Post: Audit Your HR Tech Stack: A Data Governance Checklist

Published On: August 14, 2025

Run this 12-item checklist across every system in your HR tech stack and you leave with a prioritized action list — not a document. Each control area has a pass/fail criterion and a named remediation action. Assign system owners before you start. That is the only prerequisite.

This satellite drills into the operational audit layer of the broader HR data governance strategy for AI compliance and security covered in the parent pillar. Start there if you need the strategic framework. Come here when you are ready to run the check.


How to Use This Checklist

Assign a system owner to each item before you begin. Run each check, record findings in a shared tracker, and assign a severity rating — Critical, High, Medium, or Low — to every gap. Any Critical finding requires a remediation owner and a 30-day resolution deadline before the audit is considered complete. Medium and Low items feed the next quarterly review cycle.


#1 — Complete System and Integration Inventory

You cannot govern data you have not mapped. The first audit item is a full inventory of every system, application, and integration that stores or transmits employee data.

  • List every HR platform: HRIS, ATS, payroll, performance management, LMS, benefits administration, scheduling, and engagement survey tools.
  • Document every integration and automated workflow that moves data between systems — including any Make.com scenario pipelines.
  • Capture the data types handled by each system: PII, financial data, health data, performance data, protected class information.
  • Note the vendor, hosting model (cloud, on-premise, or hybrid), and data residency location for each system.
  • Flag shadow IT: spreadsheets, shared drives, or personal email chains used to store employee data outside governed systems.

Verdict: If you cannot produce a complete, current system map in under two hours, your inventory is a gap — not a governance control. Document the map. It is the foundation of every other item on this checklist.


#2 — Role-Based Access Control (RBAC) Review

Over-permissioned accounts are the most common internal data risk finding in HR tech audits. This item verifies that every user has the minimum access required to do their job — and nothing more.

  • Pull a full user access report from each HR system. Verify every active account maps to a current, active employee or contractor.
  • Identify accounts that have not been used in the past 90 days. Inactive accounts with active credentials are a persistent vulnerability.
  • Check for role mismatches: HR generalists with payroll admin access, IT contractors with read access to performance records, managers with access to compensation data outside their direct reports.
  • Verify that offboarding procedures include a same-day access revocation step for all HR systems — not just the HRIS.
  • Confirm that privileged admin accounts are MFA-protected and subject to a separate recertification schedule.

Verdict: Every user account that cannot be matched to a current business need is a Critical finding. Remediate immediately. Do not wait for the next scheduled review cycle. Pair your access review findings with the HRIS breach prevention practices that address what happens when access controls fail.
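As an added illustration of the #2 review (this is example code, not the post's own tooling), the script below reconciles one HR system's user access report against the HR roster and emits the three findings the item calls for: accounts with no matching active employee, accounts idle for more than 90 days, and role mismatches. The roster, access report, field names and the role-to-function matrix are all constructed assumptions; substitute your own exports.

```python
from datetime import date

# Constructed HR roster export: who is employed today and in which function.
ROSTER = {
    "akim": {"status": "active", "function": "HR Generalist"},
    "bpatel": {"status": "active", "function": "Payroll"},
    "cwong": {"status": "terminated", "function": "HR Generalist"},
    "dlee": {"status": "active", "function": "IT Contractor"},
}
# Constructed user access report pulled from one HR system (field names assumed).
ACCESS_REPORT = [
    {"user": "akim", "roles": ["payroll_admin"], "last_login": date(2025, 8, 1)},
    {"user": "bpatel", "roles": ["payroll_admin"], "last_login": date(2025, 8, 10)},
    {"user": "cwong", "roles": ["hr_read"], "last_login": date(2025, 3, 2)},
    {"user": "dlee", "roles": ["performance_read"], "last_login": date(2025, 2, 1)},
    {"user": "svc_legacy", "roles": ["admin"], "last_login": date(2024, 11, 30)},
]
# Assumed least-privilege matrix: which job functions may hold each system role.
ALLOWED_ROLES = {
    "payroll_admin": {"Payroll"},
    "performance_read": {"HR Generalist", "Payroll"},
    "hr_read": {"HR Generalist", "Payroll"},
    "admin": {"HR Systems Admin"},
}
AUDIT_DATE = date(2025, 8, 14)

def review_access(report, roster, today, idle_days=90):
    """Return (user, severity, reason) findings for one system's access report."""
    findings = []
    for entry in report:
        user, person = entry["user"], roster.get(entry["user"])
        if person is None or person["status"] != "active":
            # Orphaned or ex-employee account: Critical per the checklist verdict.
            findings.append((user, "Critical", "no matching active employee"))
            continue
        if (today - entry["last_login"]).days > idle_days:
            findings.append((user, "High", f"no login in {idle_days} days"))
        for role in entry["roles"]:
            if person["function"] not in ALLOWED_ROLES.get(role, set()):
                findings.append((user, "Critical",
                                 f"role {role} not allowed for {person['function']}"))
    return findings

def default_findings():
    return review_access(ACCESS_REPORT, ROSTER, AUDIT_DATE)

if __name__ == "__main__":
    for finding in default_findings():
        print(finding)
```

Run it against each system in your inventory; every Critical line maps directly to an immediate remediation ticket.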


#3 — Data Retention and Deletion Policy Enforcement

Most organizations have a written data retention policy. Few can demonstrate it is enforced inside the systems that hold HR data. This item checks whether your policy is operational, not just documented.

  • Confirm that every HR system has a documented retention schedule aligned to applicable law — FLSA, EEOC, HIPAA, and state-specific requirements.
  • Verify that the retention schedule is configured in the system, not just referenced in a policy document.
  • Test whether terminated employee records are being archived, anonymized, or deleted at the correct trigger points.
  • Check that Make.com automation workflows that move or copy HR data do not create unintended data copies that fall outside the retention schedule.
  • Confirm that you have a process for responding to employee deletion requests under applicable state privacy laws.

Verdict: A retention policy that lives in a Word document but is not enforced in system settings is not a control — it is a liability. If you cannot run a deletion report and verify it against your schedule, mark this High and assign it to a system admin before your next audit cycle.


#4 — Vendor Security and Data Processing Agreement Review

Every HR platform vendor is a data processor. If you share employee data with a vendor and do not have a signed Data Processing Agreement on file, you are exposed regardless of what the vendor’s marketing says about security.

  • Confirm that every vendor on your system inventory has a signed DPA or Business Associate Agreement on file where required.
  • Review each DPA for subprocessor disclosure. Vendors that hand your data to third parties must disclose that list and notify you of changes.
  • Check the incident notification language in each DPA. Many agreements require vendor notification within 72 hours of a breach. Verify your vendor meets that threshold.
  • Confirm that vendors with access to health or financial data have completed a SOC 2 Type II or equivalent audit within the past 12 months.
  • Flag any vendor whose DPA has not been reviewed or updated in the past 24 months — regulations and subprocessor lists change.

Verdict: A missing DPA is a Critical finding. An expired or unreviewed DPA is High. Do not treat vendor security posture as an assumed control — verify it on paper and in practice.


#5 — Data Minimization and Purpose Limitation

Collecting data you do not need creates risk you do not have to carry. This item audits whether your HR systems capture the minimum data required for each business purpose — and nothing more.

  • Review intake forms, onboarding workflows, and ATS data capture fields. Identify any fields collecting data that is not required for a defined HR purpose.
  • Check whether systems are storing protected class data — race, religion, disability status, pregnancy — in fields accessible to line managers or non-HR personnel.
  • Verify that fields collecting sensitive data have a documented business reason that maps to a legal obligation or legitimate HR purpose.
  • Audit Make.com automation workflows that pull data from HR systems. Confirm they retrieve only the fields needed for the specific process, not full employee records.
  • Flag any integration that passes raw employee data through an unsecured webhook endpoint without field-level filtering.

Verdict: Every data field without a documented business purpose is an unnecessary liability. Review your HRIS required fields versus manual data validation decisions and trim what you do not need before the next system audit.


#6 — Consent and Employee Notice Records

Several states now require employers to provide specific notice when employee data is collected, processed, or shared — including notice related to AI-assisted HR processes. This item verifies your notice records are current and auditable.

  • Confirm that your employee privacy notice covers all current data collection activities, including any AI-assisted performance, scheduling, or monitoring tools.
  • Verify that you have documented consent records for any data collection that requires explicit employee consent under applicable law.
  • Check that notice documents are versioned. If your practices changed in the past 12 months, employees should have received updated notice.
  • Review whether your ATS applicant privacy notice is current and displayed at the point of application.
  • If you operate in California, Colorado, Connecticut, Virginia, or Texas, confirm your notice meets state-specific employee privacy law requirements.

Verdict: A notice that covers your 2022 HR tech stack but not your 2026 stack is a gap. Treat any missing or outdated consent record for a required data practice as a High finding.


#7 — Breach Detection and Incident Response Readiness

Data governance audits routinely skip breach response readiness because it reads as a security function, not an HR function. That logic fails the moment an HR system is compromised. This item verifies your team knows what to do when something goes wrong.

  • Confirm that your HRIS and payroll platform have audit logging enabled and that logs are retained for a minimum of 12 months.
  • Verify that someone in HR knows the vendor’s breach notification process and has direct contact information for the vendor’s security team.
  • Check that your incident response plan specifically addresses HR data scenarios: employee record exposure, payroll data compromise, and unauthorized benefits data access.
  • Test whether your Make.com scenarios include alerting steps that fire when a data pipeline fails or produces anomalous output. Silent failures are a detection gap.
  • Confirm that your legal and compliance teams have a documented notification process for the regulators and employees who must be notified in the event of an HR data breach.

Verdict: If your HR team cannot answer the question — who do we call and what do we do in the first four hours — from memory or a single reference document, your incident readiness is a gap. Mark it High and close it before your next audit.


#8 — Cross-Border and Cross-State Data Transfer Controls

Remote and distributed workforces create data transfer compliance obligations that did not exist when all employees worked in one state. This item audits whether your data transfer practices are keeping pace with your headcount geography.

  • Map where your employees are located — not where your company is incorporated — and identify which state and country privacy laws apply to their data.
  • If you have employees in the EU or UK, verify that HR data transfers to US-based systems are covered by an appropriate transfer mechanism such as Standard Contractual Clauses or the EU-US Data Privacy Framework.
  • Check that Make.com automation workflows routing employee data to third-party platforms are not inadvertently moving data to servers in jurisdictions with restricted transfer requirements.
  • Confirm that your HR vendors disclose where data is stored and processed. Data residency matters when employees are located in jurisdictions with localization requirements.

Verdict: Cross-border transfer gaps range from High to Critical depending on jurisdiction. If you have EU employees and no transfer mechanism documentation, treat it as Critical and engage legal immediately.


#9 — Audit Log Completeness and Review

An audit log that nobody reviews is infrastructure, not a control. This item verifies that your HR systems log the right events and that someone reads those logs on a scheduled basis.

  • Confirm that every HR system logs these events: login attempts (successful and failed), record access by user, record modifications, data exports, and admin configuration changes.
  • Verify that logs are stored in a location that HR admins cannot modify or delete. Self-modifiable audit logs are not evidence.
  • Check whether there is a documented log review process. Weekly or monthly review of access anomalies is the minimum acceptable standard.
  • Identify any HR systems that do not produce audit logs or that retain logs for fewer than 30 days. Flag these as High.
  • If you use Make.com to automate HR processes, verify that execution logs for those scenarios are retained and that error alerts route to a monitored channel.

Verdict: Every HR system without complete audit logging is a blind spot. Prioritize enabling logging in systems that hold payroll or benefits data first. Review the HRIS configuration defaults that small HR teams most commonly miss and confirm your logging setup is not on that list.
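To make the #9 log review concrete, here is an added example (not code from the post or from any HR vendor) that runs three anomaly checks over a constructed audit log covering the event types the item lists: repeated failed logins, data exports by users who are not approved exporters, and admin configuration changes by non-admins. The line format, user names and thresholds are assumptions; map your vendor's export to the same fields.

```python
import re
from collections import Counter

# Constructed sample log; the key=value line format is an assumption, not a vendor's.
SAMPLE_LOG = """\
2025-08-11T09:15:02Z user=akim event=login result=success
2025-08-11T09:20:11Z user=akim event=record_access record=emp-1042
2025-08-11T22:03:40Z user=svc_legacy event=login result=failed
2025-08-11T22:03:55Z user=svc_legacy event=login result=failed
2025-08-11T22:04:09Z user=svc_legacy event=login result=failed
2025-08-11T22:04:30Z user=svc_legacy event=login result=failed
2025-08-11T22:04:51Z user=svc_legacy event=login result=failed
2025-08-12T10:02:17Z user=bpatel event=data_export records=2400
2025-08-12T10:40:05Z user=dlee event=data_export records=1800
2025-08-12T11:12:33Z user=akim event=admin_config_change setting=sso_enforced
2025-08-12T11:15:00Z user=akim event=record_modify record=emp-0007
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")

def parse_log(text):
    """Parse each line into a dict of its key=value fields plus the timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed lines are skipped rather than silently merged
        ev = {"ts": m.group("ts")}
        ev.update(kv.split("=", 1) for kv in m.group("kv").split())
        events.append(ev)
    return events

def review_log(text, admins, exporters, failed_login_threshold=5):
    """Return (severity, user, reason) findings for the three checks."""
    events = parse_log(text)
    findings = []
    # Check 1: repeated failed logins by the same user on the same calendar day.
    failed = Counter((e["user"], e["ts"][:10]) for e in events
                     if e["event"] == "login" and e.get("result") == "failed")
    for (user, day), n in failed.items():
        if n >= failed_login_threshold:
            findings.append(("High", user, f"{n} failed logins on {day}"))
    for e in events:
        # Check 2: bulk exports by anyone outside the approved exporter set.
        if e["event"] == "data_export" and e["user"] not in exporters:
            findings.append(("High", e["user"], f"unauthorised export of {e['records']} records"))
        # Check 3: admin configuration changes by accounts that are not admins.
        if e["event"] == "admin_config_change" and e["user"] not in admins:
            findings.append(("Critical", e["user"], f"config change: {e.get('setting')}"))
    return findings

def default_findings():
    return review_log(SAMPLE_LOG, admins={"sysadmin"}, exporters={"bpatel"})
```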


#10 — Automated Workflow Data Handling Review

Every Make.com scenario that touches employee data is a governance surface. This item audits whether your automation layer handles HR data with the same rigor as your core systems.

  • Inventory every Make.com scenario that reads from, writes to, or routes employee data across your HR tech stack.
  • Confirm that each scenario is documented with its data flow: what data it accesses, where it sends it, and what it does with that data after processing.
  • Verify that no scenario stores raw employee data in Make.com data stores beyond the minimum time required for processing.
  • Check that every HTTP module in employee-data scenarios uses HTTPS and that webhook endpoints are protected by authentication or signature verification.
  • Confirm that scenarios with access to sensitive HR data are owned by a named operator — not a shared or generic connection — and that access is reviewed on the same cadence as your RBAC review.

Verdict: An automated workflow is not exempt from data governance because it runs without a human in the loop. It requires more scrutiny, not less. Review the ways the Make MCP changes automation governance for HR teams and apply those controls to your existing scenario inventory.


#11 — Employee Data Subject Rights Process

Employees in states with active privacy laws have the right to access, correct, and in some cases delete their personal data. This item verifies your organization can fulfill those requests within statutory deadlines.

  • Confirm that you have a documented process for receiving and tracking employee data subject rights requests — access, correction, deletion, and portability.
  • Verify that your HR team knows which systems hold employee data and can produce a complete data inventory for a specific individual within 30 days.
  • Check that your correction and deletion workflows actually work. Test at least one end-to-end request per system annually.
  • Identify any HR systems that do not support data export in a portable format. Flag these as Medium with a vendor conversation required.
  • Confirm that your process logs when requests were received, acknowledged, and completed. You need that record if a regulator requests evidence of compliance.

Verdict: A missing data subject rights process is a High finding in any state with an active privacy law. If you have employees in California, Colorado, Virginia, Connecticut, or Texas, this is not optional. Build the process before you need to use it.


#12 — Training and Accountability Records

Data governance controls fail when the people responsible for enforcing them do not know the rules. This item audits whether your HR team has completed documented training on data handling obligations and whether accountability for governance outcomes is assigned to named individuals.

  • Confirm that every HR team member who accesses employee data has completed data privacy training within the past 12 months. Keep completion records.
  • Verify that your training content covers the specific obligations relevant to your industry and states of operation. Generic data privacy training does not satisfy HIPAA or state-specific requirements.
  • Check that each data governance control on this checklist has a named owner. Shared ownership is no ownership.
  • Confirm that your governance accountability structure is documented in a format that survives HR team turnover. Institutional knowledge must live in a system, not a person.
  • Schedule the next audit date before you close this one. A governance program without a cadence is a point-in-time exercise, not a control.

Verdict: Undocumented training and diffuse accountability are the fastest way to turn a solid governance framework into a compliance liability. Name the owners. Keep the records. Set the next audit date.


Turning Audit Findings Into a Remediation Plan

When you complete all 12 items, you have a prioritized findings list with severity ratings, named owners, and deadlines. The next step is converting that list into a structured remediation plan your leadership team can track and fund.

If your audit reveals that the underlying HR operations infrastructure has deeper problems — not just governance gaps — the HR operations repair playbook for solo and small HR teams covers the operational layer that governance controls sit on top of. If you need a structured discovery process before automating any remediation workflows, the OpsMap™ audit framework is the starting point — covered in full at What Is OpsMap?

Run this checklist once and you have a snapshot. Run it every quarter and you have a governance program.
