Your Auditor Is In The Dark Ages

audit saltstack ansible

Yes, it's a clickbait title. Is your auditor stuck in the IT dark ages? They are if they are fixed on antiquated data collection practices.

I'm sure by now, everyone has been to the This Person Does Not Exist website and clicked through several rounds of realistic-looking but very fake photos of people. The site occasionally generates an image with a flaw, but overall the images are very believable. What does this have to do with auditors?

It's that time of year when publicly traded companies bring in their external auditors to perform their yearly SOX audit of their IT systems. The whole point of the exercise is to verify that organizations are following IT best practices and organizational policies. For example, if a company policy states that only select individuals will have access to a server, then the auditor will ask for evidence of who has accounts on the server. Without fail, the auditors want screenshots with a date stamp. Why screenshots and not the /etc/passwd file itself?

The answer is usually "text files can be edited", which implies that screenshots cannot be edited. In addition, generating screenshots for large environments is very cumbersome and time consuming. If an auditor asks for a log file, then it's screenshot, scroll, screenshot, scroll, screenshot, ... ... ... (Multiple ellipses because this process can go on forever for very large log files.) This often leads to "Oh, it's OK to export the log files, but remember text files can be edited." With a flawed assumption and an exception, sending sys admins off to generate hundreds of screenshots is not the correct approach.

What is the correct approach? As with any IT challenge, there is not one absolute correct answer. The solution will vary with the resources and maturity of the organization. On the less advanced end of the spectrum, organizations can use a script to collect all of the files and configuration evidence, generate a file listing, and sign the set with a known PGP key. The script can be audited, and the PGP signature can be verified against the provided data. More mature organizations will have DevOps tools like SaltStack or Ansible in place for configuration management and deployment automation. The same tools can be used for configuration enforcement and exception reporting.
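The "less advanced end of the spectrum" script described above, as an added example written for this post rather than taken from it: it copies the requested evidence files into a dated bundle, records the collection time and host, writes a SHA-256 manifest of every collected file, and detach-signs that manifest with a PGP key. It goes a little beyond the paragraph by also recording files that could not be read (so the auditor sees the gap rather than a silent omission) and by including the verification step the auditor runs. It assumes GNU coreutils (`sha256sum`) and GnuPG; `KEYID` is a placeholder for whichever key the organization has shared with its auditor, and the sample files in the demo are constructed, not real system files.

```shell
#!/bin/sh
# Added example, not the post's own script. Builds a tamper-evident evidence bundle:
#   bundle/files/<original path>   copies of the collected evidence
#   bundle/missing.txt             evidence that was requested but unreadable
#   bundle/MANIFEST.sha256         sha256 of every collected file, sorted
#   bundle/MANIFEST.sha256.asc     detached PGP signature over the manifest
set -eu

# collect_evidence BUNDLE_DIR FILE...  -> copies each readable file under files/,
# preserving its original path, and logs unreadable ones to missing.txt
collect_evidence() {
    bundle="$1"; shift
    mkdir -p "$bundle/files"
    for f in "$@"; do
        if [ -r "$f" ]; then
            dest="$bundle/files/${f#/}"        # /etc/passwd -> files/etc/passwd
            mkdir -p "$(dirname "$dest")"
            cp -p "$f" "$dest"                 # -p keeps the original mtime/mode
        else
            printf 'MISSING %s\n' "$f" >> "$bundle/missing.txt"
        fi
    done
}

# write_manifest BUNDLE_DIR -> sorted sha256 listing plus collection metadata
write_manifest() {
    bundle="$1"
    ( cd "$bundle" && find files -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) \
        > "$bundle/MANIFEST.sha256"
    date -u +'%Y-%m-%dT%H:%M:%SZ' > "$bundle/COLLECTED_AT"
    hostname > "$bundle/HOST" 2>/dev/null || echo unknown > "$bundle/HOST"
}

# verify_manifest BUNDLE_DIR -> exit 0 only if every file still matches its hash.
# This is the check the auditor runs; editing any collected file makes it fail.
verify_manifest() {
    ( cd "$1" && sha256sum -c --quiet MANIFEST.sha256 )
}

# sign_manifest BUNDLE_DIR KEYID -> detached ASCII-armored signature over the manifest.
# KEYID is a placeholder for the key the organization has shared with the auditor.
sign_manifest() {
    bundle="$1"; keyid="$2"
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping signature" >&2; return 2; }
    gpg --batch --yes --local-user "$keyid" --armor --detach-sign \
        --output "$bundle/MANIFEST.sha256.asc" "$bundle/MANIFEST.sha256"
}

# Demo on constructed sample files (not real system files), so it runs anywhere.
demo() {
    tmp=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/sh\n' > "$tmp/passwd"
    printf 'PermitRootLogin no\n' > "$tmp/sshd_config"
    collect_evidence "$tmp/bundle" "$tmp/passwd" "$tmp/sshd_config" "$tmp/not-there"
    write_manifest "$tmp/bundle"
    verify_manifest "$tmp/bundle" && echo "bundle verifies"
    cat "$tmp/bundle/MANIFEST.sha256" "$tmp/bundle/missing.txt"
    rm -rf "$tmp"
}
demo
```

In practice the signing key's private half stays on a dedicated collection host, the auditor verifies with `gpg --verify MANIFEST.sha256.asc MANIFEST.sha256` and then `sha256sum -c MANIFEST.sha256`, and the script itself is handed over alongside the bundle so it can be reviewed.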

Regardless of the process that is implemented, it needs to be understandable, well documented, and repeatable. Compliance reporting does not need to be a cumbersome manual process that everyone dreads. Make the technology work for you.
