CPS 230 Compliance

Get CPS 230 Audit-Ready in Weeks

Police Bank and Pepper Money replaced spreadsheets with audit-ready vendor compliance. One platform for contracts, vendor risk, and spend.

Pre-existing vendor contracts must comply by 1 July 2026. The deadline is not moving.


What APRA CPS 230 Requires of Vendor-Facing Teams

APRA's Prudential Standard CPS 230 for Operational Risk Management sets obligations across vendor compliance, material service provider oversight, and operational resilience. These are the requirements most relevant to Procurement, Legal, and Finance teams.


Material Service Provider Register

Maintain a documented register of every vendor that performs a critical operation or creates material operational risk. Include service scope, SLA obligations, and materiality classification.


Mandatory Contract Clauses

Contracts with material service providers must include seven mandatory clauses covering SLAs, risk management, security, audit and regulator access, subcontracting, contingency, and data ownership.


Continuous Oversight and Audit Trails

Ongoing monitoring of vendor performance, incident reporting, and risk changes. Every screening, approval, and risk assessment must produce a complete audit trail accessible to APRA.

The Challenge

Still Managing Vendor Risk in Spreadsheets? APRA Expects More.

CPS 230 expects systematic vendor oversight with complete audit trails. Spreadsheets cannot deliver that at the standard APRA expects.

Police Bank's Procurement Lead described how spreadsheets created friction across every vendor management process. No centralised repository. No continuous oversight. No self-service access for business users. Read the Police Bank case study.

“CPS 230 is really asking the question of making sure you're effectively managing your vendors. Gatekeeper removed all that friction.”
Bradley Dollin, Procurement Lead, Police Bank
The Challenge

CPS 230 Requires Proof You're in Control of Vendor Spend

Canstar's Legal Counsel described an ongoing risk of contracts auto-renewing before Legal and Finance could review them. Contracts lived in spreadsheets. Finance had no visibility of committed spend. Read the Canstar case study.

When that gap surfaces in a board-level audit, spreadsheets become a governance failure. CPS 230 makes this explicit.

Every CPS 230 Obligation Mapped to a Working Control

Each CPS 230 requirement maps to a specific Gatekeeper capability. Evidence is generated automatically as part of normal operation, not assembled retrospectively when the auditor asks.

1.

Material Services Provider Register

Maintain a current register of all material service providers with service scope, materiality classification, and risk profile.

Gatekeeper Control

Living vendor register with materiality tagging, linked contracts, Market IQ risk scores, SLA performance history, and fourth-party dependencies. Always current. Always exportable.

2.

Seven Mandatory Contract Clauses

MSP contracts must include SLAs, risk management, security, audit access, subcontracting controls, contingency, and data ownership.

Gatekeeper Control

Gatekeeper AI extracts contract metadata at upload and flags missing mandatory clauses. Approval workflows enforce clause compliance before signature.

3.

Continuous SLA Monitoring

Ongoing oversight of service provider performance against agreed service levels with documented evidence of review.

Gatekeeper Control

Smart Forms collect SLA performance monthly. Contract owners complete weighted assessments. RAG status, performance score, and 12-month historical trends produced automatically.

4.

Pre-Engagement Risk Assessment

Entities must assess operational risks from vendors before engagement and not rely on a service provider unless compliance can be ensured.

Gatekeeper Control

Risk-first vendor onboarding: screening happens before the vendor reaches IT, Legal, or Procurement. Due diligence questionnaires, financial and cyber risk scoring, and sanctions checks built into the onboarding workflow.

5.

Fourth-Party Dependency Oversight

Manage risks from fourth parties, your providers' key subcontractors, where those dependencies are material.

Gatekeeper Control

Fourth-party relationships tracked within the vendor record. Concentration risk flagged where multiple MSPs share a subcontractor. Subcontracting clauses monitored via contract extraction.

6.

Board and Senior Management Accountability

The Board is accountable for operational risk oversight. Senior management is responsible for end-to-end governance processes.

Gatekeeper Control

Board-level reporting dashboards showing MSP register status, SLA compliance rates, risk score trends, and contract renewal pipeline. Evidence exportable for APRA at any time.


Vendor Compliance In Practice

How Police Bank Got CPS 230 Audit-Ready

Police Bank implemented risk-first vendor onboarding: screening happens before the vendor reaches IT, Legal, or Procurement.

Smart Forms track SLA performance monthly. Contract owners receive automated notifications, complete a five-question weighted assessment, and the system produces a RAG status and performance score. Historical trends give APRA the evidence of continuous oversight CPS 230 requires. Read the Police Bank case study.

90% Faster Onboarding

Spend Management

How Canstar Eliminated Unwanted Auto-Renewals and Gave Finance Real Spend Visibility

Canstar had already invested in NetSuite. Gatekeeper's native SuiteApp gave Finance contract and spend visibility without custom development.

Renewals are planned decisions, not budget surprises. Every contract follows standardised approval workflows: executive approval, finance budget validation, security review, legal sign-off, e-signature.

Zero unwanted auto-renewals since go-live

“We now have a central place where we can see every renewal coming up across the entire year, which means no more surprises, no more last-minute reviews, and no more accidental auto-renewals.”
Chelsea Simmons, Legal Counsel, Canstar Pty Ltd

Trusted by 300+ companies in 23 countries. Recognised by Gartner, G2, and Capterra.


APRA CPS 230 Compliance Checklist

A practical checklist for Procurement, Legal, and Finance teams at APRA-regulated entities. Maps CPS 230 requirements to the vendor-facing processes you need in place: material service provider identification, mandatory contract clauses, SLA monitoring, fourth-party oversight, and audit trail evidence.

Use it to assess your current gaps and prioritise what needs to change before the 1 July 2026 deadline for pre-existing service provider contracts. Download your Checklist


100%

Audit Ready

90%

Faster Onboarding

$1.3m

Average Saving from unwanted renewals

Zero

Unwanted renewals

Common Questions About CPS 230 and Gatekeeper

What is CPS 230 and who does it apply to?

CPS 230 is APRA's Prudential Standard for Operational Risk Management. It applies to all APRA-regulated entities: banks, insurers, and superannuation trustees. CPS 230 took effect on 1 July 2025. For pre-existing service provider contracts, requirements apply from the earlier of the next renewal date or 1 July 2026. Read the full CPS 230 guide.

Is Gatekeeper enough to satisfy APRA on CPS 230?

Gatekeeper maps every CPS 230 vendor obligation to a working platform control. This includes a material service provider register, risk-first vendor onboarding, continuous SLA monitoring via Smart Forms, automated audit trail generation, fourth-party dependency tracking, and AI-powered contract clause compliance checks. Police Bank uses these capabilities to demonstrate CPS 230 readiness.

What is a material service provider register under CPS 230?

A material service provider register is a documented record of every vendor that performs a critical operation or exposes your entity to material operational risk. CPS 230 requires this register to be current and accessible. Gatekeeper maintains the register as a living dataset: vendor records tagged by materiality tier, linked to contracts, risk scores, SLA performance data, and fourth-party dependencies.
Does Gatekeeper integrate with NetSuite?

Yes. Gatekeeper's native NetSuite SuiteApp gives Finance contract and spend visibility without custom development, as Canstar's deployment shows.

How fast can we actually deploy this?

Weeks, not months. Import existing contracts and vendor records from spreadsheets or SharePoint. Gatekeeper AI extracts metadata automatically. Configure governance workflows and Smart Forms for SLA tracking. Canstar saw value within months of go-live.

How does Gatekeeper handle fourth-party risk under CPS 230?

CPS 230 requires oversight of material fourth-party dependencies, your providers' key subcontractors. Gatekeeper tracks fourth-party relationships within the vendor record, links them to SLA performance data, and flags concentration risk where multiple material providers depend on the same subcontractor.