ISACA CISA

IT Auditor interview questions

IT auditors are responsible for performing independent verifications of an organization’s security posture. These positions can have many name variations on job boards, including: information technology auditor, IT compliance analyst, internal auditor, CISA or business analyst.

IT auditor positions exist in almost every industry, with salaries ranging from $50,000 to $175,000 depending on industry, company size and years of experience. To succeed in this role, you must understand networking, architecture, software and hardware deployment and integration, as well as security controls.

In the following list, we compiled 16 IT auditor interview questions to help you prepare for your next interview.

• Describe tools that can be used to assess the security posture of an enterprise or company architecture.

Describe tools used in both Linux and Windows environments. These include: nmap, ping, traceroute, nslookup and scanners such as Nessus and Wireshark. John the Ripper can be used to detect weak passwords, and any of the current virus scanners can be used to detect viruses on the system: ClamAV, McAfee and Symantec are some of the most popular.

• Describe the purpose of ACL software.

ACL is access control list software, such as Microsoft’s Active Directory, that is used to control a user’s accesses to system services, directories or other components.

• What do you know about the company?

This is not a technical question but is often used to see your capability to perform research. Visit the company’s webpage and LinkedIn page to learn as much information you can. Google recent press releases or news stories that relate to the company. Make sure you can state what the company’s mission and vision are, and how long they have been in business. If you were able to go a few steps further and find out information about their architecture structure, share that as well.

• How do you keep up with current industry trends?

This is a personal question. Mention any technical magazines and newsletters you subscribe to. If you are in school, mention things you’ve learned that are relevant. Use this question to illustrate your passion for the industry.

• What are your strong points?

This is a frequently asked, non-technical question. Make sure you review the requirements for the job and tailor your answer to show how your strong points are a fit for the company and the position.

• What is the difference between auditing in a Windows and Linux environment?

A lot of tools used in Windows are more automated, or launched through a GUI. In Linux, you have to use the command line more often. An audit policy in Windows is created through the GPO and distributed through the domain controller. In Linux, it is normally done through the /etc/audit.rules files and through use of the audited service. Because of these differences in how the system pulls information for audit logs, the controls for the two environments are different as well. In a Linux environment, the ability to use a GRUB password to log into the system in single-user mode is a feature an auditor would not need to review in a Windows environment. The overall file structure is different, so it is important to understand /etc, /var, /home, /opt /usr and the /tmp directories.

• What is the purpose of network encryption?

To protect data from unauthorized access (which is its confidentiality).

• What are the biggest flaws in using Cloud-based applications?

The security issues related to cloud security are heavily debated, but having information available to the public via Cloud services creates a larger threat landscape.

• If you find a defect or bug in an application, do you try to fix it yourself?

No. The best option is to bring it to the attention of the engineering team as well as the system owners. The issue can also be documented in the final report.

• What is the benefit of an IT audit for an organization?

IT audits help identify flaws and vulnerabilities in the system architecture, which gives the organization useful information to further harden their systems.

• What is the difference between an internal and external audit?

An internal audit is performed by employees of the company. External audits are performed by members of an outside firm. Some industries require an external audit in order to be compliant with industry regulations.

• How do you perform a risk assessment?

Risk assessments can vary based on industry. Some industries have pre-written risk assessment methodologies that an auditor is obligated to use. But the point of every risk assessment is to use available tools or methodologies to identify the vulnerabilities specific to the organization being evaluated, and create a strategy to remediate the vulnerabilities.

• Can you describe some of the vulnerabilities listed on the OWASP Top 10 Vulnerabilities list?

This list is updated yearly with the current top 10 application security risks. Cross-site scripting is one item that has been on the list year after year. But others on the most current list include injections such as SQL, OS and LDAP, security misconfigurations, sensitive data exposure and under-protected APIs.

NOTE: You can memorize the entire list, but most interviewers want to know you are at least familiar with the list.

• What are the differences between C and C++?

C is a procedural-only language and does not support the use of classes and object. C++ is object-oriented.

• How do you handle tough situations? Or, if a client was being difficult and refused to provide you with needed information, how would you handle this?

This is a great opportunity to share a personal experience where you handled a difficult situation. IT auditors are not the favorite employees in the industry. They can make life harder for other IT team members. With that in mind, this question gives you the opportunity to showcase your ability to defuse a potentially hostile situation. If you have never had this experience, you can discuss methods you would use to deal with a hostile person.

• If you were asked to help implement a new tool, e.g., a new SharePoint site, what questions would you ask?

What is the business purpose and/or objective? What problem are you trying to solve? Who will need to have access? These are three questions an organization should ask before making major IT changes.

Conclusion

Being able to answer these and related questions will boost your odds of being selected for an IT auditor position. At the end of the interview, you will likely be asked if you have questions for them. Always have questions prepared. It shows you are truly interested in the job. For example:

• What are your expectations for my first 90 days?
• What is the synergy like with the team I will be supporting?
• What types of things can I do to contribute to the culture of the company?

Questions like this will show you are a team player who is focused on making continued contributions to the organization.