The Combined DNA Index System
Report No. 01-26
September 17, 2001
Office of the Inspector General
The FBI has made significant progress in implementing CODIS across the country. Thirty-four states are contributing DNA profiles to the national index and 15 states have initiated the application process necessary to participate at the national level. On the local level, 62 laboratories are contributing DNA profiles to the national index through their state laboratories. The fact that the system works and is useful to the criminal justice system can be partially demonstrated by FBI statistics which reported that 1,733 investigations were aided by the use of CODIS as of February 2001. However, the Commission has estimated that tens of thousands of evidence samples across the country are untested. The crime-solving potential of CODIS will be enhanced when a substantial number of these untested forensic profiles are added, especially profiles from cases without a suspect. In addition, 24 percent of the forensic profiles and 29 percent of the convicted offender profiles in the national index are considered incomplete because they do not contain the required number of loci (specific locations on the DNA molecule, analogous to an address for a house). The incomplete profiles are not used in searches at the national index. As a result, there is the possibility that DNA matches are not discovered and crimes remain unsolved. The lack of forensic profiles and complete DNA profiles in the national index are, to some degree, due to a resource shortage at state and local forensic laboratories.
The FBI's progress in implementing CODIS can be examined by reviewing the performance measures that the FBI has set for its own development of the CODIS system. The FBI's progress in implementing CODIS can also be measured in part by the number of laboratories uploading DNA profiles to CODIS and the number of DNA profiles in CODIS. The impact of CODIS is more difficult to demonstrate. There are numerous statistics concerning the number of crimes solved using DNA and the number of investigations aided by DNA evidence. However, the full value of CODIS to the criminal justice system and to the citizens of this country is difficult to measure.
Performance Measures for CODIS
In response to the Government Performance and Results Act, the FBI's strategic plan for CODIS included the desired program outcomes and results. The plan, developed in November 1994, stated that the outcomes were not limited to the CODIS software because the successful achievement of the program's goals and objectives depended on the work of several units of the FBI laboratory and the Department of Justice. Under the section titled Vision, the strategic plan posed the question, "Where do we want CODIS to be in 5 years?" This question was answered with the following four statements.
The strategic plan also delineated eight goals, nine targets, and eight objectives. The document defined goals as the results needed to fulfill the FBI's vision for CODIS, targets as the broad activities needed in the next 5 years to reach the CODIS goals, and objectives as the specific things that needed to be accomplished within the next 24 months. We reviewed the FBI's progress in accomplishing the activities noted in the following table.
| ACTIVITY | CATEGORY |
|---|---|
| For software development, reach Level 2 of the Software Engineer Institute's Capability Maturity Model (Model). | Objective |
| Expand CODIS installed base to 125 laboratories. | Objective |
| Begin full-scale operation of the national index, with all eligible laboratories participating. | Target |
| Proliferate the installed base to include all crime laboratories doing DNA analysis. | Target |
| Optimize software performance for local, state, and national indexes. | Target |
| Implement high-bandwidth Wide Area Network secure communications. | Target |
| Implement Unidentified Person Index. | Target |
Although the FBI's vision for CODIS was not realized within five years, we determined that the FBI has made steady progress toward that end. The FBI completed the two objectives that we tested, but not within the 24-month time frame established for the objectives. For processes involved in developing CODIS software, the contractor was operating at Model Level 2 in October of 1999. The Model has five levels, Level 5 being the highest, that indicate the relative maturity of the processes used to produce a product. The Model is based on the concept that the quality of a product is a function of the processes used to create it. The more mature the process, the higher the quality. In addition, more mature processes yield more accurate cost and schedule estimates.
The FBI was not able to expand the installed base to 125 laboratories within the 24-month time frame set for the objective. Our testing revealed that as of March 2001, 129 laboratories in the United States were using CODIS software, although not all of these laboratories contribute DNA profiles to the state and national indexes. Originally, the FBI provided laboratories with the software upon request. Within the past two years, the FBI has not provided CODIS software to a laboratory until it was ready to begin uploading DNA profiles to the state and national indexes. This policy change slowed the rate at which new laboratories began using the software. In our judgment, the new policy is more effective because the FBI does not spend time installing the software until a laboratory is ready to fully participate in and contribute to CODIS.
As noted in the previous table, we tested five of the targets listed in the strategic plan. In October 1998, the FBI began the full-scale operation of the national index with all eligible laboratories (the test site laboratories and others that had completed the NDIS-participation application process), thereby meeting the first target. The states that served as test sites for the national index as well as the states currently participating in the national index are discussed in the next section of the report. The second target was to have 100 percent of the crime laboratories that performed DNA analysis using CODIS software. This target was not met for the reasons discussed in the previous paragraph. The third target was to optimize software performance for the local, state, and national indexes. This is an ongoing process in that it will probably always be possible to improve the software. According to officials at the eight laboratories we audited, the FBI was responsive to user complaints and suggestions as they developed each new version of CODIS software.
The FBI has completed a portion of the fourth target - to implement high-bandwidth wide area network secure communications among the laboratories participating in the national index. The FBI is in the process of connecting laboratories to its Criminal Justice Information System Wide Area Network. The FBI estimates that, if funds are available, the project will be completed by the end of 2001. Lastly, the FBI stated that as of January 31, 2001, laboratories could begin uploading DNA profiles to the Unidentified Human Remains and the Relatives of Missing Persons Indexes, meeting the fifth target. These new indexes allow laboratories to contribute and compare DNA profiles from unidentified human remains with the DNA profiles of close biological relatives of missing persons in order to identity the remains.
The FBI officially activated the national index in October 1998. At that time there were eight states contributing profiles as part of the test use of the index: California, Florida, Illinois, Minnesota, North Carolina, Oregon, Utah, and Virginia (our audits included five of these states). There are 53 laboratories eligible to serve as SDIS sites: one laboratory in each state and in Puerto Rico; the FBI laboratory in Washington, D.C.; and the U.S. Army laboratory in Georgia. According to the FBI, as of February 2001, 36 state index laboratories 3 had completed the application process and another 15 laboratories had started the process. Puerto Rico and Alabama had not begun the application process. Puerto Rico informed the FBI that it would like to use the CODIS software and is gathering information about the application process. According to the FBI, Alabama was slowed by personnel changes and was not yet testing DNA samples at the 13 Short Tandem Repeat (STR) loci required for DNA profiles that are included in the national index. The FBI estimated that the Alabama state index laboratory will not be ready to participate in the national index until June 2002. The status of CODIS implementation by state is shown in the following chart.
Image of map not available electronically.
Source: FBI NDIS Program Metrics, February 2001 report
As would be expected, the number of profiles in the national index increased as the number of laboratories uploading profiles increased. The following graph depicts the steady increase in the number of profiles in the national index.
Image of graph not available electronically.
Source: FBI NDIS Program Metrics, February 2001 report
Although the number of laboratories participating in the national index and the number of profiles in the index has steadily increased, it is also important to consider the usefulness of the information in the national index. As noted in the above chart, as of February 2001 there were 23,301 forensic profiles in the national index. Although no exact number is available, in its July 13, 1999 recommendation to the Attorney General, the Commission stated that tens of thousands of evidence samples across the country were untested. In our judgment, the crime-solving potential of CODIS will not be fully realized until a substantial number of forensic profiles are added, especially profiles from cases without a suspect. Convicted offenders cannot be linked with crimes until the DNA profiles from crime-scene evidence are included in CODIS. According to FBI statistics, there was a significant increase in the number of offenders at the state level linked to unsolved crimes as the number of forensic profiles grew. In our judgment, the low number of forensic profiles in the national index from nonsuspect cases appears to be the result of resource shortages at state and local laboratories. Many laboratories do not have the resources to perform DNA testing on old cases or on cases with no suspect. Laboratory personnel are fully occupied trying to keep up with the demand for DNA testing in cases with a suspect. According to the FBI, the police have a suspect in approximately 80 percent of the cases submitted for DNA testing. However, based on DNA test results, the initial suspect is not the perpetrator in approximately 20 percent of these cases.
In addition to the tens of thousand of cases awaiting analysis, the Commission estimated that several hundred thousand convicted offender samples were awaiting analysis. As state legislatures passed laws requiring the collection of DNA samples, laboratories across the country received an influx of convicted offender samples without necessarily having the capability to analyze them all. Appendix IV discusses some of the factors that have contributed to both the case and convicted offender backlogs. 4
Additionally, unless the DNA profiles in the national index contain information for specific loci, the profiles are not included when the index is searched. As a result, the profiles are essentially useless at the national level. The NDIS requirements 5 contain the following provisions:
However, in certain circumstances, a laboratory can request that a specific profile be searched at the national index (even though it has less than the required number of loci) through a procedure called a keyboard search. In addition, state and local index laboratories determine the number of loci a profile is required to have in order to be included in a search of their own indexes. Laboratories can change this search parameter as necessary.
The FBI considers profiles with less than the required number of loci to be incomplete. Each month, the FBI determines the number of complete and incomplete profiles in the national index by laboratory. According to the FBI's statistics, as of February 28, 2001, 24 percent of the forensic profiles and 29 percent of the convicted offender profiles were incomplete. The incomplete profiles substantially reduce the effectiveness of CODIS. Again, in our judgment, part of the reason there are so many incomplete profiles in the national index is a lack of resources at state and local laboratories. See Appendix IV for a discussion of resource issues and other factors that affect a laboratory's DNA testing program.
The FBI uses the number of investigations aided to help measure the impact of CODIS. The matching of DNA profiles through CODIS may provide investigative leads in more than one investigation so the FBI decided to focus on investigations aided rather than on the number of DNA profile matches that occurred using CODIS. For example, six rapes in Washington, D.C., were linked to three rapes in Jacksonville, Florida, using CODIS. When the DNA profile from one of these crime scenes matched the DNA profile of a convicted offender, the investigations for all nine cases were aided. Thus one DNA profile match resulted in nine investigations aided. According to the FBI, CODIS had aided 1,733 investigations as of February 2001.
The complete impact of CODIS cannot be easily measured. The use of DNA evidence to link a suspect to a crime can result in a guilty plea by the suspect, saving the criminal justice system the cost of a trial. DNA evidence is also useful to investigators because it helps to determine whether or not a suspect was involved in a crime, reducing the number of hours spent investigating suspects who were not involved in a crime. There are some intangible results associated with CODIS as well. When DNA evidence is used to solve very old crimes, the closure provided to victims and their families is impossible to measure, although it can have a profound effect on those involved.
A second intangible benefit of CODIS is that criminals may be caught earlier and, as a result, taken off the streets before they have the chance to commit additional crimes. A 1982 study (A. N. Groth, R. E. Longo, and J. B. McFadin, "Undetected Recidivism Among Rapists and Child Molesters," Crime and Delinquency, Vol. 28, No. 3, 1982, pp. 450-458) used anonymous questionnaires to survey convicted rapists in custody. The study found that these rapists had been convicted of an average of 2.8 rapes and that they had committed an average of 5.2 rapes for which they were never caught. The fact that criminals may be caught sooner through DNA analysis is an important benefit of CODIS.
In conclusion, the FBI has made steady progress toward its goal of having all forensic DNA laboratories participate in the national index. In our judgment, the lack of forensic profiles and the presence of incomplete profiles in CODIS are problems that must be remedied by the state and local laboratories. Therefore, we have no recommendations for the FBI with respect to the implementation of CODIS. We note, however, that the FBI needs to strengthen its oversight of CODIS. This issue is discussed in Finding No. 2.
The FBI's management controls over laboratory compliance with regulatory standards, as well as the evaluation of DNA profiles contained in the national index, need improvement. We performed audits at eight laboratories that contributed DNA profiles to the national index. We determined that four of these eight laboratories were not fully compliant with the FBI's quality assurance standards and NDIS requirements. We also noted that six of the eight laboratories uploaded a total of 55 incomplete or unallowable DNA profiles to CODIS out of the 1,308 profiles we tested. Furthermore, the FBI has not established any periodic method of auditing profiles in the national index to ensure compliance with the applicable quality assurance standards and NDIS requirements. If CODIS contains profiles that are inaccurate, incomplete, or unallowable, the database is less useful to the criminal justice system. In our judgment, the presence of unallowable profiles in CODIS could also be viewed as a violation of privacy for the individuals involved.
Our audit work included reviewing the FBI's oversight of: (1) the application process required for a laboratory to participate in the national index, (2) laboratory compliance with the FBI's quality assurance standards (QAS) and NDIS requirements, and (3) the accuracy, allowability, and completeness of the DNA profiles contained in CODIS.
Laboratory Application Process
For each state, only the state index laboratory has the capability to upload DNA profiles to the national index. Consequently, it uploads all DNA profiles for the state. In order to ensure the integrity of the national index, a state index laboratory may not upload DNA profiles to the national index until it completes an application process that includes the items listed below. The laboratory must:
Our analysis of the FBI's oversight of the application process disclosed that the FBI adequately tracked the laboratories' progress related to this area. From the 52 files available, we selected a judgmental sample of 30 FBI laboratory files to review. Our sample included 26 laboratories that had completed the application process, 3 laboratories that had started the process, and 1 laboratory that had not begun the process. The files for the 26 CODIS-participating laboratories contained documentation that demonstrated the laboratories had completed all required elements of the application process. Based on documentation in the files of these 26 laboratories, we determined that an average of 6 months was required to complete the application process described above, with a range from 1 day to 28 months. Our review also indicated that the variation in the amount of time laboratories needed to complete the application process seemed appropriate given the unique circumstances in which each laboratory operated.
As we reviewed the FBI's laboratory files, we also examined all correspondence to determine if the FBI worked to facilitate the application process by responding to laboratory questions and concerns. We noted that the laboratory files contained documentation indicating that the FBI not only responded to the laboratories' questions and concerns, but also reminded them about missing or overdue documentation.
Compliance with the QAS and NDIS Requirements
In accordance with the Act, the Director of the FBI issued Quality Assurance Standards for Forensic DNA Testing Laboratories (Forensic QAS), effective October 1, 1998, and Quality Assurance Standards for Convicted Offender DNA Databasing Laboratories (Offender QAS), effective April 1, 1999. In addition, the FBI developed requirements governing a laboratory's submission of DNA profiles to the national index (NDIS requirements). The FBI is responsible for ensuring that laboratories submitting DNA profiles to the national index comply with the QAS 6 and NDIS requirements. The QAS address a wide range of issues related to the testing of DNA samples. Compliance with the QAS helps ensure the accuracy and integrity of a laboratory's DNA test results and uniformity in the quality of DNA profiles submitted by laboratories across the country. Compliance with the NDIS requirements ensures that the national index contains allowable, useful DNA profiles that can be compared among participating laboratories.
At the time of our audit, the FBI did not have the resources to directly evaluate laboratory compliance with the QAS and NDIS requirements. Consequently, oversight was limited to self-certification with the QAS and NDIS requirements on the part of each laboratory. In our judgment, self-certification presents a high risk that the FBI would not necessarily detect instances of noncompliance by the laboratories. In order to test this condition, we audited eight laboratories that contributed DNA profiles to the national index to determine if they were in compliance with the QAS and NDIS requirements. At the time of our audits, the eight laboratories had contributed approximately 24 percent of the forensic profiles and 71 percent of the convicted offender profiles contained in the national index. See Appendix I for a description of the laboratory selection process and a list of the laboratories that we audited.
Specifically, we tested the laboratories' compliance with the 165 Forensic and 148 Offender QAS and NDIS requirements that pertained to laboratory operations. See Appendix III for a description of the standards and requirements included in these numbers. We determined that four of the eight laboratories audited were in compliance with these QAS and NDIS requirements. However, we noted the following areas of noncompliance at the remaining four laboratories.
Proficiency Testing
Section No. 13 of the QAS addresses proficiency testing. The QAS require that laboratory personnel who are actively engaged in DNA analysis undergo external proficiency testing at intervals not to exceed 180 days. In addition, a laboratory is required to include seven specific items in its proficiency test records, and the laboratory is required to inform all proficiency test participants of the final test results. Further, the NDIS requirements state that, for each analyst, the test provider must grade at least two external proficiency tests each year.
Proficiency testing is extremely important to the DNA testing process in that it ensures DNA analysts are capable of producing reliable, accurate DNA profiles. DNA laboratories purchase proficiency tests from test providers who set a due date for each test. The laboratories are not given answers to the tests at the time of purchase. Rather, the analyst's test results must be submitted to the test provider for independent grading and statistical evaluation. The test provider ultimately publishes the individual test results and related statistical analysis for all analysts who submitted results by the due date.
Our audits disclosed that two of the eight laboratories did not comply with all proficiency testing requirements. The Broward County Sheriff's Office Crime Laboratory in Fort Lauderdale, Florida (Broward Laboratory), returned one test per year per analyst to the external test provider and graded the second test in-house, based on the published test results. At the time of our audit, laboratory officials felt that their procedures met the QAS requirement for external proficiency testing. However, the NDIS requirements clearly require that, for each analyst, the test provider must independently evaluate two tests per year. As a result of our audit, the Broward Laboratory implemented a new policy to comply with the proficiency testing requirements. The Florida Department of Law Enforcement, Tallahassee Regional Crime Laboratory, Tallahassee, Florida (Tallahassee Laboratory), did not consistently include all seven required items in its proficiency test records and did not routinely notify participants of their final test results. Participants were only notified if there were problems with a proficiency test. Laboratory management stated that it was laboratory policy to notify recipients only when there were problems with the proficiency tests. Laboratory management agreed to modify the policy to require that all test participants be notified of their test results, and to ensure that proficiency test records included all required seven items. These required items must be included in the proficiency test records in order to demonstrate that each analyst has passed an external proficiency test every 180 days.
Evidence Control
Section No. 7 of the Forensic QAS requires that laboratories have secure areas for evidence storage.
In order to prevent theft or tampering, evidence must be properly secured. Our audits disclosed that the Broward Laboratory and the Miami-Dade Police Department, Crime Laboratory Bureau, Miami, Florida (Miami Laboratory), needed to increase the security over evidence maintained in cold storage. Although the evidence was stored within secured laboratory space, the refrigerators and freezers containing small items of evidence or extracted DNA were not locked. Since all other evidence was secured in locked rooms or evidence lockers at these two laboratories, it would follow that the cold storage areas should be locked as well. In addition, the cold storage areas at the remaining six laboratories were locked even when the refrigerators or freezers were in locked rooms. In our judgment, security would be increased if all evidence and extracted DNA were stored in locked refrigerators or freezers. Although officials at both laboratories stated that they felt they had implemented controls that would successfully prevent unauthorized access to evidence, the FBI required the laboratories to begin locking the refrigerators and freezers as a result of our audits.
Equipment Calibration and Maintenance
Section No. 10 of the QAS requires that laboratories have a documented program for the calibration of instruments and equipment. As part of that program, laboratories are to document the frequency of calibration for each instrument and must maintain evidence that the required calibrations were performed.
A laboratory must calibrate its instruments to ensure errors are not introduced into the testing process. Our audits disclosed that the Commonwealth of Virginia, Division of Forensic Science Central Laboratory, Richmond, Virginia (Richmond Laboratory), did not have supporting documentation for the calibration of 2 of the 10 pieces of equipment we reviewed. Laboratory officials agreed that all calibrations performed should and will be documented in writing. Further, the Miami Laboratory did not have written policies that specified the required frequency of calibration. Miami officials stated that they were unaware the QAS required frequencies to be included in a laboratory's written calibration program. When the required frequency of calibration is documented in writing, there are clear guidelines for laboratory personnel to follow. The laboratory agreed to document its calibration policies in writing.
Review of Court Testimony
Section No. 12 of the QAS requires that the courtroom testimony of laboratory analysts be monitored annually.
An important part of each analyst's job is to provide courtroom testimony that is understandable to a jury and yet thoroughly explains the DNA test results. Inadequate courtroom testimony could, in essence, negate the power of DNA evidence. Our audits disclosed that the Miami Laboratory could not locate documentation to verify the 1998 monitoring of one analyst's courtroom testimony. Laboratory officials stated that the analyst's testimony was reviewed in 1998 but the documentation had been misplaced. Subsequent to our audit, the laboratory began notifying analysts on a regular basis of the requirement to have their courtroom testimony monitored and to provide documentation of the monitoring to the laboratory.
Analytical Procedures
Section No. 9 of the QAS requires that a laboratory's technical leader or management approve its analytical procedures.
It is important for the analytical procedures to be approved as required in order to demonstrate the laboratory has followed appropriate internal controls when developing its analytical procedures. Our audits disclosed that the Broward Laboratory's analytical procedures were not approved as required. The technical leader stated that he provided input as the procedures were developed but that he had not officially approved the procedures or documented his approval in writing. He also stated that he would document his approval of the procedures in writing.
Safety
Section No. 16 of the QAS states that a laboratory shall have and follow a documented environmental health and safety program.
Our audits disclosed that the Richmond Laboratory did not have an emergency procedures and evacuation plan, which is part of an environmental health and safety program, for the building it occupied. The only emergency procedures and evacuation plan available was for a building the laboratory had not occupied for six years. This finding was reported in a prior audit conducted by the Potomac Regional Audit Group but had not been corrected.
Laboratory Audits
Section No. 15 of the QAS requires that laboratories undergo annual audits in accordance with specific guidelines. This section also states that once every two years an outside agency must conduct the audit.
Our audits disclosed that all eight laboratories complied with these audit requirements. However, we noted some weaknesses with the audits performed by outside agencies. The outside agencies generally consisted of either DNA analysts from another laboratory or auditors representing an accreditation or certification agency.
The major problem with the audits performed by analysts from other laboratories was that audit findings became mere suggestions. For example, the Richmond Laboratory dismissed many of the findings noted by the Potomac Regional Audit Group during a previous audit. Laboratory management prepared a response stating why they felt specific findings were not appropriate and why they would not be implementing the auditors' recommendations. We noted that the Richmond Laboratory was not in compliance with the QAS's safety requirements and that the laboratory should have corrected this finding rather than disputing it. We included this deficiency as a repeat finding in our audit report.
Although an accreditation or certification agency has the authority to ensure a laboratory takes appropriate corrective action, accreditation or certification audits did not typically focus on compliance with the QAS. These audits covered the entire forensic laboratory, not just the section performing DNA analysis.
Our review of external audit reports at the eight laboratories disclosed that laboratory audits were not always performed consistently. In our judgment, inconsistencies occurred because: (1) different guides were used by those conducting the audits, (2) interpretation of the requirements varied among the individuals conducting the audit work, and (3) the focus of the audits varied depending on the agency performing the work. Although the FBI had identified these issues prior to our audit, FBI officials stated that our audit added an awareness of the full extent of the FBI's responsibilities in ensuring laboratories comply with the QAS. To address these issues, the FBI developed an audit guide that focuses on laboratory compliance with the QAS requirements. An FBI official stated that, as of January 1, 2002, a CODIS-participating laboratory cannot meet the QAS requirements unless the external audit is conducted using the FBI-developed guide by individuals who have attended the FBI's audit training. The FBI's training class is designed to ensure that the QAS requirements are interpreted consistently. Additionally, to facilitate the use of the audit guide, the FBI entered into a MOU with the major laboratory accreditation organization in the United States. This organization agreed to use the FBI-developed guide in conjunction with its own audit guide to determine if the DNA section of the laboratory is in compliance with the QAS.
The FBI's audit guide states that a laboratory is not in compliance with the QAS audit requirements unless the laboratory can demonstrate that it provided an adequate response to all findings detailed in its previous audit. However, in our judgment, the audit guide alone does not remedy the problem. The FBI should also provide a mechanism for the resolution of audit findings and identify an arbiter for disputes between auditors and laboratories. The resolution of audit findings is the final step in ensuring compliance with the QAS. FBI officials stated that they were aware that it is essential to have a mechanism to resolve audit findings and that they were working on developing a policy to address the issue.
The DNA profiles contributed to CODIS are developed either from evidence related to a crime (forensic profiles) or from DNA samples provided by individuals convicted of certain crimes (convicted offender profiles). We reviewed forensic and convicted offender profiles uploaded to CODIS to determine if the profiles were complete, accurate, and in compliance with specific QAS and NDIS requirements. A DNA profile was considered complete if all the loci for which the analyst obtained results were included in the uploaded profile. When the values at each locus in the uploaded profile matched those on the analyst's worksheets, the profile was considered accurate. For seven of the eight laboratories, we reviewed forensic profiles that were uploaded to the national index and, when applicable, convicted offender profiles that were uploaded to the state indexes. We reviewed profiles from the Miami Laboratory's local index because the laboratory's 110 profiles were inadvertently deleted from the national and state indexes.
Inadvertent Deletion of Profiles
We found that the Miami Laboratory's forensic profiles were inadvertently deleted from both the national and state indexes. The problem arose in September 1998 after a new version of CODIS software was installed at the laboratory. Because of the way the software was installed, the laboratory's existing profiles in the state index were deleted when the laboratory uploaded new profiles to the index. As a result, the profiles were also deleted from the national index since it reflects the profiles contained in the state index. The laboratory's CODIS administrator knew that there was a problem and believed, incorrectly, that he had fixed it. Although the CODIS administrator performed additional uploads to the state index, the DNA profiles in the local index were not actually uploaded to the state index due to the software problems.
Although the FBI tracks the number of profiles in the national index by laboratory on a monthly basis, neither the FBI nor the state index administrator recognized that the Miami Laboratory's profiles were no longer in the national or state indexes. As a result, the situation was not corrected in a timely manner. We brought this condition to the FBI's attention when we were preparing to select a sample of profiles to review. Subsequently, the laboratory's profiles were restored to the state and national indexes after the software problem was corrected. Since the profiles were not in the indexes, they could not be searched against for 13 months, delaying any matches that might have occurred between the laboratory's profiles and those in the state or national indexes.
Forensic Profiles
The eight laboratories audited had a total of 3,596 forensic profiles in CODIS as of the dates the audits were conducted. We reviewed a total of 608 forensic profiles that were randomly selected at each laboratory. The forensic profiles were selected from printouts of the profiles contained in CODIS as of a specified date. The results obtained for the sample cannot be projected to the 3,596 forensic profiles that the eight laboratories had contributed to CODIS because we did not use statistical sampling. We reviewed case files to determine if the DNA profiles were complete and accurate, and to determine if the laboratories were in compliance with the seven Forensic QAS and NDIS requirements that pertain to forensic profiles. See Appendix III for information concerning these elements.
We considered a profile compliant with the Forensic QAS if the amount of DNA in the sample was quantified using the appropriate method, and if both technical and administrative reviews of the analyst's work were performed (these tests cover five of the seven criteria elements).
We considered a profile compliant with the NDIS requirements if the profile was allowable for inclusion in the national index (this test covers the last two criteria elements). The NDIS requirements prohibit a laboratory from uploading forensic profiles to the national index that clearly match the DNA profile of the victim or another known person unless the known person is a suspected perpetrator.
Our audits revealed noncompliant forensic profiles at six of the eight laboratories audited.
We also noted that the Richmond Laboratory uploaded 3 unallowable forensic profiles to the national index out of the 75 profiles we reviewed. Two profiles that matched the DNA profiles of crime victims were uploaded inadvertently. The remaining profile matched the DNA profile of a suspect whom the laboratory knew was cleared of the charge. In this instance, the case file contained notes indicating that the criminal justice agency notified the laboratory that the suspect was cleared of the charge because the suspect acted in self defense. The laboratory should have removed this profile from the national index after receiving notification from the criminal justice agency. Laboratory management agreed the profile should be removed from the national index and stated that all of the profiles the laboratory had contributed to the national index would be reviewed to ensure they were appropriately included in the index.
As discussed on the preceding pages, we found that 5 laboratories had uploaded a total of 40 unallowable profiles to the national index out of the 608 forensic profiles we evaluated. These profiles matched the DNA of crime victims or other individuals who were not suspected perpetrators in a crime. The FBI's NDIS requirements specify which DNA profiles may be uploaded to the national index. In addition, the NDIS requirements state that appropriate personnel should receive copies of, understand, and abide by the NDIS requirements. At some of the laboratories that we audited, "appropriate personnel" included only the personnel involved in uploading profiles into the local or state database. However, it is the responsibility of the DNA analysts to correctly categorize (label) the DNA profiles they examine based upon the guidelines in the NDIS requirements. If each analyst is not aware of those requirements, a profile may be mislabeled and as a result an unallowable profile may be inadvertently uploaded to CODIS. We also found that local index laboratories uploading DNA profiles to the state index were not always aware that they were required to adhere to all NDIS requirements. In our judgment, all analysts at the local and state index laboratories should be aware of the NDIS requirements in order to reduce the risk of uploading unallowable profiles to the national index. Therefore, the FBI should place special emphasis on ensuring that laboratories and analysts understand the NDIS requirements, specifically those related to profiles that are unallowable in the national index.
In our judgment, uploading unallowable DNA profiles could be viewed as a violation of privacy for the individuals involved. In addition, if a suspect were tied to one or more crimes through unallowable CODIS profiles, the evidence may not be admissible in court. This could affect the outcome of a trial since DNA is often the most compelling evidence linking a suspect to a crime. Furthermore, when unallowable profiles are included in CODIS, it undermines public confidence in DNA databases. To allay concerns over function creep and the use of genetic information for discriminatory purposes, the FBI and DNA laboratories need to scrupulously abide by the law, especially those provisions addressing allowable profiles and allowable uses for the information in CODIS.
In order for the DNA profiles in the national index to be useful to the criminal justice system they must be complete and accurate. For the purposes of this audit, an incomplete profile was one that was missing available test results at one or more loci. When laboratories are notified of a potential match between DNA profiles, they must perform additional work to determine if the match is a true match, or if there are points at which the profiles do not match. As the number of loci included in a DNA profile increases, there is an increase in the points of comparison between DNA profiles with a resulting decrease in the number of "false matches." Therefore, complete profiles are ultimately more useful because they decrease the amount of time laboratories spend following up on potential matches between DNA profiles. As the number of profiles in the national index grows, it will become increasingly important that the profiles it contains are complete.
While incomplete profiles increase the amount of work done by the laboratories, inaccurate profiles may increase the amount of time investigators spend trying to tie a suspect to a crime. An inaccurate profile in CODIS could prevent the detection of a match between two profiles, depriving investigators of valuable information that could be used to help solve a crime. Additionally, inaccurate profiles in CODIS would also undermine the credibility of DNA databases with the public and with the criminal justice system.
Convicted Offender Profiles
The Broward Laboratory and the Miami Laboratory were local index laboratories that did not perform convicted offender testing. The remaining six state index laboratories had a total of 233,823 convicted offender profiles in CODIS as of the dates the audits were conducted. We reviewed a total of 700 convicted offender profiles. The results obtained for the sample cannot be projected to the 233,823 convicted offender profiles that the six laboratories had contributed to CODIS because we did not use statistical sampling. The profiles were randomly selected at each laboratory from electronic files containing limited information on the offender profiles stored in the laboratories' state indexes.
We reviewed supporting documentation for the selected profiles to determine if the profiles were complete, accurate, and allowable in the database in accordance with state legislation and the applicable NDIS requirement. We considered an offender profile compliant with the NDIS requirement and state legislation if the profile was obtained from an offender convicted of a crime for which state legislation required that a DNA profile be entered into the state offender database. See Appendix III for more information on state legislation and the NDIS requirement.
Our audits disclosed noncompliant convicted offender profiles at two of the six laboratories we tested.
Lack of Profile Verification
The unallowable, inaccurate, and incomplete profiles that we found in CODIS emphasize the need for verification of the DNA profiles contained in the indexes. The QAS-required laboratory audits (discussed on page 21) do not include a review of the DNA profiles uploaded to CODIS. Further, the FBI does not have a system in place to verify the accuracy, completeness, or allowability of the DNA profiles contained in the national index. The Forensic Science Systems Unit recognized this management control deficiency and included auditors in its budget requests for fiscal years 2000 and 2001. Since it has not been able to secure additional resources to develop its own audit capabilities, the unit is considering alternative plans, such as using auditors from other FBI divisions, to review the profiles uploaded to the national index.
The FBI's management controls over laboratory compliance with regulatory standards as well as its evaluation of DNA profiles contained in the national index need improvement. If the FBI does not ensure that the DNA profiles in CODIS are reliable, accurate, and produced by laboratories that comply with the QAS and relevant legislation, the profiles become less useful to the criminal justice system. Although DNA evidence is useful to investigators as they investigate crimes, it can also be used as evidence in a courtroom. If there are doubts about the integrity of a DNA profile or the laboratory that produced it, the DNA evidence can be challenged in court. Although we noted problems with a small percentage of the CODIS profiles reviewed, because of the sensitivity of the information a small percentage is unacceptable. As a result, it is important to verify the accuracy, completeness, and allowability of the DNA profiles in the national index. In addition, we noted that some laboratories did not fully comply with the QAS and that audit findings were not always resolved. These facts indicate that a formal process is needed to ensure that laboratories uploading profiles to the national index adequately resolve any audit findings that result from the QAS-required audits.
Recommendations: 7
We recommend that the Director of the FBI:
Our audit disclosed that the LIP grants awarded by the NIJ were generally made in accordance with the Act. However, our examination of the LIP grants awarded through Congressional earmarks disclosed that the NIJ did not require one grantee to adhere to the match requirement. NIJ officials stated that the match requirement was inadvertently omitted from the grant documents. The improperly awarded grant funds could have been used to fund one or more of the 15 approved LIP grant applications that did not receive funding under the program due to insufficient funds.
We reviewed the NIJ's oversight of the LIP to determine if grants were made in accordance with the Act. The NIJ awarded 129 grants, totaling $30.7 million, under the LIP program in fiscal years 1996 through 2000. Grantees were selected based on the merits of grant applications submitted to the NIJ. Congress also determined the recipients and amounts of seven additional grant awards, totaling $9.6 million, through language in annual appropriation bills. Of the Congressionally directed grants, $1.4 million was not related to CODIS but rather to forensic investigation of arson and explosions. Grantees receiving funds through Congressional earmarks were required to adhere to the Act unless the appropriation language indicated otherwise. As of the end of the grant program, 15 grant applications from qualified agencies could not be funded due to insufficient funds.
The Act authorized grants to states and units of local government or combinations thereof. These grants were to be used to improve the capacity and capability of public forensic laboratories in performing forensic DNA testing. The Act required that the grants awarded fund a maximum of 75 percent of the annual costs for the program outlined in the grant application, with the grantee funding the remaining 25 percent of the total program costs through matching funds. In addition, the Act stated that a maximum of 10 percent of the grant funds could be used for administrative costs.
We evaluated the recipients of all 129 LIP grants to determine if grants were made to eligible recipients and noted no deficiencies. We also examined specific grant awards to determine if the awards complied with the Act's grantee match requirement and indirect cost limitation. Our review was limited to the grants awarded to the eight laboratories we audited and to the seven grants awarded through Congressional earmarks. Our evaluation disclosed that the grants the NIJ awarded based on grant applications complied with the Act's grantee match requirement and the indirect cost limitation. However, we noted two grants, totaling $1,377,846, awarded to the University of Central Florida through a Congressional earmark that did not call for the grantee to provide matching funds. The grantee should have supplied matching funds such that the grants funded 75 percent of the project's total costs. Therefore, we are questioning costs of $459,282 [($1,377,846 / 0.75) x 0.25]. NIJ officials agreed that matching funds should have been required and stated that the requirement was inadvertently omitted from the grant documents. NIJ officials stated that they would determine whether the grantee incurred other costs that would be acceptable for grant provisions.
Grantees were not required to participate in CODIS. We reviewed a list of all grantees during the 5-year grant program to determine if grant funds also generated the addition of DNA profiles to CODIS. We found that, of the 129 LIP grants awarded, 44 grants (34 percent) totaling $9,252,173 were made to entities not contributing DNA profiles to CODIS. However, some of the grantees used the funds to develop the capacity to participate in CODIS or to expand CODIS programs. NIJ and FBI officials stated that they felt the LIP grants had accomplished the intended goal, which was to improve the capacities and capabilities of forensic laboratories to perform DNA testing.
We recommend that the Assistant Attorney General, Office of Justice Programs, require the Director of the NIJ to: