If I’m Getting Audited, Who Needs to Be There and What Documentation Do I Need on Audit Day?

Date Posted - 2nd Jul 2014 |  Category - CJIS Security Policy, Newsletter


“Funny” story…

You may remember from the last newsletter that the title of this one was supposed to be “Audit Day: Who Needs to be Present and What Documentation Do I Need?”


Well….very recent “events” have reminded me that email subject lines can be taken out of context and can cause unintended minor panic.


Because I am such a quick learner, welcome to “If I Were Going to be Audited, Who Needs to Be Present and What Documentation Do I Need on Audit Day?”… the slightly modified, non-panic-inducing, informational missive for your reading pleasure.


Preparing for an audit takes a considerable amount of time: you have to organize the people and documents that the auditor will be looking to interact with.


Knowing exactly who and what to have available can be tricky. Let’s look into this a bit.


For simplicity, once again, we will focus on the types of resources that need to be available during an FBI IT security or NCIC program audit.


For illustration, the lists below are examples of resources needed for both program areas.  Some people/items may not apply if you’re lucky enough to get audited only in one program area. 


Examples of personnel that need to be present during an FBI audit are those who are responsible for, and can answer questions about and explain, your agency’s operation, policy and process in:


1) Quality control procedures

  • Second party checks
  • Record packing

2) Noncriminal justice agency support (e.g. County IT providing services)

3) Private contractors/vendors

4) Personnel actions for misuse (both NCIC and IT security)

5) Personnel security

6) Training (NCIC and security awareness)

7) Technology infrastructure (networks, system access, authentication, authorization, etc.)

8) Validations



Examples of documentation that will be needed include, but aren’t limited to:


1) Management control agreements 

2) Fully executed security addenda and certifications for all contractors/vendors

3) All records with supporting information (e.g. case file)  that were specifically referenced in the pre-audit questionnaire

4) Security awareness training materials with lists of personnel, their training status and assigned access levels

5) Procedures for incident reporting/handling

6) Procedures/forms for requesting/removing access to information systems covered under the CJIS Security Policy

7) An explanation of your Agency’s Information Security Program and any local policies and procedures

8) Network diagram showing all forms of access to systems connected to CJIS systems

9) Documentation of procedures for quality control, validations and assignment of responsible personnel



Wow!  Those rival my kids’ Christmas lists and are quite long, and they DON’T INCLUDE EVERYTHING!


As you can see, there’s a lot of preparation, organization and coordination needed to adequately prepare for an audit.  


The CJIS ACE team and I will help you painlessly step through each and every stage of an audit with ease, confidence and integrity.


From the pre-audit response and document preparation, to joining you on audit day, through final report follow up, deficiency mitigation and compliance planning, CJIS ACE has you covered.


Before I close, I have a favor to ask….


Because I know how valuable your time is (I’ve been in your seat), I am striving to make the CJIS ACE Newsletter one of the most informative and topical newsletters you read.


Drop me a line and tell me what topics you’d like to see. Tell me what concerns you the most in the audit process. Let me know what issues you’re having and what obstacles you’re experiencing when dealing with compliance issues.


Here’s my direct email:  wtatun@diversecomputing.com — I’d really like to hear from you.  


Join me next time when we look under the hood at Management Control Agreements.


It has been my experience that these agreements are one of the top deficiencies across all audited agencies. I think I know why, and we’ll be talking more about it.


Until next time, be safe.



e:  wtatun@diversecomputing.com

o:  850-778-3207

w:  www.diversecomputing.com/CJISACE




CJIS ACE is a division at DCI that helps law enforcement agencies comply with the FBI CJIS Security Policy and NCIC requirements. CJIS ACE services are designed to help you be proactive in strengthening your agency’s information security profile and comply with any other security policies that may be required (e.g. a State or County IT Security Policy). CJIS ACE brings real-world experience to assist your agency’s personnel in navigating the daunting and complicated path through audits and information security policy compliance.


Let us deal with your audit and compliance hassles…

You already have enough to worry about.
