Audit

Independent review of controls against a standard or framework to assess effectiveness.

An audit is an independent review of controls against a standard or framework, and independence is what gives it credibility. Internal audits drive improvement and self-correction; external audits drive attestation and certification (SOC 2, ISO 27001). Audits test both design effectiveness (is the control well-conceived?) and operating effectiveness (did it actually work over the period?).
