Umbrella Self-Assessment PAYE Audit

Important Information

This Umbrella PAYE Self-Audit is designed to help umbrella companies evidence compliance with HMRC’s Labour Supply Chain Assurance standards.

It covers key risk areas including PAYE operation, tax deduction accuracy, employment rights, and obligations under the Criminal Finances Act 2017, the Modern Slavery Act 2015, and off-payroll legislation.

It also supports 2026 Joint & Several Liability (JSL) readiness, and identifies exposure to hybrid pay models or purported umbrella structures that may disguise employment or avoid tax obligations.

If supported by documentation, this self-assessment can demonstrate:

  • That PAYE is operated lawfully and transparently
  • That reasonable procedures are in place under CFA 2017
  • That employment rights, payroll deductions, and employer responsibilities are properly fulfilled

Evidence Expectations

Self-certification must reflect real practice. HMRC or agencies may request payslips, BACS evidence, contracts, and audit logs.

In an HMRC audit, superficial responses, unsupported answers, and box-ticking will not meet compliance standards. HMRC may request contracts, remittances, audit logs, and onboarding evidence.

By using the form, you acknowledge acceptance of OPRaaS LTD’s data handling policies and terms and conditions of use.

info@opraas.co.uk

User and Company Details

Please enter the company details for the entity you are auditing. If you are performing a Self-Assessment, please insert your own company details here.

Section 1 – Corporate Legitimacy & Structure

This section confirms that the umbrella company is legally established, correctly registered, and operationally transparent.

HMRC and agency clients expect robust due diligence on legal status, PAYE registration, VAT compliance, and corporate branding.


001. Is the company registered with Companies House and details up-to-date? — Justification: Confirms legal status and transparency. Red Flags: Dormant filings, overdue accounts, frequent officer changes, SIC codes inconsistent with payroll activity.

Select answer

Upload evidence for HMRC

Companies House screenshot/printout (status, directors, SIC code)

Short reason if answered N/A

Comments / Notes (Optional)

002. Are trading names used consistently across correspondence, payslips, and contracts? — Justification: Prevents misrepresentation and supply chain layering. Red Flags: Different trading names on contracts vs payslips.

Select answer

Upload evidence for HMRC

Sample contracts, payslips, onboarding emails

Short reason if answered N/A

Comments / Notes (Optional)

003. Is the Certificate of Incorporation available? — Justification: Confirms corporate legitimacy. Red Flags: Unable/unwilling to share certificate.

Select answer

Upload evidence for HMRC

PDF or hard copy of certificate

Short reason if answered N/A

Comments / Notes (Optional)

004. Have all annual accounts and company tax filings been submitted on time? — Justification: Demonstrates financial compliance. Red Flags: Late filings, insolvency history, repeat phoenixing.

Select answer

Upload evidence for HMRC

HMRC / Companies House filing confirmations

Short reason if answered N/A

Comments / Notes (Optional)

005. Is VAT registration active and details current? — Justification: Shows VAT legitimacy. Red Flags: VAT deregistration, mismatch between company details and VAT number.

Select answer

Upload evidence for HMRC

VAT certificate, GOV.UK VAT check

Short reason if answered N/A

Comments / Notes (Optional)

006. Is the PAYE scheme registered and active? — Justification: Confirms PAYE employer status. Red Flags: Multiple PAYE schemes without rationale (mini umbrella risk).

Select answer

Upload evidence for HMRC

HMRC PAYE reference letter or Government Gateway dashboard

Short reason if answered N/A

Comments / Notes (Optional)

007. Are you a member of a professional compliance body (e.g., FCSA)? — Justification: Demonstrates voluntary adherence to best practice. Red Flags: False claims of membership.

Select answer

Upload evidence for HMRC

Membership certificate, compliance audit summary

Short reason if answered N/A

Comments / Notes (Optional)

008. Is your membership valid and up to date? — Justification: Demonstrates ongoing independent scrutiny. Red Flags: Lapsed membership, exclusions from scope.

Select answer

Upload evidence for HMRC

Renewal notice, website verification

Short reason if answered N/A

Comments / Notes (Optional)

Section 2 – Director Integrity & Group Transparency

This section assesses the credibility and transparency of the individuals controlling the umbrella company and its connected entities.

It helps uncover hidden risks such as disqualified directors, repeated insolvencies, or directors involved in non-compliant umbrella schemes.


001. Have all directors/officers been confirmed for name, address, and status? — Justification: Confirms leadership legitimacy. Red Flags: Overseas controllers with no UK footprint; false addresses; unverifiable ID.

Select answer

Upload evidence for HMRC

Companies House officer listings, internal director registers, ID/address checks (redacted if required)

Short reason if answered N/A

Comments / Notes (Optional)

002. Can you confirm that no director or officer has ever been disqualified, investigated, or insolvent without context? — Justification: Protects against phoenixing and high-risk controllers. Red Flags: Undeclared disqualifications, multiple insolvent entities.

Select answer

Upload evidence for HMRC

Director disqualification search results, voluntary declarations with explanations

Short reason if answered N/A

Comments / Notes (Optional)

003. Can you confirm that no director holds simultaneous roles in previously non-compliant umbrellas? — Justification: Prevents links to high-risk models. Red Flags: Directorships linked to mini umbrellas, disguised remuneration schemes, offshore tax abuse.

Select answer

Upload evidence for HMRC

Directorship history matrix, compliance history checks

Short reason if answered N/A

Comments / Notes (Optional)

004. Can you confirm that no directors are under HMRC/FCA investigation across associated companies? — Justification: Confirms integrity of group structure. Red Flags: Ongoing HMRC/FCA investigations, VAT loss notices, or criminal finance probes.

Select answer

Upload evidence for HMRC

Declarations of investigations with outcomes, internal due diligence logs

Short reason if answered N/A

Comments / Notes (Optional)

Section 3 – Financial Operations & Worker Pay Protection

This section demonstrates tax flow integrity and segregation of worker funds, and identifies red flags such as offshore risk or frozen accounts.

It meets standards in CFA 2017 and HMRC guidance.


001. Is a UK-based business bank account used exclusively? — Justification: Ensures payroll funds are properly controlled. Red Flags: Offshore/third-party accounts; overseas directors; use of e-wallets.

Select answer

Upload evidence for HMRC

Bank letter, bank statements

Short reason if answered N/A

Comments / Notes (Optional)

002. Are worker payments made directly to individual UK personal accounts? — Justification: Confirms pay integrity. Red Flags: Shared/pooled bank accounts; multiple workers on one account (exploitation risk).

Select answer

Upload evidence for HMRC

BACS logs, payroll reports

Short reason if answered N/A

Comments / Notes (Optional)

003. Do you use any offshore entities or accounts to pay workers? — Justification: Ensures transparency of financial flows. Red Flags: Payments routed offshore; hidden processors; tax avoidance vehicles.

Select answer

Upload evidence for HMRC

Ownership structure, payment processor overview

Short reason if answered N/A

Comments / Notes (Optional)

004. Are client or ring-fenced accounts used for worker pay and liabilities? — Justification: Confirms protection of deductions and PAYE funds. Red Flags: Deductions mixed with company operating cash.

Select answer

Upload evidence for HMRC

Bank setup confirmation, audit notes

Short reason if answered N/A

Comments / Notes (Optional)

005. Are segregation controls in place to prevent co-mingling of employer funds and worker deductions? — Justification: Ensures liabilities are not misused. Red Flags: No separation; worker deductions used for cashflow.

Select answer

Upload evidence for HMRC

Bank structure diagrams, finance SOPs

Short reason if answered N/A

Comments / Notes (Optional)

006. Are audit trails in place for PAYE and NIC under the Criminal Finances Act? — Justification: Confirms compliance with CFA 2017. Red Flags: No payroll audit logs; incomplete HMRC records.

Select answer

Upload evidence for HMRC

Audit logs, payroll software screenshots

Short reason if answered N/A

Comments / Notes (Optional)

007. Have you ever had accounts frozen or investigated by regulators? — Justification: Identifies high-risk history. Red Flags: HMRC veto notices; FCA action; account freezes.

Select answer

Upload evidence for HMRC

HMRC/FCA correspondence, internal reports

Short reason if answered N/A

Comments / Notes (Optional)

008. Do you outsource any services such as payroll, RTW checks, or pension processing? — Justification: Ensures outsourced risk is transparent. Red Flags: Hidden subcontractors; overseas processors.

Select answer

Upload evidence for HMRC

Supplier register, contracts

Short reason if answered N/A

Comments / Notes (Optional)

009. Are all outsourced providers covered by current contracts/SLAs and reviewed at least annually? — Justification: Confirms governance of outsourcing. Red Flags: No SLAs; no supplier reviews.

Select answer

Upload evidence for HMRC

Supplier contracts, SLA reviews

Short reason if answered N/A

Comments / Notes (Optional)

010. Are subcontractor relationships disclosed to clients and workers? — Justification: Ensures transparency in supply chain. Red Flags: Agencies/workers unaware of subcontractors.

Select answer

Upload evidence for HMRC

Onboarding packs, agency agreements

Short reason if answered N/A

Comments / Notes (Optional)

011. Are internal spot-checks or audits carried out on payment processes? — Justification: Ensures proactive prevention of payroll errors. Red Flags: No internal QA; anomalies unchecked.

Select answer

Upload evidence for HMRC

Audit logs, QA check records

Short reason if answered N/A

Comments / Notes (Optional)

Section 4 – PAYE Operations, RTI & Payroll Integrity

This section demonstrates the correct handling of PAYE, RTI and all employment tax elements.

This is core to HMRC’s Labour Supply Chain assurance.


001. Are all earnings subject to PAYE tax and NIC in line with HMRC requirements? — Justification: Confirms lawful operation of PAYE. Red Flags: Net-to-gross schemes, “loan” or “credit” elements, sham allowances.

Select answer

Upload evidence for HMRC

Sample payslips, payroll journals

Short reason if answered N/A

Comments / Notes (Optional)

002. Is Employer’s NIC correctly calculated and not passed to workers? — Justification: Protects workers from unlawful deductions. Red Flags: Employer NIC shown as deduction on payslips.

Select answer

Upload evidence for HMRC

Payroll summary showing NIC borne by employer

Short reason if answered N/A

Comments / Notes (Optional)

003. Do you cross-check gross pay calculations with assignment rate after accounting for employer costs? — Justification: Prevents disguised deductions or inflated margins. Red Flags: Deductions not reconcilable; margins inconsistent.

Select answer

Upload evidence for HMRC

Margin breakdowns, payslip audit trail

Short reason if answered N/A

Comments / Notes (Optional)

004. Are all bonuses, extras, and taxable expenses included in PAYE/NIC? — Justification: Ensures full tax capture. Red Flags: Untaxed bonuses; routine “expenses” offsetting gross pay.

Select answer

Upload evidence for HMRC

Bonus/expense policies, payroll logs

Short reason if answered N/A

Comments / Notes (Optional)

005. Are RTI submissions timely and complete each pay period? — Justification: Confirms HMRC RTI compliance. Red Flags: Late FPS/EPS filings, submission gaps.

Select answer

Upload evidence for HMRC

FPS/EPS reports, HMRC submission receipts

Short reason if answered N/A

Comments / Notes (Optional)

006. Are regular audits conducted on RTI submissions and payroll accuracy? — Justification: Provides assurance over reporting. Red Flags: No independent review; unresolved discrepancies.

Select answer

Upload evidence for HMRC

RTI audit schedules, reports

Short reason if answered N/A

Comments / Notes (Optional)

007. Have there been any HMRC payroll/NIC investigations, and have they been resolved? — Justification: Identifies regulatory history and response. Red Flags: Ongoing HMRC disputes; unpaid settlements.

Select answer

Upload evidence for HMRC

HMRC correspondence, settlement agreements

Short reason if answered N/A

Comments / Notes (Optional)

Section 5 – Pension & Salary Sacrifice Compliance

This section ensures transparency around auto-enrolment pensions and salary sacrifice schemes, especially in relation to Employer NICs and take-home pay.

This is a growing area of HMRC and BEIS scrutiny due to concerns over disguised deductions and mis-selling.


001. Do you offer a non-salary sacrifice pension option? — Justification: Ensures workers can access auto-enrolment without coercion. Red Flags: Only salary sacrifice offered; no alternative scheme.

Select answer

Upload evidence for HMRC

Pension opt-in forms, worker guidance documents

Short reason if answered N/A

Comments / Notes (Optional)

002. Do you operate any salary sacrifice arrangements for pensions or other benefits? — Justification: Confirms transparency of arrangements. Red Flags: Salary sacrifice marketed as “boosting take-home pay.”

Select answer

Upload evidence for HMRC

Scheme overview, employee communication samples

Short reason if answered N/A

Comments / Notes (Optional)

003. Do you ensure that salary sacrifice does not reduce pay below NMW thresholds? — Justification: Prevents unlawful reduction in pay. Red Flags: Payslips showing take-home below NMW after sacrifice.

Select answer

Upload evidence for HMRC

Payslip modelling, NMW compliance logs

Short reason if answered N/A

Comments / Notes (Optional)

004. Is the impact on take-home pay clearly explained to workers before enrolment? — Justification: Protects against mis-selling. Red Flags: No financial illustrations; no signed consent.

Select answer

Upload evidence for HMRC

Take-home pay illustrations, opt-in declarations

Short reason if answered N/A

Comments / Notes (Optional)

005. Are employer NIC savings retained or passed back to the worker? — Justification: Confirms fairness in handling employer savings. Red Flags: NIC savings withheld with no disclosure.

Select answer

Upload evidence for HMRC

Policy documents, payroll evidence

Short reason if answered N/A

Comments / Notes (Optional)

006. If employer NIC savings are retained or passed back to the worker, is this communicated to the worker? — Justification: Ensures transparency of employer cost treatment. Red Flags: Workers unaware of NIC savings or how they’re applied.

Select answer

Upload evidence for HMRC

Payslip annotations, employee benefit summaries

Short reason if answered N/A

Comments / Notes (Optional)

Section 6 – Expenses, Subsistence & Reimbursement

This section ensures the umbrella’s expense and travel policies comply with ITEPA and HMRC rules.

It helps prevent disguised remuneration, protects against abuse of tax relief, and supports transparency for workers.


001. Do you reimburse expenses only when genuinely incurred? — Justification: Ensures compliance with ITEPA rules and prevents disguised remuneration. Red Flags: Blanket expense allowances, no receipts required, expenses used to inflate take-home pay.

Select answer

Upload evidence for HMRC

Sample expense claim forms, internal reimbursement policy

Short reason if answered N/A

Comments / Notes (Optional)

002. Are receipts and supporting documents collected and retained? — Justification: Provides audit trail and HMRC defensibility. Red Flags: Missing receipts; generic or duplicate receipts; reliance only on worker declarations.

Select answer

Upload evidence for HMRC

Receipt logs, scanned receipt samples, audit trail records

Short reason if answered N/A

Comments / Notes (Optional)

003. Is the scheme compliant with ITEPA 339A/289A rules? — Justification: Confirms legal adherence to allowable expenses. Red Flags: Home-to-work travel reimbursed tax-free; subsistence routinely reimbursed without justification.

Select answer

Upload evidence for HMRC

HMRC guidance cross-referenced policy, legal review statement

Short reason if answered N/A

Comments / Notes (Optional)

004. Do expenses undergo spot-checks or auditing? — Justification: Confirms internal controls against abuse. Red Flags: No spot-checks; repeated high-value claims; lack of audit log.

Select answer

Upload evidence for HMRC

Expense audit log, checklist template, spot-check policy

Short reason if answered N/A

Comments / Notes (Optional)

005. Can you confirm that travel-to-work is never paid tax-free under PAYE? — Justification: Travel to the ordinary workplace is not allowable for tax relief. Red Flags: Routine home-to-site commuting expenses paid gross.

Select answer

Upload evidence for HMRC

Payslip samples, compliance notes referencing HMRC travel rules

Short reason if answered N/A

Comments / Notes (Optional)

006. Are workers notified of what can and can’t be claimed? — Justification: Provides transparency for workers and reduces disputes. Red Flags: No handbook; onboarding omits expense rules; workers unclear on entitlements.

Select answer

Upload evidence for HMRC

Worker handbook, induction materials, expense guidance

Short reason if answered N/A

Comments / Notes (Optional)

Section 7 – Worker Rights & Consent

This section ensures the umbrella is meeting obligations under the Agency Workers Regulations (AWR) 2010, Working Time Regulations (WTR) 1998, and the Employment Rights Act 1996.

It verifies transparency in deductions, correct handling of holiday pay, and parity of rights after 12 weeks.


001. Do you provide Key Information Documents (KIDs) before assignments? — Justification: Ensures workers understand pay, fees, and deductions before starting. Red Flags: Missing or inconsistent KIDs.

Select answer

Upload evidence for HMRC

Sample KID, onboarding checklist

Short reason if answered N/A

Comments / Notes (Optional)

002. Are all deductions, holiday pay, and pension contributions itemised on payslips? — Justification: Confirms cost transparency. Red Flags: Generic “admin fees,” unclear deductions.

Select answer

Upload evidence for HMRC

Sample payslips, payroll reports

Short reason if answered N/A

Comments / Notes (Optional)

003. Do payslips correctly show statutory holiday accrual or pay? — Justification: Ensures WTR compliance. Red Flags: Rolled-up holiday, missing accruals.

Select answer

Upload evidence for HMRC

Payslip examples, holiday policy

Short reason if answered N/A

Comments / Notes (Optional)

004. Are all accrued but untaken holidays paid out in full when a worker leaves? — Justification: Protects statutory entitlement. Red Flags: Complaints from leavers; unpaid balances.

Select answer

Upload evidence for HMRC

Final payslips, holiday pay policy

Short reason if answered N/A

Comments / Notes (Optional)

005. Do you track 12-week parity under AWR, and share it with the worker/agency? — Justification: Confirms compliance with Agency Workers Regulations. Red Flags: No parity tracking; reliance on agency assurances.

Select answer

Upload evidence for HMRC

AWR tracker, parity confirmation emails

Short reason if answered N/A

Comments / Notes (Optional)

006. Do you receive and review comparator rate details from the agency/end-client? — Justification: Ensures AWR pay parity is accurate. Red Flags: Comparator data missing or ignored.

Select answer

Upload evidence for HMRC

Comparator evidence, client emails

Short reason if answered N/A

Comments / Notes (Optional)

007. Are legacy Regulation 10 contracts no longer used post-April 2020? — Justification: Confirms legislative compliance. Red Flags: Old templates still used.

Select answer

Upload evidence for HMRC

Archived contracts, update policy

Short reason if answered N/A

Comments / Notes (Optional)

008. Is indemnity and insurance in place for holiday and AWR liabilities? — Justification: Protects against worker claims. Red Flags: No cover; exclusions.

Select answer

Upload evidence for HMRC

Insurance schedules, indemnity clauses

Short reason if answered N/A

Comments / Notes (Optional)

009. Are all deductions (margin, admin fees) explained and agreed before first payment? — Justification: Ensures informed consent on pay. Red Flags: Surprise deductions; hidden fees.

Select answer

Upload evidence for HMRC

KIDs, disclosure forms

Short reason if answered N/A

Comments / Notes (Optional)

010. Do workers receive a breakdown of employment rights and responsibilities? — Justification: Strengthens transparency. Red Flags: No rights summary given to workers.

Select answer

Upload evidence for HMRC

Rights summary docs, statutory notices

Short reason if answered N/A

Comments / Notes (Optional)

011. Are workers asked to reconfirm understanding of deductions annually? — Justification: Maintains ongoing consent. Red Flags: One-off consent only.

Select answer

Upload evidence for HMRC

Annual consent forms, LMS survey

Short reason if answered N/A

Comments / Notes (Optional)

012. Do you collect signed acknowledgment of terms from workers? — Justification: Evidences agreement. Red Flags: Missing signatures; disputes over deductions.

Select answer

Upload evidence for HMRC

Signed consent forms, e-signature logs

Short reason if answered N/A

Comments / Notes (Optional)

013. Do you disclose any financial relationships with agencies or service providers (e.g., pensions)? — Justification: Prevents conflicts of interest. Red Flags: Hidden referral commissions.

Select answer

Upload evidence for HMRC

Referral contracts, financial agreements

Short reason if answered N/A

Comments / Notes (Optional)

014. Do you or your directors hold any beneficial interest in providers recommended to workers? — Justification: Confirms independence. Red Flags: Undeclared ownership stakes.

Select answer

Upload evidence for HMRC

Declaration of interests, Companies House checks

Short reason if answered N/A

Comments / Notes (Optional)

Section 8 – Dispute, Complaint Handling & Record-Keeping

This section ensures the umbrella has robust grievance handling procedures, supports early resolution of disputes, and complies with employment tribunal protocols.

It also demonstrates the umbrella’s commitment to root-cause analysis, proper record-keeping, and transparency – all key to audit readiness and good governance.


001. Do you log worker or client complaints systematically? — Justification: Service quality. Red Flags: Ad-hoc inboxes; no unique IDs; no trends.

Select answer

Upload evidence for HMRC

Complaints register / CRM export.

Short reason if answered N/A

Comments / Notes (Optional)

002. Are SLAs and escalation protocols documented for complaint resolution? — Justification: Response control. Red Flags: No timelines; unclear owners.

Select answer

Upload evidence for HMRC

SOPs; SLA matrices; process map.

Short reason if answered N/A

Comments / Notes (Optional)

003. Do you offer an early conciliation or ACAS-style process? — Justification: Early resolution. Red Flags: Immediate legal threats; no mediation route.

Select answer

Upload evidence for HMRC

EC policy; ACAS correspondence.

Short reason if answered N/A

Comments / Notes (Optional)

004. Is root-cause analysis carried out and fed into process improvement? — Justification: Continuous improvement. Red Flags: Repeat issues; no CAPA.

Select answer

Upload evidence for HMRC

RCA templates; CAPA logs; minutes.

Short reason if answered N/A

Comments / Notes (Optional)

005. Have there been any employment tribunal or ACAS claims over the last 3 years? — Justification: Litigation risk. Red Flags: Patterned claims; similar causes.

Select answer

Upload evidence for HMRC

ET1 summaries; settlements; ACAS refs.

Short reason if answered N/A

Comments / Notes (Optional)

006. Are records retained in line with retention requirements? — Justification: Data governance. Red Flags: Missing files; expired retention.

Select answer

Upload evidence for HMRC

Retention policy; destruction logs.

Short reason if answered N/A

Comments / Notes (Optional)

007. Do you operate a feedback system to collect worker views on pay accuracy and service? — Justification: Worker voice. Red Flags: No surveys; low response without follow-up.

Select answer

Upload evidence for HMRC

Survey results; templates; action reports.

Short reason if answered N/A

Comments / Notes (Optional)

Section 9 – Tax Risk & VAT Assurance (IR35, Disguised Remuneration, Reverse Charge, Input VAT)

This section addresses HMRC’s core tax enforcement risks. It ensures the umbrella avoids high-risk tax schemes, applies the correct VAT treatment (especially under CIS via Domestic Reverse Charge), and maintains appropriate controls for both output and input VAT.

This supports off-payroll IR35 compliance, identifies disguised remuneration risks, and aligns with expectations under the Kittel Principle to prevent VAT fraud.


001. Do you operate disguised remuneration or offshore loan/pension schemes? — Justification: Prevents tax avoidance models. Red Flags: Net-to-gross schemes, loans, allowances, or “non-taxable” income elements.

Select answer

Upload evidence for HMRC

Scheme declarations, GAAR/Spotlight checks, assurance statements

Short reason if answered N/A

Comments / Notes (Optional)

002. Do you challenge client IR35 determinations and support appeals? — Justification: Ensures IR35 compliance and protects workers. Red Flags: Blanket determinations, no SDS disputes raised.

Select answer

Upload evidence for HMRC

SDS disagreement logs, contractor communications

Short reason if answered N/A

Comments / Notes (Optional)

003. Is Domestic Reverse Charge (DRC) VAT considered where applicable (e.g., CIS)? — Justification: Confirms correct VAT treatment. Red Flags: Incorrect VAT on CIS invoices, failure to apply DRC.

Select answer

Upload evidence for HMRC

Sample CIS VAT invoices, VAT treatment policy

Short reason if answered N/A

Comments / Notes (Optional)

004. Do you conduct annual IR35 and DRC risk mapping across all client verticals? — Justification: Identifies risk exposure. Red Flags: No IR35 risk mapping, no VAT/CIS risk assessment.

Select answer

Upload evidence for HMRC

Risk map report, SDS logs, compliance summaries

Short reason if answered N/A

Comments / Notes (Optional)

005. Are you VAT-registered, and is your VAT registration number valid and active? — Justification: Confirms VAT legitimacy. Red Flags: VAT deregistration, mismatched details, VAT veto.

Select answer

Upload evidence for HMRC

VAT certificate, GOV.UK VAT check

Short reason if answered N/A

Comments / Notes (Optional)

006. Do your invoices clearly show your VAT number and VAT breakdown? — Justification: Ensures outward VAT compliance. Red Flags: Invoices missing VAT breakdown or VAT number.

Select answer

Upload evidence for HMRC

Invoice samples with VAT breakdown

Short reason if answered N/A

Comments / Notes (Optional)

007. Are input VAT claims made only against legitimate, VAT-eligible expenses with valid invoices? — Justification: Prevents incorrect VAT reclaims. Red Flags: No proof of payment; invoices not VAT-compliant.

Select answer

Upload evidence for HMRC

Invoices, proof of payment, VAT ledger

Short reason if answered N/A

Comments / Notes (Optional)

008. Have you ever been deregistered, re-registered, or subject to a VAT veto, tax loss, or deregistration notice? — Justification: Identifies historical risk. Red Flags: VAT deregistration due to tax loss or phoenix activity.

Select answer

Upload evidence for HMRC

HMRC correspondence, deregistration notices

Short reason if answered N/A

Comments / Notes (Optional)

009. Are you aware of the Kittel Principle and your legal obligations to detect and avoid VAT fraud in your chain? — Justification: Confirms awareness of supply chain fraud risks. Red Flags: No training; no supplier due diligence.

Select answer

Upload evidence for HMRC

Signed acknowledgments, VAT fraud prevention policy, training evidence

Short reason if answered N/A

Comments / Notes (Optional)

Section 10 – Hybrid Pay Models (PAYE/CIS/PSC Mixes)

This section helps umbrella companies assess whether their own hybrid models (e.g., PAYE/CIS, PAYE/PSC) may risk breaching employment status laws, facilitating disguised remuneration, or triggering Joint & Several Liability (JSL) under the 2026 reforms.

It ensures transparency in worker classification, defends against HMRC scrutiny, and satisfies obligations under the Criminal Finances Act 2017.


001. Do you operate or promote any hybrid models involving PAYE + CIS or PAYE + Ltd/PSC engagement? — Justification: Identifies use of non-standard models that may conceal off-payroll working. Red Flags: Marketing “higher take-home” via CIS/PSC.

Select answer

Upload evidence for HMRC

Model structure docs, onboarding packs

Short reason if answered N/A

Comments / Notes (Optional)

002. How do you assess and document worker employment status before using any CIS/self-employed models? — Justification: Ensures IR35 / Onshore Intermediaries Act compliance. Red Flags: No SDC/status tests; assessments not recorded.

Select answer

Upload evidence for HMRC

SDC logs, status test records, worker questionnaires

Short reason if answered N/A

Comments / Notes (Optional)

003. Are hybrid pay options introduced only after employment status review? — Justification: Prevents coercion or misclassification. Red Flags: Workers steered into CIS/self-employment without assessment.

Select answer

Upload evidence for HMRC

Workflow process, onboarding comms

Short reason if answered N/A

Comments / Notes (Optional)

004. Do you require valid UTR and VAT details for all CIS or self-employed engagements? — Justification: Ensures legitimacy of CIS arrangements. Red Flags: Missing or invalid UTR/VAT records.

Select answer

Upload evidence for HMRC

UTR/VAT logs, CIS onboarding checklist

Short reason if answered N/A

Comments / Notes (Optional)

005. Are workers ever reclassified into CIS to bypass PAYE tax/NIC deductions? — Justification: Detects disguised remuneration. Red Flags: Mid-assignment switch to CIS; reduced NICs.

Select answer

Upload evidence for HMRC

Reclassification logs, audit trail

Short reason if answered N/A

Comments / Notes (Optional)

006. Do any umbrella-employed workers also receive additional self-employed payments (e.g., expenses or commissions)? — Justification: Detects dual-payment risk. Red Flags: Workers receiving PAYE payslip + separate CIS invoice.

Select answer

Upload evidence for HMRC

Payslips, expenses/commission schedules

Short reason if answered N/A

Comments / Notes (Optional)

007. Have HMRC, clients, or compliance bodies ever raised concerns over your hybrid pay arrangements? — Justification: Identifies historic exposure. Red Flags: Prior warnings, audits, HMRC challenge letters.

Select answer

Upload evidence for HMRC

HMRC correspondence, audit findings

Short reason if answered N/A

Comments / Notes (Optional)

008. Can you confirm that no workers are steered into CIS/self-employment to inflate take-home pay? — Justification: Protects voluntary worker choice. Red Flags: Scripts or onboarding promising “higher net pay.”

Select answer

Upload evidence for HMRC

Worker declarations, recruitment scripts, training material

Short reason if answered N/A

Comments / Notes (Optional)

009. Are any hybrid or CIS arrangements promoted by external agencies on your behalf? — Justification: Ensures indirect arrangements are transparent. Red Flags: Unauthorised third-party promotions.

Select answer

Upload evidence for HMRC

Agency onboarding forms, promotional material

Short reason if answered N/A

Comments / Notes (Optional)

010. Are any hybrid models delivered by external parties or platforms on your behalf (e.g., subcontractors, payment agents)? — Justification: Prevents hidden outsourcing risk. Red Flags: Use of undeclared subcontractors/payment platforms.

Select answer

Upload evidence for HMRC

Subcontractor register, supplier contracts

Short reason if answered N/A

Comments / Notes (Optional)

011. Have your hybrid models been reviewed by external legal/tax experts for IR35, CFA 2017, and NMW compliance? — Justification: Confirms independent assurance. Red Flags: No external review, reliance only on internal judgement.

Select answer

Upload evidence for HMRC

Legal opinions, compliance review logs

Short reason if answered N/A

Comments / Notes (Optional)

Section 11 – Criminal Finances Act 2017 (CFA) Compliance

This section confirms that the umbrella has taken reasonable steps to prevent the facilitation of tax evasion as required by Section 45 of the CFA 2017.

It also evidences that a proper risk environment and response plan are in place.

Criminal Finances Act 2017 (CFA) Compliance

001. Have you conducted a risk assessment as required under Part 3 of the CFA 2017? — Justification: Required by law to evidence awareness of facilitation of tax evasion. Red Flags: No assessment; generic template not tailored to business model.

Select answer

Upload evidence for HMRC

CFA 2017 risk assessment report

Short reason if answered N/A

Comments / Notes (Optional)

002. Do you conduct annual scenario planning for future compliance risks (e.g., audit, legislative change, fraud exposure)? — Justification: Demonstrates proactive governance. Red Flags: No scenario planning; risks never updated.

Select answer

Upload evidence for HMRC

Risk register, board minutes, simulation outcomes

Short reason if answered N/A

Comments / Notes (Optional)

003. Have you mapped all roles with tax-touchpoints for CFA responsibility? — Justification: Confirms accountability for prevention procedures. Red Flags: Unclear ownership; gaps for contractors or agency staff.

Select answer

Upload evidence for HMRC

RACI chart, CFA training logs, role matrix

Short reason if answered N/A

Comments / Notes (Optional)

004. Do you have a documented CFA 2017 risk assessment in place? — Justification: Confirms structured compliance approach. Red Flags: Out-of-date document; no board review.

Select answer

Upload evidence for HMRC

Internal policy document, published version

Short reason if answered N/A

Comments / Notes (Optional)

005. Do you operate and publish a prevention policy to deter facilitation of tax evasion? — Justification: Required as part of “reasonable prevention procedures.” Red Flags: Policy not published; staff unaware.

Select answer

Upload evidence for HMRC

Prevention policy, training logs

Short reason if answered N/A

Comments / Notes (Optional)

006. Have staff received training on obligations under the CFA 2017? — Justification: Ensures staff awareness of obligations. Red Flags: Low training completion; directors excluded.

Select answer

Upload evidence for HMRC

Training records, LMS logs

Short reason if answered N/A

Comments / Notes (Optional)

007. Is there a named compliance officer or escalation route for CFA concerns? — Justification: Demonstrates clear accountability. Red Flags: No appointed officer; reliance on generic inbox only.

Select answer

Upload evidence for HMRC

Appointment letters, escalation chart

Short reason if answered N/A

Comments / Notes (Optional)

008. Have you ever disclosed a breach or near-miss under CFA 2017? If yes, provide context. — Justification: Confirms transparency. Red Flags: Repeat breaches; no remedial actions documented.

Select answer

Upload evidence for HMRC

Breach reports, HMRC correspondence

Short reason if answered N/A

Comments / Notes (Optional)

009. Is this policy reviewed at least annually or when business practices change? — Justification: Ensures policy remains current. Red Flags: No annual review; stale documents.

Select answer

Upload evidence for HMRC

Policy review logs, board minutes

Short reason if answered N/A

Comments / Notes (Optional)

010. Are all staff (including directors) trained on identifying and preventing tax evasion? — Justification: Ensures organisation-wide awareness. Red Flags: Frontline roles excluded from training.

Select answer

Upload evidence for HMRC

Training logs, signed acknowledgments

Short reason if answered N/A

Comments / Notes (Optional)

011. Do you have a whistleblowing process for reporting suspected tax evasion? — Justification: Encourages early detection. Red Flags: No hotline; no confidentiality assurance.

Select answer

Upload evidence for HMRC

Whistleblowing policy, hotline details

Short reason if answered N/A

Comments / Notes (Optional)

Section 12 – Modern Slavery

This section ensures the umbrella company meets its legal and ethical obligations under the Modern Slavery Act 2015, Criminal Finances Act 2017, and relevant GLAA standards.

Umbrella companies can play a direct or indirect role in exploitation—particularly where subcontracting chains, shared housing, bank accounts, or debt bondage practices exist.

Modern Slavery

001. Do you assess your internal operations and subcontractors for modern slavery risk? — Justification: Required under the Modern Slavery Act 2015. Red Flags: No risk mapping; reliance on boilerplate supplier declarations.

Select answer

Upload evidence for HMRC

Risk assessment logs, supply chain map

Short reason if answered N/A

Comments / Notes (Optional)

002. Are shared bank accounts, temporary housing, or debt bondage flagged as indicators in your screening? — Justification: Detects high-risk exploitation patterns. Red Flags: Workers sharing accounts/addresses; wage deductions for housing/transport.

Select answer

Upload evidence for HMRC

Screening templates, red flag matrix

Short reason if answered N/A

Comments / Notes (Optional)

003. Do you classify subcontractors or outsourced partners by risk level? — Justification: Focuses audits on high-risk suppliers. Red Flags: All suppliers rated low risk; no documented tiering.

Select answer

Upload evidence for HMRC

Supplier tiering registers, audit priorities

Short reason if answered N/A

Comments / Notes (Optional)

004. Do you request modern slavery self-assessments or policies from subcontractors? — Justification: Pushes compliance obligations down the chain. Red Flags: No supplier responses; outdated policies.

Select answer

Upload evidence for HMRC

Supplier questionnaires, policy documents

Short reason if answered N/A

Comments / Notes (Optional)

005. Do you conduct third-party or internal audits to confirm freedom from exploitation? — Justification: Strengthens assurance. Red Flags: No site visits; audits are desk-based only.

Select answer

Upload evidence for HMRC

Audit reports, site visit logs

Short reason if answered N/A

Comments / Notes (Optional)

006. Are workers interviewed directly during audits or grievance investigations? — Justification: Worker voice is essential for detection. Red Flags: No worker interviews; reliance solely on management.

Select answer

Upload evidence for HMRC

Interview notes, ACAS-style grievance records

Short reason if answered N/A

Comments / Notes (Optional)

007. Is your Modern Slavery Statement accessible and internally communicated? — Justification: Required transparency under MSA 2015. Red Flags: Statement published externally only; staff unaware.

Select answer

Upload evidence for HMRC

Internal comms, intranet links

Short reason if answered N/A

Comments / Notes (Optional)

008. Are workers and internal staff trained on identifying exploitation risks? — Justification: Ensures frontline staff awareness. Red Flags: No training completion logs.

Select answer

Upload evidence for HMRC

Training records, LMS logs

Short reason if answered N/A

Comments / Notes (Optional)

009. Are anti-exploitation clauses included in worker and subcontractor agreements? — Justification: Provides contractual enforceability. Red Flags: Contracts silent on exploitation.

Select answer

Upload evidence for HMRC

Worker contracts, subcontractor agreements

Short reason if answered N/A

Comments / Notes (Optional)

010. Do you have a whistleblowing process and escalation route for modern slavery? — Justification: Encourages safe reporting channels. Red Flags: No hotline; fear of retaliation.

Select answer

Upload evidence for HMRC

Whistleblowing policy, hotline details

Short reason if answered N/A

Comments / Notes (Optional)

011. Have you simulated or tested your response to a modern slavery incident? — Justification: Confirms operational readiness. Red Flags: No scenario testing; response untested.

Select answer

Upload evidence for HMRC

Scenario test plans, board minutes

Short reason if answered N/A

Comments / Notes (Optional)

012. Are policies reviewed annually or updated based on incidents? — Justification: Ensures continuous improvement. Red Flags: Static policies unchanged for years.

Select answer

Upload evidence for HMRC

Policy review logs, board minutes

Short reason if answered N/A

Comments / Notes (Optional)

Section 13 – Mini Umbrella Company (MUC) Fraud Controls

Mini umbrella fraud is a priority risk for HMRC.

This section ensures the umbrella does not operate or facilitate fragmentation to exploit VAT or Employment Allowance.

Mini Umbrella Company (MUC) Fraud Controls

001. Have you screened your PAYE schemes for signs of MUC risk? — Justification: Detects HMRC priority fraud risks. Red Flags: Multiple small PAYE schemes; overseas directors; high churn of short-lived companies.

Select answer

Upload evidence for HMRC

Internal MUC risk assessments, red flag checklists

Short reason if answered N/A

Comments / Notes (Optional)

002. Have you declared PAYE scheme rationale to your agency or end client? — Justification: Provides transparency and avoids suspicion of fragmentation. Red Flags: No rationale provided; agencies unaware of multiple PAYE registrations.

Select answer

Upload evidence for HMRC

PAYE scheme rationale notes, client communications

Short reason if answered N/A

Comments / Notes (Optional)

003. Do you operate multiple PAYE schemes across different companies? If yes, explain why. — Justification: Confirms legitimacy of group structure. Red Flags: Shell entities; unexplained PAYE registrations; phoenixing.

Select answer

Upload evidence for HMRC

Group structure charts, PAYE registration logs with rationale

Short reason if answered N/A

Comments / Notes (Optional)

004. Do you consolidate payrolls where possible and avoid scheme fragmentation? — Justification: Demonstrates good practice against MUC abuse. Red Flags: Artificial splitting to exploit VAT/Employment Allowance.

Select answer

Upload evidence for HMRC

Payroll system design, consolidation policy

Short reason if answered N/A

Comments / Notes (Optional)

005. Have you ever received an HMRC or agency warning about MUC links? — Justification: Identifies prior regulator attention. Red Flags: Ignored or repeated HMRC warnings; lack of corrective action.

Select answer

Upload evidence for HMRC

HMRC correspondence, agency audit reports, action logs

Short reason if answered N/A

Comments / Notes (Optional)

Section 14 – Identity, Right-to-Work & GDPR (incl. Article 30 RoPA & Processor Mapping)

This section ensures compliance with the Immigration (Restrictions on Employment) Order 2007 and UK GDPR.

It verifies that worker identity is checked correctly, employment is legal, and personal data is handled lawfully and transparently.

Identity, Right-to-Work & GDPR (incl. Article 30 RoPA & Processor Mapping)

001. Are ID checks made before work begins and documented? — Justification: Confirms compliance with Home Office rules. Red Flags: Worker starts before RTW check; incomplete ID files.

Select answer

Upload evidence for HMRC

RTW policy, completed RTW forms

Short reason if answered N/A

Comments / Notes (Optional)

002. Is photographic ID and proof of address collected and retained? — Justification: Provides audit trail and traceability. Red Flags: Shared addresses, repeated use of same documents.

Select answer

Upload evidence for HMRC

Scanned ID documents, audit logs

Short reason if answered N/A

Comments / Notes (Optional)

003. Are digital RTW checks used (IDVT/Home Office share codes)? — Justification: Confirms use of modern, compliant verification. Red Flags: Expired share codes; manual-only processes.

Select answer

Upload evidence for HMRC

IDVT screenshots, share code logs

Short reason if answered N/A

Comments / Notes (Optional)

004. Are periodic re-verifications conducted on umbrella compliance (e.g., annually)? — Justification: Ensures ongoing compliance, not one-off checks. Red Flags: No re-checks post-onboarding.

Select answer

Upload evidence for HMRC

Due diligence tracker with refresh dates

Short reason if answered N/A

Comments / Notes (Optional)

005. Are RTW checks stored for the required 2 years post-employment? — Justification: Confirms statutory record retention. Red Flags: Missing or destroyed RTW records.

Select answer

Upload evidence for HMRC

RTW retention policy, storage logs

Short reason if answered N/A

Comments / Notes (Optional)

006. Have you ever been audited or warned by Home Office for RTW non-compliance? — Justification: Identifies regulatory risk. Red Flags: Prior Home Office sanctions or warnings.

Select answer

Upload evidence for HMRC

Home Office letters, audit reports

Short reason if answered N/A

Comments / Notes (Optional)

007. Do you have a documented GDPR policy governing the use of employee data? — Justification: Ensures lawful and transparent processing of data. Red Flags: No published privacy notice; vague policies.

Select answer

Upload evidence for HMRC

GDPR policy, privacy notice

Short reason if answered N/A

Comments / Notes (Optional)

008. Do you have documented procedures for SAR, erasure, consent, etc.? — Justification: Confirms workers’ data subject rights are upheld. Red Flags: No SAR log; delayed responses.

Select answer

Upload evidence for HMRC

SAR logs, consent forms, process notes

Short reason if answered N/A

Comments / Notes (Optional)

009. Have you had an ICO investigation or data breach? — Justification: Identifies risk history. Red Flags: Repeat breaches; no remediation steps taken.

Select answer

Upload evidence for HMRC

ICO correspondence, breach log

Short reason if answered N/A

Comments / Notes (Optional)

010. Do you maintain an Article 30 Record of Processing Activities (RoPA)? — Justification: Required under UK GDPR for most employers with >250 staff, and strongly recommended for all umbrellas processing sensitive payroll/ID data. Red Flags: No RoPA; outdated/incomplete records; processors not included.

Select answer

Upload evidence for HMRC

RoPA document, system screenshots, compliance logs

Short reason if answered N/A

Comments / Notes (Optional)

011. Are all third-party processors bound by up-to-date Data Processing Agreements (DPAs)? — Justification: Confirms lawful control of personal data when using payroll/HR software, pension providers, or IDVT vendors. Red Flags: No DPAs; expired contracts; generic T&Cs only; lack of audit rights.

Select answer

Upload evidence for HMRC

Executed DPAs, contract schedules, supplier assurance records

Short reason if answered N/A

Comments / Notes (Optional)

Section 15 – Insurance & Financial Resilience

This section ensures the umbrella company has adequate insurance protection (Employers’ Liability, Public Liability, Professional Indemnity, D&O) and demonstrates financial resilience through reserves, solvency, and stress testing.

It reassures agencies and HMRC that the umbrella can meet its obligations to workers, cover statutory liabilities, and manage risks without collapsing.

Insurance & Financial Resilience

001. Do you maintain valid Employers’ Liability (EL) and Public Liability (PL) insurance? — Justification: Confirms legal cover and worker protection. Red Flags: Lapsed or insufficient cover; no policy schedule.

Select answer

Upload evidence for HMRC

Insurance policy certificates, renewal confirmations

Short reason if answered N/A

Comments / Notes (Optional)

002. Do you hold Professional Indemnity Insurance (PII) appropriate to your business size and risk? — Justification: Protects agencies/end-clients against negligence. Red Flags: No PII or inadequate limits.

Select answer

Upload evidence for HMRC

PII policy schedule, broker confirmation

Short reason if answered N/A

Comments / Notes (Optional)

003. Is your insurance cover reviewed and renewed annually? — Justification: Confirms ongoing protection. Red Flags: Expired or auto-renewed policies without review.

Select answer

Upload evidence for HMRC

Renewal notices, broker statements

Short reason if answered N/A

Comments / Notes (Optional)

004. Do you hold or plan for run-off cover if ceasing operations? — Justification: Protects against liabilities after closure. Red Flags: No run-off provision; financial exposure left open.

Select answer

Upload evidence for HMRC

Run-off policy or insurer statement

Short reason if answered N/A

Comments / Notes (Optional)

005. Do you maintain financial reserves or solvency ratios to cover statutory liabilities (holiday pay, NICs, pensions)? — Justification: Demonstrates resilience. Red Flags: No reserves; reliance on agency prepayments.

Select answer

Upload evidence for HMRC

Financial accounts, reserve policy

Short reason if answered N/A

Comments / Notes (Optional)

006. Have you conducted financial stress-testing or scenario planning (e.g., loss of key client, HMRC action)? — Justification: Confirms proactive financial governance. Red Flags: No stress testing; board unaware of financial risks.

Select answer

Upload evidence for HMRC

Stress test reports, board review minutes

Short reason if answered N/A

Comments / Notes (Optional)

007. Are directors’ and officers’ (D&O) liability insurance policies in place? — Justification: Protects senior leadership accountability. Red Flags: No D&O cover, leaving directors exposed.

Select answer

Upload evidence for HMRC

D&O insurance policy schedule

Short reason if answered N/A

Comments / Notes (Optional)

Section 16 – Cybersecurity & Payroll System Resilience

This section ensures the umbrella company has strong cybersecurity and payroll system controls in place to protect sensitive worker and client data, prevent payroll fraud, and guarantee business continuity. With HMRC submissions, BACs files, and RTW/ID records all processed digitally, robust IT governance is critical to compliance.

Demonstrating resilience against cyber-attacks, system outages, and data loss is now a core expectation for agencies and regulators.

Cybersecurity & Payroll System Resilience

001. Do payroll systems use encryption and secure authentication (e.g., 2FA)? — Justification: Protects sensitive worker data. Red Flags: No 2FA; passwords shared; unencrypted payroll files.

Select answer

Upload evidence for HMRC

System security settings, IT policy, screenshots

Short reason if answered N/A

Comments / Notes (Optional)

002. Are payroll and HR systems subject to regular penetration testing or IT security audits? — Justification: Confirms resilience to attack. Red Flags: No pen tests; reliance on supplier assurances only.

Select answer

Upload evidence for HMRC

Pen test reports, IT audit results, supplier assurance statements

Short reason if answered N/A

Comments / Notes (Optional)

003. Is there a documented disaster recovery (DR) and business continuity plan (BCP) covering payroll systems? — Justification: Ensures continuity of worker pay. Red Flags: No DR/BCP; untested backup systems.

Select answer

Upload evidence for HMRC

DR/BCP policies, test logs, board minutes

Short reason if answered N/A

Comments / Notes (Optional)

004. Are payroll backups carried out securely and tested regularly? — Justification: Confirms data recoverability. Red Flags: No backup schedule; untested restores.

Select answer

Upload evidence for HMRC

Backup logs, IT testing reports

Short reason if answered N/A

Comments / Notes (Optional)

005. Do you have a process for managing cyber incidents (e.g., ransomware, phishing)? — Justification: Ensures timely detection and response. Red Flags: No incident response plan; prior breaches unreported.

Select answer

Upload evidence for HMRC

Cyber incident policy, breach logs

Short reason if answered N/A

Comments / Notes (Optional)

006. Are third-party payroll or software providers subject to security due diligence? — Justification: Confirms supply chain resilience. Red Flags: No vendor IT checks; reliance on marketing claims only.

Select answer

Upload evidence for HMRC

Supplier contracts, security review records

Short reason if answered N/A

Comments / Notes (Optional)

007. Have staff handling payroll received cybersecurity awareness training? — Justification: Reduces insider risk. Red Flags: No training logs; phishing tests failed repeatedly.

Select answer

Upload evidence for HMRC

Training logs, LMS records

Short reason if answered N/A

Comments / Notes (Optional)

008. Have you experienced any cyber or data security incidents affecting payroll in the last 3 years? — Justification: Identifies operational risk history. Red Flags: Repeat incidents; no remedial action.

Select answer

Upload evidence for HMRC

Incident logs, ICO/HMRC correspondence

Short reason if answered N/A

Comments / Notes (Optional)

Section 17 – Employment Intermediary Reporting Compliance (EIRR)

Compliance with quarterly reporting of all non-direct PAYE workers is a legal requirement under ITEPA 2014.

This ensures transparency and prevents disguised remuneration.

Employment Intermediary Reporting Compliance (EIRR)

001. Do you submit quarterly employment intermediary reports (EIRRs) to HMRC? — Justification: Legal requirement under ITEPA 2014. Red Flags: Reports late or missing; discrepancies with RTI data.

Select answer

Upload evidence for HMRC

HMRC submission confirmations, EIRR tracking logs

Short reason if answered N/A

Comments / Notes (Optional)

002. Can you provide evidence of your most recent EIRR submission? — Justification: Confirms audit readiness and transparency. Red Flags: No retained copy; HMRC chaser letters.

Select answer

Upload evidence for HMRC

Screenshot or copy of latest EIRR file/report

Short reason if answered N/A

Comments / Notes (Optional)

003. Do you verify the accuracy of reported data (e.g., UTRs, NINOs)? — Justification: Ensures HMRC reporting integrity. Red Flags: Invalid UTRs; incomplete or mismatched NI numbers; incorrect worker data.

Select answer

Upload evidence for HMRC

Validation procedures, QA logs, verification reports

Short reason if answered N/A

Comments / Notes (Optional)

Section 18 – 2026 Joint & Several Liability (JSL) Readiness

This section assesses how well the umbrella company is prepared for the 2026 legislative changes introducing Joint & Several Liability (JSL). It confirms that internal processes, contracts, governance, and stakeholder awareness are in place to avoid liability transfer from agencies or clients.

HMRC will expect defensible controls against disguised employment, mini umbrella misuse, outsourcing chains, and tax irregularities.

2026 Joint & Several Liability (JSL) Readiness

001. Have you audited your payroll processes and payslip outputs within the last 12 months to ensure PAYE/NIC compliance and no disguised remuneration? — Justification: Confirms readiness for JSL regime. Red Flags: No payroll audit; anomalies unresolved.

Select answer

Upload evidence for HMRC

Payslip samples, variance reports, audit logs

Short reason if answered N/A

Comments / Notes (Optional)

002. Do you have a formal process for identifying unusual take-home pay anomalies? — Justification: Supports proactive fraud detection. Red Flags: No exception reporting; reliance only on complaints.

Select answer

Upload evidence for HMRC

Payroll exception reports, audit triggers

Short reason if answered N/A

Comments / Notes (Optional)

003. Are you the legal employer listed on payslips and the named BACs payer for all workers? — Justification: Ensures legal employer accountability. Red Flags: Third-party payer; mismatched employer names.

Select answer

Upload evidence for HMRC

Payslips, BACs exports, payroll records

Short reason if answered N/A

Comments / Notes (Optional)

004. Do you subcontract any part of payroll or worker engagement, and is this declared/contracted? — Justification: Provides transparency of subcontracting. Red Flags: Hidden providers; no contracts in place.

Select answer

Upload evidence for HMRC

Supplier contracts, SLA documents

Short reason if answered N/A

Comments / Notes (Optional)

005. Do your contracts include JSL clauses (indemnities, breach reporting, change notification duties)? — Justification: Ensures legal preparedness. Red Flags: Contracts silent on JSL obligations.

Select answer

Upload evidence for HMRC

Contract templates, legal memos, policy notes

Short reason if answered N/A

Comments / Notes (Optional)

006. Do you maintain a central mapping of all engaged workers confirming their legal employer entity? — Justification: Prevents ghost employment. Red Flags: No worker mapping; mismatched entities.

Select answer

Upload evidence for HMRC

Master payroll spreadsheets, onboarding logs

Short reason if answered N/A

Comments / Notes (Optional)

007. Have you conducted a JSL-specific risk assessment on your business model? — Justification: Demonstrates governance. Red Flags: No JSL assessment; board not engaged.

Select answer

Upload evidence for HMRC

Risk assessment reports, board review minutes

Short reason if answered N/A

Comments / Notes (Optional)

008. Do you log and investigate anomalies in worker pay (shortfalls, missing NICs, underpaid holiday)? — Justification: Identifies issues that could trigger liability. Red Flags: Repeated anomalies not addressed.

Select answer

Upload evidence for HMRC

Error logs, QA reports, complaints analysis

Short reason if answered N/A

Comments / Notes (Optional)

009. Is there a defined internal escalation route for compliance concerns or payroll law breaches? — Justification: Confirms governance readiness. Red Flags: No escalation SOP; unclear ownership.

Select answer

Upload evidence for HMRC

Escalation SOPs, organisation charts

Short reason if answered N/A

Comments / Notes (Optional)

010. Have directors and operational leads received a briefing on upcoming JSL responsibilities? — Justification: Ensures leadership accountability. Red Flags: No training; no board minutes evidencing awareness.

Select answer

Upload evidence for HMRC

Training attendance logs, board packs

Short reason if answered N/A

Comments / Notes (Optional)

011. Have you reviewed your umbrella model against JSL risks (mini umbrella exposure, split payrolls, disguised employment)? — Justification: Confirms proactive model review. Red Flags: No review carried out; reliance only on supplier assurances.

Select answer

Upload evidence for HMRC

Internal audit reports, structure maps, scheme reviews

Short reason if answered N/A

Comments / Notes (Optional)

Section 19 – Final Declaration and Signoff

This section formalises the audit submission. It evidences audit readiness, authorisation to sign, and intention to maintain ongoing compliance.

Final Declaration and Agency Signoff

I, the undersigned, hereby declare on behalf of [Umbrella Company Name] that:

1) The information provided in this Umbrella PAYE Self-Audit is complete, accurate, and reflects current operating practices.

2) I acknowledge that this audit covers statutory obligations including PAYE/NIC, VAT, Employment Rights, Modern Slavery Act 2015, Criminal Finances Act 2017, GDPR, and related compliance requirements.

3) I understand that this information may be shared with HMRC, enforcement agencies, or compliance bodies as required.

4) I agree to notify the engaging agency and/or end-hirer immediately of any material changes that affect compliance status.

5) I recognise that providing false, misleading, or incomplete information may constitute fraud and could give rise to civil or criminal liability.

6) I confirm that the umbrella has considered the forthcoming Joint & Several Liability (JSL) provisions effective April 2026, and that governance measures and contractual safeguards are in place to prepare for compliance.

7) This declaration will be reviewed at least annually, or earlier if business practices or relevant legislation change.