The Privatization and Corporatization Board (PCB) has instructed State-Owned Enterprises (SOEs) to strengthen their internal audit and risk management functions as part of wider efforts to improve governance and accountability.
The decision was taken at the PCB’s 30th meeting held on 10 December 2025, which focused on enhancing internal control frameworks across Government companies, Government holding companies and commercial Government entities.
Under the directive, companies are required to establish a Risk Management Function, either as an independent unit or within the Internal Audit Department. Entities that do not currently have such a function have been instructed to set it up as soon as possible.
The PCB has also directed companies to carry out a needs assessment to determine appropriate staffing levels for internal audit and risk management roles. Companies have been instructed to ensure these functions are adequately resourced, prioritising technical and practical expertise where necessary.
In addition, procurement reports submitted to the PCB under Government-owned company procurement guidelines must also be shared with the internal audit function. Quarterly financial reports and related documents submitted to the PCB are likewise required to be provided to internal audit teams.
The Board has further decided that company Audit Committees must be renamed as “Audit and Risk Committees”. For larger entities, a separate board-level risk committee may be established.
Companies have also been instructed to assess compliance with PCB-issued notices, rules and guidelines. A compliance audit or review must be conducted at least once a year and submitted to the Board or the relevant board committee. The PCB emphasised the importance of ensuring that internal audit findings and identified issues are addressed and resolved in a timely manner.
All required changes must be completed by 31 January 2026. Companies have been advised to engage relevant internal departments to take the necessary steps to strengthen audit and risk management systems.