Overview
The Visitor Management Process is the set of procedures used to identify, log, authorize, and monitor all non-employee visitors entering company facilities. It ensures that only approved visitors access physical locations and that visitor activity is documented to meet SOC 2 CC6.4 requirements.
Step-by-Step Process
Define visitor access rules
The Facilities Manager documents which types of visitors are permitted, what areas they may access, and whether an escort is required. This information is formalized in a Visitor Access Policy or Facilities Policy. The output is an approved policy available to staff and auditors.
Role: Facilities Manager
Set up visitor logging system
The Facilities Manager configures the chosen visitor management tool or prepares a physical sign-in sheet at each entrance. Required fields include visitor name, company, host, time in, and time out. The output is a ready-to-use visitor log system.
Role: Facilities Manager
Verify visitor identity on arrival
Reception or front desk staff verify the visitor’s identity using a government-issued ID or pre-registration details. The visitor’s details are entered into the visitor log before granting access. The output is a completed visitor record with arrival time.
Role: Receptionist
Issue visitor badge
Reception staff issue a visible visitor badge indicating visitor status and date of visit. The badge must be worn at all times while on-site. The output is physical identification that distinguishes visitors from employees.
Role: Receptionist
Ensure visitor escort where required
If the visitor policy requires escorting, the host employee meets the visitor and remains with them in restricted areas. Hosts are responsible for preventing unauthorized access. The output is controlled visitor movement within the facility.
Role: Employee Host
Record visitor departure and retain logs
Upon exit, reception staff record the visitor’s departure time and collect the badge. Visitor logs are retained according to the company’s record retention policy. The output is a complete, time-bounded visitor record.
Role: Receptionist
What You Need Before Starting
- Approved Visitor Access Policy or Facilities Policy
- Access to visitor management tool (Envoy or SwipedOn) or printed sign-in sheets
- Visitor badge stock
- Front desk or reception coverage schedule
Evidence Your Auditor Expects
- Visitor Access Policy approved and dated (e.g., last revision date)
- Exported visitor log from Envoy or SwipedOn showing names, hosts, and timestamps for a sampled period
- Scanned sign-in sheets with visible dates and signatures for sampled days
- Photos or screenshots of visitor badge templates showing date and visitor designation
How This Looks In Your Tools
Envoy
Log in to the Envoy dashboard and navigate to Locations > Select Location > Visitors > Settings. Configure required fields such as full name, company, host, and badge printing, and enable sign-out reminders.
At the front desk, visitors check in using the Envoy iPad app by selecting “Sign In,” entering their details, and confirming their host. To retrieve evidence, go to Visitors > Visitor Log, filter by date range, and export the log as a CSV with timestamps.
SwipedOn
Log in to the SwipedOn admin portal and go to Settings > Visitor Settings to define mandatory fields and badge requirements. Assign the location and ensure sign-out is enabled.
Visitors sign in on the SwipedOn kiosk by entering their details and selecting a host. For audits, navigate to Dashboard > Visitor Logs, apply a date filter, and export the report showing check-in and check-out times.
Sign-in sheet
Prepare a printed sign-in sheet with columns for date, visitor name, company, host, time in, time out, and signature. Place the sheet at the reception desk with instructions for completion.
Reception staff ensure each visitor completes all fields on arrival and departure. Completed sheets are scanned or stored in a secure folder labeled by date for retention and audit review.
Common Audit Findings
- Incomplete visitor logs
- This occurs when arrival or departure times are not consistently recorded. Prevent this by making time-in and time-out fields mandatory and training reception staff on log completion.
- Visitors not wearing badges
- Badges may be skipped during busy periods or run out. Prevent this by keeping badge supplies stocked and requiring visible badges as part of reception procedures.
- No evidence of visitor departure
- Auditors flag missing sign-out times as a control gap. Enable automatic sign-out reminders in tools or require reception to actively collect badges at exit.
- Visitor logs not retained
- Logs may be deleted or misplaced due to unclear retention rules. Prevent this by defining retention periods and storing logs in a centralized, backed-up location.