
APRA CPS 234 & 230: The 2026 Audit Survival Guide

Sheena Shrivastava
May 4, 2026

[Image: APRA CPS 234 and CPS 230 audit compliance guide for Australian financial institutions, showing cyber security, operational resilience and risk management.]

For many Australian financial institutions, 2026 is shaping up to be a pivotal year for regulatory scrutiny. With regulators sharpening their focus on operational resilience, cyber security, and third-party risk, organisations regulated by APRA are being challenged to demonstrate control effectiveness, not just compliance on paper.

Two frameworks sit at the centre of this regulatory spotlight: CPS 234 (Information Security) and CPS 230 (Operational Risk Management).

Individually, these standards place strong expectations on governance, risk management, and security maturity. Together, they represent a clear message from the regulator: operational resilience and cyber security must be embedded across the entire organisation. For organisations preparing for the next audit cycle, the challenge is no longer simply understanding the frameworks — it’s demonstrating real, measurable compliance.

This guide explores what organisations should expect from the upcoming audit environment and how to prepare for an APRA CPS 234 independent audit alongside broader CPS 230 operational risk compliance requirements. In practice, this means auditors will trace controls end-to-end, from policy through to evidence, often requesting artefacts such as SIEM logs, incident tickets, and control testing outputs.


First Things First… What’s APRA?

Before diving into the technical expectations, it’s worth stepping back and answering a common question: what is APRA?

The Australian Prudential Regulation Authority (APRA) is the regulator responsible for supervising banks, credit unions, insurers, and superannuation funds in Australia. Its mandate is to ensure these institutions operate in a financially sound manner and are able to withstand operational disruption, cyber incidents, and systemic risk.

Over the past decade, APRA has steadily increased its expectations around cyber security and operational risk management. The regulator has made it clear that technology failures, cyber breaches, and weak third-party governance can have the same systemic consequences as financial mismanagement.

This is where CPS 234 and CPS 230 come into play.


Understanding CPS 234 – Information Security Accountability

CPS 234 was introduced to ensure APRA-regulated entities maintain a robust information security capability and are able to protect sensitive data and critical systems from cyber threats. While many organisations initially approached CPS 234 as a compliance exercise, APRA’s supervisory approach has evolved. Today, regulators are looking well beyond policy documents.

They expect evidence that organisations can:

  • Identify and classify critical information assets
  • Implement security controls proportional to risk
  • Continuously monitor for vulnerabilities and threats
  • Manage cyber risk across third-party suppliers
  • Demonstrate effective incident detection and response

For many organisations, the most confronting part of the process is the APRA CPS 234 independent audit requirement. These audits assess whether security controls actually operate as intended — not simply whether they exist on paper. In practice, this means auditors are looking for proof: security monitoring logs, penetration testing results, vulnerability management programs, and board-level oversight of cyber risk.


CPS 230 – The New Operational Resilience Standard

While CPS 234 focuses on information security, CPS 230 operational risk compliance expands the lens to include the entire operational ecosystem. The objective of CPS 230 is straightforward: organisations must be able to continue delivering critical services even when disruptions occur.

These disruptions might include:

  • Cyber attacks
  • Technology failures
  • Supplier outages
  • Data breaches
  • Natural disasters
  • Operational process breakdowns

Under CPS 230, organisations must identify their critical operations, set tolerance levels for disruption, and implement controls that ensure these services remain available. Importantly, CPS 230 also places significant emphasis on third-party service providers. Organisations are expected to understand the operational risks introduced by vendors and maintain visibility into the resilience of those relationships. For many financial institutions, this is where the real work begins.


Why CPS 234 and CPS 230 are Closely Connected

Although they are separate standards, CPS 234 and CPS 230 are designed to complement each other. Cyber incidents are now one of the most common causes of operational disruption – as a result, regulators increasingly assess these frameworks together. For example:

  • A cyber breach may represent both an information security failure (CPS 234) and an operational resilience failure (CPS 230).
  • A compromised third-party platform may simultaneously breach vendor risk management obligations under both frameworks.
  • Weak monitoring or incident detection could raise questions about governance and board oversight across both standards.

For organisations preparing for regulatory review, it’s no longer sufficient to treat cyber security and operational risk as separate compliance streams; APRA increasingly expects them to be integrated. For example, a ransomware incident is no longer just a cyber event: it directly tests an organisation’s ability to maintain critical operations within defined tolerance levels.


Common Gaps Identified During Independent Audits

Across the industry, several recurring themes appear during an APRA CPS 234 independent audit and operational resilience assessments. Some of the most common issues include:

  • Incomplete asset visibility: Many organisations struggle to maintain a comprehensive inventory of critical systems, applications, and data repositories.
  • Inconsistent third-party risk management: Suppliers often have deep access to internal systems, yet security oversight of these vendors is limited.
  • Limited detection and monitoring capabilities: Organisations may deploy security tools but lack the operational processes needed to effectively analyse and respond to alerts.
  • Policy-driven compliance rather than operational controls: Security frameworks look strong on paper but fail to translate into practical, measurable controls.
  • Board reporting that lacks actionable insight: Senior leadership may receive cyber risk updates, but the reporting often lacks clear indicators of risk exposure or operational resilience.

Addressing these gaps requires more than documentation; it requires an integrated cyber security and risk management program.


Preparing for the 2026 Audit Cycle

With APRA continuing to increase supervisory activity, organisations should assume that regulators will take a deeper look at both information security and operational resilience. Preparation should start well before the formal audit process begins – some practical steps include:

  • Conduct a readiness assessment: Evaluate current security and operational risk capabilities against CPS 234 and CPS 230 expectations.
  • Validate security controls through testing: Penetration testing, vulnerability assessments, and red-team exercises provide tangible evidence that controls are working.
  • Review third-party risk governance: Organisations should ensure vendor risk management frameworks align with CPS 230 requirements.
  • Strengthen monitoring and incident response: Security monitoring capabilities should be capable of detecting, investigating, and responding to threats quickly.
  • Improve executive-level reporting: Board and executive stakeholders should receive meaningful insights into cyber risk posture and operational resilience.

These measures not only support compliance but also strengthen the organisation’s overall security posture.


Here’s Why Many Organisations Seek Independent Expertise

Preparing for an APRA CPS 234 independent audit while also addressing CPS 230 operational risk compliance can be complex, particularly for organisations with large technology environments and extensive third-party ecosystems. This is typically where organisations require independent validation and specialist support.

Independent advisors can help organisations:

By taking a proactive approach, organisations can shift from reactive compliance to genuine operational resilience.


Strengthening cyber and operational resilience with Infotrust

Navigating the intersection of cyber security, operational risk, and regulatory compliance requires both technical expertise and a deep understanding of the Australian regulatory environment. Infotrust works with organisations across Australia to help them strengthen their security posture while meeting evolving compliance obligations. From security assessments and penetration testing through to governance, risk, and compliance advisory services, our team supports organisations preparing for frameworks such as CPS 234 and CPS 230.

With regulators continuing to raise expectations, organisations that invest in cyber resilience today will be far better positioned for tomorrow’s audits. For organisations wondering what APRA expects in practice, the answer is becoming increasingly clear: strong governance, proven security controls, and a mature operational risk framework that can withstand real-world disruption. The organisations that succeed are not those with the most policies, but those that can demonstrate control effectiveness consistently under scrutiny.

And the time to start preparing is now.