Most commercial security maintenance contracts include an annual on-site service visit. The quality varies wildly. We've walked onto sites where the previous installer's "annual service" was a 15-minute drive-by with no documentation. Here's what a proper annual visit looks like, so you can audit what you're actually paying for.

Why this matters

Security hardware doesn't fail dramatically. It degrades quietly. A camera lens slowly fogs over. A reader's sensitivity drifts. A backup battery loses capacity. A door strike develops play. None of these will trigger an alarm or a fault. They just mean that when you actually need the system to work, it doesn't.

The annual service visit is the formal opportunity to catch this drift before it becomes a problem. If your installer is treating it as a box-tick, you're paying for compliance theatre. Use this article as a checklist to compare what you're getting against what you should be getting.

What a proper annual visit covers

A real commercial security service visit takes between half a day and a full day for a typical site, depending on size and system complexity. It covers four areas: hardware health, software health, documentation, and a compliance walkover.

1. Hardware health checks

Every device on the site gets a physical inspection. For each category, here's what should actually happen:

CCTV cameras:

  • Lens cleaned (every camera, no exceptions)
  • Housing seals checked, weatherproofing verified on external units
  • Field of view confirmed against the as-built drawings (cameras drift, get knocked, get partially obscured by signage or stock)
  • Image quality reviewed at full resolution on the recorder, not just thumbnails
  • IR illumination tested at night-equivalent light levels
  • Mounts and brackets checked for movement, corrosion, rust

Access control hardware:

  • Every reader tested with a known-good credential and a known-bad credential
  • Door contacts and REX (request-to-exit) sensors tested at every door
  • Strike and maglock function tested under both normal and fail-safe/fail-secure modes
  • Door alignment checked (a door that's starting to sag will eventually fail to latch reliably)
  • Auto-closer function and timing verified
  • Tamper switches tested on every panel, reader, and external device

Alarm and intrusion:

  • Every PIR, dual-tech, glass-break, and shock sensor tested by walk-test or simulation
  • Siren and strobe tested (and yes, the building should be informed first)
  • Backup battery load-tested, not just voltage-checked. A battery can read full voltage on a multimeter and still fail under load.
  • Communication path to monitoring tested (whether IP, GSM, or both)
  • Failover path tested where dual-path monitoring is in place

Cabling and racks:

  • Visual inspection of comms cabinets, panels, and head-end equipment
  • Fan filters cleaned, internal temperature checked
  • UPS tested where present
  • Cable terminations spot-checked for tightness and oxidation

2. Software health checks

The platform side of the system needs as much attention as the hardware. Most installers under-do this part because it's less visible to the client.

  • Firmware versions reviewed across cameras, panels, and recorders, with security updates applied where needed
  • Management software updated to the current supported release
  • Database integrity check on the access control platform
  • Backup of the management database verified (i.e. the backup is taken and then restored to a test environment to confirm it's actually usable)
  • User accounts reviewed: any leavers still on the system, any orphan service accounts, any over-privileged users
  • Audit log review for unusual access patterns or repeated failed credential attempts
  • Storage capacity and retention period verified against the documented retention policy
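The user-account review in the list above, as an added example (not part of the original article): it reconciles an access control credential export against the current staff list and flags leavers, orphan service credentials, over-privileged holders, and credentials unused for a long period. The CSV column names, group names, and the 180-day threshold are assumptions; the sample data is constructed.

```python
import csv
import io
from datetime import date

# Constructed sample exports; column names are assumptions, not a vendor format.
CREDENTIALS_CSV = """holder_id,name,kind,owner_id,groups,last_used,active
E100,A. Nguyen,staff,,General;Server Room,2024-05-28,yes
E101,B. Patel,staff,,General,2024-05-30,yes
E102,C. Rossi,staff,,General;All Doors 24x7,2023-11-02,yes
E103,D. Smith,staff,,General,2024-01-15,no
SVC1,Cleaning contractor fob,service,E102,General,2024-05-29,yes
SVC2,Lift maintenance fob,service,E101,General;All Doors 24x7,2022-08-19,yes
"""
STAFF_CSV = """staff_id,name,approved_privileged_groups
E100,A. Nguyen,Server Room
E101,B. Patel,
"""
PRIVILEGED_GROUPS = {"Server Room", "All Doors 24x7"}  # assumed site policy


def split(field):
    return {g for g in field.split(";") if g}


def audit_credentials(cred_csv, staff_csv, today, stale_days=180):
    staff = {r["staff_id"]: split(r["approved_privileged_groups"])
             for r in csv.DictReader(io.StringIO(staff_csv))}
    findings = []
    for c in csv.DictReader(io.StringIO(cred_csv)):
        if c["active"] != "yes":
            continue  # disabled credentials cannot open doors
        cid = c["holder_id"]
        # A staff credential is checked against its holder; a service
        # credential against the staff member recorded as its owner.
        person = cid if c["kind"] == "staff" else c["owner_id"]
        if person not in staff:
            findings.append((cid, "leaver" if c["kind"] == "staff" else "orphan"))
        approved = staff.get(person, set()) if c["kind"] == "staff" else set()
        excess = (split(c["groups"]) & PRIVILEGED_GROUPS) - approved
        if excess:
            findings.append((cid, "over-privileged: " + ", ".join(sorted(excess))))
        if (today - date.fromisoformat(c["last_used"])).days > stale_days:
            findings.append((cid, "stale"))
    return findings


if __name__ == "__main__":
    for holder, issue in audit_credentials(CREDENTIALS_CSV, STAFF_CSV, date(2024, 6, 1)):
        print(f"{holder}: {issue}")
```

Each finding belongs in the written service report, alongside the action taken (credential disabled, owner reassigned, group removed).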

3. Documentation refresh

A site's documentation drifts from reality faster than people expect. The annual visit is when it gets pulled back into alignment.

  • As-built drawings updated to reflect any changes since last visit
  • Cable schedule reconciled (especially after fitouts, refurbs, or tenancy changes)
  • Credential database reviewed against current staff list
  • Access groups and time schedules reviewed against current operational hours
  • Emergency contact list verified and updated
  • Service log updated with the visit findings, all faults raised, all parts replaced

4. Compliance walkover

Sector-specific compliance items get checked against the relevant framework. The detail varies by site type, but typically includes:

  • Signage at all CCTV-monitored entrances (APP 5 obligation)
  • Camera coverage of regulated areas (gaming floor, pharmacy, cash handling, controlled-substance storage, etc.)
  • Retention period configured to match the documented policy
  • Access control coverage of restricted areas matches the asset register
  • Any sector-specific evidence the auditor will want at next inspection

What you should receive after the visit

A proper annual service generates a written report. Not a stapled invoice. The report should include:

  • The date and the technician's name
  • The full checklist with each item ticked or noted
  • Photographs of any defects found
  • Parts replaced and parts recommended for replacement
  • Any software or firmware updates applied
  • Recommendations for remedial work, with a priority rating
  • An updated version of the as-built drawings if anything has changed

If your current installer doesn't produce something like this, the annual visit is happening on paper but not in practice. It's the single biggest red flag we look for when reviewing an inherited installation.

Red flags worth raising with your current installer

  • The visit takes less than two hours on a multi-door site. A proper inspection of even a small commercial install takes longer than that.
  • No camera lens cleaning. If you can run a finger along the housing of an external camera and find dust on the glass, the lens hasn't been touched.
  • No load-tested batteries. Voltage check only is not a battery test. A 12V SLA battery will read 13.4V open-circuit while being unable to hold a load for 30 seconds.
  • No software/firmware update history. If your camera fleet is on firmware from 2022, something has gone wrong with the maintenance regime.
  • No access control user audit. Leavers should be removed from the system as part of the offboarding process, but in practice this is patchy at most sites. The annual visit is when it gets cleaned up.
  • No written report. If all you get is an invoice saying "annual service complete", you have no evidence of what was actually done.

What it should cost

For a typical commercial site, an annual service visit on a managed maintenance contract is usually included in the contract fee rather than billed separately. Standalone annual visits, where there's no ongoing contract, typically run between $1,200 and $3,500 depending on site size, system complexity, and the breadth of the inspection.

Significantly cheaper than that and the corners are being cut. Significantly more and the scope should be detailed enough to justify it (very large sites, integrated multi-discipline systems, or compliance-heavy environments).

If you're due for a visit and not sure what to expect

Print this checklist. Walk it with your current installer's technician on the day. Ask the questions: when was the last firmware update, can I see a load-test on the backup battery, can I see the written report from last year's visit, how many leavers are still active in the access control system. If the answers are confident and documented, you've got a serious maintainer. If the answers are vague, it's time to either reset the expectations with your current installer or get a second opinion.

If you want a second opinion on the state of an existing commercial security installation, get in touch. We do site audits as a standalone piece of work, separate from any quote to take on the maintenance.