Overview
Compliance of HR is the practice of aligning all people policies, processes, and records with applicable labor, employment, privacy, and safety laws while documenting proof of adherence. Done well, it cuts fines and litigation risk. It also builds trust and improves performance.
For context, the federal minimum wage is $7.25/hour (U.S. DOL). The FMLA provides up to 12 workweeks of unpaid, job‑protected leave for eligible employees (U.S. DOL).
Compliance isn’t just “checking boxes.” It’s designing repeatable workflows that prevent errors and prove diligence during audits. A practical program pairs clear ownership with templates, training, and audit trails so you can scale without surprises.
Compliance of HR vs. “HR compliance” (and why the wording matters)
The terms are synonymous in practice. Both refer to ensuring HR policies and procedures meet employment law requirements and are consistently executed and documented.
The nuance matters mainly for search and document naming conventions. Use the phrasing your employees will recognize (“HR compliance policy” beats “compliance of HR policy”) and the phrase customers or candidates expect on your site.
In your documentation, keep titles plain and consistent (e.g., “Wage and Hour Compliance Policy”). Align folder and file names with the policy index for quick retrieval during audits.
In risk discussions, distinguish “compliance” (following specific rules) from “HR risk management” (prioritizing broader people risks and controls).
Legal frameworks and headcount thresholds
Different laws apply as you grow. Knowing your headcount triggers prevents accidental noncompliance.
While many rules apply regardless of size, several federal statutes turn on employee thresholds. Most employers with more than 10 employees must keep OSHA injury and illness records (OSHA).
Use this quick-reference guide to spot your obligations by size:
- 1+ employees: Form I‑9 for work eligibility; FLSA wage and hour rules; OSHA general duty to provide a safe workplace.
- 10+ employees: OSHA injury/illness recordkeeping for most industries.
- 15+ employees: Title VII (anti‑discrimination/harassment), ADA, and GINA coverage.
- 20+ employees: ADEA (age discrimination) coverage; COBRA continuation for group health plans.
- 50+ employees: FMLA (50 employees within 75 miles), ACA employer shared responsibility (50+ full‑time equivalents).
- 100+ employees: EEO‑1 Component 1 reporting for most private employers.
State and local laws (paid sick leave, wage statements, pay transparency, harassment training, meal/rest rules) add additional obligations. Localize your policy set anywhere you have employees.
U.S. anchors: wage and hour (FLSA), anti-discrimination (EEOC), safety (OSHA), leave (FMLA), benefits (ERISA), eligibility (I‑9)
Core HR compliance rests on a few pillars.
Under the FLSA, ensure correct minimum wage, overtime eligibility, and timekeeping. Exemptions hinge on salary basis/level and duties.
EEOC‑enforced laws (Title VII, ADA, ADEA, GINA) prohibit discrimination, harassment, and retaliation. Coverage thresholds are noted above.
OSHA requires a safe workplace and specific training. It also requires injury/illness recordkeeping (300/300A) and prompt reporting of serious incidents.
FMLA gives eligible employees up to 12 weeks of unpaid, job‑protected leave. It demands notices, tracking, and job restoration.
ERISA governs benefit plan fiduciary duties, SPDs, and certain filings (e.g., Form 5500 for larger plans).
Form I‑9 is required for every new hire. Complete Section 1 on or before day 1 and Section 2 within three business days. Retain for three years after hire or one year after termination, whichever is later.
Global highlights: GDPR, cross‑border hiring, and local regulators
If you employ or recruit in the EU/UK, GDPR applies to employee/candidate data. It requires a lawful basis, transparency, minimization, access rights, security, and cross‑border transfer safeguards.
For non‑U.S. hiring, expect localization in contracts, benefits, leave, and termination processes. Engage local counsel or an EOR to avoid permanent establishment and misclassification risks.
Build a data map early to handle data residency and transfer needs confidently.
HR compliance checklist by function
A tight HR compliance checklist turns ambiguity into action. It keeps you audit‑ready even as you scale.
Use the following high‑level list to spot quick wins before diving into each functional area.
- Confirm headcount thresholds and required postings by location.
- Validate I‑9 and E‑Verify processes and retention.
- Reconfirm wage/hour classifications, timekeeping, and overtime.
- Refresh anti‑harassment/discrimination policies and training.
- Review OSHA training, incident logging, and reporting.
- Lock down data access, retention, and breach response.
- Align benefits/leave notices and processes with ERISA/FMLA/state laws.
- Document investigations, disciplinary actions, and accommodations.
The sections below expand each area with practical, prioritized steps your team can execute.
Recruiting and hiring
Hiring creates early‑stage compliance risk that’s easy to prevent with disciplined process and documentation.
- Write job ads with essential functions and nondiscrimination/EOE language; avoid “screen‑out” terms.
- Use structured interviews; prohibit unlawful questions (age, disability, family status) and salary history where banned.
- Run background checks only after conditional offers; provide FCRA disclosures/authorizations and adverse action notices.
- Disclose and audit AI or automated assessments where required (e.g., notice/bias testing in certain jurisdictions).
- Complete I‑9s on time; track reverification dates; use the authorized remote verification method only if eligible.
- Keep hiring records (applications, interview notes, adverse action) per retention rules; train managers on do’s and don’ts.
Strong intake, consistent rubrics, and clean documentation reduce bias risk and simplify responses to EEOC inquiries.
Wages and hours
Wage/hour is a top enforcement target, and small classification mistakes compound quickly.
- Classify roles correctly (exempt vs. nonexempt) using duties and salary basis tests.
- Pay at least applicable minimum wage and overtime (1.5x) for nonexempt hours over 40/week or as state law requires.
- Use reliable timekeeping; prohibit off‑the‑clock work; pay for training, travel, and on‑call time as required.
- Honor meal/rest breaks and compliant rounding; include required pay‑stub elements and timely final pay.
- Review independent contractor arrangements against federal/state tests; adjust where risk is high.
Quarterly self‑audits of timecards, overtime, and job descriptions prevent expensive course corrections later.
Employee benefits and leave
Benefits and leave rules sit at the intersection of ERISA, COBRA, ACA, FMLA, and state programs.
- Provide SPDs and required notices; file plan documents and forms as applicable.
- Implement FMLA processes (eligibility checks, notices, tracking, job restoration) for covered employers.
- Administer COBRA continuation timely after qualifying events for eligible plans.
- Coordinate ADA accommodations with leave; integrate state paid sick/family leave rules.
- Maintain accurate eligibility, enrollment, and dependent verification records.
Document every leave determination and communication to streamline audits and reduce retaliation claims.
Workplace safety and health
Safety obligations apply to all employers, with recordkeeping and reporting for most.
- Deliver required OSHA training and hazard communication; maintain written programs where required.
- Log work‑related injuries/illnesses (300), post the annual summary (300A), and report severe incidents on time.
- Conduct routine hazard assessments and corrective actions; document inspections and follow‑ups.
- Ensure workers’ comp coverage; coordinate return‑to‑work with HR and managers.
- Include remote and hybrid safety guidance (ergonomics, incident reporting).
Regular safety walk‑throughs and quarterly log reviews keep you ahead of inspections and claims.
Data privacy and security
HR holds sensitive personal and health data that must be protected by design and by default.
- Map HR data (what, where, who can access); apply least‑privilege, role‑based access, and MFA.
- Encrypt data in transit/at rest; enable audit logs; restrict exports and downloads.
- Set and enforce a data retention schedule; purge data when no longer needed.
- Run DPIAs/PIAs for high‑risk processing (monitoring, biometrics, AI assessments).
- Apply HIPAA safeguards for group health plan PHI; segregate employment records from PHI.
Annual access reviews and incident response drills dramatically reduce breach impact and regulatory exposure.
Employee relations, harassment, and discipline
Solid ER processes prevent small issues from becoming legal crises.
- Publish anti‑harassment and anti‑retaliation policies; provide multi‑channel complaint intake (including anonymous).
- Acknowledge and triage complaints promptly; assign impartial investigators.
- Use a consistent investigation protocol; document facts, findings, and corrective actions.
- Train managers on documentation and consistency; apply progressive discipline fairly.
- Track closure, follow‑ups, and no‑retaliation checks.
A consistent, documented workflow is your strongest defense in EEOC or state agency reviews.
Union and labor relations
Even non‑union workplaces are governed by the NLRA’s protection of concerted activity.
- Avoid policies or actions that interfere with, restrain, or surveil protected activity.
- Honor NLRA election rules and timelines; respect Weingarten rights where applicable.
- For unionized sites, follow the CBA on wages, hours, and working conditions; meet bargaining obligations.
- Train managers on what they can and can’t say or do during organizing.
Clear boundaries and training help you navigate employee rights without escalating risk.
Immigration compliance
Immigration compliance is a documentation exercise with strict timelines.
- Complete Form I‑9 on time; make corrections per USCIS guidance—never backdate.
- Reverify only when required; never reverify U.S. citizens or permanent residents due to expired documents.
- Retain I‑9s for the proper period and purge promptly when eligible.
- If using E‑Verify, follow program rules and timelines; address TNCs correctly.
- For cross‑border work, confirm authorization up front; avoid relying on visitor visas for productive work.
A quarterly tickler for reverification and retention dates keeps audits short and uneventful.
Common compliance failures and how to fix them
A handful of errors drive a disproportionate share of penalties: misclassification, I‑9 gaps, weak harassment handling, data access sprawl, and unlawful interference with concerted activity. Tackle these fast with targeted reviews, documented fixes, and refreshed training.
A simple playbook—detect, document, correct, and retrain—will resolve most issues and prevent recurrence.
Employee misclassification
Misclassification occurs when an employee is treated as exempt from overtime without meeting salary and duties tests. It also occurs when a worker is treated as a contractor despite being controlled like an employee.
Audit roles against FLSA criteria and state tests (e.g., ABC tests) and reclassify where required. Correct payroll going forward, calculate and pay back overtime where owed, and update job descriptions and offer letters.
Communicate changes clearly. Retrain managers on scheduling. Calendar a follow‑up review.
I‑9 errors and documentation gaps
The fastest compliant self‑audit is to export a current employee roster, pull the matching I‑9s, and segregate the files into “current,” “terminated,” and “missing/deficient.” Make corrections per USCIS instructions (single‑line strikeout, initials/date), complete missing forms immediately, and add an audit memo explaining what was found and fixed.
Purge eligible I‑9s using the three‑years‑after‑hire/one‑year‑after‑termination rule (whichever is later). Implement a monthly tickler for reverifications.
Keep I‑9s separate from personnel files and limit access.
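The roster reconciliation and retention rule above can be scripted so the self‑audit is repeatable. The following is an added example, not code from the original article; the record fields, sample employee IDs, the "today" date and the 90‑day tickler window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


def add_years(d: date, years: int) -> date:
    """Add calendar years; a Feb 29 anniversary falls back to Feb 28."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class I9Record:
    employee_id: str
    hire_date: date
    termination_date: Optional[date] = None   # None = still employed
    reverify_by: Optional[date] = None        # expiry of time-limited work authorization, if any


def retain_until(rec: I9Record) -> Optional[date]:
    """Retention rule from the text: three years after hire or one year after
    termination, whichever is later. Current employees are never purge-eligible."""
    if rec.termination_date is None:
        return None
    return max(add_years(rec.hire_date, 3), add_years(rec.termination_date, 1))


def triage(roster_ids, i9_files, today: date, tickler_days: int = 90) -> dict:
    """Segregate I-9s into current / terminated / missing, then flag files that
    are past their retention date and reverifications due within the tickler window."""
    out = {"current": [], "terminated": [], "missing": [], "purge_eligible": [], "reverify_soon": []}
    for emp in roster_ids:                      # active employees per HRIS export
        rec = i9_files.get(emp)
        if rec is None:
            out["missing"].append(emp)          # on payroll, no I-9 on file: fix immediately
            continue
        out["current"].append(emp)
        if rec.reverify_by and 0 <= (rec.reverify_by - today).days <= tickler_days:
            out["reverify_soon"].append(emp)
    for emp, rec in i9_files.items():           # I-9s for people no longer on the roster
        if emp in roster_ids:
            continue
        out["terminated"].append(emp)
        deadline = retain_until(rec)
        if deadline is not None and today > deadline:
            out["purge_eligible"].append(emp)
    return out


# Constructed sample data for illustration only (not real employee records).
TODAY = date(2025, 6, 1)
ROSTER = {"E001", "E002", "E003"}
I9_FILES = {
    "E001": I9Record("E001", date(2021, 3, 15)),
    "E002": I9Record("E002", date(2024, 9, 1), reverify_by=date(2025, 8, 1)),
    "E100": I9Record("E100", date(2019, 1, 10), termination_date=date(2023, 11, 30)),
    "E101": I9Record("E101", date(2024, 2, 29), termination_date=date(2024, 6, 30)),
}

if __name__ == "__main__":
    for bucket, ids in triage(ROSTER, I9_FILES, TODAY).items():
        print(f"{bucket}: {sorted(ids)}")
```

E101 shows why "whichever is later" matters: the one‑year‑after‑termination date has passed, but the three‑years‑after‑hire date has not, so the file must stay.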
Harassment and complaint handling
Breakdowns happen when complaints languish or investigations lack structure. Stand up a clear intake‑to‑resolution workflow: acknowledge receipt, assess risk, implement interim measures, investigate promptly and impartially, document findings, take proportionate corrective action, and follow up to prevent retaliation.
Train managers on duty to report and confidentiality. Track timelines to show diligence.
Data privacy and access control lapses
Common pitfalls include shared inboxes, excessive admin rights, and stale exports on laptops. Apply least‑privilege access, enforce MFA and SSO, encrypt data at rest/in transit, and enable immutable audit logs.
Establish an incident response plan covering detection, containment, assessment, and notifications. Timelines may be strict under sectoral and global privacy laws.
Review access quarterly. Require secure destruction when data expires.
How to build an HR compliance program: a 30/60/90‑day plan
A 90‑day sprint can stand up a durable HR compliance program with clear owners, artifacts, and rhythms. Assign a single accountable owner, designate functional leads (recruiting, payroll, benefits, safety, IT/security), and create a shared tracker with due dates and evidence links.
By day 90, you should be able to produce an audit pack on request. Show training completion, demonstrate policy acknowledgment, and run a dashboard that surfaces leading indicators of risk.
Days 0–30: Baseline and triage
- Confirm legal coverage by headcount and locations; list required postings and filings.
- Inventory artifacts (handbook, policies, training rosters, OSHA logs, I‑9s, timekeeping).
- Run a quick I‑9 self‑audit; fix deficiencies; set reverification/retention ticklers.
- Review wage/hour classifications, overtime, and timekeeping; correct high‑risk roles.
- Publish or refresh anti‑harassment policy and complaint channels; schedule training.
- Build a risk heatmap and 90‑day calendar of deadlines and audits.
- Engage IT to set RBAC, MFA/SSO, offboarding, and encryption for HR systems.
Close the month with an executive check‑in and a one‑page plan highlighting risks and owners.
Days 31–60: Policies, training, and tooling
- Update/publish the employee handbook and key SOPs; capture acknowledgments.
- Roll out manager training (wage/hour, interviewing, conduct) and all‑hands anti‑harassment.
- Implement or tune systems: timekeeping, leave tracking, incident logging, and document management.
- Configure OSHA 300/300A processes and workers’ comp protocols.
- Finalize job descriptions and exemption analyses; lock offer letter templates.
- Establish a data retention schedule and privacy notices; start DPIAs where needed.
Aim for consistency: one process per task, one system of record per domain, and clear audit trails.
Days 61–90: Audit-ready operations
- Conduct an internal “mock audit” (DOL/OSHA/EEOC/I‑9) and remediate gaps.
- Assemble documentation packs: policy index, training rosters, acknowledgment logs, I‑9 summary, OSHA logs, leave records.
- Launch an HR compliance dashboard (e.g., I‑9 completion, training completion, overtime trends, incident rates, complaint cycle times, leave utilization).
- Complete vendor due diligence (DPAs, SOC 2/ISO 27001, subprocessors, breach SLAs) and finalize DPAs/DPIAs.
- Set quarterly audit cadence and an annual policy/training refresh.
End with an executive review and a roadmap for the next two quarters.
Remote, hybrid, and cross‑border teams
Distributed teams change where you owe taxes, which posters and trainings you need, and how you secure data and devices. A single remote hire can trigger payroll tax registration, unemployment insurance, workers’ comp, and new leave/safety requirements in that state.
Create a location intake workflow that flags registrations and local policy addenda before onboarding.
For cross‑border hiring, consider an EOR to avoid permanent establishment and to localize contracts, benefits, and terminations. Address data residency and cross‑border transfers early. Standardize endpoint security (MDM, encryption, patching) and offboarding for all devices.
In‑house vs. PEO/EOR vs. software: choosing a compliance approach
Your compliance operating model should balance control, speed, and risk transfer. In‑house gives maximum control but demands expertise and tooling. A PEO co‑employs U.S. staff to offload payroll/benefits administration and some compliance tasks. An EOR employs workers abroad for you. Software augments any model with workflows and audit trails.
Use these criteria to decide (or blend):
- Scope and control: Keep in‑house if you need bespoke policies/processes or complex bargaining/benefits.
- Risk and speed: Use PEO/EOR to accelerate compliant hiring or expansion when you lack local expertise.
- Cost model: Typical ranges—PEO admin fees around a small percentage of payroll, EOR per‑employee monthly fees, HR software per‑employee monthly fees; compare total cost of ownership, not sticker price.
- Global coverage: EORs shine for quick international starts; transition to entities when scale justifies.
- System maturity: If processes are manual, prioritize software with strong auditability before scaling headcount.
Many organizations blend models: PEO domestically during growth, EOR for first hires in new countries, and software as the connective tissue.
Vendor and HR software due diligence checklist
Third‑party tools process sensitive data and must meet your compliance bar. Build procurement gates that verify security, privacy, and feature depth before you sign.
- Independent assurance: SOC 2 Type II/ISO 27001, penetration tests, and security whitepapers.
- Data processing: DPA with role definitions, subprocessor list/transparency, and cross‑border transfer terms.
- Access and identity: SSO/MFA, role‑based access controls, and granular permissions/audit logs.
- Breach and uptime: Notification SLAs, incident response commitments, disaster recovery/RTO/RPO, and uptime SLAs.
- Data lifecycle: Export/portability, retention controls, field‑level deletion, and sandbox/test environments.
- Compliance features: I‑9/E‑Verify support, leave and OSHA logs, configurable workflows, and reporting.
- AI governance: Bias testing documentation for automated assessments and admin controls to disable/opt‑out.
Close by assigning an internal owner for vendor monitoring and scheduling annual re‑reviews.
Penalties, audits, and investigations: what to expect
Audits are usually triggered by a complaint, incident, data match, or random selection. They move quickly.
Common patterns include DOL wage/hour investigations seeking back wages plus liquidated damages. OSHA inspections can result in citations and per‑violation fines. EEOC charges can lead to position statements, investigations, and possible conciliation or litigation.
Expect formal notices with short response timelines, document requests (policies, training records, timecards, I‑9s, logs), and interviews. Designate a single point of contact, preserve documents, and respond completely and on time. Avoid any retaliation against complainants or witnesses.
A prepared “audit pack” and clear audit trails often determine whether matters close swiftly or escalate.
Sources and further reading
For authoritative guidance and current thresholds, consult official regulators: USCIS Form I‑9 (https://www.uscis.gov/i-9), EEOC laws enforced (https://www.eeoc.gov/laws), HHS HIPAA (https://www.hhs.gov/hipaa/index.html), EU GDPR (https://gdpr.eu/), and NLRB (https://www.nlrb.gov/).