Managing Sensitive Audit Conversations

After years of conducting audits across various organizations, I've learned that sometimes the most challenging part isn't reviewing the documentation—it's managing difficult auditees. Here's what I've found works: Start with empathy: Remember that audits can feel threatening. Your auditee might be defensive because they're worried about their work being criticized. Acknowledge their expertise and make it clear you're there to help improve processes, not to find fault. Set clear expectations early: Explain your process, timeline, and exactly what you need. When people understand the 'why' behind your requests, they're more likely to cooperate. I always start with: "Here's what success looks like for both of us..." Document everything professionally: A difficult auditee might challenge your findings later. Keep detailed notes of all interactions and evidence requests. But avoid using confrontational language in your documentation—stay objective and fact-based. Build informal relationships: I've found that grabbing a coffee with the auditee before diving into work can transform the entire dynamic. The walls come down when they see you as a person, not just an auditor. Use the "feedback sandwich" technique: When discussing findings, start with something positive, address the issues, and then end with constructive suggestions. It helps maintain a collaborative atmosphere even during tough conversations. Remember: The goal isn't to win an argument—it's to help the organization improve. Sometimes the most resistant auditees become your biggest allies once they understand you're on their side. What strategies have you found effective in handling challenging audit situations? Share your experiences below! 👇 PS: Below pic is just for LinkedIn algorithm and not at all related to this post, don't consider it as a tip :D #InternalAudit #Leadership #ProfessionalDevelopment #IA #AuditBestPractices #CorporateGovernance

How to Win Any Audit Conversation 5P Audit Talk Code Ever feel like you're walking into an ISO audit with a target on your back? You know your work is solid — but the moment the auditor walks in, your confidence walks out. One wrong word. One nervous ramble. One offhand comment — and suddenly, the conversation spirals. Let’s fix that. Here’s how to talk to any ISO Auditor — without slipping up or sounding unsure. 🧭 THE 5P Audit Talk Code **Think of it like your GPS for audit conversations 1. Polite – But Not Passive Tone rule: calm, respectful, not overly eager. → Avoid over-explaining or defending. → Don’t fill silences — let them ask. → Use neutral phrasing:  “Let me walk you through how we approach that”  “This is how it’s currently structured” 2. Precise – No Rambles Stick to the question. Answer what was asked. Nothing more. Nothing less. Auditor: “Do you monitor this?” Wrong: “Well… not really, but we tried to set it up last year…” Right: “Yes. We monitor it monthly using [X]. I can show you the last three reports.” → Think Twitter, not TED Talk. 3. Process-Based – Not People-Based Talk about the system, not individuals. Wrong: “John usually checks it.” Right: “The process requires a monthly review by the department lead, documented in [system/tool].” Use phrasing like:  “The process we follow is…”  “Our current procedure outlines…” 4. Proof-Backed → Don’t explain it — show it.  → If you say it exists, have it ready.  → Screenshots, logs, reports, checklists — whatever backs your point. Pull up real examples if asked: “Here’s the form we use” Don’t explain verbally what you can demonstrate visually. 5. Professional – Stay in Audit Mode No complaints. No sarcasm. No improvisation. And never (!) blame another person or team — even if you really want to. If you don’t know, say:  “That’s outside my scope, but I can connect you with the right owner”  “Let me confirm that and follow up — would you like that in writing?” 🔄 Bonus: When You’re Unsure – How to Stay in Control Even the best-prepared person hits a moment of doubt. When that happens, don’t guess. Use audit-fluent bridging phrases like: → “I want to be accurate on that — let me double-check the current setup” → “That’s owned by another team — I’ll loop them in so you get the full picture” → “We’ve been updating this area — can I show you where we are with it right now?” → “Give me a second — I’ll pull up the latest record so you can see exactly what we’ve got” → “That’s a fair question. The way we currently approach it is evolving, but here’s what’s in place today” These buy you time, maintain confidence and show that you know your process. *** Auditors don’t just listen to your words. They read your behavior and mindset. This Code helps you speak with clarity, alignment and credibility. Tell me — what you always use to stay cool during an audit? P.S. Want the 5P Audit Talk Code™ as a printable card? Comment “5P” and I’ll send it your way. #Auditor #Quality

I used to treat IT audit walkthroughs like a police interrogation.   Early in my career, I’d march in with a 50-question checklist and a serious face.   I thought my job was to prove how much I knew and find the "gotchas" immediately.   The result?   Terrified stakeholders. One-word answers. And zero insight into what was actually happening in the environment.   I was auditing the person, not the process.   Then I realized that if I wanted the truth, I had to stop acting like an adversary and start acting like a partner.   I’ve visualized the 5 steps to a perfect walkthrough in the guide below 👇   But here are 3 advanced rules I learned the hard way (that go beyond the guide):   1. The "Silent Wingman" Strategy: Bring a junior auditor, but give them one job: observe. While you manage the conversation flow, they catch the details you miss. Just make sure they know to stay silent unless something critical is being overlooked, two people firing questions at once feels like an ambush.   2. The "Souvenir" Tactic: If you map a process on a whiteboard (which you should), don't just take a photo for your workpapers and leave. Offer the diagram to the auditee for their own documentation. It turns the audit from a compliance exercise into free consulting, proving you're there to help, not just judge.   3. Watch Your "Red Pen": I once had an auditee panic just because I switched pen colors to mark a follow-up note, they thought I’d found a "major failure." Your physical cues matter as much as your questions. I swapped my red pen for a neutral one and used symbols instead. Don't let your note-taking habits derail the rapport.   Audit is 10% technical and 90% human.   What’s your go-to move to break the ice during a tense walkthrough?   #ITAudit #InternalAudit #RiskManagement #ProfessionalDevelopment #CorporateCulture #SoftSkills #Governance #CyberSecurity #Big4 #Auditlife

🎯 𝗜𝗻𝘁𝗲𝗿𝗻𝗮𝗹 𝗔𝘂𝗱𝗶𝘁 𝗦𝘂𝗰𝗰𝗲𝘀𝘀 𝗦𝗲𝗰𝗿𝗲𝘁: 𝗟𝗶𝘀𝘁𝗲𝗻 𝗙𝗶𝗿𝘀𝘁, 𝗔𝘂𝗱𝗶𝘁 𝗟𝗮𝘁𝗲𝗿𝗅 One game-changing lesson I learned as Chief Internal Auditor: before opening a single work paper, invest time in listening. When I first implemented "Coffee Chats with Audit," many were skeptical. But here's how this simple approach transformed our effectiveness: 𝗧𝗵𝗲 𝗣𝗿𝗼𝗰𝗲𝘀𝘀: ☕️ 1. 𝗡𝗼 𝗔𝘂𝗱𝗶𝘁 𝗧𝗮𝗹𝗸 𝗙𝗶𝗿𝘀𝘁 30 𝗠𝗶𝗻𝘂𝘁𝗲𝘀 🤫 - Focus on understanding their role - Learn about their daily challenges - Get to know them as people, not auditees 2. 𝗗𝗲𝗲𝗽 𝗗𝗶𝘃𝗲 𝗶𝗻𝘁𝗼 𝗧𝗵𝗲𝗶𝗿 𝗪𝗼𝗿𝗹𝗱 🔍 - Ask about their biggest concerns - Understand their department goals - Learn what keeps them up at night 3. 𝗣𝗮𝗶𝗻 𝗣𝗼𝗶𝗻𝘁𝘀 𝗗𝗶𝘀𝗰𝗼𝘃𝗲𝗿𝘆 💭 - What systems frustrate them? - Where do they feel blocked? - What support do they need? 4. 𝗙𝘂𝘁𝘂𝗿𝗲 𝗩𝗶𝘀𝗶𝗼𝗻 𝗦𝗵𝗮𝗿𝗶𝗻𝗴 🎯 - Their improvement ideas - Planned initiatives - Resource needs 𝗧𝗵𝗲 𝗜𝗺𝗽𝗮𝗰𝘁: 🌟 - Built trust before audits began - Received unsolicited calls for advice - More collaborative audit planning - Better-targeted recommendations - Higher implementation rates People don't care how much you know until they know how much you care! 💡 𝗣𝗿𝗼 𝗧𝗶𝗽𝘀 𝗳𝗼𝗿 𝗦𝘂𝗰𝗰𝗲𝘀𝘀: 📝 - Schedule regular, not just pre-audit meetings - Take notes and follow up on concerns - Share relevant insights from other departments - Keep conversations confidential - Follow through on commitments made Remember that every conversation is an opportunity to transform from "corporate police" to trusted advisor. 🤝 Would love to hear your experiences! How do you build trust with stakeholders? What relationship-building techniques work best in your role? Like and share if you found this valuable - let's help each other build stronger professional relationships! #InternalAudit #ProfessionalDevelopment #Leadership #BusinessRelationships #CommunicationSkills #AuditInnovation #ChangeManagement

#GRC It’s how little of the job is actually about finding the risk and how much of it is about tracking what people decide to do with it. One of my early projects involved reviewing a system where access wasn’t being removed when employees left. I flagged it, explained the impact, walked through the risk. Everyone nodded. And then… nothing changed. A few weeks later, during a walkthrough, someone asked, “Was this risk ever reviewed or accepted?” That’s when it clicked to me. It wasn’t enough that I’d raised the concern. I hadn’t captured who made the decision to leave it as-is, or why. There was no clear record of what was said, or when it was decided. Now, I always document those moments. Not just the risk, but the conversation around it; who was involved, what they agreed on, and what context shaped that choice. Not to point fingers. Just to keep a history. So if that risk resurfaces, we’re not scrambling to remember what happened or why. For anyone learning GRC .. spotting a gap is just one step. The actual work is in following it through; making sure it’s not just noted, but owned, discussed, and either acted on or intentionally accepted. And keeping that trail matters more than you think. Here’s a few of my recommendations: 1. Risk Acceptance vs Risk Mitigation (Article by TechTarget) Breaks down how risks are either accepted or acted on, and why documenting the decision matters. https://lnkd.in/g82uYRk6 2. Hyperproof Risk Ownership and Documentation Best Practices A plain-language overview of how GRC teams manage risk conversations, decision logs, and assignments. https://lnkd.in/gzWZUBah 3. GRC Fundamentals Training by ISACA (Free & Paid Options) Includes lessons on risk management, documentation, and audit readiness. https://lnkd.in/gDPyqv24 4. The Importance of an Audit Trail (OneTrust Resource) Covers why clear documentation is your strongest evidence in any control or risk review. https://lnkd.in/gfB5EE5k

Everyone says auditors need more empathy. After a 1,000 audits, I'll say it... too much empathy can destroy your effectiveness: Let me be clear: I'm not saying be heartless. I'm saying empathy without boundaries makes you useless. Here's what happens when auditors get too empathetic: 𝗬𝗼𝘂 𝘀𝘁𝗮𝗿𝘁 𝗺𝗮𝗻𝗮𝗴𝗶𝗻𝗴 𝗳𝗲𝗲𝗹𝗶𝗻𝗴𝘀 𝗶𝗻𝘀𝘁𝗲𝗮𝗱 𝗼𝗳 𝗿𝗶𝘀𝗸𝘀. "They're already stressed" becomes your reason to soften a critical finding. "They've been through a lot" becomes your excuse to delay the report. "I don't want to hurt their career" becomes why fraud goes unreported. I've been there. You probably have too. 𝗧𝗵𝗲 𝗺𝗼𝗺𝗲𝗻𝘁 𝘁𝗵𝗮𝘁 𝗰𝗵𝗮𝗻𝗴𝗲𝗱 𝗺𝗲...𝟮𝟬𝟬𝟰. I was auditing a department led by someone I genuinely liked. Great person. Struggling with budget cuts and staff turnover. I found control gaps. Significant ones. But I emphasized the "mitigating factors" too much in the report. Several months later, there was almost an incident. 𝗛𝗲𝗿𝗲'𝘀 𝘄𝗵𝗮𝘁 𝗜 𝗹𝗲𝗮𝗿𝗻𝗲𝗱: • Empathy helps you understand context. • Empathy helps you communicate findings effectively. • Empathy helps you build relationships that make audit work. But empathy cannot change facts. The control either works or it doesn't. The risk either exists or it doesn't. Our job is to report reality. 𝗧𝗵𝗲 𝗯𝗮𝗹𝗮𝗻𝗰𝗲 𝗹𝗼𝗼𝗸𝘀 𝗹𝗶𝗸𝗲 𝘁𝗵𝗶𝘀: ❌ "I know you're overwhelmed, so I'll downgrade this to low risk." ✅ "I know you're overwhelmed. Here's the risk as it exists. How can we help you address it?" ❌ "I don't want to hurt their reputation, so I'll leave it out." ✅ "This is uncomfortable to report, but it's my responsibility to be honest." ❌ "They're good people, so this can't be intentional." ✅ "They're good people, and the control gap still needs to be fixed." 𝗘𝗺𝗽𝗮𝘁𝗵𝘆 𝗶𝘀 𝗮 𝘁𝗼𝗼𝗹, 𝗻𝗼𝘁 𝗮 𝗽𝗵𝗶𝗹𝗼𝘀𝗼𝗽𝗵𝘆. • Use it to understand. • Use it to communicate. • Use it to build trust. But never let it override your obligation to tell the truth. We dive deeper into this tension on 𝗘𝗽𝗶𝘀𝗼𝗱𝗲 𝟲𝟵 𝗼𝗳 𝗔𝘂𝗱𝗶𝘁 𝗕𝗶𝘁𝗲𝘀: 𝗪𝗵𝗲𝗻 𝗘𝗺𝗽𝗮𝘁𝗵𝘆 𝗧𝗲𝘀𝘁𝘀 𝗜𝗻𝘁𝗲𝗴𝗿𝗶𝘁𝘆 𝗶𝗻 𝗜𝗻𝘁𝗲𝗿𝗻𝗮𝗹 𝗔𝘂𝗱𝗶𝘁𝗶𝗻𝗴. Link in comments.

"My door is always open" is a lazy strategy. Harassment cases rarely walk through open doors. You have to walk out to them. If you are a manager and you think, "My team is fine because no one has complained," you are missing the data. Most people do not report harassment. Not because it isn’t happening. But because they are scared, confused, or ashamed. They don't want to be the "difficult" employee. So they bury it. As a leader, you cannot wait for the crisis to hit your inbox. You have to go looking for the smoke before you see the fire. Here are 15 Questions to ask in your next check-in. (Do not ask them like a robot. Ask them like a human auditing the safety of their team.) The "Environment" Audit 1. Do you feel safe at work, both in person and online? 2. Do you feel respected when you speak in meetings? 3. Do you feel like your boundaries are respected at social events? 4. Do you feel like your gender affects how you are treated here? The "Gut" Audit 5. Is there someone whose behaviour feels ‘off’ but is hard to explain? 6. Is there anyone you avoid being alone with? (This is the most important question). 7. Has anyone made you feel uncomfortable with their words, even if it was "just a joke"? 8. Has someone ever complimented you in a way that felt too personal? The "Observation" Audit 9. Have you hesitated to speak up to avoid unwanted attention? 10. Have you seen inappropriate jokes in the team chats? 11. Have you ever seen someone else being treated in a way that bothered you? The "Trust" Audit 12. Have you ever felt like someone crossed a line, even slightly? 13. Is there anything you’ve been tolerating because you weren’t sure how to bring it up? 14. Do you know exactly who to talk to if something feels unsafe? 15. If you raised a concern today, do you trust it would be taken seriously? Why these work: They move the conversation from "legal violations" to "psychological safety." They catch the "off" vibes and the blurred lines before they explode. Competence includes the ability to hold uncomfortable conversations. If you aren't brave enough to ask the question, you aren't ready to lead the team.

Leadership isn't just about vision and strategy. It's about navigating the minefield of human emotions. The most influential leaders? They're masters of the delicate conversation. Here's how to broach sensitive subjects without burning bridges: 1. Set the Stage: • Choose a private, neutral space. • Timing is everything. Ensure you both have bandwidth. 2. Open with Connection: • "I value our partnership and want to discuss something important." • This isn't just pleasantry. It's psychological priming. 3. Deploy "I" Statements: • "I feel concerned about..." not "You always..." • It's not just grammar. It's defusing defensiveness. 4. Invite Dialogue: • "How do you see this situation?" • This isn't just polite. It's gathering crucial intel. 5. Acknowledge Emotions: • "I understand this might be difficult to hear." • It's not coddling. It's emotional intelligence in action. 6. Focus on Solutions: • "How can we address this together?" • It's not avoiding issues. It's forward-thinking leadership. 7. Confirm Understanding: • "To ensure we're aligned, can you summarize your takeaways?" • It's not redundant. It's ensuring clarity and buy-in. Remember: These aren't just communication tips. They're leadership force multipliers. Your ability to navigate sensitive conversations directly impacts: • Team trust • Innovation culture • Conflict resolution speed • Overall organizational health The most respected leaders aren't those who avoid tough talks. They're the ones who lean in, with tact and empathy. Your challenge: Identify one sensitive topic you've been avoiding. Apply these principles in addressing it this week. Because in the end, your legacy as a leader isn't built on easy conversations. It's forged in the crucible of the tough ones. What sensitive topic will you tackle, armed with these strategies? Your team is waiting for you to lead. Even in the uncomfortable moments. Especially in the uncomfortable moments. __________ 💡 React if this resonated. 💬 Comment to share your view. ♻️ Repost to benefit those in your network. ➕ Follow Johnny Nel for more innovation content like this.

Most Chief Auditors already have a seat at the table. The real challenge is not access, but being heard once they are there. In most organisations, that seat is at the audit committee table rather than the full board, and the difficulty rarely lies in credibility or mandate. It lies in range. Audit committee members are comfortable listening in more than one language. They understand audit language because that is the environment they operate in, but they also listen for decision language, for signals about exposure, trade offs and what might be forming beneath the surface. Too often, internal audit speaks fluently in only one of those languages. Many audit committees are not waiting for better information. They are waiting for earlier judgement from the Chief Auditor. This is where the shift tends to happen in practice. A disciplined audit plan continues to do the heavy lifting, providing coverage, credibility and confidence that the basics are being handled properly, and that foundation matters because without it nothing else carries weight. Where Chief Auditors begin to be heard differently is in how they connect what they see across audits and how early they are prepared to talk about it. Findings, ratings and controls explain what happened, but audit committees are usually more interested in what those observations suggest if the pattern continues, what assumptions they rely on, and what that means for future decisions. This is where strategic audit actually shows up, not as a new methodology, but as recognising patterns and communicating them while choices can still be influenced. That shift also changes the timing of conversations. Insight shared informally with the audit committee chair, while options are still open and positions are not yet fixed, will almost always have more impact than a carefully polished paper presented once decisions have largely settled. Over time, it is consistency that makes the difference. A seat at the audit committee table is not converted into influence through a single strong meeting, but through repeated demonstrations of judgement, clarity and the ability to move naturally between assurance and consequence. This is the approach I describe in my book, Getting Ready to Roar, because it reflects what I have seen work in practice. Most internal audit functions already have the seat. The difference is whether the Chief Auditor chooses to use the full language the room already understands.

The One Audit Skill They Don't Teach in ACCA Training: ACCA taught me standards, procedures, and technical knowledge. But there's one skill I use almost daily that no textbook covered: Managing difficult client conversations. When a client pushes back on findings, questions your judgment, or gets defensive, that's the real test. ACCA doesn't prepare you for: ❌ The FD who insists their aggressive accounting is "fine" ❌ Telling a client their controls are weak ❌ Balancing independence with professionalism ❌ Knowing when to escalate vs handle it yourself What I've learned: 1. Stay calm, not defensive. Listen first. Acknowledge their perspective. Then explain calmly. 2. Use questions, not accusations "Can you help me understand the rationale?" opens dialogue better than "This is wrong." 3. Knowing when to escalate. Escalating isn't weakness, it's professional judgment. 4. Document everything: What was said. What was agreed. What's unresolved. 5. Separate issue from relationship You can disagree professionally and maintain respect. Do not attack people’s personalities rather address the problem. The reality: Technical skills get you the job. How you handle people and pressure makes you effective. ACCA gave me the foundation. The audit room taught me how to use it. What's one skill you learned on the job that no textbook taught you? #ProfessionalSkills #CareerGrowth #CommunicationSkills #SoftSkills #LeadershipDevelopment #FinanceProfessionals #ContinuousLearning #WorkplaceSkills #PersonalDevelopment