Glossary · General Audit
Attestation
An engagement in which an independent CPA examines a subject matter — such as a set of controls — and issues an opinion on it. SOC 1, SOC 2, and SOC 3 are attestation reports: the auditor attests to management's description and the operating effectiveness of controls, rather than awarding a pass/fail certificate.
This definition is part of TCSA’s plain-English compliance glossary, written and reviewed by the auditors who prepare organizations for these frameworks — 500+ audits delivered across India, USA, UK, Australia & UAE.
Related General Audit terms
Control
A safeguard or measure — technical, administrative, or physical — put in place to reduce a specific risk, such as enforcing multi-factor authentication or reviewing access quarterly. Compliance frameworks are essentially structured sets of controls that an auditor tests for design and operating effectiveness.
Evidence
The records an auditor collects to confirm a control was actually operating — screenshots, configuration exports, tickets, policy documents, access logs, and the like. In a Type II engagement, evidence must show the control ran consistently across the entire observation window, not just on the day of testing.
Gap Assessment
A structured comparison of an organisation's current state against the requirements of a target framework, producing a list of "gaps" to remediate before a formal audit. It is the usual first step in any certification or attestation project.
Nonconformity
A failure to meet a requirement of a standard, identified during an ISO audit. Major nonconformities must be resolved before certification can be granted, while minor ones require a corrective-action plan and are verified at the next audit.
Observation Window
The period — typically three to twelve months — over which an auditor evaluates whether controls operated effectively in a SOC 2 Type II engagement. Evidence must demonstrate the controls ran consistently throughout this window. It is also called the audit or review period.
Readiness Assessment
A pre-audit review that tests whether an organisation's controls and evidence would withstand a formal audit, so issues can be fixed in advance. It is broader than a gap assessment, often including a dry run of control testing.