Audit capability is the ability of a system or application to generate and store audit records that can be used to monitor, analyze, and investigate the activities and events that occur within the system or application. Audit records should contain sufficient information to identify the who, what, when, where, and how of each auditable event. This information is essential for accountability, non-repudiation, and forensic analysis. Therefore, when assessing the audit capability of an application, the most important activity is to determine whether the audit records contain sufficient information. Reviewing the security plan for actions to be taken in the event of audit failure, verifying that sufficient storage is allocated for audit records, and identifying procedures to investigate suspicious activity are also important activities, but they are secondary to the quality of the audit records.

References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 7, Security Operations, page 654. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 7, Security Operations, page 705.
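The sufficiency check described above can be made concrete as a small review script. The following is an added example, not part of the original explanation or of any cited reference: it maps the five elements (who, what, when, where, how) onto assumed field names of a JSON-lines audit log, flags records that fail to answer any of them, and summarizes the result. The field names, the sample records, and the parsing rules are all assumptions chosen for illustration.

```python
import json
from datetime import datetime

# Assumed mapping from the five audit elements to record fields.
# These field names are an assumption for this example, not a standard schema.
REQUIRED_FIELDS = {
    "who": "actor",        # identity that performed the action
    "what": "action",      # operation attempted and its outcome
    "when": "timestamp",   # ISO 8601 time of the event
    "where": "source",     # originating host or network address
    "how": "method",       # interface or channel used (ssh, api, console, ...)
}


def missing_elements(record):
    """Return the audit elements (who/what/when/where/how) a record fails to answer."""
    missing = []
    for element, field in REQUIRED_FIELDS.items():
        value = record.get(field)
        if value in (None, ""):
            missing.append(element)
            continue
        # "when" must be a parseable timestamp, not just a non-empty string.
        if element == "when":
            try:
                datetime.fromisoformat(str(value).replace("Z", "+00:00"))
            except ValueError:
                missing.append(element)
    return missing


def parse_line(line):
    """Parse one JSON-lines audit record; return None if it is not valid JSON."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return None
    return record if isinstance(record, dict) else None


def assess(lines):
    """Assess a list of audit log lines for sufficiency.

    Returns a dict with the total count, the number of sufficient records,
    and a mapping of line index -> list of missing elements for the rest.
    """
    insufficient = {}
    for index, line in enumerate(lines):
        record = parse_line(line)
        if record is None:
            insufficient[index] = ["unparseable"]
            continue
        missing = missing_elements(record)
        if missing:
            insufficient[index] = missing
    return {
        "total": len(lines),
        "sufficient": len(lines) - len(insufficient),
        "insufficient": insufficient,
    }


# Constructed sample records (not real log data):
# 0: complete; 1: no actor or source; 2: timestamp that cannot be parsed.
SAMPLE_LOG = [
    '{"actor": "alice", "action": "login:success", "timestamp": "2024-03-01T08:15:00Z", '
    '"source": "10.0.0.5", "method": "ssh"}',
    '{"action": "delete_user:success", "timestamp": "2024-03-01T08:16:30Z", "method": "api"}',
    '{"actor": "bob", "action": "read_file:denied", "timestamp": "yesterday", '
    '"source": "10.0.0.9", "method": "console"}',
]

if __name__ == "__main__":
    result = assess(SAMPLE_LOG)
    print(f"{result['sufficient']} of {result['total']} records are sufficient")
    for index, missing in result["insufficient"].items():
        print(f"record {index}: cannot answer {', '.join(missing)}")
```

Run against a real export, the per-record list of missing elements is what an assessor would raise with the application owner: a record that cannot answer "who" or "when" cannot support accountability or non-repudiation regardless of how much storage is allocated for it.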