Question ID: DORA 252 - 3392
Regulation Reference: (EU) 2022/2554 - Digital Operational Resilience Act (DORA)
Topic: ICT third-party risk management (DORA)
Article: 30(3)(e)
Status: Final
Date of submission: 25 Jul 2025
Question
Is it in line with Article 30(3)(e)(i) of Regulation (EU) 2022/2554 (DORA), in conjunction with Article 8 of Commission Delegated Regulation (EU) 2024/1773, to appoint an independent third party to perform a regular joint audit of a third-party ICT service provider that supports critical or important functions, and would such an arrangement satisfy DORA requirements such that individual audits by each financial entity would not be required under normal circumstances, in a situation where the final selection of the audit company will be approved by the General Meeting of the ICT service provider, which is composed of representatives of the financial entities that are the sole owners of this ICT service provider?
Background of the question
According to Article 30(3)(e)(i) of DORA, contractual arrangements between financial entities and third-party ICT service providers supporting critical or important functions must include, among other things, the right for the financial entity to monitor the performance of the ICT services on an ongoing basis through access for inspection and audit, either by the financial entity itself or by an appointed third party. This provision is further detailed in Article 8 of Commission Delegated Regulation (EU) 2024/1773, which outlines specific forms of audit and monitoring to be included in the financial entity's policy on outsourcing of critical or important ICT services. In particular, Article 8(2)(b) allows for joint audits or joint testing exercises organised by multiple financial entities using the same ICT provider, carried out by the entities themselves or by a third party appointed by them. The regulation thus appears to provide financial institutions with flexibility in choosing the method of audit, including the possibility of appointing an independent third party to conduct a regular joint audit on their behalf. However, clarity is sought on whether, in such a case, DORA requirements are fully met and whether the appointment of such a third party relieves each financial entity of the obligation to perform a separate audit, assuming that each institution retains the right to conduct its own audit in exceptional circumstances (e.g. in response to a major incident or operational disruption), especially in a situation where the final selection of the audit company will be approved by the General Meeting of the ICT service provider, which is composed of representatives of the financial entities that are the sole owners of this ICT service provider.
EIOPA answer
DORA provides flexibility in how financial entities fulfil the audit requirements when dealing with ICT third-party providers. In particular, DORA Recital (73), Articles 28(6) and 30(3)(e)(i) clarify that financial entities can fulfil the audit requirements either through audits carried out directly by themselves or by a designated third-party auditor on their behalf, and DORA Article 28(6) and Article 8 of CDR (EU) 2024/1773 allow pooled audits to be carried out where appropriate, and especially in situations where several entities depend on the same ICT provider. At the same time, compliance with DORA Article 6(6) requires sufficient knowledge, skills and expertise of the auditors, as well as their appropriate independence. Generally speaking, the financial entities remain responsible for the audit arrangements. More specifically, based on DORA Article 5, the Management Body of the FEs is responsible for defining, approving and overseeing the implementation of an ICT risk management framework consistent with DORA, including for the audit arrangements. That means that the Management Body of each financial entity remains ultimately responsible for approving the relevant third-party auditor (if any), the frequency, the scope and the methodology of such audits. Therefore, in order to remain fully compliant with DORA, each financial entity must retain the right to request relevant changes regarding the audit clauses in the contractual arrangements, including in the case of a pooled audit, and the right to conduct its own audit if it considers that this would be more appropriate to comply with DORA.
The FEs involved are free to set up the relevant coordinated decision-making process to confirm the pooled audit and the third-party auditor selected to perform such a pooled audit, to the extent that such a coordinated decision-making process does not prevent the Management Body of each of the involved financial entities from ensuring that their financial entity complies with the relevant audit-related DORA requirements.