An HR data audit is a structured review of employee records across your HRIS, payroll, benefits, and I-9 files to find errors, inconsistencies, and compliance gaps. Run it in four phases: scope and inventory, field-level reconciliation, compliance verification, and remediation. Complete audits prevent payroll errors, carrier overcharges, and regulatory fines.

One transcription error — a single digit transposed in a salary field — cost David, an HR Manager at a mid-market manufacturer, $27,000 in overpayments before anyone caught it. The affected employee eventually quit. The error lived undetected in his HRIS for months because no structured audit process existed to surface it. That’s not an edge case. It’s what happens when HR data goes unreviewed.

If you’ve inherited an HR operation or simply haven’t run a formal audit in the past 12 months, this guide walks you through every step — from scoping what to audit to closing the gaps you find. For a broader look at what broken HR operations look like before an audit, 11 warning signs your inherited HR operation is bleeding money is a useful starting point. And if you’re deciding whether to handle this in-house or bring in outside support, the in-house HR cleanup vs. fractional HR consultant decision guide covers the tradeoffs clearly.

Before automating anything you find during the audit, run these 7 questions before you automate anything — process clarity must come before tooling.

What Does an HR Data Audit Actually Cover?

An HR data audit is not the same as a compliance audit, though the two overlap. A compliance audit checks whether your policies and practices meet legal requirements. An HR data audit checks whether the underlying records that drive those practices are accurate, complete, and consistent across systems.

A complete HR data audit covers six data domains:

• Employee master records — names, SSNs, addresses, job titles, department assignments, hire dates, termination dates
• Compensation and payroll data — base pay, overtime classifications, bonus structures, pay rates synced to payroll
• Benefits enrollment — carrier feeds, dependent eligibility, enrollment effective dates, deduction amounts
• I-9 and work authorization records — completion status, re-verification deadlines, document expiration tracking
• Time and attendance — hours worked, PTO balances, leave classifications (FMLA, state leave)
• Training and certification records — required certifications, completion dates, renewal deadlines

Most small HR teams find the most errors in compensation data and benefits enrollment — precisely the two categories where errors cost the most money. The $27K overpayment case study illustrates how quickly a single HRIS data entry error compounds. And on the benefits side, carrier feed mismatches create overcharges that accumulate for months before anyone reconciles them — a problem detailed in the broken benefits carrier feed reconciliation guide.

Step 1: Define Scope, Assign Ownership, and Set a Deadline

The single biggest reason HR data audits fail is scope creep. Teams start auditing everything at once, get overwhelmed, and stop before completing anything. The fix is to define your audit boundaries before touching a single record.

Choose your audit scope

Decide upfront whether you’re running a full audit (all six data domains, all employees) or a targeted audit (one or two domains, or a specific employee population). For teams with fewer than 200 employees, a full audit is achievable in 30–45 days. For teams over 500 employees without automation support, start with compensation and benefits — the two highest-risk domains.

Assign a single owner per data domain

Each domain needs one named person accountable for its completion. If you’re an HR team of one, that’s you for every domain — but document it explicitly so nothing gets assumed away. If you have HR partners or a payroll administrator, assign domains by expertise.

Set a hard deadline with interim checkpoints

An audit without a deadline is a project that never closes. Set a final delivery date and two or three checkpoints along the way. A 30-day audit with weekly check-ins keeps momentum without creating paralysis.

If you’re working through an inherited operation for the first time, HR triage risk mapping gives you a framework for deciding which domains to audit first based on financial and compliance exposure.

Step 2: Extract and Inventory All Active Data Sources

Before you can audit anything, you need a complete picture of where your HR data lives. Most organizations have more data sources than they realize.

Map every system that holds employee data

Pull a complete inventory of every system that stores or touches employee records:

• Your HRIS (primary system of record)
• Payroll platform (if separate from HRIS)
• Benefits administration platform or carrier portals
• ATS (applicant tracking — hire date and offer letter data)
• Time and attendance system
• Learning management system (certifications and training)
• Physical or scanned I-9 files
• Spreadsheets maintained outside any system

That last item is where most teams find their largest problems. Off-system spreadsheets maintained by individual managers or HR coordinators are almost never reconciled against the HRIS. They drift, accumulate errors, and create a shadow record that contradicts the official one.

Export a full employee roster from each system

Pull a headcount report from every system above. Compare them against each other immediately. If the HRIS shows 187 active employees and payroll shows 191, you have terminated employees still on payroll — a compliance and financial risk that needs to be resolved before anything else.

The HRIS required fields vs. manual data validation comparison explains why system-enforced field requirements catch fewer errors than most HR leaders expect — and why the export-and-compare approach is more reliable.

Step 3: Run Field-Level Reconciliation Across Systems

This is the core of the audit — the systematic comparison of individual data fields across every system that holds that data point.

Build a reconciliation matrix

Create a spreadsheet with one row per employee and columns for each data field you’re auditing across systems. For compensation, that means columns for: HRIS pay rate, payroll pay rate, offer letter pay rate, and most recent pay change approval. Any row where those values don’t match is a discrepancy that requires investigation.

For a compensation audit, the fields to reconcile are:

• Base salary or hourly rate (HRIS vs. payroll vs. offer letter)
• FLSA classification — exempt vs. non-exempt (HRIS vs. time and attendance setup)
• Department and cost center allocation
• Most recent effective date of pay change
• Bonus or commission structure

For benefits, reconcile enrollment against carrier invoices

Pull your carrier invoice and compare every enrolled individual against your HRIS benefits enrollment data. Any employee on the carrier invoice who is not in your HRIS as actively enrolled is either a billing error or an off-system enrollment that was never entered. Any employee in your HRIS as enrolled who does not appear on the carrier invoice is a coverage gap — an employee who believes they have coverage but does not.

Carrier mismatches at this level are common. The carrier overpayment case study shows how a single HR professional worked through a $500K discrepancy using this exact reconciliation approach.

Flag discrepancies — don’t resolve them yet

During reconciliation, flag every discrepancy in a separate tracking column. Note the field, the conflicting values, and which system shows what. Do not start correcting records mid-audit. Premature corrections create new errors and make it impossible to track what the original state of the data was.

Step 4: Verify I-9 and Work Authorization Compliance

I-9 records require a separate verification track because the compliance requirements are specific and the errors are easy to create inadvertently during the original completion process.

Confirm every active employee has a completed I-9

Pull your active employee roster and verify that every employee hired after November 6, 1986 has a corresponding I-9 on file. Missing I-9s for current employees are one of the most common — and most costly — compliance violations found during government audits.

Check Section 2 completion dates

Section 2 of the I-9 must be completed within three business days of the employee’s first day of work. Any I-9 where Section 2 was completed after that window has a timeliness error. Document these — they are not correctable in the traditional sense, but they should be annotated with an explanation and not left silently in the file.

Identify re-verification deadlines

Any employee whose work authorization document has an expiration date requires re-verification before that date. Pull all I-9s with expiration dates and build a re-verification calendar. For a detailed walkthrough of this process in inherited situations, auditing inherited I-9 records without creating new violations covers every scenario you’re likely to encounter.

Purge I-9s for terminated employees past the retention window

Retaining I-9s longer than required creates liability. The retention rule: keep the I-9 for three years from the hire date, or one year after termination — whichever is later. Any terminated employee whose I-9 falls outside this window should have their form properly purged and the purge documented.

Step 5: Audit Compensation for Classification and Equity Risks

Pay data carries two distinct risk categories: classification errors (FLSA exempt vs. non-exempt) and pay equity gaps. Both require structured review, and both are increasingly subject to regulatory scrutiny.

Review every exempt classification

An exempt classification under the FLSA requires meeting both a salary threshold test and a duties test. Pull every employee classified as exempt and verify they meet the current salary threshold. Then review the duties test — an employee classified as exempt who performs primarily non-exempt duties is a misclassification that creates back-pay liability.

Flag pay rate anomalies within job families

Group employees by job title or job family and compare base pay rates. Any employee whose pay rate falls more than one standard deviation from the group median warrants a documented explanation. That explanation might be legitimate — tenure, geographic differential, specialized skill. But it needs to be documented, not silent.

The broken HR operations guide for small HR teams addresses how compensation anomalies accumulate over time when no one is tasked with periodic review.

Step 6: Check HRIS Configuration for Systemic Error Sources

Individual data errors are addressable record by record. Systemic configuration errors produce the same wrong output for every employee in a category — and they’re the hardest to catch because the data looks internally consistent.

Audit your HRIS defaults

Most HRIS platforms ship with defaults that are wrong for most organizations. Common culprits include: default PTO accrual rates applied to the wrong employee groups, default FLSA classifications applied at hire, and default benefit deduction amounts that don’t match current carrier rates. The 9 HRIS configuration defaults every small HR team should change gives you a direct checklist for this step.

Verify automated workflows produce correct outputs

If your HRIS triggers automated actions — onboarding task assignments, benefits enrollment windows, pay change notifications — spot-check whether those triggers fire correctly and whether the data they carry is accurate. A workflow that auto-populates a benefits enrollment with the wrong plan year, for example, creates errors in bulk.

Step 7: Document All Findings in a Centralized Audit Log

Before moving to remediation, consolidate every discrepancy, gap, and configuration error into a single audit log. This document becomes your remediation roadmap and your evidence that the audit was conducted.

The audit log should capture for each finding:

• Employee ID (not name — use IDs for the working document)
• Data domain (compensation, I-9, benefits, etc.)
• Field affected
• Current (incorrect) value
• Required (correct) value
• Source of correct value (offer letter, carrier invoice, government table)
• Risk rating (high / medium / low)
• Owner assigned to resolve
• Target resolution date

Risk-rate every finding before remediation begins. High-risk items — active terminated employees in payroll, missing I-9s, FLSA misclassifications — require immediate resolution. Medium-risk items — pay rate discrepancies within tolerance, missing secondary beneficiary data — get resolved in the first 30 days. Low-risk items — incomplete optional fields, stale emergency contacts — get batched and addressed on a rolling basis.

Step 8: Execute Remediation With a Controlled Change Log

Remediation is not the same as the audit. It is a separate, controlled phase with its own discipline requirements. Every correction made to the HRIS or a record file during remediation must be logged: what was changed, who changed it, when, and what documentation authorized the change.

For payroll corrections

Payroll corrections that result in employee back-pay require a formal adjustment process, not a casual system edit. Work with your payroll administrator to run corrections through an off-cycle payroll if the amount is material, or batch them into the next regular payroll with proper documentation. Either way, retain the authorization trail.

For benefits corrections

Benefits corrections — particularly removing terminated employees from carrier roilers — require direct coordination with the carrier, not just an HRIS update. Update your HRIS and contact the carrier to confirm the off-enrollment was processed. Get written confirmation from the carrier. That confirmation belongs in your audit remediation file.

For I-9 corrections

I-9 corrections follow specific USCIS guidance. Draw a line through the incorrect information, enter the correct information, initial and date the correction. Do not use correction fluid. Do not obscure the original entry. Attach an explanation if the correction requires one. The I-9 audit guide covers correction protocols in detail.

How to Know Your HR Data Audit Worked

A completed audit should produce measurable, verifiable outcomes — not just a sense that things are more organized. Here are the markers that confirm your audit achieved its purpose:

• Headcount reconciles across all systems. HRIS, payroll, and benefits administration all show the same active employee count.
• No terminated employees appear in active payroll. Every termination processed in the past 24 months is reflected correctly in payroll and benefits.
• Every active employee has a complete, compliant I-9. Re-verification calendars are built for all documents with expiration dates.
• Compensation data matches across HRIS, payroll, and supporting documentation. No pay rate discrepancy exists without a documented explanation on file.
• Benefits enrollment matches carrier invoices. Overpayments have been claimed and recovered or are in active recovery.
• A complete audit log and remediation change log exist. Every finding and every correction is documented with dates and authorization.
• A next audit date is calendared. The audit is now a recurring process, not a one-time event.

Common Mistakes That Undermine HR Data Audits

Correcting records during the audit phase

Making corrections while still auditing destroys your baseline. You can no longer see what the original state of the data was, and you lose the ability to quantify total error volume. Audit fully, document completely, then remediate.

Auditing only the HRIS

The HRIS is the system of record, not the only source of truth. Payroll, carrier portals, physical I-9 files, and off-system spreadsheets all hold data that must be reconciled against the HRIS. An audit that only reviews the HRIS misses the most common error source: data that never made it into the system correctly in the first place.

Skipping the configuration review

Individual record errors get the most attention, but configuration errors are more dangerous because they scale. One wrong default setting applies incorrectly to every employee in a group. Always include a configuration review in your audit scope.

No remediation ownership

An audit log with no named owner for each finding becomes a list of problems with no resolution path. Every finding needs a name, a deadline, and a follow-up date.

No follow-up audit

A one-time audit that produces temporary clean data is not a solution — it’s a temporary state. Data degrades continuously as employees are hired, promoted, transferred, and terminated. Build the audit into your annual or semi-annual operational calendar. If you want to understand which processes to standardize before the next audit cycle, how TalentEdge saved $312K with HR process standardization shows what systematic process consistency produces over time.

What to Automate After the Audit Is Complete

Once your data is clean, automation becomes safe and effective. Automating before the audit embeds errors into automated workflows — the worst possible outcome. After the audit, the highest-value automation targets are:

• Termination offboarding checklists that automatically trigger system access removal, payroll termination, and benefits carrier notification in sequence
• I-9 re-verification alerts that surface expiring documents 90, 60, and 30 days before the deadline
• Benefits reconciliation reports that compare HRIS enrollment to carrier invoices on a monthly basis
• HRIS-to-payroll sync validation that flags pay rate mismatches before each payroll run

For HR teams ready to build these workflows, how a non-technical HR team started building their own automations with Make and AI walks through the practical build process. The 6 ways the Make MCP changes automation work for HR teams explains how the current tooling makes these builds faster than they’ve ever been.

If you want structured discovery before building anything, how to run an OpsMap™ audit before automating gives you the pre-automation framework that ensures your workflows are built on verified process logic — not assumptions.

Additional Reading

• 11 Warning Signs Your Inherited HR Operation Is Bleeding Money
• The $27K Overpayment: How One HRIS Data Entry Mistake Cost a Manufacturer a Year of Salary
• How to Reconcile a Broken Benefits Carrier Feed: Step by Step
• How to Audit Inherited I-9 Records Without Creating New Violations
• 9 HRIS Configuration Defaults Every Small HR Team Should Change
• HRIS Required Fields vs Manual Data Validation: Which Is Safer for Small HR Teams?
• What Is HR Triage Risk Mapping? How HR Leaders Prioritize Inherited Messes
• How an HR of One Cleaned Up a $500K Carrier Overpayment: A Case Study
• In-House HR Cleanup vs Fractional HR Consultant: 2026 Decision Guide
• Drowning in Admin: How Solo and Small HR Teams Can Fix Broken HR Operations Without Burning Out
• How TalentEdge Saved $312K with HR Process Standardization
• How to Run an OpsMap Audit Before Automating Anything
• How a Non-Technical HR Team Started Building Their Own Automations With Make + AI
• 7 Questions to Ask Before You Automate Anything (The OpsMap Checklist)
• What Is a Minimum Viable HR Process? A Plain-Language Definition