Introduction
Independent assurance — before the external auditor finds what you missed
Boards and senior management are expected by regulators, banks, and investors to demonstrate that risks are identified, controls are functioning, and governance frameworks are operating as designed. That expectation has sharpened since UAE corporate tax came into effect in June 2023.
Internal audit is the mechanism that provides that assurance — independently, objectively, and before the external auditor finds what you missed. Federal Decree-Law No. 32 of 2021 on Commercial Companies requires UAE businesses to maintain adequate internal controls proportionate to their size and risk profile. At scale, adequacy requires more than a year-end finance review.
This practice has 21 years of UAE advisory experience and has supported more than 11,000 companies across mainland and free zone jurisdictions. Internal audit engagements cover manufacturing, trading, financial services, real estate, and professional services across Dubai, Abu Dhabi, and the wider UAE.
“In 21 years of UAE audit practice, the control gaps I find most often are not the ones no one thought of — they are the ones everyone assumed someone else was checking.”
What is internal audit in the UAE?
Internal audit is an independent, objective assurance and consulting function. Its purpose is to evaluate and improve the effectiveness of an organisation’s risk management, internal controls, and governance processes. It operates inside the business — but independently of the operations it reviews.
Internal audit is distinct from external or statutory audit. An external auditor expresses an opinion on the financial statements. An internal auditor examines the processes, controls, and systems that produce those financial statements — and everything else that affects how the business manages risk. The external auditor looks backward at a completed period. The internal auditor operates continuously, identifying issues while they can still be corrected.
The global professional standard is the International Standards for the Professional Practice of Internal Auditing, published by the Institute of Internal Auditors (IIA). These define independence requirements, audit methodology, reporting obligations, and quality assurance.
Federal Decree-Law No. 32 of 2021 on Commercial Companies requires UAE companies to maintain adequate internal controls proportionate to their size, activities, and risk profile. For UAE licensed financial institutions, UAE Central Bank circulars impose a specific requirement for an independent internal audit function reporting directly to the board audit committee — subject to supervisory review.
Why internal audit matters in the UAE
Corporate Tax controls requirement
Federal Decree-Law No. 47 of 2022 introduced a 9% CT rate on taxable income above AED 375,000 from financial years beginning on or after 1 June 2023. The CT regime requires accurate financial records and transfer pricing evidence available to the FTA on request. Internal audit verifies these controls are in place — and that the records the CT return is based on have been produced by a controlled process. A business that cannot demonstrate process integrity faces adjustment risk on its CT position. Verify current CT record-keeping requirements at tax.gov.ae.
Listed companies — SCA requirement
The Securities and Commodities Authority mandates that UAE listed companies establish audit committees with board-level oversight and independent internal audit functions. This is a regulatory requirement, not a corporate governance recommendation. Non-compliance affects the listing status and the company's relationship with the SCA.
DIFC, ADGM, and free zone requirements
DIFC-licensed firms must maintain governance frameworks including internal audit or equivalent oversight mechanisms under DFSA rules at difc.ae. ADGM-licensed firms face equivalent requirements from the FSRA at adgm.com. Firms without documented internal audit processes face greater scrutiny at regulatory inspections and licensing renewals.
The cost of not having it
Companies without an internal audit function consistently pay higher external audit fees — external auditors must compensate with additional substantive testing when they cannot rely on internal controls. The premium can range from AED 15,000 to AED 60,000 per engagement above what a well-controlled company of equivalent size would pay (indicative, based on practitioner experience — individual engagements vary). The absence of internal audit is not a cost saving — it is a cost transfer to a more expensive function.
Who needs internal audit services?
UAE mainland companies with 50 or more employees
Any company operating at scale — 50+ employees, multiple departments, or revenues above AED 5M — has a control environment complex enough to generate material gaps without a systematic review process. FDL No. 32/2021 requires adequate internal controls; at this scale, adequacy requires more than a year-end finance review.
Important note: The 50-employee threshold is a risk indicator, not a legal number. Companies below this threshold with complex procurement, inventory, or cash handling carry equivalent control risk.
Free zone entities preparing for external audit or regulatory inspection
Free zone companies in DMCC, JAFZA, Dubai Silicon Oasis, and equivalent zones are subject to external audit requirements and periodic authority inspections. A first-time or post-gap external audit is materially faster and less expensive when the internal control environment has been reviewed and documented in advance.
Important note: Free zone authorities are increasingly requesting evidence of internal governance frameworks at licence renewal — not merely audited financial statements.
DIFC and ADGM licensed firms
Financial services firms, fund managers, asset managers, and regulated entities within the DIFC and ADGM face specific internal audit requirements from the DFSA and FSRA respectively. These are ongoing, reportable obligations. Verify current requirements at difc.ae and adgm.com.
Important note: An outsourced provider for a DIFC or ADGM firm must meet the regulator's independence and qualification standards.
UAE banks and licensed financial institutions
The UAE Central Bank requires all licensed financial institutions to maintain an independent internal audit function reporting directly to the board audit committee, free from management interference. The function must cover credit risk, operational risk, compliance, and IT controls at minimum frequency intervals. Verify at cbuae.gov.ae.
Important note: The Central Bank's supervisory examination programme includes review of internal audit reports — they are not for internal use only.
Family businesses preparing for succession or sale
A business approaching ownership transition requires a clean, documented control environment. A prospective buyer conducting due diligence will identify control gaps the family had not previously quantified. Addressing them through internal audit before the transaction process begins is materially cheaper than discovering them during due diligence.
Important note: Buyers routinely reduce offer prices or insert indemnities for control failures identified post-LOI — internal audit before the sale process starts protects valuation.
Companies implementing UAE Corporate Tax for the first time
Businesses in their first or second UAE CT filing year frequently have gaps between the controls their CT return assumes are in place and the controls that actually exist. An audit scoped to CT-relevant processes — revenue recognition, related-party transactions, transfer pricing documentation — identifies those gaps before the FTA does.
Important note: A voluntary disclosure to correct a prior-period CT position is always preferable to an FTA-initiated adjustment — internal audit is the mechanism that identifies which approach is needed.
Key benefits of internal audit
Independent risk identification before the external auditor
Internal audit identifies control gaps and fraud indicators during the year — not after the financial statements are finalised. Issues found internally are correctable. Issues found by the external auditor are reportable.
Control gap remediation on your timeline
When internal audit identifies a weakness, you have time to remediate it before the external audit begins. External audit findings generate formal management letters, regulatory reporting obligations, and external audit premium increases.
Board-level assurance on governance
A properly structured internal audit function reports to the board or audit committee — not to management. This gives the board independent confirmation that controls management reports as functioning are actually functioning.
Regulatory compliance readiness
Internal audit aligned to FTA, SCA, Central Bank, DFSA, or FSRA requirements provides documented evidence of compliance readiness. Scrambling to produce documentation at the point of a regulatory request is more expensive and less credible.
External audit fee reduction
External auditors price engagements based on internal control quality. A company with a functioning internal audit function consistently pays lower external audit fees than an equivalent company without one. The saving is real and recurring.
Fraud deterrence and early detection
The presence of a functioning internal audit programme changes the risk calculus for internal fraud. Detection risk increases. The most effective deterrence is not a policy — it is a programme that tests whether the policy is followed.
Required documents and information
Corporate Documents
- Trade licence(s) for all entities in scope
- Memorandum and Articles of Association
- Current organisational chart with reporting lines
- Board and audit committee terms of reference
- Prior internal or external audit reports (last 3 years)
- Management letters received from external auditor
Financial Records
- Chart of accounts and trial balance — current and prior year
- Bank reconciliations for all accounts
- Aged accounts receivable and payable listings
- Fixed asset register with depreciation schedules
- Details of all related-party transactions
- Transfer pricing documentation prepared to date
Process Documentation
- Procurement policy and approval authority matrix
- Inventory management procedures and cycle count records
- Payroll processing procedures and authorisation controls
- Revenue recognition policy and supporting contracts
- Expense and reimbursement policy
- Standard operating procedures for key financial processes
IT Systems Access
- Chart of system access rights by user role
- ERP or accounting system configuration documentation
- IT general controls documentation (if any)
- Details of recent system changes or migrations
- Cybersecurity and data access policy documentation
Internal audit process — 6 steps
Week 1
Audit universe mapping & risk assessment
Map all business processes, entities, and functions. Score each for inherent risk — financial materiality, regulatory exposure, operational criticality, and control complexity. Output: risk register and prioritised audit universe for board approval.
Week 2
Audit plan approval by board or management
Present the risk-prioritised plan for formal approval. Establish scope, timeline, resources, and independence of the audit function. Where an audit committee exists, approval is sought at that level — not management.
Weeks 3–6
Fieldwork — control testing and evidence gathering
Process walkthroughs, control design and operating effectiveness testing, transaction sampling, and IT access review. Every finding is documented with evidence reference and the control standard it is measured against.
Week 7
Draft findings and management responses
Draft findings presented to management: control gap, evidence, risk consequence, recommended remediation, and proposed timeline. Management confirms, adds context, or proposes alternatives. Responses included verbatim in the final report.
Week 8
Final audit report issuance
Final report issued to the board or audit committee — findings rated by severity, remediation owners assigned, timelines agreed. Critical findings are communicated verbally before the draft is finalised. Report retained in the audit file.
Ongoing / 90 days
Follow-up and remediation tracking
Within 90 days, confirm whether each agreed remediation action has been implemented and re-test closed controls. Partially implemented or re-opened findings are escalated to the board. The follow-up report feeds the next year's risk assessment.
Processing times are indicative based on standard engagements. Individual timelines vary by entity size, scope complexity, and document readiness.
Week-by-week timeline
| Phase | Timeframe | Activity |
|---|---|---|
| Engagement kick-off | Day 1–3 | Introductory meeting; document request issued; access confirmed |
| Audit universe mapping | Week 1 | All processes, entities, and functions inventoried and risk-scored |
| Audit planning | Week 2 | Scope, methodology, and resource plan finalised; board approval obtained |
| Fieldwork — Phase 1 | Weeks 3–4 | Process walkthroughs; control design testing; initial transaction sampling |
| Fieldwork — Phase 2 | Weeks 5–6 | Control effectiveness testing; IT access review; evidence gathering completed |
| Draft report & responses | Week 7 | Draft findings issued to management; responses received and incorporated |
| Final report issuance | Week 8 | Final report issued to board or audit committee |
| Remediation tracking | Weeks 9–20 | Follow-up on agreed actions; re-testing closed controls; escalation of overdue items |
Risk assessment: how we prioritise the audit universe
Every internal audit engagement begins with a risk heat matrix — plotting each business process by likelihood of control failure and potential impact. High-likelihood, high-impact areas are prioritised for fieldwork. Low-risk areas are scheduled for lighter-touch or deferred review.
Internal audit vs external audit vs management review
The three oversight mechanisms serve different purposes and are not substitutes for one another. A company with a strong internal audit function typically pays less for its external audit because the external auditor can place reliance on internal controls.
| Criterion | Internal Audit | External / Statutory Audit | Management Review |
|---|---|---|---|
| Purpose | Evaluate and improve controls, risk management, and governance on an ongoing basis | Express an independent opinion on the truth and fairness of the financial statements | Management's own assessment of performance and process effectiveness |
| Who performs it | In-house team or outsourced specialist — reports to board or audit committee | Licensed external audit firm — reports to shareholders | Management or business unit heads — not independent |
| Frequency | Continuous or annual programme; follow-up quarterly | Annual (year-end); statutory requirement | Ad hoc or periodic; no regulatory standard |
| Regulatory basis | IIA Standards; FDL No. 32/2021; Central Bank / DFSA / FSRA / SCA | FDL No. 32/2021; free zone authority requirements | No regulatory standard; no mandatory format |
| Output | Audit report to board — findings rated by severity; remediation tracker | Auditor's report on financial statements; management letter on control observations | Internal management report; no prescribed format |
| Independence | Independent of operations reviewed; reports to board, not management | Fully independent of the company | Not independent — management reviews its own processes |
| Indicative cost | AED 45,000–180,000 per year (outsourced) | AED 15,000–300,000+ per year (size-dependent) | No direct cost; significant management time |
Cost breakdown
The cost of outsourced internal audit depends on entity size, number of audit areas, regulatory requirements, and the engagement model chosen.
| Service model | Indicative fee |
|---|---|
| Annual internal audit retainer — outsourced | AED 45,000–120,000 / year |
| Project-based — single function audit | AED 15,000–40,000 |
| Co-sourced — specialist supplement | AED 25,000–80,000 / year |
| DIFC / ADGM licensed firm — annual programme | AED 60,000–180,000 / year |
Fees are indicative as of 2026 based on standard engagement scopes. Subject to change. Fees do not include out-of-pocket travel expenses where site visits outside the UAE are required. Verify at a consultation before proceeding.
Case study
Anonymised — UAE Mainland Manufacturing Company, 120 Employees
- AED 1.4M: Unapproved purchase orders
- 19: Inventory control gaps found
- 3: Former employees with active ERP access
- AED 38K: External audit fee saving (following year)
A UAE mainland manufacturing company with 120 employees engaged us after their external auditor identified material weaknesses in procurement controls — three years after the company’s last internal audit exercise.
Our fieldwork — completed over six weeks — identified AED 1.4 million in unapproved purchase orders processed outside the authorisation matrix, 19 control gaps in inventory management including undocumented write-offs, and a complete absence of IT access controls for the ERP system. Three former employees retained active system access following resignation.
We delivered a 12-week remediation plan with action owners, timelines, and a follow-up testing schedule. The following year’s external audit — conducted against a materially improved control environment — was completed in 9 days rather than 16, and the external audit fee was AED 38,000 lower than the prior year.
Audit findings severity ratings
Every finding in an internal audit report is rated by severity. The rating determines the reporting urgency, the remediation timeline, and whether board notification is required before the draft report is issued.
Material financial or regulatory consequence. Requires immediate verbal board notification before draft report. Remediation plan within 7 days.
Significant risk to operations, compliance, or financial reporting. Formal remediation plan required within 30 days with named owner.
Moderate control gap with contained risk consequence. Remediation plan and agreed owner within 60–90 days.
Improvement opportunity. Minor gap, limited risk consequence. Remediate within 6 months or accept and document management rationale.
Five internal audit mistakes UAE businesses make
Treating internal audit as a one-off exercise before external audit
Internal audit conducted once — in response to a specific trigger — is crisis management, not a control function. The value is continuous: risk assessment updated annually, findings remediated within agreed timelines, control effectiveness re-tested. A one-off exercise gives a point-in-time picture with no mechanism to ensure the situation improves.
Scoping internal audit too narrowly — finance only
Procurement, inventory, IT general controls, HR, and payroll are all material risk areas that financial-only audit leaves untested. The control failures that generate the largest financial losses — procurement fraud, inventory manipulation, unauthorised system access — typically sit outside the finance function. An audit scope that excludes them is not protecting the business.
Compromising auditor independence by mixing roles
An internal auditor who prepares the financial records they are reviewing is not independent. A firm that performs both external and internal audit for the same client in the same period faces an independence conflict under IIA standards and, in regulated entities, under regulator requirements. The person testing the control cannot be the person who designed or operates it.
Failing to track remediation of prior findings
The FTA, the Central Bank, the DFSA, and the FSRA all examine whether control weaknesses identified in prior periods have been remediated. A finding that recurs after it was identified internally is treated as a more serious governance failure than the original finding. An audit programme without a board-reported remediation tracker is producing observations, not improvement.
Selecting internal auditors without IIA qualification or UAE knowledge
Internal audit without IIA Standards produces inconsistent, unverifiable work that external auditors and regulators do not rely on. In DIFC and ADGM firms, the DFSA and FSRA examine auditor qualifications during supervisory review. An auditor who is not CIA, ACA, ACCA, or equivalent — and unfamiliar with UAE regulatory requirements — produces a report that has the form of internal audit without the substance.
Renewal and ongoing obligations
Annual audit plan refresh — update universe and risk assessment for new entities, activities, regulations, and prior-year findings.
Board or audit committee reporting on plan status, findings by severity, remediation progress, and emerging risks.
For Central Bank, DFSA, and FSRA regulated firms — internal audit progress report to the board or regulator.
Update UBO registers, restructuring reviews, and CT compliance audit following any material ownership or business change.
External quality assessment of the internal audit function required under IIA standards — confirms methodology and independence.
Follow-up remediation tracking — 90-day cycle per report; escalation to board for overdue or recurring findings.




