Principle (5): Internal Audit Policy

No: 43037826 Date(g): 1/12/2021 | Date(h): 26/4/1443 Status: In-Force

Translated Document

24- The head of the unit must prepare and periodically update an internal audit policy, and have it approved by the board based on the recommendation of the audit committee.
25- The key items of the policy must include, at a minimum:
  25-1 The purpose of establishing the unit, and its scope and methodology of work.
  25-2 Its organizational position within the bank, its authorities, responsibilities, and its relationships with other control units.
  25-3 The key characteristics of the unit as outlined in these principles.
  25-4 Ensuring what enhances its role and performance of its duties and responsibilities.
  25-5 The right to communicate directly with any bank employees, and to examine the activities of any bank unit or its affiliated entity, if the affiliated entities do not have independent review units or committees, without breaching related regulations and instructions.
  25-6 The right to access any records, files, data, or physical assets of the bank, without conflicting with relevant SAMA instructions.
  25-7 The right to obtain copies of records and supporting documents for audit activities, including access to administrative information systems, records, and minutes of all advisory bodies in the bank and decision-making entities.
  25-8 The right to enable the unit to perform its role and achieve its responsibilities for reviewing all activities of the bank's units and its affiliated entities internally and externally, if the affiliated entities do not have independent review units or committees, without breaching related regulations and instructions.
  25-9 The right to escalate to the audit committee without any restrictions when needed.
  25-10 The obligation to communicate the results of internal auditors derived from their work, clarify the method of doing so, and specify the receiving entities - administrative dependencies - for these reports.
  25-11 The unit's responsibility to the audit committee for all matters related to its performance of duties and responsibilities.
  25-12 The responsibility of the head of the unit.
  25-13 The conditions and terms for coordination and follow-up of work between the unit and external auditors.
  25-14 The conditions and terms under which advisory or consulting services can be requested from the unit or assigned special tasks, without violating relevant instructions.
  25-15 The commitment to conduct an independent external assessment of the unit's work quality and adherence to ethical conduct and compliance with internal audit principles for local banks in the country, at least once every five years.
  25-16 In accordance with SAMA's instructions on Rules on Outsourcing tasks to third parties, the conditions and terms that determine the method, timing, and circumstances of outsourcing any of the unit's specialized limited tasks to external service providers, ensuring the primary basis and minimum requirement is the lack of specialized expertise within the unit for such tasks (e.g., information security), with the board being primarily responsible and the unit for proper oversight, performance under a non-disclosure agreement, achieving knowledge transfer and experience gain to unit staff, not affecting the unit's ability to work independently and objectively, and not contracting with a provider previously contracted for the same task unless at least three years have passed, and ensuring that the service provider is not a current external auditor of the bank, and does not impede the effectiveness of SAMA oversight, and obtaining its prior approval for the outsourcing.
  25-17 The requirements and mechanisms for reviewing the bank's affiliated entities that do not have independent review units or committees.
  25-18 The commitment to international standards for internal audit relevant to the field.
  25-19 The scope and contents of the periodic report of the unit submitted to the board.
  25-20 The authority to refer to the Unified Internal Audit Charter of the Institute of Internal Auditors and use the standards specified therein as a guideline when preparing the internal audit policy. Banks may add what they deem important, as necessary, without violating relevant regulations, policies, and procedures.
26- The policy should focus on the guiding principles for internal audit and control areas, including high-level guidance for each activity of the audit unit, and provide a formally documented mechanism to resolve any discrepancies in viewpoints that may arise with the unit, for example, regarding the classification of findings, general report classification, contents, prominent risks, etc.
27- This policy should be made available to all bank stakeholders for review through the appropriate mechanism followed by the bank.