Chapter Two: Roles and Responsibilities of the Board and Executive Management Regarding Internal Audit
Principle (1): Board Responsibilities for Internal Audit
5- To ensure that the ordinary general assembly performs its functions regarding the audit committee and internal auditing as specified, in accordance with the provisions of the Companies Law and its implementing regulations, the Corporate Governance Regulations issued by the Capital Market Authority, and the Key Principles of Governance in Financial Institutions issued by SAMA, the board is required to do the following:
5-1 Submit effective proposals and recommendations that enable the ordinary general assembly to carry out its functions.
5-2 Monitor any developments in the regulations, rules, and instructions related to internal auditing issued by the relevant authorities from time to time.
6- Although the audit committee operates independently from the board and executive management, this does not exempt the board, according to the Key Principles of Governance in Financial Institutions, from the responsibility of effectively overseeing the audit committee and monitoring its work and assigned duties.
7- The board has the following responsibilities concerning the roles and responsibilities of executive management regarding internal auditing:
7-1 The ultimate responsibility for ensuring that executive management establishes and maintains an appropriate, efficient, and effective internal control framework that identifies, measures, monitors, and manages all risks faced by the bank.
7-2 Ensuring that the effectiveness and efficiency of the internal control system are reviewed based on information provided by the internal audit function, though not relying solely on it.
8- Without prejudice to the powers, duties, and responsibilities of the Board according to the relevant instructions of SAMA and other regulatory authorities, the Board is responsible for continuously ensuring the following with respect to the internal audit function:
8-1 Taking all necessary actions to ensure the existence and continued effectiveness of an independent and effective internal audit function within the bank, and periodically updating its organization and operating policies.
8-2 Ensuring that the size of the internal audit function and the qualifications and competence of its head and staff are appropriate to the size of the bank, the nature of its operations, the automated systems in use, and the complexity of its organizational structure.
8-3 Ensuring that the Audit Committee conducts an independent external evaluation of the quality of the internal audit function’s performance at least once every five years.
Principle (2): Responsibilities of the Audit Committee towards the Unit
9- Without prejudice to the specific responsibilities and duties of the Audit Committee as defined by regulations and instructions issued by SAMA and other regulatory authorities, the Committee is responsible for the following requirements for effective oversight:
9-1 Recommend to the board the approval of the organizational structure of the unit, and review it periodically as needed.
9-2 Recommend to the board the appointment, reappointment, or dismissal of the head of the unit, or the acceptance of their resignation.
9-3 Ensure the presence of appropriate human resources in the unit in terms of quantity, qualifications, and skills, especially in specialized topics, including, for example, units for: treasury, finance, international financial reporting standards, anti-money laundering and counter-terrorism financing, technology/cybersecurity risks, governance, Basel standards, liquidity, credit, and provisions, among others.
9-4 Review and approve the audit plan prepared by the head of the unit based on the results of the annual risk assessment, including the scope of the plan and the budget allocated for it.
9-5 Approve the strategy of the unit prepared by its head and monitor its performance alongside the execution of the annual audit plan, in alignment with the bank's overall strategy and objectives, and after coordinating with the relevant department in the bank.
9-6 Review and discuss internal audit reports.
9-7 Review the unit's performance to ensure its ability to carry out its responsibilities independently and objectively.
9-8 Approve performance measurement indicators for the head of the unit and evaluate their performance.
9-9 Ensure that the head of the unit possesses integrity and the ability to perform their duties with honesty, diligence, and responsibility. Verify their compliance with regulations and instructions and confirm that they have not been previously involved in any violations.
9-10 Ensure that executive management takes the necessary corrective actions in a timely and appropriate manner to address weaknesses in controls, issues of compliance with policies, regulations, and instructions, and other violations, observations, and shortcomings identified and reported by the audit unit with recommendations.
9-11 Conduct the required independent external assessment, according to the approved audit policy, to verify the quality of the unit's work at least once every five years.
Principle (3): Roles and Responsibilities of Executive Management Regarding Internal Audit
10- The executive management has the following responsibilities:
10-1 Develop, apply, and maintain appropriate and effective internal control systems and procedures.
10-2 Fully and unconditionally enable the internal audit unit to access all records, individuals, systems, and buildings, and provide it with the necessary information and data to perform its tasks in a timely and appropriate manner.
10-3 Provide the internal audit unit with updates on new initiatives, projects, products, operational changes, or any amendments to policies and procedures within the bank.
10-4 Ensure that all relevant risks (both known and anticipated) are identified and reported to the internal audit unit at an early stage.
10-5 Share its risk assessments with the internal audit unit to enable the unit to plan audits based on a risk-based approach.
10-6 Implement appropriate measures and corrective actions in a timely and suitable manner regarding all findings and recommendations received from the internal audit unit.
10-7 Encourage inviting representatives of the internal audit unit to attend various administrative committee meetings as permanent invitees, without granting them voting rights.
10-8 Include a key performance indicator for the executive management that reflects the effectiveness of its handling of the observations monitored by the unit in an appropriate and timely manner.