Cybersecurity Audits in Financial Services Are Not Optional
There is a persistent misconception that cybersecurity audits are a best-practice recommendation for financial institutions. They are not. For any entity regulated by APRA, cybersecurity auditing is a legally binding obligation under CPS 234.
Paragraph 32 of CPS 234 requires internal audit to review the design and operating effectiveness of information security controls, including those maintained by third parties. Paragraph 27 requires control testing to be performed by appropriately skilled and functionally independent specialists. These are not suggestions. They are enforceable requirements backed by APRA's supervisory toolkit, which includes intensified supervision, remediation directions, additional capital charges, and formal enforcement action.
The practical meaning is straightforward: every APRA-regulated bank, insurer, superannuation trustee, and private health insurer must have a functioning cybersecurity audit programme. That programme must cover technical controls, governance arrangements, third-party risk, and incident response. And the people conducting the audit must be both skilled and independent.
Why Most Financial Sector Audit Programmes Are Falling Short
APRA's tripartite review programme, which assessed more than 300 entities between 2021 and 2023, found that cybersecurity audit and testing programmes were among the most common areas of weakness. The findings were specific and damning.
The six gaps APRA identified most frequently were:
- Incomplete identification and classification of information assets. Entities could not demonstrate they knew what they were protecting. Without a current, accurate asset register, any audit is auditing an incomplete picture.
- Limited assessment of third-party security capability. Outsourcing arrangements were often treated as a contract management exercise rather than a security assurance obligation. Entities lacked visibility into the actual security posture of their critical service providers.
- Inadequate control testing programmes. Testing was incomplete, inconsistent across business units, lacked functional independence, or was performed by personnel without appropriate skills. Some entities were self-assessing controls that CPS 234 requires to be independently tested.
- Incident response plans not regularly reviewed or tested. Plans existed on paper but had not been exercised. When incidents occurred, entities discovered their plans contained assumptions that no longer held.
- Limited internal audit review of security controls. Internal audit functions either lacked the cybersecurity expertise to conduct meaningful reviews or treated information security as a low-priority audit area.
- Inconsistent reporting of material incidents and control weaknesses to APRA. Entities were uncertain about what constituted a notifiable event, leading to both under-reporting and delayed reporting.
These are not edge cases. APRA found them across a representative cross-section of the industry. If your audit programme has not been redesigned since these findings were published, it is likely exposed to at least some of these gaps.
What a Rigorous Financial Sector Cybersecurity Audit Covers
A cybersecurity audit that meets current regulatory expectations goes well beyond running a vulnerability scan and producing a findings report. For APRA-regulated entities, the audit must address the full scope of CPS 234's eight obligation areas.
Governance and board accountability
CPS 234 places ultimate responsibility for information security with the Board. A proper audit assesses whether the Board receives adequate reporting on information security posture, whether roles and responsibilities are clearly defined from Board level through to operational teams, and whether the entity has sufficient capability, both in-house and through qualified external providers, to manage its information security obligations.
Under the Financial Accountability Regime, individual executives can now be held personally accountable for failures in their areas of responsibility. This has changed the audit dynamic. Boards and senior management are asking harder questions, and auditors need to provide harder answers.
Information asset identification and classification
You cannot protect what you have not identified. The audit must verify that the entity maintains a current register of information assets, that those assets are classified by criticality and sensitivity, and that the classification drives proportionate control requirements. APRA's tripartite findings showed this is where many entities fail first.
Control effectiveness testing
This is the technical heart of the audit. CPS 234 requires controls to be commensurate with the size and extent of threats to the entity's information assets. The audit must assess whether controls are appropriately designed, consistently implemented, and operating effectively. This includes penetration testing, configuration reviews, access control assessments, and validation of detection and monitoring capabilities.
Critically, CPS 234 requires this testing to be performed by appropriately skilled and functionally independent specialists. An IT team reviewing its own controls does not meet this requirement. The independence obligation is one of the most frequently misunderstood aspects of the standard.
Third-party and supply chain risk
Financial institutions outsource extensively, from core banking platforms to cloud infrastructure to customer-facing applications. CPS 234 requires entities to assess the information security capability of third parties managing information assets. With CPS 230 Operational Risk Management in effect since 1 July 2025, the requirements for third-party risk management have expanded further, covering critical operations identification, service provider resilience, and fourth-party risk.
The audit must assess whether the entity has meaningful visibility into the security posture of its critical suppliers. That means not just contract clauses but actual assurance evidence, such as SOC 2 reports, independent assessments, or direct audit rights being exercised.
Incident management and notification
CPS 234 contains two notification rules that auditors must verify the entity can meet. Paragraph 35 requires notification to APRA within 72 hours of becoming aware of a material information security incident. Paragraph 36 requires notification within 10 business days of becoming aware of a material control weakness that cannot be remediated in a timely manner.
The Cyber Security Act 2024 has added another layer: mandatory reporting of ransomware payments, also with a 72-hour window. Audit programmes must now verify the entity can meet both notification regimes simultaneously, with different triggers, different reporting channels, and potentially different timelines running in parallel.
A well-designed audit tests incident response capability through realistic scenarios. Tabletop exercises and breach simulations reveal whether the incident management process actually works under pressure, or whether it only works on paper.
The Regulatory Stack Has Changed
Auditing a financial institution's cybersecurity in 2026 requires understanding how multiple regulatory obligations interact. CPS 234 does not operate in isolation.
- CPS 234 (in force since July 2019) sets the baseline information security obligations for all APRA-regulated entities.
- CPS 230 (in force since July 2025) replaced the outsourcing standard and added operational resilience requirements. It explicitly requires entities to meet CPS 234 requirements when managing technology risks and has significantly expanded third-party management obligations.
- The Cyber Security Act 2024 introduced mandatory ransomware payment reporting, a 72-hour notification window, and a limited-use provision for reported information.
- The Financial Accountability Regime (FAR) applies to ADIs, insurers, and superannuation trustees, making individual executives personally accountable for obligations in their areas of responsibility, including CPS 234 compliance.
- The Security of Critical Infrastructure Act 2018 (SOCI) applies to entities operating critical financial market infrastructure and imposes additional positive security obligations, including risk management programmes and mandatory cyber incident reporting.
- The ASD Essential Eight is not formally mandated by CPS 234, but APRA has increasingly established it as the de facto technical baseline through industry letters, particularly around MFA, patching, and daily backups.
An audit programme that only assesses against CPS 234 in isolation is incomplete. The practical audit scope now needs to account for the full regulatory stack and the points where these obligations overlap and reinforce each other.
Common Mistakes in Financial Sector Cybersecurity Audits
After working with APRA-regulated entities across banking, insurance, and superannuation, we see the same mistakes repeatedly.
Treating the audit as a point-in-time compliance exercise. Annual audits that produce a report, trigger some remediation, and then go quiet until next year do not meet the spirit of CPS 234. The standard expects continuous, systematic management of information security. A mature audit programme operates as an ongoing assurance cycle, not a calendar event.
Conflating penetration testing with a full audit. Penetration testing is an important technical component, but it tests exploitability of specific systems. It does not assess governance, third-party risk, incident preparedness, or whether the Board is receiving adequate information. A penetration test is one input to the audit, not the audit itself.
Using internal resources that lack independence. CPS 234's requirement for functionally independent testing is specific. The IT security team assessing its own controls, or internal audit relying entirely on management self-assessments, does not satisfy this obligation. Independence means organisational separation from the team responsible for the controls being tested.
Ignoring third-party assurance. Many entities include third-party risk in their risk management framework on paper but cannot produce current assurance evidence for their critical service providers. APRA has been explicit that contractual clauses alone are insufficient; entities need actual evidence of third-party security capability.
Failing to test incident response. Having an incident response plan is necessary but not sufficient. The audit must assess whether the plan has been tested, whether it reflects the current environment, and whether the entity can actually meet its 72-hour and 10-business-day notification obligations under pressure. Untested plans fail when they matter most.
What Good Looks Like
A well-designed cybersecurity audit programme for an APRA-regulated entity has several distinguishing characteristics.
It is risk-driven, not checklist-driven. The scope and depth of testing are determined by the entity's threat environment, asset criticality, and regulatory obligations, not by a generic template applied uniformly across the industry.
It uses independent, skilled assessors. Whether internal audit with appropriate cybersecurity expertise or qualified external providers, the people conducting the audit have both the technical skills and the organisational independence to provide honest findings.
It covers the full regulatory scope. CPS 234 is the baseline, but the audit programme also addresses CPS 230 third-party obligations, Essential Eight maturity, ISO 27001 alignment where relevant, and the notification obligations under the Cyber Security Act.
It operates on a continuous assurance cycle. Annual comprehensive reviews are supplemented by quarterly targeted assessments, event-driven reviews after significant changes, and ongoing monitoring of remediation progress. Findings are tracked to closure, not just reported.
It reports to the right level. Audit findings reach the Board and senior management in a format that supports decision-making. Risk ratings, remediation timelines, and residual risk assessments are clear, honest, and actionable. The Board should be able to understand the entity's information security posture without needing to interpret technical jargon.
And it produces defensible evidence. If APRA asks to see your audit programme, you should be able to demonstrate the scope, methodology, findings, remediation actions, and evidence of control effectiveness without a scramble. This is the practical test of audit quality.
How Cliffside Approaches Financial Sector Cybersecurity Audits
Cliffside's cybersecurity audit practice works with APRA-regulated entities to design and execute audit programmes that meet current regulatory expectations. We provide the functional independence CPS 234 requires, the technical depth to test controls meaningfully, and the regulatory knowledge to assess compliance across the full 2025-2026 stack.
We do not run generic audits. Every engagement starts with understanding the entity's specific regulatory obligations, threat environment, and operating model. The output is a clear, honest assessment of where the entity stands, what needs to change, and how to prioritise remediation in a way that addresses the highest-risk gaps first.
If your audit programme was designed before CPS 230 commenced, before the Cyber Security Act added ransomware reporting obligations, or before APRA published its tripartite findings, it is worth having an honest conversation about whether it still meets expectations. Start with a Lighthouse Assessment.