Audit Report-Dept of Public Safety's Texas Gang Intelligence Database-Aug. 2022
Download original document:
Document text
Document text
This text is machine-read, and may contain errors. Check the original document to verify accuracy.
Lisa R. Collier, CPA, CFE, CIDA State Auditor An Audit Report on The Department of Public Safety’s Texas Gang Intelligence Database August 2022 Report No. 22-039 State Auditor’s Office reports are available on the Internet at https://sao.texas.gov/. An Audit Report on The Department of Public Safety’s Texas Gang Intelligence Database SAO Report No. 22-039 August 2022 Overall Conclusion The Department of Public Safety’s (Department) Texas Gang Intelligence Database (TxGANG) contained 15,368 records that were at least 10 years old as of February 1, 2022. (See text box for background on TxGANG.) Of those records, 8,539 (56 percent) were validated within the last 5 years, as required by Title 28, Code of Federal Regulations, Part 23. However, the remaining 6,829 records either (1) were not validated within the last five years or (2) did not include all information needed to determine whether the record was validated as required by federal regulations. Specifically: Background Information The Department of Public Safety (Department) implemented the Texas Gang Intelligence Database (TxGANG) on September 1, 2000. Law enforcement agencies, except for the Department of Criminal Justice and the Juvenile Justice Department, were required to report information collected on or before September 1, 1999. TxGANG serves as a statewide repository of criminal intelligence information on gang organizations and their members. TxGANG’s goal is to improve the effectiveness of the criminal justice community by providing for the timely exchange of documented and reliable information. Not validated. A total of 1,099 records (7 percent) had not been validated within 5 years. The majority of those records were flagged as As of May 23, 2022, TxGANG included approximately 71,640 gang belonging to individuals who were incarcerated. member records, which were TxGANG currently allows the validation process to associated with at least one of the 10,845 gang organizations be suspended for an individual’s sentencing period documented in TxGANG. rather than the actual time incarcerated. Because Source: The Department. the Department does not require Agencies to validate a record to confirm that an individual remains incarcerated, those records are not being reviewed for the entire duration of an individual’s sentencing period. Undetermined validation. A total of 5,730 records (37 percent) may not have been validated as required. The majority of those records did not include a date that indicated the last time the record was validated to justify its retention in TxGANG. This occurred because TxGANG does not apply the same automated controls to records uploaded in batches as it does for records directly entered into the database. Validation conclusion. In addition, TxGANG is not programmed to require a decision (or conclusion) to be documented in order to validate a record. As a result, records are retained in TxGANG without supporting information required by federal regulations. This audit was conducted in accordance with Rider 6, page X-7, General Appropriations Act (87th Legislature). For more information regarding this report, please contact Becky Beachy, Audit Manager, or Lisa Collier, State Auditor, at (512) 9369500. An Audit Report on The Department of Public Safety’s Texas Gang Intelligence Database SAO Report No. 22-039 Exception Report. TxGANG automatically removes expired records. However, it does not generate an exception report when the removal process fails to execute. As a result, the Department reported that 916 records were not removed as required between February 2022 and March 2022. Table 1 presents a summary of the findings in this report and the related issue ratings. (See Appendix 2 for more information about the issue rating classifications and descriptions.) Table 1 Summary of Chapters/Subchapters and Related Issue Ratings Chapter/ Subchapter 1 Issue Rating a Title TxGANG Contains Records That Were Not Validated Within the Last 5 Years and Records That Do Not Include Information Necessary to Determine Whether They Were Validated as Required Priority 2-A TxGANG Has Sufficient Controls for Data Entered Directly Into the Database Low 2-B TxGANG Lacks Sufficient Automated Controls on Records Uploaded by Batch Priority 2-C TxGANG Removes Records When They Expire; However, It Does Not Notify the Department When the Removal Process Fails to Execute Medium a A chapter/subchapter is rated Priority if the issues identified present risks or effects that if not addressed could critically affect the audited entity’s ability to effectively administer the program(s)/function(s) audited. Immediate action is required to address the noted concern(s) and reduce risks to the audited entity. A chapter/subchapter is rated High if the issues identified present risks or effects that if not addressed could substantially affect the audited entity’s ability to effectively administer the program(s)/function(s) audited. Prompt action is essential to address the noted concern(s) and reduce risks to the audited entity. A chapter/subchapter is rated Medium if the issues identified present risks or effects that if not addressed could moderately affect the audited entity’s ability to effectively administer the program(s)/function(s) audited. Action is needed to address the noted concern(s) and reduce risks to a more desirable level. A chapter/subchapter is rated Low if the audit identified strengths that support the audited entity’s ability to administer the program(s)/function(s) audited or the issues identified do not present significant risks or effects that would negatively affect the audited entity’s ability to effectively administer the program(s)/function(s) audited. Summary of Management’s Response At the end of certain chapters in this report, auditors made recommendations to address the issues identified during this audit. The Department agreed with the recommendations in this report. The Department’s detailed management responses are presented immediately following the recommendations in each chapter. In addition, the Department’s transmittal letter, which includes an overall statement of response, is presented in Appendix 4. ii An Audit Report on The Department of Public Safety’s Texas Gang Intelligence Database SAO Report No. 22-039 Audit Objective and Scope The objective of this audit, as directed by Rider 6, page X-7, General Appropriations Act (87th Legislature), was to conduct an audit of TxGANG to identify all records older than 10 years that have not been recently validated, as defined by the TxGANG operating policies and procedures. The scope of the audit covered TxGANG records with a “Documented On” date or an “Entered in TxGANG On” 1 date on or before February 1, 2012. The scope also included a review of significant internal control components related to TxGANG. 1 The “Documented On” field indicates the date an individual was identified as a gang member and the “Entered in TxGANG On” field indicates the date a record was created in TxGANG. iii Contents Background Information Background Information on the TxGANG Intelligence Database ................................................................ 1 Detailed Results Chapter 1 TxGANG Contains Records That Were Not Validated Within the Last 5 Years and Records That Do Not Include Information Necessary to Determine Whether They Were Validated as Required ................................................ 5 Chapter 2 TxGANG Has Sufficient Controls to Help Ensure That Data Entered Directly Was Complete; However, It Has Significant Control Weaknesses for Batch Uploaded Data ..... 10 Appendices Appendix 1 Objective, Scope, and Methodology .............................. 16 Appendix 2 Issue Rating Classifications and Descriptions .................... 19 Appendix 3 Internal Control Components ...................................... 20 Appendix 4 The Department’s Management Response Transmittal Letter ................................................................. 21 Background Information Background Information on the TxGANG Intelligence Database Law Enforcement Agencies For purposes of this report, law enforcement agencies (Agencies) include municipal and county agencies, school districts that have law enforcement personnel, and state or federal agencies that are engaged in the administration of criminal justice under statute or executive order. However, it does not include the Department of Criminal Justice, the Juvenile Justice Department, or local juvenile probation departments. The Department of Public Safety’s (Department) Texas Gang Intelligence Database (TxGANG) is designed to facilitate the exchange of information about gang organizations and their members among the law enforcement community. Law enforcement agencies (Agencies) in a municipality with a population of 50,000 or more or in a county with a population of 100,000 or more are required to compile, maintain, and report criminal intelligence information related to gang activity to TxGANG (see text box for information about the Agencies included in this audit report). Identification and TxGANG Record Creation Process Agencies are responsible for collecting and evaluating information concerning an individual to determine whether that individual meets the requirements for being added to TxGANG. Figure 1 shows the process for creating a record in TxGANG based on information collected. Figure 1 • ~ Reco rd Creati on Process • Law enforcement has contact with individual who is potentially involved in gang activity. - C.r i-t~rit1 Based on information collected, officer must determine if individual meets requirements for being added to TxGANG. a ----..""'-\.__..._______r.~----~-----""""--- • Law enforcement collects ;nfo,maUon about individua l's involvement in potential gang activity. / ill_•· -----,~=: 0 ~ • If requirement(s) met, a record is ·s 1 ~ TxGA NG a See Table 2 for requirements for being added to TxGANG. Source: Based on information from the Department. An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database SAO Report No. 22-039 August 2022 Page 1 A record may be created in TxGANG even if an individual has not been arrested. To create a record, an Agency must ensure that the individual meets the requirements established in the Texas Code of Criminal Procedure, Chapter 67. Table 2 lists those requirements. Table 2 Requirements for Creating a Record in TxGANG To create or retain a record in TxGANG, an Agency must determine that the individual meets: One of the following requirements: Judicial finding that includes as part of the criminal offense the individual’s participation in a criminal street gang. Judicial self-admission by an individual of criminal street gang membership. Or, two of the following requirements: Non-judicial self-admission by the individual of criminal street gang membership. Identification of the individual as a criminal street gang member by reliable informant or other individual. Identification of the individual as a criminal street gang member by reliable informant or other individual, and corroborated by an informant or other individual of unknown reliability. Evidence that the individual uses, in more than an incidental manner, criminal street gang dress, hand signals, tattoos, or symbols etc. that are associated with a criminal street gang that operates in an area frequented by the individual. Evidence that the individual has been arrested or taken into custody with known criminal street gang members for an offense or conduct consistent with criminal street gang activity. Evidence that the individual uses technology, including the Internet, to recruit new criminal street gang members. Evidence that the individual frequents a documented area of a criminal street gang and associates with known criminal street gang members.a Evidence that the individual has visited a known criminal street gang member, other than a family member of the individual, while individual is confined in or committed to a penal institution.a a If these two requirements are used jointly, a third requirement also must be met. Source: Texas Code of Criminal Procedure, Chapter 67. An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database SAO Report No. 22-039 August 2022 Page 2 Agencies are responsible for creating and validating their own records. As a result, an individual can have more than one record if those records are created by (1) a single Agency, and the individual is a member of two or more gang organizations, or (2) different Agencies. Figure 2 shows an example of one individual with multiple records in TxGANG. Figure 2 Individual with Multi ple Records Agency "A" Agency "B" Source: Based on information from the Department. Record Validation Process Agencies are required to review and validate TxGANG record information at least every 2 years for juvenile records (for individuals who are 16 years or younger) and every 5 years for adult records. According to the TxGANG operating policies and procedures, validation consists of reviewing supporting documentation, such as photographs, social media, or court documents, and other relevant procedures to determine whether a record continues to meet the requirements listed in Table 2. An Agency may review and validate a record at any time based on additional information collected. A validated record will be kept an additional 2 or 5 years based on record type. If a record is not validated, TxGANG is programmed to automatically remove the record upon its expiration (see Chapter 2-C for more information). Figure 3 on the next page shows the record validation and removal process. An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database SAO Report No. 22-039 August 2022 Page 3 Figure 3 Record Validation and Removal Process 15 days prior to expiration date, Agency re ceives notification from ~ TxGANG to validate record. Agen cy reviews reco rd to determine if info rmation rema ins re levant . Agency does nothing to the record. Information is no longer relevant Agency deletes record from TxGANG. Record automatjcaUy deleted from TxGANG upon expiration date. G Information is retained in TxGANG for: 2 more years for juvenile records. 5 more years for adult records. l ill Source: Based on information from the Department. An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database SAO Report No. 22-039 August 2022 Page 4 ~1 ~ Detailed Results Chapter 1 TxGANG Contains Records That Were Not Validated Within the Last 5 Years and Records That Do Not Include Information Necessary to Determine Whether They Were Validated as Required Chapter 1 Rating: Priority 2 Of the 15,368 TxGANG records that were at least 10 years old as of February 1, 2022, 8,539 (56 percent) contained information showing that they were validated within the last 5 years. However, the remaining 6,829 records: Were not validated within the last five years, or Did not include all information needed to determine whether the records were validated as required by federal regulations. Title 28, Code of Federal Regulations, Part 23, requires Agencies to validate a record and determine whether the supporting information remains relevant at least once every 5 years to retain that record in TxGANG. It also requires Agencies to document certain information as part of the validation process. Not validating records at least every 5 years and not documenting all required elements of the validation process within TxGANG increases the risk of retaining a record inappropriately. Table 3 shows the number of records in TxGANG that were at least 10 years old as of February 1, 2022, and the validation status of those records as of March 9, 2022. Table 3 Number and Validation Status of TxGANG Records At Least 10 Years Old Record Validation Status a Validated Within 5 Years Number of Records As a Percentage 8,539 56% Not Validated Within 5 Years 1,099 7% Undetermined Validation Status 5,730 37% 15,368 100.0% Total Records a As of March 9, 2022. 2 The risk related to the issues discussed in Chapter 1 is rated as Priority because they present risks or effects that if not addressed could critically affect the audited entity’s ability to effectively administer the program(s)/function(s) audited. Immediate action is required to address the noted concern(s) and reduce risks to the audited entity. An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database SAO Report No. 22-039 August 2022 Page 5 TxGANG contained records that were not validated within the last 5 years as required. As shown in Table 3 above, 1,099 TxGANG records that were at least 10 years old were not validated within the 5-year period required by federal regulations. TxGANG data shows that those records were last validated between June 1994 and January 2017. The majority of those records were also flagged as belonging to individuals who were incarcerated. Chapter 67 of the Texas Code of Criminal Procedure allows the record retention process, and therefore the validation process, to be suspended while an individual is incarcerated. While the Department policies and procedures align with statute, TxGANG allows the record retention and validation process to be suspended for the entire time of the individual’s sentence. But the time of a sentence and the actual time an individual spends incarcerated can differ if that individual is granted early release or is released on parole. The Department, though, does not require Agencies to confirm that an individual remains incarcerated during the entire time of the sentence. As a result, those records are not being reviewed and validated every five years. Title 28, Code of Federal Regulations, Part 23, states that “information retained in the system must be reviewed and validated for continuing compliance with system submission criteria before the expiration of its retention period, which in no event shall be longer than five (5) years.” Figure 4 on the next page shows the effect on the validation process when an individual is incarcerated and the record retention period is suspended for the entire duration of the sentence period. An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database SAO Report No. 22-039 August 2022 Page 6 Figure 4 Example of Val idation Process fo r Inca rcerated Individual Individual entered into TxGANG Individual rece ives 7-year prison sentence Released from incarceration 2030 2031 2032 2033 2034 ~ Remaining 2 years from original retention period ➔ t t Federally required 5-year validation (not performed) Federally required 5-year validation (not performed) t Based on current process, record is validated in 12 years Source: Based on information from the Department. TxGANG contains records that do not include all information required for validation. As part of the validation process, federal regulations require an Agency to document (1) the date the review was performed, (2) the name of the reviewer conducting the validation, and (3) an explanation of the decision (or conclusion) to retain a record. While TxGANG policies and procedures require Agencies to report a validation conclusion, they do not require the Agencies to report a validation date or the name of the person performing the review. If Agencies do not document all required information, it cannot be determined whether the records were properly validated to be retained in TxGANG. A total of 5,730 (37 percent) of the 15,368 TxGANG records that were at least 10 years old may not have been validated as required. Of those records, 5,722 did not include a validation date to indicate the last time the record was validated. The remaining eight records had unreasonable validation dates, ranging from March 2023 to June 2998. Lack of the date the validation review was performed. The validation date is crucial for confirming that the record should be retained in TxGANG and for calculating the record’s new expiration date. TxGANG’s records lack validation dates primarily because TxGANG does not apply An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database SAO Report No. 22-039 August 2022 Page 7 automated controls over most data uploaded by a batch. (See Chapter 2-B for more information.) TxGANG does not always require the name of the reviewer completing the validation review. A total of 6,512 (42.4 percent) of the 15,368 records did not include that information. Specifically, 5,803 records did not include a reviewer’s name and 709 records included inappropriate information such as “gang” or “other.” The majority of those records were submitted via batch upload (see Chapter 2-B for more information). Lack of the name of the reviewer. TxGANG includes a notes field that some validation reviewers use to document a validation conclusion. However, validation conclusions are not consistently documented because TxGANG does not require a conclusion to be entered in order to validate a record. For 68 records that auditors tested, the validation reviewer had documented a conclusion in the notes field for only 19 (or 28 percent) of the records. Having a specific field where reviewers can document a conclusion for retaining a record and requiring that field to be completed would help Agencies ensure that TxGANG is collecting this federally required information. Lack of explanation of decision (or conclusion) to retain a record. According to Title 28, Code of Federal Regulations, Part 23, validating a record indicates that there are sufficient facts to give a trained law enforcement person a basis to believe there is reasonable suspicion that an individual continues to be involved in criminal activities. Not documenting a validation conclusion increases the risk of retaining a record that no longer meets requirements. Recommendations The Department should: Require that all records are validated at least every five years, as required by federal regulations. This includes records for individuals who have been sentenced to be incarcerated. Update TxGANG policies and procedures to include all federal regulation requirements. Require Agencies to include validation dates and reviewer names in all records submitted to TxGANG. An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database SAO Report No. 22-039 August 2022 Page 8 Require Agencies to include a decision or conclusion for each validated record, which could include adding or designating a field for this required information within TxGANG. Management’s Response As noted in the auditor’s report, the Department’s CRD team does not enter gang records. Since the CRD does not enter data, CRD is not the owner of the data, and thus, is not responsible for the required validation of records. Rather, as the administrator of TXGANG, the Department provides the system to facilitate information sharing across jurisdictions and provide agencies with a mechanism to collect information on gang members within their jurisdictions. The local law enforcement agencies own their records and are responsible for data compliance. However, the Department agrees with the recommendations and will perform the following: The Department will develop an automated solution to ensure records are validated within their respective timeframe, including those where the member is incarcerated. Further, the Department will work to educate entering agencies to update gang member records to indicate incarceration dates, when applicable. After record removal, the Department will provide local agencies with a copy of their records that were removed from the system. The Department will work with agencies to ensure an understanding of their responsibilities for record ownership to include responsibility for record validation. The Department has prioritized the immediate review of all presentations, manuals, policies, procedures, and websites to ensure consistency with CCP Chapter 67 and 28 CFR Part 23. The Department will ensure that all documentation and websites related to TXGANG contain the applicable federal regulatory requirements and direct the end user to these requirements. Review of documentation will be conducted yearly or as required when policies or procedures change. The Department will update the TXGANG Database and batch submission to require the name and date of the user validating the TXGANG record. The Department will update the TXGANG Database and batch submission to require and create a location to document the determination of the entering agency for each validated record. Title of Responsible Individual: Crime Records Division Chief Estimated Completion Date: December 31, 2023 An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database SAO Report No. 22-039 August 2022 Page 9 Chapter 2 TxGANG Has Sufficient Controls to Help Ensure That Data Entered Directly Was Complete; However, It Has Significant Control Weaknesses for Batch Uploaded Data Agencies create and manage their TxGANG records either by (1) entering information directly into the database (direct data entry) or (2) uploading multiple files’ information via an automated method (upload by batch). TxGANG had sufficient automated controls for direct data entry to help reduce errors before the data was accepted. However, TxGANG lacks similar controls on records uploaded by batch, which resulted in records that did not include all required information being accepted into TxGANG. In addition, although TxGANG has an automated process to remove records when they expire, it does not notify the Department when that process fails to execute. Figure 5 illustrates differences in the upload process for data entered directly and data entered via batch. Figure 5 Data Upload Process .... ► If data passes t:;)\v Direct Data Entry If data fails automated checks, record rejected@ Most data accepted as submitted by Agency Batch Upload Source: Based on information from the Department. An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database SAO Report No. 22-039 August 2022 Page 10 automated \() checks, record saved in TxGANG As of May 23, 2022, TxGANG contained approximately 71,640 records. Of those, 52,025 (73 percent) were entered into TxGANG directly. However, of the 15,368 records that were at least 10 years old, 41 percent were submitted through the batch upload process (see Table 4). Table 4 Number of TxGANG Records At Least 10 Years Old Submitted Using Direct Data Entry and Batch Upload as of March 9, 2022 Record Submission Method a Total Number of Records Percentage of Records Direct Data Entry 9,003 59% Batch Upload 6,365 41% 15,368 100.0% Totals a The record submission type is based on the Agencies’ submission method as of March 9, 2022; however, Agencies may have entered previous records using a different submission method. Source: TxGANG. Chapter 2-A TxGANG Has Sufficient Controls for Data Entered Directly Into the Database Direct Data Entry 3 Chapter 2-A As of March 2022, TxGANG had sufficient automated controls Rating: over data entered directly into the database to help ensure Low 3 that the information in key data fields was appropriate. For example, the automated controls helped ensure that (1) the record created for an individual identified as a potential gang member meets the requirements for inclusion in the database (see Background section for those requirements), (2) the record expiration date is accurately calculated, and (3) all dates are correctly formatted. Requiring this information to be entered prior to accepting a record helps the Department increase the completeness and accuracy of the TxGANG data. The risk related to the issues discussed in Chapter 2-A is rated as Low because the audit identified strengths that support the Department’s ability to administer the program(s)/function(s) audited or the issues identified do not present significant risks or effects that would negatively affect the audited entity’s ability to effectively administer the program(s)/function(s) audited. An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database SAO Report No. 22-039 August 2022 Page 11 Chapter 2-B TxGANG Lacks Sufficient Automated Controls on Records Uploaded by Batch Chapter 2-B For the majority of the 6,365 records that were at least 10 Rating: years old and submitted via batch upload, TxGANG did not Priority 4 apply the same automated controls as it did for information entered directly into the database. According to the Department, when data is submitted through batch upload, TxGANG accepts the data with limited or no automated controls applied. Batch Upload As discussed in Chapter 1, a significant number of records did not include all of the information required to show that the record was properly validated. The primary cause of this is the lack of automated controls over data submitted through a batch upload, which allowed most of the records to be accepted “as is.” Even though all of the records had an expiration date, without requiring key information, such as a validation date, to be entered for all TxGANG records, it cannot be determined whether the expiration dates are within the required timeframes and meet all retention requirements. For example, for data uploaded by batch, expiration dates ranged from January 2022 through January 5560. In addition to the federal regulations requiring certain information to be entered into TxGANG, the Department of Information Resources’ Security Control Standards Catalog, version 1.3, requires systems to check the validity of data. Recommendation The Department should implement automated controls over key fields for records that are entered into TxGANG via batch upload to help ensure that data is complete and reliable. 4 The risk related to the issues discussed in Chapter 2-B is rated as Priority because they present risks or effects that if not addressed could critically affect the audited entity’s ability to effectively administer the programs(s)/function(s) audited. Immediate action is required to address the noted concern(s) and reduce risks to the audited entity. An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database SAO Report No. 22-039 August 2022 Page 12 Management’s Response The Department agrees with the recommendation and will update and implement data validations for batch submissions. As local law enforcement agencies own the records within TXGANG, the Department will educate agencies submitting gang data via batch files and request changes to those local systems to ensure compatibility and compliance with TXGANG requirements. Title of Responsible Individual: Crime Records Division Chief Estimated Completion Date: December 31, 2023 An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database SAO Report No. 22-039 August 2022 Page 13 Chapter 2-C TxGANG Removes Records When They Expire; However, It Does Not Notify the Department When the Removal Process Fails to Execute Automatic Record Deletion TxGANG has a process to automatically remove a record from the database on that record’s expiration date, as required by Department’s TxGANG operating policies and procedures. Auditors verified that, as of April 2022, that process was working as intended and records were deleted when they reached the expiration date. Chapter 2-C Rating: Medium 5 However, that process stopped working from February 10, 2022, through March 10, 2022. The Department reported that, as a result, 916 records were not deleted upon the expiration date. The Department did not know that the records were not being deleted during that time period because TxGANG did not generate an exception report when the removal process failed. The Department of Information Resources’ Security Control Standards Catalog, version 1.3, requires state agencies to implement a monitoring process to identify system failures in a timely manner. Generating an exception report when the automatic removal of an expired record fails would help the Department verify that the system is not retaining a record longer than allowed by Texas Code of Criminal Procedure, Chapter 67. Recommendation The Department should develop and implement an exception report in TxGANG to notify it when the system fails to automatically remove a record upon the expiration date to help ensure that records are deleted as required by statute. 5 The risk related to the issues discussed in Chapter 2-C is rated as Medium because they present risks or effects that if not addressed could moderately affect the audited entity’s ability to effectively administer the program(s)/function(s) audited. Action is needed to address the noted concern(s) and reduce risks to a more desirable level. An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database SAO Report No. 22-039 August 2022 Page 14 Management’s Response The Department agrees with the recommendation and will create an alert to TXGANG Administrators and Technical Staff to notify the appropriate individuals the automated program did not complete successfully. If the records could not be processed through the automated process, TXGANG Administrators would remove the records subject to expiration. Title of Responsible Individual: Crime Records Division Chief Estimated Completion Date: August 31, 2023 An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database SAO Report No. 22-039 August 2022 Page 15 Appendices Appendix 1 Objective, Scope, and Methodology Objective The objective of this audit, as directed by Rider 6, page X-7, General Appropriations Act (87th Legislature), was to conduct an audit of the Texas Gang Intelligence Database (TxGANG) to identify all records older than 10 years that have not been recently validated, as defined by the TxGANG operating policies and procedures. Scope The scope of this audit covered TxGANG records with a “Documented on” date or an “Entered in TxGANG On” 6 date on or before February 1, 2012. The scope also included a review of significant internal control components related to TxGANG (see Appendix 3 for more information about internal control components). Methodology The audit methodology included reviewing and analyzing TxGANG records; conducting interviews; reviewing applicable regulatory requirements and TxGANG policies and procedures; and performing selected tests and procedures. The methodology also included testing selected automated controls over data entry fields used when records are entered directly in the database. In addition, during the audit, matters not required to be reported in accordance with Government Auditing Standards were communicated to the Department of Public Safety’s (Department) management for consideration. Data Reliability and Completeness Auditors obtained data from TxGANG on records that were at least 10 years old as of February 1, 2022. Auditors performed procedures to assess the reliability of those data sets including (1) observing data extracts, (2) reviewing parameters used to extract the data, and (3) reviewing key data fields for reasonableness and completeness. Auditors also evaluated the effectiveness of certain automated controls over key data fields in TxGANG. 6 The “Documented On” field indicates the date an individual was identified as a gang member and the “Entered in TxGANG On” field indicates the date a record was created in TxGANG. An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database SAO Report No. 22-039 August 2022 Page 16 Auditors determined that the populations of records extracted from TxGANG were sufficiently complete for the purposes of the audit. However, the accuracy of the information in those records was of undetermined reliability for the purposes of this audit due to the weaknesses discussed in Chapters 1 and 2 of this report and because the documentation that supports each individual member record resides at the law enforcement agency (Agency) that created and maintains the record. Sampling Methodology To determine if Agencies documented a conclusion when a record was recently validated, 7 auditors selected a nonstatistical sample of records through random selection from two data sets. Specifically, each sample consisted of: 30 of 8,250 records from the “Documented On” population. 30 of 2,437 records from the “Entered in TxGANG” population. This sample design was chosen so the sample could be evaluated in the context of the population. The test results may be projected to the population, but the accuracy of the projection cannot be measured. In addition, auditors also tested all eight records that had a future validation date 8. Each data set included four records. Information collected and reviewed included the following: TxGANG records. Statutes, policies, procedures, and other guidance relevant to TxGANG. Procedures and tests conducted included the following: Interviewed Department management and staff, as well as staff at the TxGANG vendor, to gain an understanding of the TxGANG system and processes. Tested samples of recently validated records to determine if the Agencies documented an explanation for the validation. Tested all records with a future validation date to determine if Agencies documented an explanation for the validation. 7 Recently validated records are those that were validated from February 1, 2017, through February 1, 2022. 8 Future Validation Date records are those whose validation date is after the date when the TxGANG vendor extracted the data at auditors’ request. An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database SAO Report No. 22-039 August 2022 Page 17 Tested automated controls that apply to records entered directly into the database for certain key data fields. Performed data analysis to determine the completeness and appropriateness of information on selected key data fields such as records without a validation date and reviewer’s name; and date formatting appropriateness. Reviewed policies and procedures for compliance with applicable statutory and federal regulatory requirements. Criteria used included the following: Title 28, Code of Federal Regulations, Part 23 (Criminal Intelligence Systems Operating Policies). Texas Code of Criminal Procedure, Chapter 67. Department of Information Resources' Security Control Standards Catalog, version 1.3. TXGANG INDEX Operating Policies and Procedures, May 2019. Project Information Audit fieldwork was conducted from January 2022 through August 2022. We conducted this performance audit in accordance with Government Auditing Standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. The following members of the State Auditor’s staff performed the audit: Ileana Barboza, MBA, CFE, CGAP (Project Manager) Lauren Ramsey (Assistant Project Manager) Jenna Perez, MAcy Venus Santos Robert G. Kiker, CFE, CGAP (Quality Control Reviewer) Becky Beachy, CIA, CGAP (Audit Manager) An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database SAO Report No. 22-039 August 2022 Page 18 Appendix 2 Issue Rating Classifications and Descriptions Auditors used professional judgment and rated the audit findings identified in this report. Those issue ratings are summarized in the report chapters/subchapters. The issue ratings were determined based on the degree of risk or effect of the findings in relation to the audit objective(s). In determining the ratings of audit findings, auditors considered factors such as financial impact; potential failure to meet program/function objectives; noncompliance with state statute(s), rules, regulations, and other requirements or criteria; and the inadequacy of the design and/or operating effectiveness of internal controls. In addition, evidence of potential fraud, waste, or abuse; significant control environment issues; and little to no corrective action for issues previously identified could increase the ratings for audit findings. Auditors also identified and considered other factors when appropriate. Table 5 provides a description of the issue ratings presented in this report. Table 5 Summary of Issue Ratings Issue Rating Description of Rating Low The audit identified strengths that support the audited entity’s ability to administer the program(s)/function(s) audited or the issues identified do not present significant risks or effects that would negatively affect the audited entity’s ability to effectively administer the program(s)/function(s) audited. Medium Issues identified present risks or effects that if not addressed could moderately affect the audited entity’s ability to effectively administer the program(s)/function(s) audited. Action is needed to address the noted concern(s) and reduce risks to a more desirable level. High Issues identified present risks or effects that if not addressed could substantially affect the audited entity’s ability to effectively administer the program(s)/function(s) audited. Prompt action is essential to address the noted concern(s) and reduce risks to the audited entity. Priority Issues identified present risks or effects that if not addressed could critically affect the audited entity’s ability to effectively administer the program(s)/function(s) audited. Immediate action is required to address the noted concern(s) and reduce risks to the audited entity. An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database SAO Report No. 22-039 August 2022 Page 19 Appendix 3 Internal Control Components Internal control is a process used by management to help an entity achieve its objectives. The U.S. Government Accountability Office’s Government Auditing Standards require auditors to assess internal control when internal control is significant to the audit objectives. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) established a framework for five integrated components of internal control, which are listed in Table 6. Table 6 Internal Control Components Component Component Description Control Environment The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Risk Assessment Risk assessment is the entity’s identification and analysis of risks relevant to achievement of its objectives, forming a basis for determining how the risks should be managed. Control Activities Control activities are the policies and procedures that help ensure that management’s directives are carried out. Information and Communication Information and communication are the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities. Monitoring Activities Monitoring is a process that assesses the quality of internal control performance over time. Source: Internal Control – Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, May 2013. An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database SAO Report No. 22-039 August 2022 Page 20 Appendix 4 The Department’s Management Response Transmittal Letter DocuSign Envelope ID: 7448E715-9A41-48BB-9A 79 -D9DA45394091 TEXAS DEPARTMENT OF PUBLIC SAFETY 5805 N LAMAR BLVD• BOX 4087 • AUSTIN , TEXAS 78773--0001 512/424-2000 www .dps .texas.gov COMMISSION STEVEN P. MACH, CHAIRMAN NELDA L BLAIR STEVE H. STODGH ILL STEVEN C. McGRAW DIRECTOR FREEMAN F. MARTIN DVI/IGHT D. MATHIS JEOFF WILLIAMS DEPUTY DIRECTORS DALE WAIN'v'IIRIGHT July 29, 2022 Ileana Barboza, Project Manager Texas State Audi tor's Office P.O. Box 12067 Austin, Texas 7871 1-2067 Dear Ms . Barboza, Thank you for the opportunity to review and respond to the draft findings resulting from the State Auditor' s Office audit of the Department's Texas Gang Intelligence Database. We appreciate the detailed review provided by the audit team , as well as the professionalism with which the audit was conducted. The team ' s work, in concert with the efforts of our staff and local law enforcement entities, provides important assurance and accountabi lity regarding the data. The Department strives for excellence in all endeavors, including in our administration of the Texas Gang Intelligence Database. While timely validation is the responsibility of the local law enforcement agencies, the Department will continue to strengthen operations, work with our local law enforcement partners, and work diligently to implement recommendations. Sincerely, I, DocuSigned by: ~~C4~~ Steven C. McCraw Director Attachment cc: Becky Beachy, State Auditor' s Office JeoffWilliams, Deputy Director, Law Enforcement Services Michell e Farris, Chief, Crime Records Services Division Bryan Lane, ChiefTnformation Officer Catherine Melvin, Chi ef Auditor EQUAL OPPORTUNITY EMPLOYER COURTESY • SERVICE • PROTECTION An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database SAO Report No. 22-039 August 2022 Page 21 Copies of this report have been distributed to the following: Legislative Audit Committee The Honorable Dan Patrick, Lieutenant Governor, Joint Chair The Honorable Dade Phelan, Speaker of the House, Joint Chair The Honorable Joan Huffman, Senate Finance Committee The Honorable Robert Nichols, Member, Texas Senate The Honorable Greg Bonnen, House Appropriations Committee The Honorable Morgan Meyer, House Ways and Means Committee Office of the Governor The Honorable Greg Abbott, Governor Texas Department of Public Safety Members of the Public Safety Commission Mr. Steven P. Mach, Chairman Ms. Nelda L. Blair Mr. Steve H. Stodghill Mr. Dale Wainwright Colonel Steven C. McCraw, Director This document is not copyrighted. Readers may make additional copies of this report as needed. In addition, most State Auditor’s Office reports may be downloaded from our website: https://sao.texas.gov. In compliance with the Americans with Disabilities Act, this document may also be requested in alternative formats. To do so, contact our report request line at (512) 936-9500 (Voice), (512) 936-9400 (FAX), 1-800-RELAY-TX (TDD), or visit the Robert E. Johnson Building, 1501 North Congress Avenue, Suite 4.224, Austin, Texas 78701. The State Auditor’s Office is an equal opportunity employer and does not discriminate on the basis of race, color, religion, sex, national origin, age, or disability in employment or in the provision of services, programs, or activities. To report waste, fraud, or abuse in state government visit https://sao.fraud.texas.gov.