Auditor Q&A Tactics
Answering auditor questions effectively is an art. This lesson teaches you how to respond confidently, handle difficult questions, and avoid common traps.
Understanding the Auditor's Perspective
What Auditors Are Doing
Not "Gotcha" Games:
- Auditors aren't trying to trick you
- They want to understand your ISMS
- They're verifying conformity
- They need evidence to support decisions
They Are:
- Following a systematic process
- Sampling to draw conclusions
- Looking for patterns
- Assessing effectiveness
- Gathering evidence
Good Auditors:
- Ask open-ended questions
- Listen actively
- Seek to understand
- Give you a chance to demonstrate
- Are professional and respectful
Types of Questions
1. Knowledge Questions "What is your risk assessment methodology?"
- Testing understanding
- Verifying awareness
- Checking involvement
2. Process Questions "How do you handle access requests?"
- Understanding your processes
- Checking implementation
- Looking for consistency
3. Evidence Questions "Can you show me evidence of quarterly access reviews?"
- Verifying claims
- Confirming implementation
- Checking records
4. Effectiveness Questions "How do you know your security awareness training is working?"
- Assessing outcomes
- Checking monitoring
- Evaluating results
5. Scenario Questions "What would happen if an employee's laptop was stolen?"
- Testing incident response
- Checking business continuity
- Verifying preparedness
The STAR Method for Answering
Situation - Task - Action - Result
How to Use STAR
Structure your answers:
Situation: Set the context
Task: Explain what needed to be done
Action: Describe what you did
Result: Share the outcome
Example Application
Auditor: "How do you ensure employees follow security policies?"
Poor Answer: "We have training and policies. Everyone knows what to do."
- Vague
- No evidence
- Not convincing
Good Answer using STAR:
Situation: "We identified that policy awareness was inconsistent across departments."
Task: "We needed to ensure all employees understood and followed our security policies."
Action: "We implemented a multi-layered approach:
- All new employees complete security training on day one
- Annual refresher training is mandatory for all staff
- We conduct quarterly phishing simulations
- Managers reinforce policies in team meetings
- Policies are easily accessible on our intranet"
Result: "We now have a 98% training completion rate, our phishing click rate dropped from 28% to 8%, and our last internal audit showed strong policy adherence across all departments."
Why This Works:
- Specific and detailed
- Shows systematic approach
- Provides metrics
- Demonstrates effectiveness
- Backs up claims
Question-by-Question Tactics
"Tell me about..."
What They Want: Overview and understanding
How to Answer:
- Brief summary (30 seconds)
- Key components
- Why you designed it that way
- How it works in practice
- Outcomes achieved
Example:
Q: "Tell me about your risk assessment process."
A: "Our risk assessment uses a semi-quantitative methodology with a 5x5 risk matrix. We conducted our first assessment in January 2025 with a cross-functional team from IT, operations, legal, and business units. We identified 42 risks across our customer database, web application, and cloud infrastructure. Each risk was assessed for likelihood and impact, scored, and assigned an owner. We reassess quarterly and whenever significant changes occur. Our last assessment in January identified three new risks related to our cloud migration project."
"How do you..."
What They Want: Process details
How to Answer:
- Step-by-step process
- Who is involved
- Tools or systems used
- Documentation produced
- Example if helpful
Example:
Q: "How do you handle user access requests?"
A: "We use a formal access request process through ServiceNow:
- Employee submits access request ticket specifying system and access level needed
- Their manager reviews and approves based on job role
- IT Security reviews to ensure least privilege and segregation of duties
- System owner grants access
- Employee receives notification
- Request is logged in our access management system
The process typically takes 1-2 business days. We review all access quarterly to ensure it's still appropriate."
"Show me..."
What They Want: Evidence
How to Answer:
- "Certainly, let me pull that up"
- Navigate to evidence
- Explain what they're seeing
- Point out key elements
- Ask if they need anything else
Example:
Q: "Show me evidence of your quarterly access reviews."
A: "Absolutely. Let me open our access review tracker..." [Screen share or open document]
"This is our Q4 2024 access review. You can see:
- Column A lists all systems in scope
- Column B shows the system owner who conducted the review
- Column C shows the review date - all completed in October
- Column D shows the number of users reviewed
- Column E shows any access changes made
- Column F has the sign-off
For example, here on row 5, Jane Smith reviewed the CRM system on October 15th, reviewed 47 users, revoked access for 3 terminated employees, and signed off. Would you like me to show you the detailed review for any specific system?"
"Can you explain the difference between..."
What They Want: Understanding of concepts
How to Answer:
- Define each term
- Explain the key differences
- Give examples from your context
- Show how both apply to your ISMS
Example:
Q: "Can you explain the difference between inherent risk and residual risk?"
A: "Certainly:
Inherent risk is the level of risk before any controls are applied - the 'raw' risk. For example, our customer database carries an inherent risk of unauthorized access. Without any controls, this would be likelihood 5, impact 5, for a score of 25 (Critical).
Residual risk is what remains after our controls are applied. We've implemented MFA, access controls, encryption, and monitoring. With these controls, the residual risk is now likelihood 2, impact 4, for a score of 8 (Medium).
We document both in our risk register. The inherent risk helps us understand the true exposure, while residual risk shows the effectiveness of our controls and helps us determine if the remaining risk is acceptable."
"Why did you..."
What They Want: Rationale for decisions
How to Answer:
- Acknowledge the decision
- Explain the context that informed it
- Describe the factors considered
- Justify the decision
- Show it was deliberate, not arbitrary
Example:
Q: "Why did you exclude control A.7.4 Physical Security Monitoring from your SoA?"
A: "Good question. We excluded this control because we operate entirely in cloud infrastructure - specifically AWS for all our systems and data. We have no physical data centers or server rooms in our scope.
When we conducted our risk assessment, we identified physical security as a risk, but it's AWS's responsibility under the shared responsibility model. We verified that:
- AWS has ISO 27001 certification covering their physical controls
- AWS implements 24/7 physical monitoring at their data centers
- This is documented in their SOC 2 report which we reviewed
- Our contract with AWS covers these requirements
So we transferred this risk to AWS rather than implementing the control ourselves. This is documented in our risk register as Risk R-030 'Physical Security of Infrastructure' with treatment decision: Transfer to AWS.
If we were to open a physical office with servers, we would reassess this control for inclusion."
"What would you do if..."
What They Want: Testing preparedness and understanding
How to Answer:
- Reference your documented procedure
- Walk through the steps
- Mention who would be involved
- Describe expected outcomes
- Give a real example if one exists
Example:
Q: "What would you do if you discovered unauthorized access to your customer database?"
A: "We would follow our incident response procedure:
Immediate Actions (0-1 hour):
- IT Security team would be notified via our alerting system
- Incident manager would be assigned
- We'd contain the access - likely by disabling the compromised account and rotating database credentials
- Preserve evidence - take snapshots of logs, system states
Investigation (1-24 hours):
- Determine scope - what data was accessed, how much, for how long
- Identify root cause - how did unauthorized access occur
- Assess impact - which customers affected
- Document everything in our incident tracking system
Response (24-72 hours):
- Notify management and legal team
- If personal data affected, assess GDPR notification requirements
- Implement additional controls to prevent recurrence
- Communicate with affected parties per our breach notification procedure
Post-Incident:
- Conduct post-incident review
- Update procedures based on lessons learned
- Update risk assessment if needed
We actually had a similar scenario in a tabletop exercise last month, so the team is practiced in this process. Would you like to see our incident response procedure or the tabletop exercise report?"
"How do you know..."
What They Want: Evidence of effectiveness
How to Answer:
- State what you measure
- Explain measurement method
- Share current metrics
- Show trends
- Describe what you do with the data
Example:
Q: "How do you know your vulnerability management process is effective?"
A: "We measure effectiveness through several KPIs:
1. Patching Speed:
- Target: 95% of critical vulnerabilities patched within 7 days
- Current: 97% (January 2025)
- Trend: Improved from 82% in October 2024
2. Vulnerability Age:
- Target: No critical vulnerabilities older than 14 days
- Current: Zero critical vulns > 14 days old
- Trend: Maintaining since December 2024
3. Vulnerability Count:
- Total vulnerabilities: Decreased from 247 (Oct) to 89 (Jan)
- Critical vulnerabilities: Decreased from 12 to 1
- Trend: Steady improvement
We track these in our monthly security metrics dashboard, which goes to management. When we see degradation, we investigate root cause. For example, in November we saw patching speed drop to 88%, discovered it was due to a problematic patch that caused application issues, adjusted our testing process, and performance recovered.
I can show you our vulnerability dashboard if you'd like."
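The KPIs quoted in this answer are only as credible as the records behind them. The following is an added example, not part of the lesson or any scanner's own tooling: it computes the 7-day critical patch rate, the list of critical findings open longer than 14 days, and open counts per severity from a constructed set of scan records. The `Finding` fields, the function names and the sample data are all this example's own assumptions.

```python
"""Vulnerability management KPIs of the kind quoted to an auditor.

Constructed sample data; the Finding fields and function names are this
example's own assumptions, not any scanner's API.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    severity: str            # "critical", "high", ...
    detected: date           # first seen by the scanner
    patched: Optional[date]  # None while still open


def sla_patch_rate(findings, as_of, severity="critical", sla_days=7):
    """Percentage of <severity> findings patched within sla_days of detection.

    Only findings whose deadline has already passed are counted: a finding
    detected two days ago is neither a success nor a miss yet. An open finding
    whose deadline has passed counts as a miss. Returns None when nothing is due.
    """
    due = [f for f in findings
           if f.severity == severity
           and f.detected + timedelta(days=sla_days) <= as_of]
    if not due:
        return None
    met = sum(1 for f in due
              if f.patched is not None
              and f.patched <= f.detected + timedelta(days=sla_days))
    return round(100.0 * met / len(due), 1)


def open_older_than(findings, as_of, severity="critical", max_age_days=14):
    """IDs of still-open <severity> findings older than max_age_days."""
    return sorted(f.vuln_id for f in findings
                  if f.severity == severity and f.patched is None
                  and (as_of - f.detected).days > max_age_days)


def open_counts(findings):
    """Open findings per severity, e.g. {"critical": 3, "high": 1}."""
    counts = {}
    for f in findings:
        if f.patched is None:
            counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample: a small scan history, reported as of 31 January 2025.
AS_OF = date(2025, 1, 31)
SAMPLE = [
    Finding("V-001", "critical", date(2025, 1, 2), date(2025, 1, 5)),    # 3 days: met
    Finding("V-002", "critical", date(2025, 1, 3), date(2025, 1, 9)),    # 6 days: met
    Finding("V-003", "critical", date(2025, 1, 10), date(2025, 1, 14)),  # 4 days: met
    Finding("V-004", "critical", date(2025, 1, 20), None),  # open, deadline 27 Jan passed: miss
    Finding("V-005", "critical", date(2025, 1, 28), None),  # open, deadline 4 Feb not yet due
    Finding("V-006", "high", date(2025, 1, 5), None),
    Finding("V-007", "high", date(2024, 12, 1), date(2025, 1, 4)),
    Finding("V-008", "critical", date(2025, 1, 8), None),   # open 23 days: miss, and over the 14-day limit
]

if __name__ == "__main__":
    print("critical patched within 7 days:", sla_patch_rate(SAMPLE, AS_OF), "%")
    print("critical open > 14 days:", open_older_than(SAMPLE, AS_OF))
    print("open by severity:", open_counts(SAMPLE))
```

Running the same functions over each month's export gives the trend figures; the "not yet due" exclusion is what keeps a rate from dipping simply because a scan ran yesterday.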
Handling Difficult Questions
When You Don't Know the Answer
Don't:
- Make something up
- Guess or speculate
- Deflect or change subject
- Get defensive
- Say "I don't know" and stop there
Do:
- Be honest: "I don't have that information right now"
- Explain why: "That's managed by our operations team"
- Offer to find out: "I can get that answer within 30 minutes"
- Offer alternative: "I can show you our process documentation instead"
- Get help: "Let me bring in Sarah who manages that area"
Example:
Q: "What's your current patching compliance rate for servers?"
A (if you don't know): "I don't have those exact figures at my fingertips - our IT operations team tracks that metric in real-time. What I can tell you is that we have an automated patching process that runs weekly, and our target is 95% compliance within 7 days for critical patches. Let me get you the current report - I can have that for you in 10 minutes. Or would you prefer to speak directly with our IT Operations Manager who can walk you through the live dashboard?"
When You're Caught in a Gap
Don't:
- Deny it
- Make excuses
- Blame others
- Minimize it
- Get emotional
Do:
- Acknowledge it honestly
- Explain the context
- Show what you're doing about it
- Demonstrate understanding of the requirement
- Commit to correction
Example:
Q: "I see here that User #47 doesn't have MFA enabled. Why not?"
A: "You're right, thank you for catching that. Looking at the account, this is a service account that was set up two months ago and it appears the MFA enrollment step was missed in our onboarding process.
This is a gap. According to our policy, all accounts including service accounts should have MFA. This particular account doesn't interactively log in - it's used for automated processes - but it should still have MFA on any interactive access paths.
Let me document this as a finding. We'll:
- Enable MFA on this account today
- Review all service accounts to ensure no others were missed
- Update our onboarding checklist to include a verification step for service accounts
- Add service accounts to our quarterly access review to catch any future gaps
Can I show you our onboarding checklist so we can identify where this step should be added?"
When Auditor Seems to Misunderstand
Don't:
- Say "You're wrong"
- Be condescending
- Get frustrated
- Argue
Do:
- Seek to understand their concern
- Clarify your explanation
- Provide additional context
- Show evidence
- Ask if that addresses their concern
Example:
Q: "Your policy says backups are daily, but this log shows last backup was 3 days ago."
A: "I understand the concern. Let me clarify what you're seeing. This log shows file-level backups, which run weekly on Sundays. Our daily backups are database snapshots, which are in a different system.
Let me show you the database backup log... [pulls up log] ...here you can see daily backups at 2 AM every day, with the most recent being this morning.
We have two backup systems:
- Database snapshots - daily
- File-level backups - weekly
Both are documented in our backup procedure on page 3, section 2.1. Does that clarify the backup frequency?"
When Asked About Something Not Implemented Yet
Don't:
- Pretend it's implemented
- Say "we're planning to" without specifics
- Hope they won't find out
Do:
- Be transparent about implementation status
- Refer to your SoA status
- Show your implementation plan
- Explain timeline
- Show what you have done
Example:
Q: "Can you show me your SIEM implementation for centralized logging?"
A: "Our SIEM implementation is currently in progress. In our Statement of Applicability, we documented control A.8.16 as 'In Progress' with target completion of March 31st.
Currently we have:
- SIEM platform selected and procured (Splunk)
- Core infrastructure deployed
- 60% of log sources connected (authentication logs, firewall, database audit logs)
- Alert rules configured for critical events
- SOC team trained
Still in progress:
- Connecting remaining application logs
- Tuning alert thresholds
- Implementing automated response playbooks
Our implementation plan shows we're on track. I can show you the project plan, current dashboard, and the log sources already integrated. Would that be helpful?"
Body Language and Communication Tips
Verbal Communication
Do:
- Speak clearly and at moderate pace
- Use professional language
- Pause to think before answering
- Ask for clarification if needed
- Admit when you need to look something up
Don't:
- Rush your answers
- Use excessive jargon
- Ramble or over-explain
- Interrupt the auditor
- Guess at technical details
Non-Verbal Communication
Do:
- Maintain professional posture
- Make appropriate eye contact
- Stay calm and composed
- Take notes
- Nod to show understanding
Don't:
- Cross arms defensively
- Avoid eye contact
- Show frustration or stress
- Fidget excessively
- Look at phone/computer unless showing evidence
Active Listening
Techniques:
- Listen completely before responding
- Paraphrase to confirm understanding: "So you're asking about..."
- Ask clarifying questions: "When you say 'user accounts,' do you mean..."
- Acknowledge their points: "That's a good question"
- Take notes of questions and requests
Common Question Patterns and Responses
"Walk me through how you..."
They Want: End-to-end process
Template Response:
"I'd be happy to walk you through that. The process has [X] main steps:
[List steps with who does what]
Let me show you an example... [Show evidence from real case]
The typical timeframe is... [Outcomes/results]"
"What happens when..."
They Want: Exception handling, edge cases
Template Response:
"That's handled in our [procedure name]. When [situation] occurs:
[Step-by-step response]
For example, [real or hypothetical example]
The outcome is [result]. This ensures [how it meets requirement]."
"How often do you..."
They Want: Frequency, consistency
Template Response:
"We [do this activity] [frequency]. This is documented in [procedure/policy].
[Explain why this frequency was chosen]
Here's evidence from the last [X] times we did it: [Show log/records/reports]
We track compliance to this schedule in [system/document]."
"Who is responsible for..."
They Want: Accountability, roles
Template Response:
"[Role/person name] is responsible for [activity]. This is documented in [ISMS roles document/job description].
They report to [manager] and have [authority/resources].
[Name] has been in this role since [date] and has [qualifications].
Would you like to speak with them about [topic]?"
"When was the last time..."
They Want: Recency, evidence of ongoing operation
Template Response:
"The last time was [specific date]. [Brief description of what happened]
Here's the record/evidence: [show document]
Before that, it was [previous date], and [brief description].
The frequency is [schedule] as required by [policy/standard]."
Practice Scenarios
Scenario 1: Risk Assessment Challenge
Auditor: "I see you've identified 42 risks, but some of these seem quite similar. Why so many?"
Poor Response: "That's just how many risks we found."
Good Response: "Good observation. We initially identified over 60 potential risks in our brainstorming sessions. We consolidated similar risks where appropriate, but kept some separate where they affect different assets or business processes, even if the threat is similar.
For example, you'll see R-003 'Phishing attack on email system' and R-012 'Social engineering attack on help desk' are separate. While both involve social engineering, they target different assets (email vs. service desk), have different impacts (credential theft vs. unauthorized access), and require different controls (email filtering vs. help desk procedures).
Our risk methodology allows us to consolidate risks if they truly have the same cause, affect the same assets, and warrant the same treatment. But we found value in keeping these granular to ensure each gets appropriate controls and ownership. Would you like me to walk through any specific risks that seem like candidates for consolidation?"
Scenario 2: Missing Evidence
Auditor: "Can you show me evidence that all employees have acknowledged the acceptable use policy?"
Poor Response: "Everyone signed it when they joined."
Good Response: "Let me pull up our policy acknowledgment tracker... [opens spreadsheet]
I'm showing 98% of current employees have signed acknowledgment. The 2% gap represents employees who joined in the last two weeks and are still completing their onboarding checklist. Policy acknowledgment is part of day-one onboarding, so these should be complete within the next week.
For your sample, you mentioned you want to verify employees 1, 15, 23, 34, and 47. Let me filter to those... [filters] ...I can show you the signed acknowledgment forms for each. They're stored digitally and cross-referenced by employee ID.
The two employees who haven't signed yet are employees 51 and 52, who both started last Monday. Would you like me to show you their onboarding checklists showing policy acknowledgment is scheduled for completion this week?"
Scenario 3: Control Effectiveness Question
Auditor: "Your security awareness training completion is 87%. Your target is 95%. Why the gap?"
Poor Response: "Some people haven't done it yet."
Good Response: "You're right, we're currently at 87% against our 95% target. Let me explain what's driving that gap and what we're doing about it.
[Shows training dashboard]
The 13% gap breaks down as:
- 5% are new employees still in their 30-day onboarding window
- 4% are on extended leave (maternity, medical)
- 3% are overdue and receiving escalations
- 1% are contractors finishing before their contract end date
For the 3% truly overdue (12 people), we have an escalation process:
- Day 30: Automated reminder
- Day 45: Manager notification
- Day 60: Access restriction until training complete
Looking at the trend, we were at 82% in October, 85% in November, 87% in December, so we're on an improving trajectory. We expect to hit 95% by end of January when onboarding cycles complete and we resolve the overdue cases.
For the employees on extended leave, they'll complete training within 30 days of return per our policy. Would you like to see the overdue employee list and the escalation communications we've sent?"
Final Tips for Success
Before Questions:
- Take a breath
- Listen to the complete question
- Think before you speak
- Organize your thoughts
During Answers:
- Start with the key point
- Provide necessary details
- Back up with evidence
- Check for understanding
- Stop when done (don't ramble)
After Questions:
- Ask if that answered their question
- Offer additional information if relevant
- Document any commitments you made
- Follow up on anything you promised
Remember:
- Auditors are people too
- They want you to succeed
- Honest and thorough beats perfect
- It's okay to not know everything
- Your preparation shows through
Next Lesson: Learn how to defend against and respond to common audit findings.