EP-CP Blog

Security Company Compliance Audit Checklist — AU & US

Published 10 April 2026

Compliance audits are an inevitable part of running a security company, whether triggered by a regulatory body, a client's due diligence process, or your own internal review cycle. For companies operating across Australia and the United States, the complexity multiplies — different states, different regulators, different insurance requirements, and different documentation standards. The companies that treat compliance as an ongoing discipline rather than a periodic scramble are the ones that pass audits without disruption.

This checklist covers what auditors typically look for, organised by category, with notes on jurisdiction-specific requirements for both Australian and US operations.

1. Business Licensing & Registration

The foundation of any compliance audit starts with whether your business is legally authorised to operate as a security provider in every jurisdiction where you deliver services.

  • Australia: Master security licence for the business entity in each state where you operate (NSW Security Industry Act 1997, VIC Private Security Act 2004, QLD Security Providers Act 1993, etc.)
  • United States: State-level security company licence or registration — requirements vary significantly by state (California BSIS, New York DOS, Texas DPS, Florida DLSS)
  • ABN/ACN registration (AU) or EIN/state business registration (US)
  • Current business insurance certificates of currency
  • Any industry-specific permits (firearms, crowd control, investigation)

Auditors will check that every licence is current, matches the legal entity operating, and covers the specific class of security work being performed. A company licensed for static guarding may not be covered for close protection work in some jurisdictions.

2. Operator Licensing & Credentials

Every operator deployed on your missions must hold a valid individual security licence for the jurisdiction and class of work they are performing.

  • Individual security licences for each operator — verified as current, not expired, suspended, or cancelled
  • Licence class matches the work performed (bodyguard/CP class specifically in AU states that differentiate)
  • Copies of licence documents on file — front and back, or digital verification records
  • First aid certifications (HLTAID011 in AU, equivalent in US) — typically must be current within two to three years
  • Responsible Service of Alcohol (RSA) where applicable
  • Any additional certifications required by client contracts

Platforms like EP-CP automate much of this by maintaining a verified credential database for every operator, with automated expiry alerts that flag documents before they lapse. This shifts compliance from a reactive exercise to a continuous, automated process.

3. Insurance Verification

Insurance is where many security companies fall short during audits — not because they lack coverage, but because documentation is incomplete or policies have lapsed without notice.

Australian Requirements

  • Public liability insurance — typically A$10M to A$20M minimum
  • Professional indemnity insurance
  • Workers compensation insurance for every state where operators are engaged
  • Certificates of currency must be current — not expired, not pending renewal

US Requirements

  • Commercial general liability (CGL) insurance — typically US$1M to US$5M
  • Errors and omissions (E&O) insurance
  • Workers compensation per state requirements
  • Umbrella/excess liability for larger contracts
  • Auto liability if company vehicles are used

Auditors will verify that coverage amounts meet both regulatory minimums and client contract requirements. They will also check that subcontracted operators carry their own insurance or are covered under your policies.

4. Training & Competency Records

Training documentation demonstrates that your operators are competent to perform the work they are assigned. Auditors want evidence, not assurances.

  • Induction training records for all operators — site-specific and company-specific
  • Ongoing training logs — dates, topics, duration, trainer details
  • Use of force training and assessment records
  • First aid refresher training
  • Equipment training (communications, surveillance, vehicles)
  • Client-specific training where required by contract
  • CPD (Continuing Professional Development) records where applicable

Best practice is to maintain training records digitally with sign-off from both the trainer and the operator. Physical sign-in sheets get lost. Digital records with timestamps do not.

5. Incident & Reporting Documentation

Your incident reporting system tells auditors whether you take operational governance seriously or treat it as an afterthought.

  • Incident report forms — standardised format with date, time, location, personnel involved, description, actions taken
  • Evidence that incidents were reported within required timeframes
  • Escalation records — who was notified and when
  • Post-incident review documentation
  • Corrective action records — what changed as a result of the incident
  • Near-miss reporting (demonstrates proactive safety culture)

6. Workplace Health & Safety (WHS/OSHA)

Security companies have specific WHS obligations as a Person Conducting a Business or Undertaking (PCBU) under Australian WHS law, and under OSHA in the United States.

  • WHS/OSHA policy document — current, signed by senior management
  • Risk assessments for each site and mission type
  • Safe work method statements (SWMS) for high-risk activities
  • Hazard reporting and resolution records
  • PPE provision and maintenance records
  • Emergency response procedures for each operational environment
  • Worker consultation records — evidence that operators are consulted on safety matters

7. Employment & Contractor Compliance

Whether your operators are employees or contractors has significant implications for tax, insurance, superannuation (AU), and workers compensation.

  • Employment contracts or contractor agreements for every operator
  • Correct worker classification under ATO guidelines (AU) or IRS guidelines (US)
  • Superannuation compliance (AU) — paid quarterly, correct fund details
  • Tax withholding compliance — PAYG (AU), W-2/1099 (US)
  • Working With Children checks where applicable
  • Right to work verification — visa status for non-citizens

8. Data & Privacy Compliance

Security companies handle sensitive personal information about both operators and clients. Privacy compliance is increasingly scrutinised.

  • Privacy policy — current and accessible
  • Data collection notices provided to individuals
  • Secure storage of personal information — encryption, access controls
  • Data breach response plan
  • Compliance with Australian Privacy Act 1988 / US state privacy laws (CCPA, etc.)
  • Surveillance and monitoring disclosures where CCTV or body cameras are used

9. Operational Procedures & SOPs

  • Standard Operating Procedures for core service types (static guarding, close protection, event security)
  • Mission briefing templates and distribution records
  • Communication protocols — including encrypted messaging policies
  • Escalation procedures with contact details
  • Quality assurance processes — how you review and improve operations

10. Record Keeping & Document Management

Finally, auditors assess whether your document management system itself is fit for purpose.

  • Centralised document storage — not scattered across email threads and personal devices
  • Version control — evidence that documents are reviewed and updated regularly
  • Access controls — who can view and edit compliance documents
  • Retention policies — how long records are kept (typically five to seven years minimum)
  • Backup procedures — disaster recovery for compliance records

EP-CP provides a centralised compliance dashboard that tracks all of these elements across your entire operator network, with automated alerts for expiring documents and real-time compliance status visibility. This turns what would otherwise be a quarterly scramble into a continuously maintained system.

Preparing for Your Next Audit

The best way to prepare for a compliance audit is to operate as though one could happen tomorrow. That means treating compliance documentation as an operational discipline, not a filing exercise. Run internal audits quarterly. Assign a compliance owner. Automate what you can. And keep your records in a single, accessible system that any auditor can navigate without spending hours hunting through folders.

Companies that invest in compliance infrastructure — whether through platforms like EP-CP or through dedicated compliance staff — consistently pass audits faster, with fewer findings, and with significantly less disruption to their operations.
