
BS7858 Audit Failures: The Most Common Gaps and How to Fix Them Before the Auditor Arrives

April 21, 2026

A security compliance guide published this year found that up to 70% of UK security incidents trace back to compliance audit failures. Not technology failures. Not external threats. Failures in the internal processes organisations put in place to manage who they hire and how they document it.

That number did not surprise me. In 18 years of running employment screening operations, I watched exactly that play out. Organisations that were confident they had it covered. Organisations that had been running BS7858 screening for years. And then an auditor arrived and the gaps appeared, one after another, in the files.

The question is never whether you are running the checks. It is whether you can prove it, correctly, when someone sits across from you with a clipboard.

What Most Organisations Get Wrong

The most common mistake I saw was not cutting corners on the checks themselves. It was the assumption that doing the checks was the same as being compliant. Those are two entirely different things.

BS7858 is not just a list of tasks. It is a documented framework. Every check needs a paper trail. Every decision needs a recorded rationale. Every file needs to be complete, retained correctly and reviewable by anyone who needs to examine it.

When organisations treated BS7858 as a checklist to run through rather than an audit trail to build, that is when the problems appeared. I trained my own teams and the clients using our screening service. The gap I saw most often was not ignorance of what the standard required. It was the assumption that process alone was enough. It is not.

The Audit Failures That Come Up Again and Again

Here are the specific gaps that auditors find. These are not theoretical. They are the things I saw in real organisations, repeatedly.

Employment history gaps left unexplained

BS7858 requires a continuous five year employment history. Any gap of 31 days or more must be accounted for. Not noted. Accounted for, meaning explained and evidenced. I saw files where gaps were clearly visible in the timeline but nothing had been done to document what the candidate said, whether the explanation was credible or how the decision to proceed was reached. That is an immediate audit failure.

No documented rationale for decisions

Passing a file is a decision. So is proceeding with a candidate who has a gap, a financial issue or an adverse finding. That decision must be recorded in writing, with the reasoning set out by the person who made it. Files that showed the checks but no evidence of who reviewed them or why the outcome was reached left organisations completely exposed when challenged.

Consent records incomplete or missing

Screening under BS7858 requires informed candidate consent. The consent must be documented, signed and retained in the file. I saw consent forms that were incomplete, unsigned or simply absent. If the consent record is not in the file, you cannot show that the checks were lawfully run, so the whole file fails regardless of what checks were completed.

Overseas checks missed or not evidenced

Any candidate who has lived overseas for six months or more within the last five years requires an international criminal record check. This tripped organisations up repeatedly. Either the overseas history was not identified during screening, the check was not run, or it was run but the evidence was not retained in the file. Auditors look for this specifically.

Credit check records not retained

BS7858 requires a financial probity check including a six year credit search. The certificate must be retained as part of the file. I regularly found organisations that had run the check but kept no copy, or had recorded only a tick in a box. That is not sufficient evidence for an auditor.

Files not retained for seven years

BS7858 is clear. Screening files must be kept for a minimum of seven years after the individual leaves the organisation. I found organisations deleting files on a shorter cycle because nobody had formally set a retention policy. That is a failure against the standard, and having no documented retention period is itself a problem under UK data protection law, which expects you to define and justify how long you keep personal data.
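To turn those six audit points into something a screening team can run against its own records before the auditor does, here is an added example (my code, not the page's or Vetting Hub's): a small Python checker that models a screening file and reports the documentation gaps listed above. The thresholds are the ones stated in this post. The 182-day reading of "six months", the choice to count a whole overseas period if any part of it falls inside the five-year window, and the sample candidate record are all assumptions of this example, not wording from the standard.

```python
"""Audit-readiness checker for a BS7858 screening file (added example, not from the post)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Thresholds as described in the post. Verify them against the current edition
# of the standard before relying on this in production.
HISTORY_YEARS = 5
GAP_THRESHOLD_DAYS = 31         # a gap of 31 days or more must be accounted for
OVERSEAS_THRESHOLD_DAYS = 182   # "six months or more"; 182 days is this example's assumption
RETENTION_YEARS = 7             # files kept seven years after the individual leaves


def shift_years(d: date, years: int) -> date:
    """Same calendar day N years away; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class Period:
    start: date
    end: date                           # inclusive
    kind: str                           # "employment", "education", "unemployed", "travel", ...
    country: str = "GB"                 # where the candidate was living during the period
    explanation: Optional[str] = None   # the candidate's account of a non-employment period
    evidence: Optional[str] = None      # reference to the retained document that supports it


@dataclass
class ScreeningFile:
    candidate: str
    screening_date: date
    history: List[Period] = field(default_factory=list)
    consent_signed: Optional[date] = None        # date on the signed consent form
    credit_certificate: Optional[str] = None     # reference to the retained credit search certificate
    overseas_check: Optional[str] = None         # reference to the retained international check
    decision_by: Optional[str] = None            # who reviewed and passed the file
    decision_rationale: Optional[str] = None     # their written reasoning


def window(f: ScreeningFile) -> Tuple[date, date]:
    """The five-year history window ending on the screening date."""
    return shift_years(f.screening_date, -HISTORY_YEARS), f.screening_date


def uncovered_gaps(f: ScreeningFile) -> List[Tuple[date, date]]:
    """Stretches of the window that no period covers at all and that reach the gap threshold."""
    w_start, w_end = window(f)
    spans = sorted((max(p.start, w_start), min(p.end, w_end))
                   for p in f.history if p.end >= w_start and p.start <= w_end)
    gaps, cursor = [], w_start
    for s, e in spans:
        if (s - cursor).days >= GAP_THRESHOLD_DAYS:
            gaps.append((cursor, s - timedelta(days=1)))
        cursor = max(cursor, e + timedelta(days=1))
    if (w_end - cursor).days + 1 >= GAP_THRESHOLD_DAYS:
        gaps.append((cursor, w_end))
    return gaps


def unaccounted_periods(f: ScreeningFile) -> List[Period]:
    """Non-employment periods in the window that are long enough to count as a gap
    but carry no recorded explanation and evidence ("noted" rather than "accounted for")."""
    w_start, w_end = window(f)
    return [p for p in f.history
            if p.kind not in ("employment", "education")
            and p.end >= w_start and p.start <= w_end
            and (p.end - p.start).days + 1 >= GAP_THRESHOLD_DAYS
            and not (p.explanation and p.evidence)]


def overseas_check_required(f: ScreeningFile) -> bool:
    """True if any period of residence outside the UK that touches the window lasted
    six months or more. Whole-period length is used deliberately (conservative reading)."""
    w_start, w_end = window(f)
    return any(p.country != "GB" and p.end >= w_start and p.start <= w_end
               and (p.end - p.start).days + 1 >= OVERSEAS_THRESHOLD_DAYS
               for p in f.history)


def retention_expiry(leaving_date: date) -> date:
    """Earliest date the file may be destroyed: seven years after the individual leaves."""
    return shift_years(leaving_date, RETENTION_YEARS)


def audit(f: ScreeningFile) -> List[str]:
    """Return one finding per documentation failure an auditor would raise."""
    findings = []
    if f.consent_signed is None:
        findings.append("consent: no signed consent record in the file")
    for a, b in uncovered_gaps(f):
        findings.append(f"gap: {a} to {b} ({(b - a).days + 1} days) covered by no documented period")
    for p in unaccounted_periods(f):
        findings.append(f"gap: {p.start} to {p.end} ({p.kind}) has no recorded explanation and evidence")
    if overseas_check_required(f) and not f.overseas_check:
        findings.append("overseas: six months or more outside the UK but no international check retained")
    if not f.credit_certificate:
        findings.append("credit: no retained certificate for the credit search")
    if not (f.decision_by and f.decision_rationale):
        findings.append("decision: no recorded reviewer and written rationale")
    return findings


def example_file() -> ScreeningFile:
    """Constructed sample record (not real data): one explained overseas period, one
    undocumented 77-day gap, consent and rationale missing, credit certificate present."""
    return ScreeningFile(
        candidate="A. Example", screening_date=date(2026, 4, 21),
        history=[
            Period(date(2019, 1, 7), date(2021, 9, 30), "employment", evidence="REF-001"),
            Period(date(2021, 10, 1), date(2022, 5, 15), "employment", country="ES",
                   explanation="Contract role in Madrid", evidence="REF-002"),
            Period(date(2022, 8, 1), date(2026, 4, 21), "employment", evidence="REF-003"),
        ],
        credit_certificate="CREDIT-2026-0417", decision_by="J. Reviewer")


if __name__ == "__main__":
    for line in audit(example_file()):
        print(line)
```

Run it and each line printed is a finding you would have to fix before the audit. The deliberate design choice is that an uncovered stretch and a "noted but not evidenced" period are reported separately, because the post's distinction between noting a gap and accounting for it is exactly where files fail.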

What Getting This Wrong Actually Costs

Failing a BS7858 audit carries real consequences that extend well beyond the audit room.

Loss of SIA Approved Contractor Scheme status can effectively end your ability to operate in the security sector. Contracts are conditional on certification and they will not survive its removal. Where an organisation cannot demonstrate a compliant process and someone hired under that process goes on to cause harm, negligent hiring claims become a serious civil liability. Litigation in those cases is expensive and unpredictable regardless of outcome.

For organisations operating under government contracts, an audit failure can trigger a formal contract review and in some cases termination. Reputational damage in a sector built entirely on trust is harder to recover from than any financial penalty. I saw it take years.

Charlotte Is the Solution

If this post has raised questions about where your own BS7858 process stands, Charlotte can give you answers right now. She is not a generic AI tool. She is the closest thing to having me available to your organisation every hour of every day, built on 18 years of real operational experience across 352 compliance topics covering the full scope of UK employment screening, vetting, compliance and risk.

Whatever this post has raised about your audit trail, Charlotte can go further. Ask her what your file documentation should look like, how to handle an adverse finding, what evidence an overseas check needs to leave in the file or where your consent records are likely to fall short. You will get a clear, practical, expert answer immediately.

To give you a sense of what Charlotte can do on this topic, here is the question I put to her and the answer she came back with.

Question put to Charlotte: What are the documentation failures most likely to cause a BS7858 audit to fail, and what should employers put in place to fix them before an auditor arrives?

Charlotte's answer: The failures auditors find most often are undocumented employment gaps, missing decision rationale, absent consent records and incomplete overseas check evidence. For each file, you need a signed consent form, a continuous five year employment history with every gap of 31 days or more explained and evidenced, a recorded decision note showing who reviewed the file and why they were satisfied, and retained certificates for every check run. Files must be kept for seven years after the individual leaves. If any of those elements are missing, the file is not compliant regardless of what checks were completed.

Charlotte provides expert guidance based on 18 years of real operational experience in UK employment screening and vetting. She does not provide legal advice. For legal matters specific to your organisation, always consult a qualified solicitor.

Your subscription also includes 18 CPD certified vetting and screening courses and 22 digital compliance toolkits, all built from real operational experience, all included from day one. The depth and the tools are there whenever you need them.

Everything described above for £79 per person per month. Named user licence. Everything included from day one. Nothing extra to buy.

Related Courses

The following courses are included in your subscription and cover this topic in depth.

  • BS7858 Screening Standard: Audit Ready Compliance
  • Defensible Screening Decisions: How to Assess Risk, Record Judgements and Survive an Audit
  • Employment Screening Essentials: The Complete Professional Guide

Related Toolkits

The following toolkits are ready to download from day one and are included in your subscription.

  • BS7858 Screening Audit Preparation Toolkit
  • BS7858 Employer and Manager Guidance Toolkit
  • Screening Audit Preparation Checklist

Related Posts

If you want to understand the full scope of what BS7858 requires before working through the audit trail, I covered it in full in yesterday's post. It is the right place to start: https://vettinghub.co.uk/post/bs7858-screening-employer-guide

If your screening is outsourced, the assumption that your provider carries the audit liability is one of the most costly mistakes I see. I addressed it directly here: https://vettinghub.co.uk/post/outsourcing-screening-accountability-employer-responsibility

Frequently Asked Questions

What are the most common BS7858 audit failures?

The most frequent failures are undocumented employment gaps, missing decision rationale, incomplete consent records, absent overseas check evidence and files not retained for the full seven year period. Any one of these is enough to fail an audit.

How long must BS7858 screening files be retained?

BS7858 requires screening files to be retained for a minimum of seven years after the individual leaves the organisation. This applies whether they were employed for a week or for many years.

What counts as an employment gap under BS7858?

Any gap in a candidate's five year employment history of 31 days or more must be accounted for. The candidate must explain it, you must document the explanation and you must record how you assessed whether it was credible.

Do I need overseas criminal record checks under BS7858?

Yes. If a candidate has lived overseas for six months or more at any point in the last five years, an international criminal record check is required. The evidence must be retained in the file.

Who is responsible for the BS7858 audit trail if I outsource my screening?

You are. The standard makes clear that accountability sits with the organisation, not the screening provider. Your provider can run the checks. The obligation to ensure the file is complete, retained and reviewable remains with you.

Try Charlotte for Free

The clearest way to understand what Charlotte can do is to ask her a question yourself. The free demo is at https://demo.vettinghub.co.uk/charlotte-demo. No sign up required. Charlotte is trained on DBS topics for the demo and you can ask her anything in that area and see exactly how she works.

The full Vetting Hub subscription gives Charlotte across all 352 topics, the 18 CPD certified vetting and screening courses built from real operational experience and the 22 digital compliance toolkits, from day one, for £79 per person per month. Everything your organisation needs to screen and vet people correctly, in one place, available the moment you subscribe.

Graham Johnson is the Founder of Vetting Hub, which helps businesses get employment screening and vetting compliance right every time.
