International Journal of Research and Innovation in Social Science


Integrating Enterprise Risk Management and Risk-Oriented Internal Audit in Saudi Arabia: An Institutional perspective

Ezzat, Amr

Almohandseen, Giza, Egypt

DOI: https://dx.doi.org/10.47772/IJRISS.2025.914MG00138

Received: 03 August 2025; Accepted: 09 August 2025; Published: 08 September 2025

ABSTRACT

Effective governance systems have grown more and more important as Saudi Arabia moves toward Vision 2030, which calls for a knowledge-based, diversified economy. The integration of risk-oriented internal auditing (RIA) and enterprise risk management (ERM) in Saudi enterprises is examined in this study, with an emphasis on how these approaches might improve resilience, accountability, and strategic alignment. Internal audit functions are still underrepresented in strategic risk assessment, despite the growth in ERM adoption, according to this study, which uses a mixed-methods approach that includes expert interviews, document analysis, and a quantitative survey across multiple industries. The study identifies significant gaps in skill development, technology integration, and regulatory uniformity. The study suggests a hybrid strategy in which RIA actively participates in the ERM lifecycle to promote strategic insight in addition to ensuring compliance. This research advances the practical development of governance structures in emerging economies as well as the theoretical foundation of integrated assurance.

Keywords: enterprise risk management, risk-oriented internal audit, Saudi Arabia, governance, Vision 2030

JEL Codes: G32, M42, O53

INTRODUCTION

Strong institutional frameworks that can handle volatility, regulatory changes, and sectoral diversification are essential to Saudi Arabia’s economic transition under Vision 2030. Internal auditing procedures and enterprise risk management (ERM) are becoming more widely acknowledged as complementing foundations of good governance (Frigo & Anderson, 2011). Risk-oriented internal audit (RIA) allows for bottom-up feedback on compliance, performance, and developing risks, whereas ERM provides a top-down, strategic view of risks (IIA, 2020). However, the confluence of these two systems is still in its infancy in the Saudi environment. This research aims to assess the level of ERM-RIA integration in Saudi institutions, pinpoint regulatory and organizational obstacles, and suggest a framework that supports risk-informed decision-making.

Growing global competition, elevated stakeholder expectations, and the urgent need for long-term risk management techniques are all influencing the development of corporate governance frameworks in the Kingdom. Saudi businesses frequently lack an integrated approach that balances strategic risk supervision with compliance assurance, even in the face of global frameworks like COSO and ISO 31000 and developments in governance standards. Instead of being proactive collaborators in strategic decision-making, internal audit departments are usually viewed as reactive entities.

Saudi regulatory agencies and business executives are increasingly in agreement that comprehensive risk governance is necessary in the wake of previous financial scandals, operational disruptions, and cybersecurity breaches. A special chance to meet this requirement is presented by the convergence of RIA and ERM, which combines evaluative supervision with strategic vision.

By examining how ERM and RIA can be more closely aligned throughout the public and private sectors of the Kingdom, this article adds to the current conversation. Based on empirical data gathered via surveys, document reviews, and interviews, the study identifies systemic factors that facilitate and hinder this integration. Thus, it establishes the foundation for a dynamic, scalable framework that is in line with the governance goals of Vision 2030 and the larger trend toward institutional resilience in emerging economies.

REVIEW OF LITERATURE

Enterprise risk management (ERM) is a strategic governance instrument whose goal is to incorporate risk awareness into an organization’s decision-making process. According to COSO (2017), ERM offers a framework that improves risk visibility and permits more effective resource allocation. In contrast to compartmentalized, department-specific risk management techniques, it is an enterprise-wide, holistic approach. The advent of risk-oriented internal audit (RIA), which prioritizes value creation and risk foresight, has caused a paradigm shift in internal audit, which was previously concentrated on financial and compliance audits (Spira & Page, 2003).

There has been considerable professional and scholarly interest in the relationship between internal audit and ERM. According to Beasley et al. (2015), an organization’s capacity to identify and reduce strategic risks can be strengthened by coordinating internal auditing activities with ERM procedures. When integrated into the ERM framework, RIA goes beyond assurance by offering advisory input in strategy creation, operational resilience, and fraud detection (Arena & Azzone, 2009).

This integration is frequently hampered by the institutional context in emerging markets like Saudi Arabia. Effective ERM implementation is hampered by fragmented regulatory guidance, insufficient governance frameworks, and low organizational readiness, according to Al-Shammari et al. (2018). Furthermore, according to Al-Qahtani and Elgharbawy (2022), internal auditing in Saudi firms is still primarily driven by compliance and lacks the strategic perspective necessary for ERM integration.

Recent research has explored the institutional drivers of ERM adoption in the Middle East, identifying board independence, regulatory pressure, and market volatility as key factors (Almutairi et al., 2021). However, the literature remains underdeveloped in terms of how these factors interact with internal audit practices to shape risk governance outcomes. Studies by Frigo and Anderson (2011) and IIA (2020) advocate for a dynamic integration model where internal audit serves as both a control mechanism and a strategic advisor within ERM frameworks.

Furthermore, there are advantages and disadvantages to the digital revolution that is sweeping through auditing and governance. The lack of interoperable technologies might worsen risk silos, even while integrated digital dashboards can improve openness and data sharing (COSO, 2017). In order to investigate how ERM and RIA methods might be concurrently operationalized in Saudi enterprises, our study draws on institutional theory and integrated assurance models. An empirical layer is added to the theoretical underpinnings through the use of NVivo coding for qualitative analysis, which offers well-founded insights into the organizational reality of ERM-RIA integration.

By highlighting the theoretical requirements, empirical gaps, and contextual difficulties pertinent to ERM-RIA integration, this review of the literature lays the groundwork for our methodological investigation and for a proposed framework suited to Saudi Arabia’s Vision 2030 transformation. ERM seeks to offer a comprehensive understanding of enterprise-level risks, supporting organizational resilience, resource optimization, and strategic decision-making (COSO, 2017). Traditional internal audits, on the other hand, have usually concentrated on operational controls and compliance. The shift to RIA aligns internal audits with ERM goals by redefining them as proactive and forward-looking (Spira & Page, 2003).

Integrating ERM and RIA has been shown to increase early-warning capabilities, foster interdepartmental collaboration, and improve transparency (Beasley et al., 2015; Arena & Azzone, 2009). However, ERM frameworks in emerging economies frequently face challenges such as fragmented information flows, low risk maturity, and insufficient regulatory guidance (Al-Shammari et al., 2018).

Internal audit in Saudi Arabia is still mostly reactive and compliance-driven, despite earlier studies showing increased awareness of ERM, particularly in the banking, oil, and construction industries (Al-Qahtani & Elgharbawy, 2022). To investigate the ERM-RIA interaction, this research builds on the theoretical foundations of integrated assurance and institutional theory.

METHODOLOGY

This study uses a mixed-methods strategy. First, the qualitative component consists of 15 semi-structured interviews with board audit committee members, chief risk officers (CROs), and heads of internal audit (HIAs) from significant Saudi companies in the manufacturing, energy, and financial sectors. Second, a document review examines Vision 2030 white papers, ERM policies, regulatory guidelines from the Capital Market Authority (CMA) and the Saudi Central Bank (SAMA), and internal audit reports. Finally, the quantitative component surveys 93 risk and audit professionals using a 5-point Likert scale to assess perceived barriers, audit integration, and ERM maturity.

Iterative coding cycles were used to identify the themes “technological fragmentation,” “regulatory ambiguity,” and “strategic alignment.” Nodes were created from both inductive themes that emerged from participant narratives and deductive categories drawn from the interview guide. According to coding density, “skill gaps” and “regulatory ambiguity” were the most commonly mentioned issues throughout the interviews. Tree maps and mind maps were used to visually portray theme co-occurrence patterns, which were further supported by word frequency queries and cluster analysis in NVivo (see Figure 1: NVivo Tree Map of Thematic Density, Figure 2: Coding Hierarchy Tree, and Figure 3: Coding Sheet for further details).

Figure 1: NVivo Coding – Tree Map of Thematic Density

Figure 2: Coding Hierarchy Tree

Figure 3: Coding Sheet

RESULTS AND DISCUSSION

ERM Maturity and Internal Audit Role

According to the results, although 68% of the firms examined have adopted some form of ERM, only 31% had internal audit functions actively participating in strategic risk planning. Internal audits are mostly concerned with operational controls, with little consideration for forward-looking risk. This misalignment leads to disjointed risk management.

Key Barriers to Integration

According to this study, the successful integration of Enterprise Risk Management (ERM) and Risk-Oriented Internal Audit (RIA) in Saudi firms is hindered by three main types of barriers. Both the survey analysis and the NVivo-coded qualitative interview data revealed these obstacles.

  • Regulatory Ambiguity: The lack of a unified regulatory framework directing the integration of ERM and RIA was frequently mentioned by interviewees. Although there are sector-specific recommendations, such as those published by the Capital Market Authority (CMA) and the Saudi Central Bank (SAMA), they sometimes lack interoperability. Organizations create ad hoc risk management strategies devoid of cross-functional cohesiveness as a result of this regulatory fragmentation, which also leads to misunderstanding. “We are navigating a fragmented map of rules, which makes integrated risk governance impractical,” as one Chief Risk Officer put it.
  • Skill Gaps: Serious shortcomings in cross-disciplinary abilities were mentioned by risk managers and internal auditors. Risk managers admitted to having little exposure to audit processes, while internal auditors complained about receiving insufficient training in strategic risk analysis. According to NVivo’s coding analysis, 73% of interview transcripts contained references to “skill development,” frequently in expressions of annoyance about fragmented training initiatives. Due to a lack of executive support and cultural resistance, organizations that have tried to implement dual-skilling projects reported only moderate success.
  • Technological Fragmentation: Information sharing between audit and risk functions is hampered by the absence of integrated digital platforms. Even though audit management tools and ERM software are used by many firms, these systems frequently function independently. Missed insights, uneven dashboards, and redundant risk assessments are the outcome. Terms like “system duplication,” “manual reporting,” and “data inconsistency” frequently appeared together, according to NVivo cluster analysis, underscoring the operational cost of dispersed IT infrastructure.

All of these obstacles point to the necessity of extensive institutional and technological changes to close the gap between RIA and ERM in the Saudi environment.

In summary, three main obstacles surfaced:

  1. Regulatory Ambiguity: Absence of national standards for the integration of RIA and ERM.
  2. Skill Gaps: Lack of cross-functional knowledge in audit and risk management.
  3. Technological Fragmentation: Lack of connected platforms for exchanging risk and audit insights.

These findings are consistent with research on institutional fragmentation in Saudi corporate governance (Almutairi et al., 2021).

The Proposed ERM-RIA Integration Framework

The proposed ERM-RIA integration framework aims to close the operational and institutional gaps between internal assurance and strategic risk governance in Saudi enterprises. The framework is organized around five interconnected pillars, each of which addresses a significant obstacle identified in the research and is supported by both the qualitative data and international best practices.

  • Strategic Alignment: Risk-based internal auditing needs to change from being a compliance-focused role to becoming a strategic planning partner. This means including the Head of Internal Audit (HIA) in risk workshops and enterprise-level strategy conversations. The internal audit function can more effectively match its evaluations with business goals by taking part in the creation of organizational Key Risk Indicators (KRIs). Early-stage inclusion is crucial, as evidenced by the high frequency of co-occurrence between “strategic planning” and “audit exclusion,” according to NVivo coding of interviews.
  • Joint Risk Assessment: Through quarterly risk forums, the framework formally establishes consistent cooperation between HIA and the Chief Risk Officer (CRO). These meetings make it easier to validate residual risk assessments, design scenarios cooperatively, and share ownership of risk registers. One of the main causes of misaligned reporting systems, according to interviewees, is the absence of such contacts.
  • Integrated Reporting Dashboards: To combine internal audit insights (such as control effectiveness ratings and audit recommendations) with ERM outputs (such as heat maps and risk indicators), a single digital dashboard should be created. This will make it possible to track risk exposure and control gaps in real time. Both dynamic visualization features and role-based access should be supported by the suggested system. The common NVivo-coded issue of “system fragmentation” is addressed by this digital integration, which also facilitates coordinated decision-making.
  • Audit Committee Governance Oversight: Integrated ERM-RIA performance assessments ought to be sent to board-level audit committees. This necessitates amending committee charters to specifically mention risk management process monitoring in addition to standard audit evaluations. Financial institution interviewees pointed out that information silos resulting from overlapping reporting lines frequently erode oversight.
  • Ongoing Training and Cross-Skilling: Create dual-skilling certification programs that are approved by risk management (like IRM) and audit (like IIA) organizations. Data analytics, control testing, and risk modeling should all be covered in training sessions. Words like “competency mismatch” and “capacity building” were identified as prevalent themes by NVivo word frequency analysis. These programs can be used by organizations to develop hybrid talent pools that can perform integrated assurance responsibilities.

This framework is scalable and iterative, making it suitable for both private and public sector organizations. It highlights digital enablement, dynamic role distribution, and ongoing feedback as key elements for long-term ERM-RIA convergence in Saudi Arabia.

CONCLUSION

A crucial development in Saudi Arabia’s governance architecture, especially in light of Vision 2030, is the integration of ERM and risk-oriented internal audit (RIA) tasks. According to the research findings, internal audit’s potential as a strategic partner is still largely underutilized, despite the fact that many Saudi firms have started implementing ERM frameworks. Our mixed-methods approach has revealed important operational and structural obstacles to integration, including technological fragmentation, talent gaps, and regulatory ambiguity.

By placing a strong emphasis on strategy alignment, collaborative risk assessments, uniform digital reporting, and board-level monitoring, the suggested ERM-RIA integration architecture offers a road map for institutional reform. Organizations can break through functional barriers and transition to a more proactive, insight-driven governance model by supporting dual-skilling programs and data-driven collaboration.

From a policy standpoint, regulatory organizations like the Capital Market Authority (CMA) and the Saudi Central Bank (SAMA) need to facilitate integrated practices by providing incentives and unified standards. To guarantee successful implementation, companies must also make investments in cross-functional teams, compatible technologies, and training initiatives.

Future studies might examine the long-term effects of ERM-RIA integration, with a focus on how digital innovations—like blockchain-based audit trails or AI-enabled risk analytics—reshape governance in emerging economies. Additionally, the creation of regulatory sandboxes may offer a regulated setting for evaluating integration models prior to their wider implementation.

In summary, integrating internal audit and ERM not only supports global best practices but also enhances Saudi Arabia’s institutional ability to expand sustainably, remain accountable, and make risk-informed decisions in a world that is becoming more complex by the day. Implementing ERM alongside risk-oriented internal audit functions is an important next stage in Saudi Arabia’s institutional growth under Vision 2030, improving both risk visibility and strategic resilience. The suggested hybrid framework addresses institutional inadequacies unique to Saudi Arabia while adhering to international governance principles, and future research should examine how regulatory sandboxes and automation technologies facilitate further integration.

REFERENCES

  1. Almutairi, A., Al-Qahtani, F. & Alshahrani, M., (2021). Institutional fragmentation and risk governance in Saudi Arabia: A critical analysis. Middle East Journal of Governance, 9(2), pp.73–94.
  2. Al-Qahtani, F. & Elgharbawy, A., (2022). The status of internal audit in Saudi listed companies: Challenges and opportunities. Arabian Journal of Accounting, 26(1), pp.15–39.
  3. Al-Shammari, B., Brown, P. & Tarca, A., (2018). Governance effectiveness and enterprise risk management adoption: Evidence from emerging markets. Emerging Markets Review, 37, pp.110–125.
  4. Arena, M. & Azzone, G., (2009). Identifying organizational drivers of internal audit effectiveness. International Journal of Auditing, 13(1), pp.43–60.
  5. Beasley, M.S., Branson, B.C. & Hancock, B.V., (2015). The state of risk oversight: An overview of enterprise risk management practices. Raleigh, NC: ERM Initiative.
  6. COSO, (2017). Enterprise Risk Management—Integrating with Strategy and Performance. Durham, NC: Committee of Sponsoring Organizations of the Treadway Commission.
  7. Frigo, M.L. & Anderson, R.J., (2011). Strategic risk management: A foundation for improving enterprise risk management and governance. Journal of Corporate Accounting & Finance, 22(3), pp.81–88.
  8. IIA (Institute of Internal Auditors), (2020). The Role of Internal Audit in Risk Management. Altamonte Springs, FL: IIA.
  9. Spira, L.F. & Page, M., (2003). Risk management: The reinvention of internal control and the changing role of internal audit. Accounting, Auditing & Accountability Journal, 16(4), pp.640–661.
  10. Vision 2030, (2020). Kingdom of Saudi Arabia Vision 2030: Strategic Objectives and Programs. Riyadh: Government of Saudi Arabia.
