The Privatization and Corporatization Board (PCB) has instructed State-Owned Enterprises (SOEs) to strengthen their internal audit and risk management functions.

The decision was taken at the PCB’s 30th meeting held on 10 December 2025, which focused on enhancing internal audit and risk management frameworks within Government companies, Government holding companies and commercial Government entities.

Under the decision, companies are required to ensure the establishment of a Risk Management Function, either as a separate independent unit or within the Internal Audit Department. Companies that do not currently have such a function have been instructed to set it up as soon as possible.

The PCB has also directed companies to conduct a needs assessment to determine the appropriate number of staff required to carry out internal audit and risk management responsibilities. Companies have been asked to ensure that these functions are adequately staffed, with priority given to practical technical expertise over management-level positions where necessary.

In addition, procurement reports that are required to be submitted to the PCB under Government-owned company procurement guidelines must also be shared with the company’s internal audit function. The Board has further instructed that quarterly financial reports and related documents submitted to the PCB should likewise be shared with internal audit teams.

The PCB has also decided that company Audit Committees must be renamed as “Audit and Risk Committees”. For larger companies, a separate risk committee may be established at board level.

Companies have further been instructed to assess their compliance with notices, rules and guidelines issued by the PCB. A compliance audit or review is to be conducted at least once a year and submitted to the Board or the relevant board committee. The PCB has also stressed the need to establish mechanisms to ensure that internal audit findings and other identified issues are addressed and resolved.

The PCB has set a deadline of 31 January 2026 for companies to complete the required changes. Companies have also been asked to engage relevant internal departments to take the necessary initiatives to strengthen internal audit and risk management functions.