This article is meant to provide examples of evidence for the ‘Not Monitored’ CPS 230 Controls in Drata. For each Control, you’ll find one or more examples of evidence to upload.
NOTE: This document should not be interpreted as legal advice. When supplying evidence for Controls, you should work with your legal and compliance advisors to ensure that documents are appropriate for your organization’s specific facts and circumstances. In addition, we cannot guarantee that the recommendations provided below will meet the specific requirements of your CPS 230 implementation, your auditor’s expectations, or APRA’s supervisory expectations.
How This Article Is Organized
Drata’s CPS 230 framework includes complementary configurations for APRA-regulated entities and Material Service Providers (MSPs). Each control appears once in the table below, and the Applies To column indicates whether the control is mapped in the APRA-regulated entity configuration only, or in both configurations. See the related article, APRA CPS 230: Set Up Guidance (APRA-Regulated Entity vs. Material Service Provider), for help determining which configuration applies to you.
Several controls below include a note that the standard control wording does not cover the full requirement of CPS 230. For those controls, the evidence you upload should demonstrate the additional CPS 230-specific elements described, not just the baseline control activity. For broader context on what good evidence looks like, see the General Evidence Best Practices (CPG 230) section at the end of this article.
Not Monitored Controls and Example Evidence
Code | Name | Applies To | Evidence |
DCF-15 | Risk Assessment Policy | APRA-Regulated Entity and MSP | Upload the most recent approved Risk Assessment Policy that was in effect during the current audit period. Ensure the policy covers the full range of operational risks, including but not limited to legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk, and change management risk. Example Evidence
|
DCF-16 | Periodic Risk Assessment | APRA-Regulated Entity and MSP | Upload your most recent completed operational risk assessment, performed at the frequency required by your policy. Ensure the assessment includes the full range of operational risks (legal, regulatory, compliance, conduct, technology, data, and change management risk), and supports a defined risk appetite with indicators, limits, and tolerance levels. Example Evidence
|
DCF-17 | Risk Treatment Plan | APRA-Regulated Entity and MSP | Upload the documented risk treatment plan that formally manages the risks identified in your risk assessment. Ensure the plan addresses the full range of operational risks identified (legal, regulatory, compliance, conduct, technology, data, and change management risk). Example Evidence
|
DCF-26 | BCP/DR Tests | APRA-Regulated Entity and MSP | Upload the results of your most recent business continuity / disaster recovery test, completed within the past year.
Note: the standard wording of this control does not cover the full requirement of CPS 230. Ensure your BCP testing includes your critical operations, the tolerance levels set for those critical operations, and a range of severe but plausible scenarios, with results measured against those tolerance levels. Also ensure the testing program is updated annually to reflect changes in legal or organisational structure, business mix, strategy, or risk profile, and for shortcomings identified through prior reviews and tests.
Example Evidence
|
DCF-56 | Vendor Register and Agreements | APRA-Regulated Entity and MSP | Upload your vendor/third-party register and a sample of executed agreements with material service providers.
Note: the standard wording of this control does not cover the full requirement of CPS 230. Ensure the register identifies whether each vendor is a Material Service Provider, and ensure agreements with material service providers include: (a) the services covered and associated service levels; (b) the rights, responsibilities, and expectations of each party, including ownership of assets, ownership and control of data, dispute resolution, audit access, liability, and indemnity; (c) provisions ensuring the entity can meet its legal and compliance obligations; (d) notification by the provider of material subcontracting arrangements; (e) provider liability for any subcontractor failures; (f) a force majeure provision indicating the parts of the contract that would continue; and (g) termination rights covering the arrangement in whole or in part. Agreements must also allow APRA access to documentation, data, and other information related to the service, allow APRA the right to conduct an on-site visit to the service provider, and ensure the provider agrees not to impede APRA in fulfilling its duties as prudential regulator.
Example Evidence
|
DCF-135 | Notification of Incidents or Breaches | APRA-Regulated Entity only | Upload appropriately redacted evidence of notifications to APRA, or your documented notification procedures if no notifiable event has occurred.
Note: the standard wording of this control does not cover the full requirement of CPS 230. Ensure your notification procedures and evidence address all three CPS 230 notification obligations: (1) notifying APRA as soon as possible, and no later than 72 hours, after becoming aware of an operational risk incident likely to have a material financial impact or a material impact on the ability to maintain critical operations; (2) notifying APRA as soon as possible, and no later than 24 hours, after suffering a disruption to a critical operation outside tolerance, covering the nature of the disruption, the action taken, the likely impact on business operations, and the timeframe for returning to normal operations; and (3) notifying APRA no more than 20 business days after entering into or materially changing an agreement relied on for a critical operation, and prior to entering into any material offshoring arrangement (or any significant proposed change to one, including where data or personnel will be located offshore).
Example Evidence
|
DCF-144 | Board Charter Documented | APRA-Regulated Entity and MSP | Upload the documented Board charter (or equivalent governing body charter) in effect during the current audit period.
Ensure the charter covers the Board’s accountabilities and responsibilities for operational risk management, including oversight of business continuity and service provider arrangements.
Example Evidence
|
DCF-146 | Board Meetings | APRA-Regulated Entity only | Upload appropriately redacted Board meeting minutes or papers from the current audit period. Ensure the minutes demonstrate that the Board receives regular updates on the operational risk profile, and that senior management provides clear and comprehensive information to the Board on the expected impacts on critical operations when the Board makes decisions that could affect the resilience of critical operations.
Example Evidence
|
DCF-154 | Incident Response Test | APRA-Regulated Entity only | Upload documentation of your most recent incident response test, completed within the required period. Ensure the test includes scenario analysis to identify and assess the potential impact of severe operational risk events, test operational resilience, and identify the need for new or amended controls and other mitigation strategies.
Example Evidence
|
DCF-165 | Periodic Independent Assessments | APRA-Regulated Entity and MSP | Upload your most recent independent assessment or internal audit reports covering operational risk management.
Note: the standard wording of this control does not cover the full requirement of CPS 230. Ensure that: assessments cover the management of operational risks; testing is conducted at a frequency commensurate with the materiality of the risks being controlled; results are reported to senior management and gaps or deficiencies are rectified in a timely manner; internal audit periodically reviews the BCP and provides assurance to the Board that it sets out a credible plan for maintaining critical operations within tolerance levels through severe disruptions, and that testing procedures are adequate and have been conducted satisfactorily; and internal audit reviews any proposed material arrangement involving the outsourcing of a critical operation and regularly reports to the Board or Board Audit Committee on compliance of such arrangements with the service provider management policy.
Example Evidence
|
DCF-166 | Business Continuity Plan | APRA-Regulated Entity and MSP | Upload the most recent approved Business Continuity Plan (BCP), dated within the current audit period.
Note: the standard wording of this control does not cover the full requirement of CPS 230. Ensure the BCP includes: (a) the register of critical operations and associated tolerance levels; (b) triggers to identify a disruption and prompt activation of the plan, and arrangements to direct resources in the event of activation; (c) the actions the entity would take to maintain its critical operations within tolerance levels through disruptions; (d) an assessment of the execution risks, required resources, and preparatory measures, including key internal and external dependencies needed to support effective implementation of the BCP actions; and (e) a communications strategy to support execution of the plan. The BCP should also define “severe but plausible scenarios” and include a plan to address them.
Example Evidence
|
DCF-167 | Business Impact Analysis | APRA-Regulated Entity only | Upload your most recent Business Impact Analysis (BIA).
Ensure the BIA applies the CPS 230 definition of critical operations: processes which, if disrupted beyond tolerance levels, would have a material adverse impact on depositors, policyholders, beneficiaries, other customers, or the entity’s role in the financial system, including the operations APRA prescribes as critical for your industry unless you can justify otherwise. The critical operations identified through the BIA should flow into the BCP (DCF-166) and BCP/DR testing (DCF-26).
Example Evidence
|
DCF-168 | Vendor Management Policy | APRA-Regulated Entity and MSP | Upload the most recent approved Vendor Management Policy in effect during the current audit period.
Note: the standard wording of this control does not cover the full requirement of CPS 230. Ensure the policy contains: how the entity identifies material service providers and manages service provider arrangements, including the management of material risks associated with those arrangements; the entity’s approach to entering into, monitoring, substituting, and exiting agreements with material service providers; the entity’s approach to managing the risks associated with material service providers; and the entity’s approach to managing the risks associated with any fourth parties that material service providers rely on to deliver a critical operation.
Example Evidence
|
DCF-184 | Management System Plan | APRA-Regulated Entity and MSP | Upload your management system plan or equivalent risk management framework documentation. Ensure the plan includes review of operational risk management covering: (a) governance arrangements for the oversight of operational risk; (b) an assessment of the operational risk profile, with a defined risk appetite supported by indicators, limits, and tolerance levels; (c) internal controls that are designed and operating effectively; (d) appropriate monitoring, analysis, and reporting of operational risks and escalation processes for operational incidents and events; (e) business continuity plans that set out how the entity would identify, manage, and respond to a disruption within tolerance levels and are regularly tested with severe but plausible scenarios; and (f) processes for the management of service provider arrangements.
Example Evidence
|
DCF-507 | Vendor Due Diligence | APRA-Regulated Entity and MSP | Upload completed due diligence records for a recently engaged or materially modified service provider arrangement.
Note: the standard wording of this control does not cover the full requirement of CPS 230. Ensure due diligence includes an appropriate selection process and an assessment of the provider’s ability to provide the service on an ongoing basis, and assesses the financial and non-financial risks from reliance on the provider, including risks associated with the geographic location or concentration of the provider or the parties it relies on. For each material arrangement, also ensure the entity: identifies and manages risks that could affect the provider’s ability to deliver the service on an ongoing basis; identifies and manages risks to the entity that could result from the arrangement, such as step-in risk or contagion risk; ensures it can execute its BCP if needed; and ensures it can conduct an orderly exit from the arrangement if needed.
Example Evidence
|
DCF-762 | Managing Changes to Supplier Services | APRA-Regulated Entity and MSP | Upload evidence that changes to the provision of services by vendors, including expansions of services and supplier-initiated changes, are risk-assessed and managed. Ensure that material modifications to a service provider arrangement trigger a reassessment equivalent to the due diligence performed when entering the arrangement (see DCF-507), including the financial and non-financial risks of continued reliance on the provider, and that ongoing monitoring assesses performance against agreed service levels, the effectiveness of controls managing provider risks, and both parties’ compliance with the agreement.
Example Evidence
|
DCF-833 | Resilience Objectives | APRA-Regulated Entity only | Upload your documented resilience objectives (tolerance levels) for critical operations.
Ensure tolerance levels are established for each critical operation, covering the maximum period of time the entity would tolerate a disruption, the maximum extent of data loss the entity would accept, and, importantly, the minimum service levels the entity would maintain while operating under alternative arrangements during a disruption.
Example Evidence
|
General Evidence Best Practices (CPG 230)
Regardless of the specific control, APRA’s Prudential Practice Guide CPG 230 points to a consistent set of artifacts that demonstrate CPS 230 compliance. When preparing evidence for any Not Monitored control in this framework, keep the following best practices in mind:
Connect your artifacts. Your BIA (DCF-167), critical operations register, tolerance levels (DCF-833), BCP (DCF-166), and BCP/DR tests (DCF-26) should reference the same critical operations and thresholds. Disconnected documents are a common supervisory finding.
Evidence outcomes, not just documents. A test report that measures recovery against the stated maximum outage, data loss, and minimum service levels is far stronger evidence than a test report that simply confirms an exercise occurred.
Date everything within the audit period. Policies, plans, assessments, and test reports should be approved and dated within the current period, with version history where available.
Show Board engagement, not just sign-off. CPG 230 emphasizes that the Board should be able to challenge management. Minutes showing discussion of tolerance levels, testing outcomes, and MSP reporting are stronger evidence than approval signatures alone.
Document justifications at the time of decision. Where CPS 230 allows departure from a default (for example, not classifying an APRA-prescribed operation as critical, or a prescribed provider type as material), retain the documented justification; an undocumented exclusion will generally be treated as a gap.
Redact appropriately. Notifications to APRA, Board minutes, and incident records may contain sensitive information; redact customer data and confidential commercial details while preserving the evidence of timeliness and content.
Reuse cross-mapped evidence. Many of these controls are cross-mapped to frameworks such as SOC 2, ISO 27001, and CPS 234. Evidence prepared for those frameworks can often satisfy the CPS 230 mapping, provided the CPS 230-specific elements noted in the table above are present.
Note: For additional support on CPS 230, your request will be forwarded to the Drata Customer Success Team based in APAC for further assistance.
