Vetting &Compliance

Compliance that's built in, not bolted on

Run as a project, in a panic before each audit, compliance always leaves gaps in between. Popay builds the guardrails into how people already work, so being audit-ready is a by-product of normal use, not a project you launch.

Vetting before day one
checked · logged
Role & access changes
checked · logged
Offboarding
checked · logged
The problem today

The audit-week scramble

When compliance is something you do before an audit rather than during the work, the gaps show up at the worst moment. This is what that feels like.

The auditor wants proof, and you open three spreadsheets and a mailbox. Are the certifications current? You can't say at a glance.
A hire started in a sensitive role. The background check? “The manager did it, I think.” No record, no evidence.
Certifications expire quietly. Nobody's watching until one has already lapsed.
Every audit is a reconstruction. Evidence assembled after the fact, under time pressure.
The rules moved, and catching up is a project. Another roll-out, another round of change management.
The difference

Two ways to run compliance

One treats compliance as an event you survive. The other makes it a property of how work already happens.

Compliance as a project
Scramble to assemble evidence before every audit.
Gaps between audits that nobody is watching.
Proof scattered across Excels, mailboxes and managers' memory.
“The manager did the check, I think.”
A change-management push every time the rules move.
Compliance by design
Guardrails run in the daily flow, in the background.
Audit-ready is the by-product. The evidence is already there.
One record, one trail: who did what, and when.
Checks gated into the process, so they can't be skipped.
Nothing to roll out. It's how people already work.
Vetting

Compliance starts before day one

Right-to-work and work-permit verification, a valid ID, a background check, a professional registration where the role demands one, captured and documented as part of the joiner flow, and gated, so a hire into a sensitive role can't start with the check still marked "to do".

The evidence sits on the record from the beginning, not reconstructed months later when someone asks. Compliance begins before the first day, not after the first incident.

The check is part of joining. Not a favour someone remembers to do.

Credentials

The things a person must hold, and keep valid

Vetting isn't only a day-one check. Many roles carry credentials with an expiry date, and an expired one is a live compliance exposure. Popay holds them on the record and watches their validity.

Right to work

Work permit and right-to-work status, with the permit's own expiry tracked.

Identity & licences

A valid ID; a driving licence where a company car is involved; a professional registration or nursing licence where the role requires it.

Clearances

Security clearance or medical fitness where the role demands it. Verified, dated, and on file.

Each carries a validity date, monitored in the background. When one nears expiry, a re-verification task fires through Employee lifecycle; if one lapses, the Validation Framework can raise a blocking rule, so nobody is scheduled or paid against an invalid credential. These are things the person must hold; things you issue and want back, the laptop, the badge, the car itself, live in Asset management.

Ready for what's next

When AI enters HR, the guardrails are already there

AI agents will take on screening, scheduling and answering employee questions, and your role shifts from executing to orchestrating and controlling. Compliance by design is what makes that safe: a record of which agent may touch what data, an audit trail of every automated action, and explainability for how a decision was reached. No black boxes.

From executing to orchestrating, with a trail behind every decision.

How it holds together

Compliance isn't one feature. It's enforced across the record

The hard questions don't live in a single module. Popay answers them across the Core HR record, and proof of mandatory training lives in Learn.

Stop running compliance as a project

Build the guardrails into how your people already work, and let audit-ready be the result, not the goal.

Request a demo →
Or talk to one of our product specialists.