DORA in practice: Auditing ICT and Third-Party Risk under the EU’s New Cyber Regime
Dates : 16-17 April 2026
The training consists of two one-day sessions, each from 09:00 to 17:00
Language : English
CPE Points : 7
Deadline to register : 2 April 2026
Trainer name: Nikolai Hombach, COBIT Assessor (ISACA)
Type of session: Online training
Overview
The Digital Operational Resilience Act (DORA) sets a new regulatory benchmark for ICT risk and cyber resilience within the EU financial sector. As internal auditors, we are called upon not only to assess compliance, but to provide assurance over the operational resilience frameworks that underpin digital trust.
This intensive two-day seminar is tailored for internal auditors seeking to deepen their understanding of DORA Pillars 1 and 4: ICT Risk Management (Articles 5-16) and ICT Third-Party Risk (Articles 28-44). Participants will explore audit-relevant expectations, design risk-based audit programs, and apply leading practices for reviewing ICT controls and outsourcing arrangements.
Through real-life examples, case studies, and interactive discussion, you will develop an audit-ready mindset and learn how to integrate DORA into your audit universe, risk assessments, and annual audit planning. Emphasis is placed on practical audit execution – from scoping engagements and identifying key controls to testing effectiveness and issuing impactful findings.
Highlight: All in-house team participants will be equipped with an ARC actionable audit questionnaire, ready to use for DORA audit execution.
Who should attend?
Audit professionals and audit managers
Course description
Agenda
1. Welcome & Regulatory Overview
Introduction to DORA: Scope, goals, and enforcement timeline
Why Pillars 1 & 4 are critical for internal audit
Linking DORA to internal audit frameworks
2. Pillar 1 – ICT Risk Governance & Audit Responsibilities
Key requirements of the ICT risk management framework
Roles of the management body and audit in governance oversight
Embedding DORA risk mitigation activities into audit approaches
3. Audit Planning: ICT Risk Mapping and Scoping Techniques
Identifying critical ICT assets, processes, and risk domains
Aligning ICT risks to audit objectives and risk appetite
Building a DORA-relevant audit risk assessment
4. Auditing ICT Risk Controls & Resilience Measures
Evaluating design and operating effectiveness of ICT controls
Review of control documentation, policies, logs, and reports
Sampling techniques and walkthroughs for ICT processes
5. Pillar 4 – Third-Party Risk: Regulatory Expectations
Overview of DORA’s third-party management requirements
Key risks in outsourcing, cloud, and critical ICT providers
Internal audit’s oversight role in third-party governance
6. Audit Fieldwork: Assessing Third-Party Risk Frameworks
Reviewing due diligence, onboarding, and ongoing monitoring
Auditing SLA clauses, subcontracting, and exit strategies
Auditing risk mitigating actions and controls for resilience, continuity, and compliance
7. Integrating Audit Insights: Reporting & Risk Communication
Typical audit findings and risk-based recommendations
Communicating critical IT infrastructure, systemic ICT, and third-party risks to stakeholders
8. Summary and Outlook
- Risk identification, control testing, audit findings
- Key takeaways for audit execution in 2026
Trainer bio
Nikolai Hombach
Nikolai Hombach is responsible for the IT Assurance & Consulting sub-segment at the ARC Institute as a management assessor, director, and trainer. Since 1998, he has been a consultant for IT service management and IT governance with a focus on practical implementation. Prior to this position, he was a management consultant and member of the management board of a systems and consulting company in Frankfurt am Main, where he was responsible for 60 employees. He studied computer engineering at the University of Siegen. Mr. Hombach works on an ongoing basis for a range of organizations, including DAX 30 companies. His references include Sandoz in Austria, SBB, Volkswagen, DZ BANK, RTL Television, Bayerische Landesbank in Luxembourg, and Noventum.