Global HR Hot Topic: Globally Auditing Human Resources Compliance - May 2014


Globalization pushes multinationals to align more and more aspects of human resources across borders. Multinationals now routinely globalize many of their HR programs, policies, benefits and other "offerings" that, back in the old days, would have been purely local. But globalizing HR offerings causes ripple effects; a big ripple is that headquarters has to watch over what it has globalized. And so after HR initiatives go global, HR compliance initiatives need to go global as well. (See "The Return of the Global Employment Audit," Law 360, 12/21/09)

Cross-border HR compliance initiatives have many facets. A multinational has obvious incentives to verify that its overseas HR operations comply both with foreign local laws and with the growing list of "extraterritorial" laws that reach workplaces internationally. In addition to legal compliance, multinationals need to verify that their overseas operations conform to the organization's own in-house code of conduct, other international policies, employment agreements, and corporate values and norms.

This push for cross-border compliance assessments or audits of human resources operations can come from any of various constituencies within a multinational organization—for example, from compliance (of course), from upper management or the board of directors, from the general counsel's office, from human resources or from specific business functions— say, industrial safety (assessing global safety compliance), audit/ accounting (assessing global Sarbanes-Oxley compliance), or mergers and acquisition teams (assessing employment compliance of to-be-spun-off or to-be-acquired business units). In fact, international HR employment compliance audits actually transcend employment law and become relevant to operations within an organization well beyond HR. For example, the US Foreign Corrupt Practices Act and the US securities laws against insider trading are not employment laws, but the only way a multinational can ensure it complies with these particular rules internationally is to propagate cross-border HR policies against bribery and insider trading, to train employees on those HR policies, and then to enforce those HR policies against transgressing foreign staff. All of a sudden headquarters functions with no HR responsibilities—in this case, the in-house functions responsible for overseas bribery and international insider trading compliance—become concerned with internationally auditing HR practices.

Understanding why multinationals need to audit HR compliance internationally, the question becomes how? How does a multinational efficiently audit, assess, check or review its own ongoing compliance practices across HR operations overseas?

The first step in any global HR compliance check or audit is to assemble the compliance audit project team. In assembling that team, be sure to involve headquarters, involve foreign and local human resources staff, involve the in-house legal and compliance functions and consider involving the corporate audit function. Consider tapping outside counsel with attorney/client privilege or at least involving an outside international HR consultant.

Audit team in place, the issue becomes global audit project management—how to manage this particular cross-border HR audit cost-effectively and efficiently. The temptation here can be the quick-and-dirty approach, grabbing some global HR audit checklist off the shelf, diving in and just doing the audit. Unfortunately, this approach never works because no one ever finds that one-size-fits-all "global HR audit checklist" that will serve as an accurate, sufficiently detailed roadmap for this particular project. That is because each global HR audit project spins off in its own uncharted direction, with its own specific goals, its own pool of affected countries and its own particular industry issues. Give up that search for the perfect off-the-shelf global HR audit checklist. Instead, embrace the inevitable fact that your global HR compliance audit will require an organic or holistic approach.

The organic or holistic approach for any global HR audit breaks into five discrete steps, which we discuss here: Articulate audit context and scope; create a master audit checklist template; align local-country checklists off the master; conduct the audit; and report and implement remedial measures.

1. Articulate audit context and scope. To begin any international human resources compliance check or audit, first isolate the context and delineate the scope of this particular audit project. Put aside all irrelevant (but auditable) issues not in play.

HR compliance assessments and audits arise in very different contexts including, for example, implementing a new corporate structure, preparing for a corporate restructuring, launching a merger or acquisition (spin-off or post-merger integration), responding to a lawsuit/government investigation, or simply toughening compliance through a robust HR practices check-up. Some global HR audits focus externally on outside supplier compliance while others focus internally on specific employment law challenges like health/safety, wage/hour, worker data privacy, whistleblower hotlines, or—increasingly— corporate social responsibility and ethics. (See "How to Conduct an Ethics Audit," SHRM HR Mag., 4/10) As mentioned, some HR-context audits actually focus on concerns separate from employment law, like compliance with bribery and insider trading laws.

After setting context, delineate audit project scope. Which countries are involved here? Should this global HR audit focus on compliance with laws, with collective agreements, with corporate policies, with best practices—or with all of these? As to legal compliance, should this audit look at local laws, at headquarters-country laws that reach "extraterritorially"—or both? Should this audit confine itself to local host-country employees, or should it also check expatriates, contingent staff, consultants, independent contractors and employees of suppliers? Should this audit go beyond employment laws and policies to assess compliance with HR-context data privacy, corporate and tax laws? And which industry-specific issues require special focus here (for example, wage/hour in retail, conflicts of interest/insider trading in financial and professional services, health/safety in manufacturing)?

2. Create a master audit checklist template. "Compliance" means following rules. Because HR-context rules differ significantly from jurisdiction to jurisdiction, anyone who leads a multijurisdictional compliance assessment or audit will need aligned but localized checklists or questionnaires that allow for "apples-to-apples" comparisons across jurisdictions. To align local HR audit checklists, first craft a single master global audit template or compliance checklist. Create that master template organically—tailor it to fit your particular audit project. (We already mentioned that a perfect checklist will not exist "on the shelf"; some other audit project template might prove a helpful form, but will inevitably need tailoring.) Include in your global audit template all topics consistent with the specific audit project scope (discussed above as step 1), and then actively exclude all other topics. By definition, topics outside the scope are irrelevant.

Depending on context, topics possibly to include in a global HR compliance audit template or checklist might include:

  • Labor/employment laws and other laws reaching employees:
    • Local labor/employment laws, including rules that regulate candidate interviewing, "onboarding," negotiations/ consultations with unions/collective labor/"works councils" and health/safety committees, union "corporate campaigns," wage/hour (including overtime and flat caps on hours), holidays/vacation, substantive health/safety compliance, duty of care, workplace injury/compensation, employee communications/language, discrimination/ harassment/diversity (including laws requiring hiring/ accommodating the disabled), HR complaints, internal investigation procedures and termination/release/payout at separation
    • Headquarters-country employment laws that reach overseas—that is, "extraterritorial" US laws on audit/accounting fraud, "alien torts," bribery/foreign corruption, employment discrimination, Sarbanes-Oxley §301 whistleblower "procedures," securities trading laws, terrorism watch list and trade sanctions
    • Data privacy laws reaching employee data, personnel files and global Human Resources Information Systems, including employee notification/consents, registrations with data protection authorities, "sensitive" employee data, data security, HR data retention/purging practices, whistleblower hotline compliance with data laws, cross-border data transmissions and exports
  • Past and pending employment (and employee data privacy) claims/litigation
  • Benefits and compensation issues including employee benefits, equity plans, pension plans/schemes, medical and other employee insurance, statutorily mandated benefits, mandatory profit sharing and mandatory (inflation- adjusted) raises
  • Corporate, tax and other laws reaching employment including employee payroll law compliance (tax and social security reporting, deductions, withholding, contributions), employer corporate entity, employer registrations/corporate form, dual-employer exposure, "permanent establishment" exposure from "floating employees" (see our Global HR Hot Topic of October 2013), employee powers of attorney, directors' and officers' liability insurance, corporate law topics conceptually unrelated to employment law but that multinationals enforce through HR rules and practices (bribery/FCPA, insider trading, trade sanctions, intellectual property) and compliance with employment provisions in past M&A agreements
  • Written internal employment policies, rules and agreements:
    • Human resources policies including local HR policies and work rules, global codes of conduct (both internal ethics code and external supplier code), whistleblower hotline, industry codes, bribery/corruption policy and all headquarters-issued globally applicable HR policies (check whether these policies got properly launched and implemented locally)
    • Individual employment contract issues including contract/ offer letter template, individual employment contracts, "onboarding" documents, fixed term and probation compliance, restrictive covenants, intellectual property assignments, employee acknowledgements/consents/ waivers, computer-click intranet assents ("electronic signatures" and paperless contract execution) and employment contract execution/filing
    • Collective (union/works council) agreements including "framework"/union neutrality agreements, collective agreements to which the employer is a party, "sectoral" agreements applicable by force of law, "social plans" (past reduction-in-force agreements), agreements with works councils, ombudsmen, health and safety committees, and other non-union employee representatives
  • Contingent and irregular staffing issues including contractor/ consultant (mis)classification, compliance with laws regulating outsourcing, fixed-term/part-time employees, secondees/leased/agency employees, non-employee directors, probationary staff and expatriates (including visas/work permits for all non-citizen staff)

3. Align local-country audit checklists off the master. Next, "localize" the master HR audit checklist template (step 2) by spinning it off into a set of tailored but aligned audit checklists/questionnaires, one per jurisdiction subject to the audit project, each anchored in the local legal standards. For example, if bullet #18 on the global master template says "check compliance with local vacation laws," then the local Brazil checklist (for example), at its bullet #18, might say something like "confirm employees get 30+ vacation days per year and draw down vacation either in a 30-day uninterrupted block or a 20-day uninterrupted block plus a 10-day vacation time sell-back." And bullet #18 on the France checklist would address not only France's minimum vacation benefit but also France's ban on roll-over (French employees must use all vacation before year-end).

In addition to localizing topics from the master checklist for each affected jurisdiction, be sure to add into each local checklist all quirky local rules that, because they are inherently local, did not get picked up on the global template. For example, a local HR audit checklist for England should address overtime opt-outs, one for Canada should address contractually quantifying pre-dismissal notice, one for South Africa should address affirmative action plans, one for Saudi Arabia should address workplace gender segregation, and one for Indonesia or Korea should address mandatory menstruation leave. Again, these topics are mostly unique to these jurisdictions and so will not likely appear on the master template (step 2).

4. Conduct the audit. At last it becomes time to go out and conduct the global HR assessment or audit. Take the local checklists (step 3) into the field and do the global HR compliance check/audit, gathering compliance information in each jurisdiction. Decide how the audit process will work and decide how deep to plow. Will headquarters auditors travel onsite—or can auditors conduct the field piece remotely or delegate local audits to local HR staff? Will auditors interview employees? Will auditor inspections be announced or surprise? How to handle local HR staff that fail to respond adequately? How to handle the political issue of local management hostile to the audit? How to handle local staff refusing to cooperate? (Under law in many jurisdictions, local staff do not have to cooperate.) How granular will the audit be? Will auditors look only at policies/protocols/agreements? Or will auditors scrutinize specific employment agreements, employee-signed acknowledgements, minutes of union/works council meetings, paycheck stubs, timesheets, safety logs and the like? Will translations be needed? Will auditors get access to local outside providers like payroll agencies and benefits administrators? And how will the international audit process itself comply with local employment and data protection laws?

Be sure to apply appropriate "metrics" in the audit. For example, if the audit looks into diversity, it would be foolish to apply US EEO-1–style diversity metrics to employee populations in, say, Japan or Finland. (See our Global HR Hot Topic of January 2013)

If an audit uncovers any specific act of wrongdoing that merits its own discrete investigation, spin off that investigation as a separate project. (On cross-border internal investigations, see our Global HR Hot Topic of April 2013)

5. Report and implement remedial measures. Summarize the HR compliance check/audit findings. The summary report should avoid identifying specific employees (to minimize data protection and defamation exposure) and should account for attorney/ client privilege and evidentiary admissions issues. Could the report later get used against the employer as evidence of willful noncompliance?

Finally, the audit team should propose specific "remedial measures," or fixes. Then someone needs to follow up to check that the fixes actually get implemented locally.

Topics:  Audits, Compliance, Employer Liability Issues, Employment Policies, Global Economy, Multinationals

Published In: International Trade Updates, Labor & Employment Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© White & Case LLP | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »