  1. Senior Member
    Join Date
    Oct 2013
    Location
    Kigali-Rwanda
    Posts
    117

    Certifications
    CISA, CCNA, CCNA Security, CCNP, MCITP, MCSA 2012
    #1

    Audit trail system implementation

    Dear members,

    I would like to ask your advice on the implementation of an audit trail system: whether the project implementation of an audit trail system can be managed by the internal audit function and not compromise their independence and objectivity. I am also wondering what will happen if this is managed by the IT department, which is composed of system administrators who perform tasks and manage logs; that one also, I think, will be missing segregation of duties. Kindly advise me how it is normally managed.

  3. Senior Member 636-555-3226
    Join Date
    Jul 2015
    Posts
    882

    Certifications
    Lots of security certifications, yet the more I learn, the further I have to go...
    #2
    Segregation of duties is great if you have enough people to support it. I prefer for the auditors to stay out of operational tasks (like logging). I like auditors who come in "cold" once a year and look at the situation with a fresh pair of unadulterated eyes.

    What exactly are you auditing, and why?

  4. Senior Member
    Join Date
    Oct 2013
    Location
    Kigali-Rwanda
    Posts
    117

    Certifications
    CISA, CCNA, CCNA Security, CCNP, MCITP, MCSA 2012
    #3
    Originally Posted by 636-555-3226:
    Segregation of duties is great if you have enough people to support it. I prefer for the auditors to stay out of operational tasks (like logging). I like auditors who come in "cold" once a year and look at the situation with a fresh pair of unadulterated eyes.

    What exactly are you auditing, and why?
    Thanks. Actually, I am an IT auditor and the head of our IT department is enhancing our audit trail system, so they wanted me to be the custodian and the one who will monitor the system. But I am thinking that this will compromise my responsibilities as auditor.

  5. Junior Member
    Join Date
    Dec 2015
    Posts
    18

    Certifications
    CISA
    #4
    So, it sounds like the overarching question is related to CM (Continuous Monitoring). From my experience, CM should be implemented and managed by the business. IA is not there as the primary control. As stated previously, it's good for IA to come in and review, but they should not handle logging or other monitoring. Also, depending on the nature of the CM, it may need to be reviewed daily/weekly/monthly/quarterly/annually.

    I will say, however, the exception to this is when you are assisting the business in the tool/vendor they are looking to go with. Things like walkthroughs and post-implementation reviews are definitely the best way for IA to assist here, as they assist the business with aligning goals so everyone benefits.
