ACS Stage 2 - The feedback

This is a follow-on from our Stage 1 debrief here:

Well. It's been a protracted journey to say the least, what with Covid restrictions frustrating the issue, but I'm pleased to say that we're finally through our first ever ACS Passport audit. The result? I couldn't be happier! Had you asked me after the first half of the audit, it would have been a different story and procedure manuals may have been tested for flight out of frustration, but we got there.

So, what happened, and how did it go? And would I recommend it to other security companies? Read on!

For anyone reading this that's not in the security industry - firstly, you must be bored... But secondly, a little glossary - AIs = Assignment instructions (for some reason we don't call it a method statement within security, but it's our method statement), and RAs = Risk Assessments.

Firstly, we had two options - we could have gone with traditional ACS accreditation and ISO9001 accreditation, or we could have gone with the Passport. As we had never had our quality system audited. The main difference between the two that I can see is with the traditional route we'd be given an ACS score to brandish, and relieved of a few quid more where it would have cost a bit more (two audits, lots of common ground) - so for me it was a no brainer to go with the ACS Passport. We're still assessed to the same standard, but instead of being assessed against the standards separately, the auditor is allowed to audit against both standards at the same time.

Day One

Due to the pesky pandemic, like so many modern meetings the first half of our audit was carried out via the wonderful medium of Microsoft Teams, and I have to say, it worked pretty well. We were able to jump on and off of calls with the auditor as and when he needed clarification, and were able to send him example docs over quickly and easily using OneDrive. For the most part, our audit ran relatively smoothly. If you've read my blog post written after the stage 1 audit you'll see I've been very honest about my anxieties going in to the whole process; whether you use the modern phrase and call it "imposter syndrome", or whether you simply say I wasn't convinced we'd be deemed good enough, the anxieties had eased, but not gone away as we came in to the second stage of the audit. Before the audit, I went through the procedure manual again, making sure that the digital copy and paper master (yes, I still like a paper master!) were both carrying the latest versions of the documents. When I was happy the versions were correct, I sent a massive document bundle up to a shared directory for the auditor which contained our quality manual, all policies and procedures, and examples of forms, data output and so on. Prior to the audit, we'd been sent the checklists for each standard we were being assessed on; and man! So much duplication... Seriously... BS10800, BS7858, BS7984-1, BS7984-3 & good old BS7499 - and each checklist had at least 5 questions the same, so I plugged through and answered all the questions, making a few semantic changes to the procedures I'd just bundled and sent off to make sure they reflected what the standard needed... Then I went through versioning checks again!

The day of the audit started with a briefing from the auditor on how the two days were going to go and what he needed to see from us and how he'd go away and do his thing, but could we stay on standby. The first thing we did was discuss the areas of concern raised from the stage 1 audit, allowing the auditor to confirm the remedial works had been carried out - which mostly they had. A couple of times throughout the day there were a few requests for further information - simple things, like *someone* forgetting to send the correct page of the insurance policies up to the shared folder, but other than that we'd not really have known we were being audited that day.

A quick catch up for lunch and the auditor hits me with a bombshell... "I've found a non-conformance. Your keyholding AIs don't appear to have a date on them" - He's right. They didn't! Our AIs are generated from our guard management system and we didn't have a mechanism for recording versioning information! "Oh, F£#k", I thought, that's a stupid oversight on my part. In the scheme of things it was a minor non-conformance and the assessor advised it wouldn't cause a fail. For me, I wasn't happy with this. I didn't want to carry any naughty-steppers over to the next stage, so out came the green pen and the notepad as I started sketching pseudo-code, flow charts and how I wanted the dog's bollocks of a versioning system to work. Basically, the assessor wanted a date on the generated AIs to tick the standard. Paul wanted a date on the AIs, a version number, change history, and a reporting facility to forewarn us when AIs and RAs are coming up for review in order to smash the standard out of the park. The perk of having in-house software which I've developed personally is that making a change like this is relatively easy to do, and within an hour or two, we were conforming!

The audit carried on throughout the day and we had a debrief at the end of the day, explaining what to expect on the second day, and that was that. We had a coffee in the office and decided that we felt good about the day.

Day 2

As I parked up outside our building for day 2, I looked at my email and found an email from the assessor stating that he'd evaluated our audit policy and decided it doesn't meet with the ISO9001 standard and isn't up to scratch. GREAT! After leaving day 1 on such a high, we're entering day 2 on a fail. The feeling that went through me is the same one that went through me when I left the kickstand down on my first bike test, then had to go through a full driving test knowing I'd already failed before I left the test centre car park. We'd failed. We'd f#!ked up. More to the point. I'd failed... I'd steam-rolled this through and we weren't ready. To be fair, I think the best description of me at that moment would have been more sulky and deflated than professional business person. Then Sam walks in with a double espresso with my name on it, then another one, then the programmer in me kicks in and the green pen comes out again as I start going through solutions. I have to say, in hindsight our assessor was very helpful and had a couple of templates on how we could do things; the problem was I didn't like them. The big problem with being a small company, a lot of our audit process is often spit-balling in the office about what works and what doesn't, so writing this down wasn't the easiest. The next problem we had is, we all muck in - the ability to independently audit a section of the business with no "skin in the game" becomes very difficult; meaning that I had to have a re-think. So, knowing Day 3 is a few weeks away, I put my big-boy pants on and decided I needed to put more thought in to the auditing so we could solve the non-conformance properly rather than shoe-horn something to achieve a pass. On with the day. With a bad mood.

Day 2 was the more tactile day of the two days - with much of the day being spent through screen-shares and demonstrating how we do various things through our guard management system. I started the day thinking our guard management system was "good, but functional", but by the end of the day and after speaking to the assessor I now firmly believe it's the most comprehensive software system behind any SME security company. We were able to demonstrate everything that needed to be done. We were able to show how our paperless systems work, and we were able to show large amounts of the business without leaving the screen.

After lunch, there were a couple of minor tweaks that had been picked up on - silly things like our quotes not having our VAT number on them and our quality statement not being on the website. Things I could change in a matter of seconds, so these changes were all carried out. Some good suggestions from the assessor on ways we can improve too - particularly on FREE training from ACAS which we could look at deploying, and on developing a safeguarding policy, something we'd discussed in the office at length and was actually on the to do list to look at implementing anyway - so it made sense to look in to this in further detail, but essentially, that was it. Day 1 and 2 of the audit were over!


As mentioned above, we had a major non-conformity which as it came in was the end of my world; it was the fly in the ointment between us being a good security company and us being "just another" security company. I gave it a day to digest the audit before even discussing it amongst the team; and at the point I discussed it, I'd already got a solution in mind and wanted to see if everyone thought it would work.

The two problems with our internal audit? Firstly impartiality, and secondly, it didn't fully cover the scope of ISO9001. Like I've alluded to, as a small team there's a lot of crossover - it could be any one of the ops team from director down that does a site check on a guard; it could be any one of the ops team who carries out screening on a particular staff member; multiple people could be involved in a complaint, so any area could potentially involve any one of us. The first thought was "well, Dave can audit Sam's bits, Paul can audit Dave's bits, and Sam can audit Paul's bits" - but the reality there was there would be so much duplication and it would get messy, so that wouldn't work for me. The next thought, which was where we decided to go with this was "What if a facilities professional from outside the business would be prepared to come down and audit us" - it makes sense to have someone come in who is completely impartial. Finding someone suitably qualified wasn't an issue - after 20+ years in the industry, I've enough contacts at management level and was lucky enough to have someone in mind who kindly agreed; but despite knowing the security trade and the facilities trade, she didn't know the inner workings of our business; this is where I set to work on rewriting the audit schedule and making it clear to anyone what needs to be checked.

How to re-write an audit schedule? Easy, take everything, make a list, and throw it together, right? I started the task by looking at the services we offer, and what needs to be audited about the services, what points need to be checked within each service and any potential pinch-points within our policies and procedures which need monitoring. I then set out a calendar for the year and started working out the sensible times of the year to carry out the different audit activities. Firstly, no audit activity in surge months - the lead up to the Christmas and Easter shut downs were blanked out. Next was about making things logical; things like auditing our financial activities at the start of the financial year and bundling things relating to marketing together, response service delivery together, and so on.

The next stage of dealing with the non-conformance was to print the relevant section of ISO9001, and go through each clause and make sure we were at least covering it, if not exceeding it, and going back to my uni days, making sure the checklist clearly referenced which clause it related to. I have to give credit to our assessor here, who was kind enough to cast his eye over the new schedule and make sure it was going to be suitable when in practice: It was. I've intentionally turned our audit schedule from a one page table to a 10 page behemoth of a document in order to include comprehensive information so in theory not only can any auditor pick it up and carry out a forensic analysis without being part of the business, but any client that wishes to see what we're looking at is welcome to do so.

Problem solved.

Day 3 - The Visit

After some back and forth between ourselves and ACM CCAS including a couple of cancelled dates, we finally managed to get a firm assessment date booked in; and that was that. Once we had the date, our MD was given an X-Ray appointment she'd been waiting for on that day, and our Operations Manager had a prior engagement that he couldn't get out of. On top of that, despite us trying to calm their nerves, we had very nervous staff who simply don't believe how brilliant they are and were scared they'd say or do the wrong thing. That aside, at 10:30 am, our audit began.

My confidence going in to day 3 was high. I know my team are good at what they do. I know we're picky about who we employ, and I know that our processes and procedures are all "real", so once the non-conformance was out of the way, today was going to be a doddle! 

What happened? Firstly, we looked at the non-conformances and confirmed that the audit procedures were now compliant with ISO9001 and the AIs now had dates and versioning. The morning was spent at the office and involved going through our screening procedures, training records and looking in a bit more detail at our systems and procedural compliance. The morning was an opportunity for Sam to prove she has a psychic ability, because each time the assessor needed to see something, she already had the correct file in her hand. We looked at our patrol & response tablets, confirming the security on them and the accurate data held on them; and then the assessor checked the vehicles to confirm that they're alarmed, locked, and fitted with decent safes. We looked at the tamper proof seals we use to secure our keys, and HE ACTUALLY TRIED TO PULL A SAFE OFF THE BULKHEAD OF A VAN!!!! Fortunately, he failed. Next, the assessor picked a few random key bunch numbers and we checked the audit trail on the seals and confirmed that the seal number on the keys matched those from the most recent audit. Everything was in order, and we demonstrated the flow of a response call from logging to incident report generation - once this was done, we headed in to visit some clients and staff. I wasn't privy to the conversations that were had with the various parties, but as I understand it, the key areas that were addressed with clients were: Do we deliver. Do we solve problems effectively. With staff, it was: Is your job clear to you. Are you paid correctly. Are you suitably trained. Can you approach management. And that was that! Day 3 seemed to flow very well and I spent the day positive that my guys had done everything we needed to do in order to get a nice solid pass.

I'm still waiting on the final summary report and certificates, but as we debriefed, I was informed that we have no non-conformities and that the assessor is confident that we meet the standard; a week on, I'm still walking on air. A little old security company that was started on the back of a fag packet 10 years ago and has steadily grown was able to achieve the high standards needed to get accredited and achieve the coveted and much-demanded Approved Contractor Scheme.

Would I recommend it?

If you're still reading, and there's a chance you are - I'm assuming you're either a CCAS employee checking I've not told any porkies, or you're most likely the director of a small security company who's contemplating the jump in to the world of accreditations. When it comes to ACS, we've plodded along for some time without it, and I've always seen it as paying to prove you're what you say you are. As we've grown, the type of contracts and the type of competitors out there who are scamming the system have changed; more and more often, the way clients select a supplier is to ask for ACS because they perceive it as a starting point to a gold standard. If you're a decent operator and you know in your head you're a decent operator, I would say the process is definitely worth the end-result.

When we started our ACS journey, I treated it as a stress test of our business. I wanted to see how far from the standard we are; and did this using the old ACS Workbook and myself and Dave sitting around the table in the meeting room cross-referencing our procedures, identifying gaps and filling them as we went. When it became clear that for the most part we were already doing what the standard dictates, I brought it to the management team and said I wanted to proceed with accreditation. 

The key thing for me is this: Our policies and procedures are from the heart and written in house. The content of our procedure manual and our guard management systems are the life-blood of the company and when we've tweaked our procedures to fit the standard it's not been about padding and puff, it has been about learning how we can better do things and implementing these; the tick in the box comes naturally when the improvement has been made. If you're in the industry and running a solid business, I would suggest in the first instance to simply write down what you do - you'd be surprised how much you already have. I did look at the procedures from one of these copy & paste certificate mills, and they went in the shredder within an hour or two of receiving them: they were terrible! Documents that had been botched together where they'd been stolen from people in the industry who I have respect for (EXIF data proved this), and when I said "this is nothing like how we do business" I was told "you'll need to change in line with the procedures" - not something I was prepared to do when the hashed together procedure manual would have made us inferior to how we are now. For this reason, amongst others, I think the way we've done this is the right way and the road to ACS has been largely organic for ourselves. If anyone is thinking about it, drop me a message on LinkedIn, or give me a call - I can't promise to be an expert, but I'm more than happy for you to buy me a coffee and discuss how bits from our journey help you on yours in more detail.

And Finally.

As cliché as it may be - we could not have done this without a brilliant team. My MD, Ellinor, who has let me run with this and take lead. Dave Martin & Sam Edwards who make up my ops team and have helped me endlessly; both in fine tuning the procedures over the years, and helping get us ready for audit. Finally, a massive debt of gratitude is owed to our guard force. I genuinely believe that right now I have one of the best teams I've ever had in any business. Thank you to those of you who spoke with the assessor as part of this audit, and thank you all for doing what you do when you come to work.

As soon as the certificates arrive, the SIA ACS application is ready to be submitted; hopefully it won't be too long until we've got a little blue badge that says we're doing it right.