Overview
Audit Log in an organization is part of a larger concept called Internal Control and Audit. Although in day-to-day development, audit logging is not much different from logging for debugging, a better understanding of the concept is necessary to analyze and design an audit system. For instance, a deeper understanding is needed even to answer the following practical questions:
- What needs to be logged?
- What level of detail is necessary in the log records?
- What kinds of data and operations can be excluded from logging?
The term audit is frequently used in the context of accounting, that is, the examination of financial records by external auditors. However, in the context of Internal Control, the scope of audit is far broader. In contrast to external audit, internal audit covers all of the enterprise's operations as well.
The following diagram shows how the concept of Audit Log relates to other concepts in the context of an auditable information system in an organization:
Reading from left to right, the diagram above can be described as follows:
- Audit Log is an unalterable electronic recording of sequences. A sequence is a collection of related activities (events).
- Audit Log is a part of Audit Trail.
- Audit Trail is used in both the Internal Control and the Audit processes.
- Internal Control is a process designed to control the organization according to the applicable laws and regulations, based on an assessment of risks, in order to minimize the risk of failures and frauds, which should be detected by the Audit process.
- Audit is the process of examining the organization to provide assurance to stakeholders that it operates according to the applicable laws and regulations.
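The list above characterizes an audit log as an unalterable record of sequences of events, and the opening questions ask what to log, at what level of detail, and what to exclude. The Python below is an added example written for this page; it is not code from the page or from WAP's services, and its field names (`actor`, `action`, `resource`, `outcome`, `seq_id`), its list of sensitive keys, and the sample events are all constructed assumptions. It shows one common way to make an application-level log tamper-evident (a SHA-256 hash chain), to group events into sequences, and to keep secrets out of the record before it is hashed.

```python
"""Tamper-evident, append-only audit log (constructed example for this page)."""
import hashlib
import json
from dataclasses import asdict, dataclass, field
from typing import Dict, List, Optional

GENESIS = "0" * 64  # prev_hash of the first record

# Keys whose values must never land in the audit log (assumed list).
SENSITIVE_KEYS = {"password", "secret", "token", "card_number"}


@dataclass(frozen=True)
class AuditEvent:
    seq_id: str     # business sequence (e.g. one transaction) the event belongs to
    timestamp: str  # ISO-8601 UTC; supplied by the caller so the example is deterministic
    actor: str      # who (user or service identity)
    action: str     # what was done
    resource: str   # on which object
    outcome: str    # "success" / "denied" / "error"
    details: Dict[str, object] = field(default_factory=dict)


def redact(details: Dict[str, object]) -> Dict[str, object]:
    """Answer to 'what can be excluded': secrets are replaced before hashing/storage."""
    return {k: ("<redacted>" if k.lower() in SENSITIVE_KEYS else v) for k, v in details.items()}


def canonical(obj: dict) -> bytes:
    """Stable serialization so the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    def __init__(self) -> None:
        self._records: List[dict] = []

    def append(self, event: AuditEvent) -> str:
        """Append one event, chaining it to the previous record's hash."""
        prev = self._records[-1]["hash"] if self._records else GENESIS
        payload = asdict(event)
        payload["details"] = redact(payload["details"])
        body = {"index": len(self._records), "prev_hash": prev, "event": payload}
        digest = hashlib.sha256(canonical(body)).hexdigest()
        self._records.append({**body, "hash": digest})
        return digest

    def head(self) -> str:
        """Current chain head; store it externally (a checkpoint) to detect truncation."""
        return self._records[-1]["hash"] if self._records else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Optional[int]:
        """Return the index of the first bad record, len(records) if the tail was
        truncated relative to expected_head, or None if the chain is intact."""
        prev = GENESIS
        for i, rec in enumerate(self._records):
            body = {"index": rec["index"], "prev_hash": rec["prev_hash"], "event": rec["event"]}
            recomputed = hashlib.sha256(canonical(body)).hexdigest()
            if rec["index"] != i or rec["prev_hash"] != prev or recomputed != rec["hash"]:
                return i
            prev = rec["hash"]
        if expected_head is not None and prev != expected_head:
            return len(self._records)
        return None

    def sequence(self, seq_id: str) -> List[dict]:
        """All events of one sequence, in recorded order."""
        return [r["event"] for r in self._records if r["event"]["seq_id"] == seq_id]

    def records(self) -> List[dict]:
        return self._records


def build_sample_log() -> AuditLog:
    """Constructed sample: a login followed by a two-step approval sequence."""
    log = AuditLog()
    log.append(AuditEvent("sess-1", "2024-01-01T09:00:00Z", "alice", "login", "portal",
                          "success", {"ip": "10.0.0.5", "password": "hunter2"}))
    log.append(AuditEvent("txn-1001", "2024-01-01T09:01:00Z", "alice", "create", "invoice/1001",
                          "success", {"amount": 1200}))
    log.append(AuditEvent("txn-1001", "2024-01-01T09:05:00Z", "bob", "approve", "invoice/1001",
                          "success"))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    checkpoint = log.head()
    print("intact:", log.verify(expected_head=checkpoint))
    log.records()[1]["event"]["actor"] = "mallory"  # simulate after-the-fact edit
    print("first bad record:", log.verify())
```

The chain alone catches modification, reordering, and removal of records in the middle, but not removal of the newest records; that is why `head()` exists: periodically writing the head hash somewhere the log writer cannot alter (a separate system, a signed checkpoint) turns truncation into a detectable failure as well. Redaction happens before hashing so the stored record and its hash agree, and so the secret never exists in the log at all.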
Internal Control is a process within an organization that provides reasonable assurance that:
- Operations within the organization are effective and efficient.
- Financial reports produced by the organization are reliable.
- The organization complies with the applicable laws and regulations.
This definition is based on COSO's.
Internal Control is required by law to be established in any organization. SOX was enacted in 2002 as a direct consequence of corporate scandals (the Enron scandal being the biggest one). A similar regulation in Japan, J-SOX, was enacted in 2006 in response to similar scandals involving Kanebo and Livedoor, among others.
COSO defined a 5-step process to follow when developing and implementing effective internal controls in an organization. These steps are specified further in a total of 17 principles:
- Establish an appropriate control environment. The Control Environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.
  - Demonstrate commitment to integrity and ethical values.
  - Ensure that the board exercises oversight responsibility.
  - Establish structures, reporting lines, authorities, and responsibilities.
  - Demonstrate commitment to a competent workforce.
  - Hold people accountable.
- Assess risk. The process for determining how all levels of risk will be managed.
  - Specify appropriate objectives.
  - Identify and analyze risks.
  - Evaluate fraud risks.
  - Identify and analyze changes that could significantly affect internal controls.
- Implement control activities. Actions—established through enterprise policies and procedures—that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out.
  - Select and develop control activities that mitigate risks.
  - Select and develop technology controls.
  - Deploy control activities through policies and procedures.
- Manage information and communication effectively. Processes should be in place to identify, capture, and distribute the key elements of all types of information, and then communicate the relevant elements of this information to the appropriate parties.
  - Use relevant, quality information to support the internal control function.
  - Communicate internal control information internally.
  - Communicate internal control information externally.
- Establish monitoring activities. Continuous assessment of whether each of the other objectives or steps described above, including the control environment, risk assessment, and others, is present and functioning.
  - Perform ongoing or periodic evaluations of internal controls (or a combination of the two).
  - Communicate internal control deficiencies.
WAP provides ERP services to other companies. Customers can use the SOC reports and the various accreditation certificates provided by WAP as audit documents. The following are the things WAP must observe:
- The requirement to be able to provide a SOC 2 report to customers.
- The requirement to be ISO-27001 and ISO-27002 certified.
- All procedures and policies implemented in the services provided need to be designed such that they conform to Internal Control principles.
- All audit logs need to be designed with awareness of the procedures/scenarios in which the services are used, and of the assessment of the risks they impose.
The regulations most relevant to Internal Control and Audit are:
Regulation | Applicable country/areas | Practical implications |
---|---|---|
Sarbanes–Oxley Act (SOX) | United States | |
Financial Instruments and Exchange Act (J-SOX) | Japan | [TODO: what are elements of SOX that are directly/practically applicable to audit log design.] |
General Data Protection Regulation (GDPR) | European Union | [TODO: what are elements of SOX that are directly/practically applicable to audit log design.] |
[TODO: What are the activities of auditors, and how those activities define requirements of what should be logged]
[TODO: Just a brief explanation of the terminology]
[TODO: Just a brief explanation of the terminology]