CPS 234 Tripartite Review – Considerations for APRA-regulated entities

CPS 234 Tripartite Review
Following the announcement of the CPS tripartite audits in November 2020, Australian Prudential Regulatory Authority (APRA) began issuing notices to regulated entities to undergo the independent assessment.

After an initial pilot group of nine (9) audits, that were performed in 2021, the focus in 2022 has been on mid to larger Authorised Deposit-taking Institutions (ADIs). For 2023, it appears the focus will shift to the remaining regulated entities – ADIs who have not yet been notified of the audit (including local subsidiaries of foreign banks), superannuation funds and private health insurers. For any regulated entity that has not yet received a notification for the tripartite audit, you should expect to receive it soon.

The reviews are part of APRA’s four year strategy to increase the rigour of compliance with and require the Board of regulated entities to engage third party independent Auditors to undertake a thorough CPS 234 compliance audit under ASAE 3150. The results are reported not only to the Board, but also directly to APRA.

What is the CPS 234 Tripartite Audit requirement?

The CPS 234 Tripartite Audit is a one-off requirement from APRA (utilising APS 310 Audit and Related Matters) to require regulated entities to engage an independent auditor to report on each entity’s compliance against CPS 234 – Information Security. The scope of the audit is comprised of twenty-one (21) control objectives that map to paragraphs 13-36 of CPS 234 along with additional “Items to Consider” that are outlined in the APRA notification letters.

Why is APRA requiring this?

In November 2020, APRA released the 2020-2024 Cyber Security Strategy on a Page which gave unique insight into APRA’s view of the CPS 234 compliance practices at the time. In a speech to the Financial Services Assurance Forum, APRA Executive Board Member Geoff Summerhayes made it known the regulator saw significant information security shortcomings across the sector and was looking to create a framework to lift standards and increase accountabilities. The requirement to undertake a one-off tripartite audit of CPS 234 compliance was also announced at this time.

When does the audit need to be completed?

Each entity is receiving a tailored notification letter that includes the indicative scope and a deadline for completing the audit. We have observed that entities receiving notifications recently have been given deadlines ranging from April 2023 to July 2023.

Who can perform the CPS 234 audit?

Each entity will be required to select an auditor that has the appropriate skills, capabilities and independence. ASAE 3150 reports are normally issued by Chartered Accountants, however, the auditor will also need to demonstrate relevant experience with CPS 234 and/or information security more broadly.

Entities are expected to review their existing ongoing engagements with the potential auditor to determine if those arrangements could compromise the provision of an objective and independent opinion. Items such as past internal reviews of CPS 234 compliance should be given particular attention as this may impair independence.

The selected auditor may also need to be approved by APRA prior to the commencement of the tripartite audit.

What can you do to prepare ahead of the review?

For entities that are just receiving their notifications, you may feel as though there is significant time to plan and prepare for the tripartite audit. In our experience, however, it is highly beneficial to begin engaging with your chosen auditor as soon as possible. Acting quickly on this will be of benefit including giving the auditor time to become familiar with your environment, agreeing the detailed audit requirements upfront, and the opportunity to schedule audit fieldwork at a time that is least disruptive to your business.

To assess audit readiness, below are some areas that regulated entities should consider:

  • Has your organisation identified and documented your information security controls (rather than testing against the APRA standard)?
  • Have you implemented an annual plan for testing controls?
  • Does your internal audit form clear conclusions on design and operating effectiveness (OE) of controls?
  • Does your internal audit plan demonstrate that comprehensive assurance over information security risk is achieved over time, and testing is triggered by risks or changes to the IT environment?
  • Do you have clarity over the information assets and the controls that are required to protect them?
  • Do you have visibility over compliance around third-parties and key suppliers?
  • Does your Board reporting process demonstrate how expectations for engagement in respect to information security, including the escalation of risks, issues and vulnerabilities?
  • Have you considered the expertise and qualifications of personnel conducting information security control testing and performing internal audits under this standard?

How can Grant Thornton assist?

Our team has been engaged to perform tripartite audits for almost a dozen regulated entities across a diverse range of client profiles (including both ADIs and non-ADIs) who were amongst the first organisations required to undergo these audits. We have also been engaged to work alongside one of the pilot entities as their internal audit advisor – helping to respond to the findings of the tripartite and reporting to the Board regarding the progress of remediation.

We approach each engagement collaboratively with our clients, balancing the commercial implications of such audit and compliance efforts with APRA’s overarching goal of uplifting information security practices across the sector.

Beyond the tripartite audit, we can also assist you in developing and enhancing your approach to CPS 234 compliance to be better prepared against cyber threats and to better meet the changing regulatory requirements going forward.

To discuss how we can assist you with CPS 234, please get in touch.

Subscribe to receive our publications

Subscribe now to be kept up-to-date with timely and relevant insights, unique to the nature of your business, your areas of interest and the industry in which you operate.