Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Whether you are preparing for your first IT audit role or moving into a senior position, knowing how to answer IT audit interview questions confidently can make the difference. This guide covers the most common questions asked in IT audit interviews, from foundational concepts through to scenario-based and technical questions, with detailed model answers you can adapt.
Foundational IT Audit Interview Questions
1. What is an IT audit and what is its purpose?
An IT audit is an independent examination of an organisation’s IT infrastructure, policies, and operations to evaluate whether controls are adequate, effective, and aligned with business objectives. The purpose is threefold: to provide assurance that IT systems are reliable and secure, to identify weaknesses or gaps in controls, and to give management and the board confidence in IT-dependent processes.
A strong answer should mention that IT audits support financial audit reliance (by validating IT General Controls), regulatory compliance (NCA ECC, SAMA, ISO 27001), and operational risk management. Avoid describing it purely as a “checkbox exercise” — emphasise assurance and improvement.
2. What are IT General Controls (ITGC) and why do they matter?
ITGCs are organisation-wide controls that govern how IT systems are managed, changed, and operated. The four core ITGC domains are: Access Management (who can access systems and data), Change Management (how changes to systems are authorised and deployed), IT Operations (backup, job scheduling, monitoring, incident management), and Data Management (data integrity and retention).
They matter because application controls — the automated controls embedded in business systems like ERP platforms — can only be relied upon if the underlying ITGC environment is sound. If ITGCs are weak, external auditors cannot rely on system-generated reports, which increases the risk of misstatement in financial reporting.
3. What is the difference between ITGC and application controls?
ITGCs are pervasive controls that apply across all systems and are tested at the infrastructure and process level. Application controls are specific to individual software systems and operate at the transaction level — they ensure that data entered into, processed by, and output from a system is complete, accurate, and valid.
A practical example: the ITGC access management control governs whether only authorised users can log in to the ERP system. The application control governs whether a user in the procurement role cannot also approve their own purchase orders (segregation of duties at the application level). Both are needed — ITGCs set the control environment, application controls operate within it.
4. Walk me through a typical IT audit process.
The IT audit process follows four main phases. Planning involves scoping the audit, understanding the entity’s IT environment, conducting a risk assessment, and developing an audit programme. Fieldwork involves executing test procedures — reviewing configurations, selecting samples, obtaining evidence, and documenting findings. Reporting involves drafting findings with root causes and recommendations, reviewing with management for factual accuracy, and finalising the report. Follow-up involves tracking whether management has implemented agreed remediation actions.
When answering this in an interview, tailor your response to the context: for an internal audit role, emphasise the risk-based planning and the management engagement throughout; for an external audit support role, emphasise ITGC testing timelines aligned with the financial audit cycle.
Technical IT Audit Interview Questions
5. How do you test access management controls?
Access management testing involves four main procedures. First, obtain a full user listing from Active Directory or the application and review it for terminated employees, generic accounts, and over-privileged users. Second, select a sample of joiners from the review period and verify that access was formally requested and approved before provisioning. Third, select a sample of leavers and verify that access was revoked within the organisation’s defined SLA (typically 24 hours for terminations). Fourth, review a sample of privileged accounts and confirm they have enhanced authentication controls and are subject to regular review.
A common follow-up question is: “What sample size would you use?” A typical answer for a medium-risk environment is 25 items for population-based tests (joiners/leavers), and full population review for privileged accounts if the number is manageable.
6. What would you look for when reviewing change management controls?
For change management testing, select a sample of production changes from the review period and verify: that each change has a formal change request with a unique ID, that the change was approved by the Change Advisory Board or a designated approver before implementation, that testing was completed in a non-production environment, and that segregation of duties was maintained (i.e., the developer who coded the change did not independently deploy it to production).
Additionally, review the emergency change process — emergency changes should require retroactive approval and post-implementation review. A high volume of emergency changes is itself a finding, as it suggests the standard change process is being bypassed.
7. How would you audit backup and recovery controls?
Backup controls testing involves verifying that backups are scheduled for all critical systems (per the organisation’s recovery point objectives), that backup jobs are monitored for success or failure, that failures are investigated and resolved, and that restore testing is conducted periodically to confirm recoverability. Evidence typically includes backup job logs, incident tickets raised for failures, and documentation of restore tests.
A common finding in this area is that backups are running but restore testing has never been conducted — meaning the organisation does not actually know whether its backups are recoverable. This is a High finding in most frameworks.
8. What is segregation of duties and how do you test for conflicts?
Segregation of duties (SoD) is the principle that no single individual should be able to initiate, authorise, and record a transaction without oversight. In IT, SoD conflicts arise when a user has access rights that allow them to perform incompatible functions — for example, creating a vendor and approving payments to that vendor in the same ERP system.
Testing involves extracting user access data from the system, mapping roles to transaction codes or functions, and running the data against an SoD conflict matrix. Automated GRC tools can do this at scale. For smaller engagements, a manual review of high-risk role combinations (e.g., vendor creation + payment approval in the procurement-to-pay cycle) is standard.
Scenario-Based IT Audit Interview Questions
9. You discover that a system admin has been creating user accounts without formal approval. How do you handle this?
First, document the finding with clear evidence — the user accounts created, the dates, and the absence of approval documentation. Then determine the extent: is this isolated to one admin or systemic? Review all new accounts created in the period and check for approval documentation. Assess the risk: were any of the accounts created for terminated employees, contractors, or unknown individuals? If so, escalate immediately to management and the CISO.
In the report, classify this as a High finding if there is evidence of active unauthorised accounts, or Medium if it is a process gap where accounts were created for legitimate users but without formal approval. The recommendation should address both the immediate remediation (review and validate all accounts) and the root cause (implement system-enforced controls requiring approval before provisioning).
10. Management pushes back on a finding, claiming the control is compensating. How do you respond?
Compensating controls are legitimate — they are alternative controls that mitigate the same risk when the primary control cannot be implemented. However, a compensating control must actually operate effectively and address the same risk objective. Ask management to document the compensating control, including how it operates, its frequency, who performs it, and evidence that it has been operating throughout the audit period.
If the compensating control is valid and evidenced, update the finding accordingly. If it is theoretical (it could mitigate the risk but has not been evidenced as operating), maintain the finding and note that management has proposed a compensating control that requires implementation and testing. The auditor’s role is to report on the control environment as it exists — not as management intends it to be.
11. How do you prioritise findings in an IT audit report?
Findings are prioritised based on two factors: likelihood and impact. A High finding is one where a control failure could directly result in financial misstatement, regulatory breach, data loss, or significant operational disruption, and where the control gap is material. A Medium finding represents a moderate gap that could be exploited with additional access or Effort. A Low finding is a process improvement opportunity with limited direct exposure.
In practice, always rate by impact to the business — an access management gap in a non-financial system with no sensitive data is lower risk than the same gap in the ERP payroll module. Frame findings in terms the business understands: not “privileged access was not reviewed” but “10 former employees retained active access to the finance system for an average of 47 days after termination.”
IT Audit Interview Questions on Frameworks and Standards
12. What IT audit frameworks are you familiar with?
Key frameworks to know include: COBIT (Control Objectives for Information and Related Technologies) — the primary IT governance and management framework; ITIL — for IT service management and operations; ISO/IEC 27001 — the international standard for information security management; NIST Cybersecurity Framework — widely used for cybersecurity risk management; SOX ITGC — the IT control requirements for companies subject to Sarbanes-Oxley; and, for Saudi Arabia specifically, NCA ECC and the SAMA Cybersecurity Framework.
When answering, mention the frameworks most relevant to the role. For a Big Four IT audit role, emphasise SOX ITGC and ISO 27001. For a Saudi government or financial sector role, lead with NCA ECC and SAMA.
13. What is the difference between ISO 27001 certification and NCA ECC compliance?
ISO 27001 is an internationally recognised standard for information security management systems. It is voluntary and results in a formal third-party certification valid for three years, with annual surveillance audits. NCA ECC is a Saudi regulatory framework mandatory for government entities and critical infrastructure operators. It uses a maturity model assessment format rather than a pass/fail certification, and organisations report results to the NCA annually.
The two frameworks have significant overlap in control areas, but NCA ECC includes Saudi-specific requirements (e.g., data localisation, national incident reporting obligations) that are not covered by ISO 27001. Organisations operating in Saudi Arabia often pursue both: ISO 27001 for international credibility and NCA ECC for regulatory compliance.
14. What tools do IT auditors use?
Common IT audit tools include: data analytics tools such as ACL (Galvanize), IDEA, or Python/SQL for analysing large datasets and identifying anomalies; vulnerability scanning tools such as Nessus or Qualys for technical security assessments; GRC platforms such as ServiceNow GRC, MetricStream, or RSA Archer for managing audit programmes and control frameworks; and standard productivity tools (Excel, TeamMate, or AuditBoard) for working paper documentation.
For Saudi-specific audits, familiarity with the NCA’s official self-assessment tools and SAMA’s examination templates is valuable. Interviewers asking about tools want to understand your technical depth — be specific about which tools you have actually used and for what purpose.
Career and Behavioural IT Audit Interview Questions
15. How do you stay current with IT audit developments?
Strong answers mention specific sources: ISACA publications and the CISA/CRISC study materials, IIA (Institute of Internal Auditors) guidance on technology audit, regulatory updates from SAMA and NCA for Saudi-based auditors, vendor security advisories for technologies in scope, and professional networks or CPE programmes. If you hold CISA or are studying for it, mention it — it is the gold standard qualification for IT auditors.
16. Describe a challenging audit engagement and how you handled it.
Use the STAR format: Situation (what was the audit and what made it challenging), Task (what your specific responsibility was), Action (what you did to address the challenge), Result (the outcome). Challenges that resonate well include: an auditee who was uncooperative with evidence requests (demonstrates your ability to manage relationships and escalate appropriately), a technical area outside your expertise (shows intellectual curiosity and how you used subject matter experts), or a tight deadline with a high-risk finding (shows judgement under pressure).
Avoid choosing an example where the challenge was essentially “management did not implement the recommendations.” Focus on challenges you actively navigated.
If you are building an IT audit function or preparing your team for regulatory assessments under NCA ECC or SAMA, a GRC platform can streamline evidence collection, automate control testing workflows, and generate audit-ready reports. GRCVantage is built for Saudi and GCC organisations managing exactly this challenge.
