Your Next CJIS Audit: What to Expect

Every agency that uses Criminal Justice Information Systems or data is audited at least once every 3 years. CJIS policies provide complex but effective guidelines to help you uphold the freedoms of those in your care.

But alas, understanding the importance of CJIS, particularly the auditing process, doesn’t make compliance any simpler. CJIS certification is still a complicated beast.

In addition to the triennial State Audit (performed by your state’s CJIS Systems Agency, or CSA), your agency could be selected to be audited by the FBI’s CJIS Audit Unit. While this can take place anytime, it usually coincides with the FBI’s audit of the CSA, which also takes place once every three years.

Take a look at the generalized audit schedule below as you begin to prepare your team.

FBI & CSA Audits: What to Expect

1.) You’ll be Notified by the FBI or CSA

An audit staffer will reach out to you, most likely by phone, to make arrangements for your agency’s audit.

2.) You’ll Designate a Terminal Agency Coordinator (TAC)

Your TAC will liaise with auditors and act as the lead in preparing for your audit, with the support of your LASO, or Local Agency Security Officer.

3.) You’ll Receive the Pre-Audit Questionnaire

This in-depth questionnaire, which will give you insight into what documentation and topics the auditor will cover, must be completed and returned to the auditing staff by the set deadline.

4.) The Binder

Place a copy of all relevant documentation into a binder (or two) that you can deliver to your auditor when they arrive on-site.

This up-to-date technical documentation of your processes and qualifications (including that of your vendors) is a key component of a successful audit.

5.) Your On-Site Audit

Your auditor will arrive on the scheduled date and conduct an administrative interview with appropriate agency personnel (TAC, LASO, IT Manager(s), and the Chief or a representative) to discuss your NCIC and security systems and processes.

A physical security inspection will be conducted of the facility and anywhere criminal justice information is processed, stored, or accessed, including dispatch centers, patrol vehicles, records areas, and more.

Lastly, detailed documentation of your processes and systems will be expected by your auditor. That’s when you’ll hand over your binder.

6.) Audit Follow-Up and Compliance Planning

While the action may seem to be simmering down, this step is actually the most important for you and your agency.

At the conclusion of the On-Site Audit you will receive your CJIS policy assessment packet, which contains your compliance status in all areas assessed. Your agency will be assigned a CJIS Security Officer (CSO), a state representative who will hold your agency accountable for forming and executing a plan to address compliance gaps.

Your CSO will communicate through your LASO and follow up on any deficiencies. These follow-ups are regularly reported to the Audit Unit and then to the Advisory Policy Board (APB) for further action as deemed appropriate.

Consequences of a Failed Audit

The most common causes of audit failure are often issues pointed out in past audits. When not addressed in a timely manner, these issues can get even worse with time, leading to a poor CJIS compliance standing.

Your access to CJI could be revoked until your next state or federal audit.

Corsica Technologies