1) Saudi Arabian Monetary Agency (SAMA) is empowered to regulate the commercial banks by its Charter issued by the Royal decree No. 23 dated 23-5-1377H (15 December 1957G). In exercise of the powers vested upon it under its Charter and the Banking Control Law, SAMA has issued Guidelines on Internal Controls which represent minimum requirements for banks operating in Saudi Arabia.
2) In 1989, SAMA issued Guidelines on Internal Controls for Commercial Banks which provided details of internal controls that were to be applied by a bank for its various activities, processes and products, such as controls on cash, investments, loans, deposits, letters of credit, etc. Since the issuance of the 1989 Guidelines on Internal Controls, a number of developments have taken place. It is now widely recognized that there are no specific or prescribed controls or risk mitigants for a banking activity or process; instead the type and extent of internal control depends upon the risk appetite and risk tolerance associated with that banking activity or process and that are necessary to achieve its strategic objectives. Nevertheless, there are certain universally accepted and time-tested principles which need to be followed while developing an internal control framework irrespective of the strategic objectives and associated risks, size, nature or complexity of a bank’s business or an organization.
3) These guidelines include a brief introduction to the Internal Controls, followed by Objectives of Internal Control System, Control Principles, Components of Internal Control System, Responsibilities of key players, Implementation of Internal Controls, Evaluation of Internal Controls, and finally, Reporting of Internal Controls. The salient features of the guidelines are as under:
   a) Objectives of internal controls can be divided into three categories - performance, information and compliance objectives. Internal controls for assets protection, operational efficiency and risk management tend to achieve performance objective; those meant for ensuring accuracy of recording and adequacy of disclosure are meant to serve information objective, and those for ensuring adherence to laws, regulations and internal policies, are meant to serve compliance objective of internal controls.
   b) For establishing an internal control framework, it is important to identify and understand its different components. Major components include: Control environment; Risk assessment; Instituting Control; Accounting, information and communication systems; and Self-assessment or monitoring.
   c) Regarding responsibility for putting in place an effective internal control system, all employees are ultimately responsible for operating and maintaining an efficient internal control system at their respective levels. However, the Board of Directors is responsible for ensuring the existence of an efficient internal control system. Management is responsible for appropriate design and functioning of the system, and the internal audit and compliance for continuous monitoring and evaluation of that system. Also, the external auditor is responsible for determining the adequacy of internal control and deciding on the level of reliance in forming his opinion and finally, the regulator is responsible for reviewing the internal controls for ensuring compliance with relevant guidelines, laws and regulations.
   d) Regarding implementation of internal controls, it should be noted that there is no universal model or design for this purpose. It depends upon the organization's strategic objectives and associated risks, size, nature, complexity, scope, etc. However, as a minimum, the implementation process should involve all functions and key players - Board, Audit Committee, Risk Management Committee, Senior Management, Risk Management, Internal Audit and Compliance function. They should compare the current best practices with the control model and identify gaps, if any; assess the business environment, organization culture and key players to ensure that the internal control system is functioning effectively.
   e) Evaluation is an important activity and is meant to detect errors / discrepancies in the internal control system; to minimize deviations from policies, procedures and laws; and to recommend improvements. Evaluation is a multi-party process done by Compliance Officer, Internal Auditor, External Auditor and the Supervisor. Different parties use different techniques keeping in view the objectives of their evaluation.
   f) The final part of the guidelines concerns reporting on internal controls. The reports are evidence of understanding of the Board of Directors, management and auditors regarding the robustness and effectiveness of internal controls vis-a-vis activities of the institution.
4) The attached guidelines are aimed at providing guidance to banks in instituting an effective internal control system. The banks are required to take necessary steps, including evaluation and documentation of their existing internal control practices in light of SAMA's Guidelines on Internal Controls. They should act to address gaps identified as a result of the evaluation and train their staff to implement these within the timelines as stated in section 6 of attached Guidelines on Internal Controls.
5) These guidelines shall be applicable to locally incorporated banks as well as the branches of foreign banks (the banks). The branches of foreign banks licensed and operating in Saudi Arabia shall also follow these Guidelines and apply them to the extent practical and with such modifications as may be considered expedient keeping in view the size and complexity of their business activities. In case of foreign banks' branches, the responsibilities of Board of Directors as explained in these guidelines will rest with the Chief Executive Officer or a designated Senior Management Committee at Head Office level that is responsible for the branch.
6) The attached Guidelines shall come into force with immediate effect and banks are advised to take necessary steps to ensure compliance with these guidelines. In case there are any practical issues in implementation, banks should approach SAMA to seek further guidance for addressing such issues. The attached guidelines will replace the previously issued Guidelines on Internal Controls for Commercial Banks vide circular dated 9 December 1989.