Set up audit logging

Type of countermeasure

This is a response countermeasure. Response countermeasures respond to fraud after it has occurred. They help to reduce the consequences or disrupt further consequences.


Audit logging produces system-generated audit trails of staff, client or third-party interactions that help with fraud investigations.

Why this countermeasure matters

The prosecution must prove every element of an offence beyond reasonable doubt to convict someone. Poor or no audit logging may lead to:

  • difficulty in detecting, analysing, investigating and disrupting fraudulent activity
  • briefs of evidence being rejected by the Commonwealth Director of Public Prosecutions.

How to put this countermeasure in place

Ways to implement this countermeasure include setting up audit logging that captures information such as:

  • access to production systems for audit purposes
  • changes to production data and who made the changes
  • browsing of sensitive information
  • access and use of high risk accounts and transactions.

How to measure this countermeasure's effectiveness

Measure the effectiveness of this countermeasure by using the following methods:

  • Confirm that audit logging is switched on.
  • Confirm that audit logging complies with the Australian Government Investigations Standards and other national guidelines and frameworks.
  • Consult with investigators about what evidence is required.
  • Review the logs to confirm they capture enough evidence to support an investigation.
  • Review the logs to confirm they capture meaningful information to support detection or an investigation.
  • Check the method of logging is reliable.
  • Confirm, and test if required, that audit logs are stored securely.
  • Confirm that audit logs are available to investigators.
  • Confirm that audit logs cannot be switched off, deleted or altered, even by staff with privileged access.
  • If audit logs can be altered, confirm that these actions are also logged and that copies of originals are retained.
  • Confirm that audit logs are retained as per the relevant Records Authority.
  • Conduct random and targeted reviews of audit logs.
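
One way to test the "cannot be deleted or altered" checks above is to make the log tamper-evident with a hash chain and compare it against a separately retained head hash. This is an added example, not part of the original guidance; the record fields, function names and sample entries are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first record

def _digest(prev_hash, entry):
    # Canonical JSON so the same entry always hashes to the same value.
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append(log, actor, action, target, ts):
    """Append a record that commits to the previous record's hash."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"seq": len(log), "ts": ts, "actor": actor,
             "action": action, "target": target}
    log.append({**entry, "prev": prev, "hash": _digest(prev, entry)})

def verify(log, expected_head=None):
    """Return a list of findings; an empty list means the chain is intact."""
    findings, prev = [], GENESIS
    for i, rec in enumerate(log):
        entry = {k: rec[k] for k in ("seq", "ts", "actor", "action", "target")}
        if rec["seq"] != i:
            findings.append(f"record {i}: sequence gap (seq={rec['seq']})")
        if rec["prev"] != prev:
            findings.append(f"record {i}: broken link to previous record")
        if rec["hash"] != _digest(rec["prev"], entry):
            findings.append(f"record {i}: content altered")
        prev = rec["hash"]
    # The head hash is kept outside the logging system, so truncation or a
    # full rewrite by a privileged user still shows up as a mismatch.
    if expected_head is not None and prev != expected_head:
        findings.append("head hash differs from the retained copy")
    return findings

def build_sample():
    # Constructed entries covering the kinds of events listed on this page.
    log = []
    append(log, "staff.a", "login", "production-db", "2024-05-01T09:00:00Z")
    append(log, "staff.a", "update", "payment/1001 bank_account", "2024-05-01T09:04:10Z")
    append(log, "staff.b", "view", "client/77 record", "2024-05-01T09:15:32Z")
    append(log, "admin.c", "approve", "payment/1001", "2024-05-01T09:20:05Z")
    return log

if __name__ == "__main__":
    log = build_sample()
    head = log[-1]["hash"]            # retained separately from the log
    log[1]["target"] = "payment/1001 bank_account=999"  # simulated alteration
    print(verify(log, head))
```

A hash chain makes alteration detectable rather than impossible, so it complements, and does not replace, restricting who can write to the log store.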

Related countermeasures

This type of countermeasure is supported by:

Conduct system testing to identify vulnerabilities prior to release. Untested systems can allow vulnerabilities to be released into production environments.

Limit and monitor privileged system accesses (those that allow staff, contractors and providers to perform special functions or override system and application controls). The Protective Security Policy Framework outlines the government protective security requirements to safeguard information from cyber threats, including to restrict administrative privileges.

Internal or external audits or reviews evaluate the process, purpose and outcome of activities. Clients, public officials or contractors can take advantage of weaknesses in government programs and systems to commit fraud, act corruptly, and avoid exposure.
