Independent AI audit and assessment for Australian organisations.

ASIC REP 798 reviewed 23 AFS and credit licensees across 624 AI use cases and found governance gaps at nearly all of them. APRA CPS 230 is in force. An independent audit tells you where your organisation stands before regulators do.


Built for

Boards & audit committees · Chief audit executives · Chief risk officers · APRA-regulated entities · Internal audit teams

What you walk away with.

Assessment report

Board-ready findings with executive summary, observations, severity ratings, and evidence documentation.

Gap analysis matrix

Current state mapped against APRA CPS 230, ASIC REP 798, ISO 42001, NIST AI RMF, the Privacy Act, and AI Ethics Principles.

Maturity scorecard

Ratings across framework design, policies, risk management, data governance, controls effectiveness, monitoring, and reporting.

Remediation roadmap

Prioritised action plan with owners, effort estimates, and timelines aligned to regulatory deadlines.

Three reasons regulators expect you to assess now.

Australia has the most stringent AI governance requirements in the Asia-Pacific region for financial services. The audit, the assessment, and the evidence trail all need to be in place before a regulator asks.

  1. ASIC REP 798: ASIC found systemic governance gaps.

    ASIC REP 798 reviewed 23 AFS and credit licensees across 624 AI use cases and found governance gaps at nearly all of them. Nearly half lacked policies addressing consumer fairness or algorithmic bias. Most had immature generative AI governance. Third-party AI risks were inadequately assessed at organisations relying on external vendors for over 50% of their machine learning models.

  2. In force: Mandatory requirements are already live.

    APRA CPS 230 took effect 1 July 2025, requiring board-approved operational risk management frameworks that explicitly cover AI technologies. Privacy Act automated decision-making transparency requirements commence December 2026. The ANAO has already audited the ATO's governance of 43 AI models in production. Assessment now gives organisations time to identify and close gaps before enforcement escalates.

  3. FAR liability: Personal liability under the Financial Accountability Regime.

    The Financial Accountability Regime holds accountable persons personally liable for AI governance failures, with individual penalties up to $1.565 million. Directors and senior executives need independent assurance that AI governance is adequate. Board self-assessment is not sufficient when regulators can demonstrate that governance gaps existed and responsible individuals failed to take reasonable steps.

Three assessment options, scoped to your starting point.

Targeted regulatory gap analysis, comprehensive governance review, or deep-dive technical audit. Each engagement closes with documented evidence sized for internal audit and external review.

Option A

Regulatory gap analysis

3 to 4 weeks

Targeted assessment against specific regulatory requirements. We map current practice against APRA CPS 230, ASIC REP 798, or Privacy Act automated decision-making provisions, identifying exactly where gaps exist and how severe they are.

  • Requirement mapping against ASIC's 11 questions
  • Severity rating with business value at risk
  • Remediation strategy aligned to deadlines

Option B

Governance maturity assessment

6 to 8 weeks

End-to-end review of AI governance maturity across the organisation. Framework design, policies, processes, controls, and reporting are evaluated against ISO 42001 and NIST AI RMF benchmarks.

  • Complete AI inventory including shadow AI
  • Framework evaluation against six standards
  • Maturity scoring with peer benchmarking
  • Prioritised improvement roadmap

Option C

AI system audit

4 to 6 weeks per system

Deep-dive review of specific systems: model validation, algorithmic bias testing, performance monitoring effectiveness, data governance practices, documentation completeness, and control operating effectiveness for high-risk AI that makes decisions affecting consumers.

  • Model documentation and lineage review
  • Bias testing across protected characteristics
  • Control design and operating effectiveness testing

The findings that appear in nearly every audit.

Drawn from ASIC REP 798 and our assessment experience across Australian organisations. Recognise them early and remediation costs a fraction of what it does after enforcement.

  1. Incomplete AI inventories.

    78% of organisations use AI, but most cannot produce a comprehensive inventory of every system in operation. Shadow AI, tools adopted without formal approval, creates unknown risk exposure that businesses cannot manage, measure, or report.

  2. Missing fairness and bias policies.

    ASIC found that nearly half of licensees lack policies addressing consumer fairness or algorithmic bias. Without these policies, organisations have no consistent method to detect or prevent discriminatory outcomes in credit scoring, insurance pricing, or customer segmentation.

  3. Governance not keeping pace with innovation.

    Only 11% of organisations have fully implemented responsible AI practices, even as adoption accelerates across every sector. The result is a growing gap between deployment velocity and the maturity of governance frameworks meant to manage the risks.

  4. Inadequate third-party AI oversight.

    ASIC found that 30% of all AI use cases involve third-party developed models, yet many businesses lack formal vendor management procedures for AI solutions. Most licensees rely on external providers for at least half of their models without adequate due diligence, performance monitoring, or contractual protections.

  5. Generative AI without guardrails.

    63% of Australian and New Zealand organisations observed unauthorised generative AI use by employees, yet only 36% expressly permit AI use with appropriate controls. Adoption of large language models has outpaced policy development, creating risks around data leakage, hallucinated outputs, and intellectual property exposure.

  6. Weak board-level reporting.

    Boards and audit committees frequently receive insufficient information about AI risk exposure. ASIC identified that many organisations assess AI risk through a business lens rather than a consumer lens, and board reporting rarely includes the model performance, bias indicators, or incident trends that directors need for effective oversight.

How the engagement runs.

Five stages, every finding documented with the evidentiary rigour APRA, ASIC, and internal audit committees expect.

  1. Scoping, planning, and AI discovery.

    Define assessment scope with your team, identify key stakeholders, and conduct comprehensive discovery of all AI systems across the organisation including shadow AI. Map each system to its data sources, business processes, and consumer impact to establish a risk-based audit plan.

  2. Documentation and data governance review.

    Review governance frameworks, policies, procedures, AI inventories, risk registers, data governance practices, and board reporting to assess design effectiveness. Evaluate whether documentation meets the standards APRA, ASIC, and internal audit functions require.

  3. Stakeholder interviews.

    Conduct structured interviews with executives, risk teams, compliance officers, IT specialists, data science teams, legal, and business units. Assess whether actual practices align with documented policies, and whether the organisation has the capabilities to govern AI as adoption scales.

  4. Control testing and algorithmic assessment.

    Test the operating effectiveness of key controls: approval workflows, monitoring, incident response, algorithmic bias detection, model validation, and reporting. For machine learning systems we assess model performance, drift monitoring, and fairness metrics.

  5. Findings, reporting, and remediation strategy.

    Document findings with severity ratings, root cause analysis, and specific remediation recommendations. Reports are designed for board, audit committee, and regulator consumption. Every finding maps back to a specific regulatory requirement or industry standard.

The regulators that shape every Australian AI audit.

Australia uses a multi-layered, sector-specific approach to AI regulation. Each authority brings distinct expectations, and an effective audit covers all of them at once.

  1. APRA CPS 230. Operational risk management. Status: In force.

    Effective 1 July 2025. AI systems supporting critical operations (payments, claims, investment management) must have tolerance levels, business continuity plans, and recovery objectives. Third-party AI vendors are subject to Material Service Provider requirements including registers, right-to-audit, and ongoing monitoring.

  2. ASIC REP 798. Governance gaps exposed. Status: Published.

    23 licensees reviewed across 624 AI use cases. ASIC classified organisations into latent, decentralised, and strategic maturity levels and published 11 questions every licensee should be able to answer on visibility, third-party governance, consumer fairness, and board oversight.

  3. Privacy Act. Automated decision-making. Status: Dec 2026.

    From 10 December 2026, organisations must provide transparency about substantially automated decisions that significantly affect individuals. Identify which systems fall in scope, document decision logic, and establish mechanisms for individuals to request human review.

  4. Multi-regulator complexity. Status: Ongoing.

    APRA (prudential), ASIC (market conduct), OAIC (privacy), ACCC (consumer law). Each holds distinct expectations for AI governance. The Financial Accountability Regime adds personal liability for accountable persons, while the AI Safety Institute provides advisory support on emerging risks.

Know where your governance stands before a regulator tells you.

Request an independent AI governance assessment to understand current maturity, identify compliance gaps across APRA CPS 230, ASIC REP 798, ISO 42001, and the Privacy Act, and get a clear remediation strategy aligned to regulatory deadlines.
