Saudi Arabia, Financial Oversight Law (2026): What Auditors and Cfos Must Do Now (audit Checklist and Compliance Timelines)

The Financial Oversight Law audit Saudi Arabia framework entered into force on April 11, 2026, replacing the previous General Auditing Bureau statute and reshaping how public-sector entities, state-owned enterprises and regulated firms manage financial reporting, statutory audit obligations and internal controls. For CFOs and audit partners operating in the Kingdom, the immediate priority is an audit readiness checklist that maps every new obligation to a concrete action and deadline. This guide delivers exactly that, a structured, regulator-cited compliance playbook covering entity-specific timelines, documentation requirements and penalty exposure, so finance teams can move from awareness to implementation without delay.

Executive Summary: Immediate Actions for Auditors and CFOs

The window between the law’s effective date and the first reporting cycle is narrow. Finance leaders and statutory auditors should treat the following five steps as non-negotiable this week:

1. Preserve and freeze financial evidence. Lock down general-ledger extracts, bank reconciliations, procurement files and treasury records as at the most recent month-end. The Financial Oversight Law expands the scope of documents subject to regulatory inspection, and retroactive evidence gaps will be difficult to close.
2. Convene a governance meeting. Brief the audit committee (or equivalent oversight body) on the law’s scope and the entity-specific obligations it introduces. Minute the discussion and record assigned action owners, regulators will expect evidence that governance bodies were informed promptly.
3. Verify the entity’s registration and classification. Confirm whether the organisation falls within the law’s mandatory coverage, public ministries, government agencies, SOEs and entities receiving public funds all carry distinct obligations. Classification determines which implementing regulations and reporting deadlines apply.
4. Update auditor engagement letters. Statutory auditors should issue supplementary engagement-letter clauses referencing the Financial Oversight Law, specifying the expanded scope of the audit, additional reporting deliverables and the auditor’s obligations under the new regime.
5. Build a compliance calendar. Map every implementing-regulation deadline, quarterly reporting window and annual audit submission date into a single, shared calendar. Assign reminders at 60, 30 and 7 days before each milestone.

These steps form the foundation for everything that follows. The remainder of this guide expands each obligation, provides entity-specific timelines and supplies a detailed audit readiness checklist that CFOs can operationalise immediately.

Law Snapshot: What the Financial Oversight Law Is and Key Dates

Effective Date and Implementing Regulations

The Financial Oversight Law (also referred to in official translations as the Financial Control Law) was published by Royal Decree and took effect on April 11, 2026, as confirmed by the Ministry of Finance media release. The law replaces the former General Auditing Bureau Law and restructures the Kingdom’s framework for financial oversight of public funds and government-linked entities. According to legal analysis published by Latham & Watkins, the competent authority is required to issue implementing regulations within 180 days of the law’s effective date, placing the deadline for detailed executive regulations at approximately October 8, 2026.

Until those implementing regulations are finalised, entities are expected to comply with the law’s substantive provisions directly and to treat existing Ministry of Finance circulars as interim guidance.

Scope, Which Entities Are Covered

The Financial Oversight Law applies broadly across the public and quasi-public sectors. Industry observers expect the practical effect to extend the statutory audit obligations to a wider set of entities than the previous regime covered. Based on the law text, the following entities fall within its mandatory scope:

• Government ministries and agencies, all entities funded wholly or partially from the state budget.
• State-owned enterprises (SOEs), including entities in which the government holds a controlling interest or exercises significant influence.
• Entities receiving public funds, organisations that receive grants, subsidies or direct financial support from the government treasury.
• Regulated financial institutions, banks, insurance companies and other entities supervised by the Saudi Central Bank (SAMA), to the extent that public-fund usage or government capital is involved.

Key Audit Obligations Introduced by the Financial Oversight Law in Saudi Arabia

The Financial Oversight Law introduces a materially expanded set of statutory audit obligations that go beyond the previous regime’s focus on retrospective financial reporting. The law’s provisions, drawn from the official text, establish obligations in six core areas that auditors and CFOs must address systematically.

Auditor Reporting Requirements

Statutory auditors engaged by covered entities are now required to deliver reporting outputs that extend well beyond the traditional audit opinion on financial statements. The new requirements include:

• Enhanced audit reports. Audit opinions must address the entity’s compliance with financial oversight regulations, not merely adherence to Saudi accounting standards 2026 or IFRS. The auditor’s report should explicitly reference the Financial Oversight Law and state whether the entity’s financial controls and reporting processes meet its requirements.
• Internal control attestation. Auditors must evaluate and report on the design and operating effectiveness of internal controls over financial reporting. This mirrors international best practice but is now a statutory obligation rather than a voluntary exercise for many entities covered by the law.
• Digital reporting compliance. Where implementing regulations require electronic or digital submission of financial data, the auditor must verify that the entity’s digital reporting systems produce accurate and complete outputs. Early indications suggest that the Ministry of Finance will mandate standardised digital formats for certain public-entity reports.
• Independence declarations. The law reinforces auditor independence requirements. Statutory auditors must provide written independence declarations at engagement commencement and at the date of the audit opinion, confirming no conflicts of interest with the audited entity or its officials.

Documentation and Evidence, What Auditors Must Collect and Retain

The Financial Oversight Law significantly raises the bar for audit evidence and documentation. Auditors and the finance teams supporting them should ensure the following items are assembled, current and accessible:

• Signed bank reconciliations, for every active account, reconciled to the general ledger as at each reporting period end.
• Procurement and contract files, complete documentation for all material procurement transactions, including tender records, evaluation memoranda and signed contracts.
• Budget-to-actual variance analyses, entities must maintain and auditors must test reconciliations between approved budgets and actual expenditures, with documented explanations for material variances.
• Personnel and payroll records, evidence supporting headcount, salary scales, end-of-service benefits and any discretionary payments or allowances.
• IT system access logs, where financial data is processed electronically, entities must retain access logs, change-management records and system administrator activity trails for the period under audit.
• Governance and committee minutes, minutes of audit committee meetings, board resolutions on financial matters and any regulatory correspondence.
• Revenue and receivable confirmations, third-party confirmations for material revenue streams and receivable balances, particularly where government grants or inter-entity transfers are involved.
• Fixed-asset verification schedules, physical verification records for significant asset categories, cross-referenced to the fixed-asset register.

Auditors should communicate these evidence requirements to CFOs at the earliest opportunity, ideally through a formal audit planning letter, so that finance teams can begin assembling documentation well before fieldwork commences.

Audit Readiness Checklist for CFOs

This audit readiness checklist is designed for CFOs and finance directors at entities covered by the Financial Oversight Law. It divides compliance tasks into three phases: Now (0–30 days), Near (30–90 days) and Audit Season (next 6 months). Each item is mapped to a specific obligation under the new regime.

Phase 1, Now (0–30 Days)

• Systems and access review. Confirm that all financial systems (ERP, treasury management, procurement platforms) are producing complete audit trails. Verify that user-access controls are current and that dormant accounts have been deactivated.
• Bank and treasury evidence. Obtain bank confirmation letters for all active accounts. Ensure month-end bank reconciliations are signed off by authorised personnel and filed centrally.
• Governance documentation. Compile audit committee charters, recent meeting minutes and any board resolutions related to financial oversight. If the entity lacks a formal audit committee, escalate this gap to the board immediately, the Financial Oversight Law expects governance structures to be in place.
• Engagement letter update. Coordinate with the statutory auditor to issue an amended or supplementary engagement letter reflecting the expanded scope under the new law.

Phase 2, Near (30–90 Days)

• Procurement file standardisation. Conduct a sample review of procurement files for the current fiscal year. Ensure each file contains the complete chain: requisition, tender documentation, evaluation report, purchase order, goods-receipt note and invoice. Flag incomplete files for remediation.
• VAT and Zakat reconciliations. Reconcile VAT returns filed with ZATCA to the general ledger. Prepare Zakat-base computation working papers and cross-reference these to the audited financial statements. ZATCA compliance is increasingly inspected during statutory audits, and discrepancies between filed returns and book records will attract scrutiny.
• Contract file audit. Review all material contracts (above a threshold set by management) for completeness, signed copies, amendment records, performance guarantees and correspondence. Store digital copies in a centralised, access-controlled repository.
• IT log retention. Confirm with the IT department that system access logs, change-management logs and data-backup records are being retained for the period required by the law and any applicable implementing regulations.

Phase 3, Audit Season (Next 6 Months)

• Personnel and payroll evidence. Prepare a headcount reconciliation between HR records and the payroll system. Verify that end-of-service benefit provisions are calculated in accordance with Saudi labour law and are supported by actuarial or arithmetical working papers.
• Fixed-asset verification. Schedule a physical verification of significant fixed assets and reconcile results to the asset register. Tag and photograph high-value items for the audit file.
• Digital reporting dry run. If the Ministry of Finance has issued digital reporting templates or specifications by this stage, conduct a dry run to ensure the entity’s systems can produce compliant outputs. Identify and resolve data-mapping issues before the submission deadline.
• Auditor access arrangements. Confirm physical and system access for the audit team. Designate a finance-team liaison and establish a secure document-sharing protocol.

CFOs who complete this checklist systematically will enter Audit Season 2026 with substantially reduced risk of adverse findings, qualification or regulatory sanction.

ZATCA, VAT and Tax Intersection with Financial Oversight Law Audits in Saudi Arabia

The Zakat, Tax and Customs Authority (ZATCA) has intensified enforcement activity throughout 2026, and the practical effect for statutory auditors is a broader audit scope. Under the Financial Oversight Law, the integrity of an entity’s financial reporting cannot be assessed in isolation from its tax compliance posture. Auditors are increasingly expected to test the accuracy and completeness of VAT filings, Zakat declarations and withholding-tax obligations as part of the statutory audit, not as a separate, optional engagement.

For entities subject to both the Financial Oversight Law and ZATCA’s enforcement regime, the following intersections are critical:

• VAT return-to-ledger reconciliation. Auditors should obtain and test a reconciliation between periodic VAT returns filed with ZATCA and the underlying general-ledger entries. Discrepancies, particularly in input-tax deduction claims, are a frequent area of ZATCA challenge and will raise questions during financial oversight reviews.
• Zakat base computation. For entities subject to Zakat, the computation of the Zakat base must be reconciled to the audited balance sheet. Adjustments for non-deductible items, inter-company balances and foreign-branch treatment should be documented and supported by working papers available for both the statutory auditor and ZATCA inspectors.
• Withholding-tax compliance. Payments to non-resident service providers, royalty arrangements and technical-service fees all carry withholding-tax obligations. Auditors should verify that the correct rates have been applied and that withholding-tax certificates have been issued and filed.

Example Documentation List for Tax and Zakat Proof

• Copies of all VAT returns filed during the audit period, with ZATCA submission receipts
• Zakat declaration and supporting schedules, reconciled to audited financials
• Withholding-tax payment receipts and certificates issued to payees
• Transfer-pricing documentation (where applicable) supporting related-party transactions
• Correspondence with ZATCA, including any assessment notices, queries or penalty notifications

Sector-Specific Guidance: SAMA, Banks, SOEs and Listed Entities

Banks and Financial Institutions, Internal Audit SAMA Guidance

Entities regulated by the Saudi Central Bank (SAMA) face layered obligations. In addition to the Financial Oversight Law’s requirements, SAMA’s rulebook mandates quarterly submission of audited or assurance-reviewed financial packs, internal audit reports and risk-management attestations. According to the SAMA rulebook, regulated institutions must submit quarterly reports within 20 working days of each quarter end. Statutory auditors engaged by SAMA-regulated entities should plan interim audit procedures on a quarterly cycle, not merely at year-end, to accommodate these deadlines. The internal audit SAMA guidance further requires that banks maintain independent internal audit functions with direct reporting lines to the audit committee, a requirement that the Financial Oversight Law now reinforces at a statutory level for public-sector entities as well.

SOEs and Public Entities

State-owned enterprises and public bodies are subject to the highest level of scrutiny under the new law. Industry observers expect the implementing regulations to mandate standardised digital financial reporting formats for SOEs, with submission through a central Ministry of Finance portal. Enhanced internal-control attestations, signed by both the CFO and the head of internal audit, are anticipated as a mandatory filing alongside audited financial statements.

Timelines, Penalties and Enforcement Risk Under the Financial Oversight Law

The Financial Oversight Law establishes a penalty framework that applies to both entities and individuals (including officers and auditors) who fail to meet their obligations. While the detailed penalty schedules will be specified in the implementing regulations expected by October 2026, the law itself provides the statutory basis for sanctions. Based on the law text and legal analysis, the following penalty categories apply:

The practical message for audit timelines in Saudi Arabia is clear: entities cannot afford to wait for the implementing regulations before taking action. The substantive obligations are in force now, and regulators have the authority to enforce them. Early compliance significantly reduces penalty exposure and demonstrates good faith in the event of any regulatory inquiry.

Auditor Technical Considerations: Audit Procedures and Sampling Under the New Law

The Financial Oversight Law’s emphasis on comprehensive financial controls and digital reporting creates specific technical implications for audit procedures. Statutory auditors should consider the following adjustments to their audit methodology for engagements falling under the new regime:

• Risk assessment refresh. Audit plans developed before April 11, 2026 should be revisited to incorporate the new legal and regulatory risks. The risk of material misstatement due to non-compliance with the Financial Oversight Law is now a standalone risk factor that must be assessed and documented.
• Sampling methodology. Given the expanded documentation requirements, auditors may need to increase sample sizes for procurement testing, payroll verification and revenue confirmation procedures. Stratified sampling that prioritises high-value and high-risk transactions is recommended.
• Digital evidence verification. Where entities submit financial data electronically, auditors should perform independent verification of the data extraction and transformation processes. This includes testing automated controls, reviewing system-generated exception reports and confirming that digital outputs reconcile to the underlying accounting records.
• Evidence retention periods. Auditors should retain working papers and supporting evidence for a minimum of seven years from the date of the audit report, subject to any longer retention period specified in the implementing regulations or the terms of the audit engagement.
• Audit opinion wording. Where the audit scope has been expanded to cover Financial Oversight Law compliance, the auditor’s report should include a separate section or paragraph addressing the entity’s adherence to the law’s requirements. Industry observers expect the Saudi Organisation for Chartered and Professional Accountants (SOCPA) to issue guidance on recommended report wording in due course.

Template Items and Appendices

To support immediate implementation of the obligations described in this guide, the following template items have been prepared as companion resources:

• Appendix A, One-Page Audit Readiness Checklist (PDF). A printable summary of all Phase 1, Phase 2 and Phase 3 checklist items from this guide, formatted for distribution to finance-team members and audit committee participants. This audit readiness checklist condenses the full compliance programme into a single-page action document.
• Appendix B, Audit Evidence Index Template. A structured Excel workbook listing every evidence category required under the Financial Oversight Law, with columns for: document description, responsible preparer, due date, completion status and auditor sign-off. Designed to serve as the master tracking file throughout the audit cycle.
• Appendix C, Engagement Letter Amendment Template. A model supplementary clause for statutory audit engagement letters, referencing the Financial Oversight Law, specifying the expanded audit scope and documenting the auditor’s additional reporting obligations. This template should be adapted to each engagement’s specific circumstances and reviewed by legal counsel before issuance.

These resources are designed to be used alongside the detailed guidance in this article. Entities seeking customised templates tailored to their specific classification and regulatory obligations can request these through the GLE Lawyer Directory.

Next Steps

The Financial Oversight Law audit Saudi Arabia framework is not a future obligation, it is in force now, and the implementing regulations will only add procedural detail to requirements that already carry legal weight. CFOs and audit partners who delay action risk entering Audit Season 2026 with incomplete evidence, unresolved governance gaps and avoidable penalty exposure.

The practical path forward is to treat the three-phase audit readiness checklist in this guide as a minimum programme of work, assign clear ownership for each action item and set calendar deadlines that allow time for remediation before the statutory auditor commences fieldwork. For entities with complex structures, cross-border operations or SAMA-regulated subsidiaries, a scoped audit readiness review conducted by a specialist adviser will identify gaps that internal teams may not surface on their own.

Qualified professionals with deep expertise in Saudi Arabia’s financial oversight, Zakat, VAT and statutory audit requirements are available through the GLE Lawyer Directory. Begin your compliance programme today, the regulatory clock is already running.

Sources

1. Ministry of Finance (KSA), Media release on entry into force
2. Financial Oversight Law / Financial Control Law text (official translation via Qanoniah)
3. Latham & Watkins, legal analysis
4. Argaam, business reporting on enforcement
5. SAMA Rulebook / Finance sector circulars
6. ZATCA (Zakat, Tax and Customs Authority), official guidance
7. Grant Thornton Saudi Arabia, IFRS and accounting updates
8. Tamimi & Company, legal briefing
9. AHYSP, local law firm overview