Remember Audits in DORA

Read here why internal and external audits are key in DORA.

The Digital Operational Resilience Act (DORA) requires financial institutions to conduct regular audits to ensure that their ICT risk management frameworks, operational resilience strategies, and compliance with the regulation are up to standard. The Regulatory Technical Standards (RTS) provide additional details on how these audits should be carried out and reported. Below is a summary of the key audit requirements under DORA and the RTS:

1. Regular Internal Audits of ICT Risk Management Framework

  • Requirement: Financial institutions must conduct regular internal audits of their ICT risk management framework to evaluate its effectiveness in managing and mitigating ICT risks.
  • Purpose: The audits help institutions identify gaps in their risk management processes, ensure compliance with DORA, and improve operational resilience.
  • Key Focus Areas:
      • Evaluation of the ICT risk identification, assessment, and mitigation processes.
      • Examination of the effectiveness of controls in preventing, detecting, and responding to ICT incidents.

2. Scope of ICT Audits

  • Requirement: Audits must cover all aspects of ICT risk management, including the institution’s ICT infrastructure, business continuity plans, and cybersecurity measures.
  • Scope:
      • ICT infrastructure: Systems, hardware, software, and networks must be audited to ensure they meet operational resilience standards.
      • Cybersecurity controls: Audits must assess the effectiveness of cybersecurity measures such as access controls, data encryption, and threat detection tools.
      • Business continuity and disaster recovery: These plans must be reviewed to ensure they are adequate, regularly tested, and capable of handling disruptions.

3. Independent Audits

  • Requirement: In addition to internal audits, independent audits must be conducted to provide an objective evaluation of the institution’s ICT risk management framework and compliance with DORA.
  • Purpose: Independent audits offer unbiased insights into the effectiveness of the institution’s resilience strategies and identify areas for improvement.
  • Key Focus: Independent auditors must assess both the technical controls in place and the governance framework overseeing ICT risk management.

4. Frequency of Audits

  • Requirement: Financial institutions are required to conduct audits at regular intervals, with the frequency determined by the size, complexity, and risk profile of the institution.
  • General Guidance:
      • Annual Audits: Institutions should aim to conduct at least one comprehensive audit of their ICT risk management framework every year.
      • Event-Triggered Audits: Additional audits may be required after major incidents or significant changes to the ICT infrastructure.

5. Specific Audits for Critical Functions and Third-Party Providers

  • Requirement: Audits must specifically assess critical functions and third-party service providers, especially those providing essential ICT services.
  • Key Focus:
      • Assess the resilience and security of critical ICT systems and outsourced services.
      • Evaluate third-party contracts to ensure compliance with resilience and reporting obligations.
      • Audit the performance of third-party providers in terms of risk management, incident reporting, and resilience testing.

6. Role of Senior Management in Audits

  • Requirement: Senior management is responsible for ensuring that audit findings are reviewed, understood, and acted upon.
  • Key Responsibilities:
      • Management must review audit reports and approve any corrective actions recommended.
      • Ensure that audit findings are addressed in a timely manner and that the institution’s ICT risk management framework is updated accordingly.

7. Audit Documentation and Reporting

  • Requirement: Institutions must maintain detailed documentation of all audit activities and findings. This documentation must be available for review by regulators during supervisory inspections.
  • Key Reporting Elements:
      • Comprehensive records of audit activities, including the scope, methodology, and findings.
      • Action plans for addressing any deficiencies identified during the audit.
      • Documentation of follow-up actions and their impact on improving ICT resilience.

8. Regulatory Reporting and Supervisory Review

  • Requirement: Audit results, particularly those relating to major findings or risks, must be reported to competent authorities. Regulatory bodies may request these reports during supervisory reviews or in response to specific incidents.
  • Key Focus:
      • Regularly submitting audit reports that demonstrate compliance with DORA’s requirements.
      • Sharing insights into how identified risks are being mitigated and any planned improvements to the ICT risk management framework.

9. Compliance Audits

  • Requirement: Financial institutions must also conduct compliance audits to ensure that they meet all relevant DORA requirements and the related RTS provisions.
  • Purpose: These audits ensure that institutions are fully compliant with DORA’s regulations, particularly in areas such as incident reporting, resilience testing, and third-party management.
  • Key Components:
      • Auditing compliance with incident reporting timelines and procedures.
      • Verifying that resilience tests, such as penetration testing, have been conducted regularly and that their results are acted upon.

10. Continuous Improvement Based on Audit Findings

  • Requirement: Institutions must use audit findings to implement continuous improvements to their ICT risk management and operational resilience practices.
  • Key Actions:
      • Regularly updating the ICT risk management framework based on audit recommendations.
      • Monitoring the effectiveness of corrective actions taken in response to audit findings.

Key Takeaways

  • Regular Audits: Financial institutions must conduct regular internal and independent audits of their ICT risk management framework to ensure its effectiveness and compliance with DORA.
  • Comprehensive Scope: Audits must cover all ICT-related aspects, including infrastructure, cybersecurity controls, business continuity plans, and third-party service providers.
  • Senior Management Involvement: Senior management must review audit findings, ensure corrective actions are taken, and oversee the continuous improvement of resilience strategies.
  • Documentation and Reporting: Institutions must maintain detailed records of audit activities and report findings to competent authorities when required.
  • Continuous Improvement: Audit findings should lead to continuous improvements in ICT risk management, operational resilience, and compliance with DORA.

By adhering to these audit requirements, financial institutions can ensure that they meet DORA’s standards for ICT risk management, improve their operational resilience, and maintain compliance with regulatory expectations.
