CEST: Putting HMRC’s IR35 status checker under the microscope

Market perception

During the intervening years, there has been little improvement in how the online tool, which reportedly cost HMRC at least £1.8m to develop, is perceived by the market.

Andy Chamberlain, director of policy at the Association of Independent Professionals and the Self-Employed (IPSE), told Computer Weekly there has been “persistent doubts” about how CEST works, and – in its view – businesses and public sector organisations would be well-advised not to use it.

“[IPSE] always believed CEST is fundamentally flawed, as are the IR35 rules themselves,” said Chamberlain. “Both should be scrapped. We’d all be better off – contractors, hirers and HMRC alike.”

HMRC has always staunchly defended CEST in the face of such criticism, and said it will stand by its results “providing the correct information” is entered into it.

Along with its guidance documents, HMRC has repeatedly reiterated that CEST has an important role to play in recouping the millions of pounds in unpaid tax lost each year to non-compliance with the IR35 rules – particularly since the CEST user-base expanded significantly in April 2021, when the scope of the IR35 reforms was extended to include medium-to-large private sector businesses.

With so many more organisations now relying on CEST, a disclosure by HMRC in March 2024 that the tool’s underlying source code has not been updated since October 2019 has prompted a fresh outpouring of scorn for the tool.

“CEST has been plagued with issues from day one, and this latest calamity is yet another reason not to trust it to determine the IR35 status of contractors – nor the employment status of sole traders for that matter,” Seb Maley, CEO IR35 compliance company Qdos, told Computer Weekly.

No updates since 2019

The source of the March 2024 disclosure was a Freedom of Information (FOI) request filed by Dave Chaplin, CEO of contractor compliance company IR35 Shield.

After going public with the contents of the FOI response, Chaplin said organisations using CEST are now are at risk of “significant tax liabilities and penalties” because its results are even less aligned with case law now than they were at the time of its launch.

Since October 2019, at least 20 IR35-related tribunals and cases have concluded, including a pivotal hearing at the Court of Appeal involving TV personality Kaye Adams’ company, Atholl House, in April 2022.

The Court of Appeal in that case ruled HMRC’s view of employment status (which forms the basis of the decisions CEST makes) is incorrect, and this example alone suggests the tool should have been updated at least once since 2019.

“From April 2022, the CEST tool is objectively wrong, because it is misaligned with law,” Chaplin told Computer Weekly. “The code base and decision log tables (version 2.4) combined with the source code objectively prove what I am saying. HMRC cannot claim black is white when it comes to unequivocal evidence.”

For this reason, organisations that use CEST are making decisions on logic that is no longer reflective of the current legal landscape, he claimed.  

“CEST has remained frozen since 2019 … and the FOI response provides irrefutable evidence proving CEST’s decision engine has been collecting dust for half a decade,” added Chaplin.

Broken promises

What makes the contents of Chaplin’s FOI response all the more significant is that HMRC head Jim Harra went on record in March 2019, during a Public Accounts Committee (PAC) briefing, to state that updating CEST would be an “unending” and “continuing” process to ensure the decision it makes aligns with case law. It is now a matter of public record that, within six months of making this statement, updates to the underlying decision engine of CEST ceased.

This situation puts HMRC at direct odds with the Cabinet Office’s 14-point Service Standard guidance, which coaches public sector entities on how to “create and run great public services”.

Point eight of this guidance states public sector IT teams must “iterate and improve the service frequently” beyond just doing “basic maintenance”, such as “fixing bugs in code and deploying security patches”. The document stated: “If that’s all you do, you’ll be fixing symptoms rather than underlying problems. And over time, the service will stop meeting user needs.”

When Computer Weekly queried CEST’s lack of updates, HMRC played down the significance of Chaplin’s findings by stating the tool is subject to testing to ensure its results align with case law.

“These claims are wrong – the tool is fully up to date with the latest cases,” the HMRC spokesperson said. “We constantly test the CEST tool to ensure it reflects employment status case law, and have done so since it launched.”

Computer Weekly then asked HMRC to clarify which part of Chaplin’s claims are wrong, and to confirm when the underlying logic for CEST was last updated. “It’s true – the underlying logic hasn’t been changed for five years,” the spokesperson stated.

In a follow-up interview with Computer Weekly, Chaplin slammed HMRC for conflating updating CEST with testing it. “The tool not being updated for five years is not the same as the tool being continually tested,” he said. “If there is a fault with a car discovered during its MOT and then nothing is done to fix the fault, it doesn’t matter how many times you keep retesting the car, the fault will still exist.”

Removed from public view

Chaplin’s FOI request asked HMRC to confirm the URL where the most up-to-date version of CEST’s source code resides online, and the response directed readers to a public Github repository with time stamps that clearly showed CEST’s source code had not been updated in five years.

Within a fortnight of the FOI response’s contents being made public, the source code for CEST’s underlying decision engine was deleted from the Github repository, with sources first alerting Computer Weekly to its erasure on Friday 5 April 2024.  

HMRC recreated it within days in a new repository, and claimed the deletion was done by mistake during the decommissioning phase of the work it has been doing to migrate CEST to a new, in-house developed platform known as Ocelot.

According to an HMRC source, the deletion came about because “someone somewhere mistakenly thought that taking the [underlying decision] logic off Github was part of that decommissioning work, which it wasn’t”.

HMRC later confirmed to Computer Weekly that the deletion and recreation of the source code on Github had wiped clean all of the update history pertaining to CEST since it first entered the public domain in March 2017.

This meant all of the repository’s time stamps reset to the point in time HMRC recreated it, erasing all references to the fact CEST’s decision engine was last updated five years ago.

Cock-up or cover-up?

This chain of events has been picked over and speculated upon by numerous members of the IT contractor community on professional social networking site LinkedIn, who have responded with scepticism to HMRC’s claim the repository was deleted in error so soon after the FOI request confirmed CEST’s source code had remained untouched for so long.

“It’s somewhat of a coincidence that HMRC removed the source code from public scrutiny just as the five-year stagnation revelations came out,” said Chaplin, in response.

HMRC has denied any link between the emergence of the FOI response and the deletion of CEST’s Github repository during its correspondence with Computer Weekly, and repeatedly reiterated that its removal was a “genuine error”.

Speaking to Computer Weekly, Julrich Kieffer, a former head of enterprise architecture and programme turned freelancer, said the source code’s deletion may have been done in error, but it was not accidental.

“The explanation is that [this was] a deliberate deletion due to an internal misunderstanding,” he said, adding that this does not reflect well on how tech teams inside HMRC operate or are supervised.

“Should the public infer that sign-off was given for the deletion, but the operator is now blamed for doing so? Or was sign-off absent but an admin-privileged operator, being misinformed, deleted digital assets with no controls whatsoever? Moreover, where is the parliamentary scrutiny of HMRC, given it has no regulator?”

Erased from history

HMRC’s claim the full update history of CEST is irretrievably deleted has been repeatedly called into question since Computer Weekly reported this on 11 April 2024 by numerous members of the software developer community who are well-versed in how Github works.

Speaking to Computer Weekly, on condition of anonymity, one developer described HMRC’s approach to safeguarding the source code and update history of CEST as “negligent”, and said it does not paint the department’s backup and recovery protocols in a very good light either.

According to several software developers Computer Weekly spoke to while compiling this article, the backup history should be retrievable from any machine that has previously been used to pull down a copy of the CEST Github repository.

This is due to the distributed nature of Github, which means all copies of a repository come with a complete history, meaning a deletion from Github only gets rid of the main copy of a repository.

“Best practice would be to ensure backups were made of any repository before any buttons were pressed, but there must have been copies on the hard drives of its developers that would have made it possible to reinstate the update history, too,” said the unnamed developer.  

Computer Weekly asked HMRC for a response to these statements, but the department did not directly address them in its reply.

Instead, an HMRC representative supplied the following statement: “The CEST tool logic was taken down by mistake and was put back up.”

According to HMRC, the last major change made to the logic was done to accommodate the private sector roll-out of the IR35 reforms, and there were also some accessibility-related enhancements made to the tool in 2019.

The erasure of CEST’s update history could be played down on the basis that, by HMRC’s own admission, the tool was last updated five years ago. Owen Sayers, a senior partner at IT security consultancy Secon Solutions with more than 20 years’ experience in delivering public sector IT systems, takes issue with that point of view.

Drawing parallels with the Post Office Horizon scandal, the lack of updates and loss of CEST’s update history is concerning, he said. “In light of the Horizon situation, I’d suggest that maintaining the integrity and control of records of source code [changes] for HM government or public sector systems has never been more important, personally,” added Sayers.

Missing test data

As previously mentioned, HMRC has defended CEST’s lack of updates by saying the tool has been “rigorously tested” against employment status law.

As proof of that, HMRC shared a document with Computer Weekly that listed all of the First-Tier Tribunal decisions CEST had been tested against and how its results compared with the court’s findings.

Among them is Kaye Adams’ Atholl House case, which is cited as an example of where CEST’s results (that state IR35 applies) align with the findings of the First-Tier Tribunal. What the document neglects to mention is that the Court of Appeal later ruled Adams’ engagements were outside IR35.

“Since the tool’s launch … we have been committed to continuous testing of CEST against emerging employment status case law,” the HMRC testing document stated.

Computer Weekly asked HMRC to clarify what it means by the term “rigorously tested”, but the department did not directly answer the question.

It was also asked if records were kept, detailing when and how frequently CEST is tested, and if the department retains details of the responses that led CEST to return the results it does.

“The tests are carried out on an ongoing basis as case law is published to ensure the tool is up to date,” an HMRC spokesperson said.

HMRC also used its response to point Computer Weekly to a web page that it said detailed the enhancements that were made to CEST in 2019 – with the help of more than 300 stakeholders. “Details of the work involved in enhancing CEST can be found here,” the HMRC spokesperson said.

Digging into HMRC’s CEST test data

Other individuals have also sought further information from HMRC over the years about its testing procedures for CEST, though the submission of FOI requests, and received similar responses.  

A document passed to Computer Weekly, dated March 2020, includes a critique by data architect, engineer and former IT testing manager David Kirkwood, of the responses he received to an FOI request for access to HMRC’s documentation for testing CEST.

The request saw HMRC respond with links to the same webpage about the enhancements made to the tool in 2019, and details of the tests it has done to compare how CEST worked in 2017 with the revamped version that came out two years later.

“[HMRC] claim to have carried out extensive testing, but it all seems to have involved comparing the 2019 tool’s output against the 2017 tool – modified by current and settled litigation,” wrote Kirkwood. “HMRC said they identified no significant issues and the service produced results in line with HMRC’s view of status.”

He stated in the document that HMRC’s approach to testing CEST has left him “shocked”, before going on to flag concerns about the lack of “test scenarios or test scripts, nor any formal test reports” shared by HMRC in its response.

“There is no description of the rules that define the operation of the 2019 product, simply a statement that it was tested by comparison,” said Kirkwood. “Without any justification for the quality of the gauges, these comparisons are simply meaningless.

“We only have HMRC’s assurance that they identified ‘no significant issues’ and that ‘the service provided results in line with HMRC’s view of status’. These statements are completely meaningless without any appropriate context.”

No record kept

Back in April 2018, in response to another FOI request filed by IR35 Shield’s Chaplin, HMRC confirmed the only records kept of the “rigorous testing” CEST undergoes is the end result it produces. At no point during these tests was any record kept of how CEST came to its conclusions.

The admission prompted Chaplin to call for an immediate inquiry by the PAC into how HMRC approached the testing and development of CEST, on the basis that a “fundamental piece of the CEST jigsaw is missing”. “The lack of rigour involved in its testing methodology is astonishing,” he said. “HMRC publicly claimed that CEST gives the right result provided the correct answers are entered into the tool, but has chosen not to document any of those answers used during the testing process.”

All things considered, what we have in CEST is a seven-year-old government service that its creators have neglected to update, that has patchy update documentation and scant detail on how it is “rigorously” tested. 

“We have already seen what happens when code is poorly tested, documented or maintained in the Post Office Horizon outcomes,” said Secon Solutions’ Sayers. “A software product that has not been rigorously tested cannot be 100% relied upon, and any disclosure that identifies or suggests HMRC have not properly tested or maintained this software must be considered most seriously.

“While CEST might have been tested, the lack of comprehensive records of that testing, and detailed change management of the codebase, breaks the chain of evidence required to inherently rely on the software’s outputs.”

For this reason, HMRC can no longer afford to leave CEST to wither on the vine or ignore demands for further details about how it is tested.

“HMRC should embark on a transparent third-party code review to create a baseline for it moving forward, and retrospective analysis of its use to ensure its outputs have in fact been consistent and accurate,” said Sayers.