
The 5 Steps Needed to Plan for a Successful Security Compliance Audit


Passing a security inspection, or audit, can be an easy and straightforward process for most chemical companies, manufacturers and plants, provided it’s handled in an organized manner. The “5 P’s” adage “proper planning prevents poor performance” should be the background theme for the inspection or audit.

To start, let’s break the inspection, or systems audit, into 5 distinct components. 

  1. Before the Inspection
  2. Opening Meeting
  3. Site Walk-Through
  4. Document Review & Interview
  5. Closing Meeting

Before the Inspection

Proper planning is the order of the day. The time spent in preparation well ahead of the audit will pay off during the inspection. Assemble your team. This should include the security director, the facility manager, and their assistants. If there are cyber assets at the site, include the person in charge of them. If corporate IT or cyber systems managers oversee this from a different location and cannot attend in person, have them be available for a planning conference call. The same holds for Human Resources representatives.

Lay out the expectations for the inspection with your team. Clearly spell out what part everyone is expected to play in the inspection. This will demonstrate to the inspection team that your staff is actively engaged in the process. Don’t give the impression that security is a one-person show. Instruct the team to answer any questions posed by the inspectors clearly and truthfully. Never guess if you do not know the answer AND when you are done answering a question, STOP TALKING. Don’t speculate and don’t ramble.

Every inspection involves a review of documents.  Some examples are procedures, impairment reports, incident reports, training records, and even personnel records.  Rather than collecting these items immediately before the inspection, employ a system where you can capture the necessary documents in “real time” as you use or generate them.

Work with your team to plan out the areas of the site that will be part of the inspection tour. Walk the route with your team and note any relevant security items in place, as well as any that may be lacking or in need of attention. Assign responsibility for correcting any items that need attention. In the same light, note any improvements or additions made that enhance your posture. Write them down in your notes and be sure to share them with the inspectors during the actual tour.

After the team’s planning walk-through of the site, reconvene and go over everyone’s notes and comments. If you have any “to do” items, spell them out. Determine who will take responsibility for them and when they will be completed.

If a required practice or piece of security equipment is on the “to be repaired” list, but will not be fully operational again by inspection time, enact your impairment plan that addresses the shortfall. If you do not have an impairment plan that addresses the issue, develop one with your team, put it into operation, and document it!

Once the inspection has been scheduled, notify site personnel and site security staff of when it will occur and by whom it will be conducted.

Inspection Day

The inspection day can be broken down into four segments including:

  • the opening meeting,
  • a site walk-through,
  • document review & interview(s), and
  • a closing meeting.

If the inspection is set to cover multiple days, these segments (with the exception of the closing meeting) may be intermixed in each day, or could follow in sequential order. Be flexible, and remember the “5 P’s” approach described above.

Opening Meeting

You never get a second chance to make a first impression. So, start off on the right foot. Welcome the inspection team and thank them for their attention. Up front, cover the “housekeeping” items:

  • Site Safety Requirements, including required PPE
  • Agenda and timing (if there is an outline or agenda from the inspector use this)
  • Restrooms, telephone and how to access wireless connectivity, if needed
  • Team introductions. Be sure to have them share what role they play at the site, and in the inspection
  • Inspection team introductions, and the role they play in the process

Readdress the intent of the inspection. If the site tour covers a large area, consider showing an overhead image of the area. Point out key areas. If it is within a large building, such as a warehouse, consider using a floor plan drawing.

If this is the inspection team’s first visit to the location, give an overview of the site. Items to include are products produced, services provided, number of personnel, and company history.

Be certain to allow the inspection team leader the opportunity to speak to their objective(s) and plans.

Site Walk-Through

For a small group, don’t overwhelm 1 or 2 inspectors with a dozen people from your team. Have your key team members with you and ask area-specific personnel who may be needed during the inspection to meet you when the tour reaches their location.

If there are a number of inspectors, and the plan is to break into groups, be sure to assign the appropriate personnel from your team to each group.

Follow the route you planned that covers the area(s) to be inspected. Do not stray or wander. If there is work or maintenance type activity that could pose a hazard in a certain area, use flagging tape to section it off. Be sure to point out that there is work going on in that area and why you are not entering the area.

Point out key security items or components. If a key item is out of service, be sure to point this out, coupled with an explanation of the impairment activity you have underway in order to address the shortfall. Let the inspectors see that you are on the ball, and let them see the impairment plan in action.

Team members should focus on the tour and questions from the inspectors. They should not engage in sidebar or personal conversations amongst themselves. Likewise, they should answer questions pertinent to their area of responsibility. Remember, it is not a one person show! Appoint someone from your team to act as the sweeper for each group on the tour. Their job is to round up any wanderers and keep the group together.

Make a written note of any questions asked that are to be addressed during the interview portion of the inspection. If the inspection requires photographs to be taken by the inspectors, be sure to take an identical photo with a company-supplied camera. This can be especially helpful if a question about something viewed comes up at a later date.

Document Review & Interview

This is the area where the inspector, or inspection team leader, typically takes the lead. Be prepared to answer questions regarding items or activities seen on the tour. Again, answer clearly, truthfully and to the point of the question. When you have clearly answered the question, STOP TALKING! If you do not know the answer, don’t guess, speculate or make something up. Offer to find the answer, make note of the issue, and be certain to follow through. If an immediate answer is required, take a break and locate the information to satisfy the question.

As the team leader, you need to ensure good communication. If you do not understand a question, it is not out of line to ask for clarification. Similarly, be sure that the message that you and your team are conveying is clear and is understood by the inspector. Avoid using acronyms, nicknames or local site jargon that may mean something to you and your team, but are terms unfamiliar to those not from the site. Along the same lines, if an answer involves discussion of a more technical nature, ensure the inspector understands what you are trying to convey.

Any documents that need to be reviewed should be on-hand. If electronic versions are allowed, as opposed to written copies, have the computers needed at the ready. The same follows for any projection equipment necessary. During your pre-inspection planning you should have ensured that the most current version of any procedure, inspection report, maintenance log, etc. is the version you have on-hand.

If the inspector requires a copy of any document, be certain to note which document that is and be sure to retain a copy of the document they received. If notations were made to any photographs taken, be certain to add those notations to any duplicate photos in your possession.

Closing Meeting

The closing meeting should include the same personnel that participated in the opening meeting. Generally the closing meeting is led by the inspector or inspection team lead. They may note items that they felt are commendable and some that are even unique and noteworthy. Similarly, they will bring out areas or items that are not in accordance with requirements or for which they have further questions. If something was misinterpreted by the inspector, take the opportunity to politely clarify the issue and bring it to a resolution.

Be sure to recap any “to do” items noted during the inspection process. Items for follow-up, documents or images to be sent to the inspector, and any promises made should all be recapped in the closing meeting, along with who owns each task and the committed delivery date. When delivery of these items is completed, document it.

Be certain to ask if there are any open issues or items. Take time to review your notes from the site tour to ensure any questions or items you captured on the tour have not been overlooked.

Be certain to note any follow-up actions or next steps to be taken. Thank the inspectors and thank your team.

Conclusion

When all is said and done, you should be able to look back and see that the organization of your records, the planning and the preparation that you and your team put into place before the inspection yielded a smooth inspection and a positive outcome.

If you found yourself struggling to answer questions and locate documents, or not having every member of your team involved in the process, use the lessons learned to build a more robust document retention program, and work with your staff to become better organized and address the issues collectively. Build on the strengths of the group as a combined unit instead of individual efforts. Use the experience to strengthen not only your security posture, but also your management process. It will pay off in the long run.

About Ronald Razzolini

Ronald Razzolini is the Director of Business Development for Telgian Management Technologies, LLC, developers of the Telgian Compliance Manager, an automated security compliance solution for the chemical sector.  Razzolini has over 35 years of experience in the chemical industry, as well as deep technical knowledge in the development, implementation and management of safety and compliance programs and procedures.

He also plays an integral role in chemical sector safety and security procedure development nationwide. His committee experience includes the American Chemistry Council Chemical Security Committee (2001 – 2018) where he acted as Committee Chairman from 2010 – 2013. This chemical industry “working group” was chartered to protect the chemical sector from threats of terrorism and coordinate activities among industry, legislators and the U.S. Department of Homeland Security. In addition, Razzolini has participated on the National Infrastructure Advisory Council, where he acted as subject-matter expert on projects addressing the sharing of information between federal intelligence agencies and the private sector.

About the Telgian Compliance Manager

Telgian Compliance Manager (TCM™) is a cloud-based relational database software application designed to track security compliance solutions. This software enhances management of the Department of Homeland Security Chemical Facility Anti-Terrorism Standards (CFATS) and the American Chemistry Council’s Responsible Care® Security Code (RCSC) compliance regulation requirements, as well as compliance best practice work processes. For additional information, visit Telgian Management Technologies.
