The Office of the Inspector General, Audit Division, has completed an audit of compliance with standards governing Combined DNA Index System (CODIS) activities at the Utah Department of Public Safety (DPS) Bureau of Forensic Services (BFS) Laboratory (Laboratory).1 The Federal Bureau of Investigation (FBI) began the CODIS Program as a pilot project in 1990. The DNA Identification Act of 1994 (Act) formalized the FBI’s authority to establish a national DNA index for law enforcement purposes.2 The Act authorized the FBI to establish an index of DNA identification records of persons convicted of crimes and analyses of DNA samples recovered from crime scenes. The Act further specified that the indices include only DNA information that is based on analyses performed in accordance with quality assurance standards issued by the FBI.
The FBI implemented CODIS as a distributed database with three hierarchical levels that enables federal, state, and local crime laboratories to compare DNA profiles electronically. The National DNA Index System (NDIS) is the highest level in the CODIS hierarchy and enables the laboratories participating in the CODIS Program to compare DNA profiles on a national level. NDIS became operational in 1998 and is managed by the FBI as the nation’s DNA database containing DNA profiles uploaded by participating states. DNA profiles originate at the local level, flow upward to the state and national levels, and are compared to determine if a convicted offender can be linked to a crime, or if crimes can be linked to each other. Thus, a laboratory’s profiles have to be uploaded to NDIS before the profiles benefit the system as a whole.
The FBI provides CODIS software free of charge to any state or local law enforcement laboratory performing DNA analysis. Before a laboratory is allowed to participate at the national level a Memorandum of Understanding (MOU) must be signed between the FBI and the applicable state laboratory. The MOU defines the responsibilities of each party, includes a sublicense for the use of the CODIS software, and delineates the standards laboratories must meet in order to utilize NDIS.3
The objective of the audit was to determine if the Laboratory was in compliance with standards governing CODIS activities. Specifically, we performed testing to determine if the: (1) Laboratory was in compliance with the NDIS participation requirements; (2) Laboratory was in compliance with the quality assurance standards issued by the FBI; and (3) Laboratory’s DNA profiles in CODIS databases were complete, accurate, and allowable.
We determined that the Laboratory was in compliance with the standards governing CODIS activities with some exceptions. Specifically, we noted the following.
The Laboratory: (1) had not filed the necessary paperwork to make three information technology personnel approved CODIS users, as required; (2) did not have controls in place that would prevent concurrent logins on the Laboratory’s CODIS computers, which are prohibited; and (3) did not have control measures in place to ensure that CODIS users’ passwords are changed at least every six months, as required. Laboratory officials agreed with each of these issues, and have since taken action to address these deficiencies.
The Laboratory had not submitted copies of its most recent external quality assurance audit performed at the Laboratory to the FBI within the timeframe (30 days) permitted by the NDIS participation requirements. Since this occurrence appears to be caused by a miscommunication with the external auditors, we recommend Laboratory management take steps to ensure that external auditors are provided the information necessary to transmit the audit report to the appropriate Laboratory personnel and ensure the report is submitted timely to the FBI as required.
The Laboratory was not fully complying with the quality assurance standards, since DNA analysts were storing derivative evidence (cuttings from main evidence) in an unsecured short-term freezer. The short-term freezer in question contained properly labeled items for case analyses being completed in securely closed, but not tamper-evident individual packaging. Since the freezer was left unlocked during the day and all Laboratory employees, including non-DNA personnel, have unescorted access to the DNA section, which houses the freezer in question, we concluded that access to the evidence in that freezer was not properly limited as required. Laboratory officials agreed and have since implemented a new procedure of keeping the freezer locked at all times when not in use and restricting non-DNA personnel from access to the freezer keys.
Of the 100 forensic profiles we reviewed, we determined that all were allowable, complete, and accurate, however, 1 of the 100 profiles had not gone through a proper technical review before it was uploaded to NDIS. Since the time that the profile was originally uploaded in 2003, Laboratory officials have changed their policies and procedures in a manner that will prevent similar occurrences. In addition, Laboratory management completed the review of this particular case while auditors were on-site.
In addition, we noted an other reportable matter: 28 of the 100 DNA profiles we reviewed were only analyzed at 9 loci instead of the required 13, thereby making them unsearchable in NDIS.4 By addressing both of these matters, we believe that Laboratory management can strengthen the evidence and contamination controls within the DNA Laboratory space, and can ensure full utilization of the crime-solving benefits of NDIS for their unsolved cases.
Based upon the corrective action already taken by the Laboratory, we make only two recommendations for additional corrective action to address the Laboratory’s compliance with standards governing CODIS activities. The results of our audit are discussed in detail in the Findings and Recommendations section of the report. Our audit scope and methodology are detailed in Appendix I of the report and the audit criteria are detailed in Appendix II of the report.
We discussed the results of our audit with Laboratory officials and have included their comments in the report as applicable. In addition, we requested a written response to a draft of our audit report from the FBI and the Laboratory. The Laboratory responded only to indicate it would take our recommendations under advisement. The FBI’s response is documented in Appendix III, and states that it plans to work with the Laboratory to resolve the remaining recommendations. Our analysis of actions necessary to close the report is contained in Appendix IV.
DNA, deoxyribonucleic acid, is genetic material found in almost all living cells that contains encoded information necessary for building and maintaining life. Approximately 99.9 percent of human DNA is the same for all people. The differences found in the remaining 0.1 percent allow scientists to develop a unique set of DNA identification characteristics (a DNA profile) for an individual by analyzing a specimen that contains DNA.
These standards were appended to the MOU as Appendix C - NDIS Procedure Manual. This manual is comprised of several operational procedures that provide specific instructions for laboratories to follow for procedures pertinent to NDIS. For our purposes, the NDIS participation requirements consist of the MOU and the NDIS operational procedures.