How often should an alarm system be tested?

Every 90 days at minimum. Once a year is not enough. Alarm systems are a collection of sensors, panels, communication paths, and monitoring service agreements, any of which can fail silently. Quarterly testing catches failures before they surface in an emergency.

What is an 'access control audit'?

A systematic review of every key, fob, code, and digital credential that grants access to your facility or systems. It answers four questions: who has each credential, when they last used it, whether they still need it, and what happens to it when they leave. Most facilities have not done this exercise in years.

Should we be changing our keypad code?

Yes, on a schedule that matches staff turnover. If your keypad code hasn't changed since the last three people left your organization, it is no longer a secure code. Most facilities we audit find at least one code that a former staff or volunteer technically still knows.

What's the difference between a security system and a security program?

A system is the hardware and software. A program is the people, policies, and routines that make the system do useful work. A locked door is a system. A protocol that specifies when it is locked, who has keys, and how lost keys are handled is a program. Systems without programs are expensive furniture.

security audits 8 min read

Alarms, Access Control, and the Technology Posture Review

Your alarm and access control only work if they are configured, tested, and actively managed. Here's what a technology posture review actually checks.

By P23 Security · 2026 · Serving Southwest Florida, Fort Myers, Cape Coral + more

A keypad access panel at the entrance of a Southwest Florida facility at dusk

The alarm worked. Nobody answered.

A church in Charlotte County had its motion alarm trip on a Tuesday night. The panel armed. The sensor detected. The monitoring service received the signal. Everything on the system side performed as designed. No one answered the follow-up call from monitoring because the primary contact on the account had retired eighteen months earlier and the record had never been updated. The secondary contact’s number was disconnected. By the time a sheriff’s deputy was dispatched on a general welfare check, two hours had passed.

Nothing had actually happened that night, which is the only reason the story is a cautionary tale and not an incident report. The system worked. The program did not.

What a technology posture review covers.

The technology posture review is one part of a full security audit. It does not evaluate whether you have the right hardware. It evaluates whether the hardware you have is configured, tested, staffed, and integrated into the rest of your program.

The alarm system

We audit alarms across six dimensions:

Sensor coverage: which zones are monitored, which are not, and why
Panel configuration: arming zones, partitions, entry/exit delays, panic functions
Communication path: cellular, IP, landline, and the fallback logic between them
Monitoring service: contract terms, call list, verification protocol, response time
Test discipline: when was the last full test, what was tested, who has the log
User codes and credentials: who has them, when they were issued, when they should be revoked

Access control

Access control is the broader category that includes physical keys, electronic fobs, keypad codes, badges, and increasingly, mobile credentials. The review asks the same questions regardless of technology:

Who has the credential?
When did they last use it?
Do they still need it?
What is the process for revoking it?

20-40%

of active access credentials at a typical facility belong to someone who no longer needs them

P23 audit observations

The number is not a guess. We have pulled credential audits from small nonprofits, churches, and senior living facilities across Lee and Collier counties and consistently found a quarter to nearly half of active credentials orphaned.

Technology integration

The single most overlooked category in a technology posture review is integration. Specifically, the handoffs between systems.

Does the camera record when the alarm trips?
Does the access control log sync with the security system?
Is there a unified incident timeline, or three separate systems that each have part of the story?
If the internet drops, what still works?
If the power drops, what still works?
If the cell tower goes down, which is common during major storms in Southwest Florida, what still works?

Integration is where well-intentioned systems often fall short of the combined capability they could have. A good review identifies where integration would produce outsized return.

The audit of human credentials.

Physical keys and fobs behave like access control in every way except the ability to audit them digitally. We find them in every facility, and they are almost always the weakest category.

Keys

For every physical key that opens any door at your facility, the audit asks:

Who has it?
When were they issued it?
What doors does it open?
When did they last actually use it?
Do they still need it?

Most organizations have trouble with question 1 and cannot answer questions 4 or 5 at all. That is a finding.

Fobs and access cards

Electronic access credentials are easier to audit and easier to revoke. They are still frequently mismanaged. Common findings:

Credentials assigned to people who no longer work or volunteer at the facility
Credentials assigned to vendors whose contract has lapsed
Shared credentials used by multiple people, so the log shows “the cleaning crew” without telling you which member of the cleaning crew
Credentials with 24/7 access when they should have time-limited access

Keypad codes

Codes drift worst of all. We audit them by pulling the code list, comparing it to the current authorized list, and reviewing the last time each code was changed. A code that hasn’t changed in 18 months at an organization with typical staff turnover is almost certainly known by someone who no longer belongs to the organization.

Monitoring contracts: read them again.

Alarm monitoring contracts are not well understood by most of the organizations that hold them. The contract specifies what the monitoring company will do when a signal arrives. The details vary widely:

How many calls do they attempt before dispatch?
Which numbers do they call, in what order?
What verification do they require before dispatch?
What is the contractual response time?
What happens if your contact list is out of date?

We routinely find monitoring contracts where the called number is a cell phone belonging to someone who left the organization years ago. The contract is valid. The call chain is broken.

Contract review cadence

Annual, at minimum. Every time a key staff member changes, at additional minimum. The cost of the annual review is small. The cost of discovering during an incident that your call list is stale is very high.

The Southwest Florida variables.

Our region introduces factors that affect technology posture specifically:

Lightning. Florida leads the United States in lightning strikes per square mile. Unprotected security electronics are one of the most common lightning-related losses in Fort Myers, Cape Coral, Naples, and Port Charlotte. Whole-facility surge protection, and individual surge protection on critical security components, is not a premium feature. It is a maintenance baseline.
Hurricane readiness. Hurricane Ian in 2022 demonstrated what happens when a major storm takes out commercial power, cellular service, and internet connectivity simultaneously. Security systems that rely on any single path of communication are at risk during named storms. The organizations that performed best had cellular backup with battery power that could span a multi-day outage.
Seasonal staffing. The snowbird season brings volunteer turnover, temporary staff, and increased foot traffic. Organizations that do not tighten their credential management in season end up opening the new year with a significantly expanded access list that includes several people who are no longer present.

The parable is about readiness, not paranoia. The charge is to live as if readiness matters. Technology posture review is the practical version of that charge for physical facilities.

What the review produces.

A technology posture review delivers:

A written inventory of every active security system and monitoring relationship
A credential audit, with specific findings by category (keys, fobs, codes, logins)
A monitoring contract review with flagged gaps and recommended updates
An integration map showing where systems do and do not talk to each other
A prioritized list of findings, rated by risk and implementation cost
A replacement and maintenance schedule for aging hardware

The deliverable plugs into the broader audit report and the 30/60/90-day action plan. It is a tactical document, meant to be used.

A starting exercise.

If a full review is not on the calendar, this week’s homework:

Pull your monitoring contract. Read the first two pages. Note the called numbers and compare to your current contact list.
Run a full alarm test. Trip every zone. Confirm the panel reports, confirm monitoring receives, confirm the call chain starts.
Change your keypad code. Notify only current authorized staff. This is the simplest fix in security and one of the highest yield.
Print your fob or badge roster. Mark every name that no longer belongs. Revoke those credentials before the end of the week.
Document who has which physical keys. If you cannot, that is itself the first finding.

Technology is a promise, not a program.

The alarm on your wall is a promise that someone will respond when it triggers. The fob in your volunteer’s hand is a promise that your facility’s access list matches your intention. The camera in the lobby is a promise that what happens there will be recorded, retrievable, and reviewable.

Every one of those promises is only as good as the program behind it. A technology posture review is the discipline of checking those promises against the reality. Most organizations we work with in Southwest Florida leave a review with a clearer picture, a cleaner credential list, and a tighter monitoring contract. That clarity costs far less than the alternative.

If you want fresh eyes on what your technology is actually doing, we would be glad to walk your systems and tell you plainly what we find.

Serving Southwest Florida · Fort Myers · Cape Coral · Naples · Port Charlotte

Ready when you are

An honest audit, written the way a human writes.

Flat-rate. Plain-English report. 30/60/90-day action plan. We audit. You decide.

Request a flat-rate audit

Related Insights

Keep reading.

All insights →

A wall calendar with security priorities marked at 30, 60, and 90 days

security audits · 7 min read

The 30/60/90-Day Security Action Plan Explained

A good audit ends with a 30/60/90-day plan. Here's how P23 decides what goes where, why pacing matters, and how to use the plan with leadership.

Read → P23 Security · 2026

Two side-by-side audit reports from consecutive years on a desk

security audits · 7 min read

How an Annual Audit Fits Inside an fDoS Engagement

The annual audit inside a fractional Director of Security engagement is more efficient, more focused, and more comparative than a one-time audit. Here's why.

Read → P23 Security · 2026

An auditor's hand sketching a facility layout at a Southwest Florida office

security audits · 8 min read

What a Walk-Through Security Audit Actually Looks At

A plain-English tour of what a professional security auditor sees in your building. Entry points, sight lines, access, lighting, and the things you stopped noticing.

Read → P23 Security · 2026