A Performance Audit
An Audit Report on The Criminal Justice Information System at the Department of Public Safety and the Texas Department of Criminal Justice
May 2016
Summary Analysis
The completeness and timeliness of some data in the Criminal Justice Information System (CJIS) has improved since the previous State Auditor’s Office’s September 2011 audit of CJIS. However, additional improvements are necessary to ensure the completeness, accuracy, and timeliness of all criminal history records in CJIS.
CJIS consist of two independent systems managed by two separate state agencies. The Department of Public Safety (DPS) manages the Computerized Criminal History System, which is the system used to provide criminal background check services. The Department of Criminal Justice (TDCJ) manages the Corrections Tracking System, which it uses to manage information on offenders who are currently sentenced to prison, jail, parole, and probation
As of January 2015, prosecutor offices and courts had submitted disposition records to DPS’s Computerized Criminal History System for 80.21 percent of arrest charges reported in calendar 2013. That is an improvement from the 73.68 percent submission rate the State Auditor’s Office reported in its September 2011 audit report4.
In 2011, the State Auditor’s Office recommended that DPS work with TDCJ to implement a process that would assist those agencies in identifying information missing from CJIS. While DPS and TDCJ discussed a process that would allow them to identify missing records, that process had not been finalized as of September 30, 2015.
TDCJ uses the Corrections Tracking System to manage criminal information for offenders sentenced to prison, jail, parole, and probation. However, the databases used to manage prison, jail, and parole records do not require records to include an incident number. Because that information field is not mandatory, records can be created with that required information missing. The state identification number and the incident number are unique identifiers that should be present on each criminal record, as required by Texas Code of Criminal Procedure, Section 60.052.
Auditors visited six law enforcement agencies to review the accuracy of criminal records that those agencies submitted to DPS’s Computerized Criminal History System. Auditors identified some inaccurate records; however, those errors would not significantly affect the results of criminal history background checks.
Auditors selected 25 of the 5,452 records that could not be matched between DPS’s Computerized Criminal History System and TDCJ’s Corrections Tracking System to determine why these records could not be matched. Auditors’ analysis indicated that all 25 records in the Corrections Tracking System had errors that prevented a match, such as incorrect state identification numbers, offense codes, incident numbers, and incident number suffixes.
In the 2011 audit of CJIS, the State Auditor’s Office reported that DPS had not entered into the Computerized Criminal History System records that reporting agencies had submitted in hard-copy form during a time period that covered approximately two months. On November 2015, auditors observed that DPS staff were entering criminal records submitted within the last 24 hours and no longer had a backlog as of that date.
However, DPS should continue monitoring the timely submission of certain disposition records and notify the appropriate commissioner court when the county reporting agencies do not comply with Texas Code of Criminal Procedure, Section 60.08(d).
Auditors identified a total of 19 user accounts that granted DPS programmers inappropriate administrative access to the servers, application, and production databases for the Computerized Criminal History System.
All seven changes that auditors tested for changes programmers made to the Computerized Criminal History System in fiscal year 2015 were properly approved, including two changes that were categorized as emergency changes. DPS also performed a post-implementation review to verify that there were no unexpected effects on the system due to the two emergency changes. However, a lack of segregation of duties among staff involved in the change management process increases the risk of unauthorized changes to the Computerized Criminal History System. Specifically:
• Five (71.43 percent) of the 7 changes were released into production by the same programmer who created the change.
DPS had an adequate process to recover data from its local virtual tape library backup; however, as of December 2015, DPS reported that it had not performed and documented a full recovery test.
Furthermore, DPS did not have a documented process to recover data from its remote location. DPS policy requires it to review its offsite backup storage procedures annually.
TDCJ has improved the security of criminal records since the 2011 audit by limiting programmers’ ability to make modifications to its Corrections Tracking System. Specifically, TDCJ has limited access in its information technology division to four programmers who have read-only access. That is an improvement from the 11 programmers with access authority to update data and the database identified in the 2011 State Auditor’s Office audit of CJIS. However, the four programmers responsible for managing the Community Justice Assistance Division’s Intermediate System and support components have administrative access to that system.
All of the information technology systems that support the Corrections Tracking System are housed at the State Data Center. While TDCJ has written information technology policies and procedures, they do not delineate responsibilities between TDCJ employees and the State Data Center staff for changes to be made to the Corrections Tracking System.
In addition, TDCJ’s Community Justice Assistance Division has its own information technology policies and procedures that address specific areas applicable to the Intermediate System. Those policies and procedures do not clearly define the segregation of duties requirements between those responsible for making programming changes in the Intermediate System and those responsible for promoting those changes into production.
Auditors followed up on 20 of 22 recommendations in An Audit Report on the Criminal Justice Information System at the Department of Public Safety and the Texas Department of Criminal Justice (State Auditor’s Office Report No. 12-002, September 2011). Auditors did not assign a rating to the issues presented in this chapter because most of those issues were discussed in previous chapters in this report.
Graphics, Media, Supporting documents