Corporate Security: A New Imperative for Internal Audit

February 12, 2025

Considering the escalating risks, organizations must prioritize corporate security audits as a cornerstone of their risk management strategy. By doing so, they can safeguard their most valuable assets—their people—while mitigating potential liabilities and ensuring compliance with evolving regulatory requirements. The time to act is now.

The Call to Action: Prioritize Corporate Security Audits

The tragic murder of the United Healthcare CEO served as a stark wake-up call for corporations worldwide, a chilling reminder of the vulnerabilities faced by senior executives and employees in an increasingly volatile environment. In the aftermath of the incident, organizations swiftly removed public profiles of executives from corporate websites, scrambled to enhance executive protection measures, and sought advanced online sentiment monitoring services. This event underscored a sobering reality: employees, particularly those in leadership roles, could become targets of violence solely due to their association with an organization.

This unprecedented safety and duty of care dynamic has exposed significant gaps in risk management, liability, and compliance frameworks. Many organizations are now confronting risks they had previously overlooked or underestimated. As a result, corporate security departments are being thrust into the spotlight, tasked with safeguarding physical assets and employees’ lives. Simultaneously, Boards, Audit Committees, and Risk Committees are turning to their internal audit functions—the third line of defense—to provide clarity, assurance, and actionable insights into these emerging risks.

Historically, corporate security has rarely been a focal point for internal audit. However, the evolving risk landscape demands a paradigm shift. As someone with a background in both internal audit and physical security, I have witnessed firsthand the growing emphasis on auditing corporate security functions and executive protection programs. While I have conducted such audits periodically throughout my career, this remains an uncommon practice in many organizations, primarily due to the limited availability of auditors with expertise in both domains.

Today, corporate security audits are no longer optional but critical to robust risk management. Organizations must assess the maturity of their security programs, evaluate the effectiveness of executive protection measures, and address potential compliance and tax implications associated with these controls. For instance, specific executive protection measures may be classified as perks or fringe benefits, necessitating careful consideration from both a risk and regulatory perspective.

This is a rapidly evolving field, and organizations must act swiftly to adapt. I have been privileged to lead corporate security audits, maturity assessments, and risk workshops, helping organizations navigate this complex and often unfamiliar terrain. The time has come for internal audit functions to embrace this new responsibility, ensuring that corporate security risks are identified, assessed, and managed effectively.

If your organization seeks to benchmark its security practices, enhance its risk management framework, rationalize and optimize security spend, effectively communicate physical security risk to leadership, or explore the latest trends in security metrics, I invite you to connect. Together, we can address this critical aspect of corporate governance and ensure that your organization is prepared to meet the challenges of an increasingly uncertain world.