Steps to Address the New California Audit Rule That Seeks to Reset Reasonable Security

A new California Privacy Protection Agency rule requires many companies to complete an annual cybersecurity audit that evaluates two dozen components. For each company that completes the requisite audit, the auditors’ resulting nonpublic report must detail the gaps found in the company’s cyber program along with the needed remediations, and a company executive is obligated to certify compliance publicly. While the first audit reports are not due until 2028, practitioners recommend that companies complete a robust internal audit in 2026 to leave ample time to shore up weak points in their cyber programs. With insights from Blank Rome, Perkins Coie, Polsinelli, and Shook Hardy & Bacon, this article sets out steps for companies to consider while conducting the recommended preparatory audits. It also examines the less-standard cyber controls among California’s required measures, cost and timing concerns, and the risks tied to the ultimate audit report. See “Show Me the Data: How to Conduct Audits for Data Minimization” (Nov. 18, 2020).

Continue reading your article with a CSLR subscription.