---
title: "What should teams do about Risk And Cyber Audits under the US CCPA?"
canonical_url: "https://www.sorena.io/artifacts/us/california-consumer-privacy-act/faq/risk-and-cyber-audits"
source_url: "https://www.sorena.io/artifacts/us/california-consumer-privacy-act/faq/risk-and-cyber-audits"
author: "Sorena AI"
description: "US CCPA guidance for Risk And Cyber Audits, with practical decisions, evidence, edge cases, and external source citations."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "US CCPA"
  - "Risk And Cyber Audits"
  - "US CCPA Risk And Cyber Audits"
  - "compliance checklist"
  - "practical guidance"
  - "Compliance"
  - "Regulatory guidance"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# What should teams do about Risk And Cyber Audits under the US CCPA?

US CCPA guidance for Risk And Cyber Audits, with practical decisions, evidence, edge cases, and external source citations.

*Artifact Guide* *US* *Risk And Cyber Audits*

## US CCPA Risk And Cyber Audits

Risk And Cyber Audits decisions under the US CCPA should be written in operational language: who is in scope, what must happen, what evidence proves it, and when escalation is needed.

This guide converts official requirements into scope, evidence, ownership, and review decisions for practical implementation, supporting implementation planning and should be validated against jurisdiction-specific legal, contractual, and policy requirements before implementation.

This page maps US CCPA risk assessments and cybersecurity audits to the concrete workflow teams need: who must do them, what activities trigger them, when the first deadlines arrive, what evidence to keep, and what to submit to the California Privacy Protection Agency.

## What should teams do about Risk And Cyber Audits under the US CCPA?

Teams should treat Risk And Cyber Audits under the US CCPA as an operating workflow, not a generic privacy note: identify whether the business must do a risk assessment before selling or sharing personal information, processing sensitive personal information, using ADMT for a significant decision, or using personal information to train ADMT or AI; identify whether the business must do a cybersecurity audit because its processing presents significant risk to consumers' security; then assign legal, privacy, security, compliance, and executive owners who can approve the work and preserve evidence.

For cybersecurity audits, the first report deadlines in the regulations are April 1, 2028 for qualifying businesses with 2026 revenue above $100 million, April 1, 2029 for qualifying businesses with 2027 revenue between $50 million and $100 million, and April 1, 2030 for qualifying businesses with 2028 revenue below $50 million. For risk assessments, the regulations require the assessment before the processing starts, with older processing that continued into the effective period documented by no later than December 31, 2027.

- Write the Risk And Cyber Audits decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated Decisionmaking Technology (ADMT), and Insurance Regulations](https://cppa.ca.gov/regulations/ccpa_updates.html?ref=sorena.io) - The CPPA final rulemaking page confirms that the adopted CCPA regulations implement risk-assessment and annual cybersecurity-audit requirements for covered businesses.
- [Laws & Regulations](https://cppa.ca.gov/regulations/?ref=sorena.io) - The CPPA regulations page is the official hub for CCPA rulemaking materials, including the final cyber, risk, ADMT, and insurance regulation documents.
- [Final Regulations Text](https://cppa.ca.gov/regulations/pdf/ccpa_updates_cyber_risk_admt_appr_text.pdf?ref=sorena.io) - The final CPPA regulations text contains the operative definitions and report requirements for CCPA cybersecurity audits and risk assessments.

## What evidence should teams keep for Risk And Cyber Audits under the US CCPA?

Useful evidence is not just a privacy policy. Keep the source, threshold notes, notices, request logs, vendor terms, audit workpapers, approval trail, and submission records together so the team can show who made the decision, what triggered it, and when the report or certification was due.

For cybersecurity audits, the business and auditor must retain documents relevant to each audit for at least five years after completion, and the audit report must identify the systems assessed, the evidence reviewed, the gaps found, and the plan to address them. For risk assessments, the business must retain the assessment for as long as the processing continues or for five years after completion, whichever is later.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [Laws & Regulations](https://cppa.ca.gov/regulations/?ref=sorena.io) - The CPPA regulations page is the official hub for CCPA rulemaking materials, including the final cyber, risk, ADMT, and insurance regulation documents.
- [Final Regulations Text](https://cppa.ca.gov/regulations/pdf/ccpa_updates_cyber_risk_admt_appr_text.pdf?ref=sorena.io) - The final CPPA regulations text contains the operative definitions and report requirements for CCPA cybersecurity audits and risk assessments.
- [Final Regulations Text](https://cppa.ca.gov/regulations/pdf/ccpa_updates_cyber_risk_admt_appr_text.pdf?ref=sorena.io) - The CPPA regulations define the risk assessment report as the record used to document required risk-assessment information.

## Which mistakes create risk when handling Risk And Cyber Audits under the US CCPA?

The common failure pattern is treating CCPA as one static notice instead of checking each trigger condition, deadline, and evidence requirement against current source material. Teams also create risk when they miss the specific owner for the audit or assessment, fail to preserve the required records, or assume a completed assessment can never need updating after a material change.

For cybersecurity audits, the audit has to be independent and objective, and the business must make relevant information available to the auditor. For risk assessments, the business must review and update them at least once every three years and within 45 calendar days after a material change that affects the processing or reduces the effectiveness of safeguards.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated Decisionmaking Technology (ADMT), and Insurance Regulations](https://cppa.ca.gov/regulations/ccpa_updates.html?ref=sorena.io) - The CPPA final rulemaking page confirms that the adopted CCPA regulations implement risk-assessment and annual cybersecurity-audit requirements for covered businesses.
- [Laws & Regulations](https://cppa.ca.gov/regulations/?ref=sorena.io) - The CPPA regulations page is the official hub for CCPA rulemaking materials, including the final cyber, risk, ADMT, and insurance regulation documents.
- [Final Regulations Text](https://cppa.ca.gov/regulations/pdf/ccpa_updates_cyber_risk_admt_appr_text.pdf?ref=sorena.io) - The final CPPA regulations text contains the operative definitions and report requirements for CCPA cybersecurity audits and risk assessments.
- [Final Regulations Text](https://cppa.ca.gov/regulations/pdf/ccpa_updates_cyber_risk_admt_appr_text.pdf?ref=sorena.io) - The CPPA regulations define the risk assessment report as the record used to document required risk-assessment information.

## Primary sources

- [CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated Decisionmaking Technology (ADMT), and Insurance Regulations](https://cppa.ca.gov/regulations/ccpa_updates.html?ref=sorena.io) - The CPPA final rulemaking page confirms that the adopted CCPA regulations implement risk-assessment and annual cybersecurity-audit requirements for covered businesses.
  - Quote: "implemented requirements for certain businesses to conduct risk assessments and complete annual cybersecurity audits"
- [Laws & Regulations](https://cppa.ca.gov/regulations/?ref=sorena.io) - The CPPA regulations page is the official hub for CCPA rulemaking materials, including the final cyber, risk, ADMT, and insurance regulation documents.
  - Quote: "To fulfill its duties, the Agency is authorized to adopt and amend regulations through the Administrative Procedures Act"
- [Final Regulations Text](https://cppa.ca.gov/regulations/pdf/ccpa_updates_cyber_risk_admt_appr_text.pdf?ref=sorena.io) - The CPPA regulations define the risk assessment report as the record used to document required risk-assessment information.
  - Quote: "Risk assessment report means the document that every business that is required to conduct a risk assessment must create"
- [How to Implement Global Privacy Control (GPC) for Publishers](https://globalprivacycontrol.org/implementation?ref=sorena.io) - GPC implementation guidance supports the opt-out signal evidence referenced alongside CCPA control testing.
  - Quote: "Sites that detect GPC may interpret the signal in a variety of ways"

## Topic Guides

- [California CCPA/CPRA Opt Out Signal Workflow Guide](/artifacts/us/california-consumer-privacy-act/opt-out-signal-workflow.md): California CCPA/CPRA guidance for Opt Out Signal Workflow, with practical decisions, evidence, edge cases, and external source citations.
- [CCPA Global Privacy Control (GPC): team obligations and technical implementation](/artifacts/us/california-consumer-privacy-act/faq/gpc.md): US CCPA guidance for GPC, with practical decisions, evidence, edge cases, and external source citations.
- [How should teams decide whether US CCPA applies?](/artifacts/us/california-consumer-privacy-act/faq/thresholds.md): US CCPA guidance for Thresholds, with practical decisions, evidence, edge cases, and external source citations.
- [US CCPA Applicability Test Guide](/artifacts/us/california-consumer-privacy-act/applicability-test.md): Practical guidance for the US CCPA applicability test, with practical decisions, evidence, edge cases, and external source citations.
- [US CCPA Compliance Checklist](/artifacts/us/california-consumer-privacy-act/checklist.md): Practical guidance for the US CCPA checklist, with practical decisions, evidence, edge cases, and external source citations.
- [US CCPA Compliance Guide](/artifacts/us/california-consumer-privacy-act/compliance.md): Practical guidance for the US CCPA compliance, with practical decisions, evidence, edge cases, and external source citations.
- [US CCPA Consumer Rights Workflow Guide](/artifacts/us/california-consumer-privacy-act/consumer-rights-workflow.md): US CCPA guidance for Consumer Rights Workflow, with practical decisions, evidence, edge cases, and external source citations.
- [US CCPA Contract Classification Workflow Guide](/artifacts/us/california-consumer-privacy-act/contract-classification-workflow.md): US CCPA guidance for Contract Classification Workflow, with practical decisions, evidence, edge cases, and external source citations.
- [US CCPA Dark Patterns Guide](/artifacts/us/california-consumer-privacy-act/dark-patterns.md): US CCPA guidance for Dark Patterns, with practical decisions, evidence, edge cases, and external source citations.
- [US CCPA Data Broker Crossover Guide](/artifacts/us/california-consumer-privacy-act/data-broker-crossover.md): US CCPA guidance for Data Broker Crossover, with practical decisions, evidence, edge cases, and external source citations.
- [US CCPA Deadlines and Compliance Calendar Guide](/artifacts/us/california-consumer-privacy-act/deadlines-and-compliance-calendar.md): US CCPA guidance for Deadlines and Compliance Calendar, with practical decisions, evidence, edge cases, and external source citations.
- [US CCPA Do not sell or share Guide](/artifacts/us/california-consumer-privacy-act/do-not-sell-or-share.md): US CCPA guidance for Do not sell or share, with practical decisions, evidence, edge cases, and external source citations.
- [US CCPA Do Not Sell Share Implementation Guide](/artifacts/us/california-consumer-privacy-act/do-not-sell-share-implementation.md): US CCPA guidance for Do Not Sell Share Implementation, with practical decisions, evidence, edge cases, and external source citations.
- [US CCPA DSAR Verification Guide](/artifacts/us/california-consumer-privacy-act/dsar-verification.md): US CCPA guidance for DSAR Verification, with practical decisions, evidence, edge cases, and external source citations.
- [US CCPA DSAR Workflow Guide](/artifacts/us/california-consumer-privacy-act/dsar-workflow.md): US CCPA guidance for DSAR Workflow, with practical decisions, evidence, edge cases, and external source citations.
- [US CCPA Enforcement And Penalties Guide](/artifacts/us/california-consumer-privacy-act/enforcement-and-penalties.md): US CCPA guidance for Enforcement And Penalties, with practical decisions, evidence, edge cases, and external source citations.
- [US CCPA Financial Incentives Guide](/artifacts/us/california-consumer-privacy-act/financial-incentives.md): US CCPA guidance for Financial Incentives, with practical decisions, evidence, edge cases, and external source citations.
- [US CCPA GPC Signal Guide](/artifacts/us/california-consumer-privacy-act/gpc.md): US CCPA guidance for GPC, with practical decisions, evidence, edge cases, and external source citations.
- [US CCPA Minors Guide](/artifacts/us/california-consumer-privacy-act/minors.md): US CCPA guidance for Minors, with practical decisions, evidence, edge cases, and external source citations.
- [US CCPA Notice at collection Guide](/artifacts/us/california-consumer-privacy-act/notice-at-collection.md): US CCPA guidance for Notice at collection, with practical decisions, evidence, edge cases, and external source citations.
- [US CCPA penalties and fines Guide](/artifacts/us/california-consumer-privacy-act/penalties-and-fines.md): US CCPA guidance for penalties and fines, with practical decisions, evidence, edge cases, and external source citations.
- [US CCPA Personal And Sensitive Pi Categories Guide](/artifacts/us/california-consumer-privacy-act/personal-and-sensitive-pi-categories.md): US CCPA guidance for Personal And Sensitive Pi Categories, with practical decisions, evidence, edge cases, and external source citations.
- [US CCPA Privacy Law FAQ](/artifacts/us/california-consumer-privacy-act/faq.md): Practical guidance for the US CCPA FAQ, with practical decisions, evidence, edge cases, and external source citations.
- [US CCPA Privacy Notices And Disclosures Guide](/artifacts/us/california-consumer-privacy-act/privacy-notices-and-disclosures.md): US CCPA guidance for Privacy Notices And Disclosures, with practical decisions, evidence, edge cases, and external source citations.
- [US CCPA Privacy Policy Guide](/artifacts/us/california-consumer-privacy-act/privacy-policy.md): US CCPA guidance for Privacy Policy, with practical decisions, evidence, edge cases, and external source citations.
- [US CCPA Privacy Policy Template Guide](/artifacts/us/california-consumer-privacy-act/ccpa-privacy-policy-template.md): US CCPA guidance for CCPA Privacy Policy Template, with practical decisions, evidence, edge cases, and external source citations.
- [US CCPA Requirements Guide](/artifacts/us/california-consumer-privacy-act/requirements.md): Practical guidance for the US CCPA requirements, with practical decisions, evidence, edge cases, and external source citations.
- [US CCPA Risk And Cyber Audits Guide](/artifacts/us/california-consumer-privacy-act/risk-and-cyber-audits.md): US CCPA guidance for Risk And Cyber Audits, with practical decisions, evidence, edge cases, and external source citations.
- [US CCPA Scope and Thresholds Guide](/artifacts/us/california-consumer-privacy-act/scope-and-thresholds.md): US CCPA guidance for Scope and Thresholds, with practical decisions, evidence, edge cases, and external source citations.
- [US CCPA Service Provider Contractor And Third Party Contracts Guide](/artifacts/us/california-consumer-privacy-act/service-provider-contractor-and-third-party-contracts.md): US CCPA guidance for Service Provider Contractor And Third Party Contracts, with practical decisions, evidence, edge cases, and external source citations.
- [US CCPA Service Provider Contractor Contracts Guide](/artifacts/us/california-consumer-privacy-act/service-provider-contractor-contracts.md): US CCPA guidance for Service Provider Contractor Contracts, with practical decisions, evidence, edge cases, and external source citations.
- [US CCPA Thresholds Guide](/artifacts/us/california-consumer-privacy-act/thresholds.md): US CCPA guidance for Thresholds, with practical decisions, evidence, edge cases, and external source citations.
- [US CCPA vs CPRA Guide](/artifacts/us/california-consumer-privacy-act/ccpa-vs-cpra.md): US CCPA guidance for CCPA vs CPRA, with practical decisions, evidence, edge cases, and external source citations.
- [US CCPA vs GDPR Guide](/artifacts/us/california-consumer-privacy-act/ccpa-vs-gdpr.md): US CCPA guidance for CCPA vs GDPR, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about consumer request verification under the CCPA?](/artifacts/us/california-consumer-privacy-act/faq/dsar-verification.md): US CCPA guidance for consumer request verification, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about Dark Patterns under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/dark-patterns.md): US CCPA guidance for Dark Patterns, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about Data Broker Crossover under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/data-broker-crossover.md): US CCPA guidance for Data Broker Crossover, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about Do not sell or share under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/do-not-sell-or-share.md): US CCPA guidance for Do not sell or share, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about Financial Incentives under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/financial-incentives.md): US CCPA guidance for Financial Incentives, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about Minors under the California CCPA?](/artifacts/us/california-consumer-privacy-act/faq/minors.md): US CCPA guidance for Minors, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about Notice at collection under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/notice-at-collection.md): US CCPA guidance for Notice at collection, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about Personal And Sensitive Pi Categories under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/personal-and-sensitive-pi-categories.md): US CCPA guidance for Personal And Sensitive Pi Categories, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about Privacy Policy under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/privacy-policy.md): US CCPA guidance for Privacy Policy, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about Service Provider And Contractor Contracts under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/service-provider-and-contractor-contracts.md): US CCPA guidance for Service Provider And Contractor Contracts, with practical decisions, evidence, edge cases, and external source citations.

*Recommended next step*

*Placement: after the practical guidance*

## Turn US CCPA Risk And Cyber Audits into assigned work

This US CCPA guide turns Risk And Cyber Audits into owners, evidence requests, review checkpoints, and reusable operating records inside Sorena.

- [Open Assessment Autopilot for US CCPA](/solutions/assessment.md): Turn Risk And Cyber Audits into scoped questions, evidence fields, and review tasks.
- [Review US CCPA source evidence](/solutions/research-copilot.md): Use Research Copilot to answer follow-up questions with cited source material.
- [Talk through implementation](/contact.md): Review scope, evidence, owners, and the next compliance actions with Sorena.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/us/california-consumer-privacy-act/faq/risk-and-cyber-audits