Auditors Safeguard Integrity of CJIS Systems

Imagine what would happen if the systems law enforcement agencies use daily were compromised or the information in them became corrupted. Obviously, law enforcement efforts would be impacted, and lives could be in danger.

Enter the Criminal Justice Information Services (CJIS) Audit Unit (CAU), whose job is to safeguard the integrity of criminal justice information by auditing the records of the agencies that use CJIS systems and programs.

While this work is vital, no one enjoys having their work scrutinized by an auditor. The process makes many of us uncomfortable and even fearful.

A CAU staff member noted that one audit POC several years ago was extremely anxious about the process and feared auditors were there to get her in trouble. After watching their work, she thanked the auditors and said she learned a lot from the process.

What Gets Audited

“Criminal justice information” refers to all the biometric, identity history, biographic, property, and case/incident history data necessary for law enforcement and civil agencies to do their work. Because a variety of organizations contribute information, the CJIS Division uses a shared-management philosophy. This means the CJIS Division and the federal, state, local, and tribal agencies that submit information share responsibility for the operation and management of these information systems:

Working with Auditors

While this work is vital, having their work scrutinized by an auditor can make some people anxious.

But the CJIS audit process is nothing to be anxious about. Whether CAU is reviewing your records during a scheduled audit or answering a particular question, the auditors are here to help keep CJIS systems—and the vital data they provide—working for you.

If you have questions or comments about CAU or the audit process, please contact the CAU’s front office at acjis@leo.gov or (304) 625-3020.

Who is Involved in Audits

  • The CJIS Advisory Policy Board (APB) recommends policy and information obtained by criminal justice agencies for criminal justice purposes.
  • The National Crime Prevention and Privacy Compact Council (Compact Council) governs the use of the Interstate Identification Index for noncriminal justice purposes.
  • Each participating state UCR program has a CJIS systems agency (CSA), a CJIS systems officer (CSO), and/or a Compact officer that assists the CJIS Division with managing the access, use, and dissemination of criminal justice information within their respective agencies or organizations.

These agencies and their representatives also work with CAU to evaluate the integrity and security of information in CJIS systems.

How Audits Help

Audits help the FBI's partners:

  • Improve the overall integrity of system data
  • Verify that an organization adheres to minimum standards and compliance, which, in turn, can help reduce the number of audit findings
  • Protect and safeguard criminal justice information
  • Improve officer and public safety

How Audits Work

CAU audits all CSAs and repositories every three years. Resources permitting, the unit may conduct special audits upon request. The unit also selects local agencies at random, taking into account an agency’s past performance, along with how long and how frequently the agency has been using CJIS services.

For CSAs and repositories, the audit manager begins communicating with the agency POC six months before the scheduled audit. Once on site, the auditor interviews the POC to gather information about specific processes, performs a data quality review, and participates in a tour of the facility to ensure physical security. The CAU staff conduct onsite audits during a standard work week. Agency audits may last from four to eight hours per day.  

Agencies get immediate feedback during an exit briefing and receive the final report with recommendations for necessary corrections in the agency’s procedures approximately four months afterwards, or sooner. The report also goes to appropriate oversight bodies and the CJIS APB’s Compliance Evaluation Subcommittee or the Compact Council’s Sanctions Committee. CAU also tracks its recommendations until they are completed.

Agencies Covered by Audits

If your agency is one of the following types, it is subject to the CJIS audit process:

  • State CSA and repository
  • State UCR Program office
  • Federal CSA
  • Federally regulated agency
  • Agency within a U.S. territory with a Wide Area Network connection
  • FBI-approved channeler (a contractor selected by the FBI that facilitates the electronic submission of fingerprints for noncriminal justice background checks on behalf of an authorized recipient)
  • Authorized recipient of criminal history record information
  • Sex offender registry
  • Law Enforcement Enterprise Portal identity provider
  • Any FBI component