What is a body leasing supplier audit?
Definition and purpose of a supplier audit
A body leasing vendor audit is the process of systematically reviewing and evaluating a company that provides IT specialist staffing services (body leasing / IT staff augmentation), conducted by a current or prospective client. The purpose of the audit is to verify that the supplier meets certain standards of quality, security, and legal compliance, and that its processes and practices are consistent with the client’s expectations and requirements. It is an instrument of vendor risk management and quality assurance of the cooperation.
In an industry where IT specialists have direct access to sensitive systems, source code, and business data, a thorough supplier audit is not just a best practice but often a regulatory necessity. According to industry research, over 75% of large enterprises conduct regular audits of their IT staffing providers.
When is an audit conducted?
An audit of a body leasing supplier can be conducted at various points in the engagement lifecycle:
Before establishing cooperation (Pre-Engagement Audit)
As part of the process of selecting and evaluating potential suppliers to ensure they meet the customer’s minimum requirements. This is particularly important for:
- First-time engagements with a new supplier
- High-value contracts with significant financial commitment
- Projects with elevated security requirements (e.g., financial sector, healthcare)
- Requirements for specific certifications (ISO 27001, SOC 2)
During the course of cooperation (Ongoing Audit)
Periodically (e.g., annually) or ad-hoc (e.g., in response to an incident or change in requirements) to monitor service quality, contractual compliance, and adherence to standards. Regular audits ensure the supplier continuously maintains the agreed-upon standards.
For specific requirements (Triggered Audit)
When a customer has specific data security requirements (e.g., from industry regulations like GDPR, PCI DSS, NIS2) or quality standards (e.g., ISO). Triggers may include:
- Security incidents or data breaches
- Changes in regulatory requirements
- Mergers, acquisitions, or organizational restructuring
- Complaints about the quality of provided specialists
Scope of the audit
The scope of the audit can vary depending on the client’s goals and needs. Most commonly, it includes an assessment of the following areas:
Recruitment and selection processes
- Sourcing strategies: How and where are candidates identified?
- Screening procedures: What technical tests, interviews, and assessments are conducted?
- Reference checking: How are references from previous employers and clients verified?
- Qualification verification: Are educational credentials and certifications validated?
- Background checks: Are background checks performed, especially for security-sensitive positions?
Human resource management
- Practices related to hiring, training, development, and management of specialists (contractors)
- Onboarding processes for new staff members
- Performance evaluation systems and feedback mechanisms
- Employee retention strategies and turnover rates
- Continuing education programs and technology upskilling
Information security
| Audit Area | Checkpoints |
|---|---|
| Policies | Information security policy, acceptable use policy, BYOD policy |
| Access control | Authentication, authorization, privileged access management |
| Data protection | GDPR compliance, data processing agreements, privacy by design |
| Network security | VPN, firewall, network segmentation |
| Endpoint security | Device encryption, MDM, antivirus/EDR |
| Training | Security awareness training, phishing simulations |
| Incident management | Incident response plan, reporting procedures |
| Certifications | ISO 27001, SOC 2 Type II, Cyber Essentials |
Service quality and contract management
- Processes for managing customer relationships and SLA monitoring
- Customer satisfaction measurement and feedback processing
- Handling of requests and complaints
- Compliance with contract terms and conditions
- Escalation procedures for performance deviations
Financial stability and business continuity
- Assessment of the supplier’s financial health (credit rating, revenue trends)
- Business Continuity Plans (BCPs) for unforeseen events
- Disaster recovery plans and testing schedules
- Insurance coverage (professional liability, cyber insurance)
- Key person dependency and succession planning
Legal compliance
- Compliance with applicable labor, civil, and tax laws
- Proper contract structuring (service agreement vs. temporary staffing)
- Temporary staffing licenses and permits (where applicable)
- Misclassification risk assessment (employee vs. contractor)
- Compliance with anti-bribery and anti-money laundering regulations
Methods of conducting an audit
The audit can be carried out through various methods:
Documentation review (Desk Review)
Analysis of policies, procedures, certificates, contracts, and other documents provided by the supplier. This is often the first step and can be conducted remotely. Key documents to review include:
- Information security policies and procedures
- Recruitment process documentation
- Quality management system documentation
- Business continuity and disaster recovery plans
- Insurance certificates and financial statements
Questionnaires and surveys
Sending detailed self-assessment questionnaires to the supplier. Standardized frameworks like SIG (Standardized Information Gathering) or CAIQ (Consensus Assessments Initiative Questionnaire) can serve as a foundation.
Interviews
Conversations with key supplier personnel responsible for specific areas — e.g., CISO, HR Director, Quality Manager, Compliance Officer. Interviews provide deeper insight than documentation alone and can reveal gaps between documented policies and actual practices.
On-site visit (On-Site Audit)
A direct visit to a vendor’s site to observe processes and verify security features. While less common for IT services than in manufacturing, on-site audits may be required for high-security engagements.
External audits and certifications
Leveraging the results of audits conducted by independent certification bodies (e.g., ISO 27001 audit, SOC 2 Type II report). A current SOC 2 Type II report can significantly reduce the audit effort required by the client.
Audit scoring system
A structured approach to evaluating audit findings typically includes:
| Rating | Meaning | Action |
|---|---|---|
| Compliant | Requirement fully met | No action required |
| Partially compliant | Requirement partially met, low risk | Improvement action with deadline |
| Non-compliant | Requirement not met, significant risk | Immediate corrective action required |
| Critical | Severe deficiency, high risk | Escalation, possible suspension of cooperation |
Benefits of the audit
Regular audits of body leasing suppliers allow the client to:
- Risk minimization: Reduce risks associated with working with external partners, including security, compliance, and quality risks
- Standards assurance: Ensure compliance with internal standards and regulatory requirements
- Quality verification: Verify the quality of services provided using objective criteria
- Continuous improvement: Identify areas for improvement in the cooperation
- Trust building: Build more transparent and trusting relationships with suppliers
- Regulatory compliance: Demonstrate due diligence to regulatory authorities
- Benchmarking: Compare different suppliers against consistent criteria
Common audit findings
Based on industry experience, the most frequently identified issues during body leasing supplier audits include:
- Insufficient background checks: Candidates not properly screened before placement
- Weak access management: Former contractors retaining system access after engagement ends
- Missing or outdated NDAs: Non-disclosure agreements not in place or not regularly renewed
- Inadequate security training: Contractors not receiving client-specific security awareness training
- Poor documentation: Incomplete records of candidate qualifications and project assignments
- Subcontracting without approval: Suppliers using subcontractors without client knowledge or consent
Best practices for supplier audits
- Risk-based approach: Focus the audit scope on the areas of highest risk for your organization
- Regularity: Conduct audits on a fixed schedule (annually for strategic suppliers)
- Standardization: Use consistent audit checklists and evaluation criteria across all suppliers
- Follow-up: Track identified deficiencies persistently until resolution
- Collaboration: View the audit as a shared improvement opportunity, not a punitive exercise
- Documentation: Record all findings, actions, and deadlines in writing
- Escalation paths: Define clear escalation processes for critical findings
- Proportionality: Scale the audit depth to the risk profile and value of the engagement
Summary
A body leasing supplier audit is an essential instrument for vendor risk management and quality assurance in the IT staffing industry. It enables clients to verify adherence to security, quality, and compliance standards and to establish an informed basis for selecting and continuously evaluating suppliers. In an era of increasing regulatory requirements and growing cyber threats, the systematic auditing of IT staffing providers is not merely a best practice but a business necessity for any organization that relies on external IT talent.