Risk-Based Internal Audit in Saudi Arabia: 2026 Guide
How to run a risk-based internal audit program in Saudi Arabia — IIA-aligned audit universe, risk rating, planning, fieldwork and committee reporting.
The expectation that internal audit functions in Saudi Arabia should be risk-based is now universal — the Institute of Internal Auditors' standards require it, the Saudi Audit Bureau expects it from public-sector functions, SAMA expects it from member organisations, and audit committees increasingly ask their Heads of Internal Audit to defend the annual audit plan in risk terms before they will approve it. Yet many Saudi internal audit functions still build their plans around historical coverage, regulator expectations or cyclical schedules rather than from a structured risk model.
This post is a practitioner guide to building and running a genuine risk-based internal audit programme in the Kingdom — IIA-aligned, defensible, and operationally sustainable.
What "risk-based" actually means
The IIA's International Standards for the Professional Practice of Internal Auditing (the IPPF Standards) require, in Standard 2010, that the Chief Audit Executive establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organisation's goals. Standard 2010.A1 is more specific: the plan must be based on a documented risk assessment, undertaken at least annually, with input from senior management and the board.
The phrase "risk-based" therefore has three components, all of which the audit function must evidence:
- A documented risk assessment of the auditable population.
- A plan derived from the assessment, with audit days allocated in proportion to risk.
- Annual review with senior management and the board (in Saudi practice, the audit committee).
A plan that is built from "what we audited last year" plus "what the regulator might ask about" is not risk-based, no matter what it is called.
Step 1 — Define the audit universe
The audit universe is the structured inventory of every auditable unit in the organisation. It is the foundation of risk-based planning and the artefact most commonly examined in external quality assessments of Saudi internal audit functions.
A practical Saudi audit universe is built across multiple dimensions:
- Business processes — order-to-cash, procure-to-pay, customer onboarding, credit decisioning, claims handling, etc.
- Business units and legal entities — operating divisions, subsidiaries, branches, joint ventures.
- Products and services — major product lines, regulated products, new launches.
- IT systems and infrastructure — core banking, payment switches, identity, cloud workloads, OT environments.
- Functions — finance, HR, IT, security, compliance, legal, procurement.
- Geographies — Riyadh, Dammam, Jeddah, branch network, international.
- Regulatory exposure — SAMA CSF, NCA ECC, PDPL, ISO 27001, sectoral regulators.
Each auditable unit in the universe should carry a stable identifier, an owner, a description and the dimensional tags that connect it to processes, systems, products and frameworks. The universe should be reviewed at least annually and updated whenever the organisation's structure materially changes.
Step 2 — Risk rating each auditable unit
Risk-based planning depends on a defensible risk rating for every auditable unit. The rating should be derived from a structured methodology, not from the auditor's intuition.
A practical Saudi risk rating model considers:
- Inherent risk — the gross risk before controls. Driven by transaction value, volume, complexity, regulatory exposure, public visibility, recent change.
- Control environment — the assessed maturity of the control framework. Pulled from the unit's most recent compliance assessment, the most recent audit result and any recent self-assessment.
- Recent change — new systems, new leadership, recent reorganisation, recent incident history.
- Time since last audit — units not audited for several cycles carry implicit risk.
- Stakeholder concern — explicit concerns raised by senior management, the audit committee or the regulator.
Each input should be scored on a defined scale and combined into an overall risk rating per unit. The rating model should be documented, approved by the Chief Audit Executive, and applied consistently across the universe.
The output is a ranked list of auditable units, from highest to lowest risk, that becomes the input to the annual planning exercise.
Step 3 — Build the annual plan
The annual audit plan allocates the function's available capacity to auditable units in proportion to risk. The mechanics are deceptively simple:
- Sum the available audit days for the year (auditors × working days, less leave, training, administration).
- Allocate audit days to units in descending order of risk rating.
- Adjust for stakeholder priorities, mandatory regulatory audits, and constraints (auditor specialisation, system access windows, business cycles).
- Reserve a percentage of capacity for unplanned work (typically 10–20%) to handle special requests and emerging issues.
- Present the plan to the audit committee for approval.
The plan should be defensible on three counts: every audit on the plan should be there because its risk rating warranted it; no high-risk unit should be left unaudited; and the unallocated capacity should be explicit and reserved.
A common Saudi practice is to operate a multi-year plan (typically three years) under which every auditable unit is audited at a frequency proportional to its risk rating: high-risk units annually, medium-risk units every two years, low-risk units every three years. The annual plan is then a slice of the multi-year plan.
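As an added worked example (not the page's or GRC Vantage's code), the rating and allocation mechanics of Steps 2 and 3 in Python: each unit is scored on the five inputs above, banded, and then funded in descending risk order under a multi-year cycle with an explicit reserve. The weights, scales, band thresholds and the sample units are assumptions.

```python
from dataclasses import dataclass
# Added example (not the page's or GRC Vantage's code): scales, weights,
# band thresholds and the sample units below are assumptions.
WEIGHTS = {"inherent": 0.35, "control_env": 0.25, "recent_change": 0.15,
           "time_since_audit": 0.10, "stakeholder": 0.15}
FREQUENCY_YEARS = {"high": 1, "medium": 2, "low": 3}  # multi-year cycle

@dataclass
class AuditableUnit:
    uid: str
    inherent: int            # 1 (low) .. 5 (high): gross risk before controls
    control_env: int         # 1 (mature controls) .. 5 (weak controls)
    recent_change: int       # 1 .. 5: new systems, leadership, incidents
    cycles_since_audit: int  # annual cycles since last audit (0 = last year)
    stakeholder: int         # 1 .. 5: management/committee/regulator concern
    est_days: int            # estimated auditor days for one engagement
    mandatory: bool = False  # regulator-required audit regardless of rating
def risk_score(u: AuditableUnit) -> float:
    """Weighted 1..5 score; time since last audit saturates at five cycles."""
    inputs = {"inherent": u.inherent, "control_env": u.control_env,
              "recent_change": u.recent_change, "stakeholder": u.stakeholder,
              "time_since_audit": min(5, 1 + u.cycles_since_audit)}
    return round(sum(WEIGHTS[k] * v for k, v in inputs.items()), 2)
def rating_band(score: float) -> str:
    return "high" if score >= 3.75 else "medium" if score >= 2.5 else "low"
def build_annual_plan(units, total_days, reserve_pct=0.15):
    """Mandatory audits first, then descending risk; a unit is due when its cycles
    since last audit reach its band's frequency. Returns plan, deferred, free days."""
    budget = total_days * (1 - reserve_pct)
    plan, deferred = [], []
    for u in sorted(units, key=lambda u: (not u.mandatory, -risk_score(u))):
        band = rating_band(risk_score(u))
        if not (u.mandatory or u.cycles_since_audit + 1 >= FREQUENCY_YEARS[band]):
            continue                   # not due this year under the multi-year cycle
        if u.est_days <= budget:
            plan.append((u.uid, band, u.est_days))
            budget -= u.est_days
        else:
            deferred.append(u.uid)     # due, but planned capacity is exhausted
    return plan, deferred, total_days - sum(d for _, _, d in plan)

SAMPLE_UNIVERSE = [  # constructed units: uid, inherent, ctrl, change, cycles, concern, days
    AuditableUnit("U1", 5, 3, 4, 0, 4, 30),   # payment switch
    AuditableUnit("U2", 3, 2, 1, 2, 1, 15),   # branch cash handling
    AuditableUnit("U3", 3, 3, 2, 1, 2, 20),   # payroll
    AuditableUnit("U4", 4, 4, 5, 3, 5, 25),   # cloud workloads
    AuditableUnit("U5", 3, 2, 2, 0, 3, 10, mandatory=True),  # PDPL compliance
    AuditableUnit("U6", 2, 2, 1, 1, 1, 15),   # procurement
]
```

With 100 available days and a 15% reserve, the mandatory PDPL audit is funded first, then the two high-rated units and the due medium unit; the due low-rated branch unit is deferred for the committee to see, and procurement is not due under the three-year cycle.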
Step 4 — Engagement scoping
For each engagement, the scoping document should answer five questions:
- What is the engagement objective? What assurance is the audit committee being asked to give?
- What is in scope? Which processes, systems, locations, controls, time period?
- What are the criteria? Which framework, standard or policy is the unit being assessed against?
- What is the risk and control matrix? Which key risks does the unit face and which key controls mitigate them?
- What is the test plan? Which tests will be performed, on what samples, with what evidence?
Scoping should be discussed with management before fieldwork begins and recorded in the working paper file.
Step 5 — Fieldwork
Fieldwork on a risk-based engagement focuses testing effort on the controls that matter most to the rated risks — not on every control in the unit. The auditor's working papers should evidence the test performed, the sample selected, the evidence reviewed, the observation and the conclusion. The IPPF Standard 2330 (Documenting Information) requires sufficient, reliable, relevant and useful information to support engagement results.
Two practical disciplines that consistently improve fieldwork quality in the Kingdom:
- Use a single working paper template across the function. Inconsistent working paper structures make supervision and review harder, and external quality assessors notice.
- Sign off working papers as you complete them. Working papers signed off in batches at the end of the engagement carry less credibility than working papers signed off as the testing was performed.
Step 6 — Findings and reporting
Findings should follow the standard structure: condition, criteria, cause, effect, recommendation. Each finding should be rated against a defined scale (typically high, medium, low) and tagged with the framework references it touches so that management can see the regulatory exposure.
The engagement report should present the assurance opinion, the rated findings, the management response with agreed actions and dates, and the evidence the auditor relied on. Reports should be issued promptly — Saudi audit committees increasingly track report cycle time as a function performance indicator.
Step 7 — Follow-up and closure
A risk-based audit programme is incomplete without disciplined follow-up. Findings are closed when the agreed action is implemented, evidenced and re-tested by the auditor — not when management asserts that the action is complete. Open findings should age explicitly, and any finding aging beyond its target closure date should be on the audit committee's standing agenda.
The number and aging of open findings are themselves a key indicator of programme effectiveness. A function with hundreds of open findings, many aged past target, is signalling either that its findings are being ignored or that its findings are not credible; both are problems the function should address before the next external quality assessment.
Step 8 — QAIP
The IPPF Standard 1300 requires an internal audit function to maintain a Quality Assurance and Improvement Programme. Components include:
- Ongoing internal monitoring of every engagement (typically by the engagement supervisor).
- Periodic self-assessment against the IPPF Standards.
- External quality assessment at least once every five years by a qualified independent reviewer.
A risk-based audit programme makes the QAIP easier because the underlying methodology is documented, the risk assessment is repeatable, and the working papers follow a consistent structure. Functions running on ad-hoc methodologies struggle through external quality assessments.
Common pitfalls
A handful of pitfalls account for most of the problems Saudi internal audit functions encounter when moving to a risk-based model:
- A risk model that scores everything as high risk. Useless for prioritisation.
- A risk model nobody outside the audit function understands. The audit committee cannot defend it on the function's behalf.
- Plans built without explicit unallocated capacity. Special requests then displace planned audits and the plan loses meaning.
- Findings that are tracked but never re-tested. Closed in name only.
- A QAIP that exists on paper but is not actually running. The first external quality assessment finds it.
How GRC Vantage supports risk-based internal audit in Saudi Arabia
GRC Vantage's audit module is built around IIA / IPPF concepts and supports the full risk-based audit lifecycle — universe, risk rating, planning, engagement scoping, working papers, findings, follow-up and QAIP — on the same control library that the compliance and risk modules use. The risk rating model is configurable to your methodology, the audit universe is hierarchical and dimensionally tagged, and the audit committee report is produced from live data. The platform can be deployed inside Saudi Arabia, fully on-premise or air-gapped, and is supported from our Riyadh and Dammam offices.
For the wider regulatory context that Saudi internal audit functions operate within, read our SAMA frameworks guide and NCA frameworks guide. When you are ready to see a unified Saudi internal audit function running on a single platform, book a demo.

The GRC Vantage team brings together compliance, risk, audit and business continuity practitioners based in Riyadh and Dammam. We help Saudi banks, government entities and regulated enterprises navigate the SAMA framework family, the NCA framework family, PDPL, ISO 27001 and ISO 22301.