DORA Audit
A DORA auditis an independent examination that verifies a financial entity's compliance with DORA's requirements and the effectiveness of its ICT risk controls. Unlike a gap assessment, an audit tests and evidences that controls actually operate as designed.
What an audit examines
Auditors review the ICT risk-management framework, governance and board oversight, the register of information, incident-handling procedures, and the resilience-testing programme. They sample evidence, interview staff, and report findings with severity ratings.
Who performs DORA audits
Internal audit functions, external assurance firms, and specialist consultancies all perform DORA reviews. DORA also requires that the ICT risk-management framework itself be subject to internal audit on a risk-based schedule. Browse ranked providers or see the full directory.
Frequently asked questions
Does DORA require an external audit?
DORA requires the ICT risk-management framework to be audited by auditors with sufficient ICT knowledge, on a risk-based schedule. It does not mandate a specific external certification.
How often should a DORA audit happen?
On a risk-based frequency set by the entity, with more frequent review for higher-risk or recently changed areas.
What happens if an audit finds non-compliance?
Findings feed a remediation plan. Unaddressed gaps can attract supervisory measures and penalties if authorities identify them.