
Control

A safeguard or measure — technical, administrative, or physical — put in place to reduce a specific risk, such as enforcing multi-factor authentication or reviewing access quarterly. Compliance frameworks are essentially structured sets of controls that an auditor tests for design and operating effectiveness.

This definition is part of TCSA’s plain-English compliance glossary, written and reviewed by the auditors who prepare organizations for these frameworks — 500+ audits delivered across India, USA, UK, Australia & UAE.

Related General Audit terms

Attestation

An engagement in which an independent CPA examines a subject matter — such as a set of controls — and issues an opinion on it. SOC 1, SOC 2, and SOC 3 are attestation reports: the auditor attests to management's description and the operating effectiveness of controls, rather than awarding a pass/fail certificate.

Evidence

The records an auditor collects to confirm a control was actually operating — screenshots, configuration exports, tickets, policy documents, access logs, and the like. In a Type II engagement, evidence must show the control ran consistently across the entire observation window, not just on the day of testing.

Gap Assessment

A structured comparison of an organisation's current state against the requirements of a target framework, producing a list of "gaps" to remediate before a formal audit. It is the usual first step in any certification or attestation project.

Nonconformity

A failure to meet a requirement of a standard, identified during an ISO audit. Major nonconformities must be resolved before certification can be granted, while minor ones require a corrective-action plan and are verified at the next audit.

Observation Window

The period — typically three to twelve months — over which an auditor evaluates whether controls operated effectively in a SOC 2 Type II engagement. Evidence must demonstrate the controls ran consistently throughout this window, also called the audit or review period.

Readiness Assessment

A pre-audit review that tests whether an organisation's controls and evidence would withstand a formal audit, so issues can be fixed in advance. It is broader than a gap assessment, often including a dry run of control testing.


Written By Expert Auditors

Surendra Pal Singh
Chief Information Security Officer & Data Protection Officer
CISO, DPO, CISA, MCSE, ITIL, ISO 27001 Lead Auditor, ISO 27701 Lead Auditor, ISO 42001 Lead Auditor

Saundhi Chauhan
Lead Auditor
ISO 27001 Lead Auditor, ISO 27701 Lead Auditor

Last reviewed: July 2026
Content verified by certified lead auditors
