Construction 17 April 2026 7 min read

Subcontractor Management and CIS Compliance: What Software Needs to Handle

UK contractors must verify every subcontractor with HMRC under the Construction Industry Scheme before making a first payment, track insurance certificates that expire mid-project, maintain CSCS card records for every operative on site, and retain version-controlled RAMS documents per task. Most project management software handles some of this. None handles all of it without either gaps or add-on tools. This article covers the specific compliance requirements and what a complete subcontractor management system needs to do.

CIS: what verification actually requires

Under the Construction Industry Scheme (HMRC publication CIS340), contractors must verify every subcontractor with HMRC before making the first payment under each contract. The information required for verification is:

  • Subcontractor's full name
  • Unique Taxpayer Reference (UTR)
  • National Insurance number

Verification is done online through the HMRC business tax account or by phone (0300 200 3210). HMRC returns a verification reference number which must be recorded and retained as proof. The verification outcome determines the deduction rate:

  • 0% — subcontractor holds Gross Payment Status (GPS)
  • 20% — subcontractor is registered for CIS but does not hold GPS
  • 30% — subcontractor is not registered for CIS or cannot be verified

Re-verification is required if a subcontractor has not been included on a CIS return in the current or previous two tax years. For contractors using multiple subcontractors across projects over several years, managing which subcontractors need re-verification before each new engagement is a real administrative burden without software support.

Applying the wrong deduction rate is a liability. If a contractor pays a subcontractor at 0% or 20% when the correct rate is 30% — for example, because they relied on a previous verification without checking whether re-verification was required — the contractor is liable for the underpaid deduction. The deduction is the contractor's obligation to pay to HMRC, not the subcontractor's.

Software that handles CIS automatically

Several accounting and payroll platforms can connect to HMRC to verify CIS status and apply deductions automatically:

  • Xero — real-time CIS deduction calculation on invoices and bills; advanced CIS add-on for subcontractor verification and automatic validation of tax status with HMRC
  • QuickBooks UK — automatic deduction calculations and direct filing of CIS returns to HMRC
  • Clear Books — verifies subcontractor status with HMRC, auto-calculates deduction rate, auto-generates monthly CIS300 returns
  • Nomi — verification workflow, CIS payslips and certificates, full subcontractor management

These tools handle the tax mechanics. They do not typically handle the non-financial compliance elements — insurance certificates, CSCS cards, RAMS — which sit in a different category.

Insurance certificate management

Contractors operating under most main contractor or client agreements must ensure every subcontractor maintains minimum insurance levels. The two statutory and contractual requirements are:

  • Employers' Liability Insurance (ELI) — statutory requirement with a minimum £5 million cover. HSE can issue daily fines of £2,500 for periods where ELI cover lapses.
  • Public Liability Insurance (PLI) — required by most contracts at levels between £1 million and £10 million depending on the client and project type.

The failure mode is predictable: a subcontractor's ELI renews in March. The certificate in the contractor's records shows the previous year's policy. No one notices the expiry until an HSE visit or a RAMS audit. A 30-day pre-expiry alert from a document management system catches this; a folder of scanned certificates reviewed manually once a year does not.

Software that handles this must: store a scanned or PDF certificate per subcontractor, extract or allow manual entry of the expiry date, and send alerts at 30, 14, and 7 days before expiry. Ideally, it should block that subcontractor from being assigned to new work if their insurance is expired or within 14 days of expiry.

CSCS card management

CSCS (Construction Skills Certification Scheme) cards are not legally mandatory but are required for site access by virtually all main contractors and public-sector clients. The card colour indicates the holder's qualification level:

  • Green — labourer (CSCS Labourer card)
  • Blue — skilled worker
  • Gold — advanced craft or supervisory
  • Black — management
  • White — professionally qualified

For contractors managing multiple subcontractors with variable workforce compositions, the compliance task is ensuring every operative on each site has a valid CSCS card at the correct grade for their role. Cards expire and must be renewed. Workers who arrive at a gate with an expired card are turned away — which creates both a programme delay and a reputational problem with the client.

Software that manages this needs: a per-operative CSCS record linked to each subcontractor, automated expiry tracking, site-specific access requirements (role level required per site), and flagging of operatives whose cards are expired or about to expire.

RAMS document control

Under CDM 2015 Regulation 8, principal contractors must verify subcontractor competence before work starts. In practice, this means obtaining Risk Assessments and Method Statements (RAMS) from each subcontractor for each task type before work begins.

The common failures in RAMS management are:

  • Generic RAMS submitted — the subcontractor provides a document that describes the task type generally rather than the specific conditions on this project. On a CDM inspection, a generic RAMS without project-specific adaptation is often inadequate.
  • No version control — the RAMS submitted at tender is not the same as the one used on site, but there is no record of which version was current at any given time.
  • No link to incidents — if a defect or accident occurs, the relevant RAMS should be immediately retrievable. In systems where RAMS are stored as email attachments or in an unstructured folder, this retrieval is slow and sometimes impossible.

Software needs: a RAMS library per subcontractor and task type with version control, a mandatory project-specific adaptation requirement (the generic template must be reviewed and confirmed as project-specific before approval), and an audit trail linking each approved RAMS to the project, date, and approving manager.

The case for a unified subcontractor compliance system

CIS verification sits in the accounting platform. Insurance and CSCS cards sit in a document management system or a spreadsheet. RAMS sit in email or a shared folder. For a contractor managing 20–30 active subcontractors across multiple live projects, this fragmentation means compliance depends on individual vigilance rather than system alerts — which is how compliance gaps happen.

A unified system that holds CIS status, insurance certificates with expiry alerts, CSCS card records, and RAMS documents in a single searchable database per subcontractor, integrated with the project management and accounting tools, eliminates the most common failure modes. No single off-the-shelf construction platform covers all of this out of the box. The combination of Xero for CIS, a document management platform for certificates and RAMS, and a project management tool for assignment creates workable coverage — or a bespoke system can consolidate them.

Industry hub
Construction Software for UK Contractors

Related articles

Construction
Construction Project Management Software for UK SMEs: A Practical Guide
Construction
Construction Estimating Software UK: Cubit, Causeway, CANDY and Bluebeam Compared