
How Saudi Arabia's Financial Oversight Law (Apr 11, 2026) Changes Statutory Audit Obligations, Practical Checklist for Auditors & CFOs

By Global Law Experts
– posted 1 hour ago

Saudi Arabia’s Financial Oversight Law entered into force on 11 April 2026, replacing the previous General Auditing Bureau framework and fundamentally reshaping how statutory audits are planned, executed and reported across the Kingdom. For CFOs, audit partners and audit committees, the immediate challenge is practical: which entities now fall within scope, what new auditor responsibilities apply, and what must change in engagement letters, working-paper policies and report wording before the first affected reporting cycle closes. This guide delivers a step-by-step audit compliance checklist, model report language and an implementation timeline drawn directly from the law, its implementing regulations and Ministerial Decision No. 929/1447: the resources practitioners need to act now rather than react later.

Executive Summary, What Changed and What This Means for Auditors & CFOs

The Financial Oversight Law was published in the Official Gazette and took effect on 11 April 2026, as confirmed by the Saudi Ministry of Finance. Ministerial Decision No. 929/1447 supplements the law with detailed implementing regulations, and the relevant minister is required to issue further operational rules within 120 days of the law’s effective date. Industry observers expect those secondary rules to be finalised no later than August 2026.

At a glance, six changes every auditor and CFO must know:

  1. Broader scope. Public-sector bodies, state-owned enterprises (SOEs), regulated financial institutions and private companies meeting specified size thresholds now face mandatory statutory audit obligations under a single legislative framework.
  2. Expanded internal-control duties. Auditors must test and report on the design and operating effectiveness of internal controls, not merely rely on them for purposes of the financial-statement audit.
  3. Mandatory regulator communication. Auditors are required to escalate material irregularities, suspected fraud and significant control deficiencies directly to the relevant oversight authority, before finalising the audit report.
  4. Working-paper retention. The law introduces a minimum retention period for audit evidence and working papers, aligning Saudi Arabia with international best practice and giving regulators an extended inspection window.
  5. Digital reporting formats. Entities within scope must submit financial statements and related audit documentation in prescribed digital formats, replacing legacy paper-based filing.
  6. Enhanced penalties. Non-compliance, including late filing, obstruction of oversight activities and failure to retain records, now carries explicit financial and administrative sanctions.

Who Is in Scope, Entities, Thresholds & Exemptions Under the Financial Oversight Law Saudi Arabia

The law applies to four broad categories. Understanding which category an organisation falls into determines the audit obligation, the reporting timeline and whether transitional relief is available. The companies in scope under the Financial Oversight Law include every entity that receives, manages or disburses public funds, plus private-sector companies that cross specified size thresholds.

Public-Sector Entities & SOEs

Government ministries, agencies, public-sector funds and state-owned enterprises are the law’s primary targets. These entities must now undergo external audit oversight interaction under the new framework, submit reports in digital formats and disclose remedial plans for any internal-control deficiencies identified during the audit. For SOEs, the requirement extends to expanded internal-control testing and mandatory disclosure of management’s remediation timeline to the regulator.

Financial Institutions (SAMA-Regulated)

Banks, insurance companies, finance companies and other entities regulated by the Saudi Central Bank (SAMA) fall within the law’s scope but are also subject to SAMA’s own implementing rules. The likely practical effect will be dual compliance: auditors serving these institutions must satisfy both the Financial Oversight Law’s reporting obligations and any additional SAMA notices published under the SAMA rulebook. Practitioners should monitor SAMA’s Laws and Implementing Regulations portal for supplementary guidance.

Private Companies, Size Thresholds

Private companies that exceed prescribed revenue, total-asset or employee-count thresholds may now require a statutory audit for the first time. The specific threshold figures are set out in the implementing regulations and Ministerial Decision No. 929/1447. CFOs of mid-market companies should confirm whether their entity crosses these thresholds based on the most recent approved financial statements.

Reporting Obligations by Entity Type

| Entity Type | Audit Obligation Change (2026 Law) | Key Deadlines / Timing |
|---|---|---|
| Public-sector entity / Ministry | Stricter oversight, mandatory external audit oversight interaction, digital reporting formats | Compliance effective 11 Apr 2026; implementing regulation deadlines per Ministerial Decision (120 days for detailed regs) |
| State-owned enterprise (SOE) | Expanded internal-control testing and mandatory disclosure of remedial plans to regulator | Audits covering FY 2026 must reflect new requirements; transitional relief subject to implementing regulation |
| Regulated financial institution | SAMA coordination, additional reporting and format harmonisation | Follow SAMA rulebook and any SAMA implementing notices (timing per SAMA notices) |
| Private companies (above thresholds) | New statutory audit triggers based on size, turnover and assets, may require audit where previously not required | Threshold application immediately on next reporting cycle after 11 Apr 2026 (confirm with implementing regs) |

Auditors’ Responsibilities Under the Financial Oversight Law, What Has Expanded?

The audit obligations under the Financial Oversight Law represent a significant expansion of auditors’ responsibilities in Saudi Arabia. Where the previous framework focused primarily on the financial-statement opinion, the 2026 law introduces duties that run from engagement planning through to post-report regulator interaction.

Internal Control Testing & Documentation

Auditors must now evaluate the design and operating effectiveness of internal controls as a stand-alone obligation, separate from the controls-reliance approach used in a traditional financial-statement audit. This means:

  • Walkthrough documentation. Every significant process must be walked through and documented, with evidence of testing retained in the audit file.
  • Deficiency classification. Control deficiencies must be classified as either significant deficiencies or material weaknesses, using criteria aligned with the implementing regulations.
  • Remediation tracking. The auditor must document management’s proposed remediation timeline and, where remediation is not completed before report date, include appropriate disclosure in the management letter and (where required) in the auditor’s report itself.

Evidence Retention, Minimum Duration & Format

The law establishes a minimum retention period for audit working papers, files and supporting evidence. Early indications suggest the prescribed period is seven years from the date the auditor’s report is signed, consistent with international benchmarks and aligned with the retention requirements referenced in the implementing regulations. Audit firms should update their document-retention policies immediately to reflect this requirement, including provisions for secure digital storage and access controls that allow the regulator to inspect files upon request.

Communication & Reporting Obligations to the Regulator

One of the most consequential changes for auditors’ responsibilities in Saudi Arabia is the mandatory escalation obligation. Under the law, an auditor who identifies suspected fraud, material misstatement or a material weakness in internal controls must notify the relevant oversight authority directly. This notification must occur before the audit report is finalised, giving the regulator time to request additional procedures or information. The implementing regulations set out the prescribed format and timeline for such communications, and Ministerial Decision No. 929/1447 provides additional procedural detail.

Audit firms should establish an internal escalation protocol that includes:

  • A designated senior partner responsible for regulator communications on every engagement within scope.
  • Pre-drafted notification templates aligned with the prescribed format in the implementing regulations.
  • A decision log documenting the firm’s assessment of whether each identified issue meets the threshold for mandatory notification.

Practical Audit Compliance Checklist Saudi Arabia & Immediate Decisions for CFOs and Audit Partners

The following timeline-based checklist translates the audit obligations under the Financial Oversight Law into concrete action items, organised by urgency. Each item identifies whether the primary responsibility sits with the CFO or the audit partner (or both) and includes a recommended completion deadline.

Priority Actions: 0–30 Days

  • Scope determination. Confirm whether the entity falls within scope of the law based on entity type and size thresholds (CFO and audit partner, immediate).
  • Engagement-letter update. Draft and issue an updated engagement letter reflecting expanded audit scope, internal-control testing obligations, regulator-notification duties and revised fee estimates (audit partner, within 14 days).
  • Internal-control gap assessment. Commission a preliminary internal-control gap assessment to identify areas where testing will be required for the first time (CFO, within 21 days).
  • Retention-policy review. Review and update document-retention policies for both the entity’s financial records and the auditor’s working papers to meet the minimum retention period (CFO and audit partner, within 30 days).
  • Team briefing. Conduct a mandatory briefing for all engagement team members on the new law’s requirements, including escalation protocols and regulator-communication procedures (audit partner, within 14 days).

Consolidation Actions: 31–90 Days

  • Digital-format readiness. Assess the entity’s ability to produce financial statements and audit documentation in the prescribed digital format; engage IT resources where gaps exist (CFO, within 60 days).
  • Auditor independence confirmation. Re-evaluate auditor independence under the expanded scope, particularly where the audit firm also provides advisory services to the entity (audit partner, within 45 days).
  • Control-remediation plan. For any significant deficiencies identified in the gap assessment, develop a written remediation plan with milestones and assigned accountability (CFO, within 75 days).
  • Regulator-notification templates. Finalise internal templates for mandatory regulator notifications, aligned with the formats prescribed in Ministerial Decision No. 929/1447 (audit partner, within 60 days).
  • Audit-committee briefing. Present a summary of the law’s impact, the revised audit plan and the compliance timeline to the audit committee or board (CFO and audit partner, within 90 days).

Full Implementation: 3–6 Months

  • First-cycle dry run. Perform a mock internal-control test on one or two significant processes to calibrate staffing, documentation standards and timeline estimates before the first mandated reporting cycle (audit partner, month 4).
  • Report-wording finalisation. Prepare draft auditor-report paragraphs (unmodified and modified variants) incorporating the new reporting duties and share with the engagement quality reviewer (audit partner, month 4).
  • Management-letter template. Develop a standardised management-letter template that addresses the law’s specific requirements for control-deficiency reporting, remediation timelines and follow-up (audit partner, month 5).
  • Implementing-regulation monitoring. Assign a compliance officer or partner to monitor the Ministry of Finance and SAMA portals for any additional implementing regulations or circulars issued within the 120-day window (CFO and audit partner, ongoing).
  • Training programme. Roll out a formal CPD training module on the Financial Oversight Law for all audit staff and relevant client-side finance personnel (audit partner and CFO, month 6).

Immediate Decisions, Recommended Action Matrix

| Decision | Who (CFO / Audit Partner) | Action & Deadline |
|---|---|---|
| Does the entity fall within the law’s scope? | Both | Confirm entity type and threshold status, immediate |
| Does the current engagement letter cover the expanded audit scope? | Audit Partner | Issue amended engagement letter, within 14 days |
| Are working-paper retention policies compliant? | Both | Update retention policy to minimum prescribed period, within 30 days |
| Is the entity ready for digital-format filing? | CFO | Conduct IT readiness assessment, within 60 days |
| Has the auditor confirmed independence under the expanded scope? | Audit Partner | Complete independence evaluation, within 45 days |
| Has the audit committee been briefed? | CFO | Schedule and deliver board-level briefing, within 90 days |

Model Auditor Report & Management-Letter Language for Statutory Audits in Saudi Arabia

One of the most requested practical resources under the 2026 changes is model wording for the auditor’s report and management letter that reflects the auditor report requirements Saudi Arabia now mandates. The paragraphs below are illustrative templates; firms should adapt them to each engagement’s specific facts and consult the implementing regulations for any prescribed language.

Model Unmodified Report Paragraph

Suggested auditor-report wording (template):

“In accordance with the Financial Oversight Law (Royal Decree [number], effective 11 April 2026) and its implementing regulations, we have audited the accompanying financial statements of [Entity Name] for the year ended [date]. Our audit included an evaluation of the design and operating effectiveness of the entity’s internal controls over financial reporting. We conducted our audit in accordance with International Standards on Auditing as endorsed in the Kingdom of Saudi Arabia and the additional requirements of the Financial Oversight Law. We have fulfilled our obligation to communicate directly with the [relevant oversight authority] regarding matters required under Article [X] of the Law and Ministerial Decision No. 929/1447.”

Modified / Qualified Wording (Examples)

Suggested wording for a material weakness in internal controls:

“During our audit, we identified a material weakness in the entity’s internal controls over [describe process, e.g., procurement authorisation]. This matter has been communicated to the [relevant oversight authority] in accordance with Article [X] of the Financial Oversight Law. Management has developed a remediation plan with a target completion date of [date]. Until remediation is complete, there is a risk that [describe potential impact on financial reporting].”

Suggested wording for scope limitation arising from incomplete records:

“We were unable to obtain sufficient appropriate audit evidence regarding [describe area] due to the unavailability of records required to be retained under the Financial Oversight Law. As a result, we were unable to determine whether adjustments might have been necessary to the financial statements in respect of [describe financial-statement line item or disclosure].”

Management-Letter Template, Key Points

The management letter issued under the new framework should cover, at a minimum:

  • Control deficiencies identified. Each deficiency classified as significant deficiency or material weakness, with a clear description of the condition, criteria, cause and effect.
  • Regulator-notification status. Confirmation of which deficiencies were communicated to the relevant oversight authority and the date of communication.
  • Management’s remediation response. The specific actions management has committed to, assigned responsibility and target completion dates.
  • Follow-up on prior-period findings. Status update on deficiencies reported in the prior year’s management letter, noting whether remediation has been completed, is in progress or has not commenced.
  • Digital-format compliance. Any findings related to the entity’s readiness to file in the prescribed digital format.

Report-Paragraph Variants, Quick Reference

| Situation | Suggested Wording Approach | When to Use |
|---|---|---|
| No material weaknesses; full compliance | Unmodified opinion with Financial Oversight Law compliance paragraph | Standard engagement with no exceptions |
| Material weakness identified; regulator notified | Emphasis-of-matter or qualified opinion paragraph referencing the weakness and regulator communication | When internal controls contain a material weakness that could affect financial reporting |
| Scope limitation due to missing records | Qualified opinion or disclaimer of opinion, citing the retention requirements under the law | When the entity has not retained records for the required period |
| Suspected fraud escalated to regulator | Other-matter paragraph disclosing that a mandatory notification has been made | When the auditor has notified the oversight authority of suspected fraud |

Implementing Regulations & Ministerial Decisions, Required Reading for the Financial Oversight Law Saudi Arabia

The law itself provides the legislative framework, but the operational detail sits in the implementing regulations and ministerial decisions. For auditors and CFOs, the priority is to identify which specific articles and decisions affect their immediate obligations.

Key Articles to Review

| Article / Decision | Practical Implication | Recommended Action |
|---|---|---|
| Article 13, Scope of oversight | Defines which entities fall under the law’s jurisdiction and establishes the criteria for mandatory external audit | Map your entity against Article 13 criteria; document the analysis in the audit file |
| Article 27, Implementing regulations timeline | Requires the minister to issue detailed implementing regulations within 120 days of the law’s effective date | Monitor the Ministry of Finance portal; calendar the 120-day deadline (approximately August 2026) |
| Article 34, Penalties and enforcement | Sets out the sanctions for non-compliance, including financial penalties, suspension of audit licences and referral for criminal investigation in cases of fraud | Brief all engagement team members on Article 34 sanctions; update risk-assessment templates |
| Ministerial Decision No. 929/1447 | Provides detailed rules on auditor reporting formats, notification timelines and evidence-retention requirements | Obtain the full text from the Lexis Middle East portal; integrate requirements into audit methodology manuals |

Practitioners working with financial institutions should also consult the SAMA rulebook for any additional notices or circulars that supplement the law’s requirements for regulated entities.

Enforcement, Penalties and Regulator Interaction, What to Expect

The enforcement architecture under the Financial Oversight Law gives regulators meaningful powers. Article 34 establishes a graduated penalty framework that ranges from financial sanctions for late or non-compliant filing through to suspension of auditor licences and criminal referral in cases involving fraud or deliberate obstruction.

Handling Regulator Requests

When the oversight authority requests access to audit files or additional information, the auditor must respond within the timeframe specified in the request. Industry observers expect the regulator to adopt a risk-based inspection model, prioritising high-profile SOEs and regulated financial institutions in the first cycle. Firms should designate a single point of contact for regulator correspondence and maintain a log of all requests and responses.

Record-Keeping and Audit-Trail Tips

  • Centralise the audit trail. Use a single, access-controlled digital repository for all working papers, communications and regulator notifications.
  • Time-stamp everything. Ensure every document is time-stamped at creation, modification and review to support the integrity of the audit trail.
  • Retain beyond the minimum. While the law prescribes a minimum retention period, practitioners may wish to retain files for longer where the entity is subject to ongoing disputes or regulatory investigations.
  • Test retrieval. Periodically test the firm’s ability to retrieve and produce archived files to simulate a regulator inspection.

Case Examples & Common Pitfalls, Practical Scenarios

The following scenarios illustrate typical compliance failures and the correct responses under the 2026 framework.

Scenario 1, SOE with incomplete internal-control documentation. A state-owned enterprise’s finance team has not documented key procurement controls. The auditor identifies the gap during fieldwork but proceeds to issue the report without notifying the regulator, reasoning that the missing documentation does not affect the financial-statement opinion. The risk: failure to classify and report a significant control deficiency violates the mandatory escalation obligation. Do this instead: classify the deficiency, notify the oversight authority in the prescribed format, include the finding in the management letter and, if material, reference it in the auditor’s report.

Scenario 2, Auditor report omission on regulator-notification language. An audit partner issues a clean report for a regulated financial institution but omits the paragraph confirming compliance with regulator-notification obligations under the Financial Oversight Law. The risk: the report does not comply with the prescribed format, exposing the firm to sanctions and the entity to filing rejection. Do this instead: include the Financial Oversight Law compliance paragraph in every audit report for in-scope entities, whether or not issues were identified during the engagement.

Scenario 3, Late digital filing by a private company above thresholds. A private company that newly falls within scope submits its audited financial statements in the traditional PDF format, missing the prescribed digital-format requirement. The filing is technically on time but in the wrong format. The risk: the regulator may treat the filing as non-compliant, triggering penalties. Do this instead: confirm the required filing format with the Ministry of Finance well before the deadline, conduct a test submission and maintain evidence of successful upload.

Conclusion, Act Now on the Financial Oversight Law Saudi Arabia

Saudi Arabia’s Financial Oversight Law is not a future-dated reform; it is in force today, and the implementing regulations are expected to follow within months. For CFOs, the immediate priorities are scope confirmation, internal-control gap assessment and digital-filing readiness. For audit partners, the law demands updated engagement letters, new escalation protocols, revised report wording and extended working-paper retention. The practical audit compliance checklist and model wording provided in this guide give practitioners a structured starting point, but each entity’s circumstances will require tailored analysis. Firms and companies that move quickly to embed these requirements into their audit methodology and governance processes will be best positioned to meet the first reporting cycle with confidence.

Those seeking additional guidance or tailored advisory support can explore the Global Law Experts lawyer directory or contact the advisory team directly.

Need Legal Advice?

This article was produced by Global Law Experts. For specialist advice on this topic, contact Mustafa Aldrees at Aldrees for Profesional Consultancy, a member of the Global Law Experts network.

Sources

  1. Saudi Ministry of Finance, Financial Oversight Law Announcement
  2. Financial Oversight Law, Official Text (Qanoniah)
  3. Latham & Watkins, Saudi Arabia Adopts Financial Oversight Law (PDF)
  4. Ministerial Decision No. 929/1447, Lexis Middle East
  5. SAMA Rulebook, Laws and Implementing Regulations
  6. Argaam, Financial Oversight Law Coverage
  7. Middle East Briefing, Saudi Arabia Adopts Financial Oversight Law

FAQs

Q1: What are the main audit requirements under the Financial Oversight Law?
The law introduces mandatory external audit oversight for public-sector entities, SOEs, regulated financial institutions and qualifying private companies. Auditors must test internal controls, retain working papers for the prescribed minimum period, communicate material issues directly to the relevant oversight authority before finalising the report and file audit documentation in prescribed digital formats.
Public-sector bodies and SOEs are in scope immediately from 11 April 2026. Regulated financial institutions must comply in coordination with SAMA’s implementing notices. Private companies that exceed the revenue, total-asset or employee-count thresholds set out in Ministerial Decision No. 929/1447 become subject to mandatory statutory audit on their next reporting cycle after the law’s effective date. Detailed thresholds are available in the implementing regulations.
Auditors now have an explicit duty to evaluate and report on internal controls, notify the regulator of material weaknesses and suspected fraud before signing the audit report, and include a compliance paragraph in the auditor’s report confirming fulfilment of Financial Oversight Law obligations. Model report wording is provided in the templates section of this guide.
The implementing regulations prescribe a minimum retention period for audit working papers and supporting evidence from the date the auditor’s report is signed. Early indications from the Ministry of Finance framework and related regulatory guidance align this period with international practice at seven years. Firms should confirm the exact period against the final text of the implementing regulations once issued.
The Financial Oversight Law text is available on the Ministry of Finance portal. Ministerial Decision No. 929/1447 is published on Lexis Middle East. Financial-institution-specific implementing rules are available through the SAMA rulebook. Links to each source are provided in the Sources section of this article.
Yes. The law requires auditors to communicate material weaknesses, significant control deficiencies and suspected fraud to the relevant oversight authority before the audit report is finalised. The notification must follow the prescribed format set out in the implementing regulations and Ministerial Decision No. 929/1447. Audit firms should prepare notification templates in advance and maintain a decision log documenting the assessment of each identified issue.
Yes. This guide includes model wording for unmodified and modified auditor-report paragraphs, as well as a management-letter template covering control deficiencies, regulator-notification status, remediation responses and prior-period follow-up. The templates are designed to be adapted to each engagement’s specific facts and should be reviewed against the final implementing regulations once issued.
