Audit of the Department of Criminal Justice Information Services Objectives, Scope, and Methodology

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of the Department of Criminal Justice Information Services (DCJIS) for the period July 1, 2020 through June 30, 2021.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is a list of our audit objectives, indicating each question we intended our audit to answer; the conclusion we reached regarding each objective; and, if applicable, where each objective is discussed in the audit findings.

To achieve our audit objectives, we gained an understanding of DCJIS’s internal control environment related to the objectives by reviewing applicable agency policies and procedures, as well as conducting inquiries with DCJIS’s employees and management. We evaluated the design of controls over CORI request backlogs, CORI requestor audits, cybersecurity awareness training for law enforcement personnel with access to CSSOA, and reconciliation of CORI revenue data.

We extracted all 1,019,597 CORI requests from individuals and organizations during the audit period from the iCORI database. We analyzed 100% of the CORI requests by comparing the CORI request date to the date the CORI request was completed and provided to the requestor to determine whether CORI requests were completed within the 10 business days required. We identified 37 instances where a request took longer than 10 business days to complete.

We examined all 37 requests that exceeded the 10-business day requirement to determine whether the delays were substantiated.

We requested the list of audits DCJIS performed on CORI requestors (non–law enforcement agencies) from DCJIS management. We analyzed the types of agencies / organizations that requested CORI through the iCORI database to determine the number of CORI requests by agency / organization type.

We selected a random, statistical sample of 131 law enforcement personnel from a population of 22,855 who use CSSOA—with a 90% confidence level, 15% tolerable error rate, and a 50% expected error rate—to determine whether those individuals completed cybersecurity awareness training within six months of first accessing the data and biennially thereafter. We examined copies of training completion certificates to determine whether selected users completed the cybersecurity awareness training within the established timeframes.

We compared DCJIS reconciliations of revenue collected for CORI requests from DCJIS’s bank statements to MMARS revenue reports. We performed a reconciliation of revenue recorded in the iCORI database to MMARS to ensure that collected revenue was properly accounted for in accordance with the Office of the Comptroller of the Commonwealth’s “Cash Recognition and Reconciliation Policy.”

iCORI Database

To determine the reliability of the data in the iCORI database, we tested selected information system controls (access controls, security management, configuration management, contingency planning, and segregation of duties). We conducted electronic tests, including checking for sequential gaps and duplicates, on request identification numbers. We also determined whether all data fell within the audit period.

For those law enforcement agencies accessing CSSOA, we reconciled the number of law enforcement agencies to the law enforcement agency list used by the DCJIS audit team.

MMARS

In 2018 and 2022, the Office of the State Auditor performed data reliability assessments of MMARS that focused on testing selected system controls (access controls, configuration management, contingency planning, and segregation of duties). As part of our current audit, we asked DCJIS management for the agency’s cybersecurity awareness policy and personnel screening policy and procedures. We tested one of the two employee files of the DCJIS employees who had access to MMARS during the audit period to determine whether DCJIS had completed the employee’s background check and whether the employee had completed cybersecurity awareness training.

Based on the results of our data reliability assessments, we determined that the information obtained for our audit period was sufficiently reliable for the purpose of our audit.