Everyone understands the benefit of using access control to keep people out of sensitive areas where they don’t belong. But what about the risk posed by the people who are granted access to those areas? I would argue that they pose just as big a risk if not a bigger one. After all, they know where the high value goods are. If the goal is to protect critical infrastructure that would disrupt operation of the business if compromised, the folks you are letting in know exactly how to cause the maximum disruption.
If a disgruntled employee with access to this area knows they can come in overnight and do something nasty without being detected, they may be tempted to do so. However, if their access is audited with their credential ID number, date and time, they are far less likely to do anything that will get them fired and/or sent to jail.
While audit reports are rarely looked at when all is good, they are looked at scrupulously when things go wrong. Obviously, for this to be a deterrent, people need to know that access is being audited.
It has always been my opinion that 50% of an access control system’s benefit comes from keeping people out who don’t belong. The other 50% comes from keeping the trusted folks honest.