Combined DNA Index System Operational and Laboratory Vulnerabilities

Audit Report 06-32
May 2006
Office of the Inspector General

Appendix IV
Audit Criteria for CODIS Laboratory Audits

In conducting the OIG’s CODIS laboratory audits, we considered the following elements of the NDIS participation requirements and the QAS. However, we did not test for compliance with elements that are not applicable to the laboratory. In addition, the OIG has established standards to test the completeness and accuracy of DNA profiles and the timely notification of law enforcement when DNA profile matches occurred in NDIS. Further, we considered applicable state legislation, specific to each location audited, as part of our testing of convicted offender DNA profiles.

NDIS Participation Requirements

The NDIS participation requirements, which consist of the MOU and the NDIS operational procedures, establish the responsibilities and obligations of laboratories that participate in NDIS. The MOU requires that NDIS participants comply with federal legislation and the QAS, as well as NDIS-specific requirements accompanying the MOU in the form of appendices. Audit criteria for the OIG CODIS laboratory audits include the following requirements from MOU Appendix A – NDIS Responsibilities.

  • Organizational Responsibilities (Requirement II.B.4) – Comply with FBI requirements for safeguarding CODIS against unauthorized use, including providing an appropriate and secure site for the NDIS system.
  • System Operation (Requirement III.B.2) – Ensure that appropriate personnel are provided copies of, understand, and abide by the NDIS operational procedures.
  • System Operation (Requirement III.B.3) – Identify in writing, in prescribed form, personnel approved to access CODIS and ensure that access to CODIS is limited to them.
  • Reporting and Record-keeping Requirements (Requirement VI.B.1) – Report, on a monthly basis, confirmed NDIS matches to the FBI in a form prescribed by the FBI.
  • Reporting and Record-keeping Requirements (Requirement VI.B.3) – Provide to the NDIS Custodian a written report of deletions or modifications within 10 business days of discovering that a DNA record requires deletion or modification.
  • Reporting and Record-keeping Requirements (Requirement VI.B.4) – Maintain records on these personnel, including proficiency testing records and any other report required by the FBI, for a period of 10 years.

Audit criteria for OIG CODIS laboratory audits also include the following operational procedures from MOU Appendix C – NDIS Procedures Manual.[58] The remainder of the manual consists of sets of procedures outside the scope of the OIG CODIS laboratory audits.

DNA Data Acceptance Standards [59]

Interpretation of DNA Profiles (Sections 6.4.2 and 6.4.3) – Only forensic profiles derived from forensic evidence matching the suspected perpetrators or an unknown individual can be uploaded to NDIS. Profiles clearly matching the victim or any known person other than the suspected perpetrators cannot be uploaded to NDIS. In the case of mixtures, the profile must not contain any portion of the analysis results that clearly belong only to the victim; a mixture that cannot be clearly separated into a portion matching the victim or other known person and the portion matching the suspected perpetrator is allowable.

Add a User from a Participating Laboratory to NDIS

Adding a State or Local CODIS User to NDIS (Section 4.0) – Adding state or local CODIS users to NDIS can occur under two circumstances. First, users may be added when a state begins to participate in NDIS. Second, users may be added periodically as states add new CODIS users. To add a user, the designated state official will send a letter to the NDIS Custodian requesting the addition.

The letter must be accompanied by:

  • FD‑484: Privacy Act explanation;

  • FD‑258: Fingerprint (10 Print) card, two copies;

  • FD-816: Background Data Information Form;

  • CODIS user information;

  • External Proficiency Testing Document for each Qualified DNA Analyst; and

  • DNA Data Acceptable at NDIS form for each user.

The letter shall include a certification by the designated state official that all qualified DNA analysts being added will undergo external proficiency testing as required by the DNA Identification Act and the MOU.

DNA Data Accepted at NDIS

Annual Reminder for Users (Section 5.0) – At the beginning of each calendar year, the CODIS administrator shall ensure that each user (personnel who have log-in access to the CODIS system and/or qualified DNA analysts who are responsible for producing the DNA profiles stored in NDIS) is reminded of the categories of DNA data accepted at NDIS. The CODIS administrator shall then have each user confirm they have received their annual reminder and understand and will abide by the DNA data acceptance requirements. Completed annual reminders for each user shall be filed and maintained by the CODIS administrator and available for inspection.

Review of External Evaluations

Notification of External Evaluation and Forwarding of Evaluation Documents (Section 6.1) – It shall be the responsibility of the NDIS Participating Laboratory to arrange and schedule an external QAS evaluation once every two years. After January 1, 2002, the NDIS Participating Laboratory shall have only those persons who have successfully completed the FBI training course for the QAS Audit Document perform such external QAS evaluation. The NDIS Participating Laboratory shall notify the NDIS Custodian once the external QAS evaluation has been conducted and the evaluation report will be forwarded for review within 30 days of the laboratory’s receipt of the report. The NDIS Participating Laboratory shall include with the evaluation report any clarifications, responses, and/or corrective action plans or documents (hereinafter referred to as “evaluation documentation”), as appropriate. The NDIS Custodian shall acknowledge this communication. If the NDIS Participating Laboratory is unable to forward the required evaluation documentation within 30 days, the NDIS Participating Laboratory shall notify the NDIS Custodian to request an extension of time for sending the required evaluation documentation.

Confirming an Interstate Candidate Match

Responsibilities (Sections 3.2 and 4.2) and Procedures (Sections 3.3 and 4.3) – Candidate matches must be resolved within 30 calendar days. Resolution is refuting or confirming that the candidate match is a valid match. Laboratories are to document the disposition of a candidate match. Further, for confirmed matches, the documentation is to include the interaction between the two laboratories and the notification to law enforcement of the match for unsolved cases.

Expunging a DNA Profile

Responsibilities (Section 3.0) – Included in the DNA Analysis Backlog Elimination Act of 2000 was a requirement for states to expunge the DNA profiles of persons whose qualifying convictions had been overturned. This Act was effective December 19, 2001, and requires that states participating in NDIS “shall promptly expunge from that index the DNA analysis (DNA profile) of a person included in the index by that state if the responsible agency or official of that state receives, for each conviction of the person of an offense on the basis of which that analysis (profile) was or could have been included in the index, a certified copy of a final court order establishing that such conviction has been overturned.”

A participating state shall have procedures in place for expunging a DNA profile, regardless of whether or not its state DNA law requires it.

Quality Assurance Standards

The FBI issued two sets of quality assurance standards – the Quality Assurance Standards for Forensic DNA Testing Laboratories, effective October 1, 1998, (Forensic QAS); and the Quality Assurance Standards for Convicted Offender DNA Databasing Laboratories, effective April 1, 1999, (Offender QAS). The Forensic QAS and the Offender QAS describe the quality assurance requirements that the laboratory should follow to ensure the quality and integrity of the data it produces.

For the OIG CODIS laboratory audits, we generally relied on the reported results of the laboratory’s most recent annual external evaluation to determine if the laboratory was in compliance with the QAS. Additionally, we performed audit work to verify that the laboratory was in compliance with the quality assurance standards listed below, because they have a substantial effect on the integrity of the DNA profiles uploaded to NDIS.

  • Facilities (Forensic QAS and Offender QAS Standard 6.1) – The laboratory shall have a facility that is designed to provide adequate security and minimize contamination.
  • Evidence Control (Forensic QAS Standards 7.1 and 7.2) – The laboratory shall have and follow a documented evidence control system to ensure the integrity of physical evidence. Where possible, the laboratory shall retain or return a portion of the evidence sample or extract.
  • Sample Control (Offender QAS Standard 7.1) – The laboratory shall have and follow a documented sample inventory control system.
  • Analytical Procedures (Forensic QAS Standard 9.4 to 9.4.2 and Offender QAS Standard 9.3 to 9.3.2) – The laboratory shall monitor the analytical procedures using appropriate controls and standards.
  • Review (Forensic QAS Standard 12.1) – The laboratory shall conduct administrative and technical reviews of all case files and reports to ensure conclusions and supporting data are reasonable and within the constraints of scientific knowledge.
  • (Offender QAS Standard 12.1) – The laboratory shall have and follow written procedures for reviewing database sample information, results, and matches.
  • Evaluations (Forensic QAS and Offender QAS Standards 15.1 and 15.2) – The laboratory shall conduct evaluations annually in accordance with the QAS. Once every two years, a second agency shall participate in the annual evaluation.
  • Subcontractor of Analytical Testing for which Validated Procedures Exist (Forensic QAS and Offender QAS Standard 17.1) – A laboratory operating under the scope of the QAS will require certification of compliance with these standards when a subcontractor performs DNA analyses for the laboratory. The laboratory will establish and use appropriate review procedures to verify the integrity of the data received from the subcontractor. When a subcontractor analyzes convicted offender samples, these procedures must include, but are not limited to, random re-analysis of samples, visual inspection and evaluation of results or data, inclusion of quality control samples, and on-site visits.

Office of the Inspector General Standards

The OIG has established standards to test the completeness and accuracy of DNA profiles and the timely notification of law enforcement when DNA profile matches occur in NDIS. We test for compliance with these standards as part of our CODIS laboratory audits.

  • Completeness of DNA Profiles – A profile must include all the loci for which the analyst obtained results. Our rationale for this standard is that the probability of a false match among DNA profiles is reduced as the number of loci included in a profile increases. A false match would require the unnecessary use of laboratory resources to refute the match.
  • Accuracy of DNA Profiles – The values at each locus of a profile must match those identified during analysis. Our rationale for this standard is that inaccurate profiles may: (1) preclude DNA profiles from being matched and, therefore, the potential to link convicted offenders to a crime or to link previously unrelated crimes to each other may be lost; or (2) result in a false match that would require the unnecessary use of laboratory resources to refute the match.
  • Timely Notification of Law Enforcement When DNA Profile Matches Occur in NDIS – Laboratories should notify law enforcement personnel of NDIS matches within 2 weeks of the match confirmation date, unless there are extenuating circumstances. Our rationale for this standard is that untimely notification of law enforcement personnel may result in the suspected perpetrator committing additional, and possibly more egregious, crimes if the individual is not deceased or already incarcerated for the commission of other crimes.

  58. The manual, a collection of operational procedures to be followed for various processes pertinent to the functioning of NDIS, was actually issued separately from the MOU, although it is still considered an appendix to the MOU.

  59. The MOU, Appendix B, addresses DNA data acceptance standards. We did not include Appendix B in our audit criteria because the DNA Data Acceptance Standards’ operational procedure addresses the same issues and is more current than Appendix B.
