> Can you show it's actually encrypted?

When someone asks a question like this, they're not literally asking you to show them it.

They just want an expert to confirm it they could show it, so they can check off their box for due diligence.

Congratulations. You were the expert.

I would frame it more like this:

"Can you show it's actually encrypted?"

Yes, we ensure that the data is only available via TLS foo.bar with encryption algorithm baz, which is on the approved list. We have monitoring and logging that ensure that we receive an alert if the port the app is on is not encrypted, and if you'd like we can dump the traffic to show you that there is no clear text available.

Further, only users on the approved admin list can make a change or deploy to production, or login to the server as root. Moreover, we do a background check on employment for all users who have admin access, and all deployments and code changes require at least one other employee to approve them, and we log who they were, and what the change was.

Cool, you have added more word salad. The people ticking the checkbox have tuned out after half of the first sentence, _that_ was the point.

It's encrypted in flight with TLS, and on the back end it's encrypted with the retro-encabulator, with AES 512.

Have you done this in real life? I have....

I once saw the acronym translated as "Keiner prüft mehr genau" (No one does checking accurately any more)

Also “Kinder prüfen meine Gesellschaft”

And „Kommen, prüfen, meckern, gehen“

Translation service:

“Kinder prüfen meine Gesellschaft”

children check my company

„Kommen, prüfen, meckern, gehen“

come, check, complain, go

KPMG seems to have quite a reputation.

Double-meaning: s/mehr genau/genauer/

Though that reading is a bit weird, it's practical enough to tickle the funny.

I've had fun trying to educate auditors, though this was a long time ago and several jobs back. In short: I couldn't educate the auditor.