Find what DCC would find.
Before they do.

When we finish this engagement, you’ll have a specific set of documents, records, and outcomes in your possession. These are not work-product narratives or ‘summary memos.’ They are archivable artifacts — cited, timestamped, and defensible against future renewal review, acquisition diligence, or DCC enforcement inquiry.

The seven outputs, in detail

• Comprehensive written audit report. 30–80 pages depending on scope, organized by CCR subsection with severity classification on every finding. Each entry cites the regulation, describes the observed condition, quantifies the exposure, and recommends the corrective action. The report is the primary work product and the document that drives every subsequent remediation step.
• Executive summary of findings. A 3–5 page board-ready summary organized by severity band (critical / major / minor), total count per band, estimated exposure in dollars, and the 30/60/90 day remediation plan. Written for a CEO or GM who needs the operational picture without reading the full CCR subsection annex.
• Severity-classified findings matrix with CCR citations. A tabular index tying every finding to its CCR subsection, BPC statute, or DCC form, with severity, estimated remediation cost, and named owner. The same matrix DCC enforcement staff use internally when building a Notice to Comply — we deliver it to you first.
• Visual evidence package. Timestamped and GPS-tagged photographs of cited conditions, annotated METRC screenshots showing specific package or manifest issues, and video stills from surveillance where camera coverage gaps or retention failures are noted. Every image survives chain-of-custody challenge.
• Prioritized Corrective Action Plan. CAPA in the exact format DCC expects under the BPC 26031(b) factor analysis — root cause, corrective action, preventive control, responsible personnel, completion deadline, and effectiveness verification for every critical and major finding. Ready to file as-is if a Notice to Comply lands.
• Regulatory exposure quantification. Estimated fine range per finding using the per-violation, per-day framework of BPC 26031(a), aggregated by severity band. Includes secondary exposures (licensure, CEQA, CDTFA) where the finding touches more than one regulatory regime. Lets you prioritize remediation spend against actual enforcement risk.
• Remediation tracker and follow-up schedule. A living document maintained from finding through closure, with evidentiary attachments (photos of corrected condition, revised SOPs, training logs, vendor invoices). Closed findings are archived with signoff; open findings carry a deadline and an owner until they close.

Format and delivery

Every document is delivered in editable source (Word or Pages) and final PDF. File naming follows a consistent convention so the compliance vault stays auditable. Records are retained for 7 years per CCR 15037 where applicable, and for 5 years under our own engagement retention policy regardless. The audit report is attorney-client privileged work product when engaged under counsel’s direction; the default engagement is not privileged, and we will flag this before fieldwork begins.

Defensibility anchor

Every recommendation cites a specific regulation, statute, or DCC form number. CCR 15006 for premises diagrams, CCR 15037 for record retention, CCR 15044–15047 for surveillance, CCR 15048 and BPC 26069 for waste, CCR 15046 for METRC track-and-trace, CCR 15003 and 15004 for owner and financial-interest-holder disclosures. When DCC, an auditor, a diligence team, or your counsel asks ‘why this recommendation?’ the answer is in the margin of the document, not in an email thread.

What’s not included

Privileged legal analysis (accusation defense, administrative litigation strategy), financial attestation work (tax-return preparation, GAAP audit), and capital-raise documentation are explicitly outside this scope. Where those are needed, we coordinate with retained counsel or refer to specialist firms from our network. The engagement letter names this boundary from day one so there is no ambiguity about who owns what.

Most compliance engagements feel opaque because firms guard their process. The work below is the opposite — exactly what happens, in order, and when each deliverable lands.

The playbook

• Scope & Intake. We review your license portfolio across CLEaR, CLS, and MLS, the licensed premises footprint, operational complexity, prior enforcement history on the DCC compliance-action record, and your audit objectives. The scoping document maps the engagement to the four named focus areas (mock inspection, METRC, pre-renewal, post-citation) and lists every CCR subsection within scope. You receive it within 2 business days of intake, signed before any document request goes out.
• Document Request. We send a secure document request list covering METRC export from the Franwell API, your full Form DCC-LIC-019 SOP package, training records under your internal training program, security and surveillance plans, the as-filed premises diagram under CCR 15006, the waste-destruction log under CCR 15048, owner and FIH disclosure schedules under CCR 15003–15004, and CDTFA filing history. Clients upload to our secure portal before on-site work begins, and we run the desktop pre-review against the documents so the on-site day is spent verifying what the records show.
• On-Site Audit Visit. A senior compliance analyst conducts the on-site audit — typically 1 full day for a single-premises retailer, 2–3 days for a vertically integrated operator with cultivation and manufacturing under one license stack. We walk the premises against the diagram, observe operations end to end, interview security and inventory staff using a structured script modeled on the DCC investigator interview, conduct physical-to-METRC inventory sampling under CCR 15046, and pull historical surveillance footage to verify CCR 15044 90-day retention. Critical findings are flagged the same day so remediation begins before the report is even drafted.
• Findings Analysis. We analyze all collected evidence against current DCC regulations and the Disciplinary Guidelines (amended July 2022). Each finding is classified by severity (critical / major / minor) using the BPC 26031(b) factor analysis, mapped to a specific CCR subsection or DCC form, and quantified for regulatory exposure using the per-violation per-day fine framework of BPC 26031(a). Where a finding crosses into adjacent regulatory regimes (CDTFA tax remittance, Cal-OSHA training records, local authorization currency), the secondary exposures are flagged separately so remediation spend can be prioritized against actual enforcement risk.
• Audit Report Delivery. Within 10 business days of the on-site visit, you receive the comprehensive written audit report (30–80 pages depending on scope) with executive summary, severity-classified findings matrix with CCR citations, visual evidence package, prioritized CAPA in DCC-expected format, and the remediation tracker. The report is delivered in editable Word source plus final PDF, version-controlled and named against a consistent convention so the compliance vault stays auditable over the 7-year CCR 15037 retention horizon.
• Remediation Support. Optional follow-up where we guide remediation of every critical and major finding, re-photograph cited conditions once corrected, update SOPs against revised practice, and re-audit before your next DCC inspection or license renewal cycle. Closure of every finding is documented with an evidentiary attachment so the remediation record itself becomes part of the BPC 26031(b) good-faith mitigation factor if a Notice ever lands on the same subsection.

Duration and rhythm

From intake to report delivery is typically 2–3 weeks for a single-premises engagement and 4–6 weeks for a vertically integrated operator with multiple licensed premises. Rush audits scoped to a known DCC visit, an imminent renewal, or a Notice already in hand can be completed in 7–10 days. Quarterly retainer cadence is shorter at each cycle because baseline documentation is already established and the work focuses on the rotating scope (Q1 disclosure, Q2 security, Q3 METRC, Q4 renewal) plus open remediation items from prior quarters.

Who you work with each phase

One named senior compliance analyst owns the engagement from scoping through report delivery and remediation support — the same person on the kickoff call, the on-site visit, the findings call, and every remediation checkpoint. Specialist contributors come in at the milestones their work demands: a METRC reconciliation specialist for the Franwell pull, a CCR 15006 diagram reviewer where premises drift is suspected, a former DCC investigator for the mock inspection where one is in scope. Where the engagement runs under counsel direction for privilege, we report directly to your retained counsel and the work product carries attorney-client privilege from the first photograph forward.

• What does a compliance audit cost?. Standalone compliance audits range from $3,500 for single-premises cultivation or retail audits to $8,500+ for complex multi-premises or vertically integrated operations. Audits are included at no additional cost in the Standard and Premium compliance retainer tiers.
• How long does a compliance audit take?. Typical engagement: 2 business days for scoping and document review, 1–3 days on-site, and 10 business days for report delivery. Total elapsed time is 2–3 weeks. Rush audits (for imminent renewals or post-citation response) can be completed in 7–10 days.
• What's the difference between an internal audit and a mock DCC inspection?. An internal audit is a comprehensive review of all compliance records and documents. A mock DCC inspection is a surprise visit simulating how DCC inspectors actually show up — unannounced, asking for specific records on the spot, observing operations in real-time. Most clients start with an internal audit, then schedule a mock inspection 60–90 days before renewal.
• Do you audit METRC records?. Yes — METRC audit is a core component. We review UID tags, harvest batch creation compliance, package lifecycle, transfer manifests, and identify every discrepancy. For deeper METRC work we recommend our dedicated METRC Reconciliation service.
• Can you audit before a DCC inspection?. Absolutely — that's one of the most common engagement types. Pre-inspection audits (or pre-renewal audits) are scheduled 30–90 days before an expected DCC visit or renewal deadline to identify and close compliance gaps.
• What's in the audit report?. Executive summary, scope and methodology, findings classified by severity (critical/major/minor), specific CCR citations per finding, photo and document evidence, estimated fine exposure per finding, and a prioritized Corrective Action Plan with remediation timeline.
• What if the audit finds critical issues?. Critical findings are flagged immediately (not held for the report). You're notified same-day so remediation can begin. We help prioritize remediation by enforcement risk and coordinate follow-up verification once corrective actions are complete.
• Do you audit multi-premises operations?. Yes — our multi-premises audit synchronizes fieldwork across all licensed locations, identifies cross-site inconsistencies in SOPs and procedures, and produces consolidated reporting for executive review. We've audited vertically integrated operations with 5+ licensed premises.
• Can you audit a facility that's about to open?. Yes — our pre-opening readiness audit (facility readiness verification) validates your premises, SOPs, security systems, METRC setup, and first-harvest or first-sale readiness before DCC pre-licensure inspection. Best scheduled 30 days before anticipated DCC visit.
• How often should we audit?. Annual audits are minimum best practice. Operators in first year of license, operators with prior citations, and multi-premises operations benefit from quarterly or semi-annual audits. Our Standard retainer includes one full audit per year; Premium includes a mid-year review as well.
• Do audits cover CDTFA tax compliance?. Yes — our financial compliance module audits CDTFA cultivation tax, excise tax remittance, sales tax filings, and 280E tax posture. We identify missed remittances and reconciliation gaps between METRC and sales records. For deeper tax work we refer to specialist tax advisors.
• Will DCC see our audit report?. No — our audit report is attorney-client privileged work product when requested. You own the report and control whether, when, and to whom it's disclosed. We recommend sharing with your compliance counsel and senior leadership only; never with DCC unless strategically advantageous.

Compliance audit work breaks cleanly into four operational areas (with a fifth, multi-premises, as a structural overlay for vertically integrated operators). These are named responsibilities — not coordination tasks, not support roles, not ‘keep you informed’ meetings. Where we own, we run the fieldwork, draft the findings, and build the CAPA. Where you own, we coordinate in support but the decision remains yours.

When DCC asks ‘why did you recommend this?’, we cite the regulation. When an auditor asks ‘what is this based on?’, we cite the CCR subsection. When counsel reviews the CAPA package, the chain from observed condition to cited authority to corrective action is visible on the first page. The specificity matters — it is the difference between advisory opinion and defensible compliance work, and it is what survives a deficiency response, a Notice to Comply, an ownership change, and a buyer’s diligence three years later.

California cannabis compliance sits on top of a four-layer regulatory stack: state statute (Business & Professions Code Division 10, starting at BPC 26000), state regulation (California Code of Regulations Title 4 Division 19, the CCR 15000 series for general licensing plus the cultivation, manufacturing, and distribution-specific subseries), the DCC Disciplinary Guidelines (amended July 2022) governing the enforcement matrix, and the local cannabis ordinance of the premises jurisdiction. The audit works from all four simultaneously, with each finding resolved against the most specific authority that governs it.

Business & Professions Code (statute)

• BPC 26013 — DCC regulatory authority. Establishes the Department’s rulemaking authority, inspection rights, and subpoena powers. The basis for unannounced premises inspection during operating hours, examination of records on demand, and formal interviews with employees on premises.
• BPC 26031 — enforcement authority and fine framework. Authorizes administrative fines up to $5,000 per violation per day for licensees and up to $30,000 per violation per day for unlicensed activity. The BPC 26031(b) factor analysis governs fine mitigation and is the framework every CAPA we draft is structured against.
• BPC 26031.5 — accusations and license discipline. Authorizes the Department to bring an accusation seeking suspension or revocation for serious or repeated violations. Findings that touch this section are the ones we engage under counsel direction so the audit work product carries privilege.
• BPC 26051.5 — application requirements (carried forward at renewal). The statutory list of disclosures, fingerprints, financial-interest disclosures, and operating procedures that must remain accurate over the life of the license. Material-change drift against this baseline is a recurring renewal-cycle finding.
• BPC 26055 — local authorization. No DCC license remains valid without continuing local authorization at the licensed premises. Lapsed local permits are the most common renewal-cycle blocker and the easiest finding to miss without a calendar-driven check.
• BPC 26069 — cannabis waste destruction. Statutory requirement that cannabis waste be rendered unusable and unrecognizable before disposal. Operationalized through the CCR 15048 procedural rules and the METRC waste-event reporting cadence.

California Code of Regulations Title 4 Division 19 (DCC operational rules)

• CCR 15000.6 — employee minimum age. All employees on a licensed premises or handling cannabis must be 21 or older. A common quiet finding when staffing scales quickly without an HR check on every new hire.
• CCR 15003 — Owner definition and disclosure. Defines who must be disclosed as an Owner (any individual with 20% or greater aggregate ownership, any CEO or board member, any individual who participates in management or direction, or any individual entitled to profits from a 20%-or-greater share). Misclassification surfaces as an “undisclosed owner” finding two years into operations.
• CCR 15004 — Financial Interest Holder disclosure. Captures every passive investor, profit-sharing landlord, profit-participating lender, and revenue-share consultant below the 20% Owner threshold. The schedule that prevents an undisclosed-interest finding at a diligence event or whistleblower report.
• CCR 15006 — premises diagram. Sets the scale, labeling, and content standards for the as-filed premises diagram. Inspectors compare this to the physical site at every visit; mismatches trigger Notices to Comply and are the most common citation pattern at surprise inspection.
• CCR 15020 — notification of changes. Material changes (ownership, premises, officers, DRP) must be reported within 14 business days. The deadline that converts a recoverable disclosure into a willful concealment finding when missed.
• CCR 15037 — record retention. Seven-year retention floor for most commercial cannabis activity records, including sales, manifests, METRC data, lab COAs, personnel files, security incidents, SOP versions, and DCC correspondence. The most-cited subsection in routine DCC inspections.
• CCR 15042 — limited-access areas. Defines who may enter back-of-house and storage areas (employees, logged vendors and contractors, logged outside professionals, DCC inspectors, law enforcement) and prohibits public access. Visitor-log gaps and unauthorized presence are common findings on first inspection.
• CCR 15044–15047 — video surveillance. 24/7 recording at minimum 1280×720 resolution, 90-day retention floor, backup power for outage continuity, coverage of every entry/exit, point-of-sale, limited-access area, and vault. The plan is the document inspectors test with a stopwatch and a tape measure.
• CCR 15048 — waste management. Cannabis waste rendered unusable and unrecognizable before disposal, logged in METRC, routed through a licensed hauler or self-hauled to an authorized facility. The waste log is the page DCC inspectors check first on a manufacturing or cultivation visit.

DCC Forms (the operational documents)

• Form DCC-LIC-019 — consolidated Standard Operating Procedures. The single SOP package that replaced the legacy BCC, CDFA, and CDPH SOP forms in February 2022. Covers inventory, security, quality control, transportation, delivery, and waste; required at application for cultivators and provided-on-request for other license types but maintained on premises in either case.
• Form 9205 — Labor Peace Agreement notarized statement. Required for licensees with 10 or more employees per the July 2024 threshold change (lowered from the prior 20-employee threshold). Either the notarized attestation to enter into an LPA or the executed signature page; under-10 operators carry a forward attestation to enter into an LPA within 60 days of hiring the 10th employee.
• Form DCC-LIC-027 — notifications and modifications. The post-issuance form for premises changes, ownership changes, DRP changes, and license-type modifications. Material changes require prior DCC approval; minor changes are notification-only; the form is the gate either way and the audit drafts it whenever drift is detected.

How the authorities interact

BPC 26013 and BPC 26031 establish the inspection and enforcement powers under which the audit operates — everything DCC can do at the premises and on the record traces back to those two sections. CCR Title 4 Division 19 then governs the operational obligations themselves, with each operational rule (15006 diagram, 15042 limited-access, 15044–15047 surveillance, 15048 waste, 15037 retention) carrying its own per-violation per-day exposure. The DCC Disciplinary Guidelines convert findings into severity bands and proposed fines, BPC 26031(b) provides the mitigation framework that the CAPA is structured against, and the local cannabis ordinance sits alongside as the BPC 26055 prerequisite that keeps the state license valid in the first place. If any one layer falls out of sync — surveillance retention drops below 90 days, ownership shifts without a Form DCC-LIC-027 filing, the local permit lapses, the SOP no longer matches practice — the entire stack becomes vulnerable. The audit’s job is to keep all four layers aligned through the next inspection, the next renewal, and the next ownership event.

Deliverables are what we produce. Outcomes are what those deliverables enable — the specific operational results that follow from the work being done right the first time. The twelve outcomes below cover what an audit engagement actually buys you once the fieldwork closes and the remediation cycle completes.

Twelve outcomes, in detail

• Full premises compliance audit aligned with the live DCC inspection criteria. Every operational obligation under the CCR 15000 series tested against actual practice on the floor, with each finding mapped to a specific subsection and severity-classified for prioritization. The same scope an unannounced DCC inspector would run, documented in the same format. Multi-premises operators get a synchronized run across sites with cross-site SOP-deviation analysis layered on top.
• METRC record audit reconciled to the package level. UID tag accuracy verified against the Franwell active-package set, harvest batch creation tested against the one-business-day deadline, transfer manifest review for the 24-hour reporting obligation, package lifecycle traceability from intake through final disposition, and every variance worked to root cause with the recommended adjustment. Late receipt acceptances, stale API keys for terminated employees, and missing destruction events are the recurring patterns that surface CCR 15046 exposure.
• SOP library reviewed for the disconnect that DCC tests first. Form DCC-LIC-019 SOP package read against actual practice on the floor (the most common Notice to Comply trigger is the gap between written procedure and observed behavior), record-retention completeness verified under CCR 15037 (7-year minimum), and gap identification with red-line recommendations for each procedure that needs revision. SOP-to-practice alignment is tested by structured staff interviews, not by reading the binder.
• Security system compliance verified end to end. Camera position and field-of-view tested against the surveillance plan, 1280×720 minimum resolution and 24/7 recording verified at the DVR, 90-day retention pulled and viewed as a spot-check, alarm-system function and central-station monitoring confirmed, panic-button and access-log review at points of sale and limited-access boundaries. CCR 15042–15047 satisfied, including the limited-access area definitions that catch operators with unauthorized public access to back-of-house spaces.
• Premises diagram reconciled to the building DCC actually finds. Walk-through against the as-filed CCR 15006 diagram with every camera, every limited-access boundary, and every cannabis storage location verified in place. Where drift has occurred, Form DCC-LIC-027 premises-modification filings are drafted ready to submit (some changes require prior DCC approval; some are notification-only; we name which is which). Diagram-versus-physical mismatch is among the most-cited findings on first inspection — eliminated at the source.
• Employee compliance documentation defensible at inspection. 21+ age verification confirmed for every employee on premises under CCR 15000.6, training records audited for completeness against your internal training program (the inspector will ask staff to demonstrate procedures and compare to the written SOP), Live Scan completion confirmed for owners under BPC 26051.5(a)(3), and Labor Peace Agreement attestation under Form 9205 verified against the 10-or-more-employee threshold (lowered from 20 in July 2024). Personnel file gaps are a quiet finding that compounds at renewal.
• Waste disposal record audited witness-signature by witness-signature. CCR 15048 and BPC 26069 protocol verified end to end — cannabis waste rendered unusable and unrecognizable, METRC waste-event reporting cadence current, licensed-hauler contract or self-haul authorization on file, witness signatures present on every destruction log entry. The waste log is the page DCC inspectors check first on a manufacturing or cultivation visit; we test it the same way.
• Financial records and tax remittance reconciled across regimes. CDTFA excise tax remittance reconciled against METRC sales receipts and POS records (the 15% rate under AB 564 effective Oct 1 2025 through June 30 2028), local cannabis tax filings verified against the local ordinance schedule, sales tax reconciled, and any 280E posture flagged for the financial advisor. Missed remittances are an automatic license-discipline trigger; we surface them at the audit, not at the renewal.
• Written audit report formatted to survive cross-examination. Severity-classified findings (critical / major / minor) with CCR citations on every entry, executive summary in 3–5 pages, evidentiary appendices with timestamped photographs and METRC screenshots, and a defensibility chain from observed condition to cited authority to recommended remediation visible on the first page. Diligence-ready, counsel-ready, and renewal-ready in the same document.
• Corrective Action Plan in DCC-expected format. CAPA drafted to the exact BPC 26031(b) factor analysis — root cause, corrective action, preventive control, responsible personnel, completion deadline, effectiveness verification — ready to file unchanged if a Notice to Comply lands inside the 30-day response window or the shorter 15-business-day window for serious findings. The CAPA itself becomes the good-faith mitigation factor on the next inspection.
• Pre-renewal audit with the renewal-readiness gaps closed before submission. 60–90 days before annual renewal under CCR 15020, the audit is scoped to the items DCC actually reviews at renewal: premises-diagram fidelity, owner and FIH disclosure freshness, material-change filings, training records, surveillance compliance, waste documentation, and any unresolved enforcement matters on the license record. Renewal goes in clean rather than triggering a deficiency notice that pushes issuance into the next operating quarter.
• Mock DCC inspection that rehearses the team for the real thing. Unannounced-visit simulation against the same checklist DCC field staff use, including the surprise document-retrieval test, real-time METRC scan against active packages, premises walk against the diagram, and structured staff interviews. The deliverable is a mock-inspection report in DCC format plus a debrief with the team that walked it — the rehearsal is the outcome.

How we measure

Outcomes are measured at three checkpoints: completeness of the findings matrix at report delivery (every CCR subsection within scope addressed, every finding cited and severity-classified), velocity through remediation (critical findings closed inside 14 days, major findings inside 30 days, minor findings on the normal cycle), and post-engagement enforcement posture (no surprise citations on the audited subsections within the next inspection cycle). Every measurement is on the record so a buyer’s diligence two years later sees the work, not just the result.

Post-engagement review

30 days after the report lands, we run a 60-minute post-engagement review covering remediation status against the tracker, any new findings that surfaced during corrective work, the upcoming renewal-cycle calendar under CCR 15020, and any Form DCC-LIC-027 modification filings now in flight. Where the engagement continues into the Ongoing Compliance Retainer, this becomes the kickoff for the steady-state quarterly cadence; where it does not, the document vault, the remediation tracker, and a one-page handoff brief transfer to your team.