Visitor Management on the Security Audit Checklist: How a Fintech Scaleup Cleared It
The first time a fintech scaleup goes through a serious security audit (SOC 2 Type II, ISO 27001, or a large enterprise customer's vendor security questionnaire), physical access control shows up on the checklist, usually in a section labelled something like "Facility Access Controls." Visitor management is part of it.

What the auditors actually asked
Based on the questionnaires we see come through sales, the physical-access section typically covers four things:
- Visitor log: Is every visitor recorded, with identity, host, timestamp and purpose? Is the log tamper-evident and retained for a defined period?
- Identity verification: Are visitors' identities verified before they enter sensitive areas?
- Access control: Are visitors escorted? Is there a mechanism to deny access to flagged individuals?
- Authentication: Do staff access the visitor management system with corporate SSO? Is there an audit trail of admin actions?
WelcomeDesk answers every one of these out of the box. Here's how.
The visitor log auditors want to see
Every check-in through WelcomeDesk creates a timestamped, host-linked visit record. Entries are append-only (nothing is edited in place, nothing is deleted by default), which satisfies the tamper-evidence requirement most auditors look for. The full log exports to CSV on demand, and a date-range query returns every visit across all locations in a single file.
NDA and policy acknowledgements are captured at check-in and stored against each visit. If the auditor asks "do visitors sign a confidentiality agreement before entering?", the answer is yes, and here is the timestamped record for every visitor in the past twelve months.
ID verification at the door
For regulated premises such as trading floors, data centres and server rooms, some audit frameworks require that a visitor's identity is verified against a government-issued document, not just a claimed name. WelcomeDesk integrates with Veriff for document verification as an add-on. A visitor presents their ID at the kiosk; the result (name, document type, pass/fail) is written to the visit record. The document image is not retained after the scan.
The add-on is usage-billed per scan at pass-through rates. There is no monthly fee unless you use it. A company that verifies twenty guests a month pays for twenty scans.
SAML SSO so access follows your directory
The question "how do you de-provision a staff member's access to the visitor system when they leave?" is a standard joiner-mover-leaver question on every security questionnaire. SAML SSO answers it cleanly: a staff member's WelcomeDesk access is tied to their corporate identity provider. Disable them in Okta or Azure AD and the access goes with it. No orphaned accounts sitting behind the audit log.
An enterprise-level answer at an SMB price
The visitor management systems that typically appear in enterprise security checklists (Envoy, iLobby, Lenel) are priced per location, starting at $100–$500 per office per month. A fintech scaleup with offices in three cities can face a $1,500–$5,000 monthly VMS bill before the security audit even concludes.
WelcomeDesk covers all three offices (and up to fifteen) on the Business plan at a single flat fee. The features the auditor is looking for are included. The per-location bill is not.