This page, Audit of the Department of Criminal Justice Information Services Objectives, Scope, and Methodology, is offered by the Office of the State Auditor.

Audit of the Department of Criminal Justice Information Services Objectives, Scope, and Methodology

An overview of the purpose and process of auditing the Department of Criminal Justice Information Services.

Overview

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of the Department of Criminal Justice Information Services (DCJIS) for the period July 1, 2020 through June 30, 2021.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is a list of our audit objectives, indicating each question we intended our audit to answer; the conclusion we reached regarding each objective; and, if applicable, where each objective is discussed in the audit findings.

Objectives and Conclusions

  1. Objective: Does DCJIS maintain its Criminal Offender Record Information (CORI) database, iCORI, in accordance with Section 167A(f) of Chapter 6 of the General Laws and DCJIS’s request turnaround policy, as published on its website?
     Conclusion: Yes

  2. Objective: Does DCJIS perform audits of CORI requestors to confirm that non–law enforcement CORI requestors have security protection over the information obtained through the iCORI database in accordance with Section 2.21(4)(d) of Title 803 of the Code of Massachusetts Regulations, which was effective during the audit period?
     Conclusion: No; see Finding 1

  3. Objective: Does DCJIS ensure that all Criminal Justice Information System Single Sign On Application (CSSOA) users who have access to criminal justice information complete cybersecurity awareness training in accordance with Sections 5.2.1 through 5.2.3 of the United States Department of Justice Federal Bureau of Investigation’s “Criminal Justice Information Services (CJIS) Security Policy,” dated June 1, 2020?
     Conclusion: No; see Finding 2

  4. Objective: Does DCJIS reconcile funds received for CORI requests to the Massachusetts Management Accounting and Reporting System (MMARS) in accordance with the Office of the Comptroller of the Commonwealth’s “Cash Recognition and Reconciliation Policy,” dated July 1, 2004?
     Conclusion: No; see Finding 3

To achieve our audit objectives, we gained an understanding of DCJIS’s internal control environment related to the objectives by reviewing applicable agency policies and procedures, as well as conducting inquiries with DCJIS’s employees and management. We evaluated the design of controls over CORI request backlogs, CORI requestor audits, cybersecurity awareness training for law enforcement personnel with access to CSSOA, and reconciliation of CORI revenue data.

CORI Request Backlogs

We extracted all 1,019,597 CORI requests from individuals and organizations during the audit period from the iCORI database. We analyzed 100% of the CORI requests by comparing the CORI request date to the date the CORI request was completed and provided to the requestor to determine whether CORI requests were completed within the 10 business days required. We identified 37 instances where a request took longer than 10 business days to complete.

We examined all 37 requests that exceeded the 10-business-day requirement to determine whether the delays were substantiated.

Audits

We requested the list of audits DCJIS performed on CORI requestors (non–law enforcement agencies) from DCJIS management. We analyzed the types of agencies / organizations that requested CORI through the iCORI database to determine the number of CORI requests by agency / organization type.

Cybersecurity Awareness Training for CSSOA Users

We selected a random, statistical sample of 131 law enforcement personnel from a population of 22,855 who use CSSOA—with a 90% confidence level, 15% tolerable error rate, and a 50% expected error rate—to determine whether those individuals completed cybersecurity awareness training within six months of first accessing the data and biennially thereafter. We examined copies of training completion certificates to determine whether selected users completed the cybersecurity awareness training within the established timeframes.

iCORI Revenue Reconciliation

We compared DCJIS reconciliations of revenue collected for CORI requests from DCJIS’s bank statements to MMARS revenue reports. We performed a reconciliation of revenue recorded in the iCORI database to MMARS to ensure that collected revenue was properly accounted for in accordance with the Office of the Comptroller of the Commonwealth’s “Cash Recognition and Reconciliation Policy.”

Data Reliability Assessment

iCORI Database

To determine the reliability of the data in the iCORI database, we tested selected information system controls (access controls, security management, configuration management, contingency planning, and segregation of duties). We conducted electronic tests, including checking for sequential gaps and duplicates, on request identification numbers. We also determined whether all data fell within the audit period.

For those law enforcement agencies accessing CSSOA, we reconciled the number of law enforcement agencies to the law enforcement agency list used by the DCJIS audit team.

MMARS

In 2018 and 2022, the Office of the State Auditor performed data reliability assessments of MMARS that focused on testing selected system controls (access controls, configuration management, contingency planning, and segregation of duties). As part of our current audit, we asked DCJIS management for the agency’s cybersecurity awareness policy and personnel screening policy and procedures. We tested one of the two employee files of the DCJIS employees who had access to MMARS during the audit period to determine whether DCJIS had completed the employee’s background check and whether the employee had completed cybersecurity awareness training.

Based on the results of our data reliability assessments, we determined that the information obtained for our audit period was sufficiently reliable for the purpose of our audit.

Date published: April 13, 2023
