When using MTTD and MTTR metrics, what should auditors evaluate about the data sources?

Prepare for the Internal Auditing Standards and Practices - Cybersecurity Test. Gain confidence with multiple choice questions and clear explanations. Ace your exam!

Multiple Choice

When using MTTD and MTTR metrics, what should auditors evaluate about the data sources?

Explanation:
The quality of the source data is essential for MTTD and MTTR, because these metrics measure time intervals based on detection and response events. If the logs and feeds behind those metrics are inaccurate or incomplete, the calculated times will be biased or wrong. Auditors should assess the accuracy and completeness of the data sources: are the logs capturing all relevant security events, are timestamps correct and time-synced across systems, are events consistently labeled and mapped to the same incident, and is there coverage from all detection tools (SIEM, EDR, IDS, ticketing) so that no gaps exist? They should also check provenance and data integrity, the implementation of data quality controls, deduplication, and normalization across sources. Evaluating only speed ignores the data's correctness; relying on anecdotes is unreliable; and focusing only on data collection cost ignores whether the data truly reflects reality.
