Close this search box.

Your Next CJIS Audit: What to Expect

Person reviewing a book with magnifying glass and pen.

Every agency that uses Criminal Justice Information Systems or data is audited at least once every 3 years. CJIS policies provide complex but effective guidelines to help you uphold the freedoms of those in your care.

But alas, understanding the importance of CJIS–particularly the auditing process–doesn’t make compliance any simpler. CJIS certification is still a complicated beast.

In addition to the tri-annual State Audit (performed by your state’s , CJIS Systems Agency, or CSA), your agency could be selected to be audited by the FBI’s CJIS Audit Unit. While this can take place anytime, it usually coincides with the FBI’s audit of CSA, which also takes place once every three years.

Take a look at the generalized audit schedule below as you begin to prepare your team.

FBI & CSA Audits: What to Expect

1.) You’ll be Notified by the FBI or CSA

An audit staffer will reach out to you, most likely by phone, to make arrangements for your agency’s audit.

2.) You’ll Designate a Terminal Agency Coordinator (TAC)

Your TAC will liaison with auditors and act as the lead in preparing for your audit, with the support of your LASO, or Local Agency Security Officer.

3.) You’ll Receive the Pre-Audit Questionnaire

This in-depth questionnaire, which will give you insight into what documentation and topics the auditor will cover, must be completed and returned to the auditing staff by the set deadline.

4.) The Binder

Place a copy of all relevant documentation into a binder (or two) that you can deliver to your auditor when they arrive on-site.

This up-to-date technical documentation of your processes and qualifications (including that of your vendors) is a key component of a successful audit.

5.) Your On-Site Audit

Your auditor will arrive on the scheduled date and conduct an administrative interview with appropriate agency personnel (TAC, LASO, IT Manager(s), and Chief (or representative)) discussing your NCIC and security systems and processes.

A physical security inspection will be conducted of the facility and anywhere the criminal justice information is processed, stored, or accessed, including dispatch centers, patrol vehicles, records areas, and more.

Lastly, detailed documentation of your processes and systems will be expected by your auditor. That’s when you’ll hand over your binder.

4.) Audit Follow-Up and Compliance Planning

While the action may seem to be simmering down, this step is actually the most important for you and your agency.

At the conclusion of the On-Site Audit you will receive your CJIS policy assessment packet, which contains your compliance status in all areas assessed. Your agency will be assigned a CJIS Security Officer (CSO), a state representative who will hold your agency accountable to forming and executing a plan to address compliance gaps.

Your CSO will be communicating through your LASO and following up on any deficiencies. These followups are regularly reported to the Audit Unit and further to the Advisory Policy Board (APB) for further action as deemed appropriate.

Consequences of a Failed Audit

The most common causes of audit failure are often issues pointed out in past audits. When not addressed in a timely manner, these issues can get even worse with time, leading to a poor CJIS compliance standing.

Your access to CJI could be revoked until your next state or federal audit.

Corsica Technologies
Corsica provides personalized service and a virtual CIO (vCIO) who serves as a strategic advisor. When it comes to the complex integration of solutions for IT and cybersecurity, the whole is greater than the sum of its parts. We offer cybersecurity solutions, managed services, digital transformation, resale services, and one-off technology projects. Corsica unifies any combination of these services into a complete, seamless solution.

Related Reads

Unlimited IT Support Services - Corsica Technologies

The End Of Metered Billing In Technology Services

Let’s be honest. When it comes to technology services, something is broken. Customers aren’t getting the consistency, responsiveness, and cost transparency they deserve. Meanwhile, MSPs (managed IT service providers) promise the moon with “all-in” pricing, yet they still allow tons

Read more
CPCSC - Canadian Program for Cyber Security Certification - Corsica Technologies

CPCSC For Canadian Defense Contractors: What We Know Today

With cybersecurity threats evolving rapidly, governments are taking steps to protect sensitive but unclassified information that they must share with their suppliers. This is a critical undertaking, as hackers can use sensitive information to inform their strategies—plus they can execute

Read more
EDI Software - 5 steps to choosing the right solution - Corsica Technologies

5 Steps To Choosing The Right EDI Software

How do you understand EDI and choose the right solution for your business? Whether you’re just starting with EDI or replacing an outdated solution, it’s crucial to get this right. Picking the wrong EDI software for your situation can saddle

Read more

Sign Up For Our Newsletter

Stay up-to-date on the Managed Services and Cybersecurity landscape, and be the first to find out about events and special offers.