How to structure privacy audits properly — purpose, scope, control domains, evidence, cross-border overlay and remediation workflow that hold up under scrutiny.