Internal Audit and Three Lines of Defence for APRA-Regulated Entities

By Pranjal | Updated March 2026 | 8 min read

Internal audit is the final line of independent assurance in any APRA-regulated entity. Under CPS 510 (Governance), and its superannuation counterpart SPS 510 for RSE licensees, boards must ensure that internal audit is properly constituted, resourced, and empowered to challenge both business operations and the risk management function. Yet APRA consistently identifies internal audit deficiencies as a top governance concern across ADIs, insurers, and superannuation trustees.

This guide covers the regulatory requirements, the three lines of defence model in practice, and the most common pitfalls that draw APRA scrutiny.

Need to check whether your governance documents address internal audit requirements? Ask GoComply's AI chatbot — it covers CPS 510, CPG 510, and related prudential guidance with clause-level references.

The Three Lines of Defence Model

APRA expects regulated entities to implement a three lines of defence model as the foundation of their risk governance. The model gives each line a distinct role and creates clear accountability boundaries:

  1. First line: business and operational management, which owns the risks it takes and operates the day-to-day controls over them.
  2. Second line: the risk management and compliance functions, which set the frameworks and policies, monitor the first line, and report on the risk profile against the Board's risk appetite.
  3. Third line: internal audit, which provides independent assurance to the Board over the effectiveness of both the first and second lines.

The critical word is independence. If the third line reports to the CEO or CFO rather than the Board, or if audit findings are filtered through management before they reach directors, the model breaks down.

CPS 510: What APRA Actually Requires

APRA Prudential Standard CPS 510 sets out specific governance requirements that directly affect internal audit:

  1. Board Audit Committee: Every APRA-regulated entity must establish a Board Audit Committee composed entirely of non-executive directors, a majority of whom must be independent, chaired by an independent director who is not the Board chair, and with at least one member holding financial expertise. The committee oversees internal audit, external audit, and financial reporting.
  2. Audit Charter: The internal audit function must operate under a formal, Board-approved charter that defines its purpose, authority, scope, and reporting lines. The charter must grant unrestricted access to all activities, records, property, and personnel.
  3. Independence: The head of internal audit (Chief Audit Executive) must have a direct reporting line to the Board Audit Committee. Administrative reporting may go through the CEO, but functional reporting — audit plans, findings, resourcing — must go to the Committee.
  4. Adequate Resourcing: The Board must ensure internal audit has sufficient staff, skills, and budget to execute its mandate. Leaving the function under-resourced is therefore non-compliance with CPS 510, not simply a budgeting decision.
  5. Unrestricted Scope: Internal audit must be able to audit any function, process, or entity within the group, including outsourced and offshored activities.

Risk-Based Audit Planning

APRA expects internal audit plans to be risk-based, not cyclical. A common deficiency is audit functions that rotate through business units on a fixed schedule rather than directing resources to the highest-risk areas.

A sound risk-based audit plan links audit coverage to the entity's current risk profile, drawing on the risk register and risk appetite statement (RAS), so that audit effort follows where the risk actually sits rather than a fixed rotation through business units. It must also reach outsourced and offshored activities, which fall within internal audit's unrestricted scope under CPS 510.

APRA's expectation: The audit plan should be a living document. If the risk profile shifts — for example, due to a new prudential standard like CPS 230 — internal audit should reprioritise accordingly, not wait for the next annual planning cycle.

IIA Standards Alignment

APRA does not mandate compliance with the Institute of Internal Auditors (IIA) Global Internal Audit Standards, but it strongly expects alignment. In practice, APRA supervisors assess internal audit functions against IIA Standards as a benchmark.

Key areas of alignment include the independence and objectivity of the function, a Board-approved charter, risk-based planning, competent and adequately resourced staff, and a quality assurance and improvement programme that includes periodic external assessment.

Entities that have not undergone an external quality assessment of their internal audit function within the last 5 years should expect APRA questions.

Board Audit Committee: Governance in Practice

The Board Audit Committee is not a rubber stamp. APRA expects the Committee to approve the audit charter and the risk-based audit plan, receive audit findings and resourcing proposals directly from the Chief Audit Executive, track remediation of findings through to closure, and meet the Chief Audit Executive in private session without management present.

Internal Audit vs External Audit

Internal and external audit serve different masters and different purposes. External audit is engaged to give an independent opinion on the financial statements, answers to shareholders or members (and, for APRA-regulated entities, also reports to APRA), and is necessarily focused on financial reporting. Internal audit answers to the Board Audit Committee and assesses the design and operating effectiveness of risk management and internal controls across the whole entity, not just the controls that bear on the accounts.

APRA expects the two functions to coordinate — sharing audit plans, findings, and risk assessments — to maximise coverage and minimise duplication. However, internal audit must not delegate its responsibilities to the external auditor or rely on external audit work as a substitute for its own assurance activities.

Co-Sourcing vs In-House Internal Audit

APRA-regulated entities broadly use three models:

  1. Fully in-house: All internal audit staff are employees of the entity. Common at larger ADIs and insurers. Provides deep institutional knowledge but may lack specialist skills.
  2. Co-sourced: A small in-house team manages the function, supplemented by external firms for specialist audits (e.g., IT security, actuarial, model risk). This is the most common model across mid-tier entities.
  3. Fully outsourced: The entire internal audit function is provided by an external firm. APRA permits this but scrutinises independence carefully — particularly if the same firm provides consulting or external audit services.

Regardless of the model, the Board retains full accountability for the effectiveness of internal audit. Outsourcing does not outsource responsibility.

Common APRA Findings on Internal Audit Deficiencies

Based on APRA supervisory activities, prudential inquiries, and enforcement actions, the most frequent deficiencies include: audit plans that rotate through business units on a fixed cycle rather than following the risk profile; reporting lines that run through the CEO or CFO, or findings that are filtered by management before they reach the Committee; under-resourcing and a shortage of specialist skills in areas such as cyber, data analytics and model risk; weak tracking of finding remediation, with overdue items never escalated; and functions that have not been externally quality assessed within the last five years.

Lesson from CBA Prudential Inquiry (2018): APRA found that CBA's internal audit function lacked sufficient stature, independence, and resourcing to challenge management effectively. This finding contributed to APRA's $1 billion capital add-on and remains a cautionary benchmark for all regulated entities.

Strengthening Your Internal Audit Function

Practical steps to address APRA's expectations:

  1. Review the audit charter annually — ensure it reflects current CPS 510 requirements and IIA Standards
  2. Implement a risk-based methodology — link audit planning directly to the entity's risk register and RAS
  3. Track finding closure rigorously — set maximum timeframes, escalate overdue items to the Committee, and require evidence of remediation
  4. Invest in specialist skills — cyber, data analytics, model risk, and conduct risk are areas where generalist auditors often fall short
  5. Commission an external quality assessment every 5 years at minimum, with action plans for all recommendations
  6. Ensure private sessions between the Chief Audit Executive and the Board Audit Committee occur without management present

Scan Your Governance Documents Against CPS 510

Upload your audit charter, governance framework, or Board Audit Committee terms of reference. GoComply checks against 125 rules across 38 regulations.

Key Takeaways

Internal audit is not a cost centre — it is a regulatory requirement and a critical governance function. APRA has demonstrated through enforcement actions that weak internal audit is treated as a Board-level governance failure. Entities that invest in a properly independent, risk-based, and well-resourced internal audit function are better positioned to identify control weaknesses before APRA does.

The three lines of defence model only works when each line is genuinely independent and adequately empowered. When the lines blur — when internal audit pulls its punches, when risk functions are under-resourced, or when the Board Audit Committee does not actively challenge — the entire governance framework is compromised.