Monthly Archives: August 2013

Audits Are A Vital Tool For Designated Offficials

You’ve done your threat and risk assessment, identified the controlled goods in your organization, written your security plan and registered with the Controlled Goods Directorate. Some designated officials might think their jobs are finished and all they have to do is assess new personnel. That might be the case if we lived in a world where nothing changed, but we don’t.

You’re organization’s controlled goods program is fluid. To deal with this, internal audits need to be conducted. Not only are they mandated by the controlled goods regulations, they are a valuable tool that allows the DO to verify the state of the local program.

In addition, audits offer a chance to evaluate the effectiveness of the current security plan and make recommendations for corrective action as required. Such corrections may be necessary when the regulations change, when the environment changes, when it is evident that the security plan no longer meets the needs of the organization or if a part of the security plan is found to be flawed.

Audits begin with an examination of the records the DO is required to keep. These include records pertaining to assessments and exemptions to make certain all relevant information has been gathered such as biographical data, background history, reference contact, criminal background checks and credit reports. Other records include verification of contractor registration with the controlled goods directorate, records of visitors, training and security briefing records, records of transfer in and out of the facility, the current physical location of each controlled good, records of the destruction of controlled goods and records of security breaches with the initial report, contact with the Controlled Goods Directorate, the corrective actions and their follow ups.

The DO then needs to go into the field and cross reference the documents with the actual state of personnel and controlled goods. Security measures, physical and electronic, need to match the security plan. Those measures must also be evaluated for their effectiveness. Records of assessed or exempt personnel need to be checked with the actual personnel possessing controlled goods to make certain these people are still with the organization and to detect if there are non-assessed or non-exempt persons working with controlled goods. The DO must make certain the physical location of controlled goods match the documentation and that they have not been moved to a different location, shipped out of the facility or destroyed without proper records. The audit can also reveal controlled goods that have been introduced without the proper documentation. This can occur when someone orders an item without informing the DO or without realizing it is controlled. The DO must become familiar with the purpose and requirements of all manufacturing and research projects to anticipate where controlled goods might be introduced.

Whenever a discrepancy is detected, a corrective action must be initiated, assigned for repair, and followed up to make certain it was accomplished and that it had the intended effect. If a security breach is discovered, such as non-assessed persons handling controlled goods, it must be recorded and the Controlled Goods Directorate notified immediately.

Audits need to be conducted on a periodic basis. This might be yearly, biyearly or some other period depending on the needs of the organization. The DO might want to conduct a full audit each time or break up the audit by type of information (personnel vs. material), department, project or facility and stagger these throughout the year.

Audits are the most important tool a designated official has to monitor and adjust the health of a controlled goods program.