RM6310 Lots 2 & 4 | RM6219 DPS | RM6237 DPS

Compliance is your asset

Public sector organisations now own the audit-readiness question.
The OPRaaS Virtual Compliance Director turns it into a continuously evidenced asset
for councils, NHS Trusts and central government.

OPRaaS established

Step methodology: map, train, audit, evidence

UK central government framework routes

Time-stamped evidence file, produced on demand

WHAT CHANGED FOR PUBLIC SECTOR END-HIRERS

The audit-readiness question is now yours.

Since 6 April 2026, new rules in the Finance Act 2026, amending Chapter 11, Part 2 of ITEPA 2003, let HMRC recover unpaid PAYE, NIC and the Apprenticeship Levy from other parties in umbrella supply chains, not just the umbrella itself. These are targeted umbrella-market measures, distinct from the older PAYE debt transfer powers.

HMRC’s GfC12 guidance expects organisations to run their own risk-based checks and keep an audit trail of what they did. Industry accreditations can be part of that picture, but on their own they are not treated as sufficient assurance. The standard has moved from holding a supplier list to demonstrating a governed, evidenced process.

Public bodies rely on complex labour supply chains to deliver essential services, major projects and specialist capacity. Each link in that chain is now part of your audit position.

HOW OPRAAS WORKS

Four steps. One evidenced governance record.

We bring the rigour we apply across the UK labour supply chain to your public sector estate.

We map

We map your supplier base across agencies, umbrellas and Statement of Work providers, so you can see your whole estate.

We train

We train your finance, procurement and compliance teams to run the right checks and read the evidence with confidence.

We audit

We audit the controls you and your suppliers run, against the kinds of tests HMRC, tribunals and auditors apply in real cases.

We evidence

We evidence the outcome in a single, time-stamped file the OPRaaS Virtual Compliance Director platform produces on demand, including risk heat-maps, exception reports and sampling results.

WHAT YOU GET WITH OPRAAS

Practical assurance across your whole labour supply chain.

OPRaaS turns regulatory exposure into a structured, audit-ready asset. Across your agencies, umbrellas and Statement of Work providers, you gain:

Payroll-by-payroll auditing across PAYE, NIC, CIS and IR35.
Fraud detection for holiday-pay abuse, payslip skimming and prohibited models.
Due diligence aligned to the Corporate Criminal Offence of failing to prevent the facilitation of tax evasion under the Criminal Finances Act 2017.
Evidence that supports your reasonable prevention procedures defence under the Criminal Finances Act 2017, where appropriate.
Evidence packs ready for HMRC, the National Audit Office and your internal audit team.

WHY IT MATTERS FOR PUBLIC BODIES

Assurance protects more than the tax position.

For public sector leaders accountable to Parliament, regulators and citizens, a governed supply chain protects four things at once.

Financial

Protect taxpayer funds from fraud, penalties and unplanned tax recovery.

Operational

Safeguard service continuity by keeping critical suppliers compliant.

Reputational

Stay clear of National Audit Office, parliamentary and media scrutiny.

Ethical

Ensure fair pay and prevent worker exploitation in your supply chain.

THE OPRAAS VIRTUAL COMPLIANCE DIRECTOR

A named, retained governance function.

Without hiring a new director-level board member, you gain a senior compliance function that runs the cycle and signs off the evidence, aligned to HMRC’s GfC12 guidance from pre-contract checks through to in-life monitoring. The OPRaaS Virtual Compliance Director (VCD):

Chairs your monthly governance calls, keeping suppliers, risks and actions on one agenda.

Runs the quarterly risk-check cycle on your supplier list: payslips, credit scores, director changes and VAT registration, via Companies House and Creditsafe.

Translates HMRC guidance into action so changes in the rules become tasks, not surprises.

Signs off the daily evidence file that gives your board, your auditors and HMRC a clear view of the checks you run.

APPROVED PROCUREMENT ROUTES

Accessible through UK Government Commercial Agency procurement routes.

OPRaaS is available through the UK Government Commercial Agency, formerly Crown Commercial Service, giving public sector bodies compliant and efficient routes to procure our services.

RM6310
Audit and Assurance Services

Lot 2: External Audit, including PAYE, NIC, IR35 and CIS. Lot 4: Independent Assurance, including governance, ESG and controls.

RM6219 DPS
Learning and Training Services DPS

Compliance training for procurement, HR, finance and operational teams, including workforce and Labour Supply Chain Assurance.

RM6237 DPS
(Low Value Purchase System)

A cost-effective route for smaller LSCA consultancy and training engagements below relevant procurement thresholds.

OPRaaS has operated within live supply chains since 2019.

Our methodology is trusted by councils, NHS Trusts and education bodies. Read more about LSCA compliance and solutions or explore the OPRaaS LSCA self-certification course.

ONLINE LSCA TRAINING

Build your in-house compliance capability.

Enrol your procurement, HR, finance and compliance teams on the OPRaaS LSCA self-certification course and audit platform, already trusted by councils, NHS Trusts and education bodies. The LSCA course builds the in-house capability your teams need to get the most from the Virtual Compliance Director service.

PUBLIC SECTOR VCD INFO PACK

Download the Public Sector VCD Info Pack.

A short, practical guide for public sector buyers: what changed under JSL, how the four-step OPRaaS method works, what the Virtual Compliance Director does, and the Government Commercial Agency routes to engage us.

Complete the short form and we will email a link to the PDF pack straight to your inbox.

Full name

Work email

Organisation

Type of organisation

Privacy consent

I have read and accept the OPRaaS Privacy Policy. I understand OPRaaS will use my details to send the Public Sector VCD Info Pack and respond to my enquiry.

Marketing opt-in

Yes, please keep me updated by email with occasional OPRaaS news, compliance updates and events.

LATEST INSIGHT

Public sector news and analysis.

Recent OPRaaS analysis on labour supply chain assurance for public bodies.

Abstract graphic representing Supplier Due Diligence

Why supplier due diligence is becoming the continuous control public sector buyers can defend.

May 27, 2026

A near-£1bn NHS construction contract in Wales has reopened supplier-integrity questions for every UK public sector buyer.

Why labour supply chain assurance matters when Whitehall is told to buy British.

May 25, 2026

Rachel Reeves has told cabinet colleagues to award government contracts in shipbuilding, steel, energy infrastructure and AI to British companies. For public-sector buyers, the procurement reset moves the same question on to labour supply chains. Labour supply chain assurance is the discipline that lets boards in NHS Trusts, central departments and local authorities evidence who is paying the workforce behind every contract awarded in Britain.

PAYE and NIC compliance review in an Edinburgh end-hirer finance back-office, three colleagues mid-discussion

HMRC’s £471.5bn receipts line continues to raise the bar for PAYE and NIC compliance in 2026

May 22, 2026

PAYE and NIC compliance is no longer a supplier-side payroll assumption. HMRC's latest bulletin puts combined PAYE Income Tax and NIC receipts at £471.5 billion for April 2025 to March 2026, just over half of every pound HMRC collects. With April 2026 Joint and Several Liability moving unpaid umbrella PAYE risk upstream to agencies and end-hirers, board directors are now answering a continuous evidence question, not a one-off supplier-confidence question.

Editorial 3D illustration of an open audit dossier with an OPRaaS Navy band and yellow corner tab, set against a stylised silhouette of nuclear cooling towers, conveying NAO value-for-money scrutiny of public sector labour supply chain assurance

Sizewell C, Value for Money and the Public-Sector Labour Supply Chain

May 20, 2026

The National Audit Office's report on Sizewell C is not only a judgement on one nuclear programme. It is a reminder of how public-sector value for money is tested when risk, cost, delivery and accountability sit across a long chain of suppliers. For public-sector buyers, MSPs and major programme teams, that value-for-money question now reaches directly into the labour supply chain, and the answer is evidence, not reassurance. OPRaaS's Labour Supply Chain Assurance methodology operationalises that evidence discipline through the OPRaaS VCD platform.

PUBLIC SECTOR FAQS

Questions public sector buyers ask.

What does Joint and Several Liability mean for public sector buyers?

Joint and Several Liability (JSL) came into force on 6 April 2026 under the Finance Act 2026 (Chapter 11, Part 2 ITEPA 2003). It is a new umbrella-market measure, distinct from the older PAYE debt transfer powers, that enables HMRC to recover unpaid PAYE and NIC from other parties in the labour supply chain where an umbrella has not met its obligations. In practice, public bodies are now expected to evidence the governance their agencies, umbrellas and Statement of Work providers run on their behalf, and to show how this aligns with HMRC’s GfC12 guidance.

Do our suppliers’ industry accreditations cover us?

Not on their own. HMRC’s GfC12 guidance expects you to run your own risk-based checks and keep an audit trail. Accreditations are a useful signal, but they must be tested and supplemented with your own evidence. The standard has moved from holding a supplier list to demonstrating a governed, evidenced process you can show on demand.

How does OPRaaS work with public sector procurement?

OPRaaS is approved on the UK Government Commercial Agency (formerly Crown Commercial Service): RM6310 Audit and Assurance Services Lots 2 and 4, RM6219 DPS and RM6237 DPS. That gives councils, NHS Trusts and central government a compliant, efficient route to engage us. See LSCA compliance and solutions.

What does the OPRaaS Virtual Compliance Director do?

The OPRaaS Virtual Compliance Director (VCD) is a named, retained governance function. It chairs your monthly governance calls, runs the quarterly risk-check cycle on your supplier list (payslips, credit scores, director changes and VAT registration, via Companies House and Creditsafe), translates HMRC guidance into action and signs off the daily evidence file your board, auditors and HMRC expect to see.

Will this add work for our finance and procurement teams?

No. The point of the OPRaaS VCD is that you gain a senior compliance function that runs the cycle for you, without hiring a new director-level board member. We map, we train, we audit and we evidence, so your teams have a governed process rather than another spreadsheet to maintain.

What evidence will we have for auditors, our board and the NAO?

A single, time-stamped evidence file the OPRaaS VCD platform produces on demand, covering the checks run across your supplier base and the references behind them. It is built to stand up to your internal audit team, the National Audit Office and HMRC.

Is the OPRaaS Info Pack legal or tax advice?

No. This page and the Info Pack are provided for general information and do not constitute legal or tax advice. OPRaaS Virtual Compliance Director services are provided subject to terms and conditions of use; full details are available on request.

Acronym	Full Term	Definition
CFA 2017	Criminal Finances Act 2017	UK legislation introducing Corporate Criminal Offence (sections 45/46): failure to prevent the facilitation of tax evasion. Requires businesses to implement 'reasonable prevention procedures' (RPP). The only defence is having adequate RPP or showing it was not reasonable to expect such procedures.
MSA 2015	Modern Slavery Act 2015	UK legislation mandating supply chain transparency and worker safeguarding. Section 54 requires commercial organisations with ≥£36m turnover to publish annual modern slavery statements (board-approved, signed by director, published on website with prominent homepage link).
IR35	Off-Payroll Working Rules	Tax legislation determining whether a contractor should be treated as employed or self-employed for tax purposes. Since April 2021, medium and large private sector clients must determine contractor status and deduct employment taxes if inside IR35. Requires Status Determination Statement (SDS).
JSL	Joint & Several Liability	2026 legislation imposing strict liability on agencies and end-hirers for umbrella company tax debts, even where due diligence checks have been undertaken. Makes supply chain participants jointly responsible for unpaid PAYE taxes.
AWR	Agency Workers Regulations 2010	UK regulations giving agency workers the right to the same basic working and employment conditions as permanent employees after 12 weeks in a qualifying assignment (12-week parity rule).
Good Work Plan	Good Work Plan 2020	UK employment law reforms requiring written 'section 1 statement' of employment particulars to be given to employees and workers on or before day 1 of engagement (effective 6 April 2020). Sets out key terms but is not itself the contract.
Construction Act	Housing Grants, Construction and Regeneration Act 1996	UK legislation governing payment practices in construction contracts. Section 113 renders "pay when paid" clauses ineffective (except where upstream payer is insolvent). Requires clear due dates, final dates for payment, and compliant payment/pay less notices.
Pensions Act 2008	Pensions Act 2008	UK legislation establishing workplace pension auto-enrolment requirements. Employers must automatically enrol eligible workers into qualifying pension schemes and make minimum contributions.

Acronym	Full Term	Definition
HMRC	HM Revenue & Customs	UK government department responsible for tax collection, payment of tax credits and benefits, and enforcement of tax law. Operates PAYE, CIS, RTI systems and conducts compliance audits. Business Tax Account provides reconciliation data.
GLAA	Gangmasters and Labour Abuse Authority	UK government body regulating labour providers in certain sectors (agriculture, horticulture, shellfish gathering, food processing/packaging) and investigating worker exploitation. Operates licensing regime and has criminal investigation powers. Hotline: 0800 432 0804 (03000 718234 out of hours).
ICO	Information Commissioner's Office	UK independent authority upholding information rights. Enforces UK GDPR and Data Protection Act 2018. Personal data breaches must be reported to ICO within 72 hours where there's risk to individuals' rights. Provides guidance on lawful bases, DSARs, and data-sharing.
CITB	Construction Industry Training Board	Industry body that collects levy from construction employers (payroll ≥£80k in PAYE in last tax year, or ≥£80k net CIS payments) and provides training grants. CITB levy compliance is audited in construction-focused compliance audits.

Acronym	Full Term	Definition
PAYE	Pay As You Earn	HMRC's system for collecting Income Tax and National Insurance Contributions from employees' wages. Employers deduct tax before paying employees, then remit to HMRC. Operates under Real Time Information (RTI) reporting requirements.
CIS	Construction Industry Scheme	Tax deduction scheme for payments to subcontractors in construction industry. Contractors must verify subcontractors with HMRC before first payment and make deductions (20% for verified, 30% for unverified) on labour element only (excluding VAT and allowable materials). CIS300 returns due by 19th following tax month.
GPS	Gross Payment Status	CIS status allowing subcontractors to be paid without deductions. Must apply to HMRC and meet compliance tests (business test, turnover test, compliance test). Contractors must verify GPS and keep evidence; continue to file CIS300 but make no deduction.
CIS300	CIS Monthly Return	HMRC return submitted by contractors detailing total payments made to each subcontractor and CIS tax deductions applied. Must be filed by the 19th following the tax month (6th–5th). Should reconcile to subcontractor statements and bank payments.
CIS340	CIS340 Guidance	HMRC's official guidance document defining what constitutes 'construction operations' for CIS purposes. Only work qualifying under CIS340 can legitimately be paid through the Construction Industry Scheme. Includes site preparation, construction, alteration, repairs, demolition.
RTI	Real Time Information	HMRC system requiring employers to report PAYE information at or before each pay run. Consists of Full Payment Submission (FPS) for regular pay data and Employer Payment Summary (EPS) for adjustments/recoveries. Must reconcile to payslips and Business Tax Account.
FPS	Full Payment Submission	RTI submission reporting gross taxable pay, Income Tax, and NICs for each employee on each payday. FPS values must match payslips. Should not be used to mask under-deductions.
EPS	Employer Payment Summary	RTI submission used only for adjustments, such as recoveries, statutory payments, employment allowance claims, or apprenticeship levy. Should not be used to mask PAYE under-deductions.
Bacs	Bankers' Automated Clearing Services	UK electronic payment system used for direct debits and credits, including salary payments. Net pay on payslip must match Bacs transfer to worker's bank account. Never use "BACS" (incorrect).
UTR	Unique Taxpayer Reference	10-digit number issued by HMRC to identify individuals and businesses for tax purposes. Required for CIS verification and self-assessment tax returns. Note: UTR alone isn't proof of CIS verification; contractor must verify with HMRC before first payment.
NIC / NICs	National Insurance Contributions	UK social security tax paid by employees (via PAYE), employers (as on-costs), and the self-employed (Class 2/4 via self-assessment). Funds state benefits including state pension, statutory sick pay, and maternity allowance. CIS deductions are payments on account of Income Tax and Class 4 NICs.
NMW	National Minimum Wage	Legal minimum hourly rate employers must pay workers in the UK. Rates vary by age band. Post-deduction pay (after deductions for employer's own use/benefit) must not fall below NMW. Records must be kept for 6 years.
NLW	National Living Wage	Higher rate of National Minimum Wage for workers aged 21 and over. Often referred to together as "NMW/NLW". Different from voluntary Real Living Wage calculated by Living Wage Foundation.
AE	Auto-Enrolment (Pensions)	Workplace pension scheme where employers must automatically enrol eligible workers (aged 22+ to state pension age, earning ≥£10k annually) into a qualifying pension. Minimum contributions, opt-out rights, and re-enrolment (every 3 years) required.
P45	P45 (Leaving Employment)	HMRC form given to employees when they leave employment, showing pay and tax details for the year to date. New employer uses P45 to operate correct tax code. Emergency codes (e.g., 1257L W1/M1) apply without P45/P6.

Acronym	Full Term	Definition
DRC	Domestic Reverse Charge (VAT)	VAT mechanism for construction services where the customer accounts for VAT instead of the supplier. Applies to most construction services under CIS340. Designed to combat missing trader fraud in construction supply chains.
Kittel	Kittel Principle	EU/UK legal principle that a taxpayer who knew or should have known their transaction was connected to VAT fraud may be denied the right to deduct input VAT. Creates due diligence obligations for supply chain participants.
DR	Disguised Remuneration	Tax avoidance arrangements designed to pay individuals while avoiding income tax and NICs, often involving loans, offshore entities, or trusts. HMRC actively targets such schemes. Loan charge applies to outstanding loans.

Acronym	Full Term	Definition
SDC	Supervision, Direction or Control	Key factor in determining employment status under agency rules (ITEPA 2003 s44). If a worker is under supervision, direction or control by any person (client, agency, end-hirer) over how they work, PAYE must be operated. SDC alone is not the general CIS status test—apply usual status tests (control, substitution, mutuality).
MOO	Mutuality of Obligation	Employment status indicator examining whether the employer is obliged to provide work and the worker is obliged to accept it. Absence of MOO suggests self-employment; presence suggests employment.
SDS	Status Determination Statement	Document required under IR35 reforms (April 2021) where medium/large clients must provide written reasons for their determination of a contractor's employment status for tax purposes. Must be given before contract starts or worker begins work.
CEST	Check Employment Status for Tax	HMRC's online tool for determining whether a worker should be classified as employed or self-employed for tax purposes. Results are binding on HMRC if information provided is accurate and not relating to highly complex arrangements.
PSC	Personal Service Company	Limited company through which a contractor provides their services. Often used by contractors working outside IR35, but subject to IR35 rules if the underlying relationship is one of employment. Requires SDS from medium/large clients.
KID	Key Information Document	Plain-English factsheet (not a contract) that agencies must give to workers before they agree to an assignment (Conduct of Employment Agencies and Employment Businesses Regulations 2003). Includes worked pay illustration, deductions, who pays the worker, benefits. Must be updated within 5 working days of any change.
ITEPA 2003	Income Tax (Earnings and Pensions) Act 2003	UK tax legislation governing employment income. Section 44 contains agency rules requiring PAYE where worker is under SDC. Section 61N–61R cover off-payroll working (IR35) for public sector and (from 2021) medium/large private sector.
DBS	Disclosure and Barring Service	UK government service providing criminal record checks for employment purposes (particularly roles working with children or vulnerable adults). Processing DBS data requires DPA 2018 Schedule 1 condition and appropriate policy document.

Acronym	Full Term	Definition
UK GDPR	UK General Data Protection Regulation	UK data protection law (retained EU law post-Brexit) governing processing of personal data. Requires lawful basis (Art 6), data minimisation, security, transparency (Arts 13-14), and respect for data subject rights. Works alongside Data Protection Act 2018.
DPA 2018	Data Protection Act 2018	UK legislation supplementing UK GDPR. Schedule 1 sets conditions for processing special category data (health, biometric, union membership) and criminal offence data (e.g., DBS checks). Provides exemptions (crime prevention, tax collection, legal professional privilege).
DSAR	Data Subject Access Request	Individual's right under Art 15 UK GDPR to obtain copy of their personal data. Must respond within one month (extendable by 2 months for complex requests). Usually no fee. Must verify identity proportionately.
DPO	Data Protection Officer	Required role for public authorities or organisations conducting large-scale systematic monitoring or processing special category data (Art 37). Oversees data protection compliance, advises on DPIAs, and acts as contact point for ICO and data subjects.
LIA	Legitimate Interests Assessment	Assessment required when relying on legitimate interests (Art 6(1)(f)) as lawful basis. Three-part test: identify legitimate interest → demonstrate necessity → balancing test (interests vs individual rights). Appropriate for audit/assurance; avoid consent for audits.
DPIA	Data Protection Impact Assessment	Required assessment where processing is likely to result in high risk to individuals (Art 35). Must complete for large-scale, systematic monitoring or extensive special category data processing. Documents risks, mitigation measures, and necessity/proportionality.
RoPA	Records of Processing Activities	GDPR requirement (Art 30) documenting all personal data processing activities. Must include purposes, lawful bases, data categories, recipients, retention periods, security measures, and international transfers. Must be available to ICO on request.
IDTA	International Data Transfer Agreement	UK mechanism for lawfully transferring personal data outside the UK (replacing EU Standard Contractual Clauses post-Brexit). Required unless recipient country has adequacy decision or other derogation applies. Alternative: UK Addendum to EU SCCs.
SCCs	Standard Contractual Clauses	EU Commission-approved contract templates for international data transfers. For UK data exports, use UK Addendum to EU SCCs or UK IDTA.
Art 28 DPA	Article 28 Data Processing Agreement	Mandatory contract between controller and processor (Art 28 UK GDPR). Must cover: subject matter, duration, data types, processing instructions, confidentiality, security, sub-processors, data subject rights assistance, breach notification, data deletion/return, audit rights.
Art 26	Article 26 (Joint Controllers)	UK GDPR provision for parties who jointly determine purposes and means of processing. Requires arrangement setting out respective responsibilities, data subject rights, and contact points. Different from controller-processor (Art 28) or controller-controller data-sharing.
Controller	Data Controller	Organisation that determines the purposes and means of processing personal data. Bears primary GDPR obligations. Agencies, umbrellas, and end-hirers usually act as independent controllers for their own audit/compliance purposes.

Acronym	Full Term	Definition
Instance	Audit Form Instance	Individual audit submission. Users can create unlimited instances, each stored as WordPress custom post type with responses in wp_opraas_audit_responses table. Assigned to logged-in user via post_author field.
Completion	Completion Score	Frontend metric showing percentage of questions answered (any answer counts). Includes ALL sections: Section 1 checkbox, Section 2 (8 fields), Declaration (7 fields), and all audit questions. N/A responses count as answered.
Compliance	Compliance Score	Backend metric measuring quality of compliance. Scoring: Yes=5 points, No=0 points, N/A=0 points (excluded from maximum), Don't Know=1 point. EXCLUDES Sections 1, 2, and Declaration entirely. ≥80% = Compliant, 60-79% = Partially Compliant, <60% = Non-Compliant.
Evidence	Evidence Files	Supporting documents uploaded to substantiate audit responses. Stored in AWS S3 via WP Offload Media plugin, with Evidence Table providing S3-aware ZIP downloads that temporarily download from cloud before adding to archives.
Red Flags	Red Flags	Warning indicators in audit questions identifying practices that may indicate non-compliance, fraud risk (phoenixism, MUCs, disguised remuneration), or regulatory breaches requiring immediate attention and remediation.