(1) The Director shall appoint auditors to conduct performance audits of criminal justice agencies that access Georgia's CJIS network to assess and enforce compliance with these Rules, O.C.G.A. §§ 35-3-34 through 35-3-38, other relevant Georgia code sections and pertinent federal statutes and regulations. (a) The GCIC audit program shall be designed and conducted to meet the performance audit standards and practices set out in the General Accounting Office (GAO) publication Government Auditing Standards also adhered to by the FBI CJIS Division audit staff.(b) GCIC auditors shall audit these agencies triennially as required by NCIC operating policy. A representative sample of agencies that do not access Georgia's CJIS network will be audited, based on the availability of auditor resources.(c) Agency heads shall receive at least 15 days advance notice of on-site GCIC audits. Written notification will identify all areas of audit program interest and the applicable performance standards.(d) Upon completion of each performance audit, GCIC auditors shall discuss their findings with agency heads, TACs, or their designees. GCIC auditors will recommend strategies for remedial action to resolve any area of non-compliance. In addition, GCIC auditors will assist agency heads in obtaining agency personnel training or any other assistance related to efforts to resolve areas of non-compliance.(e) GCIC auditors will provide agency heads with written reports, which identify areas of compliance, non-compliance and other written comments specific to audit assessments. The Audit Program Manager will report the results of completed audits to the Assistant Deputy Director for Compliance and Customer Support and the Director.(f) The Director shall report the status of the Georgia audit program to the Chairman and members of the GCIC Council. In cases of continued non-compliance, the Director shall provide recommendations to the Council for sanctions or other actions per the provisions of GCIC Council Rule 140-2-.20(Sanctions).(2) Agencies scheduled for audit shall make the following available to GCIC auditors: (a) Facility access policy.(b) Personnel records (maintained in agency files) to include results of employee fingerprint-based background checks, GCIC Awareness Statements, records of relevant training, e.g., CJIS Network Terminal Operator workbooks, end of chapter tests and final certification tests, as well as any other training materials used for practitioners and any other documents deemed appropriate to accomplish the audit responsibilities.(c) Local criminal history record files.(d) CHRI handling procedures.(e) Standard operating procedures governing the access, use, security and discipline regarding the dissemination of criminal justice information.(f) Case files that support GCIC/NCIC computerized record entries, e.g. incident and supplemental reports, missing persons reports, family violence reports, arrest warrants.(g) Computer system hardware, when requested.(h) Computer system software, when requested.(i) Computer system documentation to include system topologies, when requested.Ga. Comp. R. & Regs. R. 140-2-.07
O.C.G.A. Secs. 35-3-31, 35-3-32, 35-3-34, 35-3-38, 42 U.S.C. 3771, 28 CFR 20.21.
Original Rule entitled "Audit Procedures" adopted. F. Feb. 25, 1976; eff. Mar. 16, 1976.Repealed: New Rule of same title adopted. F. Jan. 7, 1983; eff. Feb. 1, 1983, as specified by the Agency.Repealed: New Rule of same title adopted. F. Sept. 6, 1984; eff. Oct. 8, 1984, as specified by the Agency.Repealed: New Rule of same title adopted. F. July 2, 1986; eff. July 22, 1986.Repealed: New Rule of same title adopted. F. Nov. 7, 1990; eff. Nov. 27, 1990.Repealed: New Rule of same title adopted. F. Dec. 2, 1992; eff. Dec. 22, 1992.Amended: F. Apr. 16, 1993; eff. May 6, 1993.Repealed: New Rule of same title adopted. F. Mar. 4, 1998; eff. Mar. 24, 1998.Amended: F. Sept. 5, 2002; eff. Sept. 5, 2002.Repealed: New Rule of same title adopted. F. Sept. 25, 2007, eff. Oct. 15, 2007.