So, You’re About to Be Audited… What to Expect
Imagine for a moment…
You get into the office, everything about your day is looking great. That is, until you receive notice that your agency will be audited!
You immediately think that it’s time to take that long overdue vacation. Or maybe consider early retirement?
Nah, it doesn’t have to be that bad and here’s why.
Looking at an audit as a “good thing” is certainly better than viewing it as something terrible. It’s that old, “not looking at it as a problem but as an opportunity” adage.
The underlying purpose of any audit is based in “good” — ensuring compliance with standards and policies.
How is this good? It’s good because it’s very important to comply with standards and policies, especially in our line of work.
Compliance with standards and policies assists you in your job by helping to make sure you get accurate and secure information when you need it.
In the practice of information security, we call this ensuring the confidentiality, integrity and availability of mission-critical information.
Now that we have established that the audit concept is a good thing (really – it is!), let’s talk about what you can expect.
CJIS policy requires that every agency that uses CJIS systems or data be audited at least triennially by the CJIS Systems Agency (CSA). This is sometimes referred to as a “State Audit.”
In addition to the CSA audit, an agency could get selected to be audited by the FBI’s CJIS Audit Unit. Technically, this selection can happen at any time, but it usually matches up with when the CSA gets audited by the FBI, which is also at least triennially.
For simplicity, I will be focusing on a typical FBI CJIS audit process, but any audit (e.g. State Audit) will follow a logical progression like this.
The FBI CJIS audit process will be similar for any CJIS program area (e.g. Information Technology Security, NCIC, NDex, etc.) and consist of the following sequential steps:
1) Initial Contact and Notification of Audit
- This is where an FBI audit staffer will reach out to you, usually by phone, to discuss point-of-contact information and logistics.
2) Pre-Audit Questionnaire
- You will receive a pre-audit questionnaire specific to the type of audit you are going to go through. You may even receive multiple questionnaires if you are “lucky” enough to be audited on multiple programs.
- This questionnaire needs to be completed and returned to the audit staff by a set deadline.
- The pre-audit questionnaire serves several purposes by giving:
  - The FBI Auditor background about your agency and a sense of your agency’s policies and procedures
  - You an idea of what topics the audit is going to cover
  - You an idea of what type of documentation will be needed
  - You an idea as to what staff to have available to provide insight and additional documentation during the audit
3) On-Site Audit (A-DAY!!)
- An administrative interview will be conducted with appropriate agency personnel. It is important to be prepared for this! Topics covered include, but are not limited to:
  - Data Quality (Entry, Packing, etc.)
  - Second Party Checks
  - Categories for Entry
  - Timely Entry and Hit Confirmations
  - Proper Use of III
  - Network Diagram Review
  - Firewall Ruleset Review
  - Awareness Training Content/Records Review
- A physical security inspection will be conducted of the facility and anywhere the criminal justice information is processed, stored or accessed. Examples include, but are not limited to:
  - Terminal Areas
  - Communications / Dispatch Centers
  - Patrol / Squad Rooms
  - Data Center / Network Equipment Areas
4) Audit Follow Up and Compliance Planning
- At the conclusion of the On-Site Audit you will receive a policy assessment packet containing the agency’s compliance status with those areas assessed.
- This policy assessment packet will be an input to the overall compliance report issued to the CJIS Systems Officer (CSO) responsible for your agency’s compliance.
- The CSO will follow up on any deficiencies, requiring that you submit a plan toward compliance. These follow-ups are regularly reported to the FBI Audit Unit and further to the FBI’s Advisory Policy Board (APB) for further action as they deem appropriate.
Whew! That’s a whole lot of coordination, information gathering and time commitment, especially when resources are spread so thin. There goes the “good thing” of an audit!
Even if I have successfully convinced you that an audit, in concept, isn’t a bad thing, who has the time needed to do it, right?
This is where I and the rest of the CJIS ACE team can help!
We’ve been in your shoes and understand the pressure and stress that an audit can cause.
But we’ve also been on the other side as the auditor, so we know exactly what things an auditor will be looking for.
In our next newsletter, we’ll talk about some audit preparation particulars in “Audit Day: Who Needs To Be Present and What Documentation Do I Need?”