DORA moves ICT security from "something the IT department handles" to something that must be documented and audited. For many financial entities, that means internal audit, external auditors and supervisors will increasingly ask for evidence — not descriptions. For the overarching framework, see our DORA page.
What DORA means for audit
A recurring theme in DORA is documentable control. The regulation requires ICT risk management to be in place, working and demonstrable. That shifts the focus of an audit: it is not enough to have a policy describing how things ought to be. The auditor will want to see that the process actually runs — and that there are traces that prove it.
What auditors and supervisors typically ask for
Across ICT audits, some questions recur. For the part that concerns assets and cryptography, it is often:
- A current overview of ICT assets. Which systems and assets do you have, and is the list complete and up to date?
- Evidence that controls run. Are things actually monitored, and are there traces — logs, alerts, reports — that show it over time?
- A documented risk assessment. Have you addressed the concrete risks, with controls and residual risk described?
- Management of third-party risk. Can you show that suppliers' systems are part of the risk picture?
The common thread: the auditor wants evidence that was produced continuously — not assembled the week before the visit.
Certificates in an audit context
TLS certificates are a good example of how concrete the requirement becomes. Certificates are both ICT assets and cryptographic controls, and they are relatively simple to audit against — either you have a complete inventory, or you do not. Completeness is also checkable: a certificate the auditor finds on a live endpoint (or in a Certificate Transparency log) that is missing from your list is a gap in the asset overview, so an inventory should be reconciled against an independent discovery source, not just maintained by hand. An inventory you can pull with a date on it, listing for each certificate at least the host it is deployed on, issuer, expiry and key algorithm, together with documented TLS configuration (protocol versions and cipher suites actually enabled) and an alert history, is exactly the kind of evidence an auditor can work with. For a broader look at what auditors check, see the certificate audit checklist.
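What that evidence looks like when it is produced continuously rather than assembled before the visit, as an added example (not CertControl's code and not part of the original page): a dated inventory snapshot is taken on a schedule, each endpoint's TLS configuration is graded, expiry and weak-configuration alerts are recorded, and every snapshot is appended to a hash-chained evidence log so an auditor can verify that none of the history was rewritten afterwards. The inventory below is constructed sample data standing in for what a scanner would return; the grading thresholds and the 30-day expiry warning are illustrative assumptions, not a standard.

```python
"""Dated certificate inventory snapshots with a tamper-evident evidence log.

Added example only. Uses a constructed inventory instead of live TLS scans so it
runs offline; grading rules and thresholds are illustrative assumptions.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed sample inventory: what a scanner would report for three endpoints.
SAMPLE_INVENTORY = [
    {"host": "www.example.test", "port": 443, "issuer": "Example CA",
     "not_after": "2025-02-10T00:00:00+00:00",
     "protocols": ["TLSv1.2", "TLSv1.3"],
     "ciphers": ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256"]},
    {"host": "legacy.example.test", "port": 8443, "issuer": "Example CA",
     "not_after": "2025-01-05T00:00:00+00:00",
     "protocols": ["TLSv1.0", "TLSv1.2"],
     "ciphers": ["AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]},
    {"host": "api.example.test", "port": 443, "issuer": "Example CA",
     "not_after": "2026-06-01T00:00:00+00:00",
     "protocols": ["TLSv1.3"],
     "ciphers": ["TLS_AES_128_GCM_SHA256"]},
]

WEAK_PROTOCOLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}  # assumption: treated as findings
EXPIRY_WARN_DAYS = 30                             # assumption: warning window
GENESIS = "0" * 64                                # chain anchor for the first entry


def utc(year, month, day):
    """Timezone-aware UTC timestamp helper (used by the demo and tests)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def grade_endpoint(entry):
    """Return (grade, findings) for one endpoint's TLS configuration.

    Illustrative rule: any legacy protocol or any cipher suite without forward
    secrecy (no ECDHE / TLS 1.3 suite) drops the endpoint from A to C.
    """
    findings = []
    legacy = WEAK_PROTOCOLS & set(entry["protocols"])
    if legacy:
        findings.append("legacy protocol enabled: " + ", ".join(sorted(legacy)))
    for cipher in entry["ciphers"]:
        if not (cipher.startswith("TLS_") or cipher.startswith("ECDHE-")):
            findings.append("cipher without forward secrecy: " + cipher)
    return ("A" if not findings else "C"), findings


def snapshot(inventory, now):
    """Build a dated inventory snapshot and the alerts it triggers at `now`."""
    endpoints, alerts = [], []
    for entry in inventory:
        grade, findings = grade_endpoint(entry)
        not_after = datetime.fromisoformat(entry["not_after"])
        days_left = (not_after - now).days
        endpoints.append({"host": entry["host"], "port": entry["port"],
                          "issuer": entry["issuer"], "not_after": entry["not_after"],
                          "days_left": days_left, "grade": grade})
        if days_left < 0:
            alerts.append({"host": entry["host"], "kind": "expired"})
        elif days_left <= EXPIRY_WARN_DAYS:
            alerts.append({"host": entry["host"], "kind": "expiring",
                           "days_left": days_left})
        for finding in findings:
            alerts.append({"host": entry["host"], "kind": "weak_config",
                           "detail": finding})
    return {"taken_at": now.isoformat(), "count": len(endpoints),
            "endpoints": endpoints, "alerts": alerts}


def _digest(prev_hash, record):
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def append_evidence(log, record):
    """Append a record whose hash covers the previous entry's hash (tamper-evident)."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"prev": prev, "record": record, "hash": _digest(prev, record)}
    log.append(entry)
    return entry["hash"]


def verify_evidence(log):
    """True if every entry chains to its predecessor and no record was altered."""
    prev = GENESIS
    for entry in log:
        if entry["prev"] != prev or _digest(prev, entry["record"]) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


if __name__ == "__main__":
    log = []
    for day in range(0, 15, 7):  # weekly snapshots, as a scheduler would run them
        snap = snapshot(SAMPLE_INVENTORY, utc(2025, 1, 1) + timedelta(days=day))
        append_evidence(log, snap)
        print(snap["taken_at"], "endpoints:", snap["count"], "alerts:", len(snap["alerts"]))
    print("evidence log verifies:", verify_evidence(log))
```

The point for an audit is the shape of the output, not the grading rule: each snapshot carries its own timestamp and count, alerts are stored with the snapshot that raised them, and the chain hash lets an auditor confirm that the history presented was the history recorded. In practice the log would be written to append-only storage and the chain head published or signed periodically; a hash chain alone does not stop someone who controls the whole file from rewriting it end to end.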
How CertControl delivers audit-ready certificate documentation
CertControl is built to produce the ongoing evidence a DORA audit values. It maintains a complete certificate inventory — the asset overview auditors ask for — documents TLS and cipher grading as proof of the cryptographic controls, keeps an audit log and alert history showing that monitoring genuinely runs over time, and generates executive and operational reports continuously rather than reactively.