28 CFR 901.4 - Audits.
(a) Audits of authorized State agencies that access the III System shall be conducted by the State's Compact Officer or, in the absence of a Compact Officer, the chief administrator for the criminal history record repository. The responsible Federal CJIS Systems Officer shall ensure that similar audits are conducted of authorized Federal agencies. Such audits shall be conducted to verify adherence to the provisions of part 901 and the FBI's CJIS Security Policy.
(b) Authorized agencies shall cause to be collected an appropriate record of each instance of III System access through a manual or electronic log. The log shall be maintained for a minimum one-year period to facilitate the audits and compliance reviews. Such records shall be maintained in accordance with the CJIS Security Policy. (For information on this security policy, contact your CJIS Systems Officer.)
(c) The audit and compliance reviews must include mechanisms to determine whether fingerprints were submitted within the time frame specified by the Compact Council.
(d) In addition to the audits as stated above, the FBI CJIS Audit staff shall also conduct routine systematic compliance reviews of State repositories, Federal agencies, and as necessary other authorized III System user agencies.