A friend who is an extremely experienced security surveyor and auditor has frequently remarked on the increasing tendency among clients to use the two terms ‘survey’ and ‘audit’ interchangeably. As he’s quick to point out, there really is a world of difference between the two, not only in terms of the skills sets required, but also in terms of the essential purpose of each.
Charles Sennewald described the security survey as: “The process whereby one gathers data that reflects the who, what, how, where, when and why of the client’s existing operation. The survey is the fact-finding process.”
Going further, it’s a fact-finding process that involves examining and understanding the client’s business, processes, policies and procedures and their day-to-day operation. It requires an examination of assets, threats and vulnerabilities particular to the company, site, building and personnel, etc. It also requires a review of existent security measures, as well as recommendations going forward.
In short, it’s a significant task and a fundamental part of the larger security strategy.
Security audits: checking and inspection
In contrast, the security audit follows on from the survey as a means of checking that the measures implemented as a result of that survey are in place and adhered to. If the security survey is a ‘fact-finding process’ that informs security strategy and determines responses, the security audit is a checking or ‘inspection process’ that seeks to identify whether or not the responses are being carried out as specified.
The audit is by no means a poor relation to the survey. It’s a different but nonetheless equally important task. Effective auditing follows on from the survey providing an essential, swift and cost-effective way of ensuring that security procedures and measures are in place.
If the concern were only that the two terms are sometimes used interchangeably or erroneously it would not be that great an issue. However, there’s a greater confusion surrounding the two terms that has the potential to cloud and even misdirect the whole security management strategy.
As mentioned, the security audit is both time and cost-efficient and that’s where the benefits and the dangers lie. Like any other, the security sector is conscious of cost and, in the current weak economic climate, the audit process provides a comparatively inexpensive method of determining security.
If used in conjunction with a survey process all well and good but, if the audit is used independently of the survey process, it really becomes an end in itself.
Audit-driven security: over-focused on compliance?
Audit-driven security can become over-focused on compliance with standards at the expense of security itself. Put simply, auditing for compliance seeks only to check the function is in place, not whether it’s effective. A security audit will check for compliance, not for security.
A key area of compliance, of course, is the Security Industry Authority’s required training and qualifications for security officers, Public Space CCTV operators and door supervisors, etc. While an extremely good benchmark as far as a standard goes, it doesn’t take into account where and how these operatives are specifically used, and may not be supported by any additional training or direction which would help them operate in a particular environment.
A security officer, for example, receives much the same Security Industry Authority-proscribed training and qualification whether they operate in a retail, industrial or banking environment. If we then audit our provision of security officers solely against whether or not they are licensed they could well be compliant but not necessarily effective.
A security audit of compliance independent of the survey will deduce that the standards are being met; but the standards are not ‘security’. Only security officers operating as part of a well-researched security plan drawn from the larger security strategy, informed by the survey process and supported by role-specific training can hope to be truly effective.
Significance of compliance auditing
The significance of compliance auditing can reach beyond the basic Security Industry Authority requirements to embrace a host of legislation – including British Standards, EU Standards and International Standards – where these impact directly or indirectly on security. As with the Regulator’s provision, adherence to these legal requirements and standards, while beneficial, is not in itself a determinant of security.
Compliance auditing can exercise a siren song: in addition to being quick and cost-effective, it’s comparatively simple to assess. In short, you are either compliant or you are not. If not, the action required is simply to become compliant.
Likewise, if you measure your security performance against compliance it’s relatively easy to assess. You are either compliant or not, and your success becomes an issue of how compliant you are, or will become, or how much more compliant you are year-on-year.
The provision of effective security, on the other hand, is much more complex and harder to pin down. Security is a difficult state to envisage and even more difficult to measure. Nonetheless, it’s the more difficult road of security provision rather than pure compliance that we need to follow.
Security has advanced significantly in the last 20 years. One of the great advances made is that security has become more business orientated, with security managers adopting mainstream management tools and techniques.
Auditing and compliance are crucial elements in good management, but they must not become the defining elements. We must not put the cart before the horse and, in seeking to become compliant, we must not lose sight of the need to become secure.
The way forward must be to embrace evaluation, auditing and compliance as part of the greater security strategy and as part of a security management process: a process that provides staff and managers alike with the training, skills sets and resources necessary to distinguish between the security survey, the security audit and a greater awareness of what security really is all about.
Ken Livingstone is managing director of Perpetuity Training
Further information about… Perpetuity Training
Perpetuity Training offers a range of short courses, including Level 4 professional awards in Managing Security Surveys and Security Management.
All of the company’s short courses can be adapted to meet the needs of individual businesses. Bespoke training services are also available.
Perpetuity Training is proud to be associated with The Security Institute and to be the provider of the Institute’s two membership qualifications: the Certificate in Security Management (Level 3 Advanced Certificate) and the Diploma in Security Management (Level 5 Professional Diploma).
For more details telephone 0116-222 5550 or e-mail: training@perpetuitygroup.com
Free Download: The Video Surveillance Report 2023
Discover the latest developments in the rapidly-evolving video surveillance sector by downloading the 2023 Video Surveillance Report. Over 500 responses to our survey, which come from integrators to consultants and heads of security, inform our analysis of the latest trends including AI, the state of the video surveillance market, uptake of the cloud, and the wider economic and geopolitical events impacting the sector!
Download for FREE to discover top industry insight around the latest innovations in video surveillance systems.
