My Take-aways from the IIA Luxembourg & Deloitte EU DORA lunch briefing

The IIA Luxembourg organised today's EU DORA brief for the Internal Audit function with Laureline Senequier and Stéphane Hurtaud from Deloitte.

I found the overview useful and got answers to questions that I had been pondering for a while. Below are my quick-hit impressions, Internal Audit take-aways and the answers to my earlier questions:

Impressions: Stéphane did mention that there will be more technical guidance on what incidents to report, but I left with the impression that this will initially depend on the classification and filtering done by organisations themselves. This could potentially cause a backlog of reports to follow up on if it takes a while to get technical guidance from the EU authorities (think of FIUs being flooded with SARs in Germany). My hunch that DORA focuses on ICT risk from ICT vendors was confirmed. To me this means that strict adherence to the letter of the regulation, instead of to its goal of cyber resilience, might cause organisations to miss ICT risks emanating from third parties that are not ICT vendors, e.g. law firms, AISPs and others.

Internal Audit take-aways: A lot of what DORA requires from the Internal Audit function builds on IT risk management and audit requirements from existing regulations; in some ways it is best practice heightened by regulatory rigour.

Key expectations for Internal Audit that I could make out were:

  • Have a risk-based Audit Plan
  • Ensure adequacy of Risk Management Frameworks
  • Implement a comprehensive IT Resilience Design & Approach
  • Close engagement and alignment with IT

The last two points resonated with me in particular, because the Deloitte team expounded on them by sharing that they see a lot of fragmented IT processes, which impact the audit. That is an observation I can absolutely co-sign, because the organisations I speak with often grapple with dispersed processes and could stand to benefit from a connected GRC approach as the baseline for audits.

Answers to my questions:

  • The PRA Policy Statement sets implementation milestones, e.g. determining critical vendors and setting impact tolerances by March 2022. Does DORA have similar implementation milestones and deliverables for auditors to be aware of?

A: There are no strict implementation milestones like in the UK.

My comment: As mentioned above, a lot of DORA builds on best practice from existing regulations and guidelines. It won't be "a tick-box exercise", as the speakers from Deloitte noted, and will call for having a sound GRC process in place. The adequacy of audit processes will come down to the established best practice of financial institutions and the judgement of the competent authorities enforcing DORA.


  • Will there be thresholds for incident reporting to avoid flooding the authorities with reports that make the actual follow-up hard? Background/parallel: Germany's FIUs are struggling with this in the AML domain.

A: Yes, there will be clear technical guidance on incident reporting.


  • Is DORA looking at ICT risks from ICT vendors or ICT risks more broadly? Rationale: ICT risks can emanate from law firms and other vendors.

A: DORA indeed focuses on ICT vendors.

Appreciate you sharing those key takeaways. What do the others think? Any comments?
