Hero illustration for the Compliance Evidence Record solution

The evidence pack the inspector asks for - already assembled, before you knew which inspector was coming

AML supervisor visit on the Tuesday. By the Saturday before, I was reconciling Credas PDFs out of one folder, Thirdfort exports out of another, SAR references out of a shoebox on the partner’s desk. I lost a weekend with my kids for a forty-minute meeting.

The HMRC AML supervisor on Tuesday. The EHO who walked into the bakery this morning. The Ofsted inspection in November. The CQC visit next month. The disputed C2 query six months after the EICR was signed. The 14-day Sale of Goods Act notice on the abandoned storage unit. The annual MCS surveillance audit. The pet-services council star rating that customers read on the council website before they ring you. Every regulated UK business has the same problem: the cert / photo / risk assessment / consent that the inspector wants existed at the moment the work was done, but it lives in eleven places - the iPad, the WhatsApp thread, the Google Drive, the bookkeeper’s email folder, the employee’s phone, the partner’s desk - and the assembly that turns it into the evidence pack the inspector accepts is what eats Friday afternoons for a fortnight before every visit.

This is the build that captures the evidence at the moment it’s true: the photo while the engineer’s on site, the cert PDF as it’s issued, the consent at the patient’s signature, the timestamp at the audit event. Each artifact stores against a structured per-property / per-patient / per-site / per-cohort / per-contract record. When the supervisor’s on the calendar - or the dispute lands six months later - the pack assembles to the format that regulator expects, version-stamped against the framework that was current the day it was issued. The shape is sealed against HC Electrical, where the audit-trailed cert record runs across EICR + EV-installer + commercial-CDM work and the disputed-C2-six-months-later question gets answered from the log, not from memory.

What gets lost between the work and the evidence

Every regulated business loses the same thing in a slightly different costume. A few moments - pick the ones that sound like your last visit:

EICR-specialist electriciansthe C2 the letting agent’s bookkeeper’s disputing six months on; you can remember which property but not which day, and the photo’s on a phone you’ve since traded in. The agent’s asking for the raw test readings to back up the call, and your defence is “I always do it the same way”.
Commercial-fit-out builders and commercial sparksthe CDM RAMS for the August site, the F10 the principal contractor needs to see the acknowledgement of, the construction-phase plan version the QS asked about, the RIDDOR notification five working days after the Thursday accident - four different folders, four different formats, and the HSE’s letter arrived on Tuesday.
MCS solar and heat-pump installersthe annual MCS surveillance audit; the assessor wants the commissioning measurements, the photo evidence at each stage, the customer handover signature, the DNO G99 confirmation, and the EPC uplift evidence on three random installs from the last twelve months. You can find two of them.
Letting-agent retainer workthe per-property compliance stack (EICR + gas + EPC + smoke-and-CO + Legionella ACoP L8 + HMO licence + selective licensing where it applies) on 200 properties, every cert with its own renewal cycle, and the agent who rings every Tuesday wanting to know which ones are coming due.
Accountants under AML supervisionthe per-client Credas / Thirdfort / SmartSearch ID-and-V record + Source-of-Funds narrative + risk-rating field + ongoing-monitoring log + the SAR-to-NCA references on the two high-risk clients; the HMRC supervisor’s checklist runs forty boxes and you’d rather not reconcile it on the Saturday before.
Solicitors on Lexcel / CQSthe AML pack the SRA looks for, the Source-of-Funds dossier on the conveyancing client, the per-matter file-review record, the per-employee training log, all of it ready for a firm-wide review with one week’s notice.
Aesthetic clinics and private GPthe photo-consent state per image, per use; the patient who’s withdrawn consent on the social media use but kept it on clinical record use; the JCCP-side evidence the practitioner is competent to that treatment; the MHRA Yellow Card the manufacturer wants on the bruising incident.
Tutors and nurseriesthe DBS-Update-Service monthly check, the KCSiE September refresh on every member of staff, the Prevent training cycle, the first-aid renewal cohort, the safeguarding-incident log; Ofsted want it in their format, on the morning of the visit.
Self-storage operatorsthe abandoned-unit cataloguing-and-photographing-and-statutory-notice timing under the Sale of Goods Act 1979; the auction at day 120 only stands up if the photo history and the notice timing did.
Holiday-let owners under the 2026 short-term-let registrationthe registration certificate, the gas safety, the EPC, the EICR (where it applies), the fire-risk assessment for the larger lets; broadcast to every listing channel without you typing the same number into eight portals.
Craft food and drinkthe FSA-expected 4-hour recall window; if a batch comes back, the trace-forward and trace-backward have to land while the EHO is still on the line.

These aren’t problems for a Drive folder and a hopeful spreadsheet. They’re the bit between the work and the evidence, which is where the regulator’s confidence in you actually lives.

The Friday-afternoon evidence-pack assembly - the weekend before the supervisor visit

What solved looks like

1. Capture at the moment it’s true, not a week later at the desk

The “I’ll write it up tonight” moment: the engineer takes the measurements on site, the practitioner takes the photo at the clinic, the foreman flags the near-miss on the scaffold - and the write-up doesn’t happen until Sunday evening, by which point three of the photos are gone, two of the readings are reconstructed from memory, and the timestamp on the audit log says Sunday 21:43 instead of Wednesday 10:18. The first regulator question is “when exactly did this happen” and you’d rather it didn’t say Sunday evening.

Solved looks like: the evidence is captured as part of the operational moment, not as a separate write-up. The engineer’s phone takes the photo at the install with the slug pre-filled - meter-cut-out / charge-point-against-wall / customer-ID-document / commissioning-screen - and the moment lands on the per-property record with the timestamp the phone says, the GPS coordinates the phone says, and the framework version (BS 7671 Amendment 2:2022, KCSiE 2026, MCS scheme version current) tagged on. The Sunday-evening write-up isn’t a smaller piece of work; it’s the work that doesn’t happen any more.

2. Structured per-record storage, not eleven folders

The “where’s the EPC on 14 Mill Lane” moment: the bookkeeper’s asking. You can find the EICR (it’s in the Drive folder labelled Mill Lane March), the gas safety (it’s in the bookkeeper’s email from August), the EPC (it’s on the energy assessor’s portal you haven’t logged into in two years), the smoke-and-CO (you remember installing them but the photo’s on a phone you traded), the Legionella risk assessment (the property manager has it). One property, five places.

Solved looks like: every customer / property / patient / site / contract is a record. The cert, the photo, the consent, the audit log all attach to the record at issuance. The agent asks about 14 Mill Lane; you open one row and every artifact for that property is on screen - EICR with the next-due date five years out, gas safety with the next-due date twelve months out, EPC with the rating, smoke-and-CO with the install photo, Legionella ACoP L8 with the temperature log. Same shape per vertical: per-patient at the clinic, per-site on the CDM-substrate job, per-cohort for the safeguarding register, per-contract for the AML record.

3. Per-regulator pack assembly, not a Word-document Saturday

The “they want it in their format” moment: the HMRC AML supervisor wants column-A column-B column-C, with retention periods in one place and the SAR references in another. The SRA’s Lexcel reviewer wants a different layout. The CQC inspector wants a different layout again. So Saturday is reformatting evidence three times for three regulators who all want the same underlying data.

Solved looks like: the underlying record is one. The pack template is per regulator - HMRC AML, SRA Lexcel / CQS, CQC, Ofsted, FSA, EHO, MCS surveillance, JCCP / Save Face, HSE F10 / RIDDOR, the council pet-services star-rating template. When the visit’s on the calendar (or when a dispute lands without warning), the pack generates to the format that regulator expects, with the retention periods, the redaction rules, and the column ordering already mapped. The Saturday-afternoon Word document stops being a quarterly event.

4. Audit trail by default, not as a retrofit when the dispute lands

The “I never received the cert” moment: the agent’s bookkeeper says she never got the cert. You sent it. You think you sent it. You can’t prove you sent it. So you re-send it and the conversation moves on, except this time it doesn’t - she’s saying the C2 wasn’t there, and you can’t show her the audit log of when the cert was issued and what was on it.

Solved looks like: every issuance, every download, every edit, every cert-tick, every consent change is timestamped and logged on the record. The agent disputes the C2 - you open the cert audit and the original test readings, the original photo set, and the original issued at 14:32 Wednesday 6 March 2024 with C2 noted on circuit 4 with photo evidence attached are there. Same for the consent that was withdrawn on the social media use but kept on clinical record use; same for the SAR reference that was added against client X on the date the partner authorised it; same for the safeguarding-incident note added on Tuesday at 09:18.

5. Anniversary-driven renewals on the same engine, not a wall planner

The “the EICR’s lapsed and the agent’s emailing” moment: the cert was due last week. You’d have got to it but the wall planner’s three rounds behind and the property’s already off the market for the inspection lapse. The agent’s email is testy. You hit November with twelve certs already over, and the bookkeeper queries who pays for the agent’s lost rent.

Solved looks like: each artifact carries its next-due date as a first-class field. The renewal cadence runs at -90 / -60 / -30 / -7 days on the channel the customer prefers, and the renewal hand-off to the Recurring Service Recall flow drafts the renewal proposal at -90 with the previous price plus the per-customer inflation rule. The KCSiE September refresh fires on every staff record in August; the DBS Update Service runs the monthly check on every cohort member; the MCS surveillance cycle queues the random-install audit pack four weeks before the assessor’s visit window opens.

6. Version-stamping so the framework moving doesn’t catch you out

The “but they did it under the old wiring regs” moment: the cert was issued under BS 7671 Amendment 2:2022. Three years on, Amendment 3 is in. The dispute asks why you didn’t flag a code that wasn’t a code under the version current at issuance. Without version-stamping, you reconstruct what the standard was on the day - and the assessor’s already lost confidence.

Solved looks like: every artifact is tagged at issuance with the framework version current that day - BS 7671 amendment number, KCSiE year, MCS scheme version, post-Grenfell Building Safety Act 2022 status, ACoP L8 revision, GDPR Article 9 framework. When the framework moves, existing artifacts retain their issued-version tag; new artifacts pick up the new version; the per-version pack is generable for the disputed-six-months-later case, with the wording that was current on the day it was issued.

One property, every cert - the row that ends the Tuesday-morning bookkeeper call

How the evidence engine runs, by default

The default trade-side cert-record cadence runs:

Issuance momentengineer / practitioner / foreman captures the artifact on the phone with the slug pre-filled. Photo + reading + timestamp + GPS + framework-version land on the record. The customer-facing PDF generates from the record, not as a separately-typed Word document.
Issuance + 1 daythe customer / agent / property manager gets the cert through the Customer & Third Party Portal with the per-property row updated and the per-pack download available.
-90 / -60 / -30 / -7 days before next-duethe renewal cadence fires in your voice on the channel the customer prefers, with the Recurring Service Recall proposal drafted at -90.
Past-duethe out-of-compliance flag surfaces on the dashboard with the recovery action queued.
Regulator-visit momentthe per-regulator pack assembles on demand. The HMRC AML pack at 09:00 on the morning of the supervisor visit. The Ofsted pack the moment the inspection’s confirmed. The HSE F10 pack the day after the notification was filed.
Dispute momentthe per-cert audit log opens with every state change, every download, every edit; the version-stamping shows what the framework was the day it was issued.

Per-vertical tuning lives on top - the aesthetic-clinic per-image-consent state with per-use granularity, the construction CDM substrate with the F10 / RIDDOR / construction-phase-plan layer, the AML per-client risk-rating with the ongoing-monitoring log, the Sale of Goods Act 14-day-notice timing on the abandoned-storage unit, the FSA 4-hour recall window with the trace-forward and trace-backward, the pet-services star-rating template that drives the council page.

Who this is for

The shape repeats across every UK regulated business that has to evidence its work to a third party who wasn’t in the room.

Reactive trades on a compliance substrate - electricians (EICR specialists, commercial sparks, EV installers), gas engineers (landlord CP12, boiler installers, heat-pump installers, commercial-catering gas), plumbers (commercial plant-room with ACoP L8, leak-detection insurer-panel evidence, property-management lettings), roofers (commercial-maintenance PPM, storm-damage loss-adjuster evidence), MCS installers (solar PV and battery), decorators (commercial-contract intumescent + FIRAS / IFC witness, property-maintenance HMO records), tree-surgery BS 3998 + LOLER + WAH.

Commercial trades on the CDM substrate - commercial-fit-out builders, construction GCs. RAMS, F10 acknowledgement, construction-phase plan, RIDDOR log, CHAS / SafeContractor / Constructionline / SSIP audit-trail.

Regulated professional services - accountants under AML supervision (HMRC / ICAEW / ACCA), solicitors on Lexcel / CQS, professional-services firms on FCA-adjacent and SRA-regulated work.

Clinical and care - aesthetic clinics on JCCP / Save Face, private GP CD register, vet practices, dental practices, domiciliary care under CQC.

Local-licensed businesses - pet-services on the council star-rating, tutors and nurseries on Ofsted + DBS + KCSiE + Prevent, holiday lets on the 2026 short-term-let registration, self-storage on Sale of Goods Act abandoned-goods workflow, funeral directors on disbursement and dignity-record evidence, lettings on the per-property compliance stack, hospitality and wedding venues on PRS / PPL / fire-safety / wedding-licence.

Agriculture and craft food and drink - agriculture multi-audit (Red Tractor / LEAF / SFI / supplier scheme), craft food and drink batch-traceability with 4-hour FSA recall (the batch-traceability-recall shape sits inside this engine - same record discipline, food-and-drink artifacts).

Same engine; different artifact; different regulator; different pack format.

The closest thing we’ve already built

HC Electrical - live audit-trailed cert record running across EICR + EV-installer + commercial-CDM work. Raw test readings + photos + timestamped notes + BS 7671 amendment version stored per cert; the disputed-C2 query six months later gets answered from the log, not from memory. The clearest reference for any trade business carrying a cert substrate that gets disputed by a third party. (Named pull-quote + final-£ outcome figures hold behind the permission checklist; see Hc Electrical for the build detail.)

pharmaceutical-analytics.com - the audit-trail-by-default dashboard pattern, applied to operational data captured at every event. The same shape underpins the evidence-pack assembly side of this build: structured data in, regulator-ready format out.

MMI Services - proof we can take over and modernise older internal compliance systems where they exist. Useful when a practice or trade firm has an existing compliance setup that has to keep running alongside the new flow - we wire to it rather than rip it out.

The cert-renewal hand-off uses the Recurring Service Recall cadence for the -90 / -60 / -30 / -7 anniversary nudges; the third-party view for the agent / property manager / supervisor uses the Customer & Third Party Portal read-only surface; the day-of-issuance comms run through the Booking & Review Loop cascade.

The Tuesday-morning pack download - supervisor visit at 10:00, pack ready at 09:00

Tell us where the evidence is now

What evidence you hold today - what’s in the iPad, what’s in the Drive, what’s in the WhatsApp thread, what’s in the bookkeeper’s email, what’s in the shoebox on the partner’s desk. Tell us the last regulator visit / dispute / audit you handled and how long the assembly took, and the next visit / supervision / inspection you’ve got coming up. Send an enquiry - we’ll come back with a sketch of what we’d capture, what we’d store, and what the pack would look like for your business. No demo, no calendar widget. Email reply, scoped sketch, you decide.

FAQ

Will it work with our existing practice / case-management / supervision system (Karbon, Senta, CCH, Iris, Cliniko, Dentally, Pabau, Reapit, Alto, MyDentist)?

Yes for all of those, and yes for the ones we haven’t named. The evidence engine reads cert / consent / audit / submission events from your system of record and writes the assembled pack back. Where you don’t run a system of record yet, the engine’s own record layer is the source of truth, and we can migrate when you’re ready. The bookkeeping / case-management side stays where it always was.

What about the regulator-specific formats - does it produce an SRA-format pack vs an HMRC-format pack vs an Ofsted-format pack vs a CQC-format pack?

Per regulator. The pack templates carry the format that supervisor expects - column ordering, field names, retention periods, redaction rules, the wording that’s current on their checklist. When the regulator updates the format, that’s a config update on the retainer; the underlying record doesn’t change.

Will it stand up in a tribunal / court / professional-conduct hearing?

The evidence record + audit log is the evidence pack a solicitor or regulator-defence advocate will ask for first. We’re not your solicitor - for contested matters past Letter Before Action you’d want one - but the trail the build produces is what they will ask you to produce, and we’re explicit about not crossing the line into giving you regulator-defence advice.

What about photo-consent - particularly for clinical, aesthetic, vet, and nursery work?

Per-image consent state with per-use granularity (treatment-plan reference yes, social-media use no, before-and-after-gallery yes-with-face-blurred, marketing-website no). The patient / parent / owner can withdraw consent at any point from her phone; the withdraw triggers a system-wide cascade that removes the image from the active uses she withdrew from, while keeping it on the clinical / treatment record where required. GDPR Article 9 / GDPR-UK special-category data is the baseline standard, not an add-on.

Does version-stamping mean my old certs get re-tagged when the framework moves?

No. The existing certs retain the version they were issued under (BS 7671 Amendment 2:2022, KCSiE 2025, MCS scheme version current that day). New certs pick up the new version. The per-version pack is generable on demand so the disputed-six-months-later case sees the wording that was current the day the work was done, not the wording current the day of the dispute.

Can we sign off our own pack templates, or does the regulator’s format have to be the only one?

Both. The default per-regulator pack template covers the supervisor’s checklist out of the box; a per-firm overlay carries any extra evidence you want included (the audit-prep notes, the partner sign-off field, the per-client risk-rating narrative the firm writes against the regulator’s framework). The pack assembles with the regulator format as the spine and your overlay layered on top.

What about the bits we don’t do - does the system know where our scope ends?

Yes. The build is shaped around evidencing the work you did against the framework you’re responsible for. It doesn’t hold scheme membership for you (Gas Safe, NICEIC, MCS, NFRC, RECC, CQC, SRA, FCA, Lexcel all stay with the named accountable party - we don’t replace your accreditation, we evidence what you do against it). It doesn’t act as your defence advocate. It evidences your work in the format the regulator expects.

Does it replace our PMS / case-management / supervision software?

No. It sits on top. The evidence engine reads the events your existing system already produces and writes the pack assembly back. If you don’t have a system of record yet, we can be it; if you do, we wire to it. The retainer covers framework updates as they move.