IT Auditor Common and Possible Questions
Introduce/tell us about yourself
I am an IT Auditor with over 3 years of experience in SOX testing, SOC 1 - Type 2 reviews
and supporting financial statement audits.
I have a Bachelor of Science (BS) in Computer Science. I am currently an IT Auditor
with THE NIGBEL GROUP, which is an IT consulting company.
Prior to this, I worked as an IT Auditor with PERFECTNET INC., which is also an IT
consulting firm located in Woodbridge, Virginia.
What do you do as an IT Auditor? Or what is your typical day like? What do you do on daily
I perform IT audits of clients and test Access Control, Change Management and IT Operations.
In access control, we test (give the first 3 controls from the Control Table),
In change management, we test (give all the 4 controls from the Control Table),
And in IT Operations, we test (give all the 2 controls from the Control Table).
It may be helpful to buttress these with relevant ITGC task storytelling. See Appendix
A of this document for the section titled Helpful Storytelling related sample example and
How do you perform IT audit or what is the audit process?
Paraphrase the IT Audit Process in the IT Audit introduction document, from planning to follow-
What do you test in Change Management, Access Control or IT Operations?
Mention 4 of the Change Management controls, at least 3 of the Access Controls, if asked, and
the 2 IT Operations controls, also if asked.
What do you test for in Password, New users or terminated users?
Mention the control objective of each test from the Audit Program section of your IT Audit
Introduction handout. For passwords, you test the minimum password length to see if it is at
least 8 characters, password composition/complexity and 6 other attributes. For new users, you
test if the new user's access is in line with his/her job function, if it is approved and if what is
approved is what is set up on the system by the system administrator. For terminated users, you
test if the users that left the organization are promptly removed from the system, usually within
1-3 business days (the earlier the better), based on the organization's policy. Know similar
objectives for the other controls not indicated here.
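
The terminated-user test described above can be walked through as a small script. This is an added example, not part of the original document: it compares an HR termination list against a system account listing and counts business days to removal. The user IDs, dates, the 3-business-day threshold (the upper end of the 1-3 day range) and the choice to ignore public holidays are all assumptions; the function names are hypothetical.

```python
from datetime import date, timedelta

# Constructed sample data, not taken from any real system.
HR_TERMINATIONS = {               # user id -> termination date per HR
    "asmith": date(2024, 3, 1),   # Friday
    "bjones": date(2024, 3, 4),   # Monday
    "cdoe": date(2024, 3, 6),     # Wednesday
    "dlee": date(2024, 3, 8),     # Friday
}
SYSTEM_ACCOUNTS = {               # user id -> date access was removed (None = still active)
    "asmith": date(2024, 3, 4),
    "bjones": date(2024, 3, 11),
    "cdoe": None,
    "evans": None,                # current employee, not in the HR termination list
}
AUDIT_DATE = date(2024, 3, 15)    # date the system listing was generated (assumed)


def business_days_between(start, end):
    """Count weekdays after `start` up to and including `end` (holidays ignored)."""
    days, current = 0, start
    while current < end:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday=0 ... Friday=4
            days += 1
    return days


def review_terminated_users(terminations, accounts, as_of, max_days=3):
    """Return {user: (result, business_days)} for every terminated user."""
    results = {}
    for user, term_date in sorted(terminations.items()):
        if user not in accounts:
            # Not in the listing: the auditor still needs evidence of when access was removed.
            results[user] = ("FOLLOW_UP", None)
            continue
        removed = accounts[user]
        elapsed = business_days_between(term_date, removed or as_of)
        if removed is None:
            results[user] = ("EXCEPTION_STILL_ACTIVE", elapsed)
        elif elapsed > max_days:
            results[user] = ("EXCEPTION_LATE", elapsed)
        else:
            results[user] = ("PASS", elapsed)
    return results


if __name__ == "__main__":
    for user, outcome in review_terminated_users(
            HR_TERMINATIONS, SYSTEM_ACCOUNTS, AUDIT_DATE).items():
        print(user, outcome)
```

Set max_days to whatever the organization's policy states before relying on the results.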