Westpac knew its ability to fight financial crime was inadequate two years before legal action in November in which authorities accused it of 23m breaches of the law that included allowing customers to pay for child exploitation in the Philippines, federal parliament has heard.

The bank’s risk of breaching anti-money-laundering and counter-terrorism finance (AML-CTF) laws was unacceptably high and the bank accepted it needed to improve its systems, the prudential regulator was told in a secret report delivered by accounting firm EY in 2017.

On Friday, Labor senator Deborah O’Neill read out sections of the report during a committee inquiry into auditors, steamrolling through objections from Westpac executives and warnings from the chair of the committee, Liberal James Paterson.

O’Neill also blasted Westpac for refusing to give the committee a list of documents she requested on 28 January, and only informing the committee of its position at 6.30pm on Thursday night.

The report was prepared by EY for the Australian Prudential Regulation Authority (Apra) so that Westpac could comply with a prudential standard, CPS 220, that requires it to have systems in place to monitor and mitigate its risk.

O’Neill said: “EY’s overall conclusion was the design of Westpac’s risk management framework was overall adequate, appropriate and partially effective for an institution of the size and complexity of Westpac.”

However, EY found that “risk identification, assessment and management of non-financial risk was evaluated as partially effective and partially adequate”.

“Westpac has noted that financial crime is an area that requires improvement,” she said, reading from the report.

She continued: “The risk of breaching AML-CTF obligations has at times been outside of appetite and we observe there have been issues across several jurisdictions reflecting heightened regulatory expectations and an acknowledgment by Westpac that its current AML-CTF capabilities require improvement.”

“Outside of appetite” is a term meaning that the risk of a breach of the law was higher than management of the bank was willing to accept.

“Westpac are investing in the roll-out of a new transaction monitoring system … to enhance its financial crime capability,” O’Neill said, again reading from the report.

Westpac’s chief risk officer, David Stephen, who was giving evidence to the hearing, repeatedly complained that the report had been provided to the committee on a confidential basis.

He and the acting chief financial officer, Gary Thursby, declined to answer most of O’Neill’s questions on the basis that Westpac was facing multiple investigations and lawsuits over the breaches.

Australia’s financial intelligence agency, Austrac, launched federal court legal action against Westpac over the alleged breaches on 20 November last year, sending the bank’s share price into a steep decline.

While most of the 23m breaches alleged by Austrac relate to its treatment of international funds transfer instructions, the regulator also alleged it failed to stop a dozen customers making more than 3,000 low-value payments to the Philippines that were consistent with child exploitation.

These customers included six who had repeatedly travelled to the Philippines or south-east Asia and one who had a prior conviction for child abuse, Austrac said in court documents.

The lawsuit resulted in the former chief executive Brian Hartzer, chairman Lindsay Maxsted and the non-executive director responsible for oversight of risk, Ewen Crouch, tendering their resignations.

Thursby was elevated into his current role as a temporary replacement for Peter King, who is acting as CEO until a new boss is found.

O’Neill savaged the bank over its lack of cooperation with the committee, saying that despite its ability to command legions of lawyers it had failed to make a proper application for public interest immunity against production of documents.

“Your counsel simply doesn’t understand the rights of parliament to demand that information,” she told Stephen and Thursby.

Stephen apologised for the lateness of Westpac’s letter on Thursday night.

“With the benefit of hindsight that communication wasn’t appropriate,” he said.

O’Neill had requested documents including all the drafts of the EY report, and information about remediation efforts following on from it.

The drafts are potentially significant because the recent financial services royal commission heard allegations that AMP put pressure on law firm Clayton Utz to change a review it was conducting for the company.

In its Thursday night letter, obtained by Guardian Australia, Westpac said it received a draft of the EY report on 30 June 2017 “to enable verification of the factual accuracy of the report”.

It said it had “corrected factual inaccuracies” in the report, “sought clarification of the wording in the report where EY’s drafting was not clear or needed additional context” and provided “additional information and evidence to EY to ensure that their report and recommendations were based on a full assessment of Westpac’s current risk framework and practices”.