"Tell me about a time you had to assess or audit a client's internal security controls when the environment was complex or poorly documented. How did you structure your approach, work with stakeholders to validate gaps, and communicate your findings and recommendations?"
