Dec 7, 2025

CCPA Audit Readiness: A Practical Roadmap in Five Steps

This follow-on article to our article CCPA Audit Requirements are Here includes a plan to use the 2026-2027 runway to be ready to submit your audit report.

5-Step Practical Roadmap to CCPA Audit Readiness

We went over a lot of information in our article CCPA Audit Requirements Are Here, but this follow-on includes a concrete way to use the 2026-2027 runway that the CPPA has provided for in-scope CCPA companies.

  1. Determine if you're likely in scope.
  2. Assign ownership of the process and build an audit-readiness project plan.
  3. Stand up an evidence library from the start.
  4. Start with a "mock audit".
  5. Integrate the first and future audits into your privacy and security calendar.

Let's dig deeper into each of these steps!

Remember, this article is for general information and education only. This is not legal advice. You should talk to your own counsel about how the law and rules apply to your specific facts.

Step 1: Determine if You're Likely In Scope

We say "likely in scope" here because if you are near the thresholds, you want to plan accordingly. In situations such as this, it's better to be over-prepared than to scramble at the last second.

Start by evaluating the last calendar year to see where you fall right now. Some metrics to review include:

  • Confirm you are a "business" under CCPA.
    • Have gross revenue over $25.625M annually (effective January 1, 2025) OR
    • Buy, sell, or share personal information of over 100,000 California residents or households OR
    • Derive 50% or more of your annual revenue from selling or sharing the personal information of California residents.
  • What was your total revenue from selling or sharing personal information? How does it compare to your total revenue?
    • If it's greater than 50%, you are likely in scope.
  • What is your total revenue vs. the CCPA revenue threshold? (e.g., $100M for 2028 reporting entities, etc.)
    • If it's above $25.625M, you may be in scope depending on whether your processing is a significant risk. See the next two questions.
  • What was the volume of personal information (either consumers or households) that you processed?
    • If it's 250,000 or more, you are likely in scope.
  • What was the volume of sensitive personal information?
    • If it's 50,000 consumers or households or more, you are likely in scope.

Next, look at your projected growth over the next couple of years. Only you and your team know your revenue projections and data processing volumes, but one way to think about it is to add a buffer to your revenue projections (just in case) and see where that lands you. Alternatively, consider your last 3 to 5 years of growth, and extrapolate forward, again, adding in a buffer and accounting for new income streams that might be launching in the short term to make sure that you capture unexpected growth potential.

If you are already at or near the revenue projections but have lower data processing in your business, consider if there's anything that will significantly change about your processing activities over the next couple of years. Some questions to ask are:

  • Will you be launching a new consumer application?
  • Are you adding a rewards program?
  • Are you entering into any major partnerships that might significantly change your processing ecosystem?
  • Are you adding anything to the core business that might increase processing of sensitive personal information, such as launching an application for children or moving into health technology?

These are questions to consider in calculating your potential for being in scope.

Step 2: Assign Ownership of the Process and Build an Audit-Readiness Project Plan

This is easier said than done, but the only way to do it is to start. The audit must be conducted by either a third party or an internal person who does not report to the cybersecurity program director. For purposes of setting up your audit-readiness project plan, then, you will likely want your executive sponsor to be outside of the chain of command for the audit preparations, while your audit-readiness program owner is someone within the organization responsible for the cybersecurity program who can manage the project plan. Then designate a separate, independent person as auditor when it is time to conduct the actual audit.

If your organization already has to do audits for other regulators, as part of its third-party obligations, or otherwise, you may be able to reuse those existing processes and output for the CCPA audit. However, not all audits are created equal, so you will want to conduct an analysis to confirm that your audit function already covers all of the requirements of the CCPA.

NOTE: If you do have an existing independent annual audit requirement, remember that the CCPA audit is specific to certain information and specific to California. It may be best to have your auditor and legal counsel review your existing process to confirm if and how a separate audit report should be generated for the CPPA, and whether certain evidence and artifacts need to be regenerated in a limited fashion or segregated for purposes of potential CPPA review. A cost-benefit analysis may be needed to confirm that segregating the processes reduces risk (by not disclosing irrelevant information to the CPPA or unnecessarily broadening the scope of the reporting to the CPPA) by more than the cost of the modified process.

Helpful considerations:

  • Name an executive sponsor for your audit program. This should be a member of your executive team who, ideally, has no direct participation in any activities that would be the subject of the audit. While it might seem intuitive to appoint your CISO, GC, or CIO, all of these executives have management responsibilities related to the program being audited, so select someone outside of the direct chain if they will be responsible for signing off on the audit report.
  • Name an audit program owner. Here, it may make sense to select someone with deep knowledge of your current systems and practices and ultimately make them responsible for audit-readiness and reserve an independent person for conducting the actual audit of the materials prepared by the audit-readiness project owner.
  • Decide whether you will be following an internal versus external auditor model, recognizing the independence requirements and the market capacity of your company. Check out this helpful article from the IAPP on the pros and cons of using an internal versus external auditor.
  • Build an internal control framework that maps CCPA audit topics to your existing frameworks (e.g., NIST CSF, ISO 27001, SOC 2). If you already use a GRC platform to manage your security controls, the vendor may release a module that covers CCPA audit topics.

Step 3: Begin to Stand Up Your Evidence Library

There is no time like the present to start the readiness process. You may not have perfected your privacy program yet, but effort and documentation are often the key to audit success. Creating a dedicated, access-controlled "CCPA Audit Evidence" workspace on your system and organizing it by domain will give you a repository to fill as you go through the next two years of preparation, rather than an after-the-fact reconstruction of your activities a year later. As you run your normal operations (e.g., tabletop exercises, vendor onboarding, DSR handling, privacy impact assessments), drop the evidence into the appropriate folder.

There are 18 technical and organizational components (see 11 CCR § 7123(c)) that you will have to address on your CCPA audit, which can generally fit into the following categories:

  1. Governance (business continuity, disaster recovery)
  2. Policies (information security, incident response, data retention)
  3. Data Inventory (inventory and management of personal information, log management and monitoring)
  4. Risk Assessments (including secure development, coding best practices, code reviews, testing)
  5. Security Controls & Testing (authentication, encryption, account management, access controls, secure configuration, vulnerability scans and pen testing)
  6. Incident Response
  7. Third Party Risk Management (oversight of service providers, contractors, and third parties)
  8. Consumer Rights (DSRs)
  9. Training (awareness, education, and training)

The final report will ask not just about the components but will want to know the "policies, procedures, and practices that the cybersecurity audit assessed" as well as the criteria used to conduct the audit and the exact evidence examined. Starting the stockpile of the relevant policies, procedures, SOPs and evidentiary artifacts now will give you an early edge in detecting possible policy gaps, processes that need refinement, and documentation that needs to be logged going forward.

Step 4: Conduct a "Mock Audit" in Late 2026 or Early 2027

With plenty of time to go before your first audit report is due, we recommend running an internal or consultant-led dry run of the audit process. This will give you a realistic view of how ready your organization is and surface any ugly issues with time to fix them before the auditor or the CPPA sees them. Depending on whether your final audit is internal or through a third party, you may be given an initial report with an opportunity to cure some areas before the report is finalized, but relying on a last-minute cure period will add unnecessary stress and expense to an already stressful situation for your team. Doing the mock audit early (just like running a privacy incident tabletop before a real incident) will give your team confidence, experience, and the opportunity to mature your stance meaningfully before you are down to the wire.

To conduct the mock audit, use the following process outline:

  • Scope the mock audit based on the CCPA's content requirements.
  • Use a sample audit report outline (including executive summary, scope, methodology, findings, gap register, and remediation plan). If you're an ARLA Strategies client, you can find a sample in the resources in your Client Portal.
  • To maximize the effectiveness of the mock audit, include findings or evidence from at least one incident response tabletop and one DSR process walkthrough.
  • Document all of the gaps uncovered during the audit process and assign owners and remediation timelines with retesting prior to the final audit.

Step 5: Integrate Audits into Your Privacy & Security Calendar

By the time you make it to this point, you've done a lot of work to implement your audit-readiness project. Maximize all this hard work by standing up a regular cadence so that audit readiness becomes part of how your organization operates, not just a parallel project that gets run every year. Integrating audit preparation into your standard privacy program maintenance schedule will provide economies of scope, take away the uncertainty, and give your organization a defensible position across the spectrum of privacy-related operations.

Below is a sample calendar that you can consider and further adapt for your business:

  • Q1: Complete the audit report, conduct the executive review, and submit CPPA certification by April 1 of each year.
  • Q2: Focus on remediation of any critical or high-priority gaps found during the first quarter.
  • Q3: Review risk assessments and vendor posture for potential improvements and refresh your evidence library for next year.
  • Q4: Run at least one privacy incident tabletop and update the incident response plan, policy stack, and employee training.
  • Ongoing: Record and maintain DSR metrics, incidents, and changes to vendors through standard processes.

Conclusion

The CCPA's new cybersecurity audit rules turn "reasonable" administrative, physical, and technical controls from a vague standard into a documented, tested, and annually reviewed privacy and security program that is backed by evidence and signed off by executive leadership. If you're not already subject to cybersecurity audits, you may not be doing these activities yet, but like a good regimen of exercise, healthy eating, and proper sleep, you will reap the benefits of putting in the effort, because your privacy program will level up your entire organization's resilience, defensibility, and even attractiveness to a potential acquirer, investor, or significant business partner.

Start now and use the next two years to:

  • Confirm whether your company is in the significant-risk bucket
  • Build out your evidence library to match the audit content requirements
  • Run privacy incident tabletops and other exercises that double as both operational practice and privileged evidence
  • Make the first official audit in 2028, 2029, or 2030 a confirmation of the work you are and have already been doing, not a fire drill.

And even if you never cross the thresholds for mandatory annual audits, this kind of preparation is your best protection if the CPPA ever shows up for an Agency audit or if you have a breach go public.

A former software engineer turned privacy lawyer, Alia uses 15 years of legal experience to turn strategy into resilient operations.