Internal Audit Principles for Finance Companies and Real Estate Refinance Companies
(September 2024 / Rabi' I 1446H)
The Saudi Central Bank (SAMA) issued these Principles based on the powers vested in SAMA
under the Finance Companies Control Law issued by Royal Decree No. (M/51) dated 13/08/1433H
and its Implementing Regulations issued by the Decision of SAMA Governor No. (2/MFC) dated
14/04/1434H.
Important note:
For the updated and amended Principles, SAMA advises you to always refer to the version
published on its website: www.sama.gov.sa
Table of Contents
Section One: Definitions, General Provisions and Scope of Application
Section Two: Duties and Responsibilities of the Board, Audit Committee and Executive Management toward Internal Audit
Principle 1: Duties and Responsibilities of the Board toward Internal Audit Function
Principle 2: Duties and Responsibilities of the Audit Committee toward Internal Audit Function
Principle 3: Duties and Responsibilities of the Executive Management toward Internal Audit Function
Section Three: Department Features, Duties and Responsibilities
Principle 4: Key Department Features
Principle 5: Duties and Responsibilities of the Department Director
Principle 6: Duties and Responsibilities of the Department
Principle 7: Internal Audit Policy
Principle 8: Internal Audit Plan
Principle 9: Department Reports
Principle 10: Department Policies and Work Procedures
Principle 11: External Evaluation of the Department
Principle 12: Documentation of Documents and Reports
Principle 13: Department Relationship with First and Second Line Units
Section Four: Concluding Provisions
Section One
Definitions, General Provisions and Scope of Application
1. Definitions
For the purpose of applying the provisions of these Principles, the following terms and phrases, wherever mentioned in this document, shall have the meanings assigned to them unless the context otherwise requires.
SAMA: The Saudi Central Bank.
Principles: The Internal Audit Principles for Finance Companies and Real Estate Refinance Companies.
Law: The Finance Companies Control Law.
Regulations: The Implementing Regulations of the Finance Companies Control Law.
Company: The finance companies and the real estate refinance companies licensed by SAMA.
Board: The Company's board of directors.
Executive Management: The individuals who run the Company's daily business, propose and implement strategic decisions, and are considered senior management.
Department: The internal audit department whose director and employees assume the internal audit duties and responsibilities in the Company.
Department Director: The person in charge of the internal audit department in the Company.
Internal Auditors: The employees of the Department who are primarily in charge of internal auditing.
Internal Audit Function: An independent function that provides assurance and objective consulting on the quality, adequacy and effectiveness of the Company's internal control system. This is achieved by following a systematic and disciplined approach to review the accounting, financial and operational processes, among others, and to evaluate and improve the effectiveness of governance, risk management and control processes.
Internal Audit Policy: A formal document prepared by the Department Director and approved by the Board. It contains the items listed in Principle 7.
Independence: Freedom from conditions that threaten the ability of the Department to carry out its duties and responsibilities in a professional, objective and unbiased manner.
Objectivity: The unbiased, fact-based professional attitude that allows Internal Auditors to perform their duties in such a manner that they have confidence in their work product; also, freedom from material interference or influence from outside the Department or from one's own ideology and personal feelings.
Conflict of Interest: A situation in which the Department Director or an Internal Auditor directly or indirectly has an interest in, or a relationship to, a subject under consideration on which they have to make a decision, where such interest or relationship may affect the objectivity, independence or impartiality of that decision.
First Line: The business units in charge of identifying, assessing and managing the risks of their activities at an early stage and on an ongoing basis, and of keeping such risks within permissible limits.
Second Line: The control and support units related to the business units, such as risk management, compliance, legal, Sharia (if any), finance and IT, that are responsible for comprehensively and systematically ensuring that the First Line business units have identified and are effectively managing their business risks.
Third Line: The internal audit department, which is responsible for providing independent and objective assurance and advice on the adequacy and effectiveness of the governance, risk management, oversight, controls, policies and procedures implemented by the First and Second Lines, for boosting confidence in them, and for providing the Audit Committee with reasonable assurance that policies and procedures are in line with established expectations.
Stakeholders: Anyone who has a direct or indirect interest in the Department, in particular the Board, the Audit Committee, the Executive Management, business units, external auditors, external consultants, shareholders, investors and customers.
Laws: The laws that apply to the Company and its employees.
Instructions: All binding regulations, rules, principles, frameworks, guidelines and circulars issued by SAMA, in exercise of its role as a regulatory and supervisory authority, and by other competent entities.
2. General Provisions
2.1 These Principles are aimed at:
a. Enhancing internal control and improving the Company's operations
and business, taking into account that the methods by which these
Principles are applied depend on many factors, including the
Company’s size, type, and nature and complexity of business.
b. Setting the minimum requirements to enable the Department to
perform its tasks efficiently and optimally.
2.2 These Principles shall not prejudice the requirements imposed on the
Company under relevant laws, regulations and instructions, including but
not limited to the following:
• The Finance Companies Control Law and its Implementing
Regulations.
• The Real Estate Finance Law and its Implementing Regulations.
• The Rules on Outsourcing for Finance Companies.
• The Anti-Fraud Rules for Finance Companies.
• The Rules Governing Real Estate Refinance Companies.
• The Rules for Engaging in Debt-Based Crowdfunding.
• The Rules for Regulating Buy-Now-Pay-Later (BNPL) Companies.
• The Key Principles of Governance in Financial Institutions under the
Control and Supervision of SAMA.
• The Code of Conduct and Work Ethics in Financial Institutions.
• The Requirements for Appointments to Senior Positions in Financial
Institutions Supervised by SAMA.
• The Cyber Security Framework.
• The Information Technology Governance Framework.
• The Whistle Blowing Policy for Financial Institutions.
2.3 Best local and international internal audit standards issued by relevant
entities must be followed in a manner that does not contradict these Principles
and the instructions issued by SAMA.
3. Scope of Application
3.1 The provisions of these Principles shall apply to finance companies and
real estate refinance companies.
3.2 The Provisions of these Principles shall serve as a guide to finance
support companies and financial lease contract registration companies.
SAMA may, at any time, require applying all or some of these Principles.
Section Two
Duties and Responsibilities of the Board, Audit Committee and
Executive Management toward Internal Audit
Principle 1: Duties and Responsibilities of the Board toward Internal
Audit Function
1. Taking into account the Board's duties and responsibilities contained in SAMA's instructions and the relevant laws and regulations, the Board shall be responsible for the following:
a. Following up on any developments in SAMA's laws, regulations and instructions relating to internal audit.
b. Ensuring the independence of the internal and external auditors and the accuracy and integrity of the information and data to be disclosed, in line with disclosure and transparency requirements.
2. Without prejudice to the Audit Committee's independence in performing its work separately from the Board's work, the Board shall be responsible for the effective supervision of the Audit Committee and for following up on its work and duties.
3. In relation to the duties and responsibilities of the Executive Management toward internal audit, the Board shall be responsible for the following:
a. Ensuring that the Executive Management has established and maintains an appropriate, efficient and effective internal control framework that is able to identify, measure, monitor and manage all risks to which the Company is exposed.
b. Reviewing the effectiveness and efficiency of the internal controls based on the information provided by the Audit Committee and the Executive Management.
4. Taking into account the Board's duties and responsibilities contained in SAMA's instructions and other relevant instructions, the Board's responsibilities toward the Department include ensuring the following on an ongoing basis:
a. All necessary measures are taken to ensure the independence and effectiveness of the Department, and its policy is regularly updated.
b. The Department's human and financial resources are adequate and proportionate to the size and nature of the Company's business, based on the recommendation of the Audit Committee.
Principle 2: Duties and Responsibilities of the Audit Committee toward
Internal Audit Function
1. Taking into account its duties and responsibilities contained in the relevant laws and instructions, the Audit Committee shall be responsible for the following:
a. Making recommendations to the Board on approving the Department's organizational structure, and reviewing it regularly as needed.
b. Making recommendations to the Board on the appointment, reappointment or dismissal of the Department Director, and proposing their remuneration.
c. Following up on the implementation of the Department Director's plan for attracting human resources, evaluating its suitability, and ensuring that the Department is appropriately staffed in terms of numbers, qualifications and skills according to that plan, so that the employees of the Department as a whole have the competencies necessary to perform its tasks.
d. Reviewing and approving the internal audit plan prepared by the Department Director or the outsourced service provider (if any), including the scope of the plan and the allocated budget.
e. Reviewing internal and external audit reports and submitting recommendations regarding them to the Board.
f. Reviewing the Department's performance to verify its ability to perform its responsibilities independently and objectively.
g. Adopting key performance indicators (KPIs) for the Department Director and evaluating their performance.
h. Ensuring the Department Director's integrity; their ability to perform their duties honestly, diligently and responsibly; their adherence to the laws, regulations and instructions; and that they have not been convicted of a crime impinging on honor or integrity, unless they have been rehabilitated.
i. Ensuring that the Executive Management takes the necessary corrective measures in a timely and appropriate manner to address the control weaknesses, issues of compliance with policies, laws and instructions, and other violations, observations and shortcomings that the Department identifies and makes recommendations on.
Principle 3: Duties and Responsibilities of the Executive Management
toward Internal Audit Function
1. Taking into account its duties and responsibilities contained in the relevant laws and instructions, the Executive Management shall be responsible for the following:
a. Implementing the internal control and risk management systems, including the conflict of interest policy, and ensuring the effectiveness and efficiency of such systems and compliance with the risk level approved by the Board.
b. Granting the Department complete and unrestricted authority to access records, reach individuals and systems, and obtain the information, data and clarifications necessary to perform its tasks in a timely and appropriate manner, as described in the Internal Audit Policy.
c. Informing the Department of any developments, initiatives, projects, products and new operational changes, and of any amendments to the Company's policies and procedures.
d. Ensuring that all relevant risks (known or expected) are identified and reported to the Department at an early stage.
e. Sharing its assessment of the various risks with the Department so that it can plan the audit according to the risk-based approach.
f. Taking appropriate measures and corrective actions in a timely and appropriate manner regarding all findings and recommendations received from the Department.
g. Inviting Department representatives to attend the meetings of the various management committees as standing invitees, without the right to vote on decisions.
h. Adding an indicator to the Executive Management's performance indicators that reflects how timely and appropriately it responds to the Department's findings.
Section Three
Department Features, Duties and Responsibilities
Principle 4: Key Department Features
Professional Competence
1. The Department Director and the Internal Auditors shall have the knowledge and skills necessary to perform the Department's duties and maintain its effectiveness. To this end, they shall:
a. Hold academic qualifications in accounting, auditing, business administration or other fields related to internal audit, and preferably professional certificates in internal audit or accounting, including but not limited to CPA, CIA and SOCPA.
b. Have sufficient internal audit experience and the skills necessary to fulfill their responsibilities.
c. Receive adequate and necessary training on an ongoing basis to meet the technical requirements of the Company's activities.
Independence and Objectivity
2. The Department shall report directly to the Audit Committee, and the Department Director and the Internal Auditors shall be fully independent and objective in performing their work. To this end, they shall:
a. Have the freedom to discuss the Department's views, findings, evaluations and conclusions directly with the Audit Committee and the Board.
b. Examine the documents available to the Executive Management or to other business units in the Company.
c. Decline any tasks not related to the internal audit function.
d. Perform their duties in all business areas and units of the Company without any restriction from the Executive Management or from any unit other than the Department.
e. Have the right to call a meeting with the Audit Committee at any time, whenever needed, to discuss any topic the Department wishes to raise.
Professional Ethics
3. Taking into account the Code of Conduct and Work Ethics in Financial Institutions issued by SAMA and other relevant instructions, the Department Director and the Internal Auditors, when carrying out the Department's tasks, shall:
a. Be professional, honest and trustworthy.
b. Maintain the confidentiality of information obtained while performing their tasks, and neither misuse it for personal purposes nor use it to carry out harmful activities, even after leaving the Company.
c. Avoid conflicts of interest when performing their tasks, clearly and explicitly disclose any conflicts of interest, and deal with them in accordance with the conflict of interest policy approved by the Board.
Principle 5: Duties and Responsibilities of the Department Director
1. The scope of the duties and responsibilities of the Department Director must include the following, as a minimum:
a. Completing the procedures necessary for the internal audit plan to be approved by the Audit Committee.
b. Developing the internal audit policy and completing the procedures necessary for its approval by the Board upon the recommendation of the Audit Committee.
c. Recruiting human resources with appropriate qualifications and skills based on the actual needs of the business, developing a plan for providing such competent human resources, and sharing it formally with the Audit Committee so that it can follow up on its implementation and assess its suitability.
d. Localizing (Saudizing) the Department's jobs in accordance with the relevant laws and instructions.
e. Monitoring, evaluating and developing the performance of the Department's employees on an ongoing basis, and encouraging them to obtain professional certificates related to internal audit.
f. Holding individual meetings with the Audit Committee as needed.
g. Monitoring the work of outsourced service providers when they are assigned certain internal audit tasks, and ensuring their compliance with the relevant laws, regulations and instructions, including these Principles and the internal audit policy adopted by the Company.
Principle 6: Duties and Responsibilities of the Department
1. Subject to the relevant laws, regulations and instructions, the Department's activity must include evaluating the Company's governance, risk management and compliance processes annually and submitting appropriate recommendations in accordance with the approved internal audit plan.
2. The Department shall evaluate the effectiveness of governance processes and make recommendations to the Audit Committee based on a study of the following aspects:
a. The effectiveness of the Company's strategic and operational decisions.
b. The Company's compliance with the governance regulations approved by the Board.
c. The effectiveness of communication between the Board and the internal or external auditors.
d. The effectiveness of the Company's IT governance in supporting its strategies and objectives.
3. The Department shall evaluate the effectiveness of the Company's risk management processes and contribute to their improvement. It shall also make recommendations in this regard to the Audit Committee, which in turn discusses them with the risk and credit management committee (as needed), based on a study of the following aspects:
a. The ability of the risk management function or department to identify and evaluate risks.
b. The suitability of the risk response mechanism to the Company's level of risk appetite.
c. The ability of the risk management function or department to deliver risk-related information in a timely manner that enables the Board, the Executive Management and the relevant departments to carry out their responsibilities.
4. The Department shall investigate cases of fraud encountered during the performance of its duties and conduct regular assessments to verify the effectiveness of, and compliance with, the anti-fraud policies and procedures approved by the Board. It shall also ensure that suspected cases of fraud are handled appropriately and in a timely manner, that the actions taken are properly documented, and that such information is included in the Department's reports referred to in Principle (9) of these Principles.
5. The Department shall support the Company in achieving the required level of compliance by evaluating the effectiveness and adequacy of the compliance department's procedures for avoiding the risk of non-compliance.
Principle 7: Internal Audit Policy
1. The Department Director shall prepare an internal audit policy and update it periodically, provided that it is approved by the Board upon the recommendation of the Audit Committee. This policy must include, as a minimum, the following:
a. The purpose of establishing the Department and the scope and methodology of its work.
b. The Department's organizational structure in the Company, as well as its powers, responsibilities and relationship with other units in the Company.
c. The Department's main characteristics described in Principle (4) of these Principles.
d. The Department's right to communicate directly with any of the Company's employees and to examine the activities of other departments.
e. The Department's right to access any records, files, data or tangible property of the Company, in a manner consistent with the relevant instructions of SAMA.
f. The Department's right to obtain copies of the records and documents supporting its audit work and activities, including the right to access management information systems, records and minutes of all consultants and decision makers in the Company.
g. The Department's right to escalate to the Audit Committee, without any restriction, whenever the need arises.
h. The Department's accountability to the Audit Committee for all matters related to the performance of its duties and obligations.
i. The Department Director's responsibilities, including, as a minimum, the tasks and responsibilities mentioned in Principle (5) of these Principles.
j. The terms and conditions for outsourcing all or some of the internal audit tasks, taking into account the instructions issued by SAMA in this regard.
2. The Company may refer to the Internal Audit Charter of the Institute of Internal Auditors as a guide when preparing its internal audit policy.
3. The internal audit policy must be made readily available to all Stakeholders in the Company for perusal.
Principle 8: Internal Audit Plan
1. The Department Director shall develop a risk-based internal audit plan and a timetable for its implementation. The plan must be approved by the Audit Committee and updated annually, and must include the following, as a minimum:
a. A risk assessment and identification of the resources needed to implement the plan.
b. Consideration of the inputs of the Executive Management and of what is received from the Board during the development of the plan.
c. Consideration of the expectations of the Executive Management, the Board and the Company's Stakeholders relating to the internal audit function.
d. A list of the business units and activities subject to audit during the year, which must include as a minimum the risk management, compliance, collection and credit departments (at least annually) and the customer care department (semi-annually); the audit of the customer care and collection departments does not apply to real estate refinance companies.
e. Openness to advice aimed at improving risk management and operational processes in the Company, and reflection of the advice taken.
Principle 9: Department Reports
1. The Department shall prepare periodic reports on its audits and submit them to the Audit Committee. These reports are divided into:
a. Quarterly reports: these include an evaluation of the internal control system of the audited departments, the results and recommendations of their audits, and the actions taken by each department regarding those results and recommendations. They also indicate the status of any results not acted upon by the Company's business units and the reasons for not acting on them.
b. Annual reports: these include a comprehensive evaluation of the Company's internal control system and of the audit activities carried out during the fiscal year as compared to the approved plan, together with the reasons for any shortfall against or deviation from the plan (if any). They are submitted during the quarter following the end of the fiscal year.
Principle 10: Department Policies and Work Procedures
1. The Department Director shall develop policies and procedures for the Department's work that set out the mechanism for performing the tasks entrusted to it, as well as the objective, scope, timeline and resources required for each task separately. The Company's strategic objectives and the risks associated with performing each task must be taken into account. These policies and procedures must be updated periodically as needed.
2. Taking into consideration the instructions issued by SAMA and other regulatory bodies regarding information sharing, the Department shall keep, and periodically update, the documents related to its completed tasks.
Principle 11: External Evaluation of the Department
1. An external evaluation of the internal audit work in the Company must be conducted at least once every five years. The Audit Committee shall recommend to the Board the appointment of candidates to conduct the evaluation after verifying that they have the qualifications and independence necessary to carry out the tasks entrusted to them.
2. The Department Director shall provide the support necessary for performing the external evaluation, and the Audit Committee shall submit the results of the evaluation and the corrective action plan for any observations made to the Board.
3. The Board shall be responsible for ensuring that the Audit Committee has properly conducted the external evaluation.
Principle 12: Documentation of Documents and Reports
1. The Department shall establish a database for its work and update it regularly.
2. All internal audit reports, results, recommendations, corrective action plans and supporting documents, in addition to documents related to the work of the external auditors, must be kept in electronic records for at least ten (10) years from the date they are added to the Department database.
Principle 13: Department Relationship with First and Second Line
Units
1. The Department represents the Third Line, the last of the three lines. It shall be directly and continuously accountable to the Audit Committee for evaluating and confirming the adequacy and effectiveness of the governance, risk management, controls, policies and procedures implemented by the First and Second Line units. The Second Line units shall be subject to independent audit by the Department.
2. Taking into account the relevant laws and instructions, the Company may combine the roles of the First and Second Lines into one line, following the best recognized international standards in this regard.
Section Four
Concluding Provisions
1. Taking into consideration the Rules on Outsourcing for Finance Companies, if some or all of the tasks related to the internal audit function are outsourced, it is the Company's responsibility to ensure that the outsourced service provider complies with the provisions of these Principles.
2. These Principles shall enter into force one hundred eighty (180) days after the date of their publication on SAMA's website.