TECHNICAL Infrastructure · Managed Service

Fob Audits

An annual reconciliation that keeps a building’s credential register honest.

Every condominium loses about ten percent of its issued credentials each year through the unremarkable accidents of daily life — and the only honest answer to how many fobs does this building actually have in active circulation is the answer produced by an audit that has actually been performed.

The Problem We Are Naming

A building issues a fob to every resident. Over time, residents lose fobs, find them again, lend them to family members, hand them to contractors who never return them, drop them in laundry rooms, mail them to a child away at university. Some come back to the property’s records. Most do not.

The property’s belief about its credential state is therefore almost always more optimistic than its actual credential state. The system says four hundred and seven fobs are active. The reality is that some unknown subset of those four hundred and seven are sitting in drawers and coat pockets belonging to people the building no longer recognizes — and some unknown smaller subset are in the hands of people who never had a legitimate reason to hold them in the first place.

This is not a building’s fault. It is a property of how credential systems behave under ordinary use. The question is whether the property is willing to do the work that closes the gap between belief and reality.

Most are not. The work is unglamorous, the cost is real, and the result — once produced — looks like a list of small reconciliations rather than a dramatic finding. Boards tend not to fund work whose visible product is the building was a little less wrong about itself than we thought.

We believe that work should be funded anyway, because it compounds. And we have built the audit practice that makes it tractable.

The TECI Posture

A fob audit, done properly, is the annual ritual that keeps a building’s credential system honest. It is neither a security exercise nor a punitive one. It is a stewardship exercise, of the same family as the annual physical inspection of mechanical systems or the annual reconciliation of the reserve fund.

We perform fob audits as a defined annual service for every property under an RTMA, and we will perform them as one-time engagements for properties that want a baseline before deciding what to do next.

What the Audit Actually Measures

Four ordered audit measures: active credentials, those mapped to residents, orphans, and count divergence
What the audit measures, in order.

A fob audit answers four questions about a building, in order.

What credentials does the access system believe are active? This is the easy part. The system has a list. The list can be exported.

Which of those credentials map to current residents in good standing? This requires comparing the access system’s list against the resident roster the property maintains. The comparison is rarely as clean as the property expects.

Which credentials are issued to no one we can identify? These are the orphans — credentials active in the system but with no living mapping to a resident, a staff member, or an authorized third party. Every audit finds some. Some buildings find a great many.

Which residents should hold credentials but appear to hold either too few or too many? This is the discipline question. A unit registered for two fobs that appears to have four active credentials is worth understanding before more are issued.

The output of the audit is a single document showing each of these four answers, with recommended actions for each anomaly category and a clear path to closure.

Why Ten Percent

The figure is not a guess. Across the buildings TECI manages, the annual rate of credential turnover from causes other than resident moves — loss, breakage, retention without disclosure, contractor non-returns, vehicle resales with credentials still in the glove box — runs at roughly ten percent of total issued credentials.

Bold ten-percent figure noting roughly one in ten issued credentials goes unaccounted-for each year
Roughly one in ten issued credentials drifts out of account each year.

This number is durable across building types, demographics, and management styles. We have looked for variation; it does not appear in any meaningful way. A building of three hundred fobs will reliably need to absorb something close to thirty unaccounted-for credentials per year on top of the credentials properly turned over through move-in and move-out.

The ten percent figure is also the floor on what fob audits routinely surface. A building that has not been audited in three years is, in our experience, looking at roughly a quarter of its credential state being either misallocated or unaccounted for. By year five, the figure starts approaching half. By year ten, the credentials register is no longer a useful document.

This is the rate at which entropy operates on credential systems. Nothing in the credential system is broken. The system is doing exactly what it was designed to do — namely, hold whatever records it is told to hold. The drift is in what it is told.

How the Audit Is Performed

A TECI fob audit unfolds over approximately two weeks of elapsed time, though active work is concentrated in a few discrete passes.

Two-week fob audit timeline from kickoff through reconciliation to a board-ready report
A typical audit runs about two weeks end to end.

Week one, day one. The property’s current access system database is exported. The resident roster is requested from the property manager. Both documents are loaded into the audit workspace.

Week one, days two through four. Initial reconciliation. The two documents are compared programmatically. Anomalies are categorized: orphan credentials, residents missing expected credentials, residents holding extra credentials, retired credentials still active, active credentials mapped to retired residents.

Week one, day five. Findings document drafted. Sent to the property manager for context. Many anomalies have explanations that the system cannot see — a long-term board member who legitimately holds a fob, a property staff member whose credentials are unflagged, an authorized contractor with persistent access. The property manager’s review resolves these.

Week two, days one through three. Resolved findings are processed. Genuine orphans are deactivated. Missing credentials are issued. Discrepancies in resident credential counts are clarified with the residents themselves where appropriate.

Week two, day four. Final audit report produced. This is the document that goes to the board. It states the audit date, the count of credentials reviewed, the count of anomalies surfaced, the disposition of each anomaly, and the resulting credential state of the property.

Week two, day five. The Property Tech Binder’s credentials register is updated to reflect the post-audit state. The audit report is filed in the binder as a permanent record. The MoveIns audit trail is closed out.

The audit produces three documents: the technical findings (for the property manager), the board report (for governance), and the binder update (for the long-term record). The same audit serves all three purposes.

What the Audit Does Not Do

It is worth being precise about what an audit is not, because the word can carry connotations the practice does not deserve.

A fob audit is not a security investigation. We are not trying to find a culprit. The vast majority of anomalies surfaced by an audit have benign explanations — a fob lent and forgotten, a contractor’s credential never decommissioned because the contractor’s project ended without a formal handoff.

A fob audit is not a punitive exercise toward residents. No resident is contacted about an anomaly without the property manager’s knowledge and concurrence. When residents are contacted, the question is informational, not accusatory.

A fob audit is not a substitute for the per-event turnover discipline. The two practices are complementary. The turnover discipline keeps the credential state clean event by event; the audit catches what the per-event discipline cannot see. A building that performs neither has neither defense against drift. A building that performs both has both, and the audit’s findings shrink over time as the per-event discipline does more of the work.

A fob audit is not, finally, a moment for accusation against prior management or prior vendors. We have inherited many buildings whose credential state was a wreck on day one. The right response is to say so honestly, fix what can be fixed, and start the discipline from a clean baseline. Naming where the wreck came from serves no one.

Why Annual

Line chart of credential drift climbing toward fully unaccounted-for by year ten when audits are skipped
Uncorrected, the register drifts until it is no longer useful.

The cadence is annual rather than more or less frequent for reasons that are operational rather than arbitrary.

More frequent than annual produces diminishing returns. The cost of the audit infrastructure is largely fixed; the marginal anomalies caught by a six-month audit relative to a twelve-month audit do not justify the doubled effort.

Less frequent than annual allows drift to compound past the point where a single audit can recover the credential state cleanly. A two-year gap typically produces an audit that runs three weeks instead of two and surfaces twice the anomalies. A three-year gap produces an audit that is, functionally, a partial rebuild of the credentials register.

Annual audits, run consistently, hold the building’s credential state within a few percent of accurate at all times. They are the dose at which the discipline works.

What an Audit Costs

Annual fob audits are included in the RTMA at no additional charge. This is one of the recurring services that justifies the recurring agreement model.

For properties not under an RTMA, a one-time fob audit is available as a defined engagement at a flat rate. The rate reflects the scope of the building — primarily the count of active credentials, secondarily the complexity of the access systems involved. We quote it before any work begins.

We are explicit on this point: the per-event audit, performed once, is genuinely valuable. A property considering whether to enter an RTMA can use a baseline audit to inform that decision with real data about the state of their building. But a fob audit that is not followed up by either the per-event turnover discipline or another audit a year later is a snapshot, not a practice. Its value decays.

The Hardware Underneath

A fob audit does not require any capital expenditure from the property. The work depends on what the property already has — the access system, the resident roster, the MoveIns ticketing infrastructure that TECI operates as part of its standard service.

What is needed is the discipline to perform the work, the tooling to do it efficiently, and the relationship that makes the property’s records open to honest examination. None of these are hardware. All of them are part of the RTMA.

The Triple-Duty Question

A fob audit, like every other TECI service, is asked to do more than one job.

It is a credential discipline exercise. That is its primary function.

It is also a verification of the Property Tech Binder. The credentials register in the binder is supposed to reflect the building’s actual credential state. The audit is the moment when that supposition is tested. If the binder and the audit disagree, the binder is updated. The audit holds the binder honest.

And it is a relationship checkpoint. The audit produces a conversation between TECI and the property about how the building’s credential discipline is holding up. Trends are visible across years. A property whose anomaly count is declining year over year is in a different conversation than one whose anomaly count is rising. The audit makes that conversation possible.

Three jobs from one annual exercise.

The Relationship Frame

A fob audit performed by a third party that the property does not have an ongoing relationship with is a transaction. A fob audit performed by the same vendor for the same building for ten years is something else — a longitudinal record of how the building has been kept.

The longitudinal version is the more valuable one, and it is only available through the relationship. We do not say this to argue against per-event audits. We say it because the difference is real and worth understanding before a property decides what kind of audit practice it wants.

The Property Tech Binder records the static state of the building. The annual fob audit, performed over years, records the trajectory.

What the Audit Reveals Over Time

The first audit on a new property typically surfaces a number of anomalies that is unrelated to TECI’s discipline — it reflects the state of the building when we arrived. The second audit, twelve months later, is the meaningful one. It measures what happened in a year of disciplined practice.

A property whose second audit shows materially fewer anomalies than its first audit is a property whose per-event turnover discipline is working. A property whose second audit shows no improvement is a property where something in the per-event practice is failing — the property manager is not notifying us promptly, the property has informal credential issuance happening outside the system, or some other process gap is allowing drift to continue.

The audit, in other words, is also a diagnostic. It does not just describe a state; it describes the health of the practice that produced the state.

The Board Report

The single-page board report that emerges from each audit is, in our experience, one of the more useful artifacts the building produces in a year. It is short. It is factual. It contains no opinions and no recommendations beyond the technical disposition of anomalies.

A board member who reads it once a year for five years has accumulated a meaningful picture of the property’s credential discipline trajectory. They can answer the question is this getting better or worse without needing to consult anyone.

Many board members never look at the report. That is fine. The report is on file when someone needs it. The handful of board members across our portfolio who do read it have found it useful in ways we did not anticipate when we first designed the format. We have, over time, refined the report toward those readers.

What We Ask of the Property

Three things, modest in scope.

First, that the property maintain a current resident roster and provide it for the audit when requested. The audit cannot reconcile against a roster that is itself out of date.

Second, that the property manager allocate roughly four hours of attention across the two-week audit window to review the findings document and resolve the per-anomaly questions. The audit is collaborative; it does not work as a one-way report.

Third, that the property surface, before the audit begins, any informal credential arrangements the audit might otherwise flag as anomalies — the long-term contractor with access, the board member who legitimately holds an extra fob, the property staff whose credentials are unmarked. Surfacing these in advance saves the audit from generating false positives.

The Stewardship Frame

There is an honest version of the question how well is this building being managed? that the credential state answers. Not because credentials are themselves a deep matter, but because the kind of attention that maintains them is the kind of attention that maintains everything else.

A building whose credential state is clean is a building where things are being noticed. A building whose credential state has drifted for three years is a building where something is not being noticed — and the credential state is probably not the only thing.

We do fob audits because they are, in themselves, worth doing. We also do them because they are an honest mirror, held up annually to ask whether the practice underneath is holding.

How to Begin

For properties under an RTMA: the annual audit is scheduled, and your TECI account contact can tell you when it is next due and what you will see when it runs. If you have not previously walked through the audit format, we recommend doing so before the first one.

For properties considering an RTMA: a baseline fob audit is a reasonable first engagement before the agreement begins. It produces a real document, a real anomaly count, and a real conversation about what the building’s credential state actually looks like. From there, an RTMA discussion can proceed on the basis of facts rather than impressions.

For properties simply curious about how the practice works: we will share the audit format and walk you through what a typical findings document looks like. The methodology is not proprietary and the conversation costs nothing.

Fob Audits are part of the TECI managed service practice. To begin a conversation, contact us at the address on the homepage or through your property manager.