IT auditors are responsible for evaluating information systems, identifying control weaknesses, and ensuring organizations meet compliance requirements across frameworks like SOC 2, ISO 27001, and NIST. The role demands both technical depth and the ability to translate complex findings into clear, actionable language for executives and boards. These 35 prompts help IT auditors move faster through planning, fieldwork, reporting, and follow-up.
1. Audit Planning and Scoping
I am planning an IT general controls audit for a mid-size company using [ERP system]. Create a detailed audit scope document covering access management, change management, backup and recovery, and IT operations.
We are about to begin a SOC 2 Type II readiness assessment for a SaaS company. List the key areas I should scope into the audit and the evidence types I will need to collect for each of the Trust Services Criteria.
Help me build a risk-based audit plan for a cloud infrastructure environment hosted on AWS. Identify the top 10 IT risks I should prioritize and explain why each is high-risk in a cloud context.
Create an audit planning memo template for an IT audit engagement that covers objectives, scope, methodology, team roles, timeline, and key stakeholder contacts.
I need to present the audit scope and objectives to the IT leadership team before fieldwork begins. Draft a one-page scope presentation outline that explains what we will test, why we selected those areas, and what we expect from their team.
2. Control Testing and Evidence Collection
Develop a testing procedure for evaluating the effectiveness of a company's user access review process. Include the population to sample, the sample size methodology, the evidence to request, and the pass/fail criteria.
I am testing change management controls in a software development environment. List 15 specific pieces of evidence I should request to verify that changes are authorized, tested, and approved before deployment.
Create a workpaper template for documenting a control test. Include fields for control objective, test procedure, population, sample, evidence obtained, exceptions noted, and conclusion.
We identified that privileged access accounts are not reviewed on a regular schedule. Write an exception memo documenting the control deficiency, root cause, risk impact, and recommended remediation.
Describe the steps I should take to test the effectiveness of a company's patch management program, including how to verify that critical patches are applied within the required timeframe.
3. Cybersecurity and Vulnerability Assessment
I need to assess a company's cybersecurity posture against the NIST Cybersecurity Framework. Create a high-level gap analysis template organized by the five framework functions: Identify, Protect, Detect, Respond, and Recover.
Our client recently experienced a ransomware incident. Draft an audit program to evaluate the adequacy of their incident response controls before, during, and after the event.
Explain the key differences between a penetration test and a vulnerability assessment in terms that a non-technical audit committee member would understand, and describe when each is appropriate.
Create a checklist for reviewing a company's network segmentation controls, including firewall rule review, DMZ configuration, and lateral movement prevention measures.
I am auditing a company's endpoint security program. List the 10 most critical controls I should verify are in place and the test procedures for each.
4. Compliance and Regulatory Frameworks
Create a controls mapping matrix that aligns a company's existing IT controls to the requirements of SOC 2 Trust Services Criteria, ISO 27001 Annex A, and NIST SP 800-53. Use a table format with columns for each framework.
Our client is subject to both GDPR and CCPA. Identify the top 10 IT controls they should have in place to address data privacy requirements under both regulations and flag any areas where the two frameworks conflict.
Draft an audit finding for a company that does not have a documented data retention and destruction policy as required by [specific regulation]. Include the criteria, condition, cause, effect, and recommendation.
Help me prepare for a PCI DSS audit by creating a pre-audit readiness checklist organized by PCI DSS requirement number, covering the most commonly failed controls.
A client is asking whether their current controls satisfy HIPAA Security Rule requirements. Create a gap analysis questionnaire I can use during interviews with their IT and compliance teams.
5. Audit Report Writing and Finding Communication
Draft a professionally worded audit finding using the CCAR format (Criteria, Condition, Cause, Risk/Effect, Recommendation) for the following issue: [describe the control weakness in plain terms].
I need to write an executive summary for an IT audit report that contains three high-risk and five medium-risk findings. Draft an executive summary that conveys urgency without being alarmist and uses clear business language.
Translate this technical finding into business language for a board-level audience: [paste technical finding]. Explain the risk in terms of financial impact, reputational damage, or operational disruption.
Create a risk rating matrix for IT audit findings with definitions for Critical, High, Medium, and Low risk levels, based on likelihood and impact factors.
Draft management responses for the following three audit findings: [paste findings]. Write the responses from the perspective of an IT manager who accepts the findings and commits to specific remediation actions with target dates.
6. Stakeholder Interviews and Fieldwork Communication
Create an interview guide for a meeting with a company's IT Director covering their change management, access governance, and disaster recovery programs. Include 15 open-ended questions.
Draft a fieldwork kickoff email to send to client IT staff that explains the audit process, lists the initial document requests, sets the evidence submission deadline, and provides our contact information.
I received pushback from a client manager who disagrees with one of our audit findings. Draft a diplomatic response that reaffirms our position, acknowledges their perspective, and explains the audit standard we applied.
Create a status update template for a weekly audit progress meeting that covers: work completed, evidence still outstanding, issues identified, and tasks for the following week.
An auditee claims that a compensating control offsets the deficiency we identified. Write a framework for evaluating whether a compensating control is sufficient to mitigate the original risk.
7. Continuous Auditing and Professional Development
Design a continuous auditing program for user access management that uses automated data analytics to monitor access provisioning, deprovisioning, and privileged account activity on a monthly basis.
Create a data analytics test plan for detecting anomalous transactions in a financial system. Include the data fields needed, the logic of the analytics scripts, and the exception thresholds to investigate.
I want to build an IT audit quality assurance checklist to self-review my workpapers before submission. List 20 items that should be verified to ensure completeness, accuracy, and compliance with auditing standards.
Suggest a 12-month professional development plan for an IT auditor pursuing their CISA certification. Include study milestones, practice exam schedule, and supplementary resources for each CISA domain.
List the top 10 emerging IT risks that internal audit departments should be adding to their audit universe in the next two years, and briefly explain why each represents a growing threat.
Get All 35 Prompts in One Place
If these prompts were useful, I've compiled all 35 into a ready-to-use toolkit with bonus prompts and usage notes.
Works with ChatGPT, Claude, and DeepSeek.