In today's increasingly complex cybersecurity landscape, APRA-regulated entities are required to meet rigorous standards to safeguard sensitive information.

The CPS 234 Tripartite Audit, a critical assessment mandated by APRA, is designed to ensure these entities have robust controls in place to protect against cyber threats.

At RSM, we are uniquely positioned to perform these audits in strict accordance with ASAE 3150 standards, delivering the highest level of assurance for your organisation's information security practices.

In today’s digital landscape, where cyber threats are increasingly sophisticated, ensuring the protection of critical and sensitive information assets is paramount. APRA-regulated entities, including banks, insurers, and superannuation trustees, must adhere to the Prudential Standard CPS 234, which mandates robust information security controls and a comprehensive cyber security strategy.


In his speech to the Financial Services Assurance Forum on 26 November 2020, Executive Board Member Geoff Summerhayes announced APRA’s one-off tripartite independent cyber security reviews across all APRA-regulated industries. To quote:

“We are also going to take a much more targeted approach to ensuring CPS 234 is being fully complied with, and holding boards and management accountable where it is not. 

As background, at the end of 2020, APRA supervisors reached out to their entities to directly ask if they were CPS 234 compliant. Around 100 entities confessed to shortcomings and requested more time, but most provided generally positive accounts of their compliance status. Yet when our IT Risk specialist team has conducted cyber reviews of some of these entities, we’ve discovered significant weaknesses in every instance, in areas such as testing programs, control environments and incident response capabilities. In response APRA will shortly be requesting one-off tripartite independent cyber security reviews across all our regulated industries. 

Starting in 2021, APRA will be asking boards to engage an external audit firm to conduct a thorough review of their CPS 234 compliance and report back to both APRA and the board. We haven’t made a final determination on which entities this will apply to, but all entities should prepare accordingly.”

In line with Mr. Summerhayes’ speech, the tripartite audits have commenced and RSM is one of those few organisations that are uniquely qualified to perform the audit and report in line with the ASAE 3150 standards required by APRA.


What is the CPS 234 Tripartite Audit?

The CPS 234 Tripartite Audit is a one-off, mandatory audit requested by the Australian Prudential Regulation Authority (APRA) in response to an increasing number of cyber incidents and data breaches reported to the Australian Cyber Security Centre (ACSC). It applies to APRA-regulated entities in the financial services sector, including banking, insurance, and superannuation. The audit must be completed by an independent assurance practitioner (a registered public audit firm) to assess the design and operating effectiveness of the controls in place against predefined control objectives based upon the requirements of the CPS 234 Information Security Standard. The outcome is a detailed report developed in accordance with ASAE 3150 Assurance Engagements on Controls, issued by the Australian Auditing and Assurance Standards Board, with three key participants: APRA, the organisation in focus, and the independent assurance practitioner.

Our audit methodology will ensure a thorough analysis of your CPS 234 environment. The ASAE 3150 audit will cover the following areas: 

  • Critical and Sensitive Information Assets: Ensuring that these assets are protected against cyber threats.
  • Cyber Security Strategy: Assessing the effectiveness of the organisation’s strategy to mitigate risks.
  • Information Security Controls: Evaluating the design and implementation of controls to meet CPS 234 requirements.
  • Incident Response Plan: Reviewing the organisation’s ability to respond to and recover from data breaches.

Who needs to comply with CPS 234?

All APRA-regulated entities, including banks, insurers, and superannuation trustees, must comply with the Prudential Standard CPS 234. This includes demonstrating that they have the necessary control objectives in place to manage information security risks effectively. The CPS 234 Tripartite Audit is not just a regulatory requirement but a critical step in building and maintaining cyber resilience within these organisations.


Why Choose RSM for Your CPS 234 Tripartite Audit?

RSM is uniquely qualified to perform CPS 234 audits, providing independent and comprehensive assessments that align with the ASAE 3150 standards required by APRA. Our expertise in financial services and deep understanding of APRA’s regulatory environment ensure that your organisation is fully compliant with CPS 234.

  • Independent Auditors: Our audits are conducted with the highest level of integrity, ensuring unbiased and accurate assessments.
  • Cyber Security Expertise: We bring extensive experience in cyber security strategy and information security controls, ensuring that your organisation is protected against evolving threats.
  • Comprehensive Audit Methodology: Our audit covers all aspects of CPS 234, from system descriptions to control effectiveness, ensuring thorough compliance.
  • Proven Track Record: We have successfully conducted CPS 234 audits for numerous APRA-regulated entities, helping them enhance their cyber resilience and safeguard their critical information assets.

How is the CPS 234 Tripartite Audit conducted?

Our audit methodology has been customised to the CPS 234 standard based on years of experience working with APRA-regulated entities and assisting them with CPS 234 compliance. The methodology is depicted in the engagement process diagram below.

Engagement process

Key Items for the Entity to Note for Audit

Depicted below are key items for the audit entity to consider, particularly if this is its first audit related to CPS 234. These will help guide and prepare the entity prior to the audit:

A complete assessment – CPS 234 Tripartite Audit

Our audit methodology will ensure a thorough analysis of your CPS 234 environment. The ASAE 3150 audit will cover the following areas:

  • A fair presentation of the system description.
  • Suitability of design and implementation of controls to achieve the required control objectives.
  • Operating effectiveness of controls as designed throughout the 12 months prior to the start of the assessment.


At RSM, we specialise in conducting the CPS 234 Tripartite Audit, a key component in achieving compliance with CPS 234 and safeguarding your organisation’s cyber resilience. This audit, performed by our team of independent auditors, is essential for APRA-regulated entities to demonstrate their commitment to protecting data against breaches and ensuring the effectiveness of their incident response plans.


RSM credentials

  • We have conducted a number of CPS 234 audits for APRA-regulated entities in Australia
  • We have assisted APRA-regulated entities through the design and implementation of controls to meet CPS 234 compliance
  • We have worked with APRA-regulated entities to improve information security controls, control effectiveness testing programs, third-party control assessments and incident response capabilities
  • We have extensive information security control framework experience and use specialist information security auditors to complete the audits
  • We have completed ASAE 3150 reports for compliance with the Consumer Data Right information security requirements to become an accredited data recipient for Open Banking
  • We are fiercely independent in our role to ensure the highest integrity in our work

For more information on how RSM can help you with the ASAE 3150 standards required by APRA, get in touch.