The Digital Operational Resilience Act (DORA): Implications for Internal Audit Teams

Rapid digital transformation across the financial services industry has delivered many benefits and advantages, including increased efficiency, elevated customer experiences and entirely new ways of storing, accessing and processing data.

However, such accelerated change in a short period of time inevitably leads to more IT failures and cyber threats, and thereby drives regulatory change to ensure a uniform approach to safety and compliance. The Digital Operational Resilience Act (DORA) was created in December 2022, as part of the EU’s broader Digital Finance Package, to address this.

With the deadline of 17 January 2025 fast approaching, internal audit teams within financial services are busy getting prepared. But how exactly is their remit changing? This article explores the challenges and opportunities which DORA poses for Internal Auditors.


What are the 5 pillars of DORA?

DORA is built on five key pillars, each addressing different aspects of digital operational resilience for financial institutions:

  1. ICT risk management: An effective Information Communication Technology (ICT) risk management framework is to be implemented and in place to identify, assess, and mitigate risks in digital operations.
  2. ICT incident reporting: For the sake of transparency, and to enable a swift response that lessens the impact, financial entities must promptly notify the appropriate authorities of significant ICT-related incidents.
  3. Digital operational resilience testing: Routine testing of ICT systems and processes is essential, to help ensure that they can withstand and recover from a variety of disruptions.
  4. ICT third-party risk management: Firms are responsible for managing the risks associated with third-party service providers and ensuring that these providers also adhere to DORA's requirements.
  5. Information sharing: To increase collective resilience, DORA encourages the sharing of information about cyber threats and vulnerabilities with other financial institutions.


Who needs to comply with DORA?

DORA applies to all financial institutions in the EU, as well as non-EU financial institutions operating within the EU, including, but not limited to:

  • Banks
  • Insurance companies
  • Investment firms
  • Payment service providers
  • Credit rating agencies
  • Crypto-asset service providers

Third-party ICT providers that supply services to financial entities, such as data centre/cloud computing and software providers, must also comply with DORA requirements.


The Role of Internal Audit Under DORA

Internal audit is an important component in the strengthening of the operational resilience of financial institutions and their adherence to DORA.

The remit of internal audit will include new responsibilities, such as:

  • Risk assessment and identification: pinpointing potential risks that could impact operational resilience, including reliance on ICT systems and third-party providers.
  • Policy and framework development: ensuring that ICT risk management policies are robust and aligned with DORA's requirements.
  • Incident response planning: developing and assessing plans to help identify gaps and areas for improvement.
  • Continuous improvement: regular audits and reviews will provide valuable feedback and recommendations for continuous improvement of the organisation’s operational resilience framework.
  • Effective stakeholder communications: liaising with key internal departments as well as external auditors and regulatory bodies to ensure alignment with DORA requirements. Furthermore, Standard 11.1 of the new Global Internal Audit Standards specifically states that the Chief Audit Executive must build relationships with key stakeholders to promote effective communication with them and ensure a mutual understanding of the approach for identifying and managing risks, providing assurance, and relevant regulatory requirements.
  • Providing assurance over the governance and operational resilience of critical ICT systems.


Skills Required for DORA Compliance

DORA’s emphasis on digital resilience and cybersecurity means that the following skill sets will be absolutely key for internal audit teams:


Technical Proficiency:

A deep understanding of ICT systems, cybersecurity frameworks and digital risk management, together with proficiency in tools and techniques for assessing ICT controls, such as vulnerability scanning and penetration testing.

Regulatory Knowledge:

Comprehensive knowledge of DORA’s requirements, including incident reporting protocols and third-party risk management guidelines, as well as familiarity with other relevant regulatory frameworks, such as GDPR and NIS2, to ensure aligned compliance efforts.

Data Analytics and Automation:

Using data analytics to identify patterns and anomalies in ICT operations and automation tools to streamline audit processes and enhance efficiency.

Communication and Stakeholder Engagement:

The ability to communicate complex technical findings in a clear and actionable manner, and to build strong relationships with ICT teams, senior management and regulatory bodies.

Continuous Learning and Adaptability:

Staying up to date on emerging technologies, cyber threats and regulatory developments, and adapting audit approaches to address evolving risks and organisational changes.


Challenges for Internal Audit Teams

The implementation of DORA presents several challenges for internal audit teams, such as:

  • Resource Constraints: Balancing the need for specialised skills with budgetary and staffing limitations.
  • Evolving Threat Landscape: Keeping pace with the rapid evolution of cyber threats and ICT vulnerabilities.
  • Complex Compliance Requirements: Navigating the intricate requirements of DORA while maintaining focus on other regulatory obligations.


Opportunities

While the scope of internal audit is growing to accommodate DORA’s requirements, this also brings opportunities to learn new skills, achieve new accreditations, enjoy increased visibility within organisations and see the role become ever more strategic in nature.


Is it time to grow your internal audit team?

To effectively navigate DORA’s requirements, internal audit teams must ensure they have the right skills and experience in place.

It is worth investing in targeted training programmes to enhance technical and regulatory expertise and offering staff the opportunity to acquire certifications in cybersecurity and ICT auditing, such as CISA, CISSP or CRISC.

However, we anticipate that teams will also need to bring in new talent, as the additional workload under DORA is likely to be significant. We have already witnessed a significant surge in demand at the end of 2024, and this is likely to continue as firms navigate the challenges of DORA in the early implementation stage.


To discuss your internal audit hiring requirements, please don’t hesitate to get in touch with Adam Bond, Head of Audit Recruitment at Leonid.