
Ongoing Compliance for Small Firms: What Happens After the Onboarding Is Done
Marcus runs a 22-person accounting firm in Columbus. His onboarding process is solid: offer letter, W-4, I-9, handbook acknowledgment, all collected through a structured workflow before each hire's first day. New employees don't start until the packet is complete. He's been proud of that discipline.
What happened in February was different.
His data security compliance consultant asked for documentation of annual security awareness training completions across the firm. Marcus went to his folder system. He found the original onboarding training acknowledgments — all present, all signed. He found nothing for the annual renewal. He pulled his calendar. He found a recurring reminder he'd set in December 2024 that he'd marked complete without sending the renewal. Fourteen employees had never received a renewal.
The original training was current as of their hire dates. Some of those hire dates were two years ago.
For a firm handling client tax data under state data privacy requirements, a two-year gap in documented security training is not a minor administrative oversight. It's a documented failure of the firm's own stated security practices.
Ongoing compliance is not a continuation of onboarding. It's a separate operational problem with its own requirements, deadlines, and failure modes. Most small firms have a reasonable answer to the onboarding problem. Very few have a systematic answer to the ongoing compliance problem. The gap between the two is where the Marcus situation happens.
What does "ongoing compliance" actually cover for small firms?
Ongoing compliance is the set of recurring requirements that must be met continuously throughout an employee's or contractor's tenure — not just during onboarding. The specific requirements vary by industry, firm size, and state, but common categories include:
Annual training and acknowledgment renewals. Anti-harassment training (required annually in California, New York, Illinois, and others), security awareness training, data privacy training, and handbook acknowledgments when policies change.
I-9 reverification. When a work authorization document has an expiration date, Section 3 of the Form I-9 must be completed before that date expires. Firms that don't track work authorization expiration dates face compliance exposure that compounds with each missed reverification.
Industry-specific renewals. CPE credits for licensed accountants, HIPAA training for healthcare staff, continuing legal education for law firm employees, NMLS renewal requirements for lending staff. Each has its own deadline and documentation requirement.
Policy change acknowledgments. When a significant policy changes — AI use policy, remote work policy, expense policy — firms in regulated industries often need documented acknowledgment from employees before the new policy applies.
Why does the spreadsheet approach break down?
The spreadsheet approach breaks down because it relies on a human being to convert a static list of requirements into a series of timed actions across a changing workforce over an indefinite period. That's a high-failure task.
Specifically, it fails in four predictable ways:
The due-date problem. A spreadsheet can hold a "training due date" column. It cannot alert you when that date is 30 days away. Someone has to look at the spreadsheet, notice the date is coming, and take action. In a small firm where that someone is also handling client work, tax season, and hiring, "look at the compliance spreadsheet" loses to everything else.
The roster problem. When an employee terminates, their compliance requirements terminate with them. When a new employee joins, their compliance clock starts. A spreadsheet that isn't actively maintained falls out of sync with actual headcount within months.
The evidence problem. A spreadsheet can record "completed" next to a name. It cannot produce the signed acknowledgment, the training completion record, and the timestamp that an auditor asks for. Those live in a different place — email threads, shared folders, a separate LMS — and assembling them under audit pressure is exactly the reconstruction exercise that creates risk.
The continuity problem. The person who built and maintains the spreadsheet usually holds the institutional knowledge of what goes in it and why. When they leave, compliance tracking often degrades, because whoever inherits the spreadsheet doesn't fully understand it.
Here's how spreadsheet-based compliance tracking compares to an integrated system:
| Compliance task | Spreadsheet | OnboardingGenie |
|---|---|---|
| Surface requirements due in next 30 days | Manual review of date column | Automatic 30-day horizon dashboard |
| Send renewal packet to everyone due | Manual email per employee | One-click targeted send by tag or date range |
| Track completion after sending | Manual follow-up and update | Auto-updated on recipient completion |
| Export audit documentation | Assemble from emails and folders | Per-employee compliance package, exportable on demand |
| Handle workforce changes (new hires, terminations) | Manual spreadsheet update | System-of-record updates with each new onboarding or status change |
| Track expiring I-9 work authorization dates | Manual column + manual reminder | Flagged in compliance dashboard with renewal deadline |
How does ongoing compliance work inside OnboardingGenie?
OnboardingGenie manages ongoing compliance through a compliance module that sits alongside the onboarding workflow — not separate from it.
You define a recurring compliance requirement: a name, a frequency (annual, biannual, or custom), and the packet that fulfills it. The system tracks when each employee or contractor last completed that requirement based on their actual completion record — not a manually entered date. When the next fulfillment window approaches, the requirement surfaces in the compliance dashboard.
The dashboard organizes upcoming requirements into three horizon buckets: 30 days, 60 days, and 90 days out. You can filter by requirement, by population, or by status (on track, due soon, overdue). When you're ready to send renewals, you select the affected group — by tag, by date range, or individually — and send a magic link renewal packet. The recipients complete it the same way they completed original onboarding. Completion updates their compliance record immediately.
The audit export covers the full history: original onboarding completion, each renewal completion, timestamps for each step, and the specific packet version that was completed. If a policy changed between the 2024 and 2025 annual acknowledgment, the record shows which version each employee acknowledged and when.
What are the penalties for missing ongoing compliance requirements?
Penalties vary by requirement and jurisdiction, but the common thread is that they escalate significantly when the failure is systematic rather than isolated.
A single missed I-9 reverification in a 20-person firm draws a paperwork penalty in the $281–$2,861 range. The same failure across ten employees, discovered in an audit, draws the same per-form penalty multiplied by ten — plus the elevated scrutiny that comes with a pattern of non-compliance.
Anti-harassment training failures in California, where annual training is required for all employers with 5+ employees, can result in DFEH enforcement actions and civil liability exposure when a complaint surfaces that the firm's training was not current.
The more common cost for small firms is the audit preparation expense: legal fees, consultant fees, and staff time spent reconstructing records that a proper compliance system would have made instantly available.
Frequently asked questions about ongoing compliance for small firms
Do I need a separate LMS to manage training alongside OnboardingGenie?
No. OnboardingGenie doesn't host a built-in library of training courses, but it manages the distribution, completion tracking, and recurrence of any training materials you include in a packet — videos linked from your hosting platform, PDF training documents, acknowledgment forms. The platform handles the workflow; you provide the content.
How does OnboardingGenie handle compliance for 1099 contractors versus W-2 employees?
The compliance module tracks any recipient who completed an onboarding packet through the system — W-2 employees, 1099 contractors, and clients. You can tag populations separately and send compliance renewals to contractors independently of employees. Requirements that apply only to W-2s (like I-9 reverification) can be scoped to the employee tag; requirements that apply across all workers can be sent to all tags.
Can I send compliance renewal packets to a subset of employees rather than the whole firm?
Yes. Tag-based targeting lets you send a renewal to any subset: everyone hired before a certain date, everyone in a specific role, everyone assigned to a particular department. You define the tags during onboarding; compliance sends use the same tag structure.
What does the compliance audit export actually contain?
The compliance export includes, per employee: each completed compliance requirement, the packet version completed, the completion date and timestamp, the signatures collected, and the form data submitted. You can export as a formatted PDF (branded with your firm's name) or as a CSV for import into another system. Both formats are designed to be handed directly to an auditor without additional preparation.
Is there a way to see which employees are overdue without generating a report?
Yes. The compliance dashboard shows a live status view filterable by overdue status. You can see at a glance which employees are past-due on which requirements without running a report. The overdue flag stays active until the renewal is completed.
Founder, OnboardingGenie