“Audit logs” should normally refer to journals (and their associated journal receivers). Most common would be system audit journal, QAUDJRN, and database journals created by system users.
There are no interfaces exposed to programmers that allow changes to existing entries in any journal receiver. AFAIK, the interfaces that could cause a change to an entry, including removal of an entry but not including deletion of the receiver objects themselves, are not even surfaced above the virtual machine layer to the operating system itself.
So, although receivers and journals are objects that can be deleted when sufficient authority is granted, the entries are secure. Also, entries can not be added into the receivers that can look like actual audit entries. A “forged” entry would have an entry code that identified it as a non-system entry.
(Someone who programs to the virtual machine level could circumvent system controls, but who would configure their system to allow that?)