Your access and use of SAMA Regulatory Rulebook and its content is considered as an acceptance and approval of commitment by you without any limitation or condition to the following:
SAMA Regulatory Rulebook is a platform that aims to assist the regulated entities to access SAMA regulatory content adeptly and efficiently.
SAMA Regulatory Rulebook is still on its development and soft launch stage. SAMA is not liable for its contents and does not warrant or represent that (the Services related to the platform, information or material presented in the platform) is displayed free of any inaccuracies, omissions, or errors (“Faults”). SAMA accepts no liability for any loss, claim or damage resulting from any use of the platform, and any decisions made, or actions taken based on the information contained in or generated by the platform.
SAMA Regulatory Rulebook has no legal effect and it does not aim to amend or revoke any legal provisions. The Rulebook still Contains some documents under review, including translated versions. Therefore, SAMA Regulatory content circulated through SAMA official channels remains in force.
Without prejudice to the terms of use of SAMA website Hereby, you acknowledge that any illegal, unauthorized use and/or any breach of any of these provisions may result in legal actions against you.
Units and Entities Subject to Internal Audit and the Audit Cycle
No: 43037826
Date(g): 1/12/2021 | Date(h): 26/4/1443
Status: In-Force
Translated Document
38-
The unit must document a comprehensive list of the bank's units and its affiliated entities subject to audit, serving as a comprehensive framework for audit processes.
39-
This list should cover all operational units, products, services, systems, risks, and processes of the bank.
40-
The list should include all requirements set by SAMA for the unit and be part of the comprehensive audit framework.
41-
Ensure that the comprehensive audit programs for this list cover relevant SAMA instructions and internal policies, and that they are developed for each unit within the bank and its affiliated entities within the comprehensive audit framework.
42-
The unit should develop an official framework for assessing the risks of each unit in the bank and its affiliated entities listed separately. This framework should also identify risk factors, such as: the latest audit assessment, time elapsed since the last audit, applicable and realized risk levels, complexity, etc., as a basis for risk assessment. The frequency of audits for each unit in the bank and its affiliated entities may be based on this risk assessment (e.g., increasing the frequency for high-risk units and entities).
43-
The unit should review all units in the bank and its affiliated entities documented in the list at least annually to ensure completeness and coverage of all units, products, systems, and procedures of the bank.
44-
The unit should document an official audit cycle that covers all units in the bank and its affiliated entities listed, and execute this cycle within a defined period, which may extend from three to four years depending on the risk classification of each listed item, in accordance with the risk-based approach.
