Security Audit – Consistency in Practice

By: Rahmat Ibrahim, Malaysia

Audit or commonly known in Malaysia as inspection is little known to the security industry till the arrival of the US multinationals in Malaysia in the early 70s.  The usual outcry after a loss or a break-in followed by a rush to over protect a facility was the order of the day.  In today management term it is called the “fire fighting” approach.

Auditing was normally the job of insurers or accounting firms then.  Now you hear about ISO 9000 audits, Quality audits and audits in non-accounting fields.  In the security industry, the auditors are normally the corporate management of multinationals.  We have evolved from external auditors to internal auditors.  The trend now is towards audits by users or “owners” of a particular process or area.  This is also known as the internal self-audits.

Why Audit?

An effective security programs involves a dynamic security system and procedures; skilled and motivated security force; total support from the people of the organization and finally a workable monitoring mechanism or audit.  These four attributes form a consistency cycle for improvement and enhancement of the system.

The general security maxim is “where there are people there is abuse”.  The criminal mind always wants to beat the system.  All physical barriers or any form of prevention or detection system will always be tested by the human mind. This forms a vicious crime cycle between the enforcers and the offenders.  The audit helps to break this cycle in the favor of the enforcers and the moral society.

Security Standards

No audit is viable if we do not have standards to compare or benchmark.  Hence the setting of standards is the first step of audits.  TAPA or Technology Assets Protection Association in the US has a comprehensive audit format to check on warehouses, transport security and even airports or areas of external threats.  They set a series of security standards for the technology industry which is also the electronics industry and the cargo transporters.  The scorig measures the effectiveness of the system.

As we implement a security audit program for our organization we start by setting minimum standards for all criteria of risk.  Some basic security criteria or standards for an electronics industry manufacturing concern can be as follows:-

a)   Physical barriers

We may have to go to fine details even to the extent of spelling out the minimum height of a fence, the number of doors, type of lightings, etc.  Some industrial engineers can assist us to even set the light intensity of the parking areas, external compounds, etc.

b)   Security Systems

This is the favorite subject for security practitioners, but a night mare to the Finance Department.  How many cameras shall be enough and what will be an over kill?  The vulnerability of the product or areas we need to protect is the measure of how we want to protect.  The latest integrated CCTV & detection or early warning systems can be well deployed for effective coverage.

c)   Process Standardization or Procedures

The process standardization is the key to ensuring proper enforcement.  Here again we should review the core responsibilities in asset protection or emergency actions and develop minimum acceptable standards or process. Some of the procedures to be considered are:-

Access Control Procedures – the standards on access restriction of visitors and employees either to the whole or part of areas; badge color coding, etc.

Property Pass/Control Procedures – Standards and Forms for the movement of property outside and within the premises.

Shipping Procedures – Here the focus is on security checking of shipment or truck monitoring.

Finished Goods Security Procedures – Classification of high risk products, storage and handling security.

Scrap Control Procedures – Focus more on the collection storage and disposal of finished goods which are considered rejects, but fetch a street value at the grey market.

Incident Reporting & Investigation Procedures – In a people oriented organization this becomes a good form of data gathering (incidents) and the “do’s and don’ts” in evidence gathering, interviewing and corrective actions, etc.

Employee Discipline Procedures – Normally drawn up by the Human Resources Department to ensure standard enforcement of non-conformation of procedures.

High Risk Area Security Procedure – This classification is important if a particular storage or production area needs additional security protection.

Security Awareness – One of the main components of an effective security program is to ensure people support.  This can only be attained if the people are aware on the need to secure company property; how they can assist by suggesting improvement or by participation in decision-making, etc.  The best approach is to have a comprehensive security orientation program for new employees.

After the September 11th of 2002 we can add more to the list, e.g. anti terrorist programs, bomb threat, expatriate protection and issues related to crisis management and people protection.

Audits

Monitoring or to watch over, is a key factor for security.  That was how the term watchman came about. We carry out surveillance to detect abuse in the early stage, we enforce procedures to catch abusers and investigate crimes to prevent future abuse.  Audits or monitoring involves surveillance, enforcement and investigations – all in one.  Hence auditing is like looking at the big picture.  If done effectively, it is the guardian of the security program.  It is the main tool for the security practitioner to measure his own effectiveness and that of his team.

The audit involves a SWOT (strength, weakness, opportunities and threats) evaluation of the organization in the security aspect. Hence a well-defined audit format involving all the attributes of the security program is vital.  In general it should contain the following, but need not be limited to:-

a)   Physical Security (or barrier) evaluation.
b)   Review of the security procedures against actual practice.
c)   Evaluation of the security systems in place, i.e. the CCTV system, alarm system, card access system. etc.
d)   Adequacy of the manpower and their training needs.

One can draw out a format with the above as a guideline.  The format should be simple and with a good score system.  The score system helps to compare between two separate audits by time and by location. It is the barometer to gauge improvements.

The recommendation to rectify weakness is a crucial part of the audit.  Recommendations can be a simple action to rectify or a long term plan to improve the overall security of the area.  They are both cost and time related.  It is important to evaluate the weaknesses against the potential threat or risk they pose.  A cost effective approach should be taken.  Most management would like to know what is the payback if a large investment is needed.  Statistics showing reduction in loss (reflecting value or loss of business) will be a good measure to evaluate a payback.

Constraints

The management does not see the pay back from an audit.  Loss prevention is something not very tangible until the loss occurs.  So there may be no management support to recruit auditors, send auditors for training or acquire auditing software, benchmark audits in other organization or engage consultants to audit the facility.

Audit formats and the system used to evaluate may be too lengthy and may not pose a challenge to the auditors.  Inter plant ranking or competition and evaluation will help to appreciate auditors the areas being audited and the facility itself.

The objective of audits should be more so as a monitoring or feedback mechanism rather than a “fault finding” mission.  The simple rule of “don’t find fault, find solutions” should be used as rule of thumb.  It should be made a last resort to punish people who may not have conformed especially if detected during an audit.

The filling up too many reports or forms, too many reviews with auditors or auditees may also cause people to lose interest.  Too stringent standards set will virtually make every audit a failure.  Audits should be tailored to enhance the system progressively.

The Future of Audits

Security is a relatively new field compared to other professions.  Professional qualification and certification are not widespread, especially in Asia.  The effort taken by Security Professionals Associations worldwide to institutionalize the security profession is very encouraging.  Presently only experienced police or armed forces officers are termed as security professionals.  This is now changing with fresh university graduates taking up the challenge in this field. As the profession gains recognition, the need for standards and systems will change.    Once this happens we will see greater emphasis on security audits and certification in the same manner as Quality, Environment and Safety certification.  More computer-aided systems will be introduced.  Benchmarking and recognition of organization with Security Standards will prevail.  This will be a reality in the next decade in our country.

(This paper was presented  by Rahmat Ibrahim, a  Security Manager in a multinational company in Johor, Malaysia,  during the Security Practitioners Meet 2002 jointly organized  by MALSEC DOT COM  and IGB Corporation on 28-29 October 2002 at  the Cititel Hotel Kuala  Lumpur).