Designing an Effective Door Access Audit Process: Lessons from The Ohio State University
Access control is a foundational component of campus safety and operational efficiency. At a recent NACCU NetworX Access Control session, Joshua Bodnar, Director of BuckID at The Ohio State University, shared a candid and comprehensive look into how his team approached the challenge of designing and implementing a scalable, practical audit process for door access.
From the outset, Josh framed the conversation around two deceptively simple words: appropriate and necessary. These became the cornerstones of their access philosophy, guiding not just how access is granted, but how it's reviewed and adjusted over time.
He opened the presentation with a series of everyday scenarios to drive home this principle. Should a custodian working the second shift in one zone have 24/7 access to the entire campus? Probably not. Does a faculty member really need access to every building when their work is contained to a single office? Again, unlikely. On the flip side, some roles, like campus police, absolutely require full, around-the-clock access. The key is context - matching access privileges to job duties and reevaluating them as roles change.
That reevaluation is where audits come in. Josh stressed that access needs change when someone switches jobs, leaves the institution, or takes on new responsibilities. Regular access audits are the only way to ensure permissions remain aligned with those changes. And it’s not just about good housekeeping. Poor oversight can compromise security, risk data breaches, and make institutions vulnerable to damaging headlines about unauthorized access or stolen equipment.
For Ohio State, developing an effective audit process meant identifying different types of audits. Some were straightforward, like checking who had access to which doors. Others required a deeper dive, such as reviewing when access was used or whether old access plans still made sense now that departments had moved or reorganized. The audits were tailored by context: a high-security lab might get weekly reviews, while general building access might only be reviewed once or twice a year.
One of the major shifts at Ohio State came in 2021, when they introduced a university-wide physical access policy for the first time. Prior to that, different departments had their own ways of managing access, with little consistency across the institution. It was common for employees to gain access when hired, but far less common for access to be removed when they left. The new policy mandated regular audits, access justification, and documentation. It also created a cross-departmental committee to coordinate between access control systems and share best practices.
Josh detailed how his team transitioned from a cumbersome, manual audit process to a streamlined, automated system. Using PowerShell scripts, they were able to pull access data, match it with HR records, and highlight anomalies like employees who had left the university but still had active access. These reports were emailed directly to designated departmental reviewers, who were required to respond for each entry with a clear “keep” or “remove” decision. Incomplete audits were not accepted.
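The matching step described above can be sketched as follows. This is an added example, not Ohio State's script: the CSV column names, the flag labels, and the sample rows are all constructed assumptions, and email delivery is left out (reports are written to the temp directory instead).

```powershell
# Constructed sample data. Column names are assumptions, not a vendor export schema.
$access = @'
CardholderId,Name,AccessPlan,PlanDepartment
1001,A. Rivera,Chem Lab 210,Chemistry
1002,B. Chen,Chem Lab 210,Chemistry
1003,C. Patel,Smith Hall General,Facilities
1004,D. Okafor,Smith Hall General,Facilities
'@ | ConvertFrom-Csv

$hr = @'
EmployeeId,Status,Department
1001,Active,Chemistry
1002,Separated,Chemistry
1003,Active,Housing
'@ | ConvertFrom-Csv

function Get-AccessAuditRows {
    param([object[]]$Access, [object[]]$Hr)

    # Index HR records by ID so each access assignment is a single lookup.
    $hrById = @{}
    foreach ($person in $Hr) { $hrById[$person.EmployeeId] = $person }

    foreach ($row in $Access) {
        $person = $hrById[$row.CardholderId]
        $flag = if (-not $person) { 'NO_HR_RECORD' }                      # unrecognized affiliation
                elseif ($person.Status -ne 'Active') { 'NOT_ACTIVE' }     # left, access still live
                elseif ($person.Department -ne $row.PlanDepartment) { 'DEPARTMENT_CHANGED' }
                else { '' }

        [pscustomobject]@{
            CardholderId   = $row.CardholderId
            Name           = $row.Name
            AccessPlan     = $row.AccessPlan
            PlanDepartment = $row.PlanDepartment
            Flag           = $flag
            Decision       = ''   # reviewer must enter keep or remove
        }
    }
}

$audit = Get-AccessAuditRows -Access $access -Hr $hr

# One report per owning department, flagged rows first, so the reviewer knows the people listed.
foreach ($group in $audit | Group-Object PlanDepartment) {
    $path = Join-Path ([IO.Path]::GetTempPath()) "door-audit-$($group.Name).csv"
    $group.Group | Sort-Object Flag -Descending | Export-Csv -Path $path -NoTypeInformation
    "{0}: {1} rows, {2} flagged -> {3}" -f $group.Name, $group.Count,
        @($group.Group | Where-Object Flag).Count, $path
}
```

With the sample rows, Chemistry gets one flagged entry (the separated employee) and Facilities gets two (a department change and a cardholder with no HR record).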
Designing access plans to support this audit process was equally important. Rather than creating broad access plans shared by multiple departments, Josh’s team now builds plans around specific roles and departments. This way, when audits are performed, they’re reviewed by someone who knows the users personally and can make informed decisions.
Ohio State’s access control environment is notably complex, involving multiple systems: NetBox for Student Life, Lenel OnGuard for academic and administrative buildings, and Genetec for the medical center and athletics facilities. Despite the fragmentation, Josh emphasized the importance of aligning efforts across these platforms through communication, governance, and shared policy.
One major milestone in this effort was the integration of the medical center’s badge system with the university’s central credentialing system, a massive project that involved rebadging 60,000 individuals. Despite the scale, the project brought enormous benefits in consistency and efficiency, allowing one card to work across all campus systems.
In wrapping up, Josh noted that while technical solutions are important, successful access audits depend just as much on people - training them, communicating clearly, and fostering collaboration between departments. It's about getting the right folks in the room, defining a shared vision, and sticking with it.
For any institution looking to improve their access control strategy, Ohio State’s experience offers a relatable, actionable path forward. From defining what access is truly necessary, to building automation tools that save time and reduce errors, Josh’s story is a masterclass in how to bring structure and security to a complex environment without losing sight of the people behind the process.
Getting Started with Your Door Access Audit Process
For institutions looking to build or improve their own door access audits, here are some actionable first steps:
Start with Definitions
Clarify what access is appropriate and necessary for different roles. This mindset will shape your policies and audit design from the ground up.
Assemble the Right Stakeholders
Bring together facilities, IT, security, HR, and key department leaders. A shared understanding and commitment are essential to building an enterprise-wide process.
Take Inventory of Systems and Plans
Document what systems you’re using, how access is assigned, and who currently has it. Identify which areas are high-security versus general access.
Define Your Audit Types and Frequency
Start with basic assignment audits. Over time, consider adding transaction history reviews and access plan evaluations. Frequency should vary by risk level.
Design Audits for the Reviewers
Align access plans with departments and roles so that reviewers know the people on the list and can make informed decisions.
Automate What You Can
Use scripting or reporting tools to generate and distribute audit reports. Highlight anomalies like inactive employees or unrecognized affiliations.
Require Clear Reviewer Input
Ask reviewers to explicitly indicate “keep” or “remove” for each individual. Avoid assumptions: a missing response should never equal approval.
Track and Follow Up
Keep a record of responses, actions taken, and outstanding audits. This is critical for accountability and future reviews.
Use the Results to Refine Your Process
Regularly review what’s working, what’s missed, and how your access policies may need to evolve.
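The "Require Clear Reviewer Input" and "Track and Follow Up" steps can be enforced when a report comes back. The sketch below is an added example, not code from the presentation: the column names and sample rows are constructed, and `Test-AuditResponse` is a hypothetical helper name.

```powershell
# Constructed reviewer return for one report. Column names are assumptions.
$returned = @'
CardholderId,Name,AccessPlan,Flag,Decision
1001,A. Rivera,Chem Lab 210,,Keep
1002,B. Chen,Chem Lab 210,NOT_ACTIVE,remove
1005,E. Novak,Chem Lab 210,,
1006,F. Haddad,Chem Lab 210,,ok
'@ | ConvertFrom-Csv

function Test-AuditResponse {
    param([object[]]$Rows)

    $keep = @(); $remove = @(); $unanswered = @()
    foreach ($row in $Rows) {
        # Only an explicit keep or remove counts. Blank, "ok", "n/a" and the like are unanswered.
        switch (([string]$row.Decision).Trim().ToLowerInvariant()) {
            'keep'   { $keep += $row }
            'remove' { $remove += $row }
            default  { $unanswered += $row }
        }
    }

    [pscustomobject]@{
        Complete   = ($unanswered.Count -eq 0)
        Keep       = $keep
        Remove     = $remove
        Unanswered = $unanswered
    }
}

$result = Test-AuditResponse -Rows $returned

if ($result.Complete) {
    # Accepted audit: pass the removals to whoever revokes access and keep the full record.
    $result.Remove | Select-Object CardholderId, AccessPlan
} else {
    # Incomplete audits are not accepted: nothing is acted on until every row has a decision.
    Write-Warning ("Audit returned to reviewer: {0} of {1} rows lack a keep/remove decision." -f
        $result.Unanswered.Count, @($returned).Count)
    $result.Unanswered | Select-Object CardholderId, Name, Decision
}
```

The sample return is rejected because two rows (one blank, one "ok") carry no explicit decision, so the outstanding entries are listed for follow-up.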
Frequently Asked Questions
1. How can we improve access control on our campus?
Start by evaluating who currently has access to which spaces and whether it’s truly necessary for their role. From there, develop clear policies that define what is appropriate access, implement regular audits to verify alignment, and consider automating reports using identity and HR data. Collaborating across departments is essential to maintaining consistency.
2. What are the first steps to creating an access audit process?
Begin by identifying stakeholders—facilities, security, IT, and departmental leads—then review existing access plans and policies. Establish audit types (e.g., who has access, when access was used, and whether access plans still make sense), and decide how often each should occur based on the risk level of each space.
3. What if our campus uses multiple access control systems?
That’s common. The key is building coordination between system administrators. Create shared policies, form a governance group, and streamline data sharing where possible. Ohio State’s example shows that alignment and communication across systems can make even a distributed environment manageable.
4. How can NACCU support institutions working on access control processes?
NACCU provides valuable peer connections, real-world case studies like this one, and opportunities to learn directly from institutions that have tackled similar challenges. Through community forums, webinars, and conferences, NACCU helps members exchange best practices, stay informed about evolving technologies, and build a roadmap that fits their unique environment. If you aren't already a member of NACCU, join today!