Auditors don't ask hard questions. They ask simple questions that expose hard truths.
After watching dozens of comp teams go through audits — internal, external, SOX, and regulatory — the same three questions cause panic every time. Not because the answers are complicated, but because most teams can't produce them fast enough.
Question #1: "Who approved this exception, and what was the business rationale?"
This is the question that ends careers.
The auditor picks a random exception from last quarter. They want the approval chain, the rationale, and the financial impact. They want it in minutes, not days.
What usually happens: the comp admin opens email, searches for the rep's name, finds a thread where someone said "yeah that's fine," and hopes the auditor accepts it.
What should happen: every exception has a record — request date, category, rationale, financial impact, approver, approval date, and expiration. Retrievable in under 60 seconds.
How to be ready:
- Implement exception tracking (even a structured spreadsheet beats email)
- Require written rationale for every exception
- Log approvals with timestamps
- Policy reference: SCP-009 (Exception Management)
Question #2: "Show me the calculation for this rep's commission on this deal."
The auditor picks a deal. They want the full chain: source data, plan rules applied, rate table used, any adjustments, and the final payout amount. End to end.
What usually happens: the comp admin opens the ICM tool, exports a report, opens a spreadsheet to cross-reference, pulls up the plan document to find the relevant section, and 45 minutes later has a "pretty confident" answer.
What should happen: any payout traces back to source data in four clicks. Deal value from CRM, rule from plan section 3.2, rate from table B, payout calculated. Clean chain.
How to be ready:
- Document your calculation logic outside of the ICM tool
- Maintain a rate table version history
- Keep plan document versions with effective dates
- Policy reference: SCP-014 (Calculation Audit Trail)
Question #3: "What changed in the plan mid-year, and how were affected reps notified?"
This is the sleeper. Auditors know that mid-year changes are where governance breaks down.
They want: what changed, effective date, approval chain, financial impact analysis, and proof that affected reps were notified and acknowledged the change.
What usually happens: "We sent an email." No acknowledgment tracking. No impact analysis. No version control on the plan document.
What should happen: version-controlled plan documents, change logs with before/after comparisons, distribution records with acknowledgment receipts, and impact analysis showing how the change affected payout projections.
How to be ready:
- Version control every plan document (not just the current version)
- Require rep acknowledgment for plan changes (digital signature or email confirmation)
- Run impact analysis before deploying changes
- Policy reference: SCP-003 (Mid-Year Plan Changes) + SCP-004 (Communication Requirements)
The Meta-Lesson
Notice the pattern: none of these questions are about whether your calculations are correct. They're about whether you can prove your calculations are correct, your exceptions are governed, and your changes are controlled.
Audit readiness isn't about accuracy. It's about evidence.
Build your evidence chain: our 17 SCP Policies cover every governance surface area auditors examine.
See all 17 policies at intelligentspm.com/learn/policies — build audit readiness before audit season, not during it.
Not sure where your gaps are? Take The Checkup at intelligentspm.com/healthcheck.