Service 01 - Assurance & Audit
Internal Audit.
Independent assurance over the controls, processes, and compliance your business depends on - delivered to SOCPA and IIA standards, with recommendations you can actually implement.
What we do
Risk-based assurance,
scaled to your business.
- Full outsourced internal audit End-to-end function delivery - risk assessment, annual plan, execution, reporting to audit committee. For businesses without an internal audit function.
- Co-sourced internal audit Partnering with your existing team on specialist reviews, peak workloads, or subject-matter areas where you need depth you don't want to hire.
-
Process & control reviews
Targeted reviews of specific cycles - procure-to-pay, order-to-cash, payroll, treasury - with documented controls and testable procedures.
-
Compliance & regulatory audit
Reviews against ZATCA, SAMA, GOSI, and sector-specific regulatory requirements — structured to anticipate regulatory findings.
Why it matters
The controls you can't see are the ones that cost you.
Every mature business accumulates control gaps: an approval workflow that no longer matches the org chart, a segregation rule quietly overridden during COVID, a vendor master that nobody's cleaned in four years. Individually, they are small. Collectively, they are how losses happen - through fraud, error, regulatory breach, or simple inefficiency. Internal audit exists to find them before they find you.
Good internal audit is also strategic, not just defensive. It gives the board and senior management a credible, independent view of how the business is actually running - where it's strong, where it's fragile, and where investment in people or systems would pay for itself. Done well, it's one of the most valuable hours your leadership spends each quarter.
Our approach
Four phases.
Aligned with IIA and SOCPA standards.
Risk assess
We build a business-wide risk universe with your leadership team - rating likelihood and impact, mapping to existing controls. The output is a board-ready heatmap that drives the audit plan.
Plan
An annual audit plan prioritised by risk, agreed with the audit committee. Individual engagement scopes, timelines and resourcing.
Execute
Walkthroughs, control testing, substantive procedures, and analytics - all senior-supervised, evidenced, and documented in workpapers that would stand up to external review.
Report & follow-up
Clear, prioritised findings with management action plans - followed up quarter by quarter until closure. No report gets filed and forgotten on our watch.
Deliverables
What you receive.
Annual audit plan
A board-approved calendar of reviews linked to the risk heatmap - covering the right areas at the right frequency.
Individual audit reports
Clear, prioritised findings with root cause, impact, and management action plan - signed off by management.
Audit committee reporting
Quarterly dashboard to the audit committee - plan progress, key findings, open actions, escalations.
Follow-up tracker
Ongoing tracking of management actions to closure - because an open finding is not assurance.
Who this is for
Four profiles we serve best.
Small and Mid-sized companies without IA
Employees without an internal audit function, needing professional-grade external capability.
Boards wanting independent assurance
Audit committees needing a credible, independent view of the control environment - to sit alongside management reports.
SAMA-regulated entities
Banks, insurers, and financial institutions where robust internal audit is a regulatory expectation, not optional.
Pre-IPO companies
Businesses preparing for Tadawul or Nomu listing - internal audit is both a CMA expectation and a genuine readiness test.
Regulatory context
The frameworks we audit against.
IIA International Standards
All engagements are delivered in accordance with the International Standards of the Institute of Internal Auditors (IIA) — independence, due professional care, and quality assurance as the foundation.
SOCPA assurance standards
Saudi-specific auditing and assurance framework - we apply the relevant SOCPA pronouncements across our engagements.
SAMA circulars & CMA rules
For regulated entities: structured reviews aligned with SAMA circulars, CMA corporate governance rules, and sector-specific supervisory expectations.
Related insights
From our desks.
Partner notes on internal audit topics most relevant to Saudi businesses - control frameworks, cyber audits, audit committee practice.
Insights coming soon - a library of technical notes on Saudi internal audit practice is in preparation.
Need an independent view?
Tell us briefly about your business, any specific concerns, and whether you have an existing IA function. A senior partner will respond within one working day.
Request a consultation