1. What information is forthcoming on the audit?
Click here for the latest information on audits.
Last updated March 14, 2013.
2. Does my agency have to audit exactly one third of its facilities each year? We are on an ACA audit schedule and ACA does not audit exactly one third of our agencies per year. Do we need to change the auditing schedule to comply with PREA?
Standard 115.401 focuses on audit frequency, timeframes, and specifies, and requires that the agency shall ensure that each facility operated by the agency, or by a private organization on behalf of the agency, is audited at least once during each three-year period. The standards require an audit during each one-year period of at least one-third of each facility type (prison, jail, juvenile facility, overnight lockup, and community confinement facility) operated by an agency or by a private organization on behalf of an agency.
There are two other FAQs that focus on what happens if an agency does not audit exactly one-third of its facilities each year, as follows:
Please click here to read the FAQ that describes what happens to an agency’s three-year audit timeline if it fails to have the required minimum of one-third of its facilities audited by August 19, 2014.
Please click here to read the FAQ that addresses whether there is a time limit to the number of years that a state can submit an Assurance without a reduction in Department of Justice (DOJ) grant funding.
While agencies are not prohibited from coordinating the timing of ACA audits with PREA audits, agencies must audit one-third of each type of facility as specified in Standard 115.401(b), irrespective of the timing of any ACA audit schedule.
Last updated January 14, 2015.
3. What is the minimum period of time, prior to the start of an audit, that an agency needs to demonstrate compliance with the standards in order to achieve favorable audit findings? For example, if an agency can demonstrate it is in compliance on a specific standard for 30 days prior to the audit, but not the eight months prior to the audit, is the agency considered compliant?
DOJ recognizes that audits conducted toward the beginning of the first audit cycle, which begins August 20, 2013, will take into consideration the fact that facilities will have spent a significant period of time institutionalizing the standards. By contrast, a short period of compliance during the end of the audit review period (meaning closer to August 2014 or thereafter) would not be sufficient to achieve compliance. DOJ is working with the PRC to define specific measures auditors will use to assess compliance. Additional information will be forthcoming soon. Additionally, pursuant to PREA Standard 115.404(d), facilities that auditors find not in compliance with provisions of PREA have an automatic 180-day corrective action period during which auditors will work with agencies to remedy and verify remedial action for any deficiencies. This process provides additional time for facilities to achieve compliance before the auditor issues a final audit determination.
Last updated March 14, 2013.
4. Please provide recommendations for identifying an auditor while maintaining appropriate independence from the state criminal justice department. What role, if any, should the state criminal justice department play in identifying the auditor? Will the DOJ publish a list of certified PREA auditors?
Prospective auditors will apply to be PREA-certified auditors. Only DOJ can certify auditors. In order to be certified, auditors must 1) meet a number of qualifications; 2) submit to a criminal records background check; and 3) pass DOJ-developed auditor training. DOJ holds auditor trainings approximately every other month throughout calendar year 2014. For exact dates click here. A complete list of PREA-certified auditors is maintained publicly on the PRC website here.
DOJ has not placed restrictions on how agencies choose auditors. Each agency should develop its own process, consistent with PREA Standard 115.402, which provides that 1) the auditor cannot be part of, or under the authority of, the agency (but may be part of, or authorized by, the relevant state or local government); 2) an auditor cannot be a person who has received financial compensation from the agency being audited (except for compensation received for conducting prior PREA audits) within three years prior to the agency’s retention of the auditor; and 3) the agency cannot employ, contract with, or otherwise financially compensate the auditor for three years subsequent to the agency’s retention of the auditor, with the exception of contracting for subsequent PREA audits.
Last updated March 14, 2013.
5. What constitutes “overnight” for purposes of PREA Standard 115.193, which states that “[a]udits need not be conducted of individual lockups that are not utilized to house detainees overnight?”
As a general matter, the term “overnight” is construed as a period of seven or more continuous hours between 8:00 p.m. and 8:00 a.m. In situations where the facility has only a remote chance of meeting the above time period threshold, or does so only in rare circumstances (less than one time per month on average), the facility will not be considered “overnight.”
Last updated March 26, 2014
6. How long must the documents that auditors relied on for making audit determinations be retained?
These documents must be retained for 12 months following the deadline for any agency audit appeal. Because audit appeals must be lodged within 90 days of the auditor’s final report, auditors must retain these documents for 15 months following the issuance of the final audit report. Longer document retention may be required in particular instances if so requested by the US Department of Justice.
Last updated March 26, 2014
7. Can PREA auditors engage support staff to assist with completing PREA audits?
PREA auditors may employ staff to provide assistance, including conducting interviews, but the DOJ-certified auditor is ultimately responsible for the final audit. In addition, the certified auditor is required to be present for, and supervise, the entirety of the on-site portion of the audit; to be the counterparty in an agency’s contractual engagement for the conduct of the audit; and to sign and certify the interim and final audit reports. Failure to adequately supervise such support staff could have consequences for the responsible auditor, up to and including decertification by the Department of Justice.
Last updated December 5, 2013.
8. Do any of the conflict rules governing who can conduct an audit of a given agency’s facilities apply to the staff they hire to help them conduct that audit?
The same restrictions regarding auditor conflict of interest also apply to staff who auditors hire to help conduct the audit. Consistent with PREA Standard 115.402: 1) the auditor cannot be part of, or under the authority of, the agency (but may be part of, or authorized by, the relevant state or local government); 2) an auditor cannot be a person who has received financial compensation from the agency being audited (except for compensation received for conducting prior PREA audits) within three years prior to the agency’s retention of the auditor; and 3) the agency cannot employ, contract with, or otherwise financially compensate the auditor for three years subsequent to the agency’s retention of the auditor, with the exception of contracting for subsequent PREA audits.
Last updated June 11, 2014
9. Is reciprocal auditing conducted by employees of two confinement agencies permissible?
An auditor who is employed by one correctional agency may not conduct an audit of another correctional agency if an auditor employed at the time by the latter agency has concluded an audit of the former agency within the prior twelve months.
Last updated July 9, 2013.
10. I understand that reciprocal auditing is not permitted, but what about “circular auditing?”
Circular auditing, in which a consortium of three or more States, or three or more local jurisdictions, agrees to perform audits at facilities in other consortium States, is permissible, with a few caveats. First, the circular auditing schedule must be developed so that no audits would be considered impermissible reciprocal audits (see FAQ #9 under Audits and Compliance section of FAQ). Second, no audits can be allowed in cases in which the auditor’s agency contracts for space in the facility being audited.
Last updated December 5, 2013.
11. Should an auditor’s final report reflect deficiencies that were found in the interim report and actions taken to correct them during the corrective action period?
Auditors are required to submit a report to the audited agency within 30 days of completion of an on-site audit. It is expected that if an auditor determines that a facility does not meet one or more of the standards, this report will be considered an “interim report,” triggering a 180-day corrective action period, and the auditor will include in the report recommendations for any required corrective action and shall jointly develop with the agency a corrective action plan to achieve compliance. The auditor is required to “take necessary and appropriate steps to verify implementation of the corrective action, such as reviewing updated policies and procedures or re-inspecting portions of a facility.” At the completion of the corrective action period, the auditor has 30 days to issue a “final report” with final determinations. Section 155.404 (d) states that, “After the 180-day corrective action period ends, the auditor shall issue a final determination as to whether the facility has achieved compliance with those standards requiring corrective action.” The final report, which is a public document that the agency is required to post on its web site or otherwise make publicly available, should include a summary of the actions taken during the corrective action period to achieve compliance.
Last updated April 23, 2014
12. What are the financial consequences to a state if it is not in compliance with the standards?
The PREA statute provides that a state whose governor does not certify full compliance with the standards is subject to the loss of five percent of any DOJ grant funds that it would otherwise receive for prison purposes, unless the governor submits an assurance that such five percent will be used only for the purpose of enabling the state to achieve and certify full compliance with the standards in future years. 42 U.S.C. § 15607(e). For more information on the certification process, click here to access the letter sent from the Department of Justice to all state governors.
Last updated March 14, 2013.
13. At what stage in the audit process is an audit considered complete for the purposes of meeting the requirement that one-third of an agency’s facilities be completed by the end of each year in the auditing cycle?
For the purpose of the PREA standards, the audit is considered complete upon issuance of the initial audit report or 30 days after the conclusion of the audit’s on-site visit to the facility, whichever one comes first.
Last updated June 20, 2014.
14. Can an auditor find a federal Bureau of Prisons, state, county, or other local or private facility compliant with the PREA standards if an entity external to the confining agency, which conducts criminal investigations of sexual abuse in the facility being audited, is not compliant with the external investigative entity’s obligations under § 115.21, § 115.22, § 115.34, and § 115.71?
Yes, provided that the confining agency and facility being audited has met its own specific obligations under these standards. For example, § 115.21(f) requires the confining agency to request that the relevant external investigating entity follow the PREA standards regarding a uniform evidence protocol and forensic medical evaluations.
The four PREA standards referenced above explicitly apply to DOJ and state entities that are responsible for investigating allegations of sexual abuse in adult prisons, jails, lockups, community corrections facilities, and juvenile facilities. See, §§ 115.21(g)(2), 115.22(e), 115.34(d), and 115.71(k)&(l).
Last updated April 23, 2014.
15. In regard to §§115.21, 115.22, 115.34, and 115.71, what is required of agencies being audited, auditors, and external entities that conduct investigations of sexual abuse and harassment, and how will these obligations be audited?
There has been confusion in the field and among the auditor community about the requirements of §§115.21, 115.22, 115.34, and 115.71 as they pertain to investigators who are external to the agency being audited. The following guidance is offered to auditors and agencies subject to a PREA audit in order to clarify what obligations auditors and audited agencies have vis-à-vis those provisions that obligate external investigative agencies to comply.
The information in this FAQ is consistent with and expands upon the FAQ that focuses on whether an auditor can find an entity being audited to be compliant with the PREA Standards if an entity external to the confining agency, which conducts criminal investigations of sexual abuse in the facility being audited, is not compliant with the external investigative entity’s obligations under the standards. To review this FAQ, please click here.
Responsibilities of Audited Agencies and Auditors under §115.21
Under §115.21, the agency (a private, federal, state, county, or other local entity) being audited must demonstrate to the auditor that it has attempted to gain compliance from an external entity that conducts criminal investigations of sexual abuse with requirements (a) through (e) of that standard—that is, the agency being audited must have requested that the external entity responsible for investigations comply with all those provisions described in (a) through (e) of §115.21.
Auditors may find that the private, federal, state, county, or other local entity being audited has attempted to confirm that an external investigator is complying with (a) through (e) of the standard, and was unable to get such confirmation. In that case, the agency being audited can be found compliant with the standard, if they have documented these efforts.
Responsibilities of Audited Agencies and Auditors under §115.22
The requirements of §115.22 work in a way that is consistent with §115.21. If an external entity conducts criminal investigations of sexual abuse for the agency (a private, federal, state, county, or other local entity) being audited, the agency must have a policy in place that makes explicit both the responsibilities of the agency in a criminal investigation and the corresponding responsibilities of the external investigating entity. The agency being audited also must publish that policy on its website or make it available through other means if the agency has no website of its own. There is no exception here—the policy must be in place, as it is an agency policy, not the policy of the external investigator, and the agency can describe the respective roles and responsibilities in its own policy, regardless of whether the external investigating entity has a corresponding policy of its own.
Auditors must confirm that a policy is in place that makes explicit both the responsibilities of the agency in a criminal investigation and the corresponding responsibilities of the external investigating entity, and that the agency has published that policy on its website or has made it available through other means if the agency has no website of its own.
Responsibilities of Audited Agencies and Auditors under §115.34
§115.34 describes the specialized training that the agency being audited must provide to its investigators in order to be PREA compliant. This standard further requires that, “any State entity or Department of Justice component that investigates sexual abuse in confinement settings must provide such training to its agents and investigators who conduct such investigations.”
The obligation of the agency being audited is to provide the required specialized training to its own investigators if they conduct sexual abuse investigations, whether administrative or criminal. External State and Department of Justice investigative entities that conduct investigations of sexual abuse in confinement bear a separate obligation to train their agents and investigators per the standard, and that obligation does not lie with the agency being audited. Auditors should not assess compliance with these training requirements by external entities.
Responsibilities of Audited Agencies and Auditors under §115.71
§115.71(a)-(j) sets out the requirements for both administrative and criminal investigations of sexual abuse and sexual harassment, and describes when, how, and by what standards those investigations should be conducted. §115.71(a)-(j) also reiterates the requirement that investigators who conduct those investigations must have received specialized training described in §115.34.
§115.71(k) requires that any external State entity or Department of Justice component that conducts these investigations in a confinement setting do so according to the requirements laid out in this standard.
§115.71(l) requires that the facility being audited cooperate with any outside investigative agency conducting sexual abuse investigations in the facility and must remain informed about the progress of the investigation.
The obligations under §115.71 of the agency being audited are to ensure that:
Its own investigators comply with this standard;
It cooperates with external investigators; and
It remain informed about any investigation being conducted by external investigators.
It is the responsibility of auditors to assess whether these obligations are being met by the agency being audited.
The obligation placed on external State entities and Department of Justice component investigators conducting sexual abuse investigations in a confinement facility to comply with the requirements laid out in this standard rests with the State entity or Department of Justice component. Auditors should not assess compliance with these obligations by external entities.
Summary of Implications for Auditors
Consistent with the requirements stated above of §§115.21,115.22, 115.34, and 115.71, and as articulated in the FAQ that can be accessed by clicking here, the Department of Justice (DOJ) has determined that auditors should not:
Assess whether external entities that conduct criminal investigations of sexual abuse and sexual harassment for the agency being audited are in compliance with the PREA Standards. The sole focus of the audit is to determine whether the agency (a private, federal, state, county, or other local entity) being audited is in compliance with the standards.
Include in interim or final audit reports information about compliance with the standards on the part of external entities that conduct criminal investigations of sexual abuse and sexual harassment. The sole focus of these reports is to document whether the agency (a private, federal, state, county, or other local entity) is in compliance with the standards.
Affirmative Obligations of External Entities that Conduct Investigations to Comply with the PREA Standards
Standards §§115.21, 115.22, 115.34, and 115.71 do impose affirmative obligations to comply on both external State entities and Department of Justice (DOJ) components that conduct sexual abuse investigations in confinement. Nothing in this guidance changes that obligation. However, confirming compliance with these standards by external entities during a corrections facility/agency audit is beyond the scope of that audit. DOJ is working to develop tools to assist these external entities, state and territorial governors who are responsible for certifying full compliance with the PREA Standards, and others to assess whether these external entities are in compliance with their affirmative obligations under the standards.
Last updated February 19, 2015.
16. What happens to an agency’s three-year audit timeline if an agency fails to have the required minimum of one-third of its facilities audited by August 19, 2014?
The standards require generally that an agency must have “at least one-third” of its facilities audited during each one-year period, which began on August 20, 2013; and that all facilities must be audited by the conclusion of each three-year period, which began on the same date. See 28 C.F.R. § 115.401(a)&(b). Compliance with the audit timeline is evaluated both on a year-to-year basis and at the conclusion of the three-year audit cycle. Failure to comply with the audit timeline during the initial year of an audit cycle does not preclude compliance during years two and three of an audit cycle. Similarly, failure to comply with the audit timeline during the first two years of an audit cycle does not preclude compliance during the final year of each audit cycle. It is important to note that, for purposes of complying with § 115.401(a) (requiring audits of each facility during the three-year audit cycle), agencies must ensure that each facility is audited at least once by August 19, 2016, and during every three-year anniversary thereafter.
The agency would not be fully compliant with the PREA standards as of August 20, 2014. However, the agency may still become fully PREA compliant during the second year and the third year of the audit cycle. For purposes of the audit cycle, compliance is determined during each specific audit cycle year. So if this agency obtains three facility audits (at least one-third) between August 20, 2014 and August 19, 2015, then the agency would be PREA compliant with the audit cycle during that year.
During the final year of the audit cycle (ending August 19, 2016), however, the agency would be required to have all four remaining facilities audited. This is because an agency has a separate obligation under the standards to ensure that “each facility” must be audited “at least once” during the three-year audit cycle (concluding on August 19, 2016). See 28 C.F.R. § 115.401(a).
Because the standards require that an agency have “at least” one-third of its facilities audited during each year of the three-year audit cycle, an agency with a single facility is required to receive an audit during the initial year of the audit cycle to be compliant as of August 19, 2014. In other words, an agency with a single facility cannot be said to have had at least one third of its facilities audited by August 19, 2014, if it has had no facility audits. However, a single-facility agency could become fully compliant at any point during the remainder of the three-year audit cycle (concluding on August 19, 2016) subject to a successful audit of that facility. So for example, a single-facility agency that is not compliant as of the conclusion of the first year of the audit cycle because it had received no audits by August 19, 2014, could nevertheless become fully compliant with the audit standards if it receives an audit one month later (early in the second year of the audit cycle) and would remain compliant with this standard through the remainder of the first audit cycle.
Last updated April 23, 2014.
17. Is it ever appropriate for auditors to require the installation of cameras as part of a corrective action plan?
No, with respect to adult confinement facilities. Generally, no, with respect to juvenile facilities. In juvenile facilities that include specific camera coverage in their staffing plan, the absence of such camera coverage may appropriately provide the basis for an auditor to either insist on the camera requirements in their staffing plan or require that the staffing plan be amended. Note that there are different requirements regarding the deployment of video monitoring technology among the four sets of standards.
Prisons, Jails, Lockups, and Community Confinement Facilities
In adult facilities (adult prisons and jails; lockups; and community confinement facilities), the standards require facilities to develop and document staffing plans that provide for “adequate levels of staffing, and, where applicable, video monitoring, to protect inmates against sexual abuse.” See 28 C.F.R. §§ 115.13(a), 113(a), and 213(a). These standards require that facilities consider several enumerated factors in the development of the staffing plan, including, among other things, the physical layout of the facility. See also 28 C.F.R. §§ 115.13(a)(5) (“including ‘blind spots’”). In adult facilities, agencies are required to make “best efforts” to comply with the staffing plan and/or to “document and justify” deviations from it.
The adult standards also require agencies to reassess the adequacy of the “facility’s deployment of video monitoring systems and other monitoring technologies…[w]henever necessary, but no less frequently than once each year…” See 28 C.F.R. §§ 115.13(c), 113(c), and 213(c).
Finally, the adult standards require agencies “[w]hen installing or updating a video monitoring system, electronic surveillance system, or other monitoring technology…to consider how such technology may enhance the agency’s ability to protect inmates from sexual abuse.” See 28 C.F.R. §§ 115.18(b), 118(b), and 218(b).
Within this context, agencies have considerable discretion regarding how best to allocate resources devoted toward developing and implementing their staffing plans. For example, in developing an adequate staffing plan, an agency may choose to emphasize higher staffing levels rather than comprehensive video monitoring. Indeed, best practices suggest that video monitoring is not an adequate substitute for sufficient numbers of staff. In any event, so long as the above requirements are complied with (e.g., make best efforts to comply, document and justify deviations, and consider how technology may enhance protections), then the failure to incorporate or add video monitoring technology does not cause a facility to be out of compliance with the standards. Accordingly, it is not appropriate for an auditor to specifically require the addition of video cameras as a condition of finding compliance.
Unlike the adult facility standards, the juvenile facility standards require agencies to “implement…a staffing plan that provides…where applicable, video monitoring, to protect residents against sexual abuse.” See 28 C.F.R. § 115.313(a). The staffing plan must take into consideration, among other things, “the facility’s physical plant (including ‘blind spots’ or areas where staff or residents may be isolated)…” Further, the juvenile facility standards provide that the agency “shall comply with the staffing plan except during limited and discrete exigent circumstances, and shall fully document deviations from the plan during such circumstances.” See 28 C.F.R. § 115.313(b) (emphasis added).
By contrast, while adult facility standards require agencies to develop an adequate staffing plan, and to make best efforts and/or to document and justify deviations, the juvenile facility standards require agencies to comply with the staffing plan, absent exigent circumstances.
However, as discussed above with respect to the development of the staffing plan, agencies have considerable discretion regarding how best to allocate resources devoted toward developing and implementing their staffing plans. In developing an adequate staffing plan, an agency may choose to emphasize higher staffing levels rather than comprehensive video monitoring. For example, where an auditor or an agency identifies a “blind spot” that imposes considerable danger of the occurrence of sexual abuse, an agency may choose to reallocate existing staff or add staff to the area in question, rather than to install a new video camera in the area.
Accordingly, so long as the above requirements are met, the absence of a particular video monitoring system or camera would not preclude agency compliance with this standard, and it would be inappropriate for an auditor to specifically insist on the installation of a video camera (as opposed to other enhanced protective measures) in order to find compliance. However, if the staffing plan developed pursuant to this standard requires specific camera coverage, and that coverage is either not provided or inoperable, then it may be appropriate for the auditor to insist on agencies either complying with the staffing plan (absent exigent circumstances) or amending their staffing plan.
Please note the requirements for a periodic staffing plan reassessment and for consideration of the effect of video monitoring technology when installing or enhancing systems is substantively the same between adult and juvenile facilities. See 28 C.F.R. § 115.313(d) and 318(b).
Last updated September 23, 2014.
Notice of Federal Funding and Federal Disclaimer – This Web site is funded in part through a grant from the Bureau of Justice Assistance, Office of Justice Programs, U.S. Department of Justice. Neither the U.S. Department of Justice nor any of its components operate, control, are responsible for, or necessarily endorse, this Web site (including, without limitation, its content, technical infrastructure, and policies, and any services or tools provided).