Overview

The CPS 234 Assessment Tool gives Australian APRA-regulated entities a structured, evidence-backed way to evaluate their compliance posture against Prudential Standard CPS 234 Information Security — at the individual entity level and across the entire APRA-regulated group. Whether you are preparing for an APRA prudential review, a board briefing, an independent ASAE assurance engagement, your FAR Accountable Person attestation, or your own internal gap analysis, the tool does the heavy lifting: scoring, gap identification, risk prioritisation, evidence management, and report generation — entirely within your browser, with no data leaving your environment unless you explicitly enable an AI feature.

The assessment covers all nine assessable obligation areas across the three functional groupings — Govern, Protect, and Respond & Assure — translated from the Standard and CPG 234 (Prudential Practice Guide) into structured, defensible practices. Multi-entity group mode aggregates assessments across every APRA-regulated entity in your group, surfacing cross-portfolio patterns no single-entity view can show. Period tracking and year-over-year comparison turn point-in-time scoring into a defensible trajectory of improvement — exactly the evidence APRA examines in supervisory engagement and post-incident review.

Proportionality Targeting

Select SFI, Tier 2 or smaller-entity targeting per regulated entity and the tool calibrates expectations automatically — capability and controls scaled to the size and threat profile, with live commensurate-with-threats scoring as you progress.

Multi-Entity Group Mode

Every APRA-regulated entity in your group, scored consistently, rolled up into a single Level 2/3 group view — with cross-entity heatmaps, common gap analysis, common evidence weaknesses, FAR Accountable Person mapping, and AI-narrated group executive summary.

Secure by Design

Runs entirely in your browser. No SaaS dependency, no account required, air-gap compatible. Optional AI features connect only when you choose to enable them, using your own API key — and can be disabled entity-wide for regulated environments and APRA supervisory engagements.

What CPS 234 Asks You to Do — and How the Tool Handles It

CPS 234 has been in force since 1 July 2019 and applies to every APRA-regulated entity: authorised deposit-taking institutions, general insurers, life insurers, private health insurers, RSE licensees (superannuation), and non-operating holding companies. It is APRA's first mandatory cross-industry prudential standard for information security, placing ultimate responsibility on the board and requiring information security controls commensurate with the vulnerabilities and threats to which the entity's information assets are exposed.

The Standard's 42 paragraphs are structured into nine assessable obligation areas — from board accountability and information security capability through to control implementation, testing, internal audit, and APRA notification within 72 hours. The tool integrates every element of the framework — the structural obligations, the proportionality expectation, the third-party flow-down requirements, the FAR (Financial Accountability Regime) linkage that APRA's June 2025 letter made explicit — so the question is never "did we cover the Standard?" but rather "what does the evidence support?".

Assessment Domains

All nine CPS 234 assessable obligation areas, structured across three functional categories aligned to the Standard:

Govern

  • Governance & Board Accountability
  • Information Security Capability
  • Policy Framework

Protect

  • Information Asset Identification & Classification
  • Implementation of Controls (incl. third-party)
  • Testing Control Effectiveness

Respond & Assure

  • Incident Management & Response
  • Internal Audit & Independent Assurance
  • APRA Notification (72-hour & 10-business-day)

The Six Common Gaps — Built In

APRA's independent tripartite assessment programme — covering more than 300 banks, insurers and superannuation trustees — identified six common gaps in CPS 234 compliance across the regulated population. These are not theoretical weaknesses. They are the patterns APRA itself has observed in real entities and continues to surface in supervisory engagement.

  1. Incomplete identification and classification of critical and sensitive information assets
  2. Limited assessment of third-party information security capability
  3. Inadequate definition and execution of control testing programs
  4. Incident response plans not regularly reviewed or tested
  5. Limited internal cyber audit review of information security controls
  6. Inconsistent reporting of material incidents and control weaknesses to APRA in a timely manner

The tool embeds these six common gaps directly into the assessment workflow as a dedicated Common Gap Detection view — assessing each one on a binary basis (present / not present), surfacing the structural weaknesses traditional self-assessment misses, and turning APRA's tripartite findings into actionable internal evidence.

Multi-Entity Group Mode

APRA-regulated groups frequently span multiple regulated entities — a Level 2 banking group with subsidiaries, a Level 3 conglomerate spanning banking and insurance, a superannuation trustee licensee with multiple registrable superannuation entities. CPS 234 obligations apply at the entity level, but supervisory expectations increasingly look across the group. The Entity Registry holds every APRA-regulated entity in your group, each with its own APRA registration class, FAR Accountable Person mapping, proportionality tier, and assessment progress — all visible on a single group dashboard. The portfolio-level views go well beyond simple aggregation:

  • Entity × Domain Heatmap — A colour-coded cross-group matrix showing every regulated entity against the nine obligation areas, with average compliance by domain across entities, sortable to surface the weakest domains across the group.
  • Compliance by Entity Type — Compare compliance posture across entity types (ADI, general insurer, life insurer, RSE licensee, NOHC) to see whether systemic weaknesses cluster by APRA registration class.
  • Common Gaps Across the Group — Practices where multiple entities are non-compliant, with the explicit list of affected entities. Fix one root cause at the group policy level, clear many entity-level gaps at once.
  • Common Evidence Weaknesses — Patterns where evidence quality is consistently weak across entities, pointing at systemic documentation deficiencies worth addressing centrally — plus reference examples of entities with strong evidence for the same practice.
  • FAR Accountable Person Mapping — Each domain mapped to the responsible FAR Accountable Person, with consolidated views showing what each named accountable person is responsible for and where the evidence is.
  • Group Overview Dashboard — Tile metrics across the top show total entities, average compliance, common gap count, and outstanding actions. Compliance leads see exactly where to push next.

Evidence Workflow & Reviewer Overrides

Each practice presents the assessor with a structured answer scale (None, Partial, Strong, plus N/A with justification), an inline guide to what good evidence looks like under CPS 234 and CPG 234, and a drag-and-drop area for attaching supporting documents — PDFs, Word, Excel, images, CSV — directly to the practice.

An independent reviewer workflow captures observations against the evidence in structured fields. The reviewer can override the self-assessed compliance level where the evidence clearly contradicts it, with both the original answer and the reviewer override preserved in the audit trail. This is the dual-control pattern APRA expects under independent assurance engagements. When AI is enabled, AI-suggested compliance levels (with confidence rating low/medium/high) sit alongside the self-assessment and the reviewer override — three independent signals, all visible side-by-side, all auditable.

Period Tracking, Baselines & Annual Audit Cycle

CPS 234 imposes ongoing obligations — control testing on a frequency commensurate with the rate at which threats and vulnerabilities change, annual internal audit review, board reporting at a frequency that supports informed decision-making. Single-point assessments are necessary but insufficient. The tool treats assessment as a continuous activity, with first-class support for the time dimension:

  • Compliance Snapshot & Baseline — Save a point-in-time baseline; capture manual overrides where appropriate; replace, clear or revert baselines as the programme evolves.
  • Period Closure — Formally close an assessment period and archive it, freezing the state for audit and historical comparison — ideal for the annual internal audit cycle and the APS/GPS/LPS/SPS/HPS 310 Appointed Auditor cadence.
  • Year-over-Year Comparison — Improvements, regressions, evidence added or removed, reviewer-decision changes, domain compliance movement — all surfaced as a structured change report between any two assessment periods.
  • Multi-Period Trend Comparison — Load three or more historical periods to visualise compliance trajectory by domain and entity across time.
  • Per-Entity Compliance Trends — Each entity's compliance trajectory over multiple closed periods, plus a group-average trend line — the trajectory of improvement APRA examines in supervisory engagement.

For FAR Accountable Persons, this is the evidence trail that demonstrates credible diligence — period by period, not just at point-in-time review.

Audit Log, Collaboration & Resilient Storage

Every answer, note, evidence change and reviewer override is captured in a chronological audit log — the complete record of who did what and when, with full version history accessible from the in-app log viewer. This is the artefact that supports APRA's supervisory powers and the independent assurance opinions required under ASAE 3000 / ASAE 3402.

Optional Shared Folder Mode turns the assessment into a team workspace. Multiple assessors work in parallel on a multi-entity group via OneDrive, SharePoint, Microsoft Teams, Google Drive, or Dropbox. Per-entity file locking prevents conflicting edits; identity stamping records who changed what; live change polling surfaces edits in seconds; and a conflict detector flags the "conflicted-copy" files a sync provider creates when two clients write the same file, so you can resolve them deliberately rather than discovering them at audit time. A 30-day soft delete with one-click restore prevents accidental data loss.

Evidence storage is resilient by design — content-derived filenames (so evidence titles never leak through the folder browser), per-file and per-question caps, browser-storage quota monitoring, optional encryption-at-rest, a crash-recovery mirror, and a read-only Evidence Health Check audit available from Settings.

Who It's For

  • Authorised deposit-taking institutions (ADIs) — banks, neobanks, credit unions, building societies, and authorised banking NOHCs
  • General insurance companies (including Category C insurers and authorised insurance NOHCs)
  • Life insurance companies, friendly societies, EFLICs, and registered life NOHCs
  • Private health insurers under the PHIPS Act
  • RSE licensees (superannuation trustees) for their business operations
  • Level 2 and Level 3 group heads with group-wide CPS 234 obligations
  • FAR Accountable Persons with CPS 234 compliance responsibilities
  • Internal audit, compliance and assurance teams supporting independent reviews and ASAE engagements

What You Receive

Comprehensive entity-level and group-level CPS 234 compliance outputs — every deliverable drawn from the same underlying data, so one assessment becomes every artefact you need.

AI-Enhanced Entity Word Report

Per-entity narrative deliverable — domain compliance status, paragraph-by-paragraph gap register, common gap findings, evidence register, and prioritised remediation plan. When AI is enabled, includes an AI-generated executive summary and per-domain narratives. APRA-ready.

Multi-Worksheet Excel Workbook

The same data in tabular form across multiple sheets — gap register, remediation plan, evidence register, full results matrix, common gap findings, N/A exclusions. Drops into JIRA, Asana or Smartsheet without re-keying.

Group Portfolio Word & Excel Reports

Cross-entity executive summary, entity × domain heatmap, common gaps register, common evidence weaknesses, common low-compliance practices, and group-wide recommendations — generated automatically from per-entity data.

Entity × Domain Heatmap

Cross-group matrix of regulated entities against the nine obligation areas, colour-coded by compliance level, sortable to surface the weakest domains and the weakest entities.

Domain Compliance Matrix & Movement

At-a-glance compliance status per entity for each obligation area, with Domain Movement view tracking which entities have improved or regressed between assessment periods.

Six-Common-Gap Assessment

Binary assessment against the six common gaps APRA's tripartite programme identified across 300+ regulated entities — surfaces the structural weaknesses that traditional self-assessment misses and demonstrates active management to supervisors.

Evidence Package (ZIP)

Every attached evidence file organised by entity and practice, with an Excel register cataloguing each file with metadata. Ships in one click when APRA, the appointed auditor, or an independent assessor asks for substantiation.

Year-over-Year Comparison

Domain-by-domain change reports between any two periods — improvements, regressions, evidence added/removed, reviewer-decision changes, and domain-level compliance movement. AI-narrated when enabled.

Multi-Period Trend Comparison

Load three or more historical periods to visualise compliance trajectory across time, with per-entity and per-domain trends. The trajectory APRA examines in supervisory engagement.

FAR Accountable Person Mapping

Every domain mapped to the responsible FAR Accountable Person, with consolidated views showing each named person's accountabilities, evidence status, and outstanding actions. Supports FAR attestation cycles.

Audit Log & Version History

Chronological record of every answer, note, evidence change and reviewer override — viewable in-app with full version history, exportable as JSON for long-term retention and supervisory disclosure.

Shared Folder Collaboration

Team workspace via OneDrive, SharePoint, Microsoft Teams, Google Drive or Dropbox — with per-entity locking, identity stamping, live change polling, sync conflict detection, and 30-day soft delete with restore.

AI woven through every stage

AI assistance that earns its place.

Twelve AI capabilities — entirely optional, opt-in via your own Anthropic API key — accelerate every phase of CPS 234 compliance work, from understanding a paragraph in the Standard to drafting the board narrative inside the Word report itself. The tool works fully without them; with them, the per-cycle effort that used to consume weeks of consultant time becomes an internal audit cadence your own team operates.

Each capability below is tagged with the phase of the compliance cycle it serves:

  • Phase 1: During the assessment
  • Phase 2: During review
  • Phase 3: Before & in the deliverables
  • Phase 4: Across periods

Phase 1

AI Advisor Chat

Connected Claude assistant that explains any CPS 234 paragraph, CPG 234 guidance, or compliance criterion in plain English — with conversational follow-up. Entity name, registration class, proportionality tier, your scores and notes are passed as context, so answers are tied to your actual posture, not generic regulatory boilerplate.

Phase 1

Draft With AI

Turn bullet-point facts into a structured assessment note — the assessor captures key facts, AI drafts the defensible written rationale that lives with the practice answer. The slow, low-energy step that usually gets skipped now takes seconds.

Phase 1

Context-Aware Suggested Prompts

One-tap prompt chips built into the AI Advisor — "Biggest gaps?", "Uplift plan", "Evidence to gather", "Board summary" — each pre-wired to your actual assessment data and domain compliance status. The fastest way to get useful AI output without crafting prompts.

Phase 2

AI Evidence Review with Compliance Suggestion

Attached PDFs, images, Word, Excel and CSV files are read by AI and assessed against the CPS 234 paragraph requirement — with a suggested compliance level and a low/medium/high confidence rating. The reviewer keeps the final call; AI does the first pass.

Phase 2

AI Deep Review

A more thorough AI pass for higher-criticality evidence — multi-pass analysis with finer-grained gap identification, traceable back to specific CPS 234 paragraphs and CPG 234 guidance. For the practices where "looks about right" isn't good enough.

Phase 2

AI Remediation Drafting

For each identified gap, AI drafts a specific remediation action — what to do, why it matters, how it lifts compliance. Regenerate if the first draft isn't quite right. The gap register stops being a list of problems and starts being a list of next actions.

Phase 3

Pre-Export Quality Review

Diagnostic AI scan over the entire entity or group assessment before export — surfaces empty notes on Strong answers, missing evidence on key obligations, reviewer/confidence inconsistencies, and overrides without justification. Diagnostic only; no answers are changed.

Phase 3 · In the Word report

AI Entity Executive Summary

The entity Word report opens with an AI-generated executive summary written from your actual assessment data — domain compliance, headline gaps, common gap findings, and recommended priorities for this entity. The CISO's board narrative, pre-drafted.

Phase 3 · In the Word report

AI Group Executive Summary

A different summary — written from the cross-entity view. Group-wide compliance status, weakest domains across the portfolio, common gaps with the highest leverage, systemic evidence weaknesses, and the cross-entity investment case. The Group CISO or Chief Risk Officer's narrative, drafted.

Phase 3 · In the Word report

AI Domain Narratives

Board-ready prose inside the Word report — for each of the nine CPS 234 obligation areas, an AI-written narrative explaining what the domain covers, your posture, where the gaps sit, and what to do next. Audit-committee language, generated from your data.

Phase 4

AI Period Comparison Narrative

When you load a previous assessment for year-over-year comparison, AI drafts the narrative of what changed — improvements, regressions, where evidence strengthened, and the trajectory story for the board. The "is compliance improving?" question, answered in prose.

Phase 4

AI Common-Gap Remediation Plan

For each Common Evidence Weakness or Common Low-Compliance Practice across the group, AI drafts a cross-entity systemic remediation plan — the leverage point that turns dozens of entity-level findings into a single funded programme.

Bring your own API key · Pay only for what you use

All twelve AI features connect using your own Anthropic Claude API key, stored only in your browser's session memory — never saved to disk, never sent to CyberAssure. Typical usage is a few Australian dollars per full assessment cycle. AI can be disabled entity-wide via Settings for sensitive supervisory engagement environments, and a sensitive-data warning is shown before evidence is submitted for AI review.

Regulatory Context

CPS 234 is in force — and the bar is higher than in 2019

Prudential Standard CPS 234 has applied to APRA-regulated entities since 1 July 2019, but the compliance environment has shifted significantly. The tripartite assessment programme covering 300+ entities has surfaced six common gaps. The Financial Accountability Regime has made individual executive accountability for CPS 234 compliance explicit. CPS 230 Operational Risk Management has added overlapping obligations from 1 July 2025. The Cyber Security Act 2024 has added mandatory ransomware reporting that runs alongside the existing 72-hour APRA notification. The tool's nine-domain coverage, multi-entity group mode, and FAR mapping were built precisely for this environment.


Ready to Assess Your CPS 234 Compliance?

Get in touch to discuss access to the APRA CPS 234 Assessment Tool.


Often Used Alongside

APRA-regulated entities frequently combine this assessment with complementary frameworks to address overlapping prudential and statutory obligations.

EU Financial Sector

DORA Readiness Assessment

For Australian financial entities and ICT third-party service providers in scope of the EU Digital Operational Resilience Act — a comparable financial-sector operational resilience regime that applies to EU operations and EU-supervised customers.

Third-Party Risk

Supply Chain Security Assessment

For CPS 234 third-party flow-down obligations — comprehensive vendor and third-party assessment with contractual obligation tracking, supporting both CPS 234 and CPS 230 material service provider obligations.
