DORA Internal Audit function

What is the DORA Internal Audit function?

Within the framework of the Digital Operational Resilience Act (DORA), the internal audit function plays a central role in the independent review of ICT risk management. Its tasks are not optional but are clearly regulated by several articles of the regulation, in particular by Article 6(6), Article 6(7), Article 5(2)(f) and Article 11(3) DORA.


Art. 6 (6) DORA

“[…] the ICT risk management framework […] is to be subjected to regular internal audits by auditors […]. These auditors have sufficient knowledge […] in the area of ICT risks as well as appropriate independence.”

Financial institutions (excluding micro-enterprises) are required to have their ICT risk management systems regularly audited by internal auditors who must be both professionally qualified and organizationally independent. The scope and frequency of the audits must be risk-oriented.


Core tasks of DORA’s internal audit function

  1. Review of the ICT risk management framework (Art. 6 para. 6)
    • Reviews processes, procedures and strategies in accordance with Article 6, paragraph 1 of DORA.
    • Monitors the effectiveness of ICT controls and reporting lines.
  2. Review of ICT response and recovery plans (Art. 11 para. 3)
    • Reviews the suitability of the emergency and incident response plans.
    • Evaluates testing procedures, escalation paths, and communication processes.
  3. Monitoring of the follow-up process (Art. 6 para. 7)
    • Findings from the audit must be formally followed up.
    • Auditors review the implementation and sustainability of measures.
  4. Reporting to the governing body (Art. 5 para. 2 lit. f)
    • The governing body is responsible for approving and reviewing ICT audits.
    • The audit function provides management with verifiable findings and implementation statuses.

Demarcation

Function                   | Purpose / Focus
ICT risk control function  | Monitoring & analysis of ICT risk (2nd line)
Internal Audit function    | Review of the effectiveness of all ICT controls (3rd line)

Internal audit is part of the third line of defense and must operate independently of the operational and control functions.


Practical recommendations for implementation

  • Check qualifications: auditors must demonstrably possess ICT expertise (e.g., DORA, ISO 27001, IT processes).
  • Adjust the audit plan: include ICT-specific audit objects (e.g., incident management, logging, BCM).
  • Structure documentation:
    • Audit plan
    • Audit reports
    • Follow-up of measures
    • Board reporting
  • Utilize tool support: auditing software or structured Excel trackers for action tracking.
  • Promote interdisciplinary collaboration: e.g., joint workshops with the CISO, ISB and ICT risk manager.

Examples of audit objects from DORA’s internal audit function

  • Effectiveness of the ICT risk management system (Art. 6 DORA)
  • Emergency Management & Restart Procedures (Art. 11 DORA)
  • Incident Detection & Reporting (Articles 15–17 DORA)
  • Outsourcing & Third-Party Management (Articles 28–30 DORA)
  • Tests for digital operational resilience (Art. 24 DORA)