2024-10-01

Circular Re. Internal Audit Principles for Finance Companies and Real Estate Refinance Companies

The Saudi Central Bank issued Circular No. 46020559 to enforce the Internal Audit Principles for Finance Companies and Real Estate Refinance Companies, requiring full compliance within 180 days of publication. The document establishes a comprehensive regulatory framework defining the roles of the Board of Directors, the Audit Committee, and Executive Management in ensuring the independence, objectivity, and effectiveness of the internal audit function. It mandates specific governance standards, including risk-based audit planning, annual governance and risk assessments, external evaluations every five years, and strict retention of audit records for at least ten years.


Saudi Arabia

Saudi Central Bank


==Start of PDF==

Saudi Central Bank

Ref: 46020559
Date: 1446/03/28
Attachments: None

Circular

Dear Sirs, Peace, mercy, and blessings of God be upon you,

Subject: Internal Audit Principles for Finance Companies and Real Estate Refinance Companies.

Based on the authorities vested in the Saudi Central Bank under the Financing Companies Control System issued by Royal Decree No. (M/5) dated 13/08/1433H, and its Executive Regulations issued by the decision of His Excellency the Governor of the Saudi Central Bank No. (2/M Sh T) dated 14/04/1434H, we inform you of the issuance of His Excellency the Governor's Decision No. (160/M Sh T) dated 14/02/1446H, which approves the Internal Audit Principles for Finance Companies and Real Estate Refinance Companies in the attached form. These Principles will be enforced 180 days after their publication on the Saudi Central Bank's website.

For your information and action.

Accept my regards,

[Signature]
Yazid bin Ahmed Al Sheikh
Deputy Governor for Supervision

Distribution List:

  • Finance companies operating in the Kingdom.
  • Real estate refinance companies operating in the Kingdom.


Internal Audit Principles for Finance Companies and Real Estate Refinance Companies

(Rabi' al-Awwal 1446H / September 2024)

The Saudi Central Bank issued these Principles based on the authorities vested in it under the Financing Companies Control System issued by Royal Decree No. (M/5) dated 13/08/1433H, and its Executive Regulations issued by the decision of His Excellency the Governor of the Saudi Central Bank No. (2/M Sh T) dated 14/04/1434H.

Important Note: To follow updates and amendments to these Principles, the Saudi Central Bank emphasizes the necessity of always relying on the version of the Principles published on its website: www.sama.gov.sa


Table of Contents

Chapter One: Definitions, General Provisions, and Scope of Application
Chapter Two: Duties and Responsibilities of the Board, Audit Committee, and Executive Management towards the Internal Audit Function
  • Principle One: Duties and Responsibilities of the Board towards the Internal Audit Function
  • Principle Two: Duties and Responsibilities of the Audit Committee towards the Internal Audit Function
  • Principle Three: Duties and Responsibilities of Executive Management towards the Internal Audit Function
Chapter Three: Characteristics, Duties, and Responsibilities of Management
  • Principle Four: Key Characteristics of Management
  • Principle Five: Duties and Responsibilities of the Head of Management
  • Principle Six: Duties and Responsibilities of Management
  • Principle Seven: Internal Audit Policy
  • Principle Eight: Internal Audit Plan
  • Principle Nine: Management Reports
  • Principle Ten: Management Policies and Procedures
  • Principle Eleven: External Evaluation of Management
  • Principle Twelve: Retention of Documents and Reports
  • Principle Thirteen: Relationship of Management with First and Second Line Units
Chapter Four: Final Provisions

Chapter One: Definitions, General Provisions, and Scope of Application

1. Definitions

For the purpose of applying the provisions of these Principles, the following words and expressions, wherever they appear in these Principles, have the meanings indicated next to each of them, unless the context requires otherwise.

The Bank: The Saudi Central Bank.
The Principles: Internal Audit Principles for Finance Companies and Real Estate Refinance Companies.
The System: The Financing Companies Control System.
The Regulation: The Executive Regulation of the Financing Companies Control System.
The Company: The Finance Company or the Real Estate Refinance Company licensed by the Bank.
The Board: The Board of Directors of the Company.
Executive Management: Persons entrusted with managing the daily affairs of the Company and with proposing and implementing strategic decisions; they are considered senior management.
Management: The Internal Audit Management in the Company, whose head and staff perform the duties and responsibilities of internal audit.
Head of Management: The person responsible for managing Internal Audit in the Company.
Internal Auditors: Staff in Management primarily responsible for performing the internal audit function.
Internal Audit Function: An independent evaluation activity that provides objective and independent assurance and consulting services on the quality and adequacy of the Company's internal control system, through a systematic and organized approach to reviewing accounting, financial, operational, and other processes, and to evaluating and improving the effectiveness of governance, risk management, and control processes.
Internal Audit Policy: An official document prepared by the Head of Management and approved by the Board, containing the items set forth in Principle Seven of these Principles.
Independence: The absence of circumstances and events that affect the ability of Management to perform its duties and responsibilities in a professional, objective, and unbiased manner.
Objectivity: Neutral professional behavior, based on facts, that allows Internal Auditors to perform their duties in a way that ensures the quality of their work and its expected results, free from any significant external interference or influence on Management and from the influence of personal beliefs and feelings.
Conflict of Interest: Any situation in which the Head of Management or Internal Auditors have a direct or indirect interest in, or relationship with, the subject matter or the person(s) about whom a decision is to be made, such that this interest or relationship prevents them from expressing their opinion or making their decision independently, neutrally, and objectively, without regard to that interest or relationship.
First Line: Business units responsible for identifying, assessing, and managing the risks of their activities at an early stage and on a continuous basis, and for bearing those risks within permitted limits.
Second Line: Supervisory and support units, such as the risk management function, compliance, finance, technology, legal, and Shariah (if any), related to the business units and responsible for verifying, through a comprehensive and systematic view, that first-line business units have identified their business risks and managed them appropriately.
Third Line: Internal Audit Management, responsible for independently and objectively evaluating and confirming the adequacy and effectiveness of the governance, risk management, controls, policies, and procedures implemented by the first and second lines, increasing confidence in them, and providing the Audit Committee with reasonable assurance that policies and procedures align with specified expectations.
Stakeholders: Anyone with a direct or indirect interest in Management, specifically: the Board, the Audit Committee, Executive Management, business units in the Company, external auditors, external consultants, shareholders, investors, and customers.
Systems: The systems applicable to the Company and its personnel.
Instructions: All that is issued by the Bank in carrying out its role as a regulatory and supervisory authority, and all that is issued by other competent authorities in the form of regulations, rules, principles, frameworks, guides, and binding circulars.

2. General Provisions

2.1 These Principles aim to:
     a. Enhance internal control and improve the Company's processes and operations, taking into account that the methods of applying these Principles depend on many factors, including the size of the Company, its activity, the nature of the tasks it performs, and its degree of complexity.
     b. Set the minimum requirements to enable Management to perform its duties efficiently and optimally.

2.2 These Principles do not derogate from the requirements imposed on the Company under other relevant systems, regulations, and instructions, including but not limited to:

  • The Financing Companies Control System and its Executive Regulation.
  • The Real Estate Financing System and its Executive Regulation.
  • Rules on Delegation of Duties for Finance Companies.
  • Rules on Combating Fraud in Finance Companies.
  • Rules on Regulating Real Estate Refinance Companies.
  • Rules on Practicing Debt Crowdfunding Activity.
  • Rules on Regulating Deferred Payment Companies (BNPL).
  • The Core Principles of Governance in Financial Institutions Subject to the Supervision and Oversight of the Saudi Central Bank.
  • Principles of Conduct and Business Ethics in Financial Institutions.
  • Appointment Requirements for Leadership Positions in Financial Institutions Subject to the Supervision of the Saudi Central Bank.
  • Information Security Regulatory Guide.
  • IT Governance Regulatory Guide.
  • Whistleblowing Policy for Financial Institutions.

2.3 Best local and international standards issued by relevant authorities regarding the internal audit function should be followed, insofar as they do not conflict with these Principles and the instructions issued by the Bank.

3. Scope of Application

3.1 The provisions of these Principles apply mandatorily to finance companies and real estate refinance companies.

3.2 The provisions of these Principles apply on an advisory basis to companies supporting the financing activity and to real estate lease contract registration companies; the Bank may, at any time, mandate all or some of the provisions of these Principles for them.

Chapter Two: Duties and Responsibilities of the Board, Audit Committee, and Executive Management towards the Internal Audit Function

Principle One: Duties and Responsibilities of the Board towards the Internal Audit Function

  1. Subject to the duties and responsibilities of the Board set forth in relevant systems, regulations, and instructions issued by the Bank, the Board bears the following duties and responsibilities:
     a. Monitoring, from time to time, any developments in the systems, regulations, and instructions related to the internal audit function issued by the Bank.
     b. Ensuring the independence of the internal and external auditors, and the accuracy and completeness of the information and data to be disclosed in accordance with disclosure and transparency requirements.
  2. Without prejudice to the independence of the Audit Committee's work from that of the Board, the Board is responsible for effective supervision of the Audit Committee and for monitoring its work and assigned duties.
  3. The Board bears the following responsibilities regarding the roles and responsibilities of Executive Management towards the internal audit function:
     a. Full responsibility for ensuring that Executive Management establishes and maintains an appropriate, efficient, and effective internal control framework that identifies, measures, monitors, and manages all risks facing the Company.
     b. Ensuring that the effectiveness and efficiency of the internal control system are reviewed on the basis of information provided by the Audit Committee and Executive Management.
  4. Subject to the duties and responsibilities of the Board set forth in instructions issued by the Bank and related instructions, the Board bears the following responsibilities towards Management:
     a. Taking all necessary measures to ensure the independence and effectiveness of Management, and updating its work policy periodically.
     b. Verifying, based on a recommendation from the Audit Committee, the adequacy of Management's human and financial resources and their appropriateness to the size and nature of the Company's business.

Principle Two: Duties and Responsibilities of the Audit Committee towards the Internal Audit Function

  1. Subject to the duties and responsibilities of the Audit Committee set forth in relevant systems, regulations, and instructions, the Audit Committee bears the following duties and responsibilities:
     a. Recommending to the Board the approval of Management's organizational structure, and reviewing it periodically and whenever necessary.
     b. Recommending to the Board the appointment, reappointment, or dismissal of the Head of Management, and proposing their remuneration.
     c. Monitoring the implementation of the human resources recruitment plan prepared by the Head of Management, evaluating its appropriateness, and ensuring the availability of appropriate human resources in Management in terms of number, qualifications, and skills according to that plan, taking into account that the competencies necessary to perform Management's duties should be present among its personnel as a whole, not necessarily in each individual.
     d. Reviewing and approving the internal audit plan prepared by the Head of Management or by the external service provider (if any), including the scope of the plan and the budget allocated to it.
     e. Reviewing internal and external audit reports and submitting recommendations regarding them to the Board.
     f. Reviewing Management's performance to verify its ability to perform its responsibilities independently and objectively.
     g. Approving performance indicators for the Head of Management and evaluating their performance.
     h. Ensuring that the Head of Management possesses integrity and the ability to perform their duties honestly, diligently, and responsibly, and in compliance with systems, regulations, and instructions, and that they have not previously been convicted of any crime involving honor or trust unless their reputation has been restored.
     i. Ensuring that Executive Management takes the necessary corrective measures, in a timely and appropriate manner, to address the control weaknesses, compliance issues with policies, systems, and instructions, and other violations, observations, and deficiencies identified and recommended by Management.

Principle Three: Duties and Responsibilities of Executive Management towards the Internal Audit Function

  1. Subject to the duties and responsibilities of Executive Management set forth in relevant systems, regulations, and instructions, Executive Management bears the following duties and responsibilities:
     a. Implementing internal control and risk management systems, including the conflict of interest policy, verifying the effectiveness and efficiency of those systems, and ensuring compliance with the risk level approved by the Board.
     b. Providing Management with full and unrestricted access to records, people, and systems, and with the information, data, and explanations necessary to perform its duties in a timely and appropriate manner, as outlined in the Internal Audit Policy.
     c. Informing Management of any updates, initiatives, projects, products, or new operational changes, or of any amendments to policies and procedures in the Company.
     d. Ensuring that all related risks (known or expected to occur) are identified and reported to Management at an early stage.
     e. Sharing their assessment of the various risks with Management to enable it to plan audits using the risk-based approach.
     f. Taking appropriate measures and corrective actions, in a timely and appropriate manner, on all results and recommendations received from Management.
     g. Encouraging the invitation of Management representatives to attend the various management committee meetings as permanent guests, without the right to vote on decisions.
     h. Adding to the performance indicators of Executive Management an indicator reflecting the extent to which they respond to observations received from Management in a timely and appropriate manner.

Chapter Three: Characteristics, Duties, and Responsibilities of Management

Principle Four: Key Characteristics of Management

Professional Competence

  1. The Head of Management and Internal Auditors must possess the knowledge and skills necessary to perform Management's duties and maintain its effectiveness. To achieve this, the following must be in place:
     a. Academic certificates in accounting, auditing, business administration, or other fields relevant to the internal audit function, preferably accompanied by one of the specialized professional certificates in the field of internal audit or accounting, including but not limited to CPA, CIA, and SOCPA.
     b. Sufficient experience in the internal audit function, and the skills necessary to fulfill their responsibilities.
     c. Appropriate and necessary continuous training to meet the technical requirements of the Company's activities.

Independence and Objectivity

  2. Management reports directly to the Audit Committee, and the Head of Management and Internal Auditors enjoy complete independence and objectivity in carrying out their work. To achieve this, the following must be ensured:
     a. The freedom to discuss the views, results, evaluations, and conclusions reached by Management directly with the Audit Committee and the Board.
     b. Access to documents held by Executive Management or by other business units in the Company.
     c. Not accepting assignments other than those necessary to perform the roles assigned to the internal audit function.
     d. Performing their duties in all areas of the Company's work and its business units without restrictions from Executive Management or from any source other than Management's functional reporting line.
     e. The right to request a meeting with the Audit Committee at any time, whenever there is a need to discuss any topic Management wishes to raise.

Professional Ethics

  3. Subject to what is stated in the Principles of Conduct and Business Ethics in Financial Institutions issued by the Bank and related instructions, the Head of Management and Internal Auditors, when performing Management's duties, are committed to the following:
     a. Exhibiting professionalism, integrity, honesty, and trustworthiness.
     b. Maintaining the confidentiality of information accessed during the performance of their duties, and not misusing it for personal purposes or for harmful activities, even after leaving the Company.
     c. Avoiding conflicts of interest when performing their duties, clearly and explicitly disclosing any conflict of interest that exists, and dealing with it in accordance with the conflict of interest policy approved by the Company's Board.

Principle Five: Duties and Responsibilities of the Head of Management

  1. The duties and responsibilities of the Head of Management include, at a minimum, the following:
     a. Completing the procedures necessary for the approval of the audit plan by the Audit Committee.
     b. Developing an internal audit policy and completing the procedures necessary for its approval by the Board upon recommendation of the Audit Committee.
     c. Recruiting human resources with appropriate qualifications and skills based on the actual needs of the work, developing a plan to provide those needs and competencies, and sharing it formally with the Audit Committee so that the Audit Committee can monitor its implementation and evaluate its appropriateness.
     d. Localizing Management positions as required by relevant systems and instructions.
     e. Continuously monitoring and evaluating Management's employees, and encouraging them to obtain professional certificates related to internal audit duties.
     f. Meeting with the Audit Committee separately whenever necessary.
     g. Monitoring the work of external service providers, if some internal audit duties are outsourced to them, and verifying their compliance with relevant systems, regulations, and instructions, including these Principles and the Company's approved Internal Audit Policy.

Principle Six: Duties and Responsibilities of Management

  1. Subject to relevant systems, regulations, and instructions, Management's activity must include an annual evaluation of the governance, risk management, and compliance processes in the Company, with appropriate recommendations regarding them, according to the approved internal audit plan.
  2. Management must evaluate the effectiveness of governance processes and make a recommendation to the Audit Committee, based on a study of the following aspects:
     a. The effectiveness of the Company's strategic and operational decision-making.
     b. The extent of the Company's compliance with the governance regulation approved by the Board.
     c. The effectiveness of communication between the Board and the internal or external auditors.
     d. The effectiveness of IT governance in the Company in supporting its strategies and objectives.
  3. Management must evaluate the effectiveness of the Company's risk management processes, contribute to improving them, and make recommendations regarding them to the Audit Committee as needed, to be discussed with the Risk and Credit Management Committee, based on a study of the following aspects:
     a. The extent to which the risk function or management identifies and assesses risks.
     b. The appropriateness of the risk response mechanism to the Company's risk tolerance level.
     c. The extent to which the risk function or management communicates risk-related information in a timely manner that allows the Board, Executive Management, and the relevant departments to perform their responsibilities.
  4. Management must investigate fraud cases encountered during the performance of its duties; conduct a regular evaluation to verify the effectiveness of the anti-fraud policies and procedures approved by the Board and ensure compliance with their implementation; verify that, where fraud is suspected, the case is dealt with in a timely and appropriate manner and the procedures taken are documented appropriately; and include this information in the Management Report stipulated in Principle Nine of these Principles.
  5. Management must provide the necessary support to the Company in achieving the required compliance level, by evaluating the effectiveness and adequacy of compliance management procedures to avoid non-compliance risks.

Principle Seven: Internal Audit Policy

  1. The Head of Management must prepare an internal audit policy, and update it periodically, to be approved by the Board upon recommendation of the Audit Committee. The policy must include, at a minimum, the following items:
     a. The purpose of establishing Management, its scope, and its methodology of work.
     b. The organizational structure of Management in the Company, its authorities and responsibilities, and its relationship with other business units in the Company.
     c. The key characteristics of Management set forth in Principle Four of these Principles.
     d. Management's right to communicate directly with any employee in the Company, and to inspect the activities of other departments.
     e. Management's right to access any records, files, data, or physical assets of the Company, insofar as this does not conflict with relevant instructions from the Bank.
     f. Management's right to obtain copies of the records and documents supporting audit work and activities, including the right to access management information systems and the records and minutes of all advisory and decision-making bodies in the Company.
     g. Management's right to escalate to the Audit Committee without any restrictions whenever necessary.
     h. Management's responsibilities to the Audit Committee regarding all matters related to the performance of its duties and responsibilities.
     i. The responsibilities of the Head of Management, which must include, at a minimum, the duties and responsibilities set forth in Principle Five of these Principles.
     j. The conditions and terms for outsourcing all or some of the internal audit duties to an external service provider, taking into account the Bank's instructions issued on this matter.
  2. The Company may refer to the Unified Internal Audit Charter of the Institute of Internal Auditors and use it as a guideline when preparing the Internal Audit Policy.
  3. The Internal Audit Policy must be made clearly available to all stakeholders in the Company for review.

Principle Eight: Internal Audit Plan

  1. The Head of Management must develop a risk-based internal audit plan and its implementation schedule, to be approved by the Audit Committee and updated annually. The plan must include, at a minimum, the following points:
     a. A risk assessment and the identification of the resources necessary to implement the plan.
     b. Consideration of the inputs from Executive Management and from the Board during the planning process.
     c. Consideration of the expectations of Executive Management, the Board, and the Company's stakeholders regarding internal audit duties.
     d. A list of the business units and activities subject to audit during the year, which must include, at a minimum, the review of Risk Management, Compliance Management, Collection Management, and Credit Management at least annually, and of Customer Due Diligence Management semi-annually; the review of Customer Due Diligence Management and Collection Management does not apply to a real estate refinance company.
     e. Acceptance of consulting engagements that would improve risk management and operational processes in the Company, provided that what is taken on as consulting is reflected in the audit plan.

Principle Nine: Management Reports

  1. Management must prepare periodic reports on its audits and submit them to the Audit Committee. These reports are divided into:
     a. Quarterly report: includes an evaluation of the internal control system of the departments that were audited, the results and recommendations related to them, and the measures taken by each department regarding the results and recommendations of the previous audit, with clarification of the status of any results not yet addressed by the Company's business units and the justifications for not addressing them.
     b. Annual report: submitted during the quarter following the end of the financial year; includes a comprehensive evaluation of the Company's internal control system and of the audit activities performed during the financial year compared to the approved plan, stating the reasons for any shortcomings or deviations from the plan, if any.

Principle Ten: Management Policies and Procedures

  1. The Head of Management must develop policies and procedures specific to Management's work, including the mechanism for performing tasks assigned to Management, so that they include the objective, scope, timeline, and necessary resources for performing each task individually; taking into account the Company's strategic objectives and risks associated with implementing each task, and updating them periodically as needed.
  2. Subject to instructions issued by the Bank and other regulatory authorities regarding information sharing, Management must retain documents related to its completed duties.

Principle Eleven: External Evaluation of Management

  1. An external evaluation of the internal audit work in the Company must be conducted at least once every five years, and the Audit Committee must recommend appointing candidates to conduct the evaluation and submit it to the Board after verifying the availability of necessary qualifications and independence in candidates to perform their assigned duties.
  2. The Head of Management must provide the necessary support to conduct the external evaluation process, and the Audit Committee must submit the evaluation results and the corrective plan for observed observations, if any, to the Board.
  3. The Board is responsible for ensuring that the Audit Committee conducts the external evaluation.

Principle Twelve: Retention of Documents and Reports

  1. Management must create a database for its work, and update it continuously.
  2. All internal audit reports, results, recommendations, corrective plans, and supporting documents, as well as documents related to the work of external auditors, must be retained in electronic records for at least ten years from the date of attachment to Management's database.

Principle Thirteen: Relationship of Management with First and Second Line Units

  1. Management represents the third and final line in the three lines framework, and is directly and continuously accountable to the Audit Committee for evaluating and confirming the adequacy and effectiveness of the governance, risk management, controls, policies, and procedures implemented by the first and second lines. Second-line units are subject to independent review by Management.
  2. Subject to relevant systems and instructions, the Company may merge the roles of the first and second lines into one line, following the best international standards recognized in this regard.

Chapter Four: Final Provisions

  1. Subject to the Rules on Delegation of Duties for Finance Companies, if some or all of the internal audit function is outsourced, the Company is responsible for verifying that the external service provider complies with the provisions of these Principles.
  2. These Principles will be enforced 180 days after their publication on the Bank's website.

==End of PDF==