Practise vocabulary for SOC 2, ISO 27001, PCI-DSS, and GDPR audit processes: controls, evidence, findings, and remediation.
1 / 6
In a compliance audit, a 'control' is:
Controls are the specific measures an organisation implements to address risks. Auditors test whether controls exist and are effective. Control examples: MFA enforcement, encryption at rest, quarterly access reviews, change management process.
2 / 6
An auditor issues a 'finding' in an audit report when:
Audit findings identify non-conformities or control deficiencies. Each finding typically includes: what was observed, what the requirement is, the gap between them, and the risk this gap creates. The auditee must provide a remediation plan.
3 / 6
Evidence in a compliance audit typically includes:
Auditors require objective evidence: policy documents showing what should happen, logs and records showing it does happen. 'We have a password policy' is a statement — the auditor needs the policy document plus evidence it is enforced.
4 / 6
SOC 2 Type II differs from SOC 2 Type I in that:
SOC 2 Type I is a snapshot — controls look good today. Type II provides ongoing assurance — auditors test evidence over months, confirming controls are consistently applied. Customers often require Type II as it demonstrates operational maturity.
GDPR Article 33: notification to the supervisory authority within 72 hours of becoming aware of a breach, where feasible. GDPR Article 34: notification to affected individuals is required 'without undue delay' when the breach is likely to result in a high risk to their rights and freedoms.
6 / 6
A remediation plan in an audit context should contain:
Effective remediation plans are SMART: Specific (what exactly will be done), Measurable (how will completion be verified), Assigned (who is responsible), Realistic (is it feasible), Time-bound (when will it be done).