GS 007 Audit 

GS 007, or Guidance Statement 007, is an Australian assurance framework developed for financial services organizations. It outlines control objectives related to key investment management services, including custody, fund administration, registry, and information technology.

While GS 007 reporting is optional, it provides a powerful tool to build customer confidence. By demonstrating that your systems operate in accordance with relevant client agreements and industry expectations, GS 007 reporting helps establish trust, improve operational transparency, and streamline compliance.

GS 007 reporting covers the following investment management services:

A. Custody
B. Asset Management
C. Property Management
D. Superannuation Member Administration
E. Administration
F. Investment Administration
G. Registry
H. Information Technology

We currently support GS 007 reporting for the following sections:

• Section A – Custody
• Section B – Asset Management
• Section E – Investment Administration
• Section F – Registry
• Section G – Information Technology

We begin with a readiness assessment, mapping your systems, processes, and controls to the GS 007 objectives. From there, we identify any control gaps and help you prepare for a smooth, successful audit.

Currently, we do not cover:

• Section C – Property Management
• Section D – Superannuation Member Administration

Not at all. Only the services relevant to your business operations are included in the scope of your GS 007 audit. The framework is designed to be flexible and tailored to your service offerings.

A Type 1 report provides point-in-time assurance that your control design meets the GS 007 criteria. It shows that appropriate systems and processes are in place.

A Type 2 report offers assurance over a defined period—typically 3 to 12 months—that your controls exist and are operating consistently as intended.

Most organizations begin with a Type 1 report to baseline their compliance and move into an annual Type 2 audit cycle for ongoing validation.

GS 007 reports aren’t pass/fail. However, they can be issued with exceptions or qualifications. Many companies opt to delay issuance until they can present a “clean” report. If you’re on a set reporting cycle with client obligations, a report may be issued with notes explaining any exceptions or control deficiencies.

There is considerable overlap with other security and operational assurance frameworks such as SOC 1, SOC 2, and ISO/IEC 27001. Like these standards, GS 007 emphasizes the importance of robust internal controls, particularly around system security and process integrity.

SOC reports focus on the design and operating effectiveness of specific controls.
ISO 27001 looks at your broader Information Security Management System (ISMS) and prescribes a systematic approach to risk.

Each framework has a different lens, but they all aim to strengthen trust and compliance in your operations.

GS 007 does not prescribe a fixed number of audit days, so compliance automation platforms can support a more efficient and scalable audit process. However, the success of automation depends on the compatibility between your control environment, the platform’s capabilities, and your auditor’s familiarity with the tool.

We integrate with leading compliance automation platforms to help you streamline your GS 007 audit while maintaining flexibility and alignment with your business processes.