How to Conduct an I-9 Audit: A Step-by-Step Guide for HR
By Eddy Team — June 24, 2026
What is an I-9 audit?
Every employer in the U.S. has to complete a Form I-9 for every person they hire to verify identity and work authorization. Simple in theory—but I-9 files have a way of quietly accumulating problems: a missing signature here, an expired form version there, a new hire whose form never got finished at all.
An I-9 audit is how you find those problems before someone else does. "Someone else" could be Immigration and Customs Enforcement (ICE), the Department of Justice, or a Department of Labor investigator—any of whom can show up with a Notice of Inspection and give you just three business days to produce your forms.
This guide walks through how to run an internal I-9 audit start to finish. It's written to apply to any employer, however you store your forms. Where it helps, we've flagged how Eddy makes specific steps faster—but the process itself is the same whether you're working from a filing cabinet or a dashboard.
The snapshot
- What it is: A systematic review of your Form I-9 records to confirm each one exists, is complete, is accurate, and is being retained correctly.
- Why it matters: Civil penalties for I-9 paperwork violations run into the hundreds to thousands of dollars per form, and "we didn't know" isn't a defense.
- The big risk people miss: A sloppy audit can create discrimination liability of its own. How you correct and re-verify matters as much as what you find.
- The four phases: Inventory → Review each form → Correct what's fixable → Document the whole thing.
- Where Eddy helps most: Instantly seeing who's missing a form, and producing a timestamped, actor-level audit trail for every digital I-9.
Why run an internal I-9 audit?
Because the cost of waiting until someone is knocking is steep. A Notice of Inspection typically gives you only three business days to hand over your I-9s. That is not enough time to fix years of accumulated errors—but it is plenty of time for an investigator to count them.
A few realities worth keeping in mind:
- Paperwork violations are penalized on their own. You don't have to have knowingly hired an unauthorized worker to be fined. A missing date or unsigned section is a substantive violation in its own right, and civil penalty amounts are adjusted annually.
- Errors compound quietly. A form that was filled out wrong in 2019 stays wrong until someone looks. Multiply one recurring mistake across a few hundred hires and the exposure adds up fast.
- Good-faith correction counts. Investigators and courts generally look more favorably on employers who can show a real, documented internal audit process—even when that process surfaced mistakes.
The point of a self-audit isn't to achieve a perfect file. It's to find what's fixable, fix it correctly, and be able to show your work.
Before you start: internal audit ≠ government audit
One framing matters before you open a single form. You are conducting a voluntary internal review. You are not ICE, and you should not run your audit like an enforcement action against your own employees.
That distinction drives two rules that run through this entire guide:
- You cannot single people out. Don't audit only certain employees based on national origin, citizenship status, accent, or how "foreign" a name sounds. Either audit everyone, or audit a genuinely neutral subset (for example, everyone hired in a specific date range, or one location).
- You cannot demand specific documents or re-verify without cause. The employee always chooses which acceptable documents to present. An audit is not a license to ask for "papers" again.
We'll come back to both of these. For now, just know that the way you conduct the audit is itself something a regulator can scrutinize.
⚠️ This guide is educational, not legal advice. I-9 rules are federal, they change, and the right answer to a specific correction can depend on the facts. For anything ambiguous—or for a large-scale cleanup—loop in qualified immigration counsel.
Step 1: Build your master list of who should have an I-9
You can't tell what's missing until you know who you're checking. Start by pulling a complete roster of everyone who needs a Form I-9 on file:
- All current employees hired after November 6, 1986.
- Recently terminated employees still inside their retention window (more on retention in Step 6).
Then compare that roster against the I-9s you actually have. Every name without a matching form is your first finding.
This reconciliation is the single most tedious part of a manual audit—cross-referencing a headcount report against a stack of paper or a shared drive, name by name.
💡 In Eddy: This is the step that collapses from hours to seconds. The Form I-9 status report (Reports → Form I-9 status) lists every employee with a single status tag:
You can filter by employment status (e.g., Active only) and Download CSV to start your audit worksheet immediately. The "MISSING" rows are your gap list, already built.
- MISSING — no I-9 on file. These are your priority findings.
- PAPER — a paper form uploaded to the employee's profile.
- DIGITAL — a form completed through Eddy's guided e-sign flow.
Step 2: Review each form, section by section
For every I-9 you do have, check it against what the form actually requires—the authoritative reference is USCIS's M-274, Handbook for Employers. Work through it in the order the form is built.
Section 1 (the employee's part):
- Completed no later than the employee's first day of work for pay.
- Name, address, date of birth, and attestation of status all filled in.
- Exactly one status box checked (a citizen, a noncitizen national, a lawful permanent resident, or an authorized alien).
- For lawful permanent residents and authorized aliens, the required identifying numbers and—where applicable—a work-authorization expiration date.
- Signed and dated by the employee. An unsigned Section 1 is one of the most common substantive errors there is.
- If a preparer or translator helped, the corresponding supplement is completed.
Section 2 (the employer's part):
- Completed within three business days of the employee's start date.
- Documents recorded from the correct lists: one document from List A, or one from List B and one from List C. Never List A plus List B/C.
- Document titles, issuing authorities, numbers, and expiration dates transcribed accurately.
- The employer's attestation signed and dated, with the reviewer's name, title, and business address.
- The "first day of employment" date entered.
Form version: Confirm each form is the correct edition. Using an outdated I-9 version is itself a finding, and it's an easy one to miss when you're focused on the fields.
💡 In Eddy: Two things make this review far less manual:
First, the completed I-9 lives in a dedicated Form I-9 section on each employee's profile (under Documents), so you're never hunting for the actual form. If a form has ever been replaced, a Form I-9 history keeps every version submitted—each one viewable and downloadable with its date—so the full lineage of a corrected form is preserved, not overwritten.
Second, the Form I-9 audit trail report turns the "did this get done correctly" question into a record you can read. For every digital form it captures, action by action: who completed and signed each section, the exact date and time, the actor's email, IP address, and authentication method (e.g., Password + MFA)—plus the document version used and the List A/B/C document titles and expiration dates. So "was the right form edition used?" and "who attested to Section 2, and when?" are answered in the report rather than reconstructed from memory.
One honest caveat: uploaded paper forms show up in the trail as an "Uploaded" event, but the field-level detail (IP, expiration dates, version) only exists for forms completed digitally in Eddy. That gap is itself a good argument for moving future hires onto the digital flow.
Step 3: Categorize what you find
Not every error is equal, and not every error is fixed the same way. As you go, sort findings into buckets:
- Missing forms — no I-9 at all. Highest priority.
- Substantive errors — missing signatures, missing dates, no documents recorded, wrong document combinations, unchecked status box. These carry real penalty exposure.
- Technical/procedural errors — things like a missing employee maiden name or a transposed address. Often correctable, and sometimes excused if fixed in good faith.
- Reverification gaps — work authorization that has expired without a timely reverification (see Step 5).
Keep a simple log: employee, form, error found, how you resolved it, and the date. That log is your audit documentation, and it's what demonstrates good faith later.
Step 4: Make corrections the right way
This is where well-intentioned audits go wrong. Resist the urge to "clean up" a form by erasing, whiting out, or backdating anything. The correction method depends on who made the error and how serious it is.
For minor errors on an existing form: Draw a single line through the incorrect information, enter the correct information, then initial and date the change. Never obscure the original entry—the whole point is a transparent record of what changed and when. The employee corrects their own Section 1 errors; the employer corrects Section 2.
For a missing or badly incomplete form: Complete a new Form I-9 using the current version. Do not backdate it. Attach it to any prior incomplete form and a brief written note explaining the correction. The honest gap between the start date and the correction date is far less risky than a forged-looking backdate.
A note on missing documents: If Section 2 was never completed, you may have the employee present acceptable documentation now—but remember the employee still chooses which documents to provide. You cannot demand a specific one.
💡 In Eddy: Corrections are handled by assigning a new Form I-9 task to the employee (and a Section 2 review task to the chosen reviewer).
The new form runs through the same guided, e-signed flow—so the correction lands in the audit trail with its own timestamps and actor records, rather than as an untracked edit. When the new form is filed via Replace, Eddy doesn't discard the old one: it keeps a Form I-9 history of every version submitted, each viewable and downloadable. That's exactly the "show your work" paper trail an auditor wants—the original error and its correction sit side by side, both dated.
Step 5: Handle reverification and rehires
Some employees presented work authorization that expires. When it does, you generally must reverify before it lapses—using Supplement B (Reverification and Rehire), not a brand-new Section 2. Reverification applies to expiring work authorization, not to expiring identity documents like a driver's license, and never to U.S. passports or permanent resident cards.
During the audit, flag anyone whose recorded work authorization has expired or is about to, and confirm a timely Supplement B exists.
And the discrimination rule applies here too: you reverify based on the document's expiration date, full stop—not based on someone's national origin or your assumptions about their status.
💡 In Eddy: Because the audit trail captures List A/B/C document titles and their expiration dates, you can spot expiring authorization rather than discovering it after the fact.
When reverification is needed—or when you're rehiring or recording a legal name change—an admin can complete a Supplement B directly in Eddy, keeping the reverification attached to the same employee record.
Step 6: Confirm retention—and don't purge early
You have to keep each I-9 for the later of:
- 3 years from the date of hire, or
- 1 year from the date employment ends.
For current employees, that means you keep the form the entire time they work for you, plus the applicable window after. The audit is a good moment to confirm you haven't destroyed anything too early—and to identify forms that are genuinely past their retention date and eligible for disposal.
💡 In Eddy: Completed I-9s are retained in the employee's profile indefinitely, so you won't accidentally lose a form you were still required to keep. Eddy doesn't currently auto-calculate each form's retention or purge date, so the "is this one eligible for disposal yet?" math is still a judgment call for the auditor—but everything you need (hire date, termination status, the form itself) is in one place to make that call.
Step 7: Document the audit and close the loop
Finish by writing down what you did: the scope (who was reviewed and why that scope is neutral), the date range, what you found, and what you corrected. Store that summary alongside your I-9s.
This record is the difference between "we think our files are fine" and "here is our documented, good-faith audit, completed on [date], with these corrections logged." The second one is what you want to be able to hand over.
A quick worked example
Rectangle Group runs a self-audit across its active workforce.
The HR admin opens the Form I-9 status report, filters to Active employees, and downloads the CSV. Out of the roster, a handful come back MISSING—including a few recent hires whose forms slipped through. Those become the priority list, and the admin assigns each a new Form I-9 onboarding task; the employee completes and e-signs Section 1, and the designated reviewer gets a task to complete and e-sign Section 2.
For the DIGITAL forms already on file, the admin pulls the audit trail report and scans it: every form used the current edition, each Section 2 shows the reviewer who attested and when, and the document expiration columns surface one employee whose work authorization is approaching expiry. That person gets a timely Supplement B reverification.
The two PAPER uploads get a manual eyeball—signatures, dates, document lists—since the field-level detail isn't captured for uploads. One has an unsigned Section 2; rather than backdate it, the admin assigns a fresh Form I-9 task and uses Replace to file the corrected form—Eddy keeps the original in the Form I-9 history, so both versions stay on record, dated.
Total findings: logged. Corrections: made through tracked tasks. Audit summary: saved. The whole thing is defensible because every step left a record.
Common I-9 errors to watch for
- Form not completed at all
- Employee signature or date missing
- Section 2 not completed within 3 business days
- List A document recorded alongside List B/C
- Employer attestation unsigned
- Status box unchecked or multiple boxes checked
- Outdated form version used
- Work authorization expired without Supplement B
- Address, name, or document number transcribed wrong
A word on what not to do during an audit
It's worth repeating, because it's the part that turns a helpful audit into a liability:
- Don't audit selectively based on national origin, citizenship, accent, or name.
- Don't ask for specific documents or demand "better" ones—the employee always chooses.
- Don't reverify identity documents, U.S. passports, or permanent resident cards.
- Don't backdate corrections or new forms.
- Don't erase or conceal original entries—line through, initial, and date instead.
- Don't terminate someone over a paperwork error you could have corrected, without first understanding your obligations.
Be consistent, be transparent, and let the documents—and the people—speak for themselves.
Frequently asked questions
How often should we run an internal I-9 audit? There's no legal mandate, but an annual internal review is a common and reasonable cadence. Many employers also audit after a leadership change, an acquisition, or a switch in HR systems—any moment when records are likely to have gaps.
How long do you have to keep I-9 forms? You must retain each Form I-9 for the later of these two periods: 3 years from the date of hire, or 1 year from the date employment ends. For a current employee, that means keeping the form for their entire tenure plus the applicable window after they leave. Only once a form is past that date is it eligible for disposal.
Do we audit terminated employees too? Yes, if they're still inside the retention window (the later of 3 years from hire or 1 year from termination). Once a form is genuinely past retention, it's eligible for disposal.
We found a missing signature from years ago. Are we already in trouble? Not necessarily. The constructive move is to correct it now, properly and without backdating, and to log the correction. A documented good-faith fix is exactly what an audit is for—and it's viewed far more favorably than an uncorrected error discovered by an investigator.
Should the same person who completed the forms be the one auditing them? A second set of eyes is better when you can manage it—people tend not to catch their own mistakes. If that's not possible, a structured checklist (like the one above) helps keep a single reviewer honest and consistent.
Can we just re-do everyone's I-9 to be safe? No. Blanket re-verification can itself be a discrimination problem, and it's unnecessary. Correct what's actually wrong; leave correct forms alone.
What's the difference between the PAPER and DIGITAL tags in Eddy? DIGITAL forms were completed through Eddy's guided e-sign flow and carry the full audit trail—actor, timestamp, IP, authentication method, form version, and document expirations. PAPER forms were uploaded as documents; they're stored and counted, but they don't carry that field-level detail. MISSING means no form on file at all.
If we replace an I-9 in Eddy, do we lose the old one? No. Replacing a form files the new version while preserving the prior one in the Form I-9 history, where every version is viewable and downloadable with its date. For audit purposes that's ideal: you keep an unbroken record of what the form said before and after a correction.
Make your next audit boring
The goal of all of this is a future audit that turns up nothing—because the gaps got caught early and the corrections got logged. The hard part has always been visibility: knowing who's missing a form and being able to prove who did what, when.
That's the part Eddy is built to take off your plate. The Form I-9 status report tells you instantly where the gaps are, the audit trail gives you a defensible record for every digital form, and new hires flow through a guided, e-signed process so the next audit starts from a much cleaner baseline.
How to Conduct an I-9 Audit: A Step-by-Step Guide for HR
By Eddy Team — June 24, 2026
What is an I-9 audit?
Every employer in the U.S. has to complete a Form I-9 for every person they hire to verify identity and work authorization. Simple in theory—but I-9 files have a way of quietly accumulating problems: a missing signature here, an expired form version there, a new hire whose form never got finished at all.
An I-9 audit is how you find those problems before someone else does. "Someone else" could be Immigration and Customs Enforcement (ICE), the Department of Justice, or a Department of Labor investigator—any of whom can show up with a Notice of Inspection and give you just three business days to produce your forms.
This guide walks through how to run an internal I-9 audit start to finish. It's written to apply to any employer, however you store your forms. Where it helps, we've flagged how Eddy makes specific steps faster—but the process itself is the same whether you're working from a filing cabinet or a dashboard.
The snapshot
- What it is: A systematic review of your Form I-9 records to confirm each one exists, is complete, is accurate, and is being retained correctly.
- Why it matters: Civil penalties for I-9 paperwork violations run into the hundreds to thousands of dollars per form, and "we didn't know" isn't a defense.
- The big risk people miss: A sloppy audit can create discrimination liability of its own. How you correct and re-verify matters as much as what you find.
- The four phases: Inventory → Review each form → Correct what's fixable → Document the whole thing.
- Where Eddy helps most: Instantly seeing who's missing a form, and producing a timestamped, actor-level audit trail for every digital I-9.
Why run an internal I-9 audit?
Because the cost of waiting until someone is knocking is steep. A Notice of Inspection typically gives you only three business days to hand over your I-9s. That is not enough time to fix years of accumulated errors—but it is plenty of time for an investigator to count them.
A few realities worth keeping in mind:
- Paperwork violations are penalized on their own. You don't have to have knowingly hired an unauthorized worker to be fined. A missing date or unsigned section is a substantive violation in its own right, and civil penalty amounts are adjusted annually.
- Errors compound quietly. A form that was filled out wrong in 2019 stays wrong until someone looks. Multiply one recurring mistake across a few hundred hires and the exposure adds up fast.
- Good-faith correction counts. Investigators and courts generally look more favorably on employers who can show a real, documented internal audit process—even when that process surfaced mistakes.
The point of a self-audit isn't to achieve a perfect file. It's to find what's fixable, fix it correctly, and be able to show your work.
Before you start: internal audit ≠ government audit
One framing matters before you open a single form. You are conducting a voluntary internal review. You are not ICE, and you should not run your audit like an enforcement action against your own employees.
That distinction drives two rules that run through this entire guide:
- You cannot single people out. Don't audit only certain employees based on national origin, citizenship status, accent, or how "foreign" a name sounds. Either audit everyone, or audit a genuinely neutral subset (for example, everyone hired in a specific date range, or one location).
- You cannot demand specific documents or re-verify without cause. The employee always chooses which acceptable documents to present. An audit is not a license to ask for "papers" again.
We'll come back to both of these. For now, just know that the way you conduct the audit is itself something a regulator can scrutinize.
⚠️ This guide is educational, not legal advice. I-9 rules are federal, they change, and the right answer to a specific correction can depend on the facts. For anything ambiguous—or for a large-scale cleanup—loop in qualified immigration counsel.
Step 1: Build your master list of who should have an I-9
You can't tell what's missing until you know who you're checking. Start by pulling a complete roster of everyone who needs a Form I-9 on file:
- All current employees hired after November 6, 1986.
- Recently terminated employees still inside their retention window (more on retention in Step 6).
Then compare that roster against the I-9s you actually have. Every name without a matching form is your first finding.
This reconciliation is the single most tedious part of a manual audit—cross-referencing a headcount report against a stack of paper or a shared drive, name by name.
💡 In Eddy: This is the step that collapses from hours to seconds. The Form I-9 status report (Reports → Form I-9 status) lists every employee with a single status tag:
You can filter by employment status (e.g., Active only) and Download CSV to start your audit worksheet immediately. The "MISSING" rows are your gap list, already built.
- MISSING — no I-9 on file. These are your priority findings.
- PAPER — a paper form uploaded to the employee's profile.
- DIGITAL — a form completed through Eddy's guided e-sign flow.
Step 2: Review each form, section by section
For every I-9 you do have, check it against what the form actually requires—the authoritative reference is USCIS's M-274, Handbook for Employers. Work through it in the order the form is built.
Section 1 (the employee's part):
- Completed no later than the employee's first day of work for pay.
- Name, address, date of birth, and attestation of status all filled in.
- Exactly one status box checked (a citizen, a noncitizen national, a lawful permanent resident, or an authorized alien).
- For lawful permanent residents and authorized aliens, the required identifying numbers and—where applicable—a work-authorization expiration date.
- Signed and dated by the employee. An unsigned Section 1 is one of the most common substantive errors there is.
- If a preparer or translator helped, the corresponding supplement is completed.
Section 2 (the employer's part):
- Completed within three business days of the employee's start date.
- Documents recorded from the correct lists: one document from List A, or one from List B and one from List C. Never List A plus List B/C.
- Document titles, issuing authorities, numbers, and expiration dates transcribed accurately.
- The employer's attestation signed and dated, with the reviewer's name, title, and business address.
- The "first day of employment" date entered.
Form version: Confirm each form is the correct edition. Using an outdated I-9 version is itself a finding, and it's an easy one to miss when you're focused on the fields.
💡 In Eddy: Two things make this review far less manual:
First, the completed I-9 lives in a dedicated Form I-9 section on each employee's profile (under Documents), so you're never hunting for the actual form. If a form has ever been replaced, a Form I-9 history keeps every version submitted—each one viewable and downloadable with its date—so the full lineage of a corrected form is preserved, not overwritten.
Second, the Form I-9 audit trail report turns the "did this get done correctly" question into a record you can read. For every digital form it captures, action by action: who completed and signed each section, the exact date and time, the actor's email, IP address, and authentication method (e.g., Password + MFA)—plus the document version used and the List A/B/C document titles and expiration dates. So "was the right form edition used?" and "who attested to Section 2, and when?" are answered in the report rather than reconstructed from memory.
One honest caveat: uploaded paper forms show up in the trail as an "Uploaded" event, but the field-level detail (IP, expiration dates, version) only exists for forms completed digitally in Eddy. That gap is itself a good argument for moving future hires onto the digital flow.
Step 3: Categorize what you find
Not every error is equal, and not every error is fixed the same way. As you go, sort findings into buckets:
- Missing forms — no I-9 at all. Highest priority.
- Substantive errors — missing signatures, missing dates, no documents recorded, wrong document combinations, unchecked status box. These carry real penalty exposure.
- Technical/procedural errors — things like a missing employee maiden name or a transposed address. Often correctable, and sometimes excused if fixed in good faith.
- Reverification gaps — work authorization that has expired without a timely reverification (see Step 5).
Keep a simple log: employee, form, error found, how you resolved it, and the date. That log is your audit documentation, and it's what demonstrates good faith later.
Step 4: Make corrections the right way
This is where well-intentioned audits go wrong. Resist the urge to "clean up" a form by erasing, whiting out, or backdating anything. The correction method depends on who made the error and how serious it is.
For minor errors on an existing form: Draw a single line through the incorrect information, enter the correct information, then initial and date the change. Never obscure the original entry—the whole point is a transparent record of what changed and when. The employee corrects their own Section 1 errors; the employer corrects Section 2.
For a missing or badly incomplete form: Complete a new Form I-9 using the current version. Do not backdate it. Attach it to any prior incomplete form and a brief written note explaining the correction. The honest gap between the start date and the correction date is far less risky than a forged-looking backdate.
A note on missing documents: If Section 2 was never completed, you may have the employee present acceptable documentation now—but remember the employee still chooses which documents to provide. You cannot demand a specific one.
💡 In Eddy: Corrections are handled by assigning a new Form I-9 task to the employee (and a Section 2 review task to the chosen reviewer).
The new form runs through the same guided, e-signed flow—so the correction lands in the audit trail with its own timestamps and actor records, rather than as an untracked edit. When the new form is filed via Replace, Eddy doesn't discard the old one: it keeps a Form I-9 history of every version submitted, each viewable and downloadable. That's exactly the "show your work" paper trail an auditor wants—the original error and its correction sit side by side, both dated.
Step 5: Handle reverification and rehires
Some employees presented work authorization that expires. When it does, you generally must reverify before it lapses—using Supplement B (Reverification and Rehire), not a brand-new Section 2. Reverification applies to expiring work authorization, not to expiring identity documents like a driver's license, and never to U.S. passports or permanent resident cards.
During the audit, flag anyone whose recorded work authorization has expired or is about to, and confirm a timely Supplement B exists.
And the discrimination rule applies here too: you reverify based on the document's expiration date, full stop—not based on someone's national origin or your assumptions about their status.
💡 In Eddy: Because the audit trail captures List A/B/C document titles and their expiration dates, you can spot expiring authorization rather than discovering it after the fact.
When reverification is needed—or when you're rehiring or recording a legal name change—an admin can complete a Supplement B directly in Eddy, keeping the reverification attached to the same employee record.
Step 6: Confirm retention—and don't purge early
You have to keep each I-9 for the later of:
- 3 years from the date of hire, or
- 1 year from the date employment ends.
For current employees, that means you keep the form the entire time they work for you, plus the applicable window after. The audit is a good moment to confirm you haven't destroyed anything too early—and to identify forms that are genuinely past their retention date and eligible for disposal.
💡 In Eddy: Completed I-9s are retained in the employee's profile indefinitely, so you won't accidentally lose a form you were still required to keep. Eddy doesn't currently auto-calculate each form's retention or purge date, so the "is this one eligible for disposal yet?" math is still a judgment call for the auditor—but everything you need (hire date, termination status, the form itself) is in one place to make that call.
Step 7: Document the audit and close the loop
Finish by writing down what you did: the scope (who was reviewed and why that scope is neutral), the date range, what you found, and what you corrected. Store that summary alongside your I-9s.
This record is the difference between "we think our files are fine" and "here is our documented, good-faith audit, completed on [date], with these corrections logged." The second one is what you want to be able to hand over.
A quick worked example
Rectangle Group runs a self-audit across its active workforce.
The HR admin opens the Form I-9 status report, filters to Active employees, and downloads the CSV. Out of the roster, a handful come back MISSING—including a few recent hires whose forms slipped through. Those become the priority list, and the admin assigns each a new Form I-9 onboarding task; the employee completes and e-signs Section 1, and the designated reviewer gets a task to complete and e-sign Section 2.
For the DIGITAL forms already on file, the admin pulls the audit trail report and scans it: every form used the current edition, each Section 2 shows the reviewer who attested and when, and the document expiration columns surface one employee whose work authorization is approaching expiry. That person gets a timely Supplement B reverification.
The two PAPER uploads get a manual eyeball—signatures, dates, document lists—since the field-level detail isn't captured for uploads. One has an unsigned Section 2; rather than backdate it, the admin assigns a fresh Form I-9 task and uses Replace to file the corrected form—Eddy keeps the original in the Form I-9 history, so both versions stay on record, dated.
Total findings: logged. Corrections: made through tracked tasks. Audit summary: saved. The whole thing is defensible because every step left a record.
Common I-9 errors to watch for
- Form not completed at all
- Employee signature or date missing
- Section 2 not completed within 3 business days
- List A document recorded alongside List B/C
- Employer attestation unsigned
- Status box unchecked or multiple boxes checked
- Outdated form version used
- Work authorization expired without Supplement B
- Address, name, or document number transcribed wrong
A word on what not to do during an audit
It's worth repeating, because it's the part that turns a helpful audit into a liability:
- Don't audit selectively based on national origin, citizenship, accent, or name.
- Don't ask for specific documents or demand "better" ones—the employee always chooses.
- Don't reverify identity documents, U.S. passports, or permanent resident cards.
- Don't backdate corrections or new forms.
- Don't erase or conceal original entries—line through, initial, and date instead.
- Don't terminate someone over a paperwork error you could have corrected, without first understanding your obligations.
Be consistent, be transparent, and let the documents—and the people—speak for themselves.
Frequently asked questions
How often should we run an internal I-9 audit? There's no legal mandate, but an annual internal review is a common and reasonable cadence. Many employers also audit after a leadership change, an acquisition, or a switch in HR systems—any moment when records are likely to have gaps.
How long do you have to keep I-9 forms? You must retain each Form I-9 for the later of these two periods: 3 years from the date of hire, or 1 year from the date employment ends. For a current employee, that means keeping the form for their entire tenure plus the applicable window after they leave. Only once a form is past that date is it eligible for disposal.
Do we audit terminated employees too? Yes, if they're still inside the retention window (the later of 3 years from hire or 1 year from termination). Once a form is genuinely past retention, it's eligible for disposal.
We found a missing signature from years ago. Are we already in trouble? Not necessarily. The constructive move is to correct it now, properly and without backdating, and to log the correction. A documented good-faith fix is exactly what an audit is for—and it's viewed far more favorably than an uncorrected error discovered by an investigator.
Should the same person who completed the forms be the one auditing them? A second set of eyes is better when you can manage it—people tend not to catch their own mistakes. If that's not possible, a structured checklist (like the one above) helps keep a single reviewer honest and consistent.
Can we just re-do everyone's I-9 to be safe? No. Blanket re-verification can itself be a discrimination problem, and it's unnecessary. Correct what's actually wrong; leave correct forms alone.
What's the difference between the PAPER and DIGITAL tags in Eddy? DIGITAL forms were completed through Eddy's guided e-sign flow and carry the full audit trail—actor, timestamp, IP, authentication method, form version, and document expirations. PAPER forms were uploaded as documents; they're stored and counted, but they don't carry that field-level detail. MISSING means no form on file at all.
If we replace an I-9 in Eddy, do we lose the old one? No. Replacing a form files the new version while preserving the prior one in the Form I-9 history, where every version is viewable and downloadable with its date. For audit purposes that's ideal: you keep an unbroken record of what the form said before and after a correction.
Make your next audit boring
The goal of all of this is a future audit that turns up nothing—because the gaps got caught early and the corrections got logged. The hard part has always been visibility: knowing who's missing a form and being able to prove who did what, when.
That's the part Eddy is built to take off your plate. The Form I-9 status report tells you instantly where the gaps are, the audit trail gives you a defensible record for every digital form, and new hires flow through a guided, e-signed process so the next audit starts from a much cleaner baseline.
Eddy's HR Newsletter
Sign up for our email newsletter for helpful HR advice and ideas.
