Enhancing operational resilience: The implications of DORA on internal audit

What is the Digital Operational Resilience Act (DORA)?

The EU, through Regulation 2022/2554/EU, also known as the Digital Operational Resilience Act (DORA), has set out a regulatory framework to ensure the financial industry is resilient to digital disruptions, like we’ve seen with Generative AI. Cyberthreats, IT failures, and other digital disruptions are becoming more prevalent as the financial sector relies more and more on technology. You might recall a recent incident where a Hong Kong finance employee paid a fraudster US $25 million during a video call with a deep-fake "chief financial officer". According to Deloitte's Center for Financial Services, Generative AI could increase US fraud losses to $40 billion by 2027, representing a 32% compound annual growth rate from 2023. Additionally, a recent report by Sophos revealed that ransomware impacted 65% of financial services organizations in 2024, infecting 43% of their computers. To mitigate these risks, DORA rigorously regulates financial institutions and their service providers.

Interpreting the purpose, scope, and key requirements of DORA

The principal goal of DORA is to develop an integrated regulatory environment that will improve the operational resilience of financial entities. It provides comprehensive standards for managing and mitigating Information Communication Technology (ICT) risks. By standardizing these requirements, DORA tries to ensure strong digital resilience across all EU-based financial entities.

What is operational resilience?

According to the European Banking Authority, operational resilience is the ability of an institution to deliver critical operations through disruption. Preparing for unforeseen natural disasters is similar to building operational resilience. Just like how a well-prepared individual or community gathers emergency supplies, creates a plan, and conducts drills to stay safe during an earthquake, tornado, or hurricane, a financial institution focused on operational resilience and establishes protocols, backup systems, and response strategies to ensure critical operations continue, even in the face of disruptions. It’s all about being able to respond, adapt to, recover, and learn from disruptive events.

What are the 5 pillars of DORA?

DORA is built on five key pillars, each addressing different aspects of digital operational resilience for financial institutions:

1. ICT risk management: An effective Information Communication Technology (ICT) risk management framework is to be implemented and in place to identify, assess, and mitigate risks in their digital operations.
2. ICT incident reporting: For the sake of transparency and to enable a swift response to lessen the impact, they must promptly notify the appropriate authorities of significant ICT-related incidents.
3. Digital operational resilience testing: It is necessary for them to conduct routine testing of ICT systems and processes to help ensure that they can withstand and recover from a variety of disruptions.
4. ICT third-party risk management: They are responsible for managing the risks associated with third-party service providers, ensuring that these providers also adhere to DORA's requirements.
5. Information sharing: To increase collective resilience, DORA encourages the sharing of information about cyber threats and vulnerabilities with other financial institutions.

Who needs to comply with DORA?

DORA applies to all financial institutions in the EU, as well as non-EU financial institutions operating within the EU, including, but not limited to:

• Banks
• Insurance companies
• Investment firms
• Payment service providers
• Credit rating agencies
• Crypto-asset service providers

Furthermore, third-party ICT providers who provide services to financial entities, such as data centers/cloud computing and software providers, must comply with DORA requirements.

Essentially, any organization that provides financial services or critical support to financial institutions within the EU must adhere to DORA's requirements.

The role of internal audit in achieving operational resilience

Internal audit is an important component in the strengthening of the operational resilience of financial institutions and their adherence to DORA. In fact, as the European Confederation of Institutes of Internal Auditing (ECIIA) reminds us, DORA calls for the ICT risk management structure to follow the Three Lines model where internal audit's primary objective is to provide independent assurance and advisory services that will assist the financial institution in identifying and addressing potential risks and vulnerabilities.

Collaboration for operational resilience

Internal audit and other stakeholders, including risk management, IT, and compliance functions, can only achieve overall operational resilience by working in close synergy. It is essential for internal audit to be a trusted business partner and promote the integration and collaboration with other functions. Internal audit can facilitate collaboration and stakeholder engagement by:

• Risk assessment and identification: Internal audit can conduct joint risk assessments to help in identifying and assessing potential risks that could impact operational resilience, including reliance on ICT systems and third-party providers.
• Policy and framework development: Internal audit can review and validate the effectiveness of ICT risk management frameworks and controls, and make sure that ICT risk management policies are robust and aligned with DORA's requirements.
• Incident response planning: Internal audit can contribute to the development of effective incident response plans and accessing those plans to help identify gaps and areas for improvement.
• Continuous Improvement: Internal audit can perform regular audits and reviews to provide valuable feedback and recommendations for continuous improvement of the institution’s operational resilience framework. Internal audit can also coordinate with external auditors and regulatory bodies to ensure alignment with DORA requirements.

In fact, Standard 11.1 of the new Global Internal Audit Standards specifically states that the chief audit executive must build relationships with key stakeholders to promote effective communication with them and ensure a mutual understanding of the approach for identifying and managing risks, providing assurance, and relevant regulatory requirements.

Monitoring and reporting mechanisms for operational resilience

Implementing robust monitoring and reporting mechanisms that work effectively is necessary for maintaining operational resilience. By implementing these mechanisms, you can ensure a constant detection and response to any type of digital disruption, which will help in achieving a speedy recovery.

ICT risk monitoring

Continuous monitoring of ICT systems and processes is essential for identifying potential issues before they escalate into significant incidents. Internal audit can support this by:

• Evaluating the effectiveness of monitoring tools and technologies that are available.
• Assessing the adequacy of alerting and escalation procedures.
• Ensuring that monitoring processes cover all critical and essential ICT assets and activities.

Incident reporting and response

As pointed out by the European Banking Authority, timely reporting of ICT incidents is a key requirement of DORA. Similar to the US Securities and Exchange Commission (SEC) and NIS2, entities must report the initial notification 4 hours after a major event is classified, 24 hours after the incident is detected, 72 hours for the intermediate report, and 1 month for the final report. Internal audit should review and assess the organization’s incident reporting processes to ensure they meet regulatory standards. This includes:

• Verifying that incidents are reported to relevant authorities within the required timeframes.
• Evaluating the completeness and accuracy of incident reports.
• Reviewing the effectiveness of incident response plans and procedures already in place and identifying any gaps that need to be implemented.

In addition, internal audit should ensure that there is regular reporting to senior management and the board of directors, which is essential for maintaining operational resilience. Internal audit functions should provide insights and recommendations based on their reviews and assessments to support informed decision-making.

Resilience testing and validation

Regular testing and validation of ICT systems and processes are essential for ensuring they can withstand and recover from disruptions — in fact, it’s mandated by DORA. Internal audit can contribute by:

• Reviewing the scope and frequency of resilience testing activities.
• Assessing the adequacy of test plans and scenarios.
• Evaluating the effectiveness of testing methodologies and tools.

Implementing effective monitoring and reporting mechanisms is crucial for maintaining operational resilience under DORA. Internal audit functions play a critical role in ensuring these mechanisms are in place and functioning as intended, including the implementation and evaluation of real-time monitoring tools to detect and respond to ICT incidents promptly, as well as the establishment and assessment of key performance indicators (KPIs) and metrics for operational resilience.

Third-party risk management

Managing risks associated with third-party service providers is a critical aspect of DORA compliance. Internal audit should evaluate the organization’s third-party risk management practices to ensure they meet regulatory requirements. This includes:

• Reviewing the process for selecting and onboarding third-party providers.
• Assessing the effectiveness of ongoing monitoring and oversight of third-party providers.
• Ensuring that third-party contracts include ICT risk management and incident reporting conditions.

Exchange of information and collaboration

DORA highlights the significance of exchanging information about cyber threats and vulnerabilities across financial institutions. Internal audit can facilitate this by:

• Assessing the organization's practices and guidelines for exchanging information.
• Evaluating the effectiveness of information-sharing agreements with other financial institutions.
• Reviewing the efficiency of collaboration initiatives with industry associations and regulatory bodies.

Leveraging technology for enhanced operational resilience

Modern internal audit technology, like TeamMate+, allows internal audit teams to monitor operational resilience metrics more effectively in real-time. By leveraging capabilities such as centralized audit planning to align audit activities with regulatory requirements, and automated risk assessment processes to enable timely identification and evaluation of potential issues, TeamMate+ enhances the audit process. Integrated data analytics and custom dashboards provide deep insights into audit data, allowing teams to identify trends and anomalies quickly. Comprehensive reporting ensures that all findings and recommendations are clearly documented and communicated.

Furthermore, workflow automation streamlines audit processes, reducing manual effort and minimizing errors, while issue management tracks the resolution of identified issues to ensure they are addressed promptly. Continuous auditing supports the ongoing review of transactions and controls, with alerts and notifications for potential issues, enhancing proactive decision-making. Together, these features help internal audit teams maintain a robust monitoring framework that enhances operational resilience and ensures ongoing compliance with DORA.

Conclusion

When it comes to making the financial sector more digitally resilient, the Digital Operational Resilience Act is a big step forward. DORA wants to make the regulatory environment stronger so that the risks of digital disruptions are lower. They plan to do this by setting specific rules for ICT risk management, incident reporting, resilience testing, third-party risk management, and the exchange of information.

Internal audit functions play a crucial role in achieving and maintaining operational resilience under DORA. Through effective collaboration, continuous monitoring, and robust reporting mechanisms, internal auditors can help organizations identify and address potential risks and vulnerabilities, ensuring compliance with DORA and enhancing overall resilience.

Given the factors mentioned earlier, internal audit in financial institutions will play a major part in providing requisite support to organizations to enhance operational resilience in the constantly evolving digital environment. Internal audit must stay updated on regulatory changes in ICT risk mitigation to ensure their organization remains operationally resilient. With the implementation of DORA, internal audit departments can use solutions like TeamMate+ to monitor compliance requirements and integrate them into their risk management strategies, or quickly adapt their controls and processes for compliance, thereby helping their organizations effectively manage and mitigate ICT risks.

Review the DORA Regulation in its entirety.