Challenge: Multinationals' efforts to conduct global compliance audits and risk assessments of their human resources operations get complicated, because each country's employment laws are unique.
The globalizing economy has pushed multinationals to align more and more aspects of human resources globally. Multinationals now routinely globalize HR programs, policies, benefits and other "offerings" that, back in the old days, used to be purely local. As headquarters watches over its new cross-border HR offerings, compliance initiatives go global as well. Headquarters also has strong incentives to oversee compliance with the growing list of "extraterritorial" laws that reach workforces internationally. See "The Return of the Global Employment Audit," Law 360, 12/21/09.
But how can a multinational efficiently audit, assess, check or review HR compliance across borders? First, assemble a project team. Involve headquarters, foreign-local human resources staff, and the in-house legal and compliance functions. Consider tapping outside counsel with attorney/client privilege or an outside international HR consultant.
Team in place, the question becomes: How to project-manage a cross-border HR audit cost-effectively and efficiently? It seems the temptation here is always the quick-and-dirty approach—grab a "global HR audit checklist" off the shelf, dive in and just do the audit. But this never works, because no one-size-fits-all "global HR audit checklist" exists that can do the job. Each global HR audit project spins off in its own direction, with its own particular goals, its own pool of affected countries, focused in its own particular industry. A global HR compliance audit requires an organic, holistic approach in five steps:
1. Articulate context and scope. Isolate the context and delineate the scope of this particular global HR audit project. HR audits/assessments arise in very different contexts, for example: implementing a new corporate structure; preparing for a restructuring; doing a merger or acquisition (spin-off or post-merger integration); responding to a lawsuit/government investigation; or simply toughening compliance through a robust HR practices check-up. Some global HR audits focus externally on outside supplier compliance while others focus internally, but on specific legal challenges such as health/safety, wage/hour, data privacy, bribery, whistleblower hotlines, or—increasingly—corporate social responsibility and ethics. See "How to Conduct an Ethics Audit," SHRM HR Mag., 4/10. Isolating the context of your particular audit is vital because it lets you put aside all irrelevant issues not in play here. After setting context, delineate project scope. Should the project focus on compliance with employment laws, with collective agreements, with corporate policies—or with all three? As to legal compliance, should the project look at local employment laws, at laws of the headquarters country that reach "extraterritorially"—or at both? Should the project be confined to local employees or should it reach expatriates, consultants, independent contractors and suppliers? Should the project go beyond employment laws and policies to assess compliance with HR-context data privacy, corporate and tax laws? What industry-specific issues require special focus—like wage/hour in retail, conflicts of interest/insider trading in professional services, health/safety in manufacturing?
Tip: Think through, in advance, the challenges to a cross-border HR compliance audit or risk assessment. Proceed strategically. Craft aligned, locally tailored checklists from a master template.
2. Create master template. "Compliance" means following mandates. Because employment law mandates differ significantly by jurisdiction, localized HR compliance audit checklists (or questionnaires) are essential, and should align to allow for "apples-to-apples" comparisons across jurisdictions. Align local HR audit checklists by spinning each one off of a single master template (or outline). Create that master template organically—tailor it to fit this unique audit project. Include all topics consistent with the project scope (step 1), but exclude all other topics. Depending on context, HR compliance audit topics might include:
- Local labor/employment laws including rules regulating: candidate interviewing, "onboarding," union/collective labor/"works councils," wage/hour (including overtime and flat caps on hours), holiday/vacation, health/safety, employee communications/language, discrimination/harassment, complaints and internal investigation procedures, termination/release/payout at separation.
- Internal policies and collective (union/"works council") agreements including: local HR policies, global code of conduct, industry codes, bribery/corruption policy, globally applicable HR policies issued by headquarters, "framework"/union neutrality agreement, collective agreements to which the organization is a party and "sectoral" agreements that apply by force of law (be sure to inventory all internal policies and collective agreements).
- Benefits and compensation issues including: employee benefits, equity plans, statutory mandatory benefits laws, mandatory profit sharing, payroll compliance (deductions, withholding, reporting).
- Individual employment contract issues including: contract/offer letter template, restrictive covenants, employee acknowledgements/consents/waivers, computer-click intranet assents ("electronic signatures").
- Contingent and irregular employment issues including: contractor/consultant misclassification, fixed-term/part-time employees, secondees/leased/agency employees, non-employee directors, expatriates (including visas/work permits).
- Headquarters-country employment laws that reach overseas such as "extraterritorial" US laws on: accounting, "alien torts," bribery/foreign corruption, discrimination, Sarbanes-Oxley whistleblower "procedures," securities, terrorism watch list, trade sanctions.
- Corporate and tax issues reaching employment including: employer entity, employer registrations/corporate form, dual-employer exposure, "permanent establishment" exposure from "floating employees," employee powers of attorney.
- Data privacy laws that reach employee data, personnel files and global Human Resources Information Systems, including: employee notification/consents, registrations with data protection authorities, "sensitive" employee data, data security, HR data retention/purging practices, cross-border data transmissions.
3. Align local-country checklists off the master. "Localize" the master project template into a set of aligned audit checklists (or questionnaires), one per jurisdiction. Spin off a local checklist for each jurisdiction and localize each point with the applicable local standard. For example, if bullet #18 on a master template says "check compliance with local vacation laws," then the local Brazil checklist, at its bullet #18, might say something like "confirm employees get 30+ vacation days per year and draw down vacation in periods of 10+ days per vacation break." Be sure each local checklist captures any one-off local rules too quirky to merit coverage on the master template. (For example, a local HR audit checklist for England might address overtime opt-outs; one for Saudi Arabia might address gender segregation; one for Korea might address menstruation leave.)
4. Conduct the audit. Take the local checklists into the field and conduct the global audit. Gather data in each jurisdiction applying appropriate "metrics." Decide how deep to go in and how the audit process works. Will headquarters auditors travel on-site, or can the field piece be conducted remotely? Will inspections be announced or surprise? How to handle local HR staff that fails to respond adequately? What translations will be needed? Will auditors look only at policies/protocols/agreements, or will they inspect specific employment agreements, acknowledgements, paycheck stubs, timesheets, safety logs and the like? Will auditors interview employees? What will be the role of local outside providers like payroll agencies and benefits administrators? How will the audit process itself comply with local data laws?
5. Report and implement remedial measures. Summarize audit findings and implement "remedial measures"/fixes. Any summary report should avoid identifying specific employees (to minimize data protection and defamation exposure) and should account for privilege and evidentiary "admissions" issues (could the report later get used against the employer as evidence of willful noncompliance?). Finally, propose specific remedial measures—and then ensure the fixes actually get implemented locally.