IR35 SDS Audit Verifier

(Audit Bundle Verification)

Verify the integrity of an IR35 Status Determination Statement (SDS) audit bundle in seconds. This verifier checks that the documents and supporting evidence inside a Docoply audit bundle ZIP have not been altered after generation — producing a clear PASS/FAIL result plus a detailed file-by-file report.

Important: Docoply is not affiliated with or endorsed by HMRC. This page provides an independent verification tool to support audit workflows.

Verify an Audit Bundle
Request Verifier Access
Verify an SDS audit bundle
Verify tamper-evidence (MANIFEST hashes + optional signature) and evidence traceability for a Docoply bundle ZIP.
HMRC / Audit
Access key is required to prevent public/bot uploads.
Drag & drop your bundle ZIP
or click to choose a file
ZIP • up to 50MB • processed and deleted immediately • ⚖️ Not legal advice
Tip: Download the verification JSON for recordkeeping. If signature verification shows “sodium missing”, install the PHP sodium extension to verify Ed25519 signatures (hash checks still pass/fail).

Why Verification Matters for IR35 SDS Audits

When an SDS is reviewed, the key question isn’t only what the outcome was — it’s whether the supporting artifacts are complete, consistent, and unchanged since the report was produced.

This verifier helps auditors and stakeholders validate:

  • Integrity: the audit ZIP matches its manifest (hashes + file sizes)
  • Consistency: evidence references resolve correctly (where included)
  • Optional authenticity signal: detached signature verification (when present)

What the Verifier Checks

1) MANIFEST Integrity

  • Confirms MANIFEST.json exists and is well-formed
  • Confirms the manifest’s self-hash is correct (tamper-evident manifest)

2) File-by-File SHA-256 Verification

  • Recomputes SHA-256 for each file listed in the manifest
  • Confirms recorded hash + recorded byte length match the actual file

3) Optional Signature Verification

  • If a detached signature and public key are included, the verifier can validate the signature (environment-dependent)

4) Evidence Traceability

  • Checks evidence IDs and cross-references in the bundle’s evidence index where applicable
  • Surfaces missing or inconsistent references as warnings/failures

How It Works (3 Steps)

1

Upload

Upload the audit bundle ZIP file to the verifier

2

Verify

The verifier performs manifest + hash checks (and optional signature/evidence checks)

3

Results

You receive an instant PASS/FAIL result plus a downloadable verification report

Privacy note: Uploads are processed for verification and then removed (site configuration may affect caching/log retention).

Who This Is For

Auditors

Reviewing SDS documentation and supporting evidence

HR / Procurement

Validating audit packs before sharing externally

Compliance Teams

Needing a repeatable verification step in their SOP

Security and Access

To prevent public misuse, the verifier page can require an access key. For convenience, the access key can also be pre-filled from the page URL (e.g. ?key=...) while still enforcing the same server-side verification rules.

What You'll See in the Verification Report

  • Overall PASS/FAIL status
  • Manifest checks summary
  • File-by-file results (OK / FAIL / MISSING)
  • Details for mismatches (expected vs actual hash/length)
  • Optional signature status (if applicable)
  • Downloadable verification JSON for audit records

Need a Demo Audit Bundle?

If you’d like a sample bundle format for internal testing, contact us and we’ll provide a non-sensitive example pack.

Contact Docoply

Frequently Asked Questions

Is this an HMRC tool?

No. Docoply is not affiliated with or endorsed by HMRC. This verifier is provided to support audit-style review and integrity checks.

PASS means the audit ZIP’s manifest + file hashes match the recorded values (and optional checks passed where present). It indicates the bundle contents match what the bundle claims they are.

A FAIL typically indicates alteration, corruption, or mismatch between the bundle and its manifest. The report shows which file failed and what differed.

The verifier is designed to process uploads for verification and remove temporary files. Your hosting and security stack (cache, backups, WAF logging) may still retain metadata per your configuration.

Yes. The verifier can be exposed as a normal webpage so auditors can use it without admin access (access key controls can still apply).

Hash verification still works. Signature verification is optional and depends on whether signature files are included.

Related Tools & Resources

IR35 SDS Generator
IR35 Contract Checker
IR35 Compliance Guide