Having transitioned from a joint stock company to a holding company, there have been changes in corporate governance requirements at Saudi Tadawul Group, best seen in terms of renewed structural alignments, reporting lines and strategic orientation. As a matter of unwavering professional principle, we continued to determinedly follow standards applicable to a listed entity while carrying out all necessary transformations.

Among the key structural changes introduced were internal audit charters for the Group and subsidiary audit committees, each in line with governance requirements. In our renewed Group structure, four new Audit Committees have been formed (one for each subsidiary), with Internal Audit (IA) mandated to cater to the audit needs of all new committees and subsidiaries. Our total operations thus comprise five such committees, and we have updated our activity range accordingly. A minimum of four individual Audit Committee meetings are convened each year according to an annual schedule, with further meetings called when necessary. Audit dashboards are updated and shared accordingly.

Precision in planning

In order to provide an independent assurance that the organization’s risk management, governance and internal control processes are operating effectively, IA performs a structured, annual analysis to identify risks by assessing all new and existing processes, systems and functions across each subsidiary as well as the Group as a whole. This driving practice in our IA function is the Annual Audit Plan (AAP). Existing processes, systems and functions are assessed against their associated risk rating, while new processes, systems and functions are included in the subsequent year’s assessment.

Each subsidiary’s Annual Audit Plan is formulated by taking into consideration the individually expressed strategic direction of each entity, as well as new regulations that were introduced in terms of stronger governance following the formation of our Group.

Proactive and responsive

A new audit area was created for investor relations at Group level, among other similar developments across internal divisional structures, processes and systems. As risk appetite increased with such developments, and processes and controls were changed. All changes remained within our focus, and were stringently audited.

A total 29 audits were completed with many of the major systems, processes and functions of the Group and its subsidiaries successfully audited by the end of the fourth quarter of 2022. This included comprehensive technical audits of the Saudi Exchange trading platform X-Stream as well as its derivatives system following the thorough audit of derivatives operation conducted in 2021. The audit of the Issuer’s disclosure system IFSAH was also successfully completed.

Across the subsidiaries, audits were successfully carried out on both Fixed Income and Structured Products of the Saudi Exchange, the Venture Development function at WAMID, and the Sales and Client Relations function at Muqassa.

With audit findings and their resulting corrective measures leading to upgrades and improvements, all IA ecommendations are implemented by the Group and its subsidiaries. Once implemented, follow-up observations of the implementations are carried out, ensuring its adequacy. These observations are tracked centrally, with quarterly reports issued along the relevant reporting lines on the number of observations that were closed and verified, those still under verification, and observations that were reopened due to inadequacies.

Due to the evolving nature of our audit function alongside the strategic development of the Group and its subsidiaries, IA is directly focused on constantly enhancing Group-wide competencies to meet the technical needs and demands that ensure benchmarked auditing standards. The IA Division works closely with Group Human Resources, paying specific attention to bridging skill gaps according to advancing IA needs through in-house trainings as well as guest lectures by external experts in the auditing sphere.

IA also keeps in close focus the risk and control self-assessment formulated by the Enterprise Risk Management (ERM) team, and works closely with them to provide objective assurance to the Board on the effectiveness of risk management and the ERM framework as a whole.