Principle (4): Key Characteristics of the Unit
Independence and Objectivity
11- The unit must be administratively independent from all other business units with activities subject to review, as well as from the first and second lines of defense, in a complementary manner. The unit should have sufficient organizational status and authority within the bank to perform its tasks objectively. The head of the unit and its staff should not undertake or be assigned any other tasks or work in the bank that could compromise their roles, except for internal audit activities, reviewing, and evaluating the effectiveness and efficiency of the internal control system.
12- The unit must have the authority to perform its tasks across all areas of the bank's operations and business units, without any restrictions from the executive management or any source other than its functional reference 13- The unit should have the freedom to discuss its views, results, evaluations, and conclusions directly with the Audit Committee and the Board, and to submit its reports directly through a clear organizational structure - functional link - to the Audit Committee.
14- The unit should not be involved in the preparation (design), selection, implementation, or management of specific internal control procedures. However, its independence does not preclude the executive management from requesting internal audit inputs on matters related to risks and internal control, provided that such advisory roles are well-documented in audit procedures and guidelines and are not interpreted as conflicting with its independence.
15- The rotation of staff in the unit to other business units should be governed by a written policy within its operational framework to avoid conflicts of interest. This includes a mandatory cooling-off period of no less than twelve months between the employee’s time in the unit and their subsequent review of activities in the bank’s operational areas where the rotation occurred.
16- A performance rewards for the head of the unit and its staff - if any - should be organized in a way that ensures no conflict of interest or compromise to the unit's independence and ability to work objectively, and in accordance with the relevant instructions issued by the central bank and the bank’s reward policies and practices. Their rewards should not be linked to the financial performance of the business activities subject to internal audit, and the head of the unit’s rewards should be recommended by the Audit Committee in accordance with the bank’s reward policies and practices.
17- The head of the unit should confirm annually - at a minimum - the organizational and functional independence of the unit's activities, either in a dedicated section of the annual report or through a separate official written statement.
18- The unit should have the right to request a meeting with the Audit Committee at any time if there is a need to discuss any topic it wishes to raise.
Professional Competence and Due Diligence
19- The head of the unit must possess leadership skills and the necessary skills to maintain the unit’s effectiveness. 20- The head of the unit must have an academic degree in one of the following: 20-1 Either in accounting, auditing, business administration, or other related fields to internal auditing, preferably holding a specialized professional certification in internal auditing or accounting such as (QIAI), (CIA), (SOCPA), (CPA), or an advanced degree in accounting, auditing, or business administration. 20-2 Or in specialized technical fields such as (CISA) Certified Information Systems Auditor or (CISM) Certified Information Security Manager, in this case, they also have to hold one of the professional or advanced certifications specified in (1) above. In both options, they must have sufficient practical experience in internal auditing and possess appropriate leadership skills to fulfill their responsibilities while maintaining the unit’s independence and objectivity. 21- The head of the unit, without conflicting with the bank’s general employment policies, procedures, and requirements, must establish standards to attract competent individuals to the unit who possess professional competence, scientific knowledge, experience, qualifications, skills, and the ability to gather and understand information, examine and evaluate evidence during the audit process, and communicate with stakeholders. This requirement also includes supporting and enabling national talents and training them. 22- The head of the unit must assess the skills of the unit’s staff, monitor their development, and ensure they receive continuous, relevant training to meet the technical requirements of banking activities, adapt to the increasing diversity of tasks due to new products, services, and procedures, and keep up with other developments in the financial sector. Professional Ethics for the Head of the Unit and Its Staff
23- In accordance with the Principles of Conduct and Work Ethics in Financial Institutions issued by SAMA, and to ensure the maintenance of professional standards for the unit at all times, the bank’s code of conduct and ethics should, at a minimum, include principles of objectivity, behavior, competence, confidentiality, and integrity, and should stipulate the following: 23-1 The necessity of demonstrating professionalism, integrity, honesty, and trustworthiness. 23-2 Emphasis on maintaining the confidentiality of information obtained during the performance of duties, avoiding the use of such information for personal gain or harmful activities, and taking care to protect the information acquired. 23-3 Avoidance of conflicts of interest. To this end, the head of the unit must take adequate measures to ensure that its staff consistently adhere to integrity, comply with internal audit principles, and follow the Principles of Conduct and Work Ethics in Financial Institutions issued by SAMA.