Written in collaboration with Adam Walder, a member of The Blog team.
Imagine a realm where financial institutions are fortified against the whims of the digital age, equipped with robust governance structures, state-of-the-art Information and Communication Technology (ICT) risk management frameworks, and a refined approach to handling ICT-related incidents. The Digital Operational Resilience Act (DORA) brings this vision to life.
In a nutshell, DORA establishes a common regulatory framework to strengthen the resilience of companies operating in the European Union (EU) financial sector. In addition to enhancing governance, ICT risk management, and incident response capabilities, it also ensures these companies implement a distinct digital operational resilience testing strategy—including evaluation criteria, tests, methods, procedures and tools—and maintain a sound process to monitor both critical and non-critical ICT third-party providers.
While significant progress has been made in the financial sector during the DORA preparation phase, this regulation has undeniably reshaped the internal governance framework of impacted companies. To ensure ongoing compliance, internal audit departments will need to take long-term actions.
In this blog, we explore the intricacies of DORA and how internal auditors can rise to the challenge of ensuring compliance while strengthening digital resilience in an evolving regulatory landscape.
Smart strategies for internal audit planning
To stay compliant with DORA, internal auditors will need to develop an internal audit strategy that fully aligns with its requirements. This means adapting the pluriannual internal audit plan and its risk assessment to reflect these regulatory changes and structure it to ensure all requirements are systematically covered within a predefined timeframe (for example, three years).
This raises several questions, including ‘What is the best approach?’ We recommend structuring the audit process around DORA’s pillars, associated risks, and the maturity of internal governance. That being said, there are different ways you can approach it.
You may choose to structure your internal audit unit plan around each of DORA’s key pillars, such as ICT governance and risk management, ICT-related incidents, digital operational resilience testing, and ICT third-party risk management. This approach can be particularly beneficial for group internal audits and for assessing how DORA is implemented across the board.
Another approach is to structure the review around specific value chains or key processes, such as client onboarding, card management, loans, claims, front/back office, or policy administration, within your identified Critical and Important Function/Process (CIF/CIP). This option can offer more flexibility in determining which DORA elements within a particular value chain require the most time and focus.
For example, you might choose to prioritise the card management process, specifically targeting all third-party providers (TPP) and the outsourcing chain, while planning reviews of other processes and pillars in future years.
The choice of the best internal audit approach will vary from one organisation to another and should take into consideration several elements, including:
- Local operations vs group operations;
- IT infrastructure (whether on-premises, cloud or hybrid);
- Outsourcing strategy (no outsourcing, partial outsourcing, or full outsourcing);
- Type of external dependencies (group outsourcing, ICT third-party service providers, or both);
- Organisation size;
- Process capacity and maturity level.
Other factors may also influence the decision. For example, a critical process identified as weak in previous reviews, at risk due to unforeseen events, or impacted by recent mergers and acquisitions may require prioritisation.
Whichever approach you take to integrate DORA into your internal audit activities, we recommend you remain flexible. Adapting the internal audit plan as needed will help ensure alignment with the organisation’s strategic objectives and evolving risks.
Navigating the outsourcing maze
Another key challenge we observe is the complexity of outsourcing chains and the difficulties internal audit departments face in obtaining thorough information when reviewing these structures, especially when outsourcing occurs at the group level or to external third-party service providers. This challenge becomes even greater when both the group and the external third-party service provider outsource activities and processes in a cascading manner.
To address this risk, you may consider using trusted Controls Reports, such as ISAE3000, ISAE3402, SOC1 or SOC2. These reports, provided by independent external auditors, can serve as valuable tools for internal audit risk assessment and for reviewing the controls implemented by the service provider.
Another option is to activate the right-to-audit clause, if clearly defined in contracts. This enables the internal audit function to assess part or all of the outsourcing chain, ensuring greater visibility and oversight.
Preparing for the unexpected: exit strategy risks
A key question arises: What happens if an internal audit review of ICT outsourced activities uncovers significant deficiencies? This brings us to the well-known ‘exit plan’ or ‘exit strategy’ challenge.
As a reminder, an exit plan or strategy considers risks that may arise at the ICT third-party service provider, and outlines the steps needed to address these risks. More precisely, it defines how an organisation can transfer outsourced ICT activities to another provider or bring them in-house.
The goal is to minimise business disruption and ensure continuity of critical functions by developing, testing, and implementing transition plans, while carefully balancing costs, resources, timelines, and risk mitigation measures.
However, as our IT Digital Audit team often hears from counterparts and clients, fully testing an exit strategy in practice can be challenging. Some scenarios can’t be realistically simulated—for example, when a core banking system is fully outsourced, conducting a complete exit strategy test and recovery procedure can be financially and operationally impractical.
Our response to this challenge is simple: “Whichever way it starts, it has to start”. Your organisation can take a progressive approach through training, workshops, tabletop exercises, simulations, or real-time testing. The key is to begin the process. This will gradually strengthen its resilience, enhance recovery capabilities, and improve process maturity.
In this evolving landscape, internal audit departments need to remain flexible, acting as a supportive function. Given the complexity of ICT outsourcing, internal auditors should work collaboratively to drive practical and effective solutions.
Finally, new technologies, such as artificial intelligence (AI), robotic process automation (RPA), dashboarding solutions, and third-party tools, along with the wealth of data available within organisations, should be considered key enablers for internal auditors to automate testing activities and advance the concept of continuous auditing.
Building resilience through DORA-compliant auditing
Internal audit departments have made significant progress in preparing for DORA, but long-term efforts will be essential to maintaining compliance. To keep pace with regulatory changes, internal audit needs to evolve, developing strategies that align with DORA’s requirements and ensuring continuous oversight through structured audit plans.
A key challenge lies in structuring the audit approach, whether by focusing on DORA’s pillars or integrating reviews into critical business processes. The best strategy will vary by organisational size, IT infrastructure, outsourcing models, and process maturity.
Given the complexity of outsourcing chains, internal auditors must make full use of available tools and activate audit clauses to enhance visibility over third-party risks. Meanwhile, adopting AI, RPA, and automation will help drive continuous auditing, strengthening resilience over time.
Ultimately, success lies in adaptability. By embracing new technologies, refined audit strategies, and proactive oversight, internal auditors can turn compliance challenges into opportunities, reinforcing ICT governance and ensuring long-term business continuity in an evolving digital landscape.
What we think

While significant progress has been made in preparing for DORA, it is evident that organisations will need to undertake long-term efforts to remain compliant. Internal audit must evolve to adapt to these changes by developing dedicated strategies that reflect DORA’s requirements and ensuring ongoing assessments through comprehensive audit plans.