    • Principles of Internal Auditing for Local Banks Operating in Saudi Arabia

      No: 43037826 | Date(g): 1/12/2021 | Date(h): 26/4/1443 | Status: In-Force

      Translated Document

       

      In line with the supervisory and regulatory role of SAMA and its commitment to enhancing the systematic performance of internal audit units in independently and objectively evaluating the adequacy and effectiveness of governance processes, risk management, internal controls, and implemented policies and procedures, and based on the powers granted to it under its Law, issued by Royal Decree No. (M/36) dated 11/04/1442H, and other related regulations, SAMA issues this first edition of the Principles of Internal Auditing for Local Banks Operating in the Kingdom.

      For your information and action accordingly, effective as of 01/01/2022G.

      • Chapter One: Introduction, Definitions, and General Provisions

        • 1. Introduction


           

          1-1 SAMA has issued these principles based on its supervisory and regulatory powers as set out in the following regulations:
            A) The Saudi Central Bank Law, issued by Royal Decree No. (M/36) dated 11/04/1442 H.
            B) The Banking Control Law, issued by Royal Decree No. (M/5) dated 22/02/1386 H.
          1-2 These principles are organized into three chapters. Chapter One clarifies the terms used and sets out the general provisions. Chapter Two provides an overview of the roles, responsibilities, and duties of the Board of Directors, the Audit Committee, and Executive Management in relation to internal audit, as stipulated by the relevant regulations and guidelines, including the requirements for their effective implementation. Chapter Three sets out detailed and comprehensive requirements concerning the activities, roles, and responsibilities of the internal audit function, highlighting its position as the third line of defense, complementing the first and second lines. This chapter also underscores that internal audit is a tool for oversight and supervision within the bank, not a replacement for the bank's management, and ensures alignment with regulatory requirements, guidelines, and best practices while taking into account the particular nature and practices of banking institutions.
           
        • 2. Definitions

          The following terms wherever they appear in these principles are intended to have the meanings specified next to each of them, unless the context requires otherwise:

          Central Bank: The Saudi Central Bank (SAMA).
          Bank: Local commercial banks licensed to conduct banking operations in the Kingdom.
          Board: The Board of Directors of the bank.
          Audit Committee: A committee formed by the Board and established by a decision of the ordinary general assembly.
          Executive Management: The bank's senior management, responsible for managing the bank's daily operations and for proposing and implementing strategic decisions.
          Unit: The internal audit unit of the bank, overseen by its head and staffed by those responsible for internal audit tasks and responsibilities.
          Head of the Unit: The person responsible for managing the unit.
          Internal Auditors: The staff of the unit responsible for carrying out internal audit tasks and responsibilities.
          Principles: The Principles of Internal Auditing for Local Banks Operating in the Kingdom of Saudi Arabia.
          Internal Audit Function: An independent evaluation activity that provides objective assurance and consulting services on the quality, adequacy, and effectiveness of the bank's internal control system. It applies a systematic, organized approach to auditing accounting, financial, operational, and other processes, and to assessing and improving the effectiveness of governance, risk management, and control.
          Internal Audit Policy: The official document, approved by the Board, that defines the unit's purpose, scope of activity, organizational position, functional and administrative reporting lines, responsibilities, authority, relationships with other units, and the principles and methodology the bank follows regarding internal control. It also grants the unit access to the records, staff, and physical assets necessary to perform its duties.
          Regulations and Rules: The regulations and rules that apply to the banking sector and its members.
          Instructions: Everything issued by SAMA in its supervisory and regulatory capacity over the banking sector, and everything issued by the relevant authorities in the form of regulations, rules, principles, frameworks, guidelines, and mandatory circulars.
          Independence: Freedom from circumstances and conditions that affect the unit's ability to perform internal audit tasks and responsibilities in a professional, objective, and unbiased manner.
          Conflict of Interest: A situation in which the head of the unit or its staff have, or appear to have, a direct or indirect interest or relationship in a matter on which they are to decide, such that the interest or relationship prevents them, or creates the belief that it prevents them, from expressing their opinion or making their decision independently, impartially, and objectively, without regard to that interest or relationship.
          Objectivity: Neutral, fact-based professional behavior that enables internal auditors to perform their tasks with assurance in the quality of their work and its intended outcomes, without substantial interference or influence from outside the unit and without being swayed by personal beliefs or emotions.
          Consulting Services: Consultations carried out at the specific request of one of the bank's units.
          First Line of Defense: The business units responsible for identifying, assessing, and managing the risks of their activities early and continuously, and for accepting those risks within acceptable limits.
          Second Line of Defense: The control and support units, such as risk management, compliance, legal, Sharia (if applicable), finance, and the technology functions serving the business units, responsible for verifying, from a comprehensive and systematic perspective, that the business units in the first line of defense have appropriately identified and are appropriately managing their business risks.
          Third Line of Defense: The internal audit unit (the unit), responsible for independently and objectively evaluating and confirming the adequacy and effectiveness of the governance, risk management, controls, policies, and procedures implemented by the first and second lines of defense, enhancing confidence in them, and providing executive management with reasonable assurance that policies and procedures align with the specified expectations.
          Stakeholders: All those with a direct interest in the unit, specifically the Board, the Audit Committee, executive management, the bank's business units, external auditors, external consultants, and others; and, indirectly, shareholders, investors, and customers.
        • 3. General Provisions

          3-1 The general purpose of these principles is to establish the minimum requirements necessary for the internal audit function to perform efficiently and effectively within a unified, comprehensive, and robust framework. This framework serves as a tool to enhance self-regulation and lays the foundations for performing internal audits and improving the bank's operations and activities. The manner in which these principles are implemented depends on various factors, including the size of the bank, the complexity of its operations, its geographical scope, its regulatory framework, and the instructions it operates under.
          3-2 The primary objectives of these principles are:
            1) To protect the bank's assets; to continuously ensure the soundness, adequacy, and effectiveness of processes and the accuracy and reliability of reports, especially financial reports prepared for various purposes and stakeholders; to instill confidence in these reports and enhance the data they contain; and to protect the interests of stakeholders.
            2) To enhance compliance with the requirements of regulatory and supervisory authorities, ensuring that the bank and its employees adhere to laws, regulations, and instructions.
          3-3 The internal audit function is the third and final line of defense in the three-lines-of-defense model. It is directly accountable to the Board and the Audit Committee, on a continuous and ongoing basis, for evaluating and confirming the adequacy and effectiveness of governance, risk management, and control processes, and of the policies and procedures implemented by the first and second lines of defense. It enhances confidence in those processes and contributes to their improvement through a structured, risk-based approach that optimizes the use of resources by directing audit activities towards the bank's most significant and highest-risk areas. It performs these activities objectively, taking into account the bank's defined strategies and goals. The importance of this line of defense is reinforced by its independence, which strengthens its objectivity and credibility, ensures proactive effectiveness, provides new insights, identifies future impacts, and promotes appropriate ethics and values, thereby giving executive management reasonable assurance that policies and procedures align with defined expectations.
          3-4 These principles do not alter the requirements imposed on banks by other relevant regulations, laws, and instructions.
          3-5 SAMA has issued several instructions related to internal audit requirements, and these principles should be read alongside them, as applicable, including but not limited to:
            1) Key Principles of Governance in Financial Institutions under SAMA's supervision and control.
            2) Principles of Conduct and Work Ethics in Financial Institutions.
            3) Principles of Compliance for Commercial Banks Operating in the Kingdom of Saudi Arabia.
            4) Anti-Money Laundering and Counter-Terrorism Financing Guide.
            5) Rules for Bank Accounts.
            6) Regulatory Rules for the Operation of Self-Regulation Units and Committees.
            7) Principles of Financial Fraud Prevention in Banks Operating in the Kingdom.
            8) Shariah Governance Framework for Local Banks Operating in Saudi Arabia.
            9) Whistleblowing Policy for Financial Institutions.
            10) Risk Management Instructions.
            11) Rules on Outsourcing.
            12) Cyber Security Framework.
            13) Business Continuity Management Framework.
            14) Information Technology Governance Framework.
          3-6 The internal audit function receives international attention, and various international bodies and organizations issue guidance on it. These should be referenced and consulted, including but not limited to:
            1) Basel Committee on Banking Supervision (BCBS).
            2) Institute of Internal Auditors (IIA).
            3) Committee of Sponsoring Organizations of the Treadway Commission (COSO).
        • 4. Scope of Application

          These principles apply to all local banks operating in the Kingdom.

      • Chapter Two: Roles and Responsibilities of the Board and Executive Management Regarding Internal Audit

        • Principle (1): Board Responsibilities for Internal Audit

          5- To ensure that the ordinary general assembly performs its functions regarding the Audit Committee and internal audit as specified in the Companies Law and its implementing regulations, the Corporate Governance Regulations issued by the Capital Market Authority, and the Key Principles of Governance in Financial Institutions issued by SAMA, the Board is required to do the following:
            5-1 Submit effective proposals and recommendations that enable the ordinary general assembly to carry out its functions.
            5-2 Monitor, from time to time, any developments in the regulations, rules, and instructions related to internal audit issued by the relevant authorities.
          6- Although the Audit Committee operates independently of the Board and executive management, this does not exempt the Board, under the Key Principles of Governance in Financial Institutions, from the responsibility of effectively overseeing the Audit Committee and monitoring its work and assigned duties.
          7- The Board has the following responsibilities concerning the roles and responsibilities of executive management regarding internal audit:
            7-1 Ultimate responsibility for ensuring that executive management establishes and maintains an appropriate, efficient, and effective internal control framework that identifies, measures, monitors, and manages all risks faced by the bank.
            7-2 Ensuring that the effectiveness and efficiency of the internal control system are reviewed on the basis of information provided by the internal audit function, without relying solely on it.
          8- Without prejudice to the powers, duties, and responsibilities of the Board under the relevant instructions of SAMA and other regulatory authorities, the Board is responsible for continuously ensuring the following with respect to the internal audit function:
            8-1 Taking all necessary actions to ensure the existence and continued effectiveness of an independent and effective internal audit function within the bank, and periodically updating its organization and operating policies.
            8-2 Ensuring that the size of the internal audit function and the qualifications and competence of its head and staff are appropriate to the size of the bank, the nature of its operations, the automated systems in use, and the complexity of its organizational structure.
            8-3 Ensuring that the Audit Committee conducts an independent external evaluation of the quality of the internal audit function's performance at least once every five years.
        • Principle (2): Responsibilities of the Audit Committee towards the Unit

          9- Without prejudice to the specific responsibilities and duties of the Audit Committee as defined by the regulations and instructions issued by SAMA and other regulatory authorities, the Committee is responsible for the following requirements for effective oversight:
            9-1 Recommend to the Board the approval of the unit's organizational structure, and review it periodically as needed.
            9-2 Recommend to the Board the appointment, reappointment, or dismissal of the head of the unit, or the acceptance of their resignation.
            9-3 Ensure that the unit has appropriate human resources in terms of number, qualifications, and skills, especially in specialized areas such as treasury, finance, International Financial Reporting Standards, anti-money laundering and counter-terrorism financing, technology and cybersecurity risks, governance, Basel standards, liquidity, credit, and provisions, among others.
            9-4 Review and approve the audit plan prepared by the head of the unit on the basis of the annual risk assessment, including the scope of the plan and the budget allocated to it.
            9-5 Approve the unit's strategy prepared by its head, after coordination with the relevant department in the bank, and monitor its performance alongside the execution of the annual audit plan, in alignment with the bank's overall strategy and objectives.
            9-6 Review and discuss internal audit reports.
            9-7 Review the unit's performance to ensure its ability to carry out its responsibilities independently and objectively.
            9-8 Approve performance measurement indicators for the head of the unit and evaluate their performance.
            9-9 Ensure that the head of the unit possesses integrity and the ability to perform their duties with honesty, diligence, and responsibility; verify their compliance with regulations and instructions; and confirm that they have not previously been involved in any violations.
            9-10 Ensure that executive management takes the necessary corrective actions, in a timely and appropriate manner, to address the control weaknesses, non-compliance with policies, regulations, and instructions, other violations, observations, and shortcomings identified and reported by the unit together with its recommendations.
            9-11 Conduct the independent external assessment required under the approved internal audit policy to verify the quality of the unit's work, at least once every five years.
        • Principle (3): Roles and Responsibilities of Executive Management Regarding Internal Audit

          10- Executive management has the following responsibilities:
            10-1 Develop, apply, and maintain appropriate and effective internal control systems and procedures.
            10-2 Fully and unconditionally enable the internal audit unit to access all records, individuals, systems, and buildings, and provide it with the information and data necessary to perform its tasks in a timely and appropriate manner.
            10-3 Provide the internal audit unit with updates on new initiatives, projects, products, operational changes, or any amendments to policies and procedures within the bank.
            10-4 Ensure that all relevant risks (both known and anticipated) are identified and reported to the internal audit unit at an early stage.
            10-5 Share their risk assessments with the internal audit unit to enable it to plan audits using a risk-based approach.
            10-6 Implement appropriate measures and corrective actions, in a timely and suitable manner, for all findings and recommendations received from the internal audit unit.
            10-7 Encourage inviting representatives of the internal audit unit to attend the various management committee meetings as permanent invitees, without voting rights.
            10-8 Include a key performance indicator for executive management that reflects how effectively and promptly it addresses the observations raised by the unit.
           
      • Chapter Three: Functions, Tasks, and Responsibilities of the Unit

        • Principle (4): Key Characteristics of the Unit

          • Independence and Objectivity

             11- The unit must be administratively independent from all other business units whose activities are subject to review, and from the first and second lines of defense, which it complements. The unit must have sufficient organizational status and authority within the bank to perform its tasks objectively. The head of the unit and its staff must not undertake or be assigned any tasks or work in the bank that could compromise their role, other than internal audit activities and the review and evaluation of the effectiveness and efficiency of the internal control system.
             12- The unit must have the authority to perform its tasks across all areas of the bank's operations and business units, without restriction from executive management or from any source other than its functional reporting line.
             13- The unit must be free to discuss its views, results, evaluations, and conclusions directly with the Audit Committee and the Board, and to submit its reports directly to the Audit Committee through a clear organizational structure (functional reporting line).
             14- The unit must not be involved in the preparation (design), selection, implementation, or management of specific internal control procedures. Its independence does not, however, preclude executive management from requesting internal audit input on matters related to risks and internal control, provided that such advisory roles are well documented in the audit procedures and guidelines and are not construed as conflicting with the unit's independence.
             15- The rotation of the unit's staff to other business units must be governed by a written policy within its operational framework to avoid conflicts of interest. This includes a mandatory cooling-off period of no less than twelve months between the employee's time in the unit and any subsequent review by them of activities in the bank's operational areas to which they rotated.
             16- Performance rewards for the head of the unit and its staff, if any, must be organized so as to ensure no conflict of interest and no compromise to the unit's independence and ability to work objectively, in accordance with the relevant instructions issued by the Central Bank and the bank's reward policies and practices. Their rewards must not be linked to the financial performance of the business activities subject to internal audit, and the head of the unit's rewards must be recommended by the Audit Committee in accordance with the bank's reward policies and practices.
             17- The head of the unit must confirm, at least annually, the organizational and functional independence of the unit's activities, either in a dedicated section of the annual report or in a separate official written statement.
             18- The unit has the right to request a meeting with the Audit Committee at any time to discuss any topic it wishes to raise.
             
          • Professional Competence and Due Diligence

             19- The head of the unit must possess leadership skills and the skills necessary to maintain the unit's effectiveness.
             20- The head of the unit must hold an academic degree in one of the following:
               20-1 Accounting, auditing, business administration, or another field related to internal auditing, preferably together with a specialized professional certification in internal auditing or accounting such as (QIAI), (CIA), (SOCPA), or (CPA), or an advanced degree in accounting, auditing, or business administration.
               20-2 A specialized technical field, such as (CISA) Certified Information Systems Auditor or (CISM) Certified Information Security Manager; in this case, they must also hold one of the professional certifications or advanced degrees specified in (20-1) above. Under either option, they must have sufficient practical experience in internal auditing and the leadership skills appropriate to fulfilling their responsibilities while maintaining the unit's independence and objectivity.
             21- The head of the unit must, without conflicting with the bank's general employment policies, procedures, and requirements, establish standards for attracting competent individuals to the unit who possess professional competence, academic knowledge, experience, qualifications, skills, the ability to gather and understand information, to examine and evaluate evidence during the audit process, and to communicate with stakeholders. This requirement also includes supporting, enabling, and training national talent.
             22- The head of the unit must assess the skills of the unit's staff, monitor their development, and ensure they receive continuous, relevant training to meet the technical requirements of banking activities, adapt to the increasing diversity of tasks arising from new products, services, and procedures, and keep up with other developments in the financial sector.
          • Professional Ethics for the Head of the Unit and Its Staff

             23- In accordance with the Principles of Conduct and Work Ethics in Financial Institutions issued by SAMA, and to ensure that the unit maintains professional standards at all times, the bank's code of conduct and ethics must, at a minimum, include the principles of objectivity, behavior, competence, confidentiality, and integrity, and must stipulate the following:
               23-1 The necessity of demonstrating professionalism, integrity, honesty, and trustworthiness.
               23-2 Emphasis on maintaining the confidentiality of information obtained in the course of duty, avoiding the use of such information for personal gain or harmful activities, and taking care to protect the information acquired.
               23-3 Avoidance of conflicts of interest. To this end, the head of the unit must take adequate measures to ensure that the unit's staff consistently adhere to integrity, comply with the internal audit principles, and follow the Principles of Conduct and Work Ethics in Financial Institutions issued by SAMA.
        • Principle (5): Internal Audit Policy

          24- The head of the unit must prepare and periodically update an internal audit policy and have it approved by the Board on the recommendation of the Audit Committee.
          25- The key items of the policy must include, at a minimum:
            25-1 The purpose of establishing the unit, and its scope and methodology of work.
            25-2 Its organizational position within the bank, its authorities and responsibilities, and its relationships with the other control units.
            25-3 The key characteristics of the unit as outlined in these principles.
            25-4 Whatever enhances its role and the performance of its duties and responsibilities.
            25-5 The right to communicate directly with any bank employee, and to examine the activities of any bank unit or affiliated entity where the affiliated entity does not have its own independent review unit or committee, without breaching the related regulations and instructions.
            25-6 The right to access any records, files, data, or physical assets of the bank, without conflicting with the relevant SAMA instructions.
            25-7 The right to obtain copies of records and supporting documents for audit activities, including access to management information systems and to the records and minutes of all advisory and decision-making bodies in the bank.
            25-8 The right to enable the unit to perform its role and discharge its responsibility for reviewing all activities of the bank's units and its affiliated entities, domestic and foreign, where the affiliated entities do not have their own independent review units or committees, without breaching the related regulations and instructions.
            25-9 The right to escalate to the Audit Committee without restriction when needed.
            25-10 The obligation to communicate the results of the internal auditors' work, the method for doing so, and the recipients (administrative reporting lines) of these reports.
            25-11 The unit's accountability to the Audit Committee for all matters related to the performance of its duties and responsibilities.
            25-12 The responsibility of the head of the unit.
            25-13 The conditions and terms for coordination and follow-up of work between the unit and the external auditors.
            25-14 The conditions and terms under which advisory or consulting services may be requested from the unit or special tasks assigned to it, without violating the relevant instructions.
            25-15 The commitment to an independent external assessment of the quality of the unit's work, its adherence to ethical conduct, and its compliance with the Principles of Internal Auditing for Local Banks in the Kingdom, at least once every five years.
            25-16 In accordance with SAMA's Rules on Outsourcing, the conditions and terms that determine the method, timing, and circumstances under which any of the unit's specialized, limited tasks may be outsourced to external service providers. The primary basis and minimum requirement for outsourcing is the lack of specialized expertise within the unit for the task (e.g., information security). The Board remains primarily responsible, and the unit is responsible for proper oversight. The work must be performed under a non-disclosure agreement; must achieve a transfer of knowledge and experience to the unit's staff; must not affect the unit's ability to work independently and objectively; must not be contracted to a provider previously contracted for the same task unless at least three years have passed; must not be contracted to the bank's current external auditor; and must not impede the effectiveness of SAMA's oversight. SAMA's prior approval must be obtained for the outsourcing.
            25-17 The requirements and mechanisms for reviewing the bank's affiliated entities that do not have their own independent review units or committees.
            25-18 The commitment to the international standards for internal audit relevant to the field.
            25-19 The scope and contents of the unit's periodic report submitted to the Board.
            25-20 The authority to refer to the Unified Internal Audit Charter of the Institute of Internal Auditors and to use the standards specified therein as a guideline when preparing the internal audit policy. Banks may add whatever they deem important, as necessary, without violating the relevant regulations, policies, and procedures.
          26- The policy must focus on the guiding principles for internal audit and control areas, including high-level guidance for each activity of the unit, and must provide a formally documented mechanism for resolving any differences of view that may arise with the unit, for example regarding the classification of findings, the overall report rating, report contents, prominent risks, and so on.
          27- The policy must be made available to all the bank's stakeholders for review through the appropriate mechanism followed by the bank.
           
        • Principle (6): Organization, Tasks, and Responsibilities of the Unit

          • Organizational Structure and Reporting

            28- The unit must have a clearly defined organizational structure approved by the Board, reporting functionally to the Audit Committee and administratively to the CEO. This structure must reflect the specialized roles within the unit and be appropriate to the size, nature, and complexity of the bank's operations.
            29- It is preferable for the unit to form a specialized team of experienced and competent senior auditors to manage and ensure the execution of all audit requests required by SAMA, continuously delivering high-quality outputs.
            30- The unit must report its audit findings to the Audit Committee and the CEO, without the results of these reports affecting the performance evaluation or compensation of the unit's head and staff.
            31- The unit must inform executive management of all significant findings related to the implementation and maintenance of an appropriate and effective internal control system and procedures, enabling executive management to take timely and appropriate corrective actions. The unit must also follow up with executive management on the results of these corrective actions.
          • Requirements and Responsibilities of the Unit Head

            32-The unit head must possess the necessary independence, objectivity, competencies, and ethics to effectively perform their role and duties.
            33-Their responsibilities must be clearly defined and should include, at a minimum, the following:
              33-1Attracting human resources with suitable qualifications and skills, based on a formal analysis of the unit’s actual needs required to perform its activities efficiently, and comparing those needs with the available human resources and their competency levels. Develop a plan to meet these needs and competencies, and formally share it with the audit committee for monitoring and evaluation. The analysis should consider international standards, emerging risk areas, and audit experience.
              33-2Working towards Saudization of the unit’s positions as required by relevant regulations.
              33-3Developing teams and skills related to audit techniques with the aid of technical systems and performance analysis programs to expand the scope of their reviews and manage system-related risks more comprehensively.
              33-4Continuously monitoring, evaluating, and developing the unit’s staff.
              33-5Ensuring the unit's adherence to integrity and compliance with sound internal audit standards.
              33-6Developing the internal audit plan and obtaining approval from the audit committee, and periodically reviewing and updating it.
              33-7Developing and periodically reviewing the internal audit policy as needed and at each audit committee cycle, and submitting it along with any updates to the board for approval based on the audit committee’s recommendation.
              33-8Formulating an internal audit strategy aligned with the bank’s strategy, obtaining approval from the audit committee, and regularly reporting the results and compliance to the committee.
              33-9Participating in relevant committees, such as those for risk and compliance, while adhering to Key Principles of Governance in Financial Institutions.
              33-10Meeting with the audit committee individually whenever necessary.
              33-11Monitoring the work of external service providers when some or part of the internal audit tasks are outsourced, ensuring their adherence to the internal audit policy, and verifying that they do not affect the unit’s independence and objectivity, and that they transfer relevant knowledge and experience to the unit's staff.
              33-12Preparing a detailed matrix that lists and classifies the potential risks of suspending or postponing any audit activities, or parts of them, beyond the plan year, including an assessment and risk classification of each case and whether the suspension or postponement was requested by the unit or by other units. High- and medium-risk cases should be submitted to the audit committee for approval, with the reasons and considerations, ensuring that the risks continue to be addressed.
              33-13Identifying factors to consider when selecting branch samples for field audits in the targeted geographic area.
              33-14Encouraging audit unit staff to obtain Certified Internal Auditor (CIA) certification and other professional certifications (or one of them) to enhance the competence of internal auditors in the banking sector.
              33-15Enabling and supporting the implementation of an independent external quality assessment of the audit unit’s work at least once every five years, to ensure the quality of audit outputs, in line with the board-approved policy, based on the direction and approval of the audit committee, and selecting the independent assessment provider. The results should be presented to the committee and reported to the board.
          • SAMA's Non-Objection to Appointing or Changing the Unit Head

            34-Taking into account the Requirements for Appointing to Senior Positions in financial institutions under the supervision of SAMA and the Key Principles of Governance in Financial Institutions issued by SAMA, the bank must obtain SAMA’s prior non-objection to the appointment, assignment, or extension of the term of the head of the unit. The bank must also obtain SAMA’s prior non-objection if the head of the unit leaves their position (resignation, transfer to another role, termination of service, etc.), with documentation and explanation of the reason for the change.
          • Internal Work Procedures for the Unit

            35-Procedural manuals should be developed for the unit (either as an independent document or as part of the audit manual) to guide its staff in performing daily activities. These manuals should cover all activities of the unit in detail, providing step-by-step instructions. Each activity should include a sequential workflow that outlines the complete cycle of each process along with descriptive guidance. The manuals should align with detailed guidelines for implementing the audit policy.
            36-Detailed work guides should also be provided for using technical audit systems to assist both current and newly joined staff in using the systems effectively and understanding their capabilities.
            37-When developing work procedures for the unit, reference should be made to the standards and guidelines from the Institute of Internal Auditors, including the "International Standards for the Professional Practice of Internal Auditing" and its updates, as well as best practices for guidance in the procedures.
          • Units and Entities Subject to Internal Audit and the Audit Cycle

            38-The unit must document a comprehensive list of the bank's units and its affiliated entities subject to audit, serving as a comprehensive framework for audit processes.
            39-This list should cover all operational units, products, services, systems, risks, and processes of the bank.
            40-The list should include all requirements set by SAMA for the unit and be part of the comprehensive audit framework.
            41-Ensure that the comprehensive audit programs for this list cover relevant SAMA instructions and internal policies, and that they are developed for each unit within the bank and its affiliated entities within the comprehensive audit framework.
            42-The unit should develop an official framework for assessing the risks of each unit in the bank and its affiliated entities listed separately. This framework should also identify risk factors, such as: the latest audit assessment, time elapsed since the last audit, applicable and realized risk levels, complexity, etc., as a basis for risk assessment. The frequency of audits for each unit in the bank and its affiliated entities may be based on this risk assessment (e.g., increasing the frequency for high-risk units and entities).
            43-The unit should review all units in the bank and its affiliated entities documented in the list at least annually to ensure completeness and coverage of all units, products, systems, and procedures of the bank.
            44-The unit should document an official audit cycle that covers all units in the bank and its affiliated entities listed, and execute this cycle within a defined period, which may extend from three to four years depending on the risk classification of each listed item, in accordance with the risk-based approach.
          • Risk Assessment Methodology

            45-The risk assessment methodology should include the following:
              45-1Documented and detailed guidelines that outline and assist internal auditors in classifying risks when preparing each observation.
              45-2Documented and detailed guidelines for assessing risks in the overall audit report.
              45-3Identification of quantitative and qualitative factors necessary to facilitate understanding and consistent application by audit staff.
              45-4Classification of the bank’s internal violation reports (of which the audit unit should receive copies) according to their risk level, the extent to which they were escalated to the competent authority in the bank, and their documentation.
              45-5All instances of non-compliance with SAMA instructions should be classified as high risk, unless not classifying them as high risk is supported by specific justifications approved by the compliance unit. These justifications should be based on a risk classification mechanism that takes into account the size and impact of the non-compliance.
          • Risk-Based Internal Audit Plan

            46-The head of the unit is responsible for preparing the annual internal audit plan and its implementation schedules, and for seeking approval from the Audit Committee. When preparing the plan, a thorough risk assessment should be undertaken (considering inputs from executive management). The plan can be part of a multi-year plan, in which case it should be reviewed and updated annually aiming to respond to changes in the sector and in the bank's risk profile, or more frequently, throughout the year, to enable continuous and real-time assessment of areas where significant risks may arise.
            47-The annual audit plan should include a list of business units and activities subject to audit and risk assessment, with well-prepared documentation to ensure a systematic audit approach.
            48-In implementing the annual audit plan, audit work programs must include detailed audit procedures for each business unit subject to review, with sufficient clarifications regarding the scope of its relevance, surveys, and ensure coverage of all potential key or significant risks, control elements, and regulatory supervisory instructions. It should be taken into account that the assessment and analytical skills of internal auditors are essential to ensure a high quality of internal audit.
            49-A list of all supervisory expectations from the audit units must be compiled, and this requirement should be stipulated in their policy or procedures. This list, along with the required areas in the comprehensive audit framework, should serve as sources among others, such as the audit cycle, the bank’s most significant risks, new or emerging risk areas, and so on, for developing the annual internal audit plan. The frequency of audits, wherever specified by SAMA, must exceed the internal risk assessment conducted by the audit unit.
            50-Adequate resources must be available to support the unit in performing its duties, in accordance with the annual internal audit plan.
            51-The unit should periodically conduct a self-assessment of specific requirements from SAMA and other regulatory bodies. Capabilities should be developed, and sufficient resources allocated to these areas, ensuring adequate space for them in the internal audit plan.
          • Information Technology for the Unit

            52-The unit should carry out its activities using appropriate technological systems to enhance the efficiency of the internal audit function.
            53-The unit should conduct a formal gap analysis using current automation tools, address and close these gaps, highlight activities currently performed manually, and develop action plans to automate all such activities—wherever feasible—and escalate these plans to the Audit Committee for monitoring purposes.
          • Quality Assurance and Performance Improvement Program

            54-The unit should establish an internal function reporting directly to the head of the unit, dedicated to quality assurance and performance improvement, and should be staffed with qualified and suitably experienced resources.
            55-The internal audit unit should implement a quality assurance and performance improvement program covering all aspects of internal audit activities. This program should include both internal evaluations (ongoing assessments and annual comprehensive reviews) and external evaluations (conducted at least once every five years), with the results reported to the Audit Committee.
            56-The quality assurance and performance improvement unit must review and evaluate all activities and reports of the audit unit on an ongoing basis. The head of the audit unit must submit regular reports on the review and evaluation results of that unit (both ongoing and annual) to the Audit Committee.
            57-The quality assurance and performance improvement unit should be responsible for reviewing and updating the internal policies and procedures of the internal audit unit, training and motivating its staff, and working on enhancing the quality of work and other performance improvement tasks.
          • Periodic Reports to the Audit Committee

            58-The internal audit unit should prepare periodic reports on its reviews and submit them to the Audit Committee. The committee, in turn, should submit these reports directly and independently to the board without any revisions from the executive management or any other source. The reports should, at a minimum, include:
              58-1A quarterly report: This should include an assessment of the internal control system of the units reviewed, the findings and recommendations related to the work units audited, the actions taken by each unit regarding the findings and recommendations from the previous review, and an explanation of the status of findings not addressed by the executive management. It should also detail instances of failure to respond promptly to those findings and recommendations, along with the reasons for such failures.
              58-2An annual general (comprehensive) report: This should include an assessment of the bank's internal control system and the audit activities conducted during the financial year compared to the approved plan. It should also state the reasons for any shortcomings or deviations from the plan, if any, within a deadline not exceeding the end of the following quarter after the end of the relevant financial year, or according to the dates in the approved annual plan.
          • Database and Document/Report Storage

            59-The audit unit must establish a database for its operations and update it continuously.
            60-In accordance with the relevant regulations of the central bank and other regulatory bodies, all internal audit reports, findings, recommendations, corrective action plans, and supporting documents should be stored electronically in the database. This includes any results obtained by independent auditors that were previously found by audit staff, and all work-related documents, internal audit achievements, results, recommendations, and measures taken in accordance with the relevant central bank instructions.
            61-A formal manual (either independently or as part of the audit manual) for record retention and storage mechanisms should be prepared and approved. This manual should describe the methods of storage and details of all work papers and information to be retained, the minimum retention period, and the recommendations of the audit unit. This should be done considering the data and information retention regulations and instructions provided by the relevant supervisory regulatory authorities.
        • Principle (7): Scope of the Unit's Work

          62-The general scope of the unit includes every unit in the bank and its affiliated entities (that do not have independent audit units or committees), covering all activities, operations, products, and services of the bank, as well as the limited specialized tasks that may be outsourced to external service providers, including the review and assessment of the effectiveness of the internal control system, risk management, governance, compliance, and supervisory requirements, as well as consulting services. The unit should evaluate the entire bank, including branches and affiliated entities.
          63-The unit is responsible, independently within its scope and work plan, for evaluating the following:
            63-1The effectiveness and adequacy of internal control functions, risk management, and governance in the context of current and potential future risks, including committees.
            63-2The procedures established by business units and support units.
            63-3The reliability of management information system policies and procedures, (including: data relevance, accuracy, completeness, availability, confidentiality, and comprehensiveness). 
            63-4The level of compliance with regulations, policies, and internal procedures of the bank.
            63-5The adequacy and effectiveness of asset protection procedures.
            63-6The adequacy and effectiveness of all reports and their preparation mechanisms.
          64-Participate, upon request, in internal investigations that do not conflict with the unit's scope, duties, and responsibilities, as deemed necessary by the head of the unit: the audit committee should be provided with reports on such investigations.
          65-With consideration to the relevant instructions and the requirements for applying the risk-based approach and its methods, the unit must, in implementing the scope of its activities, properly cover in the audit plan the requirements of topics of regulatory and supervisory importance according to the timeframes specified for each requirement, or at least annually if no timeframes are specified, unless the risk assessment of the units requires a shorter period for the following activities:

          Risk Management Unit

          66-The unit should primarily include the following in its plan concerning the Risk Management Unit:
            66-1Its organization and powers, including market, credit, liquidity, interest rate, operational risks, legal risks, and any other risks.
            66-2Assessment of risk tolerance, escalation of issues and decisions, and reporting on them.
            66-3The adequacy of policies and procedures for identifying, measuring, assessing, monitoring, and addressing emerging risks from the bank's activities, and reporting on them.
            66-4The integrity of its information systems, including the accuracy, reliability, and completeness of data used.
            66-5The approval and maintenance of risk models, including the process of verifying the consistency, timeliness, independence, and reliability of the sources of information used in these models.
            66-6The degree of significant differences between its views and those of the executive management regarding the level of risks facing the bank.
            66-7The compliance of all business units and their employees with the internal authority matrix of the bank, and ensuring no authority is exceeded.

          Capital and Liquidity

          67-The unit must address all requirements of the regulatory framework for capital and liquidity within its scope of activities, particularly:
            67-1The internal capital adequacy assessment document and the internal liquidity assessment document.
            67-2Regulations for determining and measuring the bank's regulatory capital, assessing the adequacy of its capital resources relative to risk exposures, and the minimum indicators approved.
            67-3The process for conducting stress tests for capital and liquidity levels, considering the frequency of such tests, their purpose, the reasonableness of hypothetical scenarios, assumptions used, and the reliability of procedures.
            67-4The bank's instructions and procedures for measuring and monitoring liquidity conditions relative to its risk register, external environment, and minimum regulatory (supervisory) requirements.

          Regulatory (Supervisory) and Internal Reporting

          68-Evaluate the effectiveness of the process through which the Risk Unit and the relevant reporting unit communicate for issuing accurate, timely, and reliable reports, whether internally or for regulatory (supervisory) purposes.

          Compliance Unit

          69-Assess the scope of activities of the Compliance Unit and evaluate the effectiveness of its execution of responsibilities related to compliance risks.
          70-Cooperate with the Compliance Unit in following up on tasks, responsibilities, and activities requested by the central bank from the audit unit, as specified in terms of format and timing.

          Governance

          71-Study the scope of governance activities at the bank, focusing on:
            71-1Evaluating the effectiveness of the unit responsible for governance in executing its responsibilities.
            71-2Reviewing all governance-related policies and procedures within the bank to ensure they align with regulations, rules, instructions, and updates, and assessing their implementation and effectiveness.
            71-3Ensuring the bank's compliance with all regulations from local supervisory authorities related to governance.
            71-4Ensuring the presence of an effective control system to prevent fraud within the bank.
            71-5The process of appointing bank representatives in its subsidiaries and ensuring there are policies and procedures governing this.

          Finance Unit

          72-The audit unit should include the following aspects in its scope of work:
            72-1The organization and powers of the Finance Unit.
            72-2The adequacy and integrity of financial data and the financial systems, instructions, and procedures, including the identification, monitoring, measurement, and reporting of key data (e.g., profit or loss, financial instrument valuations, provisions), including necessary changes in accordance with international accounting standards and international financial reporting standards.
            72-3The approval and maintenance of pricing models, including verifying the consistency, timeliness, independence, and reliability of information sources used in these models.
            72-4The controls in place to prevent and detect violations.
            72-5Controls on the balance sheet, including reconciliation processes and procedures (e.g., adjustments), regulatory tasks and activities, and other ongoing activities that the audit units must review periodically, as documented in the comprehensive audit procedures and framework, along with the required compliance timing. Examples include but are not limited to information security (cybersecurity), business continuity, anti-money laundering and counter-terrorism financing, dormant accounts, and others currently and in the future.
        • Principle (8): The Unit's Relationship with Second Line of Defense Units and External Auditors

          • (A) Relationship with Second Line of Defense Units

            73-Second line of defense units are subject to independent review by the audit unit. Each of these units has areas closely related to other units in general and to the audit unit specifically. However, they are all organizationally separate from each other. Given the comprehensive coverage provided by the oversight performed by the second line of defense, particularly by the Risk Management Unit and the Compliance Unit, the audit unit relies on valuable information provided by these units. Nevertheless, the reliability of this information is subject to assessment by the Head of the Audit Unit.
          • (B) Relationship with External Auditors

            74-External auditors appointed by the bank play a crucial role in the continuous improvement of the bank’s internal control systems related to their scope of work. Therefore, their work should be complementary to the internal audit unit. This should be coordinated through a defined mechanism and regular meetings (based on the approved internal audit policy) to enable both parties to stay continuously informed about significant concerns. The audit committee must ensure that this coordination is in place and effectively implemented.
        • Principle (9): Internal Audit of the Bank’s Subsidiaries

          75-In cases where the bank has a subsidiary with its own independent audit unit and audit committee, and while ensuring compliance with relevant regulations and instructions, it is preferable to:
            75-1Obtain a seat for the head of the bank’s unit or their delegate in the audit committees of the bank’s subsidiaries to monitor developments and ensure the effectiveness of internal controls within them.
            75-2Conduct limited tests to verify the quality of the subsidiary’s audit unit operations to ensure the soundness of its activities.
          76-In cases where the bank has a subsidiary that does not have an independent audit unit and audit committee, and while ensuring compliance with relevant regulations and instructions, the following should be done:
            76-1The approved audit policy should define how the audit of such entities will be conducted.
            76-2The unit should report the results of the audit activities of these entities to the audit committee.
    • Principles of compliance for commercial banks operating in the Kingdom of Saudi Arabia

      No: 42005223 Date(g): 15/9/2020 | Date(h): 28/1/1442Status: In-Force

      Translated Document


      Based on the powers vested in SAMA under its Law issued by Royal Decree No. (23) dated 23/05/1377H and the Banking Control Law issued by Royal Decree No. (M/5) dated 22/02/1386H, with reference to the Compliance Manual for Banks Working in Saudi Arabia issued in the year (1429H/2008G), and in light of SAMA's supervisory and regulatory role and its efforts to continuously improve and address banking regulatory issues and enhance sound practices in banking institutions:

      Attached are the Principles of Compliance for Banks and Commercial Banks Operating in the Kingdom of Saudi Arabia, which aim to activate supervisory roles and enhance sound practices in banking institutions, replacing the aforementioned manual.

      These principles shall apply as guiding rules until the end of 2020G, and on a mandatory basis from 01/01/2021G.

      • Definitions

        The terms and phrases below—wherever they appear in these principles—mean the definitions given next to each term, unless the context indicates otherwise:
        1-Central Bank: The Saudi Central Bank.  
        2-Bank: Local commercial banks and branches of foreign banks licensed to conduct banking activities in the Kingdom in accordance with the Banking Control Law.
        3-Council: The Board of Directors of the local bank. The primary officer in a foreign bank branch assumes the tasks and responsibilities of the Board of Directors in local banks wherever referenced in these principles.
        4-Senior Management: The executive management of the local bank (CEO, Managing Director, General Manager) and senior executives responsible for managing the bank's operations, proposing and implementing strategic decisions, and the branch manager for foreign bank branches licensed to conduct banking activities in the Kingdom.
        5-Compliance Function: An independent function at the first managerial level in senior management that identifies, evaluates, advises on, monitors, and reports on non-compliance risks related to the bank's exposure to regulatory, administrative penalties, financial losses, or harm to its reputation due to non-compliance with regulations, instructions, financial crime prevention requirements, or standards of conduct and professional practice. This function is carried out by an independent compliance unit in banks.
        6-Compliance Policy: The policy approved by the Board of Directors of the bank and the head of the foreign bank branch that defines and outlines the comprehensive responsibilities of compliance, the authority of the compliance unit, and the main principles, pillars, and methodology the bank follows to manage compliance risks, including the elements outlined in Principle (1).
        7-Compliance Unit: A unit at the group, sector, or department level, depending on the structure of first managerial level units in local banks, or a department, division, or section, etc., at the first managerial level reporting to the primary officer in foreign bank branches, where the head and compliance staff are solely responsible for compliance-related tasks and responsibilities.
        8-Chief Compliance Officer: The CEO of the compliance unit in local banks and the executive in the first managerial level reporting directly to the head of the branch in foreign bank branches, whose responsibilities include coordinating the process of identifying non-compliance risks, providing advice to senior management on how to manage them, and overseeing the activities of compliance officers and staff.
        9-Compliance Staff: All individuals performing compliance duties and responsibilities within the compliance unit.
        10-Compliance Officer: An employee from other operational units, different from the compliance unit staff, designated by the Chief Compliance Officer to handle specific compliance responsibilities and tasks within their operational unit.
        11-Compliance Risks: Risks resulting in or leading to the imposition of penalties and regulatory actions against the bank or significant financial losses, or damage to its reputation due to non-compliance with relevant regulations, instructions, and standards applicable to the bank, and ethical and behavioral codes governing banking activities, collectively referred to as "non-compliance risks."
        12-Compliance Role: The description of responsibilities assigned to compliance staff within the bank.
        13-Regulations: The regulations and rules applicable to the banking sector and its personnel.
        14-Instructions: All directives issued by SAMA in its role as a supervisory and regulatory authority, and by other relevant authorities, including regulations, rules, principles, frameworks, guides, and mandatory circulars.
        15-Compliance Systems, Rules, and Standards: The regulations and instructions applicable to the banking sector and its personnel.
        16-Conflict of Interest: A situation where the Chief Compliance Officer, compliance staff, or compliance officers in other units may have a direct or indirect interest or relationship in a matter being reviewed by them for decision-making purposes; such that this interest or relationship prevents or leads to the belief that it interferes with their ability to express their opinion or make a decision independently and impartially, without considering this interest or relationship. 

        * The name "Saudi Central Bank" replaced "Saudi Arabian Monetary Authority" according to the Saudi Central Bank Law No. (M/36) dated 11/04/1442H.

      • Introduction


        17-SAMA issued these principles based on the powers granted to it and its supervisory and regulatory responsibilities, as follows:
         a. The Saudi Arabian Monetary Law, issued by Royal Decree No. (23) dated 23/05/1377H.
         b. The Banking Control Law, issued by Royal Decree No. (M/5) dated 22/02/1386H.
         c. The Anti-Money Laundering Law, issued by Royal Decree No. (M/20) dated 05/02/1439H, and its Implementing Regulations, issued by State Security Presidency Decision No. (14525) dated 19/02/1439H.
         d. The Law on Combating the Financing of Terrorism, issued by Royal Decree No. (M/21) dated 12/02/1439H, and its Implementing Regulations, issued by Cabinet Decision No. (228) dated 02/05/1440H.
        18-SAMA issued these principles as the first update to the Compliance Manual for Banks Working in Saudi Arabia issued by Circular No. 56202/M A T/787 dated 19/12/1429H. This issuance is part of SAMA’s efforts to continuously improve and address banking regulatory issues and enhance sound practices in banking institutions. It also emphasizes that bank officials must be convinced that compliance policies and procedures are effective and applied, and that senior management has appropriate corrective actions to address any non-compliance or deficiencies when detected.
        19-Compliance with regulations and instructions starts from the top of the hierarchy, where the chairman, board members, and senior management should serve as examples in managing work and compliance.
         
         
        20-Effective compliance requires continuous affirmation from senior management that a culture based on high standards of integrity and professional ethics prevails. Compliance should be an integral part of the bank’s culture and should not be limited to the compliance unit only. Each individual in the bank carries responsibility for compliance, and this responsibility must be integrated into the bank's operations and activities, ensuring high standards are met in its operations by constantly adhering to the spirit and letter of the regulations. It must also consider the impact of actions related to shareholders, customers, employees, and the market environment that could lead to significant negative reactions affecting the bank’s reputation, even if there is no actual violation of regulations.
         
         
        21-Trust and integrity are the core values and highest priority in the relationship between the bank and its customers, forming the foundation upon which the bank builds its reputation with customers and stakeholders. Reputation protection must be a fundamental concern for managers and employees. They must exhibit a high level of trust, integrity, and professionalism in their duties and ensure their actions are always in compliance with the letter and spirit of regulations and instructions governing the banking sector.
         
         
        22-These principles establish a framework for governance of compliance within the bank, consisting of the board and its responsibility for approving the compliance policy and overseeing the management of non-compliance risks, senior management and its responsibility for managing non-compliance risks, and the compliance unit with its responsibility for overall coordination of compliance and supporting senior management.
         
         
        23-These principles begin by defining the responsibilities of the board and senior management regarding compliance as a primary importance, followed by the principles that should support the compliance unit within the bank.
         
         
        24-Compliance systems, rules, and standards cover matters such as adherence to appropriate market practices, managing conflicts of interest, treating customers fairly, ensuring the suitability of advice given to customers, and specific areas such as anti-money laundering, combating terrorism financing, preventing the spread of weapons, Know Your Customer (KYC), anti-financial fraud, anti-corruption, and handling reports of violations.
         
         
        25-Compliance systems, rules, and standards are based on multiple sources including the regulations and instructions applicable to the banking sector under the supervision of SAMA, regulations and instructions overseen by other official authorities with jurisdiction or in other countries where banks operate, prevailing banking practices, industry-supported business practices, internal conduct rules applied to bank employees, integrity and ethical behavior standards, and relevant requirements issued by international organizations and groups responsible for setting policies governing the supervision of banking and financial institutions, such as the Basel Committee on Banking Supervision, among others.
         
         
        26-Compliance principles require that the compliance unit be independent, adequately resourced, clearly define its responsibilities, and be subject to independent and periodic review by the internal audit unit, as detailed in principles (5) to (8) below. These principles reflect the effectiveness of the compliance unit’s work.
         
         
        27-The compliance unit and function in banks are considered one of the most important foundations and factors for their success, as they play a crucial role in maintaining their reputation and credibility, protecting shareholder and depositor interests, and providing protection from penalties. This is achieved through its activities and contributions as follows:

        • Mitigating non-compliance risks, particularly regulatory, reputational, and financial penalty risks.
           
        • Strengthening relationships with regulatory and supervisory authorities and addressing their feedback to identify and rectify deficiencies on a regular basis before they escalate.
           
        • Contributing to the establishment of sound management and governance principles within banks.
           
        • Ensuring compliance with regulations and instructions issued by supervisory and regulatory authorities, as well as other relevant authorities.
           
        • Developing appropriate mechanisms and frameworks to combat money laundering, terrorism financing, weapons proliferation, financial fraud, and corruption, and providing insights, advice, and recommendations to address and correct deficiencies and violations.
           
        • Carrying out the necessary procedures to address reports of violations submitted by bank employees and stakeholders, in alignment with the whistleblowing policy for financial institutions issued by SAMA. This ensures an objective and escalatory approach to handling the reports and devising a corrective action plan.
           
        • Upholding values and professional practices in banking operations.
           
        • Raising awareness among bank employees about the strengths and weaknesses of their compliance and the risks associated with non-compliance with regulations and instructions issued by relevant regulatory and supervisory authorities.
           
         
        28-The bank must organize its compliance unit such that the priorities for managing non-compliance risks align with its risk management strategy.
         
         
        29-It should be understood that the scope of compliance frameworks and the diversity and complexity of compliance rules and their sources place the responsibility for managing non-compliance risks, verifying the level of compliance, and establishing the necessary controls to ensure compliance, whether at the level of business procedures, technical systems, or data protection, on the shoulders of senior management and all business units (groups and business sectors). This is achieved through conducting the necessary reviews and ensuring effective and continuous implementation. The role of the compliance unit is limited to compiling, communicating, and explaining the regulations and instructions to the business sectors immediately upon receiving them from supervisory and regulatory authorities or other relevant entities, obtaining confirmation from these sectors, ensuring they are included in policies and procedures, conducting continuous monitoring, and periodically identifying, detecting, and assessing non-compliance risks. It also involves reporting violations of compliance systems, rules, and standards, as well as submitting reports on non-compliance risks and violations.
         
         
        30-The compliance principles apply to all commercial banks operating in the Kingdom and their branches and offices in foreign countries where they conduct banking activities, unless they conflict with the regulations and instructions of those countries. They represent the minimum necessary to achieve overall compliance effectiveness and specifically the effectiveness of the compliance unit and function. SAMA expects adherence to higher and more sound practices.
         
         
        31-These principles should be read and applied in conjunction with several related instructions for the unit's operations, including but not limited to the following:

         
      • Principles

        • Responsibilities of the Board of Directors Regarding Compliance.

          • Principle (1): Oversight of Non-Compliance Risk Management

            The responsibility for effective oversight of non-compliance risk management lies with the Board of Directors in local banks and with the CEO/Branch Manager in foreign bank branches. To fulfill this responsibility, the following must be done:
             
             
            32-Approve an effective compliance policy and oversee it, which includes at a minimum:

            1. Establishing a permanent and effective compliance unit and updating its organization from time to time.

            2. Promoting a culture of compliance, defining employee responsibilities, the penalties for neglect, and the standards that must be achieved.

            3. Supporting and promoting values of integrity and honesty throughout the bank.

            4. A comprehensive commitment, across all of the bank's policies, to comply with regulations and instructions.

            5. The necessary requirements for managing non-compliance risk matters.

            6. Supervising the implementation of the policy, including ensuring that compliance-related issues are addressed by senior management quickly and effectively with the help of the compliance unit.

            7. Committing to providing adequate resources to the compliance unit on a continuous basis.

            8. Granting the compliance unit the necessary independence as per Principle (5).

            9. Precisely defining the responsibilities of the compliance unit.

            10. Having the internal audit unit review the activities of the compliance unit and compliance risks periodically.

            11. Continuously overseeing efforts towards implementing the compliance policy, the performance level achieved as shown in periodic reports, the assessment of the compliance unit's activities, the identification of weaknesses, and efforts in training and awareness.
             
            33-The board or a committee delegated by it must evaluate the effectiveness of non-compliance risk management in the bank at least once a year.
             
             
            34-Approve updates to the compliance policy from time to time to enhance the effectiveness and efficiency of compliance, in line with instructions from SAMA regarding policy updates.
             
             
            35-Approve the annual compliance report and provide SAMA with a copy. 
        • Responsibilities of Senior Management Regarding Compliance

          • Principle (2) General Principle: Effective Management of Non-Compliance Risks

            The responsibility for effective management of non-compliance risks rests with the senior management of the bank. Principles (3) and (4) outline the key elements of this principle.

          • Principle (3) Preparation, Update, and Approval of Compliance Policy, Responsibility, Sanctions, Monitoring, and Reporting on Non-Compliance Risks

            The senior management of the bank is responsible for preparing, updating, and obtaining board approval for the compliance policy, and ensuring its dissemination. They must also ensure adherence to the policy and report on non-compliance risk management to the board.
             
             
            Responsibility for Preparing, Updating, and Communicating the Compliance Policy
             
            37-The senior management of the bank is responsible for preparing and updating the compliance policy for managing compliance matters, obtaining its approval from the board in local banks or from the branch head in foreign bank branches, and communicating it to all bank sectors. The policy should include:

            1. The compliance principles that work units and their personnel must adhere to.
               
            2. An explanation of the key procedures for identifying and managing compliance risks throughout all levels of the bank's system.
               
            3. Enhancement of clarity and transparency by distinguishing between general standards applicable to all employees and specific standards and procedures that apply only to certain employee groups.
               
             
            Responsibility for Adhering to the Compliance Policy, Taking Corrective Actions, and Applying Sanctions
             
            38-The senior management has the duty to ensure adherence to the compliance policy and to ensure that appropriate corrective and disciplinary actions are taken in case of policy violations.
             
             
            Oversight and Reporting
             
            39-The senior management, with the assistance of the compliance unit, is responsible for:

            • Identifying the principal non-compliance risks facing the bank, developing plans to manage and assess these risks at least annually. These plans should address any deficiencies in the policy, procedures, or implementation related to the effectiveness of the existing non-compliance risk management, as well as determine the need for any additional policies or procedures to address new non-compliance risks identified in the annual non-compliance risk assessment.
               
            • Providing written reports to the board or its delegated committee, highlighting the bank's management of non-compliance risks at least once annually, to support board members in making informed decisions based on accurate information regarding the effectiveness of the bank’s non-compliance risk management.
               
            • Reporting in writing to the board or its delegated committee immediately about any significant failures, deficiencies, or violations of non-compliance (e.g., non-compliance situations that may result in significant risks leading to legal or regulatory penalties, severe financial losses, or damage to the bank’s reputation).
             
          • Principle (4) Responsibility for Establishing and Developing the Compliance Unit

            The senior management is responsible, under the compliance policy approved by the board, for establishing and developing a permanent and effective compliance unit within the bank, as follows:
             
             
            Establishing, Supporting, and Developing the Compliance Unit
             
            40-As a fundamental requirement of compliance, senior management in local banks, according to the compliance policy approved by the board, must establish, support, and develop an independent, permanent, and effective compliance unit with sufficient powers and responsibilities to oversee compliance. This includes having an independent compliance unit or head of compliance at the senior management level reporting directly to the top executive for foreign bank branches. The role of the compliance unit should be clearly communicated to all employees, encouraging them to consult the unit on compliance matters.
             
             
            Reliance on the Compliance Unit
             
            41-Senior management must take necessary measures to ensure that the bank relies on a permanent and effective compliance unit, which performs its duties in accordance with the "Compliance Unit Principles" mentioned later.
             
             
            Coordination and Integration with Other Business Units
             
            42-Achieving compliance requires senior management to foster a climate of trust and integration between the compliance unit and other business units, and to take the necessary measures and coordination to facilitate this relationship.
             
             
            Appointment of the Head of Compliance and Compliance Unit Staff
             
            43-The selection and nomination of the head of compliance and the staff of the compliance unit are subject to the Requirements for Appointments to Senior Positions issued by SAMA and any other relevant guidelines issued by SAMA. The responsibility for selecting compliance unit staff lies with the head of compliance in accordance with the bank’s internal employment and appointment requirements. 
        • Compliance Unit Principles

          The main principles from Principle (5) to Principle (8) detail the practices, requirements, and proper applications necessary for the compliance unit. However, the methods for implementing these principles depend on various factors such as the size of the bank, the nature and complexity of the bank's activities, its geographic scope, and the regulatory framework and instructions under which it operates.

          • Principle (5) Independence

            44-The compliance unit in the bank must be independent.
             
             
            Concept of Independence for the Compliance Unit
             
            45-The concept of independence in this principle refers to "the independence of the compliance unit from external interference by other operational units in performing its compliance duties or influencing them." This does not mean that the compliance unit should not work closely with other business units to facilitate compliance; rather, the working relationship between the compliance unit and other units should be cooperative, supporting the early identification and management of non-compliance risks. The various elements outlined below should serve as preventive measures to help ensure the effectiveness of the compliance unit. Regardless of the close working relationship between the compliance unit and other units, the method of implementing these preventive measures depends to some extent on the specific responsibilities of each compliance unit employee.
             
             
            Elements of the Concept of Independence
             
            46-The concept of independence includes four interrelated elements that must be applied as follows:

            1. Element One: The Compliance Unit Must Have an Official Status in the Bank.
               
            2. Element Two: In local banks, the compliance unit should be headed by an executive at the first managerial level. In branches of foreign banks, the unit should be led by a senior executive at the first managerial level who reports directly to the head of the branch. This position should include the overall responsibility for coordinating the management of compliance risks within the bank.
               
            3. Element Three: The personnel of the compliance unit, particularly the head of compliance, should not be placed in a position that could lead to potential conflicts of interest between their compliance responsibilities and any other responsibilities associated with their role.
               
            4. Element Four: All personnel within the compliance unit should have the right and authority to access and review all relevant information, records, and files, and communicate with bank employees as necessary to perform their duties.
               
             
            The Official Organizational Status of the Compliance Unit
             
            47-The Compliance Unit must have an official status within the bank that grants it appropriate recognition, authority, and independence. This should be outlined in the bank's compliance policy or in an official document related to the policy. All bank employees should be informed of the document specifying this status.
             
             
            Key Items of the Compliance Unit's Organizational Document
             
            48-The organizational document for the Compliance Unit, related to the compliance policy, must include at a minimum the following requirements:

            1. The role and responsibilities of the Compliance Unit.
               
            2. Procedures necessary to ensure the independence of the Compliance Unit.
               
            3. The relationship of the Compliance Unit with other risk units within the bank, and its relationship with the internal audit unit.
               
            4. The method for distributing compliance responsibilities in exceptional cases where, due to technical or specialized reasons, or where there is no significant relationship with non-compliance risks, some compliance responsibilities may be assigned to employees in other operational units such as human resources, administrative affairs, branches, etc. Such assignments must follow specific procedures outlining the role and authority of those units and their designated officials.
               
            5. The Compliance Unit has the right to access the necessary information, records, and data to perform its responsibilities, and the requirement for bank employees to cooperate in providing this information.
               
            6. The Compliance Unit has the right to conduct necessary investigations by itself or through delegated external experts for potential policy violations or shortcomings in compliance policy implementation, and its authority to appoint or request external experts if needed.
               
            7. The Compliance Unit has the right to freely report investigation results to senior management and, when necessary, to the board or its authorized committee.
               
            8. The official obligations of the Compliance Unit regarding reporting to senior management.
               
            9. The Compliance Unit has the right to direct access to the board or its authorized committee.
             
            Compliance Officer
             
            Job Level
             
            49-Every local bank must appoint a Chief Compliance Officer, and every branch of a foreign bank must appoint a high-ranking officer at the first managerial level who reports directly to the branch’s chief officer. This role includes the overall responsibility of coordinating the identification of non-compliance risks at the bank, advising on their management, and supervising the activities of compliance officers and staff within the compliance unit.
             
             
            Job Affiliation
             
            50-The compliance officer at the first managerial level in the bank should report directly and only to the chief executive in the senior management of local banks (Managing Director/CEO/General Manager), or to the chief officer of the branch in the case of foreign bank branches (according to the highest job title in the branch). The Chief Compliance Officer should not hold any direct or indirect responsibilities related to banking activities. They must have the authority to report and notify the board or its delegated committee of any significant weaknesses, deficiencies, or violations without fear of negative repercussions from management, other business units, or bank employees. No actions should be taken against them for such reporting.
             
             
            Notification of Appointment and Changes to the Board
             
            51-For local banks, the board members must be notified when there is an appointment or change (resignation, transfer to another role, retirement, termination of service, etc.) of the Chief Compliance Officer, including documentation and reasons for the change.
             
             
            SAMA's Non-Objection to Appointments and Changes
             
            52-The bank must obtain a non-objection letter from SAMA for the appointment of the Chief Compliance Officer, in accordance with the Requirements for Appointments to Senior Positions. SAMA's non-objection is also required if the Chief Compliance Officer leaves the position (resignation, transfer to another role, termination of service, etc.), with documentation and reasons for the change.
             
             
            Notifying Regulatory Authorities in the Host Countries
             
            53-For banks licensed to conduct international banking activities with compliance officers from those countries, the regulatory authority in the host countries must be notified of the Chief Compliance Officer's appointment or departure if such notification is required by the host country regulations.
             
             
            The Affiliation of the Compliance Officers and Staff with the Chief Compliance Officer
             
            54-All staff in the compliance unit must report directly to the Chief Compliance Officer, ensuring that the unit can fulfill all responsibilities independently of other business units within the bank. Compliance officers assigned to compliance tasks in other business units should have a functional reporting relationship to those units but must also have a reporting line to the Chief Compliance Officer concerning their compliance responsibilities and reports. To avoid dual hierarchy, the compliance officers' reporting path to the Chief Compliance Officer regarding non-compliance risks should be the controlling and mandatory line.
             
             
            Periodic Meetings
             
            55-The Chief Compliance Officer should have the authority to hold regular meetings with senior management and heads of different business units to discuss compliance with regulations and instructions relevant to the operations and activities of each group, department, or sector. These meetings should be officially documented. It is preferable that senior management and heads of business units attend these meetings personally rather than sending representatives, as their active participation demonstrates:

            • Leadership by example.
               
            • Understanding of their responsibilities regarding compliance.
               
            • Continuous reinforcement of compliance.
               
            • Support for the compliance process.
               
             
            Delegation of Responsibilities by the Chief Compliance Officer
             
            56-The Chief Compliance Officer may delegate some of their authority to certain employees within the bank for performing tasks related to compliance, such as those in the Treasury Unit or the bank's overseas branches and offices. Any employee delegated these tasks will act as an assistant to the Chief Compliance Officer and will be under their authority concerning non-compliance risks while maintaining full independence in other banking tasks. The size of the bank and its operational capacity should be considered. Any delegation by the Chief Compliance Officer does not exempt them from responsibility; they remain accountable for all compliance-related tasks to the relevant parties.
             
             
            Conflict of Interest
             
            57-To ensure the independence and professionalism of the Chief Compliance Officer and the Compliance Unit staff, they should only hold responsibilities related to the Compliance Unit. Compliance officers in other business units who are assigned compliance oversight tasks within those units—if present—must avoid conflicts of interest and disclose any situations that may result in a conflict of interest.
             
             
            58-To ensure the independence of the Chief Compliance Officer and compliance unit staff is not undermined, their financial rewards must not be tied to the financial performance of the business activity for which they are executing compliance responsibilities. However, financial rewards may be linked to the overall financial performance of the bank. In all cases, the final approval of the rewards for the Chief Compliance Officer and compliance unit staff must come from the Board of Directors or a committee derived from it.
             
             
            Direct Access to Information and Employees
             
            59-To effectively manage compliance responsibilities as outlined in the compliance documentation and at all administrative levels within the bank where non-compliance risks may exist, the Compliance Unit must have the following principal rights and capabilities, without waiting for orders or instructions:

            1. The right to communicate with any employee and access any necessary information, records, and files needed to fulfill its responsibilities.
               
            2. The ability to carry out its responsibilities independently across all business units where non-compliance risks are present, including the right to investigate any potential violations of compliance policies and to seek assistance from internal specialists (e.g., legal affairs or internal audit) or engage external experts if necessary.
               
            3. The freedom to report any potential violations or transgressions uncovered during its investigations to senior management, without fear of retaliation or dissatisfaction from business units or other employees.
               
            4. Although the Compliance Unit should report administratively to the CEO/Managing Director/General Manager, it must also have the right to communicate directly with the board or its delegated committee, bypassing usual administrative reporting lines if necessary.
               
            5. The Chief Compliance Officer should meet with the board or its delegated committee at least once a year to help assess the board's evaluation of the bank's ability to manage non-compliance risks effectively.
               
            6. The Chief Compliance Officer must promptly and directly notify SAMA/General Directorate of Bank Supervision upon identifying strong indicators of significant or serious compliance failures or violations that impact the reputation of the banking sector and must ensure that SAMA is informed.
             
          • Principle (6): Resources

            The bank must provide the Compliance Unit with the necessary resources to perform its responsibilities effectively. 

            Resources and Effectiveness in Achieving Tasks

            60-The resources provided to the Compliance Unit must be both sufficient and appropriate to ensure effective coordination of non-compliance risk management within the bank.
             
             
            Adequacy and Appropriateness of Resources
             
            61-The Compliance Unit should have staff with the necessary qualifications, experience, and personal and professional attributes required to carry out its defined duties. Compliance Unit staff must also have a sound understanding of regulations and instructions and their actual impact on the bank's operations. Additionally, the professional skills of the Compliance Unit staff should be maintained and developed, especially in keeping up with developments in regulations, instructions, and technology, through ongoing and regular education and training.
             
            Responsibility for Providing Resources and Its Impact
             
            62-The responsibility for providing the necessary financial, human, and technical resources and directing them towards the compliance process lies with the board, according to the approved policy, and with senior management in implementing, managing, and developing non-compliance risk management. It should be noted that increased compliance costs (e.g., development plans) can lead to enhanced effectiveness in identifying, measuring, monitoring, and controlling risks, thereby resulting in higher profits, better coordination of activities, and improved quality. Therefore, a periodic assessment should be conducted to ensure the adequacy of human and technical resources and determine whether additional support or development is needed to ensure the effective and efficient management of the compliance process.
             
          • Principle (7) Responsibilities of the Compliance Unit

            Assisting Senior Management in Compliance Implementation

            63-The responsibility for compliance and managing non-compliance risks at the bank lies with senior management. The role of the Compliance Unit is to assist senior management in effectively managing and addressing non-compliance risks (through advising, monitoring, and oversight). The Chief Compliance Officer supervises the implementation of compliance duties, which include executing the compliance program with its objectives and projects, and other approved tasks required for the effectiveness and role of compliance, aligned with the bank's risk strategy. If some of these responsibilities are carried out by employees in different business units (compliance officers), the distribution of these responsibilities must be clearly defined.
             
             
            64-The responsibility for addressing and correcting any deficiencies or violations identified by the Compliance Unit rests with senior management and the heads of business units where deficiencies or violations have been observed. The Compliance Unit's role is limited to providing advice and follow-up with the heads of business units and reporting any shortcomings in addressing and correcting issues.
             
             
            Communicating Regulations and Instructions and Monitoring Compliance
             
            65-The Compliance Unit must ensure that senior management and the various business units are informed, appropriately and in a timely manner, of regulations issued and instructions received from SAMA and from other relevant official entities, internal and external (including foreign jurisdictions and bodies concerned with banking regulation). These must be stored in a database that is maintained continuously and kept accessible, so that policies, procedures, products, services, and advertising materials can be checked against the relevant regulations and instructions. Business units must understand the instructions communicated to them and seek clarification from the Compliance Unit or from SAMA where needed; incorrect application of an instruction does not exempt the bank from regulatory penalties.
             
            66-All business units within the bank must obtain the Compliance Unit's approval before submitting requests for SAMA's approval of new products and services. The request for SAMA's approval or non-objection must be submitted only by the Chief Compliance Officer.
             
            67-The Compliance Unit must be involved in the decision-making process when tasks are assigned to third parties, to ensure there is no conflict with any instructions issued by SAMA or other relevant authorities.
             
            Organizing Responsibilities
             
            68-Not all compliance responsibilities are executed solely by the Compliance Unit. Some compliance tasks may be carried out by employees in the bank's various units and foreign branches (compliance officers), with the Chief Compliance Officer overseeing their work through an organizational arrangement approved by the board or a committee it delegates.
             
            69-Banks' organizational structures include specialized supervisory units that require specialized expertise, such as credit risk monitoring units, information security units, and finance units. These specialized units are responsible for implementing the compliance requirements related to their own tasks (e.g., taxation, zakat, credit risk, market risk, operational risk, information security, etc.). The Compliance Unit's role in relation to these units is to obtain the necessary assurances, documents, and evidence that they are fulfilling their compliance responsibilities and required role, unless the Compliance Unit has itself been assigned the specialized expertise and competencies to implement the compliance requirements related to those units' activities and tasks. In either case, the allocation of these responsibilities must be documented in the compliance policy so as to prevent any overlap arising from the similarity of supervisory roles between those units and the Compliance Unit.
             
            70-To ensure that the Chief Compliance Officer and the Compliance Unit staff can perform their responsibilities effectively, the Compliance Unit must have the right to request the bank's legal department to:
             
             
            • Provide advice on regulations and on the drafting of instructions for the Compliance Unit, and prepare the necessary guidelines for employees. The Compliance Unit itself focuses on monitoring compliance with regulations, instructions, policies, and procedures, and on preparing and submitting reports to senior management.
             
            • Investigate deficiencies and violations related to the implementation of relevant regulations and instructions concerning the tasks and operations of all bank units, at the Compliance Unit's request.
             
            • Provide legal opinions, from time to time, on the results of investigations conducted by the Compliance Unit.

            Consultation
             
            71-The Compliance Unit must advise senior management on compliance regulations, rules, and standards, including updates on local and international developments in this area. This advisory role involves close collaboration between Compliance Unit staff and the bank's business units, offering support and guidance on their daily operations. The Compliance Unit is responsible for advising on compliance matters and serves as the point of contact for any compliance-related inquiries from bank staff.
             
            Guidance and Awareness
             
            72-Training and educating all bank staff on relevant regulations and instructions pertaining to their individual responsibilities is a fundamental aspect of senior management's efforts to instill a compliance culture and encourage reporting of any violations to the Compliance Unit. Therefore, the Compliance Unit must continuously and proactively assist senior management in:
             
             
            • Raising employee awareness about compliance issues and potential violations, recognizing that they are the first line of defense, and serving as an internal contact point for compliance-related questions from bank employees.
             
            • Developing written guidance for employees that addresses the appropriate application of relevant regulations, compliance rules, and standards through policies and procedures. This includes preparing other guidance documents such as compliance manuals, internal codes of conduct, and practical guides.
             
            • Ensuring that the annual training and awareness program for all employees includes a plan that meets the bank’s ongoing needs and can be promptly adjusted in response to new issues, observations, significant changes, or updates in regulations, or high employee turnover. Training should be provided through available methods within or outside the bank, particularly for new employees, to familiarize them with compliance requirements related to their banking operations before starting their duties, and for those who interact directly with the public, to periodically remind them of requirements such as sales and marketing instructions, anti-money laundering and counter-terrorism financing, due diligence, reporting suspicious transactions, and internal violations.
            Identifying, Measuring, and Evaluating Non-Compliance Risks

            Identifying Risks
             
            73-The Compliance Unit should proactively identify, document, and assess the non-compliance risks related to the bank's activities (regulatory, financial, reputational, or strategic), including those arising from new product development, business practices, new types of business or customer relationships, or significant changes in the nature of existing relationships. If the bank has a New Products Committee, representatives of the Compliance Unit should sit on it.
             
            Measuring Risks
             
            74-The Compliance Unit should study methods for measuring non-compliance risks both quantitatively and qualitatively (e.g., compliance-related performance indicators) and use these metrics to support the assessment, reduction, and management of non-compliance risks. Techniques such as aggregating or filtering data to identify potential indicators of non-compliance risk (e.g., rising numbers of customer complaints, fraud cases, reports, penalties, and payments) can be employed.
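            The paragraph above names aggregation and filtering of indicator data as a measurement technique but does not show the mechanics. The following Python script is an added illustration; it is not part of the SAMA text and not a SAMA-prescribed method. It aggregates monthly counts per indicator and business unit, builds a baseline from the earlier months, and flags an indicator when its latest month rises above the baseline by both a z-score and a percentage threshold. The indicator names, counts, and threshold values are constructed assumptions for the example; a bank would substitute its own data feeds and calibrate the thresholds to its risk appetite.

```python
"""Trend screening of non-compliance risk indicators (added example).

Not part of the SAMA principles: a worked illustration of "aggregating or
filtering data to identify potential non-compliance risk indicators".
All figures below are constructed; thresholds are assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed sample rows: (month, indicator, business unit, count).
# Several rows may share a key (e.g. two complaint feeds for one month);
# they are summed before screening.
SAMPLE_EVENTS = [
    ("2023-01", "complaints", "retail", 40),
    ("2023-02", "complaints", "retail", 42),
    ("2023-03", "complaints", "retail", 38),
    ("2023-04", "complaints", "retail", 41),
    ("2023-05", "complaints", "retail", 45),
    ("2023-05", "complaints", "retail", 25),   # second feed, same month
    ("2023-01", "fraud_cases", "cards", 5),
    ("2023-02", "fraud_cases", "cards", 6),
    ("2023-03", "fraud_cases", "cards", 4),
    ("2023-04", "fraud_cases", "cards", 5),
    ("2023-05", "fraud_cases", "cards", 6),
    ("2023-01", "penalties", "treasury", 0),
    ("2023-02", "penalties", "treasury", 0),
    ("2023-03", "penalties", "treasury", 0),
    ("2023-04", "penalties", "treasury", 0),
    ("2023-05", "penalties", "treasury", 2),
    ("2023-03", "complaints", "digital", 10),   # too little history to judge
    ("2023-04", "complaints", "digital", 12),
    ("2023-05", "complaints", "digital", 30),
]


@dataclass(frozen=True)
class Flag:
    indicator: str
    unit: str
    month: str
    latest: float
    baseline_mean: float
    z_score: float
    pct_change: float


def aggregate(events):
    """Sum counts per (indicator, unit) and month: the aggregation step."""
    series = defaultdict(lambda: defaultdict(float))
    for month, indicator, unit, count in events:
        series[(indicator, unit)][month] += count
    return series


def screen(events, *, min_baseline=3, z_threshold=2.0, pct_threshold=0.5):
    """Return (flags, skipped).

    flags   - indicators whose latest month exceeds the baseline mean by at
              least z_threshold standard deviations AND pct_threshold relative
              change (both, so a tiny absolute rise with a flat baseline is
              not flagged on z-score alone).
    skipped - (indicator, unit) keys with fewer than min_baseline prior months.
    A baseline with zero variance or a zero mean treats any rise as infinite,
    so a first-ever penalty is always surfaced.
    """
    flags, skipped = [], []
    for (indicator, unit), by_month in aggregate(events).items():
        months = sorted(by_month)
        baseline = [by_month[m] for m in months[:-1]]
        latest_month, latest = months[-1], by_month[months[-1]]
        if len(baseline) < max(1, min_baseline):
            skipped.append((indicator, unit))
            continue
        mu, sigma = mean(baseline), pstdev(baseline)
        if latest <= mu:          # only upward movement is a risk indicator here
            continue
        z = (latest - mu) / sigma if sigma > 0 else float("inf")
        pct = (latest - mu) / mu if mu > 0 else float("inf")
        if z >= z_threshold and pct >= pct_threshold:
            flags.append(Flag(indicator, unit, latest_month, latest, mu, z, pct))
    return flags, skipped


if __name__ == "__main__":
    found, no_history = screen(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.indicator}/{f.unit} {f.month}: {f.latest:.0f} vs baseline "
              f"{f.baseline_mean:.1f} (z={f.z_score:.1f}, +{f.pct_change:.0%})")
    for key in no_history:
        print(f"{key[0]}/{key[1]}: insufficient history, review manually")
```

            Run as a script, the example flags retail complaints (70 against a baseline of about 40) and the first treasury penalty, leaves card fraud alone because a rise from 5 to 6 is within its normal variation, and lists the digital channel separately because two months of history is not enough to compute a baseline. The separate "skipped" list matters in practice: a new product or branch with no history is exactly the kind of case paragraph 73 asks the Compliance Unit to look at by hand.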
             
            Evaluating Risks
             
            75-The Compliance Unit should evaluate the adequacy of the bank's compliance policy and procedures, promptly address any identified deficiencies, and propose amendments where necessary and technically feasible. It should also encourage the relevant departments to make the necessary adjustments and corrections and monitor that they do so.
             
            Monitoring, Testing, and Reporting
             
            76-The Compliance Unit must continuously monitor and test compliance through adequate and representative tests. The results of compliance tests should be reported through the administrative hierarchy and in accordance with the bank's internal risk management procedures.
             
            77-The chief compliance officer must submit regular written reports to senior management addressing compliance issues. These reports should include an assessment of non-compliance risks during the reporting period, note any changes in the level of non-compliance risk based on relevant metrics (e.g., performance indicators), and provide a summary of any identified violations and deficiencies, proposed corrective actions, and required correction dates, along with details of actions already taken. The reporting format should align with the bank's non-compliance risk profile and activities.
             
            High-Risk Cases and Urgent Developments
             
            78-The board, or the committee it delegates to oversee implementation of the compliance policy, should be informed immediately of any significant compliance failures or deficiencies that could lead to substantial regulatory penalties, legal action, financial loss, or damage to reputation. If the impact is judged significant to the reputation of the banking sector, SAMA and the general administration for bank supervision should be notified directly and immediately.
             
            Annual Compliance Report
             
            79-An annual compliance report should be prepared by senior management and presented to the board, covering at a minimum the requirements set forth by SAMA from time to time.
             
            80-SAMA should receive the board-approved version of the annual compliance report by the end of April each year, sent by the Chairman of the Board of the local bank or the Chief of the foreign bank branch, as part of the bank’s self-assessment of its compliance.
             
            Regulatory Responsibilities and Communication
             
            81-As a minimum regulatory requirement, the Compliance Unit must undertake the responsibilities and tasks directly and indirectly related to non-compliance risks, including: (1) compliance oversight (monitoring, the relationship with SAMA, and consultations), (2) anti-money laundering and counter-terrorism financing, (3) anti-fraud measures, (4) anti-corruption, (5) self-supervision, and (6) handling violation reports. It must also develop the appropriate mechanisms and coordination needed to effectively implement the security procedures communicated to the bank.
             
            82-The Compliance Unit is responsible for monitoring developments from external regulatory bodies, standard-setting entities, and external experts that bear on its regulatory responsibilities, particularly in anti-money laundering, counter-terrorism financing, and non-proliferation.
             
            Compliance Program
             
            83-The Compliance Unit should carry out its responsibilities under a compliance program that sets out its planned activities, such as applying and reviewing specific policies and procedures, assessing non-compliance risks, conducting compliance tests, and raising employee awareness of compliance issues. The compliance program should be risk-based and overseen by the Chief Compliance Officer, to ensure that it adequately covers all activities and coordinates the functions within the Compliance Unit (monitoring compliance with regulations, anti-money laundering and counter-terrorism financing, anti-fraud, anti-corruption, and handling violation reports).
             
            Compliance Unit Database
             
            84-The Compliance Unit should establish and continuously update a database of all compliance regulations, rules, and standards, ensuring that all bank employees can access and benefit from it at all times.
             
            Documentation
             
            85-The Compliance Unit must document policies, procedures, plans, events, and work papers to fulfill its duties and responsibilities.
             
            Warning Signs (Red Flags)
             
            86-The compliance program must include a warning-signs (red-flag) component that alerts to violations of internal and external regulations and to situations that expose the bank to non-compliance risk, such as rapid growth of the bank, the opening of new branches, high employee turnover, changes in programs, and the introduction of automated systems into workflows. This component should also protect whistleblowers and include incentives, in accordance with SAMA's whistleblowing policy.

             

          • Principle (8): Relationship Between the Compliance Unit and the Internal Audit Unit

            Internal Audit Activities

            87-The activities and scope of the Compliance Unit should be subject to periodic review by the Internal Audit Unit.
             
             
            Independence of Both Units
             
            88-The Compliance Unit and the Internal Audit Unit should be separate and independent within the bank. One of the primary responsibilities of the Compliance Unit is to monitor the bank's adherence to compliance rules, whereas the Internal Audit Unit has a broader scope of responsibilities. Although the responsibilities of the two units may overlap in certain areas, each unit operates independently and any overlap should not impair the functioning of either unit.
             
            Review of Compliance Unit Activities
             
            89-To assess the efficiency and effectiveness of the Compliance Unit, non-compliance risks should be included in the risk assessment methodology adopted by the Internal Audit Unit. A periodic program for reviewing the Compliance Unit's activities should be established, including testing of controls commensurate with the level of potential risk, in accordance with the requirements of these principles.
             
            Integration in Risk Assessment
             
            90-There must be a clear understanding within the bank of how risk assessment and testing activities are divided between the two units, and this division should be documented in the bank's compliance policy. The Internal Audit Unit should inform the head of the Compliance Unit of the audit results related to compliance within the bank.
             
            Monitoring the Compliance of the Internal Audit Unit
             
            91-The Compliance Unit plays a crucial role in monitoring the compliance process within the bank, which includes overseeing that the Internal Audit Unit carries out the tasks, responsibilities, and activities as required by SAMA in the specified manner and timeframe.
             
            Oversight from a Specific Perspective
             
            92-To further clarify the roles of the Compliance Unit and the Internal Audit Unit as two independent entities: both oversee the bank's activities, but each from its own perspective. The Compliance Unit identifies and clarifies the regulations, instructions, policies, and procedures that the bank must implement, ensures they are incorporated into the approved policies, procedures, and work programs, and continuously verifies that these policies and procedures are actually followed, are effective in mitigating non-compliance risks, and are regularly updated. The Internal Audit Unit conducts field and documentary audits of all bank units, by sampling or comprehensive coverage, continually monitors the bank's internal control systems, and assesses compliance with the policies and procedures that the Compliance Unit has helped to prepare and implement on the basis of regulations, instructions, and guidelines.

             

        • Other Matters

          • Principle (9) Matters Related to External Operations

            Compliance with Regulations and Instructions in the Host Country

            93-Banks that choose to conduct banking activities in certain countries must adhere to the regulations, instructions, and laws applicable in those countries. The branches or offices, as well as the structure and responsibilities of the compliance function, must be aligned with the regulatory requirements and local instructions of those countries.
             
             
            Higher Standards as a Basis When Regulatory Requirements Differ
             
            94-When engaging in banking operations in specific countries, whether through branches or subsidiaries, it is important to recognize that regulatory requirements and instructions may vary from one country to another. These differences may depend on the type of business the bank conducts or on the form of its presence in those countries. Particular emphasis should therefore be placed on the requirements set out in Paragraph (2/6) of Section Two of the Anti-Money Laundering and Counter-Terrorism Financing Guide.
             
            Compliance Officers in Host Countries
             
            95-Banks that choose to operate in specific countries must comply with all local regulations and instructions applicable in those countries. For example, banks operating as subsidiaries must meet the regulatory requirements that apply to companies in the host country, and banks operating as foreign branches must meet the requirements specified for foreign bank branches. The bank must ensure that compliance responsibilities in host countries are carried out by employees with local knowledge and expertise, under the oversight of the Chief Compliance Officer in collaboration with the other risk and control units in the home country.
             
            Risk Assessment for Overseas Activities
             
            96-Each bank must have in place, and keep updated, procedures to identify and assess potential or increasing risks to its reputation arising from products and activities offered in host countries through its subsidiaries or branches that are not permitted or not practised in the Kingdom.
          • Principle (10) Delegation of Compliance Unit Tasks

            Limited Delegation Agreement and Responsibility

            97-The activity of the Compliance Unit is a primary function in managing non-compliance risks within the bank. While some specific activities may be delegated to specialized entities, they must remain under the supervision and responsibility of the Chief Compliance Officer, who is ultimately responsible for ensuring compliance and cannot delegate that responsibility to others.
             
             
            Suitability of Agreements with Tasks
             
            98-The bank must ensure that any agreements or arrangements for delegating some compliance tasks do not impede the effectiveness of supervision by SAMA or other regulatory and supervisory bodies. Regardless of delegating certain tasks that the bank deems necessary, the primary responsibility for ensuring compliance with all regulations and instructions remains with the board and senior management.
             
            SAMA Approval
             
            99-The delegation of any compliance activities is subject to the instructions issued by SAMA, including obtaining its non-objection before entering into any delegation agreement.