Human resource management has become a very complex specialty because of the laws that govern how an organization manages its human capital.
Organizations are liable for improper human resource record keeping and file maintenance.
Having a well-defined process to audit the human resource function is imperative in safeguarding the organization from legal liability issues.
A process should be established to systematically review and maintain human resource files.
Particular areas of focus should be: I-9s, nondiscriminatory practices, HIPPA/medical privacy, record retention, record destruction, and personal information privacy.
We have created an HR file audit checklist to help you get started!
6 Human Resource Audits You Should Be Making
1. I-9 Records
Noncompliance with I-9 (employment eligibility verification) record-keeping can bring penalties.
Hence, it is essential to have a process in place to review all files and ensure that I-9 records are current and up-to-date.
Questions to ask:
- Are I-9 forms stored with security that controls access?
- What is the schedule to audit I-9 files?
- Are I-9 files kept in a separate location than employee personnel files?
2. Nondiscriminatory Practices
Documents that affect employment decisions should be maintained in employee files.
This is particularly important when social networking is used in hiring screening practices, or any other form of information gathering.
Documenting why one candidate was chosen over another is important information to keep on file.
This can be particularly important to comply with the Lily Ledbetter Fair Pay Act.
Questions to ask:
- Are EEO records securely stored and maintained in a separate file form the employee personnel file?
- Are EEO records only used for reporting purposes?
3. Medical Files
The Health Insurance Portability and Accountability Act (HIPPA) is intended to protect medical information privacy.
Violations can occur when patient information is shared without the patient’s permission.
Employers need to have specific procedures and policies in place to protect health information.
Medical information files should be kept and maintained separately from employee files.
Access to this information should be limited to a need-to-know basis only.
For example, an HR generalist may be the person communicating with the insurance company on specific aspects of an employee’s benefits and coverage for a particular medical condition.
This would warrant a need-to-know.
However, that employee’s supervisor may not have a need-to-know about the health condition.
Questions to ask:
- Are employee records containing medical information stored separately from employee personnel files?
- Are employee medical files stored in a secure location with limited access?
- How do you determine who needs to know about an employee’s medical condition?
4. Record Retention
Every state has different laws governing the retention of human resource records.
Both electronic and hard copy files should be kept.
But with electronic records becoming the norm, it is vital to ensure that access to electronic files is limited and controlled.
Questions to ask:
- Is there a written policy on record retention?
- Are terminated employee records securely stored?
- What is the process to destroy HR files once the retention period has expired?
- What is the schedule for identifying, destroying, and disposing of files?
- Are any files exempt from destruction once it meets retention criteria? For example, are files for employees involved in a lawsuit retained?
5. Employee Files
The human resources department has access to employee personal information.
Protection of personal information, such as social security number, home address, phone number, etc. should be considered confidential and shared only with a need-to-know basis.
A structured and systematic approach to human resource file audits can ensure the organization is prepared for an outside audit.
There should be policies and procedures in place to govern an organization’s practice on maintaining employee files.
Keep employee files up-to-date by conducting regularly scheduled file audits to ensure consistency in practice and compliance with policies.
Questions to ask:
- What is of maintaining files in a secure cabinet?
- How are passwords assigned for electronic file access?
- How are passwords revoked when an employee with access leaves employment?
- What is the process of removing personal and sensitive employee information from the file? For instance, a social security number.
- Are file audits done internally by staff or by an independent outside auditor?
- What is the policy for employee access to their HR file?
6. Electronic Files
Technology has come a long way, and many organizations now use electronic HR files.
While this new technology saves valuable time and resources, it can also pose some challenges.
Questions to ask:
- What policies and controls are in place to ensure that the information stored electronically is accurate and updated regularly?
- Is there an option to convert an electronic file to a paper printout if necessary?
- Is there a written policy for who has access to electronic files? How is that access controlled?
- How are passwords disseminated for those with access?
- How are passwords revoked when an employee with access leaves employment?
- How often is there a review of the technology to ensure that it meets changing HR needs?
- How are those with access trained to ensure proper use and protection of confidential information?
- How is the electronic data backed up?
The human resource function of a business is complex and requires constant review.
Depending on the size of the organization, file audits should be done on a semiannual basis.
For example, file audits should be part of the human resource departmental goals, which can be incorporated into an employee’s annual goals.
Incorporate the HR Audits into a performance management process so you can ensure that the time and focus is paid to this critical area.
How often do you audit your HR function?
