Imagine reconstructing history without important documents such as constitutional amendments, peace treaties and records of significant events. How many different accounts of the same events would there be? How different would our understanding of the world be? On a smaller scale, that’s why it’s important to have accurate records of how your business’s keys are used.
Relying on an employee’s word or making assumptions based on the circumstances simply won’t cut it. You must have a reliable key control audit trail.
What Is a Key Control Audit Trail?
A key control audit trail captures specific details about the history of an employee’s interactions with a specific key:
- Who accessed the key
- When they removed it
- Why they removed it
- Who authorized the transaction
- When the key was due back
- When it was actually returned
With a verifiable record of these details, a company can build a historical record of key-related activity within the business. If the audit trail doesn’t exist or isn’t reliable, the organization is forced to rely on conjecture and employees’ versions of events.
To help you learn from others’ mistakes, we’ll examine two real-life examples demonstrating the consequences of a poor audit trail and explain what you should do instead.
Poor Audit Trail 1: A Dealership Goes to Court
For one dealership, a poor audit trail resulted in costly legal action. A dealership employee used one of his employer’s vehicles to run a personal errand on his lunch break and rear-ended a couple who then brought a lawsuit against the dealership.
The jury found that the dealership had given the employee implied permission to use the vehicle based on its policies for vehicle use (or lack thereof) and method for controlling access to keys. Described in the case summary as “an elaborate process,” the dealership’s key control procedure involved keeping keys in a shack staffed by an attendant. The key-issue process included the following steps:
- Request Keys — Employees needing access to a vehicle approached the window of the shack to request the keys they needed.
- Complete a Key Request Tag — Either the employee or the shack attendant filled out a key request tag containing the date, time, vehicle stock number, name of the person requesting the keys and the vehicle’s destination (test drive, detail line, gas station, third-party vendor, etc.). Employees weren’t required to list the return time, and they could check out multiple keys at once.
- Update the Key Control Log — The attendant transferred the information from each tag to a key control log and hung the tags on a board in the shack. A new key control log was started each day.
- Highlight the Log Entry When the Vehicle Is Returned — When a vehicle was returned, the attendant highlighted the log entry. If the vehicle was returned on a subsequent day, however, the attendant didn’t always go back to the earlier date’s log sheet to highlight the appropriate record. At least one log showed vehicles being checked out in the early afternoon for detail work — a one- to three-hour job — and not being returned until late at night, indicating that employees didn’t always return vehicles in a timely manner.
Because one person was in charge of issuing keys and the dealership didn’t have a clear policy against using vehicles for personal reasons or without supervisor approval, employees assumed that if the shack attendant gave them keys to a vehicle, they were authorized to use it.
In addition, relying on one person to manage keys without any cross checks increased the risk of human error, and the data’s accuracy couldn’t be verified. Since keys weren’t always marked as returned and the vehicles’ gas, oil or mileage levels weren’t monitored, it was easy for unauthorized use of vehicles to go undetected.
Although the dealership insisted that employees weren’t allowed to drive vehicles for personal use, the jury ruled that the dealership’s lack of strict vehicle monitoring and lax key control processes implied tacit permission for employees to use the vehicles. Despite appealing the jury’s verdict, the dealership was held liable for $277,662 in damages.
Poor Audit Trail 2: A Prison Is Cited for Key Control Deficiencies
A 5,200-bed state corrections facility is required to undergo annual audits conducted by the state’s Office of Inspector General. One of the audit categories reviews how keys are stored and accounted for in each unit within the facility. In one year’s inspection, the audit uncovered several problems with the facility’s key control records:
- Inaccurate Key Inventories — In several units, key inventory records didn’t match actual key stock. There were keys that were shown as on-site but were actually out for repair, a master key inventory that was off by several sets, recorded key numbers that didn’t match the number printed on the keys, and multiple key rings stored on single hooks with the additional sets not recorded in the key inventory.
- Improperly Completed Key Logs — Some units had key control logs in place, but the logs weren’t completed properly, and keys weren’t always marked as returned. For example, of the 17 times emergency keys were signed out in one unit, the keys were marked as returned only 10 of those times. In the main control unit, returned keys weren’t signed back in or placed in key boxes until an hour after shift changes.
- Missing Historical Records — One unit was required to keep on file a monthly report showing the inspection and inventory of all keys, but the key control officer didn’t have any master key inventory records older than three months. Of the past inventories that did exist, the corrections officer didn’t have copies available for review.
- Separate Data Sources — The master key inventory and total number of keys on hand were documented in separate reports.
- Unauthorized Key Use — Inmates possessed keys without written authorizations on record.
The facility’s key storage methods and manual, paper-based processes made it difficult to keep an accurate audit trail. For example, when storing multiple key rings on a single hook, it was difficult to see how many sets of keys there actually were, which led to the wrong number of key rings being recorded.
Employee training and accountability issues resulted in key control logs not being updated in a timely manner — if at all. It was also problematic that key-issue authorizations weren’t always completed and there wasn’t an effective process for storing and accessing historical records.
The deficiencies in the key control audit added to the correctional facility’s compliance burden, since it had to correct all the key control problems it was cited for, in addition to issues cited in other categories. Worse, the inaccurate records would make it easier for missing keys to go unnoticed, increasing security risks.
Best Practices for Creating and Maintaining an Audit Trail
Regardless of your industry or the types of keys you manage, there are typically two culprits for inadequate audit trails: manual processes and lack of employee accountability. To create and maintain a verifiable audit trail that’ll help you avoid unauthorized key use and liability, follow these best practices:
- Move away from manual logs and digitize the key control record by using an electronic key control system.
- Ensure you capture all pertinent details of a transaction, including who took the key, why they took it, when it was removed and when it was returned.
- Store keys in such a way that they can be easily found within the system and can’t be accessed without authorization.
- For sensitive keys, automatically record which manager or supervisor authorized someone to have a key (e.g., by requiring both an employee and their manager to log in to an electronic key control system in order to check out certain keys).
- Set due dates for keys and enable text or email alerts for when keys aren’t returned on time.
- Have a way to easily run reports of key activity.
- Back up data to ensure you have a copy of your key access history.