by ProAm 3476 days ago
Most auditors just want to check a box on a sheet; I've never been a part of an audit that was worth anything.
1 comment

Careful with that brush, Eugene. As someone who has done (extensive) audits, I respectfully submit that the problem is not the audit process but the auditors you hire.

The usual process for such a control should be:

* Is there a requirement for a log?

* Does that log exist?

* Can the system(s) that write to the log be prevented from doing so/tampered with? (branch here to system security review)

* How are the contents of that log secured against tampering? (branch here to security review of logs)

* Who is responsible for reviewing it?

* Where is the evidence that such reviews occurred?

* What violations of policy were found during those reviews? (branch here to a review of the follow-up process)

* Can I, the auditor, find violations that were not found during the reviews? (if yes, branch here to figuring out why not)

This is not an especially complex script to follow, and winning at that last step is the kind of thing that gets you nice fat bonuses and happy bosses, because suddenly the auditee needs remediation consulting services. Especially as the cost of "taking a complete sample" (i.e. reviewing every entry in the log) goes down to nearly zero, this kind of review gets easier and easier (and is often automated by the company being audited, which just shifts the focus slightly... with no change to the last step).

That's broadly correct, although auditing is usually risk-based. The first question should be: is there a risk that requires a detective control of audit logging to be in place? If the answer is no (because the system is of low risk or value), then you would be unlikely to continue down the checklist.
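The checklist in the first comment has two steps an auditor can actually run code against: "how are the contents of that log secured against tampering?" and "can I, the auditor, find violations that were not found during the reviews?" (the "complete sample"). The script below is an added example written for this page, not code from either commenter. Everything in it is an assumption for illustration: the log is a hash-chained JSON-lines format where each record carries the SHA-256 of the record before it, the policy being reviewed is that privileged actions must be performed by admins inside a 09:00 to 18:00 change window, the five records are constructed sample data, and the reviewer's findings are a made-up set of record IDs. The tamper check answers the "secured against tampering" branch; `audit()` then reviews every record and diffs the result against what the periodic review recorded.

```python
import copy
import hashlib
import json
from datetime import datetime, time

GENESIS = "0" * 64  # assumed anchor value for the first record's "prev" link


def chain_hash(prev_hash: str, record: dict) -> str:
    """Hash a record bound to its predecessor; canonical JSON keeps it stable."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def build_log(records):
    """Emit hash-chained entries, as a well-behaved log writer would."""
    entries, prev = [], GENESIS
    for rec in records:
        h = chain_hash(prev, rec)
        entries.append({"prev": prev, "rec": rec, "hash": h})
        prev = h
    return entries


def verify_chain(entries):
    """Return the index of the first entry whose link is broken, or None if intact."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["prev"] != prev or chain_hash(e["prev"], e["rec"]) != e["hash"]:
            return i
        prev = e["hash"]
    return None


def tamper(entries, index, **changes):
    """Simulate an after-the-fact edit of one record without rewriting the chain."""
    t = copy.deepcopy(entries)
    t[index]["rec"].update(changes)
    return t


# Assumed policy for the example: privileged actions need the admin role and
# must happen inside the change window.
PRIVILEGED = {"grant_role", "disable_logging", "delete_user"}
WINDOW_START, WINDOW_END = time(9, 0), time(18, 0)


def find_violations(entries):
    """Review every record (the 'complete sample'), not a hand-picked subset."""
    found = []
    for e in entries:
        r = e["rec"]
        if r["action"] not in PRIVILEGED:
            continue
        ts = datetime.fromisoformat(r["ts"])
        if r["role"] != "admin":
            found.append((r["id"], "privileged action by non-admin"))
        elif not (WINDOW_START <= ts.time() <= WINDOW_END):
            found.append((r["id"], "privileged action outside change window"))
    return found


def audit(entries, reviewer_findings):
    """Tamper check, then complete sample, then diff against the reviewer's record."""
    auditor = find_violations(entries)
    return {
        "chain_broken_at": verify_chain(entries),
        "auditor_found": auditor,
        "missed_by_reviewer": [v for v in auditor if v[0] not in reviewer_findings],
    }


# Constructed sample log: five records, two of which breach the assumed policy.
SAMPLE_RECORDS = [
    {"id": 1, "ts": "2015-05-04T10:12:00", "user": "alice", "role": "admin", "action": "grant_role"},
    {"id": 2, "ts": "2015-05-04T11:30:00", "user": "bob", "role": "user", "action": "login"},
    {"id": 3, "ts": "2015-05-04T23:41:00", "user": "carol", "role": "admin", "action": "delete_user"},
    {"id": 4, "ts": "2015-05-05T08:05:00", "user": "bob", "role": "user", "action": "disable_logging"},
    {"id": 5, "ts": "2015-05-05T09:15:00", "user": "alice", "role": "admin", "action": "grant_role"},
]
SAMPLE_LOG = build_log(SAMPLE_RECORDS)
REVIEWER_FINDINGS = {3}  # constructed: the periodic review only caught the off-hours deletion

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_LOG, REVIEWER_FINDINGS), indent=2))
    print("tampered copy breaks at index:", verify_chain(tamper(SAMPLE_LOG, 3, role="admin")))
```

Run as-is, the chain verifies, the auditor finds records 3 and 4, and record 4 (a non-admin disabling logging) is the one the reviewer missed, which is exactly the branch into "figuring out why not". Editing record 4 in place to claim the admin role breaks the chain at that entry, so the tamper check fails before the content review even starts; in a real engagement the chain's anchor would of course have to be held somewhere the log writer cannot reach.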