If you’re searching for hospital security audits, you’re probably trying to solve a real operational problem, not just “tick a compliance box”. Maybe your team is dealing with aggressive behaviour in the ED, unauthorised access after-hours, missing assets, duress calls that aren’t getting handled cleanly, or pressure from leadership to show you’ve got effective controls in place.
A good hospital security audit gives you a clear, evidence-based view of what’s working, what’s not, and what to fix first. It should translate security into practical actions that improve staff and patient safety, reduce incidents, and stand up to scrutiny.
This guide explains what hospital security audits should cover, how the process typically works, what common gaps look like in real facilities, and how to get value from the outcome in a Perth and Western Australia context.
What is a hospital security audit?
A hospital security audit is a structured review of your security controls, procedures and operational practices. It aims to identify gaps, weaknesses and improvement opportunities across the areas that matter most in healthcare:
- protection of patients, staff and visitors
- protection of controlled drugs and sensitive areas
- protection of information and assets
- safe response to incidents, including aggression and violence
The AS 4485.1 standard is a key Australian reference point for healthcare security, and it sets expectations around policy, procedures and protective measures for people, drugs, information and property.
Audit vs risk assessment (and why hospitals often need both)
People often use “audit” and “risk assessment” interchangeably, but they’re not the same.
- A security audit checks how your current controls and processes perform against expectations (including your internal standards, operational needs, and relevant frameworks).
- A security risk assessment focuses more on threat/vulnerability analysis and risk treatment planning, often aligned to a formal risk management framework.
In WA health settings, risk management is a formal governance expectation, and the WA Health Risk Management Policy is a mandatory requirement under the WA Health policy framework.
In practice, many facilities use an audit to identify control gaps and a risk assessment to prioritise treatments, funding and governance.
Why hospital security audits matter right now in WA
Hospitals are complex, high-traffic environments with competing priorities. Security can’t be “set and forget”, and the pressure points shift as the facility changes.
Common reasons WA facilities commission audits include:
- rising aggression and violence risk, especially around ED, mental health presentations, and after-hours entry points
- leadership focus on staff safety, systems of work, and measurable controls
- inconsistent access rules across wards, contractors and after-hours operations
- CCTV coverage that exists but doesn’t reliably support investigations or early intervention
- duress systems that technically function but fail in real-world workflows
The NSQHS Comprehensive Care Standard explicitly includes actions aimed at predicting, preventing and managing aggression and violence, including having processes to identify and mitigate situations that may precipitate aggression.
A well-run security audit helps you show that the organisation understands these risk areas and has practical controls in place, rather than relying on individual staff “doing their best” in the moment.
What a hospital security audit should cover
A hospital security audit should look at controls as a complete system: people, process, environment and technology. Below are core areas that should be in scope for most Perth and WA hospitals, day hospitals, private hospitals, and larger health campuses.
Access control and key management
This is usually the biggest driver of avoidable security issues.
A good audit will examine:
- zoning and access levels (public, semi-public, clinical, restricted, critical)
- door and lock condition, including fail-safe vs fail-secure decisions where relevant
- access credential governance (issuance, deactivation, temporary access, visitor passes)
- key control and master key governance
- after-hours entry management, including who is allowed in, when, and how it is verified
- contractor access and loading dock controls
The AS 4485 series is designed around creating a safe and secure environment for workers, patients and visitors, and includes implementation guidance across security services and practices.
Duress, escalation and incident response
A duress system isn’t just a button. It’s an end-to-end response chain.
An audit should test:
- whether duress activations reach the right point (and with usable location info)
- response time expectations and what “good” looks like for different areas
- how duress calls are triaged, escalated and closed out
- training and drills (including new starters, agency staff, and ward-based refreshers)
- what happens after-hours, when staffing is reduced
- how incidents are recorded and learnt from
Where aggression and violence are part of your risk profile, the NSQHS actions point toward proactive processes and controls rather than reactive responses only.
CCTV coverage and investigative capability
A CCTV audit should be outcomes-based, not “camera-count based”.
It should assess:
- whether coverage aligns with incident types and high-risk areas
- image usability (identification, lighting, angles, obstructions)
- retention settings and export workflows
- who can access footage, under what authority, and how that’s logged
- whether cameras support early intervention (not just post-incident review)
In healthcare, CCTV often fails in the small details: blind spots at ward entry points, poor low-light performance, or cameras that don’t actually capture faces where decisions are made.
Security operations and guarding model
Even facilities with good technology can struggle if the operating model isn’t aligned to the real risk profile.
An audit should look at:
- patrol routes and timing (and whether they match incident patterns)
- post orders and role clarity
- incident response workflows between security, clinical teams and facilities
- communication methods, including handovers and escalation pathways
- how security supports patient guarding requirements where relevant
Environmental security and CPTED
Hospitals have predictable “risk transition points”, especially where public and clinical areas intersect.
A review should consider:
- lighting and after-hours visibility around entries, car parks and paths
- sightlines, concealment points, waiting areas and queuing behaviour
- signage and wayfinding that reduces frustration and conflict
- physical barriers and access control at vulnerable entry points
- car parks, stairwells, lift lobbies, and staff-only corridors
Standards and governance touchpoints that often shape audit expectations
For hospital security audits in Australia, the most commonly cited anchors include:
- AS 4485.1 (general requirements), which sets requirements for policy, principles and procedures to protect people, drugs/controlled substances, information and property.
- AS 4485.2 (procedures guide), which supports implementation and practical security procedures (often used to benchmark “what good looks like” operationally).
- NSQHS Comprehensive Care actions on managing aggression and violence risks.
- WA Health’s risk management policy expectations as a mandatory requirement in the WA system.
Practical note: you don’t need to turn an audit into a compliance thesis. You do want a report that is defensible, evidence-based, and aligned to the frameworks your executives and quality teams already use.
How the hospital security audit process works
A practical audit process usually looks like this:
1) Pre-audit information review
Typical inputs include:
- site plans (or at least high-level layouts)
- incident trends and hotspot locations
- access control and key governance procedures
- security SOPs and post orders
- duress workflows and response expectations
- relevant committee minutes or prior audit findings
2) On-site walkthrough (day and after-hours where it matters)
A walkthrough should focus on the real pressure points:
- ED and waiting areas
- ward entry points and restricted zones
- pharmacy/controlled drug areas (as applicable)
- loading docks and service corridors
- staff entries, car parks and after-hours paths
3) Stakeholder interviews
You’ll get the best findings by speaking with:
- nurse unit managers and clinical leads
- facilities/maintenance and access control administrators
- security supervisors and frontline officers
- quality/risk and HR where staff safety is a key driver
4) Findings workshop
A short workshop helps confirm:
- what’s genuinely broken vs a one-off issue
- which fixes are realistic within your operational constraints
- what should be prioritised immediately vs planned as staged works
5) Final report with prioritised actions
A strong audit report will include:
- clear findings written in plain language
- a prioritised action plan (quick wins and longer-term items)
- responsibility suggestions (who owns what)
- practical implementation notes (what “done” looks like)
Common gaps found in hospital security audits
These are issues that frequently show up in healthcare environments:
- access rules exist, but exceptions become the norm (doors wedged open, shared credentials, unmanaged contractor access)
- duress technically works, but staff aren’t confident in how it’s handled, or response varies by shift
- CCTV coverage exists, but key incident locations aren’t usable (poor angles, lighting, obstructions)
- inconsistent visitor management in semi-public areas
- after-hours entry points don’t have a clean verification process
- incident data isn’t being used to shape patrols, staffing, or security investment
These are fixable, but they need a clear plan and ownership, not just another policy.
Hospital security audit checklist (practical, WA-focused)
Use this as a quick internal sense-check before you engage an auditor.
Access and movement
- Do public, semi-public, clinical, and restricted zones have clear boundaries?
- Are staff-only doors propped open during busy periods?
- Are contractors and deliveries controlled, logged and supervised appropriately?
- Are credentials issued and removed consistently when roles change?
- Is key management controlled, tracked and reviewed?
Duress and response
- Do duress activations give accurate location information?
- Are response expectations documented by area (ED vs ward vs car park)?
- Are staff trained in when and how to use duress, including agency staff?
- Are there clear escalation pathways for aggression and violence incidents?
- Are incidents reviewed for trends and improvement actions?
CCTV and evidence
- Are high-risk areas covered with usable footage (not just “coverage”)?
- Are there blind spots at entries, waiting areas, or transition corridors?
- Is footage retention fit for purpose?
- Is export and evidence handling consistent and logged?
Operations and governance
- Do security post orders match current risks and incident trends?
- Are patrols targeted to hotspots and higher risk periods?
- Are handovers, escalation and clinical coordination consistent?
- Is there a regular review cadence (monthly/quarterly) for security performance?
- Do executive stakeholders receive useful reporting, not just incident counts?
Environment
- Are staff paths, car parks and entries well-lit after-hours?
- Are there concealment points near entrances and waiting zones?
- Are signage and wayfinding reducing confusion and frustration?
When to engage an independent security consultant
Hospitals often bring in independent support when:
- incidents are increasing or becoming more severe
- leadership wants an audit-defensible view of controls and gaps
- you’re planning upgrades (CCTV, access control, duress) and need a clear business case
- you’ve had a serious incident and need to demonstrate improvement actions
- you’re preparing for internal/external reviews and want confidence in your baseline
Independence matters because a hospital security audit should be about risk and outcomes, not selling hardware.
FAQs about hospital security audits
What does a hospital security audit include?
It usually covers access control and key governance, duress and response processes, CCTV coverage and usability, security operations, and environmental security across high-risk areas. In healthcare, it should also consider staff safety risks and how incidents are managed end-to-end.
How is a security audit different from a security risk assessment?
An audit checks whether your current controls and procedures are effective and being applied consistently. A risk assessment focuses on identifying threats, vulnerabilities and prioritised treatments, often aligned to formal risk governance expectations.
How often should hospitals do security audits?
Many facilities do a high-level review annually, with deeper audits when incident patterns change, services expand, or major upgrades are planned. The right frequency depends on your risk profile and change rate.
Do hospital security audits cover violence and aggression controls?
They should. Healthcare governance frameworks expect processes to identify and mitigate situations that may precipitate aggression and violence, and audits should test whether your controls work in real workflows.
What standards apply to hospital security in Australia?
The AS 4485 series is the key Australian healthcare security reference for requirements and practical implementation guidance in healthcare facilities.
How long does a hospital security audit take?
It depends on size and complexity. A single-site audit might be completed over days to a few weeks, including interviews, on-site review and reporting. Multi-building campuses and high-risk services typically take longer.
Next steps for Perth and WA healthcare facilities
If you want a hospital security audit that actually improves safety outcomes, start by getting clear on:
- the top incident types you’re trying to reduce
- the areas where staff feel least safe or least supported
- what “good” looks like for access, duress, CCTV and response
- who needs to sign off the outcomes (executive, quality, risk, facilities)
If you’d like to talk it through, contact us and we’ll help map out the most sensible next steps for your facility.


