System-generated audit trails of staff, customer or third-party interactions. This also includes IT audit trails. Audit logging can also deter fraud.
NB: Effective audit logging captures meaningful data to support a fraud investigation.
Some examples of this type of countermeasure include:
- All access to production systems is logged for audit purposes.
- Audit logs record changes to production data and identify who made the changes.
- Browsing of sensitive information is logged and monitored.
- Access to and use of high-risk accounts and transactions are logged and monitored.
- Staff, contractors and providers are informed that their activity is logged and monitored.
Purpose of this countermeasure
A lack of meaningful audit logging can make it difficult to detect, analyse, investigate and disrupt fraudulent activity.
The Commonwealth Director of Public Prosecutions may also reject a Brief of Evidence if you have not captured sufficient evidence to prove an offence.
Under the Criminal Code Act 1995, the prosecution bears a legal burden of proving every element of an offence relevant to the guilt of the person charged. Furthermore, the offence must be proven beyond reasonable doubt.
This type of countermeasure is supported by:
- A specific form, process or system must be used
- Change management processes
- System testing
- Privileged access restrictions and monitoring
- Data protected from manipulation or misuse
- Internal or external audits or reviews
- Documentation and evidence storage
How do I know if my countermeasures are effective?
You can apply the following methods to measure the effectiveness of these types of countermeasures:
- Confirm that audit logging is switched on.
- Consult with investigators about evidentiary requirements.
- Review the logs to confirm they capture sufficient evidence to support an investigation.
- Review the logs to confirm they capture meaningful information to support detection or an investigation.
- Check the method of logging. Is it reliable?
- Confirm audit logs are stored securely. Test this if required.
- Confirm that audit logs are available to investigators.
- Confirm that audit logs cannot be switched off, deleted or altered, even by staff with privileged access.
- If audit logs can be altered, confirm that these actions are also logged and that copies of originals are retained.
- Confirm that audit logs are retained as per the relevant Records Authority.