HR Audit Checklist for Indian Businesses (2026)

An HR audit is the cheapest insurance an Indian business can buy. Whoever comes next, the EPFO inspector, the IT department's TDS scrutiny notice, the pre-IPO due diligence team, or the M&A buyer asking for a compliance pack, looks at the same eight areas. Most SMEs find out their files are thin only after the inspector flags it.

This checklist is built for one HR head and one finance person to complete in one working day. Score each area honestly. Below 64 out of 80 is a problem you fix this quarter.

1. Statutory Registration

Lapsed certificates are common.

  • PF (EPFO) certificate available, establishment code active on the EPFO portal.
  • ESIC registration in place once you crossed 10 employees in a wage-threshold state.
  • Shops & Establishments registration for every office, renewed per state rule (annual in Maharashtra, five-yearly in Karnataka).
  • Factories Act licence for any manufacturing unit above the worker threshold.
  • Professional Tax registration (PTRC and PTEC) for every state where you employ staff.
  • Labour Welfare Fund registration in states that levy it.

2. Payroll Compliance

Most penalties come from here. A clean payroll register, on time, is the single biggest predictor of a quiet audit.

  • PF challan filed by the 15th every month with zero ECR rejections.
  • ESI challan paid by the 15th, contribution period correctly mapped (April to September, October to March).
  • TDS on salary deducted under Section 192, deposited by the 7th, Form 24Q filed quarterly without 234E late fees.
  • Professional Tax remitted state by state on the correct due date.
  • Bonus calculated under the Payment of Bonus Act on basic + DA, not basic alone, with the ₹7,000 or minimum-wage cap applied correctly.
  • Gratuity provision created in the books and funded.
  • Form 16 issued by 15 June for the previous FY, Form 12BA where perquisites apply.

3. Documentation

Open any employee file at random. If a senior hire's NDA is missing, your IP protection story falls apart in the first round of diligence.

  • Signed offer letter with date, role, CTC breakdown, and notice period.
  • Signed appointment letter with confidentiality, non-solicit, and IP assignment clauses.
  • Standalone NDA for every employee with access to source code, financials, customer data, or board material.
  • PAN, Aadhaar (consent-based), and address proof on file.
  • Educational certificates verified, with a written note from the HR staff member who checked them.
  • Prior employer relieving letter, last three salary slips, and Form 16.
  • Background verification for senior hires and roles with financial authority.

4. Leave Records

A missing accrual log across 200 employees becomes a real liability at exit.

  • Leave policy approved by management, dated, and circulated to all employees.
  • Year-wise accrual log per employee with opening, accrued, availed, lapsed, and closing balances.
  • Every leave application has written or system-recorded approval before the leave was taken.
  • Encashment register showing dates, days, rate, and TDS impact under Section 10(10AA).
  • Maternity leave records meeting the 26-week minimum with payment continuity.
  • Comp-off entries reconciled against actual extra working days.

5. Attendance Records

Attendance feeds payroll, leave, overtime, and any wage dispute. The records have to survive a hostile reading.

  • Muster roll (Form 25 in most states) maintained physically or digitally with daily entries.
  • Biometric or GPS attendance backup retained for at least three years.
  • Regularisation requests for missed punches go through a written approval chain.
  • Overtime register (Form 10 in Maharashtra, equivalent elsewhere) with double-rate calculation.
  • Shift roster published in advance and matching what was actually worked.

6. POSH Compliance

POSH is where small companies most often fail. The Sexual Harassment of Women at Workplace Act, 2013 has hard requirements that cannot be papered over.

  • Internal Committee constituted at every workplace with 10 or more employees: senior woman as presiding officer, two internal members, one external member from an NGO or legal background.
  • POSH policy displayed in English and the local language at every office and on the intranet.
  • Annual POSH training records for all employees with sign-in sheets or LMS completion logs.
  • Complaint register maintained, even if empty.
  • Annual report under Section 21 filed with the District Officer for every calendar year.
  • Section 22 disclosure in the directors' report stating complaints received, disposed, and pending.

7. Data Protection and Privacy

The DPDP Act, 2023 has been passed; the rules are still being notified. Auditors are already asking.

  • Written employee consent for collecting and processing personal data, captured at onboarding.
  • Privacy notice covering what data is collected, why, where it is stored, and how long.
  • Retention policy stating how long ex-employee records are kept (typically seven years for tax records).
  • Access controls on HR systems with role-based permissions, no shared admin logins.
  • Audit trail of who accessed which employee record and when.
  • Vendor agreements with payroll and background-check providers covering data processing terms.
  • Breach response plan with named owners and a 72-hour notification path.

8. Exit Records

Missing relieving letters and unpaid FnF balances are findings every diligence team flags.

  • Resignation letter on file with date received and agreed last working day.
  • Notice period served in full, or shortfall recovered through FnF.
  • Full and final settlement signed by both sides, showing earnings, deductions, leave encashment, gratuity, and notice recovery.
  • Relieving letter and experience letter issued within the policy timeline.
  • NOC for laptop, ID card, access cards, and any company asset.
  • PF and gratuity settlement initiated within 30 days of the last working day (LWD).

Scoring Framework

Score each area out of 10. Total is out of 80.

  • 72 to 80: audit-ready.
  • 64 to 71: minor gaps. Close this quarter.
  • 50 to 63: serious gaps. 60-day remediation with a board update.
  • Below 50: stop other HR projects until you climb back above 64.

Award a 10 only with written policy, system records, signed evidence, and a named owner. A 7 means the work happens but the paper trail is patchy. A 4 is informal. A 0 means the area does not exist.

Common Audit Findings in Indian SMEs

After a few hundred audits, the same gaps show up. None are exotic; all cost real money once a notice arrives.

  • NDAs missing for senior hires (CTOs, finance heads, product leads who joined in the early scramble).
  • PF registration delayed past the 20-employee trigger, with retrospective contributions and Section 14B damages looming.
  • POSH IC not constituted at 10 employees, or only on paper without an external member.
  • Bonus calculated on basic only, when the law says basic plus dearness allowance.
  • Form 24Q not matching the employee's Form 12BB declaration, leading to TRACES defaults.
  • Gratuity provisioned in books but not actually funded.
  • S&E registration done for the head office but missed for branch offices opened later.

How Often to Audit

Annual is the floor. Run a full eight-area audit once a financial year, ideally January to March so corrections land before the next FY closes. Companies adding 50+ employees a year should add a half-year check in October. Pre-funding, pre-IPO, or pre-M&A, run it two months before diligence is expected.

Audit-Ready by Default

Indian HRM keeps an immutable audit trail across payroll runs, leave accruals, attendance edits, and document uploads. "Show me the FY 2024-25 compliance pack" becomes a single export. More on our compliance management software page.