HR Records Audit: What Records Should Your HR Team Audit?
Properly maintaining records is one of the most important responsibilities of any HR department, as improper record-handling can lead to regulatory violations, fines, lawsuits, and reputational damage.
In addition to helping your company avoid these liabilities, conducting an HR audit can expedite corporate processes by identifying areas of inefficiency and financial waste.
The more heavily regulated your industry, the more important it is to ensure your HR practices are buttoned up. In this post, we'll highlight which key HR records to target during an audit and why.
Personnel Files
Although each company has its own system for organizing personnel files, every business should be sure to audit the following:
- Performance records: Performance information is vital when evaluating employees for a promotion or raise, so it’s important to regularly update these records using the required level of detail.
- Disciplinary warnings: Written and verbal disciplinary warnings must be promptly and thoroughly documented, as failure to do so could put the company at risk of being unprepared to handle repeat offenses or even lawsuits.
- Security and access: Whether files are physical or digital, access must be restricted to the managers and administrators who need it, and that restriction should be verifiable: a documented list of who can open the cabinet or the folder, and a record of who actually did.
Audits of personnel files should also consider the following:
- Storage: Are personnel files stored with other types of files that may have tighter or less stringent access restrictions?
- Employee access: Is each employee permitted to look at their own records and no one else’s?
- Level of organization: Are files easy to access and use? If someone has a question, can you quickly consult the relevant file and provide an answer?
Medical Records
Each country has its own laws that must be adhered to. In the United States, the Americans with Disabilities Act (ADA), the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) restrict how medical information may be stored and disclosed. In Europe, the General Data Protection Regulation (GDPR) treats health data as a special category of personal data and provides similar protections.
With this in mind, your company should have strict, clearly written processes to ensure that employees' medical records are accessed only by approved individuals for permitted purposes, such as an insurer validating an individual's coverage.
Moreover, medical and personnel files should be kept separate. When you audit medical records, check that:
- Access is limited
- The list of people with access is documented
- The files are not commingled with other types of records
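The checks above for personnel files (access restricted to the people who need it, employees seeing only their own records, no storage alongside files under different controls) and for medical files (limited access, a documented access list, kept separate) can be run as an automated audit over a file inventory and an access log. The Python script below is an added example written for this post, not code from the original article or from any HR product; the file records, roles, user ids, storage paths and log entries are all constructed assumptions.

```python
"""Audit personnel and medical file access against the checks in this post.

Added example for this post, not a vendor's or the article's own code.
All records, roles, users and paths below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Roles approved to open each kind of file. Medical files get a narrower
# list than personnel files (hypothetical role names).
APPROVED_ROLES = {
    "personnel": {"hr_admin", "line_manager"},
    "medical": {"hr_admin", "benefits_insurer"},
}


@dataclass
class HRFile:
    file_id: str
    subject: str             # employee the record is about
    kind: str                # "personnel" or "medical"
    location: str            # cabinet or folder where it is stored
    acl: Optional[Set[str]]  # documented user ids with access; None = undocumented


@dataclass
class AccessEvent:
    user: str
    role: str
    file_id: str


def audit(files: List[HRFile], events: List[AccessEvent]) -> List[str]:
    """Return one finding per violation of the separation and access rules."""
    findings = []
    by_id = {f.file_id: f for f in files}

    # Rule 1: medical files must not be commingled with personnel files.
    kinds_at = {}
    for f in files:
        kinds_at.setdefault(f.location, set()).add(f.kind)
    for loc, kinds in kinds_at.items():
        if {"personnel", "medical"} <= kinds:
            findings.append(f"commingled: {loc} holds personnel and medical files")

    # Rule 2: the people with access to every file must be documented.
    for f in files:
        if f.acl is None:
            findings.append(f"undocumented access list: {f.file_id}")

    # Rule 3: each access is either the subject reading their own record, or a
    # user in an approved role who is also on the file's documented list.
    for e in events:
        f = by_id.get(e.file_id)
        if f is None:
            findings.append(f"unknown file: {e.file_id} read by {e.user}")
            continue
        if e.role == "employee" and e.user == f.subject:
            continue
        if e.role not in APPROVED_ROLES[f.kind] or not f.acl or e.user not in f.acl:
            findings.append(
                f"unauthorized: {e.user} ({e.role}) read {f.file_id} ({f.kind})"
            )
    return findings


# Constructed sample inventory: two files for one employee share a folder,
# and one personnel file has no documented access list.
SAMPLE_FILES = [
    HRFile("P-100", "alice", "personnel", "/hr/personnel", {"hr1", "mgr1"}),
    HRFile("M-100", "alice", "medical", "/hr/personnel", {"hr1"}),
    HRFile("P-101", "bob", "personnel", "/hr/personnel", None),
]

# Constructed access log.
SAMPLE_EVENTS = [
    AccessEvent("alice", "employee", "P-100"),         # own record: allowed
    AccessEvent("bob", "employee", "P-100"),           # someone else's record
    AccessEvent("mgr1", "line_manager", "P-100"),      # on the list: allowed
    AccessEvent("mgr1", "line_manager", "M-100"),      # managers not approved for medical
    AccessEvent("ins1", "benefits_insurer", "M-100"),  # approved role, but not on this file's list
    AccessEvent("hr1", "hr_admin", "M-100"),           # allowed
]


def run_sample() -> List[str]:
    return audit(SAMPLE_FILES, SAMPLE_EVENTS)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Run against the constructed data, the audit reports the shared folder, the undocumented access list, and three unauthorized reads: an employee opening a colleague's file, a line manager opening a medical file, and an insurer in an approved role who is nonetheless not on that file's documented list. The last case is the one that is easy to miss when an audit checks roles alone.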
Identification Forms
Employers and regulators use identification forms to determine whether employees are legally authorized to work in a given country. In the EU, a valid identity card or passport from a member state is used to verify an individual's identity and eligibility to work. In the U.S., Form I-9, Employment Eligibility Verification, serves this purpose.
In the U.S., sanctions for improper paperwork have grown more expensive over the years. SHRM reported the following in 2020:
”The minimum fine per individual for paperwork or technical violations increased from $230 to $234, while the maximum fine increased from $2,292 to $2,332. Fines for knowingly hiring or continuing to employ unauthorized workers went up as well. The range for a first offense went from $573–$4,586 to $583–$4,667.”
As part of an I-9 audit, confirm that every form is complete (both the employee's section and the employer's attestation), that the supporting documents recorded were valid and unexpired when they were examined, and that forms are retained for as long as the law requires (three years after the date of hire or one year after termination, whichever is later).
Disposal of Outdated Records
After a certain period has elapsed, records pertaining to employees and contractors who no longer work for the company can be destroyed. In the U.S., the Fair and Accurate Credit Transactions Act of 2003 (FACTA) requires any business that obtains employee information through a consumer report to dispose of it properly once it is no longer needed: physical records shredded or burned so that they cannot be reconstructed, and digital records wiped rather than merely deleted, wherever copies exist (including backups).
Similar rules apply in the UK, where the Chartered Institute of Personnel and Development (CIPD) recommends not keeping records “any longer than is necessary for a legitimate purpose.” That said, specific kinds of records — including application and recruitment documents, training records, and parental leave requests — do have minimum retention periods. As NaturalHR explains, the GDPR requires employers to demonstrate why they’re keeping personal data, so companies should be prepared to destroy outdated records unless there is a good reason to retain them.
To ensure compliance with regulations on outdated records, conduct a yearly file audit. This should include auditing the disposal process itself: who authorized each destruction, what was destroyed, how, and when.
Time Records
For non-salaried employees, pay depends on time sheets. The accuracy of these records is vital, as time sheets are a company's primary defense in wage-and-hour disputes. Audits should compare time cards against payroll to catch discrepancies in either direction: hours worked but not paid are the wage-claim risk, while hours logged but not worked are the fraud risk.
In addition, a time record audit should evaluate the actual system used to track employee time by considering the following:
- Employee training: Have all employees been trained on using the system correctly?
- Data validity: Does the system capture what accurate time records require, such as clock-in and clock-out times, breaks and overtime, and are after-the-fact edits to those entries logged with who made them and why?
- Relevant policies: Are time-related expectations clearly delineated and communicated?
Equal Employment Opportunity Records
Equal Employment Opportunity (EEO) laws require companies to treat all people equally with respect to hiring, promotions, compensation, benefits and termination, regardless of race, gender, religion and other protected characteristics. According to the U.S. Equal Employment Opportunity Commission:
“EEOC regulations require that employers keep all personnel or employment records for one year. If an employee is involuntarily terminated, his/her personnel records must be retained for one year from the date of termination.”
Many other countries have similar laws. For example, New South Wales's Anti-Discrimination Act 1977 prohibits Australian employers in that state from discriminating on grounds including race, sex, age, disability and sexual orientation.
To ensure EEO compliance, confirm that policies are in place to retain former employees' files for at least one year from termination, and that all compensation and promotion decisions are adequately documented. In the event of an EEO complaint, you will need robust records to demonstrate compliance.
Don't Forget Data Security
Companies hold an enormous amount of employee data, from identification forms and medical records to compensation and performance information. Failing to protect that data from breaches or unauthorized access can lead to lawsuits and fines for noncompliance.
To ensure robust data security, audit the systems that hold HR records against current best practice: role-based access with least privilege, multi-factor authentication for administrators, encryption of data at rest and in transit, access logging that someone actually reviews, and an offboarding step that revokes access promptly. Then work with your IT team to identify and implement a platform that provides the level of security your industry requires.
The Bottom Line
Although every business is different, most employers are required to collect and maintain personnel files, medical files, identification forms, time records, and EEO records — as well as to maintain data security and facilitate compliant disposal of outdated records. While regular audits of these key HR records may seem daunting and costly, they are much less expensive than the lawsuits, fines, and reputational damage that can come with poor record-handling.
Now that you know what records need to be audited, it's time to put a process in place. Read "How to Create a Robust HR Records Audit Process" to get started.