Audit trail system implementation

Dear members,

I would like to ask you an advice on the implementation of audit trail system, whether the project implementation of audit trail system can be managed by internal audit function and do not compromise their independence and objectivity. I am also wondering what will happen if this is managed by IT department that is composed by system administrators who perform tasks and are managing logs, that one also I think will be missing segregation of duties. Kindly advise me, how it is normally managed.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

636-555-3226

Segregation of duties is great if you have enough people to support it. I prefer for the auditors to stay out of operational tasks (like logging). I like auditors who come in "cold" once a year and look at the situation with a fresh pair of unadulterated eyes.

What exactly are you auditing, and why?

maharaliel

636-555-3226 wrote: »

Segregation of duties is great if you have enough people to support it. I prefer for the auditors to stay out of operational tasks (like logging). I like auditors who come in "cold" once a year and look at the situation with a fresh pair of unadulterated eyes.

What exactly are you auditing, and why?

Thanks, Actually I am an IT auditor and head of our IT department is enhancing our audit trail system, so they wanted me to be the custodian and the one who will monitor the system. But I am thinking that this will compromise my responsibilities as auditor.

mcc39817

So, it sounds like the overarching question is related to CM (Continuous Monitoring). From my experience, CM should be implemented and managed by the business. IA is not there as the primary control. As stated previously, it's good for IA to come in and review, but they should not handle logging or other monitoring. Also, depending on the nature of the CM, it may need to be reviewed daily/weekly/monthly/Quarterly/annually.

I will say however, the exception to this is when you are assisting the business in the tool/vendor they are looking to go with. Things like walkthrough and post-implementation reviews are definitely the best way for IA to assist here as they assist the business with aligning goals so everyone benefits.