HR Audit Checklist: Finding and Fixing Compliance Gaps Before They Find You

Personnel files: Verify a complete file exists for each employee with consistent organization across files. Check for signed offer letters, current job descriptions, documented performance reviews, disciplinary actions with employee acknowledgment, and complete separation documents for former employees.

I-9 compliance: Confirm an I-9 is on file for every employee, Section 1 was completed by the first day of work, Section 2 was completed within 3 business days, reverification was completed when required, and retention schedules are followed (3 years from hire OR 1 year after termination, whichever is later). Verify you're using the current form version. See I-9 compliance guide.

Medical records: Confirm medical records are stored separately from personnel files, access is limited to need-to-know personnel, FMLA certifications are properly handled, ADA accommodation documentation is secure, and workers' comp records are maintained properly. Medical information mixing with general personnel files is a common and preventable violation.

Record retention: Verify your retention schedule is documented and followed, personnel files are retained per state requirements, payroll records are retained for 3+ years, tax records for 4+ years, benefits records per ERISA requirements, and terminated employee files are properly archived. Missing records create adverse inferences in litigation.

Classification review: Verify all employees are classified as exempt or non-exempt, exempt employees meet the current salary threshold ($43,888 federal as of 2024), exempt employees meet the applicable duties test, classifications are reviewed when duties change, independent contractors are properly classified, and documentation supports each classification decision. Review our FLSA guide for the specific tests.

Time tracking: Confirm non-exempt employee time is accurately tracked, all hours worked are recorded including pre-shift and post-shift activities, meal breaks are properly handled, overtime is calculated correctly using the full regular rate, time records are retained for the required period, and managers aren't editing time records without documentation.

Pay practices: Check minimum wage compliance at both federal and state levels, overtime payment by the next regular payday, final pay provided per state-specific requirements, deductions comply with state law, pay stubs include all required information, and equal pay for substantially equal work across genders.

Exemption-specific items: Verify exempt employees are paid on a salary basis without improper deductions, computer employee hourly rates meet the $27.63 minimum, highly compensated employees meet the $107,432 threshold, and outside sales exemptions are properly documented.

FMLA compliance (for employers with 50+ employees): Confirm the FMLA poster is displayed, eligibility is determined correctly using the 12-month/1,250-hour/50-within-75-miles criteria, required notices are provided (eligibility, rights, designation), medical certifications are requested appropriately, leave is tracked accurately, job restoration is honored, and health benefits are maintained during leave. See FMLA guide.

State leave laws: Identify all state-specific leave requirements that apply to your workforce, verify paid family leave is administered correctly where applicable, state sick leave requirements are followed, pregnancy disability leave is provided where required (California, etc.), and domestic violence leave is available where mandated.

Other leave types: Verify jury duty leave is provided as required by law, military leave under USERRA is administered correctly, voting leave is provided where required, workers' comp leave is coordinated with FMLA, and ADA leave is considered as a reasonable accommodation when other leave is exhausted.

PTO administration: Confirm your PTO policy is clearly documented, accruals are tracked accurately, any use-it-or-lose-it policy complies with state law, payout at termination follows state-specific requirements, and carryover limits are documented and communicated.

Policy review: Verify your anti-discrimination policy covers all applicable protected classes (federal and state), sexual harassment policy is current and comprehensive, multiple reporting channels are available to employees, non-retaliation protection is clearly stated, policies have been distributed to all employees, and signed acknowledgments are on file. See EEOC guidelines.

Training: Confirm harassment training has been provided to all employees, manager-specific training covers their additional responsibilities, training meets state-specific requirements (California, New York, Illinois, etc.), training records are maintained, and refresher training is scheduled.

Investigation process: Verify investigation procedures are documented, investigators are trained, complaints are documented and tracked, investigations are conducted promptly, findings and corrective actions are documented, and follow-up is conducted to prevent recurrence.

ADA and accommodation: Confirm your accommodation request process is documented, the interactive process is followed and documented for each request, reasonable accommodations are provided, any undue hardship claims are thoroughly documented, and medical information is kept confidential and separate from general files. See ADA compliance guide.

Job postings: Verify descriptions are accurate and current, essential functions are clearly identified, minimum qualifications are genuinely job-related, language is free of discriminatory terms, EEO tagline is included, and pay transparency requirements are met where applicable.

Application process: Confirm applications collect only job-related information, no prohibited pre-employment inquiries are included, ban-the-box compliance is maintained where applicable, applications are retained per requirements (1 year minimum), and applicant tracking is consistent across positions.

Interview process: Verify interview questions are job-related, consistent questions are used across candidates for the same position, interview assessments are documented, no prohibited inquiries occur (age, disability, family status, etc.), and interview scorecards are used consistently.

Background checks: Confirm FCRA disclosure is provided before the check, separate authorization is obtained, pre-adverse action notice is provided when considering adverse action, adverse action notice follows if the decision stands, ban-the-box and fair chance laws are followed, and individualized assessment is conducted for criminal history rather than blanket disqualification.

Benefits administration: Verify plan documents are current and available, Summary Plan Descriptions are distributed to participants, eligibility is applied consistently, COBRA notices are timely, HIPAA privacy notices are provided, Section 125 plan documents are current, and non-discrimination testing is completed where applicable.

Retirement plans: Confirm plan documents are current, required disclosures are provided to participants, contribution limits are monitored, fiduciary responsibilities are documented, required testing is completed, and Form 5500 is filed timely.

Compensation review: Verify compensation benchmarking data is current, pay equity analysis has been conducted, pay decisions are documented with business rationale, bonus and incentive plans are clearly documented, commission plans are written and acknowledged, and pay bands have been reviewed and updated.

Review your employee handbook: Is it current (reviewed within the past year)? Is the at-will disclaimer prominent? Are all legally required policies included? Are state-specific requirements addressed? Is distribution documented? Are signed acknowledgments on file for all current employees?

Required postings: Verify federal labor law posters are displayed, state-required posters are displayed, all posters are current versions, posters are in all required locations (including for remote workers where applicable), and posters are available in appropriate languages for your workforce.

Policy consistency: Confirm written policies match actual practices, policies are applied consistently across employees, managers are trained on policy application, documentation supports how policies are applied, and no outdated policies remain in circulation.

Document your findings in a written audit report listing all issues categorized by risk level: critical, high, medium, and low. Include specific examples and affected employees or documents. Store the report securely because it may be discoverable in litigation.

Prioritize remediation by risk level. Address critical issues immediately since these involve ongoing legal violations. High-risk items should be resolved within 30 days. Medium within 90 days. Low-priority items can be addressed in the next annual cycle. Assign a responsible person and deadline for each item.

For significant compliance gaps, involve employment counsel. Attorney-client privilege may protect certain audit communications. Counsel can advise on remediation approach, whether disclosure or corrective payments are needed, and how to mitigate future risk.

Track remediation progress. Document that fixes are complete. Include audit follow-up items in the next audit cycle. Consider quarterly check-ins on high-risk areas to ensure problems don't recur.