Compliance with Standards Governing Combined DNA Index System Activities at the Denver Police Department, Crime Laboratory Bureau, Denver, Colorado
Audit Report GR-60-07-011
September 2007
Office of the Inspector General
The Office of the Inspector General, Audit Division, has completed an audit of compliance with standards governing Combined DNA Index System (CODIS) activities at the Denver Police Department Crime Laboratory Bureau (Laboratory).1 The Federal Bureau of Investigation (FBI) began the CODIS Program as a pilot project in 1990. The DNA Identification Act of 1994 (Act) formalized the FBI’s authority to establish a national DNA index for law enforcement purposes.2 The Act authorized the FBI to establish an index of DNA identification records of persons convicted of crimes and analyses of DNA samples recovered from crime scenes. The Act further specified that the indices include only DNA information that is based on analyses performed in accordance with quality assurance standards issued by the FBI.
The FBI implemented CODIS as a distributed database with three hierarchical levels that enables federal, state, and local crime laboratories to compare DNA profiles electronically. The National DNA Index System (NDIS) is the highest level in the CODIS hierarchy and enables the laboratories participating in the CODIS Program to compare DNA profiles on a national level. NDIS became operational in 1998 and is managed by the FBI as the nation’s DNA database containing DNA profiles uploaded by participating states. DNA profiles originate at the local level, flow upward to the state and national levels, and are compared to determine if a convicted offender can be linked to a crime or if crimes can be linked to each other. Thus, a laboratory’s profiles have to be uploaded to NDIS before the profiles benefit the system as a whole.
The FBI provides CODIS software free of charge to any state or local law enforcement laboratory performing DNA analysis. Before a laboratory is allowed to participate at the national level a Memorandum of Understanding (MOU) must be signed between the FBI and the applicable state laboratory. The MOU defines the responsibilities of each party, includes a sublicense for the use of the CODIS software, and delineates the standards laboratories must meet in order to utilize NDIS.3
The objective of the audit was to determine if the Laboratory was in compliance with standards governing CODIS activities. Specifically, we performed testing to determine if the: (1) Laboratory was in compliance with the NDIS participation requirements; (2) Laboratory was in compliance with the quality assurance standards issued by the FBI; and (3) Laboratory’s DNA profiles in CODIS databases were complete, accurate, and allowable.
We determined that the Laboratory was in compliance with the standards governing CODIS activities with some exceptions. Specifically, we noted the following.
The Laboratory was not storing backup media for the CODIS server at a secure off-site storage location, as required by the NDIS requirements implemented in March 2007. Laboratory officials agreed and were able to identify a secure off-site location for storing the media during our audit. Laboratory officials also provided to us a formal procedure for how those backups will be handled, including access limitations to the stored media.
NDIS requirements instruct laboratories to notify law enforcement agencies (investigators) of confirmed NDIS matches. Of the nine confirmed NDIS matches we reviewed, we determined that case files for three were lacking documentation that investigators were notified. According to Laboratory officials, at the time the matches occurred their policies did not require documentation of these notifications, but the notifications did occur. Since that time, policies have been implemented requiring such documentation, and more recent matches reviewed indicated that these policies were being followed.
The CODIS Administrator was not reporting confirmed NDIS matches to the FBI on a monthly basis, as required, due to oversight. To assist her in ensuring monthly report submission, the CODIS Administrator implemented an electronic reminder system during our audit. Further, Laboratory officials included the requirement for monthly reporting in their CODIS operating procedures.
Of the 100 forensic profiles we reviewed, we determined that all were complete and accurate, and 99 were allowable for inclusion in NDIS. One profile was not allowable, since it was likely attributable to the male victim of the crime. Laboratory officials agreed and, at the time of our audit, had already taken steps to remove the profile from NDIS. Since our audit, Laboratory management provided us with documentation that the profile was removed.
In addition, we noted two other reportable matters: (1) the Laboratory’s procedures for separating evidence and reference samples were not reflected in its written policies; and (2) the Laboratory lacks the disaster recovery plan recommended by the FBI. Laboratory officials agreed with our conclusions, and have since completed corrective action for both of these matters.
Since corrective action on all issues we identified has been completed, we make no recommendations for additional action. The results of our audit are discussed in the Findings section of the report. Our audit scope and methodology are detailed in Appendix I of the report and the audit criteria are detailed in Appendix II of the report.
We discussed the results of our audit with Laboratory officials and have included their comments in the report as applicable. In addition, we requested a written response to a draft of our audit report from the FBI and the Laboratory. Neither the FBI nor the Laboratory provided written comments to the report beyond acknowledging the completed remediation of each finding we identified.
DNA, deoxyribonucleic acid, is genetic material found in almost all living cells that contains encoded information necessary for building and maintaining life. Approximately 99.9 percent of human DNA is the same for all people. The differences found in the remaining 0.1 percent allow scientists to develop a unique set of DNA identification characteristics (a DNA profile) for an individual by analyzing a specimen that contains DNA.
These standards were appended to the MOU as Appendix C - NDIS Procedure Manual. This manual is comprised of several operational procedures that provide specific instructions for laboratories to follow for procedures pertinent to NDIS. For our purposes, the NDIS participation requirements consist of the MOU and the NDIS operational procedures.
Return to OIG Home Page |