Audit Compliance of CODIS at SWIFS December 2009 - Copy


US DOJ audit of DNA testing at SWIFS detailing numerous shortcomings with the program.


  • COMPLIANCE WITH STANDARDS GOVERNING COMBINED DNA INDEX SYSTEM ACTIVITIES AT THE

    SOUTHWESTERN INSTITUTE OF FORENSIC SCIENCES DALLAS COUNTY, TEXAS

    U.S. Department of Justice Office of the Inspector General

    Audit Division

    Audit Report Number GR-80-10-002 December 2009

  • EXECUTIVE SUMMARY

    The Department of Justice, Office of the Inspector General (OIG), Audit Division, has completed an audit of compliance with standards governing Combined DNA Index System (CODIS) activities at the Southwestern Institute of Forensic Sciences (SWIFS) Laboratory (Laboratory). The Federal Bureau of Investigation's (FBI) CODIS program blends forensic science and computer technology to provide an investigative tool to federal, state, and local crime laboratories in the United States, as well as those from select international law enforcement agencies. The CODIS program allows laboratories to compare and match DNA profiles electronically to assist law enforcement in solving crimes and identifying missing or unidentified persons. 1 The FBI's CODIS Unit manages CODIS, as well as develops, supports, and provides the program to crime laboratories to foster the exchange and comparison of forensic DNA evidence.

    The FBI implemented CODIS as a distributed database with hierarchical levels that enable federal, state, and local crime laboratories to compare DNA profiles electronically. The hierarchy consists of three distinct levels that flow upward from the local level to the state level and then, if allowable, the national level. National DNA Index System (NDIS), the highest level in the hierarchy, is managed by the FBI as the nation's DNA database containing DNA profiles uploaded by law enforcement agencies across the United States. NDIS enables the laboratories participating in the CODIS program to electronically compare DNA profiles on a national level. The State DNA Index System (SDIS) is used at the state level to serve as a state's DNA database containing DNA profiles from local laboratories and state offenders. The Local DNA Index System (LDIS) is used by local laboratories.

    1 DNA, or deoxyribonucleic acid, is genetic material found in almost all living cells that contains encoded information necessary for building and maintaining life. Approximately 99.9 percent of human DNA is the same for all people. The differences found in the remaining 0.1 percent allow scientists to develop a unique set of DNA identification characteristics (a DNA profile) for an individual by analyzing a specimen containing DNA.


  • The objectives of our audit were to determine if the: (1) Laboratory was in compliance with the NDIS participation requirements; (2) Laboratory was in compliance with the Quality Assurance Standards (QAS) issued by the FBI; and (3) Laboratory's forensic DNA profiles in CODIS databases were complete, accurate, and allowable for inclusion in NDIS. The results of our review are below.

    The results of our review indicated that the Laboratory did not strictly adhere to all of the NDIS participation requirements we reviewed. The NDIS participation requirement compliance issues we found resulted from the Laboratory not: (1) storing the CODIS server backup media in a locked container at an off-site location on a monthly basis, (2) properly authorizing through the FBI an analyst that used CODIS for 1 year, (3) forwarding its most recent external audit report to the FBI within the required time frame, and (4) making best efforts to disposition in a timely manner 8 of the 17 CODIS matches we selected for review. In addition, the Laboratory did not maintain adequate documentation to determine timely notification of investigators for three matches and could not locate the case file for the profile involved in one match we attempted to review. 2 As a result of our audit, the Laboratory stated that it would begin making monthly backup tapes of the CODIS server and storing them in a locked container at a secure facility off-site, and the unauthorized CODIS user is no longer employed at the Laboratory. The Laboratory was in compliance with the remaining NDIS participation requirements we reviewed.

    Our audit results indicate that the Laboratory did not adhere to all of the Quality Assurance Standards (QAS) we reviewed. Four profiles we requested to review during our audit were missing documentation of DNA analysis. Specifically, the Laboratory could not locate case files for three profiles we requested to review, and one profile we reviewed was missing evidence of DNA analysis in the case file. 3 Forensic QAS 11 requires that laboratories maintain documentation generated by examiners related to case analyses. As a result, for these profiles it was not possible to verify adherence to Quality Assurance Standards such as technical review, control samples, and quantitation. In addition, for those profiles missing case files it was not possible to assess compliance with NDIS suitability requirements or NDIS Participation Requirements for timely match resolutions. We verified that the Laboratory removed three of these four incompliant profiles.

    2 While timely notification of investigators is not an NDIS participation requirement, the OIG uses a standard of 2 weeks. The profile with a missing case file is discussed further in the Quality Assurance Standards section of our audit report.

    3 Three of these profiles were in our sample of forensic profiles as part of our testing for the suitability of profiles at NDIS and one was involved in a match we selected for review as part of our NDIS Participation Requirement testing.

    In our sample of 103 profiles, 2 profiles were inaccurate and 18 profiles were deleted from NDIS because they were unallowable, incomplete, or missing, and because of insufficient record retention, 15 of the Laboratory's files did not have sufficient evidence to determine if the profiles were obtained from a crime scene. The Laboratory deleted these 35 profiles from NDIS. The remaining 68 profiles we reviewed were complete, accurate, and allowable for inclusion in NDIS. However, 58 of the 103 profiles in our sample are not searchable at NDIS because they contain 9 or less core loci rather than the minimum of 10 loci required to be searchable at NDIS. 4 Prior to January 2009, the Laboratory only attempted the analysis of 13 loci on forensic samples that did not have a standard for comparison, but in January 2009, the Laboratory began attempting the analysis of 13 core loci. However, 11 (30 percent) of the 37 samples analyzed between January 1, 2009, and May 13, 2009, contained less than 13 loci. The CODIS Administrator explained that it could be a matter of timing if the profile was run prior to January 1, 2009, or 13 loci were not run either because a suspect profile had already been developed for comparison or some of the sample was preserved for later use.

    We made 10 recommendations to address the Laboratory's compliance with standards governing CODIS activities, which are discussed in detail in the Findings and Recommendations section of the report. Our audit objectives, scope, and methodology are detailed in Appendix I of the report and the audit criteria are detailed in Appendix II.

    We discussed the results of our audit with Laboratory officials and have included their comments in the report as applicable. In addition, we requested a written response to a draft of our audit report from the FBI and the Laboratory. The Laboratory responded that it agreed with all ten of our recommendations. In addition, the Laboratory took adequate corrective actions to close eight recommendations. The FBI responded that it agreed with nine of our recommendations. The Laboratory response can be found in Appendix IV, while the FBI's response can be found in Appendix V. Our analysis of those responses, as well as the actions necessary to close the recommendations can be found in Appendix VI of this report.

    4 A locus is a specific location on a chromosome. The plural form of locus is loci.


  • TABLE OF CONTENTS

    INTRODUCTION
      Legal Foundation for CODIS
      CODIS Structure
      Laboratory Information

    FINDINGS AND RECOMMENDATIONS
      I. Compliance with NDIS Participation Requirements
      II. Compliance with the Quality Assurance Standards
      III. Suitability of Forensic DNA Profiles in CODIS Databases

    APPENDIX I: OBJECTIVES, SCOPE, AND METHODOLOGY

    APPENDIX II: AUDIT CRITERIA
      NDIS Participation Requirements
      Quality Assurance Standards
      Office of the Inspector General Standards

    APPENDIX III: PROFILES REVIEWED AT THE SOUTHWESTERN INSTITUTE OF FORENSIC SCIENCES LABORATORY

    APPENDIX IV: SOUTHWESTERN INSTITUTE OF FORENSIC SCIENCES LABORATORY RESPONSE TO DRAFT REPORT

    APPENDIX V: FEDERAL BUREAU OF INVESTIGATION RESPONSE TO DRAFT REPORT

    APPENDIX VI: OFFICE OF THE INSPECTOR GENERAL, AUDIT DIVISION, ANALYSIS AND SUMMARY OF ACTIONS NECESSARY TO CLOSE REPORT

  • INTRODUCTION

    The Department of Justice, Office of the Inspector General, Audit Division, has completed an audit of compliance with standards governing Combined DNA Index System (CODIS) activities at the Southwestern Institute of Forensic Sciences Laboratory (Laboratory). The Federal Bureau of Investigation's (FBI) CODIS program provides an investigative tool to federal, state, and local crime laboratories in the United States using forensic science and computer technology. The CODIS program allows laboratories to compare and match DNA profiles electronically, thereby assisting law enforcement in solving crimes and identifying missing or unidentified persons. 5 The FBI's CODIS Unit manages CODIS and is responsible for its use in fostering the exchange and comparison of forensic DNA evidence.

    The objectives of our audit were to determine if the: (1) Laboratory was in compliance with the National DNA Index System (NDIS) participation requirements; (2) Laboratory was in compliance with the Quality Assurance Standards (QAS) issued by the FBI; and (3) Laboratory's forensic DNA profiles in CODIS databases were complete, accurate, and allowable for inclusion in NDIS. Appendix I contains a detailed description of our audit objectives, scope, and methodology, while the criteria used to conduct our audit are presented in Appendix II.

    Legal Foundation for CODIS

    The FBI began the CODIS program as a pilot project in 1990. The DNA Identification Act of 1994 (Act) authorized the FBI to establish a national index of DNA profiles for law enforcement purposes. The Act, along with subsequent amendments, has been codified in a federal statute (Statute) providing the legal authority to establish and maintain NDIS. 6

    5 DNA, or deoxyribonucleic acid, is genetic material found in almost all living cells that contains encoded information necessary for building and maintaining life. Approximately 99.9 percent of human DNA is the same for all people. The differences found in the remaining 0.1 percent allow scientists to develop a unique set of DNA identification characteristics (a DNA profile) for an individual by analyzing a specimen containing DNA.

    Allowable DNA Profiles

    The Statute authorizes NDIS to contain the DNA identification records of persons convicted of crimes, persons who have been charged in an indictment or information with a crime, and other persons whose DNA samples are collected under applicable legal authorities. 7 Samples voluntarily submitted solely for elimination purposes are not authorized for inclusion in NDIS. The Statute also authorizes NDIS to include analysis of DNA samples recovered from crime scenes or from unidentified human remains, as well as those voluntarily contributed from relatives of missing persons.

    Allowable Disclosure of DNA Profiles

    The Statute requires that NDIS include only DNA information that is based on analyses performed by or on behalf of a criminal justice agency, or the U.S. Department of Defense, in accordance with QAS issued by the FBI. The DNA information in the index is authorized to be disclosed only: (1) to criminal justice agencies for law enforcement identification purposes; (2) in judicial proceedings, if otherwise admissible pursuant to applicable statutes or rules; (3) for criminal defense purposes, to a defendant who shall have access to samples and analyses performed in connection with the case in which the defendant is charged; or (4) if personally identifiable information (PII) is removed for a population statistics database, for identification research and protocol development purposes, or for quality control purposes.

    CODIS Structure

    The FBI implemented CODIS as a distributed database with hierarchical levels that enables federal, state, and local crime laboratories to compare DNA profiles electronically. CODIS consists of a hierarchy of three distinct levels: (1) NDIS is managed by the FBI as the nation's DNA database containing DNA profiles uploaded by participating states, (2) the State DNA Index System (SDIS) is used at the state level to serve as a state's DNA database containing DNA profiles from local laboratories within the state and state offenders, and (3) the Local DNA Index System (LDIS) is used by local laboratories. DNA profiles originate at the local level and then flow upward to the state and, if allowable, national level. For example, the local laboratory in the Palm Beach County, Florida, Sheriff's Office sends its profiles to the state laboratory in Tallahassee, which then uploads the profiles to NDIS. Each state participating in CODIS has one designated SDIS laboratory. The SDIS laboratory maintains its own database and is responsible for overseeing NDIS issues for all CODIS-participating laboratories within the state. The graphic below presents an example of how the system hierarchy works.

    6 42 U.S.C.A. 14132 (2006).

    7 An "information" is a formal criminal charge made by a prosecutor without a grand jury indictment. Black's Law Dictionary 795 (8th ed. 2004).

    [Figure: Example of System Hierarchy within CODIS]

    NDIS, maintained by the FBI

    SDIS Laboratory, Richmond, CA. LDIS Laboratories (partial list): Orange County Sheriff's Department; San Bernardino County Sheriff's Department; San Diego Police Department

    SDIS Laboratory, Springfield, IL. LDIS Laboratories (partial list): DuPage County Sheriff's Office; Illinois State Police, Chicago; Illinois State Police, Rockford

    SDIS Laboratory, Tallahassee, FL. LDIS Laboratories (partial list): Broward County Sheriff's Office; Miami-Dade Police Department; Palm Beach County Sheriff's Office

    National DNA Index System

    NDIS is the highest level in the CODIS hierarchy and enables the laboratories participating in the CODIS program to electronically compare DNA profiles on a national level. NDIS does not contain names or other PII about the profiles. Therefore, matches are resolved through a system of laboratory-to-laboratory contacts. Within NDIS are seven searchable indices discussed below.


  • Convicted Offender Index contains profiles generated from persons convicted of qualifying offenses. 8

    Arrestee Index is comprised of profiles developed from persons who have been arrested, indicted, or charged in an information with a crime.

    Legal Index consists of profiles that are produced from DNA samples collected from persons under other applicable legal authorities. 9

    Forensic Index profiles originate from, and are associated with, evidence found at crime scenes.

    Missing Person Index contains known DNA profiles of missing persons and deduced missing persons.

    Unidentified Human (Remains) Index holds profiles from unidentified living individuals and the remains of unidentified deceased individuals. 10

    Relatives of Missing Person Index is comprised of DNA profiles generated from the biological relatives of individuals reported missing.

    Although CODIS is comprised of multiple indices or databases, the two main functions of the system are to: (1) generate investigative leads that may help in solving crimes and (2) identify missing and unidentified persons.

    The Forensic Index is pivotal for generating investigative leads in CODIS that may help solve crimes. Investigative leads may be generated through matches between the Forensic Index and other indices in the system, including the Convicted Offender, Arrestee, and Legal Indices. These matches may provide investigators with the identity of suspected perpetrators. CODIS also links crime scenes through matches between Forensic Index profiles, potentially identifying serial offenders.

    8 The phrase "qualifying offenses" is used here to refer to local, state, or federal crimes that require a person to provide a DNA sample in accordance with applicable laws.

    9 An example of a Legal Index profile is one from a person found not guilty by reason of insanity, who is required by the relevant state law to provide a DNA sample.

    10 An example of an Unidentified Human (Remains) Index profile from a living person is a profile from a child or other individual, who cannot or refuses to identify themselves.


  • In addition to generating investigative leads, CODIS furthers the objectives of the FBI's National Missing Person DNA Database program through its ability to identify missing and unidentified individuals. Those persons may be identified through matches between indices in CODIS, for instance, through matches between the profiles in the Missing Persons Index and the Unidentified Human (Remains) Index. Identifications may also be generated through matches between the Unidentified Persons Index and the Relatives of Missing Persons Index. The profiles within the Missing Persons and Unidentified Human (Remains) Indices may also be vetted against the Forensic, Convicted Offender, Arrestee, and Legal Indices to provide investigators with leads in solving missing and unidentified persons cases.

    State and Local DNA Index System

    The FBI provides CODIS software free of charge to any state or local law enforcement laboratory performing DNA analysis. Laboratories are able to use the CODIS software to upload profiles to NDIS. However, before a laboratory is allowed to participate at the national level and upload DNA profiles to NDIS, a Memorandum of Understanding (MOU) must be signed between the FBI and the applicable state's SDIS laboratory. The MOU defines the responsibilities of each party, includes a sublicense for the use of CODIS software, and delineates the standards laboratories must meet in order to utilize NDIS. Although officials from LDIS laboratories do not sign an MOU, LDIS laboratories that upload DNA profiles to an SDIS laboratory are required to adhere to the MOU signed by the SDIS laboratory.

    States are authorized to upload DNA profiles to NDIS based on local, state, and federal laws, as well as NDIS regulations. However, states or localities may maintain NDIS-restricted profiles in SDIS or LDIS. For instance, a local law may allow for the collection and maintenance of a victim profile at LDIS, but NDIS regulations do not authorize the upload of that profile to the national level.

    The utility of CODIS relies upon the completeness, accuracy, and quantity of profiles that laboratories upload to the system. Incomplete CODIS profiles are those for which the required number of core loci were not tested or do not contain all of the DNA information that resulted from a DNA analysis and may not be searched at NDIS. The probability of a false match among DNA profiles is reduced as the completeness of a profile increases. Inaccurate profiles, which contain incorrect DNA information or an incorrect specimen number, may generate false positive leads, false negative comparisons, or lead to the misidentification of a sample. CODIS becomes more useful as the quantity of DNA profiles in the system increases because the potential for additional leads rises. However, laws and regulations exclude certain types of profiles from being uploaded to CODIS to prevent violations to an individual's privacy and foster the public's confidence in CODIS. Therefore, it is the responsibility of the Laboratory to ensure that it is adhering to the NDIS participation requirements and the profiles uploaded to CODIS are complete, accurate, and allowable for inclusion in NDIS.

    Laboratory Information

    The Southwestern Institute of Forensic Sciences in Dallas, Texas, participates in the CODIS program as an LDIS laboratory, serving approximately 70 counties and 120 different agencies in Texas. Funding for the Laboratory is provided by Dallas County; and, because there is no state medical examiner in Texas, Dallas County is the Laboratory's main user. The Laboratory began a DNA program in 1991 and started uploading profiles to SDIS in 1997. The Laboratory has participated in NDIS since its inception in 1998 and analyzes only forensic samples. The Laboratory does not contract out the analysis of samples. The Laboratory was first accredited by the American Society of Crime Laboratory Directors/Laboratory Accreditation Board in 2003. The accreditation was renewed on March 12, 2008, and expires on March 11, 2013. The Laboratory also has accreditation from the Texas Department of Public Safety.

  • FINDINGS AND RECOMMENDATIONS

    I. Compliance with NDIS Participation Requirements

    We determined that the Laboratory was not in compliance with four NDIS participation requirements we tested. We found that the Laboratory was not adequately safeguarding CODIS information by storing monthly backup media in a locked container at a secure off-site location, an unauthorized user was allowed access to the CODIS computer for 1 year without the proper authority from the FBI, the Laboratory did not make its best efforts to disposition 8 of the 17 matches in our sample within a 30 business day time frame, and the Laboratory had not forwarded its external audit report to the FBI within the required 30-day period. In addition, the Laboratory did not maintain adequate documentation to determine timely notification of investigators for two matches and could not locate the case file for the profile involved in one match we attempted to review. 11

    The NDIS participation requirements, which consist of the MOU and the NDIS Procedure Manual, establish the responsibilities and obligations of laboratories that participate in the CODIS program at the national level. The MOU describes the CODIS-related responsibilities of both the Laboratory and the FBI. The NDIS Procedure Manual is comprised of the NDIS operational procedures and provides detailed instructions for laboratories to follow when performing certain procedures pertinent to NDIS. The NDIS participation requirements we reviewed are described in more detail in Appendix II of this report.

    Results

    We noted four exceptions to the Laboratory's compliance with the NDIS participation requirements regarding measures to safeguard CODIS, NDIS matches, external audits, and an unauthorized CODIS user. We also found that the Laboratory was not notifying investigators of matches in a timely manner. The results of our audit are described in more detail below.

    11 While this is not an NDIS participation requirement, the OIG uses a standard of 2 weeks to assess timely notification of matches to investigators.


  • Measures to Safeguard CODIS

    We found that the CODIS server and computers are accessible only to authorized CODIS users with unique passwords and that the server and computers are located in a separate locked room. In the event that a user fails to lock the screen manually when leaving the room, the computer screen locks itself after 10 minutes of non-use. We noted that weekly backups of the server were made as required. However, the backups were not being stored at a secure off-site location in a locked container on a monthly basis. The CODIS Administrator stated that she thought backups must be maintained off-site only when the tape was full, which occurs every 4 to 5 years. When we brought the requirement to the CODIS Administrator's attention, she said it would be corrected immediately.

    NDIS Match Dispositions

    We judgmentally selected a sample of 10 percent of the NDIS matches but expanded our sample size to 17 matches based upon our findings. However, one of the case files could not be located for our review. Two were duplicate matches to offenders that were previously confirmed - both cases involved had been adjudicated and the investigators declined to pursue further. Of the 14 remaining matches we reviewed, 9 of the confirmation requests were initiated by this laboratory and 5 were confirmation requests from another laboratory. We found that the Laboratory did not request confirmation for 6 matches and did not confirm 2 matches in a timely manner. These findings are explained in more detail below.

    NDIS procedures require Laboratory staff to make best efforts to disposition matches within 30 business days. For the 10 match confirmations initiated by the Laboratory that we were able to review, 6 were untimely because the Laboratory took between 45 and 212 business days to request the confirmation from the other laboratory involved in the match. The other four matches met the 30 business day requirement. The reason provided by the CODIS Administrator for the majority of the late match dispositions was that they were not processed until she started going through the backlog of match files and cleared out overdue dispositions.

    NDIS procedures require the Laboratory to make its best efforts to perform its internal match confirmation process, review its DNA data, and respond to the requesting laboratory within 30 business days of receipt of a request for match follow-up. Of the 5 match confirmation requests that the Laboratory received, we found 2 match confirmations were untimely because the Laboratory took 302 and 536 days to confirm. We asked the CODIS Administrator why the two confirmations were not completed in a timely manner. She explained that the match that took 536 days occurred while she was on leave and no one else was attending to the match requests. The remaining match confirmation was late because it was not done until she started going through the backlog of match files.

    Notifying Investigators of Matches

    To assess timely notification of investigators, the OIG uses a standard of 2 weeks from the match confirmation date, unless there are extenuating circumstances. Our rationale for this standard is that delayed notification of law enforcement personnel may result in the suspected perpetrator's commitment of additional, and possibly more egregious, crimes if the individual is not deceased or already incarcerated for the commission of other crimes. Of the 17 matches we selected for review, 4 had incomplete documentation. Three matches were duplicate offender matches that had been previously matched and confirmed. Two other matches had been previously matched to offenders, investigators had been previously contacted at the time of the original matches, and the cases had been adjudicated. For one match, the other laboratory involved never confirmed the SWIFS's request for confirmation. Investigators were notified in a timely manner of the eight remaining matches.

    Exhibit 1 illustrates the results of our review of NDIS matches.


  • EXHIBIT 1. OIG ANALYSIS OF NDIS MATCHES

    [Table. Columns: Business Days from Date of Initiation to Request for Confirmation; Business Days to Confirm Match of Another Laboratory; Business Days from Confirmation to Notify Investigator]

    Source: OIG Analysis

    External Audits

    Quality Assurance Standards require laboratories to conduct annual audits, and at least once every 2 years the audit must be conducted by an external agency. NDIS procedures require that all external audit reports, with the Laboratory's clarifications or responses, be forwarded to the FBI within 30 days of receipt of the audit. The Laboratory had an external audit conducted in February 2008 and an internal audit conducted in December 2007. Annual audits must be conducted not less than 6 months or more than 18 months apart. Since the February 2008 external audit occurred less than 6 months after the internal audit, the Laboratory had a second external audit conducted in June 2008.

    12 The CODIS Administrator told us the investigators were notified of the potential match 2 days prior to the confirmation. The investigators were not contacted again until the confirmation report was issued.

    The Laboratory had no record of when the audit reports were received, but the Technical Leader told us that he knew it was well over 30 days from the Laboratory's receipt of the audit reports until they were forwarded to the FBI. The Laboratory did not forward the February 26 through 29, 2008, audit to the FBI until June 16, 2008, and the FBI acknowledged receipt of the audit conducted June 23 through June 24, 2008, on March 13, 2009. We asked the Technical Leader why the audit reports were not forwarded in a t imely manner. He explained that it was an oversight on his part and that it took more than 30 days to respond to the various issues in the reports. He further stated that he did not request extensions from the FBI.

    Unauthorized CODIS User

    NDIS participating laboratories are required to submit certain documents for FBI approval before a CODIS user is authorized to access the CODIS database. These documents include fingerprint cards and background information certifying that the analyst is qualified to become a CODIS user and allowing the FBI to perform a background check. In our review of CODIS user records, we found that the Laboratory had allowed a CODIS user access to CODIS for 1 year (May 11, 2001, to May 11, 2002) before the FBI received the documentation for her approval (in June 2002). The CODIS user was an analyst that produced profiles for upload to NDIS and also had direct unsupervised access to all of the Laboratory's profiles in CODIS. Once the Laboratory submitted the required paperwork, the FBI denied the CODIS user's access based on a failed security check. The CODIS Administrator and the Technical Leader told us they thought the required paperwork had been submitted before the user was allowed access. The proper documentation was provided to the FBI for all other CODIS users.

    We took no exception with the remaining areas of our review of the Laboratory's compliance with NDIS participation requirements. The results for these areas are described below.


  • We reviewed the annual CODIS user reminder forms for the past 2 years and found that all analysts had completed the forms as required.

    We found that the Laboratory exceeds NDIS participation requirements for maintaining personnel records of CODIS users. NDIS requires records be kept for 10 years. Laboratory management told us they keep the records indefinitely.

    Conclusion

    We noted that the Laboratory was not in compliance with NDIS participation requirements because we identified four exceptions in the areas reviewed. Specifically, we found that: (1) the laboratory was not sending backup tapes of the CODIS server to a secure off-site location on a monthly basis, (2) 8 of the 17 NDIS matches in our sample were not requested or confirmed within 30 business days, (3) the external audit we reviewed was not forwarded to the FBI within 30 days, and (4) the Laboratory had allowed an unauthorized user access to CODIS for 1 year without the proper authorization from the FBI. 13 We also found a QAS violation, discussed further in the QAS section (Finding II) of this report, and the Laboratory did not maintain sufficient documentation to assess whether investigators were notified in a timely manner for two other matches we reviewed.

    Recommendations

    We recommend that the FBI:

    1. Ensure the Laboratory sends backup tapes of the CODIS server to a secure off-site location, where they are kept in a lockable container, on a monthly basis.

    2. Ensure that the Laboratory implements a written policy that requires personnel to request or confirm NDIS matches in a timely manner.

    3. Ensure that the Laboratory implements a written policy that will ensure that matches are reviewed and dispositioned in the absence of the CODIS Administrator.

    13 Our sample included 17 matches. However, one case file could not be located. As a result, we reviewed 16 samples.


  • 4. Ensure that the Laboratory implements a written policy that requires Laboratory personnel to submit external audit reports, with clarifications or responses, to the FBI within 30 days of receipt of the audit report or, if unable to meet the 30-day requirement, request an extension from the FBI.

    5. Ensure that the Laboratory sends all required documentation for a new CODIS user to the FBI and receives FBI authorization before allowing the user access to CODIS.

    6. Ensure that the Laboratory takes appropriate steps to minimize risks presented by the unauthorized DNA analyst's access to or analysis of CODIS profiles and review all profiles uploaded to NDIS by this analyst.

    7. Ensure that the Laboratory deletes from NDIS the profile for file number 89P1294, which could not be located during our review of NDIS matches.


  • II. Compliance with the Quality Assurance Standards

    Our audit results indicate that the Laboratory did not adhere to all of the Quality Assurance Standards (QAS) we reviewed. Four profiles we requested to review during our audit had insufficient documentation of DNA analysis. Specifically, the Laboratory could not locate case files for three profiles we requested to review, and one profile we reviewed was missing evidence of DNA analysis in the case file. 14 Forensic QAS 11 requires that Laboratories maintain documentation generated by examiners related to case analyses. As a result, for these profiles it was not possible to verify adherence to QAS, such as technical review, control samples, and quantitation. In addition, for those profiles missing case files it was not possible to assess compliance with NDIS suitability requirements or NDIS Participation Requirements for timely match resolutions.

    During our audit, we considered the Forensic QAS issued by the FBI. 15 These standards describe the quality assurance requirements that the Laboratory must follow to ensure the quality and integrity of the data it produces. The QAS we reviewed are described in more detail in Appendix II.

    Results

    During our audit we found four profiles at NDIS did not conform to the forensic QAS. In our review of forensic profiles, which is discussed in Finding III, Suitability of Forensic DNA Profiles in CODIS Databases, we identified one profile with an incomplete case file that was missing evidence of DNA analysis. In addition, two specimens were excluded from our sample because their case files could not be located. Further, during our review of NDIS participation requirements, which is discussed in Finding I of this report, we found one profile associated with a match that we selected for review also had a missing case file. These profiles violate Forensic QAS 11, which requires that Laboratories maintain documentation generated by examiners related to case analyses. These deficiencies are also concerning because we could not verify that the QAS were adhered to in the analysis of these profiles. Specifically, the QAS require that specimen analysis be technically reviewed, that human DNA is quantified whenever possible, and

    14 Three of these profiles were in our sample of forensic profiles as part of our testing for the suitability of profiles at NDIS, and one was involved in a match we selected for review as part of our NDIS Participation Requirement testing.

    15 Forensic Quality Assurance Standards refers to the Quality Assurance Standards for Forensic DNA Testing Laboratories, effective October 1, 1998.


  • that controls are run with the sample to identify contamination. In addition, for those profiles missing case files, we could not determine whether NDIS suitability standards or NDIS Participation Requirements regarding match dispositions were adhered to.

    Also of note, we found that the Laboratory only maintains control of its case files for the current year and the 2 preceding years. Older files are stored at the Dallas County Records Storage Warehouse and become the responsibility of Dallas County's Records Management Staff in accordance with the policy of Dallas County. The case files that were missing had been sent to the Dallas County Records Storage Warehouse for storage.

    We took no exception to the Laboratory's compliance with the QAS for the remaining areas of our review. The results for the areas of our review are described below.

    We reviewed the internal audit performed in December 2007 and external audits performed in February and June 2008. The FBI's QAS require annual audits to be performed not less than 6 months but not more than 18 months apart and that at least every 2 years the audit must be an external audit. Because the external audit performed in February 2008 was not at least 6 months after the internal audit of December 2007, another external audit was performed in June 2008. We found the Laboratory to be in compliance with the QAS for performing an external audit at least every 2 years.

    We determined that the reviewers conducting both external audits we reviewed used the required FBI Audit Document, and the FBI confirmed that at least one member of the audit team for these audits had successfully passed the FBI's training course for that audit document. We also reviewed the audits and determined that there were no repeat deficiencies.

    We determined that all four of the auditors who performed the external audits, including the lead auditors, were independent of the audit and had no impairments.

    We toured the Laboratory to check for security features of the Laboratory and the DNA analysis areas. We determined that the Laboratory meets the criteria for QAS for Forensic DNA Testing Laboratories.

    Also, while touring the Laboratory we assessed the adequacy of the controls used to ensure the integrity of physical evidence for forensic


  • samples. We determined the controls in place were adequate and the Laboratory was entering the sample test results correctly.

    We verified that the Laboratory was adequately separating the known and unknown samples as required by NDIS procedures.

    We reviewed the Laboratory's policy for retaining samples after typing and found the Laboratory's procedures to be in accordance with the Forensic QAS.

    We verified that the Laboratory does not use subcontracted laboratories to assist in the analysis of its forensic samples.

    Conclusion

    We found that the Laboratory was not in compliance with the FBI's QAS because we identified four samples during our audit for which documentation of DNA analysis was missing, including technical review, quantitation, and controls. As a result, we make one recommendation regarding the Laboratory's procedures for the maintenance of DNA analysis documentation. In addition, recommendation number 10 in Finding III of this report, entitled Suitability of Forensic DNA Profiles in CODIS Databases, addresses the compliance with QAS of the Laboratory's remaining profiles at NDIS.

    Recommendations

    We recommend that the FBI:

    8. Ensure that the Laboratory implements procedures to require that all case documentation is maintained for profiles at NDIS.


  • III. Suitability of Forensic DNA Profiles in CODIS Databases

    Our review of 103 forensic DNA profiles uploaded to NDIS revealed that 18 profiles were unallowable, incomplete, or missing, and because of insufficient record retention, 15 of the Laboratory's files did not have sufficient evidence to determine if the profiles were obtained from a crime scene. 16 These 33 profiles included one case file that was incomplete and did not reflect evidence of DNA analysis and two case files that could not be located. 17 In addition, we found four profiles with incorrect information that had been uploaded to NDIS. The Laboratory corrected two of the four incorrect profiles and deleted the remaining two incorrect profiles from NDIS. As a result of our review, the Laboratory deleted all 35 of these profiles while we were on site for our audit field work.

    We reviewed a sample of the Laboratory's forensic DNA profiles to determine whether each profile was complete, accurate, and allowable for inclusion in NDIS. 18 To test the completeness and accuracy of each profile, we established standards that require a profile include all the loci for which the analyst obtained results and that the values at each locus match those identified during analysis. 19 Our standards are described in more detail in Appendix II.

    The NDIS operational procedures establish the DNA data acceptance standards by which laboratories must abide. These procedures prohibit a laboratory from uploading forensic profiles to NDIS that clearly match the DNA profile of the victim or another known person, unless the known person is a suspected perpetrator. The NDIS procedures we reviewed are described in more detail in Appendix II.

    16 See Appendix III for further details of the 103 reviewed profiles.

    17 These three profiles are discussed in more detail in Finding II of this report, entitled Compliance with the Quality Assurance Standards.

    18 When a laboratory's universe of DNA profiles in NDIS exceeds 1,500, our sample is taken from SDIS rather than directly from NDIS. See Appendix I for further description of the sample selection.

    19 A "locus" is a specific location on a chromosome. The plural form of locus is loci.


  • Results

    We originally selected a random sample of 100 profiles from the 1,167 forensic profiles the Laboratory uploaded to NDIS as of April 28, 2009. We found that in 58 of the profiles only 9 core loci had been attempted for analysis. The Technical Leader told us that beginning in January 2009 the analysts were instructed to attempt the analysis of 13 core loci. As a result, we expanded our sample to include 3 profiles that had been uploaded to NDIS after January 1, 2009. Our sample then contained 103 profiles, 3 of which had been uploaded after January 1, 2009.

    Our review revealed 33 profiles that were unallowable for upload to NDIS, 4 profiles that were inaccurate, and 1 profile that was incomplete. The Laboratory corrected the incomplete profile and 2 of the inaccurate profiles, deleted the remaining 2 inaccurate profiles from NDIS, and deleted the 33 unallowable profiles. The remaining 68 profiles sampled were complete, accurate, and allowable for inclusion in NDIS. The specific exceptions are explained in more detail below.

    Unallowable Profiles

    Our audit resulted in the identification of 33 unallowable profiles. The Laboratory agreed with our conclusions and deleted these profiles from NDIS while we were on site. The CODIS Administrator could not explain why these 33 unallowable profiles were entered into NDIS. We questioned 30 of these profiles because of their compliance with FBI guidance on profile suitability. The remaining three profiles were questioned because of missing case documentation and the resulting implications on compliance with FBI guidance on profile suitability, as well as forensic QAS. Both of these types of findings are discussed below.

    FBI Guidance on Profile Suitability

    In December 2006, the FBI issued a flowchart with eight general principles to assist DNA analysts in determining if a profile is eligible for upload to NDIS. Thirty of the unallowable profiles were attributed to the following FBI general principles.

    General Principle number 2 requires that a profile at NDIS be developed from biological evidence from a crime scene.

    General Principle number 4 requires that the profile be attributable to a putative perpetrator.


  • General Principle number 5 disallows the inclusion of the profile if it is unambiguously attributed to the victim or individuals other than the perpetrator(s).

    General Principle number 8 states that if a suspect's profile can reasonably be expected to be on an item that is at the crime scene or is part of the crime scene independent of the crime, then it would generally be considered a suspect profile and is therefore not allowable at NDIS.

    Exhibit 2 shows to which FBI General Principle each of these 30 unallowable profiles corresponded.


  • EXHIBIT 2. UNALLOWABLE PROFILES DELETED FROM NDIS

    Columns: OIG Sample Number; General Principle Number 2 (Crime Scene); General Principle Number 4 (Putative Perpetrator); General Principle Number 5 (Victim or Non-Perpetrator); General Principle Number 8 (Suspect)

    CA-11 X X
    CA-13 X
    CA-16 X
    CA-27 X
    CA-28 X
    CA-33 X
    CA-34 X
    CA-35 X
    CA-40 X
    CA-42 X
    CA-44 X
    CA-46 X
    CA-48 X
    CA-52 X
    CA-54 X
    CA-56 X
    CA-59 X
    CA-63 X
    CA-65 X
    CA-67 X
    CA-69 X
    CA-72 X
    CA-73 X
    CA-85 X
    CA-88 X
    CA-90 X
    CA-95 X
    CA-96 X
    CA-98 X X
    CA-102 X

    Source: OIG Analysis


  • Incomplete and Missing Case Files

    The case file for one of the profiles we reviewed was incomplete and did not contain evidence of DNA analysis. The case files for two profiles originally in the sample of profiles we selected for our review could not be located. As a result, we could not determine whether these profiles were forensic unknowns developed from a crime scene, whether they were complete, or whether they were accurately uploaded to NDIS. We therefore determined that these profiles were unallowable because they did not adhere to the FBI General Principle number 2, as well as forensic QAS 11 as discussed in Finding II of this report.

    Because the Laboratory could not locate any additional information about these profiles, they agreed with our assessment and removed them from NDIS. In our opinion, the incomplete and missing case files raise concerns regarding material compliance with NDIS requirements and Quality Assurance Standards.

    Other Matters

    Until January 2009, the Laboratory attempted the analysis of 13 core loci on forensic unknown samples only when there was not a standard to compare it to; for the rest of its forensic samples, the Laboratory only attempted 9 core loci. NDIS requires that the analysis of all 13 core loci for forensic samples be attempted and a profile must contain at least 10 core loci for it to be searchable in the NDIS database. Therefore, prior to January 2009, the number of searchable profiles uploaded to NDIS was significantly decreased because of this Laboratory practice. The Technical Leader told us there were several reasons behind this decision. He stated that, first, from a scientific perspective, there is no bright line rule stating that searching 10 loci versus 9 loci is more reliable. Second, it was a cost-cutting measure, as not using the second kit to run the remaining four loci saved money. The CODIS Administrator informed us that profiles are searchable at LDIS with a minimum of 7 loci and at SDIS with 9 loci, but that the Laboratory has been attempting the analysis of 13 core loci on all its forensic samples since January 2009.

    For the 103 samples that we reviewed, we found that 58 contained 9 or less loci and thus are not searchable at NDIS. We asked the CODIS Administrator to run a list of the 9 or less loci profiles the Laboratory had uploaded to NDIS, and we found that 614 of the 1,171 profiles (52 percent) uploaded as of May 13, 2009, were unsearchable at NDIS. Eleven of these profiles were uploaded after January 1, 2009. We are therefore concerned that this policy may not be implemented effectively and that the Laboratory


  • may not be fully participating in the CODIS program. We asked the CODIS Administrator why only 9 loci were attempted on these eleven profiles. She replied that it could be due to: timing, if they were run before January 1, 2009; if a suspect profile had already been developed for comparison; or if attempting 13 loci would deplete the sample too much for later use.

    Completeness and Accuracy

    For each of the forensic profiles in our sample, we reviewed the analysis to determine if all of the loci for which an analyst attained results were uploaded and to determine if the values at each locus matched those identified during analysis. We found one profile that was incomplete and four profiles that were inaccurate.

    The Laboratory corrected the incomplete profile by adding the missing values that were returned in the DNA analysis. The CODIS Administrator did not recall why this incomplete profile was entered into CODIS.

    The Laboratory corrected two of the inaccurate profiles and deleted the remaining two profiles because they were redundant profiles that were already in NDIS. Inaccurate profiles, which contain incorrect DNA profile information, may generate false positive leads, false negative comparisons, or lead to the misidentification of a sample.

    Appendix III details the results of the review of the 103 forensic profiles in our sample.

    GeneScan Review

    For a portion of our sample, we verified that the negative controls were run properly when the samples were analyzed. In this effort, we reviewed GeneScan printouts. We chose a judgmental sample of 11 printouts with 1 from each of the Laboratory analysts whose samples we reviewed in the forensic profile analysis. We did not identify any exceptions in our review of the GeneScan data.

    Conclusion

    For the 103 forensic profiles in our sample, the Laboratory deleted 35, or 34 percent, from NDIS. Specifically, we found 30 unallowable profiles that the Laboratory deleted from NDIS because they did not adhere to the FBI's suitability standards. The Laboratory also deleted two inaccurate


  • profiles. In addition, we found one profile with an incomplete case file for which no evidence of the DNA analysis was provided and two profiles for which the case files could not be located. These circumstances raise concerns about the Laboratory's adherence to NDIS requirements and Quality Assurance Standards.

    Recommendations

    We recommend that the FBI:

    9. Ensure the Laboratory establishes a written policy to require all analysts to follow the FBI's Guide to Determining What is Allowable in the Forensic Index at NDIS.

    10. Ensure the Laboratory reviews the remaining profiles it maintains at NDIS to ensure they are allowable, complete, accurate, and conform to the QAS for the maintenance of documentation.


  • APPENDIX I

    OBJECTIVES, SCOPE, AND METHODOLOGY

    We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

    Our audit generally covered the period from May 2007 through April 2009. The objectives of the audit were to determine if the: (1) Laboratory was in compliance with the NDIS participation requirements; (2) Laboratory was in compliance with the Quality Assurance Standards (QAS) issued by the FBI; and (3) Laboratory's forensic DNA profiles in CODIS databases were complete, accurate, and allowable for inclusion in NDIS. To accomplish the objectives of the audit, we:

    Examined internal and external Laboratory review reports and supporting documentation for corrective action taken, if any, to determine: (a) if the Laboratory complied with the QAS, (b) whether repeat findings were identified, and (c) whether recommendations were adequately resolved. 20

    In accordance with the QAS, the internal and external laboratory review procedures are to address, at a minimum, a laboratory's quality assurance program, organization and management, personnel qualifications, facilities, evidence control, validation of methods and procedures, analytical procedures, calibration and maintenance of instruments and equipment, proficiency testing of analysts, corrective action for discrepancies and errors, review of case files, reports, safety, and previous audits. The FBI's NDIS operational procedures state that, after January 1, 2002, an external laboratory review is required to be

    20 The QAS require that laboratories undergo annual audits. The QAS requires that every other year the audit be performed by an external agency that performs DNA identification analysis and is independent of the laboratory being reviewed. These audits are not required by the QAS to be performed in accordance with the Government Auditing Standards (GAS) and are not performed by the Department of Justice Office of the Inspector General. Therefore, we will refer to the QAS audits as reviews (either an internal laboratory review or an external laboratory review, as applicable) to avoid confusion with our audits that are conducted in accordance with GAS.


    performed by personnel who have successfully completed the FBI's training course for conducting such reviews.

    As permitted by GAS 7.42 (2007 revision), we generally relied on the results of the Laboratory's external laboratory reviews to determine if the Laboratory complied with the QAS. 21 In order to rely on the work of non-auditors, GAS requires that we perform procedures to obtain sufficient evidence that the work can be relied upon. Therefore, we: (1) obtained evidence concerning the qualifications and independence of the individuals who conducted the review and (2) determined that the scope, quality, and timing of the audit work performed was adequate for reliance in the context of the current audit objectives by reviewing the evaluation procedure guide and resultant findings to understand the methods and significant assumptions used by the individuals conducting the reviews. Based on this work, we determined that we could rely on the results of the Laboratory's external laboratory review.

    Interviewed Laboratory officials to identify management controls, Laboratory operational policies and procedures, Laboratory certifications or accreditations, and analytical information related to DNA profiles.

    Toured the Laboratory to observe facility security measures as well as the procedures and controls related to the receipt, processing, analyzing, and storage of forensic evidence and convicted offender DNA samples.

    Reviewed the Laboratory's written policies and procedures related to conducting internal reviews, resolving review findings, and resolving matches among DNA profiles in NDIS.

    Reviewed supporting documentation for 7 of 84 NDIS matches to determine whether they were resolved in a timely manner. (Some of the matches were multiple matches. As a result, our sample contained 17 matches.) The Laboratory provided the universe of NDIS matches as of May 5, 2009. The sample was judgmentally selected to include both case-to-case and case-to-offender matches. This non-statistical sample does not allow projection of the test results to all matches.

    21 We also considered the results of the Laboratory's internal laboratory review, but could not rely on it because it was not performed by personnel independent of the Laboratory. Further, as noted in Appendix II, we performed audit testing to verify Laboratory compliance with specific Quality Assurance Standards that have a substantial effect on the integrity of the DNA profiles uploaded to NDIS.


    Reviewed the case files for selected forensic DNA profiles to determine if the profiles were developed in accordance with the Forensic QAS and were complete, accurate, and allowable for inclusion in NDIS.

    The NDIS Custodian, via the contractor used by the FBI to maintain NDIS and the CODIS software, provided a printout identifying the 1,167 STR forensic profiles the Laboratory had uploaded to NDIS as of April 28, 2009. We limited our review to a sample of 103 profiles. This sample size was determined judgmentally because preliminary audit work determined that risk was not unacceptably high.

    Using the judgmentally determined sample size, we randomly selected a representative sample of labels associated with specific profiles in our universe to reduce the effect of any patterns in the list of profiles provided to us. However, since the sample size was judgmentally determined, the results obtained from testing this limited sample of profiles may not be projected to the universe of profiles from which the sample was selected.

    The objectives of our audit concerned the Laboratory's compliance with required standards and the related internal controls. Accordingly, we did not attach a separate statement on compliance with laws and regulations or a statement on internal controls to this report. See Appendix II for detailed information on our audit criteria.


  • APPENDIX II

    AUDIT CRITERIA

    In conducting our audit, we considered the NDIS participation requirements and the Quality Assurance Standards (QAS). However, we did not test for compliance with elements that were not applicable to the Laboratory. In addition, we established standards to test the completeness and accuracy of DNA profiles as well as the timely notification of DNA profile matches to law enforcement.

    NDIS Participation Requirements

    The NDIS participation requirements, which consist of the Memorandum of Understanding (MOU) and the NDIS operational procedures, establish the responsibilities and obligations of laboratories that participate in NDIS. The MOU requires that NDIS participants comply with federal legislation and the QAS, as well as NDIS-specific requirements accompanying the MOU in the form of appendices. We focused our audit on the following criteria from the MOU Appendix I, NDIS Responsibilities.

    Organizational Responsibilities (Requirement II.B.4): comply with FBI requirements for safeguarding CODIS against unauthorized use that includes providing an appropriate and secure site for the NDIS system.

    System Operation (Requirement III.B.2): ensure that appropriate personnel are provided copies of, understand, and abide by the NDIS Procedure Manual.

    System Operation (Requirement III.B.3): identify in writing, in prescribed form, personnel approved to access CODIS and ensure that access to CODIS is limited to those personnel.

    Reporting and Recordkeeping Requirements (Requirement VI.B.1): on a monthly basis, report confirmed NDIS matches to the FBI in a form prescribed by the FBI.

    Reporting and Recordkeeping Requirements (Requirement VI.B.4): maintain records on approved personnel, including proficiency testing reports and any other report required by the FBI, for a period of 10 years.

    Our audit criteria also included the operational procedures discussed below from the NDIS Procedures Manual.


    DNA Data Acceptance Standards

    The NDIS DNA data acceptance standards state that DNA profiles submitted to NDIS shall be interpretable. 22 Also, the procedure requires that a laboratory submitting a DNA profile to the Forensic Index at NDIS, that is derived from forensic evidence, shall only offer those alleles that are attributed to the putative perpetrator. Alleles derived from forensic profiles that are unambiguously attributed to a victim or individuals other than the perpetrator, such as, but not limited to a husband or boyfriend, shall not be offered to NDIS. In addition, the DNA results from any locus in which an ambiguity exists in the assignment of one or more alleles to the putative perpetrator may be offered to NDIS. The mere observation of alleles that may be attributed to individuals other than the putative perpetrator, does not in itself, preclude offering DNA profiles to NDIS at that locus. Forensic mixture DNA profiles submitted to NDIS shall have up to four alleles at a maximum of four core loci; any of the remaining nine core loci shall have no more than two alleles at each locus.

    Add a User from a Participating Laboratory to NDIS

    The "Add and/or Change Information About a CODIS User from a Participating Laboratory to NDIS" procedure states that state or local laboratories may add CODIS users to NDIS under two circumstances. First, users may be added when a state begins to participate in NDIS. Second, users may be added periodically as states add new CODIS users.

    To add a user, the designated state official must send a letter to the NDIS Custodian requesting the addition. The letter must be accompanied by:

    FD-484: Privacy Act explanation; FD-258: Fingerprint (10 Print) card, two copies; FD-816: Background Data Information Form; and CODIS user information.

    The letter should include a certification by the designated state official that all qualified DNA analysts being added will undergo external proficiency testing as required by the DNA Identification Act and the MOU.

    22 "Interpretable" is defined as any DNA data that could be used to make an exclusion.

    DNA Data Accepted at NDIS

    The DNA Data Accepted at NDIS procedure, Section 5.0, discusses the web-based DNA Records Acceptable at NDIS training. On an annual basis, in accordance with a schedule determined by the NDIS Custodian, the CODIS Administrator shall ensure that each CODIS user successfully completes the web-based DNA Records Acceptable at NDIS training. NDIS procedures define a CODIS user as a government employee who: (1) has log-in access to CODIS and is authorized to read, add, modify, and delete DNA records in CODIS; or (2) is a qualified DNA analyst responsible for producing the DNA profiles stored in NDIS.

    The DNA Data Accepted at NDIS procedure also states that the NDIS Custodian shall establish a schedule for completion of the annual DNA Records Acceptable at NDIS training. CODIS users shall have a period of 30 business days to complete the annual training. After the expiration of the 30-day period, the NDIS Custodian shall notify NDIS participating laboratories of the CODIS users in their laboratories who have not completed the annual training. These CODIS users shall successfully complete the required annual training according to a schedule established by the NDIS Custodian. Any CODIS user who has not successfully completed the required annual training in accordance with this schedule shall be denied access to enter DNA data to CODIS by the assignment of a "stop date" for their CODIS user privileges.

    Review of External Audits

    The Review of External Audits procedure, Section 6.1, states that it is the responsibility of the NDIS participating laboratory to arrange and schedule an external QAS review once every 2 years. The NDIS participating laboratory is required to notify the NDIS Custodian once the external QAS review has been conducted and the report will be forwarded for review within 30 days of the laboratory's receipt of the report. The NDIS participating laboratory must include with the report any clarifications, responses, and corrective action plan/documents (hereinafter referred to as "evaluation documentation"), as appropriate. The NDIS Custodian then acknowledges this communication. If the NDIS participating laboratory is unable to forward the required documentation within 30 days, the NDIS participating laboratory must notify the NDIS Custodian to request an extension of time for sending the required evaluation documentation.

    Confirming an Interstate Candidate Match

    The Confirming an Interstate Candidate Match procedure, Section 3.2, states that Casework Laboratories have the primary responsibility to contact another laboratory for follow-up of a match. An Offender Laboratory should: (1) be prepared to respond to inquiries originating from another laboratory; and (2) make a good-faith effort to perform its internal match confirmation process, review its DNA data and respond to the casework laboratory within 30 business days of receipt of the request for match follow-up.

    In instances of forensic matches between two Casework Laboratories, Section 4.2 of the NDIS operational procedure states that both Casework Laboratories are equally responsible for coordinating the match follow-up. The Casework Laboratory contacted for match follow-up must make a good faith effort to review its DNA data and respond to the requesting laboratory within 30 business days of receipt of the request. Both Casework Laboratories must document confirmed matches, as required by Section 4.3.5.

    CODIS Administrator Responsibilities

    The CODIS Administrator Responsibilities procedure, Section 4.0, requires CODIS Administrators to ensure that Laboratories review and make best efforts to disposition matches within 30 business days (in accordance with NDIS operational procedures).

    Expunge a DNA Profile

    The Expunge a DNA Profile procedure, Section 3.0, states that included in the DNA Analysis Backlog Elimination Act of 2000 (effective December 19, 2001) was a requirement that states participating in NDIS "shall promptly expunge from that index the DNA analysis (DNA profile) of a person included in the index by that state if the responsible agency or official of that state receives, for each conviction of the person of an offense on the basis of which that analysis (profile) was or could have been included in the index, a certified copy of a final court order establishing that such conviction has been overturned." For states that will be uploading the DNA data of arrestees or indicted persons, amendments to the DNA Fingerprint Act of 2005 require expungements where the charge is dismissed or results in an acquittal, or where no charge was filed within the applicable time period. NDIS participating states are required to expunge from NDIS the DNA analysis of a person included in NDIS by that state if "the person has not been convicted of an offense on the basis of which that analysis was or could have been included in the index, and the responsible agency or official of that state receives, for each charge against the person on the basis of which the analysis was or could have been included in the index, a certified copy of a final court order establishing that such charge has been dismissed or has resulted in an acquittal or that no charge was filed within the applicable time period." A participating state must have procedures in place for expunging a DNA profile, regardless of whether or not its state DNA law requires it.

    One-Time Search of Outsourced Offender DNA Data

    The One-Time Search of Outsourced Offender Data procedure, Section 3.0, allows laboratories to request a one-time search of NDIS outsourced convicted offender DNA data that has been technically reviewed by the vendor laboratory but not reviewed by the NDIS laboratory as required by the QAS. Only outsourced offender DNA data is eligible for a one-time search.

    NDIS participating laboratories submitting outsourced offender DNA profiles for a one-time search must have a documented procedure to confirm that such DNA data has not been previously searched at NDIS and shall maintain such documentation. The laboratory must submit a request to the NDIS Custodian for performing a one-time search of its offender outsourced DNA data that has not been reviewed in accordance with the QAS. The request must include a plan for conducting a QAS review of the outsourced offender DNA data being searched one-time at NDIS and a time frame for completing the review.

    The procedure also states that only one one-time search file shall be searched for each NDIS participating state at a time. Another one-time search request shall only be approved once all the DNA profiles from previous one-time search files for that state have been reviewed in accordance with the QAS. A maximum of four one-time searches shall be conducted within 1 calendar year for each NDIS participating state.

    Section 4.0 of the procedure states that, to ensure that DNA profiles included in one-time search files are not entered into and searched at the Offender Index at SDIS, these DNA profiles shall be categorized under the specimen category "Unreviewed Offender." The "Unreviewed Offender" specimen category will not be eligible for uploading or searching at SDIS. The specimen identification number used by the NDIS participating laboratory must remain the same as that originally assigned by the laboratory.

    NDIS Security Requirements

    The NDIS Security Requirements Procedure, Section 3.1, states the NDIS participating laboratory shall be responsible for ensuring that only CODIS users have access to CODIS. A CODIS user is a government employee who: (1) has log-in access to the CODIS (i.e., state or local) system or (2) is a qualified DNA analyst responsible for producing DNA profiles stored in NDIS.

    Section 3.2 of the requirement states that the NDIS participating laboratory shall ensure that each CODIS user has a CODIS user account. The NDIS participating laboratory shall also ensure that all CODIS servers/terminals are set to lock the screen after 10 minutes of non-use and require the CODIS user's password to unlock the screen. The NDIS participating laboratory shall train its CODIS users to lock their screen or log off before moving to an area in which the user can no longer visually observe the CODIS server/terminal.

    Section 3.2 also states that each CODIS user shall use his or her individual username and password to log in to the terminal containing the CODIS software. CODIS users shall not be permitted to use shared user names or passwords (each individual must be assigned their own unique user name and password and they must use these credentials each time they authenticate themselves to the system). Section 4.0 states that the NDIS participating laboratory shall be responsible for providing adequate physical security for the CODIS servers and terminals against any unauthorized personnel gaining access to the computer equipment or to any of the stored data.

    Section 5.3 states that the NDIS participating laboratory shall be responsible for conducting backups of their CODIS data on a routine schedule but, in no event, less than once per week. On a routine basis, but in no event less than once per month, the CODIS backup media shall be stored at a secure physical location other than the NDIS participating laboratory. Electronic media on which CODIS data (i.e., backups) is stored shall be maintained in a lockable container.

    General Responsibilities

    Section 3.0 of the General Responsibilities procedure requires labs to ensure that CODIS users are notified of and provided access to revised NDIS operational procedures and other documentation necessary to properly participate in NDIS.

    Quality Assurance Standards

    The FBI issued two sets of Quality Assurance Standards: Forensic DNA Testing Laboratories, effective October 1, 1998 (Forensic QAS); and Convicted Offender DNA Databasing Laboratories, effective April 1, 1999 (Offender QAS). The Forensic QAS and the Offender QAS describe the quality assurance requirements that the Laboratory should follow to ensure the quality and integrity of the data it produces.

    For our audit, we generally relied on the reported results of the Laboratory's most recent annual external review to determine if the Laboratory was in compliance with the QAS. Additionally, we performed audit work to verify that the Laboratory was in compliance with the QAS listed below because they have a substantial effect on the integrity of the DNA profiles uploaded to NDIS.

    Facilities (Forensic QAS and Offender QAS Standard 6.1): The laboratory shall have a facility that is designed to provide adequate security and minimize contamination.

    Evidence Control (Forensic QAS Standards 7.1): The laboratory shall have and follow a documented evidence control system to ensure the integrity of physical evidence. Where possible, the laboratory shall retain or return a portion of the evidence sample or extract.

    Sample Control (Offender QAS Standard 7.1): The laboratory shall have and follow a documented sample inventory control system.

    Analytical Procedures (Forensic QAS Standard 9.4/9.4.2 and Offender QAS Standard 9.3/9.3.2): The laboratory shall monitor the analytical procedures using appropriate controls and standards.

    Review (Forensic QAS Standard 12.1): The laboratory shall conduct administrative and technical reviews of all case files and reports to ensure conclusions and supporting data are reasonable and within the constraints of scientific knowledge.

    (Offender QAS Standard 12.1): The laboratory shall have and follow written procedures for reviewing database sample information, results, and matches.

    Reviews (Forensic QAS and Offender QAS Standards 15.1 and 15.2): The laboratory shall conduct reviews annually in accordance with the QAS. Once every 2 years, a second agency shall participate in the annual review.

    Subcontractor of Analytical Testing for Which Validated Procedures Exist (Forensic QAS and Offender QAS Standard 17.1): A laboratory operating under the scope of the QAS will require certification of compliance with these standards when a subcontractor performs DNA analyses for the laboratory. The laboratory will establish and use appropriate review procedures to verify the integrity of the data received from the subcontractor. When a subcontractor analyzes convicted offender samples, these procedures must include, but are not limited to, random reanalysis of samples, visual inspection and evaluation of results/data, inclusion of quality control samples, and on-site visits.

    Office of the Inspector General Standards

    We established standards to test the completeness and accuracy of DNA profiles as well as the timely notification of law enforcement when DNA profile matches occur in NDIS. Our standards are listed below.

    Completeness of DNA Profiles: A profile must include each value returned at each locus for which the analyst obtained results. Our rationale for this standard is that the probability of a false match among DNA profiles is reduced as the number of loci included in a profile increases. A false match would require the unnecessary use of laboratory resources to refute the match.

    Accuracy of DNA Profiles: The values at each locus of a profile must match those identified during analysis. Our rationale for this standard is that inaccurate profiles may: (1) preclude DNA profiles from being matched and, therefore, the potential to link convicted offenders to a crime or to link previously unrelated crimes to each other may be lost or (2) result in a false match that would require the unnecessary use of laboratory resources to refute the match.

    Timely Notification of Law Enforcement When DNA Profile Matches Occur in NDIS: Laboratories should notify law enforcement personnel of NDIS matches within 2 weeks of the match confirmation date, unless there are extenuating circumstances. Our rationale for this standard is that untimely notification of law enforcement personnel may result in the suspected perpetrator committing additional, and possibly more egregious, crimes if the individual is not deceased or already incarcerated for the commission of other crimes.


  • APPENDIX III

    PROFILES REVIEWED AT THE SOUTHWESTERN INSTITUTE OF FORENSIC SCIENCES LABORATORY

    | Sample Number | Profile Suitable for Inclusion in NDIS | Profile Complete with 13 Core Loci | Profile Uploaded Accurately in NDIS |
    |---|---|---|---|
    | CA-01 | Yes | No - cofiler not run | Yes |
    | CA-02 | Yes | No - cofiler not run | Yes |
    | CA-03 | Yes | No - cofiler not run | Yes |
    | CA-04 | Yes | No - cofiler not run | Yes |
    | CA-05 | Yes | No - cofiler not run | Yes |
    | CA-06 | Yes | No - cofiler not run | Yes |
    | CA-07 | Yes | No - cofiler not run | Yes |
    | CA-08 | Yes | Yes | Yes |
    | CA-09 | Yes | No - cofiler not run | Yes |
    | CA-10 | Unable to determine - Not enough info in case file for review | | |
    | CA-11 | No - profile matched victim | No - cofiler not run | Yes |
    | CA-12 | Yes | No - cofiler not run | Incomplete - Lab corrected |
    | CA-13 | No - buccal swab of suspect not taken at crime scene | No - cofiler not run | Yes |
    | CA-14 | Yes | No - cofiler not run | Yes |
    | CA-15 | Yes | Yes | Yes |
    | CA-16 | No - jacket taken from suspect | No - cofiler not run | Yes |
    | CA-17 | Yes | Yes | Yes |
    | CA-18 | Yes | Yes | Yes |
    | CA-19 | Yes | No - cofiler not run | Yes |
    | CA-20 | Yes | Yes | Yes |
    | CA-21 | Yes | No - cofiler not run | Yes |
    | CA-22 | Yes | Yes | Yes |
    | CA-23 | Yes | Yes | Yes |
    | CA-24 | Yes | Yes | Yes |
    | CA-25 | Yes | No - cofiler not run | Yes |
    | CA-26 | Yes | Yes | Yes |
    | CA-27 | UTD from info in case file if profile came from crime scene evidence | No - cofiler not run | Yes |
    | CA-28 | UTD from info in case file if profile came from crime scene evidence | No - cofiler not run | Yes |
    | CA-29 | Yes | Yes | Yes |


    | Sample Number | Profile Suitable for Inclusion in NDIS | Profile Complete with 13 Core Loci | Profile Uploaded Accurately in NDIS |
    |---|---|---|---|
    | CA-30 | Yes | No - cofiler not run | Yes |
    | CA-31 | Unable to determine - case file never found for our review | | |
    | CA-32 | Yes | Yes | Yes |
    | CA-33 | UTD from info in case file if profile attributable to putative perpetrator | Yes | Yes |
    | CA-34 | No - profile not attributable to putative perpetrator | Yes | Yes |
    | CA-35 | UTD from info in case file if profile came from crime scene evidence | No - cofiler not run | Yes |
    | CA-36 | Yes | Yes | Yes |
    | CA-37 | Yes | No - cofiler not run | Inaccurate - Laboratory corrected |
    | CA-38 | Yes | Yes | Yes |
    | CA-39 | Yes | Yes | Yes |
    | CA-40 | No - buccal swab from boyfriend | No - cofiler not run | Yes |
    | CA-41 | Unable to determine - case file never found for our review | | |
    | CA-42 | UTD from info in case file if profile came from crime scene evidence | No - cofiler not run | Yes |
    | CA-43 | Yes | No - cofiler not run | Yes |
    | CA-44 | No - sample taken from victim's home but not tested against victim standard | No - cofiler not run | Yes |
    | CA-45 | Yes | No - cofiler not run | Yes |
    | CA-46 | No - known sample taken from suspect's clothing | No - cofiler not run | Yes |
    | CA-47 | Yes | Yes | Yes |
    | CA-48 | No - known sample taken from suspect's truck | No - cofiler not run | Yes |
    | CA-49 | Yes | Yes | Yes |


    | Sample Number | Profile Suitable for Inclusion in NDIS | Profile Complete with 13 Core Loci | Profile Uploaded Accurately in NDIS |
    |---|---|---|---|
    | CA-50 | Yes | Yes | Yes |
    | CA-51 | Yes | No - 13 loci run but 3 were inconclusive | Yes |
    | CA-52 | No - sample taken from suspect's person | No - cofiler not run | Yes |
    | CA-53 | Yes | Yes | Yes |
    | CA-54 | No - known sample taken from suspect | No - cofiler not run | Yes |
    | CA-55 | Yes | Yes | Yes |
    | CA-56 | No - does not match suspect or victim | No - cofiler not run | Yes |
    | CA-57 | Yes | Yes | Yes |
    | CA-58 | Yes | No - cofiler not run | Yes |
    | CA-59 | No - sample taken from shirt on suspect | No - cofiler not run | Yes |
    | CA-60 | Yes | No - cofiler not run | Yes |
    | CA-61 | Yes | Yes | Yes |
    | CA-62 | Yes | No - cofiler not run | Yes |
    | CA-63 | No - not attributable to putative perpetrator | No - cofiler not run | Yes |
    | CA-64 | Yes | No - cofiler not run | Yes |
    | CA-65 | No - unknown profile not matching suspect or victim | No - cofiler not run | Yes |
    | CA-66 | Yes | No - cofiler not run | Yes |
    | CA-67 | No - not crime scene evidence and likely known sample | No - cofiler not run | Yes |
    | CA-68 | Yes | No - cofiler not run | Yes |
    | CA-69 | UTD from info in case file if profile came from crime scene evidence | Yes | Yes |
    | CA-70 | Yes | Yes | Yes |


    | Sample Number | Profile Suitable for Inclusion in NDIS | Profile Complete with 13 Core Loci | Profile Uploaded Accurately in NDIS |
    |---|---|---|---|
    | CA-71 | Yes | Yes | Inaccurate - Laboratory corrected |
    | CA-72 | UTD from info in case file if profile came from crime scene evidence | No - cofiler not run | Yes |
    | CA-73 | UTD from info in case file if profile came from crime scene evidence | No - cofiler not run | Yes |
    | CA-74 | Yes | No - cofiler not run | Yes |
    | CA-75 | Yes | No - cofiler not run | Yes |
    | CA-76 | Yes | Yes | Yes |
    | CA-77 | Yes | Yes | Yes |
    | CA-78 | Yes | No - 12 loci run but only 7 loci uploaded | Inaccurate - Laboratory deleted |
    | CA-79 | Yes | No - cofiler not run | Yes |
    | CA-80 | Yes | No - 11 loci run but 2 inconclusive | Inaccurate - Laboratory deleted |
    | CA-81 | Yes | Yes | Yes |
    | CA-82 | Yes | No - cofiler not run | Yes |
    | CA-83 | Yes | Yes | Yes |
    | CA-84 | Yes | Yes | Yes |
    | CA-85 | No - profile did not match victim or suspects | No - cofiler not run | Yes |
    | CA-86 | Yes | No - cofiler not run | Yes |
    | CA-87 | Yes | No - cofiler not run | Yes |
    | CA-88 | UTD from info in case file if profile came from crime scene evidence | No - cofiler not run | Yes |
    | CA-89 | Yes | Yes | Yes |
    | CA-90 | UTD from info in case file if profile came from crime scene evidence | No - cofiler not run | Yes |
    | CA-91 | Yes | No - cofiler not run | Yes |
    | CA-92 | Yes | Yes | Yes |
    | CA-93 | Yes | No - cofiler not run | Yes |
    | CA-94 | Yes | No - cofiler not run | Yes |


    | Sample Number | Profile Suitable for Inclusion in NDIS | Profile Complete with 13 Core Loci | Profile Uploaded Accurately in NDIS |
    |---|---|---|---|
    | CA-95 | UTD from info in case file if profile came from crime scene evidence | Yes | Yes |
    | CA-96 | No - not taken from crime scene | No - cofiler not run | Yes |
    | CA-97 | Yes | Yes | Yes |
    | CA-98 | UTD from info in case file if profile came from crime scene evidence | Yes | Yes |
    | CA-99 | Yes | No - cofiler not run | Yes |
    | CA-100 | Yes | No - cofiler not run | Yes |
    | CA-101 | Yes | Yes | Yes |
    | CA-102 | No - victim's profile | Yes | Yes |
    | CA-103 | Yes | Yes | Yes |


  • APPENDIX IV

    SOUTHWESTERN INSTITUTE OF FORENSIC SCIENCES AT DALLAS

    FORENSIC BIOLOGY UNIT
    5230 Medical Center Drive
    Dallas, Texas 75235

    MEMORANDUM

    Date: December 15, 2009

    To: David Sheeren, Acting Regional Audit Manager, Office of the Inspector General

    From: Stacy R. McDonald, Ph.D., Deputy Chief of Physical Evidence/DNA Technical Leader

    Re: Office of the Inspector General Draft Audit Report

    Cc: Doug Hares, Ph.D., NDIS Administrator; Paula Pagano, Paralegal Specialist (CODIS Unit); Karen Young, Quality Manager; Timothy Sliter, Ph.D., Chief of Physical Evidence

    Att:

    1) Attachment I: Forensic Biology Quality Management Program, Version 1.5 (11.24.2009)

    2) Attachment II: Procedure: CODIS Operations Manual (11.24.2009)

    3) Attachment III: Letter from Dallas County Records Management Division

    4) Attachment IV: Procedure: Case Record Management - Archived Case File Processes (11.24.2009)

    5) Attachment V: CODIS Specimen Category Worksheet

    Per the request of Ms. Linda Clark, Office of the Inspector General, the Laboratory's original response document addressing the findings identified by the audit team has been revised to provide the Laboratory's responses in the same order as the audit team's recommendations.

    Recommendation 1. Ensure the Laboratory sends backup tapes of the CODIS server to a secure off-site location, where they are kept in a lockable container, on a monthly basis.

    Response: Laboratory backup tapes of the CODIS server are made on a daily basis; however, prior to May 2009, the monthly backup tapes were being stored in a locked container on-site. As of May 2009, the backup tapes have been regularly transferred to the Tarrant County Medical Examiner's Office, a local CODIS laboratory, and stored in a lockable container. Additionally, the Forensic Biology Unit Quality Management Program was revised to assign responsibility for the assurance that the security of data stored in CODIS is in accordance with state and/or federal law and NDIS operational procedures to the CODIS Administrator (Attachment I).

    Recommendation 2. Ensure that the Laboratory implements a written policy that requires personnel to request or confirm NDIS matches in a timely manner.

    Response: Following the OIG audit, a CODIS Operations Manual (Attachment II) was developed and incorporated into the Procedures for Multiplex STR Analysis. Included in the CODIS Operations Manual are guidelines for processing CODIS candidate matches. Additionally, the Forensic Biology Quality Management Program was updated to outline the responsibilities of CODIS Administrator and steps to be taken if the CODIS Administrator is unable to perform his/her duties (Attachment I).

    Recommendation 3. J

  • APPENDIX IV

    CODIS network, to assure that the security of data stored in CODIS is in accordance with state and/or federal law and NDIS operational procedures, and to assure that the quality of data stored in CODIS is in accordance with state and/or federal law and NDIS operational procedures (Attachment I).

    Recommendation 6. Ensure that the Laboratory takes appropriate steps to minimize risks presented by the unauthorized DNA analyst's access to or analysis of CODIS profiles and review all profiles uploaded to NDIS by the analyst.

    Response: See Response Section for Recommendation 5.

    Recommendation 7. Ensure that the Laboratory deletes from NDIS the profile for case number 89P1294, which could not be located during our review of NDIS matches.

    Response: At the time of the audit, the supporting documentation for the DNA profile from case number 89P1294 could not be located. Following the audit, the case file for 89P1294 was located. The CODIS Administrator reviewed the casework documentation for the DNA profile and determined that the profile was acceptable for entry into CODIS. Therefore, the DNA profile has not been deleted from NDIS.

    Recommendation 8. Ensure that the Laboratory implements procedures to require that all case documentation is maintained for profiles at NDIS.

    Response: The Institute currently mainta