If I Were Going to be Audited, Who Needs to Be Present and What Documentation Do I Need on Audit Day?
You may remember from the last newsletter that the title of this one was supposed to be, “Audit Day: Who Needs to be Present and What Documentation Do I Need?”
Well... very recent "events" have reminded me that email subject lines can be taken out of context and can cause unintended minor panic.
Because I am such a quick learner, welcome to "If I Were Going to be Audited, Who Needs to Be Present and What Documentation Do I Need on Audit Day?", the slightly modified, non-panic-inducing, informational missive for your reading pleasure.
Preparing for an audit takes a considerable amount of time to organize the people and documents that the auditor will want to interact with.
Knowing exactly who and what to have available can be tricky. Let’s look into this a bit.
For simplicity, we will once again focus on the types of resources that need to be available during an FBI IT security or NCIC program audit.
For illustration, the lists below are examples of resources needed for both program areas. Some people/items may not apply if you’re lucky enough to get audited only in one program area.
Examples of personnel that need to be present during an FBI audit are those who are responsible for, can answer questions about, and can explain your agency's operation, policy and process in:
1. Quality control procedures
2. Second party checks
3. Record packing
4. Noncriminal justice agency support (e.g. County IT providing services)
5. Private contractors/vendors
6. Personnel actions for misuse (both NCIC and IT security)
7. Personnel security
8. Training (NCIC and security awareness)
9. Technology infrastructure (networks, system access, authentication, authorization, etc.)
Examples of documentation that will be needed include, but aren’t limited to:
1. Management control agreements
2. Fully executed security addenda and certifications for all contractors/vendors
3. All records with supporting information (e.g. case file) that were specifically referenced in the pre-audit questionnaire
4. Security awareness training materials with lists of personnel, their training status and assigned access levels
5. Procedures for incident reporting/handling
6. Procedures/forms for requesting/removing access to information systems covered under the CJIS Security Policy
7. An explanation of your Agency’s Information Security Program and any local policies and procedures
8. Network diagram showing all forms of access to systems connected to CJIS systems
9. Documentation of procedures for quality control, validations and assignment of responsible personnel
Wow! Those rival my kids’ Christmas lists and are quite long, and they DON’T INCLUDE EVERYTHING!
As you can see, there’s a lot of preparation, organization and coordination needed to adequately prepare for an audit.
The CJIS ACE team and I will help you painlessly step through each and every stage of an audit with ease, confidence and integrity.
From the pre-audit response and document preparation, to joining you on audit day, through final report follow up, deficiency mitigation and compliance planning, CJIS ACE has you covered.
Join me next time when we look under the hood at Management Control Agreements.
It has been my experience that these agreements are one of the top deficiencies across all audited agencies. I think I know why, and we’ll be talking more about it.
Until then, be safe, and I’m looking forward to hearing from you (remember the favor above),
Chief Information Security Officer, Diverse Computing, Inc.