Security Audits for Compliance: How to Prepare for Internal and External Audits

Written By: James Hart

Conducting a security audit of your business or property isn’t just a good idea. Sometimes, it’s required for compliance reasons. 

Organizations may have to complete a review as a condition of their insurance policies. Sometimes regulations or business partners demand it, especially if those audits are related to cybersecurity or data protection. In some cases, the would-be buyer of a business or property will ask for a security review before finalizing the deal. 

However, compliance audits shouldn’t be seen as just checking a box. They also allow companies to test and improve their emergency response and continuity plans, said Bryan Taylor, vice president at Chesley Brown International, the national security consulting and management firm. 

Those reviews almost always uncover something that surprises the client, he said. The knowledge gained from a security assessment can be used to refine operations and improve contingency planning, preventing major financial losses down the line. In the most severe cases, it could even save lives.

This post walks through some of the standard parts of a security audit and shares advice on how organizations can prepare for them. A little extra preparation ensures that your organization receives the full benefit of the assessment.

What a security audit typically covers

To prepare for a security audit, make sure that your written emergency plans and security policies are available to the team that will be conducting the assessment.

“We will review the written policies, and we always ask for those in advance,” Taylor said. “We know what the policy is or what it should be and if it’s being followed.”

As part of its assessments, Chesley Brown will review those plans and look for possible gaps, covering a range of potential incidents. How will the client’s team respond if there is an active shooter scenario? What if a pipe bursts? 

The audit will also check whether the client’s team actually knows how to apply those policies, not just whether they exist on paper.

Reviewing a facility’s physical security is an essential part of an audit, Taylor said. His team will conduct physical penetration tests to see whether it is possible to evade security officers and reach parts of the building that should be off-limits, such as server rooms.

They will also check the facility’s access controls and security cameras to ensure that equipment is in good working order and set up to provide complete coverage. That can include site visits, even at night or on weekends. 

“We might find issues with a property’s security lights because we went there at 2 in the morning,” Taylor said. “We can tell them those lights aren’t working, and they’ll say, oh my gosh, we had no idea that our timers were messed up. And they wouldn’t have known because, normally, nobody’s at the facility at that time of day.”

Cybersecurity and data security audits have become an increasingly common requirement for many types of companies. Those reviews may include a check of the company’s incident logs, a review of which personnel have access to sensitive data and systems (and whether that access is still justified), a closer look at its network, firewalls and infrastructure, and more.
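One of the items above, the review of who has access to sensitive systems, is something you can rehearse before the auditors arrive. The script below is an added illustration written for this post, not Chesley Brown’s tooling or any product the article mentions. It reconciles a constructed access export from a hypothetical “hr-db” system against a constructed HR roster and flags the accounts an auditor would typically question: accounts that are not on the roster, accounts belonging to departed staff, accounts with no recent login, and privileged accounts without MFA. The review date and the 90-day inactivity threshold are assumptions; adjust them to your own policy.

```python
"""
Pre-audit access review (added example, constructed data).

Reconciles an access export for a sensitive system against the HR roster
and flags accounts that commonly draw audit findings.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

REVIEW_DATE = date(2019, 9, 30)    # assumed "as of" date for the review
STALE_AFTER = timedelta(days=90)   # assumed inactivity threshold (policy-dependent)


@dataclass
class Account:
    user: str
    system: str
    role: str                     # "admin" or "user"
    mfa: bool
    last_login: Optional[date]    # None means the account has never logged in


# Constructed HR roster: username -> True if still employed
ROSTER: Dict[str, bool] = {"alice": True, "bob": True, "carol": False, "dave": True}

# Constructed access export from the hypothetical "hr-db" system
ACCOUNTS: List[Account] = [
    Account("alice", "hr-db", "admin", True, date(2019, 9, 28)),   # clean
    Account("bob", "hr-db", "user", True, date(2019, 5, 1)),        # no login in 152 days
    Account("carol", "hr-db", "admin", True, date(2019, 9, 1)),     # left the company
    Account("dave", "hr-db", "admin", False, date(2019, 9, 29)),    # admin without MFA
    Account("svc-backup", "hr-db", "admin", False, None),           # not on roster, never used
]

Finding = Tuple[str, str, str]   # (user, system, reason)


def review_access(accounts: List[Account], roster: Dict[str, bool],
                  as_of: date = REVIEW_DATE,
                  stale_after: timedelta = STALE_AFTER) -> List[Finding]:
    """Return one finding per (account, problem). An account may yield several."""
    findings: List[Finding] = []
    for a in accounts:
        # Orphaned or unmanaged identity: nobody in HR owns it
        if a.user not in roster:
            findings.append((a.user, a.system, "not on HR roster (orphaned or service account)"))
        # Access that should have been revoked at offboarding
        elif not roster[a.user]:
            findings.append((a.user, a.system, "account belongs to a departed employee"))
        # Dormant access is unnecessary access
        if a.last_login is None or as_of - a.last_login > stale_after:
            findings.append((a.user, a.system, f"no login in {stale_after.days} days"))
        # Privileged access deserves a stronger authentication bar
        if a.role == "admin" and not a.mfa:
            findings.append((a.user, a.system, "privileged account without MFA"))
    return findings


def findings_by_user(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group reasons per user so each account owner gets one follow-up item."""
    grouped: Dict[str, List[str]] = {}
    for user, _system, reason in findings:
        grouped.setdefault(user, []).append(reason)
    return grouped


if __name__ == "__main__":
    for user, reasons in findings_by_user(review_access(ACCOUNTS, ROSTER)).items():
        print(f"{user}: " + "; ".join(reasons))
```

Run it against a real export (most directories and SaaS admin consoles can produce a CSV of users, roles, MFA status and last login) and you have both a remediation list for your own team and the evidence trail the auditor will ask for.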

Security experts may also consider the tenants inside an office building, which can affect its risk level. A suburban office building in a safe, secure area — something that seems low risk on its face — might be a higher risk because one of its tenants is a federal judge. 

Considering other factors

A good security audit will also cover factors that might not be immediately obvious when surveying the property, such as crime reports for the surrounding area, Taylor said. Auditors will also check the licensing status of security officers to make sure the staff meet regulatory requirements.

Some of an audit’s most useful information comes from open-source intelligence: news reports, social media posts, review sites and other online content. It’s become an increasingly important part of assessments, Taylor said. Those reviews can reveal problems that might otherwise be overlooked. 

Those issues aren’t always related to security. For example, a business might believe its foot traffic and sales are down because of car break-ins in its parking lot. But the slowdown might actually tie back to customers being unhappy about service or products.  

It’s critical to train and test your team members on emergency plans, Taylor said. Conducting drills can reinforce skills and reveal opportunities for improvement.

“Doing an audit, having policies in place, fine-tuning them — those are all helpful,” he said. “But if you only open that binder once every five years, you won’t know how to respond when you have an incident.” 

How often should you schedule a security audit?

It’s smart to schedule security audits on a regular basis, either annually or semiannually, Taylor said. That lets you keep up with updates to regulations — for example, if your local government increases the number of fire drills that larger buildings must hold in a calendar year. 

“Policies, procedures, certifications, standards — they all change, so you need to make sure your organization is up to speed,” he said. “Audits keep you from being caught with your pants down. I recommend doing an assessment at least annually. 

“Depending on the property, you might plan something more often. A facility like a power plant might require penetration testing on a regular basis because its risk profile is higher.”

The secret to successful security audits for compliance

If there’s one key to a successful security audit, it’s openness. Provide full disclosure about any issues to the team that’s conducting the review. Many times, a client already knows about recurring problems on the property. 

Disclosure can be uncomfortable sometimes for managers who feel protective about information or worry they will be blamed for things that are out of their control. 

“They feel like it’s a failure on their part, but withholding information sets up the audit for failures,” Taylor said. “As a result, you won’t get the full benefit of the review. So you need to be an open book and show us everything that you have, so we can make a real assessment.”

Most security audits don’t just point out what’s wrong. They also include recommendations for addressing those issues and making improvements. 

This is why it can be helpful to have a firm like Chesley Brown in charge of the audit. The firm’s team also provides daily security for a range of clients, so it can make practical, actionable suggestions that fit the client’s needs and circumstances.  

“We’re going to share best practices, but we’re also going to make sure they’re something that can be executed,” Taylor said. “We’re not just going in and saying, ‘Hey, here’s some great ideas.’ We also know what it’s like to implement them.”

The bottom line on security audits

Conducting a security review is like getting a checkup from your doctor. A regularly scheduled assessment can reduce the risk that an undiagnosed problem will blindside your team and create significantly worse problems than if it had been addressed earlier.

To maximize the impact of your security audits:

  • Share the organization’s emergency plans and policies ahead of the review
  • Disclose any known, existing issues with security
  • Use the findings to address any weaknesses uncovered by the assessment

If your organization needs expert assistance with its compliance audits, Chesley Brown can help. The firm provides a wide range of security consulting and services to clients across North America, including large office complexes, shopping centers, stadiums and data centers. 

Contact Chesley Brown today for a consultation.
