Security Company Audits
The auditing of security companies has caused something of a stir amongst security professionals over the past few years. A large company this week asked me why they need to be audited, who sets the standard and why is it so expensive?
I think it is important to identify some key facts and issues about the audits. Don’t get me wrong, I actually think that a profession such as the security industry should be able to prove they meet a suitable standard. So I agree with an audit process being available, but questions have been raised about the status of audits we currently have available to the industry.
Who says security companies have to be audited?
Interesting question. Having a company that is audited against a set of standards provides a level of credibility for clients and gives them confidence in their chosen security company. Currently NZSA is the only organisation that offers an audit process. However it is part of a business model offering products to their members at a high cost should they wish to go through the process. As part of this business model NZSA advises security industry clients, including government agencies, that they should only employ an audited member of NZSA.
However, the reality of this is that it is rarely complied with. The most recently awarded large scale (150 guards) security contract was won by a company that is not a member of NZSA, and has no official audit status. Also of interest the contract was taken from a large NZSA audited security company.
So the bottom line is that security companies do not have to be audited – there is no statutory or legal requirement to undergo an audit.
Quality & Integrity of Audit & Auditor
An audit system requires robustness, credibility and integrity. I understand audits. I go through major audits every year either by the Charities Commission in my role as Chairman of CPNZ or NZQA in my role as a Director. In each situation the quality of the audit and the auditors is something of paramount importance to ensure validity, fairness, consistency and integrity.
Firstly, an auditor should have a qualification that indicates an appropriate level of skill and knowledge in the audit process. This must also be accompanied by comprehensive knowledge of the subject being audited. For example the Security Management Systems Lead Auditor certificate meets an international standard. An audit performed by someone without recognised certification is as good as a financial offer received by email from a Nigerian prince or gaining a Masters degree online.
In New Zealand there are some very experienced security consultants that could, and do, carry out audits providing the appropriate level of certification and integrity.
Secondly, the auditing organisation should have a proven history of integrity with its own internal audits as well as any external audits they are required to undergo. This has not been the case with the organisation currently offering security industry audits. I refer you to the NZ Security Magazine article entitled ‘NZSA training evaluation result raises questions‘. (NZ Security Magazine June/July 2016)
Thirdly, there needs to be wider industry support for the codes of practice that the auditing organisation is auditing you against. For example neither the New Zealand Institute of Professional Investigators (NZIPI) nor ASIS endorse any currently available codes of practice in New Zealand.
Lastly, an audit should primarily be an independent, quality driven process based on integrity and credibility and designed to improve standards within industry. It should not be an income driven process included within an organisation’s business model. The high cost of membership and the audit process effectively excludes some organisations from being able demonstrate their ongoing commitment to quality.
If we are serious about raisingthe standards within the industry we need to have an audit process available that meets all the requirements mentioned above as well as being easily accessible industry wide.
My final thoughts
Good on NZSA for having an audit process. However it is being thrust upon the wider security industry by virtue of it being ‘sold’ to clients and end users as a mandatory process for RFP and other tenders. Before clients can have confidence in this process they need to ask how valid these audits may be, and how competent the people undertaking these audits are.
Does it reach the levels of professionalism that the security industry needs? If not then it needs fixing.