What does the practitioner rule on confidentiality imply about 'off the record' material?

Confidentiality in internal auditing requires that information is protected and used only for the audit, but it still must be captured in a controlled, auditable record. When material is discussed off the record, it does not disappear; it should be documented so there is a trace of the discussion, the context, and any actions taken, while still keeping sensitive content appropriately protected. This ensures accountability, supports the audit conclusions, and aligns with records retention and access controls. Why the other ideas don’t fit: destroying material after a discussion would break the audit trail and violate policy about retaining evidence; sealing it and never disclosing again would block legitimate disclosures to authorized stakeholders; and saying it’s exempt from audit trails contradicts the fundamental need to maintain documented evidence of the audit process.