AppSec - Short for application security, refers to the security of software.
Control - In security, a control is something which protects us. It could be a technical measure, like antivirus/EDR. It could be a process that we follow to make sure certain situations don't happen - like the process for deprovisioning a user.
In the context of an audit, a control must be testable. That means that we need to be able to demonstrate, with evidence, that we have that control in place. That could be by checking the presence of antivirus on all company laptops. It could be spot checking documentation and audit trails around provisioning and deprovisioning users.