Audit logging refers to system-generated audit trails of staff, client or third-party interactions that help with fraud investigations and deter fraud. This also includes IT audit trails. The Protective Security Policy Framework includes the government protective security policies that support this countermeasure.
Why this countermeasure matters
The prosecution must prove every element of an offence beyond reasonable doubt to convict someone. Poor or no audit logging may lead to:
- difficulty in detecting, analysing, investigating and disrupting fraudulent activity
- briefs of evidence being rejected by the Commonwealth Director of Public Prosecutions.
How to put this countermeasure in place
Some ways to implement this countermeasure include setting up audit logging by capturing information like:
- access to production systems
- changes to production data and who made the changes
- access to sensitive information
- access and use of high-risk accounts and transactions.
How to measure this countermeasure's effectiveness
Measure the effectiveness of this countermeasure by using the following methods.
- Confirm that audit logging is switched on.
- Confirm audit logging complies with the Australian Government Investigations Standards and other national guidelines and frameworks.
- Consult with investigators about what evidence is required.
- Review the logs to confirm they capture enough evidence to support an investigation.
- Review the logs to confirm they capture meaningful information to support detection or an investigation.
- Check the method of logging is reliable.
- Confirm, and test if required, that audit logs are stored securely.
- Confirm that audit logs are available to investigators.
- Confirm that audit logs cannot be switched off, deleted or altered, even by staff with privileged access.
- If audit logs can be altered, confirm that these actions are also logged and that copies of originals are retained.
- Confirm that audit logs are retained as per the relevant records authority.
- Conduct random and targeted reviews of audit logs.
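One way to carry out the log reviews listed above, as an added example that is not part of the original guidance: a Python script that checks each audit record for the details an investigator needs and flags missing records. The JSON record format, field names, category labels and sequence numbering are assumptions made for illustration, and the sample log is constructed.

```python
import json

# Constructed sample records (JSON lines). Field names and categories are assumptions.
SAMPLE_LOG = """\
{"seq": 1, "ts": "2024-03-01T09:00:00Z", "actor": "jsmith", "category": "prod_access", "target": "payments-db"}
{"seq": 2, "ts": "2024-03-01T09:02:10Z", "actor": "jsmith", "category": "data_change", "target": "payee/4471", "old_value": "acct-001", "new_value": "acct-002"}
{"seq": 3, "ts": "2024-03-01T09:05:00Z", "actor": "", "category": "sensitive_read", "target": "client/88/file"}
{"seq": 5, "ts": "2024-03-01T09:09:30Z", "actor": "svc-admin", "category": "data_change", "target": "payee/4471"}
{"seq": 6, "ts": "2024-03-01T09:12:00Z", "actor": "svc-admin", "category": "high_risk_txn", "target": "payment/9912"}
"""

# Every record must say who did what, to what, and when.
BASE_FIELDS = ("seq", "ts", "actor", "category", "target")
# Data changes must also show what was changed (assumed field names).
EXTRA_FIELDS = {"data_change": ("old_value", "new_value")}
# One label per item in the capture list: production access, production data
# changes, sensitive information access, high-risk accounts and transactions.
KNOWN_CATEGORIES = {"prod_access", "data_change", "sensitive_read", "high_risk_txn"}


def review_log(text):
    """Return (seq, problem) findings for an investigator to follow up."""
    findings = []
    prev_seq = None
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        seq = rec.get("seq")
        # A jump in sequence numbers means records were lost or deleted.
        if prev_seq is not None and isinstance(seq, int) and seq != prev_seq + 1:
            findings.append((seq, f"sequence gap after {prev_seq}"))
        if isinstance(seq, int):
            prev_seq = seq
        category = rec.get("category")
        if category not in KNOWN_CATEGORIES:
            findings.append((seq, f"unknown category {category!r}"))
        for field in BASE_FIELDS + EXTRA_FIELDS.get(category, ()):
            if rec.get(field) in (None, ""):
                findings.append((seq, f"missing {field}"))
    return findings


def uncovered_categories(text):
    """Return capture-list categories that never appear in the log."""
    seen = {json.loads(l).get("category") for l in text.splitlines() if l.strip()}
    return KNOWN_CATEGORIES - seen


if __name__ == "__main__":
    for seq, problem in review_log(SAMPLE_LOG):
        print(f"record {seq}: {problem}")
    print("categories never logged:", sorted(uncovered_categories(SAMPLE_LOG)) or "none")
```

On the sample, the script reports a record with no actor, a gap where record 4 should be, and a data change that does not show what was changed.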
This type of countermeasure is supported by: