Objective 1.2 | Critical Priority | 8 min read

Accounting and Auditing

Tracking and recording user activities for security monitoring, compliance verification, and forensic investigation. Includes logging, monitoring, audit trail maintenance, and SIEM systems.

Understanding Accounting and Auditing

Accounting is the third "A" in the AAA framework (Authentication, Authorization, Accounting). After you've verified identity (authentication) and granted permissions (authorization), accounting tracks WHAT users do with that access.

Accounting answers: "What happened? Who did it? When did they do it?" This information serves multiple purposes: security monitoring, compliance verification, forensic investigation, and non-repudiation.

Auditing is the process of reviewing accounting records to verify security controls are working, detect anomalies, and ensure compliance. While accounting COLLECTS data, auditing REVIEWS it.

Why This Matters for the Exam

Accounting and auditing are heavily tested in Domain 4 (Security Operations), which covers monitoring and incident response. Understanding how logs support security operations connects Domain 1 fundamentals to practical security work.

The exam tests both the technical aspects (what should be logged, log management) and the process aspects (audit types, compliance requirements). Questions often present scenarios asking what information would help investigate an incident—the answer involves proper accounting.

This concept also supports non-repudiation. Audit logs provide evidence of user actions that supports accountability and prevents denial of actions.

Deep Dive

What Accounting Tracks

User Activity

  • Login and logout times
  • Authentication success and failures
  • Resources accessed
  • Actions performed (read, write, delete, modify)
  • Permission changes

System Events

  • System startup and shutdown
  • Service starts and stops
  • Configuration changes
  • Security events and alerts

Network Activity

  • Connection attempts
  • Traffic patterns
  • Bandwidth usage
  • Protocol information

Application Events

  • Application access
  • Transactions performed
  • Errors and exceptions
  • Data modifications

Components of Effective Accounting

Log Generation

  • Systems configured to create detailed logs
  • Standardized log formats
  • Appropriate verbosity levels
  • Timestamp accuracy (NTP synchronization)

Log Collection

  • Centralized log aggregation
  • Secure transport (encrypted)
  • Reliable delivery
  • Scalable storage

Log Protection

  • Integrity verification (hashing)
  • Access controls on log files
  • Tamper-evident logging
  • Backup and retention
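The "integrity verification (hashing)" and "tamper-evident logging" items above are usually implemented as a hash chain: each audit record is sealed together with the seal of the record before it, so changing, reordering or inserting any past entry breaks every seal that follows. The example below is added here and is not code from the page or from any particular SIEM product; the function names (`append_entry`, `verify_chain`), the collector key, and the sample records are constructed for illustration. Each record carries the who/what/when/where/why/result fields that the audit-trail section of this page lists, and the seal is an HMAC keyed with a secret held only by the log collector, so a process that can write to the log but does not hold the key cannot recompute a valid chain.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Hypothetical collector-side key (constructed for this example). In practice it
# lives with the central log collector, never on the systems being audited.
COLLECTOR_KEY = b"constructed-demo-key-do-not-reuse"

GENESIS = "0" * 64  # anchor value used as the "previous tag" of the first entry


def _canonical(record: Dict) -> bytes:
    # Canonical JSON (sorted keys, no whitespace) so an identical record
    # always produces identical bytes regardless of how it was built.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _tag(prev_tag: str, record: Dict) -> str:
    # HMAC-SHA256 over (previous tag || canonical record) links this entry
    # to its predecessor; without the key a valid tag cannot be forged.
    mac = hmac.new(COLLECTOR_KEY, prev_tag.encode() + _canonical(record), hashlib.sha256)
    return mac.hexdigest()


def append_entry(chain: List[Dict], who: str, what: str, when: str, where: str,
                 result: str, why: Optional[str] = None) -> Dict:
    """Append one audit-trail record (who/what/when/where/why/result) and seal it."""
    record = {"who": who, "what": what, "when": when, "where": where,
              "why": why, "result": result}
    prev = chain[-1]["tag"] if chain else GENESIS
    sealed = {"record": record, "prev": prev, "tag": _tag(prev, record)}
    chain.append(sealed)
    return sealed


def verify_chain(chain: List[Dict]) -> Optional[int]:
    """Return None if every link holds, else the index of the first bad entry."""
    prev = GENESIS
    for i, sealed in enumerate(chain):
        if sealed["prev"] != prev:
            return i  # link to predecessor was altered
        if not hmac.compare_digest(sealed["tag"], _tag(prev, sealed["record"])):
            return i  # record body or tag was altered
        prev = sealed["tag"]
    return None


def build_sample_chain() -> List[Dict]:
    # Constructed sample events; timestamps are UTC (NTP-synchronized clocks).
    chain: List[Dict] = []
    append_entry(chain, "alice", "login", "2024-03-01T09:00:00Z", "10.0.0.5", "success")
    append_entry(chain, "alice", "read /finance/q1.xlsx", "2024-03-01T09:02:10Z",
                 "10.0.0.5", "success", why="budget review")
    append_entry(chain, "bob", "delete /finance/q1.xlsx", "2024-03-01T09:05:33Z",
                 "10.0.0.9", "failure")
    return chain


def tamper_demo() -> Optional[int]:
    """Rewrite a past record's actor; verification must point at that entry."""
    chain = build_sample_chain()
    chain[1]["record"]["who"] = "mallory"
    return verify_chain(chain)


def truncation_demo() -> Optional[int]:
    """Drop the newest entry; a bare hash chain cannot detect this by itself."""
    chain = build_sample_chain()
    chain.pop()
    return verify_chain(chain)


if __name__ == "__main__":
    print("intact chain:", verify_chain(build_sample_chain()))
    print("tampered entry index:", tamper_demo())
    print("truncation detected?:", truncation_demo() is not None)
```

The truncation case is why the chain alone is not the whole answer: silently discarding the tail leaves a chain that still verifies. That gap is closed by the other two items in the list above, access controls and retention, in practice by periodically copying the newest tag (or the whole log) to WORM or otherwise append-only storage that the audited systems cannot reach.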

Log Analysis

  • SIEM (Security Information and Event Management)
  • Correlation rules
  • Alerting thresholds
  • Baseline comparison

Types of Audits

Audit Type    | Who Performs                 | Purpose
Internal      | Organization's own auditors  | Ongoing compliance, risk assessment
External      | Third-party auditors         | Independent verification, certification
Compliance    | Regulatory auditors          | Verify regulatory compliance
Security      | Security professionals       | Assess security controls
IT/Technical  | IT auditors                  | Technical control effectiveness

SIEM in Accounting

SIEM systems centralize accounting functions:

  • Collect logs from multiple sources
  • Normalize different log formats
  • Correlate events across systems
  • Alert on suspicious patterns
  • Store logs for retention requirements
  • Report for compliance and analysis
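The normalize, correlate and alert steps just listed, together with the "correlation rules" and "alerting thresholds" from the Log Analysis section above, are shown end to end below on a small constructed data set. This is an added example, not code from the page or from any SIEM product: the two log sources (an sshd syslog stream without year or time zone, and a JSON application log with a +01:00 offset) are made up, the common schema and the function names (`normalize_syslog`, `normalize_json`, `correlate`) are this example's own, and the syslog year is assumed to be 2024 because classic syslog does not record it. The rule fires when one user/source pair produces at least three failed logins within 60 seconds and then a successful login, and the alert lists every host that contributed an event, which is the cross-system view a single device's log cannot give.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample input (not real logs): an sshd syslog stream and a JSON
# application log that both see the same user and source address.
SYSLOG_LINES = [
    "Mar  1 09:00:01 web01 sshd[1234]: Failed password for alice from 203.0.113.7 port 51022 ssh2",
    "Mar  1 09:00:09 web01 sshd[1234]: Failed password for alice from 203.0.113.7 port 51030 ssh2",
    "Mar  1 09:00:40 web01 sshd[1234]: Accepted password for alice from 203.0.113.7 port 51044 ssh2",
]
JSON_LINES = [
    '{"ts":"2024-03-01T10:00:05+01:00","host":"portal","event":"login","user":"alice","src":"203.0.113.7","outcome":"failure"}',
    '{"ts":"2024-03-01T09:30:00+00:00","host":"portal","event":"login","user":"bob","src":"198.51.100.2","outcome":"failure"}',
]

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<verdict>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+) port"
)


def normalize_syslog(line: str, year: int = 2024) -> Optional[Dict]:
    """Map one sshd line onto the common schema. Classic syslog carries neither
    year nor zone, so we assume `year` and an NTP-synced clock reporting UTC."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts.replace(tzinfo=timezone.utc),
        "host": m["host"],
        "user": m["user"],
        "src": m["src"],
        "outcome": "failure" if m["verdict"] == "Failed" else "success",
    }


def normalize_json(line: str) -> Optional[Dict]:
    """Map one JSON application record onto the common schema, converting its
    embedded offset (+01:00 here) to UTC so both sources sort on one clock."""
    rec = json.loads(line)
    if rec.get("event") != "login":
        return None
    ts = datetime.fromisoformat(rec["ts"]).astimezone(timezone.utc)
    return {"ts": ts, "host": rec["host"], "user": rec["user"],
            "src": rec["src"], "outcome": rec["outcome"]}


def correlate(events: List[Dict], threshold: int = 3,
              window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """Correlation rule: at least `threshold` failures for one (user, src) pair
    inside `window`, followed by a success from that same pair."""
    alerts: List[Dict] = []
    failures: Dict[Tuple[str, str], List[Dict]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        # keep only the failures still inside the window relative to this event
        failures[key] = [f for f in failures[key] if ev["ts"] - f["ts"] <= window]
        if ev["outcome"] == "failure":
            failures[key].append(ev)
        elif ev["outcome"] == "success" and len(failures[key]) >= threshold:
            alerts.append({
                "user": ev["user"],
                "src": ev["src"],
                "failures": len(failures[key]),
                "first_failure": failures[key][0]["ts"].isoformat(),
                "success_at": ev["ts"].isoformat(),
                "hosts": sorted({f["host"] for f in failures[key]} | {ev["host"]}),
            })
            failures[key].clear()
    return alerts


def run_sample() -> List[Dict]:
    """Collect, normalize and correlate the constructed sample; return the alerts."""
    events = [e for e in map(normalize_syslog, SYSLOG_LINES) if e]
    events += [e for e in map(normalize_json, JSON_LINES) if e]
    return correlate(events)


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert, indent=2))
```

Note what the time-zone conversion buys: the portal failure stamped 10:00:05+01:00 lands between the two web01 failures once it is expressed in UTC, so the three failures are counted together. Had the offset been ignored, or had web01's clock drifted, the same events would have looked like two unrelated episodes and the threshold would never have been reached, which is the point the "timestamp accuracy (NTP synchronization)" item above is making.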

Retention Requirements

Different regulations require different retention periods:

Regulation | Typical Requirement
PCI DSS    | 1 year (3 months immediately available)
HIPAA      | 6 years
SOX        | 7 years
GDPR       | Varies (purpose limitation)

The Audit Trail

An audit trail is a chronological record that allows reconstruction of events:

1. Who — User identity (authenticated user)
2. What — Action performed
3. When — Timestamp (accurate, synchronized)
4. Where — Source system, IP address
5. Why — Context if available (application, transaction)
6. Result — Success or failure

How CompTIA Tests This

Example Analysis

Scenario: A security analyst investigates a data breach. They need to determine which user accessed sensitive files, when the access occurred, and what actions were taken on those files.

Analysis: This requires comprehensive accounting/audit logs that include:

  • User identity (who accessed)
  • Timestamps (when accessed)
  • File/resource names (what was accessed)
  • Actions performed (read, copy, modify, delete)
  • Source IP/workstation (where access originated)

Key insight: Without proper accounting, this investigation would be impossible. The audit trail enables forensic reconstruction of events.

SIEM role: A SIEM would correlate these logs from multiple systems, making it easier to trace the attacker's path across file servers, applications, and network devices.

Key Terms to Know

accounting, auditing, audit logs, SIEM, security monitoring, compliance, forensics, audit trail, logging

Common Mistakes to Avoid

Confusing accounting with authentication—authentication verifies identity BEFORE access. Accounting tracks activity AFTER access is granted. They're different AAA components.
Thinking logging is enough—generating logs isn't sufficient. Logs must be collected, protected, analyzed, and retained. Unreviewed logs provide no security value.
Forgetting log integrity—if attackers can modify logs, the audit trail is worthless. Logs need protection through hashing, access controls, and ideally WORM (Write Once Read Many) storage.
Missing the timing requirement—logs without accurate timestamps are difficult to correlate. NTP synchronization across all systems is critical for forensics.

Exam Tips

AAA order: Authentication → Authorization → Accounting. Know that accounting is the tracking/logging component.
SIEM is the primary tool for centralized accounting and log analysis. It collects, normalizes, correlates, and alerts.
Audit logs support non-repudiation by providing evidence of user actions.
Retention periods vary by regulation—PCI DSS (1 year), HIPAA (6 years), SOX (7 years).
The audit trail should answer: Who, What, When, Where, and Result (success/failure).

Memory Trick

"AAA = Who Are You? What Can You Do? What Did You Do?"

  • Authentication = Who are you? (Identity)
  • Authorization = What can you do? (Permissions)
  • Accounting = What did you do? (Tracking)

The 5 W's of Audit Trails:

  • Who — User identity
  • What — Action performed
  • When — Timestamp
  • Where — Source location
  • Why — Context (if available)

SIEM = Central Accounting Hub (Security Information and Event Management): Collects → Normalizes → Correlates → Alerts → Stores → Reports

Log Protection Memory: Logs that can be modified are logs that can't be trusted. Integrity + Access Control + Retention = Reliable Audit Trail

Test Your Knowledge

Q1. In the AAA framework, which component tracks user activities after access has been granted?

Q2. An organization needs to centrally collect logs from firewalls, servers, and applications, correlate events across systems, and generate alerts on suspicious patterns. Which tool provides these capabilities?

Q3. A forensic investigator needs to reconstruct the sequence of events during a security incident. Which requirement is MOST critical for the audit logs?
