Skip to main content
DORA Auditor

DORA Audit

Last updated: 2 authoritative sourcesDORA Auditor Editorial Team

A DORA auditis an independent examination that verifies a financial entity's compliance with DORA's requirements and the effectiveness of its ICT risk controls. Unlike a gap assessment, an audit tests and evidences that controls actually operate as designed.

What an audit examines

Auditors review the ICT risk-management framework, governance and board oversight, the register of information, incident-handling procedures, and the resilience-testing programme. They sample evidence, interview staff, and report findings with severity ratings.

Who performs DORA audits

Internal audit functions, external assurance firms, and specialist consultancies all perform DORA reviews. DORA also requires that the ICT risk-management framework itself be subject to internal audit on a risk-based schedule. Browse ranked providers or see the full directory.

Frequently asked questions

Does DORA require an external audit?
How often should a DORA audit happen?
What happens if an audit finds non-compliance?

Sources

  1. Regulation (EU) 2022/2554 (DORA), EUR-Lex
  2. European Banking Authority, DORA