017? — Justification: Financial compliance. Red flags: incomplete audit logs, manual adjustments without evidence, unexplained deductions.

Evidence for HMRC: Sample payroll audit logs, software screenshots

006. Has the umbrella had accounts frozen or been investigated by regulators in the last 5 years? — Justification: Regulatory history. Red flags: HMRC/FCA freezing orders, settlements, history of insolvency protection.

Evidence for HMRC: HMRC/FCA letters, internal compliance reports

007. Does the umbrella subcontract payroll, onboarding, or compliance functions to third parties? — Justification: Identifies outsourcing risk. Red flags: undisclosed subcontractors, no formal contracts, opaque service arrangements.

Evidence for HMRC: Supplier contracts, SLAs, disclosure in onboarding packs

008. If yes, are these subcontractors named, disclosed, and audited? — Justification: Transparency across the supply chain. Red flags: unnamed processors, refusal to provide details, subcontractors linked to MUC setups.

Evidence for HMRC: Subcontractor register, agency agreements, audit reports

009. Are subcontractors contractually bound to HMRC compliance standards? — Justification: Ensures downstream accountability. Red flags: contracts silent on compliance, reliance on verbal assurances.

Evidence for HMRC: Contract clauses, compliance audit reports

010. Are all outsourced suppliers under contract and subject to regular compliance review? — Justification: Supplier due diligence. Red flags: expired contracts, no SLA monitoring, high churn of providers.

Evidence for HMRC: SLA snapshots, review logs

011. Are subcontractor and service-chain relationships disclosed to agencies and workers? — Justification: Commercial transparency. Red flags: hidden intermediaries, workers unaware of true employer, multiple hand-offs.

Evidence for HMRC: Onboarding packs, agency agreements

012. Are up-to-date contracts and SLAs in place for all outsourced providers? — Justification: Risk management. Red flags: outdated templates, unsigned contracts, no renewal tracking.

Evidence for HMRC: Contract library, SLA tracker

013. Are internal audits or spot checks performed on outsourced payment processors? — Justification: Demonstrates proactive control. Red flags: no audit programme, reliance on supplier self-certification only.

Evidence for HMRC: Internal audit logs, QA spot-check reports

Section 3 – Payroll Integrity:  PAYE, RTI & EIRR

This section confirms that the umbrella company applies PAYE/NIC correctly, reports earnings through Real Time Information (RTI), and meets its quarterly employment intermediaries reporting (EIRR) obligations.

Together, these form the statutory spine of a compliant umbrella payroll and protect agencies from HMRC enforcement.

001. Has worker PAYE tax and NICs been correctly calculated? — Justification: PAYE accuracy. Red flags: net pay inflated versus gross, Employer's NIC deducted from worker pay, mismatch between payslips and RTI submissions.

Evidence for HMRC: Sample payslips, payroll journals

002. Has the PAYE/NIC liability been paid on time to HMRC? — Justification: Payment timeliness. Red flags: late payments, HMRC arrears, Time to Pay arrangements not disclosed.

Evidence for HMRC: HMRC payment confirmations, FPS/EPS records

003. Is Employer’s NIC correctly calculated and not deducted from workers’ gross pay? — Justification: Cost fairness. Red flags: Employer NIC shown as a worker deduction, disguised charges under “admin” or “margin”.

Evidence for HMRC: Payroll summary, payslip audits

004. Are bonuses, expenses and other earnings correctly subject to PAYE/NIC where applicable? — Justification: Full tax capture. Red flags: tax-free bonuses, expenses misclassified, inflated take-home projections.

Evidence for HMRC: Expense records, payroll logs

005. Are Real Time Information (RTI) submissions accurate and submitted on time each pay period? — Justification: RTI compliance. Red flags: late/missed FPS, corrected submissions, HMRC error notices.

Evidence for HMRC: FPS/EPS reports, HMRC submission receipts

006. Are regular payroll audits conducted to check for RTI and tax reporting accuracy? — Justification: Verification control. Red flags: no internal audit trail, discrepancies unresolved, reliance on third-party assurance only.

Evidence for HMRC: Internal audit schedules, payroll audit outcomes

007. Has the umbrella been subject to HMRC investigations, penalties, or NIC challenges in the past 3–5 years? — Justification: Regulatory history. Red flags: penalty notices, settlement agreements, history of incorrect RTI.

Evidence for HMRC: HMRC correspondence, settlement letters

008. Does the umbrella submit quarterly Employment Intermediary Reports (EIRRs) under the employment intermediaries reporting rules (ITEPA 2003 s.716B, with the reporting regulations in force since April 2015)? — Justification: Statutory obligation. Red flags: missed submissions, unexplained worker gaps, incomplete UTR/NINO data.

Evidence for HMRC: HMRC EIRR submission receipts, tracking logs

009. Can the umbrella evidence its most recent EIRR submission? — Justification: Demonstrates compliance. Red flags: refusal to share, only draft files, mismatch with agency worker records.

Evidence for HMRC: Screenshot or copy of latest EIRR

010. Are UTRs, NINOs, and other worker data verified for accuracy before EIRR submission? — Justification: Prevents audit risk. Red flags: missing NINOs, duplicate records, unverifiable worker details.

Evidence for HMRC: QA logs, validation procedures, verification records
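Question 010 asks for worker identifiers to be validated before a report goes to HMRC. The block below is an added example of that pre-submission check, not the page's own procedure. The rules it encodes are HMRC's published formats: a National Insurance number is two prefix letters (D, F, I, Q, U and V are never used, and O is never the second letter), six digits and a suffix A to D, with the prefixes BG, GB, NK, KN, TN, NT and ZZ never allocated; a ten-digit Unique Taxpayer Reference carries its check digit first, computed from the other nine digits with the weights 6, 7, 8, 9, 10, 5, 4, 3, 2 modulo 11. The records, field names and flag labels are constructed for the example; the identifiers are format illustrations, not real people.

```python
import re
from collections import Counter

# NINO: two prefix letters (D, F, I, Q, U, V never used; O never second),
# six digits, suffix A to D.  A handful of prefixes are never allocated.
NINO_RE = re.compile(r"[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z][0-9]{6}[A-D]")
NINO_UNALLOCATED_PREFIXES = {"BG", "GB", "NK", "KN", "TN", "NT", "ZZ"}
# Ten-digit UTR: the first digit is a check digit over the other nine.
UTR_WEIGHTS = (6, 7, 8, 9, 10, 5, 4, 3, 2)


def normalise(value):
    """Strip internal whitespace and upper-case, so 'ab 12 34 56 c' and
    'AB123456C' compare equal and duplicates are not hidden by formatting."""
    return re.sub(r"\s+", "", value or "").upper()


def valid_nino(nino):
    n = normalise(nino)
    return bool(NINO_RE.fullmatch(n)) and n[:2] not in NINO_UNALLOCATED_PREFIXES


def utr_check_digit(body):
    """Check digit for the nine digits that follow it in a ten-digit UTR."""
    total = sum(w * int(d) for w, d in zip(UTR_WEIGHTS, body))
    return "21987654321"[total % 11]


def valid_utr(utr):
    u = normalise(utr)
    return len(u) == 10 and u.isdigit() and u[0] == utr_check_digit(u[1:])


def validate_records(records):
    """Return {record id: [flag, ...]}; an empty list means the record passed.
    A UTR is only relevant for workers who are not on PAYE, so it is checked
    when present rather than demanded."""
    seen = Counter(normalise(r.get("nino")) for r in records if normalise(r.get("nino")))
    report = {}
    for r in records:
        flags = []
        nino = normalise(r.get("nino"))
        if not nino:
            flags.append("nino_missing")
        elif not valid_nino(nino):
            flags.append("nino_invalid")
        elif seen[nino] > 1:
            flags.append("nino_duplicate")
        utr = normalise(r.get("utr"))
        if utr and not valid_utr(utr):
            flags.append("utr_invalid")
        report[r["id"]] = flags
    return report


# Constructed sample: fictitious workers; identifiers are format examples only.
SAMPLE_RECORDS = [
    {"id": "R1", "name": "Worker One",   "nino": "AB 12 34 56 C", "utr": "1955839661"},
    {"id": "R2", "name": "Worker Two",   "nino": "QQ123456C",     "utr": ""},           # Q prefix never issued
    {"id": "R3", "name": "Worker Three", "nino": "AB123456C",     "utr": "1955839662"}, # duplicate NINO, bad check digit
    {"id": "R4", "name": "Worker Four",  "nino": "",              "utr": ""},           # no NINO captured
    {"id": "R5", "name": "Worker Five",  "nino": "BG123456A",     "utr": ""},           # unallocated prefix
]

if __name__ == "__main__":
    for rid, flags in validate_records(SAMPLE_RECORDS).items():
        print(rid, ", ".join(flags) or "ok")
```

A format check only proves the identifier is well formed, not that it belongs to the named worker; the duplicate check is the one that tends to surface onboarding problems (one NINO reused across several "workers" is a strong identity-misuse signal and a Section 5 matter as much as a reporting one).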

Section 4 – Worker Pay, Benefits & Deductions

This section ensures that umbrella workers receive lawful pay, benefits, and statutory protections.

It confirms transparency of deductions, proper holiday accrual, lawful expenses, and fair treatment of salary sacrifice schemes.

Agencies are exposed if umbrellas disguise remuneration, breach NMW, or mislead workers about entitlements.

001. Are Key Information Documents (KIDs) issued before each assignment? — Justification: Fee transparency. Red flags: workers unaware of deductions, KIDs missing or generic.

Evidence for HMRC: Sample KID, onboarding pack

002. Are payslips itemised to show all deductions, holiday pay, and pension contributions? — Justification: Cost clarity. Red flags: lump-sum deductions, hidden admin fees, holiday pay absorbed into margin.

Evidence for HMRC: Payslip samples, payroll reports

003. Do payslips clearly show holiday pay or accrual, and is rolled-up holiday pay only used where legally permitted (irregular-hours or part-year workers, for leave years beginning on or after 1 April 2024)? — Justification: Working Time Regulations (WTR) compliance. Red flags: rolled-up holiday pay applied to regular-hours staff; rolled-up holiday pay not shown separately on payslips; 12.07% uplift calculated incorrectly. Acceptable: rolled-up holiday pay for irregular-hours/part-year workers, itemised clearly on payslips.

Evidence for HMRC: Payslip samples, holiday policy

004. Is unused holiday fully paid out on termination? — Justification: Worker protection. Red flags: unpaid leave on exit, unclear policy, worker complaints.

Evidence for HMRC: Final payslip, exit checklist

005. Are comparator rates reviewed and 12-week AWR parity tracked? — Justification: Agency Workers Regulations compliance. Red flags: no AWR tracker, mismatched pay rates, ignored client comparators.

Evidence for HMRC: AWR tracker, client parity records

006. Are Regulation 10 (Swedish Derogation) contracts no longer used (post-April 2020)? — Justification: Legal compliance. Red flags: legacy templates, unclear worker status.

Evidence for HMRC: Archived contracts, updated policies

007. Are expense claims restricted to HMRC-permitted categories and supported by receipts? — Justification: Prevents disguised remuneration. Red flags: flat-rate or “dispensation-style” claims, no receipts, workers under supervision, direction or control (SDC) receiving tax-free travel and subsistence.

Evidence for HMRC: Expense claim forms, receipts, payslip audits

008. Do any deductions (e.g., PPE, admin, expenses) ever reduce pay below NMW? — Justification: NMW protection. Red flags: deductions breaching NMW Regs, workers repaying umbrella fees, clawbacks.

Evidence for HMRC: NMW audits, gross-to-net calculations
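Questions 001 and 003 in Section 3 and questions 002, 003 and 008 in this section are all checks that can be run mechanically over a payroll extract rather than by eyeballing sample payslips. The block below is an added example of such a payslip audit, not the original checklist's procedure. Over constructed payslips it flags Employer's NIC or Apprenticeship Levy appearing as a worker deduction, net pay that does not reconcile to gross less the itemised deductions, rolled-up holiday pay used for a regular-hours worker or not paid at 12.07%, and pay falling below the NMW rate once deductions for the umbrella's own benefit (admin fee, margin, PPE) are removed. The deduction labels, the worker records and the hourly rate used (12.21, the National Living Wage for workers aged 21 and over from April 2025) are assumptions for the example; holiday pay and leave hours are left out of the NMW calculation because they are not pay for work done.

```python
from dataclasses import dataclass

# Employer-side costs: these must never appear as a deduction from the worker.
EMPLOYER_COST_LABELS = {"Employer NIC", "Apprenticeship Levy"}
# Deductions for the employer's own use or benefit reduce pay for NMW purposes
# (admin fees, margin charged to the worker, PPE or uniform bought from the umbrella).
EMPLOYER_BENEFIT_LABELS = {"Admin fee", "Margin", "PPE", "Uniform", "Tools"} | EMPLOYER_COST_LABELS
ROLLED_UP_RATE = 0.1207   # 12.07% uplift permitted for irregular-hours and part-year workers


@dataclass
class Payslip:
    worker: str
    hours: float            # hours worked in the period (leave not counted)
    basic_pay: float        # pay for work done, excluding holiday pay
    holiday_pay: float      # itemised holiday pay line (0.0 if none shown)
    rolled_up: bool         # holiday paid as an uplift every period
    irregular_hours: bool   # irregular-hours or part-year worker
    deductions: dict        # label -> amount taken from gross
    net_pay: float


def check_payslip(slip, nmw_rate):
    """Return the list of red flags raised by one payslip (empty if clean)."""
    flags = []
    # Section 3 Q003: employer costs passed to the worker as a deduction
    charged = sorted(EMPLOYER_COST_LABELS & set(slip.deductions))
    if charged:
        flags.append("employer_cost_deducted:" + ",".join(charged))
    # Section 4 Q002: net pay must reconcile to gross less the itemised deductions
    gross = slip.basic_pay + slip.holiday_pay
    expected_net = round(gross - sum(slip.deductions.values()), 2)
    if abs(expected_net - slip.net_pay) > 0.005:
        flags.append(f"net_pay_mismatch:expected={expected_net:.2f}")
    # Section 4 Q003: rolled-up holiday only for irregular-hours/part-year workers,
    # itemised on the payslip, and at 12.07% of pay for work done in the period
    if slip.rolled_up:
        if not slip.irregular_hours:
            flags.append("rolled_up_holiday_for_regular_hours_worker")
        if slip.holiday_pay == 0:
            flags.append("rolled_up_holiday_not_itemised")
        else:
            expected_holiday = round(slip.basic_pay * ROLLED_UP_RATE, 2)
            if abs(expected_holiday - slip.holiday_pay) > 0.01:
                flags.append(f"rolled_up_rate_wrong:expected={expected_holiday:.2f}")
    # Section 4 Q008: hourly pay after employer-benefit deductions must not fall below NMW.
    # Holiday pay and leave hours are excluded: they are not pay for work done.
    reducing = sum(v for k, v in slip.deductions.items() if k in EMPLOYER_BENEFIT_LABELS)
    if slip.hours > 0:
        hourly = (slip.basic_pay - reducing) / slip.hours
        if hourly + 1e-9 < nmw_rate:
            flags.append(f"below_nmw:{hourly:.2f}/h")
    return flags


def check_run(payslips, nmw_rate):
    """Run every payslip in a payroll extract and key the flags by worker."""
    return {slip.worker: check_payslip(slip, nmw_rate) for slip in payslips}


NMW_RATE = 12.21   # assumed for the sample: National Living Wage, age 21+, from April 2025

# Constructed sample extract (fictitious workers and amounts).
SAMPLE = [
    # irregular-hours worker, rolled-up holiday itemised at 12.07%, reconciles, above NMW
    Payslip("W001", 40, 600.00, 72.42, True, True,
            {"PAYE": 80.00, "Employee NIC": 30.00}, 562.42),
    # regular-hours worker given rolled-up holiday, Employer NIC and an admin fee deducted
    Payslip("W002", 40, 520.00, 62.76, True, False,
            {"PAYE": 60.00, "Employee NIC": 20.00, "Employer NIC": 55.00, "Admin fee": 40.00}, 407.76),
    # accrual model, but the net figure does not reconcile to the itemised deductions
    Payslip("W003", 35, 700.00, 0.00, False, False,
            {"PAYE": 95.00, "Employee NIC": 38.00}, 560.00),
]

if __name__ == "__main__":
    for worker, flags in check_run(SAMPLE, NMW_RATE).items():
        print(worker, ", ".join(flags) or "no flags")
```

Two limits worth knowing before relying on this: salary sacrifice also reduces pay for NMW purposes (question 009) and is not modelled, and an Employer's NIC line that has been renamed "admin" or "margin" (the disguise noted in Section 3 question 003) will only be caught by the NMW floor and the reconciliation against the assignment rate, not by the label match.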

009. Are salary sacrifice schemes (e.g., pensions, benefits) operated lawfully and voluntarily? — Justification: Transparency of deductions. Red flags: workers auto-enrolled without consent, NIC savings retained without disclosure, NMW breached post-sacrifice.

Evidence for HMRC: Salary sacrifice policy, signed worker consents

010. Are workers told whether Employer NIC/Apprenticeship Levy savings are retained by the umbrella or passed on? — Justification: Fairness & disclosure. Red flags: marketing “boosted take-home” without clarity, savings kept undisclosed.

Evidence for HMRC: Payroll policy, payslip annotations

011. Has the umbrella conducted payslip spot checks to verify salary sacrifice does not disadvantage workers (e.g., SSP, SMP, pension)? — Justification: Protects entitlements. Red flags: workers lose statutory benefits due to sacrifice, no reconciliation process.

Evidence for HMRC: Audit logs, benefit assessments

012. Are grievance and complaints processes accessible to workers for disputes over pay/deductions? — Justification: Worker voice & dispute prevention. Red flags: no grievance route, workers resorting to tribunal, repeat pay-related complaints.

Evidence for HMRC: Complaints register, grievance policy

Section 5 – Identity, Right-to-Work & Data Protection

This section ensures that umbrella companies carry out statutory Right to Work checks, collect and retain identity documents, and comply with GDPR requirements for secure handling of worker data.

It also tests whether staff are trained to recognise risks such as document fraud, identity misuse, or modern slavery indicators.

001. Does the umbrella complete and document Right to Work (RTW) checks before each assignment? — Justification: Home Office compliance. Red flags: workers onboarded without RTW evidence, retrospective checks only, over-reliance on agency.

Evidence for HMRC: RTW policy, completed RTW forms

002. Is photographic ID and proof of address consistently collected and retained? — Justification: Identity verification. Red flags: incomplete ID files, shared bank accounts/addresses, mismatched worker details.

Evidence for HMRC: Scanned ID, audit logs

003. Are digital RTW methods (e.g. IDVT, share code) used appropriately? — Justification: Modern compliance. Red flags: share codes not verified, expired visas accepted, no process for EEA nationals.

Evidence for HMRC: Screenshots, IDVT logs

004. Are RTW checks stored securely and retained for the duration of employment and for 2 years after it ends? — Justification: Retention duty. Red flags: missing archives, insecure storage, early deletion, GDPR breaches.

Evidence for HMRC: RTW retention policy, document archive

005. Has the umbrella ever received Home Office warnings or audit notices? — Justification: Regulatory risk. Red flags: non-compliance notices, repeated follow-up inspections.

Evidence for HMRC: Home Office correspondence

006. Is there a GDPR/privacy policy covering the collection, use, and storage of worker data? — Justification: Data rights. Red flags: no published privacy policy, outdated templates, missing ICO registration.

Evidence for HMRC: GDPR policy, ICO registration

007. Are documented procedures in place for Subject Access Requests (SARs), erasure, and consent? — Justification: Data subject rights. Red flags: SARs ignored, worker consent not recorded, blanket consents.

Evidence for HMRC: SAR logs, consent records

008. Has the umbrella suffered an ICO investigation or data breach in the last 5 years? — Justification: Incident history. Red flags: repeated ICO notices, fines, unreported breaches.

Evidence for HMRC: ICO letters, breach response logs

009. Are compliance staff trained on identifying RTW fraud, document forgery, and data security obligations? — Justification: Operational awareness. Red flags: no training logs, reliance on untrained onboarding staff, lack of refresher training.

Evidence for HMRC: Training records, LMS logs

010. Are workers informed about how their personal data is used, stored, and shared (transparency notices)? — Justification: Transparency duty. Red flags: no privacy notice provided, workers unaware of data processors, subcontracted processing hidden.

Evidence for HMRC: Worker onboarding packs, privacy notice

Section 6 – Modern Slavery Risk Oversight

This section ensures umbrella companies take active steps to detect, prevent, and respond to modern slavery and labour exploitation within their workforce and supply chain.

It tests whether policies, training, reporting channels, and subcontractor oversight are in place, in line with the Modern Slavery Act 2015 and wider HMRC labour supply guidance.

001. Does the umbrella have a Modern Slavery policy that applies to all workers and subcontractors? — Justification: Baseline policy framework. Red flags: no policy published, outdated documents, workers unaware of protections.

Evidence for HMRC: Modern Slavery Policy, supplier code of conduct

002. Has the umbrella conducted a modern slavery risk assessment of its workforce or supply chain in the last 12 months? — Justification: Risk identification. Red flags: no assessment done, focus only on Tier 1 suppliers, ignoring high-risk categories (agency labour, migrant workers).

Evidence for HMRC: Risk assessment logs, heatmaps, supply chain mapping

003. Is modern slavery awareness training provided to onboarding, payroll, and compliance staff? — Justification: Operational awareness. Red flags: no training records, reliance on induction only, staff unable to identify red flags (e.g. debt bondage, coercion).

Evidence for HMRC: LMS logs, signed training records

004. Are clear grievance, whistleblowing, or anonymous reporting channels available to workers? — Justification: Worker voice & escalation. Red flags: no hotline, fear of retaliation, workers unaware of reporting options.

Evidence for HMRC: Whistleblowing policy, hotline logs, reporting procedures

005. Has the umbrella ever escalated or investigated a worker welfare or modern slavery concern? — Justification: Responsiveness. Red flags: zero reports despite large workforce (under-reporting risk), no documented investigations.

Evidence for HMRC: Case logs, investigation reports

006. Are any workers housed or transported by the umbrella or affiliates? — Justification: Risk of control/coercion. Red flags: overcrowded housing, transport fees deducted from wages, restricted worker movement.

Evidence for HMRC: Housing agreements, worker declarations

007. Are umbrella workers required to pay fees to join or remain with the umbrella (e.g., admin, margin, compliance)? — Justification: Prevents forced labour risk. Red flags: upfront fees, “joining” charges, unexplained deductions.

Evidence for HMRC: Payslip samples, worker complaints

008. Does the umbrella monitor or restrict worker movement between agencies or end clients? — Justification: Freedom of employment. Red flags: restrictive covenants, worker “lock-in” clauses, penalties for leaving.

Evidence for HMRC: Worker mobility policy, contracts

009. Do directors and senior staff undergo vetting for past involvement in exploitation scandals? — Justification: Governance accountability. Red flags: directors linked to Operation Fort cases, undisclosed histories.

Evidence for HMRC: Background checks, director declarations

010. Are third-party subcontractors (e.g., CIS or onboarding providers) required to comply with anti-slavery standards? — Justification: Extends compliance down the chain. Red flags: subcontractors with no policy, refusal to sign codes, reliance on verbal assurances.

Evidence for HMRC: Subcontractor due diligence, signed commitments

Section 7 – Tax & Model-Risk Assurance (VAT, MUC, IR35/Hybrid)

This section ensures umbrella companies are not exposing agencies to HMRC enforcement through VAT fraud (including MTIC/carousel fraud), Mini Umbrella Company (MUC) setups, or disguised remuneration via hybrid models.

It supports agency obligations under the Kittel principle, the Criminal Finances Act 2017, and upcoming Joint & Several Liability (JSL) 2026 rules.

001. Does the umbrella confirm it does not operate disguised remuneration or offshore loan/pension schemes? — Justification: Prevents HMRC high-risk models. Red flags: “loan”, “advance”, “rebate” schemes, unusual pay uplifts.

Evidence for HMRC: Scheme declarations, HMRC Spotlight references

002. Has worker PAYE/NIC ever been bypassed by reclassifying staff into CIS or PSC models? — Justification: Identifies disguised PAYE. Red flags: PAYE staff shifted mid-contract, hybrid pay routes, offshore Ltd use.

Select answer

Upload evidence for HMRC

Payroll audit logs, reclassification records

Short reason if answered N/A

Comments / Notes (Optional)

003. Does the umbrella apply the Domestic Reverse Charge (DRC) correctly when invoicing under CIS? — Justification: VAT compliance in construction. Red flags: missing VAT lines, DRC misapplied, repeated invoice corrections.

Select answer

Upload evidence for HMRC

Sample CIS VAT invoices, DRC policy

Short reason if answered N/A

Comments / Notes (Optional)

004. Has the umbrella performed annual VAT/IR35 risk mapping across clients and sectors? — Justification: Proactive assurance. Red flags: no risk map, high-risk sectors ignored, repeat errors not tracked.

Select answer

Upload evidence for HMRC

Risk maps, compliance reviews

Short reason if answered N/A

Comments / Notes (Optional)

005. Can you confirm the umbrella VAT registration is valid and active? — Justification: Legitimacy test. Red flags: deregistration/re-registration cycles, HMRC “tax loss” letters, veto notices.

Select answer

Upload evidence for HMRC

VAT certificate, GOV.UK VAT check

Short reason if answered N/A

Comments / Notes (Optional)
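An offline pre-check that an auditor can run over the VAT numbers quoted by umbrella suppliers before doing the GOV.UK lookup named above. This is an added example, not part of the checklist: it applies the published Mod 97 and Mod 9755 check-digit algorithms for a standard nine-digit UK VRN (with optional GB prefix and three-digit branch suffix) and rejects numbers that cannot be valid. It does not replace the GOV.UK check, which is the only way to confirm the number is registered and active; allocation-range rules for the two algorithms are not applied here, and all supplier names and VRNs below are constructed sample data.

```python
import re

# Weights HMRC applies to the first seven digits of a standard nine-digit VRN.
WEIGHTS = (8, 7, 6, 5, 4, 3, 2)
# Optional GB prefix, nine digits, optional three-digit branch suffix.
_VRN_RE = re.compile(r"^(?:GB)?(\d{9})(\d{3})?$")


def normalise_vrn(raw: str) -> str:
    """Strip whitespace and the GB prefix; return the nine core digits or '' if the shape is wrong."""
    compact = re.sub(r"\s+", "", raw).upper()
    match = _VRN_RE.match(compact)
    return match.group(1) if match else ""


def vrn_check_digits_ok(vrn9: str) -> bool:
    """Mod 97 / Mod 9755 check-digit test on a nine-digit VRN (no allocation-range rules applied)."""
    if len(vrn9) != 9 or not vrn9.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(vrn9[:7], WEIGHTS))
    check = int(vrn9[7:])
    if check == 0:
        # The subtract-97-until-negative rule can never produce "00" as check digits.
        return False
    # Mod 97: total plus check digits divisible by 97; Mod 9755: same after adding 55.
    return (total + check) % 97 == 0 or (total + 55 + check) % 97 == 0


def vrn_plausible(raw: str) -> bool:
    """True if the quoted VRN has a valid shape and passes one of the two check-digit tests."""
    vrn9 = normalise_vrn(raw)
    return bool(vrn9) and vrn_check_digits_ok(vrn9)


def screen_supplier_vrns(records):
    """records: iterable of (supplier_name, vrn_as_quoted); returns names whose VRN fails the pre-check."""
    return [name for name, vrn in records if not vrn_plausible(vrn)]


# Constructed sample data: names and numbers are made up for this example.
SAMPLE_SUPPLIERS = [
    ("Alpha Umbrella Ltd", "GB 123 4567 82"),    # passes Mod 97
    ("Beta Payroll Ltd", "GB123456727"),         # passes Mod 9755
    ("Gamma Brolly Ltd", "GB123456789"),         # fails both check-digit tests
    ("Delta Contracting Ltd", "GB12345"),        # wrong length
]

if __name__ == "__main__":
    for supplier, quoted in SAMPLE_SUPPLIERS:
        status = "format ok, send to GOV.UK check" if vrn_plausible(quoted) else "FAILS pre-check"
        print(f"{supplier:24} {quoted:16} {status}")
```

A number that fails here has either been mistyped on the supplier's paperwork or does not exist; either way it belongs in the red-flag column of Q005 until the supplier explains it. A number that passes still has to be looked up.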

006. Do invoices clearly show VAT number and detailed VAT breakdown? — Justification: Input tax recovery. Red flags: vague invoices, VAT number missing/mismatched, inconsistent totals.

Select answer

Upload evidence for HMRC

2–3 invoices with breakdown

Short reason if answered N/A

Comments / Notes (Optional)

007. Are input VAT claims based only on legitimate, VAT-eligible expenses with valid invoices? — Justification: Defends against Kittel liability. Red flags: input VAT claimed on wages, invalid invoices, expenses with no receipts.

Select answer

Upload evidence for HMRC

VAT ledger, expense invoices

Short reason if answered N/A

Comments / Notes (Optional)

008. Has the umbrella ever been subject to VAT deregistration, veto, or tax loss notices? — Justification: Flags phoenix/VAT fraud. Red flags: multiple deregistrations, group entities sharing VAT numbers.

Select answer

Upload evidence for HMRC

HMRC correspondence, written statement

Short reason if answered N/A

Comments / Notes (Optional)

009. Are compliance staff and directors trained on the Kittel principle and VAT fraud prevention? — Justification: Awareness duty. Red flags: no training, reliance on accountant only, no record of awareness briefings.

Select answer

Upload evidence for HMRC

Training logs, signed acknowledgments

Short reason if answered N/A

Comments / Notes (Optional)

010. Has the umbrella screened its PAYE structures for Mini Umbrella Company (MUC) risks? — Justification: Detects PAYE fragmentation. Red flags: multiple tiny companies, overseas directors, short-lived entities.

Select answer

Upload evidence for HMRC

MUC risk logs, red flag checklists

Short reason if answered N/A

Comments / Notes (Optional)

011. Does the umbrella operate multiple PAYE schemes across group companies, and if so is the rationale documented? — Justification: Prevents MUC abuse. Red flags: excessive PAYE schemes, no consolidation, vague justifications.

Select answer

Upload evidence for HMRC

PAYE registration records, group chart

Short reason if answered N/A

Comments / Notes (Optional)

012. Are payrolls consolidated to prevent unnecessary PAYE fragmentation? — Justification: Good practice. Red flags: fragmented payrolls, inconsistent scheme references, unexplained shifts.

Select answer

Upload evidence for HMRC

Payroll system diagram, policies

Short reason if answered N/A

Comments / Notes (Optional)

013. Has the umbrella received MUC-related warnings or audits from HMRC or agencies? — Justification: Transparency & remedial action. Red flags: ignored warnings, repeat non-compliance, failure to disclose.

Select answer

Upload evidence for HMRC

HMRC correspondence, audit reports

Short reason if answered N/A

Comments / Notes (Optional)

014. Does the umbrella confirm it does not promote hybrid PAYE/CIS or PAYE/PSC models without documented status checks? — Justification: Prevents disguised off-payroll. Red flags: workers steered into CIS/self-employment, hybrid onboarding defaults.

Select answer

Upload evidence for HMRC

Onboarding workflow, comms scripts

Short reason if answered N/A

Comments / Notes (Optional)

015. How does the umbrella assess and document employment status before offering CIS/self-employed terms? — Justification: Misclassification risk. Red flags: no SDC tests, blanket CIS classification, missing worker questionnaires.

Select answer

Upload evidence for HMRC

Status assessments, SDC records

Short reason if answered N/A

Comments / Notes (Optional)

016. Has the umbrella confirmed that no hybrid models are subcontracted to other entities or referral schemes? — Justification: Supply chain transparency. Red flags: outsourcing hybrids, opaque platforms, undisclosed partners.

Select answer

Upload evidence for HMRC

Subcontractor register, supplier contracts

Short reason if answered N/A

Comments / Notes (Optional)

017. Have legal/tax advisors reviewed hybrid or multi-model pay for IR35, NMW, and CFA 2017 compliance? — Justification: Defensibility. Red flags: no external review, “in-house only” sign-off, reliance on marketing claims.

Select answer

Upload evidence for HMRC

Legal/tax opinion, compliance review logs

Short reason if answered N/A

Comments / Notes (Optional)

Section 8 – Criminal Finances Act 2017 (CFA) – Reasonable Prevention Procedures

The CFA 2017 created the Corporate Criminal Offence (CCO) of failing to prevent the facilitation of tax evasion.

Agencies and umbrella companies must demonstrate they have taken reasonable prevention procedures. HMRC expects documented risk assessments, policies, staff training, and escalation processes.

001. Has the umbrella completed and documented a CFA 2017 risk assessment? — Justification: Identifies facilitation risks. Red flags: no assessment, last review over 12 months ago, generic template with no relevance to operations.

Select answer

Upload evidence for HMRC

Risk assessment report, board minutes

Short reason if answered N/A

Comments / Notes (Optional)

002. Is the risk assessment reviewed annually or when business models change? — Justification: Keeps prevention live. Red flags: static assessments, no updates after onboarding new models (e.g., CIS, offshore).

Select answer

Upload evidence for HMRC

Latest dated risk assessment, update logs

Short reason if answered N/A

Comments / Notes (Optional)

003. Is there a written policy prohibiting the facilitation of tax evasion? — Justification: Policy foundation. Red flags: no standalone CFA policy, buried in generic handbook, not communicated to staff.

Select answer

Upload evidence for HMRC

CFA/anti-facilitation policy

Short reason if answered N/A

Comments / Notes (Optional)

004. Has the policy been shared internally with staff and externally with supply chain partners? — Justification: Creates awareness. Red flags: staff unaware of policy, no circulation to subcontractors/PSL.

Select answer

Upload evidence for HMRC

Intranet post, supplier comms

Short reason if answered N/A

Comments / Notes (Optional)

005. Have staff involved in onboarding, payroll, and compliance received CFA 2017 training? — Justification: Front-line awareness. Red flags: no training records, one-off induction only, no updates for new staff.

Select answer

Upload evidence for HMRC

Training logs, LMS completions

Short reason if answered N/A

Comments / Notes (Optional)

006. Are directors and compliance leads trained to identify facilitation red flags? — Justification: Leadership accountability. Red flags: directors unaware of CCO liability, training not extended to senior staff.

Select answer

Upload evidence for HMRC

Signed training acknowledgments, board briefing slides

Short reason if answered N/A

Comments / Notes (Optional)

007. Is there a named CFA compliance officer or escalation contact? — Justification: Governance clarity. Red flags: no owner, responsibilities split informally, staff unsure who to report to.

Select answer

Upload evidence for HMRC

Role description, governance chart

Short reason if answered N/A

Comments / Notes (Optional)

008. Are breaches, near misses, and escalations logged and reviewed? — Justification: Tracks culture & improvement. Red flags: no incident log, repeat near misses ignored, no corrective actions.

Select answer

Upload evidence for HMRC

Escalation logs, RCA reports

Short reason if answered N/A

Comments / Notes (Optional)

009. Is there a whistleblowing or hotline process for suspected facilitation of tax evasion? — Justification: Supports detection. Red flags: no confidential channel, workers unaware of reporting line, whistleblowers ignored.

Select answer

Upload evidence for HMRC

Whistleblowing policy, hotline details

Short reason if answered N/A

Comments / Notes (Optional)

010. Have any CFA breaches, investigations, or near misses been disclosed to HMRC in the past 5 years? — Justification: Transparency test. Red flags: unreported breaches, HMRC enquiries undisclosed, repeated “no issues” despite other red flags.

Select answer

Upload evidence for HMRC

HMRC correspondence, disclosure statements

Short reason if answered N/A

Comments / Notes (Optional)

Section 9 – Complaints, Disputes & Record-Keeping

This section ensures umbrella companies have robust systems for logging and resolving complaints, learning from disputes, and maintaining compliant records.

It protects agencies from tribunal claims, reputational damage, and shows transparency in line with HMRC and contractual due diligence expectations.

001. Does the umbrella log all worker and agency complaints systematically? — Justification: Transparency & service quality. Red flags: no complaint log, ad hoc handling, repeat issues ignored.

Select answer

Upload evidence for HMRC

CRM exports, complaints register

Short reason if answered N/A

Comments / Notes (Optional)

002. Are escalation routes and SLAs documented for complaint resolution? — Justification: Clear accountability. Red flags: unclear escalation, missed SLA targets, disputes handled by sales staff.

Select answer

Upload evidence for HMRC

SOPs, SLA matrix, escalation chart

Short reason if answered N/A

Comments / Notes (Optional)

003. Does the umbrella offer early dispute resolution (e.g., ACAS-style mediation)? — Justification: Tribunal avoidance. Red flags: no mediation option, all disputes escalated to litigation, high tribunal volume.

Select answer

Upload evidence for HMRC

Grievance procedure, ACAS logs

Short reason if answered N/A

Comments / Notes (Optional)

004. Are Root Cause Analyses (RCA) performed and fed into process improvement? — Justification: Continuous improvement. Red flags: recurring pay errors, no RCA log, repeat complaints from same workers.

Select answer

Upload evidence for HMRC

RCA templates, lessons-learned logs

Short reason if answered N/A

Comments / Notes (Optional)

005. Have any tribunal or ACAS claims been made in the last 3 years, and how were they resolved? — Justification: Litigation risk indicator. Red flags: frequent claims, costly settlements, gagging clauses.

Select answer

Upload evidence for HMRC

Tribunal summaries, settlement outcomes

Short reason if answered N/A

Comments / Notes (Optional)

006. Are records (payroll, RTW, complaints) retained in line with GDPR retention schedules? — Justification: Data governance. Red flags: missing files, over-retention beyond legal limits, insecure archives.

Select answer

Upload evidence for HMRC

Retention policy, deletion logs

Short reason if answered N/A

Comments / Notes (Optional)

007. Does the umbrella collect worker feedback (e.g., surveys, forums) on pay and service quality? — Justification: Worker voice. Red flags: no feedback mechanism, consistently poor ratings, ignored worker concerns.

Select answer

Upload evidence for HMRC

Survey reports, feedback forms, action outcomes

Short reason if answered N/A

Comments / Notes (Optional)

Section 10 – End-Hirer Governance & JSL Readiness

This section ensures that end-hirers and agencies can demonstrate oversight of umbrella partners in line with contractual obligations and the upcoming Joint & Several Liability (JSL) regime (2026).

It tests whether due diligence, contract clauses, escalation routes, and audit access are in place to prevent hidden tax risks, worker exploitation, or reputational damage.

001. Does the end-hirer/agency have a formal policy for due diligence on umbrella companies? — Justification: Governance foundation. Red flags: no written DD policy, reliance on umbrella self-cert, no review cycle.

Select answer

Upload evidence for HMRC

Due diligence policy, audit framework

Short reason if answered N/A

Comments / Notes (Optional)

002. Do contracts with umbrellas mandate compliance with PAYE, NMW, pensions, and tax law? — Justification: Legal defensibility. Red flags: vague clauses, no reference to PAYE/NIC, reliance on generic T&Cs.

Select answer

Upload evidence for HMRC

Contracts, SLA extracts

Short reason if answered N/A

Comments / Notes (Optional)

003. Do umbrella partners have grievance, whistleblowing, and complaints procedures for workers? — Justification: Worker protection. Red flags: no grievance process, workers unaware of channels, complaints handled by sales/commercial only.

Select answer

Upload evidence for HMRC

Whistleblowing policies, hotline logs

Short reason if answered N/A

Comments / Notes (Optional)

004. Do umbrellas demonstrate transparency on margin, deductions, and net pay to workers? — Justification: Prevents disguised remuneration. Red flags: opaque deductions, inflated take-home claims, missing KIDs.

Select answer

Upload evidence for HMRC

Payslip samples, KIDs

Short reason if answered N/A

Comments / Notes (Optional)

005. Does the umbrella use secure, GDPR-compliant payroll/data systems? — Justification: Data protection. Red flags: no ICO registration, insecure portals, data processors undisclosed.

Select answer

Upload evidence for HMRC

ICO registration, payroll system certificates

Short reason if answered N/A

Comments / Notes (Optional)

006. Does the agency/end-hirer independently review umbrella compliance beyond self-certification? — Justification: Audit assurance. Red flags: reliance on umbrella’s word, no sample audits, gaps in PSL oversight.

Select answer

Upload evidence for HMRC

Third-party reviews, audit reports

Short reason if answered N/A

Comments / Notes (Optional)

007. Is there a formal escalation/disengagement process if non-compliance is found? — Justification: Remediation & continuity. Red flags: no exit plan, risks ignored, continued use of non-compliant umbrellas.

Select answer

Upload evidence for HMRC

Escalation SOPs, disengagement logs

Short reason if answered N/A

Comments / Notes (Optional)

008. Is the umbrella aware of the upcoming 2026 JSL regime on unpaid PAYE/NIC? — Justification: Future readiness. Red flags: no awareness, no board briefings, dismissive responses.

Select answer

Upload evidence for HMRC

Policy briefings, compliance memos

Short reason if answered N/A

Comments / Notes (Optional)

009. Have umbrella contracts been updated with indemnities, reporting, or audit rights to reflect JSL? — Justification: Contractual protection. Red flags: no indemnities, no audit clauses, outdated agreements.

Select answer

Upload evidence for HMRC

Updated contract templates

Short reason if answered N/A

Comments / Notes (Optional)

010. Are umbrellas willing to be audited annually or on demand by the agency/end-hirer? — Justification: Transparency & access. Red flags: refusal of audit rights, restricted data access, delaying tactics.

Select answer

Upload evidence for HMRC

PSL agreements, past audit logs

Short reason if answered N/A

Comments / Notes (Optional)

011. Do umbrellas confirm they are the employer and payer listed on payslips/Bacs lines? — Justification: Liability traceability. Red flags: third-party names on payslips, payments routed through intermediaries.

Select answer

Upload evidence for HMRC

Payslip samples, Bacs records

Short reason if answered N/A

Comments / Notes (Optional)

012. Are subcontracted or layered models (e.g., CIS, outsourced payroll) disclosed and risk-assessed? — Justification: Supply chain clarity. Red flags: hidden subcontractors, opaque CIS chains, multiple layers with no visibility.

Select answer

Upload evidence for HMRC

Subcontractor declarations, org charts

Short reason if answered N/A

Comments / Notes (Optional)

013. Does the umbrella have escalation processes for reporting suspected tax evasion or disguised remuneration? — Justification: Governance safeguard. Red flags: no whistleblowing route, no escalation logs, board not informed.

Select answer

Upload evidence for HMRC

Incident logs, escalation policies

Short reason if answered N/A

Comments / Notes (Optional)

014. Can the umbrella evidence that PAYE/NIC deductions are reported and remitted accurately to HMRC? — Justification: Tax integrity. Red flags: arrears, mismatched FPS/EPS, unexplained PAYE scheme changes.

Select answer

Upload evidence for HMRC

HMRC receipts, RTI submissions

Short reason if answered N/A

Comments / Notes (Optional)

015. Has the umbrella undertaken a PAYE/RTI self-assessment or external audit in the last 12 months? — Justification: Proactive compliance. Red flags: no internal reviews, no third-party checks, reliance on annual accounts only.

Select answer

Upload evidence for HMRC

Audit reports, spot-check logs

Short reason if answered N/A

Comments / Notes (Optional)

016. Can the umbrella provide a list of all agency workers matched to the correct PAYE scheme and entity? — Justification: MUC/ghosting prevention. Red flags: missing worker lists, mismatch between entity and payslip employer.

Select answer

Upload evidence for HMRC

Worker list, payroll entity records

Short reason if answered N/A

Comments / Notes (Optional)

017. Have senior staff (Directors, Compliance, Payroll Leads) been briefed on JSL personal accountability? — Justification: Leadership awareness. Red flags: no board minutes, no training, directors unaware of liability.

Select answer

Upload evidence for HMRC

Training records, board briefings

Short reason if answered N/A

Comments / Notes (Optional)

018. Can umbrellas provide real-time or periodic payroll data access (e.g., payslips, RTI, deductions)? — Justification: Oversight & monitoring. Red flags: no data access, only annual reports, refusal to share RTI data.

Select answer

Upload evidence for HMRC

Data-sharing agreements, access logs

Short reason if answered N/A

Comments / Notes (Optional)

Section 11 – Worker Pay, Benefits & Deductions – Complementing Oversight

This section ensures agencies and end-hirers conduct their own oversight of umbrella pay, benefits, and deductions, rather than relying solely on umbrella self-certification.

It reinforces accountability under the Employment Rights Act 1996, NMW Regulations 2015, and upcoming JSL 2026 regime.

001. Does the umbrella independently review sample payslips to confirm lawful deductions and NMW compliance? — Justification: Verification beyond self-cert. Red flags: no spot checks, reliance on umbrella summaries, hidden admin fees.

Select answer

Upload evidence for HMRC

Payslip audits, worker feedback

Short reason if answered N/A

Comments / Notes (Optional)

002. Does the umbrella monitor whether holiday pay is correctly accrued, paid, or rolled up only where legally permitted (irregular/part-year workers)? — Justification: Protects statutory entitlements. Red flags: rolled-up holiday pay applied to regular-hours staff, no reconciliation on exit.

Select answer

Upload evidence for HMRC

Payslip samples, holiday pay policies

Short reason if answered N/A

Comments / Notes (Optional)

003. Does the umbrella confirm/verify that salary sacrifice arrangements do not reduce worker pay below NMW or disadvantage statutory benefits (SSP, SMP, pensions)? — Justification: Prevents disguised remuneration and exploitation. Red flags: workers losing entitlements post-sacrifice, employer NIC savings undisclosed.

Select answer

Upload evidence for HMRC

Salary sacrifice policies, benefit assessments

Short reason if answered N/A

Comments / Notes (Optional)

004. Are worker complaints about pay or deductions tracked by the agency as well as by the umbrella? — Justification: Early warning system. Red flags: agency unaware of repeated complaints, reliance on umbrella-only logs.

Select answer

Upload evidence for HMRC

Complaints register, ACAS/tribunal summaries

Short reason if answered N/A

Comments / Notes (Optional)

005. Does the umbrella share reconciliation data (e.g., margins, expenses, holiday accrual) at agreed intervals? — Justification: Transparency & audit trail. Red flags: no reconciliation reports, unexplained gaps, opaque take-home illustrations.

Select answer

Upload evidence for HMRC

Reconciliation statements, audit reports

Short reason if answered N/A

Comments / Notes (Optional)

006. Has the agency obtained insurance or indemnities to protect against umbrella non-compliance on worker pay? — Justification: Risk mitigation. Red flags: no cover for holiday pay/AWR liabilities, reliance on umbrella promises only.

Select answer

Upload evidence for HMRC

Insurance schedule, indemnity clauses

Short reason if answered N/A

Comments / Notes (Optional)

Section 12 – Insurance & Financial Resilience

This section ensures umbrella companies hold the legally required insurances and have financial safeguards in place to protect workers and agencies.

Insurance is critical to cover liabilities such as injury, holiday pay, AWR claims, or business interruption, especially if an umbrella collapses or faces enforcement action.

001. Does the umbrella hold valid Employers’ Liability (EL) Insurance in its own name? — Justification: Legal requirement under Employers’ Liability (Compulsory Insurance) Act 1969. Red flags: no EL insurance, expired certificate, policy held by another entity.

Select answer

Upload evidence for HMRC

EL insurance certificate

Short reason if answered N/A

Comments / Notes (Optional)

002. Is Public Liability (PL) Insurance in place covering worker and client risks? — Justification: Protects against claims from third parties. Red flags: no PL insurance, very low cover limits, umbrella relies on agency/end-hirer policy only.

Select answer

Upload evidence for HMRC

PL insurance schedule

Short reason if answered N/A

Comments / Notes (Optional)

003. Does the umbrella maintain Professional Indemnity (PI) Insurance (or equivalent) for payroll/compliance services? — Justification: Covers advisory and payroll errors. Red flags: no PI cover, exclusions for payroll services, cover held offshore.

Select answer

Upload evidence for HMRC

PI insurance certificate

Short reason if answered N/A

Comments / Notes (Optional)

004. Is there insurance or a financial safeguard in place for holiday pay, AWR, or statutory pay liabilities? — Justification: Protects worker entitlements. Red flags: no liability cover, reliance on cashflow only, history of unpaid holiday/AWR claims.

Select answer

Upload evidence for HMRC

Holiday pay liability insurance, indemnity clauses

Short reason if answered N/A

Comments / Notes (Optional)

005. Has the umbrella had any claims rejected, policies cancelled, or gaps in insurance cover in the last 3 years? — Justification: Tests resilience & history. Red flags: policy cancellations, ongoing disputes with insurers, repeated unpaid claims.

Select answer

Upload evidence for HMRC

Insurance claim logs, correspondence

Short reason if answered N/A

Comments / Notes (Optional)

006. Does the umbrella have a business continuity plan (BCP) covering payroll failure, cyberattacks, or insolvency? — Justification: Operational resilience. Red flags: no BCP, outdated plan, no testing of payroll contingency.

Select answer

Upload evidence for HMRC

BCP document, testing logs

Short reason if answered N/A

Comments / Notes (Optional)

007. Are there financial safeguards (e.g., reserves, trust accounts, escrow) to ensure worker wages and PAYE liabilities can be met if cashflow is disrupted? — Justification: Protects worker pay. Red flags: reliance on overdrafts, no reserves, history of missed HMRC deadlines.

Select answer

Upload evidence for HMRC

Bank statements, reserve policies, escrow agreements

Short reason if answered N/A

Comments / Notes (Optional)

008. If the umbrella offers credit terms to agencies, does it hold credit insurance (or equivalent protection) against agency default/insolvency? — Justification: Protects payroll continuity. Red flags: no credit insurance despite offering terms, reliance on unsecured debt, history of bad debt write-offs.

Select answer

Upload evidence for HMRC

Credit insurance certificate, policy schedule, factoring/recourse agreements

Short reason if answered N/A

Comments / Notes (Optional)

Section 13 – Cybersecurity & Payroll System Resilience

Umbrella companies process highly sensitive payroll and worker data (bank details, NI numbers, passports, visas).

Cyberattacks, ransomware, or weak IT controls can expose agencies and workers to fraud, identity theft, and payroll disruption.

This section ensures umbrellas maintain secure systems, external accreditation, and business continuity.

001. Does the umbrella hold external cybersecurity certification (e.g., Cyber Essentials, ISO 27001)? — Justification: Confirms baseline cyber hygiene. Red flags: no certification, expired or failed renewal.

Select answer

Upload evidence for HMRC

Certificates, audit reports

Short reason if answered N/A

Comments / Notes (Optional)

002. Are payroll/HR systems encrypted, access-controlled, and protected by multi-factor authentication (MFA)? — Justification: Protects worker data. Red flags: shared logins, no MFA, legacy systems without encryption.

Select answer

Upload evidence for HMRC

System access policy, screenshots

Short reason if answered N/A

Comments / Notes (Optional)

003. Has the umbrella suffered a cyberattack, ransomware event, or payroll system outage in the last 3 years? — Justification: Tests resilience. Red flags: repeated outages, unreported ICO breaches, no remedial action.

Select answer

Upload evidence for HMRC

ICO reports, incident logs

Short reason if answered N/A

Comments / Notes (Optional)

004. Is there a tested disaster recovery (DR) and business continuity plan (BCP) for payroll IT failure? — Justification: Ensures payroll continuity. Red flags: no backups, outdated plans, no testing logs.

Select answer

Upload evidence for HMRC

BCP documents, test results

Short reason if answered N/A

Comments / Notes (Optional)

005. Are third-party processors (pension, benefits, payroll software) vetted for cybersecurity resilience? — Justification: Extends protection down the chain. Red flags: unvetted suppliers, offshore providers with no assurance.

Select answer

Upload evidence for HMRC

Supplier vetting docs, due diligence logs

Short reason if answered N/A

Comments / Notes (Optional)

006. Have staff with access to payroll/worker data received cybersecurity & phishing awareness training? — Justification: Operational awareness. Red flags: no training logs, no refreshers, high phishing “click rates”.

Select answer

Upload evidence for HMRC

Training records, LMS logs

Short reason if answered N/A

Comments / Notes (Optional)

Section 14 – Business Continuity & Exit Planning

This section ensures umbrella companies and agencies are prepared for unexpected disruption — including insolvency, deregistration, payroll system failure, or sudden disengagement.

Proper continuity and exit planning protects workers, agencies, and end-hirers from unpaid wages, lost PAYE/NIC, and reputational damage.

001. Does the umbrella have a documented Business Continuity Plan (BCP) covering payroll failure, insolvency, and IT outages? — Justification: Operational resilience. Red flags: no BCP, generic templates, untested plans.

Select answer

Upload evidence for HMRC

BCP document, testing logs

Short reason if answered N/A

Comments / Notes (Optional)

002. Has the BCP been tested or simulated in the last 12 months? — Justification: Checks readiness. Red flags: BCP written but never tested, staff unaware of roles.

Select answer

Upload evidence for HMRC

Test records, simulation outcomes

Short reason if answered N/A

Comments / Notes (Optional)

003. Is there an exit strategy for transferring workers to another umbrella if the current one fails? — Justification: Protects worker pay. Red flags: no migration process, delays leaving workers unpaid, no agency notification plan.

Select answer

Upload evidence for HMRC

Exit/migration policy, contingency agreements

Short reason if answered N/A

Comments / Notes (Optional)

004. Can the umbrella provide agencies with real-time payroll data access (e.g., payslips, RTI, deductions) to support continuity in a transfer? — Justification: Data portability. Red flags: no data export capability, proprietary lock-in, refusal to share.

Select answer

Upload evidence for HMRC

Data access agreements, sample exports

Short reason if answered N/A

Comments / Notes (Optional)

005. Have agencies/end-hirers been briefed on how payroll and compliance records would be handed over on exit? — Justification: Transparency duty. Red flags: agencies kept in dark, records lost on collapse, poor communication.

Select answer

Upload evidence for HMRC

Client comms, handover protocols

Short reason if answered N/A

Comments / Notes (Optional)

006. Does the umbrella maintain financial reserves or escrow to cover at least one payroll cycle in case of disruption? — Justification: Protects worker pay. Red flags: reliance on overdraft, no reserves, past missed payrolls.

Select answer

Upload evidence for HMRC

Bank statements, escrow agreements

Short reason if answered N/A

Comments / Notes (Optional)

007. Have there been any previous insolvencies, phoenix exits, or sudden disengagements in group history? — Justification: Risk indicator. Red flags: repeat phoenixing, history of “disappearing” with unpaid liabilities.

Select answer

Upload evidence for HMRC

Companies House filings, insolvency records

Short reason if answered N/A

Comments / Notes (Optional)

Section 15 – Purported Umbrella Model Risk Checks

This section helps agencies confirm that the supplier is a genuine PAYE umbrella and not a disguised intermediary.

001. Is the umbrella named as the employer on the payslip and employment contract? — Justification: Confirms genuine employment. Red flags: agency or third-party named instead.

Select answer

Upload evidence for HMRC

Payslip + contract samples

Short reason if answered N/A

Comments / Notes (Optional)

002. Does the umbrella appear as the legal employer on the Bacs line for worker payment? — Justification: Validates payroll flow. Red flags: third-party names, offshore processors.

Select answer

Upload evidence for HMRC

BACS screenshots, payroll reports

Short reason if answered N/A

Comments / Notes (Optional)

003. Does the umbrella operate its own PAYE reference (not via a third party)? — Justification: PAYE legitimacy. Red flags: using another company’s PAYE, outsourced PAYE number.

Select answer

Upload evidence for HMRC

HMRC PAYE reference letter

Short reason if answered N/A

Comments / Notes (Optional)

004. Are Employer NIC and holiday pay costs borne by the umbrella, not deducted from worker gross pay? — Justification: Protects statutory rights. Red flags: employer NIC charged to workers, holiday “rolled into” margin.

Select answer

Upload evidence for HMRC

Payslip breakdowns, audit logs

Short reason if answered N/A

Comments / Notes (Optional)

005. Does the umbrella provide Employers’ Liability Insurance in its own name? — Justification: Confirms employer accountability. Red flags: no EL certificate, cover held by another entity.

Select answer

Upload evidence for HMRC

EL insurance certificate

Short reason if answered N/A

Comments / Notes (Optional)

006. Can the umbrella evidence genuine employment obligations (holiday accrual, pension auto-enrolment)? — Justification: Prevents disguised models. Red flags: no pension, no holiday tracking, “zero-rights” contracts.

Select answer

Upload evidence for HMRC

Enrolment logs, holiday records

Short reason if answered N/A

Comments / Notes (Optional)

007. Does the umbrella avoid use of loans, advances, rebates, or non-PAYE elements in worker pay? — Justification: Detects disguised remuneration. Red flags: payslip references to “loan” or “advance”.

Select answer

Upload evidence for HMRC

Payslip audit, model declaration

Short reason if answered N/A

Comments / Notes (Optional)

Section 16 – Final Declaration and Signoff

This section captures accountability, confirms that the audit has been reviewed by a responsible person, and provides a complete audit trail for agencies, end-hirers, and regulators.

It ensures commitment to compliance and transparency under the Criminal Finances Act 2017, JSL 2026 regime, and wider HMRC supply chain expectations.

Final Declaration and Agency Signoff

I, the undersigned, hereby confirm the following on behalf of the agency:

1) I have reviewed this self-audit in full and believe it to be complete, accurate, and evidence-based.
2) I confirm that all supporting documentation, contracts, policies, and audit records have been reviewed, retained, and can be provided to HMRC, end-hirers, or other regulators on request.
3) I understand that these findings may be shared across the supply chain, including with HMRC, GLAA, or other statutory bodies as part of compliance requirements.
4) I agree to notify relevant parties of any material risks, changes, or non-compliance identified after this declaration, and will review this declaration at least annually or upon contract renewal.
5) This declaration reflects our agency’s commitment to transparency, accountability, and compliance with tax law, employment law, and labour supply chain assurance obligations.