In 2025, the California Privacy Protection Agency (CPPA) adopted regulations that implemented requirements, under the California Consumer Privacy Act (CCPA), for certain businesses to perform annual cybersecurity audits. Those regulations went into effect on January 1, 2026. This blog breaks down the CCPA cybersecurity audit regulation and highlights the core requirements that must be met.
Does Your Business Have to Undergo a CCPA Cybersecurity Audit?
It depends on the nature and size of your business. Not every business that is required to comply with the CCPA will need to do an annual cybersecurity audit. The cybersecurity requirements target companies whose processing of consumers’ personal information presents a “significant risk” to consumers’ security. Your business presents “significant risk” if any of the following are true:
- Your business generated 50% or more of its annual revenue in the preceding year from selling or sharing consumers’ personal information; OR
- Your business made over $26,625,000 in annual gross revenue last year AND either:
  - processed the personal information of 250,000 or more consumers or households in the preceding calendar year; OR
  - processed the sensitive personal information of 50,000 or more consumers in the preceding calendar year.
CCPA Cybersecurity Audit Deadlines: When Is Your First Report Due?
This also depends on the size of your business and whether you reach certain thresholds. If your business meets the criteria above, the audit period and due date for your first assessment will vary based on your annual gross revenue, as noted in the table below.
| Tier | Revenue Threshold | Audit Period | Report Deadline |
|---|---|---|---|
| 1 | Annual gross revenue for 2026 exceeds $100 million as of January 1, 2027 | January 1, 2027, through January 1, 2028 | April 1, 2028 |
| 2 | Annual gross revenue for 2027 is between $50 million and $100 million as of January 1, 2028 | January 1, 2028, through January 1, 2029 | April 1, 2029 |
| 3 | Annual gross revenue for 2028 is under $50 million as of January 1, 2029 | January 1, 2029, through January 1, 2030 | April 1, 2030 |
After April 1, 2030, if on January 1 your processing of consumers’ personal information presents a significant risk, then a cybersecurity audit must be performed covering the next 12 months, with the audit report due by April 1 of the following year.
Who Can Conduct the CCPA Cybersecurity Audit? Does It Have to Be Independent?
The CPPA requires that the audit be performed by a qualified, objective, and independent professional. The auditor must follow recognized auditing standards, such as those established by the American Institute of Certified Public Accountants (AICPA) or the International Organization for Standardization (ISO). Additionally, it is expected that the auditor has knowledge of cybersecurity and how to audit a cybersecurity program.
The audit professional can be an internal resource. However, there are additional requirements that must be met to maintain the internal auditor’s independence:
- Reporting & Evaluation: The highest-ranking internal auditor must report directly to a member of the business’s executive management team who is not responsible for the business’s cybersecurity program. This executive member must also perform the auditor’s performance evaluation and determine their compensation.
Depending on the size of your business and the division of responsibilities, it can be difficult for an internal auditor to remain independent of the cybersecurity program so as not to audit their own work or be influenced by management. In practice, most organizations subject to this requirement will find it prudent to hire an external auditor to perform the assessment, given the challenges of satisfying the independence criteria internally.

Timing the Audit: What the Audit Period Actually Means in Practice
Like other audits or assessments, the auditor will determine the appropriate nature and timing of their test procedures in accordance with the standards they are using to perform the audit. In general, since the audit is covering a period of time with a start and end date, the audit will need to be performed at some point during that period, and can extend beyond the period for certain procedures. However, one touch point or testing round near the beginning of the period would not be sufficient to cover the entire audit period.
What Does the Auditor Actually Examine? A Look at CCPA Cybersecurity Audit Scope
The primary purpose of the audit is to assess how the business’s cybersecurity program protects personal information from unauthorized access, destruction, use, modification, or disclosure; and protects against unauthorized activity resulting in a loss of availability of personal information.
The auditor will evaluate how well your company establishes, documents, and maintains its security policies. While the rules consider your company’s size, complexity, and implementation costs, the auditor will review several baseline technical components related to the following areas:
- Authentication & Access Management
- Encryption
- Inventory Management
- Vulnerability Management
- Network Security and Threat Detection
- Incident Response
- Cybersecurity Awareness
- Change Management
- Vendor Management
- Business Continuity and Disaster Recovery
- Audit-log management
Auditors may also include other areas of a cybersecurity program based on their evaluation and understanding of your business. Further, the auditor is assessing the operating effectiveness of controls, and is required to support their conclusion with evidence. A common pitfall we see when performing cybersecurity audits is companies that have robust policies in place but have not implemented procedures in accordance with the policies, or have not implemented formal documentation or audit trails to evidence the actions performed. As you prepare for the scope of the audit, it is important to identify how you will evidence the completion of the control/task to the auditor.

What’s in the Final Audit Report & Who Has to Sign Off?
Upon completion of the audit, your auditor will provide a formal, documented cybersecurity audit report, which must include a description of the business along with the testing performed and the results of the audit.
The final report must include the following:
- System Description: A description of your business’s information systems, including the policies, procedures, and controls audited, and the criteria used for the evaluation.
- Description of Testing: A description of the testing performed, evidence examined, and methods used by the auditor.
- Scope and Policy Compliance: Identification of the applicable components assessed, and a description of how the business implements and enforces compliance with policies and procedures.
- Gap Identification: A detailed log of any discovered gaps or weaknesses.
- Remediation Roadmaps: A remediation plan documenting your strategy to fix identified gaps.
- Responsible Parties: Title(s) of individuals responsible for the business’s cybersecurity program, including the auditor’s name, affiliation, and relevant qualifications.
- Auditor Sign-off: A signed and dated statement from the highest-ranking auditor certifying that they performed an independent review of the cybersecurity program and did not rely primarily on management’s assertions.
- Breach History: Sample copies or descriptions of any data breach notifications sent to consumers or California state regulatory agencies over the audit period.
Both your business and your auditor are required to retain all documents and evidence related to the audit, including the audit report, for at least five years.
Can a SOC 2 or ISO 27001 Report Satisfy the CCPA Cybersecurity Audit?
Yes. The regulation allows businesses to utilize other cybersecurity audits or assessments, but all requirements must still be met. If your existing assessment does not cover all the required components, your auditor can supplement it with the missing components rather than redoing or retesting the entire process. If your organization already undergoes other security assessments, such as a SOC 2 Type 2 examination or ISO 27001, many of the required components of the cybersecurity audit may already be covered. In that case, your auditor will only need to focus on the components not specifically addressed by those frameworks.
While the scope of other assessments can vary, common components that will likely need additional work include: inventory and management of personal information; network monitoring and defenses; oversight of service providers, contractors, and third parties; and retention schedules and proper disposal of personal information. Also, the timing of other assessments may need to be shifted to correspond with the timing of the cybersecurity audit. Further, in most cases supplemental testing will likely need to be performed unless the other assessments were planned to account for all of the cybersecurity audit requirements.

The Final Step: Submitting Your Certification to the CPPA
After receiving the audit report, the business is required to submit to the CPPA a written certification that the business completed the cybersecurity audit as required by the CCPA regulations. The certification is to be completed by a member of the business’s executive management team who is directly responsible for cybersecurity audit compliance, has knowledge of the business’s cybersecurity audit, and has the authority to submit the certification on behalf of the business. This certification must be submitted through the CPPA website by April 1.
Other Frequently Asked Questions About the CCPA
These are some common questions clients also ask us when it comes to CCPA compliance.
Who Enforces the CCPA?
The CPPA is responsible for implementing and enforcing the CCPA, among other responsibilities such as promoting the awareness of consumers’ rights and business responsibilities as they relate to the CCPA.
Is CCPA a Federal or State Law?
The CCPA is a state law implemented in California and applies to for-profit businesses that do business in California, collect consumers’ personal information, determine why and how the information will be processed, and meet certain revenue or processing thresholds.
Work With an Auditor Who Knows CCPA Cybersecurity Audits
As an independent audit firm specializing in IT audits, Linford & Company can perform the annual cybersecurity audit and provide the required audit report. Additionally, we can perform readiness assessments for your business to help you as you prepare for your first audit. We also offer a number of different audit services, such as SOC 2 and ISO 27001, which can be used to support the annual cybersecurity audit.
If you would like more information about our services and how we can assist you, please feel free to contact us.
