This guide explains what contractor and supplier compliance management genuinely means for businesses operating under Work Health and Safety (WHS) legislation, principal contractor arrangements, client audit regimes, and increasing supply chain scrutiny.
It is written for business owners, directors, operations managers, and HSEQ professionals who engage contractors or suppliers and remain legally and commercially accountable for how that work is performed.
This guide focuses on system design, oversight, and evidence, not document collection. It explains why contractor and supplier compliance fails in practice, how audits and investigations assess contractor controls, and what defensible compliance looks like when scrutiny increases.
The objectives of this guide are to help organisations:
Contractor and supplier compliance is one of the most misunderstood areas of WHS and operational risk management. Many businesses assume that because work is outsourced, responsibility transfers with it.
Under WHS law, this assumption is incorrect.
Where contractors or suppliers introduce risk, the engaging business retains duties. From the perspective of a regulator, auditor, insurer, or principal contractor, contractor incidents are not third-party problems — they are failures of governance, oversight, and system design.
This is why contractor and supplier compliance is examined closely during:
WHS legislation recognises that multiple PCBUs can owe duties at the same time. Engaging a contractor does not remove or dilute a business’s obligation to ensure risks arising from that work are identified, controlled, and coordinated.
Auditors and regulators assess whether the business that engaged the contractor:
If a contractor is injured, causes harm, or exposes others to risk, investigators do not ask only what the contractor did. They ask why the system allowed the work to proceed in that way.
The concept of due diligence is central to contractor and supplier compliance, yet it is often poorly understood.
Due diligence does not mean eliminating all risk. It means taking reasonable steps to understand and manage risk in proportion to the work being performed.
In contractor and supplier management, due diligence is demonstrated when a business can show that it:
Auditors, insurers, and investigators assess due diligence retrospectively. They reconstruct decisions and ask whether a reasonable person in the same position would have taken similar steps.
Where systems rely on assumptions, informal knowledge, or undocumented decisions, due diligence is difficult to prove.
Most contractor compliance failures are not deliberate. They occur because systems are fragmented, informal, or overly administrative.
Common failure patterns include contractor prequalification being treated as a one-off approval, licences and insurances being collected but not verified for relevance or currency, and inductions being completed without confirming understanding or task-specific application.
Another frequent issue is scope drift. Contractor tasks change over time, but risk assessments, controls, and approvals are not revisited. From an audit or investigation perspective, unreviewed scope changes represent unmanaged risk.
These failures are not usually visible day-to-day. They surface when an audit, incident, or insurance review forces the system to be examined under pressure.
Contractor prequalification is often misunderstood as a document collection exercise. While licences, insurances, and certifications are important, auditors look beyond whether documents exist.
They assess whether the prequalification process:
Collecting large volumes of irrelevant documents while failing to verify task-critical competencies weakens the credibility of the entire process. Effective prequalification is risk-based, targeted, and proportionate.
Contractor inductions are a critical control, yet they are frequently rushed or treated as administrative.
Auditors assess whether inductions:
A signed induction record alone does not demonstrate effective risk communication. Where high-risk work is involved, auditors expect evidence that contractors understood their obligations and how risks are managed on site.
Inductions should be refreshed when conditions, scope, or risks change. Static induction records in dynamic environments are a common audit finding.
Contractor compliance does not end once work begins. Many incidents and audit findings occur during execution, not onboarding.
Auditors and investigators look for evidence that contractor activities are:
A common gap is informal intervention. Unsafe behaviours may be corrected verbally, but without documentation. From an audit perspective, undocumented actions did not occur.
Effective systems embed oversight into normal operations and record decisions consistently.
Supplier compliance is often treated as separate from contractor management. From a risk perspective, this distinction is artificial.
Suppliers may introduce significant safety, quality, and environmental risks through:
Auditors assess whether suppliers are evaluated based on the risk they introduce, not simply cost, availability, or reputation.
Effective supplier compliance systems classify suppliers by risk. Low-risk suppliers may require minimal oversight, while high-risk suppliers require verification, monitoring, and review.
Examples of higher-risk suppliers include:
Failure to assess supplier risk can result in unsafe equipment, non-compliant materials, or inadequate support — all of which may expose the business to enforcement action.
Strong compliance systems produce traceable evidence. This includes records showing that contractors and suppliers were assessed, approved, monitored, and reviewed, and that issues were addressed consistently.
Weak systems rely on email trails, informal knowledge, or individual memory. During audits or investigations, this form of evidence is difficult to verify and rarely sufficient.
Traceability is what allows a business to demonstrate that risks were managed deliberately rather than incidentally.
Contractor and supplier compliance failures often surface during insurance reviews rather than audits.
Insurers assess:
Poor contractor oversight can result in increased premiums, exclusions, or denial of claims. From an insurer’s perspective, unmanaged contractor risk is a leading indicator of future loss.
Businesses with structured, traceable contractor compliance systems are better positioned to demonstrate risk control when claims arise.
After an incident involving a contractor or supplier, investigators reconstruct the system that allowed the work to proceed.
They examine:
Where controls were informal or undocumented, they are treated as non-existent. This is why documentation alone is not enough — evidence must align with practice.
Spreadsheets, shared drives, and email reminders are common tools for managing contractors and suppliers. While workable at small scale, they struggle as complexity increases.
Common issues include:
Auditors increasingly expect structured systems that support consistency, accountability, and visibility across contractor and supplier engagement.
Effective compliance systems are proportionate, consistent, and integrated into normal operations.
Contractors and suppliers are assessed based on risk. Inductions are meaningful. Work is monitored. Issues are documented. Management has visibility over performance and emerging risks.
In these systems, compliance is embedded rather than reactive.
A fit-for-purpose compliance system supports contractor and supplier management by centralising records, enforcing document control, tracking competencies and expiries, and linking contractor activities to risk management and incident reporting.
When designed correctly, digital systems reduce administrative burden while increasing confidence during audits, investigations, and client reviews.
Sherm supports contractor and supplier compliance management by enabling organisations to manage prequalification, inductions, licences, competencies, insurances, and ongoing monitoring within a structured, audit-ready system.
Sherm allows contractor and supplier activities to be linked to risk assessments, incidents, audits, and corrective actions, creating clear audit trails and supporting defensible compliance.
This guide is intended for organisations that engage contractors or suppliers and operate under WHS legislation, principal contractor arrangements, or client audit regimes.
It is particularly relevant to construction, transport, manufacturing, infrastructure, utilities, agriculture, and any business that relies on third-party services to deliver work.
Contractor compliance management is the process of ensuring contractors meet legal, safety, and operational requirements before and during work. It includes verifying capability (not just collecting documents), completing effective inductions, coordinating work activities, monitoring performance, and keeping traceable records that demonstrate due diligence.
Yes. Engaging a contractor does not remove a business’s duties under WHS laws. Multiple PCBUs can hold duties at the same time, and businesses must ensure risks arising from contracted work are identified, controlled, and coordinated. Regulators and auditors assess the system that allowed the work to proceed, not just the contractor’s actions.
Documents should be collected based on the risk and scope of work. Common requirements include relevant licences and competencies, insurances (such as public liability and workers’ compensation where applicable), and evidence of capability for the tasks being performed. Effective prequalification focuses on relevance and verification rather than collecting large volumes of paperwork.
Auditors look for evidence that contractor and supplier risks are managed systematically and consistently. They assess whether contractors are assessed appropriately for the work, inducted before commencing, coordinated with other activities, monitored during work, and reviewed when scope changes. They also expect clear records that demonstrate oversight and follow-through.
Contractor licences and insurances should be verified before engagement and then monitored for currency throughout the relationship. The frequency depends on risk, contract duration, and audit requirements, but many organisations use expiry tracking with periodic reviews to ensure evidence remains current and defensible during audits.
Contractor compliance relates to how work is performed by third parties on your sites or under your control, including inductions, supervision, and coordination. Supplier compliance relates to risks introduced by what is supplied—such as plant, equipment, materials, chemicals, or services—and whether those supplies meet safety, quality, and environmental requirements relevant to your operations.
If contractor and supplier compliance is a material risk area for your business, the next step is to assess whether your current systems genuinely support oversight, traceability, and due diligence.
You can start by using the Contractor Compliance Checklist, or by booking a Sherm demo to see how structured contractor and supplier compliance works in practice.
Book a Sherm Demo to explore contractor and supplier compliance workflows designed for audit-ready operations.