In theory, privacy audits are a sensible and useful thing. Regardless of whether they're conducted internally or externally, they can provide insights into data handling systems, identify shortcomings, and help prioritize resources. They can provide external, independent validation of compliance with privacy laws and contractual commitments. And they can be a useful source of transparency. Sometimes they're even mandated by privacy law, e.g., in some controller-processor outsourcing arrangements under EU data protection rules. Considering how many good reasons there are to conduct privacy audits, it's a bit of a mystery to me why there isn't more of an industry to provide them. Indeed, if you were looking to hire external experts to conduct privacy audits and asked me for a recommendation, well, I'd be hard pressed to give you a name. I've asked a number of my peers at other companies as well, and privately, they're stumped too.
So, here's a business idea. Why don't some enterprising people work to establish a privacy auditing business, combining some deep technical understanding with process rigor, offer the service at a competitive cost, and help fill a vacuum? Almost everyone in the profession whom I know agrees that privacy audits are, in theory, a useful tool for privacy hygiene, but in practice, it's hard to find the right level of professional service.
There seems to be a clear market failure here. Over time, surely, privacy audits will become more integrated into good privacy practice. Whoever can figure out how to provide this service will be contributing to the privacy profession and will probably end up making a lot of money. Good luck!