Management may spend considerable time and energy making sure that personnel understand one thing when dealing with auditors: specifically answer the question that the auditor asked, not the question the auditor should have asked; and do not volunteer any information.
There is, however, a useful technique that management (and only management) sometimes uses when working with auditors. I prefer to call this seeding the audit results. Similar to the technique of cloud seeding, where rain clouds are seeded with substances to cause them to release rain, management can use audit seeding as a way of ensuring that auditors are aware of specific situations that they are willing to include in their audit report. The purpose of audit seeding is generally the creation of an audit issue that will permit management to prioritize an initiative to improve the business.
For example, external auditors are examining access controls, an area where a security manager has had difficulty obtaining funds to make key improvements. While in a discussion with auditors, the security manager may choose to illuminate particular actions, inactions, or other situations in access control processes or technology that the auditor might not have otherwise noticed.
Persons who are considering audit seeding must have a thorough understanding of the subject matter, the controls being tested, the procedures and technologies in play, the auditing methodology in use, and a bit of grit. Audit seeding may be considered a daring move that may have unforeseen results. Finally, persons considering audit seeding must not make auditors feel they are being manipulated, as this could have greater consequences. Instead, management is simply making auditors aware of an important aspect of a control they are auditing.
— excerpt from CISM All-In-One Study Guide