Think you have tight security measures in place? If so, you're in the majority; most DCs believe they've taken adequate steps to prevent loss. But some recent audits have shown that this confidence may be misplaced. Take the case of a DC that recently hired an outside consultant to audit its operations after discovering that a lot of inventory had gone missing. Despite substantial evidence that they had a big pilferage problem, company executives told the auditors they weren't entirely certain the loss was a result of theft. After all, they explained, they had a state-of-the-art alarm system, dozens of video cameras and 24/7 guard service.
What the auditors found was that although the DC did indeed have an intrusion detection system, video cameras and round-the-clock uniformed guards, it also had some serious holes in its security procedures. In fact, they identified no fewer than 20 significant vulnerabilities.
One of those arose from the way in which the company used its guard service. During off hours, the company hired officers to patrol the grounds as well as the DC itself. Because they needed to enter the building, the guards were all given the codes required to disarm the intrusion detection system. That meant that the guards posted on night and weekend shifts—who turned out to be the ones with the least seniority—had uncontrolled access to the company's inventory.
When this was pointed out to them, company executives seemed unconcerned. They also had a video system in place, they explained, so they would know if the guards were up to no good. But after the auditors showed them that the videotapes had numerous unexplainable gaps (the guards were responsible for viewing and maintaining the tapes), the client agreed to implement the auditors' recommendations.
What did the auditors recommend? First, they advised the client to give the guards access cards, but not alarm codes, for the facility. If security officers needed to enter the DC after hours for an emergency, company executives would be alerted by the alarm company. They also suggested making someone other than the guards responsible for viewing and rotating the videotapes. Almost immediately, the shrinkage stopped. What's more, the next inventory count was the first perfect count in three years.
As that company learned, security equipment alone won't stop thieves. Effective loss prevention also requires failsafe security procedures and policies for ensuring that workers adhere to those procedures. An audit will provide an excellent gauge of how your site measures up in these two respects. It can also provide valuable information on a security program's weaknesses and risks. What follows are some tips for conducting an effective security audit:
- Make sure the audit is unannounced. There should be no advance notification to the facility being assessed. If word gets out, workers will have a chance to provide a temporary fix to known vulnerabilities. Auditors get a distorted view of the operation.
Consider the case of a facility that performed a self assessment and gave itself an overall security rating of "excellent." Two months later, an audit team swooped in unannounced only to find the door to a high-security room propped open with a chair. When questioned, the general manager explained that the locking device that controlled that door wasn't working. When the auditors checked the site's access control history report, they found that the card reader had been out of order for over two months, meaning that the door had been unsecured during that entire time. Among other things, this room housed the alarm system's control panel, the computer containing all the access control software and the facility's main server. Any worker, vendor or contractor could have walked in and neutralized the alarm system, deleted the access control history, extracted confidential information or sabotaged the network. Needless to say, the unannounced audit team's assessment differed markedly from the "excellent" rating the workers had given themselves.
- Accept nothing at face value. Consider the case of a company that had noticed that its inventories had been steadily shrinking and called in outside auditors to figure out how the goods were leaving the facility. When the team went to examine the company's internal checking process for inbound and outbound product, the quality control manager insisted that the problem wasn't in the shipping or receiving functions. Why not? Because his personnel regularly conducted surprise shipment inspections. Rather than accept his word as fact, however, the team evaluated the entire process, with disturbing results.
To begin with, the employee conducting the receiving audits had a pattern of selecting the same days and time frames for checking inbound orders. He never audited shipments that arrived immediately prior to his breaks or within 30 minutes of his daily departure time. And because he was extremely friendly with the receiving crew, the auditors questioned whether he would report discrepancies if he found them. In fact, nearly 100 percent of his reports indicated that there were no discrepancies with any of the loads he audited. Based on the company's throughput, this seemed highly unlikely.
The auditors recommended that the company revamp its auditing process and assign a new checker to this position. It did so, and within 60 days, the company's inventory shrinkage rates had plummeted.
- Make sure the audits are performed by people who have no ties to workers in the facilities being evaluated. A security audit team that's concerned about the political fallout of a negative report may water down its findings in order to avoid embarrassing or angering co-workers. That's one reason why many companies bring in independent security firms to conduct these assessments.
Gartner, Inc.
