Every agency that uses Criminal Justice Information Systems or data is audited at least once every 3 years. CJIS policies provide complex but effective guidelines to help you uphold the freedoms of those in your care.
But alas, understanding the importance of CJIS and (cue the sad trombone) CJIS audits doesn’t make compliance any simpler.
In addition to the triennial State Audit (performed by your state’s CJIS Systems Agency, or CSA), your agency could be selected to be audited by the FBI’s CJIS Audit Unit. While this can take place anytime, it usually coincides with the FBI’s audit of the CSA, which also takes place once every three years.
Take a look at the generalized audit schedule below as you begin to prepare your team.
FBI & CSA Audits: What to Expect
1.) You’ll Be Notified by the FBI or CSA
An audit staffer will reach out to you, most likely by phone, to make arrangements for your agency’s audit.
2.) You’ll Designate a Terminal Agency Coordinator (TAC)
Your TAC will liaise with auditors and act as the lead in preparing for your audit, with the support of your LASO, or Local Agency Security Officer.
3.) You’ll Receive the Pre-Audit Questionnaire
This in-depth questionnaire, which will give you insight into what documentation and topics the auditor will cover, must be completed and returned to the auditing staff by the set deadline.
4.) The Binder
Place a copy of all relevant documentation into a binder (or two) that you can deliver to your auditor when they arrive on-site.
This up-to-date technical documentation of your processes and qualifications (including those of your vendors) is a key component of a successful audit.
5.) Your On-Site Audit
Your auditor will arrive on the scheduled date and conduct an administrative interview with appropriate agency personnel (TAC, LASO, IT Manager(s), and Chief (or representative)) discussing your NCIC and security systems and processes.
A physical security inspection will be conducted of the facility and anywhere the criminal justice information is processed, stored, or accessed, including dispatch centers, patrol vehicles, records areas, and more.
Lastly, detailed documentation of your processes and systems will be expected by your auditor. That’s when you’ll hand over your binder.
6.) Audit Follow-Up and Compliance Planning
While the action may seem to be simmering down, this step is actually the most important for you and your agency.
At the conclusion of the On-Site Audit, you will receive your CJIS policy assessment packet, which contains your compliance status in all areas assessed. Your agency will be assigned a CJIS Security Officer (CSO), a state representative who will hold your agency accountable for forming and executing a plan to address compliance gaps.
Your CSO will communicate through your LASO and follow up on any deficiencies. These follow-ups are regularly reported to the Audit Unit and then to the Advisory Policy Board (APB) for further action as deemed appropriate.
Consequences of a Failed Audit
The most common causes of audit failure are often issues pointed out in past audits. When not addressed in a timely manner, these issues can get even worse with time, leading to a poor CJIS compliance standing.
Your access to CJI could be revoked until your next state or federal audit.