Access Control Audits: Who Has a Key, When They Last Used It
Access control audits are the cheapest security improvement most organizations can make. Here's how to run one and what you'll find.
The keys you do not know you have.
Most organizations have more physical keys and electronic credentials in circulation than their leadership realizes. Long-tenured keys given to former pastors. Electronic fobs issued to contractors who finished work two years ago. Keypad codes shared with vendors during specific projects and never changed afterward. Spare keys hidden in the landscaping by someone who no longer works at the organization.
Every one of these is a path into your facility that someone outside the organization's control still holds. Most are innocuous. Some are not. All of them should be known and reviewed.
Why this is the highest-leverage exercise.
Access control audits are among the cheapest, fastest, and most productive security exercises available to most organizations. The reasons:
- The work requires only time, not money
- Findings are typically concrete and actionable
- Remediation is usually straightforward (revoke, reissue, or retire)
- The exercise surfaces information that cannot be obtained any other way
- Results improve security materially in days, not months
For nonprofit and community organizations that want to make measurable security progress with limited budget, the access audit is among the first exercises to undertake.
The categories of access credential.
A comprehensive audit covers every type of credential in use.
Physical keys
Metal keys to any door of the facility. Often the hardest category to audit because keys do not self-report usage. Inventory requires:
- Complete list of all doors
- Complete list of all key holders (current and potentially former)
- Physical verification of keys (each holder confirming they still have them)
- Review of whether each key holder still needs access
Electronic fobs and badges
Cards or fobs that activate electronic locks. Most systems generate reports showing active credentials and recent usage. The audit reviews:
- Current active credential list
- Last usage date for each credential
- Appropriateness of access level for each credential
- Credentials belonging to people no longer in the role that justified access
Keypad codes
Numeric codes entered on keypads to open doors or disarm alarms. Codes drift badly because they are shared informally and rarely changed. The audit reviews:
- Current active codes
- Who knows each code
- When each code was last changed
- Appropriateness of current distribution
Digital credentials for systems
Usernames and passwords for camera systems, alarm systems, and building management systems. These credentials grant remote access and often administrative capability. The audit reviews:
- Current active accounts
- Last login date for each account
- Role appropriateness
- Accounts belonging to vendors or former staff
Parking and gate access
For facilities with controlled parking or gated access, any permit, clicker, or credential that grants entry:
- Active parking credentials
- Gate openers issued to residents, staff, or vendors
- Whether holders still need access
Mail and package access
For facilities where package lockers, mailboxes, or delivery zones have access controls:
- Who has access to receive packages
- Who has access to package lockers
- Delivery service credentials that may have been issued
The audit process.
A productive access audit follows a structured approach.
Step 1: Build the inventory
Compile a complete list of every known credential of every type. Pull reports from electronic systems. Interview leadership, facilities staff, and anyone responsible for credential issuance to identify credentials that may not appear in system reports.
Step 2: Map the access
For each credential, document what access it grants. Which doors. Which areas. What time restrictions. What authority level.
Step 3: Verify each credential
For each credential, confirm:
- Who currently holds it
- Whether they still need it for their current role
- When they last used it (if the system tracks usage)
- Whether the holder’s current role justifies continued access
Step 4: Identify discrepancies
Credentials belonging to former staff. Credentials whose holders no longer require access. Credentials that are inactive (not used in months or years). Credentials with access levels inappropriate to the holder’s role.
Step 5: Remediate
Revoke credentials that should be retired. Reduce access levels where appropriate. Reissue credentials where needed. Update documentation.
Step 6: Establish ongoing rhythm
The audit is not a one-time event. Establish a rhythm for future audits: quarterly, semiannual, or annual, depending on turnover.
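As an added example (not code from the article or from the firm), here is a small Python script that applies Steps 3 and 4 to an electronic credential export of the kind described under "Electronic fobs and badges": it flags departed holders, credentials that are unused or inactive, and access beyond what the holder's role justifies. The CSV columns, the role-to-area table, the 180-day inactivity threshold and the sample rows are all constructed assumptions; real vendor exports differ.

```python
# Added example (not from the article): flag discrepancies in an access-control
# credential export, following audit steps 3 and 4. The CSV layout, role table,
# threshold and sample rows below are constructed assumptions.
import csv
import io
from datetime import date

# Constructed sample export: one row per credential the system reports.
SAMPLE_EXPORT = """\
credential_id,holder,holder_status,role,areas,last_used
F-1001,Pat Jones,active,staff,main;office,2024-05-20
F-1002,ABC Renovations,active,contractor,main;office;mechanical,2021-11-03
F-1003,Sam Lee,departed,volunteer,children,2024-03-01
F-1004,Chris Kim,active,volunteer,main;children,2024-05-28
F-1005,installer,active,vendor,main;office;children;mechanical,
"""

# Areas each role is expected to need; anything beyond this is over-provisioned.
ALLOWED_AREAS = {
    "staff": {"main", "office", "children"},
    "volunteer": {"main", "children"},
    "contractor": {"main", "mechanical"},
    "vendor": {"main"},
}
INACTIVE_DAYS = 180  # "not used in months" threshold (assumption)

def audit_credentials(export_text, today_iso):
    """Return {credential_id: [finding, ...]} for credentials needing review."""
    today = date.fromisoformat(today_iso)
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        issues = []
        if row["holder_status"] != "active":
            issues.append("holder no longer with organization")
        last = row["last_used"]
        if not last:
            issues.append("never used")
        elif (today - date.fromisoformat(last)).days > INACTIVE_DAYS:
            issues.append(f"inactive for more than {INACTIVE_DAYS} days")
        areas = set(row["areas"].split(";"))
        extra = areas - ALLOWED_AREAS.get(row["role"], set())
        if extra:
            issues.append("access beyond role: " + ",".join(sorted(extra)))
        if issues:
            findings[row["credential_id"]] = issues
    return findings

if __name__ == "__main__":
    for cid, issues in audit_credentials(SAMPLE_EXPORT, "2024-06-01").items():
        print(cid, "->", "; ".join(issues))
```

Each flagged credential maps to one of the Step 4 discrepancy categories, so the output doubles as the remediation list for Step 5.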
Specific findings we see commonly.
Having conducted access audits for many clients, we see recurring patterns.
The retired pastor
A retired or departed pastor who still holds a master key to the church, by informal arrangement, that nobody has ever asked to be returned.
The contractor from the 2021 renovation
A general contractor who was issued a fob during construction and whose fob was never deactivated when the project ended.
The alarm code everyone knows
A four-digit alarm code that has not changed since installation. Every current and former employee and volunteer has had it at some point.
The cleaning service
A cleaning service that was given after-hours access during a specific contract. The contract ended two years ago, but the access was never revoked.
The admin account
An administrative account on the camera system that was created by the installer during setup and has never been used by the organization, but remains active with full permissions.
The children’s ministry
A children’s ministry volunteer who left the organization (or let their background check lapse) but still holds a fob that opens the children’s wing.
Each of these is a specific, named, addressable finding. The audit surfaces them, and remediation is generally straightforward.
The verse describes discernment as the basis of prudence. Access control audits are a practical application. Seeing the credentials that are in circulation, understanding who holds them, and addressing the ones that should be retired is how organizational prudence takes operational form.
The ongoing rhythm.
Access control is a rhythm, not a one-time event. Establishing a sustainable rhythm means:
- Annual full audit of all credential types
- Quarterly check of credentials issued in the prior quarter and credentials belonging to people who departed
- Monthly review of electronic credential reports where available
- Event-triggered review: after staff changes, leadership transitions, significant contractor work
- Annual rotation of keypad codes on a scheduled basis regardless of turnover
The rhythm prevents the kind of drift that makes the next full audit alarming. Organizations that establish access control rhythms typically find their annual audits surface fewer findings over time, which is evidence that the rhythm is working.
The staff role.
Access control is not just a security function. It is a culture of discipline that extends across the organization.
Staff and volunteer responsibilities:
- Return keys, fobs, and badges when they depart
- Notify the access manager when a credential is lost
- Not share codes or credentials with others
- Use their own credentials, not borrowed ones
- Report suspicious access or credentials in circulation
The culture of appropriate credential use is part of the security program. Training should include access protocols. Onboarding should cover credential policies. Exits should trigger credential return.
The fDoS and audit context.
For organizations on fDoS engagements, access control audit is a scheduled quarterly activity, with an annual full review. For other organizations, the audit can be conducted internally or with outside support.
Internal audits benefit from external validation periodically. An outside auditor can identify patterns that internal staff have grown accustomed to overlooking.
The Southwest Florida context.
Specific regional factors:
- Seasonal contractors. Winter season brings more contractor activity (HVAC service, landscaping, pool maintenance). Credentials issued during this period should be tracked and retired at season end.
- Hurricane-related access. Post-storm recovery often involves emergency access granted to contractors, adjusters, and service providers. This emergency access should be specifically reviewed and cleaned up after the recovery period.
- Multi-generation volunteer bases. Many Southwest Florida organizations have volunteers who served for decades and hold credentials that were never formally reviewed. Intergenerational transition is a specific audit trigger.
Starting this week.
For organizations that have never conducted an access control audit, a starting exercise:
- Pull the report from your electronic access control system (if you have one). Review the first page for anomalies.
- Print your physical key inventory (or create one if it does not exist). Note any keys that you cannot account for.
- List every person who knows your alarm code. Rotate the code if the list exceeds current authorized users.
- Check the admin accounts on your camera system. Deactivate any you do not recognize.
- Schedule a formal audit for the coming quarter with a named owner and a documented process.
If your organization in Fort Myers, Cape Coral, Naples, or Port Charlotte wants help conducting an access control audit, we would be glad to facilitate. The work is fast. The findings are concrete. The improvements begin within days.
For senior living operators, access control audits connect directly to two higher-stakes specific applications: elopement prevention for memory care residents and medication room access control. Both are worth reviewing alongside a general access audit.