2021-12-01
The Saudi Central Bank issued the first edition of the Principles of Internal Auditing for local banks, effective January 1, 2022, to establish a unified framework for internal audit functions. The document mandates that internal audit units operate as the third line of defense, ensuring strict independence, objectivity, and professional competence while reporting directly to the Board of Directors and the Audit Committee. It outlines specific responsibilities for the Board, Executive Management, and the Audit Committee to support the internal audit function and requires adherence to international standards and regulatory guidelines.
Principles of Internal Auditing for Local Banks Operating in Saudi Arabia
(First Edition - Rabi' al-Thani 1443 AH / December 2021 CE)
Important Note: To keep pace with updates and amendments regarding instructions issued by the Saudi Central Bank, the Bank emphasizes the necessity of always relying on the versions published on its website: www.sama.gov.sa
Contents
- Chapter One: Introduction, Definitions, General Provisions, and Scope of Application
  - Introduction
  - Definitions
  - General Provisions
  - Scope of Application
- Chapter Two: Competencies and Responsibilities of the Board and Executive Management towards Internal Auditing
  - Principle (1): Tasks and Responsibilities of the Board towards Internal Auditing
  - Principle (2): Tasks and Responsibilities of the Audit Committee towards the Unit
  - Principle (3): Tasks and Responsibilities of Executive Management towards Internal Auditing
- Chapter Three: Competencies, Tasks, and Responsibilities of the Unit
  - Principle (4): Key Characteristics of the Unit
    - Independence and Objectivity
    - Professional Competence and Due Care
    - Professional Ethics of the Unit Head and Staff
  - Principle (5): Internal Auditing Policy
  - Principle (6): Organization of the Unit, its Tasks, and Responsibilities
    - Organizational Structure and Reporting Lines
    - Requirements and Responsibilities of the Unit Head
    - No Objection from the Saudi Central Bank on the Appointment and Change of the Unit Head
    - Internal Work Procedures of the Unit
    - List of Units and Entities Subject to Internal Auditing and the Audit Cycle
    - Risk Assessment Methodology
    - Risk-Based Audit Plan
    - Information Technology for the Auditing Unit
    - Quality Assurance and Improvement Program
    - Periodic Reports to the Audit Committee
    - Database, Document Retention, and Reports
  - Principle (7): Scope of the Unit's Work
  - Principle (8): Relationship of the Unit with Second Line of Defense Units and External Auditors
  - Principle (9): Internal Auditing of Activities of Entities Subsidiary to the Bank
Chapter One: Introduction, Definitions, and General Provisions

1 - Introduction

1.1 The Saudi Central Bank issued these Principles based on the supervisory and regulatory authorities vested in it under the following systems:
a. The Saudi Central Bank System, issued by Royal Decree No. (M/36) dated 1442/04/11 AH.
b. The Banking Control System, issued by Royal Decree No. (M/5) dated 1386/02/22 AH.

1.2 These Principles consist of three chapters: Chapter One clarifies the terms used and the general provisions; Chapter Two sets out the competencies, roles, and responsibilities of the Board, the Audit Committee, and Executive Management towards internal auditing, as per the relevant systems and regulations, together with brief requirements for putting them into effect; and Chapter Three sets out detailed and comprehensive requirements regarding the activity, work, roles, tasks, and responsibilities of the Unit and its relationship with the first and second lines of defense, as a tool for supervision and oversight of the Bank's management and not as a substitute for it. The requirements are framed so as to align with, and help the Bank comply with, the provisions of systems, regulations, instructions, and best practices, taking into account the specific nature of banks and the manner in which these are applied to them.
2 - Definitions

The following terms, wherever they appear in these Principles, have the meanings indicated opposite each of them, unless the context dictates otherwise:
| Term | Definition |
|---|---|
| Saudi Central Bank | The Saudi Central Bank. |
| Bank | Banks and commercial banks licensed to conduct banking business in the Kingdom. |
| Board | The Bank's Board of Directors. |
| Audit Committee | One of the committees emanating from the Board, formed by a resolution of the Ordinary General Assembly. |
| Executive Management | The Bank's senior management, being the persons entrusted with managing the Bank's daily affairs, proposing strategic decisions, and implementing them. |
| Unit | The Bank's Internal Audit Unit, in which its Head and staff perform the tasks and responsibilities of internal auditing. |
| Unit Head | The person responsible for managing the Unit. |
| Internal Auditors | Staff in the Unit responsible for performing the tasks and responsibilities of internal auditing. |
| Principles | Principles of Internal Auditing for Local Banks Operating in Saudi Arabia. |
| Internal Auditing Function | An independent evaluation activity that provides objective and independent assurances and consulting services regarding the quality, adequacy, and effectiveness of the Bank's internal control system, by following an organized and systematic methodology to review accounting, financial, operational, and other processes, and to evaluate and improve the effectiveness of governance, risk management, and control processes. |
| Internal Auditing Policy | The official document approved by the Board that specifies and clarifies the purpose of the Unit, the scope of its activity, its position in the organizational structure, its functional and administrative reporting lines, its responsibilities and full authorities, its characteristics and relationship with other work units, and the pillars and methodology the Bank follows regarding internal control, and that authorizes it to access records, communicate with employees, and access physical property so that it can perform its tasks. |
| Systems and Regulations | The systems and regulations applicable to the banking sector and its personnel. |
| Instructions | All that is issued by the Saudi Central Bank with its regulatory and supervisory authorities over the banking sector, as well as what is issued by competent authorities of regulations, rules, principles, frameworks, guides, and binding circulars. |
| Independence | The absence of conditions and circumstances that affect the Unit's ability to perform its tasks and responsibilities of internal auditing in a professional, objective, and unbiased manner. |
| Conflict of Interest | A situation in which the Unit Head or its staff have, or appear to have, a direct or indirect interest in or relationship to a matter under their consideration for the purpose of making a decision on it, such that the interest or relationship prevents them, or leads to the belief that it prevents them, from expressing their opinion or making their decision independently, neutrally, and objectively, without regard to that interest or relationship. |
| Objectivity | Impartial, fact-based conduct that allows internal auditors to perform their tasks with confidence in the quality of their work and its intended results, free of any significant external intervention or influence on that quality and unaffected by personal beliefs and feelings. |
| Consulting Services | Consultations performed upon specific request from one of the units in the Bank. |
| First Line of Defense | Business units responsible for identifying, assessing, and managing the risks of their activities at early stages and continuously, and bearing those risks within permitted limits. |
| Second Line of Defense | Supervisory and support units such as: Risk Management, Compliance, Legal, Shariah (where applicable), Finance, and the Technology units that support the business units, responsible for verifying, through a comprehensive and methodical view, that the business units in the first line of defense have identified their business risks and managed them appropriately. |
| Third Line of Defense | The Internal Audit Unit (the Unit), responsible for independently and objectively evaluating and confirming the adequacy and effectiveness of the governance, risk management, control processes, controls, policies, and procedures implemented by the first and second lines of defense, increasing confidence in them, and providing Executive Management with reasonable assurance that policies and procedures align with the specified expectations. |
| Stakeholders | Those with a direct interest in the Unit's work, namely: the Board, the Audit Committee, Executive Management, the Bank's work units, external auditors, external consultants, and others; and those with an indirect interest, such as: shareholders, investors, and customers. |
3 - General Provisions

3.1 The general purpose of these Principles is to set the minimum requirements for the Unit to perform its activity efficiently and effectively under a unified, broad, and robust framework, as a tool for enhancing self-supervision, to lay the foundations for the performance of internal auditing, and to improve the Bank's processes and operations. The methods by which these Principles are implemented depend on many factors, such as: the size of the Bank, the nature and complexity of its operations, its geographical scope, the regulatory scope, and the instructions it operates within.

3.2 The main purpose of these Principles is to achieve the following main objectives:

3.3 The Unit represents the third and final line of defense in the three lines of defense framework. It is directly and continuously accountable to the Board and the Audit Committee for evaluating and confirming the adequacy and effectiveness of the governance, risk management, supervisory controls, policies, and procedures implemented by the first and second lines of defense, increasing confidence in them, and contributing to their improvement. It does so according to an organized, risk-based methodology that achieves the optimal use of resources by directing financial, administrative, and operational audit activities towards the activities and operations that are most risky and most important for the Bank, and by carrying them out objectively with regard to the Bank's defined strategies and objectives. The value of this line of defense is underpinned by its independence, which supports its objectivity and reinforces appropriate ethics and values, and by its providing Executive Management with reasonable assurance that policies and procedures align with the specified expectations.

3.4 These Principles do not derogate from the requirements imposed on banks under other relevant systems, regulations, and instructions.

3.5 The Saudi Central Bank has issued several instructions, some of whose requirements relate to internal auditing, and these Principles should be read alongside them, as appropriate, including but not limited to:

4 - Scope of Application

These Principles apply to local banks operating in the Kingdom.
Chapter Two: Competencies and Responsibilities of the Board and Executive Management towards Internal Auditing

Principle (1): Tasks and Responsibilities of the Board towards Internal Auditing

5- To ensure that the Ordinary General Assembly performs its specified competencies towards the Audit Committee and internal auditing, in accordance with the provisions of the Companies System and its executive regulations, the corporate governance regulations for listed companies issued by the Capital Market Authority, and the main governance principles for financial institutions issued by the Saudi Central Bank, the Board must:
5.1 Submit effective proposals and recommendations that enable the Ordinary General Assembly to perform its competencies.
5.2 Monitor any developments in the systems, regulations, and instructions related to internal auditing issued by the competent authorities from time to time.

6- Although the Audit Committee performs its work independently of the Board and Executive Management, this does not exempt the Board, under the main governance principles for financial institutions, from the responsibility of effectively supervising the Audit Committee and monitoring its work and the duties assigned to it.

7- The Board bears the following responsibilities regarding the roles and responsibilities of Executive Management towards internal auditing:
7.1 Ultimate responsibility for ensuring that Executive Management establishes and maintains an appropriate, efficient, and effective supervisory framework that identifies, measures, monitors, and manages all risks to which the Bank is exposed.
7.2 Ensuring that the effectiveness and efficiency of the internal control system is reviewed on the basis of information provided by the Internal Audit Unit, but not limited to that information alone.

8- Without prejudice to the competencies, tasks, and responsibilities of the Board under the relevant instructions of the Saudi Central Bank and other regulatory authorities, the Board must continuously ensure the following towards the Internal Audit Unit:
8.1 Taking all necessary measures to ensure the existence and continuity of a permanent, independent, and effective internal audit unit in the Bank, and updating its organization and work policy periodically.
8.2 Ensuring that the size of the Unit and the competence of its Head and staff are appropriate to the size of the Bank, the nature of its operations, the automated systems in use, and the complexity of its organizational structure.
8.3 Ensuring that the Audit Committee conducts an independent external evaluation of the quality of the Unit's performance at least once every five years.
Principle (2): Tasks and Responsibilities of the Audit Committee towards the Unit

9- Without prejudice to the competencies, tasks, and responsibilities of the Audit Committee specified under the relevant systems and instructions issued by the Saudi Central Bank and other regulatory authorities, the Audit Committee bears the following responsibilities as requirements for effective supervision:
9.1 Recommending to the Board the approval of the Unit's organizational structure, and reviewing it periodically and whenever necessary.
9.2 Recommending to the Board the appointment, reappointment, or dismissal of the Unit Head, or the acceptance of his resignation.
9.3 Ensuring the availability of appropriate human resources in the Unit in terms of number, qualifications, and skills, especially in specialized topics, including but not limited to: Treasury, Finance, International Financial Reporting Standards, Combating Money Laundering and Financing of Terrorism, Technology/Cybersecurity Risks, Governance, Basel Standards, Liquidity, Credit, and Provisioning, among others.
9.4 Studying and approving the audit plan prepared by the Unit Head on the basis of the results of the annual risk assessment, including the scope of the plan and the budget allocated to it.
9.5 Approving the Unit's strategy prepared by its Head, and monitoring its performance alongside the performance of the annual audit plan, in alignment with the Bank's general strategy and objectives, after coordination with the competent authority in the Bank.
9.6 Studying and discussing internal audit reports.
9.7 Reviewing the Unit's performance to ensure its ability to perform its responsibilities independently and objectively.
9.8 Approving the Unit Head's performance indicators, and evaluating his performance.
9.9 Ensuring that the Unit Head possesses integrity and the ability to perform his duties with honesty, diligence, and responsibility, ensuring his compliance with systems and instructions, and ensuring that he has not been involved in any violating activities.
9.10 Ensuring that Executive Management takes the necessary corrective measures in a timely and appropriate manner to address the control weaknesses, issues of compliance with policies, systems, and instructions, other violations and observations, and deficiencies identified and reported, with recommendations, by the Internal Audit Unit.
9.11 Conducting the independent external evaluation, in accordance with the approved auditing policy, to verify the quality of the Unit's work at least once every five years.
Principle (3): Tasks and Responsibilities of Executive Management towards Internal Auditing

10- Executive Management bears the following responsibilities:
10.1 Establishing, applying, and maintaining appropriate and effective internal control systems and procedures.
10.2 Giving the Unit full and unrestricted access to all records, persons, systems, and premises, and providing it with the information, data, and clarifications necessary to perform its tasks in a timely and appropriate manner.
10.3 Informing the Unit of any updates, initiatives, projects, products, new operational changes, or amendments to policies and procedures in the Bank's units.
10.4 Ensuring that all related risks (known or expected to occur) are identified and reported to the Unit at an early stage.
10.5 Sharing its assessment of the various risks with the Unit, to enable it to plan audits according to the risk-based methodology.
10.6 Taking appropriate measures and corrective actions in a timely and appropriate manner regarding all results and recommendations received from the Unit.
10.7 Encouraging the invitation of Unit representatives to attend the meetings of the various administrative committees as permanent invitees, without granting them the right to vote on their decisions.
10.8 Including in Executive Management's key performance indicators an indicator of the effectiveness of its handling, in the appropriate manner and at the appropriate time, of the observations raised by the Unit.
Chapter Three: Competencies, Tasks, and Responsibilities of the Unit

Principle (4): Key Characteristics of the Unit

Independence and Objectivity

11- The Unit must be administratively independent from all other work units whose activities are subject to audit, and independent from the first and second lines of defense, while working with them in an integrated manner that allows the Unit to draw on their risk assessments. This requires that it be granted sufficient organizational status and authority within the Bank to enable it to perform its tasks objectively. The Unit Head and staff must not be assigned any other tasks or work in the Bank that would compromise their role; their work is limited to internal audit activities and to reviewing and evaluating the effectiveness and efficiency of the application of the internal control system.

12- The Unit must have the authority to perform its tasks in all areas of the Bank's work and all of its work units, without restriction from Executive Management or from any source other than its functional reporting line.

13- The Unit must be free to discuss the views, results, assessments, and conclusions it reaches with the Audit Committee and the Board directly, and to report to them directly through a clear organizational structure (functional reporting) to the Audit Committee.

14- The Unit must not be involved in preparing (designing), selecting, applying, or managing specific internal control procedures. Its independence does not, however, prevent Executive Management from requesting internal audit input on matters related to risk and internal control, provided the Unit's consulting role towards Executive Management is documented in detail in the audit procedures and guides; such input is not to be interpreted as conflicting with its independence.

15- Job rotation of Unit staff to other work units must be governed by a sound written job rotation policy, to avoid conflicts of interest. This includes considering a cooling-off period of no less than twelve months between an employee's work in the Unit and his being permitted to review activities in the area of the Bank involved in the rotation.

16- The performance rewards of the Unit Head and staff, if any, must be structured so as to avoid conflicts of interest or any undermining of the Unit's independence and its ability to work objectively, in accordance with the relevant instructions issued by the Saudi Central Bank and with the Bank's reward policies and practices. Their rewards must not be linked to the financial performance of the activities subject to internal audit, and the Unit Head's rewards must be recommended by the Audit Committee in accordance with the Bank's reward policies and practices.

17- The Unit Head must confirm the organizational and functional independence of the Unit's activity to the Audit Committee at least annually, either in a dedicated item of the annual report or by a separate official letter.

18- The Unit must have the right to request a meeting with the Audit Committee at any time, whenever it needs to discuss any topic it wishes to raise.
Professional Competence and Due Care

19- The Unit Head must possess leadership skills and the skills necessary to maintain the effectiveness of the Unit.

20- The Unit Head must hold an academic degree as follows:
20.1 Either in Accounting, Auditing, or Business Administration, or another qualification related to internal auditing, preferably together with one of the specialized professional certificates in internal auditing or accounting, such as: (QIAI), (CIA), (SOCPA), or (CPA), or one of the specialized higher degrees in Accounting or Business Administration.
20.2 Or in a specialized technical field, such as: (Certified Information Systems Auditor, CISA) or (Certified Information Security Manager, CISM); in which case he must additionally hold one of the professional certificates or higher degrees specified in (20.1) above.
In both cases, he must have sufficient practical experience in internal auditing, and possess the leadership skills appropriate to fulfilling his responsibilities and maintaining the independence and objectivity of the Unit.

21- The Unit Head must, in a manner that does not conflict with the Bank's general employment policies, procedures, and requirements, set standards that ensure the Unit attracts staff who possess professional competence, academic knowledge, experience, qualifications, sufficient skills, the ability to collect and understand information, the ability to examine and evaluate the necessary evidence and documents during the audit process, and the ability to communicate with stakeholders. These standards must support, enable, and qualify national cadres.

22- The Unit Head must evaluate the skills of Unit staff, follow up on their development, and ensure they receive the continuous training necessary to meet the technical requirements of banking activities and the growing diversity of tasks arising from new products, services, and procedures, and to keep pace with other developments in the financial sector.
Professional Ethics of the Unit Head and Staff

23- In accordance with the Principles of Conduct and Business Ethics in Financial Institutions issued by the Saudi Central Bank, and to ensure that the Unit maintains professional standards at all times, the Bank's Code of Conduct and Business Ethics policy must include, at a minimum, the principles of objectivity, conduct, competence, confidentiality, and integrity, and stipulate the following:
23.1 The necessity of exhibiting professionalism, integrity, honesty, and trustworthiness.
23.2 Emphasizing the confidentiality of information obtained in the performance of duties, not exploiting that information for personal gain or to carry out harmful activities, and exercising caution in protecting the information obtained.
23.3 Avoiding conflicts of interest; in this regard, the Unit Head must take adequate measures to continuously ensure that Unit staff exhibit integrity and adhere to the Principles of Internal Auditing and to the Principles of Conduct and Business Ethics in Financial Institutions issued by the Saudi Central Bank.
Principle (5): Internal Auditing Policy

24- The Unit Head must prepare the Internal Auditing Policy, update it periodically, and have it approved by the Board upon the recommendation of the Audit Committee.

25- The main items of the policy must include, at a minimum, the following:
25.1 The purpose of establishing the Unit and the scope and methodology of its work.
25.2 Its organizational position in the Bank, its authorities, its responsibilities, and its relationships with other supervisory units.
25.3 The key characteristics of the Unit specified in these Principles, at a minimum.
25.4 Provisions that enhance its role and performance in carrying out its tasks and responsibilities.
25.5 The right to communicate directly with any employee in the Bank, and to examine the activity of any unit in the Bank or of a subsidiary entity where the subsidiary does not have an independent audit unit and audit committee, without prejudice to the relevant systems and instructions.
25.6 The right to access any records, files, data, or physical property of the Bank, without prejudice to the relevant instructions of the Saudi Central Bank.
25.7 The right to obtain copies of the records and documents supporting audit work and activities, including the right to access administrative information systems and the records and minutes of all advisory and decision-making bodies in the Bank.
25.8 The right to enable the Unit to perform its role and fulfill its responsibilities in reviewing all activities of the Bank's units and of its subsidiaries, inside and outside the Kingdom, where the subsidiaries do not have independent audit units and audit committees, without prejudice to the relevant systems and instructions issued.
25.9 The right to escalate to the Audit Committee without any restriction whenever necessary.
25.10 The commitment to convey the results reached by internal auditors in their work, clarifying the method of doing so and specifying the bodies that receive that work (administrative reporting).
25.11 The Unit's accountability to the Audit Committee for all matters related to the performance of its tasks and responsibilities.
25.12 The responsibility of the Unit Head.
25.13 The terms and conditions for coordination and follow-up of work between the Unit and the external auditors.
25.14 The terms and conditions under which consulting or advisory services are requested from the Unit or other special tasks are assigned to it, which must not conflict with the relevant instructions.
25.15 The commitment to conduct an independent external evaluation of the quality of the Unit's work, its adherence to conduct and business ethics, and its compliance with the requirements of the Principles of Internal Auditing for Local Banks in the Kingdom, at least once every five years.
25.16 In accordance with the instructions on outsourcing to third parties issued by the Saudi Central Bank, the terms and conditions that determine the method, timing, and circumstances of assigning limited specialized tasks of the Unit to external service providers. At a minimum: such assignment is permitted only where specialized expertise and competence for the task (such as information security and other specialized work) are not available within the Unit; the work must be performed under a non-disclosure agreement; it must achieve knowledge transfer and the acquisition of experience by Unit staff; it must not affect the Unit's ability to work independently and objectively; the same task must not be contracted to an entity previously contracted for it unless a period of no less than three years has passed; the service provider must not be the Bank's current external auditors; the outsourcing must not hinder the effectiveness of the Saudi Central Bank's supervision; and the Saudi Central Bank's prior non-objection to the outsourcing must be obtained.
25.17 The requirements and mechanisms for subsidiary entities of the Bank that do not have independent audit units and audit committees.
25.18 The commitment to the relevant approved International Standards for the Professional Practice of Internal Auditing.
25.19 The scope and contents of the Unit's periodic report submitted to the Board.
25.20 The right to refer to the unified Internal Auditing Charter of the Institute of Internal Auditors,