Section Three: Department Features, Duties and Responsibilities
Principle 4: Key Department Features
Professional Competence
1. The Department Director and the Internal Auditors shall have the necessary knowledge and skills to perform the Department’s duties and maintain its effectiveness. To this end, they shall:
a. Obtain academic certificates in accounting, auditing, business administration, or other areas related to internal audit, and preferably internal audit or accounting professional certificates, including but not limited to: CPA, CIA, SOCPA.
b. Have sufficient internal audit experience and the necessary skills to fulfill their responsibilities.
c. Receive adequate and necessary training on an ongoing basis to meet the technical requirements of the Company's activities.
Independence and Objectivity
2. The Department shall report directly to the Audit Committee, and the Department Director and Internal Auditors shall be fully independent and objective in performing their work. To this end, they shall:
a. Have the freedom to directly discuss the Department’s views, findings, evaluations and conclusions with the Audit Committee and the Board.
b. Examine documents available to the Executive Management or other business units in the Company.
c. Reject any tasks not related to the internal audit function.
d. Perform their duties in all business areas and units of the Company without any restrictions from the Executive Management or any unit other than the Department.
e. Have the right to summon a meeting with the Audit Committee at any time, whenever needed, to discuss any topic the Department wishes to address.
Professional Ethics
3. Taking into account the Code of Conduct and Work Ethics in Financial Institutions issued by SAMA and other relevant instructions, the Department Director and the Internal Auditors, when carrying out the Department tasks, shall:
a. Be professional, honest, and trustworthy.
b. Maintain the confidentiality of information obtained while performing their tasks and not misuse it for personal purposes or carry out harmful activities, even after leaving the Company.
c. Avoid conflicts of interest when performing tasks, clearly and explicitly disclose conflicts of interest (if any), and deal with them according to the policy approved by the Company’s Board for dealing with conflicts of interest.
Principle 5: Duties and Responsibilities of the Department Director
1. The scope of duties and responsibilities of the Department Director must include the following, as a minimum:
a. Completing the necessary procedures for the audit plan to be approved by the Audit Committee.
b. Developing an internal audit policy and completing the procedures necessary for its approval by the Board upon the recommendation of the Audit Committee.
c. Recruiting human resources with appropriate qualifications and skills based on the actual needs of the business, developing a plan to provide such competent human resources, and sharing it formally with the Audit Committee to follow up on its implementation and assess its suitability.
d. Nationalizing jobs in the Department according to the relevant laws and instructions.
e. Monitoring, evaluating, and developing the performance of the Department employees continuously and encouraging them to obtain professional certificates related to internal audit.
f. Holding meetings with the Audit Committee individually as needed.
g. Monitoring the work of outsourced service providers when assigned to perform certain internal audit tasks, and ensuring their compliance with the relevant laws, regulations, and instructions, including these Principles and the internal audit policy adopted by the Company.
Principle 6: Duties and Responsibilities of the Department
1. Subject to the relevant laws, regulations, and instructions, the Department's activity must include evaluating the Company’s governance, risk management, and compliance processes annually and submitting appropriate recommendations according to the approved internal audit plan.
2. The Department shall evaluate the effectiveness of governance processes and make recommendations to the Audit Committee based on studying the following aspects:
a. The effectiveness of the Company’s strategic and operational decisions.
b. The Company’s compliance with the governance regulations approved by the Board.
c. The effectiveness of communication between the Board and internal or external auditors.
d. The effectiveness of IT governance in the Company in supporting its strategies and objectives.
3. The Department shall evaluate the effectiveness of the Company’s risk management processes and contribute to their improvement. It shall also make recommendations in this regard to the Audit Committee, which in turn discusses them with the risk and credit management committee (as needed) based on studying the following aspects:
a. The ability of the risk management function or department to identify and evaluate risks.
b. The suitability of the risk response mechanism with the Company's level of risk appetite.
c. The ability of the risk management function or department to deliver risk-related information in a timely manner that enables the Board, Executive Management, and relevant departments to carry out their responsibilities.
4. The Department shall investigate cases of fraud during the performance of its duties and conduct a regular assessment to verify the effectiveness of and compliance with anti-fraud policies and procedures approved by the Board. It shall also ensure appropriate and timely handling of suspicious cases of fraud, proper documentation of actions taken, and inclusion of such information in the Department’s report mentioned in Principle (9) of these Principles.
5. The Department shall provide the Company with the necessary support to achieve the required level of compliance by evaluating the effectiveness and adequacy of the Company's compliance department procedures to avoid the risk of non-compliance.
Principle 7: Internal Audit Policy
1. The Department Director shall prepare an internal audit policy and update it periodically, provided that it is approved by the Board upon the recommendation of the Audit Committee. This policy must include, as a minimum, the following:
a. The purpose of establishing the Department and the scope and methodology of its work.
b. The Department’s organizational structure in the Company as well as its powers, responsibilities, and relationship with other units in the Company.
c. The Department’s main characteristics described in Principle (4) of these Principles.
d. The Department's right to communicate directly with any of the Company's employees and to examine the activity of other departments.
e. The Department's right to access any records, files, data, or tangible property of the Company, in a manner consistent with the relevant instructions of SAMA.
f. The Department's right to obtain copies of the records and documents supporting audit work and activities, including the right to access administrative information systems, records, and minutes of all consultants in the Company and decision makers.
g. The Department's right to escalate to the Audit Committee without any restrictions whenever the need arises.
h. The Department's responsibility before the Audit Committee for all matters related to the performance of its duties and obligations.
i. The Department Director’s responsibilities, including, as a minimum, the tasks and responsibilities mentioned in Principle (5) of these Principles.
j. The terms and conditions for outsourcing all or some of the internal audit tasks, taking into account the instructions of SAMA issued in this regard.
2. The Company may refer to the Internal Audit Charter of the Institute of Internal Auditors to use it as a guide when preparing the Company’s internal audit policy.
3. The internal audit policy must be clearly available to all Stakeholders in the Company for perusal.
Principle 8: Internal Audit Plan
1. The Department Director shall develop a risk-based internal audit plan and the timetable for its implementation. The plan must be approved by the Audit Committee and updated annually, provided that it includes the following, as a minimum:
a. It provides risk assessment and identifies the resources needed to implement the plan.
b. It takes into account the inputs of the Executive Management and what is received from the Board during the development of the plan.
c. It considers the expectations of the Executive Management, the Board, and Stakeholders in the Company relating to internal audit functions.
d. It provides a list of business units and activities that are subject to audit during the year, which must include as a minimum: the risk management, compliance, collection, and credit departments (at least annually) and the customer care department (semi-annually), taking into account that the audit of the customer care department and the collection department does not apply to real estate refinance companies.
e. It accepts advice aimed at improving risk management and operational processes in the Company, and it reflects the advice taken.
Principle 9: Department Reports
1. The Department shall prepare periodic reports on its audits and submit these reports to the Audit Committee. These reports must be divided into:
a. Quarterly reports: They include an evaluation of the internal control system of the audited departments, the results and recommendations related to their audits, and the actions taken by each department regarding these results and recommendations. They also indicate the status of the results that were not handled by the Company’s business units and the reasons for not handling them.
b. Annual reports: They include a comprehensive evaluation of the Company's internal control system and the audit activities carried out during the fiscal year as compared to the approved plan. They also indicate the reasons for any deficiency or deviation from the plan (if any) during the quarter following the end of the fiscal year.
Principle 10: Department Policies and Work Procedures
1. The Department Director shall develop policies and procedures for the Department’s work that include the mechanism for performing the tasks entrusted to it as well as the objective, scope, timeline, and resources required for each task separately. The Company's strategic objectives and the risks associated with implementing each task must be taken into account. Moreover, these policies and procedures must be updated periodically as needed.
2. Taking into consideration the instructions issued by SAMA and other regulatory bodies regarding information sharing, the Department shall keep and periodically update the documents related to its completed tasks.
Principle 11: External Evaluation of the Department
1. An external evaluation of the internal audit work in the Company must be conducted at least once every five years. The Audit Committee shall recommend to the Board the appointment of candidates to conduct the evaluation after verifying their necessary qualifications and independence to carry out the tasks entrusted to them.
2. The Department Director shall provide the necessary support for performing the external evaluation, and the Audit Committee shall submit the results of the evaluation and the corrective action plan for the observations made (if any) to the Board.
3. The Board shall be responsible for ensuring that the Audit Committee has properly conducted the external evaluation.
Principle 12: Documentation of Documents and Reports
1. The Department shall establish a database for its work and update it regularly.
2. All internal audit reports, results, recommendations, corrective action plans, and supporting documents in addition to documents related to the work of external auditors must be kept in electronic records for at least (10) years from the date of their attachment to the Department database.
Principle 13: Department Relationship with First and Second Line Units
1. The Department represents the Third Line, which is the last one among the three line units. It shall be directly and constantly responsible before the Audit Committee for evaluating and confirming the adequacy and effectiveness of governance, risk management, regulatory controls, policies and procedures implemented by the First and Second Line units. The Second Line units shall be subjected to an independent audit by the Department.
2. Taking into account the relevant laws and instructions, the Company may combine the roles of the First and Second Lines into one line by following the best recognized international standards in this regard.