HR Compliance Checklist

New-Hire IT Provisioning

    Pull the new-hire record from Workday, BambooHR, or Rippling. W-2 employees, contractors, and interns get different access profiles and account-expiry rules, so confirm the worker type before provisioning anything. Misclassification at this step is the usual reason a contractor account lives on indefinitely with full employee privileges.

    Create the account through the SCIM connector from the HRIS where possible — manual creation skips the source-of-truth link and creates orphans later. Confirm UPN matches the company naming convention and that the manager attribute resolves to a current user.

    Windows hardware ships through Autopilot with the company gold profile; Mac hardware ships through Apple Business Manager and Jamf or Kandji. Before the device leaves IT custody, confirm the BitLocker recovery key has escrowed to Entra ID (it shows on the device object) and the FileVault personal recovery key has escrowed to Jamf or Kandji; FileVault keys do not escrow to Entra ID, and an encrypted disk with no escrowed key is a data-loss event waiting for a forgotten password.

    YubiKey or equivalent FIDO2 token paired with the user's Entra ID account on Day 1. For privileged roles, disable SMS and authenticator-app fallback and require phishing-resistant MFA through a Conditional Access authentication strength; phishable factors invite adversary-in-the-middle attacks even when MFA is technically enforced.

    Reference the role-to-group matrix maintained in IT Glue or Hudu. Avoid copying access from a peer's account — that's how privilege creep starts. Document any exceptions on the ticket with the manager's approval.

    Contractor accounts get a hard end date matching the SOW: accountExpires in on-prem AD for synced accounts, or employeeLeaveDateTime plus a Lifecycle Workflows leaver workflow for cloud-only Entra ID accounts, since cloud-only users have no native expiry attribute. Add a calendar reminder 30 days before the date. Indefinite contractor accounts are an audit finding and a SOC 2 access-review headache.

Workplace Technology Policies

    Attach the countersigned AUP, BYOD policy, and confidentiality agreement to the user's record in IT Glue or the HRIS. Auditors sample new-hire packets for these signatures during SOC 2 and ISO 27001 reviews.

    Corporate-issued devices follow the standard MDM profile. BYOD devices need the work-profile / managed-app variant so personal data stays out of scope when wipe is invoked at offboarding.

    Push the work-profile configuration with app-protection policies for Outlook, Teams, and OneDrive. Selective wipe at offboarding removes corporate data only — confirm the user understands this before enrollment to avoid the offboarding-day argument.

    Confirm the user is in scope for the org-wide Conditional Access policy that blocks legacy authentication (IMAP, POP, SMTP AUTH, basic-auth Exchange Web Services and ActiveSync). Microsoft retired basic auth for most Exchange Online protocols in 2023, but SMTP AUTH remains a per-tenant and per-mailbox setting, and a CA policy only protects the users and apps it targets. Password sprays against any remaining basic-auth endpoint never see an MFA prompt; a green MFA dashboard is meaningless if basic auth is still listening.
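
    A check for this item, written as an added example rather than anything from the checklist's own tooling. It assumes a Python export of Entra sign-in records in the Microsoft Graph /auditLogs/signIns shape (the records below are constructed) and separates the things a legacy-protocol sign-in can tell you: a success with conditionalAccessStatus notApplied means the user is outside the policy's scope; a success with the policy applied means the grant is wrong; a 53003 on a legacy protocol means a correct password was presented before Conditional Access refused it, because the credential check runs first, so the password is burned even though the block worked; repeated 50126 failures mean basic auth is still answering and being sprayed. The spray threshold is an assumption.

```python
"""Verify that the legacy-authentication block actually covers a user.

Added example, not the checklist's own tooling. SIGNINS is constructed to
mimic Microsoft Graph /auditLogs/signIns entries; only the fields used here
are modelled (userPrincipalName, clientAppUsed, status.errorCode,
conditionalAccessStatus). Error codes: 0 = success, 53003 = blocked by
Conditional Access, 50126 = invalid username or password.
"""
from collections import Counter

# Client-app names the Entra sign-in log reports for legacy (basic-auth) protocols.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "Exchange ActiveSync", "Exchange Web Services",
    "IMAP4", "POP3", "Other clients",
}
SPRAY_THRESHOLD = 3  # assumption: this many failures per user in the sample is worth a finding


def rec(upn, app, code, ca):
    """Build one constructed sign-in record in the Graph-like shape used below."""
    return {"userPrincipalName": upn, "clientAppUsed": app,
            "status": {"errorCode": code}, "conditionalAccessStatus": ca}


SIGNINS = [
    rec("alice@example.com", "Browser", 0, "success"),                # modern auth, not interesting
    rec("bob@example.com", "IMAP4", 53003, "failure"),                # right password, CA blocked it
    rec("carol@example.com", "Authenticated SMTP", 0, "notApplied"),  # policy never targeted her
    rec("dave@example.com", "Exchange ActiveSync", 0, "success"),     # policy applied yet granted
    rec("svc-scanner@example.com", "IMAP4", 50126, "notApplied"),
    rec("svc-scanner@example.com", "IMAP4", 50126, "notApplied"),
    rec("svc-scanner@example.com", "IMAP4", 50126, "notApplied"),     # three bad passwords: spray shape
]


def legacy_auth_findings(signins):
    """Return one finding string per gap the sign-in sample reveals."""
    findings = []
    failures = Counter()
    for s in signins:
        app = s["clientAppUsed"]
        if app not in LEGACY_CLIENT_APPS:
            continue
        upn = s["userPrincipalName"].lower()
        code = s["status"]["errorCode"]
        ca = s.get("conditionalAccessStatus", "unknown")
        if code == 0 and ca == "notApplied":
            findings.append(f"{upn}: {app} sign-in succeeded with no CA policy applied; user is out of scope")
        elif code == 0:
            findings.append(f"{upn}: {app} sign-in succeeded with CA status {ca}; policy grants legacy auth")
        elif code == 53003:
            # The credential check runs before CA evaluation, so a 53003 on a legacy
            # protocol means a correct password was presented. Treat it as exposed.
            findings.append(f"{upn}: {app} blocked by CA (53003) after a valid password; rotate credential")
        else:
            failures[upn] += 1
    for upn, n in failures.items():
        if n >= SPRAY_THRESHOLD:
            findings.append(f"{upn}: {n} failed legacy-protocol sign-ins; basic auth still answers for this tenant")
    return findings


if __name__ == "__main__":
    for line in legacy_auth_findings(SIGNINS):
        print(line)
```

    Feed it the new hire's own sign-ins a week after Day 1: an empty result is the evidence that the policy covers them, and a non-empty one names the exact gap to take back to the CA policy or the Exchange SMTP AUTH setting.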

Employee Records and Data Protection

    Pull the access report from Workday or BambooHR and reconcile against the documented role matrix. HR admins, payroll admins, and IT-with-emergency-access are the three tiers; anyone outside those tiers reading PII is a finding.

    For SaaS HRIS, capture the vendor SOC 2 report and confirm AES-256 at rest. For self-hosted, confirm TDE or column-level encryption on PII columns and that backup copies inherit encryption — unencrypted backups are the loophole that catches teams during breach response.

    Run a sample data subject access request end-to-end against a test user in HRIS, payroll, and connected SaaS apps. CCPA and GDPR both have hard response windows (45 days and one month respectively, each extendable only once and only with notice). Discovering the export workflow doesn't work on the day a real DSAR lands is a regulator-visible miss.

    Document the failure mode — missing system, broken export, ownership gap — and assign a remediation owner with a 30-day target. Loop in legal so privacy-counsel knows the workflow is currently non-compliant during the gap.

Offboarding Controls Audit

    Pull the last 90 days of separations from the HRIS and pick five at random across departments. Reviewing only the easy ones — voluntary, advance-notice — misses the harder failure modes around involuntary same-day terminations.

    Compare the HRIS termination timestamp to the Entra ID account-disabled timestamp (the "Disable account" activity in the audit log) for each sampled departure. Internal SLA is typically four hours for voluntary and immediate, meaning disabled at or before the termination meeting, for involuntary. Capture the audit-log evidence as the SOC 2 control artifact.

    Each sampled mailbox should have been converted to shared before the license was removed (an unlicensed user mailbox is deleted once the grace period lapses), be hidden from the GAL, and have every forwarding path cleared: the mailbox-level ForwardingSmtpAddress as well as user-created inbox rules that forward or redirect. The classic miss: license revoked but the user's pre-departure forwarding rule still pushes mail to a personal Gmail for months. An outbound spam policy that blocks automatic forwarding to external domains closes this class of gap tenant-wide.

    Cross-reference RMM device-retirement logs against the HRIS termination list. Devices logged as returned but never wiped sit in the IT closet with cached domain credentials (DCC2 hashes that crack offline), a device identity Entra ID still trusts, and a recovery key several admin roles can read out of Entra ID; that's a foothold kit, not e-waste.

    Compile findings into the quarterly access-review report for the security committee. Track each orphaned account or unrevoked SaaS license to a remediation owner. The report is the artifact auditors sample during SOC 2 Type II fieldwork.
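
    The sampled review above (disable latency, mailbox conversion, GAL hiding, forwarding paths) as one added script. This is example code, not the checklist's or any vendor's tooling: the three inputs are constructed to mimic an HRIS separations export, Entra ID audit-log entries (the "Disable account" activity in the Graph directoryAudits shape), and an Exchange Online mailbox dump; the SLA values and the example.com internal domain are assumptions. The departures include the cases the text calls out: an involuntary termination disabled 20 minutes late, an account that was edited but never disabled, a pre-departure forwarding rule that survived license revocation, and, for contrast, a pre-meeting disable that passes.

```python
"""Offboarding controls audit over three constructed exports.

Added example, not the checklist's own tooling. Inputs mimic an HRIS
separations export, Entra ID audit-log entries (Graph directoryAudit-like,
activityDisplayName "Disable account"), and an Exchange Online mailbox dump
(ForwardingSmtpAddress plus inbox rules). SLA values are assumptions: 4 h for
voluntary, 0 h (disabled at or before the HRIS termination time) for
involuntary. INTERNAL_DOMAINS is likewise assumed.
"""
from datetime import datetime, timedelta

SLA = {"voluntary": timedelta(hours=4), "involuntary": timedelta(0)}
INTERNAL_DOMAINS = {"example.com"}

HRIS_SEPARATIONS = [  # constructed
    {"upn": "alice@example.com", "type": "voluntary",   "terminationDateTime": "2024-03-01T17:00:00Z"},
    {"upn": "bob@example.com",   "type": "involuntary", "terminationDateTime": "2024-03-05T10:00:00Z"},
    {"upn": "carol@example.com", "type": "voluntary",   "terminationDateTime": "2024-03-08T17:00:00Z"},
    {"upn": "dave@example.com",  "type": "involuntary", "terminationDateTime": "2024-03-12T09:00:00Z"},
]
ENTRA_AUDIT = [  # constructed
    {"activityDisplayName": "Disable account", "activityDateTime": "2024-03-01T18:30:00Z",
     "targetResources": [{"userPrincipalName": "alice@example.com"}]},
    {"activityDisplayName": "Disable account", "activityDateTime": "2024-03-05T10:20:00Z",
     "targetResources": [{"userPrincipalName": "Bob@example.com"}]},   # 20 min after the meeting
    {"activityDisplayName": "Update user", "activityDateTime": "2024-03-08T17:05:00Z",
     "targetResources": [{"userPrincipalName": "carol@example.com"}]},  # edited, never disabled
    {"activityDisplayName": "Disable account", "activityDateTime": "2024-03-12T08:45:00Z",
     "targetResources": [{"userPrincipalName": "dave@example.com"}]},   # disabled before the meeting
]
MAILBOXES = {  # constructed, keyed by lower-case UPN
    "alice@example.com": {"isShared": True, "hiddenFromGal": True, "forwardingSmtpAddress": None, "inboxRules": []},
    "bob@example.com":   {"isShared": True, "hiddenFromGal": True, "forwardingSmtpAddress": None,
                          "inboxRules": [{"name": "keep copies", "forwardTo": ["bob.home@gmail.com"], "redirectTo": []}]},
    "carol@example.com": {"isShared": False, "hiddenFromGal": False,
                          "forwardingSmtpAddress": "smtp:carol.k@outlook.com", "inboxRules": []},
    "dave@example.com":  {"isShared": True, "hiddenFromGal": True,
                          "forwardingSmtpAddress": "smtp:helpdesk@example.com", "inboxRules": []},
}


def parse_ts(ts):
    """Parse the Zulu timestamps these exports use into aware datetimes."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def domain_of(addr):
    """Strip the 'smtp:' prefix Exchange puts on forwarding addresses and return the domain."""
    return addr.split(":", 1)[-1].rsplit("@", 1)[-1].lower()


def disable_time(upn, audit):
    """Earliest 'Disable account' event targeting this UPN, or None if never disabled."""
    times = [parse_ts(e["activityDateTime"]) for e in audit
             if e["activityDisplayName"] == "Disable account"
             and any(t.get("userPrincipalName", "").lower() == upn.lower() for t in e["targetResources"])]
    return min(times) if times else None


def external_forwards(mbx):
    """Every forwarding path out of the mailbox that lands outside INTERNAL_DOMAINS."""
    paths = []
    fwd = mbx.get("forwardingSmtpAddress")
    if fwd and domain_of(fwd) not in INTERNAL_DOMAINS:
        paths.append("mailbox ForwardingSmtpAddress -> " + fwd)
    for rule in mbx.get("inboxRules", []):
        for addr in rule.get("forwardTo", []) + rule.get("redirectTo", []):
            if domain_of(addr) not in INTERNAL_DOMAINS:
                paths.append(f"inbox rule '{rule['name']}' -> {addr}")
    return paths


def audit_separation(sep, audit, mailboxes):
    """Findings for one departure; an empty list means every sampled control held."""
    findings = []
    upn = sep["upn"].lower()
    disabled = disable_time(upn, audit)
    if disabled is None:
        findings.append("ACCOUNT_NEVER_DISABLED")
    else:
        latency = disabled - parse_ts(sep["terminationDateTime"])  # negative = disabled early, fine
        if latency > SLA[sep["type"]]:
            findings.append(f"SLA_BREACH {latency}")
    mbx = mailboxes.get(upn)
    if mbx is not None:
        if not mbx["isShared"]:
            findings.append("MAILBOX_NOT_SHARED")
        if not mbx["hiddenFromGal"]:
            findings.append("VISIBLE_IN_GAL")
        findings.extend("EXTERNAL_FORWARD " + p for p in external_forwards(mbx))
    return findings


def run_audit(seps, audit, mailboxes):
    """Map each departed UPN to its findings; this is the artifact for the quarterly review."""
    return {s["upn"].lower(): audit_separation(s, audit, mailboxes) for s in seps}


if __name__ == "__main__":
    for upn, findings in run_audit(HRIS_SEPARATIONS, ENTRA_AUDIT, MAILBOXES).items():
        print(upn, findings or ["OK"])
```

    Swap the constructed lists for the real exports and the per-UPN findings dict becomes the remediation tracker the last step asks for; the UPN comparisons are case-insensitive on purpose, since HRIS and Entra rarely agree on casing.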