(ICT) audit plan incl. follow-up process of critical audit findings
Mandatory ICT Internal Audit Requirements (Article 6(6) DORA)
For financial entities other than microenterprises, the ICT risk management framework must be:
Subject to Internal Audit
- ICT internal audits must be performed on a regular basis,
- in line with the financial entity’s audit plan.
Auditors' Competence Requirements
ICT auditors must possess:
- sufficient knowledge, skills and expertise in ICT risk, and
- appropriate independence.
Risk-Based Audit Frequency and Focus
- The frequency and focus of ICT audits must be commensurate to the ICT risk of the financial entity.
Management Body Responsibilities (Article 5(2)(f) DORA)
The management body must:
Approve the ICT Internal Audit Plan
- Approve the ICT internal audit plans,
- Approve ICT audits, and
- Approve material modifications to such plans.
Periodically Review the ICT Audit Plan
- Conduct periodic reviews of the ICT internal audit plan to ensure it remains appropriate, risk-based and aligned with the ICT risk management framework.
Mandatory Follow-Up Process for Critical Findings (Article 6(7) DORA)
Based on the conclusions of the internal audit review, the financial entity must establish:
A Formal Follow-Up Process
The follow-up process must:
- be formalised,
- apply to all ICT audit findings, and
- explicitly address critical findings.
Rules for Timely Verification of Remediation
The follow-up process must include rules for:
- the timely verification that remediation actions have been completed, and
- the timely remediation of critical ICT audit findings.
This follow-up process forms part of the ICT risk management framework and must be fully aligned with Articles 6(1) and 6(8) DORA and with the overall governance obligations of the management body under Article 5 DORA.