Your Next CJIS Audit: What to Expect

Reading Time: 2 minutes

Every agency that uses Criminal Justice Information Systems or data is audited at least once every 3 years. CJIS policies provide complex but effective guidelines to help you uphold the freedoms of those in your care.

But alas, understanding the importance of CJIS and (cue the sad trombone) CJIS audits doesn’t make compliance any simpler.

Learn About our CJIS Audit Preparation & Compliance Services

In addition to the tri-annual State Audit (performed by your state’s , CJIS Systems Agency, or CSA), your agency could be selected to be audited by the FBI’s CJIS Audit Unit. While this can take place anytime, it usually coincides with the FBI’s audit of CSA, which also takes place once every three years.

Take a look at the generalized audit schedule below as you begin to prepare your team.

FBI & CSA Audits: What to Expect

1.) You’ll be Notified by the FBI or CSA

An audit staffer will reach out to you, most likely by phone, to make arrangements for your agency’s audit.

2.) You’ll Designate a Terminal Agency Coordinator (TAC)

Your TAC will liaison with auditors and act as the lead in preparing for your audit, with the support of your LASO, or Local Agency Security Officer.

3.) You’ll Receive the Pre-Audit Questionnaire

This in-depth questionnaire, which will give you insight into what documentation and topics the auditor will cover, must be completed and returned to the auditing staff by the set deadline.

4.) The Binder

Place a copy of all relevant documentation into a binder (or two) that you can deliver to your auditor when they arrive on-site.

This up-to-date technical documentation of your processes and qualifications (including that of your vendors) is a key component of a successful audit.

5.) Your On-Site Audit

Your auditor will arrive on the scheduled date and conduct an administrative interview with appropriate agency personnel (TAC, LASO, IT Manager(s), and Chief (or representative)) discussing your NCIC and security systems and processes.

A physical security inspection will be conducted of the facility and anywhere the criminal justice information is processed, stored, or accessed, including dispatch centers, patrol vehicles, records areas, and more.

Lastly, detailed documentation of your processes and systems will be expected by your auditor. That’s when you’ll hand over your binder.

4.) Audit Follow-Up and Compliance Planning

While the action may seem to be simmering down, this step is actually the most important for you and your agency.

At the conclusion of the On-Site Audit you will receive your CJIS policy assessment packet, which contains your compliance status in all areas assessed. Your agency will be assigned a CJIS Security Officer (CSO), a state representative who will hold your agency accountable to forming and executing a plan to address compliance gaps.

Your CSO will be communicating through your LASO and following up on any deficiencies. These followups are regularly reported to the Audit Unit and further to the Advisory Policy Board (APB) for further action as deemed appropriate.

Consequences of a Failed Audit

The most common causes of audit failure are often issues pointed out in past audits. When not addressed in a timely manner, these issues can get even worse with time, leading to a poor CJIS compliance standing.

Your access to CJI could be revoked until your next state or federal audit.

Related Reads

What are the latest cybersecurity threats to businesses?

What Are the Latest Cybersecurity Threats to Businesses?

Barracuda Networks, an IT security company, recently patched a vulnerability in its email software, but not until after attackers exploited the weakness by installing malware in user networks and stealing data. Unfortunately, zero-day and other vulnerabilities are common threats to

Read More
How to stop phishing emails from reaching your team

Stop Phishing Emails from Reaching Your Team 

The easiest way for cyberattackers to infiltrate an organization is through your employees. And phishing emails continue to get more convincing, especially with the help of artificial intelligence (AI). Attackers are even posing as potential customers or vendors to establish

Read More

Get the latest insights delivered to your inbox