Insufficient logging and monitoring will allow an attacker to execute an attack without any detection. Also, insufficient logging will not allow us to prove any actions. In other words, we cannot verify the repudiation of the user action. For example, a user can buy an item with 0$ from our online store, but we have no proof that he/she did it.