marcyano79 - Fotolia

CEST: Putting HMRC’s IR35 status checker under the microscope

Since its launch in March 2017, HMRC's online IR35 status checker tool has come under fierce criticism and scrutiny, only exacerbated in recent weeks by the disclosure it has not been updated in five years

This article can also be found in the Premium Editorial Download: Computer Weekly: Casting a critical eye on HMRC’s IR35 checker tool

Ever since HM Revenue & Customs’ (HMRC) Check Employment Status for Tax (CEST) made its debut just one month before the roll-out of the public sector IR35 reforms in April 2017, the tool has been subject to scrutiny and criticism.

Almost immediately on release, CEST was described as error-prone and unfit for use, and the results it returned were assessed by independent contracting experts as being misaligned with employment status law.

The tool was rolled out in March 2017 to relieve the added administrative burden the IR35 reforms saddled public sector organisations with, as they were now required to individually assess the employment status of every single contractor they hired.

Some high-profile public sector users of CEST have since been landed with multimillion-pound tax bills for misclassifying their contractors. Use of the tool has also been linked to mass walkouts of contractors from government projects, who disagreed with CEST’s view of their employment status.

When CEST was released, HMRC was criticised for releasing it long after many government departments and public sector entities had already finished preparing for the incoming changes.

In May 2022, a Public Accounts Committee (PAC) inquiry concluded that HMRC’s “rushed implementation” of the April 2017 IR35 reforms resulted in widespread non-compliance in the public sector, as it led to “poor guidance” being shared on how to comply with the changes, and “public bodies struggled with its tools to assess [employment] status”.

Incidentally, several public sector entities (including the Department for Work and Pensions, the Department for Environment, Food and Rural Affairs, and NHS Digital) that relied on CEST during the 2017–2019 financial years to determine their contractors’ employment status were later found in breach of the IR35 rules – and issued with multimillion-pound tax bills by HMRC.

Market perception

During the intervening years, there has been little improvement in how the online tool, which reportedly cost HMRC at least £1.8m to develop, is perceived by the market.

Andy Chamberlain, director of policy at the Association of Independent Professionals and the Self-Employed (IPSE), told Computer Weekly there has been “persistent doubts” about how CEST works, and – in its view – businesses and public sector organisations would be well-advised not to use it.

“[IPSE] always believed CEST is fundamentally flawed, as are the IR35 rules themselves,” said Chamberlain. “Both should be scrapped. We’d all be better off – contractors, hirers and HMRC alike.”

What are the IR35 reforms?

The IR35 reforms were first introduced to the public sector in April 2017, before being extended to medium-sized and large private sector firms in April 2021, and saw contractors cede control of determining how they should be taxed to the end-user organisations that engaged them.

Previously, contractors were able to self-declare whether the work they do, and how it is performed, meant their engagements were in or out of scope of the IR35 rules, but – according to HMRC – this system was being abused by some to deliberately misclassify themselves as working outside IR35 and artificially minimise the amount of tax they pay.

This is because engagements that were classified as being inside IR35 meant the contractors concerned would be treated as employees for tax purposes and expected to make the same pay-as-you-earn (PAYE) and NICs as permanent employees.

The roll-out of the changes to both public and private sectors brought about huge amounts of upheaval for IT contractors as some end-hirers sought to side-step the additional administrative burden this shift in responsibility put on them by introducing contractor hiring bans.

Other organisations decided to issue blanket determinations, whereby all contractors were deemed to be working inside IR35 as a means of ensuring compliance and to reduce the risk of being saddled with a sizeable tax bill later down the line for incorrectly assessing the tax status of their contractors.

HMRC has always staunchly defended CEST in the face of such criticism, and said it will stand by its results “providing the correct information” is entered into it.

Along with its guidance documents, HMRC has repeatedly reiterated that CEST has an important role to play in recouping the millions of pounds in unpaid tax lost each year to non-compliance with the IR35 rules – particularly since the CEST user-base expanded significantly in April 2021, when the scope of the IR35 reforms was extended to include medium-to-large private sector businesses.

With so many more organisations now relying on CEST, a disclosure by HMRC in March 2024 that the tool’s underlying source code has not been updated since October 2019 has prompted a fresh outpouring of scorn for the tool.

“CEST has been plagued with issues from day one, and this latest calamity is yet another reason not to trust it to determine the IR35 status of contractors – nor the employment status of sole traders for that matter,” Seb Maley, CEO IR35 compliance company Qdos, told Computer Weekly.

No updates since 2019

The source of the March 2024 disclosure was a Freedom of Information (FOI) request filed by Dave Chaplin, CEO of contractor compliance company IR35 Shield.

After going public with the contents of the FOI response, Chaplin said organisations using CEST are now are at risk of “significant tax liabilities and penalties” because its results are even less aligned with case law now than they were at the time of its launch.

Since October 2019, at least 20 IR35-related tribunals and cases have concluded, including a pivotal hearing at the Court of Appeal involving TV personality Kaye Adams’ company, Atholl House, in April 2022.

The Court of Appeal in that case ruled HMRC’s view of employment status (which forms the basis of the decisions CEST makes) is incorrect, and this example alone suggests the tool should have been updated at least once since 2019.

“From April 2022, the CEST tool is objectively wrong, because it is misaligned with law,” Chaplin told Computer Weekly. “The code base and decision log tables (version 2.4) combined with the source code objectively prove what I am saying. HMRC cannot claim black is white when it comes to unequivocal evidence.”

For this reason, organisations that use CEST are making decisions on logic that is no longer reflective of the current legal landscape, he claimed.  

“CEST has remained frozen since 2019 … and the FOI response provides irrefutable evidence proving CEST’s decision engine has been collecting dust for half a decade,” added Chaplin.

Broken promises

What makes the contents of Chaplin’s FOI response all the more significant is that HMRC head Jim Harra went on record in March 2019, during a Public Accounts Committee (PAC) briefing, to state that updating CEST would be an “unending” and “continuing” process to ensure the decision it makes aligns with case law. It is now a matter of public record that, within six months of making this statement, updates to the underlying decision engine of CEST ceased.

This situation puts HMRC at direct odds with the Cabinet Office’s 14-point Service Standard guidance, which coaches public sector entities on how to “create and run great public services”.

Point eight of this guidance states public sector IT teams must “iterate and improve the service frequently” beyond just doing “basic maintenance”, such as “fixing bugs in code and deploying security patches”. The document stated: “If that’s all you do, you’ll be fixing symptoms rather than underlying problems. And over time, the service will stop meeting user needs.”

When Computer Weekly queried CEST’s lack of updates, HMRC played down the significance of Chaplin’s findings by stating the tool is subject to testing to ensure its results align with case law.

“These claims are wrong – the tool is fully up to date with the latest cases,” the HMRC spokesperson said. “We constantly test the CEST tool to ensure it reflects employment status case law, and have done so since it launched.”

Computer Weekly then asked HMRC to clarify which part of Chaplin’s claims are wrong, and to confirm when the underlying logic for CEST was last updated. “It’s true – the underlying logic hasn’t been changed for five years,” the spokesperson stated.

In a follow-up interview with Computer Weekly, Chaplin slammed HMRC for conflating updating CEST with testing it. “The tool not being updated for five years is not the same as the tool being continually tested,” he said. “If there is a fault with a car discovered during its MOT and then nothing is done to fix the fault, it doesn’t matter how many times you keep retesting the car, the fault will still exist.”

Removed from public view

Chaplin’s FOI request asked HMRC to confirm the URL where the most up-to-date version of CEST’s source code resides online, and the response directed readers to a public Github repository with time stamps that clearly showed CEST’s source code had not been updated in five years.

Within a fortnight of the FOI response’s contents being made public, the source code for CEST’s underlying decision engine was deleted from the Github repository, with sources first alerting Computer Weekly to its erasure on Friday 5 April 2024.  

HMRC recreated it within days in a new repository, and claimed the deletion was done by mistake during the decommissioning phase of the work it has been doing to migrate CEST to a new, in-house developed platform known as Ocelot.

How CEST squares with the Cabinet Office Service Standard

The disappearance of CEST’s source code from public view – momentarily – saw HMRC infringe on point 12 (as well as point eight) of the Service Standard guidance, which states that IT teams “must write code in the open” and “publish it to an open repository”. And, if it is not possible to do so, provide a convincing explanation [about] why this cannot be done.”

Computer Weekly contacted the Cabinet Office for comment on this, but was told the department would be deferring to HMRC to respond on its behalf.

According to an HMRC source, the deletion came about because “someone somewhere mistakenly thought that taking the [underlying decision] logic off Github was part of that decommissioning work, which it wasn’t”.

HMRC later confirmed to Computer Weekly that the deletion and recreation of the source code on Github had wiped clean all of the update history pertaining to CEST since it first entered the public domain in March 2017.

This meant all of the repository’s time stamps reset to the point in time HMRC recreated it, erasing all references to the fact CEST’s decision engine was last updated five years ago.

Cock-up or cover-up?

This chain of events has been picked over and speculated upon by numerous members of the IT contractor community on professional social networking site LinkedIn, who have responded with scepticism to HMRC’s claim the repository was deleted in error so soon after the FOI request confirmed CEST’s source code had remained untouched for so long.

“It’s somewhat of a coincidence that HMRC removed the source code from public scrutiny just as the five-year stagnation revelations came out,” said Chaplin, in response.

HMRC has denied any link between the emergence of the FOI response and the deletion of CEST’s Github repository during its correspondence with Computer Weekly, and repeatedly reiterated that its removal was a “genuine error”.

Speaking to Computer Weekly, Julrich Kieffer, a former head of enterprise architecture and programme turned freelancer, said the source code’s deletion may have been done in error, but it was not accidental.

“The explanation is that [this was] a deliberate deletion due to an internal misunderstanding,” he said, adding that this does not reflect well on how tech teams inside HMRC operate or are supervised.

“Should the public infer that sign-off was given for the deletion, but the operator is now blamed for doing so? Or was sign-off absent but an admin-privileged operator, being misinformed, deleted digital assets with no controls whatsoever? Moreover, where is the parliamentary scrutiny of HMRC, given it has no regulator?”

Erased from history

HMRC’s claim the full update history of CEST is irretrievably deleted has been repeatedly called into question since Computer Weekly reported this on 11 April 2024 by numerous members of the software developer community who are well-versed in how Github works.

Speaking to Computer Weekly, on condition of anonymity, one developer described HMRC’s approach to safeguarding the source code and update history of CEST as “negligent”, and said it does not paint the department’s backup and recovery protocols in a very good light either.

According to several software developers Computer Weekly spoke to while compiling this article, the backup history should be retrievable from any machine that has previously been used to pull down a copy of the CEST Github repository.

How much did CEST cost?

Based on the publicly available data, it is known that CEST has cost at least £1.84m to produce up to early 2019.

This is based on figures previously published by HMRC that state the original build cost £610,000, with £21,500 spent on the service’s continuing development to February 2019.

In addition to this, HMRC estimates that agile development and iterative testing of the tool cost a further £1.1m, and an additional £110,000 was also spent during the first six weeks after it went live to “cover staff costs to correct any issues that might have arisen.”

This is due to the distributed nature of Github, which means all copies of a repository come with a complete history, meaning a deletion from Github only gets rid of the main copy of a repository.

“Best practice would be to ensure backups were made of any repository before any buttons were pressed, but there must have been copies on the hard drives of its developers that would have made it possible to reinstate the update history, too,” said the unnamed developer.  

Computer Weekly asked HMRC for a response to these statements, but the department did not directly address them in its reply.

Instead, an HMRC representative supplied the following statement: “The CEST tool logic was taken down by mistake and was put back up.”

According to HMRC, the last major change made to the logic was done to accommodate the private sector roll-out of the IR35 reforms, and there were also some accessibility-related enhancements made to the tool in 2019.

The erasure of CEST’s update history could be played down on the basis that, by HMRC’s own admission, the tool was last updated five years ago. Owen Sayers, a senior partner at IT security consultancy Secon Solutions with more than 20 years’ experience in delivering public sector IT systems, takes issue with that point of view.

Drawing parallels with the Post Office Horizon scandal, the lack of updates and loss of CEST’s update history is concerning, he said. “In light of the Horizon situation, I’d suggest that maintaining the integrity and control of records of source code [changes] for HM government or public sector systems has never been more important, personally,” added Sayers.

Missing test data

As previously mentioned, HMRC has defended CEST’s lack of updates by saying the tool has been “rigorously tested” against employment status law.

As proof of that, HMRC shared a document with Computer Weekly that listed all of the First-Tier Tribunal decisions CEST had been tested against and how its results compared with the court’s findings.

Among them is Kaye Adams’ Atholl House case, which is cited as an example of where CEST’s results (that state IR35 applies) align with the findings of the First-Tier Tribunal. What the document neglects to mention is that the Court of Appeal later ruled Adams’ engagements were outside IR35.

“Since the tool’s launch … we have been committed to continuous testing of CEST against emerging employment status case law,” the HMRC testing document stated.

Computer Weekly asked HMRC to clarify what it means by the term “rigorously tested”, but the department did not directly answer the question.

It was also asked if records were kept, detailing when and how frequently CEST is tested, and if the department retains details of the responses that led CEST to return the results it does.

“The tests are carried out on an ongoing basis as case law is published to ensure the tool is up to date,” an HMRC spokesperson said.

HMRC also used its response to point Computer Weekly to a web page that it said detailed the enhancements that were made to CEST in 2019 – with the help of more than 300 stakeholders. “Details of the work involved in enhancing CEST can be found here,” the HMRC spokesperson said.

Digging into HMRC’s CEST test data

Other individuals have also sought further information from HMRC over the years about its testing procedures for CEST, though the submission of FOI requests, and received similar responses.  

A document passed to Computer Weekly, dated March 2020, includes a critique by data architect, engineer and former IT testing manager David Kirkwood, of the responses he received to an FOI request for access to HMRC’s documentation for testing CEST.

The request saw HMRC respond with links to the same webpage about the enhancements made to the tool in 2019, and details of the tests it has done to compare how CEST worked in 2017 with the revamped version that came out two years later.

“[HMRC] claim to have carried out extensive testing, but it all seems to have involved comparing the 2019 tool’s output against the 2017 tool – modified by current and settled litigation,” wrote Kirkwood. “HMRC said they identified no significant issues and the service produced results in line with HMRC’s view of status.”

He stated in the document that HMRC’s approach to testing CEST has left him “shocked”, before going on to flag concerns about the lack of “test scenarios or test scripts, nor any formal test reports” shared by HMRC in its response.

“There is no description of the rules that define the operation of the 2019 product, simply a statement that it was tested by comparison,” said Kirkwood. “Without any justification for the quality of the gauges, these comparisons are simply meaningless.

“We only have HMRC’s assurance that they identified ‘no significant issues’ and that ‘the service provided results in line with HMRC’s view of status’. These statements are completely meaningless without any appropriate context.”

No record kept

Back in April 2018, in response to another FOI request filed by IR35 Shield’s Chaplin, HMRC confirmed the only records kept of the “rigorous testing” CEST undergoes is the end result it produces. At no point during these tests was any record kept of how CEST came to its conclusions.

The admission prompted Chaplin to call for an immediate inquiry by the PAC into how HMRC approached the testing and development of CEST, on the basis that a “fundamental piece of the CEST jigsaw is missing”. “The lack of rigour involved in its testing methodology is astonishing,” he said. “HMRC publicly claimed that CEST gives the right result provided the correct answers are entered into the tool, but has chosen not to document any of those answers used during the testing process.”

All things considered, what we have in CEST is a seven-year-old government service that its creators have neglected to update, that has patchy update documentation and scant detail on how it is “rigorously” tested. 

“We have already seen what happens when code is poorly tested, documented or maintained in the Post Office Horizon outcomes,” said Secon Solutions’ Sayers. “A software product that has not been rigorously tested cannot be 100% relied upon, and any disclosure that identifies or suggests HMRC have not properly tested or maintained this software must be considered most seriously.

“While CEST might have been tested, the lack of comprehensive records of that testing, and detailed change management of the codebase, breaks the chain of evidence required to inherently rely on the software’s outputs.”

For this reason, HMRC can no longer afford to leave CEST to wither on the vine or ignore demands for further details about how it is tested.

“HMRC should embark on a transparent third-party code review to create a baseline for it moving forward, and retrospective analysis of its use to ensure its outputs have in fact been consistent and accurate,” said Sayers.

Computer Weekly’s reporting of CEST: A timeline

30 March 2017: HMRC contractors leave over inside IR35 ruling.

04 April 2017: IR35 reforms: HMRC ‘delays’ blamed for last-minute public sector compliance panic.

01 March 2018: Contractor confidence in HMRC IR35 online assessment tool remains low.

01 May 2018: HMRC dismisses criticism of ‘perfectly good’ IR35 online assessment tool.

05 April 2018: IR35 reforms: Calls for inquiry into pre-launch tests of HMRC IR35 assessment tool.

09 August 2018: Ex-HMRC tax inspector sounds alarm over suitability of IR35 online status checker tool.

11 December 2020: HMRC data shows online IR35 status check tool does not return a result in nearly 20% of cases.

22 May 2019: HMRC's defence of IR35 online status checker tool likened to ‘climate change denial’.

24 June 2019: Release date clarification sought for revamped CEST tool as private sector IR35 reforms near.

04 November 2019: NHS Digital hit with £4.3m IR35-related tax bill after using HMRC CEST tool to assess contractors.

26 November 2019: Revamped HMRC IR35 status checker tool still lacks key functionality, contractor groups claim.

28 June 2021: IR35 reforms: HMRC questioned about CEST as tax status of 210,000 contractors left ‘undetermined’.

23 July 2021: DWP hit with £87.9m tax bill by HMRC over ‘historic’ IR35 status contractor assessment errors.

24 August 2021: HMCTS discloses £12.5m HMRC tax bill over IR35 status contractor assessment errors.

20 December 2021: Defra and MoJ hit with £120m IR35 tax bill despite using HMRC guidance.

13 January 2022: IR35: Impact survey suggests downturn in use of HMRC CEST tool by enterprises.

10 February 2022: IR35: NAO slams HMRC’s ‘haphazard’ roll-out of off-payroll reforms to public sector.

25 March 2022: IR35 reforms: PAC report blames HMRC for ‘widespread non-compliance’ in public sector.

17 November 2022: NHS Digital confirms final settlement of £3.95m with HMRC following conclusion of IR35 investigation.

21 February 2023: HMRC slammed for ‘needlessly’ pursuing CEST-assured outside-IR35 contractor.

04 October 2023: IR35: HMRC completes first phase of CEST upgrades with Ocelot platform migration.

27 March 2024: HMRC’s online IR35 status checker tool CEST not updated in five years, FOI confirms.

10 April 2024: IR35: HMRC rushing to restore CEST source code deleted from Github ‘in error’.

11 April 2024: IR35: HMRC restores Github access to deleted CEST source code, but confirms update data lost.

Read more on IT for government and public sector

Data Center
Data Management