Risk

10 Things Your Internal Security Audit Cannot Overlook

By Daniel Young | July 23, 2022 | 3 min read
Internal audits

When you think of assessing security inside your buildings, you probably think of cameras, access control, and officers. What about your policies, however? How well your facility might hold up to a tornado? What about security against internal threats?

Internal security is about much more than physical countermeasures; it’s also about your company’s attitudes and policies when it comes to safety.

Need help with internal security? Contact us now for a demo.

10 things to include in your internal assessment

The following items should be included in your security assessment:

  1. Policies and procedures: Security assessments should include more than your cameras, doors, and other security countermeasures. Your policies and procedures should also be reviewed? Have they been updated recently? Where are the policies kept? When is each policy scheduled for a review and update? Learn more about best practices for reviewing your policies here.

  2. Background checks: You probably perform your own background checks on employees, but what about contracted security personnel? Don’t assume that your security provider is automatically checking all officers’ backgrounds. Make sure. If they don’t provide background checks, make plans to conduct your own.

  3. Scenario-based assessments: How prepared are you for an active shooter? A fire? A tornado? Assess your site for each scenario, rather than conducting one general assessment. The scenario-based approach lets you take into consideration how each countermeasure affects the scenarios. Learn more about scenario-based assessments here.

  4. Know whether you're doing a full or partial audit: A general audit takes a long time, and it means you can miss certain things. When you take a scenario-based approach to assessing security, you really zero in on specific items a more general assessment might miss.

  5. Penetration tests: Pen tests are not just for cybersecurity. When I conduct assessments, I like to walk around unescorted if I can. I want to see if employees will confront a stranger about being on the site. It’s a way for me to take the temperature of an organization’s security culture. Learn more about visitor control here.

  6. Cameras: Obviously a security assessment should include cameras, but are you checking the camera’s feed? I will verify in their command center if a camera is functioning, and ask the officers if there are areas that need a camera, or if there have been any problems with cameras.

  7. Test access control systems: Go beyond whether or not a site has access control. See if people are using it correctly. Are you able to borrow IDs from employees? If you ask someone to hold or open a door for you, do they do so? Security only works if people use it.

  8. Think like an assailant: As you conduct an audit, think to yourself: What is the assailant in this scenario hoping to achieve? When you think like a criminal, you tend to find a lot of gaps in security.

  9. Time of day: It’s one thing to assess the security of a site during the day when the business is open. It’s another thing to assess security when the site is closed. Try to be there at all hours when you’re conducting an assessment; time of day makes a huge difference in the security of a site. You may find that access control is less stringent at busy times, or that light at night blinds cameras.

  10. Know what you’re protecting: Every site has areas they want to protect, such as safes, data servers, labs, or executive suites. Spend time there, understand the assets that are being protected, and think about how an assailant might access them.

Internal security is critical

Your internal security is crucial to keeping your people and assets safe, so it’s important to make sure you are up to date on your assessments. By taking the time to examine the security inside your buildings, you can keep your site protected against everything from weather threats to assailants.


Ready to develop an internal security audit? Talk to us now about assessing your site.

Are you ready to improve your organization’s risk resiliency?

See Circadian Risk In Action Now
Watch a Demo