AdEx Partners News, Industries
DORA Audit 2026: Is your organization truly audit-ready?
We make them resilient.
The Digital Operational Resilience Act (DORA) has been mandatory since January 2025, but 2026 shows that the real challenge is only just beginning. Financial institutions are increasingly the focus of intensive DORA checks (On-Site Inspections, OSI). Many organisations have developed concepts and documentation. However, the supervisory authorities are now assessing something else: actual operational effectiveness.
Why do DORA audits lead to so many findings?
Experienced audit teams analyse IT and governance structures in detail. The focus is not solely on policies, but also, and especially, on their implementation. The result: 60 to over 100 findings per audit are not unusual.
This particularly affects:
- Critical or important functions
- ICT Third-Party Risk Management
- Operational Resilience
- Incident and Vulnerability Management
"DORA is currently failing in terms of operational effectiveness. We are currently seeing that it's not a lack of concepts that is the problem, but the lack of consistency in implementation," explains Alexander Wolf, Partner and Industry Lead for Financial Services at AdEx Partners.
Where do the greatest DORA risks arise?
The biggest challenges currently lie in the interplay of various issues:
- Incomplete or inconsistent information associations
- Complex hyperscaler and SIEM architectures
- Poorly implemented Privileged Access Management (PAM)
- Unclear roles between IT, Risk, and Compliance
Our experience shows that auditors primarily test actual management. Therefore, OSI findings arise mainly where responsibility is not clearly established. Central to this context is demonstrable control capability throughout the entire organization.
What makes a DORA control truly audit-proof?
A resilient DORA operating model goes far beyond compliance.
The crucial elements are:
- Integrated governance across IT, risk, compliance, and business units
- Full and up-to-date registers
- Effective control and management mechanisms
- Demonstrable implementation in operational business
"Most DORA programmes are audit-ready but not controllable," says Harry Neumann, Partner and Financial Services Expert at AdEx Partners. "Clear roles, robust registers, functioning control mechanisms, and auditable governance are needed here."
AdEx Partners supports DORA implementation:
We
- help you to prepare for OSIs in an organised manner with our tried-and-tested script,
- are your sparring partners on an equal professional footing,
- support you 24/7 during the examination, individually tailored to your examination team,
- help with the processing of the findings, and
- help with communication with the supervisory authorities.
So you can face your DORA review with a better feeling and more confidence.