HR Audit Checklist

Recruitment and Selection

    Export applicant tracking data (ATS) for the audit period: applications received, demographics, source, requisition, disposition reason. Reconcile against EEO-1 Component 1 categories. Gaps in disposition reasons are the most common audit finding — every rejected applicant needs a documented, job-related reason.

    Federal contractor status drives OFCCP obligations: written affirmative action plan, applicant tracking, VEVRAA and Section 503 self-ID. The threshold is generally a single contract of $50,000+ with 50+ employees. If the company subcontracts to a prime federal contractor, the obligation flows down.

    Verify that the AAP is updated annually, includes utilization analyses by job group, and identifies placement goals where applicable, and that good-faith outreach efforts are documented. OFCCP audits routinely request the prior two AAPs plus supporting data within 30 days of the scheduling letter.

    Pull a 10-20% sample of I-9s plus 100% of new hires from the audit period. Common defects: Section 1 not signed by employee on day 1, Section 2 completed past the three-business-day deadline, List A document combined with List B/C, expired re-verification deadlines. ICE assesses per-form penalties for substantive errors — confirm the current ICE schedule before quoting figures.

    FCRA requires a stand-alone disclosure (no liability waivers, no extraneous text) and separate written authorization before pulling a consumer report. The adverse-action sequence is a pre-adverse action notice with a copy of the report and the Summary of Rights, then a reasonable waiting period (commonly 5 business days), then the adverse action notice. Ban-the-box and clean-slate state laws layer on top.

Onboarding and Training

    Every active employee should have a signed acknowledgment for the current handbook version. At-will language, arbitration clauses, and EEO/anti-harassment policies are the ones plaintiff counsel checks first. Require re-acknowledgment after material updates, not just annually.

    State mandates vary: California (SB 1343) requires 2 hours for supervisors and 1 hour for non-supervisors every two years; New York requires annual; Illinois requires annual under the Workplace Transparency Act; Connecticut, Delaware, Maine all have specific cadences. Track by jurisdiction of work, not headquarters.

    Beyond harassment: California wage-theft notices (Labor Code 2810.5), pregnancy disability accommodation training, workplace violence prevention plans (CA SB 553 effective 2024), and OSHA-required safety trainings for applicable roles. Build a training matrix by state and role.

    Pull the 30/60/90-day onboarding milestone completion report from the HRIS. Stalled tasks usually cluster around manager-driven items: goal-setting meetings, equipment access, role-specific training. Surface managers with chronic gaps for follow-up.

Performance Management

    Pull a stratified sample across departments and ratings. Look for boilerplate ratings, identical narratives across multiple employees, and ratings that contradict the prior year's PIP outcome. Disparate-impact litigation usually starts with rating distribution by protected class.

    Each PIP should have specific measurable objectives, a defined duration (typically 30/60/90 days), check-in cadence, and a clear outcome decision. Missing close-out documentation is the most common defect — a PIP that just trails off creates a wrongful-termination exposure when the employee is later separated.

    Sample employee goals across the org and trace upward to department and company-level objectives. Goals that don't ladder up are a flag for either the goal or the strategy.

    Verify managers completed bias-awareness and calibration training before the most recent review cycle. Calibration session attendance logs should show cross-team participation, not just the manager rating their own team in isolation.

Employee Relations

    Every complaint — formal and informal, anonymous hotline included — should have a unique case ID, intake date, category, investigator, outcome, and closure date. Time-to-acknowledgment under 48 hours is the typical service standard. Patterns by department or manager are the signal worth surfacing in the audit report.

    Each file should show: prompt acknowledgment, interim measures considered, neutral investigator, witness interviews documented, evidence preserved, written findings, and remedial action proportionate to the finding. EEOC enforcement guidance is the bar — a finding of "unsubstantiated" without documented interviews is the file weakness most often cited in litigation.

    Pull the separations report from the HRIS. Voluntary, involuntary, and reduction-in-force should each be flagged. A single termination triggers COBRA, final-pay, and benefits-continuation obligations; a RIF additionally triggers WARN Act analysis at 50+ affected employees in some scenarios.

    Initial COBRA notice is due within 90 days of plan enrollment; election notice within 14 days of the qualifying event (44 days if employer is also plan administrator). State mini-COBRA stacks on top in CA, NY, MA, and others. Late notices carry per-day excise tax under Section 4980B.

    Federal posters: EEOC "Know Your Rights," FMLA, FLSA, EPPA, USERRA, OSHA. State posters layer on. Remote employees need electronic equivalents accessible from any company device — physical break-room posters alone don't satisfy DOL guidance for distributed workforces.

Compensation and Benefits

    Run a regression-based analysis grouping by similar work (job, level, location), controlling for legitimate factors (tenure, performance, prior experience). Unexplained gap thresholds: under 1% is generally inside noise; 1-5% warrants review; over 5% almost always warrants remediation. Several states (CA, IL, OR) require pay-data reporting and create rebuttable presumptions on unexplained gaps.

    For unexplained gaps over 5%, build a remediation schedule — target adjustments at the next merit cycle or sooner, with a written rationale tied to the regression. Privilege the analysis through counsel if litigation exposure is real. Track adjustments in a closed-loop file the next audit can verify.

    Test each exempt role against the duties test (executive, administrative, professional, computer, outside sales) — not just the salary threshold. Confirm the current DOL salary basis amount before stress-testing borderline roles. State thresholds (CA, NY, WA, CO) are higher than federal and must be applied.

    Welfare and retirement plans subject to ERISA require Form 5500 filed by the last day of the seventh month after plan year-end. Confirm the SAR (Summary Annual Report) was distributed to participants. Late filings can be remediated under DOL's DFVCP at lower penalty than discovery.

    Applicable Large Employers (50+ FTEs) must report offers of coverage on Form 1095-C and aggregate via 1094-C. Common errors: incorrect Line 14 offer codes, wrong Line 16 safe-harbor codes, mismatched SSNs that trigger IRS Letter 226-J penalty assessments. Reconcile against payroll and benefits enrollment files.

    Structure the report by section with risk-rated findings (high/medium/low), root cause, remediation owner, and target date. Distribute to the CHRO, CEO, and audit committee. Schedule a 90-day check-in on remediation owners — findings without owners and dates are the ones that reappear next audit.
