
CPRA Cybersecurity Audits: Overview of Requirements

See if annual cybersecurity audits apply to your business under the CPRA and how to prepare.

California privacy enforcement is shifting from “paper compliance” to whether controls work in practice across systems, platforms, vendors, and data flows. At the same time, the California Privacy Protection Agency (CalPrivacy) has formalized audit capability through a dedicated Audits Division and a chief privacy auditor, signaling increased scrutiny of operational and technical compliance.

What Are CPRA Cybersecurity Audits?

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), requires certain businesses whose processing presents a “significant risk” to conduct independent, thorough cybersecurity audits that evaluate the design and effectiveness of their cybersecurity programs.

The regulations don’t prescribe a single security framework or specific technologies. Instead, they require a risk-based assessment of how the program protects “California personal information” and sensitive personal information in practice.

What Should Businesses Know About CPRA?

Not every CCPA-covered business must conduct an annual cybersecurity audit. The audit obligation applies to businesses that meet the CCPA definition of a “business” and whose processing meets the regulatory “significant risk” thresholds, including:

  • Revenue from selling/sharing: If the business derives 50% or more of annual revenue from selling or sharing personal information, an audit is required.
  • Revenue + volume thresholds: If the business had more than $26.625 million in annual gross revenue in the preceding calendar year, and either (i) processed personal information of 250,000+ consumers or households, or (ii) processed sensitive personal information of 50,000+ consumers, an audit is required.

Note: These thresholds can capture organizations that do not consider themselves “high risk,” including those processing large volumes of basic identifiers and contact data.

When Do Audits Start & When Are They Due?

CalPrivacy’s cybersecurity audit regulations were approved in September 2025 and became effective January 1, 2026. Covered businesses must complete an initial cybersecurity audit under a phased rollout based on revenue, and then perform audits annually covering a 12-month period. The audit report for each covered period is due by April 1 of the following year.

  • Group 1: 2026 revenue > $100 million (as of January 1, 2027) → initial audit period January 1, 2027–January 1, 2028; report due April 1, 2028.
  • Group 2: 2027 revenue $50 million to $100 million (as of January 1, 2028) → initial audit period January 1, 2028–January 1, 2029; report due April 1, 2029.
  • Group 3: 2028 revenue < $50 million (as of January 1, 2029) → initial audit period January 1, 2029–January 1, 2030; report due April 1, 2030.

What’s in Scope for the Audit?

A CCPA cybersecurity audit goes beyond looking at a company’s own IT setup. This audit follows the data wherever it travels. The focus is on any environment where California personal information, especially sensitive data, is stored, processed, or accessed. This includes company databases (on-premises or cloud-based), software applications, end-user devices, backups, and third-party environments used to process or access that data. Essentially, if the data is present or reachable, that “information system” is part of the audit, regardless of who owns the infrastructure.

The CCPA’s existing exemptions still apply for audit scoping purposes in many cases, e.g., certain Gramm-Leach-Bliley Act (GLBA)-regulated and Fair Credit Reporting Act (FCRA) data. Determining what’s exempt and how exemptions apply is often a joint legal and privacy/security exercise.

Independence: Who Can Perform the Audit?

According to CalPrivacy’s Draft Cybersecurity Audit Regulations Fact Sheet, audits must be conducted by a qualified, objective, independent professional using procedures and standards accepted in the auditing profession. CalPrivacy allows either internal or external auditors, provided the auditor can exercise impartial judgment and is not “grading their own homework,” i.e., they did not design or implement the cybersecurity program they are auditing.

For internal auditors, the regulations place special emphasis on reporting-line separation. The highest-ranking auditor should report to an executive who doesn’t have direct responsibility for the cybersecurity program, including for performance reviews and compensation decisions.

Thorough & Evidence-Based: What CalPrivacy Expects

  • Business cooperation: The business must make relevant information available, make good-faith efforts to disclose relevant facts, and avoid misrepresenting facts that matter to the audit, including scope and criteria.
  • Evidence, not assurances: Audits shouldn’t rely solely on management assertions. Findings should be supported by evidence such as documents/records, sampling and testing, interviews, configurations/screenshots, logs/reports, tickets/workflows, training records, and third-party assurance materials, e.g., SOC 2, where appropriate.
  • Risk-based evaluation: The audit evaluates whether the program is appropriate to the business’s size, complexity, and processing. It’s not a one-size-fits-all control checklist.

What Should Be in the Audit Report

The written cybersecurity audit report should be detailed and practical, describing what was examined, what was found, and what will be addressed. Key required elements include:

  • Description of the business’s information systems and the cybersecurity program components evaluated.
  • The criteria used for the audit and the evidence examined, tied to the auditor’s findings.
  • Identification of gaps/weaknesses and the remediation plan, including timeframes.
  • Any corrections or amendments to prior audit reports.
  • Identification of up to three qualified individuals who are responsible for the cybersecurity program.
  • Auditor name/affiliation/qualifications and a signed statement by the highest-ranking auditor confirming an independent, thorough review.
  • If applicable, a sample or description of data breach notifications issued during the audit period (to individuals and, where relevant, regulators).

What’s Submitted & What’s Retained

  • Certification to CalPrivacy: For each year an audit is required, the business must submit a certification of completion to CalPrivacy by April 1 of the following year. The certification must be signed under penalty of perjury by an executive who is directly responsible for cybersecurity audit compliance and has sufficient knowledge to provide accurate information.
  • Audit report submission: The audit report itself isn’t automatically filed with CalPrivacy, but CalPrivacy may request or subpoena it in an investigation or enforcement action.
  • Retention: Both the business and the auditor must retain audit-relevant documents for five years after the audit is completed.

How to Prepare: Practical Next Steps

  • Confirm coverage early: Validate whether you meet the “significant risk” thresholds and document the analysis.
  • Map California personal information: Inventory categories, systems, locations, data flows, and vendors handling California personal information and sensitive personal information. Also, identify potentially exempt data sets, e.g., federally regulated data.
  • Define audit scope and criteria: Memorialize what’s in and out of scope and why; align on the framework and criteria the auditor will use.
  • Engineer for evidence: Standardize how policies, configurations, logs, testing, and tickets are collected and organized so the audit can be repeatable year over year.
  • Validate auditor independence: Confirm role separation before the audit begins, including internal reporting-line requirements where applicable.
  • Plan remediation: Build a realistic remediation roadmap with owners and dates so progress is demonstrable in the next cycle.

How Forvis Mazars Can Assist With CPRA Cybersecurity Audits

Our IT Risk & Compliance team at Forvis Mazars can help organizations operationalize CPRA cybersecurity audit readiness with a coordinated privacy and security approach. Our professionals can help your business scope audits around California personal information, align audit criteria to existing security frameworks, validate auditor independence and evidence practices, and develop remediation roadmaps.

Where appropriate, we also can support pre-audit readiness and gap assessments in a manner designed to reduce downstream regulatory and litigation risk.

To help your organization prepare for what’s next with the unique demands of a data-centric audit, connect with a professional at Forvis Mazars today.
