Chapter One: Introduction, Definitions, and General Provisions
1. Introduction
1-1 SAMA has issued these principles based on its supervisory and regulatory powers as outlined in the following regulations:
A: The Saudi Central Bank Law, issued by Royal Decree No. (M/36) dated 11/04/1442 H.
B: The Banking Control Law, issued by Royal Decree No. (M/5) dated 22/02/1386 H.
1-2 These principles are organized into three chapters:
Chapter One: Clarifies the terms used and the general provisions.
Chapter Two: Provides an overview of the roles, responsibilities, and duties of the Board of Directors, the Audit Committee, and Executive Management in relation to internal audit, as stipulated by the relevant regulations and guidelines, including the requirements for their effective implementation.
Chapter Three: Sets out detailed and comprehensive requirements concerning the activities, roles, and responsibilities of the internal audit function. It highlights its position as the third line of defense, complementing the first and second lines of defense. This chapter also underscores the role of internal audit as a tool for oversight and supervision within the bank, rather than a replacement for the bank's management, ensuring alignment with regulatory requirements, guidelines, and best practices, while considering the unique nature and manner of operation of banking institutions.
2. Definitions
The following terms wherever they appear in these principles are intended to have the meanings specified next to each of them, unless the context requires otherwise:
Central Bank: The Saudi Central Bank.
Bank: Local commercial banks licensed to conduct banking operations in the Kingdom.
Board: The Board of Directors of the bank.
Audit Committee: One of the committees formed by the Board, established by a decision of the ordinary general assembly.
Executive Management: The bank's senior management, responsible for managing the bank's daily operations and for proposing and implementing strategic decisions.
Unit: The internal audit unit of the bank, comprising its head and the staff responsible for internal audit tasks and responsibilities.
Head of the Unit: The person responsible for managing the unit.
Internal Auditors: The staff of the unit responsible for carrying out the tasks and responsibilities of internal auditing.
Principles: The Principles of Internal Auditing for local banks operating in the Kingdom of Saudi Arabia.
Internal Audit Function: An independent evaluation activity that provides objective assurance and consulting services on the quality, adequacy, and effectiveness of the bank's internal control system. It applies a systematic and organized approach to auditing accounting, financial, operational, and other processes, and to assessing and improving the effectiveness of governance, risk management, and control.
Internal Audit Policy: The official document, approved by the Board, that defines the unit's purpose, scope of activity, organizational position, functional and administrative reporting lines, responsibilities, authority, relationships with other units, and the principles and methodology the bank follows regarding internal control. It also grants the unit access to the records, staff, and physical assets necessary to perform its duties.
Regulations and Rules: The regulations and rules that apply to the banking sector and its members.
Instructions: Everything issued by SAMA in its supervisory and regulatory capacity over the banking sector, as well as the regulations, rules, principles, frameworks, guidelines, and mandatory circulars issued by the relevant authorities.
Independence: Freedom from circumstances and conditions that affect the unit's ability to perform internal audit tasks and responsibilities in a professional, objective, and unbiased manner.
Conflict of Interest: A situation in which the head of the unit or its staff have, or appear to have, a direct or indirect interest or relationship in a matter under their consideration for the purpose of making a decision, such that this interest or relationship prevents, or gives reason to believe that it has hindered, their ability to express their opinion or make their decision independently, impartially, and objectively, without regard to that interest or relationship.
Objectivity: Neutral professional conduct, based on facts, that enables internal auditors to perform their tasks in a way that assures the quality of their work and its intended outcomes, without substantial interference or influence from outside the unit affecting that quality, and without being swayed by personal beliefs and emotions.
Consulting Services: Consultations carried out at the specific request of one of the bank's units.
First Line of Defense: The business units responsible for identifying, assessing, and managing the risks of their activities early and continuously, and for accepting those risks within acceptable limits.
Second Line of Defense: The oversight and support units associated with the business units, such as risk management, compliance, legal, Sharia (where applicable), finance, and technology, responsible for verifying, from a comprehensive and systematic perspective, that the business units in the first line of defense have appropriately identified and are appropriately managing their business risks.
Third Line of Defense: The internal audit unit (the unit), responsible for independently and objectively evaluating and confirming the adequacy and effectiveness of the governance, risk management, controls, policies, and procedures implemented by the first and second lines of defense, enhancing confidence in them, and providing executive management with reasonable assurance that the policies and procedures align with the specified expectations.
Stakeholders: All those with a direct interest in the unit, specifically the Board, the Audit Committee, executive management, the bank's business units, external auditors, external consultants, and others; indirectly, this also includes shareholders, investors, and customers.
3. General Provisions
3-1 The general purpose of these principles is to establish the minimum requirements necessary for the internal audit function to perform efficiently and optimally within a unified, comprehensive, and robust framework. This framework serves as a tool to strengthen self-regulation and to lay the foundations for performing internal audits and improving the bank's operations and activities. The manner in which these principles are implemented depends on various factors, including the size of the bank, the complexity of its operations, its geographical scope, the regulatory framework, and the instructions under which it operates.
3-2 The primary objectives of these principles are:
1) To protect the bank's assets; to continuously ensure the soundness, adequacy, and effectiveness of processes and the accuracy and reliability of reports, especially financial reports prepared for various purposes and stakeholders; to instill confidence in these reports and enhance the data they contain; and to protect the interests of stakeholders.
2) To enhance compliance with the requirements of the regulatory and supervisory authorities, ensuring that the bank and its employees adhere to laws, regulations, and instructions.
3-3 The internal audit function represents the third and final line of defense in the three lines of defense model. It is directly accountable to the Board and the Audit Committee, on a continuous and ongoing basis, for evaluating and confirming the adequacy and effectiveness of governance, risk management, and control processes, as well as the policies and procedures implemented by the first and second lines of defense. This line of defense enhances confidence in those processes and contributes to their improvement through a structured, risk-based approach that optimizes the use of resources by directing audit activities towards the bank's most significant and highest-risk areas. It performs these activities objectively, taking into account the defined strategies and goals.
The importance of this line of defense is reinforced by its independence, which strengthens its objectivity and credibility, ensures proactive effectiveness, provides new insights, identifies future impacts, and promotes appropriate ethics and values, thereby giving executive management reasonable assurance that policies and procedures align with the defined expectations.
3-4 These principles do not alter the requirements imposed on banks by other relevant regulations, laws, and instructions.
3-5 SAMA has issued several instructions related to internal audit requirements, and these principles should be read alongside them, as applicable, including but not limited to:
1) Key Principles of Governance in Financial Institutions under SAMA's Supervision and Control.
2) Principles of Conduct and Work Ethics in Financial Institutions.
3) Principles of Compliance for Commercial Banks Operating in the Kingdom of Saudi Arabia.
4) Anti-Money Laundering and Counter-Terrorism Financing Guide.
5) Rules for Bank Account.
6) Regulatory Rules for the Operation of Self-Regulation Units and Committees.
7) Principles of Financial Fraud Prevention in Banks Operating in the Kingdom.
8) Shariah Governance Framework for Local Banks Operating in Saudi Arabia.
9) Whistleblowing Policy for Financial Institutions.
10) Risk Management Instructions.
11) Rules on Outsourcing.
12) Cyber Security Framework.
13) Business Continuity Management Framework.
14) Information Technology Governance Framework.
3-6 The internal audit function receives international attention, with various international bodies and organizations issuing guidance on it. This guidance should be referenced and consulted, including but not limited to that of:
1) Basel Committee on Banking Supervision (BCBS).
2) Institute of Internal Auditors (IIA).
3) Committee of Sponsoring Organizations of the Treadway Commission (COSO).
4. Scope of Application
These principles apply to all local banks operating in the Kingdom.