Skip navigation

Audit Report-Dept of Public Safety's Texas Gang Intelligence Database-Aug. 2022

Download original document:
Brief thumbnail
This text is machine-read, and may contain errors. Check the original document to verify accuracy.
Lisa R. Collier, CPA, CFE, CIDA
State Auditor

An Audit Report on

The Department of Public Safety’s Texas
Gang Intelligence Database
August 2022
Report No. 22-039

State Auditor’s Office reports are available on the Internet at https://sao.texas.gov/.

An Audit Report on

The Department of Public Safety’s Texas
Gang Intelligence Database
SAO Report No. 22-039
August 2022

Overall Conclusion
The Department of Public Safety’s (Department) Texas
Gang Intelligence Database (TxGANG) contained 15,368
records that were at least 10 years old as of February
1, 2022. (See text box for background on TxGANG.) Of
those records, 8,539 (56 percent) were validated
within the last 5 years, as required by Title 28, Code of
Federal Regulations, Part 23. However, the remaining
6,829 records either (1) were not validated within the
last five years or (2) did not include all information
needed to determine whether the record was validated
as required by federal regulations. Specifically:

Background Information
The Department of Public Safety
(Department) implemented the
Texas Gang Intelligence Database
(TxGANG) on September 1, 2000.
Law enforcement agencies, except
for the Department of Criminal
Justice and the Juvenile Justice
Department, were required to report
information collected on or before
September 1, 1999.
TxGANG serves as a statewide
repository of criminal intelligence
information on gang organizations
and their members. TxGANG’s goal is
to improve the effectiveness of the
criminal justice community by
providing for the timely exchange of
documented and reliable
information.

 Not validated. A total of 1,099 records (7 percent)
had not been validated within 5 years. The
majority of those records were flagged as
As of May 23, 2022, TxGANG
included approximately 71,640 gang
belonging to individuals who were incarcerated.
member records, which were
TxGANG currently allows the validation process to
associated with at least one of the
10,845 gang organizations
be suspended for an individual’s sentencing period
documented in TxGANG.
rather than the actual time incarcerated. Because
Source: The Department.
the Department does not require Agencies to
validate a record to confirm that an individual
remains incarcerated, those records are not being reviewed for the entire
duration of an individual’s sentencing period.
 Undetermined validation. A total of 5,730 records (37 percent) may not have
been validated as required. The majority of those records did not include a
date that indicated the last time the record was validated to justify its
retention in TxGANG. This occurred because TxGANG does not apply the same
automated controls to records uploaded in batches as it does for records
directly entered into the database.
Validation conclusion. In addition, TxGANG is not programmed to require a
decision (or conclusion) to be documented in order to validate a record. As a
result, records are retained in TxGANG without supporting information required by
federal regulations.

This audit was conducted in accordance with Rider 6, page X-7, General Appropriations Act (87th Legislature).
For more information regarding this report, please contact Becky Beachy, Audit Manager, or Lisa Collier, State Auditor, at (512) 9369500.

An Audit Report on
The Department of Public Safety’s Texas Gang Intelligence Database
SAO Report No. 22-039

Exception Report. TxGANG automatically removes expired records. However, it
does not generate an exception report when the removal process fails to execute.
As a result, the Department reported that 916 records were not removed as
required between February 2022 and March 2022.
Table 1 presents a summary of the findings in this report and the related issue
ratings. (See Appendix 2 for more information about the issue rating classifications
and descriptions.)
Table 1

Summary of Chapters/Subchapters and Related Issue Ratings
Chapter/
Subchapter
1

Issue Rating a

Title
TxGANG Contains Records That Were Not Validated Within the Last 5 Years and
Records That Do Not Include Information Necessary to Determine Whether They
Were Validated as Required

Priority

2-A

TxGANG Has Sufficient Controls for Data Entered Directly Into the Database

Low

2-B

TxGANG Lacks Sufficient Automated Controls on Records Uploaded by Batch

Priority

2-C

TxGANG Removes Records When They Expire; However, It Does Not Notify the
Department When the Removal Process Fails to Execute

Medium

a A chapter/subchapter is rated Priority if the issues identified present risks or effects that if not addressed could critically affect the
audited entity’s ability to effectively administer the program(s)/function(s) audited. Immediate action is required to address the noted
concern(s) and reduce risks to the audited entity.
A chapter/subchapter is rated High if the issues identified present risks or effects that if not addressed could substantially affect the
audited entity’s ability to effectively administer the program(s)/function(s) audited. Prompt action is essential to address the noted
concern(s) and reduce risks to the audited entity.
A chapter/subchapter is rated Medium if the issues identified present risks or effects that if not addressed could moderately affect the
audited entity’s ability to effectively administer the program(s)/function(s) audited. Action is needed to address the noted concern(s)
and reduce risks to a more desirable level.
A chapter/subchapter is rated Low if the audit identified strengths that support the audited entity’s ability to administer the
program(s)/function(s) audited or the issues identified do not present significant risks or effects that would negatively affect the audited
entity’s ability to effectively administer the program(s)/function(s) audited.

Summary of Management’s Response
At the end of certain chapters in this report, auditors made recommendations to
address the issues identified during this audit. The Department agreed with the
recommendations in this report. The Department’s detailed management
responses are presented immediately following the recommendations in each
chapter. In addition, the Department’s transmittal letter, which includes an
overall statement of response, is presented in Appendix 4.

ii

An Audit Report on
The Department of Public Safety’s Texas Gang Intelligence Database
SAO Report No. 22-039

Audit Objective and Scope
The objective of this audit, as directed by Rider 6, page X-7, General
Appropriations Act (87th Legislature), was to conduct an audit of TxGANG to
identify all records older than 10 years that have not been recently validated, as
defined by the TxGANG operating policies and procedures.
The scope of the audit covered TxGANG records with a “Documented On” date or
an “Entered in TxGANG On” 1 date on or before February 1, 2012. The scope also
included a review of significant internal control components related to TxGANG.

1

The “Documented On” field indicates the date an individual was identified as a gang member and the “Entered in TxGANG On”
field indicates the date a record was created in TxGANG.

iii

Contents
Background Information
Background Information on the TxGANG Intelligence
Database ................................................................ 1

Detailed Results
Chapter 1

TxGANG Contains Records That Were Not Validated
Within the Last 5 Years and Records That Do Not Include
Information Necessary to Determine Whether They Were
Validated as Required ................................................ 5
Chapter 2

TxGANG Has Sufficient Controls to Help Ensure That
Data Entered Directly Was Complete; However, It Has
Significant Control Weaknesses for Batch Uploaded Data ..... 10

Appendices
Appendix 1

Objective, Scope, and Methodology .............................. 16
Appendix 2

Issue Rating Classifications and Descriptions .................... 19
Appendix 3

Internal Control Components ...................................... 20
Appendix 4

The Department’s Management Response Transmittal
Letter ................................................................. 21

Background Information
Background Information on the TxGANG Intelligence Database
Law Enforcement
Agencies
For purposes of this report,
law enforcement agencies
(Agencies) include municipal
and county agencies, school
districts that have law
enforcement personnel, and
state or federal agencies that
are engaged in the
administration of criminal
justice under statute or
executive order. However, it
does not include the
Department of Criminal
Justice, the Juvenile Justice
Department, or local juvenile
probation departments.

The Department of Public Safety’s (Department) Texas Gang Intelligence
Database (TxGANG) is designed to facilitate the exchange of information
about gang organizations and their members among the law enforcement
community. Law enforcement agencies (Agencies) in a municipality with a
population of 50,000 or more or in a county with a population of 100,000
or more are required to compile, maintain, and report criminal
intelligence information related to gang activity to TxGANG (see text box
for information about the Agencies included in this audit report).
Identification and TxGANG Record Creation Process
Agencies are responsible for collecting and evaluating information
concerning an individual to determine whether that individual meets the
requirements for being added to TxGANG. Figure 1 shows the process for
creating a record in TxGANG based on information collected.

Figure 1

•
~

Reco rd Creati on Process

•

Law enforcement
has contact with
individual who is
potentially
involved in gang
activity.

-

C.r i-t~rit1

Based on information
collected, officer must
determine if individual
meets requirements for
being added to TxGANG. a

----..""'-\.__..._______r.~----~-----""""---

•

Law enforcement

collects
;nfo,maUon
about individua
l's
involvement in
potential gang
activity.

/

ill_•·

-----,~=: 0

~
•

If requirement(s)
met, a record is

·s
1

~

TxGA NG

a See Table 2 for requirements for being added to TxGANG.
Source: Based on information from the Department.

An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database
SAO Report No. 22-039
August 2022
Page 1

A record may be created in TxGANG even if an individual has not been
arrested. To create a record, an Agency must ensure that the individual meets
the requirements established in the Texas Code of Criminal Procedure,
Chapter 67. Table 2 lists those requirements.
Table 2

Requirements for Creating a Record in TxGANG
To create or retain a record in TxGANG, an Agency must determine that the
individual meets:
One of the following requirements:
 Judicial finding that includes as part
of the criminal offense the
individual’s participation in a
criminal street gang.

 Judicial self-admission by an
individual of criminal street gang
membership.

Or, two of the following requirements:
 Non-judicial self-admission by the
individual of criminal street gang
membership.

 Identification of the individual as a
criminal street gang member by
reliable informant or other
individual.

 Identification of the individual as a
criminal street gang member by
reliable informant or other
individual, and corroborated by an
informant or other individual of
unknown reliability.

 Evidence that the individual uses, in
more than an incidental manner,
criminal street gang dress, hand
signals, tattoos, or symbols etc.
that are associated with a criminal
street gang that operates in an area
frequented by the individual.

 Evidence that the individual has
been arrested or taken into custody
with known criminal street gang
members for an offense or conduct
consistent with criminal street gang
activity.

 Evidence that the individual uses
technology, including the Internet,
to recruit new criminal street gang
members.

 Evidence that the individual
frequents a documented area of a
criminal street gang and associates
with known criminal street gang
members.a

 Evidence that the individual has
visited a known criminal street gang
member, other than a family
member of the individual, while
individual is confined in or
committed to a penal institution.a

a If these two requirements are used jointly, a third requirement also must be met.
Source: Texas Code of Criminal Procedure, Chapter 67.

An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database
SAO Report No. 22-039
August 2022
Page 2

Agencies are responsible for creating and validating their own records. As a
result, an individual can have more than one record if those records are
created by (1) a single Agency, and the individual is a member of two or more
gang organizations, or (2) different Agencies. Figure 2 shows an example of
one individual with multiple records in TxGANG.
Figure 2

Individual with Multi ple Records

Agency "A"

Agency "B"

Source: Based on information from the Department.

Record Validation Process
Agencies are required to review and validate TxGANG record information at
least every 2 years for juvenile records (for individuals who are 16 years or
younger) and every 5 years for adult records. According to the TxGANG
operating policies and procedures, validation consists of reviewing supporting
documentation, such as photographs, social media, or court documents, and
other relevant procedures to determine whether a record continues to meet
the requirements listed in Table 2.
An Agency may review and validate a record at any time based on additional
information collected. A validated record will be kept an additional 2 or 5
years based on record type. If a record is not validated, TxGANG is
programmed to automatically remove the record upon its expiration (see
Chapter 2-C for more information).
Figure 3 on the next page shows the record validation and removal process.

An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database
SAO Report No. 22-039
August 2022
Page 3

Figure 3

Record Validation and Removal Process

15 days prior to expiration date,
Agency re ceives notification from ~
TxGANG to validate record.

Agen cy reviews reco rd to
determine if info rmation
rema ins re levant .

Agency does nothing
to the record.
Information is
no longer
relevant

Agency deletes record
from TxGANG.
Record automatjcaUy deleted from
TxGANG upon expiration date.

G

Information is retained in TxGANG for:
2 more years for juvenile records.
5 more years for adult records.

l

ill

Source: Based on information from the Department.

An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database
SAO Report No. 22-039
August 2022
Page 4

~1

~

Detailed Results
Chapter 1

TxGANG Contains Records That Were Not Validated Within the Last 5
Years and Records That Do Not Include Information Necessary to
Determine Whether They Were Validated as Required
Chapter 1
Rating:
Priority

2

Of the 15,368 TxGANG records that were at least 10 years old as of February
1, 2022, 8,539 (56 percent) contained information showing that they were
validated within the last 5 years. However, the remaining 6,829 records:


Were not validated within the last five years, or



Did not include all information needed to determine whether the records
were validated as required by federal regulations.

Title 28, Code of Federal Regulations, Part 23, requires Agencies to validate a
record and determine whether the supporting information remains relevant
at least once every 5 years to retain that record in TxGANG. It also requires
Agencies to document certain information as part of the validation process.
Not validating records at least every 5 years and not documenting all required
elements of the validation process within TxGANG increases the risk of
retaining a record inappropriately.
Table 3 shows the number of records in TxGANG that were at least 10 years
old as of February 1, 2022, and the validation status of those records as of
March 9, 2022.
Table 3

Number and Validation Status of TxGANG Records At Least 10 Years Old
Record Validation Status a
Validated Within 5 Years

Number of
Records

As a Percentage

8,539

56%

Not Validated Within 5 Years

1,099

7%

Undetermined Validation Status

5,730

37%

15,368

100.0%

Total Records
a As of March 9, 2022.

2

The risk related to the issues discussed in Chapter 1 is rated as Priority because they present risks or effects that if not
addressed could critically affect the audited entity’s ability to effectively administer the program(s)/function(s) audited.
Immediate action is required to address the noted concern(s) and reduce risks to the audited entity.
An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database
SAO Report No. 22-039
August 2022
Page 5

TxGANG contained records that were not validated within the last
5 years as required.
As shown in Table 3 above, 1,099 TxGANG records that were at least 10 years
old were not validated within the 5-year period required by federal
regulations. TxGANG data shows that those records were last validated
between June 1994 and January 2017. The majority of those records were
also flagged as belonging to individuals who were incarcerated.
Chapter 67 of the Texas Code of Criminal Procedure allows the record
retention process, and therefore the validation process, to be suspended
while an individual is incarcerated. While the Department policies and
procedures align with statute, TxGANG allows the record retention and
validation process to be suspended for the entire time of the individual’s
sentence. But the time of a sentence and the actual time an individual spends
incarcerated can differ if that individual is granted early release or is released
on parole.
The Department, though, does not require Agencies to confirm that an
individual remains incarcerated during the entire time of the sentence. As a
result, those records are not being reviewed and validated every five years.
Title 28, Code of Federal Regulations, Part 23, states that “information
retained in the system must be reviewed and validated for continuing
compliance with system submission criteria before the expiration of its
retention period, which in no event shall be longer than five (5) years.”
Figure 4 on the next page shows the effect on the validation process when an
individual is incarcerated and the record retention period is suspended for the
entire duration of the sentence period.

An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database
SAO Report No. 22-039
August 2022
Page 6

Figure 4

Example of Val idation Process fo r Inca rcerated Individual
Individual entered
into TxGANG

Individual rece ives 7-year
prison sentence

Released from
incarceration

2030

2031

2032

2033

2034

~ Remaining 2

years from
original retention
period ➔

t

t
Federally required
5-year validation
(not performed)

Federally required
5-year validation
(not performed)

t
Based on current
process, record is
validated in 12 years

Source: Based on information from the Department.

TxGANG contains records that do not include all information required for
validation.
As part of the validation process, federal regulations require an Agency to
document (1) the date the review was performed, (2) the name of the
reviewer conducting the validation, and (3) an explanation of the decision (or
conclusion) to retain a record. While TxGANG policies and procedures require
Agencies to report a validation conclusion, they do not require the Agencies
to report a validation date or the name of the person performing the review.
If Agencies do not document all required information, it cannot be
determined whether the records were properly validated to be retained in
TxGANG.
A total of 5,730 (37 percent)
of the 15,368 TxGANG records that were at least 10 years old may not have
been validated as required. Of those records, 5,722 did not include a
validation date to indicate the last time the record was validated. The
remaining eight records had unreasonable validation dates, ranging from
March 2023 to June 2998.
Lack of the date the validation review was performed.

The validation date is crucial for confirming that the record should be retained
in TxGANG and for calculating the record’s new expiration date. TxGANG’s
records lack validation dates primarily because TxGANG does not apply
An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database
SAO Report No. 22-039
August 2022
Page 7

automated controls over most data uploaded by a batch. (See Chapter 2-B for
more information.)
TxGANG does not always require the name of
the reviewer completing the validation review. A total of 6,512 (42.4 percent)
of the 15,368 records did not include that information. Specifically, 5,803
records did not include a reviewer’s name and 709 records included
inappropriate information such as “gang” or “other.” The majority of those
records were submitted via batch upload (see Chapter 2-B for more
information).

Lack of the name of the reviewer.

TxGANG includes a
notes field that some validation reviewers use to document a validation
conclusion. However, validation conclusions are not consistently documented
because TxGANG does not require a conclusion to be entered in order to
validate a record. For 68 records that auditors tested, the validation reviewer
had documented a conclusion in the notes field for only 19 (or 28 percent) of
the records. Having a specific field where reviewers can document a
conclusion for retaining a record and requiring that field to be completed
would help Agencies ensure that TxGANG is collecting this federally required
information.
Lack of explanation of decision (or conclusion) to retain a record.

According to Title 28, Code of Federal Regulations, Part 23, validating a record
indicates that there are sufficient facts to give a trained law enforcement
person a basis to believe there is reasonable suspicion that an individual
continues to be involved in criminal activities. Not documenting a validation
conclusion increases the risk of retaining a record that no longer meets
requirements.
Recommendations

The Department should:


Require that all records are validated at least every five years, as required
by federal regulations. This includes records for individuals who have been
sentenced to be incarcerated.



Update TxGANG policies and procedures to include all federal regulation
requirements.



Require Agencies to include validation dates and reviewer names in all
records submitted to TxGANG.

An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database
SAO Report No. 22-039
August 2022
Page 8



Require Agencies to include a decision or conclusion for each validated
record, which could include adding or designating a field for this required
information within TxGANG.

Management’s Response

As noted in the auditor’s report, the Department’s CRD team does not enter
gang records. Since the CRD does not enter data, CRD is not the owner of the
data, and thus, is not responsible for the required validation of records.
Rather, as the administrator of TXGANG, the Department provides the system
to facilitate information sharing across jurisdictions and provide agencies with
a mechanism to collect information on gang members within their
jurisdictions. The local law enforcement agencies own their records and are
responsible for data compliance. However, the Department agrees with the
recommendations and will perform the following:


The Department will develop an automated solution to ensure records are
validated within their respective timeframe, including those where the
member is incarcerated. Further, the Department will work to educate
entering agencies to update gang member records to indicate
incarceration dates, when applicable.



After record removal, the Department will provide local agencies with a
copy of their records that were removed from the system. The Department
will work with agencies to ensure an understanding of their responsibilities
for record ownership to include responsibility for record validation.



The Department has prioritized the immediate review of all presentations,
manuals, policies, procedures, and websites to ensure consistency with
CCP Chapter 67 and 28 CFR Part 23. The Department will ensure that all
documentation and websites related to TXGANG contain the applicable
federal regulatory requirements and direct the end user to these
requirements. Review of documentation will be conducted yearly or as
required when policies or procedures change.



The Department will update the TXGANG Database and batch submission
to require the name and date of the user validating the TXGANG record.



The Department will update the TXGANG Database and batch submission
to require and create a location to document the determination of the
entering agency for each validated record.

Title of Responsible Individual: Crime Records Division Chief
Estimated Completion Date: December 31, 2023

An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database
SAO Report No. 22-039
August 2022
Page 9

Chapter 2

TxGANG Has Sufficient Controls to Help Ensure That Data Entered
Directly Was Complete; However, It Has Significant Control
Weaknesses for Batch Uploaded Data
Agencies create and manage their TxGANG records either by (1) entering
information directly into the database (direct data entry) or (2) uploading
multiple files’ information via an automated method (upload by batch).
TxGANG had sufficient automated controls for direct data entry to help
reduce errors before the data was accepted. However, TxGANG lacks similar
controls on records uploaded by batch, which resulted in records that did not
include all required information being accepted into TxGANG. In addition,
although TxGANG has an automated process to remove records when they
expire, it does not notify the Department when that process fails to execute.
Figure 5 illustrates differences in the upload process for data entered directly
and data entered via batch.
Figure 5

Data Upload Process

.... ► If data passes t:;)\v
Direct Data
Entry

If data fails
automated checks,
record rejected@

Most data accepted as submitted by Agency
Batch
Upload
Source: Based on information from the Department.

An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database
SAO Report No. 22-039
August 2022
Page 10

automated
\()
checks, record
saved in TxGANG

As of May 23, 2022, TxGANG contained approximately 71,640 records. Of
those, 52,025 (73 percent) were entered into TxGANG directly. However, of
the 15,368 records that were at least 10 years old, 41 percent were submitted
through the batch upload process (see Table 4).
Table 4

Number of TxGANG Records At Least 10 Years Old Submitted
Using Direct Data Entry and Batch Upload as of March 9, 2022
Record Submission
Method a

Total Number of
Records

Percentage of
Records

Direct Data Entry

9,003

59%

Batch Upload

6,365

41%

15,368

100.0%

Totals

a The record submission type is based on the Agencies’ submission method as
of March 9, 2022; however, Agencies may have entered previous records using
a different submission method.
Source: TxGANG.

Chapter 2-A

TxGANG Has Sufficient Controls for Data Entered Directly Into the
Database

Direct Data
Entry

3

Chapter 2-A
As of March 2022, TxGANG had sufficient automated controls
Rating:
over data entered directly into the database to help ensure
Low 3
that the information in key data fields was appropriate. For
example, the automated controls helped ensure that (1) the
record created for an individual identified as a potential gang member meets
the requirements for inclusion in the database (see Background section for
those requirements), (2) the record expiration date is accurately calculated,
and (3) all dates are correctly formatted. Requiring this information to be
entered prior to accepting a record helps the Department increase the
completeness and accuracy of the TxGANG data.

The risk related to the issues discussed in Chapter 2-A is rated as Low because the audit identified strengths that support the
Department’s ability to administer the program(s)/function(s) audited or the issues identified do not present significant risks
or effects that would negatively affect the audited entity’s ability to effectively administer the program(s)/function(s) audited.
An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database
SAO Report No. 22-039
August 2022
Page 11

Chapter 2-B

TxGANG Lacks Sufficient Automated Controls on Records Uploaded
by Batch
Chapter 2-B
For the majority of the 6,365 records that were at least 10
Rating:
years old and submitted via batch upload, TxGANG did not
Priority 4
apply the same automated controls as it did for information
entered directly into the database. According to the
Department, when data is submitted through batch upload,
TxGANG accepts the data with limited or no automated controls applied.

Batch
Upload

As discussed in Chapter 1, a significant number of records did not include all
of the information required to show that the record was properly validated.
The primary cause of this is the lack of automated controls over data
submitted through a batch upload, which allowed most of the records to be
accepted “as is.”
Even though all of the records had an expiration date, without requiring key
information, such as a validation date, to be entered for all TxGANG records, it
cannot be determined whether the expiration dates are within the required
timeframes and meet all retention requirements. For example, for data
uploaded by batch, expiration dates ranged from January 2022 through
January 5560.
In addition to the federal regulations requiring certain information to be
entered into TxGANG, the Department of Information Resources’ Security
Control Standards Catalog, version 1.3, requires systems to check the validity
of data.
Recommendation

The Department should implement automated controls over key fields for
records that are entered into TxGANG via batch upload to help ensure that
data is complete and reliable.

4

The risk related to the issues discussed in Chapter 2-B is rated as Priority because they present risks or effects that if not
addressed could critically affect the audited entity’s ability to effectively administer the programs(s)/function(s) audited.
Immediate action is required to address the noted concern(s) and reduce risks to the audited entity.
An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database
SAO Report No. 22-039
August 2022
Page 12

Management’s Response

The Department agrees with the recommendation and will update and
implement data validations for batch submissions. As local law enforcement
agencies own the records within TXGANG, the Department will educate
agencies submitting gang data via batch files and request changes to those
local systems to ensure compatibility and compliance with TXGANG
requirements.
Title of Responsible Individual: Crime Records Division Chief
Estimated Completion Date: December 31, 2023

An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database
SAO Report No. 22-039
August 2022
Page 13

Chapter 2-C

TxGANG Removes Records When They Expire; However, It Does
Not Notify the Department When the Removal Process Fails to
Execute

Automatic
Record
Deletion

TxGANG has a process to automatically remove a record from
the database on that record’s expiration date, as required by
Department’s TxGANG operating policies and procedures.
Auditors verified that, as of April 2022, that process was working
as intended and records were deleted when they reached the
expiration date.

Chapter 2-C
Rating:
Medium 5

However, that process stopped working from February 10, 2022, through
March 10, 2022. The Department reported that, as a result, 916 records were
not deleted upon the expiration date. The Department did not know that the
records were not being deleted during that time period because TxGANG did
not generate an exception report when the removal process failed.
The Department of Information Resources’ Security Control Standards
Catalog, version 1.3, requires state agencies to implement a monitoring
process to identify system failures in a timely manner. Generating an
exception report when the automatic removal of an expired record fails would
help the Department verify that the system is not retaining a record longer
than allowed by Texas Code of Criminal Procedure, Chapter 67.
Recommendation

The Department should develop and implement an exception report in
TxGANG to notify it when the system fails to automatically remove a record
upon the expiration date to help ensure that records are deleted as required
by statute.

5

The risk related to the issues discussed in Chapter 2-C is rated as Medium because they present risks or effects that if not
addressed could moderately affect the audited entity’s ability to effectively administer the program(s)/function(s) audited.
Action is needed to address the noted concern(s) and reduce risks to a more desirable level.
An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database
SAO Report No. 22-039
August 2022
Page 14

Management’s Response

The Department agrees with the recommendation and will create an alert to
TXGANG Administrators and Technical Staff to notify the appropriate
individuals the automated program did not complete successfully. If the
records could not be processed through the automated process, TXGANG
Administrators would remove the records subject to expiration.
Title of Responsible Individual: Crime Records Division Chief
Estimated Completion Date: August 31, 2023

An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database
SAO Report No. 22-039
August 2022
Page 15

Appendices
Appendix 1

Objective, Scope, and Methodology
Objective
The objective of this audit, as directed by Rider 6, page X-7, General
Appropriations Act (87th Legislature), was to conduct an audit of the Texas
Gang Intelligence Database (TxGANG) to identify all records older than 10
years that have not been recently validated, as defined by the TxGANG
operating policies and procedures.
Scope
The scope of this audit covered TxGANG records with a “Documented on”
date or an “Entered in TxGANG On” 6 date on or before February 1, 2012. The
scope also included a review of significant internal control components
related to TxGANG (see Appendix 3 for more information about internal
control components).
Methodology
The audit methodology included reviewing and analyzing TxGANG records;
conducting interviews; reviewing applicable regulatory requirements and
TxGANG policies and procedures; and performing selected tests and
procedures. The methodology also included testing selected automated
controls over data entry fields used when records are entered directly in the
database. In addition, during the audit, matters not required to be reported in
accordance with Government Auditing Standards were communicated to the
Department of Public Safety’s (Department) management for consideration.
Data Reliability and Completeness
Auditors obtained data from TxGANG on records that were at least 10 years
old as of February 1, 2022.
Auditors performed procedures to assess the reliability of those data sets
including (1) observing data extracts, (2) reviewing parameters used to extract
the data, and (3) reviewing key data fields for reasonableness and
completeness. Auditors also evaluated the effectiveness of certain automated
controls over key data fields in TxGANG.

6

The “Documented On” field indicates the date an individual was identified as a gang member and the “Entered in TxGANG On”
field indicates the date a record was created in TxGANG.
An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database
SAO Report No. 22-039
August 2022
Page 16

Auditors determined that the populations of records extracted from TxGANG
were sufficiently complete for the purposes of the audit. However, the
accuracy of the information in those records was of undetermined reliability
for the purposes of this audit due to the weaknesses discussed in Chapters 1
and 2 of this report and because the documentation that supports each
individual member record resides at the law enforcement agency (Agency)
that created and maintains the record.
Sampling Methodology
To determine if Agencies documented a conclusion when a record was
recently validated, 7 auditors selected a nonstatistical sample of records
through random selection from two data sets. Specifically, each sample
consisted of:


30 of 8,250 records from the “Documented On” population.



30 of 2,437 records from the “Entered in TxGANG” population.

This sample design was chosen so the sample could be evaluated in the
context of the population. The test results may be projected to the
population, but the accuracy of the projection cannot be measured.
In addition, auditors also tested all eight records that had a future validation
date 8. Each data set included four records.
Information collected and reviewed included the following:


TxGANG records.



Statutes, policies, procedures, and other guidance relevant to TxGANG.

Procedures and tests conducted included the following:


Interviewed Department management and staff, as well as staff at the
TxGANG vendor, to gain an understanding of the TxGANG system and
processes.



Tested samples of recently validated records to determine if the Agencies
documented an explanation for the validation.



Tested all records with a future validation date to determine if Agencies
documented an explanation for the validation.

7

Recently validated records are those that were validated from February 1, 2017, through February 1, 2022.

8

Future Validation Date records are those whose validation date is after the date when the TxGANG vendor extracted the data
at auditors’ request.
An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database
SAO Report No. 22-039
August 2022
Page 17



Tested automated controls that apply to records entered directly into the
database for certain key data fields.



Performed data analysis to determine the completeness and
appropriateness of information on selected key data fields such as records
without a validation date and reviewer’s name; and date formatting
appropriateness.



Reviewed policies and procedures for compliance with applicable
statutory and federal regulatory requirements.

Criteria used included the following:


Title 28, Code of Federal Regulations, Part 23 (Criminal Intelligence
Systems Operating Policies).



Texas Code of Criminal Procedure, Chapter 67.



Department of Information Resources' Security Control Standards Catalog,
version 1.3.



TXGANG INDEX Operating Policies and Procedures, May 2019.

Project Information
Audit fieldwork was conducted from January 2022 through August 2022. We
conducted this performance audit in accordance with Government Auditing
Standards. Those standards require that we plan and perform the audit to
obtain sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe that the
evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.
The following members of the State Auditor’s staff performed the audit:


Ileana Barboza, MBA, CFE, CGAP (Project Manager)



Lauren Ramsey (Assistant Project Manager)



Jenna Perez, MAcy



Venus Santos



Robert G. Kiker, CFE, CGAP (Quality Control Reviewer)



Becky Beachy, CIA, CGAP (Audit Manager)

An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database
SAO Report No. 22-039
August 2022
Page 18

Appendix 2

Issue Rating Classifications and Descriptions
Auditors used professional judgment and rated the audit findings identified in
this report. Those issue ratings are summarized in the report chapters/subchapters. The issue ratings were determined based on the degree of risk or
effect of the findings in relation to the audit objective(s).
In determining the ratings of audit findings, auditors considered factors such
as financial impact; potential failure to meet program/function objectives;
noncompliance with state statute(s), rules, regulations, and other
requirements or criteria; and the inadequacy of the design and/or operating
effectiveness of internal controls. In addition, evidence of potential fraud,
waste, or abuse; significant control environment issues; and little to no
corrective action for issues previously identified could increase the ratings for
audit findings. Auditors also identified and considered other factors when
appropriate.
Table 5 provides a description of the issue ratings presented in this report.
Table 5

Summary of Issue Ratings
Issue Rating

Description of Rating

Low

The audit identified strengths that support the audited entity’s ability to
administer the program(s)/function(s) audited or the issues identified do
not present significant risks or effects that would negatively affect the
audited entity’s ability to effectively administer the
program(s)/function(s) audited.

Medium

Issues identified present risks or effects that if not addressed could
moderately affect the audited entity’s ability to effectively administer
the program(s)/function(s) audited. Action is needed to address the noted
concern(s) and reduce risks to a more desirable level.

High

Issues identified present risks or effects that if not addressed could
substantially affect the audited entity’s ability to effectively administer
the program(s)/function(s) audited. Prompt action is essential to address
the noted concern(s) and reduce risks to the audited entity.

Priority

Issues identified present risks or effects that if not addressed could
critically affect the audited entity’s ability to effectively administer the
program(s)/function(s) audited. Immediate action is required to address
the noted concern(s) and reduce risks to the audited entity.

An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database
SAO Report No. 22-039
August 2022
Page 19

Appendix 3

Internal Control Components
Internal control is a process used by management to help an entity achieve its
objectives. The U.S. Government Accountability Office’s Government Auditing
Standards require auditors to assess internal control when internal control is
significant to the audit objectives. The Committee of Sponsoring
Organizations of the Treadway Commission (COSO) established a framework
for five integrated components of internal control, which are listed in Table 6.
Table 6

Internal Control Components
Component

Component Description

Control Environment

The control environment sets the tone of an organization, influencing the control
consciousness of its people. It is the foundation for all other components of internal
control, providing discipline and structure.

Risk Assessment

Risk assessment is the entity’s identification and analysis of risks relevant to
achievement of its objectives, forming a basis for determining how the risks should be
managed.

Control Activities

Control activities are the policies and procedures that help ensure that management’s
directives are carried out.

Information and
Communication

Information and communication are the identification, capture, and exchange of
information in a form and time frame that enable people to carry out their
responsibilities.

Monitoring Activities

Monitoring is a process that assesses the quality of internal control performance over
time.

Source: Internal Control – Integrated Framework, Committee of Sponsoring Organizations of the Treadway
Commission, May 2013.

An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database
SAO Report No. 22-039
August 2022
Page 20

Appendix 4

The Department’s Management Response Transmittal Letter
DocuSign Envelope ID: 7448E715-9A41-48BB-9A 79 -D9DA45394091

TEXAS DEPARTMENT OF PUBLIC SAFETY
5805 N LAMAR BLVD• BOX 4087 • AUSTIN , TEXAS 78773--0001
512/424-2000

www .dps .texas.gov

COMMISSION
STEVEN P. MACH, CHAIRMAN
NELDA L BLAIR
STEVE H. STODGH ILL

STEVEN C. McGRAW
DIRECTOR
FREEMAN F. MARTIN
DVI/IGHT D. MATHIS
JEOFF WILLIAMS
DEPUTY DIRECTORS

DALE WAIN'v'IIRIGHT

July 29, 2022
Ileana Barboza, Project Manager
Texas State Audi tor's Office
P.O. Box 12067
Austin, Texas 7871 1-2067
Dear Ms . Barboza,
Thank you for the opportunity to review and respond to the draft findings resulting from the State
Auditor' s Office audit of the Department's Texas Gang Intelligence Database.
We appreciate the detailed review provided by the audit team , as well as the professionalism with
which the audit was conducted. The team ' s work, in concert with the efforts of our staff and local
law enforcement entities, provides important assurance and accountabi lity regarding the data.
The Department strives for excellence in all endeavors, including in our administration of the Texas
Gang Intelligence Database. While timely validation is the responsibility of the local law enforcement
agencies, the Department will continue to strengthen operations, work with our local law enforcement
partners, and work diligently to implement recommendations.
Sincerely,

I,

DocuSigned by:

~~C4~~
Steven C. McCraw
Director
Attachment
cc: Becky Beachy, State Auditor' s Office
JeoffWilliams, Deputy Director, Law Enforcement Services
Michell e Farris, Chief, Crime Records Services Division
Bryan Lane, ChiefTnformation Officer
Catherine Melvin, Chi ef Auditor

EQUAL OPPORTUNITY EMPLOYER
COURTESY • SERVICE • PROTECTION

An Audit Report on the Department of Public Safety’s Texas Gang Intelligence Database
SAO Report No. 22-039
August 2022
Page 21

Copies of this report have been distributed to the following:

Legislative Audit Committee

The Honorable Dan Patrick, Lieutenant Governor, Joint Chair
The Honorable Dade Phelan, Speaker of the House, Joint Chair
The Honorable Joan Huffman, Senate Finance Committee
The Honorable Robert Nichols, Member, Texas Senate
The Honorable Greg Bonnen, House Appropriations Committee
The Honorable Morgan Meyer, House Ways and Means Committee

Office of the Governor

The Honorable Greg Abbott, Governor

Texas Department of Public Safety
Members of the Public Safety Commission
Mr. Steven P. Mach, Chairman
Ms. Nelda L. Blair
Mr. Steve H. Stodghill
Mr. Dale Wainwright
Colonel Steven C. McCraw, Director

This document is not copyrighted. Readers may make additional copies of this report as
needed. In addition, most State Auditor’s Office reports may be downloaded from our
website: https://sao.texas.gov.
In compliance with the Americans with Disabilities Act, this document may also be requested
in alternative formats. To do so, contact our report request line at (512) 936-9500 (Voice),
(512) 936-9400 (FAX), 1-800-RELAY-TX (TDD), or visit the Robert E. Johnson Building, 1501
North Congress Avenue, Suite 4.224, Austin, Texas 78701.
The State Auditor’s Office is an equal opportunity employer and does not discriminate on the
basis of race, color, religion, sex, national origin, age, or disability in employment or in the
provision of services, programs, or activities.
To report waste, fraud, or abuse in state government visit https://sao.fraud.texas.gov.