In order to activate AUDIT for only updates to a data set, the following was added to the AUDIT ACID:

ACCESSORID = *AUDIT*   NAME       = RESOURCE-AUDITING
TYPE       = GLOBAL    SIZE       =      256  BYTES
CREATED    = 10/26/87  00:00  LAST MOD   = 03/12/20  11:22
DATASET    = 'SYS1.PARMLIB'
   ACCESS  = UPDATE

TSS0300I  LIST     FUNCTION SUCCESSFUL

The TSSUTIL report shows the audit for READ accesses in addition to the UPDATE accesses.

Release : 16.0

Component : CA Top Secret for z/OS

Because UPDATE access implies READ access for datasets, ACCESS=UPDATE in the AUDIT record for a dataset will also audit the successful attempts to read the dataset. Since the access level for an actual 'update' is a WRITE, using ACCESS(WRITE) instead of ACCESS(UPDATE) in the AUDIT record should only audit the update accesses, not the read accesses. 

TSS ADD(AUDIT) DSN('SYS1.PARMLIB') ACCESS(WRITE)