  • Principle (6): Organization, Tasks, and Responsibilities of the Unit

    • Organizational Structure and Reporting

      28-The unit must have a clearly defined organizational structure approved by the board, reporting functionally to the audit committee and administratively to the CEO. This structure should reflect the specialized roles within the unit and be appropriate to the size, nature, and complexity of the bank's operations.
      29-It is preferable for the unit to form a specialized team of experienced and competent senior auditors to manage and ensure the execution of all audit requests required by SAMA, continuously providing high-quality outputs.
      30-The unit should report its audit findings to the audit committee and the CEO, without the results of these reports affecting the performance evaluation and compensation of the unit’s head and its staff.
      31-The unit must inform the executive management of all significant findings related to the implementation and maintenance of an appropriate and effective internal control system and procedures, enabling the executive management to take timely and appropriate corrective actions. The unit should also follow up on the results of these corrective actions with the executive management.
    • Requirements and Responsibilities of the Unit Head

      32-The unit head must possess the necessary independence, objectivity, competencies, and ethics to effectively perform their role and duties.
      33-Their responsibilities must be clearly defined and should include, at a minimum, the following:
        33-1 Attracting human resources with suitable qualifications and skills, based on a formal analysis of the unit's actual needs for performing its activities efficiently, and comparing those needs with the available human resources and their competency levels. A plan to meet these needs and competencies should be developed and formally shared with the audit committee for monitoring and evaluation. The analysis should consider international standards, emerging risk areas, and audit experience.
        33-2 Working towards Saudization of the unit's positions as required by relevant regulations.
        33-3 Developing teams and skills related to audit techniques with the aid of technical systems and performance analysis programs, to expand the scope of their reviews and manage system-related risks more comprehensively.
        33-4 Continuously monitoring, evaluating, and developing the unit's staff.
        33-5 Ensuring the unit's adherence to integrity and compliance with sound internal audit standards.
        33-6 Developing the internal audit plan, obtaining approval from the audit committee, and periodically reviewing and updating it.
        33-7 Developing and periodically reviewing the internal audit policy as needed and at each audit committee cycle, and submitting it along with any updates to the board for approval based on the audit committee's recommendation.
        33-8 Formulating an internal audit strategy aligned with the bank's strategy, obtaining approval from the audit committee, and regularly reporting the results and compliance to the committee.
        33-9 Participating in relevant committees, such as those for risk and compliance, while adhering to the Key Principles of Governance in Financial Institutions.
        33-10 Meeting with the audit committee individually whenever necessary.
        33-11 Monitoring the work of external service providers when some or all of the internal audit tasks are outsourced: ensuring their adherence to the internal audit policy, verifying that they do not affect the unit's independence and objectivity, and ensuring that they transfer relevant knowledge and experience to the unit's staff.
        33-12 Preparing a detailed matrix that lists and classifies the potential risks of suspending or postponing any audit activities, or parts of them, beyond the plan's year, including an assessment and classification of each risk. The matrix should state whether the suspension or postponement was requested by the unit or by other units, and should be submitted to the audit committee for approval of the high- and medium-risk cases, with the reasons and considerations, so that the risks continue to be addressed.
        33-13 Identifying the factors to consider when selecting branch samples for field audits in the targeted geographic area.
        33-14 Encouraging audit unit staff to obtain the Certified Internal Auditor (CIA) certification and other professional certifications (or one of them) to enhance the competence of internal auditors in the banking sector.
        33-15 Enabling and supporting an independent external quality assessment of the audit unit's work at least once every five years, in line with the board-approved policy and based on the direction and approval of the audit committee, to ensure the quality of audit outputs; this includes selecting the independent assessment provider. The results should be presented to the committee and reported to the board.
    • SAMA's Non-Objection to Appointing or Changing the Unit Head

      34-Taking into account the Requirements for Appointing to Senior Positions in financial institutions under the supervision of SAMA, and the Key Principles of Governance in Financial Institutions issued by SAMA, the bank must obtain SAMA's prior non-objection to the appointment, assignment, or extension of the term of the head of the unit. Additionally, the bank must obtain SAMA's prior non-objection if the head of the unit leaves their position (resignation, transfer to another role, termination of service, etc.), with documentation and explanation of the reason for the change.
    • Internal Work Procedures for the Unit

      35-Procedural manuals should be developed for the unit (either as an independent document or as part of the audit manual) to guide its staff in performing daily activities. These manuals should cover all activities of the unit in detail, providing step-by-step instructions. Each activity should include a sequential workflow that outlines the complete cycle of each process along with descriptive guidance. The manuals should align with detailed guidelines for implementing the audit policy.
      36-Detailed work guides should also be provided for using technical audit systems to assist both current and newly joined staff in using the systems effectively and understanding their capabilities.
      37-When developing work procedures for the unit, reference should be made to the standards and guidelines from the Institute of Internal Auditors, including the "International Standards for the Professional Practice of Internal Auditing" and its updates, as well as best practices for guidance in the procedures.
    • Units and Entities Subject to Internal Audit and the Audit Cycle

      38-The unit must document a comprehensive list of the bank's units and its affiliated entities subject to audit, serving as a comprehensive framework for audit processes.
      39-This list should cover all operational units, products, services, systems, risks, and processes of the bank.
      40-The list should include all requirements set by SAMA for the unit and be part of the comprehensive audit framework.
      41-The unit should ensure that the comprehensive audit programs for this list cover the relevant SAMA instructions and internal policies, and that such programs are developed for each unit within the bank and each of its affiliated entities within the comprehensive audit framework.
      42-The unit should develop an official framework for assessing the risks of each unit in the bank and each of its affiliated entities listed, assessing each one separately. This framework should also identify the risk factors used as the basis for the assessment, such as the latest audit assessment, the time elapsed since the last audit, the applicable and realized risk levels, complexity, and so on. The frequency of audits for each unit in the bank and its affiliated entities may be based on this risk assessment (e.g., increasing the frequency for high-risk units and entities).
      43-The unit should review all units in the bank and its affiliated entities documented in the list at least annually to ensure completeness and coverage of all units, products, systems, and procedures of the bank.
      44-The unit should document an official audit cycle that covers all units in the bank and its affiliated entities listed, and execute this cycle within a defined period, which may extend from three to four years depending on the risk classification of each listed item, in accordance with the risk-based approach.
    • Risk Assessment Methodology

      45-The risk assessment methodology should include the following:
        45-1 Documented and detailed guidelines that assist internal auditors in classifying risks when preparing each observation.
        45-2 Documented and detailed guidelines for assessing risks in the overall audit report.
        45-3 Identification of the quantitative and qualitative factors necessary to facilitate understanding and consistent application by audit staff.
        45-4 Classification of the bank's internal violation reports (of which the audit unit should receive copies) based on their risk level, the extent to which they were escalated to the competent authority in the bank, and their documentation.
        45-5 All instances of non-compliance with SAMA instructions should be classified as high risk, unless a different classification is supported by specific justifications approved by the compliance unit. These justifications should be based on a risk classification mechanism that takes into account the size and impact of the non-compliance.
    • Risk-Based Internal Audit Plan

      46-The head of the unit is responsible for preparing the annual internal audit plan and its implementation schedules, and for seeking approval from the Audit Committee. When preparing the plan, a thorough risk assessment should be undertaken (considering inputs from executive management). The plan can be part of a multi-year plan, in which case it should be reviewed and updated annually aiming to respond to changes in the sector and in the bank's risk profile, or more frequently, throughout the year, to enable continuous and real-time assessment of areas where significant risks may arise.
      47-The annual audit plan should include a list of business units and activities subject to audit and risk assessment, with well-prepared documentation to ensure a systematic audit approach.
      48-In implementing the annual audit plan, the audit work programs must include detailed audit procedures for each business unit subject to review, with sufficient clarification of the scope of the review and the surveys to be performed, and must ensure coverage of all potential key or significant risks, control elements, and regulatory supervisory instructions. It should be taken into account that the assessment and analytical skills of internal auditors are essential to ensuring a high quality of internal audit.
      49-A list of all supervisory expectations of the audit unit must be compiled, and this requirement should be stipulated in the unit's policy or procedures. This list, along with the required areas in the comprehensive audit framework, should serve as one of the sources (together with the audit cycle, the bank's most significant risks, new or emerging risk areas, and so on) for developing the annual internal audit plan. Wherever SAMA specifies an audit frequency, that frequency takes precedence over the frequency derived from the audit unit's internal risk assessment.
      50-Adequate resources must be available to support the unit in performing its duties, in accordance with the annual internal audit plan.
      51-The unit should periodically conduct a self-assessment of specific requirements from SAMA and other regulatory bodies. Capabilities should be developed, and sufficient resources allocated to these areas, ensuring adequate space for them in the internal audit plan.
    • Information Technology for the Unit

      52-The unit should carry out its activities using appropriate technological systems to enhance the efficiency of the internal audit function.
      53-The unit should conduct a formal gap analysis of its current automation tools, address and close these gaps, highlight activities currently performed manually, develop action plans to automate all such activities wherever feasible, and escalate these plans to the Audit Committee for monitoring purposes.
    • Quality Assurance and Performance Improvement Program

      54-The unit should establish an internal function reporting directly to the head of the unit, dedicated to quality assurance and performance improvement, and should be staffed with qualified and suitably experienced resources.
      55-The internal audit unit should implement a quality assurance and performance improvement program covering all aspects of internal audit activities. This program should include both internal evaluations (ongoing assessments and annual comprehensive reviews) and external evaluations (conducted at least once every five years), with the results reported to the Audit Committee.
      56-The quality assurance and performance improvement unit must review and evaluate all activities and reports of the audit unit on an ongoing basis. The head of the audit unit must submit regular reports on the review and evaluation results of that unit (both ongoing and annual) to the Audit Committee.
      57-The quality assurance and performance improvement unit should be responsible for reviewing and updating the internal policies and procedures of the internal audit unit, training and motivating its staff, and working on enhancing the quality of work and other performance improvement tasks.
    • Periodic Reports to the Audit Committee

      58-The internal audit unit should prepare periodic reports on its reviews and submit them to the Audit Committee. The committee, in turn, should submit these reports directly and independently to the board without any revisions from the executive management or any other source. The reports should, at a minimum, include:
        58-1 A quarterly report: This should include an assessment of the internal control system of the units reviewed, the findings and recommendations related to the work units audited, the actions taken by each unit regarding the findings and recommendations from the previous review, and an explanation of the status of findings not addressed by the executive management. It should also detail instances of failure to respond promptly to those findings and recommendations, along with the reasons for such failures.
        58-2 An annual general (comprehensive) report: This should include an assessment of the bank's internal control system and the audit activities conducted during the financial year compared to the approved plan. It should also state the reasons for any shortcomings or deviations from the plan, if any. The report is due no later than the end of the quarter following the end of the relevant financial year, or according to the dates in the approved annual plan.
    • Database and Document/Report Storage

      59-The audit unit must establish a database for its operations and update it continuously.
      60-In accordance with the relevant regulations of the central bank and other regulatory bodies, all internal audit reports, findings, recommendations, corrective action plans, and supporting documents should be stored electronically in the database. This includes any results obtained by independent auditors that had previously been identified by audit staff, as well as all work-related documents, internal audit achievements, results, recommendations, and measures taken in accordance with the relevant central bank instructions.
      61-A formal manual (either independently or as part of the audit manual) for record retention and storage mechanisms should be prepared and approved. This manual should describe the methods of storage and details of all work papers and information to be retained, the minimum retention period, and the recommendations of the audit unit. This should be done considering the data and information retention regulations and instructions provided by the relevant supervisory regulatory authorities.