Help with labour supply chain assurance — GfC12

Recommended approach to assurance

Information on principles and activities that businesses can use to help strengthen their supply chain assurance practices, including practical examples of checks that can be done as part of due diligence processes, and information that can be used to inform risk assessments.

Your business will already have assurance practices in place to help you identify, assess and manage various risks across your supply chains.

HMRC recommends you review these and consider strengthening them. For example, consider adapting them to give you improved information about your labour supply chains (the businesses in them and the workforce they engage).

The diversity, scale and complexity of a larger business’s operations and supply chains mean each business must decide what to do, to assure itself of the ongoing integrity of its LSCs.

Key messages to be aware of are:

• know the businesses that make up your supply chains, and how the workforce is engaged and paid
• review your entire supply chains regularly to assess and manage the risks you could be exposed to
• consider how you could design future contracts and simplify supply chains to minimise risk
• robust supply chain assurance can provide long-term value, build supply chain resilience, and attract and retain contracts and investors

The guiding principles of robust supply chain assurance

Supply chain assurance is an ongoing cycle, involving the following activities:

• due diligence
• risk assessment
• risk management
• monitor and review

The cycle is supported by:

• senior commitment
• communication and training
• integration with other risk management

Due diligence

Due diligence is defined as the appropriate reasonable care a business uses when entering trading relationships or contracts with other businesses. It involves checking information about those businesses.

Your business is connected to all other businesses within a supply chain through transactions and robust due diligence increases your knowledge when making judgements and decisions about these.

It is a business’s responsibility to determine what checks to make and what action to take, considering the information it has about its own supply chains.

Where you contract your supplier to undertake due diligence on the chain below, your checks should provide you with information that assures you of your suppliers’ contractual compliance and the integrity of the chain.

Checking only your ‘immediate’ suppliers and customers will not necessarily be enough to make sound judgements on the integrity of your supply chains, potentially leaving your business exposed.

You should:

• get the information you need to understand how your chain operates and assess potential and find actual risks — this is important before and during the contract
• repeat regularly during the contract, adapting your checks and actions as appropriate
• verify information you gather, particularly when given by other people, as far as possible
• keep records of the steps you have taken to inform your decisions about supply chains and associated transactions
• act on what the information tells you, risk management practices

Examples of checks you can make as part of your due diligence

Understanding your suppliers — any supplier in your chain

These are examples of some of the recommended checks that can provide you with key information to assess risks.

These apply whether you are:

• completing your own due diligence on your chains and the workforce
• seeking assurance that your suppliers meet your due diligence requirements on their suppliers, any chain below, and workforce

Examples of checks may include:

• business credentials — actively trading, directorship, trade matches services to be supplied
• google search — online commercial presence
• financial and insurance credentials
• price quoted compared to market rate
• contractual conditions that are in place relating to supply chains, assurance, tax compliance and sub-contracting
• licence and accreditation status for example, security supply, food production
• tax status relating to VAT and the Construction Industry Scheme (CIS)
• payroll arrangements
• key information documents (KIDs)

Verify what you can by reviewing:

• Companies House directorships, previous business failures — bankruptcies
• timesheets, site records — expected numbers of workers, type of activity provided by the supplier
• pay deductions in line with National Minimum Wage and Income Tax and National Insurance contributions requirements
• deductions for accommodation, transport, loans and other non-taxable amounts
• PAYE reference number is appropriate for supplier — where available
• GOV.UK tools, including the:
  • VAT checker to check the names match and they are registered
  • Check employment status for tax (CEST) status
  • CIS online service
• Security Industry Authority (SIA), Gangmasters and Labour Abuse Authority (GLAA) licence and accreditation confirmation
• compliance with contractual requirements
• accounts
• HMRC’s published lists — defaulters and scheme promoters
• evidence of PAYE and VAT returns to HMRC — where requested and provided

Understanding your supply chain

Examples of checks include:

• chain length — how many businesses sit between you and the workforce
• supplier’s compliance with contractual terms and conditions, code of conduct
• credentials of businesses your direct supplier has sub-contracted
• who provides the workforce for example, are workers providing services through an intermediary
• who pays the workforce — if this is different or the workforce is not employed
• quality of work

Verify what you can by reviewing:

• copies of contracts for example your direct suppliers’ contract with sub-contractors to check if your requirements are being met
• evidence of sub-contractor compliance
• payslips and KIDs

See the ‘Understanding your suppliers — any supplier in your chain’ section for checking and verifying business credentials.

Understanding your workforce

Examples of checks include:

• records of workers contracted
• payslip information
• contracts
• site visits or records — attendance records

Examples of information from other internal records include:

• complaints
• health and safety records
• training records
• quality of work

Verify what you can by reviewing the:

• umbrella company pay tool on GOV.UK
• employer named on payslips
• deductions in line with National Minimum Wage and Income Tax and National Insurance contributions requirements
• deductions for accommodation, transport, loans and other non-taxable amounts
• employing business credentials — see the ‘Understanding your suppliers — any supplier in your chain’ section
• timesheets
• worker records, KIDs — where available
• employment status — CEST and off-payroll working determination statements
• nationality, National Insurance number, ID — where available

Check supply chain due diligence principles to find our more information on labour supply chain due diligence and examples of checks you can make.

Risk assessment

To assess risk effectively, you need to understand:

• the labour supply chain risks that may be present in your chains
• the potential implications and impact of those risks for your business
• what indicators of risk you should look for.

This also applies to your supplier-selection process before awarding a contract.

Use the information, from due diligence checks and other sources, to identify and assess multiple LSC risks at the same time, throughout the contract.

For example, checking businesses who employ the workforce can inform your risk assessment of tax fraud, avoidance and the application of rules such as off-payroll working, as well as health and safety, modern slavery policies and other regulatory requirements.

Examples of information about your LSCs that can help with risk assessment

This is not a checklist but provides some examples of how information from your due diligence checks and other sources can be used to assess multiple labour supply chain risks simultaneously.

Online tools that you can use to check information about your supply chain include:

• the UK VAT registration tool — checks can be done in bulk
• the Check employment status for tax (CEST)
• the CIS online service
• the umbrella company pay tool
• Companies House
• the published list of defaulters
• the published list of promoters (avoidance schemes)

VAT registration status information of your direct suppliers and other businesses in your chain

Risks that VAT registration status information can help you assess are:

• self-billing arrangements — ensuring your VAT treatment is correct throughout the contract
• VAT fraud — assessing if your transactions could be connected
• other fraud and avoidance risks — VAT risks can be present alongside other risks within fraud and avoidance models

Potential risk indicators are:

• a business name does not match the GOV.UK VAT checker tool
• a VETO letter — notification of de-registration
• a tax loss letter
• an invalid VAT registration number (where there is no trace on the GOV.UK VAT checker tool)
• not being VAT registered but VAT being charge on invoice

CIS status information

The risks that CIS status information can help you assess are:

• ensuring you are treating payments to sub-contractors correctly throughout the contract
• employment status
• fraud, as CIS risks can be present alongside other risks within fraud models

Potential risk indicators are:

• the notification of change of status from HMRC
• a status has changed on the CIS online service

Details of suppliers in the chain and the number of tiers

Information that is helpful to have:

• business name, company registration number, VAT registration number
• directorship
• business address
• accreditation, licence compliance
• complaints — made to your business
• health and safety records for example, site attendance, training, incidents
• site visits and records
• copies of contracts — supplier, sub-contractors and worker

This will help you assess the following risks:

• fraud, including organised labour fraud — assessing if your transactions could be connected
• disguised remuneration and avoidance schemes — assessing if you could be associated
• credibility, reliability — assessing sustainability of labour provision, work quality, compliance with regulatory requirements such as landfill tax and waste disposal
• health and safety risks

Potential risk indicators are:

• more tiers between you and the workforce than expected
• unknown suppliers in your chain
• chains that seem long for no clear commercial reason
• profit margins seem unrealistic given number of tiers in the chain
• multiple layers of umbrella companies
• supplier is reluctant or unable to provide information
• change of bank details
• change of directorship, multiple directorships, previous failures, bankruptcies
• change of business name — subtle changes — similar names
• business address on Companies House is registered as Companies House
• prices seems ‘too good to be true’
• payment requests received from third party or offshore entities
• new companies with limited trading history or where the service description is not associated with the supply required
• supplier insolvency where new supplier continues supply of same workforce below
• commercial feasibility or credibility of supply — particularly by smaller or newer businesses with new high-volume supply

Details about the businesses employing and paying the workers

Information that is helpful to have:

• business name, company registration number
• directorship
• business address
• number of businesses employing the workforce
• accreditation and licence information

This will help you assess the following risks:

• fraud, including organised labour fraud — assessing if your transactions could be connected
• disguised remuneration avoidance schemes — assessing if you could be associated
• credibility, reliability — assessing sustainability of labour provision, work quality, compliance with regulatory requirements such as landfill tax and waste disposal
• health and safety risks
• illegal workers
• labour abuse and exploitation

Potential risk indicators are:

• changes to who is employing and engaging the same workforce — particularly after insolvency of the previous employing business
• extensive use of umbrella companies
• no online presence
• non-compliance with regulatory requirements
• not accredited or licensed — for example, SIA and GLAA
• new company registration
• multiple small businesses employing the workforce
• trade description does not match supply
• volume of supply required does not seem manageable
• multiple directorships
• changes to directorship (such as UK to foreign national)
• history of dissolved businesses
• overseas directors

Pay details and arrangements for the workforce

Information that is helpful to have:

• employment status
• contract details
• payslip information — check against the umbrella company pay tool
• key information documents — employment businesses and umbrella companies
• evidence of compliance with PAYE scheme — if contractually required

This will help you assess the following risks:

• correct application of the off-payroll working rules
• ensuring what your responsibility is (if any) for calculations, deductions and payment to HMRC relating to employment status, Income Tax, National Insurance contributions and the apprenticeship levy — for example, where payment arrangements might affect your responsibility or possible liability for associated tax losses
• fraud, including organised labour fraud — assessing if your transactions could be connected
• disguised remuneration, avoidance schemes-assessing if you could be associated
• off-record workers — such as illegal workers

Potential risk indicators are:

• gaps between worker numbers, details, timesheets and payslips
• non-taxable payments
• employer, company name does not match your information or the key information document
• pay does not reflect agreed rates
• net pay is more than the umbrella company pay tool
• Income Tax, National Insurance contributions deductions have not been made or seem understated
• discrepancies between payslips obtained from worker and the employing business
• discrepancies in the key information document

Other information about your supply chain

These include:

• complaints you receive
• training records
• quality of work
• site and work records
• audit reports

This will help you assess the following risks:

• health and safety risks
• compliance with other regulatory requirements

Risks of labour abuse and exploitation including:

• pay below National Minimum Wage
• illegal workers
• modern slavery

Potential risk indicators are:

• frequent changes to workforce
• missing National Insurance number information
• concerns over work quality gaps between worker details you hold and work records — site records, training records

Risk management

Managing risk includes deciding how to mitigate and reduce the likelihood of potential risks as well as addressing suspected or confirmed risks.

When you have assessed the potential risks presented by your chain and the likely impact of these on your business, decide what action is reasonable for you to take to reduce the likelihood of them happening. This will include considering the cost to the business of taking preventative or mitigating measures, and the potential cost to the business if the risk resulted in significant impact.

If you have identified a current risk, decide what action to take to address the risk and reduce reoccurrence.

Preventing and reducing the likelihood of risk

Good practices include measures that can help to prevent risk.

Where supply chains may be more complex and harder to monitor and prevent risk in real time, aim to limit the impact of any risks found.

For example:

• make sure that your contracts enable you to manage risks in your chain effectively, including assuring your direct supplier’s compliance with your requirements
• make sure that your systems and processes give you sufficient information to identify and report risk quickly

Enforcement procedures — addressing risk

Procedures that enable you to address an identified risk quickly and effectively can reduce the amount of money diverted through non-compliance within a chain. This also minimises the potential financial and reputational implications for your business.

For example:

• ensure you have visible reporting procedures internally and externally
• have enforcement procedures that enable you to take effective action for example, clear and enforceable terms and conditions in contracts

Monitor and review

Changes to supply chains during the contract can be a key risk indicator for multiple labour supply chain risks — for example, frequent changes to businesses in the chain.

Changes can happen due to genuine commercial reasons but can also be hallmarks of supply chain fraud models, tax avoidance and other risks.

Reviewing your chains

Monitoring your chains includes having systems and processes to record and report on, information about your chains during the contract, including any changes.

Reviewing your labour supply chains throughout the contract helps you to:

• ensure your own ongoing tax compliance
• assess if the behaviour and compliance of other businesses may expose you to risks
• take prompt action to reduce the risk of potential financial and reputational damage

Businesses might consider involving internal or external audit functions to contribute to, or undertake, periodic reviews of the integrity of the chains.

Reviewing your practices

Regularly review your businesses’ assurance policies and practices to support your ongoing effective assessment and management of risk.

Your policies and practices relating to supply chain management should include how frequently your business will undertake due diligence on a chain during a contract and what information is needed. This might differ across types of contracts and supply chains.

Key events

In addition to your timetable of planned reviews during contracts, there are other key events that should prompt you to review your supply chains and practices. They are:

• an identified risk — self-identified or notified by HMRC, a customer, supplier, or worker
• an identified gap in practices
• a change of supplier — anywhere in the chain
• information from other sources that may indicate or help mitigate supply chain risk for example audit findings, off-payroll working rule reviews, complaints
• changes to workforce requirements for example demand pressures, contract types
• changes to legislation
• changes to internal policies, governance, systems, processes that affect supply chain management
• a new procurement or contract opportunity
• a forthcoming acquisition and merger

Senior commitment

This underpins assurance practices and policies, ensuring there is oversight and accountability, particularly where changes may have cost and resource implications internally or across different departments. This might include the board commissioning, endorsing and reviewing appropriate policies relating to labour supply chains.

Communication and training

Ensure staff training includes risk indicators and that key messages about assurance practices, reporting procedures and policies are communicated internally and externally where appropriate. This should also include awareness of where there are associated legal requirements and implications.

Training should deliver outcomes that support the business to identify, report and enforce risks. For example, it supports: 

• raising awareness of risks internally — finance, audit and procurement teams are aware of risk indicators
• making sure front-line staff know what to look for — staff on site, staff doing site visits, staff in contact with workers

Integration with other risk management

Relevant business risk management practices are strengthened by integrating information across multiple areas, supporting robust assurance. Examples of areas of information include:

• tax compliance information
• HR, payroll and finance information
• health and safety
• audit
• regulatory requirements
• modern slavery and other corporate reporting requirements around supply chains