The situation: A global business commissioned a risk and compliance audit across their extended workforce suppliers. What started as a structured review of supplier compliance quickly revealed a deeper problem: the organisation didn’t have basic visibility into how their own programme operated.
What we did: We ran the audit end-to-end — reviewing supplier compliance across multiple countries and risk areas, identifying gaps, and building a framework to get remediation back under the client’s control. When one supplier couldn’t evidence any of their claims, we built a documentation request framework to establish what should exist — and surface what didn’t.
What’s changing: Two suppliers resolved all audit findings with clear evidence. A third is still working through remediation. The more significant shift is the client’s growing understanding of what visibility they’re entitled to — and what to do when they’re not getting it.
Most organisations that use a Managed Service Provider assume a certain baseline. Someone is tracking compliance. Documentation exists. If something goes wrong, there’s an audit trail. The programme is being run professionally, even if the day-to-day detail sits with the MSP rather than internally.
That assumption deserves more scrutiny than it usually gets.
The audit started with suppliers. It ended with a governance question.
We were brought in to run a risk and compliance audit across the client’s extended workforce suppliers — a structured review covering tenure management, data privacy, pay parity, and worker classification across multiple European countries.
Two suppliers engaged openly. They provided evidence, addressed the findings, and demonstrated mature compliance management. Tenure processes were tightened. Data privacy frameworks were validated. A two-year gap in pay parity monitoring in one country was identified, resolved quickly through a seven-point action plan, and a proactive monitoring trigger was put in place to prevent it happening again. Satisfactory outcomes, properly evidenced.
The third supplier was different.
When we reviewed their audit findings, we were told verbally that everything had been addressed. When we asked for evidence, none was provided. What followed was months of follow-up, escalation, and a documentation request process designed to establish — from the ground up — what information the client should have access to, and what the supplier could actually produce.
The answer, in too many areas, was that the documentation either lived on the supplier’s own systems (inaccessible to the client) or didn’t exist in any meaningful form at all.
The documentation gap is more common than you’d think
This isn’t a story about one difficult supplier. It’s a pattern we see regularly with large global MSPs.
When pushed on the quality of their documentation, the response from this supplier was revealing: they suggested that other large MSPs probably weren’t doing any better. That may well be true. It doesn’t make it acceptable.
The documentation framework we built for this client sets out what any organisation should expect as a baseline from their MSP — not sophisticated strategic reporting, just the fundamentals. Operational procedures. Compliance frameworks. KPI reporting. Evidence that the processes described on paper actually match what’s happening on the ground.
That last part is the critical one. In our experience, documented processes and actual operational practice frequently diverge — particularly in large, complex programmes that have grown over time. The audit process exists precisely to surface that gap. But if the supplier controls all the documentation and the client has no independent access, the gap can stay hidden indefinitely.
What the client now knows — and what they’re doing about it
The audit closed with clear outcomes for two of the three suppliers. Remediation plans are in place. Monitoring frameworks have been established. The client now has structured processes for ongoing supplier oversight that didn’t exist before.
For the third supplier, remediation is ongoing. The documentation framework we built gives the client a clear structure for what to request, when to expect it, and how to assess whether what’s submitted is genuinely fit for purpose. Critically, the client is now managing this process directly — with our support — rather than accepting reassurances at face value.
That shift in posture matters as much as any specific compliance outcome.
There’s also a broader transition underway — a significant operational change to new managed systems that creates fresh risks around headcount tracking and compliance reporting. We’ve flagged these clearly. They’ll need monitoring in future audit cycles. The work isn’t finished; it’s moved into a new phase.
You cannot govern what you cannot see
The principle at the heart of this engagement is simple: outsourcing the operation of your extended workforce programme doesn’t mean outsourcing accountability for it. The compliance risk sits with you. The regulatory exposure sits with you. If something goes wrong, it’s your organisation that answers for it.
That’s why independent oversight matters — not as a check on suppliers who are doing something wrong, but as a baseline expectation for any organisation that has handed significant operational responsibility to a third party. As we explore in our article Is Your Extended Workforce Missing a Conductor?, the governance function — the independent view across the whole programme — is the piece that most commonly gets lost when operations are outsourced. And it’s the piece that’s hardest to recover once it’s gone.
Compliance audits are one mechanism. But the more fundamental question is whether your organisation has the visibility, the access, and the independent capability to know what’s actually happening in your programme — not just what you’re being told.
If you’re not sure of the answer, that’s worth exploring.
If supplier compliance or programme visibility is on your radar, we’d love an informal conversation about what you’re trying to achieve. No agenda, no pitch — just a conversation. Book a time with us here →
RedWizard — Operating at the heart of the workforce ecosystem.
Written by:
Founder
I’m Jools, founder of RedWizard. I’ve spent 20 years in strategic PMO design — the last 12 of which has been working at the heart of the extended workforce ecosystem inside major global organisations. We’re deeply customer-centric because that’s where we come from. For over a decade, we’ve acted as an extension of our clients’ capability, bridging their gaps in extended workforce management knowledge.
I started RedWizard because I kept seeing the same problem – brilliant people across HR, Procurement, Finance, and Operations all trying to solve workforce challenges in isolation. Nobody was connecting the dots. That’s what we do — we help organisations connect the functions that manage their extended workforce, whether that’s governance, compliance, supplier enablement, training, or strategic planning.