A Guide to Conducting an Internal Compliance Audit
Practical guide to internal compliance auditing covering audit fundamentals, planning and scope definition, NIS2 and DORA audit requirements, audit methodology, findings classification, remediation tracking, and the relationship between internal and external audits.
1. Internal compliance auditing is a regulatory expectation under DORA Article 6(6), ISO 27001 Clause 9.2, and implicitly under NIS2 Article 21(2)(f). It is not an optional best practice for EU-regulated entities.
2. Use risk-based prioritisation to define audit scope: audit the highest-risk domains annually and achieve complete audit universe coverage over a three-year cycle.
3. Structure multi-framework audits around controls rather than frameworks. Audit a control once and map findings to all applicable framework requirements to eliminate redundant testing.
4. DORA requires ICT risk management auditors to have sufficient ICT knowledge, skills, and expertise. General compliance auditors without ICT competence do not satisfy Article 6(6).
5. Close audit findings only after independent verification that remediation was implemented and the control now operates effectively. Self-reported remediation without verification produces phantom compliance.
1. Internal Audit Fundamentals for EU Compliance
An internal compliance audit is a systematic, independent examination of an organisation's compliance posture conducted by personnel within the organisation (or contracted specialists acting on its behalf) to assess whether regulatory obligations are being met, controls are operating effectively, and the compliance programme is fit for purpose. Internal audits serve a fundamentally different purpose from external audits: where external audits provide assurance to third parties (regulators, certification bodies, customers), internal audits provide assurance to the organisation's own management body that the compliance programme is working as intended.
In the EU regulatory context, internal auditing is not optional. DORA Article 6(6) explicitly requires financial entities to have their ICT risk management framework audited on a regular basis by ICT auditors possessing sufficient knowledge, skills, and expertise. ISO 27001 Clause 9.2 mandates internal audits at planned intervals to determine whether the ISMS conforms to requirements and is effectively implemented. NIS2 does not prescribe internal audit directly, but Article 21(2)(f) — requiring policies and procedures to assess the effectiveness of cybersecurity risk-management measures — implies an internal assurance function. Supervisory authorities examining NIS2 compliance under Articles 32-33 will expect to see evidence that the entity has tested its own controls before the regulator arrives.
The internal audit function must be organisationally independent from the activities it audits. This does not necessarily mean a standalone internal audit department. For mid-sized organisations, independence can be achieved through clear reporting lines (the audit function reports to the management body or audit committee, not to the CISO or compliance officer whose work it examines), defined objectivity requirements, and a prohibition on auditors evaluating their own work. Where the organisation lacks internal audit resources, engaging an external firm to perform the internal audit function is acceptable under all three frameworks, provided the engagement is structured to serve the organisation's assurance needs rather than the external firm's commercial interests.
DORA Article 6(6) explicitly requires regular ICT risk management framework audits by qualified auditors. ISO 27001 Clause 9.2 mandates planned internal audits. NIS2 Article 21(2)(f) implies an internal assurance capability. Internal auditing is a regulatory expectation, not a best practice.
2. Audit Planning, Scope, and Risk-Based Prioritisation
Effective audit planning starts with scope definition, which is itself a risk-based exercise. You cannot audit everything every year — and you should not try. Define the audit universe: the complete set of compliance domains, processes, controls, and organisational units that could be subject to internal audit. Then apply risk-based prioritisation to determine which elements of the audit universe are included in the current audit cycle. Factors driving prioritisation include: regulatory materiality (obligations with the highest penalty exposure or supervisory attention), control criticality (controls protecting the most sensitive assets or highest-impact processes), time since last audit (areas not audited recently carry inherent assurance decay), and change impact (areas affected by significant organisational, technological, or regulatory changes since the last audit).
Develop a multi-year audit plan that ensures complete coverage of the audit universe over a defined cycle — typically three years. Within each year, prioritise the highest-risk domains while ensuring every domain receives attention within the cycle. The annual audit plan should be approved by the management body or audit committee to provide governance oversight and ensure alignment between audit priorities and organisational risk appetite. For the first internal audit cycle following NIS2 or DORA entry into force, prioritise the areas supervisory authorities have signalled as Year 1 examination targets: management body governance, incident reporting capability, supply chain security, and the completeness of risk-management measures.
For each audit engagement, produce a formal audit plan documenting the audit objectives, scope boundaries (what is included and explicitly what is excluded), audit criteria (the specific regulatory requirements, standards, or policies against which compliance will be assessed), methodology (interviews, document review, testing, data analytics), timeline, resource requirements, and the responsible audit team. Distribute the audit plan to the audited area's management in advance — internal audit should not be an ambush. Giving stakeholders advance notice allows them to prepare evidence and allocate time for interviews, which improves audit efficiency and the quality of findings.
3. NIS2 and DORA Audit Requirements
Auditing NIS2 compliance requires mapping your assessment against the ten measure categories in Article 21(2)(a)-(j) and the governance obligations in Article 20. For each measure category, evaluate three dimensions: design effectiveness (is the control designed to achieve the regulatory objective?), implementation completeness (is the control implemented across all applicable systems, processes, and organisational units?), and operational effectiveness (is the control operating as designed, producing the expected outcomes?). A policy that exists but is not enforced fails implementation completeness. A control that is implemented but produces inconsistent results fails operational effectiveness. Both represent compliance gaps that require remediation.
DORA audit requirements are more prescriptive than NIS2. Article 6(6) requires the ICT risk management framework audit to be conducted by auditors who possess sufficient knowledge, skills, and expertise in ICT risk — a general compliance auditor without ICT competence does not satisfy this requirement. The audit must assess the entire framework: ICT risk identification and classification (Article 8), protection and prevention measures (Article 9), detection capabilities (Article 10), response and recovery procedures (Articles 11-12), and the learning and evolving mechanisms that feed incident and testing lessons back into the framework (Article 13). For entities subject to DORA's advanced resilience testing requirements (Article 26), the internal audit should also assess the entity's threat-led penetration testing programme and its integration with the broader resilience testing programme.
When auditing multi-framework environments, structure the audit around controls rather than frameworks to avoid redundant testing. If a single access control mechanism satisfies NIS2 Article 21(2)(i), DORA Article 9(4)(c), and ISO 27001 Annex A 8.2, audit that control once and map the findings to all three frameworks. This control-centric approach reduces audit effort, produces consistent findings, and provides a more accurate picture of actual compliance posture than three separate framework-specific audits that might evaluate the same control differently.
DORA Article 6(6) requires ICT risk management framework auditors to possess sufficient knowledge, skills, and expertise in ICT risk. A general compliance or financial auditor without ICT competence does not satisfy this requirement.
4. Audit Methodology and Evidence Collection
Internal compliance audit methodology combines several evidence-gathering techniques: document review, interviews, observation, re-performance, and data analytics. Document review assesses the existence and adequacy of policies, procedures, and records — does the entity have an incident response plan, does it cover Article 23/Article 19 requirements, and was it reviewed within the required cycle? Interviews with control owners and operational staff assess understanding and implementation — do personnel know their responsibilities, can they describe the process they follow, and does their description match the documented procedure? Observation and re-performance test operational effectiveness — watch an access review being conducted, or independently repeat a control activity to verify it produces the expected result.
Data analytics has become an increasingly powerful audit technique for EU compliance. Rather than sampling a handful of access rights for manual review, query the identity platform's logs to assess all privilege changes over the audit period. Rather than reviewing a sample of incident records for reporting compliance, analyse the complete incident dataset against the 24-hour/72-hour/1-month timeline requirements. Rather than asking whether vulnerability scans run weekly, query the scanner's execution logs to verify frequency and coverage. Data analytics transforms audit from a sample-based exercise into a population-based assessment, dramatically improving the reliability of audit conclusions and reducing the risk that significant exceptions escape detection through sampling limitations.
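The incident-reporting check above is the kind of population-based test that is easy to get subtly wrong, because the three NIS2 Article 23 clocks do not all start at the same point: the 24-hour early warning and the 72-hour notification run from the moment the entity becomes aware of a significant incident, while the one-month final report runs from submission of the notification. The following script is an added example written for this guide, not code from the original page or from any product. It runs the test over every incident in a constructed export rather than a sample. The record field names (aware_at, early_warning_at, notification_at, final_report_at) and the significant flag are assumptions about an export format; an as_of timestamp marks the end of the audit period so that a report that is simply not yet due is not flagged as missing.

```python
"""Population-based audit test of NIS2 Article 23 reporting timelines.

Added example for this guide; not code from the page or any product.
Record field names are assumptions about a hypothetical incident export.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

UTC = timezone.utc


@dataclass
class Incident:
    ref: str
    significant: bool                 # only significant incidents are reportable
    aware_at: datetime                # when the entity became aware (starts 24 h / 72 h clocks)
    early_warning_at: Optional[datetime] = None
    notification_at: Optional[datetime] = None
    final_report_at: Optional[datetime] = None


def add_one_month(ts: datetime) -> datetime:
    """Same day next month, clamped to that month's last day (31 Jan -> 28/29 Feb)."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


def check_stage(name: str, deadline: datetime, submitted: Optional[datetime],
                as_of: datetime) -> Optional[str]:
    """Exception text, or None if the stage was met or is not yet due at as_of."""
    if submitted is None:
        return f"{name} missing; due {deadline.isoformat()}" if as_of > deadline else None
    if submitted > deadline:
        return f"{name} late by {submitted - deadline}"
    return None


def audit_reporting_timelines(incidents: List[Incident], as_of: datetime) -> Dict[str, List[str]]:
    """Test the whole population. Returns {ref: [exceptions]} for failing incidents only."""
    exceptions: Dict[str, List[str]] = {}
    for inc in incidents:
        if not inc.significant:
            continue                  # out of scope for Article 23 reporting
        stages = [
            ("early warning", inc.aware_at + timedelta(hours=24), inc.early_warning_at),
            ("incident notification", inc.aware_at + timedelta(hours=72), inc.notification_at),
        ]
        # The one-month clock starts at notification submission, not at awareness.
        if inc.notification_at is not None:
            stages.append(("final report", add_one_month(inc.notification_at), inc.final_report_at))
        found = [e for e in (check_stage(n, d, s, as_of) for n, d, s in stages) if e]
        if found:
            exceptions[inc.ref] = found
    return exceptions


# Constructed sample export for the audit period ending AS_OF; not real incident data.
SAMPLE_INCIDENTS = [
    Incident("INC-001", True, datetime(2025, 3, 1, 9, 0, tzinfo=UTC),
             datetime(2025, 3, 1, 20, 0, tzinfo=UTC),     # 11 h: met
             datetime(2025, 3, 3, 8, 0, tzinfo=UTC),      # 47 h: met
             datetime(2025, 3, 28, 12, 0, tzinfo=UTC)),   # inside one month: met
    Incident("INC-002", True, datetime(2025, 3, 10, 14, 0, tzinfo=UTC),
             datetime(2025, 3, 12, 9, 0, tzinfo=UTC),     # 43 h: early warning 19 h late
             datetime(2025, 3, 12, 9, 0, tzinfo=UTC),     # 43 h: notification met
             None),                                        # final report not yet due at AS_OF
    Incident("INC-003", True, datetime(2025, 1, 29, 10, 0, tzinfo=UTC),
             datetime(2025, 1, 29, 22, 0, tzinfo=UTC),    # 12 h: met
             datetime(2025, 1, 31, 10, 0, tzinfo=UTC),    # 48 h: met; final due 28 Feb (clamped)
             datetime(2025, 3, 1, 10, 0, tzinfo=UTC)),    # one day late
    Incident("INC-004", False, datetime(2025, 3, 15, 8, 0, tzinfo=UTC)),  # not significant
]
AS_OF = datetime(2025, 4, 1, 0, 0, tzinfo=UTC)

if __name__ == "__main__":
    for ref, problems in audit_reporting_timelines(SAMPLE_INCIDENTS, AS_OF).items():
        print(ref, *problems, sep="\n  ")
```

Two design points matter more than the arithmetic. First, a missing report is only an exception once its deadline has passed at the audit cut-off; otherwise a clean-running programme would be flagged for incidents that happened in the last days of the period. Second, the month arithmetic is calendar-based with end-of-month clamping rather than a flat 30 days, which is the difference between flagging and missing a late final report for a notification submitted on the 31st.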
Document audit evidence meticulously. For each audit finding — both positive (control operating effectively) and negative (control gap or deficiency) — record the specific evidence that supports the conclusion: the document reviewed, the interview conducted, the data analysed, the test performed, and the result observed. Evidence documentation serves two purposes: it supports the credibility of audit findings during management review and remediation discussions, and it creates an audit trail that demonstrates the rigour of the internal audit function to supervisory authorities. If a competent authority questions a compliance assertion, the internal audit evidence should be available to substantiate it.
5. Findings Classification and Remediation Tracking
Classify audit findings using a severity scale that drives remediation urgency and escalation. A common four-tier classification works well for EU compliance audits: critical (a control gap that creates immediate regulatory non-compliance or material risk exposure — for example, no incident reporting capability in place despite NIS2 Article 23 obligations), high (a significant deficiency in a control that materially weakens compliance posture — for example, incident reporting exists but has not been tested and key personnel are unaware of timelines), medium (a control weakness that does not create immediate non-compliance but increases risk — for example, policy review is overdue by three months), and low (a minor deficiency or improvement opportunity — for example, documentation formatting inconsistencies or non-material evidence gaps).
Each finding should be documented in a structured format: finding title, description of the gap or deficiency, the regulatory requirement or control objective not being met, the evidence supporting the finding, the assessed severity, a recommended remediation action, and a target remediation date. Assign each finding to a remediation owner — the person accountable for implementing the corrective action — and track remediation progress through a formal process. Critical and high findings should have management body visibility and compressed remediation timelines (30 days for critical, 90 days for high). Medium and low findings can follow standard remediation cycles (180 days for medium, next audit cycle for low).
Remediation tracking is the mechanism that transforms audit findings from a report into operational improvement. Implement a tracking process that monitors remediation status, escalates overdue items, and validates remediation effectiveness through follow-up testing. A finding is not closed when the remediation owner reports it complete; it is closed when the audit function verifies that the corrective action has been implemented and the control now operates effectively. This verification step prevents the common failure mode where remediation is claimed but not substantively delivered. Report remediation tracking metrics to the management body: total findings by severity, percentage remediated on schedule, overdue items with age analysis, and trend over successive audit cycles. A declining finding count and a high on-time remediation rate are strong indicators of programme maturity, provided audit scope and rigour have been held constant; a finding count that falls because audits got shallower is a warning sign, not progress.
A finding is not closed when the remediation owner reports it complete — it is closed when the audit function independently verifies the corrective action was implemented and the control now operates effectively. Skip verification and you risk accumulating phantom remediation.
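The tracking process described in this section has one invariant worth enforcing in whatever tool holds the findings register: the owner's claim of remediation and the audit function's verified closure are separate states, and only the second one closes a finding. The tracker below is an added example written for this guide, not code from the original page or any product. It encodes the severity-driven target dates from the text (30, 90 and 180 days; the "next audit cycle" for low findings is assumed here to be 365 days), refuses closure without independent follow-up evidence or when the verifier is the remediation owner, and produces the management-body metrics the text lists. The sample findings are constructed.

```python
"""Findings register that will not close a finding on the owner's word alone.

Added example for this guide; not code from the page or any product.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Severity(Enum):
    CRITICAL = "critical"
    HIGH = "high"
    MEDIUM = "medium"
    LOW = "low"


# Remediation windows from the text. LOW ("next audit cycle") is an assumption of 365 days.
SLA_DAYS = {Severity.CRITICAL: 30, Severity.HIGH: 90, Severity.MEDIUM: 180, Severity.LOW: 365}


class Status(Enum):
    OPEN = "open"
    REMEDIATION_REPORTED = "remediation reported"   # owner's claim; nothing verified yet
    CLOSED = "closed"                               # audit function verified the control works


class VerificationRequired(Exception):
    """Raised on any attempt to close a finding without independent verification."""


@dataclass
class Finding:
    ref: str
    title: str
    severity: Severity
    raised_on: date
    owner: str                                  # accountable for the corrective action
    status: Status = Status.OPEN
    target_date: date = field(init=False)
    verified_on: Optional[date] = None
    verified_by: Optional[str] = None
    evidence: Optional[str] = None

    def __post_init__(self) -> None:
        self.target_date = self.raised_on + timedelta(days=SLA_DAYS[self.severity])


class RemediationTracker:
    def __init__(self) -> None:
        self.findings: Dict[str, Finding] = {}

    def raise_finding(self, f: Finding) -> Finding:
        self.findings[f.ref] = f
        return f

    def report_remediated(self, ref: str) -> None:
        """The owner's claim. It changes status but can never close the finding."""
        self.findings[ref].status = Status.REMEDIATION_REPORTED

    def close(self, ref: str, verified_by: str, verified_on: date, evidence: str) -> Finding:
        """Close only on recorded follow-up testing by someone other than the owner."""
        f = self.findings[ref]
        if f.status is not Status.REMEDIATION_REPORTED:
            raise VerificationRequired(f"{ref}: owner has not reported remediation; nothing to verify")
        if verified_by == f.owner:
            raise VerificationRequired(f"{ref}: remediation owner cannot verify their own fix")
        if not evidence:
            raise VerificationRequired(f"{ref}: closure requires re-performance evidence")
        f.status, f.verified_by, f.verified_on, f.evidence = Status.CLOSED, verified_by, verified_on, evidence
        return f

    def overdue(self, as_of: date) -> List[Tuple[str, int]]:
        """(ref, days past target) for every unclosed finding, oldest first."""
        items = [(f.ref, (as_of - f.target_date).days) for f in self.findings.values()
                 if f.status is not Status.CLOSED and as_of > f.target_date]
        return sorted(items, key=lambda item: -item[1])

    def metrics(self, as_of: date) -> dict:
        """Management-body metrics: totals by severity, on-time closure rate, overdue ageing."""
        closed = [f for f in self.findings.values() if f.status is Status.CLOSED]
        on_time = [f for f in closed if f.verified_on <= f.target_date]
        return {
            "total_by_severity": {s.value: sum(f.severity is s for f in self.findings.values())
                                  for s in Severity},
            "open": sum(f.status is not Status.CLOSED for f in self.findings.values()),
            "closed": len(closed),
            "pct_remediated_on_schedule": round(100 * len(on_time) / len(closed), 1) if closed else None,
            "overdue": self.overdue(as_of),
        }


def build_sample_tracker() -> RemediationTracker:
    """Constructed findings exercising each path; not real audit data."""
    t = RemediationTracker()
    t.raise_finding(Finding("F-01", "No incident reporting capability", Severity.CRITICAL, date(2025, 1, 10), "ciso"))
    t.raise_finding(Finding("F-02", "Reporting timelines untested", Severity.HIGH, date(2025, 1, 10), "ir-lead"))
    t.raise_finding(Finding("F-03", "Policy review overdue", Severity.MEDIUM, date(2025, 1, 10), "compliance"))
    t.raise_finding(Finding("F-04", "Evidence index inconsistent", Severity.LOW, date(2025, 1, 10), "compliance"))
    t.report_remediated("F-01")
    t.close("F-01", verified_by="internal-audit", verified_on=date(2025, 2, 5),
            evidence="re-performed notification walkthrough; 24 h and 72 h clocks met")
    t.report_remediated("F-02")     # claimed fixed, still counts as open and can go overdue
    return t


if __name__ == "__main__":
    print(build_sample_tracker().metrics(date(2025, 5, 1)))
```

Note that F-02 stays in the open and overdue figures even though its owner has reported it fixed. That is deliberate: a register that counts "reported complete" as closed is exactly the phantom-remediation failure mode the section warns about, and the metric the management body sees should reflect verified state only.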
6. Relationship to External and Regulatory Audits
Internal audits and external audits serve complementary purposes. Internal audits provide management assurance and drive improvement; external audits provide independent assurance to third parties. For ISO 27001, the external certification audit (conducted by an accredited certification body) assesses ISMS conformity with the standard. For DORA, the competent authority may conduct or commission examinations and inspections under Article 50. For NIS2, competent authorities conduct audits and inspections under Articles 32-33 for essential and important entities respectively. A mature internal audit programme improves external audit outcomes by identifying and remediating issues before external auditors discover them.
Coordinate internal and external audit activities to maximise coverage and minimise disruption. Share the internal audit plan with external auditors (where appropriate) so they can rely on internal audit work where it meets their standards for scope and quality, reducing the extent of their own testing. ISO 27001 certification auditors routinely review internal audit results and may place reliance on internal audit findings, provided the internal audit function demonstrates competence, independence, and methodological rigour. NIS2 and DORA supervisory authorities similarly assess the entity's internal assurance capability as part of their examination — a well-functioning internal audit programme signals mature compliance management.
Prepare for supervisory examinations by maintaining a standing evidence package that can be produced on demand. This package should include: the compliance programme charter, the current internal audit plan, completed internal audit reports from the current and prior cycle, the findings and remediation tracker with current status, policy documents with version history, control testing results, incident records and reporting evidence, training completion records, and management body meeting minutes demonstrating oversight. Organise the evidence package by regulatory requirement (Article 21 categories for NIS2, the five pillars for DORA, ISMS clauses for ISO 27001) so that supervisory staff can navigate it without requiring explanation. The faster you can produce comprehensive, well-organised evidence, the smoother the supervisory examination will proceed.
How often should internal compliance audits be conducted?
ISO 27001 Clause 9.2 requires audits at planned intervals. DORA Article 6(6) requires regular audits in line with the entity's audit plan without specifying a frequency, though the ESAs' regulatory technical standards imply at least annual audit planning. Best practice for EU-regulated entities is an annual risk-based audit plan that covers the highest-risk domains each year, with complete audit universe coverage over a three-year cycle. High-risk areas (incident management, access control, supply chain security) should be audited annually. Medium-risk areas can follow a biennial cycle. The audit plan should be flexible enough to accommodate unplanned audits triggered by significant incidents, regulatory changes, or supervisory requests.
Can the compliance officer or CISO conduct internal audits?
The compliance officer or CISO should not audit their own work, as this violates the independence requirement fundamental to internal audit. ISO 27001 Clause 9.2 requires auditors who are objective and impartial, and who do not audit their own work. DORA Article 6(6) requires both sufficient knowledge, skills, and expertise in ICT risk and appropriate independence; the competence requirement does not substitute for independence. In practice, the compliance officer may manage the internal audit programme but should not personally audit compliance programme components they own. Options for mid-sized organisations include: cross-functional audit teams (the IT team audits compliance activities while the compliance team audits IT controls), co-sourced arrangements with external specialists, or a fully outsourced internal audit function reporting to the management body.
What qualifications should internal compliance auditors have?
DORA Article 6(6) requires auditors with sufficient knowledge, skills, and expertise in ICT risk — this is a substantive competence requirement. For NIS2 and ISO 27001 audits, auditor competence should include: understanding of the regulatory framework being audited, audit methodology training (CISA, CIA, or ISO 27001 Lead Auditor certifications are relevant), familiarity with the organisation's technology environment, and practical experience conducting compliance assessments. For DORA-specific audits, auditors should additionally have ICT risk management expertise covering network security, incident management, business continuity, and third-party risk. Where internal staff lack these qualifications, co-sourcing with specialist audit firms is appropriate.
How do internal audit findings affect regulatory examination outcomes?
Internal audit findings, when properly managed, strengthen rather than weaken your position in regulatory examinations. Supervisory authorities expect to see findings — an internal audit with zero findings suggests insufficient rigour rather than perfect compliance. What supervisors evaluate is whether findings are classified appropriately, addressed within reasonable timelines, and verified as remediated. An organisation that identifies a critical gap through internal audit, remediates it within 30 days, and verifies the remediation demonstrates a functioning compliance programme. An organisation that has not conducted an internal audit, or that has unresolved critical findings ageing beyond their target dates, signals systemic weakness.
Should internal audit reports be shared with supervisory authorities?
Internal audit reports may be requested by competent authorities during supervisory examinations under NIS2 Articles 32-33 and DORA Article 50. Entities should be prepared to produce them. However, proactive sharing is a strategic decision. In some jurisdictions, sharing internal audit reports voluntarily can demonstrate transparency and programme maturity. In others, it may create expectations of ongoing disclosure. Consult legal counsel on your jurisdiction's specific supervisory practices. Regardless of the sharing decision, ensure internal audit reports are factual, balanced, and defensible — they should accurately represent the compliance posture and remediation trajectory, not minimise or exaggerate findings.