Key Concepts and Terminologies


Audit Scope

The scope of an audit is its focal point: the range of activities that is the subject of the audit examination. Each compliance standard, framework, and regulation has a specific point of focus, and scoping means determining that point of focus before engaging in the audit. The scope is usually determined through a series of discussions with the auditors.

Control

A control is something you do as an organization to mitigate a potential risk. A control is part of a process designed to accomplish a goal. For example, a goal might be to train your employees on security because safeguarding data is important. The control might be: every year, security training is provided to all employees.

Design

To design is to decide how a particular process will function. An effective design plan requires a series of steps or action plans to achieve a specific goal, and it is usually documented in a policy or a procedure. To implement a control, you first need to design it: the control is the process that accomplishes a goal, and the design is the “how” of achieving that goal. For the security training control, the design identifies the steps that make it happen, such as:

  1. The month during which the training must happen
  2. Who is included in the training (i.e., full-time personnel or contractors)?
  3. The tools that are used to administer the training
  4. The designated personnel involved in administering the training

Evidence

Auditors, and sometimes customers, require an organization to provide evidence validating that it is actually meeting the compliance obligations it claims. Evidence can take the form of:

  1. Documentation
  2. Screenshots from a system
  3. A test report from an API-based query
  4. Population or list of events

For the security training control, the evidence is the complete report showing each employee’s name, training date, training completion date, and any related score.

Implementation

Implementation is putting into effect the steps documented in the design plan. This is what your auditors look for. For the security training control, the implementation is administering the training consistently every year to all your employees.

Personal Data

Personal data is information that helps identify an individual. This can be as simple as their name, phone number, or e-mail address. The definition can also extend to an IP address or cookie identifier. Some examples of personal data include:

  1. First or Last name
  2. Address
  3. Age
  4. Gender
  5. Employer
  6. Date of Birth

Policy

A policy is a high-level statement document that defines “what” must happen. Policies are the rules to be followed and serve as the foundation of any process. Policies must be formally reviewed and approved at least once a year.

For example, a policy can say: “We must conduct a risk assessment every year to effectively prevent and mitigate risks.”

Population of Events

As part of your compliance audit, it is common for auditors to ask for evidence proving that a certain control activity occurred. This evidence can be a population of events from which the auditor picks a random sample. A population of events is a pool or list of specific events.

For example, a population of new hires is a list of new hires, and a population of incidents is a list of incidents. As an organization, it is good practice to have an automated rather than manual method of pulling these lists, because an auditor places more trust in a list generated by a computer system than in a manually maintained one.
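As an added illustration (not code from the original article), the following shows one way to pull a population of new hires from a system export instead of maintaining it by hand, wrap it with a content hash so a hand-edited list can be detected, and draw the auditor's random sample reproducibly. The HR export format, the audit period and the employee records are constructed assumptions.

```python
import csv
import hashlib
import io
import json
import random
from datetime import date, datetime, timezone

# Constructed sample export from a hypothetical HR system (not real data).
HR_EXPORT_CSV = """employee_id,name,start_date,status
1001,A. Example,2024-01-15,active
1002,B. Example,2024-03-02,active
1003,C. Example,2023-11-20,active
1004,D. Example,2024-06-30,terminated
1005,E. Example,2024-07-08,active
"""
PERIOD_START = date(2024, 1, 1)   # assumed audit period
PERIOD_END = date(2024, 12, 31)


def new_hire_population(csv_text, period_start, period_end):
    """Population of new hires: everyone whose start_date falls in the audit
    period, regardless of current status (a later termination is irrelevant)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    hits = [r for r in rows
            if period_start <= date.fromisoformat(r["start_date"]) <= period_end]
    return sorted(hits, key=lambda r: r["employee_id"])


def evidence_package(population, source, period_start, period_end):
    """Wrap the population with generation metadata and a content hash so a
    re-run (or the auditor) can check that the list was not edited by hand."""
    body = json.dumps(population, sort_keys=True)
    return {"source": source,
            "period": [period_start.isoformat(), period_end.isoformat()],
            "generated_at": datetime.now(timezone.utc).isoformat(),
            "count": len(population),
            "sha256": hashlib.sha256(body.encode()).hexdigest(),
            "population": population}


def verify_package(pkg):
    """Recompute the hash over the population; False means it was altered."""
    body = json.dumps(pkg["population"], sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest() == pkg["sha256"]


def auditor_sample(population, size, seed):
    """Reproducible random sample: the same population and auditor-supplied
    seed always select the same items, so the test can be re-performed."""
    return random.Random(seed).sample(population, min(size, len(population)))
```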

Process

A process is a series of actions or steps taken in order to achieve a particular goal. In compliance, the term “process” is used often. For example, your auditor might ask, “What is your process for granting access to a new hire?” or “What is your hiring process?” The process referred to here is the set of steps and actions taken to provide access or to hire a new employee in your organization. A process can cover any goal or activity in your organization that requires some particular action.

Sensitive / Critical data or Personally Identifiable Information (PII)

Sensitive data differs from personal data in that some types of information are considered more sensitive than others. Sensitive information can be misused to cause harm to a person, so the distinction is about the potential impact if a set of data were lost or stolen.

For example, a first and last name can be sensitive, but is it as sensitive as a credit card number? Some examples of PII include, but are not limited to:

  • First or Last name
  • Passport or driver’s License number
  • Social Security Number
  • Credit Card Number
  • Photos
  • Account username
  • Fingerprints
  • Financial records
  • Medical records

After reading through these concepts, proceed to the next article to learn more about compliance.
