Internal Audit Case Study (Scenario Questions)


Internal Audit Scenario Based Questions.

1) While understanding the HR and Workflow project, you request the BGV (background verification) process. The SPOC explains
that BGV is only performed for team management roles and above. You ask for the SOP where this is stated. Upon
checking the document, the statement made by the HR SPOC is not mentioned anywhere. What will you do?
a) Raise a N-C as the stated practice is not mentioned in the SOP.
b) Don't raise a N-C as it is not mandatory to conduct BGV for all employees.
c) Raise an opportunity for improvement to follow the process as per the SOP (or) update the SOP to reflect the
current practice.

2) While conducting an audit of the HR department, you find that only a few contractors have confidentiality or
non-disclosure agreements in place. Upon checking the NDA, you find that the information to be protected is identified
and documented, but the NDA is not regularly reviewed and has not been signed. What will you do?
a) Raise a N-C as the NDA is not regularly reviewed and approved.
b) Don't raise a N-C as an NDA is available for contractors.
c) Raise an opportunity for improvement to identify, document, review and have the NDA signed by all
contractors.
3) During an operations audit, you notice that some recently acquired assets have not been added to the asset
inventory and that the accuracy of the asset data is low. The SPOC explains that these updates will be made next month. In the
procedure document, you notice a statement that devices should be assigned and added to the
asset inventory within a week after an employee joins the organization. What will you do?
a) Raise a N-C as the asset inventory was not updated as per the procedure document.
b) Don't raise a N-C as the SPOC stated that the asset inventory updates will be completed next month.
c) Raise an opportunity for improvement to update the asset inventory immediately with appropriate values.

4) During an operations audit, while verifying role-based access control, you discover that individual contributor
employees can access files in the department's folder. Furthermore, senior management grade employees from
the same department also have access to files in the same folder. The SPOC explains that whoever has access to
this folder can access all files within it. What will you do?
a) Raise a N-C as both individual contributors and senior management employees have access to the
same files.
b) Don't raise a N-C as there is no statement that individual contributors and senior
management employees should not have access to the same files.
c) Propose an opportunity for improvement to revoke the individual contributors' access to the
files which are accessed by senior management level.

5) During an audit of the IT department, you ask about protection against malware on the network. The IT
department SPOC explains that various tools are used to secure network devices and that they are regularly reviewed by IT
admins. You notice that a tool securing the network devices is not on the latest version. When asked
about this, the SPOC explains that the latest version of the tool is in the testing stage and it will be deployed
after testing is completed. What will you do?
a) Raise a N-C as the tool which is protecting a set of network devices is not on the latest version.
b) Don't raise a N-C as there is a statement that installation is only done after successful testing of
a stable version of any tool.
c) Propose an opportunity for improvement to update the tool to the latest version after testing is
completed.
6) During an audit of the IT department, while asking about the deletion of information, they explain that
"the information of customers will be deleted after the requirement of the customer is fulfilled, and it can be
retained if requested by the customer". You notice that certain employees in the operations department were
deleting customer records from their local machines but were not consistently deleting backup copies stored on
shared network drives. What will you do?
a) Raise a N-C as backup data was not deleted and there is no evidence that retention was requested by the
customer.
b) Don't raise a N-C, considering it as backup data on the shared drives.
c) Propose an opportunity for improvement to delete the customers' data immediately even if it is stored on
a backup server.

7) During an audit of the Administration department, you notice that the data storage areas are located in a
secured data center. However, upon closer inspection, you notice that physical entry to this secured
area is accessible to all employees. What will you do?
a) Raise a N-C as the secured area can be accessed by all employees.
b) Don't raise a N-C as the secured area is protected by access control devices.
c) Propose an opportunity for improvement to apply proper authorization controls to the access control
devices.
8) During an audit of the Admin department, you notice that no specific team is defined to identify and assess
physical and environmental threats. While querying about the process, the SPOC explains that no dedicated
employee is deployed for this assessment; instead, admins from each location identify and assess the physical and
environmental threats. What will you do?
a) Raise a N-C as no dedicated team is implemented for identifying and assessing physical
and environmental threats.
b) Don't raise a N-C as a specific team is not mandatory to identify and assess physical and environmental
threats.
c) Propose an opportunity for improvement to deploy a dedicated team to identify, assess, review and treat
physical and environmental threats.

Note: If you are raising a non-conformity, justify controls and clauses that impact the non-conformity.
