Compliance Audit in Saudi Arabia: A Practical Playbook for SAMA, NCA & PDPL

A practical playbook for compliance audit in Saudi Arabia — scoping, evidence, fieldwork and reporting against SAMA CSF, NCA ECC, PDPL and ISO 27001 in 2026.

GRC Vantage Team · 2026-04-08 · 8 min read

A compliance audit in Saudi Arabia in 2026 is a different exercise from one performed in Europe or North America. The frameworks are different, the regulators are different, the evidence expectations are different, and the operational tempo of an inspection by SAMA or the National Cybersecurity Authority does not match the rhythm of a typical SOC 2 examination. Compliance audit teams operating in the Kingdom — internal auditors, external auditors, and the compliance functions that support them — need a playbook that is built for the Saudi context, not adapted from a generic global template.

This post is that playbook. It walks through the audit lifecycle as it actually runs in the Kingdom, with the practical detail teams need to scope, plan, perform, evidence and report a compliance audit against SAMA CSF, NCA ECC, PDPL and ISO 27001.

What "compliance audit" means in the Saudi context

The phrase compliance audit covers two distinct activities in Saudi practice, and conflating them is the most common cause of avoidable confusion.

The first is the regulatory inspection — when SAMA or the NCA assess the organisation directly against a mandatory framework. SAMA inspections sample CSF controls against the maturity model and produce findings the regulated entity must remediate. NCA assessments collect evidence against ECC sub-controls and rate compliance. These inspections are not led by the organisation's own audit function; they are led by the regulator.

The second is the internal compliance audit — when the organisation's own internal audit function (or an external assurance provider) performs an independent review of compliance posture against one or more frameworks. This is the audit the organisation owns, plans, scopes and reports internally. Its purpose is to give management and the audit committee assurance that the regulatory inspection, when it comes, will not produce surprises.

Both activities rely on the same underlying control library and the same evidence. The difference is the audience and the methodology. This playbook is written for the second activity — the internal compliance audit — but the discipline it builds is exactly what survives the first.

Step 1 — Scoping the audit

A compliance audit's success is decided in the scoping conversation. Get scope wrong and the rest of the engagement is rework.

For a Saudi compliance audit the scope statement should answer five questions:

  1. Which legal entities are in scope? A single Saudi entity, a group, a branch of a foreign bank?
  2. Which frameworks are being assessed? A single framework (SAMA CSF), a combination (SAMA CSF + NCA ECC + ISO 27001), or a sample of controls across frameworks?
  3. Which business units, products and services are in scope? The full estate, a regulated product, a recently-launched service?
  4. Which control population is being tested? Every control, a risk-based sample, or controls associated with a specific finding from the previous audit?
  5. What is the assessment period? A point-in-time review or a coverage period (typically 6–12 months)?

Document the scope, get it approved by the audit sponsor (typically the audit committee chair or chief audit executive), and circulate it to control owners before fieldwork begins. Disagreements about scope discovered during fieldwork are findings the audit could have avoided.

Step 2 — Build the audit programme

The audit programme is the working document that lists every control to be tested, the test objective, the test procedure, the evidence requirements and the assigned auditor. For Saudi compliance audits the programme should be built directly from the framework control population — not from a generic checklist — and should reference the specific control IDs the auditor and the auditee will both use in their working papers.

A practical Saudi audit programme has these columns:

  • Framework reference (e.g. SAMA CSF 3.3.5, NCA ECC 2-2-3, ISO 27001 Annex A 8.2).
  • Plain-English control statement.
  • Test objective.
  • Test procedure (inspection, observation, re-performance, inquiry, recalculation).
  • Evidence required.
  • Sampling approach.
  • Assigned auditor.
  • Owner (auditee contact).
  • Status (planned, in progress, complete, exception).
  • Working paper reference.

When the same control satisfies multiple frameworks, the programme should treat it as one test with multiple framework references — not as three separate tests. This is the single biggest efficiency lever in a multi-framework Saudi audit.

Step 3 — Plan the evidence

Evidence is the audit. Without evidence, every control test is an opinion. The Saudi regulators are explicit about this — SAMA inspectors and NCA assessors both ask for evidence first and discussion second.

Evidence types typically requested in a Saudi compliance audit include:

  • Policies and procedures — current versions, with approval dates and approvers.
  • Configuration screenshots — system settings, identity provider configurations, MFA enforcement.
  • Logs and reports — access logs, change logs, vulnerability scan reports, penetration test reports.
  • Tickets and records — joiners-movers-leavers tickets, change management tickets, incident tickets.
  • Training records — completion data, role-based training tracking.
  • Meeting minutes — risk committee, audit committee, management review.
  • Contracts and DPAs — for third-party and vendor controls.
  • Test results — control self-tests, internal audit reports from prior cycles.

The evidence list should be agreed with control owners before fieldwork, with clear deadlines. Audits that rely on chasing evidence during fieldwork run late and produce frustrated auditors and frustrated auditees in equal measure.

Step 4 — Fieldwork

Fieldwork in a Saudi compliance audit is more efficient when it follows a structured cadence rather than an ad-hoc model.

A typical structure: a kick-off meeting with each control owner to walk through the scope and evidence list; an evidence-collection window (one to two weeks per business unit) during which the auditee uploads evidence to a shared workspace; a testing window during which the auditor performs the test procedures and records results in working papers; and an exit meeting at which preliminary findings are discussed before they are written up.

Three practical tips that consistently improve fieldwork in the Kingdom:

  • Use a single evidence workspace. Email attachments and ad-hoc file shares produce evidence that cannot be re-found six months later when the regulator asks the same question.
  • Separate the auditor's working paper from the auditee's evidence. Working papers are the auditor's record of test performance and conclusions; they should not be edited by the auditee.
  • Run regular status meetings. Short, frequent (twice weekly is often right) check-ins surface problems before they become findings.

Step 5 — Findings and recommendations

Every finding should have four elements: condition (what was observed), criteria (what the framework expects), cause (why the condition exists) and effect (what the risk is). Recommendations should be specific, owned and dated.

For Saudi compliance audits, findings should additionally be tagged with the framework references they touch. A single finding may be a SAMA CSF gap, an NCA ECC gap, an ISO 27001 nonconformity and a PDPL exposure all at once. Tagging the finding to all four allows management to prioritise across frameworks rather than treating them as separate problems.

Findings should be rated. The rating scale should be defined in the audit charter and applied consistently. Common scales include high / medium / low, or critical / major / moderate / minor. Regulators do not require a specific scale, but they do require consistency.

Step 6 — Reporting

The compliance audit report is read by three audiences: the audit committee, executive management, and the control owners themselves. A good report serves all three.

The audit committee wants the headline assurance opinion, the rating profile, the trend versus the previous audit, and the open findings register. Executive management wants the cause analysis, the remediation plan, the resource implications and the regulatory exposure. Control owners want the detailed findings, the recommendations and the agreed actions.

A practical Saudi compliance audit report includes:

  • Executive summary (one to two pages).
  • Scope, methodology, period.
  • Assurance opinion.
  • Findings register, rated, with framework tags.
  • Trend analysis against the previous audit.
  • Management responses and agreed actions with owners and dates.
  • Appendix with the control population tested and the testing approach.

Reports should be issued promptly. A compliance audit that takes six weeks to write up after fieldwork ends is a compliance audit whose findings are stale before they are read.

Step 7 — Follow-up and closure

Findings are not closed when management agrees a remediation action. They are closed when the action is implemented, the implementation is evidenced, and an auditor has tested that the implementation actually addressed the original cause.

A credible follow-up programme tracks every finding to closure, retests on a defined cadence, and reports the trailing finding population to the audit committee. Open findings older than 90 days should be on the audit committee's standing agenda.
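To make the data model behind Steps 2, 5 and 7 concrete, here is a small added example in Python. It is not GRC Vantage's code and not a real framework mapping: the control library, the pairing of framework references to control statements, the sample findings and their dates are all constructed for illustration, and anything marked `<placeholder>` stands in for a control ID the page does not give. It shows the efficiency lever from Step 2 (one test per unified control carrying every in-scope framework reference, instead of one test per framework), the four-element finding with charter-defined rating and framework tags from Step 5, and the 90-day ageing check from Step 7.

```python
"""Added example (not GRC Vantage's code): unified control library,
de-duplicated audit programme, four-element findings and 90-day ageing."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample library. References reuse the notation the playbook cites
# (SAMA CSF 3.3.5, NCA ECC 2-2-3, ISO 27001 Annex A 8.2); the pairing to a
# control statement is illustrative and <placeholder> is not a real control ID.
CONTROL_LIBRARY = {
    "UC-01": {
        "statement": "Multi-factor authentication is enforced for privileged access",
        "refs": {"SAMA CSF": "3.3.5", "NCA ECC": "2-2-3", "ISO 27001": "Annex A 8.2"},
    },
    "UC-02": {
        "statement": "Joiner/mover/leaver access changes are ticketed and approved",
        "refs": {"SAMA CSF": "<placeholder>", "ISO 27001": "<placeholder>"},
    },
    "UC-03": {
        "statement": "Records of personal data processing activities are maintained",
        "refs": {"PDPL": "<placeholder>"},
    },
}

def build_programme(library, frameworks_in_scope):
    """One test per unified control, carrying every in-scope framework
    reference it satisfies. Controls with no in-scope reference drop out."""
    programme = []
    for control_id, control in sorted(library.items()):
        refs = {fw: ref for fw, ref in control["refs"].items() if fw in frameworks_in_scope}
        if refs:
            programme.append({"control_id": control_id, "statement": control["statement"],
                              "refs": refs, "status": "planned"})
    return programme

def per_framework_test_count(programme):
    """Tests the same scope would need if structured by framework rather than
    by unified control: the duplication the playbook warns against."""
    return sum(len(test["refs"]) for test in programme)

RATING_SCALE = ("high", "medium", "low")  # defined once, in the audit charter

@dataclass
class Finding:
    id: str
    control_id: str
    condition: str   # what was observed
    criteria: str    # what the framework expects
    cause: str       # why the condition exists
    effect: str      # what the risk is
    rating: str
    raised: date
    closed: Optional[date] = None

    def __post_init__(self):
        # Reject a finding missing any of the four elements, or rated outside
        # the charter scale, at creation rather than in report QA.
        for name in ("condition", "criteria", "cause", "effect"):
            if not getattr(self, name).strip():
                raise ValueError(f"{self.id}: missing {name}")
        if self.rating not in RATING_SCALE:
            raise ValueError(f"{self.id}: rating {self.rating!r} not in charter scale")

def framework_tags(finding, library):
    """Every framework reference the finding touches, derived from the unified
    control so tags cannot drift from the library."""
    return dict(library[finding.control_id]["refs"])

def overdue_open_findings(findings, today, max_age_days=90):
    """IDs of open findings older than the standing-agenda threshold."""
    return [f.id for f in findings
            if f.closed is None and (today - f.raised).days > max_age_days]

# Constructed sample findings register; dates are illustrative.
AS_OF = date(2026, 4, 8)
SAMPLE_FINDINGS = [
    Finding("F-01", "UC-01", "MFA not enforced for 3 of 25 sampled admin accounts",
            "MFA required for all privileged access", "Legacy service accounts excluded from IdP policy",
            "Credential theft leads directly to privileged access", "high", date(2026, 1, 5)),
    Finding("F-02", "UC-02", "2 of 40 leaver tickets closed after the access removal date",
            "Access removed on or before leaving date", "HR feed to ticketing runs weekly",
            "Ex-staff retain access for up to 7 days", "medium", date(2026, 3, 20)),
    Finding("F-03", "UC-02", "Mover tickets lack an approver for 5 of 40 samples",
            "Every access change is approved", "Approval field optional in ticket template",
            "Unapproved privilege accumulation", "low", date(2025, 12, 1), closed=date(2026, 2, 10)),
]

if __name__ == "__main__":
    prog = build_programme(CONTROL_LIBRARY, {"SAMA CSF", "NCA ECC", "ISO 27001"})
    print(len(prog), "unified tests vs", per_framework_test_count(prog), "per-framework tests")
    print("open > 90 days:", overdue_open_findings(SAMPLE_FINDINGS, AS_OF))
```

With SAMA CSF, NCA ECC and ISO 27001 in scope, the programme holds two unified tests where a per-framework programme would hold five, and the PDPL-only control drops out of scope automatically. Finding F-01 is raised on 5 January and is 93 days old on the post's publication date, so it lands on the overdue list; F-03 is closed and never ages. The point of deriving tags from the control library rather than typing them onto each finding is the same one the pitfalls section makes about spreadsheets: control-to-evidence-to-finding linkage survives between cycles only if there is one record to link to.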

Common pitfalls and how to avoid them

A handful of pitfalls account for the majority of avoidable compliance audit problems in the Kingdom:

  • Scoping by framework rather than by control. Frameworks overlap; if the audit programme is structured by framework rather than by unified control, the same control gets tested three times.
  • Treating SAMA CSF as binary. CSF is assessed against a maturity model. An audit that rates controls as compliant / non-compliant misses the maturity dimension and tells the audit committee less than it needs to know.
  • Testing existence rather than operation. A documented policy that nobody follows is a finding, not a pass. Test operation, not just existence.
  • Ignoring third-party controls. SAMA and NCA both expect third-party cyber security to be managed and evidenced. Audits that scope out vendor controls miss the area regulators care about most.
  • Running the audit in spreadsheets. Spreadsheets cannot maintain control-evidence linkage across cycles. Findings get lost between audits and the same issue gets re-discovered annually.

How GRC Vantage supports Saudi compliance audits

GRC Vantage's audit module is purpose-built for Saudi compliance audit teams. It runs the audit universe, audit planning, fieldwork, working papers, findings and follow-up — all on the same control library that the compliance and risk modules use. SAMA CSF, NCA ECC, PDPL and ISO 27001 ship pre-mapped on day one. Evidence is collected once and inherited by every framework view, so a single audit cycle produces SAMA, NCA and ISO outputs without re-keying. The platform can be deployed inside Saudi Arabia for data residency, and our delivery teams in Riyadh and Dammam regularly support both internal audit functions and external assurance providers.

For the wider regulatory context that compliance audits in the Kingdom must satisfy, read our SAMA frameworks guide and our NCA frameworks guide. When you are ready to see how a unified Saudi compliance audit runs end to end, book a demo.

GRC Vantage Team
Saudi GRC Practitioners

The GRC Vantage team brings together compliance, risk, audit and business continuity practitioners based in Riyadh and Dammam. We help Saudi banks, government entities and regulated enterprises navigate the SAMA framework family, the NCA framework family, PDPL, ISO 27001 and ISO 22301.