Internal versus external auditor: Assessing options for CPPA cybersecurity audits


Contributors:
Patrick Austin
CIPP/E, CIPP/US, CIPM, FIP, PLS
Data Privacy & Cybersecurity Counsel
Woods Rogers Vandeventer Black PLC
Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
On 24 July, the California Privacy Protection Agency approved a sweeping rulemaking package that will establish new regulatory requirements, including a requirement that covered businesses conduct annual cybersecurity audits.
The rulemaking package now awaits formal approval by the California Office of Administrative Law. Once approved, covered California businesses should take steps to proactively prepare themselves for these new audit obligations, which can be found in Article 9 of the proposed regulations.
Whether to use an internal or an external auditor to conduct the cybersecurity audit is a key question companies will need to answer early on. Both options have pros and cons that must be weighed in the context of the company's organizational structure and cybersecurity program.
What the regulations say about auditors
According to Section 7122 of the looming CPPA regulations, covered businesses will need to select "a qualified, objective, independent" auditor, internal or external, to conduct the cybersecurity audit. The regulations stipulate that regardless of whether the auditor is internal or external to the business, they must use "procedures and standards accepted in the profession of auditing."
In addition, an auditor cannot solely rely on assertions made by a covered business. Instead, they must "primarily" base findings on specific evidence reviewed through the course of the audit. Moreover, an auditor is required to review and assess what security safeguards the company has in place; whether the company's cybersecurity program is "appropriate" based on its size, complexity and the nature and scope of the processing; and how the business implemented the security program.