Human resources professionals may shudder at the sound of an “audit.” For starters, it is difficult to make available the time and personnel needed for day-to-day work. And what if the audit uncovers “bad news?”
To answer the second question first, it is far better to discover problems internally, before outside agencies or lawyers do so. As for the first point, a well-planned and executed human resources audit may prevent or reduce potential employment law liabilities, saving money and time.
What is a Human Resources Audit?
A Human Resources Audit (“HRA”) usually involves looking at historical practices to assess legal risks, as well as to understand ingrained institutional behaviors. The audit’s subjects may include issues like onboarding procedures, wage practices, compliance with anti-harassment or discrimination policies, Form I-9 compliance, other recordkeeping requirements, and more. Some HRAs are more records-intensive. Others probe matters such as a department’s turnover, reasons for employee dissatisfaction, or compliance with policies and adherence to employer values.
The HRA may be comprehensive, or may be limited to one or two narrow issues. The subject matter, scope, and the form of the auditor’s output depend on the organization’s priorities, resources, and desires.
Why Conduct a Human Resources Audit?
The HRA helps organizations identify potential areas for correction and improvement. They allow organizations to proactively address risks and vulnerabilities. Regular audits allow even vigilant and compliant organizations to review their practices in light of changes to the law, shifts in technology, and the changing needs and nature of the workforce.
Who Conducts Human Resources Audits?
HRAs may be performed by internal or external personnel. Each option has its own potential advantages and disadvantages. Management must consider the time involved, other duties, subject matter expertise, confidentiality, and whether there are conflicts of interest precluding an effective audit.
Larger employers may employ dedicated auditors within their accounting, legal compliance, or risk management departments. In other businesses, an internal, experienced HR professional or in-house attorney may conduct a self-audit, depending on the subject and complexity.
Third-party professionals, such as consultants, law firms, and even accounting firms may offer HRA services. External auditors are able to devote the needed time to the work, and have necessary subject matter expertise. However, they obviously lack internal “institutional” knowledge, and will require cooperation.
To state the obvious, external auditors also must be paid, so budgeting is a concern. Attorneys and CPAs likely will cost more than HR consultants.
When deciding who should conduct an HRA, employers must consider the potential vulnerabilities that could be exposed, which may be discoverable in the event of litigation or a government investigation. A retained or in-house attorney’s audit is most likely to remain privileged from disclosure. That privilege may be important in the event of litigation.
An internal audit conducted by a non-lawyer is likely discoverable, on the other hand. Audit results exposing potential liability issues naturally are potentially disastrous. Courts generally do not recognize a “self-critical analysis” privilege.
Even a report that might qualify as attorney-client privileged or attorney work-product will lose its protection, if the privilege is waived. Employers must ensure audit results are maintained with confidentiality in mind. Dissemination or non-secure storage of audit results can result in waiver of otherwise privileged information. In addition, non-privileged audit results could be leaked outside the organization to third parties, such as lawyers or government agencies.
How to Choose an Auditor
Management should consider factors such as an auditor’s availability, subject matter expertise, experience conducting audits, cost, and the privilege issues. In addition to existing relationships with consultants and law firms, employers may have access to referrals from professional networks or organizations. Auditors should be willing to meet, answer questions, submit a proposal including a timeline, and provide references. Management should assess whether the auditor’s approach, demeanor, etc. will be a good fit for the organization as well.
An HRA generally involves gathering information and documents, and then reporting on the results. The auditor will review static documents like forms, handbooks, policies, and notices. Some HRAs will require electronic data, such as communications, payroll databases or electronic personnel records.
Interviews will be important aspects of many HRAs. The auditor may interview HR or payroll management. Depending on the audit subjects, it may be necessary to speak with line managers, or even hourly employees. Another key part of the planning process will be anticipating questions from managers and employees, and how to deal with suspicion, lack of cooperation, interference, or even unanticipated reports of unlawful or non-compliant activity.
The auditor typically will prepare a report summarizing opportunity areas and potential risks. As stated, management must plan for confidentiality and privilege issues. The auditor may offer recommendations to address area of vulnerability.
The purpose of the HRA is to identify issues, confirm what works well, and implement needed improvements. If an HRA identifies problem areas, management must work with counsel to formulate options, prioritize, and sound strategies for implementation. Depending on the organization’s relationship with the auditor, the auditor may or may not be involved in implementing recommended changes.
Some may elect to deal with lower cost, easily fixable problems first, like simple changes to outdated forms or policies. At the same time, it may be necessary to promptly deal with larger systemic problems like restructuring processes, changing vendors or amending vendor agreements, or adjusting pay practices.
HRAs are a valuable opportunity for an organization to identify potential problems before they escalate—in litigation, in the press, or even internally. Properly planned and implemented, they may prevent more headaches than they cause and lead to better processes and a better-run organization.