Compliance FAQs
A reference guide to the questions that come up in every audit we conduct. If you don’t know the answer to one, that’s not a failing — it’s a flag worth investigating. Each section explains why the question matters, what compliant businesses look like, and the warning signs we see most often.
Personnel files & recordkeeping
Are employee medical records stored separately from personnel files?
Federal law (the ADA and FMLA at minimum) requires employee medical information to be stored separately from the general personnel file, with restricted access. When medical information lives inside a personnel file — doctor’s notes, accommodation requests, FMLA paperwork — any manager who reviews that file for a promotion or discipline decision has now had access to protected medical information. That’s the foundation of a failure-to-accommodate or disability discrimination claim, whether or not the medical info actually influenced the decision.
Medical records live in a separate, locked file (physical or digital) with access limited to HR and, in very narrow circumstances, people with a legitimate need to know. Personnel files contain performance, discipline, and employment history — nothing medical. Workers’ comp records are also stored separately.
I-9 compliance
Are I-9 forms stored separately from personnel files?
I-9 forms are one of the most common items cited in federal audits, and the fines are per-form. ICE and the Department of Labor can request your I-9s with three business days’ notice. If they’re scattered through personnel files, you not only slow your own response — you expose unrelated employee information to a federal auditor who didn’t ask for it. Current I-9 fines run from several hundred to several thousand dollars per form for paperwork violations alone, before any substantive issues.
All I-9s stored together in a single file (physical or digital), separate from personnel files, organized by active vs. terminated employees. Terminated employee I-9s retained for three years after hire date or one year after termination, whichever is later. Annual internal audit to catch errors before a federal auditor does.
Worker classification
Do you know the legal difference between a W-2 employee and a 1099 independent contractor?
Misclassifying a W-2 employee as a 1099 contractor is one of the highest-dollar mistakes a small business can make. The IRS, Department of Labor, and most state agencies now coordinate on misclassification cases, and the back-end cost includes unpaid payroll taxes, unemployment contributions, workers’ comp premiums, overtime back pay, and penalties — often for multiple years. The people most commonly misclassified: long-term “contractors” who work only for your business, people using your equipment or office, and anyone you manage day-to-day.
Every worker classified using the IRS common-law test and the applicable state test (which is often stricter — California’s ABC test and similar rules in other states). Written contractor agreements. Regular review of long-term contractors to confirm they still qualify. When in doubt, classified as W-2.
Exempt & non-exempt classification
Have your employees’ exempt/non-exempt classifications been reviewed against FLSA duties tests in the past two years?
The most expensive HR mistake most small businesses make is classifying salaried employees as exempt from overtime when they don’t actually meet the Fair Labor Standards Act duties test. Salary alone doesn’t make someone exempt — the work they actually do has to fit specific legal criteria. A misclassified “exempt” employee is owed overtime back pay, often for the previous two or three years, plus liquidated damages equal to the back pay itself. A single claim can cost $30,000 to $100,000+ per employee. Class actions are worse.
Every salaried-exempt employee tested against the current FLSA duties tests (executive, administrative, professional, outside sales, or computer) at hire and whenever their role materially changes. Documentation showing how each exempt role meets the applicable test. Regular review — at minimum, every two years or when salary thresholds change.
Pay deductions for exempt staff
Do you know when you can legally deduct from a salaried exempt employee’s wages within a pay period?
Improperly deducting from a salaried exempt employee’s pay can destroy the exemption itself — not just for that employee, but potentially for every exempt employee in the same job category, going back years. The FLSA is very specific about the circumstances in which you can dock an exempt employee’s salary, and “they only worked half the day” is almost never one of them. This is a gap where managers acting in good faith routinely create significant liability.
A written pay policy that clearly lists the narrow circumstances where exempt pay deductions are legal (full-day absences for personal reasons, certain disciplinary suspensions, intermittent FMLA, etc.). Managers trained on what they can’t deduct for. A safe-harbor complaint policy giving employees a way to flag improper deductions.
Meal & rest breaks
Do you know your state’s minimum required length for an unpaid meal break?
Federal law has no meal break requirement, but 20+ states do — and the rules vary significantly. California, Oregon, Washington, Colorado, New York, Illinois, and several others have specific minimum meal and rest break requirements tied to shift length, and several require premium pay if breaks are missed or cut short. For multi-state employers, the complexity multiplies. Break violations are one of the most common wage-and-hour claims because they’re easy to document and easy to turn into class actions.
Written break policies that reflect each state where you have employees. Timekeeping that captures break start and end times. Managers trained not to pressure employees through breaks or allow voluntary break-skipping. Multi-state employers default to the most protective state’s rules when simpler.
Employee handbook
Does your handbook include state-specific required policies for every state where you have employees, and has it been updated in the last 18 months?
A handbook that was fine two years ago is probably out of compliance today. State and local employment law changes constantly — new paid sick leave laws, pay transparency requirements, protected leave expansions, harassment training mandates. Multi-state employers need state-specific policies for every state where they have even one employee. A handbook that’s outdated or state-generic isn’t just missing information; it can affirmatively create liability by stating policies that contradict current law.
Handbook reviewed and updated at least annually, ideally every 12 to 18 months. State-specific addenda or sections for each state where employees work. Acknowledgment signatures on file from every employee for every version. At-will employment disclaimer that’s current and legally sound. Complaint and reporting procedures that match current federal and state requirements.
Discipline & termination
Do you have a written, consistent progressive discipline process that all managers follow?
Having different managers handle discipline differently is one of the most common reasons terminations turn into discrimination claims. An employee who was written up for something a peer wasn’t, or fired after a verbal warning when a peer got three written warnings, has the raw material for a wrongful termination or disparate treatment case. Progressive discipline isn’t legally required in most states — but inconsistency across managers is what creates liability.
A written progressive discipline framework (verbal, written, final warning, termination) that managers are trained to follow, with documented exceptions for serious misconduct. Every discipline event documented with dates, witnesses, and employee acknowledgment. HR review of every termination before it happens. Consistency across departments, managers, and protected classes.
Hiring & recruiting
Do your job applications, interview questions, and offer letters comply with your state’s ban-the-box, salary history, and pay transparency laws?
Hiring is the most heavily regulated moment in the employment relationship, and it’s where state law varies most. Ban-the-box laws restrict when and how you can ask about criminal history. Salary history bans prohibit asking what candidates made previously. Pay transparency laws require salary ranges in job postings. These laws exist in most populous states and many cities, and they carry real penalties — including private rights of action that let rejected candidates sue directly. A generic job application pulled off the internet years ago is almost certainly out of compliance somewhere.
Job applications reviewed against current state and local law for every state and city where you recruit. Interview questions scripted and reviewed for legal compliance. Offer letters that comply with pay transparency requirements. Managers trained not to ask protected-class questions (age, marital status, disability, etc.) even casually. Applicant tracking that documents why decisions were made.
Manager training
Have all managers received harassment prevention or anti-discrimination training in the past two years?
Several states (California, Connecticut, Delaware, Illinois, Maine, New York, and Washington, among others) legally require harassment prevention training for supervisors, with specific content and frequency requirements. Even in states where it’s not required, a documented training program is one of the most effective defenses against hostile work environment claims — the EEOC and most juries treat lack of training as strong evidence of negligence. Training your managers isn’t a nice-to-have. It’s one of the single most cost-effective liability reductions available to a small business.
All supervisors trained on harassment prevention, anti-discrimination, and retaliation within their first 90 days of becoming a supervisor, then refreshed at least every two years. State-specific training content where required. Documented attendance and completion. Training that covers real scenarios — how to receive a complaint, how to document, what to escalate.
Seven days to know exactly where your business sits on every one of these — with the findings, the custom documents, and the support to fix what needs fixing.