Approach of IT audit interviews & sample questions to ask auditees

sunhux asked:
For IT audit purposes, what are some of the questions that an auditor should ask
during the audit interview, especially for Cyber, IT Infra and End-user computing audits?

What are some of the open-ended questions, like "Can you describe your
network architecture", "what's your patch procedure/policy like", "what are
your perimeter & endpoint defenses" ... <pls add on>.

I presume auditors should start with such open questions first before going
into more targeted questions?

What are some of the more targeted questions?
Eg: "how long is your backup retention for DB, logs, ...", "share some of
the recent patch logs", ... <pls add on> ...
btan, Exec Consultant, Distinguished Expert 2018
The questions to be asked should not be overly open-ended, as they still need to be scoped to the organisation policy and standard that need to be audited, or even the specific legislation and regulation. A question has to be related to the domain and not be hopping around or mixed, unless there is a rationale for asking it. There is always preparation work to ask the user to declare the list of systems, and from there scope out which is the targeted system and state the policy / standard to be audited. I am assuming this is not a surprise audit check per se.

Set the objective of the audit
- Review of the controls of the IT systems to gain assurance about their adequacy and effectiveness.
- Evaluation of the performance of a system or a specific programme.
- Review of the security of the IT systems.
- Examine the system development process and the procedures followed at various stages involved therein.

With that in mind, then start planning your interview, review and onsite visit.

I tend to see that the open-ended ones will start with the "How" and then drill into it with the "What", "Where", "When" and "Who".

So assuming the audit scope is on organization and management controls (IT policies and standards), below are some that I can think of:

1- IT operational controls.
> Capacity planning - How do you ensure the computer systems will continue to provide a satisfactory level of performance in the longer term?
   >> Who made the estimate for the storage capacity and network load capacity? Who approved that this set of SLAs is satisfactory for the longer term?

> Performance Monitoring - How do you monitor the day-to-day performance of the system in terms of measures such as response time?
   >> Who is monitoring this, and are they authorised by the IT manager? When is the performance report submitted for review of compliance with the SLA?

> Media Management - How do you keep track of and control the storage media?
   >> Which media are tracked, who approves the issuance, and where are all these requests and returns of assets recorded?

> Backup - How do you ensure backups of data and software are carried out?
   >> Who performs the IT operations, and how regularly is this done, i.e. daily, weekly, monthly, etc.?

> Service Level Agreement - How do the SLAs get enforced such that the project team is really putting them into practice?
   >> List out the process for getting the SLA approved and eventually written into the tender specification template the project team has to use as a baseline.
   >> List out all the baseline SLAs that the project team should minimally have, and show one system specification demonstrating them.

> Network Management and Control - How do you ensure there are appropriate controls to secure data in networks, and that the network is adequately protected from unauthorised access?
   >> List out the separation of duties between operators and network administrators.
   >> State the reports and utilities for monitoring network availability and performance.
   >> List out the security events that the IT team will be looking out for to trigger further investigation.

2- Logical access controls.
> Login Mechanism - How do you ensure the logical access controls are functioning effectively?
   >> What are the authentication form factors used for login to the endpoint, server and network, and what about all administrative access?
   >> What are the limited privileges granted to ensure "super users" do not have all the privileges to the system and user endpoint?
   >> List out the roles and access matrix created to ensure least privilege principles are adopted.
   >> Who is on the current list of authorised users, and what are their access privileges for this system?

> Program Change Control - How do you ensure the system development process is governed?
   >> What change requests have been handled thus far, and who is the approving authority?
   >> For emergency patch deployment, who can approve it, and where are all these approvals tracked and archived?
   >> What is the frequency of review for each change, and what is the SLA to be followed through?
   >> Will the user making the request be informed if there are changes to the process or the request has to be delayed or deferred?

3- Internet Control
> Use of device and network - How do you ensure that users surf the internet using the designated network?
   >> Where is the separation point between intranet and internet, and is that the only egress out to the internet?
   >> Which machines and devices are allowed to surf the internet, and how often is a random check of users' surfing machines carried out?
   >> When the network is down, what are the approved media used for file transfer from the internet, who approved their usage, and for how long?

> Use of internet controls - How do you ensure safe surfing?
   >> What is the isolation mechanism or tool used for the machine when it is infected or suspected to have been hacked?
   >> What are the security configurations for the ports and services allowed on the machine?
   >> What is the list of whitelisted file extensions, and for additional ones, who is the approving authority?
Audit Scope
The first step in audit planning is to gain an understanding of the business. Then you set the audit scope and audit objectives.

The scope can vary based on the client's terms and conditions and requirements. As an IT auditor, you should understand that policies are a part of the audit scope and test the policies for compliance.

For example, the following are helpful in performing an IT General Controls review.

1- IT Organization and Management
§ Organization chart for information system (IS) management.
§ IT security policy and relevant policies and procedures.

2- Computer Operations
§ Listing of critical operating system software and utilities.
§ Essential listing of application software and their hardware vendor and model.
§ Network diagram.
§ Procedures used to manage/monitor service level agreements.

3- Application Development and Change Control
§ List of new financial systems projects, significant system upgrades/acquisitions/interfaces, and conversions to the financial reporting system.

4- Access Controls and Security Administration
§ List of users {SOFTCOPY} (including employee number, userID, full name, department, last login date, privileges, and status [active/disabled]) who have access to:
- Core financial application.
- The database of the core financial application.
- The operating system of the core financial application.
- Network domain controllers.

§ System-generated report or screenshot of security configuration parameters for password policies, and audit logging on:
- Core financial application.
- The database of the core financial application.
- The operating system of the core financial application.
- Network domain controllers.

5- Business Continuity and Physical Access
§ IT disaster recovery plan and the latest test results.
§ List of individuals with access to the datacenter.

6- Human Resources
List of personnel/users {SOFTCOPY}, including their employee number:
§ New hires (within the last three months).
§ Transfers between departments during 20xx.
§ Individuals currently on long leave.
§ Individuals who resigned during 20xx.

7- Internal Audit
§ Latest internal IT audit scope and results of internal audit testing of controls and follow-up of actions.
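As an added example (not code from either answer above), the script below shows what an auditor does with the evidence once the user listing under item 4 and the HR lists under item 6 are in hand, and it also backs btan's question about who the current authorised users are: it reconciles the two and flags resigned, transferred, long-leave, dormant and out-of-department privileged accounts for follow-up. The user listing, HR lists, department names, review date and 90-day dormancy threshold are all constructed assumptions.

```python
import csv
from datetime import date
from io import StringIO

# Constructed sample of the {SOFTCOPY} user listing requested under item 4,
# one row per account on the core financial application (not real data).
USER_LISTING = """\
employee_number,user_id,full_name,department,last_login,privileges,status
E100,alice,Alice Ng,Finance,2018-03-05,user,active
E101,bob,Bob Lim,IT,2018-03-06,admin,active
E102,carol,Carol Tan,Finance,2017-11-20,user,active
E103,dave,Dave Ong,Sales,2018-03-01,user,active
E104,erin,Erin Koh,IT,2018-02-28,admin,disabled
E105,frank,Frank Lee,Finance,2018-03-04,admin,active
"""

# Constructed HR lists for the same review period (item 6), keyed by employee number.
RESIGNED = {"E102"}
TRANSFERRED = {"E103": ("Finance", "Sales")}   # employee -> (from, to)
LONG_LEAVE = {"E105"}
# Departments that are expected to hold access to this system (assumption).
OWNING_DEPARTMENTS = {"Finance", "IT"}


def review_access(listing_csv, as_of=date(2018, 3, 10), stale_days=90):
    """Cross-check the access listing against HR data; return (user_id, finding) pairs."""
    findings = []
    for row in csv.DictReader(StringIO(listing_csv)):
        emp, uid = row["employee_number"], row["user_id"]
        if row["status"] != "active":
            continue  # disabled accounts are covered by a separate test
        last_login = date.fromisoformat(row["last_login"])
        if emp in RESIGNED:
            findings.append((uid, "resigned employee still has an active account"))
        if emp in TRANSFERRED and TRANSFERRED[emp][1] not in OWNING_DEPARTMENTS:
            findings.append((uid, "transferred out of the owning department, access not revoked"))
        if emp in LONG_LEAVE:
            findings.append((uid, "account not suspended during long leave"))
        if (as_of - last_login).days > stale_days:
            findings.append((uid, "dormant account still active"))
        if row["privileges"] != "user" and row["department"] != "IT":
            findings.append((uid, "privileged access held outside IT, check role matrix"))
    return findings


if __name__ == "__main__":
    for uid, finding in review_access(USER_LISTING):
        print(f"{uid}: {finding}")
```

Each finding maps back to an interview question (who approved this access, where is the revocation recorded), so the script produces the follow-up list rather than a verdict.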
