Security Audit Secrets
Properly designed and executed audits of an organization’s security program provide added value to the enterprise by enhancing effectiveness and ensuring compliance with corporate goals and professional responsibilities. Audits are commonly used to find flaws, weaknesses, and areas of concern. However, audits can also be used to optimize improvements and to identify best practices and exceptional performers within the team. This article discusses a Six Sigma approach to auditing a security program and provides guidance on developing an internal audit capacity.
Developed by Motorola in the 1980s, the Six Sigma business management strategy focuses on finding the cause of errors or defects in a manufacturing process and taking steps to remove those causes through quality control. It requires an organization to spend significant time gathering data and using statistical analysis. While this methodology is great for manufacturing and other areas of business where minutiae can make a difference in the results, it’s not the right fit for security operations. As a result, implementation of a total Six Sigma strategy for a security program is not the best choice. However, using a simplified version of one of Six Sigma’s two project methodologies—to be combined later with its audit tools—can generate outstanding results.
DMAIC. DMAIC—which stands for define, measure, analyze, improve, and control—is used for improving processes that already exist. The DMAIC process can be adapted to security program auditing through the application of a qualitative, as opposed to a quantitative, approach. Used qualitatively, it can provide a structure for creating effective security program audits.
The “define” phase can be used to determine what is being audited and can serve as the mission statement of the audit. “Measure” allows a comparison of internal and external requirements to standards of practice. Disparities can be qualified during the “analyze” phase to determine root causes. Prevention and problem solving theories are proposed during the “improve” phase. Finally, “control” is used to reassert managerial responsibility for solving problems and optimizing the program.
To illustrate how this would work, let’s use the example of one large city government in the southeastern United States that used DMAIC to address its local problem with violent crime. After conventional methods such as adding police officers, patrols, and overtime shifts failed, the police department decided to apply DMAIC.
The mission was defined as assessing the level, type, and causes of crime. Next was the measure phase. Data was gathered on where crime was occurring most frequently, as well as how it was identified and measured. For example, the department looked at how crimes were categorized and defined. Statistical analysis determined that certain crimes had a common nexus. For example, nonviolent gang activity was closely correlated with shootings. That nexus then became the focus of a future prevention strategy. If gang activities—thefts, loitering, graffiti—were spotted, extra patrols were dispatched in anticipation of possible gunplay.
By using ongoing analyses of crime reports, citizen complaints, and developing trends, the department kept officers updated about crime hot spots. The city was able to deploy fewer officers by placing them in the right locations. As the program gained success, specialized units were dedicated to fugitive apprehension, violent crime reduction, and felony response. After the program was expanded across the city, crime dropped 28 percent in two years.
SIPOC. Another Six Sigma tool that can be effective for auditing performance within a security program is SIPOC, which stands for suppliers, inputs, processes, outputs, and customers. It provides a better fit for auditing service-based programs such as training and uniformed guard services.
Analysis of suppliers should be based on needs specific to a certain business. For example, a company that plans to contract with a service provider to get armed security officers should first assess exactly what certifications, qualifications, and training methods are best practices for armed security personnel. It can then assess whether the suppliers bidding on the project meet those standards.
Inputs are the training and policy requirements for employees. Organizational culture, leadership, vision, and management can be examined under “processes.” Outputs are what staff or systems achieve, such as policy compliance and program effectiveness. Outputs, to the extent that they are quantifiable, can be used to calculate a program’s ROI. Finally, evaluating customers provides the opportunity to determine the satisfaction of internal and external stakeholders.
Let’s look at how SIPOC was applied by a large guard services company with a high-profile government contract. The company had a problem retaining qualified staff despite high regional unemployment and superior pay and benefits. This turnover affected client relationships as well as the bottom line. The company had no problem attracting new qualified applicants, despite mandatory physical fitness and weapons qualifications requirements. However, there were significant new-hire costs due to psychological and medical screenings, background investigations, and preemployment training. The turnover also affected client satisfaction because the constant staff changes resulted in a loss of confidence.
The company wanted to assess the cause of the high turnover and to reduce it. Through the application of SIPOC, the external supply of employees was not difficult to determine. A survey of employees further revealed satisfaction with the pay and benefits. An examination of inputs—in the form of daily duties—and processes—represented by supervisory expectations—revealed the problem: Officers made a variety of comments regarding mandatory overtime and long hours affecting their job readiness and their ability to meet ongoing mandatory fitness requirements.
The cost of supporting the overtime reduced company profits. However, the chronic shortfall of personnel forced the company to routinely violate its own policy against excessive overtime.
The company needed a way to reduce the overtime burden. It reached out to local law enforcement and military personnel and expanded its use of part-time personnel to reduce overtime as well as provide surge capability without requiring additional hours from guards. This one change reduced turnover, reduced job demands, decreased overtime costs, enhanced guard force morale, and increased client satisfaction.
While the use of DMAIC or SIPOC as a standalone tool may be effective, combining either of these paradigms with a well-planned audit process is the best way to enhance the effectiveness of a security program.
Audits have different forms and all of these forms have certain components.
Forms. There are three generally accepted forms of auditing: the attribute audit, the performance audit, and the assurance audit.
Attribute. Attribute audits are the most common audits conducted. They are generally used to test the effectiveness of controls and determine the rate of compliance with established criteria. The results of these audits provide a statistical basis for the auditor to conclude whether controls are functioning as intended, yielding a “yes or no” finding of compliance or noncompliance.
Performance. The performance audit evaluates organizational activities such as fire drills or specific requirements such as whether document-control mandates are being followed. Unlike an attribute audit, which typically produces a simple yes-or-no result, a performance audit examines a program, function, or operation to assess whether the entity is achieving economy, efficiency, and effectiveness in the employment of available resources, and it typically ends with a measured result.
Assurance. The assurance audit contains elements of the attribute and performance audits, but its primary goal is an independent and objective evaluation of whether a defined standard is being met. While an attribute audit tells us whether a control is functioning, and a performance audit tells us if we are operating efficiently, an assurance audit determines not only whether an organization’s systems are in place and being followed but also whether improvements are needed and whether legal and regulatory requirements are being satisfied. A successful assurance audit concentrates on the present and future needs of the organization.
Components. Regardless of the type of audit, it must include certain components, such as a charter, an audit team, documents, metrics, testing, and postaudit evaluation.
Charter. The audit charter is critical for audit success. It defines the key stakeholders, personnel needs, supporting documentation, and other requirements, as well as the scope of the audit and its expected critical outcomes. The audit charter also spells out what performance metrics will be used and what the audit schedule will be.
Team. Successful audit projects require the assistance of a variety of key organizational stakeholders. While having an accomplished security professional as the head of the audit team is important, an audit sponsor is critical to providing support to the audit team and making critical introductions to cross-functional personnel.
Depending on the scope of the audit program, the team may need to function under decentralized leadership while still providing a collaborative final product. There should be unlimited access to necessary information. Any conflicts should be resolved in this initial phase.
Documents. The team needs an audit document. The audit document serves as both a checklist and a guide to prevent differences between individual people from skewing the data gathered from the audit. It must spell out the purpose, procedure, data to be gathered, and conclusions drawn in a consistent manner that is valid and repeatable.
Managers should consider requiring photographs as supporting documentation to illustrate such issues as whether an area is properly maintained or meets appearance or life-safety standards. Other documentation might include supplementary checklists specific to certain issues or areas, specific interview questions, and copies of performance evaluations.
Metrics. The development of consistent metrics is crucial for making comparisons across an organization. Using policy as a baseline can allow the development of minimum performance standards. Any number of systems can be used, but an audit must contain objective information. Subjective opinions or impressions may be allowed in the final report, but a properly designed audit will provide consistent and repeatable results.
Test. The final component of an audit is a test of the audit process. This should be done on a micro scale by each member of the audit team. This evaluation phase will ensure consistency in both the auditor’s conduct and in the reported results. Feedback from this process can be used to assess whether the right data are being collected and to refine how the findings are being notated on the audit documents. Once these results are approved by the audit sponsor, the audit team can commence operations.
Postaudit. Once the audit has been completed, issues of noncompliance must be analyzed to see whether there are any commonalities. For example, personnel in different functions and with different managers who are not in compliance with a specific directive may have been trained by the same person. Similarly, a single group’s lax attitude towards a specific policy may be a reflection of weak leadership. In each case, the objective data from the audit, along with suspected causes, should be documented in the final report, including recommendations for corrective action.
Final steps. Once the audit has been completed and the report written, two final steps should be taken by the security manager. The first step is to correct all of the deficiencies identified in the audit, meaning that areas out of compliance should be brought into compliance and ineffective programs should be revised.
The second step is to distribute audit results to senior management and the supervisory teams of the departments or groups that were audited. Detailed briefs on findings as well as recommended courses of action for improvement should be offered. Both praise and criticism should be carefully delivered when conducting these briefs. There should also be a plan for enhancing understanding of program policies and goals.
The audit process should be used as a tool to monitor both progress and change within the overall security program. Once policy has been rewritten, training has been conducted, and operations resumed, the cycle can start over again.
M. David West, CPP, is a Lean/Six Sigma Black Belt and has developed enterprise-wide security policies for numerous government and commercial organizations. He is a member of the ASIS International Leadership and Management Practices Council. Devin G. Reynolds, CPP, provides training and consulting services to security organizations, law enforcement agencies, and U.S. government contractors.