Unauthorised entities are using au-gt.com impersonating our au.gt.com domain. Please confirm emails by contacting us here
After an initial pilot group of nine (9) audits, that were performed in 2021, the focus in 2022 has been on mid to larger Authorised Deposit-taking Institutions (ADIs). For 2023, it appears the focus will shift to the remaining regulated entities – ADIs who have not yet been notified of the audit (including local subsidiaries of foreign banks), superannuation funds and private health insurers. For any regulated entity that has not yet received a notification for the tripartite audit, you should expect to receive it soon.
The reviews are part of APRA’s four year strategy to increase the rigour of compliance with CPS 234: Information Security and require the Board of regulated entities to engage third party independent Auditors to undertake a thorough CPS 234 compliance audit under ASAE 3150. The results are reported not only to the Board, but also directly to APRA.
The CPS 234 Tripartite Audit is a one-off requirement from APRA (utilising APS 310 Audit and Related Matters) to require regulated entities to engage an independent auditor to report on each entity’s compliance against CPS 234 – Information Security. The scope of the audit is comprised of twenty-one (21) control objectives that map to paragraphs 13-36 of CPS 234 along with additional “Items to Consider” that are outlined in the APRA notification letters.
In November 2020, APRA released the 2020-2024 Cyber Security Strategy on a Page which gave unique insight into APRA’s view of the CPS 234 compliance practices at the time. In a speech to the Financial Services Assurance Forum, APRA Executive Board Member Geoff Summerhayes made it known the regulator saw significant information security shortcomings across the sector and was looking to create a framework to lift standards and increase accountabilities. The requirement to undertake a one-off tripartite audit of CPS 234 compliance was also announced at this time.
Each entity is receiving a tailored notification letter that includes the indicative scope and a deadline for completing the audit. We have observed that entities receiving notifications recently have been given deadlines ranging from April 2023 to July 2023.
Each entity will be required to select an auditor that has the appropriate skills, capabilities and independence. ASAE 3150 reports are normally issued by Chartered Accountants, however, the auditor will also need to demonstrate relevant experience with CPS 234 and/or information security more broadly.
Entities are expected to review their existing ongoing engagements with the potential auditor to determine if those arrangements could compromise the provision of an objective and independent opinion. Items such as past internal reviews of CPS 234 compliance should be given particular attention as this may impair independence.
The selected auditor may also need to be approved by APRA prior to the commencement of the tripartite audit.
For entities that are just receiving their notifications, you may feel as though there is significant time to plan and prepare for the tripartite audit. In our experience, however, it is highly beneficial to begin engaging with your chosen auditor as soon as possible. Acting quickly on this will be of benefit including giving the auditor time to become familiar with your environment, agreeing the detailed audit requirements upfront, and the opportunity to schedule audit fieldwork at a time that is least disruptive to your business.
To assess audit readiness, below are some areas that regulated entities should consider:
Our team has been engaged to perform tripartite audits for almost a dozen regulated entities across a diverse range of client profiles (including both ADIs and non-ADIs) who were amongst the first organisations required to undergo these audits. We have also been engaged to work alongside one of the pilot entities as their internal audit advisor – helping to respond to the findings of the tripartite and reporting to the Board regarding the progress of remediation.
We approach each engagement collaboratively with our clients, balancing the commercial implications of such audit and compliance efforts with APRA’s overarching goal of uplifting information security practices across the sector.
Beyond the tripartite audit, we can also assist you in developing and enhancing your approach to CPS 234 compliance to be better prepared against cyber threats and to better meet the changing regulatory requirements going forward.
To discuss how we can assist you with CPS 234, please get in touch.
