The HR Legal Hub
The HR Audit
A structured review of a company's employment compliance — registrations, contracts, classification, policies, payroll, and records — that turns unknown exposure into a graded list of findings and a remediation sequence, before an inspector, a claimant, or an acquirer runs the same exercise adversarially.
Every article in this hub describes a piece of the Pakistani employment compliance stack. This one describes how to find out where you actually stand against all of it. An HR audit is a structured reconstruction of a company's employment position — who works for it, on what terms, under which statutes, with which registrations, payments, and records — graded for risk and converted into a remediation sequence. It is the same reconstruction an EOBI inspector, a labour department, a claimant's lawyer, or an acquirer's counsel performs adversarially. The only question is who does it first. This article sets out the method as of July 2026.
What the audit is for
Employment exposure in Pakistan has a specific shape: it accrues silently and surfaces suddenly. Contribution arrears grow by the month without a reminder from anyone. A misclassified workforce is free until the first grievance. A missing harassment committee costs nothing until a complaint arrives. The audit exists because none of these produce warning signs in the ordinary course — the financial statements do not show them, and the people responsible often inherited the gaps rather than created them.
The output that justifies the exercise is not a report; it is a findings register — each gap identified, graded, quantified where money is involved, and assigned an owner and a deadline. A fifty-page narrative that ends in general recommendations is a failed audit. Ten findings with numbers, grades, and dates is a successful one.
Scoping: drawing the boundary honestly
Scope decides whether the audit measures the real workforce or a flattering subset of it. Three boundaries need explicit decisions at the start.
Who counts. The audit population is everyone the business pays to work — payroll employees, consultants and retainers, workers supplied by manpower contractors, interns and trainees. Limiting the audit to the payroll excludes precisely the arrangements where classification risk concentrates.
Which sites and statutes. Each location is mapped to its province's instruments — standing orders, shops and establishments or factories legislation, minimum wage notifications, the social security institution — plus the federal layer of EOBI, tax withholding, and the harassment Act. The applicability map described in the labour-laws overview in this hub is the audit's first work product if it does not already exist.
How far back. Contribution and tax exposures are retrospective, so the look-back matters. A twelve-month deep reconciliation with a longer high-level sweep for registration dates and arrears is a common structure; the right depth depends on the company's age and the state of its records.
One structural decision sits alongside scope: whether the audit runs through counsel. Where findings may bear on disputes or transactions, engaging the review for the purpose of legal advice matters, because communications with legal advisers attract privilege under the Qanun-e-Shahadat Order, 1984 [SCOPE OF PRIVILEGE FOR AUDIT WORK PRODUCT — TO BE VERIFIED BY REVIEWING LAWYER].
The document review: five files, read against each other
The core of the audit is documentary, and its method is cross-reading — each source tested against the others, because gaps live in the differences.
The registration file. Every certificate the business holds — establishment registrations under the shops or factories legislation, EOBI, the provincial social security institution — checked for existence, currency, and above all dates, since the distance between when coverage began and when registration happened is where arrears live.
The people file. A contract, appointment letter, or engagement agreement for every person in the audit population, tested for statutory floors, for consistency with the person's actual category, and for the silent population: workers with no signed terms at all. Classification — workman or non-workman, employee or contractor — is tested here on duties and facts, with the reasoning recorded.
The money file. Twelve months of payroll registers reconciled three ways: withholding computed, deposited, and reported; EOBI contributions against headcount; social security contributions against headcount; wages against the current minimum wage notification per province; deductions against the Payment of Wages Act heads.
The policy file. Handbook, harassment policy and inquiry committee appointments, disciplinary and grievance procedures — tested for existence, for consistency with the statutes and each other, and for evidence of operation: display photographs, acknowledgement records, training logs, committee minutes.
The dispute file. Live and threatened claims, inspection notices, demand letters, and past settlements — read as a map of where the company's practices have already failed once.
Beyond the documents
Paper compliance and actual practice diverge, and the audit has to test the divergence. Short interviews with the HR lead, the payroll operator, and a line manager reliably surface what the files conceal: the "consultants" who sit in the office on fixed hours, the leave approved on chat and never recorded, the deductions taken by custom, the committee that exists on paper and has never met. A site walk does the rest — the displayed harassment code, the attendance system in actual use, the registers an inspector would ask for first. Fifteen minutes of conversation routinely reprices an entire findings category.
Risk grading: making the register decision-ready
Findings are graded so that remediation can be sequenced and budgeted. A three-band scale works if the bands are defined by consequence rather than adjectives.
High: quantified liabilities accruing now, or gaps that convert into immediate orders when triggered — unregistered establishments, contribution arrears, systematic under-withholding, wages under the notified minimum, no harassment committee. These carry statutory additions, personal-liability features, or per-month growth.
Medium: exposures waiting on a trigger event — misclassified populations, missing contracts, disciplinary practice that ignores the standing orders, deduction habits outside the authorised heads. The cost arrives with the first dispute, inspection, or diligence exercise.
Low: defects that weaken the company's position without independent liability — outdated policies, thin record-keeping, missing acknowledgements. Cheap to fix, and they determine how well the company defends everything else.
Each money finding gets a number, computed from the company's own records — because in every later negotiation, with an institution or an acquirer, the party that computed the figure first sets the anchor.
Remediation sequencing: the order of operations
The register is worked in an order dictated by how each exposure behaves, not by ease.
First, stop the accrual. Register everything unregistered, start current-month compliance on all contribution and withholding streams, and lift any wage below the notified minimum. Every month of delay here has a price printed on it.
Second, deal with the past deliberately. Quantify arrears from your own records and take advice on the settlement approach per institution — sequencing matters, because approaching an authority before the numbers are reconstructed surrenders the anchor.
Third, fix classification and contracts. Convert or restructure misclassified workers, paper the unpapered, and correct category errors — these decide the cost of every future exit and dispute.
Fourth, stand up the machinery: harassment committee and displays, disciplinary and grievance procedures aligned with the applicable standing orders, policy set reissued with acknowledgements.
Fifth, make it stay fixed. A compliance calendar with named owners for each monthly and annual obligation, and a re-test of the findings register once the deadlines pass. An audit whose findings are re-tested once tends to be the last full audit the company needs for years; the annual exercise thereafter is an update, not an excavation.
The First Counsel conducts HR audits on this method, from scoping through remediation and re-test, and the downloadable checklist on this page is the preparation list it issues to clients before fieldwork begins.
The Checklist
HR audit preparation checklist
What to assemble and decide before an employment compliance audit begins, so the review measures reality instead of guessing at it.
- Appoint one internal owner for the audit with authority to obtain documents from HR, finance, and operations.
- Decide the audit's scope in writing: which entities, which locations, which worker populations, and how far back.
- Engage the audit through counsel and route findings through them where privilege over the output matters [PRIVILEGE POSITION — TO BE VERIFIED BY REVIEWING LAWYER].
- Produce a headcount snapshot as at the audit date: every person paid, by entity, location, category, and payroll or non-payroll status.
- Pull every registration certificate the business holds — shops and establishments, factories, EOBI, provincial social security — with dates.
- Collect the signed contract, appointment letter, or engagement terms for every current worker, and flag everyone for whom none exists.
- Export twelve months of payroll registers with the tax withholding, EOBI, and social security lines visible per person.
- Gather the deposit and payment evidence for tax withholding and both contribution schemes for the same twelve months.
- Assemble the policy set: handbook, harassment policy and committee appointments, disciplinary and grievance procedures, leave rules.
- List all current and threatened employment disputes, inspection notices, and demand letters from any authority.
- List every manpower, outsourcing, and consultancy arrangement, with the underlying agreements.
- Locate the wage, attendance, and leave registers each applicable statute requires, and note which are missing.
- Identify who in the company decided each worker's workman or non-workman classification, and on what recorded basis.
- Agree the risk-grading scale with the auditor before findings are written, so grades mean the same thing across domains.
- Block time for the people the auditor will need: HR lead, payroll operator, finance controller, and a site manager per location.
- Fix the output format in advance: a findings register with grade, exposure estimate, owner, and deadline per item.
- Set the remediation review date before the audit starts, so the findings register has a scheduled second life.
Questions, Answered
What clients ask most.
Before someone else runs it for you. The common triggers are an approaching fundraise or sale, a first inspection notice, a dispute that revealed a gap, or crossing a growth threshold — a second province, a hundredth employee. The cheapest audit is the one run while every finding is still merely a task; the same finding inside a transaction becomes an escrow, and inside an inspection becomes a demand.
A findings register is discoverable in principle, which is why structure matters. Communications with legal advisers attract privilege under the Qanun-e-Shahadat Order, 1984, and audits run through counsel for the purpose of legal advice are ordinarily conducted so the analysis sits within that protection [SCOPE OF PRIVILEGE FOR AUDIT MATERIALS — TO BE VERIFIED BY REVIEWING LAWYER]. The greater risk runs the other way: the exposures exist whether or not they are written down, and the unwritten version is the one you cannot manage.
Same exercise, opposite incentives. Diligence counsel reconstructs your compliance from the outside to price risk against you; an audit reconstructs it from the inside so you learn the numbers first and fix what can be fixed. Companies that audit before a raise walk into diligence with a findings register, remediation evidence, and answers — which shortens the process and shrinks what ends up in the indemnities.
Because knowing a gap exists is not the same as knowing its size, its priority, or its fix. An audit converts a vague unease into a graded register: which findings are quantified arrears, which are claims waiting for a trigger, which are paperwork. Remediation budgets and sequencing come from that register. Companies that skip the measurement stage habitually fix the visible items and leave the expensive ones.
It must, or it measures the wrong workforce. Non-payroll workers are where classification risk lives, and contribution authorities and labour courts do not stop at the payroll boundary. A proper scope covers everyone the business pays to work: employees, consultants, contractor-supplied staff, and interns, with the classification of each tested on facts rather than labels.
Sequenced work, not a blitz. Registrations and accruing arrears are stopped first, because they compound monthly. Classification and contract gaps come next, because they price every future dispute. Policies and committees follow, then record-keeping, then a compliance calendar so the fixes hold. Each finding gets an owner and a date, and the register is re-tested after the deadlines pass — remediation without a re-test is a plan, not a result.
Prepared by The First Counsel · As of 2026-07-12 · Pending professional review — statements flagged in the text are being verified
This publication is provided for general information only. It is not legal advice, and neither reading it nor corresponding with the firm about it creates a lawyer–client relationship. The position stated must be verified against current law before it is relied upon.
