
How to Run an HR Compliance Audit: Step-by-Step Guide with Free Template

TL;DR: An HR compliance audit assesses your organization's adherence to federal and state employment laws across six critical phases: employee classification, wage and hour practices, personnel files, workplace postings, employee handbooks, and data security. Use our free scoring rubric to identify gaps, calculate compliance risk, and prioritize remediation. Most companies complete an audit in 4–6 weeks.


What Is an HR Compliance Audit?

An HR compliance audit is a systematic review of your company's employment practices, policies, and documentation against federal, state, and local labor laws. It answers one question: Are we following the law? The audit uncovers gaps—misclassified employees, missing wage records, undisclosed wage deductions, lack of required postings—and prioritizes them by legal and financial risk so you can fix them before regulators or litigants find them.

Unlike a one-time legal review, a compliance audit is a repeatable process. Most organizations should conduct an internal audit every 12–24 months, or after significant employment-law changes in their state (e.g., wage-increase rules, classification restrictions, new data-breach notification requirements).


Phase 1: Employee Classification – Are Your Workers Classified Correctly?

The starting point for any audit is classification accuracy. Misclassifying full-time employees as independent contractors or salaried workers as hourly (without overtime pay) can expose you to wage-and-hour lawsuits and state DOL penalties ranging from $5,000 to $50,000+ per violation.

What to audit:

  • Pull a current roster of all active W-2 employees, 1099 contractors, and consultants (separate by department).

  • For each contractor or non-employee, document the criteria used for classification:

    • Control test: Do you control how/when/where the work is done?
    • Economic reality: Is the worker economically dependent on your company?
    • State-specific ABC tests: If you operate in CA, NY, or MA, stricter ABC tests apply (worker controls work, work is outside usual business, worker operates independently). Review HR Compliance Checklist 2026 for your state's rules.
  • For salaried exempt employees, verify:

    • Salary is at or above the federal FLSA threshold ($35,568/year as of June 2024; your state may be higher).
    • Employee actually performs exempt duties (executive, professional, administrative, sales, or outside-sales capacity), not just "manager" title.

Action: Create a classification matrix (spreadsheet: employee name, classification type, basis for classification, annual salary if exempt). Flag any where the basis is unclear or outdated. Remediate by reclassifying and back-paying any affected workers.


Phase 2: Wage-Hour Compliance – Are You Paying Correctly?

Wage-hour violations are the most common source of settlements and DOL audits. This phase checks overtime calculations, minimum-wage compliance, deductions, and record-keeping.

What to audit:

  • Overtime: Review timesheets for the past 2 years. Are all non-exempt employees earning 1.5× their regular rate for all hours over 40/week (or your state's threshold—CA and several other states have daily overtime rules)? Check for "off-the-clock" work or excluded time (meal breaks, training, commute).
  • Minimum wage: Verify the lowest hourly rate you paid in the past 2 years against both the federal minimum ($7.25) and your state/local minimums (CA: $16.00/hour as of June 2026; NYC: $15.00+). Document raises and effective dates.
  • Deductions: Audit recent pay stubs. Any wage deductions (uniform costs, equipment, shortages, "disciplinary" deductions) are often unlawful. Federal law prohibits deductions that reduce pay below minimum wage; most states are stricter.
  • Unpaid time: Identify any unpaid work: setup, teardown, training, administrative tasks. If required or controlled by you, it's compensable.
  • Records: Verify you maintain required wage records: hours worked, rates, pay dates, deductions, gross and net pay. Retention varies by state (2–4 years is standard).

Action: Calculate back-pay liability for any shortfalls. Use a simple formula: (actual hours × underpaid rate) × # of affected employees. Example: 5 employees owed 2 hours of unpaid overtime/week for 1 year = 5 × 104 hours × $22.50 (1.5× their $15 rate) = $11,700 liability. Create a remediation plan (repay promptly and confidentially, or settle via PACT—a Department of Labor amnesty process).


Phase 3: Personnel Files – Is Your Documentation Complete?

Incomplete or missing records are a red flag in any DOL or plaintiff-attorney audit. Each employee file should contain proof of legal work eligibility, wage-agreement acknowledgment, and tax withholding.

What to audit:

  • I-9 compliance: Do you have a completed, signed I-9 (or an E-Verify result) for every current and former employee? The form must be completed within 3 days of hire and retained for 3+ years (1 year after termination). Check for common errors: a missing Section 3 signature, an undated form, or invalid ID documents listed.
  • Tax documents: W-4, state income-tax withholding forms, signed offer letters or job descriptions.
  • Wage agreements: Written acknowledgment of base pay, hourly rate, and any deductions (even if lawful, some states require written consent).
  • State-specific disclosures: Many states require written notice of pay practices, wage deduction policies, or data-collection consent before hire. Check your state's requirements.
  • Separation records: For terminations, retain final paycheck documentation, any severance agreements, and separation notices for 3+ years.

Action: Use a file checklist (provided in our free template) to score each file 0–100 based on completeness. Files scoring <80 are at risk; prioritize getting missing items from the employee or your systems. If documents are truly lost, document the search effort and note "file established [date]; prior records unavailable."


Phase 4: Workplace Postings – Are Required Notices Visible?

Federal and state labor laws require visible postings in the workplace (or a digital equivalent for remote workers). Missing postings can trigger OSHA, DOL, or state agency fines of $200–$5,000 per violation.

What to audit:

  • Federal postings required:

    • Fair Labor Standards Act (FLSA) minimum-wage and overtime notice
    • Title VII (EEO) anti-discrimination notice
    • FMLA (if 50+ employees)
    • OSHA safety poster
    • Workers' Compensation notice
    • Whistleblower protections (OSHA, Sarbanes-Oxley, Dodd-Frank, etc.)
  • State/local postings (varies wildly; use our 50-state matrix to verify):

    • Wage deduction consent, pay-frequency, and final-paycheck rules
    • Anti-harassment/discrimination policies
    • Retaliation protections
    • Paid leave (sick, family, bereavement, jury duty)
    • Background check/ban-the-box notices
  • Placement: Postings must be conspicuous—typically in a breakroom, entrance, or HR office where employees regularly pass. For fully remote teams, email the postings to all staff and maintain a delivery log.

Action: Print or download current posters from OSHA.gov, your state DOL website, and the federal DOL Wage & Hour Division. Photograph your actual postings (date the photo). For remote teams, send digital copies with a read receipt. Add to your audit checklist: "Postings reviewed and current as of [date]."


Phase 5: Employee Handbooks & Policies – Are Your Policies Legal and Enforced?

Outdated, vague, or contradictory policies create legal exposure. You're also liable for violations of policies you've promised but don't enforce uniformly.

What to audit:

  • Handbook completeness: Does it cover:

    • At-will employment statement (and any exceptions under state law)?
    • Anti-harassment, anti-discrimination, and retaliation policies?
    • Wage-and-hour practices (pay frequency, deductions, overtime, exempt vs. non-exempt)?
    • Paid time off (vacation, sick leave, holidays) accrual, use, and payout rules?
    • Performance management and termination procedures?
    • Confidentiality, intellectual property, and social-media guidelines?
    • Data security and device-use policies (especially if handling personal data)?
  • Legal accuracy: Review policies against your state's requirements. For example:

    • California requires employers to pay out accrued vacation upon termination.
    • New York requires a written notice to employees (NY Department of Labor, Form PF-1) describing wage and hour rules.
    • Connecticut requires a written notice of rate and frequency of pay.
  • Enforcement: Spot-check whether you have consistently applied your attendance, performance, and discipline policies, or whether a manager has bent the rules for favorites. Inconsistency can undermine a termination defense.

Action: Update handbook with current policy language (consult a local employment attorney for state-specific requirements). Ensure all managers sign an acknowledgment that they've read and understand the policies. Add policy review to your annual audit cycle.


Phase 6: Data Security & Privacy – How Are You Protecting Employee Data?

As a final step, audit how you store and access sensitive employee information (SSN, health data, background-check results, salary). Breaches or inadequate access controls trigger mandatory notifications and fines under state data-breach and privacy laws.

What to audit:

  • Data inventory: Catalog all systems storing employee data (payroll software, HRIS, email, shared drives, paper files). Which data do you collect (SSN, medical info, criminal history, banking details)?
  • Access controls: Who can view each data type? Payroll staff should not see health records; managers should not see HR investigations. Verify role-based access is enforced.
  • Security: Is sensitive data encrypted at rest and in transit? Are systems password-protected, and are login attempts audited? For cloud systems (SaaS), verify the vendor's security certifications (SOC 2, ISO 27001).
  • Breach protocol: If a breach occurs, can you identify affected individuals and notify them within your state's required timeframe (usually 30–45 days)? Do you have a written incident-response plan?

Action: Create a data-security matrix: data type, storage location, access controls, encryption status, retention period. Work with IT to close gaps (e.g., add encryption, revoke access, move files to secure folders). For more detail, see our sister product Breach Trigger, which alerts you to emerging privacy laws and breach trends.
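As an added illustration (not part of this article or its free template), the following Python script encodes the two access rules and the encryption and audit-log checks above against a constructed data-security matrix, and computes the Phase 6 metric used in the scoring section (percentage of systems that pass; target 90+). System names, roles, and settings are invented for the example.

```python
"""Constructed Phase 6 check: evaluate a data-security matrix (not the template's own code)."""
from dataclasses import dataclass

# Role/data-type pairs the article says must never coexist (encoding of its two access rules).
FORBIDDEN_ACCESS = {
    ("payroll", "health"),            # payroll staff should not see health records
    ("manager", "hr_investigation"),  # managers should not see HR investigations
}

@dataclass
class System:
    name: str
    data_types: set            # e.g. {"ssn", "banking"}
    roles_with_access: set     # roles granted read access
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    audit_logging: bool

def audit_system(s: System) -> list:
    """Return the list of findings for one system (empty means it passes every check)."""
    findings = []
    if not s.encrypted_at_rest:
        findings.append("sensitive data not encrypted at rest")
    if not s.encrypted_in_transit:
        findings.append("data not encrypted in transit")
    if not s.audit_logging:
        findings.append("login/access attempts not audited")
    for role in s.roles_with_access:
        for dtype in s.data_types:
            if (role, dtype) in FORBIDDEN_ACCESS:
                findings.append(f"role '{role}' can view '{dtype}' data")
    return findings

def data_security_score(systems: list) -> float:
    """Percentage of systems with no findings: the article's Phase 6 metric (target 90+)."""
    passing = sum(1 for s in systems if not audit_system(s))
    return round(100 * passing / len(systems), 1)

# Constructed sample inventory; names, roles and settings are invented.
SAMPLE_INVENTORY = [
    System("payroll-saas", {"ssn", "banking"}, {"payroll", "hr_admin"}, True, True, True),
    System("hris", {"ssn", "health"}, {"hr_admin", "payroll"}, True, True, True),
    System("shared-drive", {"hr_investigation"}, {"hr_admin", "manager"}, False, True, False),
    System("benefits-portal", {"health"}, {"hr_admin"}, True, True, True),
]

if __name__ == "__main__":
    for s in SAMPLE_INVENTORY:
        for f in audit_system(s):
            print(f"{s.name}: {f}")
    print(f"Phase 6 score: {data_security_score(SAMPLE_INVENTORY)}%")  # 50.0 for the sample
```

Each finding maps directly to a row in the data-security matrix the Action step asks for, so the output doubles as the remediation list for IT.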


Scoring and Prioritization

Use our free audit template to calculate a compliance score for your organization:

  • File completeness: Average score of all employee files (0–100). Target: 95+.
  • Wage-hour accuracy: Calculate back-pay liability as a percentage of annual payroll. Target: <0.5%.
  • Posting coverage: % of required postings displayed. Target: 100%.
  • Policy adherence: % of policies reviewed, updated, and consistently enforced. Target: 100%.
  • Data security: % of systems with encryption, access controls, and audit logs. Target: 90+.

Assign each gap a risk score (low, medium, high) based on likelihood of audit/lawsuit and dollar exposure. For example:

  • High risk: Misclassified employees (DOL focuses here; penalties: $5,000–$50,000+).
  • Medium risk: Missing postings ($200–$2,000 per violation).
  • Low risk: Outdated handbook language (fix during next review cycle).

Create a remediation task list: for each high-risk gap, assign an owner, deadline (30–90 days), and success criteria. Track in a shared spreadsheet or tool like Task Drain, which helps teams stay on top of compliance to-dos.


When to Repeat Your Audit

Run a full audit every 12–24 months, or immediately after:

  • A significant employment-law change in your state (wage increases, new classifications, paid-leave rules). Subscribe to HR Compliance Watch to stay informed.
  • A DOL inquiry, wage-and-hour complaint, or discrimination allegation.
  • A major operational change (opening a new state, remote expansion, significant headcount change).
  • A data breach or security incident.

Getting Help

This guide provides a framework; for specific legal advice tailored to your state and industry, consult an employment attorney. This content is informational only, not legal advice. Verify all requirements against your state DOL website and the federal Department of Labor before acting.

Start your audit today using our free template—download it from HR Compliance Watch and schedule a 30-minute kickoff with your HR and finance teams. Most companies complete the audit in 4–6 weeks and close 80% of gaps within 90 days.


Last updated: June 28, 2026. Data sourced from federal FLSA, OSHA, and state Department of Labor websites (public domain).
