DORA moves ICT security from "something the IT department handles" to something that must be documented and audited. For many financial entities, that means internal audit, external auditors and supervisors will increasingly ask for evidence — not descriptions. For the overarching framework, see our DORA page.
What DORA means for audit
A recurring theme in DORA is documentable control. The regulation requires ICT risk management to be in place, working and demonstrable. That shifts the focus of an audit: it is not enough to have a policy describing how things ought to be. The auditor will want to see that the process actually runs — and that there are traces that prove it.
What auditors and supervisors typically ask for
Across ICT audits, some questions recur. For the part that concerns assets and cryptography, it is often:
- A current overview of ICT assets. Which systems and assets do you have, and is the list complete and up to date?
- Evidence that controls run. Are things actually monitored, and are there traces — logs, alerts, reports — that show it over time?
- A documented risk assessment. Have you addressed the concrete risks, with controls and residual risk described?
- Management of third-party risk. Can you show that suppliers' systems are part of the risk picture?
The common thread: the auditor wants evidence that was produced continuously — not assembled the week before the visit.
Certificates in an audit context
TLS certificates are a good example of how concrete the requirement becomes. Certificates are both ICT assets and cryptographic controls, and they are relatively simple to audit against — either you have a complete inventory, or you do not. An inventory you can pull with a date on it, together with documented TLS configuration and an alert history, is exactly the kind of evidence an auditor can work with. For a broader look at what auditors check, see the certificate audit checklist.
How CertControl delivers audit-ready certificate documentation
CertControl is built to produce the ongoing evidence a DORA audit values. It maintains a complete certificate inventory — the asset overview auditors ask for — documents TLS and cipher grading as proof of the cryptographic controls, keeps an audit log and alert history showing that monitoring genuinely runs over time, and generates executive and operational reports continuously rather than reactively.
Frequently asked questions
Does a DORA audit accept policies, or does it require evidence?
DORA requires documentable control, so a policy describing how things ought to be is not enough. The auditor will want to see that the process actually runs — and that there are traces, such as logs, alerts and reports, that prove it. Crucially, that evidence should have been produced continuously, not assembled the week before the visit.
Why is a certificate inventory considered good audit evidence?
Certificates are relatively simple to audit against — either you have a complete inventory, or you do not. An inventory you can pull with a date on it, together with documented TLS configuration and an alert history, is exactly the kind of evidence an auditor can work with.