DORA Audit

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) introduces extensive audit, assurance and documentation requirements for the European financial sector and its ICT third-party service providers. Supervisory authorities across the EU expect financial entities and ICT providers to demonstrate full compliance with DORA Articles, RTS/ITS specifications and ESA guidance.

Our DORA Audit services help organisations assess their level of compliance, identify control gaps and prepare for supervisory reviews, internal assurance or client-driven due-diligence processes.

We offer two types of audit engagements:

  1. DORA Audit for Financial Entities
  2. DORA Audit for ICT Third-Party Service Providers

Our audits follow a consistent, evidence-based methodology aligned with the expectations of European NCAs (BaFin, AMF, DNB, CSSF, NBB, FMA, etc.).


DORA Audit for Financial Entities

Financial institutions must implement a robust digital operational resilience framework and demonstrate its effectiveness through regular audits. We provide four distinct audit formats—each tailored to a specific regulatory need.


Control Function Audit

Designed for Risk Management, Compliance and Information Security Officers, this audit evaluates:

  • Governance & organisational setup
  • ICT risk management framework (RMF)
  • ICT security controls & monitoring
  • Incident classification, handling & reporting
  • ICT third-party risk management
  • ICT business continuity and disaster recovery
  • Identity & access management
  • Audit trails, documentation and reporting obligations

Outcome:
A detailed assessment enabling control functions to verify compliance and strengthen the organisation’s second line of defence.


ICT Third-Party Service Provider Audit

This audit focuses on your complete outsourcing landscape, including:

  • Outsourcing policy and governance
  • Register of ICT third-party arrangements
  • Risk assessments and criticality classifications
  • Subcontracting oversight
  • Minimum contractual clauses
  • Monitoring, KPIs, SLAs and performance reporting
  • Exit strategies and termination controls

Outcome:
An audit-ready and NCA-compliant ICT third-party management framework.


Internal Audit (Third Line)

This engagement supports Internal Audit with an independent, regulator-aligned assessment covering:

  • Effectiveness of ICT controls across all DORA domains
  • Sample testing of controls and procedures
  • Evidence review, documentation quality and process maturity
  • Assessment of DORA-relevant RTS/ITS technical standards
  • Compliance with supervisory expectations and auditability requirements

Outcome:
A full internal audit report suitable for audit committees, regulators and governance bodies.


External Audit (Annual Report)

For organisations subject to statutory audits, we support the annual external reporting cycle, including:

  • Verification of DORA-relevant processes and controls
  • Testing of operational effectiveness (OE)
  • Annual reporting obligations under Articles 5–30
  • Evidence collection, control descriptions and management representation
  • Support for supervisory inquiries and inspections

Outcome:
Audit assurance aligned with the annual reporting obligations under DORA.


DORA Audit for ICT Third-Party Service Providers

ICT third-party providers play a critical role in the operational resilience of financial institutions. DORA requires them to support client audits, provide transparency, ensure resilience and comply with mandatory contractual clauses.

Our audits assess whether ICT providers meet the expectations financial institutions must pass on to them.

Scope of the Audit

  • Governance, security and resilience setup
  • Incident management, reporting and communication
  • Subcontracting transparency and approval processes
  • Compliance with minimum contractual clauses
  • Monitoring, logging and evidence structure
  • Service continuity, testing and recovery capabilities
  • Data security, access controls and operational security
  • Support for DORA-compliant client audits

Outcome:
An audit report demonstrating that your organisation fulfils the obligations placed on ICT service providers under DORA—essential for tender processes, client assurance, onboarding and maintaining trusted relationships with regulated financial entities.


Why Choose Our DORA Audit Services?

  • Deep regulatory expertise in DORA, RTS/ITS and ESA guidance
  • Audit methodology aligned with European supervisory expectations
  • Evidence-based, independent and fully documentation-driven
  • Suitable for internal audit, risk, compliance, security and external assurance
  • Supports readiness for supervisory inspections and client-driven due diligence

For questions or to schedule a DORA Audit engagement, please contact us anytime.