Common&possible q's view in word

IT Auditor Common and Possible Questions 1. Introduce /tell us about yourself I am an IT Auditor with over 3 years of experience in SOX testing, SOC 1 - Type 2 reviews and supporting financial statement audits. I have Bachelors of Science (BS) in COMPUTER SCIENCE. I am currently an IT Auditor with THE NIGBEL GROUP, which is an IT consulting company. Prior to this, I worked as an IT Auditor with PERFECTNET INC., which is also an IT consulting firm located in Woodbridge Virginia. 2. What do you do as an IT Auditor? Or what is your typical day like? What do you do on daily basis? I perform IT audit of clients and test Access Control, Change Management and IT Operations. In access control, we test (give the first 3 controls from the Control Table), In change management, we test (give all the 4 controls from the Control Table), And in IT Operations, we test (give all the 2 controls from the Control Table). NB : It may be helpful to buttress these with relevant ITGC tasks storytelling. See the Appendix A of this document for the section titled Helpful Storytelling related sample example and guidance. 3. How do you perform IT audit or what is the audit process? Paraphrase the IT Audit Process in the IT Audit introduction document, from planning to follow- up phases 4. What do you test in Change Management, Access Control or IT Operations? Mention 4 of the Change management controls, at least 3 of the Access Controls, if asked, and the 2 IT operations, also if asked 5. What do you test for in Password, New users or terminated users? Mention the control objective of each test from the Audit Program section of your IT Audit Introduction handout, such as in password you test for minimum password length to see if up to 8 characters, password composition/complexity and 6 other attributes; while in new users, you test if the new user's access is in line with his/her job function, if it is approved and if what is approved is what is set up on the system by the system administrator. In terminated users, you test if the users that left the organization are promptly removed from the system, usually within 1-3 business days, the earlier the better based on the organization's policy. Know similar objectives for the other controls not indicated here.
6. How do you perform walkthrough and detailed testing/test of control? Paraphrase the walkthrough key words in your handout titled Walkthrough and Test of Controls in Practice, by mentioning the 4 components of walkthrough by saying that you will obtain the understanding of the controls being tested from walkthrough meeting with the client, observe the control from the evidence provided, reference the evidence provided and making an opinion whether exception is noted or not. For how to perform detailed testing, mention that you will obtain population, validate the population by observing the pulling of the population or by obtaining the screenshot of the parameters used to pull the population, and then select a sample (usually 10%) and requesting the evidence similar to those from walkthrough for each of the sample, and then testing the controls/testing attributes with the evidence provided (the rest is similar to walkthrough as 3 of the 4 components are observed with the exception of understanding the control since that was already obtained during walkthrough). Note that this details is what the interviewer needs each time they ask you what control you test and then ask you how do you test that control. 7. When performing a test of controls of transactions such as in change management where you have a list of 100 changes during your audit period, how many changes AND what percentage of the changes would you select as your sample and test? Indicate that you will test 10% of the 100 changes, which will be 10 changes. Remember that it would be 1 change if you were asked how many changes you would perform a walkthrough on 8. What would you recommend if you find that there is segregation of duties (SOD) in access control or change management, and it is due to limited or few personnel in the IT group which make it impossible to separate the duties? I will recommend that the work or activities (usually captured in activity log of their accounts) of those involved in performing incompatible duties are monitored or reviewed by someone else (typically by their supervisor or other colleagues who understand what they do) on a periodic basis, which could be weekly or monthly depending on the volume of activities with SOD conflict performed by such people. This is commonly seen with system administrators or change developers performing additional functions such as having to perform multiple controls in change management. 9. What projects have you worked on? IT audit as part of financial statement audit, SOX testing, SAS 70 (pronounced sirs-70) /SSAE 16/Service Organization Control (SOC, pronounced suck) audit, A-123 audit (pronounced A-one- twenty-three audit), FISCAM or federal financial statement audit, PCI DSS and HIPAA audit. 10. Is your company the prime or sub-contractor on the project you worked on? Indicate that your company was a sub-contractor in most cases since the project are usually large and the prime contractors could be known or easily checked on the internet, but know the
prime contractor in charge of the project under which you worked as a sub- contractor as indicated above. e. Make the timeframe of these audits fall within your IT audit experience period. Each takes about 3 months for commercial and 6 months for government. 11. Which clients have you worked on? a. Provide names of companies looked up on Google by industries such as Suntrust or BB&T in banking, Nationwide or Allstates in insurance, and AT&T or Verizon in communication; but be sure to check out their external auditors on their websites with whom you have worked as a sub-contractor. Also know their locations where you have worked. b. If interviewer is interested in federal project, provide federal agencies like Department of Commerce, Department of Labor, Department of Agriculture, Department of Health and Human Services (HHS), and know their branches or operating divisions (including their locations/city which are mostly in Washington DC) where you have worked, such as National Oceanic And Atmospheric Administration (NOAA) for Department of Commerce, US Forest Service for Department of Agriculture, and National Institute of Health (NIH) and Centers for Medicare & Medicaid Services (CMS) for Department of Health and Human Services (HHS) (Note that HHS is located in Rockville MD) (see this link for the full list: Click the agency's name links for their websites and contact tab for their locations). Also know their external auditors or the consulting companies that performed these projects you work on, with whom you worked as a subcontractor, such as on A-123, HIPAA. These information are also available on the agencies websites. Check if the firm you are interviewing with is the external auditor or consultant for the mentioned companies or federal agencies. You can look up their most current financial statement audit reports on Google and know their external auditors from the Independent Auditor's Report section of the report by adding Independent Auditor's Report or Consolidated Financial statement to their names, such as typing into Google, Department of Agriculture's Independent Auditor's Report. Note that Department of Agriculture's financial statement audit is performed by its Office of Inspector General (OIG), Department of Commerce and Department of Labor audits are performed by KPMG while the audit of Department of Health and Human Services (HHS) is performed by Ernst and Young. Also note that Grant Thornton audits Social Services Administration (SSA) located in Baltimore and performs A-123 audit at the Centers for Medicare & Medicaid Services (CMS) (also located in Baltimore) which is a branch of HHS and at the United States Patent and Trademark Office (USPTO) located in Alexandria Virginia which is a branch of Department of Commerce.
Uploaded by celineasare on