Agency Umbrella CIS Audit

Important Information

This audit supports agencies in reviewing CIS umbrella suppliers within their labour supply chains.

It is designed to demonstrate reasonable and proportionate due diligence, aligned with HMRC CIS340, the Criminal Finances Act 2017, and the forthcoming Joint & Several Liability (JSL) regime from 2026.

It helps agencies evidence compliance, mitigate tax and reputational risk, and ensure that worker engagement models are lawful and transparent.

Scope of Assurance

The audit focuses on key control areas:

  • Corporate integrity – structure, directors, registrations (UTR, VAT, PAYE)
  • Employment status checks – CIS subcontractor assessments, SDC compliance
  • CIS tax compliance – correct deductions, RTI, and remittance to HMRC
  • Fraud prevention – detection of mini umbrella, phoenix, or payroll layering risks
  • Hybrid/payroll models – segregation of PAYE vs CIS, substitution clauses, third-party payrolling
  • Readiness for JSL – traceability, escalation, and governance procedures

Agency Expectations

Agencies may be required to evidence that they:

  • Conduct structured due diligence on all CIS umbrella suppliers
  • Retain evidence of worker status, payments, and audit trails (not just declarations)
  • Identify and escalate non-compliant or high-risk practices (e.g., hybrid models, undisclosed PAYE, excessive subcontracting)
  • Apply contractual controls, audit rights, and disengagement processes to support HMRC or legal scrutiny

Note on High-Risk Models

Enhanced scrutiny is required where suppliers use:

  • Unclear employment status or disguised employment
  • Hybrid PAYE/CIS arrangements
  • Substitution clauses that lack credibility
  • Outsourced/third-party payroll structures

Evidence Expectations

In an HMRC audit, superficial responses will not meet compliance standards.

Tick-box exercises without supporting documentation are insufficient and may not satisfy HMRC or regulator expectations.

Agencies may be asked to provide:

  • Contracts, KIDs, onboarding scripts, pay breakdowns
  • Risk assessments, IR35/SDS logs, onboarding due diligence
  • Third-party audit outcomes, governance records, and escalation logs
  • Mini umbrella red flag checks, VAT/Kittel assurance, and group structure disclosures

By using the form, you acknowledge acceptance of OPRaaS LTD’s data handling policies and terms and conditions of use.

info@opraas.co.uk

User and Company Details

Please enter the company details for the entity you are auditing. If you are performing a Self-Assessment, please insert your own company details here. Each audit question below is answered from a drop-down; upload the supporting evidence for HMRC, give a short reason where the answer is N/A, and add comments or notes if needed.

Section 1 – Legal Entity & Controllers

This section confirms that the CIS umbrella supplier is a properly registered and transparent legal entity with fit-and-proper directors.

Weaknesses here indicate phoenixing, offshore control, or governance risk.


Legal Entity & Controllers

001. Has the umbrella provided its legal name and Companies House registration number? — Justification: Confirms legal identity. Red flags: trading names only, no CH record.

Evidence for HMRC: Certificate of Incorporation, CH extract

002. Has the umbrella confirmed its UTR and CIS registration? — Justification: Confirms HMRC recognition as a CIS operator. Red flags: no CIS registration.

Evidence for HMRC: HMRC UTR letter, CIS registration notice

003. Has the umbrella confirmed its VAT registration and provided its VAT number? — Justification: Ensures VAT legitimacy. Red flags: deregistration, mismatched name/number.

Evidence for HMRC: VAT certificate, GOV.UK VAT checker printout

004. Have all umbrella directors, PSCs and shadow directors been disclosed? — Justification: Confirms transparency of control. Red flags: hidden or nominee directors.

Evidence for HMRC: CH PSC register, shareholder records

005. Are any umbrella directors or PSCs overseas-based or using non-UK addresses? — Justification: Flags offshore control or tax evasion risk.

Evidence for HMRC: Passport/ID, address verification

006. Have you confirmed no directors are disqualified from directorship? — Justification: Ensures fitness to manage. Red flags: Insolvency Service bans.

Evidence for HMRC: CH disqualification search, declarations

007. Have directors/PSCs been screened for insolvency, phoenix activity or financial misconduct? — Justification: Protects against phoenixing and reputational risk.

Evidence for HMRC: Insolvency records, CH event log

008. Have there been changes to name, directors, or registered office in the past 12 months? — Justification: Frequent changes indicate control instability or phoenix risk.

Evidence for HMRC: CH event history

009. Does the umbrella hold current industry accreditation (e.g. FCSA, Professional Passport)? — Justification: Demonstrates external oversight. Red flag: expired or none.

Evidence for HMRC: Membership certificate, audit report

Section 2 – Banking, Money Flows & Outsourcing

This section ensures CIS umbrella income and deductions flow transparently through the correct UK bank accounts and that no outsourcing arrangements conceal risks.

🚩Red Flags

HMRC highlight offshore accounts, third-party payments, and complex layering as fraud red flags.

Banking, Money Flows & Outsourcing

001. Are all CIS worker payments made from a UK business bank account in the umbrella’s legal name? — Justification: Confirms legitimacy. Red flags: personal, offshore, or third-party accounts.

Evidence for HMRC: Bank statement, BACS screenshots

002. Do invoice and payment bank details match the registered umbrella entity? — Justification: Prevents diversion of funds. Red flags: mismatch with CH records.

Evidence for HMRC: Invoices, bank confirmation

003. Has the umbrella disclosed any subcontractors used for CIS or payroll processing? — Justification: Ensures supply chain transparency. Red flags: undisclosed intermediaries.

Evidence for HMRC: Subcontractor list, service contracts

004. Has due diligence been carried out on subcontractors (UTR, VAT, PAYE, directors)? — Justification: Prevents upstream fraud or disguised Mini Umbrella Company (MUC) structures.

Evidence for HMRC: Subcontractor DD reports

005. Are compliance and payroll functions independent of sales/commercial teams? — Justification: Prevents sales overriding compliance. Red flag: commissions linked to onboarding.

Evidence for HMRC: Org chart, job descriptions

006. Are any outsourced payroll/finance providers disclosed and contractually accountable? — Justification: Avoids hidden intermediaries or purported umbrella risk.

Evidence for HMRC: Outsourcing contracts, SLA

007. Are compliance overrides (e.g. forced onboarding) logged and independently reviewed? — Justification: Tracks governance breaches. Red flag: unrecorded overrides.

Evidence for HMRC: Override register, governance minutes

008. Do agency/client remittances reconcile to the umbrella’s bank receipts (entity name and account)? — Justification: Catches diverted funds.

Evidence for HMRC: Remittance and bank statement match

Section 3 – CIS Integrity – Deductions, RTI & Submissions

This section tests whether the umbrella correctly applies CIS rules, deducts and remits tax, and files RTI/CIS returns on time.

Failures here are high-risk, linking directly to HMRC penalties, debt transfer under the Kittel principle, and future JSL liability.

CIS Integrity – Deductions, RTI & Submissions

001. Are Umbrella CIS deductions calculated in line with HMRC rules and guidance (CIS340)? — Justification: Confirms correct tax treatment. Red flag: flat-rate or estimated deductions.

Evidence for HMRC: Payroll records, deduction breakdowns

002. Are CIS deductions remitted to HMRC on time each month? — Justification: Protects against tax loss. Red flag: arrears or late payments.

Evidence for HMRC: Bank payment logs, HMRC receipts

003. Are CIS monthly returns filed accurately and on time? — Justification: Timely compliance. Red flag: missed deadlines, penalties.

Evidence for HMRC: CIS portal confirmations, HMRC letters

004. Does the umbrella retain subcontractor verification results (gross/net status)? — Justification: Confirms HMRC authorisation. Red flag: no evidence of verification.

Evidence for HMRC: HMRC CIS verification logs

005. Where Umbrella PAYE schemes are operated, are RTI submissions accurate and consistent with CIS records and payments? — Justification: Ensures alignment of PAYE/NI vs CIS. Red flag: mismatches.

Evidence for HMRC: RTI submission receipts, payroll reports

006. Have there been any HMRC penalties, disputes, or investigations linked to CIS returns in the last 12 months? — Justification: Flags repeat errors or non-compliance.

Evidence for HMRC: HMRC correspondence, penalty notices

007. Is there an internal control process for reviewing CIS calculations and RTI filings (e.g. monthly audit)? — Justification: Demonstrates governance. Red flag: unchecked filings.

Evidence for HMRC: Internal review logs, audit reports

008. Are digital CIS and RTI records securely stored and audit-ready for HMRC inspection? — Justification: Confirms audit traceability.

Evidence for HMRC: System screenshots, access policy

Section 4 – Worker Contracts, Pay & Deductions

This section ensures that CIS umbrella contracts and pay processes clearly establish self-employment, margin transparency, and tax compliance.

Failures here risk disguised employment, hidden PAYE models, or unlawful deductions — all of which could expose agencies to HMRC challenge or JSL liability.

Worker Contracts, Pay & Deductions

001. Is every CIS worker issued with a self-employed subcontractor contract? — Justification: Confirms correct legal status. Red flag: no written contract or employment-style terms.

Evidence for HMRC: Signed contracts, contract template

002. Do contracts include a valid right of substitution clause? — Justification: Key test of genuine self-employment. Red flag: impractical or restricted substitution.

Evidence for HMRC: Contract clauses

003. Do contracts exclude mutuality of obligation (MOO)? — Justification: Ensures no expectation of ongoing work. Red flag: continuous employment-like obligations.

Evidence for HMRC: Worker agreements

004. Do contracts specify that the worker carries liability for defects or rework? — Justification: Confirms commercial risk. Red flag: no liability clause.

Evidence for HMRC: Contract terms

005. Do contracts deny entitlement to statutory employee rights (e.g. sick pay, holiday pay)? — Justification: Clarifies self-employed status. Red flag: disguised employment.

Evidence for HMRC: Contract clauses

006. Is the umbrella’s margin clearly disclosed to the worker in financial illustrations? — Justification: Promotes transparency. Red flag: hidden deductions.

Evidence for HMRC: KID, margin breakdown

007. Do financial illustrations include assumptions (e.g. hours, rates) and a disclaimer that figures are estimates? — Justification: Prevents mis-selling. Red flag: misleading take-home claims.

Evidence for HMRC: Pay illustration documents

008. Are “pay-when-paid” clauses prohibited in contracts? — Justification: Ensures worker income is not contingent on upstream payments.

Evidence for HMRC: Contract clauses

009. Are updated contracts or project variations provided when required? — Justification: Demonstrates transparency and traceability.

Evidence for HMRC: Contract amendment logs

Section 5 – Identity, Right-to-Work & Data Protection

This section ensures that every CIS worker has the legal right to work in the UK and that sensitive worker data is processed lawfully.

Weaknesses here can result in illegal working, modern slavery risks, or ICO investigations under GDPR.

Agencies are jointly responsible for ensuring checks are robust, documented, and audit-ready.

Identity, Right-to-Work & Data Protection

001. Are right-to-work (RTW) checks conducted for every CIS worker before engagement? — Justification: Prevents illegal working. Red flag: missing RTW records.

Evidence for HMRC: Passport/visa copies, RTW logs

002. Are ID documents verified against government-approved databases or tools? — Justification: Ensures authenticity. Red flag: forged or inconsistent IDs.

Evidence for HMRC: ID check system reports, audit logs

003. Are RTW and ID records securely stored with controlled access? — Justification: Prevents data breaches. Red flag: unsecured or paper-only storage.

Evidence for HMRC: Access policy, system screenshots

004. Does the umbrella maintain a GDPR Article 30 Record of Processing Activities (RoPA)? — Justification: Required for lawful data processing. Red flag: no RoPA register.

Evidence for HMRC: RoPA register, system evidence

005. Have all third-party data processors (e.g. payroll, pensions, benefits) been mapped? — Justification: Confirms supply chain transparency. Red flag: unknown processors.

Evidence for HMRC: Processor inventory, supply chain map

006. Are Data Processing Agreements (DPAs) in place with third-party providers? — Justification: Protects against liability for breaches. Red flag: unsigned or outdated DPAs.

Evidence for HMRC: Executed DPAs, contract clauses

007. Are digital worker records version-controlled and audit-ready for HMRC/ICO inspection? — Justification: Confirms compliance and readiness. Red flag: no audit trail.

Evidence for HMRC: System logs, versioning reports

008. Has the umbrella provided evidence of ICO registration? — Justification: Legal requirement for processing worker data. Red flag: no registration.

Evidence for HMRC: ICO certificate, register search

Section 6 – Modern Slavery Risk Oversight

This section confirms that the CIS umbrella has robust measures to prevent, detect, and report modern slavery or labour exploitation.

Construction and CIS supply chains are high-risk categories.

Weak controls here expose agencies and umbrellas to legal breaches under the Modern Slavery Act 2015, reputational damage, and potential GLAA investigation.

Modern Slavery Risk Oversight

001. Does the umbrella have a formal Modern Slavery & Worker Safeguarding Policy? — Justification: Confirms policy framework. Red flag: no policy or outdated statement.

Evidence for HMRC: Policy document, staff handbook

002. Are umbrella staff trained to identify red flags of exploitation (e.g. debt bondage, shared accounts, coercion)? — Justification: Prevents exploitation. Red flag: no training logs.

Evidence for HMRC: Training records, LMS logs

003. Are workers given confidential channels to report concerns (hotline, whistleblowing)? — Justification: Enables early detection. Red flag: no reporting route.

Evidence for HMRC: Hotline info, comms material

004. Does the umbrella monitor shared bank accounts, addresses or unusual contact details across workers? — Justification: Detects forced labour patterns. Red flag: clustering of accounts.

Evidence for HMRC: Payroll system reports

005. Have any suspected cases of exploitation been escalated in the past 12 months? — Justification: Demonstrates active risk management. Red flag: no process for escalation.

Evidence for HMRC: Incident logs, referral evidence

006. Is worker accommodation voluntary and not tied to employment/deductions? — Justification: Prevents bonded labour. Red flag: compulsory or deducted accommodation.

Evidence for HMRC: Worker declarations, deduction logs

007. Are on-site checks or worker interviews carried out to confirm no SDC or coercion? — Justification: Protects independence of status. Red flag: workers reporting supervision under duress.

Evidence for HMRC: Worker surveys, interview notes

Section 7 – Tax & Model-Risk Assurance (VAT, MUC, IR35/Hybrid, Purported Umbrella)

This section ensures the CIS umbrella is not exposing agencies to VAT fraud (Missing Trader/Carousel), Mini Umbrella Company (MUC) risks, or disguised remuneration.

It also checks readiness for the 2026 reforms on “purported umbrellas”, where entities claim umbrella status but fail to operate as genuine employers.

Failures here risk HMRC penalties, VAT denial under the Kittel principle, and future JSL liability.

Tax & Model-Risk Assurance (VAT, MUC, IR35/Hybrid, Purported Umbrella)

001. Can the umbrella confirm its VAT registration is valid and active? — Justification: Confirms legitimacy. Red flag: deregistration or mismatched VAT number.

Evidence for HMRC: VAT certificate, GOV.UK VAT checker

002. Does the umbrella apply the Domestic Reverse Charge (DRC) correctly when invoicing under CIS? — Justification: Prevents VAT exposure. Red flag: misapplied VAT on construction services.

Evidence for HMRC: Sample CIS invoices, DRC policy

003. Are all input VAT claims supported by valid, VAT-eligible expenses and invoices? — Justification: Prevents fraudulent VAT recovery.

Evidence for HMRC: VAT ledger, expense invoices

004. Has the umbrella or related companies ever been subject to HMRC VAT veto, tax loss, or deregistration notices? — Justification: Flags phoenix/Missing Trader risk.

Evidence for HMRC: HMRC correspondence, declarations

005. Are umbrella directors and compliance staff trained on the Kittel principle (supply chain VAT fraud liability)? — Justification: Demonstrates awareness. Red flag: no training records.

Evidence for HMRC: Training logs, signed acknowledgements

006. Has the umbrella screened its PAYE or CIS schemes for Mini Umbrella Company (MUC) indicators (fragmentation, multiple PAYE refs)? — Justification: Prevents disguised structures.

Evidence for HMRC: Scheme overview, MUC red flag checklist

007. If multiple PAYE/CIS schemes exist, is the rationale documented and legitimate? — Justification: Detects artificial fragmentation.

Evidence for HMRC: Scheme mapping, explanation log

008. Does the umbrella operate or promote hybrid models (e.g. PAYE + CIS for same engagement)? — Justification: High risk of misclassification. Red flag: “switchable” pay modes.

Evidence for HMRC: Worker contracts, onboarding scripts

009. If hybrid or borderline models exist, has the umbrella sought legal/tax advice? — Justification: Provides assurance.

Evidence for HMRC: Legal opinions, advisory letters

010. Do CIS contracts and pay statements identify the worker as a subcontractor (not an employee)? — Justification: Confirms CIS model. Red flag: umbrella listed as employer.

Evidence for HMRC: Contracts, remittance statements

011. Does the umbrella avoid applying PAYE-style deductions (Employer NIC, holiday pay, pensions) to CIS workers? — Justification: Prevents disguised employment.

Evidence for HMRC: Contract terms, deduction audit

012. Does the umbrella avoid loans, advances, rebates, or non-CIS pay elements? — Justification: Prevents disguised remuneration.

Evidence for HMRC: Payslip audit, model declaration

013. Has the agency independently reviewed the umbrella’s payroll/tax structure (not just relied on declarations)? — Justification: Confirms active oversight. Red flag: blind reliance on self-certification.

Evidence for HMRC: Audit notes, compliance reports

Section 8 – CITB Levy & Lodge Payments

This section ensures CIS umbrellas comply with Construction Industry Training Board (CITB) levy rules and apply lodge payments only where permitted.

Failures here risk levy evasion exposure, HMRC challenge, or loss of audit traceability.

CITB Levy & Lodge Payments

001. Is the umbrella registered with the CITB levy scheme (where applicable)? — Justification: Confirms statutory levy recognition. Red flag: trading in scope but not registered.

Evidence for HMRC: CITB registration letter

002. Does the umbrella retain CIS workforce and payroll records suitable for CITB audits? — Justification: Ensures audit readiness. Red flag: incomplete or inconsistent records.

Evidence for HMRC: Payroll reports, subcontractor registers

003. Has the umbrella undergone a recent CITB audit or spot check? — Justification: Confirms external oversight. Red flag: failed or absent audit history.

Evidence for HMRC: CITB audit letter, correspondence

004. Are policies in place to prevent levy misclassification of roles? — Justification: Prevents underpayment. Red flag: blanket exclusions.

Evidence for HMRC: Internal guidance, levy checklist

Section 9 – Expenses & Reimbursement Compliance

This section ensures that CIS umbrellas only reimburse legitimate expenses, supported by evidence, and do not use expenses to disguise income.

HMRC highlight this as a fraud risk in CIS supply chains.

Expenses & Reimbursement Compliance

001. Are expenses reimbursed only when genuinely incurred and evidenced? — Justification: Prevents disguised income. Red flag: flat-rate expense allowances.

Evidence for HMRC: Receipts, claim forms

002. Does the umbrella collect and retain itemised receipts for all expense claims? — Justification: Confirms audit trail. Red flag: no receipts.

Evidence for HMRC: Receipt logs, ledger

003. Are expenses validated against HMRC rules and policies? — Justification: Ensures tax compliance. Red flag: blanket approvals.

Evidence for HMRC: Expense policy, validation logs

004. Is home-to-work travel excluded from tax-free treatment unless HMRC “temporary workplace” test applies? — Justification: Prevents disguised remuneration. Red flag: home-to-site travel reimbursed.

Evidence for HMRC: Travel policy, payslip samples

005. Do umbrella workers receive clear written guidance on allowable expenses? — Justification: Prevents confusion and misclaims. Red flag: no guidance.

Evidence for HMRC: Worker expense guide

006. Are expense claims subject to internal audits or spot checks? — Justification: Confirms quality assurance. Red flag: no monitoring.

Evidence for HMRC: Audit logs, compliance reports

007. Are lodge payments only made under HMRC exemptions or Working Rule Agreements (WRA)? — Justification: Ensures compliance. Red flag: lodge paid without exemption.

Evidence for HMRC: Worker declarations, WRA policy

008. Are signed lodge allowance forms retained for workers receiving accommodation support? — Justification: Maintains audit trail. Red flag: cash lodge with no forms.

Evidence for HMRC: Signed forms, audit log

009. Are lodge payments only made where the “temporary workplace” test is satisfied? — Justification: Prevents disguised remuneration. Red flag: lodge paid for permanent sites.

Evidence for HMRC: Job role mapping, site travel records

Section 10 – Criminal Finances Act 2017 (CFA) – Reasonable Prevention Procedures


Criminal Finances Act 2017 (CFA) – Reasonable Prevention Procedures

001. Has the umbrella conducted a documented CFA 2017 risk assessment covering tax evasion facilitation risks? — Justification: Confirms legal compliance. Red flag: no risk assessment or out-of-date document.

Evidence for HMRC: CFA risk assessment report

002. Is the umbrella risk assessment reviewed annually or following material business changes? — Justification: Ensures controls remain current. Red flag: one-off assessment only.

Evidence for HMRC: Review logs, board minutes

003. Does the umbrella operate a formal tax evasion prevention policy? — Justification: Required as “reasonable procedures.” Red flag: no policy published.

Evidence for HMRC: Policy document, staff handbook

004. Have all relevant staff (directors, payroll, onboarding, compliance) been trained on CFA 2017 risks? — Justification: Demonstrates awareness. Red flag: no training records.

Evidence for HMRC: Training logs, LMS completion records

005. Has the umbrella named a compliance officer or escalation route for CFA concerns? — Justification: Confirms governance accountability. Red flag: no assigned officer.

Evidence for HMRC: Role description, org chart

006. Are suspected breaches, near misses, or facilitation attempts logged and escalated? — Justification: Demonstrates active monitoring. Red flag: no breach register.

Evidence for HMRC: Incident logs, escalation reports

007. Is there an umbrella whistleblowing or hotline process for staff/workers to report suspected facilitation? — Justification: Encourages early detection. Red flag: no reporting route.

Evidence for HMRC: Whistleblowing policy, hotline info

008. Are CFA policies and controls tested periodically (e.g. scenario planning, mock audits)? — Justification: Shows resilience and readiness. Red flag: untested policies.

Evidence for HMRC: Test results, compliance reports

Section 11 – Insurance & Financial Resilience

This section checks whether the umbrella has adequate insurance cover to protect agencies and workers against financial loss, and whether it demonstrates financial resilience.

HMRC and clients expect umbrellas to hold valid insurance and to be free of outstanding penalties or disputes.

Weaknesses here increase risk exposure if liabilities arise.

Insurance & Financial Resilience

001. Does the umbrella hold valid Professional Indemnity (PI) insurance? — Justification: Protects against negligence claims. Red flag: no PI cover.

Evidence for HMRC: PI certificate, policy schedule

002. Does the umbrella hold valid Employers’ Liability (EL) insurance (where relevant)? — Justification: Covers “grey area” worker claims. Red flag: no EL policy despite PAYE fallback.

Select answer

Upload evidence for HMRC

EL certificate

Short reason if answered N/A

Comments / Notes (Optional)

003. Does the umbrella hold valid Public Liability (PL) insurance? — Justification: Protects against injury/property damage claims. Red flag: expired PL cover.

Select answer

Upload evidence for HMRC

PL certificate

Short reason if answered N/A

Comments / Notes (Optional)

004. Do PI/EL/PL policies include appropriate indemnity limits and any required run-off cover? — Justification: Ensures cover is adequate and continuous. Red flag: limits below sector norms or no run-off cover.

Select answer

Upload evidence for HMRC

Schedules with limits/endorsements

Short reason if answered N/A

Comments / Notes (Optional)

005. Does the umbrella hold Credit Insurance (or other cover for client insolvency risk)? — Justification: Supports continuity of worker payments. Red flag: no cover for insolvency exposure.

Select answer

Upload evidence for HMRC

Credit policy, broker confirmation

Short reason if answered N/A

Comments / Notes (Optional)

006. Are all insurance policies current, with coverage limits appropriate to business size and risk? — Justification: Confirms adequacy. Red flag: lapsed or minimal cover.

Select answer

Upload evidence for HMRC

Insurance schedules, renewal notices

Short reason if answered N/A

Comments / Notes (Optional)

007. Does the umbrella have any outstanding HMRC penalties or disputes related to CIS or VAT? — Justification: Flags financial and compliance risk. Red flag: unresolved penalties.

Select answer

Upload evidence for HMRC

HMRC correspondence, penalty log

Short reason if answered N/A

Comments / Notes (Optional)

008. Has the umbrella demonstrated financial resilience (e.g. filed accounts, no overdue filings)? — Justification: Provides confidence in stability. Red flag: overdue Companies House (CH) accounts.

Select answer

Upload evidence for HMRC

Companies House filings, management accounts

Short reason if answered N/A

Comments / Notes (Optional)


Section 12 – Business Continuity, Cybersecurity & Exit Planning

This section ensures that the CIS umbrella has systems in place to maintain payroll and compliance continuity, protect sensitive worker data, and transfer records securely if operations cease.

Failures here can cause payment delays, data breaches, or loss of evidence required by HMRC, exposing agencies to financial and reputational risk.

Business Continuity, Cybersecurity & Exit Planning

001. Does the umbrella have a documented Business Continuity Plan (BCP) covering CIS payroll disruption (e.g. IT outage, insolvency)? — Justification: Ensures worker payments continue. Red flag: no BCP.

Select answer

Upload evidence for HMRC

BCP document, board approval

Short reason if answered N/A

Comments / Notes (Optional)

002. Are CIS payroll systems backed up regularly and tested for recovery? — Justification: Protects against data loss. Red flag: no backup logs.

Select answer

Upload evidence for HMRC

Backup schedules, test reports

Short reason if answered N/A

Comments / Notes (Optional)

003. Are umbrella cybersecurity controls in place (e.g. data encryption, firewalls, access restrictions)? — Justification: Prevents unauthorised access to sensitive data. Red flag: weak IT controls.

Select answer

Upload evidence for HMRC

IT security policy, penetration test reports

Short reason if answered N/A

Comments / Notes (Optional)

004. Is umbrella system access restricted by user role, with change logs and audit trails? — Justification: Protects integrity of payroll data. Red flag: unrestricted admin access.

Select answer

Upload evidence for HMRC

Access control logs

Short reason if answered N/A

Comments / Notes (Optional)

005. Has the umbrella registered with the ICO as a data processor and conducted GDPR risk assessments for systems? — Justification: Confirms lawful data handling. Red flag: no ICO registration.

Select answer

Upload evidence for HMRC

ICO certificate, GDPR risk register

Short reason if answered N/A

Comments / Notes (Optional)

006. Does the umbrella have an exit plan for transferring CIS records and audit trails to agencies/HMRC if it ceases trading? — Justification: Prevents data loss in closure. Red flag: no exit plan.

Select answer

Upload evidence for HMRC

Exit plan, contract clauses

Short reason if answered N/A

Comments / Notes (Optional)

007. Are umbrella CIS and payroll records stored securely and retained for HMRC’s required 3–6 year period? — Justification: Ensures regulatory compliance. Red flag: early deletion.

Select answer

Upload evidence for HMRC

Record retention policy

Short reason if answered N/A

Comments / Notes (Optional)

Section 13 – Agency Governance & Oversight

This section ensures the agency itself is actively managing CIS umbrella risk, not simply relying on supplier declarations.

HMRC’s Labour Supply Chain Due Diligence guidance and the 2026 Joint & Several Liability regime expect agencies to evidence their own oversight.

Weaknesses here may result in liability for umbrella failings, reputational damage, or regulatory penalties.

Agency Governance & Oversight

001. Does the agency have a written due diligence policy for CIS umbrella providers? — Justification: Confirms structured approach. Red flag: ad hoc or undocumented checks.

Select answer

Upload evidence for HMRC

Policy document, board approval

Short reason if answered N/A

Comments / Notes (Optional)

002. Do agency–umbrella contracts include clauses requiring compliance with CIS340, CFA 2017, and JSL 2026? — Justification: Embeds compliance into commercial terms. Red flag: generic or missing clauses.

Select answer

Upload evidence for HMRC

Contract extracts, SLAs

Short reason if answered N/A

Comments / Notes (Optional)

003. Has the agency retained its own audit notes (not just relied on umbrella self-certifications)? — Justification: Demonstrates independent oversight. Red flag: tick-box reliance only.

Select answer

Upload evidence for HMRC

Audit logs, assurance reports

Short reason if answered N/A

Comments / Notes (Optional)

004. Is there an escalation process if non-compliance is identified (e.g. remediation, disengagement)? — Justification: Ensures active risk management. Red flag: no process for handling breaches.

Select answer

Upload evidence for HMRC

Escalation policy, incident records

Short reason if answered N/A

Comments / Notes (Optional)

005. Does the agency periodically review umbrella compliance (e.g. annual re-audit, spot checks)? — Justification: Confirms continuous oversight. Red flag: one-off onboarding only.

Select answer

Upload evidence for HMRC

Audit schedule, monitoring reports

Short reason if answered N/A

Comments / Notes (Optional)

Section 14 – Complaints & Worker Grievances

This section confirms that CIS umbrellas provide workers with accessible, fair, and transparent routes to raise concerns or disputes.

Even though workers are subcontractors, HMRC and regulators expect agencies to ensure workers can challenge incorrect deductions, mistreatment, or unethical practices.

Weak controls here increase risks of exploitation, reputational damage, and regulatory intervention.

Complaints & Worker Grievances

001. Does the umbrella have a documented complaints and grievance procedure available to workers? — Justification: Confirms fair treatment. Red flag: no documented process.

Select answer

Upload evidence for HMRC

Policy, worker handbook

Short reason if answered N/A

Comments / Notes (Optional)

002. Are umbrella workers informed of the complaints procedure at onboarding (e.g. handbook, induction pack)? — Justification: Ensures transparency. Red flag: workers unaware of how to complain.

Select answer

Upload evidence for HMRC

Onboarding pack, comms material

Short reason if answered N/A

Comments / Notes (Optional)

003. Are complaints logged, investigated, and resolved within reasonable timeframes? — Justification: Demonstrates accountability. Red flag: no complaint logs or unresolved disputes.

Select answer

Upload evidence for HMRC

Complaints register, resolution reports

Short reason if answered N/A

Comments / Notes (Optional)

004. Is there a process for escalation (e.g. to agency or independent body) if the worker is not satisfied with the umbrella’s response? — Justification: Provides worker protection. Red flag: closed loop with no external route.

Select answer

Upload evidence for HMRC

Escalation policy, comms evidence

Short reason if answered N/A

Comments / Notes (Optional)

005. Are grievance records retained and auditable for review by the agency or HMRC? — Justification: Confirms oversight. Red flag: no documentation of complaints handling.

Select answer

Upload evidence for HMRC

Records of complaints, audit trail

Short reason if answered N/A

Comments / Notes (Optional)

Section 12 – Final Declaration and Signoff

Captures accountability and ensures the umbrella formally signs off on the audit, confirming commitment to truthful responses and future compliance cooperation.

Final Declaration and Agency Signoff

I, the undersigned, hereby confirm the following on behalf of the agency:

1) I have reviewed this self-audit in full and believe it to be complete, accurate, and evidence-based.

2) I confirm that all supporting documentation, contracts, policies, and audit records have been reviewed and retained.

3) I understand that these findings may be shared with HMRC or other regulators as part of statutory or compliance requirements.

4) I agree to notify relevant parties of any material risks, changes, or non-compliance identified after this declaration.

5) This declaration reflects our agency’s commitment to transparency, accountability, and compliance with tax law, employment law, and labour supply chain assurance obligations.
