Independent Professional Indemnity broker · Bristol

Public-Sector Consultancy PI — Contract Assignment, Novation and Right-to-Audit

A specialist consultancy with twenty-five staff has held a place on a Crown Commercial Service framework for four years and built a steady book of work with a central-government department and two NHS integrated care boards. In year five, a department-wide value-for-money review picks up the consultancy's largest call-off — a £1.6m programme-management engagement supporting a workforce transformation — and triggers the right-to-audit clause in the call-off contract. The auditors ask for the timesheets, the deliverables, the steering committee minutes, the day-rate calculations, the sub-contractor invoices, and the consultancy's quality-assurance records for the engagement. Three months later, the audit report finds that two deliverables fell short of the specification, that a sub-contractor was charged at a rate above the framework ceiling, and that the consultancy cannot evidence the QA process its bid response described. The department issues a formal notice under the call-off contract claiming a refund of £340,000 and reserving the right to terminate.

Public-sector consultancy looks like ordinary consulting from the outside. The work is similar, the deliverables are similar, and the people doing it have often moved between commercial and public-sector engagements throughout their careers. What is different is the legal architecture around the work: the framework rules above the contract, the right-to-audit and information-rights clauses inside the contract, the assignment and novation provisions that determine what happens when departments restructure, the transparency expectations that mean documents may end up in the public domain, and the political risk that turns a routine commercial dispute into something the firm's wider client base will read about.

This guide is for partners, principal consultants and finance directors at UK consultancies that bid for and deliver public-sector work — central government, NHS, local authorities, devolved administrations, arm's-length bodies and combined authorities. It is a companion to our management consultants PI guide, which covers the wider PI landscape for the sector, and to our scope-of-engagement risk guide, which covers the engagement-letter discipline that protects all consulting work.

The framework layer — MCF4, G-Cloud and the rest

Public-sector consultancy is increasingly procured through Crown Commercial Service frameworks rather than standalone tenders. CCS frameworks are pre-competed agreements that allow contracting authorities to call off services from a pre-qualified panel of suppliers without running a full procurement each time. For management consultancy, the principal framework is the Management Consultancy Framework, now in its fourth iteration as MCF4, organised into lots covering business, strategy, financial, organisational, change, procurement, communications and data work. Suppliers bid for a place on the framework, satisfy the technical and financial selection criteria, and then compete for individual call-offs at lot level.

Other CCS routes that matter for consultancies include the Consultancy Framework for programme and project management, G-Cloud where digital advisory and software combine, Digital Outcomes for outcome-based digital delivery, and various department-specific call-off vehicles run by individual departments and arm's-length bodies. The NHS uses its own frameworks operated by NHS Shared Business Services and other intermediaries. Local authorities use frameworks operated by ESPO, YPO, NEPO and similar regional bodies, as well as CCS routes.

Every framework specifies its own minimum insurance requirements at lot level, and individual call-offs sometimes vary those requirements upwards. MCF4 in particular sets out PI minima for the lots within it, alongside public liability and employer's liability requirements. The contracting authority will usually ask for evidence in the form of a broker letter or insurer certificate before the call-off is signed, and may ask for confirmation annually thereafter for the life of the engagement.

The practical point is that framework PI minima are floors, not recommendations, and a firm doing one large call-off may find the call-off itself imposes a higher requirement than the framework lot specifies. The bid response should not assume the framework minimum will be enough; the firm should check the specific call-off documentation against the policy before signing.

Right-to-audit and information-rights clauses

Public-sector call-off contracts include rights for the contracting authority — and frequently for the National Audit Office, internal audit functions, and other oversight bodies — to audit the supplier's records relating to the engagement. These rights typically run for the life of the contract and for a defined period afterwards, often six years, in some cases longer.

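The scope of those rights is broad. A typical right-to-audit clause will allow the authority to inspect timesheets, day-rate calculations, invoicing, deliverables, working papers, sub-contractor arrangements and QA records.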

In practice the auditor is looking for three things: that the work was delivered to the specification, that the charges match the work, and that the supplier did what it said it would do in the bid response. Discrepancies on any of those — a deliverable that fell short, a day rate above the framework ceiling, a QA process described in the bid that cannot be evidenced — can trigger a refund demand, a contract termination, or in serious cases a finding that affects the supplier's framework status.

PI insurance does not directly respond to an audit finding the way it responds to a damages claim. What it can respond to is the underlying civil liability the audit finding crystallises — a deliverable that fell short of the specification, on facts that amount to professional negligence, may produce both an audit-driven refund demand and a separately framed damages claim. The PI policy responds to the claim; whether it responds to the refund demand depends on how the demand is framed and whether the contractual basis for it is characterised as compensation for the firm's breach of duty.

The practical implication is that record-keeping discipline on public-sector engagements matters more than on commercial engagements. The audit may come three or four years after delivery; the firm needs to be able to produce the records on demand and to evidence the methodology its bid response described. A bid response that overstates the firm's QA process or its delivery methodology creates an audit exposure that can outlast the engagement.

Contract assignment and novation

Public-sector contracts move. Departments restructure, arm's-length bodies are created or dissolved, machinery-of-government changes transfer functions from one department to another, NHS bodies are merged or reorganised, local authorities form combined authorities. The call-off contract a consultancy signed at the start of an engagement may, by the end, be held by a different legal entity than the one that signed it.

Most public-sector call-off contracts contain assignment and novation provisions that allow the authority to transfer the contract to another public body without the supplier's consent, subject to notice. The supplier's rights and obligations transfer to the new entity. The supplier's ability to consent to that transfer is usually limited; the practical effect is that the supplier needs to be able to operate the engagement under whichever entity ends up holding the contract.

This matters for PI in three specific ways.

First, the identity of the client for PI purposes may change mid-engagement. If the consultancy notifies a circumstance under its PI policy and identifies the client as the original department, the policy file will need to be updated when the contract is novated. Brokers and insurers handle this routinely but it is worth flagging at the point of novation so the file stays accurate.

Relatedly, the scope of the engagement may change with novation. A workforce transformation programme that made sense for the original department may be modified by the receiving body to fit its own structure. The change-order discipline that protects scope in commercial engagements is just as important here, and arguably more so because the public-sector audit trail will look at it closely later.

Second, post-delivery cover obligations survive novation. If the call-off contract requires the supplier to maintain PI cover for six or eight years after delivery, that obligation runs in favour of whichever entity ends up holding the contract at the relevant time. A firm exiting public-sector work needs to be able to honour that obligation through any subsequent assignment of the underlying client relationship.

Third, dispute resolution clauses may interact with the assignment. Many public-sector contracts route disputes through escalation procedures within the contracting authority before any external resolution; an assignment can affect who the supplier escalates to and on what basis. The consultancy's commercial team should track which entity holds the contract at any time and which escalation chain applies.

Transparency and Freedom of Information

Public-sector contracts above defined thresholds are subject to the government's transparency requirements, including publication of contract awards and key terms. The contract itself may be subject to disclosure under the Freedom of Information Act 2000 if requested, with the standard exemptions applying. Documents created in the course of the engagement — deliverables, reports, business cases — may also be subject to FOIA in the hands of the authority, though commercial-confidentiality and prejudice exemptions are commonly applied.

The practical implication for a consultancy is that the firm should expect its deliverables to end up, in whole or in part, in the public domain at some point. Drafting discipline matters: a deliverable written for the eyes of a steering committee reads differently in a FOIA release than a deliverable written with public release in mind. Recommendations should be substantiated, language should be measured, and assumptions should be stated. Reputational risk from a poorly drafted deliverable that is later released is real and is not something PI responds to.

Data protection and information security

Public-sector consultancy almost always involves access to data — personal data on employees or service users, commercial data on the authority's contracts, sometimes operationally sensitive information. The contracting authority is a controller; the consultancy is usually a processor or, in some cases, a joint controller, and the call-off contract will include data-processing terms that bind the supplier to UK GDPR-compliant handling.

The consultancy's obligations typically include security measures (technical and organisational), sub-processor management, breach notification within tight windows (often 24 hours to the authority, ahead of the 72-hour ICO window), data-return or data-destruction obligations at the end of the engagement, and audit rights specifically over data handling. NHS engagements add an extra layer through the Data Security and Protection Toolkit, which suppliers handling NHS data are usually required to complete.

A data incident on a public-sector engagement is a particularly high-stakes event. The authority will manage its own regulatory response; the consultancy will need to manage its own response, defend the incident under its contract, and may face third-party claims from individuals affected. PI responds to the third-party claims arising from a breach of professional duty; cyber insurance responds to the first-party incident-response costs, the forensics, and the costs of regulatory engagement. Both are usually needed, and the two policies should be placed in a way that avoids gaps.

Claim sources specific to public-sector consultancy

The recurring claim patterns are different in tone from commercial work, even when the underlying allegation is similar.

Specification-shortfall claims following audit. As in the opening scenario — an audit triggered by routine review or by a value-for-money exercise finds that deliverables fell short of the framework or call-off specification. The authority demands a refund or contract variation. The PI exposure depends on how the demand is framed.

Day-rate and time-recording disputes. A right-to-audit exercise identifies time charged at a rate above the framework ceiling, or for time the records do not support. These usually start as commercial disputes; they can escalate into reputational exposure on the framework and, in serious cases, into framework status reviews.

Sub-contractor compliance findings. A sub-contractor used on the engagement did not hold the insurance the framework required, or charged at a rate the framework did not allow, or fell short of social-value or modern-slavery requirements. The main contractor is responsible for the chain.

Bid-response inconsistencies. The bid response described a methodology, a team, or a QA process that the delivered engagement did not match. These claims are uncomfortable because they go to the integrity of the bid as well as the delivery, and they can affect framework status.

Delivery delays on transformation programmes. A workforce or digital transformation programme runs late or delivers less than the business case projected. The authority's review concludes the supplier's advice on planning or governance was inadequate. Defence costs and settlement on contested cases can run into significant six-figure sums.

Conflicts between contracting authority and a downstream beneficiary. A consultancy advises a central department on a policy that affects local authorities or NHS trusts. A downstream body alleges the consultancy's advice produced an outcome it suffered loss from. Third-party reliance principles apply, and the deliverable's reliance language matters.

What to ask your broker before bidding for public-sector work

The pre-bid review should be done by the firm with its broker, not as an afterthought after award. The questions that matter are the following.

Does the policy meet the framework's PI minima and the specific call-off requirements? MCF4 and equivalent frameworks set out lot-level minima; some call-offs exceed those. The certificate of insurance and any specific endorsements need to match.

How does the policy respond to right-to-audit findings? PI does not respond directly to audit refund demands, but it responds to civil liability that an audit finding might crystallise. The wording's response to contractual liability assumed under the call-off contract is worth checking specifically.

How is the policy set up for the long-tail cover obligation? Public-sector call-offs commonly require post-delivery cover for six or eight years; a firm with a four-year framework engagement may end up with a ten-year combined obligation. The run-off question — what happens if the firm ceases trading mid-obligation — needs an answer at engagement, not at retirement.

How are sub-contractors covered? Public-sector engagements often pull in specialist sub-contractors who may not be on the framework themselves. The main contractor's PI policy needs to respond appropriately, and the sub-contractor flow-down terms in the call-off need to be reflected in the sub-contractor's own engagement letter.

How does the policy interact with the firm's cyber cover for data-handling obligations? The Data Security and Protection Toolkit for NHS work and the security schedules in central-government call-offs impose specific obligations that PI alone may not fully respond to.

Where does the firm stand on contractual indemnities the framework or call-off imposes? Public-sector contracts sometimes include indemnity wordings that go beyond what the firm would owe at common law. A wide contractual indemnity that is not picked up by the PI policy is uninsured exposure.

Frequently asked questions

Do CCS frameworks set a single PI limit for all suppliers?

No. Each framework specifies minimum insurance requirements at lot level, and individual call-offs sometimes vary those requirements upwards. MCF4 sets out PI minima for its lots, but a specific call-off may require higher cover, particularly for large or sensitive engagements. The contracting authority will usually ask for evidence in the form of a broker letter or certificate before the call-off is signed. The framework minimum should be treated as a floor for bidding, not a recommendation for the engagement.

What is a right-to-audit clause and what does it allow?

A right-to-audit clause allows the contracting authority — and frequently the National Audit Office, internal audit functions and other oversight bodies — to inspect the supplier's records relating to the engagement. The scope typically covers timesheets, day-rate calculations, invoicing, deliverables, working papers, sub-contractor arrangements and QA records. The rights usually run for the life of the contract and for a defined period afterwards, often six years. A consultancy bidding for public-sector work should build record-keeping discipline to match.

Does PI insurance respond to an audit refund demand?

PI does not respond directly to a contractual refund demand; it responds to civil liability for professional negligence. Where an audit finding crystallises into a claim that is framed as compensation for the firm's breach of duty, PI may respond, depending on how the claim is presented and how the policy treats contractual liability. The same factual position can produce both an audit-driven contractual demand and a separately framed damages claim; the policy responds to the latter. Early notification to the broker and insurer is important.

What happens to my contract if the department restructures?

Public-sector call-off contracts contain assignment and novation provisions that allow the authority to transfer the contract to another public body without the supplier's consent, subject to notice. The supplier's rights and obligations transfer to the new entity. The supplier's commercial and PI position needs to keep pace — the broker should be notified of the novation so that policy records remain accurate, and the consultancy's scope-management discipline should treat the novation as a moment to reconfirm the engagement boundary.

How long do I need to keep records of a public-sector engagement?

The right-to-audit period in most call-off contracts is six years from the end of the engagement, though some sit at seven or eight, and a small number sit longer where the engagement supports a long-term programme. The firm's record-retention policy should match the longest right-to-audit period it has signed up to. Six years is also the standard PI run-off period and aligns to the ordinary contractual limitation period under English law.

Are my deliverables subject to Freedom of Information?

Possibly. Documents held by the contracting authority are subject to FOIA on request, with the standard exemptions applying. Deliverables prepared by the consultancy and held by the authority may be released, though commercial-confidentiality and prejudice exemptions are commonly applied. The practical implication is to draft deliverables on the assumption that they may end up, in whole or in part, in the public domain at some point.

What insurance do I need for NHS engagements specifically?

NHS engagements typically require PI cover at framework level, public liability and employer's liability, and compliance with the NHS Data Security and Protection Toolkit for any engagement that involves NHS data. Standalone cyber cover is increasingly expected for data-handling engagements. NHS Shared Business Services and other NHS framework operators publish minimum insurance requirements at lot level; the bid response should confirm compliance before submission.

How do I cover sub-contractors on a public-sector engagement?

The main contractor is responsible for the performance of the engagement, including sub-contractor work. The PI policy's treatment of sub-contractors needs to match — either covering sub-contractor work performed under the firm's supervision, or requiring sub-contractors to hold their own cover with the main contractor's policy responding to vicarious liability. The flow-down terms in the call-off need to be reflected in the sub-contractor's engagement letter, and the sub-contractor's insurance evidence should be obtained and retained on file.


About Apex Insurance Brokers — Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority, FCA firm reference 724952. Registered in England and Wales, Companies House 07014570. Last reviewed: May 2026.

This guide is general information about Professional Indemnity Insurance for UK public-sector consultancies and is not advice tailored to any individual firm's circumstances. For advice on your own renewal please speak to a broker — contact@apexinsurancebrokers.co.uk or 0117 325 0027.


