Skip to main content

Example Evidence for Not Monitored Controls (CPS 230)

This article is meant to provide examples of evidence for the ‘Not Monitored’ CPS 230 Controls in Drata. For each Control, you’ll find one or more examples of evidence to upload.

NOTE: This document should not be interpreted as legal advice. When supplying evidence for Controls, you should work with your legal and compliance advisors to ensure that documents are appropriate for your organization’s specific facts and circumstances. In addition, we cannot guarantee that the recommendations provided below will meet the specific requirements of your CPS 230 implementation, your auditor’s expectations, or APRA’s supervisory expectations.

How This Article Is Organized

Drata’s CPS 230 framework includes complementary configurations for APRA-regulated entities and Material Service Providers (MSPs). Each control appears once in the table below, and the Applies To column indicates whether the control is mapped in the APRA-regulated entity configuration only, or in both configurations. See the related article, APRA CPS 230: Set Up Guidance (APRA-Regulated Entity vs. Material Service Provider), for help determining which configuration applies to you.

Several controls below include a note that the standard control wording does not cover the full requirement of CPS 230. For those controls, the evidence you upload should demonstrate the additional CPS 230-specific elements described, not just the baseline control activity. For broader context on what good evidence looks like, see the General Evidence Best Practices (CPG 230) section at the end of this article.

Not Monitored Controls and Example Evidence

Code

Name

Applies To

Evidence

DCF-15

Risk Assessment Policy

APRA-Regulated Entity and MSP

Upload the most recent approved Risk Assessment Policy that was in effect during the current audit period.

Ensure the policy covers the full range of operational risks, including but not limited to legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk, and change management risk.

Example Evidence

  • Approved policy defining the process for risk assessment and risk management, including roles, methodology, and frequency

  • Policy sections explicitly addressing legal, regulatory, compliance, conduct, technology, data, and change management risk

DCF-16

Periodic Risk Assessment

APRA-Regulated Entity and MSP

Upload your most recent completed operational risk assessment, performed at the frequency required by your policy.

Ensure the assessment includes the full range of operational risks (legal, regulatory, compliance, conduct, technology, data, and change management risk), and supports a defined risk appetite with indicators, limits, and tolerance levels.

Example Evidence

  • Completed risk assessment or risk register extract covering the full range of operational risks above

  • Documentation showing the assessment considers the impact of business and strategic decisions, including new products, services, geographies, and technologies, on the operational risk profile

  • Evidence of the assessment date demonstrating the required frequency was met

DCF-17

Risk Treatment Plan

APRA-Regulated Entity and MSP

Upload the documented risk treatment plan that formally manages the risks identified in your risk assessment.

Ensure the plan addresses the full range of operational risks identified (legal, regulatory, compliance, conduct, technology, data, and change management risk).

Example Evidence

  • Risk treatment plan with named owners, planned actions, and target dates for identified operational risks

  • Remediation tracking showing material weaknesses and control gaps are addressed at the root cause, remain on the risk profile until remediated, and are closed in a timely manner

DCF-26

BCP/DR Tests

APRA-Regulated Entity and MSP

Upload the results of your most recent business continuity / disaster recovery test, completed within the past year.

Note: the standard wording of this control does not cover the full requirement of CPS 230. Ensure your BCP testing includes your critical operations, the tolerance levels set for those critical operations, and a range of severe but plausible scenarios, with results measured against those tolerance levels. Also ensure the testing program is updated annually to reflect changes in legal or organisational structure, business mix, strategy, or risk profile, and for shortcomings identified through prior reviews and tests.

Example Evidence

  • Annual business continuity exercise report showing the scenarios tested (including disruption to a material service provider) and recovery performance measured against tolerance levels

  • Test scope demonstrating coverage of all critical operations

  • Remediation records for shortcomings identified during testing

DCF-56

Vendor Register and Agreements

APRA-Regulated Entity and MSP

Upload your vendor/third-party register and a sample of executed agreements with material service providers.

Note: the standard wording of this control does not cover the full requirement of CPS 230. Ensure the register identifies whether each vendor is a Material Service Provider, and ensure agreements with material service providers include: (a) the services covered and associated service levels; (b) the rights, responsibilities, and expectations of each party, including ownership of assets, ownership and control of data, dispute resolution, audit access, liability, and indemnity; (c) provisions ensuring the entity can meet its legal and compliance obligations; (d) notification by the provider of material subcontracting arrangements; (e) provider liability for any subcontractor failures; (f) a force majeure provision indicating the parts of the contract that would continue; and (g) termination rights covering the arrangement in whole or in part. Agreements must also allow APRA access to documentation, data, and other information related to the service, allow APRA the right to conduct an on-site visit to the service provider, and ensure the provider agrees not to impede APRA in fulfilling its duties as prudential regulator.

Example Evidence

  • Vendor register with a column or field designating Material Service Providers

  • Executed agreement (or contract clause gap analysis) evidencing the CPS 230 minimum provisions listed above, including the APRA access, on-site visit, and non-impediment clauses

DCF-135

Notification of Incidents or Breaches

APRA-Regulated Entity only

Upload appropriately redacted evidence of notifications to APRA, or your documented notification procedures if no notifiable event has occurred.

Note: the standard wording of this control does not cover the full requirement of CPS 230. Ensure your notification procedures and evidence address all three CPS 230 notification obligations: (1) notifying APRA as soon as possible, and no later than 72 hours, after becoming aware of an operational risk incident likely to have a material financial impact or a material impact on the ability to maintain critical operations; (2) notifying APRA as soon as possible, and no later than 24 hours, after suffering a disruption to a critical operation outside tolerance, covering the nature of the disruption, the action taken, the likely impact on business operations, and the timeframe for returning to normal operations; and (3) notifying APRA no more than 20 business days after entering into or materially changing an agreement relied on for a critical operation, and prior to entering into any material offshoring arrangement (or any significant proposed change to one, including where data or personnel will be located offshore).

Example Evidence

  • Redacted copies of notifications sent to APRA, with timestamps demonstrating the applicable timeframe was met

  • Incident response or regulatory notification procedure documenting the 72-hour, 24-hour, and 20-business-day obligations, decision criteria, and owners

  • Internal tickets or logs documenting the notification decision and process for a recent incident

DCF-144

Board Charter Documented

APRA-Regulated Entity and MSP

Upload the documented Board charter (or equivalent governing body charter) in effect during the current audit period.

Ensure the charter covers the Board’s accountabilities and responsibilities for operational risk management, including oversight of business continuity and service provider arrangements.

Example Evidence

  • Board charter sections evidencing oversight of operational risk management and the effectiveness of key internal controls

  • Charter provisions covering Board approval of the BCP and tolerance levels for disruptions to critical operations, and approval of the service provider management policy

DCF-146

Board Meetings

APRA-Regulated Entity only

Upload appropriately redacted Board meeting minutes or papers from the current audit period.

Ensure the minutes demonstrate that the Board receives regular updates on the operational risk profile, and that senior management provides clear and comprehensive information to the Board on the expected impacts on critical operations when the Board makes decisions that could affect the resilience of critical operations.

Example Evidence

  • Minutes or Board papers showing operational risk profile reporting and discussion of areas of concern

  • Minutes evidencing Board approval of tolerance levels, the BCP, or the service provider management policy, and review of BCP testing results

  • Papers showing senior management briefings on critical-operations impacts for resilience-affecting decisions

DCF-154

Incident Response Test

APRA-Regulated Entity only

Upload documentation of your most recent incident response test, completed within the required period.

Ensure the test includes scenario analysis to identify and assess the potential impact of severe operational risk events, test operational resilience, and identify the need for new or amended controls and other mitigation strategies.

Example Evidence

  • Incident response test report covering severe operational risk scenarios and their assessed impacts

  • Documented outcomes showing new or amended controls or mitigation strategies identified as a result of the test

DCF-165

Periodic Independent Assessments

APRA-Regulated Entity and MSP

Upload your most recent independent assessment or internal audit reports covering operational risk management.

Note: the standard wording of this control does not cover the full requirement of CPS 230. Ensure that: assessments cover the management of operational risks; testing is conducted at a frequency commensurate with the materiality of the risks being controlled; results are reported to senior management and gaps or deficiencies are rectified in a timely manner; internal audit periodically reviews the BCP and provides assurance to the Board that it sets out a credible plan for maintaining critical operations within tolerance levels through severe disruptions, and that testing procedures are adequate and have been conducted satisfactorily; and internal audit reviews any proposed material arrangement involving the outsourcing of a critical operation and regularly reports to the Board or Board Audit Committee on compliance of such arrangements with the service provider management policy.

Example Evidence

  • Independent assessment or internal audit report covering operational risk management and control effectiveness

  • Internal audit BCP review and assurance reporting to the Board

  • Internal audit review of a proposed material outsourcing arrangement, with reporting to the Board or Board Audit Committee

  • Evidence that findings were reported to senior management and remediated in a timely manner

DCF-166

Business Continuity Plan

APRA-Regulated Entity and MSP

Upload the most recent approved Business Continuity Plan (BCP), dated within the current audit period.

Note: the standard wording of this control does not cover the full requirement of CPS 230. Ensure the BCP includes: (a) the register of critical operations and associated tolerance levels; (b) triggers to identify a disruption and prompt activation of the plan, and arrangements to direct resources in the event of activation; (c) the actions the entity would take to maintain its critical operations within tolerance levels through disruptions; (d) an assessment of the execution risks, required resources, and preparatory measures, including key internal and external dependencies needed to support effective implementation of the BCP actions; and (e) a communications strategy to support execution of the plan. The BCP should also define “severe but plausible scenarios” and include a plan to address them.

Example Evidence

  • Approved BCP document containing the elements (a) through (e) above

  • BCP sections defining severe but plausible scenarios and the planned response to each

DCF-167

Business Impact Analysis

APRA-Regulated Entity only

Upload your most recent Business Impact Analysis (BIA).

Ensure the BIA applies the CPS 230 definition of critical operations: processes which, if disrupted beyond tolerance levels, would have a material adverse impact on depositors, policyholders, beneficiaries, other customers, or the entity’s role in the financial system, including the operations APRA prescribes as critical for your industry unless you can justify otherwise. The critical operations identified through the BIA should flow into the BCP (DCF-166) and BCP/DR testing (DCF-26).

Example Evidence

  • Completed BIA identifying critical operations, their criticality, and the people, technology, information, facilities, and service providers they depend on

  • Documented justification for any APRA-prescribed business operation not classified as critical

  • Linkage from BIA outputs to the critical operations register and tolerance levels

DCF-168

Vendor Management Policy

APRA-Regulated Entity and MSP

Upload the most recent approved Vendor Management Policy in effect during the current audit period.

Note: the standard wording of this control does not cover the full requirement of CPS 230. Ensure the policy contains: how the entity identifies material service providers and manages service provider arrangements, including the management of material risks associated with those arrangements; the entity’s approach to entering into, monitoring, substituting, and exiting agreements with material service providers; the entity’s approach to managing the risks associated with material service providers; and the entity’s approach to managing the risks associated with any fourth parties that material service providers rely on to deliver a critical operation.

Example Evidence

  • Approved policy sections covering MSP identification criteria and the management of material risks

  • Policy sections covering entering, monitoring, substituting, and exiting MSP agreements, and the management of fourth-party risk

DCF-184

Management System Plan

APRA-Regulated Entity and MSP

Upload your management system plan or equivalent risk management framework documentation.

Ensure the plan includes review of operational risk management covering: (a) governance arrangements for the oversight of operational risk; (b) an assessment of the operational risk profile, with a defined risk appetite supported by indicators, limits, and tolerance levels; (c) internal controls that are designed and operating effectively; (d) appropriate monitoring, analysis, and reporting of operational risks and escalation processes for operational incidents and events; (e) business continuity plans that set out how the entity would identify, manage, and respond to a disruption within tolerance levels and are regularly tested with severe but plausible scenarios; and (f) processes for the management of service provider arrangements.

Example Evidence

  • Management system plan or risk management framework documentation addressing the six elements (a) through (f) above

  • Evidence of the periodic review of operational risk management as part of the broader risk management framework review

DCF-507

Vendor Due Diligence

APRA-Regulated Entity and MSP

Upload completed due diligence records for a recently engaged or materially modified service provider arrangement.

Note: the standard wording of this control does not cover the full requirement of CPS 230. Ensure due diligence includes an appropriate selection process and an assessment of the provider’s ability to provide the service on an ongoing basis, and assesses the financial and non-financial risks from reliance on the provider, including risks associated with the geographic location or concentration of the provider or the parties it relies on. For each material arrangement, also ensure the entity: identifies and manages risks that could affect the provider’s ability to deliver the service on an ongoing basis; identifies and manages risks to the entity that could result from the arrangement, such as step-in risk or contagion risk; ensures it can execute its BCP if needed; and ensures it can conduct an orderly exit from the arrangement if needed.

Example Evidence

  • Completed due diligence assessment for a material service provider, covering selection, ongoing capability, and financial and non-financial risks (including geographic location and concentration)

  • Risk assessment for the arrangement addressing ongoing service delivery, step-in and contagion risk, BCP executability, and orderly exit

DCF-762

Managing Changes to Supplier Services

APRA-Regulated Entity and MSP

Upload evidence that changes to the provision of services by vendors, including expansions of services and supplier-initiated changes, are risk-assessed and managed.

Ensure that material modifications to a service provider arrangement trigger a reassessment equivalent to the due diligence performed when entering the arrangement (see DCF-507), including the financial and non-financial risks of continued reliance on the provider, and that ongoing monitoring assesses performance against agreed service levels, the effectiveness of controls managing provider risks, and both parties’ compliance with the agreement.

Example Evidence

  • Change records or reassessment documentation for a recent material change to a vendor service

  • Updated risk assessment reflecting the modified arrangement

  • Monitoring or service review reports for the affected arrangement, with reporting to senior management

DCF-833

Resilience Objectives

APRA-Regulated Entity only

Upload your documented resilience objectives (tolerance levels) for critical operations.

Ensure tolerance levels are established for each critical operation, covering the maximum period of time the entity would tolerate a disruption, the maximum extent of data loss the entity would accept, and, importantly, the minimum service levels the entity would maintain while operating under alternative arrangements during a disruption.

Example Evidence

  • Approved tolerance level documentation per critical operation covering maximum tolerable outage, maximum data loss, and minimum service levels under alternative arrangements

  • Evidence of Board approval of the tolerance levels

  • Tolerance monitoring reports and, where applicable, Board reporting of any failure to meet tolerance levels together with a remediation plan

General Evidence Best Practices (CPG 230)

Regardless of the specific control, APRA’s Prudential Practice Guide CPG 230 points to a consistent set of artifacts that demonstrate CPS 230 compliance. When preparing evidence for any Not Monitored control in this framework, keep the following best practices in mind:

  • Connect your artifacts. Your BIA (DCF-167), critical operations register, tolerance levels (DCF-833), BCP (DCF-166), and BCP/DR tests (DCF-26) should reference the same critical operations and thresholds. Disconnected documents are a common supervisory finding.

  • Evidence outcomes, not just documents. A test report that measures recovery against the stated maximum outage, data loss, and minimum service levels is far stronger evidence than a test report that simply confirms an exercise occurred.

  • Date everything within the audit period. Policies, plans, assessments, and test reports should be approved and dated within the current period, with version history where available.

  • Show Board engagement, not just sign-off. CPG 230 emphasizes that the Board should be able to challenge management. Minutes showing discussion of tolerance levels, testing outcomes, and MSP reporting are stronger evidence than approval signatures alone.

  • Document justifications at the time of decision. Where CPS 230 allows departure from a default (for example, not classifying an APRA-prescribed operation as critical, or a prescribed provider type as material), retain the documented justification; an undocumented exclusion will generally be treated as a gap.

  • Redact appropriately. Notifications to APRA, Board minutes, and incident records may contain sensitive information; redact customer data and confidential commercial details while preserving the evidence of timeliness and content.

  • Reuse cross-mapped evidence. Many of these controls are cross-mapped to frameworks such as SOC 2, ISO 27001, and CPS 234. Evidence prepared for those frameworks can often satisfy the CPS 230 mapping, provided the CPS 230-specific elements noted in the table above are present.

Note: For additional support on CPS 230, your request will be forwarded to the Drata Customer Success Team based in APAC for further assistance.

Related Articles

Did this answer your question?