The contractual process and recommended steps to take

Information on how to incorporate principles of robust assurance throughout the key stages of a typical contracting process.

Taking the key stages of a typical contracting process, this section aims to help businesses consider how to incorporate the principles of robust assurance. This is relevant to various teams in businesses including:

  • procurement teams
  • HR and finance teams
  • tax teams

Designing your contract

Design contracts that:

  • simplify supply chains and enable you to assure your whole chain effectively to minimise risk
  • give you the means to check if suppliers are compliant with your contract throughout its duration

You will need to have sufficient knowledge about your chain and workforce to verify information.

If you do not currently have systems and processes to get information about all businesses and workers in your chains directly, and it is not practical to do this, it is particularly important to ensure your contractual terms contain what you need to assure yourself of the chains’ integrity.

You also need to think about how you will verify that your supplier is compliant. For example, if your terms include that your supplier must provide information about the chain and workers, you should do sample checks independently on those businesses and some workers to verify this.

Examples of what to include in your contracts

Terms and conditions and contractual requirements for supplier’s specific tax conditions and assurance requirements that apply to both the supplier and all sub-contractors they engage.

This could include:

  • requirement that workers must be employed and PAYE operated correctly
  • specific requirements to undertake checks on businesses below and the workforce
  • restrictions to onward sub-contracting by your supplier and any sub-contractors they engage — for example, sub-contracting only on your approval, limiting tiers in a chain

Sharing information about the chain. This should include requirements to provide information to you on request such as:

  • the key details of businesses sub-contracted by your supplier
  • the key details of any and all further businesses in the chain created by your suppliers’ sub-contracting arrangements as required
  • when there are changes to these details
  • information you need to support your compliance with legal or regulatory requirements
  • demonstrating a suppliers or chains compliance with such requirements — you require sub-contractors to provide information about how all workers are engaged so you can keep your key information documents updated, if you are an employment business

Upward reporting requires all businesses to have a contractual requirement to report key information ‘up’ to you through the chain. For example:

  • you should include the supplier’s responsibility for including this requirement in all onward sub-contracting arrangements
  • it could also be reflected in a supplier code of conduct which your supplier is responsible for replicating with its’ sub-contractors, and their onward sub-contractors — if your contract allows extended sub-contracting
  • you should make sure you have systems and processes in place to record and maintain the information provided

Key information might include:

  • sub-contractor details — company name, registration number and VAT registration number
  • confirmation of the employing business — the business paying the workers
  • confirmation of Income Tax and National Insurance contributions arrangements, including the details of any outsourced payroll provider
  • number of workers engaged to work on your contract by each employing business
  • details of any changes to businesses within the chain

Clear, enforceable consequences for suppliers who fail to comply with your requirements.

Supplier code of conduct and worker engagement

If you have a code of conduct for your supplier, consider contractually requiring your supplier to apply this to onward sub-contractors as well. Think about how you will check, verify, and enforce your supplier’s compliance with this.

Code of conduct requirements or minimum standards that might be applied across the chain are:

  • how workers must be engaged for example, on payroll, compliant with National Minimum Wage
  • tax compliance, with a requirement to provide evidence of this on request
  • health and safety and other regulatory assurances for example, Security Industry Authority approved businesses for security workforces
  • record keeping and data retention reporting requirements — this could include evidence of tax compliance, and specific information sharing requirements — such as upward reporting

Pre-contract

Consider :

  • the employment status of the workers you want to source and how they will be engaged — refer to guidance for example, on employment status and employment intermediaries use HMRC’s Check employment status for tax (CEST) to support this
  • directly engaging the workforce
  • any specialist information you might need — such as licence and accreditation requirements

Due diligence

Ensure your processes give you sufficient information for your supplier selection.

If you use a pre-qualification system provided by a third party, find out what due diligence is included and if the information provided by suppliers is verified.

Keep records of the due diligence you’ve undertaken.

Risk assessment

Consider potential risks that could be associated with how your workers will be engaged and any chain of businesses between you and them.

Be aware of potential risk indicators when selecting suppliers including:

  • unknown companies, entities and individuals making approaches directly to offer supply
  • new companies with limited trading history, where the service description is not associated with the supply required
  • new companies where the registered address, size and experience of the business does not correspond with the service offered
  • companies that have changed their name frequently or where directors have a history of failed businesses
  • the price seems  ‘too good to be true’ — considering the market rate
  • marketing includes promises of tax savings and minimal tax

Risk management

Considering your risk assessment, decide what you need to have in place to mitigate and reduce the likelihood and potential impact of risk.

This should include:

  • preventative measures
  • planning the frequency of reviews and what information you will need to do these, such as what to include in your due diligence during the contract
  • reporting and enforcement procedures, whether these will be your standard ones or if bespoke processes are needed — for example, where the workforce is subject to regulatory requirements

During the contract

Monitor and review

Monitor and review your existing supply chains regularly throughout the duration of the contract to inform your risk assessment.

Consider if your assurance practices are still giving you confidence in the integrity of your chains. For example, if you need any additional information.

You must:

  • be vigilant for changes within your supply chains
  • ensure that data about your chains is being recorded, updated, and used effectively throughout the contract
  • consider if you have sufficient information to assure your chains — for example, do you need specific information about the workforce or engagement arrangements that you do not currently have

The process for reviewing your chains should include:

  • getting up to date information about your chains and the workforce, including who pays the workers
  • assessing risk and updating your records
  • taking appropriate action to address and manage risks

In addition to your planned timetable of reviews, respond to key events that should prompt a review of your chains and practices.

More information can be found in the ‘Monitor and review’ section of the Recommended approach to assurance area of these guidelines.

Due diligence

Refresh your information about the structure of your chains, the businesses within them and your workforce frequently.

Know who is in your chain, how your workforce is engaged, how and what they are paid and who pays them.

You should ensure that data about your chains is recorded, updated and used effectively throughout the contract and:

  • record details of businesses your supplier contracts with
  • use HMRC’s VAT checker to regularly check the VAT registration status of all businesses in your chain — this can be done in bulk
  • use Companies House to set up reports that flag when a company’s details change — such as directorship
  • record key information document (KID)  data — if you are an employment business
  • record workers details and how they are engaged, who pays them, including where this only relates to a sample of the workforce
  • update the information when any of these details change

Where you do not undertake due diligence across your whole chain directly and manage your assurance through your direct supplier:

  • check and verify your supplier’s compliance with all terms and conditions and code of conduct
  • verify information about any onward subcontractors — for example, run sample checks on the businesses your supplier has told you they use
  • run sample checks on workforce information for example verify what you can — payslips, site attendance records, site visits
  • review relevant information available through other areas of risk management — for example, health and safety records of mandatory training or site-attendance

Where possible:

  • include payslips obtained from a sample of workers
  • select your own sample, rather than a sample provided by your supplier
  • use the umbrella company pay tool to check the information on the payslips

More information can be found in the ‘Due diligence’ section of the Recommended approach to assurance area of these guidelines.

Risk assessment

Use the information you have about your chains to assess the presence of risk, the likelihood of risk and the impact it could have on your business, particularly where there have been changes to suppliers or contractual engagement of workers.

Consider your own ongoing tax compliance. For example:

  • self-billing arrangements with suppliers
  • status determination statements as an end-user
  • compliance with Income Tax and National Insurance contributions rules for example as an agency
  • making payments within the Construction Industry Scheme

Assess if the behaviour and compliance of other businesses may expose you to risks. For example:

  • potential connection to tax fraud or tax avoidance by a person or business in your chain
  • reputational damage through association with tax risks, operational disruption, and risks to workers

You should update your risk assessment and keep records of any action you take.

You can find more useful information and examples in the ‘Risk assessment’ section of the Recommended approach to assurance area of these guidelines.

Risk management

Consider what you have already put in place to manage risk at the start of the contract and update this to include how you are responding to your recent risk assessment.

These actions support effective risk management

Signpost workers to guidance on GOV.UK. For example:

  • if they work for umbrella companies, tax avoidance schemes — using the HMRC app to check the Income Tax and National Insurance contributions records give workers opportunities to report concerns to you — for example, consider access to your whistle-blowing or grievance and complaints policies
  • act on concerns about risk promptly
  • work with your direct supplier, where appropriate, to address and mitigate risks
  • file a suspicious activity report to meet anti-money laundering requirements
  • report suspected fraud, evasion or avoidance schemes to HMRC

After you have taken action to address a risk you should review your practices and consider whether you need to introduce changes to reduce the likelihood of further risks arising.