County Audit: badge access standards must tighten to protect staff, public and facilities

January 22, 2019

Secure access to Multnomah County buildings protect staff and the public while also safeguarding the County’s assets and confidential information. But improper access levels and poor controls over building access cards are currently posing an unacceptable security risk to County facilities.

Those are the findings of a recent audit delivered to the Board of County Commissioners at a board briefing on Tuesday, Jan. 22, 2019.  Of 1,920 access cards issued to new employees and visitors, investigators were unable to locate half of them. The report also found nearly 500 access cards that weren’t deactivated after employees left the County.

According to County leaders, that poses a security risk to the County’s 130 buildings, its 6,000 employees and the community it serves. 

“Because people come in and out of our buildings, we want them to feel safe,” County Auditor Jennifer McGuirk said. “A system that is working well, at a minimum, should reduce unauthorized physical access to our buildings. These systems should also reduce unauthorized access to the confidential information we have on our community members that we use to serve them.” 

(Left to right): Annamarie McNiel, Craig Hunt, County Auditor Jennifer McGuirk, and Chief Operating Officer Marissa Madrigal brief the Board of County Commissioners on a recent audit of County-issued access cards.

The review began in October 2018 after auditing staff discovered inadequate access controls in one County department while working on an unrelated project. Suspecting similar issues in other departments, the Auditor’s Office launched a full audit of all County-issued access cards.

After discovering hundreds of access cards that were unaccounted for, auditing staff promptly informed the County’s Facilities Department. The missing cards were then deactivated to prevent unauthorized access to County facilities.

Departments are responsible for monitoring their access cards, but auditing staff recorded issues including improper monitoring, limited security expertise, and poor communication. In some cases, the report found some departments hadn’t identified staff responsible for tracking access cards.

“We’re 150 years old — we started small,” Chief Operating Officer Marissa Madrigal said. “We’re a lot bigger now and our security needs are different.”

To lower risk, the audit encouraged County managers to define their security goals and strengthen security policies and procedures. Auditing staff also urged departments to better train staff on building security, better track and monitor their own access cards, and allow only the minimum access level needed for employees to conduct their work.

The Auditor’s Office is expected to review the County’s progress in tightening security in one year. At that point, the office will report on how well County departments have responded to their recommendations and evaluate whether any additional steps must be taken to improve County security.

“We have been lucky we haven’t had a major incident,” Chair Kafoury said. “We do need to weigh the level of security we have and the ability for the public to have access to these buildings.”