Issue 8: The 5 Compliance Questions Missing from Nearly Every Workforce Service and Technology RFP
Most RFPs test functionality and cost—while ignoring the questions regulators will ask later.
David Ballew, Founder & CEO
Originally Published: 7 January 2026
This analysis is based on Nimble Global's proprietary research and 30+ years of practical experience across over 90 countries.
© 2019 - 2026 Nimble Global. All rights reserved.
I've been in the external workforce industry for over 30 years and have reviewed hundreds of RFPs across multiple countries. And I can tell you with certainty: most are missing the most critical compliance questions.
Here's what typically happens:
A procurement team issues an RFP for a service or technology vendor.
The vendors respond with impressive presentations and demos.
They include a compliance section, typically a few paragraphs on their 'robust compliance framework' and 'dedicated compliance team.'
They promise quarterly compliance reports.
Everything looks professional and thorough.
The procurement team selects a vendor, and the contract is signed.
And every quarter, like clockwork, the vendor presents its compliance update: a single slide in the QBR deck. Nearly everything is green. Nearly everything is 'compliant.' The vendor moves quickly to the next slide.
Here's what that slide doesn't tell you:
Who conducted the audit? (Often: the vendor's own employees)
What was actually audited? (Often: a checkbox exercise)
What qualifications do the auditors have? (Often: minimal to none in the areas they're auditing)
Were any issues found? (Rarely reported)
Were the audit results independently verified? (Almost never)
The uncomfortable truth: Most vendors' 'compliance audits' are self-attestations.
And would you accept a self-audited financial statement from your CFO? Of course not. So why do we accept self-audited compliance from workforce providers, often your second or third largest spend category, who have access to all enterprise and worker confidential information?
The Solution: 5 Questions That Change Everything
I'm going to share five questions that should be included in every RFP.
Copy them. Paste them. Send them.
Not in an RFP process right now? Send these 5 questions to your current providers today as a standalone compliance inquiry. You don't need to wait for a contract renewal. You don't need procurement approval. You can email these questions to your provider contact now: Subject: Compliance Verification Request.
These questions separate providers who take compliance seriously from those who simply talk about it.
Question 1: Independent Third-Party Auditing
Do you engage independent third-party compliance auditors to verify your compliance attestations?
If Yes: Name the independent auditing firm(s) you use. Provide the auditing firm's direct contact information. Describe the scope of their audits.
If No: Describe your internal audit process, including who conducts your compliance audits (title, qualifications). Explain why you do not use independent verification.
Why this matters: Independence is everything. A vendor auditing itself has an inherent conflict of interest. When issues are found, fixing them costs money and may require difficult client conversations. Self-audits are incentivised to show green, not truth.
Question 2: Audit Results and Transparency
Provide the results summary from your last four quarterly independent compliance audits. For each quarter, include:
Audit date and scope
Number of compliance areas reviewed
Number of findings requiring remediation
Status of remediation (open/closed)
Overall compliance rating or certification status
Name of the auditor who signed off
Why this matters: Real audits find real issues. If a vendor presents four quarters of perfect compliance with zero findings, one of two things is true: either they're extraordinary (rare), or the audit isn't rigorous (common). Patterns of findings and remediation indicate that a provider takes compliance seriously and identifies and resolves issues.
Question 3: Audit Rigor and Finding Rates
What percentage of your compliance audits in the past 12 months resulted in findings requiring remediation?
0-10% (Few or no issues found)
11-30% (Some issues requiring attention)
31-50% (Moderate issues identified)
51%+ (Significant compliance gaps)
Explain your approach to remediation when non-compliance findings are identified.
Why this matters: Counterintuitively, a 0% finding rate is a red flag. Real audits uncover issues because compliance is complex, regulations change, and human error exists. An audit that finds nothing often isn't looking hard enough. The question isn't whether issues exist; it's whether your provider has the discipline to find and fix them.
Question 4: Auditor Qualifications and Expertise
Do the individuals conducting compliance audits hold professional certifications in the specific areas they audit?
For each compliance domain you audit (check all that apply and provide qualifications):
Insurance compliance (required qualifications: insert)
Employment law/worker classification (required qualifications: insert)
Tax compliance (required qualifications: insert)
Data protection & information security (required qualifications: insert)
Health & safety (required qualifications: insert)
Industry-specific regulations (required qualifications: insert)
Provide resumes/CVs or qualification summaries for your compliance audit team.
Why this matters: Reviewing a certificate of insurance means nothing if the reviewer doesn't understand insurance. Auditing worker classification requires knowledge of employment law. Tax compliance audits demand tax expertise. Yet many 'compliance auditors' are operations staff with no specialised training. Would you trust a financial audit conducted by someone without accounting credentials?
Question 5: Client Access to Audit Documentation
Will you provide our organisation with direct access to full independent audit reports (not summaries) throughout our contract term?
Yes, full audit reports will be provided quarterly.
Yes, available upon request.
No, only compliance summaries will be provided.
If No or limited access, explain why:
Why this matters: Summary slides can hide anything. 'Everything is compliant' is easy to write. The details matter. Direct access to audit methodology, findings, evidence, and remediation plans allows you to verify that compliance isn't just claimed, it's proven. Providers confident in their compliance welcome this transparency. Those who resist it should raise immediate concerns.
What Happens When You Ask These Questions
Providers using independent auditors will welcome these questions. They'll provide detailed responses because they have nothing to hide. In fact, they'll use their independent certification as a competitive differentiator.
Providers who don't use independent auditors will struggle. They'll explain why their internal process is 'just as rigorous.' They'll emphasise their 'experienced team.' They'll talk about their technology and workflows. What they won't provide is independent verification. That difference should tell you everything.
The New Standard
The workforce compliance landscape is changing. Regulatory scrutiny is increasing globally. Misclassification penalties are severe. Data protection violations carry massive fines. Tax authorities are aggressively auditing workforce arrangements.
In this environment, 'trust us, we're compliant' is no longer acceptable. Independent verification is a requirement, not a luxury. Leading vendors already understand this. They're engaging independent auditors because it protects both them and their clients. They're building compliance into their value proposition, not hiding it in the fine print.
The question for procurement is simple: Do you want a provider that can prove compliance, or one that simply claims it?
Take Action
If you're issuing an RFP:
Copy these five questions.
Add them to your compliance section.
Require detailed responses.
Evaluate providers based on their answers.
If you're evaluating an existing vendor relationship:
Ask your current provider these questions.
Request the documentation.
If they can't or won't provide it, or delay responding, ask why. Consider what that tells you about your compliance risk.
A Final Thought
I spent three decades building workforce solutions, implementing technology platforms, and helping organisations manage external workforces worldwide. I've seen what real compliance looks like and what theatre looks like. The difference isn't subtle.
Real compliance is documented, verified, and transparent.
Theatre is green slides and confidence. Your organisation deserves better than theatre. Your stakeholders, your shareholders, and your workforce deserve providers who can prove, not just promise, compliance. It starts with asking the right questions.
Ready to implement these questions in your next RFP?
This is the exact template we use when supporting live procurements.
Stay Nimble. Stay Compliant.
About the Author: With extensive experience in workforce compliance and global workforce solutions, David Ballew has consistently driven innovation and operational excellence. As the Founder and CEO of Nimble Global, David combines deep industry expertise with a unique perspective shaped by his neurodiverse AuDHD profile, enabling creative problem-solving and multidimensional insight. A pioneer in MSP models and workforce technologies, he is dedicated to bridging global compliance gaps and helping organisations build resilient, future-ready workforces.
Real People. Real Action. Real Innovation.
Disclaimer: This content is intended for informational purposes only and does not constitute legal, tax, or employment advice. Readers should consult qualified professionals in relevant jurisdictions before acting on the guidance provided. Nimble Global disclaims any liability for actions taken based on this publication.