9:15am on a Wednesday. A Fair Work Agency inspector walks into a distribution centre in Leeds. No appointment. No advance notice. She shows her credentials, asks for the site manager, and says five words that change his morning: "I'd like to see your right-to-work records."
The site manager leads her to the office. He opens a spreadsheet on his laptop. It lists employee names, start dates, and a column marked "RTW Check" with "Yes" or "No" next to each name.
The inspector looks at the spreadsheet. "Can you prove when these checks were done?"
Silence.
"Who performed the verification?"
Silence.
"Was the document examined in person or over email? Was it an original or a copy? How did you confirm it was genuine?"
The site manager gestures vaguely at the spreadsheet. "We checked. It's all in here."
The inspector has heard this before. Hundreds of times. What she's looking at isn't an audit trail. It's a list of claims with no supporting evidence. And under the Fair Work Agency's enforcement framework, it's essentially worthless.
The Difference Between "We Checked" and Proof
Most businesses believe they're compliant because they perform right-to-work checks. And they probably do — in some form. Someone asks the candidate for their passport. Someone looks at it. Someone decides it looks legitimate. Someone updates a spreadsheet or ticks a box in an HR system.
But compliance isn't about whether you checked. It's about whether you can prove you checked, what you checked, when you checked, who performed the check, and whether the outcome was valid.
That's the difference between a process and an audit trail.
A process is: "We ask everyone for their passport before they start."
An audit trail is: "On 14 January 2026, at 09:42am, Sarah Williams (HR Manager) verified the identity of James Patterson using UK Passport number [redacted], confirmed biometric match, confirmed right-to-work status as 'Settled Status — no restrictions,' and generated verification record CRT-2026-00847."
One of these survives a regulatory inspection. The other gets you a letter you don't want to receive.
What Regulators Actually Want to See
The Fair Work Agency, CQC, and other regulatory bodies aren't looking for perfection. They're looking for evidence of a systematic, reliable process. Specifically, they want:
Timestamped records. Not "we checked sometime in January." The exact date and time of each verification. This proves the check was performed before the worker started, not retroactively when the inspector called ahead.
Verifier identity. Who performed the check? A named individual with the authority and training to conduct right-to-work verification. "The office handled it" isn't an answer.
Document details. What was checked? A UK passport, a biometric residence permit, a share code result? The type of document matters because it determines the scope and duration of the right to work.
Verification method. Was the document examined in person? Was a biometric check performed? Was the Home Office online checking service used? The method determines the reliability of the outcome.
Outcome and any follow-up dates. What was the result, and does the right to work require a follow-up check? Time-limited permissions need re-verification, and your audit trail needs to show you scheduled and performed those follow-ups.
Tamper-proof storage. Can the records be altered after the fact? A spreadsheet that anyone with access can edit is not tamper-proof. A system that locks records at the point of creation and logs any subsequent access is.
Why Spreadsheets Fail
The spreadsheet is the most common "audit trail" in UK businesses. It's also the least defensible.
Spreadsheets can be edited by anyone with access. There's no reliable way to prove that the data wasn't changed after the fact. There's no timestamp that can't be overwritten. There's no verifier identity that's automatically captured. There's no link between the record and the actual verification event.
An inspector looking at a spreadsheet sees a list of assertions. She has no way to confirm that any of those assertions are true. And the burden of proof sits with the employer, not the regulator.
This is why businesses that rely on spreadsheets for compliance are the most vulnerable to enforcement action. Not because they didn't check — many of them did — but because they can't prove it.
What a Real Audit Trail Looks Like
A compliance-ready audit trail generates evidence automatically at the point of verification. It doesn't rely on someone remembering to update a spreadsheet later. It doesn't depend on the HR manager being available. It captures the data in real time and locks it.
With Certifyd, every verification event creates a record that includes:
- Who was verified — linked to a confirmed identity, not just a name
- When it happened — timestamped to the second, immutable
- What was verified — right-to-work status, document type, biometric confirmation
- Who performed the check — the verifier's identity, automatically captured
- The outcome — verified, failed, or requires follow-up, with the reason
- Any follow-up actions — scheduled re-verification dates for time-limited permissions
These records are tamper-proof. They can't be edited after creation. They can be retrieved instantly. And they present a complete, verifiable history of every compliance check your business has ever performed.
When the Fair Work Agency inspector arrives, the conversation changes. Instead of opening a spreadsheet and hoping for the best, you open a dashboard. Every worker verified. Every check timestamped. Every document recorded. Every follow-up scheduled.
That's not just compliance. That's confidence.
The Cost of Getting It Wrong
Under current legislation, the civil penalty for employing an illegal worker is up to £60,000 per worker. That's not a typo. Per worker. A business with five unverified workers faces potential fines of £300,000.
But the financial penalty is only part of the cost. Enforcement action brings reputational damage, potential criminal prosecution for the most serious cases, and the operational disruption of a full compliance investigation.
The Fair Work Agency's walk-in audit powers mean this risk is no longer theoretical. Inspectors can arrive without notice. And when they do, "we asked and they said yes" is the most expensive sentence in UK employment law.
If you want to replace spreadsheets with audit trails that actually hold up, learn how Certifyd automates compliance. And if you're preparing for the Fair Work Agency, read our detailed guide on what every UK business needs to know before April 2026.