Practice compliance audit vocabulary: audit evidence, control objectives, remediation plan, risk accepted, audit findings vs. observations, management response, and audit trail.
1 / 5
What is 'audit evidence' in a compliance context?
Audit evidence is the information — such as logs, screenshots, policies, access reports, and test results — that auditors examine to determine whether controls are operating effectively and whether the organization is compliant.
2 / 5
An auditor issues an 'audit finding' versus an 'observation.' What is the key difference?
An audit finding typically signals a deficiency — a control is missing, ineffective, or non-compliant. An observation is a lower-severity note flagging a potential risk or area for improvement that may not rise to the level of a formal finding.
3 / 5
What is a 'remediation plan' in an audit context?
A remediation plan is the auditee's documented response to audit findings, specifying the corrective actions to be taken, the responsible owner, and the target completion date. Auditors review remediation plans during follow-up assessments.
4 / 5
What does it mean when a risk is 'risk accepted' in a compliance process?
'Risk accepted' is a formal decision where management acknowledges a known risk and chooses to accept it rather than remediate — often because the cost of mitigation exceeds the risk's impact. It must be documented and approved.
5 / 5
What is an 'audit trail' and why is it important?
An audit trail is a time-stamped, tamper-evident record of system and user activity. It is essential for forensic investigation, demonstrating compliance, and proving that controls were operating correctly during an audit period.