DORA Article 28 Checklist: Auditor vs Engineer Perspectives

This checklist contrasts what auditors verify with what engineers must actually implement to achieve effective and defensible DORA Article 28 compliance.

1. Supplier Inventory & Criticality

Auditor checks	Engineer implements
Complete inventory of ICT third-party providers	CMDB or supplier registry including CI/CD, Git, cloud, registries
Supplier classification by criticality	Criticality tags linked to delivery systems
Alignment with business services	Mapping pipelines → services → suppliers
Inventory kept up to date	Automated or process-driven updates tied to tooling usage

Common gap: CI/CD SaaS tools not listed as suppliers.

2. Contractual Clauses & Rights

Auditor checks	Engineer implements
Audit rights defined in contracts	Platforms capable of read-only audit access
Incident notification obligations	Monitoring and alerting pipelines connected to incident workflows
Evidence retention commitments	Log and artifact retention configured to meet contract duration
Subprocessor visibility	Documented SaaS dependency chains

Common gap: Contracts exist but tooling cannot technically support audits.

3. Access Control & Segregation of Duties

Auditor checks	Engineer implements
Role separation enforced	IAM roles for dev, approver, operator
No single-user end-to-end control	Branch protection + approval workflows
Access reviews performed	Periodic access reviews supported by logs
Least privilege applied	Token scopes, runner permissions, environment separation

Common gap: Admin access shared across CI/CD roles.

4. CI/CD Enforcement Controls

Auditor checks	Engineer implements
Controls enforced automatically	Policy-as-code in pipelines
No bypass of approvals	Mandatory gates for release and deploy
Artifact integrity ensured	SBOM generation, signing, verification
Third-party tools governed	Approved runner images, restricted plugins

Common gap: Controls enforced “by convention”, not technically.

5. Monitoring & Incident Evidence

Auditor checks	Engineer implements
Continuous monitoring of suppliers	CI/CD, registry, cloud logs collected
Incident detection capability	Alerts tied to third-party services
Incident traceability	Tickets linked to logs, pipelines, artifacts
Evidence of past incidents	Retained logs, timelines, RCA documentation

Common gap: Logs exist but are not centralized or retained.

6. Subprocessor Governance

Auditor checks	Engineer implements
Visibility into subprocessors	Documentation of SaaS dependencies
Awareness of data flows	Architecture diagrams showing third-party paths
Risk awareness	Risk assessment referencing real dependencies

Common gap: “Hidden” subprocessors inside CI/CD platforms.

7. Exit Strategy & Resilience

Auditor checks	Engineer implements
Documented exit strategy	Alternative tooling identified
Exit feasibility	Artifact portability, IaC reproducibility
Exit testing evidence	DR / exit tests executed and logged
No single-vendor dependency	Reduced coupling to SaaS-specific features

Common gap: Exit plan exists only as a document.

8. Evidence Quality & Availability

Auditor checks	Engineer implements
Evidence is objective	Logs, approvals, SBOMs generated automatically
Evidence is time-bound	Timestamped and immutable records
Evidence is accessible	Centralized storage, controlled access
Evidence is consistent	Same controls across environments

Common gap: Evidence collected manually “just before audit”.

Final Auditor Reality Check

Auditors do not validate:

intentions,
explanations,
architecture slides alone.

They validate:

controls in operation,
evidence produced by systems,
consistency over time.

Final Engineer Reality Check

Engineers succeed when:

compliance is designed into CI/CD,
controls generate evidence continuously,
audits become verification, not reconstruction.

DORA Article 28 Checklist — Auditor View vs Engineer View