A Performance Audit
An Audit Report on the Criminal Justice Information System
January 2022
Summary Analysis
The Department of Public Safety (DPS) and the Texas Department of Criminal Justice (TDCJ) have processes and controls in place to help ensure that information in the Criminal Justice Information System (CJIS) is accurate and complete. In addition, the timeliness and completeness of some data has improved since the State Auditor’s Office audit of CJIS in May 2016. However, DPS and TDCJ should strengthen certain controls to help ensure compliance with CJIS-related requirements.
The Criminal Justice Information System (CJIS) consists of two independent systems maintained by two separate state agencies:
- DPS maintains the Computerized Criminal History (CCH) system, which is a database containing arrest, disposition, and supervision information.
- TDCJ maintains the Corrections Tracking System (CTS), which is a collection of applications containing information on all offenders under the supervision of corrections agencies and community supervision and corrections departments (CSCDs) in Texas.
Law enforcement agencies, prosecutors’ offices, and courts submitted most information to CCH within the required reporting timeframes. Compliance with timeliness requirements has improved since a State Auditor’s Office audit report in May 2016.
DPS had processes and controls in place to help ensure the accuracy and completeness of the information in CCH; however, certain processes and controls should be strengthened. For example, DPS should implement automated controls to help ensure compliance with requirements to report the age of the victim for certain offenses and to identify offenses that involved family violence. DPS also should implement processes for reviewing the data it enters and updates in CCH.
To ensure the accuracy and completeness of information in CTS and the Intermediate System (ISYS), TDCJ (1) implemented automated controls within the systems, (2) performed internal reviews, and (3) conducted audit and correction processes. In addition, TDCJ has improved the completeness of incident numbers in CTS.
However, TDCJ should strengthen controls to (1) improve the completeness of state identification numbers and incident numbers in ISYS and (2) ensure that automated calculations in CTS are programmed correctly.
DPS implemented information security controls to help ensure the reliability of criminal history information in the CCH system. However, DPS should strengthen certain general controls, such as controls over user access and authentication, to further reduce the risks of loss or inappropriate modification of criminal history information in CCH.
To minimize the risks associated with public disclosure, auditors communicated details about information technology findings separately to DPS, in writing.
TDCJ Had Information Security Controls in Place, but Certain General Controls Should be Strengthened
TDCJ had controls in place to help ensure the reliability of criminal history information in CTS and ISYS. However, TDCJ should strengthen its process for implementing changes to ISYS and controls over user access and authentication to further reduce the risk of inappropriate modifications to its systems or the data within those systems.
To minimize the risks associated with public disclosure, auditors communicated details about information technology findings separately to TDCJ, in writing.
Auditors followed up on 17 of 21 recommendations in An Audit Report on the Criminal Justice Information System at the Department of Public Safety and the Texas Department of Criminal Justice (State Auditor’s Office Report No. 16-025, May 2016). Five recommendations were fully implemented, eight recommendations were substantially implemented, and implementation of four recommendations was incomplete or ongoing.
Graphics, Media, Supporting documents