Audit findings
1. Overview
Audit findings
Establish a follow-up process for audit findings, including rules for the timely verification and remediation of critical findings. Maintain a continuous learning and improvement process that draws on risk assessment results, resilience testing, (cyber) incidents, and the testing of business continuity plans. The results of this process shall be reported to the management body and are input for the yearly "Report on the ICT risk management framework review" as stated in Chapter 5 (Article 27) of the RTS RM.
1.1 References
1.2 Identified Requirements
1.3 Related Regulations
2. Identified Requirements

Requirements

| Source | Requirement |
|---|---|
3. Related Regulations

Regulations

| Source | Regulation |
|---|---|
| DORA | DORA Ch. II Sec. II Art. 6(6): The ICT risk management framework of financial entities, other than microenterprises, shall be subject to internal audit by auditors on a regular basis in line with the financial entities' audit plan. Those auditors shall possess sufficient knowledge, skills and expertise in ICT risk, as well as appropriate independence. The frequency and focus of ICT audits shall be commensurate to the ICT risk of the financial entity. |
| DORA | DORA Ch. II Sec. II Art. 11(3): As part of the ICT risk management framework referred to in Article 6(1), financial entities shall implement associated ICT response and recovery plans which, in the case of financial entities other than microenterprises, shall be subject to independent internal audit reviews. |
| DORA | DORA Ch. II Sec. II Art. 13(7): Financial entities, other than microenterprises, shall monitor relevant technological developments on a continuous basis, also with a view to understanding the possible impact of the deployment of such new technologies on ICT security requirements and digital operational resilience. They shall keep up-to-date with the latest ICT risk management processes, in order to effectively combat current or new forms of cyber-attacks. |
| DORA | DORA Ch. V Sec. I Art. 28(6): In exercising access, inspection and audit rights over the ICT third-party service provider, financial entities shall, on the basis of a risk-based approach, pre-determine the frequency of audits and inspections as well as the areas to be audited through adhering to commonly accepted audit standards in line with any supervisory instruction on the use and incorporation of such audit standards. Where contractual arrangements concluded with ICT third-party service providers on the use of ICT services entail high technical complexity, the financial entity shall verify that auditors, whether internal or external, or a pool of auditors, possess appropriate skills and knowledge to effectively perform the relevant audits and assessments. |