2021-12-01
Added · Updated
The Saudi Central Bank (SAMA) issued these principles to establish a unified framework for internal audit functions within local banks operating in Saudi Arabia. The document mandates that the Board of Directors and Executive Management maintain effective oversight, ensuring the internal audit unit operates as an independent third line of defense with adequate resources and authority. It defines specific roles for the Board, Audit Committee, and management while outlining detailed requirements for the unit's independence, objectivity, risk-based planning, and reporting structures.
(First Edition – Rabi' al-Thani 1443H / December 2021G)
Important Note: To keep pace with updates and amendments regarding instructions issued by the Saudi Central Bank, the Bank emphasizes the necessity of always relying on the versions published on its website: www.sama.gov.sa
| Page Number | Chapter/Principle |
|---|---|
| 3 | Chapter One: Introduction, Definitions, and General Provisions - Scope of Application |
| 3 | Introduction |
| 3 | Definitions |
| 5 | General Provisions |
| 6 | Scope of Application |
| 7 | Chapter Two: Competencies and Responsibilities of the Board and Executive Management towards Internal Audit |
| 7 | Principle (1): Tasks and Responsibilities of the Board towards Internal Audit |
| 7 | Principle (2): Tasks and Responsibilities of the Audit Committee towards the Unit |
| 8 | Principle (3): Tasks and Responsibilities of Executive Management towards Internal Audit |
| 9 | Chapter Three: Competencies, Tasks, and Responsibilities of the Unit |
| 9 | Principle (4): Key Characteristics of the Unit |
| 9 | Independence and Objectivity |
| 10 | Professional Competence and Due Care |
| 11 | Professional Ethics of the Unit Head and Staff |
| 11 | Principle (5): Internal Audit Policy |
| 13 | Principle (6): Unit Organization, Tasks, and Responsibilities |
| 13 | Organizational Structure and Reporting Lines |
| 13 | Requirements and Responsibilities of the Unit Head |
| 14 | No Objection from the Saudi Central Bank on the Appointment and Change of the Unit Head |
| 14 | Internal Work Procedures of the Unit |
| 15 | List of Units and Entities Subject to Internal Audit and Audit Cycle |
| 15 | Risk Assessment Methodology |
| 17 | Risk-Based Internal Audit Plan |
| 17 | Information Technology for the Audit Unit |
| 17 | Quality Assurance and Improvement Program |
| 17 | Periodic Reports to the Audit Committee |
| 17 | Database, Document Retention, and Reports |
| 18 | Principle (7): Scope of the Unit's Work |
| 20 | Principle (8): Relationship of the Unit with Second Line of Defense Units and External Auditors |
| 21 | Principle (9): Internal Audit of Activities of Bank Subsidiary Entities |
A. The Saudi Central Bank issued these Principles based on the supervisory and regulatory authorities entrusted to it under the following systems:
B. These Principles consist of three chapters in their content and context: Chapter One clarifies the terminology used and general provisions; Chapter Two includes reference to the competencies, roles, and responsibilities of the Board, the Audit Committee, and Executive Management towards internal audit - as stated in related systems and regulations - and brief requirements for their activation; and Chapter Three includes comprehensive and detailed requirements regarding the activity, work, roles, tasks, and responsibilities of the unit and its relationship as a third line of defense with the first and second lines of defense, as a tool for bank management control and supervision, not a substitute for them. They form a basis and help align with and comply with the provisions of systems, regulations, instructions, and best practices, in a manner that considers the special nature of banks and their application methods.
The following terms - wherever they appear in these Principles - have the meanings indicated next to each of them, unless the context dictates otherwise:
| Term | Definition |
|---|---|
| Central Bank | The Saudi Central Bank. |
| Bank | Local commercial banks licensed to conduct banking business in the Kingdom. |
| Board | The Bank's Board of Directors. |
| Audit Committee | One of the committees emanating from the Board, formed by a resolution of the Ordinary General Assembly. |
| Executive Management | The Bank's senior management, consisting of persons entrusted with managing the Bank's daily operations, proposing strategic decisions, and implementing them. |
| Unit | The Internal Audit Unit, in which its head and staff perform the tasks and responsibilities of internal audit. |
| Unit Head | The person responsible for managing the Unit. |
| Internal Auditors | Staff working in the Unit responsible for performing the tasks and responsibilities of internal audit. |
| Term | Definition |
|---|---|
| Principles | Principles of Internal Auditing for Local Banks Operating in Saudi Arabia. |
| Internal Audit Function | An independent evaluation activity that provides objective and independent assurances and consulting services regarding the quality, assurance, and effectiveness of the Bank's internal control system, by following organized methodologies and styles to review accounting, financial, operational, and other processes, and to evaluate and improve the effectiveness of governance, risk management, and control processes. |
| Internal Audit Policy | The official document approved by the Board, which defines and clarifies the purpose of the Unit, the scope of its activity, its position in the organizational structure, its functional and administrative reporting lines, its comprehensive responsibilities and authorities, its characteristics and relationship with other work units, the pillars and methodology the Bank follows regarding internal control, as well as its right to access records, communicate with staff, and access physical property to enable it to perform its tasks. |
| Systems and Regulations | Systems and regulations applicable to the banking sector and its personnel. |
| Instructions | All that is issued by the Saudi Central Bank with its regulatory and supervisory authorities over the banking sector, as well as what is issued by competent authorities in the form of binding regulations, rules, principles, frameworks, and circulars. |
| Independence | The absence of conditions and factors that affect the Unit's ability to perform its internal audit tasks and responsibilities in a professional, objective, and unbiased manner. |
| Conflict of Interest | The situation or situations where the Unit Head and its staff have or appear to have a direct or indirect interest or relationship in a matter that is the subject of this person(s)'s attention: for the purpose of making a decision regarding it, such that this interest or relationship prevents, or leads to the belief that it stands between them and expressing their opinion or making their decision independently, neutrally, and objectively, without regard to this interest or relationship. |
| Objectivity | Neutral professional behavior based on facts that allows internal auditors to perform their tasks in a way that makes them confident in the quality of their work and results, and the absence of any significant external interference or influence from outside the Unit on its quality or being affected by personal beliefs and feelings. |
| Consulting Services | Consultations performed upon request from one of the units in the Bank. |
| Term | Definition |
|---|---|
| First Line of Defense | Business units responsible for identifying, assessing, and managing the risks of their activities at early stages and continuously, and bearing those risks within permitted limits. |
| Second Line of Defense | Supervisory and support units, such as: Risk Management, Compliance, Legal, Sharia (if available), Finance, and Technology related to business units, responsible for verifying through a comprehensive and methodical view that business units in the first line of defense have appropriately identified and estimated their business risks. |
| Third Line of Defense | The Internal Audit Unit - the Unit - responsible for independently and objectively evaluating and confirming the adequacy and effectiveness of governance, risk management, control, and the controls, policies, and procedures implemented by the first and second lines of defense, increasing confidence in them, and providing Executive Management with reasonable assurance that policies and procedures align with specified expectations. |
| Stakeholders | Anyone with a direct interest in the Unit, specifically: the Board, the Audit Committee, Executive Management, business units in the Bank, external auditors, external investors, and others, and indirectly, such as: shareholders, investors, and customers. |
The general purpose of issuing these Principles is to establish the minimum requirements that enable the Unit to perform its activity efficiently and optimally under a unified, broad, and robust framework as a tool for enhancing self-control, and to lay the foundations for performing internal audit, and improving the Bank's processes and operations. Taking into account that the reasons for implementing these Principles depend on many factors, such as: the size of the Bank, the nature and complexity of its operations, its geographical scope, its regulatory structure, and the instructions under which it operates.
The main purpose of these Principles is to achieve the following key objectives:
3-2 The Unit represents the third line of defense and the final line of defense within the three lines of defense framework. It is directly and permanently responsible to the Board and the Audit Committee for evaluating and confirming the adequacy and effectiveness of governance processes, risk management, supervisory controls, policies, and procedures implemented by the first and second lines of defense, increasing confidence in them, and contributing to their improvement. According to an organized methodological approach based on risk, through which the optimal use of resources is achieved, directing financial, administrative, and operational audit work towards the most risky and important activities and operations for the Bank, and implementing them in an objective manner that takes into account specified strategies and objectives. The importance of this defense is enhanced by independence, which strengthens its objectivity and credibility, and achieves proactive effectiveness, and clarifies new insights and identifies future impacts. And enhancing appropriate ethics and values, thereby providing Executive Management with reasonable assurance that policies and procedures align with specified expectations.
3-3 These Principles do not derogate from the requirements imposed on banks under other related systems, regulations, and instructions.
3-4 The Saudi Central Bank has issued several instructions detailing some of the requirements for internal audits, and these Principles should be read alongside them - as appropriate - including, but not limited to:
3-5 The internal audit function receives international attention; as several international bodies and organizations have issued guiding instructions for it, and reference should be made to them and guided by them, including the following bodies and organizations:
These Principles apply to local banks operating in the Kingdom.
5-1 Assuming the Ordinary General Assembly performs its competencies, the Audit Committee and Internal Audit are defined, according to the provisions of the Companies System and its executive regulations, the Corporate Governance Regulations issued by the Capital Market Authority, and the Key Governance Principles for Financial Institutions issued by the Saudi Central Bank: The Board must:
5-2 Monitor any developments that occur in systems, regulations, and instructions related to internal audit from competent authorities from time to time.
6-1 Although the Audit Committee is independent in performing its work from the work of the Board and Executive Management, this does not exempt the Board - according to the Key Governance Principles for Financial Institutions - from the responsibility of effective supervision of the Audit Committee and monitoring its work and duties entrusted to it.
7-1 The Board bears the following responsibilities regarding the roles and responsibilities of Executive Management towards internal audit: