Electronic Building Security Review Audit Programs

PLANNING

1. Develop internal control narratives to describe the process and procedures of the building security system. At a minimum, document the following:
   * General Access
   * Public Access
   * Employee Access
   * Vendor Access
   * Contractor Access
2. Verify understanding of current procedures through inquiry, observation, and inspection of supporting documentation.
3. Evaluate whether the established controls are reasonable and adequate.

FIELDWORK

Public Access:
1. Test doors at main entrance during regular office hours and off-work hours.
2. Verify whether non-employee visitors are properly screened and are accompanied by a required company escort.
3. Test doors to restricted access areas, such as: Data Centers, Mainframe, LAN/WAN Wiring Closets, and LAN rooms.

Employee Access:
1. Test main entrance doors during working and off-working hours.
2. Test doors other than main entrance during regular office hours.
3. Test the addition/deletion of employees to the security system.
4. Test unused access cards to see what access they have, if any.
5. Test workstations for access to computer terminal and access cards themselves.
6. Test employee access in LAN areas.
7. Look at access system activity logs to determine inconsistencies.

Vendor Access:
1. Verify adequate control of vendors who deliver goods or supplies to the office.
2. Test vendor access in restricted areas - IT areas.
3. Test vendor access in LAN areas.
4. Test vendor access to all restricted areas.

Contractor Access:
1. Test controls on contractor access.

Exigent Circumstances:
1. Test emergency action system and verify security system is released so employees can seek safety.
2. Test power failure access. Are the buildings still secure?

REPORTING

1. Rate the status of internal control based on tests performed.
2. Prepare a report covering:
   a. objective and scope of audit
   b. findings and recommendations
3. Discuss the report with management, and obtain and evaluate responses to recommendations.
4. Follow up (as needed) to assure that new or improved controls are functioning.
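
The Employee Access tests on adding/deleting employees, unused access cards and activity-log review can be partly automated by reconciling three exports: the HR roster, the card registry and the door log. The sketch below is an added example, not part of the original audit program; the CSV layouts, column names, card IDs and finding labels are constructed assumptions, not any real access-control product's export format.

```python
import csv
from io import StringIO

# Constructed sample data; column names and values are assumptions.
ACTIVE_EMPLOYEES = {"E100", "E101"}  # IDs taken from the HR roster

CARDS_CSV = """card_id,holder,enabled,zones
C1,E100,yes,MAIN
C2,E101,yes,MAIN;LAN
C3,E199,yes,MAIN;DATACENTER
C4,,yes,MAIN
C5,,no,
"""

LOG_CSV = """timestamp,card_id,door,result
2024-03-04T08:55:00,C1,MAIN,GRANTED
2024-03-04T23:10:00,C3,DATACENTER,GRANTED
2024-03-05T02:14:00,C4,MAIN,GRANTED
2024-03-05T09:01:00,C9,LAN,DENIED
2024-03-05T09:05:00,C1,LAN,GRANTED
"""

def load(text):
    return list(csv.DictReader(StringIO(text)))

def review(cards_csv, log_csv, active):
    cards = {c["card_id"]: c for c in load(cards_csv)}
    findings = []
    for cid, c in cards.items():
        enabled = c["enabled"] == "yes"
        if enabled and c["holder"] and c["holder"] not in active:
            findings.append(("STALE_HOLDER", cid, c["holder"]))  # deletion not done
        if enabled and not c["holder"] and c["zones"]:
            findings.append(("UNASSIGNED_WITH_ACCESS", cid, c["zones"]))  # spare card
    flagged = {f[1] for f in findings}
    for e in load(log_csv):
        cid, door = e["card_id"], e["door"]
        card = cards.get(cid)
        if card is None:  # badge presented that the registry does not know
            findings.append(("UNKNOWN_CARD_IN_LOG", cid, e["timestamp"]))
        elif e["result"] == "GRANTED":
            if cid in flagged:  # a card flagged above was actually used
                findings.append(("GRANT_TO_FLAGGED_CARD", cid, e["timestamp"]))
            if door not in card["zones"].split(";"):  # log contradicts registry
                findings.append(("GRANT_OUTSIDE_ZONES", cid, e["timestamp"]))
    return findings

if __name__ == "__main__":
    for f in review(CARDS_CSV, LOG_CSV, ACTIVE_EMPLOYEES): print(f)
```

Each finding is a lead for the fieldwork tests, not a conclusion: a grant outside the registered zones, for example, may mean the registry export is stale rather than that a door is misconfigured.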