Unlocking pooled audits: 5 top takeaways

How do you gain deeper supplier assurance across the supply chain without increasing duplication?

That’s the challenge we tackled in our recent webinar with guest speakers from PwC. The session explored how pooled audits are helping organisations rethink third-party assurance through a model that is both comprehensive and, importantly, scalable.

From regulatory pressure and operational resilience to supplier experience and efficiency, here are five key takeaways from the discussion.

Catch up on the full webinar here.

1. Pooled audits are solving a growing efficiency problem

One of the clearest themes from the webinar was the sheer scale of duplicated assurance activity happening across financial services supply chains.

As regulatory expectations increase, buyers are asking suppliers for more evidence, more testing and more oversight than ever before. The problem? Suppliers are often responding to the same requests repeatedly for multiple customers.

The pooled audit model is designed to change that.

Instead of every organisation conducting separate assessments, suppliers complete a single in-depth Stage 3 assessment that can then be shared across multiple FSQS buyer members.

The impact is significant.

During the session, Hellios shared examples where buyers saved thousands of hours by consuming reports “off the shelf”, while suppliers dramatically reduced the burden of repeated audits from multiple customers.

As Paul Huggett explained:

“One supplier through one Stage 3 review had a report which was taken by
14 different buying organisations and saved themselves 7,000 hours.” (35:28)

The takeaway was clear: pooled audits are not about reducing insight - they are about reducing duplication.

2. The industry is entering a new era of regulatory scrutiny

Another major theme throughout the webinar was regulation.

Ian Trinder from PwC described the current market as a “critical juncture” for third-party risk management, with increasing expectations coming from regulators across the UK and Europe.

DORA, the updated PRA SS2/21 guidance, operational resilience requirements and emerging cyber legislation are all pushing firms toward deeper supplier oversight and stronger evidence of assurance activity.

Importantly, regulators are also recognising that firms cannot manage this challenge entirely in isolation.

As Ian noted:

“Firms are now being asked to do more explicitly… and regulators expect there will be a cost associated with doing extra work in this space.” (12:27)

At the same time, financial services continue to be viewed as the benchmark industry for third-party risk management maturity.

“There is a maturity in financial services which other markets look to emulate where they possibly can.” (11:30)

The pooled audit approach reflects this shift toward a more joined-up and scalable assurance model - one that helps firms increase oversight while using resources more effectively.

3. Stage 3 moves assurance beyond self-attestation

A recurring point throughout the session was the difference between suppliers saying controls exist and actually testing whether they operate effectively in practice.

Stage 3 assessments are designed to provide independent, evidence-based assurance across critical risk domains including:

• Cybersecurity
• Information security
• Business continuity
• Data privacy
• Supply chain risk
• Technology resilience
• Records management
• Physical security

The process builds on existing assurance activity through detailed testing of governance, controls, evidence and remediation activity.

As Sneha Das, from PwC, explained:

“It provides independent assurance allowing you to move beyond what third parties say they do.” (28:04)

The resulting reports are designed to give buyers practical, decision-grade insight - including findings, risk categorisation, remediation plans and timelines.

This is particularly important as organisations increasingly need to demonstrate not just that supplier assurance exists, but that it is risk-based, repeatable and actionable.

4. Community collaboration is what makes the model work

One of the strongest messages from the webinar was that pooled audits only work when they are community-led.

The Stage 3 framework was not built in isolation by Hellios or PwC. Instead, the question set and testing criteria were developed collaboratively with the FSQS buyer community itself.

And that makes the difference.

It means the assessment framework reflects the real-world priorities and expectations of financial services firms - rather than a generic audit checklist.

As Paul Huggett, from Hellios, put it:

“It’s built by the peer group that are on this call.” (16:50)

Ian Trinder reinforced this point by describing pooled audits as:

“A shared opportunity.” (15:43)

That collaborative model helps create consistency across the market while still allowing organisations to focus additional attention on supplier-specific or service-specific risks where required.

5. Suppliers are seeing the value too

There is often an assumption that suppliers will resist more in-depth assurance processes. But one of the clearest themes from the discussion was that suppliers are increasingly supportive of pooled audit models when compared with traditional one-to-one audit approaches. Particularly, when they see the impact of their efforts.

As, Audit Manager, Sophie Atlas, from Hellios noted during the webinar:

“Suppliers love it when the buyers follow up on these assessments.” (45:36)

Suppliers want to know the time invested into evidence gathering and remediation is delivering meaningful value.

And because the framework has been built collaboratively across the FSQS community, suppliers have greater confidence that the information they are providing reflects genuine industry priorities - making it relevant, recognised and genuinely useful to their customers.

Final thoughts

The webinar highlighted a broader shift happening across financial services.

As regulatory pressure grows and supply chains become more complex, organisations are looking for ways to gain deeper assurance without creating more work for themselves or their suppliers.

Pooled audits offer a practical way forward:

• Increasing visibility
• Reducing duplication
• Strengthening supplier relationships
• Focusing resources where they matter most

Or, as Sneha Das summarised during the session:

“The structured and pooled approach to Stage 3 reporting turns assessment activity into decision-grade insight.” (29:29)