Employee File Audit Checklist

Export the active and terminated-within-retention-window employee list from Gusto, ADP, Paychex, or whichever payroll system the firm runs. Cross-check headcount to the prior period's audit roster — unexplained adds or drops are the first sign a file has gone missing.

Status drives which sections of this audit apply. Terminated employees skip benefits enrollment review but require separation paperwork; 1099 contractors should not be in this audit at all.

Personnel records, I-9s, and medical/benefits files must be stored separately. Confirm SmartVault, ShareFile, or your DMS folder structure keeps I-9s in a dedicated folder accessible only to authorized HR — commingling I-9s with the general personnel file is a common ICE-audit finding.

The name on the W-4, I-9, and Social Security card must match. Mismatches cause SSA no-match letters and W-2 rejection. Marriage and legal name changes are the usual cause — confirm an updated SS card was provided.

Address drives state withholding, SUTA assignment, and W-2 mailing. A state-line move that wasn't reported to payroll means wrong-state withholding all year — flag for a payroll correction if found.

Compare to the SSA TNS (Taxpayer Name Service) match if available. Do not store the SSN in plaintext outside the encrypted personnel system — this is a WISP control under IRS Pub 4557 and FTC Safeguards Rule.

Annual refresh — emergency contacts go stale fast. Send the employee a one-question form rather than copying forward last year's data.

Confirm both employee and authorized signer signatures, the start date, title, and stated comp. Unsigned offers are the most frequent finding — chase down via DocuSign audit trail if the paper copy is missing.

Section 1 must be completed by the employee on or before day one; Section 2 by the employer within three business days of hire. Check that List A or List B+C documents are recorded with title, issuing authority, document number, and expiration. Use the current Form I-9 edition — the prior edition becomes invalid on the date USCIS specifies.

Use the official I-9 correction protocol: line through the error, enter the correct information, initial and date — do not white out, do not backdate. For expiring work authorization, complete Supplement B (Reverification) before the document expiration date. Document retention is later of three years from hire or one year from termination.

The 2020+ W-4 redesign eliminated allowances; if the file still has a pre-2020 W-4, that's fine unless the employee has updated since. State withholding certificates (e.g., NY IT-2104, CA DE 4) must match the residence state, not just the federal form.

For CPA-licensed staff, confirm active license number and CPE compliance for the period. For EAs, confirm PTIN renewal. FCRA disclosure and authorization for any background check must be in the file as a standalone document.

Pull the active rate from Gusto/ADP and reconcile to the most recent signed comp letter. Unexplained variances are usually verbal raises that never made it to paper — request a retroactive comp memo.

FLSA salary threshold and duties test both apply. Confirm the role meets one of the white-collar exemptions (executive, administrative, professional, computer, outside sales) and that salary is at or above the federal and applicable state threshold — California, New York, and Washington thresholds run higher than federal.

Authorization must be signed and on file before the first ACH credit. Confirm the routing/account on file matches what's active in payroll — mid-year bank changes that didn't get re-authorized are a recurring finding.

For non-exempt staff, confirm timesheets are signed by the employee and approved by a manager for at least one randomly-selected pay period. Missing approvals are an FLSA recordkeeping deficiency. Retention: 3 years for time records under 29 CFR 516.

Match each active garnishment in payroll (child support, IRS levy, student loan AWG, state tax) to the underlying court order or notice in the file. Confirm CCPA disposable-earnings caps are respected when multiple orders are stacked.

Both employee and reviewing manager signatures (or e-sig audit trail) within the firm's stated review cycle. A review that's more than 18 months old usually means the cycle slipped during busy season — flag for the partner.

For CPAs and EAs, pull CPE certificates for the reporting period. Most state boards require 40 hours annually with a specific ethics carve-out (often 4 hours). EAs need 72 hours over the three-year cycle with at least 16 per year and 2 hours of ethics annually.

Each disciplinary record should be dated, describe the conduct factually, state the corrective expectation, and be acknowledged by the employee. Verbal warnings without contemporaneous notes are unenforceable in a wrongful-termination claim.

The acknowledgment must reference the edition currently in force. Material policy updates (PTO, remote work, harassment) issued mid-year need a fresh acknowledgment, not just the original onboarding signature.

Required by IRS Pub 4557 and the FTC Safeguards Rule for paid preparers. Confirm annual security-awareness training completion and signed acknowledgment of the firm's Written Information Security Plan, including incident-response and BYOD provisions.

Tie health, dental, vision, HSA, FSA, and 401(k) deferral elections in the personnel file to the carrier and 401(k) recordkeeper rosters. Mid-year qualifying-event changes (Section 125) are the most common source of mismatches.

401(k) and group life beneficiary forms go stale through divorce and family changes. Confirm a designation exists; flag any over five years old for the employee to refresh.

For each deficiency, record the document, the issue, the assigned owner, and the target close date. This log is the workpaper if a wage-and-hour, ICE, or DOL audit hits later.

Missing I-9s, classification errors, or unauthorized SSN storage need partner-level visibility before remediation begins. Document the conversation date and decisions in the audit log.

Final attest signature closes the audit cycle and starts the retention clock on the workpaper. File the signed audit packet to the firm's compliance archive.