Linkedin-in
(Guest)

LSCA End-Hirer's Audit Dashboard

Start, complete, revisit, analyse, store, print or send your essential Agency LSCA Audits by choosing from the menu below.

End-Hirer Self-Assessment Audit

Important Information

This End-Hirer Self-Assessment has been developed to assist organisations in evidencing compliance with their responsibilities under the Criminal Finances Act 2017, the Modern Slavery Act 2015, Off-Payroll Working (IR35) reforms, and HMRC’s Labour Supply Chain Due Diligence requirements.

It evaluates internal governance over supply chain compliance, payroll transparency, contractor classification, and risk management practices.

New from April 2026:

HMRC’s upcoming legislation introduces Joint and Several Liability for unpaid PAYE and NICs when non-compliant umbrella companies are used.

Liability will apply to the umbrella and the top agency or end-client, with no statutory defence, even if due diligence checks were performed.

End-hirers must now show clear oversight of umbrella arrangements, including:

  • Use of a vetted PSL
    Payslip monitoring to flag disguised remuneration or skimming
  • Exit from high-risk or legacy umbrella setups
  • Documented action against suspected non-compliance

These duties build on — not replace — existing obligations under the Criminal Finances Act, IR35, and HMRC’s labour supply chain guidance

If completed accurately and with documentary support, this self-assessment helps demonstrate:

  • That the end-hirer has implemented “reasonable procedures” to prevent the facilitation of tax evasion
  • That effective controls are in place to prevent disguised remuneration, mini umbrella models, and non-compliant intermediaries
  • That the end-hirer exercises informed oversight of their contingent workforce, in line with regulatory and ethical standards
  • However, this self-assessment must reflect real and verifiable practice.

HMRC or commercial audits may request:

  • Labour supply contracts, KIDs, pay reconciliation records, and onboarding documentation
  • Internal audit logs, SDC and IR35 determinations, and third-party audit reports
  • Evidence of due diligence on PSL members and reporting processes for non-compliance

Evidence Expectations

Superficial completion without proper evidence will not meet legal obligations.

Enhanced scrutiny applies in high-risk areas – including the use of multiple tiers in the supply chain, non-standard pay models, or vulnerable worker cohorts.

By using the form, you acknowledge acceptance of OPRaaS LTD’s data handling policies and terms and conditions of use.

info@opraas.co.uk

User and Company Details

Please enter the company details for the entity you are auditing.  If you are performing a Self-Assessment, please insert your own company details here.

Section 1 – CFA 2017 & Risk Assessment

This section ensures the end-hirer meets its obligations under the Criminal Finances Act 2017 (Corporate Criminal Offence – CCO), which makes businesses criminally liable if they fail to prevent associated persons (including agencies, umbrella companies, or subcontractors) from facilitating tax evasion.

To demonstrate compliance, the organisation must evidence “reasonable prevention procedures.”

This includes:

  • A formal policy and governance structure
  • A documented risk assessment covering labour supply chain risks
  • Communication of CFA responsibilities across the business and supply chain
  • Training for staff and relevant suppliers
  • Whistleblowing and escalation mechanisms
  • Regular monitoring and review to keep procedures proportionate and up to date.

Failure to do so risks criminal liability, unlimited fines, reputational harm, and regulatory enforcement.

CFA 2017 & Risk Assessment

001. Does your organisation have a formal CFA 2017 / CCO policy and risk assessment process in place? — Justification: Establishes core compliance framework. Red flag: No policy or informal/unwritten approach = no “reasonable procedures” defence.

Select answer

Upload evidence for HMRC

Policy document, risk register

Short reason if answered N/A

Comments / Notes (Optional)

002. Has a documented risk assessment been conducted to identify facilitation risks across business units, finance, procurement, and the labour supply chain? — Justification: Identifies realistic exposure points. Red flag: No cross-functional coverage (finance/procurement/HR left out) = blind spots.

Select answer

Upload evidence for HMRC

Risk assessment reports, board papers

Short reason if answered N/A

Comments / Notes (Optional)

003. Are CFA risk assessments reviewed regularly and updated in response to business or regulatory changes? — Justification: Keeps controls current and relevant. Red flag: Outdated/one-off risk assessment = risks not monitored.

Select answer

Upload evidence for HMRC

Review schedules, update logs

Short reason if answered N/A

Comments / Notes (Optional)

004. Are prevention procedures tailored to risk level (e.g., higher scrutiny for umbrellas, offshore PSCs, or cash-heavy suppliers)? — Justification: Aligns with HMRC principle of proportionality. Red flag: One-size-fits-all checks = insufficient against high-risk models.

Select answer

Upload evidence for HMRC

Tiered control matrix, procedure manuals

Short reason if answered N/A

Comments / Notes (Optional)

005. Are internal controls (e.g., segregation of duties, approvals for high-value supplier payments) in place to reduce facilitation risk? — Justification: Prevents collusion and unchecked access. Red flag: Same person initiates and approves payments = fraud risk.

Select answer

Upload evidence for HMRC

Org charts, approval matrices

Short reason if answered N/A

Comments / Notes (Optional)

006. Is a senior manager or board member formally accountable for CFA/CCO compliance, with oversight reported to the board? — Justification: Demonstrates leadership commitment. Red flag: No named accountable officer = poor governance and tone from the top.

Select answer

Upload evidence for HMRC

Org chart, board minutes, responsibility statements

Short reason if answered N/A

Comments / Notes (Optional)

007. Are CFA/CCO risks and incidents reported to the board or risk committee, and are corrective actions tracked? — Justification: Shows governance and accountability. Red flag: Incidents logged but not escalated/tracked = weak follow-up.

Select answer

Upload evidence for HMRC

Board packs, action logs

Short reason if answered N/A

Comments / Notes (Optional)

008. Are agencies, umbrellas, and subcontractors vetted for CFA compliance before engagement (e.g., tax checks, PSL approval)? — Justification: Ensures risky suppliers are screened out. Red flag: Suppliers onboarded without tax checks or declarations = exposure to known HMRC watchlist risks.

Select answer

Upload evidence for HMRC

Supplier vetting records, HMRC tax check results

Short reason if answered N/A

Comments / Notes (Optional)

009. Are suppliers required to certify CFA compliance and disclose subcontractors or downstream providers? — Justification: Extends obligations across the chain. Red flag: No subcontractor disclosure = hidden labour tiers.

Select answer

Upload evidence for HMRC

Supplier declarations, subcontractor logs

Short reason if answered N/A

Comments / Notes (Optional)

010. Is supplier certification of compliance renewed on a periodic basis? — Justification: Keeps supplier due diligence current. Red flag: One-off onboarding only = reliance on stale information.

Select answer

Upload evidence for HMRC

Renewal schedule, updated declarations

Short reason if answered N/A

Comments / Notes (Optional)

011. Is the CFA/CCO policy communicated to all staff and relevant suppliers (e.g., onboarding, handbooks, supplier packs)? — Justification: Ensures awareness across organisation and supply chain. Red flag: Policy exists but is not cascaded = ineffective.

Select answer

Upload evidence for HMRC

Communication records, onboarding materials

Short reason if answered N/A

Comments / Notes (Optional)

012. Is CFA/CCO training delivered to relevant staff (HR, finance, procurement) and suppliers, tailored by role/risk level? — Justification: Builds practical awareness of red flags. Red flag: Generic training only = staff miss sector-specific evasion risks.

Select answer

Upload evidence for HMRC

Training logs, attendance records, supplier training evidence

Short reason if answered N/A

Comments / Notes (Optional)

013. Are training completion rates tracked, with follow-up for non-compliance? — Justification: Proves reach and effectiveness. Red flag: Training records incomplete = no proof to HMRC.

Select answer

Upload evidence for HMRC

Training dashboards, compliance trackers

Short reason if answered N/A

Comments / Notes (Optional)

014. Are whistleblowing/reporting channels in place (confidential, GDPR-compliant) for staff and suppliers to report suspected facilitation? — Justification: Enables early escalation of risks. Red flag: No anonymous channel = whistleblowers deterred.

Select answer

Upload evidence for HMRC

Whistleblowing policy, hotline logs, incident reports

Short reason if answered N/A

Comments / Notes (Optional)

015. Are incidents of suspected facilitation logged, investigated, corrective actions taken, and lessons learned applied to future risk assessments? — Justification: Demonstrates continuous improvement cycle. Red flag: Incidents closed with no remediation or lessons = repeat risks.

Select answer

Upload evidence for HMRC

Incident registers, remediation reports, updated risk assessments

Short reason if answered N/A

Comments / Notes (Optional)

Section 2 – Supplier Compliance & Risk Assessment – Section Justification

This section ensures that the end-hirer actively verifies and monitors the compliance of all labour supply chain members (agencies, umbrella companies, subcontractors, PSCs).

It combines supplier verification and risk assessment into one process of continuous due diligence.

Robust compliance practices are essential to:

  • Meet obligations under the Criminal Finances Act 2017 (Corporate Criminal Offence), the Onshore Intermediaries Legislation, and HMRC’s Labour Supply Chain Assurance guidance
  • Prevent facilitation of tax evasion, disguised remuneration, mini-umbrella fraud, phoenixing, and false self-employment
  • Detect payroll non-compliance such as payslip skimming, unlawful deductions, and breaches of the National Minimum Wage
  • Protect against reputational and financial damage, including Joint & Several Liability (JSL) from April 2026 for unpaid PAYE/NIC in umbrella supply chains
  • Support ethical worker protection and compliance with the Modern Slavery Act 2015.

Failure to conduct effective compliance checks and risk assessments exposes end-hirers to HMRC enforcement (Stop Notices, Promoter Action Notices), civil penalties, criminal liability, and reputational harm.

Supplier Compliance & Risk Assessment – Section Justification

001. Are Preferred Supplier List (PSL) members subject to documented compliance checks and regular risk assessments? — Justification: Ensures ongoing due diligence and monitoring in line with HMRC guidance. Red flag: PSL created but not actively monitored; checks are ad hoc or undocumented.

Select answer

Upload evidence for HMRC

Audit logs, risk reviews, board minutes

Short reason if answered N/A

Comments / Notes (Optional)

002. Is there a designated person/team responsible for supplier compliance and risk governance? — Justification: Clarifies accountability and senior oversight. Red flag: No clear owner = gaps in responsibility, diluted accountability.

Select answer

Upload evidence for HMRC

Org chart, compliance team responsibilities

Short reason if answered N/A

Comments / Notes (Optional)

003. Do checks include HMRC high-risk indicators (DOTAS/POTAS, mini-umbrellas, phoenixing, disguised remuneration)? — Justification: Targets avoidance models flagged by HMRC. Red flag: Checks ignore HMRC Spotlight risks = high chance of missed non-compliance.

Select answer

Upload evidence for HMRC

Due diligence logs, independent audit reports, HMRC watchlists

Short reason if answered N/A

Comments / Notes (Optional)

004. Are supplier VAT numbers, PAYE references, and bank accounts verified against HMRC records? — Justification: Detects VAT/MTIC fraud and prevents Kittel exposure. Red flag: Reliance on supplier self-certification only; no HMRC verification = high Kittel risk.

Select answer

Upload evidence for HMRC

VAT checker printouts, bank verification logs

Short reason if answered N/A

Comments / Notes (Optional)

005. Do audits verify payslip transparency and correct worker classification (PAYE vs CIS)? — Justification: Prevents misclassification and disguised remuneration. Red flag: Payslip skimming or unlawful deductions not checked; CIS used where SDC applies.

Select answer

Upload evidence for HMRC

Payslip audits, worker classification matrix

Short reason if answered N/A

Comments / Notes (Optional)

006. Are suppliers required to disclose subcontractors, umbrellas, and any payroll providers used? — Justification: Provides transparency across tiers and prevents hidden intermediaries. Red flag: No subcontractor disclosure = hidden tiers or payroll delegation risk.

Select answer

Upload evidence for HMRC

Supplier declarations, subcontractor lists

Short reason if answered N/A

Comments / Notes (Optional)

007. Are supplier due diligence records reviewed and suppliers re-certified periodically? — Justification: Prevents reliance on outdated compliance checks. Red flag: One-off onboarding only; no recertification = reliance on stale records.

Select answer

Upload evidence for HMRC

Recertification logs, updated certificates

Short reason if answered N/A

Comments / Notes (Optional)

008. Are suppliers’ financial health and solvency monitored (credit checks, VAT returns, insolvency alerts)? — Justification: Early detection of phoenix risks. Red flag: Supplier collapses without warning due to no solvency monitoring.

Select answer

Upload evidence for HMRC

Credit reports, insolvency alerts

Short reason if answered N/A

Comments / Notes (Optional)

009. Do contracts include compliance obligations (audit rights, clawback clauses, duty to report HMRC action, prohibition of mini-umbrellas)? — Justification: Embeds enforceable safeguards. Red flag: Weak contracts with no enforcement clauses = no recourse for non-compliance.

Select answer

Upload evidence for HMRC

PSL contracts, enforcement logs

Short reason if answered N/A

Comments / Notes (Optional)

010. Do suppliers confirm awareness of compliance obligations, receive training, and notify risks encountered? — Justification: Builds accountability and capability. Red flag: Suppliers sign onboarding but receive no training = “tick-box” only.

Select answer

Upload evidence for HMRC

Signed supplier declarations, training records

Short reason if answered N/A

Comments / Notes (Optional)

011. Are incidents of non-compliance documented, escalated, and reported to HMRC/regulators where required? — Justification: Demonstrates active management and CFA 2017 “reasonable procedures.” Red flag: Incidents not logged or silently dropped = systemic risk.

Select answer

Upload evidence for HMRC

Incident logs, SARs, HMRC referrals

Short reason if answered N/A

Comments / Notes (Optional)

012. Are mitigation strategies and corrective actions implemented for identified risks? — Justification: Shows risks are managed operationally. Red flag: Risks logged but no corrective follow-up = recurring breaches.

Select answer

Upload evidence for HMRC

Corrective action reports, closure logs

Short reason if answered N/A

Comments / Notes (Optional)

013. Do you monitor HMRC enforcement activity (Tax Loss, Veto, Stop Notices, PANs) relevant to your supply chain? — Justification: Confirms responsiveness to HMRC warnings. Red flag: No monitoring of Stop Notices/PANs = continued use of blacklisted suppliers.

Select answer

Upload evidence for HMRC

HMRC letters, compliance tracker logs

Short reason if answered N/A

Comments / Notes (Optional)

014. Do you use independent audits or certifications to verify supply chain compliance, including payroll and tax risk? — Justification: Adds independent assurance and credibility. Red flag: Reliance only on self-certification = unverified compliance.

Select answer

Upload evidence for HMRC

External audit reports, certifications

Short reason if answered N/A

Comments / Notes (Optional)

Section 3 – Labour Supply Chain Documentation

This section ensures that organisations maintain clear, accessible, and secure records that underpin all aspects of labour supply chain compliance.

Accurate documentation is essential for evidencing adherence to due diligence processes, internal controls, and regulatory expectations — especially under the Criminal Finances Act 2017 and HMRC enforcement.

Well-maintained records support operational transparency, audit readiness, and legal defensibility, while enabling swift response to client queries or investigations.

Without proper documentation, even compliant practices can be undermined by an inability to demonstrate accountability or action.

This section also helps end-hirers build trust with clients and regulators by ensuring issues such as non-compliance, supply chain risks, or PSL changes are communicated in a timely and structured way.

In essence, this section underpins the credibility and integrity of the entire compliance framework.

Labour Supply Chain Documentation

001. Are all compliance, audit, and due diligence records stored in a centralised system with defined retention periods and secure access controls? — Justification: Demonstrates robust record management. Red flag: Records fragmented across teams/systems; retention inconsistent = risk of gaps at audit.

Select answer

Upload evidence for HMRC

DMS screenshots, retention policy, access logs

Short reason if answered N/A

Comments / Notes (Optional)

002. Is access to compliance records restricted to authorised personnel, with audit trails? — Justification: Prevents unauthorised access and data breaches. Red flag: Shared access or no audit trail = data breach or ICO fine risk.

Select answer

Upload evidence for HMRC

Access control logs, user permissions, security settings

Short reason if answered N/A

Comments / Notes (Optional)

003. Are your records structured to support a CFA 2017 “reasonable procedures” defence? — Justification: Ensures alignment with HMRC expectations. Red flag: Records exist but not tagged/indexed to CFA procedures = weak defence in investigation.

Select answer

Upload evidence for HMRC

Policy documents, CFA training logs, procedures

Short reason if answered N/A

Comments / Notes (Optional)

004. Can documentation be retrieved quickly for audit or regulatory purposes? — Justification: Supports timely client/regulator responses. Red flag: Retrieval takes weeks; disorganised filing = “non-cooperation” perception by HMRC.

Select answer

Upload evidence for HMRC

Audit response logs, retrieval tracking reports

Short reason if answered N/A

Comments / Notes (Optional)

005. Have you conducted an internal audit of documentation practices in the last 12 months? — Justification: Shows proactive review of controls. Red flag: No regular audit; reliance on “business as usual” = blind spots in compliance.

Select answer

Upload evidence for HMRC

Internal audit reports, management meeting notes

Short reason if answered N/A

Comments / Notes (Optional)

006. Have corrective actions from documentation audits been implemented and tracked? — Justification: Demonstrates continual improvement. Red flag: Audit findings noted but never actioned = recurring issues.

Select answer

Upload evidence for HMRC

CAPA reports, closure logs

Short reason if answered N/A

Comments / Notes (Optional)

007. Do you share compliance documentation with clients upon request (subject to confidentiality)? — Justification: Builds client trust and transparency. Red flag: Client requests delayed or refused without valid reason = reputational damage.

Select answer

Upload evidence for HMRC

Client disclosure packs, sample reports

Short reason if answered N/A

Comments / Notes (Optional)

008. Are confidentiality and GDPR measures applied when sharing records externally (e.g., redaction, NDAs)? — Justification: Prevents breaches while meeting audit obligations. Red flag: Full unredacted records sent = ICO/data breach liability.

Select answer

Upload evidence for HMRC

Data sharing policies, NDAs, redacted templates

Short reason if answered N/A

Comments / Notes (Optional)

009. Do you maintain a GDPR-compliant data retention schedule for worker and supplier records? — Justification: Ensures personal data is not retained longer than necessary. Red flag: “Keep everything” approach = unlawful retention risk.

Select answer

Upload evidence for HMRC

Retention schedules, DPIAs

Short reason if answered N/A

Comments / Notes (Optional)

010. Is there a process to manage and audit Subject Access Requests (SARs) from workers relating to supply chain records? — Justification: Demonstrates compliance with GDPR access rights. Red flag: SARs delayed beyond 30 days or unmanaged = ICO penalties.

Select answer

Upload evidence for HMRC

SAR logs, response templates, case tracker

Short reason if answered N/A

Comments / Notes (Optional)

011. Does your organisation maintain a GDPR Article 30 Record of Processing Activities (RoPA) covering temporary and contracted workers? — Justification: ICO statutory requirement; ensures visibility of processing across systems and suppliers. Red flag: RoPA missing or incomplete = no visibility of umbrella/agency data flows.

Select answer

Upload evidence for HMRC

RoPA register, data inventory, processor mapping

Short reason if answered N/A

Comments / Notes (Optional)

Section 4 – Contingent Workforce Visibility

This section ensures the end-hirer can accurately identify, classify, and monitor all contingent workers engaged through direct or indirect labour supply routes.

Under HMRC’s Labour Supply Chain Assurance framework, Criminal Finances Act 2017, and pending 2026 umbrella reforms, visibility over the contingent workforce is essential to prevent legal, tax, and ethical breaches.

Tracking contingent workers is critical to:

  • Prevent worker misclassification (e.g., disguising employment under CIS or Personal Service Companies (PSCs) labels)
  • Monitor umbrella and agency compliance, especially where payslip anomalies or disguised remuneration schemes may be present
  • Ensure legal Right To Work (RTW) checks, status assessments, and IR35 decisions are properly applied and retained
  • Support audits and regulatory inspections, including those by HMRC, GLAA, and internal or third-party auditors
  • Identify and mitigate exploitation risks, particularly around Modern Slavery, poor onboarding practices, or inappropriate payment structures
  • Demonstrate end-hirer oversight, fulfilling responsibilities under CFA 2017’s “reasonable procedures” requirement.

Failure to track contingent workers increases the risk of non-compliance with employment, tax, and immigration laws and exposes the end-hirer to reputational and regulatory damage.

Contingent Workforce Visibility

001. Can you accurately identify and track all contingent workers engaged through agencies, umbrellas, PSCs, or CIS? — Justification: Visibility across workforce prevents disguised remuneration and misclassification. Red flag: Lack of a single source of truth = hidden intermediaries or ghost workers.

Select answer

Upload evidence for HMRC

Workforce database exports, HRIS reports, contractor logs

Short reason if answered N/A

Comments / Notes (Optional)

002. Are systems in place to securely manage and regularly update contingent workforce data? — Justification: Ensures accuracy of workforce records and reduces classification errors. Red flag: Outdated or manual spreadsheets = misreporting or inability to defend against HMRC queries.

Select answer

Upload evidence for HMRC

IT system specs, security audits, vendor assurance reports

Short reason if answered N/A

Comments / Notes (Optional)

003. Do tracking systems distinguish between PAYE, umbrella, CIS, PSC, and self-employed categories? — Justification: Supports correct status determination and tax treatment. Red flag: All workers lumped into “contractor” category = high IR35/CIS misclassification risk.

Select answer

Upload evidence for HMRC

Worker classification mapping, system screenshots

Short reason if answered N/A

Comments / Notes (Optional)

004. Are Right to Work checks performed and retained for all contingent workers, including PSCs? — Justification: Prevents illegal working and reduces risk of Modern Slavery. Red flag: No RTW evidence stored or reliance on agency verbal assurances = legal liability for illegal working.

Select answer

Upload evidence for HMRC

RTW check logs, ID verification audits

Short reason if answered N/A

Comments / Notes (Optional)

005. Are IR35 and CIS classification decisions documented, reviewed, and updated when roles or terms change? — Justification: Prevents IR35 breaches and false self-employment. Red flag: One-off status check at onboarding only = decisions outdated when role changes.

Select answer

Upload evidence for HMRC

SDSs, CIS assessments, review logs

Short reason if answered N/A

Comments / Notes (Optional)

006. Is there an escalation/dispute process where worker classification decisions are challenged (e.g. outside IR35 disagreements)? — Justification: Demonstrates fairness and protects end-hirer responsibility. Red flag: Disputes handled informally with no paper trail = weak evidence base at tribunal/HMRC challenge.

Select answer

Upload evidence for HMRC

Escalation policy, dispute logs, legal correspondence

Short reason if answered N/A

Comments / Notes (Optional)

007. Are workforce risk assessments conducted to identify potential exploitation or Modern Slavery risks? — Justification: Reduces exposure to reputational and legal risks. Red flag: Risk assessments generic, not role/supplier-specific = failure to detect high-risk roles (e.g., migrant workers).

Select answer

Upload evidence for HMRC

Risk matrix, job risk flags, vulnerability indicators

Short reason if answered N/A

Comments / Notes (Optional)

008. Do risk assessments consider high-risk payment models (mini-umbrellas, offshore payments, expense-based schemes)? — Justification: Prevents financial exposure and regulatory penalties. Red flag: No linkage of pay model reviews to risk assessments = disguised remuneration slips through.

Select answer

Upload evidence for HMRC

Risk reports, flagged payments, expense reviews

Short reason if answered N/A

Comments / Notes (Optional)

009. Are risks linked to specific suppliers and intermediaries, not just roles? — Justification: Confirms risks are assessed across the whole supply chain. Red flag: Supplier-level blind spots = upstream phoenix/mini-umbrella risk.

Select answer

Upload evidence for HMRC

Supplier due diligence files, supplier risk logs

Short reason if answered N/A

Comments / Notes (Optional)

010. Are Modern Slavery risks specifically reviewed for migrant and low-paid roles? — Justification: Reduces exploitation and strengthens assurance. Red flag: No distinction by vulnerability group = exploitation overlooked in high-risk cohorts.

Select answer

Upload evidence for HMRC

Modern slavery risk assessments, site audits, pay analysis

Short reason if answered N/A

Comments / Notes (Optional)

Section 5 – Payroll Transparency & Payslip Assurance

This section ensures that all workers engaged under PAYE or CIS — whether directly or through agencies/umbrellas — are paid lawfully, transparently, and in compliance with HMRC rules.

End-hirers must demonstrate oversight of intermediary payroll practices to prevent disguised remuneration, unlawful deductions, and mini-umbrella fraud.

Effective payroll assurance protects against:

  • Tax risk (incorrect PAYE/NIC, RTI/CIS reporting failures)
  • Employment law breaches (NMW/NLW underpayment, Agency Worker Regulations (AWR) violations)
  • Worker exploitation (hidden deductions, hybrid schemes, non-disclosure of rights)
  • Joint & Several Liability (JSL 2026) for unpaid PAYE/NIC in umbrella chains.

Failure to monitor payroll risks exposes end-hirers to HMRC enforcement, worker claims, and reputational harm.

Payroll Transparency & Payslip Assurance

001. Are payroll controls in place to ensure workers are paid correctly, on time, and at least at NMW/NLW rates? — Justification: Protects against underpayment and wage theft. Red flag: Consistent late or underpayments; pay falling below NMW after deductions.

Select answer

Upload evidence for HMRC

Payroll policies, NMW/NLW audit logs

Short reason if answered N/A

Comments / Notes (Optional)

002. Are intermediary deductions (agency/umbrella) monitored to prevent unlawful skimming or disguised remuneration? — Justification: Prevents erosion of take-home pay. Red flag: Unexplained “admin” or “service” fees on payslips.

Select answer

Upload evidence for HMRC

Payslip audits, deduction breakdowns

Short reason if answered N/A

Comments / Notes (Optional)

003. Are expense payments (e.g., travel, accommodation) processed under correct HMRC rules? — Justification: Prevents misuse of expenses. Red flag: Blanket tax-free travel applied despite SDC.

Select answer

Upload evidence for HMRC

Expense policies, reimbursement logs

Short reason if answered N/A

Comments / Notes (Optional)

004. Are payslips reconciled against Bacs payments and RTI submissions to HMRC? — Justification: Detects fraud, discrepancies, misreporting. Red flag: Net pay on payslip not matching Bacs transfer.

Select answer

Upload evidence for HMRC

Payslip vs Bacs/RTI reconciliation logs

Short reason if answered N/A

Comments / Notes (Optional)

005. Are Agency Worker Regulations (AWR) checks performed to ensure equal treatment after 12 weeks? — Justification: Ensures statutory protections. Red flag: Temps not receiving pay parity or holiday after qualifying period.

Select answer

Upload evidence for HMRC

AWR audits, pay comparator logs

Short reason if answered N/A

Comments / Notes (Optional)

006. Do contracts and Key Information Documents (KIDs) clearly state pay, deductions, benefits, and rights — and match actual payslips? — Justification: Prevents misleading disclosures. Red flag: KID rates/pay structure inconsistent with payslip reality.

Select answer

Upload evidence for HMRC

KIDs, contracts, audit logs

Short reason if answered N/A

Comments / Notes (Optional)

007. Do contracts with intermediaries align with end-hirer agreements and prohibit hybrid/mini umbrella models? — Justification: Avoids disguised remuneration. Red flag: Evidence of hybrid PAYE/CIS or mini umbrella structures.

Select answer

Upload evidence for HMRC

Contract review logs, umbrella audits

Short reason if answered N/A

Comments / Notes (Optional)

008. Are CIS workers verified with HMRC, and are Supervision, Direction & Control (SDC) tests/audits performed before engagement? — Justification: Confirms correct classification. Red flag: CIS engaged without SDC check or HMRC verification.

Select answer

Upload evidence for HMRC

HMRC CIS verification, SDC assessments

Short reason if answered N/A

Comments / Notes (Optional)

009. Do intermediaries disclose subcontractors and payroll models to ensure visibility across tiers? — Justification: Ensures transparency and accountability. Red flag: Unknown third-party payroll providers in chain.

Select answer

Upload evidence for HMRC

Supplier declarations, subcontractor contracts

Short reason if answered N/A

Comments / Notes (Optional)

010. Are suppliers required to confirm no prohibited schemes (loans, salary sacrifice misuse) are offered? — Justification: Blocks high-risk avoidance. Red flag: Loan notes, offshore trusts, or pension “wraps” appear in worker pay.

Select answer

Upload evidence for HMRC

Signed declarations, supplier attestations

Short reason if answered N/A

Comments / Notes (Optional)

011. Are payroll discrepancies, complaints, or late payments logged, escalated, and resolved? — Justification: Protects workers and shows governance. Red flag: High volume of unresolved payroll complaints.

Select answer

Upload evidence for HMRC

Payroll logs, escalation policies

Short reason if answered N/A

Comments / Notes (Optional)

012. Do payroll systems include automated anomaly detection (variance thresholds, duplicate payments)? — Justification: Adds system-level fraud prevention. Red flag: No exception reporting or detection tool in payroll.

Select answer

Upload evidence for HMRC

Payroll system trigger logs

Short reason if answered N/A

Comments / Notes (Optional)

013. Do you verify that any salary sacrifice schemes (e.g., pensions) are voluntary, lawful, NMW-compliant, and do not reduce statutory benefits (SSP, SMP, pension rights)? — Justification: Ensures salary sacrifice is not misused to disguise remuneration, breach NMW, or disadvantage workers. Meets CFA 2017 and Finance Act 2017 obligations. Red flag: Workers “auto-enrolled” into sacrifice schemes without consent; post-deduction pay < NMW.

Select answer

Upload evidence for HMRC

Signed worker consent forms, payslip audits, NMW analysis, HR/pension review logs, reconciliation reports

Short reason if answered N/A

Comments / Notes (Optional)

014. Do you audit expenses and holiday pay to confirm they are compliant (receipts retained, SDC rules applied, deductions not breaching NMW, holiday accrual calculated transparently and not rolled-up)? — Justification: Ensures expense reimbursements are lawful, holiday pay complies with Working Time Regulations, and disguised remuneration is prevented. Red flag: Holiday pay rolled into rates or not transparently shown.

Select answer

Upload evidence for HMRC

Expense policy, payslip audits, holiday records, 52-week pay calculations

Short reason if answered N/A

Comments / Notes (Optional)

015. Do you verify that all self-employed/CIS workers are correctly assessed (SDC, substitution, IR35/Agency Worker Rules) with a documented rationale, and monitor suppliers to prevent misuse of CIS for PAYE avoidance? — Justification: Prevents disguised employment, supports CFA 2017 “reasonable procedures,” and ensures compliance with CIS/IR35/JSL obligations. Red flag: Large CIS population with roles identical to PAYE employees.

Select answer

Upload evidence for HMRC

CIS verification logs, SDS reports, CEST outcomes, supplier contracts, dispute logs

Short reason if answered N/A

Comments / Notes (Optional)

Section 6 – Modern Slavery 

This section ensures end-hirers have effective systems to prevent and detect modern slavery across their labour supply chains.

It aligns with the Modern Slavery Act 2015, the Criminal Finances Act 2017, and GLAA guidance.

End-hirers must demonstrate that suppliers are screened, trained, and contractually bound by anti-slavery requirements; that risks are monitored through audits and red-flag checks; and that escalation, investigation, and corrective action procedures are in place.

Failure to act leaves organisations exposed to legal, financial, and reputational risks, as well as potential civil or criminal liability.

Modern Slavery

001. Do you screen suppliers for modern slavery risks using internal tools and external watchlists (e.g., GLAA, NGO databases)? — Justification: Ensures risks are identified consistently and early. Red flag: Suppliers not screened against GLAA or NGO databases; unknown subcontractors.

Select answer

Upload evidence for HMRC

Screening logs, risk assessment framework, subscription confirmations

Short reason if answered N/A

Comments / Notes (Optional)

002. Are suppliers risk-rated (e.g., high/medium/low) and are high-risk suppliers subject to enhanced monitoring? — Justification: Focuses oversight where exploitation risk is greatest. Red flag: No risk-rating methodology; high-risk suppliers treated same as low-risk.

Select answer

Upload evidence for HMRC

Supplier risk matrix, review logs

Short reason if answered N/A

Comments / Notes (Optional)

003. Are suppliers required to complete self-assessments and provide evidence of compliance? — Justification: Promotes proactive supplier accountability. Red flag: No evidence provided, or suppliers refuse questionnaires.

Select answer

Upload evidence for HMRC

Supplier questionnaires, declarations

Short reason if answered N/A

Comments / Notes (Optional)

004. Do you conduct independent third-party audits, including worker interviews, at appropriate frequency? — Justification: Provides objective validation of conditions. Red flag: No worker interviews, reliance solely on supplier self-certification.

Select answer

Upload evidence for HMRC

Audit contracts, schedules, inspection reports

Short reason if answered N/A

Comments / Notes (Optional)

005. Is your Modern Slavery Statement publicly available, communicated to suppliers, and backed by regular training (including managers)? — Justification: Meets statutory duty and raises awareness. Red flag: Statement not published, out of date, or not cascaded to suppliers.

Select answer

Upload evidence for HMRC

Published statement, training logs, comms records

Short reason if answered N/A

Comments / Notes (Optional)

006. Are risk assessments conducted regularly on worker exploitation risks, including pay practices and high-risk roles? — Justification: Detects systemic risks such as withheld wages or debt bondage. Red flag: No review of pay practices; migrant/low-paid roles not risk-assessed.

Select answer

Upload evidence for HMRC

Risk assessment logs, payroll reviews

Short reason if answered N/A

Comments / Notes (Optional)

007. Do contracts include anti-exploitation clauses, disclosure of subcontractors, and penalties for breaches? — Justification: Embeds enforceable obligations across the chain. Red flag: No anti-slavery clauses in PSL contracts; subcontractors undisclosed.

Select answer

Upload evidence for HMRC

PSL contracts, subcontractor declarations

Short reason if answered N/A

Comments / Notes (Optional)

008. Are confidential worker reporting and whistleblowing mechanisms in place, with protections for those reporting? — Justification: Encourages disclosure and protects workers. Red flag: No anonymous hotline; fear of retaliation deters reporting.

Select answer

Upload evidence for HMRC

Hotline posters, whistleblower policy, system screenshots

Short reason if answered N/A

Comments / Notes (Optional)

009. Do you have defined procedures for escalation, investigation, and case tracking of suspected modern slavery? — Justification: Ensures concerns are managed systematically. Red flag: Escalations handled informally; no audit trail of investigations.

Select answer

Upload evidence for HMRC

SOPs, investigation logs, tracking tools

Short reason if answered N/A

Comments / Notes (Optional)

010. Are corrective actions required and follow-up audits conducted after confirmed cases? — Justification: Ensures remediation and continuous improvement. Red flag: Corrective actions not tracked; same issues reoccur.

Select answer

Upload evidence for HMRC

Remediation plans, follow-up audit reports

Short reason if answered N/A

Comments / Notes (Optional)

011. Are stakeholders (clients, regulators) notified of confirmed cases and is progress transparently reported? — Justification: Builds trust and demonstrates accountability. Red flag: Non-disclosure to clients/regulators of confirmed exploitation cases.

Select answer

Upload evidence for HMRC

Client notifications, published reports

Short reason if answered N/A

Comments / Notes (Optional)

012. Are lessons learned from incidents used to update training, onboarding, and risk processes? — Justification: Drives ongoing improvement in prevention. Red flag: No integration of lessons learned; repeat exploitation risks in supply chain.

Select answer

Upload evidence for HMRC

Training materials, updated procedures

Short reason if answered N/A

Comments / Notes (Optional)

Section 7 – Financial & Insurance Checks

This section ensures that labour suppliers are financially stable and properly insured, reducing the risk of sudden business failure, unpaid taxes, or uninsured claims being passed to the end-hirer.

Unlike active compliance checks (e.g., payslips, classification), these checks are about supplier resilience — ensuring that suppliers can meet obligations to workers, HMRC, and clients.

They provide assurance that:

  • Suppliers are solvent and not at risk of collapse (which could trigger unpaid PAYE/NIC, VAT, or CIS liabilities)
  • VAT and PAYE registrations are legitimate and up to date, protecting against Kittel principle exposure
  • Insurance cover protects both workers and the end-hirer from financial/reputational damage
  • Contractual indemnities are enforceable in case of tax or employment claims.

Failing to monitor supplier solvency and insurance increases the risk of supply chain disruption, HMRC debt transfer, uninsured liability, and reputational damage.

Financial & Insurance Checks

001. Do suppliers undergo financial due diligence checks (e.g., credit rating, insolvency searches, filed accounts)? — Justification: Confirms supplier solvency and flags risks of sudden failure. Red flag: No financial checks; reliance on outdated Companies House data; no monitoring of insolvency events.

Select answer

Upload evidence for HMRC

Credit reports, Companies House filings, insolvency monitoring logs

Short reason if answered N/A

Comments / Notes (Optional)

002. Are suppliers registered with HMRC for VAT and PAYE, and are filings up to date? — Justification: Prevents VAT/PAYE fraud exposure under the Kittel principle. Red flag: VAT/PAYE numbers invalid, deregistered, or frequent late filings.

Select answer

Upload evidence for HMRC

VAT/PAYE registration certificates, HMRC account screenshots

Short reason if answered N/A

Comments / Notes (Optional)

003. Do suppliers hold valid insurance cover (Employer’s Liability, Public Liability, Professional Indemnity where relevant)? — Justification: Protects against uninsured claims affecting workers or the end-hirer. Red flag: No valid EL insurance (illegal in UK), expired policies, or umbrella insurance not in own name.

Select answer

Upload evidence for HMRC

Insurance certificates, renewal schedule

Short reason if answered N/A

Comments / Notes (Optional)

004. Are suppliers insurance adequate in scope (e.g., cover limits appropriate to workforce size and risk)? — Justification: Ensures policies are not nominal/minimal and actually provide protection. Red flag: Cover limits too low for workforce scale; exclusions that negate worker protection.

Select answer

Upload evidence for HMRC

Policy schedules, broker confirmations

Short reason if answered N/A

Comments / Notes (Optional)

005. Do suppliers contracts include indemnities protecting the end-hirer against tax, NIC, or employment claims? — Justification: Provides contractual recourse if liabilities arise. Red flag: No indemnities in supplier contracts; clauses one-sided in supplier’s favour.

Select answer

Upload evidence for HMRC

Supplier contracts, legal review notes

Short reason if answered N/A

Comments / Notes (Optional)

Section 8 – Tax Fraud & Liability Risk

End-hirers have a statutory duty to prevent VAT fraud, mis-declared invoices, and disguised remuneration in their labour supply chains.

Under the Kittel principle, organisations can be denied input VAT recovery if they “knew or should have known” of fraud.

From April 2026, Joint & Several Liability (JSL) will extend end-hirer liability for unpaid PAYE/NIC and VAT in umbrella supply chains, even where supplier fraud is only detected later.

This section ensures that:

  • Labour suppliers are correctly VAT registered, solvent, and not engaging in phoenixing
  • VAT invoicing is accurate, compliant, and reconciled against payments/returns
  • Domestic Reverse Charge (DRC) is applied correctly for CIS-relevant services
  • Mini-umbrella, disguised intermediary models, and off-payroll avoidance are excluded
  • Payments flow only through verified UK bank accounts of the invoicing entity
  • End-hirers can demonstrate reasonable prevention procedures through documented checks.

Failure to address these controls exposes organisations to denied VAT recovery, HMRC Stop Notices, CFA 2017 facilitation offences, and JSL liability from 2026.

Tax Fraud & Liability Risk

001. Are all labour suppliers VAT-registered, and have VAT numbers been independently checked via HMRC/VIES? — Justification: Confirms legitimacy of VAT registration and prevents phoenix/invalid numbers. Red flag: Invalid, recently re-registered, or multiple VAT numbers for linked entities.

Select answer

Upload evidence for HMRC

VAT certificates, HMRC/VIES screenshots, Companies House filings

Short reason if answered N/A

Comments / Notes (Optional)

002. Have supplier directors/ultimate beneficial owners (UBO) been verified to rule out phoenixing, hidden ownership, or tax loss letter exposure? — Justification: Detects high-risk ownership structures and tax avoidance flags. Red flag: Directors linked to dissolved/phoenix companies; HMRC “tax loss letter” received.

Select answer

Upload evidence for HMRC

UBO registers, director checks, supplier disclosures

Short reason if answered N/A

Comments / Notes (Optional)

003. Do supplier invoices meet HMRC standards (entity name, VAT number, breakdown) and reconcile with payment records and VAT returns? — Justification: Ensures invoices are valid, prevents carousel fraud, confirms VAT remittance. Red flag: Missing VAT numbers, mismatched entity names, or invoices not matching VAT100 returns.

Select answer

Upload evidence for HMRC

Invoice samples, reconciliation logs, VAT100 returns, HMRC receipts

Short reason if answered N/A

Comments / Notes (Optional)

004. Is VAT/Domestic Reverse Charge (DRC) applied correctly for CIS-relevant services? — Justification: Prevents incorrect VAT claims under Notice 735; shares liability under DRC. Red flag: DRC missing where applicable, incorrect treatment inflating VAT claims.

Select answer

Upload evidence for HMRC

DRC policies, annotated invoices, supplier confirmations

Short reason if answered N/A

Comments / Notes (Optional)

005. Do controls block input VAT claims on invoices from mini-umbrella or disguised intermediaries? — Justification: Prevents VAT abuse via fragmented labour chains. Red flag: Numerous low-turnover “clone” companies issuing invoices; VAT claims from suppliers without employees.

Select answer

Upload evidence for HMRC

Supply chain map, supplier due diligence reports

Short reason if answered N/A

Comments / Notes (Optional)

006. Are hybrid models (e.g., workers engaged via umbrella but invoiced as self-employed) explicitly excluded? — Justification: Detects disguised remuneration and PAYE/CIS misclassification via VAT. Red flag: Umbrella workers invoiced as CIS/self-employed; misaligned payroll and invoicing records.

Select answer

Upload evidence for HMRC

Contract reviews, payroll audits, status determination logs

Short reason if answered N/A

Comments / Notes (Optional)

007. Are supplier payments only made to UK bank accounts in the legal name of the invoicing entity, and is a due diligence log maintained? — Justification: Confirms payment integrity; provides audit trail for CFA/JSL defence. Red flag: Payments made to offshore or personal bank accounts; mismatch between invoicing entity and payee.

Select answer

Upload evidence for HMRC

Bank confirmations, payment ledgers, due diligence log

Short reason if answered N/A

Comments / Notes (Optional)

Section 9 – Umbrella Integrity – Purported & Disguised Models

This section ensures that umbrella companies used in the labour supply chain are legitimate employers and not “purported” umbrellas that disguise remuneration, misapply PAYE/NIC, or exploit workers.

Purported umbrellas may present payslips that look compliant but:

  • Fail to remit PAYE/NIC to HMRC
  • Deduct unlawful costs or inflate take-home pay via loans, rebates, or salary sacrifice misuse
  • Conceal employer obligations such as holiday accrual, pensions, and insurance.

From April 2026, under Joint & Several Liability (JSL), end-hirers may be held liable for unpaid PAYE/NIC even if due diligence was attempted.

Having explicit umbrella integrity checks strengthens your defence and demonstrates “reasonable procedures” under the Criminal Finances Act 2017.

Umbrella Integrity – Purported & Disguised Models

001. Does the umbrella appear as the legal employer on contracts, payslips, and BACs payment line? — Justification: Confirms employer legitimacy; prevents “payroll-as-a-service” fraud. Red flag: BACs payments made by a different entity; payslips not showing umbrella name as employer.

Select answer

Upload evidence for HMRC

Payslip samples, employment contracts, BACs audit

Short reason if answered N/A

Comments / Notes (Optional)

002. Can the umbrella evidence direct PAYE/NIC remittance to HMRC under its own PAYE reference? — Justification: Prevents routed or disguised PAYE that risks non-payment. Red flag: Umbrella unable to show HMRC receipts; PAYE reference belongs to another entity or unlinked group company.

Select answer

Upload evidence for HMRC

HMRC PAYE reference, remittance receipts

Short reason if answered N/A

Comments / Notes (Optional)

003. Does the umbrella meet statutory employment obligations (holiday accrual, pensions, Employer’s Liability Insurance)? — Justification: Confirms umbrella is acting as a genuine employer. Red flag: Rolled-up holiday pay, missing pension enrolments, no valid EL insurance.

Select answer

Upload evidence for HMRC

EL insurance certificate, holiday/pension schedules

Short reason if answered N/A

Comments / Notes (Optional)

004. Does the umbrella confirm that no disguised remuneration schemes (loans, advances, salary sacrifice abuse, rebates) are used? — Justification: Prevents HMRC Spotlight scheme risks and JSL exposure. Red flag: Payslips showing unexplained deductions, “loan advances,” or salary sacrifice uplifts not consented to by workers.

Select answer

Upload evidence for HMRC

Signed supplier declarations, payslip audits

Short reason if answered N/A

Comments / Notes (Optional)

005. Are umbrella payslip deductions (e.g., admin fees, insurance, training levies) transparent and lawful? — Justification: Protects workers and prevents hidden skimming. Red flag: Non-itemised or excessive deductions lowering pay below NMW.

Select answer

Upload evidence for HMRC

Payslip audits, deduction breakdowns

Short reason if answered N/A

Comments / Notes (Optional)

006. Does the umbrella prohibit subcontracting or “pass-through” arrangements without prior approval? — Justification: Prevents hidden tiers that obscure liability. Red flag: Undisclosed subcontracting or multiple umbrella entities processing the same workforce.

Select answer

Upload evidence for HMRC

PSL contracts, subcontractor disclosures

Short reason if answered N/A

Comments / Notes (Optional)

007. Are suspected non-compliant umbrella practices escalated internally and acted upon? — Justification: Demonstrates oversight and readiness under CFA 2017 and JSL. Red flag: Issues logged repeatedly with no remediation or exit of high-risk umbrellas.

Select answer

Upload evidence for HMRC

Escalation logs, issue tracker, incident reports

Short reason if answered N/A

Comments / Notes (Optional)

Section 10 – 2026 Umbrella Legislation Readiness – Joint & Several Liability (JSL)

From 6 April 2026, umbrella companies remain primarily liable for PAYE/NIC obligations.

However, under new Joint & Several Liability (JSL) rules, HMRC may also pursue unpaid PAYE/NIC from:

  • The top agency/MSP, where an agency supplies the worker, or
  • The end-hirer, if the umbrella contracts directly with them

Due diligence checks will not provide a statutory defence — meaning liability is automatic if non-compliance is found.

Oversight must therefore be proactive, contractual, and risk-based.

This section ensures that:

  • Only audited/pre-approved umbrellas are engaged
  • Payslip and payroll audits are carried out regularly
  • Umbrella employment legitimacy is verified
  • Contracts contain JSL indemnities and notification clauses
  • Escalation and exit procedures exist for non-compliance
  • Senior managers and PSL decision-makers are briefed on JSL risks
  • Umbrella workers are mapped to payroll entities for PAYE/NIC traceability.

Failure to implement these measures risks automatic liability for unpaid PAYE/NIC under JSL, reputational damage, and HMRC enforcement — even if the umbrella itself collapses or disappears.

2026 Umbrella Legislation Readiness – Joint & Several Liability (JSL)

001. Do you maintain a pre-approved list of umbrella companies subject to audit or third-party certification (e.g., FCSA)? — Justification: Ensures only trusted umbrellas are engaged under JSL. Red flag: No PSL or reliance on self-certification → high risk of “purported” umbrellas.

Select answer

Upload evidence for HMRC

Approved supplier list, certification records, PSL policy

Short reason if answered N/A

Comments / Notes (Optional)

002. Have you conducted payslip and pay model audits of umbrella workers within the past 12 months? — Justification: Detects disguised remuneration, skimming, unlawful deductions. Red flag: No audits or only sample checks → HMRC assumes lack of oversight.

Select answer

Upload evidence for HMRC

Payslip audits, reconciliation logs, anomaly reports

Short reason if answered N/A

Comments / Notes (Optional)

003. Do you verify that the umbrella provider is the actual employer (appears on payslip and BACs line)? — Justification: Confirms employer legitimacy; prevents hidden delegation. Red flag: Employer name mismatch between payslip, BACs, and contracts → sign of payroll-as-a-service fraud.

Select answer

Upload evidence for HMRC

Payslip samples, BACs records, payroll audit logs

Short reason if answered N/A

Comments / Notes (Optional)

004. Are umbrella company risks integrated into your wider Labour Supply Chain risk framework? — Justification: Ensures umbrellas are treated as a formal risk category. Red flag: Umbrella risks not covered in supply chain registers → creates governance blind spots.

Select answer

Upload evidence for HMRC

Risk registers, assessment logs, supply chain assurance reports

Short reason if answered N/A

Comments / Notes (Optional)

005. Have PSL/agency contracts been updated with JSL indemnities and notification clauses? — Justification: Provides contractual protection under JSL. Red flag: No indemnity or notification clauses → hirer cannot recover losses or track HMRC actions.

Select answer

Upload evidence for HMRC

Updated contracts, legal reviews, PSL agreement schedules

Short reason if answered N/A

Comments / Notes (Optional)

006. Do you have a clear process to escalate, suspend, or exit non-compliant umbrellas? — Justification: Demonstrates governance and active risk management. Red flag: No exit/escalation logs → HMRC infers tolerance of non-compliance.

Select answer

Upload evidence for HMRC

Escalation logs, exit procedure documents, issue trackers

Short reason if answered N/A

Comments / Notes (Optional)

007. Are senior managers and PSL decision-makers briefed on JSL accountability, and have umbrella workers been mapped to payroll entities? — Justification: Ensures leadership awareness and PAYE/NIC traceability. Red flag: No board briefing or incomplete mapping → HMRC challenges defensibility.

Select answer

Upload evidence for HMRC

Training logs, board minutes, contractor mapping spreadsheets

Short reason if answered N/A

Comments / Notes (Optional)

Section 11 – Final Declaration & Signoff

Captures accountability and sign-off from the end-hirer, confirming that the audit has been completed, reviewed, and authorised by a suitably responsible individual.

This declaration confirms commitment to transparency, compliance, and continuous improvement.

Final Declaration and End-Hirer Signoff

I, the undersigned, hereby confirm the following on behalf of the end-hirer that:

1) The information provided in this self-audit is, to the best of my knowledge, accurate, complete, and a true reflection of our compliance controls and processes.

2) I confirm that supporting documentation referenced in this audit can be made available for review upon legitimate request.

3) This declaration signifies our commitment to transparency, accountability, and ongoing compliance with relevant employment, tax, and supply chain regulations.