DORA and Internal Audit: The Third Line's New Operational Resilience Mandate
The Audit Function's Expanded Mandate
DORA Article 6(6) states that financial entities shall ensure "the review of the ICT risk management framework, at least once a year or on the occurrence of a major ICT-related incident." Art. 6(7) adds that "internal audit functions, where applicable" shall review the framework's adequacy. This is not a suggestion — it is a regulatory expectation that the third line of defense provides independent assurance over the institution's operational resilience.
For Chief Audit Executives (CAEs), this creates both an expanded audit universe and a competency challenge. Traditional IT audit focused on controls — access controls, change management, data backup. DORA-driven audit must assess an entire governance framework: the completeness of the ICT asset register, the effectiveness of the incident reporting pipeline, the adequacy of third-party contractual provisions, the rigor of resilience testing, and the quality of board reporting.
The EBA's guidelines on internal governance reinforce this expectation, requiring that internal audit functions possess adequate skills and resources to assess ICT risk management. The IIA's Three Lines Model positions internal audit as the independent assurance provider — the function that tells the board whether the first line (ICT operations) and second line (ICT risk management) are working effectively.
The DORA Audit Universe
The audit universe for operational resilience spans DORA's five pillars plus cross-cutting governance:
Audit Programme Structure
A risk-based DORA audit programme should follow a three-year rotation with annual touchpoints on the highest-risk areas:
| Audit engagement | Year 1 | Year 2 | Year 3 | Risk basis |
|---|---|---|---|---|
| ICT risk framework review (Art. 5-7) | Full audit | Follow-up | Full audit | Art. 6(6) annual review mandate |
| ICT asset register (Art. 8) | Full audit | Continuous monitoring | Full audit | Foundation for all DORA obligations |
| Incident management (Art. 17-23) | Focused audit | Full audit | Follow-up | Regulatory reporting risk |
| Resilience testing (Art. 24-27) | Focused audit | Follow-up | Full audit | Evidence adequacy risk |
| Third-party risk (Art. 28-30) | Full audit | Focused audit | Follow-up | Concentration risk, contractual risk |
| Board reporting (Art. 14) | Continuous monitoring | Continuous monitoring | Continuous monitoring | Governance obligation every year |
| Audit trail integrity | Continuous monitoring | Continuous monitoring | Continuous monitoring | Tamper risk, retention compliance |
Key Risk Indicators for Audit Planning
The audit function should track KRIs that inform audit planning and trigger ad hoc engagements:
| KRI | Threshold for audit escalation | Data source |
|---|---|---|
| ICT asset register coverage | <90% of critical function assets registered | Asset register vs. infrastructure discovery |
| Risk assessment currency | >180 days since last comprehensive assessment | Risk register metadata |
| Major incident response time | Initial notification >4 hours after classification | Incident management workflow logs |
| Third-party contractual compliance | >20% of critical contracts non-compliant with Art. 30 | Contract register vs. Art. 30 checklist |
| Resilience testing coverage | <80% of critical functions tested in rolling 12 months | Testing programme records |
| Board reporting gaps | Art. 14 content requirements not met in latest report | Board minutes and report review |
| Audit trail integrity | Any Merkle tree verification failure | Automated integrity monitoring |
| Evidence retention | Any evidence below retention threshold or missing integrity hash | Evidence vault monitoring |
Sample Audit Procedures by Pillar
Pillar I: ICT Asset Register (Art. 8)
- Obtain the ICT asset register and the critical function inventory
- For a sample of critical functions, trace downward through technology dependencies. Verify that all supporting ICT assets are in the register
- For a sample of registered assets, validate attribute completeness (owner, classification, RTO/RPO, dependencies, third-party provider)
- Compare the register against cloud console inventories, network discovery outputs, and procurement records. Identify unregistered assets
- Verify that the register was reviewed within the last 12 months (Art. 8(4))
- Assess the governance process for asset registration, modification, and decommission
Pillar II: Incident Reporting (Art. 17-23)
- Obtain the incident register for the audit period
- For all major incidents, verify classification against Art. 18 criteria. Assess whether classification was timely
- Verify that initial NCA notification was submitted within the required window (4 hours from classification)
- Review interim and final reports for completeness against RTS requirements
- Assess root cause analysis quality — is it genuine root cause or surface-level symptom description?
- Verify that post-incident risk reassessment was conducted and the risk register was updated
- Examine the evidence chain for each major incident: detection records, classification logs, report drafts, approval records, submission confirmations
Pillar III: Resilience Testing (Art. 24-27)
Pillar IV: Third-Party Risk (Art. 28-30)
- Obtain the register of information under Art. 28(3)
- For all critical or important function providers, verify that contracts contain Art. 30 mandatory provisions (use the Art. 30 checklist)
- Assess the concentration risk analysis — methodology, data completeness, HHI calculations
- Review exit strategies for critical providers — are they credible, tested, and current?
- Verify that sub-outsourcing transparency is in place — does the institution know its providers' sub-outsourcing chains?
- Assess ongoing performance monitoring — are SLAs tracked and breaches escalated?
Competency Requirements
DORA audit requires skills that many internal audit functions currently lack:
| Competency | Traditional IT audit | DORA audit (additional) |
|---|---|---|
| Technology knowledge | Infrastructure, applications, databases | Cloud architecture, API security, container orchestration |
| Risk methodology | Control testing, compliance checking | Risk appetite validation, concentration risk analysis |
| Regulatory knowledge | General financial regulation | DORA articles, RTS/ITS, ESA guidance, NCA expectations |
| Data analytics | Sampling techniques | Continuous monitoring, automated KRI tracking |
| Testing assessment | Pen test report review | TLPT methodology assessment, scenario adequacy evaluation |
| Third-party assessment | Outsourcing control review | Concentration risk, exit strategy credibility, Art. 30 compliance |
The CAE must assess the current team's capabilities against these requirements and develop a competency development plan. Options include:
- Training: CISA, CRISC, DORA-specific training programmes
- Co-sourcing: Engage external specialists for specialized audits (TLPT assessment, cloud architecture review)
- Rotation: Bring technology specialists into the audit function through rotational assignments
- Technology tools: Invest in continuous monitoring tools that automate KRI tracking and reduce manual testing effort
Reporting to the Audit Committee
The audit function's DORA findings must be reported to the audit committee (or equivalent governance body) with a structure that enables governance decisions:
| Report element | Content | Frequency |
|---|---|---|
| Audit universe coverage | Percentage of DORA audit universe covered in the period | Quarterly |
| Key findings | Material deficiencies organized by DORA pillar | Per engagement |
| Remediation tracking | Status of open findings, overdue items, trend analysis | Quarterly |
| KRI dashboard | Key risk indicators with threshold breaches | Quarterly |
| Management response | First and second line responses to findings | Per engagement |
| Thematic insights | Cross-cutting themes observed across engagements | Semi-annual |
The audit committee should use these reports in conjunction with the CRO's risk reporting and the CISO's operational dashboard to form a complete governance picture.
Use the DORA readiness assessment as a self-assessment baseline for audit planning, consult the glossary for precise DORA terminology, and review the RTS/ITS reference for the technical standards that inform audit criteria. The ENISA guidelines provide additional context for assessing ICT risk management adequacy.
Conclusion
Internal audit's DORA mandate is not an incremental expansion of IT audit. It is a qualitative shift — from testing IT controls to assessing an entire operational resilience governance framework. The CAE who approaches this as "we'll add a few DORA procedures to our existing IT audit programme" will produce findings that are too narrow to be useful. The CAE who builds a dedicated DORA audit universe, develops the necessary competencies, implements continuous monitoring of key risk indicators, and reports to the audit committee with the same rigor applied to financial audit will provide the independent assurance that the board needs and that supervisors expect.
Resume en francais
L'article 6(6)-(7) de DORA impose une revue annuelle du cadre de gestion des risques TIC, avec un role explicite pour l'audit interne. Cet article fournit au directeur de l'audit un programme d'audit DORA structure : l'univers d'audit couvrant les cinq piliers plus la gouvernance transversale, un programme de rotation sur trois ans avec des points de contact annuels sur les zones a haut risque, des indicateurs cles de risque pour la planification d'audit, des procedures d'audit detaillees par pilier (registre des actifs TIC, signalement des incidents, tests de resilience, risque tiers), les exigences de competences pour les auditeurs evaluant la resilience operationnelle (au-dela de l'audit IT traditionnel), et la structure de reporting au comite d'audit. Le mandat d'audit DORA n'est pas une extension incrementale de l'audit IT — c'est un changement qualitatif de l'evaluation des controles IT a l'evaluation d'un cadre complet de gouvernance de la resilience operationnelle.