HR Audit: What It Is, the 7-Step Process, and a Complete Checklist
How to conduct an HR audit at a small business. 7-step process, 5 audit types, compliance checklist, common gaps, and how to fix them without an HR team.
HR Audit
How to review your HR compliance, find the gaps, and fix them
An HR audit is a structured review of everything your business does (and should be doing) related to employees: documentation, compliance, policies, classification, onboarding, and offboarding. The output is a list of gaps between what the law requires and what your company actually has in place, ranked by how much risk each gap creates.
Most HR audit guides assume you have an HR department. This one does not. If you are running a business with 5 to 50 employees, there is a good chance the founder, office manager, or operations lead is handling HR alongside everything else. The audit process is the same. The scope is simpler. And the stakes are just as high: a single I-9 violation carries fines from $252 to $2,507 per form, and FLSA misclassification can result in back pay plus liquidated damages for every affected employee. The HR laws guide covers every federal law by employee threshold.
What Is an HR Audit?
Think of an HR audit the way you think of a financial audit: it verifies that the records are accurate, the processes are followed, and the organization is meeting its legal obligations. The difference is that financial audits are often required by investors or regulators, while HR audits are typically voluntary. The fact that they are voluntary means most small businesses never conduct one, which is why the most common time for a small business to discover an HR compliance gap is when a government agency finds it first.
An audit is not a one-time fix. It establishes a baseline: here is what we have, here is what we are missing, here is the plan to close the gaps. After the first audit, annual reviews maintain the baseline and catch new requirements triggered by growth, new states, or regulatory changes. The HR rules and regulations guide covers the practical compliance steps that feed into every audit.
Why Small Businesses Need an HR Audit
Small businesses face the same employment laws as large companies but have fewer resources to track compliance. The laws do not scale down. A 20-person company must complete I-9s with the same rigor as a 2,000-person company, maintain the same OSHA logs, and follow the same FLSA classification rules. The difference is that a 2,000-person company has an HR team checking these things. A 20-person company usually does not. SHRM estimates the average cost of replacing a single employee at over $4,700, which means compliance gaps that lead to preventable turnover carry a concrete financial cost beyond fines.
Three situations make an audit especially urgent. First, you have never conducted one. If your business has been operating for more than a year and has never reviewed its HR documentation and compliance, there are almost certainly gaps. Second, you recently crossed an employee threshold. At 15 employees, Title VII, ADA, and GINA apply. At 20, ADEA and COBRA. At 50, FMLA and ACA. Each threshold adds legal obligations that did not exist at the previous headcount. Third, you expanded into a new state. Each state adds its own wage, leave, anti-discrimination, and reporting requirements. The compliance hub covers requirements for all 50 states.
Research from the Work Institute consistently shows that 20% of employee turnover occurs within the first 45 days. An onboarding audit specifically often reveals why: paperwork is incomplete, training is inconsistent, and new hires are not receiving the structured first-week experience that correlates with retention.
5 Types of HR Audits
Not every audit needs to cover everything. The five types below are listed in order of priority for businesses that have never conducted an audit. Start with compliance and documentation, then expand to the others annually.
For a first-time audit at a company with 15 to 30 employees, a combined compliance and documentation audit is the right starting point. These two types catch the highest-risk gaps (missing I-9s, misclassified employees, unsigned policies) and produce the most actionable remediation list. The employee vs contractor guide covers the classification test in detail.
When to Run Your First HR Audit
| Trigger | Why It Matters | What to Audit |
|---|---|---|
| You have never conducted one | Gaps accumulate over time. The longer you wait, the larger the remediation effort. | Full compliance and documentation audit |
| You crossed 15 employees | Title VII, ADA, GINA, Pregnancy Discrimination Act, and PWFA now apply | Anti-discrimination policies, reasonable accommodation process, EEO poster |
| You crossed 20 employees | ADEA and COBRA apply | Age discrimination policy, COBRA notification process |
| You crossed 50 employees | FMLA and ACA employer mandate apply | Leave policy, health insurance offering, FMLA eligibility tracking |
| You hired in a new state | State employment laws now apply to those employees | State-specific wage, leave, posting, and reporting requirements |
| You received a complaint or agency notice | Immediate compliance review needed | Targeted audit of the specific area cited |
| It has been more than 12 months since your last audit | Laws change annually, records accumulate gaps | Annual refresh of full compliance checklist |
The threshold crossings are the most commonly missed triggers. Most founders do not realize that hiring their 15th employee changes their legal obligations. An audit at that point takes 2 to 4 hours and catches whether you have the required policies, posters, and processes in place. The HR processes guide covers the core workflows that should be in place at each threshold.
The HR Audit Process: 7 Steps
This process works whether you are conducting the audit yourself or briefing a consultant. The steps are the same at every company size. The scope and depth scale with your headcount.
Step 1: Define the Audit Scope
Decide what you are auditing. A first-time audit should cover compliance (are we meeting legal requirements?) and documentation (are employee files complete?). You can expand to onboarding, classification, and policies in subsequent audits. Trying to audit everything at once on your first attempt is overwhelming and unnecessary. Focus on the areas with the highest legal risk first.
Step 2: Gather All HR Documents and Records
Collect every employee file, including I-9 forms, W-4s, signed offer letters, handbook acknowledgments, emergency contacts, training records, performance documentation, and any signed policies. If files are scattered across filing cabinets, email attachments, and Google Drive folders, this step will take the longest. It also reveals your first finding: if gathering the documents is difficult, the organization system is a gap.
Step 3: Build Your Compliance Checklist
Create a checklist of requirements based on your employee count and the states where you have employees. The HR functions guide covers the 8 core areas to include in your checklist. Your state-specific requirements come from your state's labor agency. The checklist should include every document that should exist, every poster that should be displayed, every training that should be completed, and every process that should be in place.
Step 4: Review Each Item Against the Checklist
Go through every employee file and every HR process, checking each item against your requirements list. For each item, mark it as: compliant (present and correct), incomplete (present but missing information), or missing (not present at all). This is the most time-consuming step. For 25 employees, expect 4 to 8 hours depending on how organized your files are.
Step 5: Identify and Categorize Gaps
List every gap found during the review. Categorize each as high risk (creates legal exposure, such as missing I-9s or misclassified employees), medium risk (creates process failure, such as inconsistent onboarding or missing training records), or low risk (best practice improvement, such as outdated emergency contacts or missing optional policies).
Step 6: Prioritize by Legal Risk
Address high-risk gaps first. The prioritization is straightforward: items that carry fines or legal exposure come before items that are best-practice improvements. Missing I-9s, misclassified employees, missing required training, and unsigned handbook acknowledgments are almost always at the top of the list. The record retention guide covers which documents must be kept and for how long.
Step 7: Create a Remediation Plan
Assign each gap an owner, a deadline, and a specific action. Track completion. Schedule a follow-up review in 90 days for high-risk items to verify they were closed. The remediation plan is the output of the audit. Without it, the audit is just a list of problems. The HR operations guide covers how to build the operational systems that prevent gaps from recurring.
HR Audit Checklist for Small Businesses
| Category | Audit Item | Required For |
|---|---|---|
| Employee Files | I-9 completed and signed for every employee | All employers (1+ employees) |
| Employee Files | W-4 on file for every employee | All employers |
| Employee Files | Signed offer letter or employment agreement | Best practice (strongly recommended) |
| Employee Files | Signed employee handbook acknowledgment | Best practice (required in some states) |
| Employee Files | Emergency contact information | Best practice |
| Employee Files | Personnel, medical, and I-9 files stored separately | ADA, GINA (15+ employees) |
| Compliance | Federal and state labor law posters displayed | All employers |
| Compliance | New hire reports filed with state within 20 days | All employers |
| Compliance | OSHA 300 log maintained (if 10+ employees in most industries) | OSHA (10+ employees) |
| Compliance | EEO-1 report filed (if 100+ employees) | EEOC (100+ employees) |
| Classification | Each role documented as exempt or non-exempt | FLSA (all employers) |
| Classification | Salary meets minimum threshold for exempt classification | FLSA |
| Classification | Workers classified as employees vs contractors correctly | IRS, DOL (all employers) |
| Policies | Employee handbook exists and is current | Best practice (required content varies by state) |
| Policies | Anti-harassment policy included | Required in many states |
| Policies | At-will employment statement included | Best practice (all at-will states) |
| Policies | Equal employment opportunity statement | Required for 15+ employees |
| Training | Anti-harassment training completed where required by state | CA, NY, IL, CT, DE, ME, and others |
| Training | Safety training completed for applicable industries | OSHA (industry-specific) |
| Onboarding | Consistent onboarding process documented | Best practice |
| Onboarding | Onboarding completion rate tracked | Best practice |
| Offboarding | Exit process documented and followed | Best practice |
| Offboarding | Final pay delivered within state-required timeline | State law (varies) |
| Records | Records retained for required periods by document type | FLSA, OSHA, Title VII, ERISA |
This checklist covers federal requirements and the most common state-level requirements. Your specific state may have additional obligations. The personnel file guide explains what goes in each file category and the required separation. For the onboarding-specific compliance steps, the compliance onboarding guide covers every task from offer acceptance through Day 90.
The 5 Most Common Gaps Small Businesses Find
| Gap | Why It Happens | How to Fix It |
|---|---|---|
| Missing or incomplete I-9s | Completed late, Section 2 skipped, not re-verified for rehires | Audit every I-9 on file. Complete missing ones immediately. Set up a system to ensure completion by Day 3 for every future hire. |
| Employees misclassified as exempt | Job title confused with classification. 'Manager' title given but duties are non-exempt. | Review each exempt classification against the FLSA duties test. Reclassify and adjust pay going forward for any misclassified roles. |
| Missing signed handbook acknowledgments | Handbook was emailed but never signed. Updated handbook distributed without collecting new signatures. | Re-distribute the current handbook with e-signature. Collect signed acknowledgments from every current employee. |
| Inconsistent onboarding process | First few hires got thorough onboarding. Later hires got less as the founder got busier. | Document a standard onboarding checklist. Use task workflows to ensure every hire receives the same process. |
| Outdated or missing labor law posters | Posters from year of founding never updated. Remote employees never received required notices. | Order current federal and state posters. Send electronic notices to remote employees. |
These five gaps appear in the majority of first-time audits at companies that have grown to 15 to 30 employees without dedicated HR. The good news: all five are fixable within 2 to 4 weeks. The employee file organization guide covers the three-file system that prevents documentation gaps from recurring. For the handbook specifically, the employee handbook guide covers what to include and the sample handbook provides copy-paste language.
How an HRIS Makes Audits Faster
The most time-consuming part of an audit is gathering and verifying documents. If employee files are scattered across filing cabinets, Google Drive folders, email attachments, and the founder's laptop, the gathering phase alone can take days. An HRIS with document management eliminates this problem because the documents are already centralized, organized, and searchable.
| Audit Task | Without HRIS | With HRIS |
|---|---|---|
| Gathering I-9s | Check filing cabinet, scan email, call former office manager | Search by document type, export list of missing forms |
| Verifying handbook acknowledgments | Search email for signed PDFs, check physical files | Filter employees by signed/unsigned status |
| Checking training completion | Review email confirmations, ask managers | Dashboard showing completion rates by employee |
| Verifying classification | Review spreadsheets, check payroll records | Employee profiles with classification field and audit trail |
| Generating audit report | Manual compilation from multiple sources | Export structured report from employee database |
A platform like FirstHR handles the document layer that audits depend on: e-signature for collecting signed documents, document management for storing and organizing them, employee profiles with classification and compliance fields, and training modules with completion tracking. When audit time comes, the data is already there. The HRIS guide covers what to look for in a platform. For the broader question of how these systems support ongoing compliance, the HR technology guide covers the full landscape.
Frequently Asked Questions
What is an HR audit?
An HR audit is a systematic review of an organization's HR policies, practices, documentation, and compliance status. The goal is to identify gaps between what the company should be doing (based on federal and state employment law) and what it is actually doing. An HR audit covers areas like employee documentation (I-9s, W-4s, signed policies), classification (exempt vs non-exempt), compensation practices, onboarding and offboarding processes, and required training. The output is a prioritized list of gaps with remediation steps.
How do you conduct an HR audit?
The HR audit process has seven steps: (1) Define the scope by choosing which areas to audit. (2) Gather all employee documentation and HR records. (3) Build a checklist of requirements based on your employee count and state. (4) Review each document and process against the checklist. (5) Identify gaps where requirements are not met. (6) Prioritize gaps by legal risk and impact. (7) Create a remediation plan with deadlines and owners. A first-time audit for a company with 15-30 employees typically takes 8-16 hours spread over 1-2 weeks.
How often should you do an HR audit?
Annually for a comprehensive review. Additionally, conduct a focused audit whenever you cross an employee threshold that triggers new legal requirements (15 employees for Title VII and ADA, 20 for ADEA and COBRA, 50 for FMLA and ACA). State law changes, new hire spikes, and expansion into new states are also triggers for targeted audits. Companies in regulated industries or those that have experienced recent complaints should audit more frequently.
Who should conduct an HR audit?
At a small business without an HR department, the founder or operations manager can conduct the audit using a structured checklist. For the first audit, consider hiring an HR consultant (typically $2,000-$5,000 for a company under 50 employees) to establish a baseline. Subsequent annual audits can be done internally if you use the same framework. For compliance-sensitive areas like wage and hour classification, an employment attorney review is worthwhile even if the rest of the audit is done internally.
What does an HR audit checklist include?
A comprehensive HR audit checklist covers: employee files (I-9 for every employee, W-4, signed offer letter, handbook acknowledgment, emergency contact), compliance (labor law posters, new hire state reporting, required training records), classification (exempt vs non-exempt documentation for each role), policies (employee handbook with required policies for your state, anti-harassment policy, at-will statement), onboarding (consistent process documentation, compliance paperwork completion rates), and record retention (files kept for required periods by document type).
What are the types of HR audits?
The five main types are: compliance audit (reviews legal requirements by federal and state law), documentation audit (checks completeness of employee files), onboarding and offboarding audit (evaluates process consistency), compensation and classification audit (verifies exempt/non-exempt status and pay equity), and policy and handbook audit (reviews handbook for required and outdated policies). Most small businesses should start with a compliance and documentation audit because these carry the highest legal risk.
How much does an HR audit cost?
A self-conducted audit costs only time: 8-16 hours for a company with 15-30 employees. Hiring an HR consultant for a first-time audit typically costs $2,000 to $5,000 for companies under 50 employees. A full audit from a specialized firm ranges from $5,000 to $15,000 depending on company size and complexity. The cost of not auditing is usually higher: I-9 violations carry fines of $252 to $2,507 per form, FLSA misclassification can result in back pay plus liquidated damages, and missing required training exposes the company to liability.
Can I do an HR audit without an HR department?
Yes. Most small businesses conduct their first HR audit without dedicated HR staff. The key is having a structured checklist that covers federal and state requirements for your employee count, a system for organizing employee files (personnel, medical, and I-9 files stored separately), and a clear process for tracking what you find. HR software with document management and compliance tracking makes the audit significantly faster because the data is already organized and searchable rather than scattered across folders and email.