The DORA ICT Audit Methodology for Banking Internal Auditors

$199.00

A focused course, tailored for you

Build the complete DORA ICT audit cycle from scoping through finding closure, to IIA standards and EBA examination expectations.

The third-party ICT register is back. The ACPR follow-up named it by section, the ICT risk team provided a remediation memo, and the one thing missing is a workpaper that meets the audit evidence standard. Most internal audit teams at large banks are running DORA audit procedures for the first time this cycle and discovering that the ICT risk audit is not an extension of the IT general controls audit they have run for a decade.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

DORA changed the evidence standard for ICT audit work in ways that prior-year ITGC procedures did not prepare your team for. The third-party ICT register has a different scoping methodology than anything in your existing workpaper library. The incident classification workpaper needs to document a regulatory decision made in real time, not a retrospective assessment. The operational resilience testing evidence involves documents the bank did not author. And the finding language that the business line accepts internally is not the language the ACPR examiner accepts in a prudential examination. Internal auditors at large European banks are carrying the full DORA audit universe into their rolling plan with procedures built for a different regulatory era.

What you walk away with

  • Scope the DORA ICT audit universe correctly across entities, ICT systems, and critical third parties under EBA RTS criteria.
  • Build workpapers for the ICT risk register, incident classification, and operational resilience testing that meet IIA standards and ACPR examination expectations.
  • Write finding language calibrated to DORA severity definitions that survives both the business line rebuttal and the external quality assurance review.
  • Validate management remediation evidence rather than accepting attestation as closure, with a structured follow-up procedure for each finding type.
  • Sequence DORA audit coverage across a 24-month rolling plan with a defensible Audit Committee coverage statement.

The 12 modules

Module 1. DORA Scope Mapping for Internal Audit
DORA applies across entities, ICT systems, and third parties, but your audit universe is not identical to the compliance team's scope. This module maps the audit coverage obligations: ICT risk function audit, third-party ICT audit, and operational resilience testing oversight audit. You learn to document your scope rationale in the planning memo in terms the EBA guidelines recognize, not just internal taxonomy.
Module 2. ICT Risk Register Audit Evidence
The register itself is not evidence of control. This module covers what the auditor needs: update cadence documentation, owner accountability records, escalation logs when a risk breaches appetite, and the remediation timeline tracker. You build the workpaper population selection rationale, design attribute testing for register completeness, and draft the finding language when the register is structurally complete but operationally hollow.
Module 3. Third-Party ICT Register: Scoping and Audit Procedures
DORA Article 28 requires a register of information covering every contractual arrangement with an ICT third-party provider, flagged by whether it supports a critical or important function, and Article 30 sets the contractual provisions, including access, inspection and audit rights, that those arrangements must carry. This module walks through the classification methodology, the contractual audit rights clause review, and the fieldwork procedures for providers supporting critical or important functions where on-site access is limited or subcontracted. You document why certain providers were excluded from the critical ICT universe, which is the question ACPR examiners ask first.
Module 4. ICT Incident Classification Workpapers
DORA's incident taxonomy distinguishes major incidents from significant cyber threats, and the classification decision must be documented at the time it was made, not reconstructed in response to an audit. This module builds the workpaper template: classification rationale, reporting timeline evidence, notification records to the prudential authority and affected clients, and the lessons-learned closure loop the follow-up audit will verify.
Module 5. Operational Resilience Testing Evidence
Auditing TLPT and DR/BCP test outcomes requires evidence the bank did not select. This module covers the test plan sufficiency review, execution log completeness, gap register ownership, and management attestation structure. You handle third-party-conducted tests where internal access to the methodology is limited, and document the audit conclusion where testing evidence exists but coverage gaps remain unaddressed.
Module 6. ICT Concentration Risk Assessment
Single-provider concentration is a finding category DORA explicitly created: Article 29 requires the entity to assess ICT concentration risk before contracting. This module builds the concentration analysis audit: geographic concentration, functional concentration, and contractual substitutability assessment. You audit the bank's own concentration map for completeness and methodology, frame findings where no contractual remedy exists, and write the audit opinion for the risk committee when the concentration is known but the exit plan is undeveloped.
Module 7. Finding Language and Regulatory Calibration
An ACPR examiner reads your finding and asks whether the internal audit function understands DORA. This module calibrates severity grading to IIA standards and EBA examination expectations, drafts the finding statement in language that survives both the business line rebuttal and the external reviewer, and structures the recommended action so management's response is auditable at follow-up.
Module 8. Remediation Tracking and Follow-Up Procedures
Management attestation that a finding is closed is not evidence of closure. This module builds the closure validation methodology: what documentary evidence is required by finding type, how to plan follow-up fieldwork for partial remediation, and how to document ongoing exceptions in the audit tracking log without reopening closed findings. Includes the escalation trigger to the Audit Committee when remediation stalls past agreed deadlines.
Module 9. IT General Controls in a DORA Context
Your prior-year ITGC audit work covers some DORA territory and none of it automatically transfers. This module maps existing ITGC procedures including access management, change management, and patch cadence to DORA requirements, identifies where additional fieldwork is required, and documents the scope rationale in the planning file. You avoid duplicating work the IT audit team already completed while demonstrating DORA-specific coverage to the examiner.
Module 10. ICT Audit Report for the Audit Committee
The ICT risk audit opinion lands in front of board members who, under DORA Article 5, are accountable for an ICT strategy and risk management framework most of them did not write. This module structures the audit report: executive summary, finding matrix, heat map calibrated to DORA severity language, management response adequacy assessment, and the closing opinion paragraph that the Audit Committee chair can cite to the regulator.
Module 11. IIA Standards Alignment for DORA Workpapers
A Quality Assurance Review will scrutinize DORA workpapers because they are new territory for most internal audit functions. This module maps DORA audit procedures to IIA International Standards covering planning, fieldwork, and reporting, documents the methodology rationale in terms external validators recognize, and builds the evidence trail that demonstrates your audit approach was risk-based. Covers what QAR reviewers flag most often in first-cycle DORA audits.
Module 12. DORA Coverage in the Annual Audit Plan
Rolling DORA coverage across a 24-month audit cycle requires sequencing decisions: which audits are annual, which are cyclical, which are triggered by incidents or regulatory change. This module builds the audit universe for DORA, sequences third-party audits against regulatory deadlines, and drafts the Audit Committee coverage statement. Includes the gap disclosure approach when full coverage is not achievable within the current resource budget.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

You are mapping the DORA audit universe into your rolling plan for the first time and need to explain scope decisions to the Audit Committee.
The third-party ICT register came back from the prudential examination with a follow-up question your last workpaper did not answer.
A major ICT incident occurred and your team is now auditing whether the classification and reporting procedures worked as designed.
A Quality Assurance Review is scheduled and you need to demonstrate that DORA audit work meets IIA standards, not just regulatory compliance expectations.

What you get with this course

  • 12 text-based modules covering the complete DORA ICT audit methodology from scope mapping through audit plan sequencing
  • Downloadable workpaper templates for ICT risk register audit, incident classification, third-party ICT register review, and operational resilience testing
  • Finding language calibration guide aligned to IIA severity definitions and EBA examination expectations
  • Remediation tracking and closure validation methodology with follow-up fieldwork templates
  • Hand-built implementation playbook: a 24-month DORA audit plan template with Audit Committee coverage statement

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Before and after

Before

Running DORA audit procedures built on ITGC foundations, receiving follow-up questions from the prudential examiner on workpaper evidence that the prior-year approach did not anticipate, and writing finding language that the business line accepts but the examiner treats as inconclusive.

After

A complete DORA ICT audit methodology in place: scope documentation the EBA guidelines recognize, workpapers that close examination follow-ups in one response, finding language calibrated to IIA standards, and a 24-month audit plan with a defensible Audit Committee coverage statement.

What happens if you do not address this

First-cycle DORA audits that run on ITGC procedures produce workpapers with evidence gaps that prudential examiners treat as methodology findings. A methodology finding is a finding about the internal audit function, not about the ICT risk team. That is a different conversation with the Audit Committee.

Who it is for

You are an internal auditor at a large European bank, carrying DORA audit coverage in your rolling plan for the first time. You have a strong background in credit risk, conduct, or financial crime audit, but ICT risk is newer territory and the DORA-specific evidence standard was not in your prior training. Your Audit Committee expects DORA coverage in the annual audit opinion. Your relationship with the prudential regulator is established, but the DORA examination cycle has a different evidence expectation than the supervisory reviews you have managed before.

Who this is NOT for. This course is not for IT auditors who already run mature DORA programs and are looking for advanced threat-led penetration testing methodology. It is not for compliance officers building the DORA compliance framework from scratch. It is for internal auditors who have accountability for DORA audit coverage and need a complete methodology from scoping through finding closure, written in audit language rather than regulatory technical language.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Approximately 8 to 10 hours across the 12 modules. Each module is designed to be completed in a single working session and applied to a live audit engagement immediately.

Why $199 is the right number

The IIA offers technology audit training, but none of it maps DORA requirements to IIA International Standards at the workpaper level. Engaging an external specialist to review your DORA workpaper methodology costs significantly more and produces a point-in-time assessment rather than a reusable methodology your team applies independently each audit cycle.

FAQ

Do I need a deep IT background to apply this methodology?
No. The course is written for internal auditors with financial or operational audit backgrounds entering ICT risk territory. Technical ICT concepts are explained in audit terms, and the workpaper templates are designed to be completed by an auditor who understands controls testing, not one who configures ICT systems.
Does this cover DORA as it applies within the EU prudential supervision framework?
Yes. The methodology is built on the regulatory technical standards under DORA, drafted jointly by the European Supervisory Authorities (EBA, EIOPA and ESMA) and adopted by the Commission as delegated regulations, so they apply directly and uniformly across EU member states. Prudential examination expectations are referenced where they differ in practice from the base EBA guidance, including the established pattern of examiners requesting third-party register scope rationale in the first examination cycle.
How current is the DORA content?
The course covers DORA (Regulation (EU) 2022/2554), which applies from 17 January 2025, together with the associated regulatory technical standards and the examination expectations observed in the first examination cycle. The implementation playbook is updated when material EBA guidance or supervisory expectation changes are issued.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.