  • Chapter Three: Functions, Tasks, and Responsibilities of the Unit.

    • Principle (4): Key Characteristics of the Unit

      • Independence and Objectivity

         11-The unit must be administratively independent from all other business units with activities subject to review, as well as from the first and second lines of defense, in a complementary manner. The unit should have sufficient organizational status and authority within the bank to perform its tasks objectively. The head of the unit and its staff should not undertake or be assigned any other tasks or work in the bank that could compromise their roles, except for internal audit activities, reviewing, and evaluating the effectiveness and efficiency of the internal control system.
         
         12-The unit must have the authority to perform its tasks across all areas of the bank's operations and business units, without any restrictions from the executive management or any source other than its functional reference.
         13-The unit should have the freedom to discuss its views, results, evaluations, and conclusions directly with the Audit Committee and the Board, and to submit its reports directly through a clear organizational structure - functional link - to the Audit Committee.
         
         14-The unit should not be involved in the preparation (design), selection, implementation, or management of specific internal control procedures. However, its independence does not preclude the executive management from requesting internal audit inputs on matters related to risks and internal control, provided that such advisory roles are well-documented in audit procedures and guidelines and are not interpreted as conflicting with its independence.
         
         15-The rotation of staff in the unit to other business units should be governed by a written policy within its operational framework to avoid conflicts of interest. This includes a mandatory cooling-off period of no less than twelve months between the employee’s time in the unit and their subsequent review of activities in the bank’s operational areas where the rotation occurred.
         
         16-Performance rewards for the head of the unit and its staff - if any - should be organized in a way that ensures no conflict of interest or compromise to the unit's independence and ability to work objectively, and in accordance with the relevant instructions issued by the central bank and the bank’s reward policies and practices. Their rewards should not be linked to the financial performance of the business activities subject to internal audit, and the head of the unit’s rewards should be recommended by the Audit Committee in accordance with the bank’s reward policies and practices.
         
         17-The head of the unit should confirm annually - at a minimum - the organizational and functional independence of the unit's activities, either in a dedicated section of the annual report or through a separate official written statement.
         
         18-The unit should have the right to request a meeting with the Audit Committee at any time if there is a need to discuss any topic it wishes to raise.
         
      • Professional Competence and Due Diligence

         19-The head of the unit must possess leadership skills and the necessary skills to maintain the unit’s effectiveness.
         20-The head of the unit must have an academic degree in one of the following:
           20-1Either in accounting, auditing, business administration, or other fields related to internal auditing, preferably holding a specialized professional certification in internal auditing or accounting such as (QIAI), (CIA), (SOCPA), (CPA), or an advanced degree in accounting, auditing, or business administration.
           20-2Or in specialized technical fields such as (CISA) Certified Information Systems Auditor or (CISM) Certified Information Security Manager; in this case, they must also hold one of the professional or advanced certifications specified in (1) above. In both options, they must have sufficient practical experience in internal auditing and possess appropriate leadership skills to fulfill their responsibilities while maintaining the unit’s independence and objectivity.
         21-The head of the unit, without conflicting with the bank’s general employment policies, procedures, and requirements, must establish standards to attract competent individuals to the unit who possess professional competence, scientific knowledge, experience, qualifications, skills, and the ability to gather and understand information, examine and evaluate evidence during the audit process, and communicate with stakeholders. This requirement also includes supporting and enabling national talents and training them.
         22-The head of the unit must assess the skills of the unit’s staff, monitor their development, and ensure they receive continuous, relevant training to meet the technical requirements of banking activities, adapt to the increasing diversity of tasks due to new products, services, and procedures, and keep up with other developments in the financial sector.
      • Professional Ethics for the Head of the Unit and Its Staff

         23-In accordance with the Principles of Conduct and Work Ethics in Financial Institutions issued by SAMA, and to ensure the maintenance of professional standards for the unit at all times, the bank’s code of conduct and ethics should, at a minimum, include principles of objectivity, behavior, competence, confidentiality, and integrity, and should stipulate the following:
           23-1The necessity of demonstrating professionalism, integrity, honesty, and trustworthiness.
           23-2Emphasis on maintaining the confidentiality of information obtained during the performance of duties, avoiding the use of such information for personal gain or harmful activities, and taking care to protect the information acquired.
           23-3Avoidance of conflicts of interest. To this end, the head of the unit must take adequate measures to ensure that its staff consistently adhere to integrity, comply with internal audit principles, and follow the Principles of Conduct and Work Ethics in Financial Institutions issued by SAMA.
    • Principle (5): Internal Audit Policy

      24-The head of the unit must prepare and periodically update an internal audit policy, and have it approved by the board based on the recommendation of the audit committee.
      25-The key items of the policy must include, at a minimum:
        25-1The purpose of establishing the unit, and its scope and methodology of work.
        25-2Its organizational position within the bank, its authorities, responsibilities, and its relationships with other control units.
        25-3The key characteristics of the unit as outlined in these principles.
        25-4Ensuring what enhances its role and performance of its duties and responsibilities.
        25-5The right to communicate directly with any bank employees, and to examine the activities of any bank unit or its affiliated entity, if the affiliated entities do not have independent review units or committees, without breaching related regulations and instructions.
        25-6The right to access any records, files, data, or physical assets of the bank, without conflicting with relevant SAMA instructions.
        25-7The right to obtain copies of records and supporting documents for audit activities, including access to administrative information systems, records, and minutes of all advisory bodies in the bank and decision-making entities.
        25-8The right to enable the unit to perform its role and achieve its responsibilities for reviewing all activities of the bank's units and its affiliated entities internally and externally, if the affiliated entities do not have independent review units or committees, without breaching related regulations and instructions.
        25-9The right to escalate to the audit committee without any restrictions when needed.
        25-10The obligation to communicate the results of internal auditors derived from their work, clarify the method of doing so, and specify the receiving entities - administrative dependencies - for these reports.
        25-11The unit's responsibility to the audit committee for all matters related to its performance of duties and responsibilities.
        25-12The responsibility of the head of the unit.
        25-13The conditions and terms for coordination and follow-up of work between the unit and external auditors.
        25-14The conditions and terms under which advisory or consulting services can be requested from the unit or assigned special tasks, without violating relevant instructions.
        25-15The commitment to conduct an independent external assessment of the unit's work quality and adherence to ethical conduct and compliance with internal audit principles for local banks in the country, at least once every five years.
        25-16In accordance with SAMA's instructions on Rules on Outsourcing tasks to third parties, the conditions and terms that determine the method, timing, and circumstances of outsourcing any of the unit's specialized limited tasks to external service providers, ensuring the primary basis and minimum requirement is the lack of specialized expertise within the unit for such tasks (e.g., information security), with the board being primarily responsible and the unit for proper oversight, performance under a non-disclosure agreement, achieving knowledge transfer and experience gain to unit staff, not affecting the unit's ability to work independently and objectively, and not contracting with a provider previously contracted for the same task unless at least three years have passed, and ensuring that the service provider is not a current external auditor of the bank, and does not impede the effectiveness of SAMA oversight, and obtaining its prior approval for the outsourcing.
        25-17The requirements and mechanisms for reviewing the bank's affiliated entities that do not have independent review units or committees.
        25-18The commitment to international standards for internal audit relevant to the field.
        25-19The scope and contents of the periodic report of the unit submitted to the board.
        25-20The authority to refer to the Unified Internal Audit Charter of the Institute of Internal Auditors and use the standards specified therein as a guideline when preparing the internal audit policy. Banks may add what they deem important, as necessary, without violating relevant regulations, policies, and procedures.
      26-The policy should focus on the guiding principles for internal audit and control areas, including high-level guidance for each activity of the audit unit, and provide a formally documented mechanism to resolve any discrepancies in viewpoints that may arise with the unit, for example, regarding the classification of findings, general report classification, contents, prominent risks, etc.
      27-This policy should be made available to all bank stakeholders for review through the appropriate mechanism followed by the bank.
       
    • Principle (6): Organization, Tasks, and Responsibilities of the Unit

      • Organizational Structure and Reporting

        28-The unit must have a clearly defined organizational structure approved by the board, reporting functionally to the audit committee and administratively to the CEO. This structure should reflect the specialized roles within the unit and be appropriate to the size, nature, and complexity of the bank's operations.
        29-It is preferable for the unit to form a specialized team of experienced and competent senior auditors to manage and ensure the execution of all audit requests required by SAMA, continuously providing high-quality outputs.
        30-The unit should report its audit findings to the audit committee and the CEO, without the results of these reports affecting the performance evaluation and compensation of the unit’s head and its staff.
        31-The unit must inform the executive management of all significant findings related to the implementation and maintenance of an appropriate and effective internal control system and procedures, enabling the executive management to take timely and appropriate corrective actions. The unit should also follow up on the results of these corrective actions with the executive management.
      • Requirements and Responsibilities of the Unit Head

        32-The unit head must possess the necessary independence, objectivity, competencies, and ethics to effectively perform their role and duties.
        33-Their responsibilities must be clearly defined and should include, at a minimum, the following:
          33-1Attracting human resources with suitable qualifications and skills, based on a formal analysis of the unit’s actual needs required to perform its activities efficiently, and comparing those needs with the available human resources and their competency levels. Develop a plan to meet these needs and competencies, and formally share it with the audit committee for monitoring and evaluation. The analysis should consider international standards, emerging risk areas, and audit experience.
          33-2Working towards Saudization of the unit’s positions as required by relevant regulations.
          33-3Developing teams and skills related to audit techniques with the aid of technical systems and performance analysis programs to expand the scope of their reviews and manage system-related risks more comprehensively.
          33-4Continuously monitoring, evaluating, and developing the unit’s staff.
          33-5Ensuring the unit's adherence to integrity and compliance with sound internal audit standards.
          33-6Developing the internal audit plan and obtaining approval from the audit committee, and periodically reviewing and updating it.
          33-7Developing and periodically reviewing the internal audit policy as needed and at each audit committee cycle, and submitting it along with any updates to the board for approval based on the audit committee’s recommendation.
          33-8Formulating an internal audit strategy aligned with the bank’s strategy, obtaining approval from the audit committee, and regularly reporting the results and compliance to the committee.
          33-9Participating in relevant committees, such as those for risk and compliance, while adhering to Key Principles of Governance in Financial Institutions.
          33-10Meeting with the audit committee individually whenever necessary.
          33-11Monitoring the work of external service providers when some or part of the internal audit tasks are outsourced, ensuring their adherence to the internal audit policy, and verifying that they do not affect the unit’s independence and objectivity, and that they transfer relevant knowledge and experience to the unit's staff.
          33-12Preparing a detailed matrix listing and classifying potential risks resulting from suspending or postponing any audit activities or parts of them beyond the plan’s year, including an assessment and risk classification. This should address whether the suspension or postponement is requested by the unit or other units and submit it to the audit committee for approval of high and medium-risk cases, with reasons and considerations, ensuring that risks continue to be addressed.
          33-13Identifying factors to consider when selecting branch samples for field audits in the targeted geographic area.
          33-14Encouraging audit unit staff to obtain Certified Internal Auditor (CIA) certification and other professional certifications (or one of them) to enhance the competence of internal auditors in the banking sector.
          33-15Enabling and supporting the implementation of an independent external quality assessment of the audit unit’s work at least once every five years, to ensure the quality of audit outputs, in line with the board-approved policy, based on the direction and approval of the audit committee, and selecting the independent assessment provider. The results should be presented to the committee and reported to the board.
      • SAMA's Non-Objection to Appointing or Changing the Unit Head

        34-Taking into account the Requirements for Appointing to Senior Positions in financial institutions under the supervision of SAMA, and the Key Principles of Governance in Financial Institutions issued by SAMA, the bank must obtain SAMA’s prior non-objection to the appointment, assignment, or extension of the term of the head of the unit. Additionally, the bank must obtain SAMA’s prior non-objection if the head of the unit leaves their position (resignation, transfer to another role, termination of service, etc.), with documentation and explanation of the reason for the change.
         
      • Internal Work Procedures for the Unit

        35-Procedural manuals should be developed for the unit (either as an independent document or as part of the audit manual) to guide its staff in performing daily activities. These manuals should cover all activities of the unit in detail, providing step-by-step instructions. Each activity should include a sequential workflow that outlines the complete cycle of each process along with descriptive guidance. The manuals should align with detailed guidelines for implementing the audit policy.
        36-Detailed work guides should also be provided for using technical audit systems to assist both current and newly joined staff in using the systems effectively and understanding their capabilities.
        37-When developing work procedures for the unit, reference should be made to the standards and guidelines from the Institute of Internal Auditors, including the "International Standards for the Professional Practice of Internal Auditing" and its updates, as well as best practices for guidance in the procedures.
      • Units and Entities Subject to Internal Audit and the Audit Cycle

        38-The unit must document a comprehensive list of the bank's units and its affiliated entities subject to audit, serving as a comprehensive framework for audit processes.
        39-This list should cover all operational units, products, services, systems, risks, and processes of the bank.
        40-The list should include all requirements set by SAMA for the unit and be part of the comprehensive audit framework.
        41-Ensure that the comprehensive audit programs for this list cover relevant SAMA instructions and internal policies, and that they are developed for each unit within the bank and its affiliated entities within the comprehensive audit framework.
        42-The unit should develop an official framework for assessing the risks of each unit in the bank and its affiliated entities listed separately. This framework should also identify risk factors, such as: the latest audit assessment, time elapsed since the last audit, applicable and realized risk levels, complexity, etc., as a basis for risk assessment. The frequency of audits for each unit in the bank and its affiliated entities may be based on this risk assessment (e.g., increasing the frequency for high-risk units and entities).
        43-The unit should review all units in the bank and its affiliated entities documented in the list at least annually to ensure completeness and coverage of all units, products, systems, and procedures of the bank.
        44-The unit should document an official audit cycle that covers all units in the bank and its affiliated entities listed, and execute this cycle within a defined period, which may extend from three to four years depending on the risk classification of each listed item, in accordance with the risk-based approach.
      • Risk Assessment Methodology

        45-The risk assessment methodology should include the following:
          45-1Documented and detailed guidelines that outline and assist internal auditors in classifying risks when preparing each observation.
          45-2Documented and detailed guidelines for assessing risks in the overall audit report.
          45-3Identification of quantitative and qualitative factors necessary to facilitate understanding and consistent application by audit staff.
          45-4Classification of internal violation reports from the bank—of which the audit unit should receive copies—based on their risk level and the extent of compliance with reaching the competent authority in the bank and their documentation.
          45-5All instances of non-compliance with SAMA instructions should be classified as high risk unless the non-classification is supported by specific justifications approved by the compliance unit. These justifications should be based on a risk classification mechanism that includes the size and impact of the non-compliance.
      • Risk-Based Internal Audit Plan

        46-The head of the unit is responsible for preparing the annual internal audit plan and its implementation schedules, and for seeking approval from the Audit Committee. When preparing the plan, a thorough risk assessment should be undertaken (considering inputs from executive management). The plan can be part of a multi-year plan, in which case it should be reviewed and updated annually aiming to respond to changes in the sector and in the bank's risk profile, or more frequently, throughout the year, to enable continuous and real-time assessment of areas where significant risks may arise.
        47-The annual audit plan should include a list of business units and activities subject to audit and risk assessment, with well-prepared documentation to ensure a systematic audit approach.
        48-In implementing the annual audit plan, audit work programs must include detailed audit procedures for each business unit subject to review, with sufficient clarifications regarding the scope of its relevance, surveys, and ensure coverage of all potential key or significant risks, control elements, and regulatory supervisory instructions. It should be taken into account that the assessment and analytical skills of internal auditors are essential to ensure a high quality of internal audit.
        49-A list of all supervisory expectations from the audit units must be compiled, and this requirement should be stipulated in their policy or procedures. This list, along with the required areas in the comprehensive audit framework, should serve as sources among others, such as the audit cycle, the bank’s most significant risks, new or emerging risk areas, and so on, for developing the annual internal audit plan. The frequency of audits, wherever specified by SAMA, must exceed the internal risk assessment conducted by the audit unit.
        50-Adequate resources must be available to support the unit in performing its duties, in accordance with the annual internal audit plan.
        51-The unit should periodically conduct a self-assessment of specific requirements from SAMA and other regulatory bodies. Capabilities should be developed, and sufficient resources allocated to these areas, ensuring adequate space for them in the internal audit plan.
      • Information Technology for the Unit

        52-The unit should carry out its activities using appropriate technological systems to enhance the efficiency of the internal audit function.
        53-The unit should conduct a formal gap analysis using current automation tools, address and close these gaps, highlight activities currently performed manually, and develop action plans to automate all such activities—wherever feasible—and escalate these plans to the Audit Committee for monitoring purposes.
      • Quality Assurance and Performance Improvement Program

        54-The unit should establish an internal function reporting directly to the head of the unit, dedicated to quality assurance and performance improvement, and should be staffed with qualified and suitably experienced resources.
        55-The internal audit unit should implement a quality assurance and performance improvement program covering all aspects of internal audit activities. This program should include both internal evaluations (ongoing assessments and annual comprehensive reviews) and external evaluations (conducted at least once every five years), with the results reported to the Audit Committee.
        56-The quality assurance and performance improvement unit must review and evaluate all activities and reports of the audit unit on an ongoing basis. The head of the audit unit must submit regular reports on the review and evaluation results of that unit (both ongoing and annual) to the Audit Committee.
        57-The quality assurance and performance improvement unit should be responsible for reviewing and updating the internal policies and procedures of the internal audit unit, training and motivating its staff, and working on enhancing the quality of work and other performance improvement tasks.
      • Periodic Reports to the Audit Committee

        58-The internal audit unit should prepare periodic reports on its reviews and submit them to the Audit Committee. The committee, in turn, should submit these reports directly and independently to the board without any revisions from the executive management or any other source. The reports should, at a minimum, include:
          58-1A quarterly report: This should include an assessment of the internal control system of the units reviewed, the findings and recommendations related to the work units audited, the actions taken by each unit regarding the findings and recommendations from the previous review, and an explanation of the status of findings not addressed by the executive management. It should also detail instances of failure to respond promptly to those findings and recommendations, along with the reasons for such failures.
          58-2An annual general (comprehensive) report: This should include an assessment of the bank's internal control system and the audit activities conducted during the financial year compared to the approved plan. It should also state the reasons for any shortcomings or deviations from the plan, if any, within a deadline not exceeding the end of the following quarter after the end of the relevant financial year, or according to the dates in the approved annual plan.
      • Database and Document/Report Storage

        59-The audit unit must establish a database for its operations and update it continuously.
        60-In accordance with relevant central bank regulations and other regulatory bodies, all internal audit reports, findings, recommendations, corrective action plans, and supporting documents should be stored electronically in the database. This includes any results obtained by independent auditors that were previously found by audit staff, and all work-related documents, internal audit achievements, results, recommendations, and measures taken in accordance with the relevant central bank instructions.
        61-A formal manual (either independently or as part of the audit manual) for record retention and storage mechanisms should be prepared and approved. This manual should describe the methods of storage and details of all work papers and information to be retained, the minimum retention period, and the recommendations of the audit unit. This should be done considering the data and information retention regulations and instructions provided by the relevant supervisory regulatory authorities.
    • Principle (7): Scope of the Unit's Work

       

      62-The general scope of the unit includes every unit in the bank and its affiliated entities (that do not have independent audit units or committees), covering all activities, operations, products, and services of the bank, as well as the limited specialized tasks that may be outsourced to external service providers, including the review and assessment of the effectiveness of the internal control system, risk management, governance, compliance, and supervisory requirements, as well as consulting services. The unit should evaluate the entire bank, including branches and affiliated entities.
      63-The unit is responsible, independently within its scope and work plan, for evaluating the following:
        63-1The effectiveness and adequacy of internal control functions, risk management, and governance in the context of current and potential future risks, including committees.
        63-2The procedures established by business units and support units.
        63-3The reliability of management information system policies and procedures (including data relevance, accuracy, completeness, availability, confidentiality, and comprehensiveness).
        63-4The level of compliance with regulations, policies, and internal procedures of the bank.
        63-5The adequacy and effectiveness of asset protection procedures.
        63-6The adequacy and effectiveness of all reports and their preparation mechanisms.
      64-Participate, upon request, in internal investigations that do not conflict with the unit's scope, duties, and responsibilities, as deemed necessary by the head of the unit; the audit committee should be provided with reports on such investigations.
      65-With consideration to the relevant instructions and the requirements for applying the risk-based approach and its methods, the unit must, in implementing the scope of its activities, properly cover in the audit plan the requirements of topics of regulatory and supervisory importance according to the timeframes specified for each requirement, or at least annually if no timeframes are specified, unless the risk assessment of the units requires a shorter period for the following activities:

      Risk Management Unit

      66-The unit should primarily include the following in its plan concerning the Risk Management Unit:
        66-1Its organization and powers, including market, credit, liquidity, interest rate, operational risks, legal risks, and any other risks.
        66-2Assessment of risk tolerance, escalation of issues and decisions, and reporting on them.
        66-3The adequacy of policies and procedures for identifying, measuring, assessing, monitoring, and addressing emerging risks from the bank's activities, and reporting on them.
        66-4The integrity of its information systems, including the accuracy, reliability, and completeness of data used.
        66-5The approval and maintenance of risk models; this includes the process of verifying the consistency of information sources, timeliness, independence, and reliability of the sources of information used in these models.
        66-6The degree of significant differences between its views and those of the executive management regarding the level of risks facing the bank.
        66-7The compliance of all business units and their employees with the internal authority matrix of the bank, and ensuring no authority is exceeded.
       

      Capital and Liquidity

      67-The unit must address all requirements of the regulatory framework for capital and liquidity within its scope of activities, particularly:
        67-1The internal capital adequacy assessment document and the internal liquidity assessment document.
        67-2Regulations for determining and measuring the bank's regulatory capital, assessing the adequacy of its capital resources relative to risk exposures, and the minimum indicators approved.
        67-3The process for conducting stress tests for capital and liquidity levels, considering the frequency of such tests, their purpose, the reasonableness of hypothetical scenarios, assumptions used, and the reliability of procedures.
        67-4The bank's instructions and procedures for measuring and monitoring liquidity conditions relative to its risk register, external environment, and minimum regulatory (supervisory) requirements.

      Regulatory (Supervisory) and Internal Reporting

      68-Evaluate the effectiveness of the process through which the Risk Unit and the relevant reporting unit communicate for issuing accurate, timely, and reliable reports, whether internally or for regulatory (supervisory) purposes.

      Compliance Unit

      69-Assess the scope of activities of the Compliance Unit and evaluate the effectiveness of its execution of responsibilities related to compliance risks.
      70-Cooperate with the Compliance Unit in following up on tasks, responsibilities, and activities requested by the central bank from the audit unit, as specified in terms of format and timing.

      Governance

      71-Study the scope of governance activities at the bank, focusing on:
        71-1Evaluating the effectiveness of the unit responsible for governance in executing its responsibilities.
        71-2Reviewing all governance-related policies and procedures within the bank to ensure they align with regulations, rules, instructions, and updates, and assessing their implementation and effectiveness.
        71-3Ensuring the bank's compliance with all regulations from local supervisory authorities related to governance.
        71-4Ensuring the presence of an effective control system to prevent fraud within the bank.
        71-5The process of appointing bank representatives in its subsidiaries and ensuring there are policies and procedures governing this.

      Finance Unit

      72-The audit unit should include the following aspects in its scope of work:
        72-1The organization and powers of the Finance Unit.
        72-2The adequacy and integrity of financial data and the financial systems, instructions, and procedures, including the identification, monitoring, measurement, and reporting of key data (e.g., profit or loss, financial instrument valuations, provisions), including necessary changes in accordance with international accounting standards and international financial reporting standards.
        72-3The approval and maintenance of pricing models, including verifying the consistency, timeliness, independence, and reliability of information sources used in these models.
        72-4The controls in place to prevent and detect violations.
        72-5Controls on the balance sheet, including reconciliation processes and procedures (e.g., adjustments), regulatory tasks and activities, and other ongoing activities that the audit units must review periodically, as documented in the comprehensive audit procedures and framework, along with the required compliance timing. Examples include, but are not limited to, information security (cybersecurity), business continuity, anti-money laundering and counter-terrorism financing, dormant accounts, and others, both current and future.
    • Principle (8): The Unit's Relationship with Second Line of Defense Units and External Auditors

      • (A) Relationship with Second Line of Defense Units

        73-Second line of defense units are subject to independent review by the audit unit. Each of these units has areas closely related to other units in general and to the audit unit specifically. However, they are all organizationally separate from each other. Given the comprehensive coverage provided by the oversight performed by the second line of defense, particularly by the Risk Management Unit and the Compliance Unit, the audit unit relies on valuable information provided by these units. Nevertheless, the reliability of this information is subject to assessment by the Head of the Audit Unit.
      • (B) Relationship with External Auditors

        74-External auditors appointed by the bank play a crucial role in the continuous improvement of the bank’s internal control systems related to their scope of work. Therefore, their work should be complementary to the internal audit unit. This should be coordinated through a defined mechanism and regular meetings (based on the approved internal audit policy) to enable both parties to stay continuously informed about significant concerns. The audit committee must ensure that this coordination is in place and effectively implemented.
         
    • Principle (9): Internal Audit of the Bank’s Subsidiaries

      75-In cases where the bank has a subsidiary with its own independent audit unit and audit committee, and while ensuring compliance with relevant regulations and instructions, it is preferable to:
        75-1Obtain a seat for the head of the bank’s unit or their delegate in the audit committees of the bank’s subsidiaries to monitor developments and ensure the effectiveness of internal controls within them.
        75-2Conduct limited tests to verify the quality of the subsidiary’s audit unit operations to ensure the soundness of its activities.
      76-In cases where the bank has a subsidiary that does not have an independent audit unit and audit committee, and while ensuring compliance with relevant regulations and instructions, the following should be done:
        76-1The approved audit policy should define how the audit of such entities will be conducted.
        76-2The unit should report the results of the audit activities of these entities to the audit committee.