| | |
|---|---|
| Regulator | APRA |
| Jurisdiction | AU |
| Status | live |
| Applicability | Platform |

Prudential Standard APS 310 Audit and Related Matters governs the internal and external audit
arrangements of APRA-regulated entities, including ADIs. It requires a board-approved internal
audit charter, an internal audit function with direct access to the board audit committee, an
annual programme of audit coverage, and APRA's right of access to audit findings and management
letters. The Head of Internal Audit must have unrestricted access to the audit committee and to
all business units, systems, and records.
APS 310 is overwhelmingly an institutional standard. The platform does not own the audit function,
but provides the evidence base — immutable transaction records, agent action logs, and system
decision logs — that enables internal and external audit to operate efficiently and with complete
coverage.
Compliance register
This register maps every material obligation under the standard to the platform control or
institutional process that satisfies it. It is the static traceability layer for the Totara
compliance report — dynamic data (module build status, test evidence, control test dates) is
overlaid at runtime.
Scope legend

| Symbol | Meaning |
|---|---|
| 🤖 Automated | Platform enforces or performs the obligation. Primary control mode is GATE, AUTO, CALC, or ALERT. Human action is not required in the normal case. |
| 📊 Evidenced | Platform captures the evidence trail automatically. Human compliance decision sits on top. Primary control mode is LOG. |
| 🏛 Institutional | Obligation is met by a process entirely outside the platform — training programmes, board governance, HR, legal. Platform may generate evidence inputs but does not own the process. |
| N/A | Obligation does not apply to this deployment configuration. |

Build legend

| Symbol | Meaning |
|---|---|
| ✅ | Module built and deployed |
| 🔨 | Module planned — not yet built (build_status: Not started) |
| ❌ | Uncontrolled gap — no module attributed |

Part 2 — Internal audit function

| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| Para 17 | Board must approve an internal audit charter setting out the mandate, independence, and scope of the internal audit function | 🏛 Institutional | GOV-006 | No platform control — the charter is a board-approved governance document. MOD-047 (LOG) and MOD-048 (LOG) provide the evidence base that internal audit will rely on. | 🔨 |
| Para 18 | Internal audit function must be independent of management — Head of Internal Audit reports to the board audit committee | 🏛 Institutional | GOV-006 | Structural independence is an HR and governance matter. The platform does not control reporting lines. | — |
| Para 19 | Internal audit programme must cover all material business activities, systems, and controls at least annually | 📊 Evidenced | GOV-006 | MOD-047 (LOG) — all agent actions logged and accessible to the internal_audit role; MOD-048 (LOG) — all system decisions logged; MOD-002 (LOG) — immutable transaction ledger available for audit sampling; MOD-150 (LOG) — operational risk register and control test results available for audit review | 🔨 |
| Para 20 | Internal audit must have unrestricted access to all records, systems, and personnel | 📊 Evidenced | GOV-006 | MOD-046 (LOG) — privileged access to production systems is session-logged and available to audit; MOD-044 (LOG) — all authenticated API calls logged with user ID, role, and endpoint; role-based access grants the internal_audit role read access across all system domains | 🔨 |
| Para 21 | APRA has the right to access internal audit findings, working papers, and management letters | 🏛 Institutional | GOV-006 | APRA access is facilitated by the Compliance Officer and is a governance/legal process. MOD-047, MOD-048, and MOD-002 provide structured evidence packages that can be extracted for APRA on request. | — |

Part 3 — External audit

| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| Para 22 | ADI must appoint an external auditor approved or accepted by APRA | 🏛 Institutional | GOV-006 | Auditor appointment is a board governance matter. Platform has no role. | — |
| Para 23 | External auditor must have unrestricted access to all books, accounts, and records | 📊 Evidenced | GOV-006 | MOD-002 (LOG) — immutable transaction log is the authoritative record; MOD-076 (LOG) — platform-level system events available; MOD-080 (LOG) — all ERP extracts and statutory reporting data available for auditor review | 🔨 |
| Para 24 | External auditor provides an annual audit opinion on the financial statements and prudential returns | 🏛 Institutional | GOV-006 | Audit opinion preparation is entirely institutional. The platform provides the data inputs: MOD-036 (AUTO) produces prudential returns; MOD-080 (AUTO) produces statutory financials. | 🔨 |
| Para 25 | Management letters and audit findings must be provided to APRA within 3 months of financial year end | 🏛 Institutional | GOV-006 | Submission of management letters to APRA is a Compliance Officer process. Platform is not involved. | — |

The following obligations under APS 310 are the responsibility of the institution, not the platform.
The platform may generate evidence inputs but does not own these processes.

| Obligation | Owner | Platform evidence input |
|---|---|---|
| Approval and maintenance of the internal audit charter | Board Audit Committee | None — governance document only |
| Annual audit programme planning and execution | Head of Internal Audit | MOD-047, MOD-048, MOD-002, MOD-150 provide the evidence base |
| Independence of the internal audit function | Board / CEO | Structural governance — not a platform function |
| Appointment and tenure of external auditors | Board Audit Committee | None — governance process |
| Submission of management letters and findings to APRA | Chief Compliance Officer | MOD-036 and MOD-080 provide supporting data extracts |
| APRA examination responses relating to audit findings | Chief Compliance Officer | MOD-047, MOD-048 provide structured log extracts |

Coverage summary

| Area | Total obligations | Platform automated 🤖 | Platform evidenced 📊 | Institutional 🏛 | N/A |
|---|---|---|---|---|---|
| Internal audit function | 5 | 0 | 2 | 3 | 0 |
| External audit | 4 | 0 | 2 | 2 | 0 |
| Total | 9 | 0 (0%) | 4 (44%) | 5 (56%) | 0 (0%) |

APS 310 is an institutional standard. The platform's contribution is to provide a complete,
tamper-evident evidence base that internal and external audit can rely on without manual
data assembly. All attributed modules are currently build_status: Not started.

| Policy | Title |
|---|---|
| GOV-006 | Internal Audit Policy |

Compiled 2026-05-22 from source/entities/regulations/au-aps-310.yaml