Cyber accountability is rising: Is your organization ready for California’s new cybersecurity audit requirements?

  • Blog
  • April 07, 2026
Mark Cornish

Assurance Partner, PwC US

Organizations subject to the California Consumer Privacy Act (CCPA) should be preparing for a more demanding phase of privacy compliance. The focus is shifting from documented intent to demonstrable accountability—including defensible scoping, mapped controls, and evidence that cybersecurity practices are operating effectively over time. As audit expectations evolve, organizations should consider acting now to confirm applicability of the regulations and strengthen readiness before scrutiny intensifies.

CCPA is raising the bar for cyber accountability

Organizations subject to the California Consumer Privacy Act (CCPA) should be preparing for a more demanding phase of privacy compliance. With the updated regulations finalized in September 2025, the focus is shifting from whether an organization has documented privacy and cybersecurity practices to whether it can demonstrate, through independent audits supported by data and documentation, that those practices are functioning as intended.

Preparation may need to begin sooner than some organizations expect. Cybersecurity audit obligations under California’s updated framework begin phasing in during 2027 (less than 12 months from now), and the work required to define scope, map controls to the audit requirements within the rule, and demonstrate operating effectiveness throughout the calendar year may require significant time and cross-functional coordination.

Organizations may increasingly need to show that their privacy commitments are supported by a cybersecurity program that is appropriately scoped, governed effectively, and capable of withstanding an independent audit.

Three priorities for CCPA cybersecurity audit readiness

Organizations preparing for the CCPA independent audit requirement should focus on three priorities: a defensible scope, clearly defined and mapped control activities, and evidence that controls are operating effectively over time. The shift isn’t simply toward more documentation. It’s toward demonstrable accountability for safeguarding consumers’ personal information.

How organizations can prepare:

A defensible scope should be grounded in a data mapping exercise that identifies the systems and processes that collect, store, process, transmit, or provide access to personal information, as well as the categories of personal information involved. That mapping creates the foundation for determining which systems and processes fall within the audit scope and which do not.

Any scoping decision, particularly a decision to exclude systems or processes, should be supported by clearly documented rationale. This may include the facts considered, assumptions made, and any interpretations or judgment calls applied. If the basis for that conclusion is not current, clear, and well documented, it may be difficult to defend during an independent audit.

Many organizations have a foundation for managing cybersecurity risk through established frameworks such as the NIST Cybersecurity Framework (CSF), ISO/IEC 27001, Control Objectives for Information and Related Technology (COBIT), CIS Critical Security Controls, or similar enterprise control frameworks. They often have controls in place that are aligned to those frameworks and embedded in day-to-day operations. The opportunity then becomes demonstrating that those controls are organized, documented, and evidenced in a way that supports readiness for an independent audit. Beyond showing that controls exist, organizations should be prepared to demonstrate that they are implemented across the relevant inventory of information systems, operating effectively over time, and supported by sufficient and sustainable evidence.

A more mature approach includes clearly defined control activities, assigned owners, consistent execution of controls, and documented expectations regarding evidence and retention. Risk-based judgments may be appropriate, but they should be transparent, supportable, and traceable.

Readiness rarely breaks down because policies are missing. It breaks down because organizations can’t demonstrate that controls operate effectively across all relevant information systems over time. Well-designed controls are important, but design alone isn’t enough. Controls need to demonstrate consistent performance throughout the period under audit (under the CCPA requirements, the first cybersecurity audit period covers January 1, 2027 through January 1, 2028).

That’s why a readiness assessment is often valuable. Assessing current preparedness against specific requirements helps organizations identify scope gaps, evaluate whether controls are properly mapped and documented, determine whether evidence capture is sustainable, and assign clear accountability for remediation.

Actions to consider now

Organizations should consider the following actions:

  • Assess scope to confirm that information systems and processes have been appropriately identified and documented.
  • Assess whether control activities are clearly mapped to the independent audit requirements within the regulation and implemented across the defined scope of information systems, where necessary.
  • Assess whether evidence of control operation is being captured and retained in a manner that would support an independent audit.
  • Assess whether the rationale for risk-based decisions has been clearly documented so those judgments can withstand an independent audit.
  • Conduct a readiness assessment to identify—and remediate—scope, control, and evidence gaps before scrutiny increases.

The bottom line

Cyber accountability is coming due under California’s new cybersecurity audit requirements. For organizations preparing for the independent audit requirement, the question is no longer simply whether policies exist. The question is whether the organization can demonstrate, through data and documentation, that its cybersecurity program is appropriately scoped, effectively governed, and operating as intended. Those that assess these issues early should be better positioned as expectations continue to develop.
