The last two years have seen fewer people on worksites. There have been fewer employees on site, many of whom have been working from home, and fewer auditors and regulators have been visiting worksites as well. Due to the pandemic, many industry physical security audits have been postponed, waived or held in abeyance, but that state of affairs is about to end.
In the second half of this year, as workers return to the office, regulators will be coming back to your sites as well — and you’d better be ready for them.
The reduced need for security audits during lockdown
At the height of the pandemic in 2020, nearly one third of the employed population of the U.S. worked from home, and many workers remained remote through 2021 as well. With so few people on site, it wasn’t worth the while of regulators to assess sites for compliance. This applied to both federal and internal security audits; there were some audits, but the volume was much lighter.
Now those auditors are making up for lost time, and companies can expect to see a wave of security assessors appear on site as we move into Quarters 3 and 4 of this year.
“As we emerge from the Covid-19 lockdowns, compliance audits are returning,” said Gustave Lipman, chairman of Circadian Risk and former COO of Guardsmark. “Those overdue are seen as urgent in the eyes of regulators. Those regularly scheduled remain on schedule. Thus, the demand for risk assessment audits will be surging throughout 2022 and into 2023.”
Is your company prepared for an audit?
You haven’t had an assessment in more than two years. Should you be concerned? That will depend on what you’ve been doing in the past couple of years. The companies that will be in the worst position for an audit are the ones that have gotten lax with their own internal assessments and remediations.
If you’ve been assessing risk internally regularly and correcting issues when you find them, you’re likely to come through an audit with flying colors. Below are some questions to ask yourself as you prepare for regulators to arrive on site:
Have you been keeping up with your internal self-assessments?
Are your returning employees getting up to speed on new requirements, and have they been refreshed on ones they haven't been drilled on live for almost two years?
Have you thought about how to accomplish compliance requirements with a smaller workforce population, if applicable?
Is the last self-assessment that you accomplished representative of where your organization is currently positioned?
If you’ve answered “yes” to those four questions, you’re probably in good shape, but there is still plenty of work you need to do in order to be ready when auditors show up at your doorstep.
Steps every company should take before an audit
Review the results of your last official audit. Take note of when that audit was done and what changes have been made since that audit was completed. Has the number of employees changed? Have regulations changed? Are there increased safety protocols now? Make a note of each change.
List your remediations. Make a note of any remediation you’ve made based on that last official audit. Be as specific as possible — I would recommend a detailed list of what has been done about each finding and the current status of each.
List your internal audits. Between the last official audit and now, how many internal audits were accomplished, and are those ready to be shown to an external auditor? If not, tidy those reports up.
Prepare to explain your internal audit process. If you are in an industry where you have had audits delayed or canceled during the pandemic, can you document that you still had an aggressive internal audit practice that included findings and remediation activity?
Don’t just hand a printed report of your internal audit to the auditor. Yes, it’s the auditor’s job to look at your internal assessments, but if you hand the assessor two or three long reports, they probably won’t thank you. Long reports are tedious to read, and important information can get lost in them. An interactive report that shows the auditor how your organization has been tracking findings and remediations is much more effective. Unlike a static report, a dynamic assessment tool can also show when and how those assessments were accomplished.
What tool can you use to present your internal audits?
Circadian Risk’s assessment platform gives you the ability to conduct self-assessments, which then become a trackable list of remediations. Our platform also allows you to import the hard copies of your previous internal audits into our Risk Analysis Dashboard, where you’ll have concrete examples and artifacts to show your auditors. This will enable you to track findings and remediations on a near-real-time basis.
Ready to learn how to make your audit findings into living documents? Talk to us now about assessing your security.