IIA-Australia White Paper - APRA CPS 234 Information Security

APRA CPS 234 IIA-Australia White Paper - APRA CPS 234 Information Security

This is a members only resource. Please login to access. 


Malcolm Webster BComm(Mgmt), GradDip(CIT), DipFP, GradCert (Cyber Security)



Topics Explored

Internal Audit


White Paper


As we continue to live in an interconnected electronic world, protection of information from the perspective of both organisations and customers is paramount.  APRA has flagged their intentions in this area, and it is time for financial service and insurance entities to critically analyse their people, systems and processes with respect to information security.  Demonstrated information security skills and experience on the audit team will go a long way to an effective CPS 234 audit regime and a sound outcome for stakeholders.

Key Points

  1. CPS 234 came into force on 1 July 2019. The standard applies to all APRA regulated entities which includes banks, general insurers, life insurers, private health insurers and superannuation funds.
  2. The APRA ‘Cyber Security Strategy’ aims to increase board and executive management focus on information security risks, with internal audit seen as the ‘eyes and ears’ of a board into their organisation’s information security operations and practices.
  3. Internal audit is required to evaluate information security controls, whether a service is provided in-house or by a related party or third party supplier. 

Relevant Industries

Financial Services

Level of Assumed Knowledge