A focused course, tailored for you
DORA Audit Playbook for Internal Auditors in Banking
Plan, execute, and write DORA audit reviews that satisfy ECB supervisory expectations and produce action plans that stick.
DORA fieldwork is not the hard part. Writing findings that survive the quality review, get rated correctly under the RTS, and produce action plans that first-line management actually implements is the hard part. Most internal audit teams are applying legacy operational risk finding methodology to a regulatory framework that has specific language requirements, severity thresholds, and ECB supervisory expectations. The gap shows up when findings get downgraded, management challenges the root cause, or the action plan addresses the symptom rather than the control failure.
Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.
Why this course
Digital operational resilience audit is new territory for most internal audit functions. The ICT third-party risk review looks different from a vendor outsourcing audit. The incident classification test looks different from a business continuity review. The threat-led penetration testing assessment is not the same as a standard IT controls review. The DORA RTS and ITS have specific requirements on what an internal audit function should test, how findings should be documented, and what constitutes a significant versus critical gap under the regulation. ECB SSM supervisory expectations for internal audit under DORA add another layer that most IIA-trained auditors have not yet worked through. This course bridges the gap between what an experienced internal auditor already knows and the specific methodology DORA requires.
What you walk away with
- Scope a DORA internal audit review using the RTS and ITS requirements as the control framework, not a generic IT audit checklist.
- Design fieldwork programmes for ICT third-party risk, incident classification, and TLPT requirements that produce sufficient audit evidence under IIA standards.
- Write findings with root cause language that matches DORA control requirements and survives management challenge.
- Rate finding severity correctly using the significant versus critical threshold language the RTS specifies.
- Build an audit coverage plan that satisfies ECB SSM supervisory expectations for the internal audit function at a significant institution.
- Deliver an action plan follow-up process that tracks DORA remediation to closure and feeds the next audit cycle.
The 12 modules
How this addresses your situation
Specific modules that map to what you said you are dealing with.
What you get with this course
- Twelve written modules covering the full DORA audit lifecycle from scoping through fieldwork to action plan follow-up and remediation validation.
- Downloadable audit work programme templates for each DORA pillar, pre-mapped to the relevant RTS and ITS articles.
- Sample finding language and severity rating documentation for the most common DORA audit gaps, ready to adapt to your institution's house style.
- Hand-built implementation playbook for the ICT risk audit and incident classification review, tailored to your institution type and DORA exposure profile.
- Self-paced access in the Art of Service learning environment, structured so that individual modules apply directly to an audit already in progress.
What you will have in hand by Day 1, Week 1, Month 1
Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.
Before and after
Applying generic operational risk finding methodology to DORA gaps, getting into protracted management challenges on severity ratings, and producing action plans that address the symptom rather than the underlying control failure.
Writing DORA findings with precise root cause language, defending severity ratings with specific RTS criteria, and producing action plans that management implements because the root cause is documented clearly and without ambiguity.
What happens if you do not address this
The ECB SREP cycle for significant institutions now includes specific review of whether internal audit provides independent assurance on DORA compliance. Audit teams that rely on compliance-generated control self-assessments rather than independent fieldwork are generating supervisory observations rather than preventing them. Getting the methodology right before the next audit cycle protects the function's independence rating and avoids having the first DORA audit report revised under examiner scrutiny.
Who it is for
Internal audit professionals at SSM-supervised banks and significant banking groups who are being asked to lead or contribute to DORA readiness reviews, ICT risk audits, or digital operational resilience assurance programmes. You know how to plan and execute an audit. You know the IIA standards. You have delivered findings in credit risk, operational risk, or compliance audits. What you do not yet have is a working methodology for the specific DORA domains and the ECB supervisory lens on what good internal audit work in this area looks like.
How it arrives
Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.
Time investment. Eight to twelve hours across twelve modules, structured so that the scoping and finding-construction modules can be applied to an audit already in progress without completing the full course first.
Why $199 is the right number
IIA DORA-specific training covers the regulatory framework but not the audit execution methodology. ECB supervisory guidance on internal audit is written for compliance officers, not auditors who need to execute fieldwork and write findings. This course bridges the two: it takes the regulatory requirements and translates them into a working audit methodology with templates, worked examples, and finding language ready to adapt.
FAQ
30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.
Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.