Skip to main content

Audit logging

Type of fraud control

This is a corrective fraud control. Corrective fraud controls respond to fraud after it has occurred. They help to reduce the consequences or disrupt further consequences.



Audit logging refers to system-generated audit trails of staff, client or third-party interactions that help with fraud investigations and deters fraud. This also includes IT audit trails. The Protective Security Policy Framework includes the government protective security policies that support this countermeasure.

Why this countermeasure matters

The prosecution must prove every element of an offence beyond reasonable doubt to convict someone. Poor or no audit logging may lead to:

  • difficultly in detecting, analysing, investigating and disrupting fraudulent activity
  • briefs of evidence being rejected by the Commonwealth Director of Public Prosecutions.

How to put this countermeasure in place

Some ways to implement this countermeasure include setting up audit logging by capturing information like:

  • access to production systems
  • changes to production data and who made the changes
  • access to sensitive information
  • access and use of high-risk accounts and transactions.

How to measure this countermeasure's effectiveness

Measure the effectiveness of this countermeasure by using the following methods.

  • Confirm that audit logging is switched on.
  • Confirm audit logging complies with the Australian Government Investigations Standards and other national guidelines and frameworks.
  • Consult with investigators about what evidence is required.
  • Review the logs to confirm they capture enough evidence to support an investigation.
  • Review the logs to confirm they capture meaningful information to support detection or an investigation.
  • Check the method of logging is reliable.
  • Confirm and test (if required) audit logs are stored securely.
  • Confirm that audit logs are available to investigators.
  • Confirm that audit logs cannot be switched-off, deleted or altered, even by staff with privileged access.
  • If audit logs can be altered, confirm that these actions are also logged and that copies of originals are retained.
  • Confirm that audit logs are retained as per the relevant records authority.
  • Conduct random and targeted reviews of audit logs.

Related countermeasures

This type of countermeasure is supported by:

Conduct system testing to identify vulnerabilities prior to release. Untested systems can allow vulnerabilities to be released when the system goes live.

Limit and monitor privileged system accesses (those that allow staff, contractors and providers to perform special functions or override system and application controls). The Protective Security Policy Framework outlines the government protective security requirements to safeguard information from cyber threats, including to restrict administrative privileges.

Capture documents and other evidence for requests, claims and activities to detect, analyse, investigate and disrupt fraudulent activity.

Related Fraudster Personas

Was this page helpful?