The Office of the Inspector General, Audit Division, has completed an audit of compliance with standards governing Combined DNA Index System (CODIS) activities at the Office of the Chief Medical Examiner, Forensic Sciences Laboratory (Laboratory).¹ The Federal Bureau of Investigation (FBI) began the CODIS Program as a pilot project in 1990. The DNA Identification Act of 1994 (Public Law 103-322) formalized the FBI's authority to establish a national DNA index for law enforcement purposes.² The Act specifically authorized the FBI to establish an index of DNA identification records of persons convicted of crimes, and analyses of DNA samples recovered from crime scenes. The Act further specified that the index include only DNA information that is based on analyses performed in accordance with standards issued by the FBI.

The FBI implemented CODIS as a distributed database with three hierarchical levels that enables federal, state, and local crime laboratories to compare DNA profiles electronically. The National DNA Index System (NDIS) is the highest level in the CODIS hierarchy and enables the laboratories participating in the CODIS Program to compare DNA profiles on a national level. The NDIS became operational in 1998 and is managed by the FBI as the nation's DNA database containing DNA profiles uploaded by participating states. DNA profiles originate at the local level, flow to the state and national levels, and are compared to determine if a convicted offender can be linked to a crime, or if crimes can be linked to each other.

The FBI provides CODIS software free of charge to any state or local law enforcement laboratory performing DNA analysis. A laboratory's profiles have to be uploaded to NDIS before the profiles benefit the system as a whole. Before a laboratory is allowed to participate at the national level a Memorandum of Understanding (MOU) must be signed between the FBI and the applicable state laboratory. The MOU defines the responsibilities of each party, includes a sublicense for the use of the CODIS software, and delineates the standards laboratories must meet in order to utilize NDIS.³

The objective of the audit was to determine if the Laboratory was in compliance with standards governing CODIS activities. Specifically, we performed testing to determine if the: 1) Laboratory was in compliance with the NDIS participation requirements; 2) Laboratory was in compliance with the quality assurance standards issued by the FBI; and 3) Laboratory's DNA profiles in CODIS databases were complete, accurate, and allowable.

We determined that the Laboratory was not in compliance with all of the standards governing CODIS activities for the areas we tested. Specifically, we noted the following.

• Laboratory management did not have appropriate personnel complete annual reminder forms to remind staff members of the categories of DNA data accepted at NDIS. The requirement to complete annual reminder forms is found in the NDIS operational procedures.

• The Laboratory received an external laboratory evaluation from an independent laboratory within the two-year period specified by the FBI's QAS but did not forward the external evaluation report to the NDIS Custodian within 30 days from receiving the report as required by the NDIS operational procedures.

• The Laboratory received its internal laboratory evaluation within the timeframe specified by the FBI's QAS but had not implemented corrective action for one instance of noncompliance noted in the internal evaluation report. The FBI's QAS require laboratories to develop and implement corrective actions for each reported instance of noncompliance.

• We reviewed the Laboratory's procedures to evaluate the integrity of contract data received and found that the Laboratory did not include quality control samples within the convicted offender samples sent to the contractor for analysis. To substantiate the integrity of contractor data, the FBI's QAS require a laboratory to include quality control samples within all outsourced convicted offender samples.

• We reviewed 50 forensic profiles including 10 profiles developed by a contract laboratory and found the Laboratory did not adequately oversee the contract laboratory hired to perform the DNA analysis. None of the 10 outsourced forensic profiles in our sample included a visual inspection and evaluation of the contractor's data as required by the FBI's QAS.

• Of the 150 DNA profiles reviewed (50 forensic and 100 convicted offender), we found 1 DNA forensic profile to be inaccurate because the Laboratory uploaded the incorrect specimen number to NDIS.

We make three recommendations, which are discussed in detail in the Findings and Recommendations section of the report, to improve the Laboratory's compliance with standards governing CODIS activities. Our audit scope and methodology are detailed in Appendix I of the report and the audit criteria are detailed in Appendix II of the report.

We discussed the results of our audit with Laboratory officials and have included their comments in the report as applicable.

1. The Forensic Sciences Laboratory includes the: Death Investigation Unit, Toxicology Unit, Controlled Substances Unit, DNA Unit and Arson Unit. Our audit was limited to the work performed in the DNA Unit.
2. DNA, deoxyribonucleic acid, is genetic material found in almost all living cells that contains encoded information necessary for building and maintaining life. Approximately 99.9 percent of human DNA is the same for all people. The differences found in the remaining 0.1 percent allow scientists to develop a unique set of DNA identification characteristics (a DNA profile) for an individual by analyzing a specimen that contains DNA.
3. These standards were appended to the MOU as Appendix C - NDIS Procedure Manual. This manual is comprised of several operational procedures that provide specific instructions for laboratories to follow for procedures pertinent to NDIS. For our purposes, the NDIS participation requirements consist of the MOU and the NDIS operational procedures.