CPS 234 – Tripartite Audit

RSM is one of those few organisations that are uniquely qualified to perform the audit and report in line with the ASAE 3150 standards required by APRA.

What is the CPS 234 Tripartite Audit?

The CPS 234 Tripartite Audit is a one-off audit requested by APRA in response to an increasing number of cyber incidents and data breaches reported to the Australian Cyber Security Centre (ACSC). The audit must be completed by an independent assurance practitioner (a registered public audit firm) to assess the design and operating effectiveness of the controls in place against predefined control objectives that are based upon the requirements in the CPS 234 – Information Security Standard. The outcome of the Tripartite Audit is a detailed report developed in accordance with the ASAE 3150 Assurance Engagements on Controls issued by the Australian Auditing and Assurance Standards Board, with three key participants – APRA, the organisation in focus, and the independent assurance practitioner.

Who should comply with CPS 234?

It is not a matter of who should comply with CPS 234, but who must comply. All APRA regulated entities must comply with the CPS 234 – Information Security Standard. This includes Authorised deposit-taking institutions (ADIs or banks), including foreign ADIs, credit unions, building societies, friendly societies, general insurance and reinsurance companies, life insurers, private health insurers, and a large part of the superannuation industry.

A complete assessment – CPS 234 Tripartite Audit

Our audit methodology will ensure a thorough analysis of your CPS 234 environment. The ASAE 3150 audit will cover the following areas:

  • A fair presentation of the system description
  • Suitability of design and implementation of controls to achieve the required control objectives
  • Operating effectiveness of controls as designed throughout the 12 months prior to the start of the assessment.


 RSM credentials

  • We have conducted a number of CPS 234 audits for APRA regulated entities in Australia
  • We have assisted APRA regulated entities through the design and implementation of controls to meet CPS 234 compliance
  • We have worked with APRA regulated entities to improve information security controls, control effectiveness testing programs, third party control assessments and incident response capabilities
  • We have extensive information security control framework experience and use specialist information security auditors to complete the audits
  • We have completed ASAE 3150 reports for compliance with the Consumer Data Right information security requirements to become an accredited data recipient for Open Banking
  • We are fiercely independent in our role to ensure the highest integrity in our work


To find out more, please download our brochure below:


Download our brochure on CPS - Tripartite Audit


For more information on how RSM can help you with the ASAE 3150 standards required by APRA:



Darren Booth
National Head of Cyber Security and Privacy Risk Services
Ashwin Pal
Partner - Sydney
Riaan Bronkhorst
Principal - Perth