HR Audit Checklist for Indian Companies (2026)

HR Audit Checklist for Indian Companies (2026)

Most HR problems are invisible until they are expensive. An offer letter with a clause that contradicts the appointment letter, a set of provident fund records that don't reconcile, a sexual harassment committee that exists on paper but has never met, a pile of statutory registers last updated two years ago—none of these announce themselves. They surface during an inspection, a litigation, a due diligence, or an employee dispute, at the worst possible moment and at the highest possible cost. An HR audit is how you find them first.

An HR audit is a structured, periodic review of your people function—its compliance, its documentation, its policies, and its processes—to confirm that what you think is happening is actually happening, and that it meets legal and good-practice standards. For Indian companies in 2026, with the new labour codes reshaping the compliance landscape and investors and acquirers scrutinising HR hygiene more closely than ever, a regular HR audit has shifted from "nice to have" to "essential operating discipline."

This guide gives you a comprehensive, practical HR audit checklist tailored to Indian companies, organised by area, with guidance on how to run the audit, who should own it, and how to turn findings into fixes. It is written for HR managers, founders, compliance leads, and finance teams who want to know exactly where they stand. As always, statutory specifics vary by state and change over time, so use this as a framework and confirm current requirements for your jurisdictions and the latest position under the labour codes.

What an HR audit is—and is not

An HR audit is a health check, not a witch hunt. Its purpose is to surface gaps so they can be closed, not to assign blame. The best audits are approached with curiosity and rigour: we want to know the truth about our compliance and our processes so we can improve them, and a clean finding is as valuable as a problem found, because it gives you confidence.

It is useful to distinguish a few types. A compliance audit focuses narrowly on statutory obligations—registrations, returns, registers, contributions. A process audit examines whether HR workflows (hiring, onboarding, payroll, exits) are well-designed and consistently followed. A policy audit reviews whether your documented policies are complete, lawful, current, and actually communicated. A records audit checks that documentation exists, is accurate, and is retained appropriately. A comprehensive HR audit covers all of these. Most companies benefit from a full audit annually, with lighter compliance checks more frequently.

What an HR audit is not: it is not a one-time event you do before a funding round and forget, and it is not a substitute for everyday discipline. It is a periodic confirmation that your everyday discipline is working.

How to run an HR audit

Before the checklist itself, a word on method, because a checklist applied carelessly produces false comfort.

Decide on scope and ownership. Will this be a full audit or focused on a high-risk area? Who owns it—internal HR, internal audit, or an external specialist? External auditors bring objectivity and benchmark knowledge; internal audits are cheaper and build capability. Many companies alternate or combine the two.

Gather evidence, don't accept assertions. The discipline of an audit is that every "yes, we do that" must be backed by a document, a record, or a demonstrated process. "We have a POSH committee" must be evidenced by the constitution order, member details, and meeting records. "We deduct PF correctly" must be evidenced by reconciled records and filed returns. Auditing is the practice of replacing belief with evidence.

Rate and prioritise findings. Not every gap is equally urgent. Classify findings by risk—high (legal exposure, penalty risk, or employee harm), medium (process weakness that could become a problem), and low (housekeeping). This lets leadership focus remediation where it matters.

Produce an action plan with owners and dates. An audit that ends in a report nobody acts on is wasted effort. Each finding should become an action item with a named owner and a deadline, tracked to closure. The real value of an audit is realised in the remediation, not the report.

With method established, here is the checklist, area by area.

Area 1: Statutory registrations and licences

This is the foundation. Confirm that the entity holds every registration and licence it needs for where and how it operates. Check your provident fund registration and that it is active and correctly reflects your establishment. Check ESI registration and coverage status for each work location. Confirm professional tax registration and enrolment in every state where you have employees in levying states. Verify Shops and Establishments registration for each establishment in each state, with renewals current. Confirm Labour Welfare Fund enrolment in states where it applies. Check any industry-specific or contract-labour-related registrations relevant to your operations. For multi-state employers, this section alone often surfaces gaps—an office opened in a new state where registrations were never completed.

For each registration, the audit confirms three things: that it exists, that it is current (not lapsed), and that it accurately reflects the entity's present operations (address, headcount band, nature of business).

Area 2: Statutory contributions and returns

Having the registrations is necessary but not sufficient; you must also be contributing and filing correctly and on time. Reconcile provident fund contributions—employee and employer—against payroll and against filed returns, and confirm timely deposit. Do the same for ESI. Verify professional tax deductions match each state's slabs and that remittances and returns are filed on schedule per state. Confirm TDS on salary is computed, deducted, deposited, and reported in quarterly returns, and that year-end salary TDS certificates are issued. Check Labour Welfare Fund remittances against each state's cycle. Confirm gratuity provisioning and, where applicable, any insurance or fund arrangement. Verify statutory bonus computation and payment where applicable, and minimum wage compliance for all roles in all states.

The audit here is fundamentally a reconciliation exercise: the numbers in payroll, the numbers deducted, the numbers deposited, and the numbers reported should all agree. Discrepancies are red flags whether they favour the company or the employee.

Area 3: Employment documentation

Every employee relationship should rest on clean, consistent paperwork. Confirm that every employee has a signed appointment letter or employment contract with terms that are lawful and internally consistent. Check that offer letters, appointment letters, and any subsequent revisions don't contradict one another. Verify that probation, confirmation, and any promotion or increment letters exist where relevant. Confirm that key policies are acknowledged by employees. Check that personnel files—whether physical or digital—are complete, with identity and statutory documents, educational and background verification records where collected, nominee and declaration forms, and so on. Confirm that data privacy and consent practices around employee personal data are sound, an increasingly important area.

A common finding here is inconsistency at scale: templates that drifted over the years, employees hired in a hurry without complete paperwork, or files missing key signed documents. The fix is standardised templates and a documentation checklist enforced at onboarding.

Area 4: Statutory registers and records

Indian labour law requires employers to maintain various registers and records—of employees, wages, attendance, leave, overtime, and more—often in prescribed formats, with the labour codes pushing toward more consolidated and digital record-keeping. The audit confirms that the required registers are maintained, are current, are in the correct format, and are retained for the required period. It also checks displays and notices that must be posted at the workplace. Stale or missing registers are among the most common inspection findings precisely because they are unglamorous and easy to neglect. Moving to a system that maintains these records automatically removes a whole category of risk.

Area 5: POSH and workplace safety compliance

Prevention of sexual harassment compliance is both a legal obligation and a duty of care. The audit confirms that an Internal Committee is properly constituted with the required composition (including the external member), that employees know it exists and how to reach it, that the mandatory awareness and training has been conducted, that the committee has met as required and maintained records, and that the annual reporting obligation has been met. A committee that exists only on paper is a serious gap. Separately, the audit reviews workplace safety and occupational health obligations relevant to your operations, which the occupational safety code framework has consolidated and which apply with particular force in certain establishments.

Area 6: HR policies

Policies are where good intentions become operational reality. The audit reviews whether the company has the policies it needs—covering leave, attendance, code of conduct, POSH, grievance redressal, data protection, IT and acceptable use, travel and reimbursement, remote and hybrid work, and others relevant to your context—and whether each policy is lawful, current, internally consistent, and actually communicated to and acknowledged by employees. A policy nobody has read, or one that contradicts another policy or the law, is worse than no policy because it creates false expectations and legal exposure. The audit also checks that policies have owners and review dates so they don't ossify.

Area 7: Hiring and onboarding processes

Process audits examine whether workflows are sound and consistently followed. For hiring, confirm that the process is fair and non-discriminatory, that offers and approvals follow a controlled workflow, that background and reference checks are conducted consistently and lawfully where used, and that candidate data is handled responsibly. For onboarding, confirm that every new hire receives a consistent experience—documentation collected, statutory enrolments completed promptly, policies acknowledged, assets and access provisioned, and induction delivered. Gaps here create both compliance risk (late statutory enrolment) and experience risk (a shaky start that hurts retention).

Area 8: Payroll process integrity

Beyond the statutory contributions covered above, the audit examines payroll as a process: are inputs (attendance, leave, new joiners, exits, changes) captured reliably; is there appropriate segregation of duties and approval control; are off-cycle payments and adjustments controlled; is payroll reconciled each month; and is sensitive payroll data secured. Payroll is high-value and high-trust, so control weaknesses here—however well-intentioned the team—are serious. The audit looks for the controls that prevent both error and fraud.

Area 9: Leave, attendance, and working hours

Confirm that leave balances are tracked accurately and policies applied consistently, that attendance capture is reliable, that working hours and overtime comply with applicable limits and that overtime is paid correctly where due, and that weekly offs and holidays are administered properly. With the labour codes touching working hours and related provisions, this is an area to re-examine against current rules. Discrepancies between policy and practice—say, overtime worked but not recorded or paid—are both a compliance and a trust issue.

Area 10: Exit and full-and-final settlement

The end of the employment relationship carries its own obligations. Confirm that resignations, notice periods, and terminations are handled per policy and law, that full-and-final settlements are computed correctly and paid within reasonable timelines, that statutory dues like gratuity and leave encashment are settled where applicable, that exit documentation (relieving and experience letters, settlement statements) is issued, and that access and assets are recovered. Exit-stage errors are a frequent source of disputes and a common audit finding, especially where settlements are delayed or miscalculated.

Area 11: HR data, systems, and analytics

Finally, the audit examines the backbone: are HR records accurate and complete in your systems; is access to sensitive data controlled; are backups and continuity arrangements in place; and can the organisation produce reliable reports when needed. A company that cannot quickly produce accurate headcount, contribution, or compliance reports has a data-hygiene problem that undermines every other area. This is also where the audit assesses whether manual, spreadsheet-bound processes have become a risk in themselves.

A condensed HR audit checklist you can run today

If you want a rapid self-assessment before committing to a full audit, work through these questions honestly. Each "no" or "not sure" is a candidate finding.

On registrations: Are our provident fund, ESI, professional tax, Shops and Establishments, and Labour Welfare Fund registrations all active, current, and accurate for every state we operate in? Have we registered in every state where we now have employees, including remote hires?

On contributions: Do our provident fund, ESI, professional tax, and TDS deductions reconcile exactly with payroll and with our filed returns? Have all deposits been made on time, every month, with no gaps? Are gratuity, statutory bonus, and minimum wages handled correctly across all roles and states?

On documentation: Does every single employee have a signed, lawful, internally consistent appointment letter? Are personnel files complete? Have employees acknowledged key policies? Is employee personal data handled with proper consent and security?

On registers and notices: Are all statutory registers maintained, current, in the correct format, and retained for the required period? Are required notices and the registration certificates displayed where they must be?

On POSH: Is our Internal Committee properly constituted with an external member, known to employees, trained, meeting as required, keeping records, and filing the annual report?

On policies: Do we have all the policies we need, are they lawful and current, do they contradict each other or the law anywhere, and have employees actually read and acknowledged them?

On processes: Are hiring, onboarding, payroll, leave, attendance, and exit handled through consistent, controlled workflows, or do they vary by who happens to be doing them?

On exits: Are full-and-final settlements accurate and paid promptly, with all statutory dues settled and documentation issued, and access and assets recovered?

On data and systems: Can we produce accurate headcount, contribution, and compliance reports on demand, and is access to sensitive data controlled?

If you answered all of those with a confident, evidence-backed "yes," your HR hygiene is strong. Most companies, honestly assessed, find several "not sures"—and that is exactly the point of auditing.

An annual audit calendar

Audits work best as a rhythm rather than a single annual event. A practical cadence spreads the load and catches issues early. Each month, reconcile statutory contributions (provident fund, ESI, professional tax, TDS) against payroll and confirm timely deposits—this is the highest-frequency, highest-risk check. Each quarter, review registrations and renewals for any approaching expiry, confirm quarterly TDS returns, and spot-check statutory registers and POSH committee activity. Twice a year, review policies for currency and consistency and reconcile Labour Welfare Fund and other periodic levies. Once a year, run the comprehensive audit across all eleven areas, refresh the documentation review, confirm year-end statutory activities, and reset the audit action register. Ahead of any major event—fundraising, acquisition, large expansion, or entry into a new state—run a focused pre-event audit on the areas the event will expose. This calendar turns auditing from a dreaded annual scramble into a series of manageable, routine confirmations.

The HR audit in due diligence

A specific and increasingly common trigger for HR audits is external due diligence—when an investor, acquirer, or lender examines your company. HR and labour compliance is a standard due-diligence workstream, and gaps discovered here can reduce valuation, delay deals, or require indemnities and escrows. The items diligence teams probe most are precisely the high-risk audit findings: unreconciled statutory contributions, missing or lapsed registrations across states, contractor and gig-workforce classification, POSH compliance, pending or potential employment disputes, employee stock and incentive arrangements, and the cleanliness of employment documentation. The lesson is to audit proactively rather than discover problems under deal pressure. A company that runs regular HR audits walks into diligence with a clean, evidenced file and negotiates from strength; one that has neglected HR hygiene scrambles to fix years of issues in days, usually at a cost.

A simple HR compliance maturity model

It helps to think about where your organisation sits on a maturity curve, because it sets realistic expectations for improvement. At the most basic level, compliance is reactive and personality-dependent—things get done because a particular person remembers to do them, records live in scattered spreadsheets, and audits surface many findings. A step up, compliance is documented—there are checklists and calendars, records are more organised, and routine items are reliably handled, though much is still manual. Higher still, compliance is systematised—an HRMS maintains registers and reconciles contributions automatically, workflows are enforced rather than hoped for, and audits surface few findings, mostly minor. At the most mature level, compliance is continuous and data-driven—the system flags issues in real time, dashboards show compliance status at a glance, and the annual audit is largely a confirmation of what leadership already knows. The goal of each audit cycle is not just to fix findings but to move the organisation up this curve, so that next year's audit is easier and cleaner than this year's. Progress up the curve is overwhelmingly driven by replacing manual, fragmented effort with systematised, automated processes.

Turning the audit into improvement

An audit's value is realised only when findings are fixed. Compile findings into a register, rate each by risk, assign an owner and a target date to each, and track to closure. Tackle high-risk items—lapsed registrations, contribution discrepancies, a non-functioning POSH committee—first and fast. Use medium and low findings to drive process improvements: standardised templates, automated registers, self-service onboarding, system-enforced approvals. Re-audit the closed items to confirm the fixes held. Over a few cycles, this discipline transforms HR from a function that hopes it is compliant into one that knows it is.

Many of the recurring findings—stale registers, missed multi-state remittances, inconsistent documentation, manual reconciliation errors—share a root cause: too much done manually across disconnected tools. A capable HRMS closes these gaps structurally by maintaining statutory records automatically, computing and reconciling contributions, enforcing consistent onboarding and exit workflows, securing employee data with proper access controls, and producing audit-ready reports on demand. The audit tells you where you stand; the right system helps you stay there.

Red flags that mean you should audit now

Some signals suggest you should not wait for the scheduled cycle and should audit the relevant area immediately. If your statutory contributions or returns have ever been deposited late, audit your payroll compliance now, because late deposits compound. If you have recently expanded into a new state, audit registrations there before the gap ages. If you have had employee disputes, grievances, or a POSH complaint, audit the related processes and documentation. If you are preparing for fundraising, acquisition, or a large client's vendor assessment, audit ahead of the scrutiny. If your HR team has had significant turnover, audit to confirm institutional knowledge didn't walk out the door with departing staff. If you still run core HR on spreadsheets and email at meaningful scale, audit your data integrity and controls. And if it has simply been more than a year since your last comprehensive review, that alone is reason enough. Treating these red flags as triggers, rather than waiting for an inspection or a dispute to force the issue, is the difference between proactive and reactive compliance.

Building an audit-ready culture

The companies that sail through audits and inspections are not the ones that work frantically the week before; they are the ones for whom audit-readiness is a byproduct of how they operate every day. Building that culture rests on a few habits. Make compliance a named responsibility rather than an orphan task, so someone owns each obligation. Document processes so they survive staff changes—institutional memory should live in systems and written procedures, not in one person's head. Keep records in real time rather than reconstructing them under pressure, which is far easier when a system captures them automatically. Treat findings as improvements rather than failures, so people surface problems instead of hiding them. And review periodically rather than only when forced, so small issues are caught while they are still small. A company with this culture experiences the audit not as an ordeal but as a routine confirmation, and its people spend their energy on work that matters rather than on retroactive cleanup. The investment in good habits and good systems pays for itself many times over the first time an inspection, a dispute, or a diligence process arrives and you can answer every question with a document instead of an apology.

Frequently asked questions

How often should we conduct an HR audit? A comprehensive HR audit annually is a sensible baseline, supplemented by lighter, more frequent compliance checks—monthly reconciliation of statutory contributions and quarterly reviews of registrations and registers. Conduct an additional focused audit ahead of major events like fundraising, an acquisition, or significant expansion.

Should we use an internal or external auditor? Both have merit. External auditors bring objectivity and benchmark knowledge and are valuable before high-stakes events; internal audits are cheaper, build internal capability, and suit routine cycles. Many companies combine them—internal for routine checks, external periodically for an independent view.

What are the most common findings in Indian HR audits? Lapsed or missing state registrations (especially for multi-state employers), stale or missing statutory registers, contribution discrepancies that don't reconcile, POSH committees that exist only on paper, inconsistent employment documentation, and delayed or miscalculated full-and-final settlements.

How do the new labour codes affect the audit? The codes change registration, record-keeping, wage-definition, and working-hours provisions, among others, and push toward consolidated, digital compliance. Audits should explicitly test the current position under the codes—particularly the standardised wage definition's effect on contributions and gratuity, and updated register and return requirements—and confirm the operative status for your states.

Who should own the HR audit? Ideally a designated owner with authority to convene the relevant functions—often the HR head or a compliance lead—working with finance for the contribution reconciliations. Leadership sponsorship matters, because remediation often requires cross-functional action and resourcing.

What's the difference between an HR audit and routine compliance? Routine compliance is the everyday execution—deducting, depositing, filing, recording. An HR audit is the periodic independent check that this everyday execution is actually happening correctly and completely. One is the work; the other confirms the work.

How long does an HR audit take? It depends on company size and scope, ranging from a focused review of a few days to a comprehensive multi-week exercise for a large, multi-state employer. The evidence-gathering stage takes the most time; good systems that produce records on demand shorten it considerably.

Can software reduce our audit findings? Substantially. Many recurring findings stem from manual, disconnected processes. An HRMS that maintains registers automatically, reconciles contributions, enforces consistent workflows, and produces reports on demand structurally prevents whole categories of findings and makes future audits faster.

What documents should we keep ready for an HR audit? Have the entity's registration certificates, recent statutory returns and challans, payroll reconciliations, statutory registers, the POSH committee constitution and meeting and annual-report records, your current policy set with acknowledgement records, a sample of complete employee files spanning appointment letters and statutory declarations, and recent full-and-final settlement statements. If these can be produced from a system on demand rather than assembled by hand, the audit moves quickly and confidently.

How do we prioritise findings when there are many? Rate each by risk to people and to the business. Anything creating legal exposure, penalty risk, or potential employee harm—lapsed registrations, contribution shortfalls, a non-functioning POSH committee, delayed settlements—is high priority and should be remediated immediately. Process weaknesses that could become problems are medium priority, and housekeeping items are low. Fix high-risk items first, then use the rest to drive systematic process improvement.

Conclusion

An HR audit is the discipline of replacing assumptions with evidence across every part of your people function—registrations, contributions, documentation, registers, POSH, policies, hiring, payroll, leave, exits, and data. For Indian companies in 2026, with the labour codes redrawing the compliance map and external scrutiny rising, a regular, structured audit is how you find the expensive, invisible problems before they find you. Run it with rigour, evidence every claim, rate and remediate findings with named owners and deadlines, and re-check that fixes hold.

The most durable way to keep audit findings low is to remove the manual, fragmented processes that cause most of them. CozyHR maintains your statutory records automatically, reconciles provident fund, ESI, professional tax, and TDS, enforces consistent onboarding and exit workflows, secures employee data, and generates audit-ready reports on demand—turning audit season from a scramble into a confirmation. Use this checklist to see where you stand, confirm current requirements for your states and under the labour codes, and consider a demo to see how much of your compliance can simply run itself.