Principles of Internal Auditing for Local Banks Operating in Saudi Arabia
No: 43037826 | Date (G): 1/12/2021 | Date (H): 26/4/1443 | Status: In-Force | Translated Document
In line with the supervisory and regulatory role of SAMA, its commitment to enhancing the systematic performance of internal audit units in independently and objectively evaluating the adequacy and effectiveness of governance processes, risk management, internal controls, and implemented policies and procedures, and the powers granted to it under its Law, issued by Royal Decree No. (M/36) dated 11/04/1442H, and other related regulations, SAMA issues this first edition of the Principles of Internal Auditing for Local Banks Operating in the Kingdom.
For your information and action accordingly, effective as of 01/01/2022G.
Chapter One: Introduction, Definitions, and General Provisions
1. Introduction
1-1 SAMA has issued these principles based on its supervisory and regulatory powers as outlined in the following regulations:
A: The Saudi Central Bank Law, issued by Royal Decree No. (M/36) dated 11/04/1442 H.
B: The Banking Control Law, issued by Royal Decree No. (M/5) dated 22/02/1386 H.
1-2 These principles are structured into three chapters:
Chapter One: Clarifies the terms used and the general provisions.
Chapter Two: Provides an overview of the roles, responsibilities, and duties of the Board of Directors, the Audit Committee, and Executive Management in relation to internal audit, as stipulated by relevant regulations and guidelines, including the requirements for their effective implementation.
Chapter Three: Includes detailed and comprehensive requirements concerning the activities, roles, and responsibilities of the internal audit function. It highlights its position as the third line of defense, complementing the first and second lines of defense. This chapter also underscores the role of internal audit as a tool for oversight and supervision within the bank, rather than a replacement for the bank's management, ensuring alignment with regulatory requirements, guidelines, and best practices, while considering the unique nature and application style of banking institutions.
2- Definitions
The following terms wherever they appear in these principles are intended to have the meanings specified next to each of them, unless the context requires otherwise:
Term: Definition
Central Bank: Saudi Central Bank.
Bank: Local commercial banks licensed to conduct banking operations in the Kingdom.
Board: Board of Directors of the bank.
Audit Committee: One of the committees formed by the Board, established by a decision of the ordinary general assembly.
Executive Management: The bank's senior management, who are responsible for managing the bank's daily operations, proposing strategic decisions, and implementing them.
Unit: The internal audit unit in the bank, overseen by its head and staffed by those responsible for internal auditing tasks and responsibilities.
Head of the Unit: The person responsible for managing the unit.
Internal Auditors: The staff in the unit responsible for carrying out the tasks and responsibilities of internal auditing.
Principles: Principles of Internal Auditing for Local Banks Operating in the Kingdom of Saudi Arabia.
Internal Audit Function: An independent evaluation activity that provides objective assurance and consulting services on the quality, adequacy, and effectiveness of the bank's internal control system. This involves a systematic, organized approach to auditing accounting, financial, operational, and other processes, and to assessing and improving governance, risk management, and control effectiveness.
Internal Audit Policy: The official document approved by the Board that defines and clarifies the unit's purpose, scope of activity, organizational position, functional and administrative reporting lines, responsibilities, authority, relationships with other units, and the principles and methodology the bank follows regarding internal control. It also grants access to the records, staff, and physical assets necessary to perform its duties.
Regulations and Rules: The regulations and rules that apply to the banking sector and its members.
Instructions: All that is issued by SAMA in its supervisory and regulatory capacities over the banking sector, as well as what is issued by relevant authorities in terms of regulations, rules, principles, frameworks, guidelines, and mandatory circulars.
Independence: Freedom from circumstances and conditions that affect the unit's ability to perform internal auditing tasks and responsibilities in a professional, objective, and unbiased manner.
Conflict of Interest: The situation or situations in which the head of the unit or its staff have, or appear to have, a direct or indirect interest or relationship in a matter under consideration by them for the purpose of making a decision regarding it, such that this interest or relationship prevents, or leads to the belief that it has hindered, their ability to express their opinion or make their decision independently, impartially, and objectively, without regard to this interest or relationship.
Objectivity: Neutral professional behavior based on facts that enables internal auditors to perform their tasks in a way that assures them of the quality of their work and its desired outcomes, without any substantial interference or influence from outside the unit affecting its quality, and without being swayed by personal beliefs and emotions.
Consulting Services: Consultations carried out at the specific request of one of the units in the bank.
First Line of Defense: Business units responsible for identifying, assessing, and managing the risks of their activities early and continuously, and accepting those risks within acceptable limits.
Second Line of Defense: Regulatory units and support units such as risk management, compliance, legal, Sharia (if applicable), finance, and technology related to business units, responsible for verifying through a comprehensive and systematic perspective that the business units in the first line of defense have appropriately identified and are appropriately managing their business risks.
Third Line of Defense: The internal audit unit (the Unit), responsible for independently and objectively evaluating and confirming the adequacy and effectiveness of governance, risk management, controls, policies, and procedures implemented by the first and second lines of defense, enhancing confidence in them, and providing the executive management with reasonable assurance that the policies and procedures align with the specified expectations.
Stakeholders: All those with a direct interest in the unit, specifically: the Board, the Audit Committee, executive management, business units in the bank, external auditors, external consultants, and others. Indirectly, this includes shareholders, investors, and customers.
3. General Provisions
3-1 The general purpose of these principles is to establish the minimum requirements necessary for the internal audit function to perform efficiently and optimally within a unified, comprehensive, and robust framework. This framework serves as a tool to enhance self-regulation and lay the foundations for performing internal audits and improving the bank's operations and activities. The methods for implementing these principles depend on various factors, including: the size of the bank, the complexity of its operations, its geographical scope, the regulatory framework, and the instructions it operates within.
3-2 The primary objectives of these principles are:
1) To protect the bank's assets, continuously ensure the soundness, adequacy, and effectiveness of processes, and the accuracy and reliability of reports, especially financial reports prepared for various purposes and stakeholders. This includes instilling confidence in these reports, enhancing the data contained within them, and protecting the interests of stakeholders.
2) To enhance compliance with the requirements of regulatory and supervisory authorities, ensuring that the bank and its employees adhere to laws, regulations, and instructions.
3-3 The internal audit function represents the third and final line of defense in the three lines of defense model. It is directly accountable to the Board and the Audit Committee on a continuous and ongoing basis for evaluating and confirming the adequacy and effectiveness of governance, risk management, and control processes, as well as the policies and procedures implemented by the first and second lines of defense. This line of defense enhances confidence in those processes and contributes to their improvement through a structured risk-based approach, optimizing resource use by directing audit activities towards the bank's most significant and high-risk areas. It performs these activities objectively, considering the defined strategies and goals.
The importance of this line of defense is bolstered by its independence, which strengthens its objectivity and credibility, ensures proactive effectiveness, provides new insights, identifies future impacts, and promotes appropriate ethics and values, thereby giving executive management reasonable assurance that policies and procedures align with defined expectations.
3-4 These principles do not alter the requirements imposed on banks by other relevant regulations, laws, and instructions.
3-5 SAMA has issued several instructions related to internal audit requirements, and these principles should be read alongside them, as applicable, including but not limited to:
1) Key Principles of Governance in Financial Institutions under SAMA's supervision and control.
2) Principles of Conduct and Work Ethics in Financial Institutions.
3) Principles of Compliance for Commercial Banks Operating in the Kingdom of Saudi Arabia.
4) Anti-Money Laundering and Counter-Terrorism Financing Guide.
5) Rules for Bank Accounts.
6) Regulatory Rules for the Operation of Self-Regulation Units and Committees.
7) Principles of Financial Fraud Prevention in Banks Operating in the Kingdom.
8) Shariah Governance Framework for Local Banks Operating in Saudi Arabia.
9) Whistleblowing Policy for Financial Institutions.
10) Risk Management Instructions.
11) Rules on Outsourcing.
12) Cyber Security Framework.
13) Business Continuity Management Framework.
14) Information Technology Governance Framework.
3-6 The internal audit function is the subject of international attention, with various international bodies and organizations issuing guidance on it. These should be referenced and consulted, including but not limited to:
1) Basel Committee on Banking Supervision (BCBS).
2) Institute of Internal Auditors (IIA).
3) Committee of Sponsoring Organizations of the Treadway Commission (COSO).
4. Scope of Application
These principles apply to all local banks operating in the Kingdom.
Chapter Two: Roles and Responsibilities of the Board and Executive Management Regarding Internal Audit
Principle (1): Board Responsibilities for Internal Audit
5- To ensure that the ordinary general assembly performs its functions regarding the Audit Committee and internal auditing as specified, in accordance with the provisions of the Companies Law and its implementing regulations, the Corporate Governance Regulations issued by the Capital Market Authority, and the Key Principles of Governance in Financial Institutions issued by SAMA, the Board is required to do the following:
5-1 Submit effective proposals and recommendations that enable the ordinary general assembly to carry out its functions.
5-2 Monitor any developments that occur from time to time in the regulations, rules, and instructions related to internal auditing issued by the relevant authorities.
6- Although the Audit Committee operates independently from the Board and executive management, this does not exempt the Board, according to the Key Principles of Governance in Financial Institutions, from the responsibility of effectively overseeing the Audit Committee and monitoring its work and assigned duties.
7- The following responsibilities fall upon the Board concerning the roles and responsibilities of executive management regarding internal auditing:
7-1 The ultimate responsibility for ensuring that executive management establishes and maintains an appropriate, efficient, and effective internal control framework that identifies, measures, monitors, and manages all risks faced by the bank.
7-2 Ensuring that the effectiveness and efficiency of the internal control system are reviewed based on information provided by the internal audit function, without relying solely on it.
8- Without prejudice to the powers, duties, and responsibilities of the Board according to the relevant SAMA instructions and other regulatory authorities, the Board has the responsibility to continuously ensure the following with respect to the internal audit function:
8-1 Taking all necessary actions to ensure the existence and continued effectiveness of an independent and effective internal audit function within the bank, and periodically updating its organization and operating policies.
8-2 Ensuring that the size of the internal audit function and the qualifications and competence of its head and staff are appropriate to the size of the bank, the nature of its operations, the automated systems in use, and the complexity of its organizational structure.
8-3 Ensuring that the Audit Committee conducts an independent external evaluation of the quality of the internal audit function's performance at least once every five years.
Principle (2): Responsibilities of the Audit Committee towards the Unit
9- Without prejudice to the specific responsibilities and duties of the Audit Committee as defined by regulations and instructions issued by SAMA and other regulatory authorities, the Committee is responsible for the following requirements for effective oversight:
9-1 Recommend that the Board approve the organizational structure of the unit, and review it periodically as needed.
9-2 Recommend to the Board the appointment, reappointment, or dismissal of the head of the unit, or acceptance of their resignation.
9-3 Ensure the presence of appropriate human resources in the unit in terms of quantity, qualifications, and skills, especially in specialized topics, including, for example, the areas of: treasury, finance, international financial reporting standards, anti-money laundering and counter-terrorism financing, technology/cybersecurity risks, governance, Basel standards, liquidity, credit, and provisions, among others.
9-4 Review and approve the audit plan prepared by the head of the unit based on the results of the annual risk assessment, including the scope of the plan and the budget allocated for it.
9-5 Approve the strategy of the unit prepared by its head and monitor its performance alongside the execution of the annual audit plan, in alignment with the bank's overall strategy and objectives, and after coordinating with the relevant department in the bank.
9-6 Review and discuss internal audit reports.
9-7 Review the unit's performance to ensure its ability to carry out its responsibilities independently and objectively.
9-8 Approve performance measurement indicators for the head of the unit and evaluate their performance.
9-9 Ensure that the head of the unit possesses integrity and the ability to perform their duties with honesty, diligence, and responsibility. Verify compliance with regulations and instructions and confirm that they have not been previously involved in any violations.
9-10 Ensure that executive management takes the necessary corrective actions in a timely and appropriate manner to address weaknesses in controls, issues of compliance with policies, regulations, and instructions, as well as other violations, observations, and shortcomings identified and reported by the audit unit with recommendations.
9-11 Conduct the required independent external assessment, according to the approved audit policy, to verify the quality of the unit's work at least once every five years.
Principle (3): Roles and Responsibilities of Executive Management Regarding Internal Audit
10- The executive management has the following responsibilities:
10-1 Develop, apply, and maintain appropriate and effective internal control systems and procedures.
10-2 Fully and unconditionally enable the internal audit unit to access all records, individuals, systems, and buildings, and provide it with the necessary information and data to perform its tasks in a timely and appropriate manner.
10-3 Provide the internal audit unit with updates on new initiatives, projects, products, operational changes, or any amendments to policies and procedures within the bank.
10-4 Ensure that all relevant risks (both known and anticipated) are identified and reported to the internal audit unit at an early stage.
10-5 Share their risk assessments with the internal audit unit to enable the unit to plan audits based on a risk-based approach.
10-6 Implement appropriate measures and corrective actions in a timely and suitable manner regarding all findings and recommendations received from the internal audit unit.
10-7 Encourage inviting representatives of the internal audit unit to attend the meetings of the various administrative committees as permanent invitees, without granting them voting rights.
10-8 Include a key performance indicator for the executive management that reflects the effectiveness of its handling, in an appropriate manner and timing, of the observations reported by the unit.
Chapter Three: Functions, Tasks, and Responsibilities of the Unit
Principle (4): Key Characteristics of the Unit
Independence and Objectivity
11- The unit must be administratively independent from all other business units with activities subject to review, as well as from the first and second lines of defense, in a complementary manner. The unit should have sufficient organizational status and authority within the bank to perform its tasks objectively. The head of the unit and its staff should not undertake or be assigned any other tasks or work in the bank that could compromise their roles, except for internal audit activities, reviewing, and evaluating the effectiveness and efficiency of the internal control system.
12- The unit must have the authority to perform its tasks across all areas of the bank's operations and business units, without any restrictions from the executive management or any source other than its functional reporting line.
13- The unit should have the freedom to discuss its views, results, evaluations, and conclusions directly with the Audit Committee and the Board, and to submit its reports directly to the Audit Committee through a clear organizational structure (functional link).
14- The unit should not be involved in the preparation (design), selection, implementation, or management of specific internal control procedures. However, its independence does not preclude the executive management from requesting internal audit inputs on matters related to risks and internal control, provided that such advisory roles are well-documented in audit procedures and guidelines and are not interpreted as conflicting with its independence.
15- The rotation of staff in the unit to other business units should be governed by a written policy within its operational framework to avoid conflicts of interest. This includes a mandatory cooling-off period of no less than twelve months between the employee’s time in the unit and their subsequent review of activities in the bank’s operational areas where the rotation occurred.
16- Performance rewards for the head of the unit and its staff, if any, should be organized in a way that ensures no conflict of interest or compromise to the unit's independence and ability to work objectively, and in accordance with the relevant instructions issued by the central bank and the bank's reward policies and practices. Their rewards should not be linked to the financial performance of the business activities subject to internal audit, and the head of the unit's rewards should be recommended by the Audit Committee in accordance with the bank's reward policies and practices.
17- The head of the unit should confirm annually - at a minimum - the organizational and functional independence of the unit's activities, either in a dedicated section of the annual report or through a separate official written statement.
18- The unit should have the right to request a meeting with the Audit Committee at any time if there is a need to discuss any topic it wishes to raise.
Professional Competence and Due Diligence
19- The head of the unit must possess leadership skills and the skills necessary to maintain the unit's effectiveness.
20- The head of the unit must have an academic degree in one of the following:
20-1 Either in accounting, auditing, business administration, or another field related to internal auditing, preferably holding a specialized professional certification in internal auditing or accounting such as (QIAI), (CIA), (SOCPA), (CPA), or an advanced degree in accounting, auditing, or business administration.
20-2 Or in a specialized technical field such as (CISA) Certified Information Systems Auditor or (CISM) Certified Information Security Manager; in this case, they must also hold one of the professional or advanced certifications specified in (1) above.
In both options, they must have sufficient practical experience in internal auditing and possess appropriate leadership skills to fulfill their responsibilities while maintaining the unit's independence and objectivity.
21- The head of the unit, without conflicting with the bank's general employment policies, procedures, and requirements, must establish standards to attract competent individuals to the unit who possess professional competence, scientific knowledge, experience, qualifications, skills, and the ability to gather and understand information, examine and evaluate evidence during the audit process, and communicate with stakeholders. This requirement also includes supporting, enabling, and training national talents.
22- The head of the unit must assess the skills of the unit's staff, monitor their development, and ensure they receive continuous, relevant training to meet the technical requirements of banking activities, adapt to the increasing diversity of tasks due to new products, services, and procedures, and keep up with other developments in the financial sector.
Professional Ethics for the Head of the Unit and Its Staff
23- In accordance with the Principles of Conduct and Work Ethics in Financial Institutions issued by SAMA, and to ensure the maintenance of professional standards for the unit at all times, the bank's code of conduct and ethics should, at a minimum, include principles of objectivity, behavior, competence, confidentiality, and integrity, and should stipulate the following:
23-1 The necessity of demonstrating professionalism, integrity, honesty, and trustworthiness.
23-2 Emphasis on maintaining the confidentiality of information obtained during the performance of duties, avoiding the use of such information for personal gain or harmful activities, and taking care to protect the information acquired.
23-3 Avoidance of conflicts of interest.
To this end, the head of the unit must take adequate measures to ensure that its staff consistently adhere to integrity, comply with internal audit principles, and follow the Principles of Conduct and Work Ethics in Financial Institutions issued by SAMA.
Principle (5): Internal Audit Policy
24- The head of the unit must prepare and periodically update an internal audit policy, and have it approved by the Board based on the recommendation of the Audit Committee.
25- The key items of the policy must include, at a minimum:
25-1 The purpose of establishing the unit, and its scope and methodology of work.
25-2 Its organizational position within the bank, its authorities, responsibilities, and its relationships with other control units.
25-3 The key characteristics of the unit as outlined in these principles.
25-4 Whatever enhances its role and the performance of its duties and responsibilities.
25-5 The right to communicate directly with any bank employee, and to examine the activities of any bank unit or its affiliated entities, if the affiliated entities do not have independent review units or committees, without breaching related regulations and instructions.
25-6 The right to access any records, files, data, or physical assets of the bank, without conflicting with relevant SAMA instructions.
25-7 The right to obtain copies of records and supporting documents for audit activities, including access to administrative information systems, records, and minutes of all advisory bodies and decision-making entities in the bank.
25-8 The right to enable the unit to perform its role and achieve its responsibilities for reviewing all activities of the bank's units and its affiliated entities, internally and externally, if the affiliated entities do not have independent review units or committees, without breaching related regulations and instructions.
25-9 The right to escalate to the Audit Committee without any restrictions when needed.
25-10 The obligation to communicate the results of the internal auditors' work, clarify the method of doing so, and specify the receiving entities (administrative dependencies) for these reports.
25-11 The unit's responsibility to the Audit Committee for all matters related to its performance of duties and responsibilities.
25-12 The responsibility of the head of the unit.
25-13 The conditions and terms for coordination and follow-up of work between the unit and external auditors.
25-14 The conditions and terms under which advisory or consulting services can be requested from the unit or special tasks assigned to it, without violating relevant instructions.
25-15 The commitment to conduct an independent external assessment of the unit's work quality, its adherence to ethical conduct, and its compliance with the internal audit principles for local banks in the Kingdom, at least once every five years.
25-16 In accordance with SAMA's Rules on Outsourcing tasks to third parties, the conditions and terms that determine the method, timing, and circumstances of outsourcing any of the unit's specialized, limited tasks to external service providers. The primary basis and minimum requirement is the lack of specialized expertise within the unit for such tasks (e.g., information security), with the Board being primarily responsible and the unit responsible for proper oversight; the work is performed under a non-disclosure agreement; knowledge and experience are transferred to the unit's staff; the unit's ability to work independently and objectively is not affected; no provider previously contracted for the same task is contracted again unless at least three years have passed; the service provider is not a current external auditor of the bank; the outsourcing does not impede the effectiveness of SAMA's oversight; and SAMA's prior approval for the outsourcing is obtained.
25-17 The requirements and mechanisms for reviewing the bank's affiliated entities that do not have independent review units or committees.
25-18 The commitment to the international standards for internal audit relevant to the field.
25-19 The scope and contents of the periodic report of the unit submitted to the Board.
25-20 The authority to refer to the Unified Internal Audit Charter of the Institute of Internal Auditors and to use the standards specified therein as a guideline when preparing the internal audit policy.
Banks may add what they deem important, as necessary, without violating relevant regulations, policies, and procedures.
26- The policy should focus on the guiding principles for internal audit and control areas, including high-level guidance for each activity of the audit unit, and provide a formally documented mechanism to resolve any differences of viewpoint that may arise with the unit, for example regarding the classification of findings, the general report classification, contents, prominent risks, etc.
27- This policy should be made available to all bank stakeholders for review through the appropriate mechanism followed by the bank.
Principle (6): Organization, Tasks, and Responsibilities of the Unit
Organizational Structure and Reporting
28- The unit must have a clearly defined organizational structure approved by the Board, reporting functionally to the Audit Committee and administratively to the CEO. This structure should reflect the specialized roles within the unit and be appropriate to the size, nature, and complexity of the bank's operations.
29- It is preferable for the unit to form a specialized team of experienced and competent senior auditors to manage and ensure the execution of all audit requests required by SAMA, continuously providing high-quality outputs.
30- The unit should report its audit findings to the Audit Committee and the CEO, without the results of these reports affecting the performance evaluation and compensation of the unit's head and its staff.
31- The unit must inform the executive management of all significant findings related to the implementation and maintenance of an appropriate and effective internal control system and procedures, enabling the executive management to take timely and appropriate corrective actions. The unit should also follow up on the results of these corrective actions with the executive management.
Requirements and Responsibilities of the Unit Head
32- The unit head must possess the necessary independence, objectivity, competencies, and ethics to effectively perform their role and duties.
33- Their responsibilities must be clearly defined and should include, at a minimum, the following:
33-1 Attracting human resources with suitable qualifications and skills, based on a formal analysis of the unit's actual needs for performing its activities efficiently, comparing those needs with the available human resources and their competency levels, developing a plan to meet these needs and competencies, and formally sharing it with the Audit Committee for monitoring and evaluation. The analysis should consider international standards, emerging risk areas, and audit experience.
33-2 Working towards Saudization of the unit's positions as required by relevant regulations.
33-3 Developing teams and skills related to audit techniques with the aid of technical systems and performance analysis programs, to expand the scope of their reviews and manage system-related risks more comprehensively.
33-4 Continuously monitoring, evaluating, and developing the unit's staff.
33-5 Ensuring the unit's adherence to integrity and compliance with sound internal audit standards.
33-6 Developing the internal audit plan, obtaining approval from the Audit Committee, and periodically reviewing and updating it.
33-7 Developing and periodically reviewing the internal audit policy as needed and at each Audit Committee cycle, and submitting it along with any updates to the Board for approval based on the Audit Committee's recommendation.
33-8 Formulating an internal audit strategy aligned with the bank's strategy, obtaining approval from the Audit Committee, and regularly reporting the results and compliance to the Committee.
33-9 Participating in relevant committees, such as those for risk and compliance, while adhering to the Key Principles of Governance in Financial Institutions.
33-10 Meeting with the Audit Committee individually whenever necessary.
33-11 Monitoring the work of external service providers when some or all of the internal audit tasks are outsourced, ensuring their adherence to the internal audit policy, verifying that they do not affect the unit's independence and objectivity, and ensuring that they transfer relevant knowledge and experience to the unit's staff.
33-12 Preparing a detailed matrix listing and classifying the potential risks resulting from suspending or postponing any audit activities, or parts of them, beyond the plan's year, including an assessment and risk classification. This should state whether the suspension or postponement is requested by the unit or by other units, and be submitted to the Audit Committee for approval of high- and medium-risk cases, with reasons and considerations, ensuring that the risks continue to be addressed.
33-13 Identifying the factors to consider when selecting branch samples for field audits in the targeted geographic area.
33-14 Encouraging audit unit staff to obtain the Certified Internal Auditor (CIA) certification and other professional certifications (or one of them) to enhance the competence of internal auditors in the banking sector.
33-15 Enabling and supporting the implementation of an independent external quality assessment of the audit unit's work at least once every five years, to ensure the quality of audit outputs, in line with the Board-approved policy and based on the direction and approval of the Audit Committee, including selecting the independent assessment provider. The results should be presented to the Committee and reported to the Board.
SAMA's Non-Objection to Appointing or Changing the Unit Head
34- Taking into account the Requirements for Appointing to Senior Positions in financial institutions under the supervision of SAMA, and the Key Principles of Governance in Financial Institutions issued by SAMA, the bank must obtain SAMA’s prior non-objection to the appointment, assignment, or extension of the term of the head of the unit. Additionally, the bank must obtain SAMA’s prior non-objection if the head of the unit leaves their position (resignation, transfer to another role, termination of service, etc.), with documentation and explanation of the reason for the change.
Internal Work Procedures for the Unit
35- Procedural manuals should be developed for the unit (either as an independent document or as part of the audit manual) to guide its staff in performing daily activities. These manuals should cover all activities of the unit in detail, providing step-by-step instructions. Each activity should include a sequential workflow that outlines the complete cycle of each process along with descriptive guidance. The manuals should align with the detailed guidelines for implementing the audit policy.
36- Detailed work guides should also be provided for using technical audit systems, to assist both current and newly joined staff in using the systems effectively and understanding their capabilities.
37- When developing work procedures for the unit, reference should be made to the standards and guidelines of the Institute of Internal Auditors, including the "International Standards for the Professional Practice of Internal Auditing" and its updates, as well as best practices, for guidance in the procedures.
Units and Entities Subject to Internal Audit and the Audit Cycle
38- The unit must document a comprehensive list of the bank's units and its affiliated entities subject to audit, serving as a comprehensive framework for audit processes.
39- This list should cover all operational units, products, services, systems, risks, and processes of the bank.
40- The list should include all requirements set by SAMA for the unit and be part of the comprehensive audit framework.
41- Ensure that the comprehensive audit programs for this list cover the relevant SAMA instructions and internal policies, and that they are developed for each unit within the bank and its affiliated entities within the comprehensive audit framework.
42- The unit should develop an official framework for assessing the risks of each unit in the bank and its affiliated entities listed separately. This framework should also identify risk factors, such as the latest audit assessment, time elapsed since the last audit, applicable and realized risk levels, complexity, etc., as a basis for risk assessment. The frequency of audits for each unit in the bank and its affiliated entities may be based on this risk assessment (e.g., increasing the frequency for high-risk units and entities).
43- The unit should review all units in the bank and its affiliated entities documented in the list at least annually, to ensure completeness and coverage of all units, products, systems, and procedures of the bank.
44- The unit should document an official audit cycle that covers all units in the bank and its affiliated entities listed, and execute this cycle within a defined period, which may extend from three to four years depending on the risk classification of each listed item, in accordance with the risk-based approach.
Risk Assessment Methodology
45- The risk assessment methodology should include the following:
45-1 Documented and detailed guidelines that outline and assist internal auditors in classifying risks when preparing each observation.
45-2 Documented and detailed guidelines for assessing risks in the overall audit report.
45-3 Identification of the quantitative and qualitative factors necessary to facilitate understanding and consistent application by audit staff.
45-4 Classification of internal violation reports from the bank—of which the audit unit should receive copies—based on their risk level and the extent of compliance with reaching the competent authority in the bank, and their documentation.
45-5 All instances of non-compliance with SAMA instructions should be classified as high risk, unless a different classification is supported by specific justifications approved by the compliance unit. These justifications should be based on a risk classification mechanism that includes the size and impact of the non-compliance.
Risk-Based Internal Audit Plan
46- The head of the unit is responsible for preparing the annual internal audit plan and its implementation schedules, and for seeking approval from the Audit Committee. When preparing the plan, a thorough risk assessment should be undertaken (considering inputs from executive management). The plan can be part of a multi-year plan, in which case it should be reviewed and updated annually, aiming to respond to changes in the sector and in the bank's risk profile, or more frequently throughout the year, to enable continuous and real-time assessment of areas where significant risks may arise.
47- The annual audit plan should include a list of the business units and activities subject to audit and risk assessment, with well-prepared documentation to ensure a systematic audit approach.
48- In implementing the annual audit plan, audit work programs must include detailed audit procedures for each business unit subject to review, with sufficient clarification regarding the scope of its relevance and surveys, and must ensure coverage of all potential key or significant risks, control elements, and regulatory supervisory instructions. It should be taken into account that the assessment and analytical skills of internal auditors are essential to ensure a high quality of internal audit.
49- A list of all supervisory expectations from the audit units must be compiled, and this requirement should be stipulated in their policy or procedures. This list, along with the required areas in the comprehensive audit framework, should serve as one of the sources, among others such as the audit cycle, the bank’s most significant risks, new or emerging risk areas, and so on, for developing the annual internal audit plan. The frequency of audits, wherever specified by SAMA, must exceed the internal risk assessment conducted by the audit unit.
50- Adequate resources must be available to support the unit in performing its duties, in accordance with the annual internal audit plan.
51- The unit should periodically conduct a self-assessment of specific requirements from SAMA and other regulatory bodies. Capabilities should be developed, and sufficient resources allocated to these areas, ensuring adequate space for them in the internal audit plan.
Information Technology for the Unit
52- The unit should carry out its activities using appropriate technological systems to enhance the efficiency of the internal audit function.
53- The unit should conduct a formal gap analysis of the current automation tools, address and close these gaps, highlight activities currently performed manually, develop action plans to automate all such activities—wherever feasible—and escalate these plans to the Audit Committee for monitoring purposes.
Quality Assurance and Performance Improvement Program
54- The unit should establish an internal function reporting directly to the head of the unit, dedicated to quality assurance and performance improvement, and staffed with qualified and suitably experienced resources.
55- The internal audit unit should implement a quality assurance and performance improvement program covering all aspects of internal audit activities. This program should include both internal evaluations (ongoing assessments and annual comprehensive reviews) and external evaluations (conducted at least once every five years), with the results reported to the Audit Committee.
56- The quality assurance and performance improvement unit must review and evaluate all activities and reports of the audit unit on an ongoing basis. The head of the audit unit must submit regular reports on the review and evaluation results of that unit (both ongoing and annual) to the Audit Committee.
57- The quality assurance and performance improvement unit should be responsible for reviewing and updating the internal policies and procedures of the internal audit unit, training and motivating its staff, and working on enhancing the quality of work and other performance improvement tasks.
Periodic Reports to the Audit Committee
58- The internal audit unit should prepare periodic reports on its reviews and submit them to the Audit Committee. The committee, in turn, should submit these reports directly and independently to the board without any revisions from the executive management or any other source. The reports should, at a minimum, include:
58-1 A quarterly report: This should include an assessment of the internal control system of the units reviewed, the findings and recommendations related to the work units audited, the actions taken by each unit regarding the findings and recommendations from the previous review, and an explanation of the status of findings not addressed by the executive management. It should also detail instances of failure to respond promptly to those findings and recommendations, along with the reasons for such failures.
58-2 An annual general (comprehensive) report: This should include an assessment of the bank's internal control system and the audit activities conducted during the financial year compared to the approved plan. It should also state the reasons for any shortcomings or deviations from the plan, if any. It should be submitted within a deadline not exceeding the end of the quarter following the end of the relevant financial year, or according to the dates in the approved annual plan.
Database and Document/Report Storage
59- The audit unit must establish a database for its operations and update it continuously.
60- In accordance with the relevant regulations of the central bank and other regulatory bodies, all internal audit reports, findings, recommendations, corrective action plans, and supporting documents should be stored electronically in the database. This includes any results obtained by independent auditors that were previously found by audit staff, and all work-related documents, internal audit achievements, results, recommendations, and measures taken in accordance with the relevant central bank instructions.
61- A formal manual (either independent or as part of the audit manual) for record retention and storage mechanisms should be prepared and approved. This manual should describe the methods of storage, the details of all work papers and information to be retained, the minimum retention period, and the recommendations of the audit unit. This should be done considering the data and information retention regulations and instructions issued by the relevant supervisory regulatory authorities.
Principle (7): Scope of the Unit's Work
62- The general scope of the unit includes every unit in the bank and its affiliated entities (that do not have independent audit units or committees), covering all activities, operations, products, and services of the bank, as well as the limited specialized tasks that may be outsourced to external service providers, including the review and assessment of the effectiveness of the internal control system, risk management, governance, compliance, and supervisory requirements, as well as consulting services. The unit should evaluate the entire bank, including branches and affiliated entities.
63- The unit is responsible, independently within its scope and work plan, for evaluating the following:
63-1 The effectiveness and adequacy of internal control functions, risk management, and governance in the context of current and potential future risks, including committees.
63-2 The procedures established by business units and support units.
63-3 The reliability of management information system policies and procedures (including data relevance, accuracy, completeness, availability, confidentiality, and comprehensiveness).
63-4 The level of compliance with the regulations, policies, and internal procedures of the bank.
63-5 The adequacy and effectiveness of asset protection procedures.
63-6 The adequacy and effectiveness of all reports and their preparation mechanisms.
64- Participating, upon request, in internal investigations that do not conflict with the unit's scope, duties, and responsibilities, as deemed necessary by the head of the unit; the audit committee should be provided with reports on such investigations.
65- With consideration to the relevant instructions and the requirements for applying the risk-based approach and its methods, the unit must, in implementing the scope of its activities, properly cover in the audit plan the requirements of topics of regulatory and supervisory importance according to the timeframes specified for each requirement, or at least annually if no timeframes are specified, unless the risk assessment of the units requires a shorter period, for the following activities:
Risk Management Unit
66- The unit should primarily include the following in its plan concerning the Risk Management Unit:
66-1 Its organization and powers, including market, credit, liquidity, interest rate, operational risks, legal risks, and any other risks.
66-2 Assessment of risk tolerance, escalation of issues and decisions, and reporting on them.
66-3 The adequacy of policies and procedures for identifying, measuring, assessing, monitoring, and addressing emerging risks from the bank's activities, and reporting on them.
66-4 The integrity of its information systems, including the accuracy, reliability, and completeness of the data used.
66-5 The approval and maintenance of risk models, including the process of verifying the consistency, timeliness, independence, and reliability of the sources of information used in these models.
66-6 The degree of significant differences between its views and those of the executive management regarding the level of risks facing the bank.
66-7 The compliance of all business units and their employees with the internal authority matrix of the bank, and ensuring no authority is exceeded.
Capital and Liquidity
67- The unit must address all requirements of the regulatory framework for capital and liquidity within its scope of activities, particularly:
67-1 The internal capital adequacy assessment document and the internal liquidity assessment document.
67-2 The regulations for determining and measuring the bank's regulatory capital, assessing the adequacy of its capital resources relative to risk exposures, and the minimum indicators approved.
67-3 The process for conducting stress tests for capital and liquidity levels, considering the frequency of such tests, their purpose, the reasonableness of hypothetical scenarios, the assumptions used, and the reliability of procedures.
67-4 The bank's instructions and procedures for measuring and monitoring liquidity conditions relative to its risk register, the external environment, and the minimum regulatory (supervisory) requirements.
Regulatory (Supervisory) and Internal Reporting
68- Evaluate the effectiveness of the process through which the Risk Unit and the relevant reporting unit communicate for issuing accurate, timely, and reliable reports, whether internally or for regulatory (supervisory) purposes.
Compliance Unit
69- Assess the scope of activities of the Compliance Unit and evaluate the effectiveness of its execution of responsibilities related to compliance risks.
70- Cooperate with the Compliance Unit in following up on the tasks, responsibilities, and activities requested by the central bank from the audit unit, as specified in terms of format and timing.
Governance
71- Study the scope of governance activities at the bank, focusing on:
71-1 Evaluating the effectiveness of the unit responsible for governance in executing its responsibilities.
71-2 Reviewing all governance-related policies and procedures within the bank to ensure they align with regulations, rules, instructions, and updates, and assessing their implementation and effectiveness.
71-3 Ensuring the bank's compliance with all regulations from local supervisory authorities related to governance.
71-4 Ensuring the presence of an effective control system to prevent fraud within the bank.
71-5 The process of appointing bank representatives in its subsidiaries, and ensuring there are policies and procedures governing this.
Finance Unit
72- The audit unit should include the following aspects in its scope of work:
72-1 The organization and powers of the Finance Unit.
72-2 The adequacy and integrity of financial data and of the financial systems, instructions, and procedures, including the identification, monitoring, measurement, and reporting of key data (e.g., profit or loss, financial instrument valuations, provisions), including necessary changes in accordance with international accounting standards and international financial reporting standards.
72-3 The approval and maintenance of pricing models, including verifying the consistency, timeliness, independence, and reliability of the information sources used in these models.
72-4 The controls in place to prevent and detect violations.
72-5 Controls on the balance sheet, including reconciliation processes and procedures (e.g., adjustments), regulatory tasks and activities, and other ongoing activities that the audit units must review periodically, as documented in the comprehensive audit procedures and framework, along with the required compliance timing. Examples include, but are not limited to, information security (cybersecurity), business continuity, anti-money laundering and counter-terrorism financing, dormant accounts, and others currently and in the future.
Principle (8): The Unit's Relationship with Second Line of Defense Units and External Auditors
(A) Relationship with Second Line of Defense Units
73- Second line of defense units are subject to independent review by the audit unit. Each of these units has areas closely related to other units in general and to the audit unit specifically. However, they are all organizationally separate from each other. Given the comprehensive coverage provided by the oversight performed by the second line of defense, particularly by the Risk Management Unit and the Compliance Unit, the audit unit relies on valuable information provided by these units. Nevertheless, the reliability of this information is subject to assessment by the Head of the Audit Unit.
(B) Relationship with External Auditors
74- External auditors appointed by the bank play a crucial role in the continuous improvement of the bank’s internal control systems related to their scope of work. Therefore, their work should be complementary to the internal audit unit. This should be coordinated through a defined mechanism and regular meetings (based on the approved internal audit policy) to enable both parties to stay continuously informed about significant concerns. The audit committee must ensure that this coordination is in place and effectively implemented.
Principle (9): Internal Audit of the Bank’s Subsidiaries
75- In cases where the bank has a subsidiary with its own independent audit unit and audit committee, and while ensuring compliance with relevant regulations and instructions, it is preferable to:
75-1 Obtain a seat for the head of the bank’s unit, or their delegate, on the audit committees of the bank’s subsidiaries, to monitor developments and ensure the effectiveness of internal controls within them.
75-2 Conduct limited tests to verify the quality of the subsidiary’s audit unit operations, to ensure the soundness of its activities.
76- In cases where the bank has a subsidiary that does not have an independent audit unit and audit committee, and while ensuring compliance with relevant regulations and instructions, the following should be done:
76-1 The approved audit policy should define how the audit of such entities will be conducted.
76-2 The unit should report the results of the audit activities of these entities to the audit committee.