DORA Ch. II Sec. II Art. 6(6)

1. Overview

6. The ICT risk management framework of financial entities, other than microenterprises, shall be subject to internal audit by auditors on a regular basis in line with the financial entities’ audit plan. Those auditors shall possess sufficient knowledge, skills and expertise in ICT risk, as well as appropriate independence. The frequency and focus of ICT audits shall be commensurate to the ICT risk of the financial entity.

1.1 References

1.2 Identified Requirements

1.3 Related Standards

2. Identified Requirements

Requirements (Source / Requirement)

3. Related Standards

Standards (Source / Requirement)

NOREA: Audit approach and frequency

The Internal audit department shall conduct audits on the following domains:

  • Risk management framework, policies, related processes, and procedures
  • ICT Response and recovery plans
  • ICT Third-party service providers

Adjust audit frequency and focus based on the entity's ICT risk profile.

NOREA: Auditor requirements

Ensure that the internal audit staff possess sufficient ICT risk knowledge, skills, and expertise to perform the audits. Also, ensure the independence of the audit function.

NOREA: Audit findings

Establish a follow-up process for audit findings, including rules for timely verification and remediation of critical findings. Maintain a continuous learning and improvement process based on risk assessment results, resilience testing, (cyber) incidents, and testing of business continuity plans. The results of this process shall be reported to the management body and serve as input for the yearly “Report on the ICT risk management framework review” as stated in Chapter 5 (Article 27) of RTS RM.

NOREA: Reliance on Third-Party Assurance and Certifications

Use, where appropriate, third-party certifications, third-party or internal audit reports made available by the ICT third-party service provider, or own audit reports to confirm adherence to contractual requirements on information access, inspection, audit, and ICT testing with the third party. Rely on third-party certifications and audit reports from ICT third-party service providers only if all of the following conditions are met:

  • the audit plan is aligned with the contractual arrangements;
  • the audit scope is comprehensive and covers the identified systems and key controls;
  • ongoing assessment of the certification/report content is performed and validated;
  • key systems and controls are covered in future versions of the certification or audit report;
  • there is confidence in the certifying/auditing party's capabilities;
  • certifications/audits adhere to recognized professional standards;
  • the right to request scope expansion is covered in the contract; and
  • the right to perform discretionary audits is retained.