A focused course, tailored for you
The DORA ICT Audit Methodology for Banking Internal Auditors
Build the complete DORA ICT audit cycle from scoping through finding closure, to IIA standards and EBA examination expectations.
The third-party ICT register is back. The ACPR follow-up named it by section, the ICT risk team provided a remediation memo, and the one thing missing is a workpaper that meets the audit evidence standard. Most internal audit teams at large banks are running DORA audit procedures for the first time this cycle and discovering that the ICT risk audit is not an extension of the IT general controls audit they have run for a decade.
Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.
Why this course
DORA changed the evidence standard for ICT audit work in ways that prior-year ITGC procedures did not prepare your team for. The third-party ICT register has a different scoping methodology than anything in your existing workpaper library. The incident classification workpaper needs to document a regulatory decision made in real time, not a retrospective assessment. The operational resilience testing evidence involves documents the bank did not author. And the finding language that the business line accepts internally is not the language the ACPR examiner accepts in a prudential examination. Internal auditors at large European banks are carrying the full DORA audit universe into their rolling plan with procedures built for a different regulatory era.
What you walk away with
- Scope the DORA ICT audit universe correctly across entities, ICT systems, and critical third parties under EBA RTS criteria.
- Build workpapers for the ICT risk register, incident classification, and operational resilience testing that meet IIA standards and ACPR examination expectations.
- Write finding language calibrated to DORA severity definitions that survives both the business line rebuttal and the external quality assurance review.
- Validate management remediation evidence rather than accepting attestation as closure, with a structured follow-up procedure for each finding type.
- Sequence DORA audit coverage across a 24-month rolling plan with a defensible Audit Committee coverage statement.
The 12 modules
How this addresses your situation
Specific modules that map to what you said you are dealing with.
What you get with this course
- 12 text-based modules covering the complete DORA ICT audit methodology from scope mapping through audit plan sequencing
- Downloadable workpaper templates for ICT risk register audit, incident classification, third-party ICT register review, and operational resilience testing
- Finding language calibration guide aligned to IIA severity definitions and EBA examination expectations
- Remediation tracking and closure validation methodology with follow-up fieldwork templates
- Hand-built implementation playbook: a 24-month DORA audit plan template with Audit Committee coverage statement
What you will have in hand by Day 1, Week 1, Month 1
Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.
Before and after
Before. Running DORA audit procedures built on ITGC foundations, receiving follow-up questions from the prudential examiner on workpaper evidence that the prior-year approach did not anticipate, and writing finding language that the business line accepts but the examiner treats as inconclusive.
After. A complete DORA ICT audit methodology in place: scope documentation the EBA guidelines recognize, workpapers that close examination follow-ups in one response, finding language calibrated to IIA standards, and a 24-month audit plan with a defensible Audit Committee coverage statement.
What happens if you do not address this
First-cycle DORA audits that run on ITGC procedures produce workpapers with evidence gaps that prudential examiners treat as methodology findings. A methodology finding is a finding about the internal audit function, not about the ICT risk team. That is a different conversation with the Audit Committee.
Who it is for
You are an internal auditor at a large European bank, carrying DORA audit coverage in your rolling plan for the first time. You have a strong background in credit risk, conduct, or financial crime audit, but ICT risk is newer territory and the DORA-specific evidence standard was not in your prior training. Your Audit Committee expects DORA coverage in the annual audit opinion. Your relationship with the prudential regulator is established, but the DORA examination cycle has a different evidence expectation than the supervisory reviews you have managed before.
How it arrives
Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.
Time investment. Approximately 8 to 10 hours across the 12 modules. Each module is designed to be completed in a single working session and applied to a live audit engagement immediately.
Why $199 is the right number
The IIA offers technology audit training, but none of it maps DORA requirements to IIA International Standards at the workpaper level. Engaging an external specialist to review your DORA workpaper methodology costs significantly more and produces a point-in-time assessment rather than a reusable methodology your team applies independently each audit cycle.
FAQ
30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.