thinkQSi

Operational Blind Spot #1: Onboarding and I-9s

Jan 16, 2026

This article is the first in a series on operational audits as a strategic tool for risk reduction and enterprise value.

The Hidden I‑9 Risk in Your Onboarding Process

Most employers think their onboarding process is “good enough” until an I‑9 audit proves otherwise. Recent reviews show that roughly three out of four paper I‑9s contain at least one error, and national examples illustrate that a 65–75% error rate can drive potential penalties into the hundreds of thousands or even millions of dollars for larger employers. With 2025 penalty ranges now $288–$2,861 per I‑9 paperwork violation, even a modest number of mistakes can easily translate into five‑figure exposure for small and midsize businesses.​

This is not just a technical HR issue. It is a governance, risk, and operational discipline problem.

Compliance blue theme

Who Owns This Risk? (Hint: Not Just HR)

One of the most dangerous misconceptions in this area is that “HR owns the I‑9 problem.” HR may administer the process, but the risk sits squarely with ownership and executive leadership.

  • Regulators and enforcement agencies do not fine the HR department; they fine the employer entity and, in serious cases, may pursue additional sanctions for repeated or willful violations.​
  • Boards, investors, and buyers increasingly treat immigration and I‑9 compliance as part of overall enterprise risk and leadership accountability, not a back‑office detail.​

When executives treat I‑9 compliance as “HR paperwork,” it sends a clear cultural signal: precision and controls are optional. When they treat it as a governance issue, behavior changes.

What I‑9 Sloppiness Reveals About Your Operations

I‑9 errors rarely exist in isolation. In operational audits, a messy I‑9 environment almost always correlates with broader issues:

  • Undocumented or outdated processes
    If there is no written onboarding procedure or checklist, there are usually other critical processes (payroll changes, terminations, vendor onboarding) that also rely on tribal knowledge.

  • Informal handoffs and weak second‑line review
    When managers “just send paperwork to HR,” there are often no defined checkpoints, no second‑level review, and no clear ownership for quality control in other workflows.

  • A “we’ll fix it later” culture
    If signatures, dates, or documents are routinely “cleaned up later” on I‑9s, the same mindset often appears in contract management, approvals, and financial controls.

In other words: if your I‑9 process is sloppy, it is unlikely that this is the only place. It is an indicator light for systemic operational risk.

Why So Many Executives Are Overconfident

Many owners and CEOs are quietly relying on assumptions that do not hold up under scrutiny.

  • “We’ve never been audited.”
    Enforcement focus is increasing, with I‑9 audits projected in the thousands annually and penalties adjusted upward for inflation. A clean past is not a predictor of a safe future.​

  • “We use E‑Verify.”
    E‑Verify only checks work authorization status against government databases; it does not fix incomplete I‑9s, missing signatures, late completion, or retention failures.​

  • “Our payroll or HRIS vendor handles this.”
    Vendors may provide tools and templates, but they do not own your process or your legal exposure. If your staff uses a compliant system in a non‑compliant way, the liability still sits with you.​

  • “We’ve always done it this way and it’s been fine.”
    Enforcement intensity, fine levels, and expectations for documentation have all changed. Practices that went unnoticed in 2015 may be unacceptable in 2026.​

False confidence is itself a risk factor. It delays investment in controls until the only “audit” that matters is an ICE inspection.

How ICE Turns a Few Bad Forms Into Big Fines

ICE does not just fine the handful of forms that look obviously wrong. It uses a structured, percentage‑based approach that can turn what looks like a minor problem into a material liability.

  • Step 1: Calculate the error rate
    ICE compares the number of defective I‑9s to the total number reviewed to determine a violation percentage. For example, 17 defective forms out of 100 is a 17% error rate.​

  • Step 2: Map to the fine matrix
    That percentage is then mapped to a fine matrix where higher error rates result in higher base fines per violation. For 2025, paperwork violations range from $288 to $2,861 per form, with higher tiers triggered by higher percentages and repeat or serious issues.​

  • Step 3: Multiply and adjust
    ICE multiplies the base amount by the number of violations and then adjusts the total up or down (often by as much as 25%) based on factors such as business size, good‑faith efforts, seriousness, prior history, and whether unauthorized workers are involved.​

This is how a seemingly small number of defective files, say, 16 or 17 folders with missing signatures or incomplete sections can create exposure in the $10,000–$20,000+ range for a smaller employer, and much more for larger organizations.​

And ICE is not the only agency that can scrutinize your files - agencies such as the U.S. Department of Labor, the Department of Justice’s Civil Rights Division, and other federal or state regulators can also review HR records and impose consequences for non‑compliance.

Transaction Readiness: The Overlooked I‑9 Landmine

I‑9 hygiene matters long before an enforcement agency shows up. It also matters when:

  • You are being acquired or seeking investment

    Immigration and I‑9 compliance are now routine parts of due diligence in mergers, acquisitions, and private equity deals. Buyers often review a sample of I‑9s, assess processes, and quantify potential exposure.​

  • You are acquiring another company

    As a buyer, inherited I‑9 problems can translate into inherited liabilities, workforce disruptions, or required remediation work before or after closing.​

  • You are scaling rapidly

    Rapid hiring multiplies whatever process you already have—good or bad. A weak I‑9 process at 20 employees becomes a serious liability at 200.

In short, I‑9 discipline is part of transaction readiness. Weakness here can delay deals, reduce valuations, or force costly clean‑up under tight timelines.

Business performance checklist, Businessman using laptop online survey filling out check digital form task, business performance monitoring and evaluation. online survey question form. online exam.

A Practical Control System for Onboarding (Built for SMB Reality)

The goal is not perfection; it is a defensible system that materially reduces errors and demonstrates good faith. For small and midsize businesses, a practical structure looks like this.

1. Compliance‑driven onboarding checklist

Every new hire should trigger a standardized checklist that captures:

  • Federal requirements: Form I‑9, W‑4, and other mandated federal notices and acknowledgments.​ To download the latest version visit https://www.uscis.gov/i-9
  • State and county requirements: State‑specific notices, wage statements, tax forms, and local documentation where applicable.​
  • Internal requirements: Handbook acknowledgment, confidentiality/IP agreements, policy sign‑offs, and system access requests.

This checklist should live both in your HR database and, for paper‑based companies, as a physical cover sheet in each personnel file. It becomes your first line of evidence that you have a structured process.

2. Dual review and executive sign‑off

A single review is where most organizations fail. A two‑step review materially improves quality and defensibility:

  • First‑level review (pre‑filing)

    The HR associate or onboarding coordinator completes the I‑9 within the required timelines, verifies documents, and checks the onboarding checklist. They ensure every field is completed, every required signature and date is present, and any document copies are handled consistently with policy.

  • Second‑level review (before filing)

A more senior leader performs a second check:

  • HR manager in larger organizations.
  • Senior manager, controller, or office manager in smaller companies.
  • Founder or owner in very small firms.

This reviewer initials and dates the checklist or audit log to confirm that all onboarding paperwork including the I‑9 was complete before filing. That signature is a control, not a formality. It creates an audit trail that regulators, buyers, and auditors can follow.

3. Documentation discipline as a cultural norm

To sustain this:

  • Apply the same documentation rules to every employee, every time.
  • Train anyone who might touch the I‑9 process, including backups and managers who may step in during absences.
  • Make it clear that “fix it later” is not acceptable for legally sensitive documents.

When onboarding is treated like a core control process similar to banking, payroll, or revenue recognition error rates fall and risk becomes manageable.

US Department of Homeland Security

Why Periodic Operational Audits Are Not Optional

Even a well‑designed process will drift. People change roles, shortcuts appear, and exceptions accumulate. Operational audits exist to measure and correct that entropy before regulators or buyers do it for you.

  • Informal spot checks create false reassurance
    Pulling a couple of random files once in a while often reassures leadership without exposing the real pattern. Given that national error rates hover around 65–75%, a small convenience sample is more likely to hide risk than reveal it.​

  • Structured audits provide real visibility
    A proper operational audit defines scope, selects a meaningful sample, documents findings, and ties them back to process design. It does not exist to assign blame; it exists to give leadership visibility while there is still time to remediate.​

  • External audits reduce blind spots
    Independent reviewers bring current regulatory knowledge, objectivity, and distance from internal habits. They can benchmark your error rate, quantify likely exposure using the current fine matrix, and prioritize remediation actions.​

This is not about perfection; it is about being able to show regulators, investors, and buyers that you know your own risk profile and are actively reducing it.

Where ThinkQSI Fits: From First Look to Full Fix

ThinkQSI performs operational audits across the entire company, not just HR and uses I‑9 compliance as one of several lenses into how work really gets done. This article is a guideline; the real value comes from turning insight into action.

For most clients, the path looks like this:

    1. Initial focused audit

      Start with a targeted review of I‑9s and the onboarding process to quantify error rates, identify patterns, and size the risk. This can often be done on a representative sample without disrupting day‑to‑day operations.

    2. Clear next‑step roadmap

      Translate findings into specific next steps: policy updates, checklist design, role clarity, training, and, where appropriate, technology or filing changes. The goal is a prioritized, realistic plan—not a 100‑page report that sits on a shelf.

    3. Broader operational audit (when appropriate)

      Because I‑9 sloppiness often signals wider process issues, many organizations then expand the scope to look at adjacent areas: hiring, terminations, approvals, cross‑department handoffs, and data integrity. That is where the real operational risk and value usually sits.​

Executives are not expected to solve this alone, and many internal teams simply do not have the time or specialized knowledge to design and test a robust control system on their own. There is no shame in that. It is precisely why firms like ThinkQSI exist.

The Executive Question

At the end of the day, this is not a form problem. It is a leadership problem with operational consequences.

You have three practical options:

    1. Ignore it and hope enforcement or due diligence never looks too closely.
    2. Ask already‑stretched internal staff to “look at a few files” and assume that’s enough.
    3. Commission a structured, time‑boxed audit that tells you, with evidence, where you truly stand and what to do next.

If your next board meeting, lender, buyer, or an ICE inspector asked to see your I‑9s and onboarding process, would you be confident or hoping?

If you are not sure, your first action item is simple: run an initial audit. If you have the internal capacity and expertise, do it. If you do not, contact ThinkQSI. The firm has spent many years inside hundreds of companies, building and auditing onboarding and operational processes. The work is about protecting your business and strengthening how it runs before someone else forces the issue.

---
Insights from Anwer Qureishi, Thought Leader & Entrepreneur
Ready to accelerate growth? Schedule a Consultation with Anwer Qureishi, Founder, Q&S International (ThinkQSi).