Employee File Audit Checklist

Pull the I-9, W-4, and the latest payroll register and confirm the name matches character-for-character. Marriage, divorce, and immigration name changes are the most common drift sources — a mismatch between the I-9 and SSA records triggers an SSA no-match letter and a payroll tax filing exception.

Year-end W-2 and 1095-C mailings rely on the address on file. Ask the employee to confirm directly rather than infer from a recent expense reimbursement — secondary residences cause misdelivered tax forms every January.

Confirm primary and secondary emergency contacts with current phone numbers. Stale records (ex-spouse, deceased parent) cause delays during medical events and are a common audit finding even though there is no specific regulation.

Confirm Section 1 was signed on or before the first day of work and Section 2 was signed within three business days of hire. Common defects: missing List A or List B+C entries, expired document numbers transcribed, employer signature blank. ICE I-9 audits levy per-form penalties for technical errors.

Mirror what the employee attested in I-9 Section 1. If status is work-authorized non-citizen, the next step captures the visa expiration so reverification lands on the calendar before authorization lapses.

Record the EAD or visa expiration and set a 90-day reminder for I-9 reverification. Letting authorization lapse without a Section 3 update is a hard ICE audit hit and creates an immediate work-stoppage problem for the employee.

Federal contractors and firms in mandatory-E-Verify states (FL, GA, NC, others) must keep the case verification number in the file. Tentative Non-Confirmations that were not resolved are the audit finding to look for.

Confirm the W-4 is the current IRS revision (post-2020 redesign) and that any claimed exemption is renewed annually by February 15. Pre-2020 forms are still valid until the employee makes a change, but flag them for refresh.

Most states require a separate certificate (CA DE-4, NY IT-2104, IL W-4, etc.). Remote employees working from a different state than the firm's office need a withholding form for their work state — not the firm's state.

If the employee elected extra per-paycheck withholding or claimed exempt status, confirm the supporting form is signed and dated. Exempt elections require a fresh W-4 each year.

Confirm the job description on file reflects the employee's actual responsibilities and FLSA exempt/non-exempt classification. Paralegals doing substantive legal work without supervision and 'administrators' performing exempt duties are the misclassifications that surface in DOL audits.

Review memos, PIPs, and write-ups should be in the personnel file with employee acknowledgment. Keep medical/ADA accommodation records and investigation notes in a separate confidential sub-file — co-mingling them is a privacy finding.

Every attorney and staff member should have a signed confidentiality agreement extending Rule 1.6 obligations to non-lawyer staff (Rule 5.3 supervisory duty). Lateral hires need an additional screening acknowledgment if any matters required an ethical wall.

Pull beneficiary designations from the 401(k) recordkeeper and the group-life carrier. Marriage, divorce, and births since the last election are the events that make stale designations a problem — ERISA pays the named beneficiary regardless of intent.

For equity partners, confirm the current capital account schedule and any buy-in/buy-out terms are in the file. For non-equity partners and senior associates with deferred comp, confirm the 409A-compliant election forms match the employment agreement.

Attorney records require bar-status and CLE checks; paralegal and staff records do not. Capture the role here so the next two steps only fire for licensed attorneys.

Pull the current standing certificate from each state bar where the attorney is licensed. Watch for administrative suspensions for unpaid dues or missed CLE — these are common, recoverable, but disqualifying for active practice until cured.

State minimums vary (commonly 12–15 hours/year, with separate ethics, diversity, and mental-health categories). Pull the transcript directly from the state CLE board, not the attorney's spreadsheet — self-reporting drift is the failure mode that suspends licenses every December.

NY, CA, IL, CT, ME, DE, and WA mandate annual or biennial harassment prevention training for all employees. Confirm the completion date is within the state's lookback window.

Model Rule 1.6(c) requires reasonable safeguards over client confidential information. Most carriers now require documented annual phishing-and-data-handling training as a condition of cyber liability coverage.

The firm administrator records the overall finding, notes any remediation items, and signs the audit certificate. File the completed audit record alongside the personnel file with the audit date — bar examiners and EPLI underwriters both ask for evidence of recurring audit discipline.