Skip to main content
Image coming soon

DORA Audit Playbook for Internal Auditors in Banking

$199.00
Adding to cart… The item has been added

A focused course, tailored for you

DORA Audit Playbook for Internal Auditors in Banking

Plan, execute, and write DORA audit reviews that satisfy ECB supervisory expectations and produce action plans that stick.

DORA fieldwork is not the hard part. Writing findings that survive the quality review, get rated correctly under the RTS, and produce action plans that first-line management actually implements is the hard part. Most internal audit teams are applying legacy operational risk finding methodology to a regulatory framework that has specific language requirements, severity thresholds, and ECB supervisory expectations. The gap shows up when findings get downgraded, management challenges the root cause, or the action plan addresses the symptom rather than the control failure.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

Digital operational resilience audit is new territory for most internal audit functions. The ICT third-party risk review looks different from a vendor outsourcing audit. The incident classification test looks different from a business continuity review. The threat-led penetration testing assessment is not the same as a standard IT controls review. The DORA RTS and ITS have specific requirements on what an internal audit function should test, how findings should be documented, and what constitutes a significant versus critical gap under the regulation. ECB SSM supervisory expectations for internal audit under DORA add another layer that most IIA-trained auditors have not yet worked through. This course bridges the gap between what an experienced internal auditor already knows and the specific methodology DORA requires.

What you walk away with

  • Scope a DORA internal audit review using the RTS and ITS requirements as the control framework, not a generic IT audit checklist.
  • Design fieldwork programmes for ICT third-party risk, incident classification, and TLPT requirements that produce sufficient audit evidence under IIA standards.
  • Write findings with root cause language that matches DORA control requirements and survives management challenge.
  • Rate finding severity correctly using the significant versus critical threshold language the RTS specifies.
  • Build an audit coverage plan that satisfies ECB SSM supervisory expectations for the internal audit function at a significant institution.
  • Deliver an action plan follow-up process that tracks DORA remediation to closure and feeds the next audit cycle.

The 12 modules

Module 1. DORA for Internal Auditors: The Regulatory Map
The DORA regulation, the Level 1 text, and the Level 2 RTS and ITS that create the specific audit targets. This module maps the six pillars (ICT risk management, incident management, TLPT, third-party risk, information sharing, and reporting) to the control domains an internal auditor will test. You leave with a clear picture of what your audit universe looks like and which RTS articles generate the hardest findings and the most management pushback.
Module 2. ECB SSM Supervisory Expectations for Internal Audit Under DORA
The ECB has published supervisory expectations on how significant institutions should organise their internal audit function relative to DORA. This module covers what examiners look for when reviewing the DORA assurance plan, what constitutes sufficient independent coverage, and how the ECB has responded in early SREP cycles to internal audit teams that relied on compliance self-assessments rather than independent fieldwork and testing of implemented controls.
Module 3. ICT Risk Management Audit: Scoping and Risk Assessment
How to scope the ICT risk management framework audit against DORA Articles 6 through 16. The module translates those requirements into an audit risk assessment, identifies the key control areas including ICT strategy, asset management, encryption standards, patch management, and access controls, and calibrates testing depth against the institution's ICT risk profile. The output is a scoped audit work programme ready for fieldwork planning and senior partner review.
Module 4. Third-Party ICT Risk Review Design
DORA Articles 28 through 44 create specific requirements for third-party ICT risk management. This module covers how to design the review of the third-party register, test contractual provisions against the RTS minimum clauses, and assess concentration risk. You learn which evidence to request from each review stage, which contract provisions to test for completeness, and how to structure findings when the gap is in the register governance rather than a specific vendor contract.
Module 5. ICT Incident Classification and Reporting Audit
The incident classification taxonomy under DORA has specific criteria for what constitutes a major incident requiring supervisory notification. This module covers how to audit the classification process: sampling incidents from the register, testing classification decisions against RTS criteria, reviewing notification timelines, and testing the root cause analysis process. The most common finding in this domain is a classification methodology not aligned to the regulatory threshold the RTS sets.
Module 6. Threat-Led Penetration Testing: Internal Audit's Role
DORA TLPT requirements create a role for internal audit distinct from commissioning a standard penetration test. This module covers what internal audit is expected to assess about the TLPT programme, how to evaluate scope and threat intelligence input, what the red team output report should contain for audit purposes, and how to write findings when the TLPT programme has not yet run or when scope exclusions were not adequately justified to the supervisory authority.
Module 7. Writing DORA Audit Findings That Survive Review
DORA findings have specific language requirements. The significant versus critical distinction in the RTS creates a defensible classification if the finding language is precise. This module covers root cause analysis for ICT control failures, the condition-criteria-cause-effect structure applied to DORA gaps, common patterns where management challenges findings on scope or evidence, and how to document sufficient audit evidence so that the quality review closes without rework or reclassification.
Module 8. Severity Rating: Significant vs Critical Under the RTS
The boundary between a significant and a critical DORA gap carries consequences for remediation timelines and supervisory reporting requirements. This module works through the RTS criteria with worked examples of the boundary cases that create the most dispute with management. You learn how to document the rating rationale so it holds up to internal quality review and, if escalated, to ECB examiner scrutiny during the next SREP cycle review of the internal audit function.
Module 9. Audit Report Construction for DORA Reviews
How to build the DORA audit report for the board audit committee. This module covers the executive summary structure, finding sequencing so that systemic gaps are visible before individual control failures, the management action plan section written so each action addresses the root cause rather than the symptom, and implementation timeline setting based on DORA's own remediation expectations and the institution's current ICT programme calendar and resource constraints.
Module 10. Audit Universe and Coverage Planning for DORA
Building the multi-year DORA audit coverage plan. This module covers how to map the six DORA pillars to annual and rolling reviews, how to prioritise coverage based on the institution's ICT risk profile and supervisory heat, how to argue for resource allocation against an audit committee still treating DORA as a compliance project rather than an ongoing audit domain, and how to update the coverage plan when supervisory feedback shifts the priority areas.
Module 11. Action Plan Follow-Up and Remediation Validation
DORA remediation takes longer than a standard operational risk action plan because the control frameworks being built are new. This module covers how to design the follow-up process, what evidence to request to validate that an ICT control has been implemented rather than documented, how to handle partial remediation and rollover actions, and how to escalate persistent gaps to the audit committee without triggering a quality challenge on the original finding's root cause language.
Module 12. Integrating DORA Findings into the Enterprise Risk View
DORA findings sit within a broader internal audit picture that includes credit risk, model risk, operational risk, and compliance output. This module covers how to ensure DORA findings flow into the enterprise risk report, how to link ICT gaps to the operational risk event framework, how to report the aggregate DORA posture to the board audit committee in a way that is actionable rather than regulatory checklist, and how to position internal audit as the governance layer connecting DORA compliance to strategic resilience.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

Planning a first DORA readiness review: start with Module 1 (regulatory map) and Module 2 (ECB supervisory expectations) to anchor the audit scope before building the work programme.
Executing fieldwork on ICT incident classification or third-party ICT risk: Modules 4 and 5 cover the specific testing approaches and evidence requirements for those two DORA domains.
Stuck on finding rating or root cause language before quality review: Module 7 (finding construction) and Module 8 (severity rating) address the exact disputes that delay sign-off.
Building the multi-year DORA coverage plan for the audit committee: Module 10 provides the coverage logic and Module 11 covers the action plan follow-up process that closes the cycle.

What you get with this course

  • Twelve written modules covering the full DORA audit lifecycle from scoping through fieldwork to action plan follow-up and remediation validation.
  • Downloadable audit work programme templates for each DORA pillar, pre-mapped to the relevant RTS and ITS articles.
  • Sample finding language and severity rating documentation for the most common DORA audit gaps, ready to adapt to your institution's house style.
  • Hand-built implementation playbook for the ICT risk audit and incident classification review, tailored to your institution type and DORA exposure profile.
  • Self-paced access in the Art of Service learning environment, structured so that individual modules apply directly to an audit already in progress.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Before and after

Before

Applying generic operational risk finding methodology to DORA gaps, getting into protracted management challenges on severity ratings, and producing action plans that address the symptom rather than the underlying control failure.

After

Writing DORA findings with precise root cause language, defending severity ratings with specific RTS criteria, and producing action plans that management implements because the root cause is documented clearly and without ambiguity.

What happens if you do not address this

The ECB SREP cycle for significant institutions now includes specific review of whether internal audit provides independent assurance on DORA compliance. Audit teams that rely on compliance-generated control self-assessments rather than independent fieldwork are generating supervisory observations rather than preventing them. Getting the methodology right before the next audit cycle protects the function's independence rating and avoids having the first DORA audit report revised under examiner scrutiny.

Who it is for

Internal audit professionals at SSM-supervised banks and significant banking groups who are being asked to lead or contribute to DORA readiness reviews, ICT risk audits, or digital operational resilience assurance programmes. You know how to plan and execute an audit. You know the IIA standards. You have delivered findings in credit risk, operational risk, or compliance audits. What you do not yet have is a working methodology for the specific DORA domains and the ECB supervisory lens on what good internal audit work in this area looks like.

Who this is NOT for. Compliance officers building the DORA compliance programme from scratch. Risk managers implementing ICT risk frameworks. Technology teams designing the incident classification taxonomy. This course is for the internal audit function assessing whether those implementations meet the regulatory standard, not for the teams doing the implementation.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Eight to twelve hours across twelve modules, structured so that the scoping and finding-construction modules can be applied to an audit already in progress without completing the full course first.

Why $199 is the right number

IIA DORA-specific training covers the regulatory framework but not the audit execution methodology. ECB supervisory guidance on internal audit is written for compliance officers, not auditors who need to execute fieldwork and write findings. This course bridges the two: it takes the regulatory requirements and translates them into a working audit methodology with templates, worked examples, and finding language ready to adapt.

FAQ

Do I need to have completed a DORA audit to take this course?
No. The course is designed for audit professionals who are planning their first DORA review or who have started one and need to strengthen the methodology before findings go to quality review.
Does the course cover EBA guidelines on internal governance as well as DORA?
Module 2 addresses the ECB supervisory expectations, which reference the EBA governance guidelines. The primary focus is DORA RTS and ITS requirements, with cross-references to EBA guidelines where they add requirements to the internal audit function.
How is the implementation playbook tailored?
The playbook is built by Gerard to your institution type: significant institution, less significant institution, or banking group. It reflects the specific DORA domains that create the highest audit risk based on your context and the current supervisory priority areas.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.