At a company I worked for, Tidal was in-scope as it ran jobs on in-scope applications. We had to show how security policies were set up to prevent unauthorized Tidal users from accessing those jobs or the agent/adapter. We had to show what our procedure was for adding and deleting interactive users. We had to show that alerts were generated for job failures for those applications, show how we entered the incidents in our ticketing system, and then show how we responded to the incident and what our resolution was.
I did a couple of things to help with the process. One was to require that an agent/adapter be defined on each job, not inherited, to ease showing auditors what job was running on what system (I know this one might generate comments. I was over-cautious since it was a financial audit. 6.x also improves searching). The second was that we were required to keep a full fiscal year up to the time of the audit, so I built a process to copy data to a Tidal_Archive database that I built. That way my production database stayed small, but I still had the history (alerts, operator actions, logs, events) for review.
Hope that helps,