Audit trail system implementation

maharalielmaharaliel Member Posts: 119
in CISM
Dear members,

I would like to ask you an advice on the implementation of audit trail system, whether the project implementation of audit trail system can be managed by internal audit function and do not compromise their independence and objectivity. I am also wondering what will happen if this is managed by IT department that is composed by system administrators who perform tasks and are managing logs, that one also I think will be missing segregation of duties. Kindly advise me, how it is normally managed.
· Share on FacebookShare on Twitter

Comments

  • 636-555-3226636-555-3226 Member Posts: 975 ■■■■■□□□□□
    Segregation of duties is great if you have enough people to support it. I prefer for the auditors to stay out of operational tasks (like logging). I like auditors who come in "cold" once a year and look at the situation with a fresh pair of unadulterated eyes.

    What exactly are you auditing, and why?
    · Share on FacebookShare on Twitter
  • maharalielmaharaliel Member Posts: 119
    636-555-3226 wrote: »
    Segregation of duties is great if you have enough people to support it. I prefer for the auditors to stay out of operational tasks (like logging). I like auditors who come in "cold" once a year and look at the situation with a fresh pair of unadulterated eyes.

    What exactly are you auditing, and why?

    Thanks, Actually I am an IT auditor and head of our IT department is enhancing our audit trail system, so they wanted me to be the custodian and the one who will monitor the system. But I am thinking that this will compromise my responsibilities as auditor.
    · Share on FacebookShare on Twitter
  • mcc39817mcc39817 Member Posts: 20 ■■■□□□□□□□
    So, it sounds like the overarching question is related to CM (Continuous Monitoring). From my experience, CM should be implemented and managed by the business. IA is not there as the primary control. As stated previously, it's good for IA to come in and review, but they should not handle logging or other monitoring. Also, depending on the nature of the CM, it may need to be reviewed daily/weekly/monthly/Quarterly/annually.

    I will say however, the exception to this is when you are assisting the business in the tool/vendor they are looking to go with. Things like walkthrough and post-implementation reviews are definitely the best way for IA to assist here as they assist the business with aligning goals so everyone benefits.
    Certs: CISA, CDPSE | Pentest+, SEC+, CySA+
    Planned: CASP+, CISSP, CISM, eJPT, eWPT (2023)

    · Share on FacebookShare on Twitter
Sign In or Register to comment.