SOC2-CC1-BACKGROUND-CHECKS

Employee Background Check Process

Type: preventive
Effectiveness: medium
Frequency: per hire

What this control does

Pre-employment background screening for all employees and contractors with access to customer data or production systems.

Implementation guidance

Run criminal background checks through a third-party provider (e.g., Checkr) for all hires, with the candidate's written disclosure and consent, and do not grant system access until the vendor has returned a final "clear" (or equivalent adjudicated) result. Maintain a log of checks completed, including the identity the check is tied to and the completion date, so it can be reconciled against access records later. For contractors, require their employer to certify equivalent screening in writing.

Requirements satisfied

CC1.4

Why it matters

Background checks reduce the risk of hiring individuals with relevant criminal histories who could compromise customer data, intellectual property, or system integrity. A missing or incomplete screening process leaves a people risk that technical controls only partially compensate for: least privilege and monitoring limit what an insider can do, but they do not address who was given access in the first place. The result can be data breaches, fraud, or regulatory violations, and an auditor will treat the gap as a control deficiency regardless of the surrounding technical posture.

Evidence to collect

  • Background check vendor contract and service agreement (e.g., Checkr, Sterling, First Advantage) showing scope and criminal history coverage
  • Completed background check reports for a sample of 5–10 recent hires with hire dates and access grant dates
  • Signed acknowledgment forms from employees confirming receipt of background check disclosure and consent
  • Contractor employer certification letters or equivalent screening evidence for a sample of 3–5 active contractor accounts with system access

Testing procedure

Request the list of completed checks from the background check vendor and reconcile it against active employee and contractor records with system access. Verify that background checks were completed *before* access was provisioned by comparing the vendor's completion (adjudication) timestamp, not the initiation date, to access grant timestamps in your identity management system; normalize both to UTC before comparing. For a sample of 10 hires, validate that signed consent forms and actual check reports exist in the personnel file. Confirm contractor screening by obtaining employer certifications or equivalent third-party reports. Identify any system users who lack documented evidence of background screening, or whose check status is anything other than "clear", and trace why (e.g., legacy accounts predating the policy, service accounts mapped to a person, oversight).

Common gotchas

Organizations often perform background checks only at hire and forget to re-check contractors during renewal periods; establish a contractor re-screening cadence (typically annual). Another common miss: recording the check as initiated and granting access without waiting for the result. Automate the access provisioning trigger so it fires only after the background check vendor marks the check as "clear" or an equivalent approved status, and make sure the trigger keys on the final adjudication rather than on the report being opened. A third: accounts created before the policy existed (legacy employees, long-running service accounts tied to a person) that never had a check on file; the reconciliation in the testing procedure is what surfaces these.
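The reconciliation described in the testing procedure, and the "wait for clear before provisioning" gate from the gotchas above, as an added example. This is not code from the page or from any vendor; the vendor statuses, record fields and the sample vendor export and IAM grant log are constructed assumptions and will need mapping to your real exports.

```python
"""Reconcile vendor background-check results against IAM access grants.

Added example for the CC1.4 testing procedure: flag accounts with
production access that have no check on file, a check that is not
'clear', or access granted before the check cleared. The status
vocabulary, record layout and sample data are constructed assumptions,
not any vendor's real format.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

UTC = timezone.utc
EPOCH = datetime(1970, 1, 1, tzinfo=UTC)

# Assumed normalized vendor adjudication statuses that count as approval.
CLEAR_STATUSES = {"clear"}


@dataclass(frozen=True)
class CheckRecord:
    subject: str                      # identity the check is tied to (work email)
    status: str                       # vendor adjudication status, lower-cased
    completed_at: Optional[datetime]  # when the vendor finalized the report


@dataclass(frozen=True)
class AccessGrant:
    subject: str
    system: str
    granted_at: datetime              # timestamp from the IdP / IAM audit log


def check_is_clear(check: Optional[CheckRecord]) -> bool:
    """A check counts only if it is finalized and adjudicated as clear."""
    return (check is not None
            and check.status in CLEAR_STATUSES
            and check.completed_at is not None)


def provisioning_allowed(check: Optional[CheckRecord], now: datetime) -> bool:
    """Gate for the provisioning trigger: fire only on a finalized 'clear'
    whose completion time is not in the future relative to `now`."""
    return check_is_clear(check) and check.completed_at <= now


def latest_check(checks: List[CheckRecord], subject: str) -> Optional[CheckRecord]:
    """Most recent finalized check for a subject; pending checks (no
    completion time) sort below any finalized one."""
    mine = [c for c in checks if c.subject == subject]
    if not mine:
        return None
    return max(mine, key=lambda c: (c.completed_at is not None, c.completed_at or EPOCH))


def reconcile(checks: List[CheckRecord],
              grants: List[AccessGrant]) -> List[Tuple[str, str, str]]:
    """One finding per access grant that fails the control."""
    findings = []
    for g in grants:
        c = latest_check(checks, g.subject)
        if c is None:
            findings.append((g.subject, g.system, "NO_CHECK_ON_FILE"))
        elif not check_is_clear(c):
            findings.append((g.subject, g.system, f"CHECK_STATUS_{c.status.upper()}"))
        elif not provisioning_allowed(c, g.granted_at):
            # Check cleared, but only after access had already been granted.
            findings.append((g.subject, g.system, "ACCESS_BEFORE_CHECK_CLEARED"))
    return findings


# Constructed sample vendor export (not real data).
SAMPLE_CHECKS = [
    CheckRecord("alice@example.com", "clear", datetime(2024, 3, 4, 15, 0, tzinfo=UTC)),
    CheckRecord("bob@example.com", "clear", datetime(2024, 3, 12, 9, 30, tzinfo=UTC)),
    CheckRecord("carol@example.com", "consider", datetime(2024, 3, 6, 11, 0, tzinfo=UTC)),
    CheckRecord("dave@example.com", "pending", None),
]

# Constructed sample IAM grant log (not real data).
SAMPLE_GRANTS = [
    AccessGrant("alice@example.com", "prod-aws", datetime(2024, 3, 5, 8, 0, tzinfo=UTC)),
    AccessGrant("bob@example.com", "prod-aws", datetime(2024, 3, 11, 8, 0, tzinfo=UTC)),
    AccessGrant("carol@example.com", "prod-db", datetime(2024, 3, 7, 8, 0, tzinfo=UTC)),
    AccessGrant("dave@example.com", "prod-aws", datetime(2024, 3, 8, 8, 0, tzinfo=UTC)),
    AccessGrant("legacy-svc@example.com", "prod-db", datetime(2019, 1, 1, tzinfo=UTC)),
]


if __name__ == "__main__":
    for subject, system, reason in reconcile(SAMPLE_CHECKS, SAMPLE_GRANTS):
        print(f"{reason:28} {subject:24} {system}")
```

On the sample data alice passes; bob is flagged because access on 11 March preceded the 12 March clearance; carol and dave are flagged for a non-clear status; the legacy service account has no check at all. Feed `reconcile` the full vendor export and the full grant log rather than a sample if you want it to double as a continuous control, and keep every timestamp timezone-aware so a vendor export in local time cannot mask a one-day gap.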