Most organizations don't think about 911 compliance until someone asks about it. Maybe it's a new security director. Maybe it's an insurance carrier. Maybe it's a letter from the FCC.
Whatever triggers the question, the next one is always the same: "Are we compliant?" And the honest answer for most organizations is: "We're not entirely sure."
This article walks through what a 911 compliance audit actually involves — what auditors look for, what documentation you'll need, and where most organizations discover gaps they didn't know existed.
Who's Asking and Why
911 compliance audits come from a few different directions:
FCC Enforcement. The FCC has authority to audit compliance with Kari's Law and Ray Baum's Act. These audits are relatively rare but increasing. They typically follow complaints, incidents, or spot-checks of organizations in regulated industries.
Insurance Carriers. Liability insurers are increasingly asking about 911 capabilities during policy renewals. They want to know that emergency calls connect, that responders can find the caller, and that the organization has documentation to prove it.
Internal Risk/Compliance Teams. Many audits are self-initiated. A new CISO, a facilities review, or a safety incident prompts someone to ask: "What happens when someone here calls 911?"
State and Local Authorities. Some states have their own 911 requirements beyond federal law. State public utility commissions or emergency services boards may audit organizations operating multi-line telephone systems.
The Three Things Every Audit Checks
Regardless of who's asking, 911 compliance audits focus on three core requirements from Kari's Law and Ray Baum's Act:
1. Direct 911 Dialing
The requirement: Anyone must be able to dial 911 directly without dialing a prefix, access code, or outside line. No "dial 9 for an outside line, then 911." Just 911.
What auditors check: They'll test phones — desk phones, soft phones, conference room phones, common area phones. They want to see that dialing 911 connects immediately to the PSAP without additional steps.
Common gap: Legacy PBX systems still configured with "9 + number" dialing patterns. The system might accept 911 as a special case, but it might also try to route "91" as an incomplete outside call. Test it.
2. On-Site Notification
The requirement: When someone dials 911, a designated person or location on-site must be notified immediately. This is typically a security desk, front desk, or facilities manager.
What auditors check: They'll ask to see your notification configuration. Who gets notified? How? Email, SMS, pop-up, dedicated console? They'll also ask about after-hours coverage — does notification work at 2 AM on a Saturday?
Common gap: Notification goes to a single person who's on vacation, or to a shared inbox nobody monitors. Auditors want to see redundancy and confirmation that someone actually receives and acts on the alert.
3. Dispatchable Location
The requirement: 911 calls must deliver a "dispatchable location" — the street address plus additional information like building, floor, room, or office number that allows responders to find the caller without searching.
What auditors check: This is where audits get detailed. They'll ask: What location is delivered for a phone in Conference Room B on the third floor? What about a remote worker in Ohio? A user on VPN from a hotel? A softphone on a cell phone?
Common gap: The big one. Many organizations deliver a building address but not floor or room. Many have no solution for remote workers — the 911 call delivers the corporate HQ address even though the employee is working from home 1,000 miles away. This is the gap that creates real liability.
Documentation They'll Want to See
Auditors don't just take your word for it. Expect requests for:
Phone system configuration records. Documentation showing how 911 calls are routed, what PSAP they connect to, and what caller ID/location data is delivered.
Location database or E911 service records. If you use an E911 provider, they'll want to see how your locations are registered. How many locations do you have? When were they last updated? Who's responsible for maintaining them?
Notification configuration and logs. Who receives 911 alerts? Can you show logs demonstrating that notifications were delivered during test calls?
Test records. When did you last test your 911 configuration? Many auditors expect to see regular testing — quarterly or at minimum annually — with documented results.
Remote worker policy. If you have remote or hybrid workers, what's your policy for their 911 coverage? Do they self-register their location? Is it automated? What happens if they move?
The Gaps That Catch People Off Guard
After hundreds of compliance conversations, these are the issues that surprise organizations most often:
"We thought Microsoft/Cisco/our vendor handled it." Platform vendors provide tools, but they don't configure your locations, maintain your database, or ensure your remote workers are covered. Compliance is your responsibility.
"Our office locations are fine, but…" …but what about the remote workers? The traveling executives? The people working from home three days a week? Post-2020, this is often the majority of your workforce.
"We set this up years ago." And then you moved floors, added a building, expanded the remote work policy, and switched phone systems. The configuration that was compliant in 2019 may have drifted significantly.
"We've never tested it." The only way to know 911 works correctly is to test it. Many organizations have never placed a test 911 call to verify location delivery. Auditors find this concerning.
What Happens If You're Not Compliant
If an audit reveals gaps, consequences vary by who's asking:
FCC: Potential fines starting at $10,000 per violation plus $500 per day until resolved. The FCC has issued enforcement actions, though they often start with warnings and compliance deadlines rather than immediate penalties.
Insurance: Possible policy exclusions, increased premiums, or non-renewal. If an incident occurs and you weren't compliant, coverage may be denied.
Internal: A compliance gap becomes a line item on a risk register, an action item for someone, and a topic for the next board meeting.
The real risk isn't the audit itself — it's what happens if there's an actual emergency and your system doesn't perform. An employee has a heart attack, calls 911, and responders go to the wrong building. That's not a compliance issue anymore. That's a tragedy and a lawsuit.
Preparing for an Audit
Whether you're facing an actual audit or just want to close gaps proactively, here's where to start:
1. Test your current setup. Place test 911 calls from different phone types and locations. Coordinate with your local PSAP — they're used to test calls and can confirm what location data they received.
2. Inventory your gaps. Where are your people? Offices, floors, remote homes, hotels? Which of those locations are covered by your current E911 configuration? Which aren't?
3. Document everything. Even if you're not fully compliant yet, documented awareness and a remediation plan demonstrates good faith.
4. Talk to your phone system vendor. Understand what your platform provides natively and where you need additional solutions.
5. Evaluate E911 providers. If your current setup has gaps — especially for remote workers or multi-building campuses — dedicated E911 solutions can close them faster than trying to DIY.
The Bottom Line
A 911 compliance audit isn't something to fear — it's an opportunity to verify that your emergency systems actually work. The organizations that struggle are the ones who assumed everything was fine without checking.
The ones that pass? They tested. They documented. They closed gaps before someone else found them.
Which one do you want to be?
Close the Gaps Before the Audit Finds Them
9Line helps organizations get 911 compliant and stay that way — from dispatchable location management to remote worker coverage to ongoing test documentation. Whether you're preparing for an audit or just realized you should be, we can show you exactly where you stand and what it takes to fix it.
