Our compliance exam was just after GLBA went into effect - that one was just a general review of how we assessed our risk, etc., and the notice we sent out.
Our safety and soundness this year included an extensive IT audit - and they went over the privacy reg quite thoroughly. You'll find lots of threads about what the different agencies and examiners are asking for - but ours wanted it all in one document.
Look out for password security, penetration testing, system access security, and physical items - like data on computer screens, docs on desks, etc.
_________________________
Opinions my own.