
Excerpt from: The Windows Server 2003 Security Log Revealed

Audit policy change

The Policy Change category provides notification of changes to important security policies on the local system, such as to the system’s audit policy or, in the case of DCs, to trust relationships.
Windows logs event ID 612 (Figure 11‑1) when it detects a change to the system’s audit policy.

| Event ID | Type | Description |
|---|---|---|
| 612 | Success | Audit Policy Change |

Figure 11‑1 Event ID 612


This is an important event that might indicate tampering with the Security log. Fortunately, the event tells you the new status of all nine audit policies, as Figure 11‑2 shows. Unfortunately, the Changed By fields don’t tell you which administrator modified the audit policy; the user name always lists the computer name of the local system. In Windows 2000 and later, no one directly modifies security settings such as audit policy; instead, you edit the system’s local GPO or a GPO stored in AD. The system then applies Group Policy, so it is the system itself that makes the actual configuration changes, based on the resultant set of policy derived from all applicable GPOs.

More information on this audit category is available in WinSecWiki

This is just a fraction of the wealth of information available only in Randy Franklin Smith's eBook, The Windows Server Security Log Revealed.
