An entity is the organization. A system is what gets audited.
The entity is the company, business unit, or organization that owns or operates the CCSS trusted environment. The system is the specific set of people, processes, and technology that handle key material that make up the CCSS trusted environment.
CCSS certification applies to the system, not the entity.
This means the audit focuses on how key material is managed within a defined environment, not everything the organization does. An entity may have multiple systems with different designs, controls, and risk profiles, and each one is considered separately.