An Audit is like a final exam. The Auditor or Auditing firm will come in and evaluate all of your controls as either compliant or non-compliant. There is no middle ground. The Auditor or Auditing firm will then give you their compliance report. Some firms will allow you to suggest changes or provide your remediation plan for a deficiency. Likewise, some firms will include an option to come back after a period of time to re-review non-compliant controls.

An assessment is where the Assessor or Assessing firm comes in and evaluates all of your controls as either compliant, partially compliant, or non-compliant. At Peak InfoSec, we will let you know why anything is off, provide you recommendations on how to remediate, and be there to help you remediate. If we are doing an assessment that leads up to an audit, we can even help you build your “Evidence Book.”

When it comes to CMMC, the formal Audit is called a “Conformity Assessment” and we refer to the assessment phase as “Consulting.”