IAPP Privacy. Security. Risk. + AI Governance Global 2026
Seattle
6-9 October
Conference
8-9 Oct.
Training
6-7 Oct.
Workshops
7 Oct.
CCPA Article 9: Preparing for a New Kind of Audit
Thursday, 8 Oct.
14:15 - 15:15 PDT
Intermediate level
CCPA Article 9 creates the first mandatory annual cybersecurity audit obligation for covered businesses above USD100 million in revenue — and it is meaningfully different from the framework assessments most companies already conduct. This session examines what Article 9 actually requires: 18 enumerated control domains, an evidence standard that goes beyond management assertions to independent operational effectiveness testing, a prescribed report format under §7123(e), and an annual executive certification under §7124 signed under penalty of perjury. It also addresses the auditor independence constraint under §7122(a)(2) and the architectural decision it forces. Attendees will leave with the substantive grounding to evaluate what Article 9 actually requires, identify where existing programs fall short, and make the structural decisions that cannot wait until 2027.
What you will learn:
- How Article 9 imposes an evidence standard that goes beyond framework alignment — controls must be verified through independent operational effectiveness testing, not management assertions, which is a materially different bar than most companies have met before.
- How the §7124 annual certification attaches personal liability to a named executive signing under penalty of perjury, making this a board and C-suite conversation with stakes beyond organizational compliance.
- How §7122(a)(2) creates an auditor independence constraint that must be resolved before any assessor is engaged — for companies with existing advisory relationships, this decision may already be overdue.
Sponsored by FTI Consulting
Featured in this session

Michael Spadea
CIPP/US
Senior Managing Director, U.S. Practice Lead Info Gov, Privacy, and Security
FTI Consulting