Last week, the Society submitted this comment letter on the proposed California Consumer Privacy Act regulations – specifically as relates to the internal audit reporting structure for those in-scope companies that choose to use their internal audit function to conduct the required cybersecurity audit.
The Society proposed alternative language that would afford companies the flexibility to maintain the internal audit reporting structure that best suits their facts and circumstances, whether that be functional reporting to the audit committee or another board-level body (consistent with common and recommended best practices) or a member of senior management who does not have direct responsibility for the business’s cybersecurity program, as currently proposed.
This post first appeared in the weekly Society Alert!