
Audit & Assurance · Internal & Operational Audits

Internal Audit (UAE)

Internal audit in the UAE is no longer a discretionary governance nicety — it is an expectation woven into DIFC and ADGM corporate governance codes, free zone authority requirements, bank covenant conditions, and increasingly into the risk appetite of boards operating under UAE Corporate Tax and AML/CFT scrutiny.

Chartered Accountants · Dubai · Since 1986

What Internal Audit (UAE) is

Internal audit is an independent, objective assurance and consulting activity designed to add value to an organisation by evaluating and improving the effectiveness of its risk management, internal control, and governance processes. Unlike statutory (external) audit — which expresses an opinion on whether the financial statements present a true and fair view for shareholders and regulators — internal audit is management- and board-facing. It looks forward and sideways as much as backward: are controls designed correctly, are they operating as designed, are risks being identified and managed, and is the organisation's governance structure fit for the risks it actually carries? In the UAE, internal audit sits alongside (and is distinct from) the mandatory statutory audit that virtually every mainland LLC and free zone company must file annually with its licensing authority.

For DIFC and ADGM-registered entities, internal audit expectations are shaped by the corporate governance principles embedded in DIFC Company Regulations and the ADGM Companies Regulations, alongside sector-specific requirements from the DFSA (DIFC) and FSRA (ADGM) for regulated financial services entities — many of which explicitly require an internal audit function or an outsourced equivalent, particularly for licensed banks, insurers, and larger category firms. Mainland companies under DED licensing and most free zone entities (JAFZA, DMCC, RAK ICC, Ajman Free Zone, SHAMS and others) have no blanket statutory obligation to maintain an internal audit function, but internal audit is frequently a condition of bank lending covenants, a requirement from institutional or private equity investors, a best-practice expectation embedded in family business governance charters, and — since the introduction of Federal Decree-Law No. 47 of 2022 on Corporate Tax — an increasingly important control layer given the exposure created by transfer pricing documentation, related-party transaction disclosure, and Free Zone Qualifying Income conditions under the Corporate Tax regime.

A well-scoped internal audit in the UAE typically covers financial controls (procurement-to-pay, order-to-cash, payroll and WPS compliance, treasury and bank reconciliations), operational processes (inventory, logistics, project costing, contract management), compliance risk (VAT under Federal Decree-Law No. 8 of 2017, Corporate Tax positions, AML/CFT obligations under Federal Decree-Law No. 20 of 2018 and Cabinet Decision No. 10 of 2019 for designated non-financial businesses and professions, and labour law/MOHRE/WPS compliance), IT general controls, and fraud risk indicators. The output is not a pass/fail opinion — it is a structured, prioritised set of findings and recommendations delivered to the audit committee or board, with agreed management action plans and follow-up review of remediation.

Internal audit engagements can be structured as a fully outsourced internal audit function (PNPC acts as the client's internal audit department on a recurring cycle), co-sourced (PNPC supplements an existing in-house internal audit team with specialist skills — IT audit, forensic techniques, treasury), or project-based (a single scoped review — for example, a pre-acquisition operational due diligence, a fraud-risk review following a specific incident, or a one-time controls review ahead of a bank facility renewal or investor round). The right model depends on company size, risk profile, group structure, and whether the board is establishing internal audit as an ongoing governance function or responding to a specific, immediate need.

The reason internal audit matters more in the UAE now than it did five years ago is that three separate stakeholders have started asking to see it at once. Lenders write internal audit clauses into facility agreements; institutional and PE investors treat a functioning control environment as a diligence gate; and the Corporate Tax regime has made the quality of related-party documentation, transfer pricing support, and Free Zone Qualifying Income evidence a live financial exposure rather than a governance nicety. A business that has grown from twenty to two hundred staff, or from one licence to a multi-entity group spanning a free zone and the mainland, has almost always outrun its original approval limits, segregation-of-duties design, and ERP access controls — and the failure usually only surfaces when the year-end statutory auditor, a lender's diligence team, or an FTA query forces it into the open. Internal audit is the mechanism for finding it first, on your own timetable, when it is cheap to fix.

What separates a real internal audit from a checklist is the distinction between design and operating effectiveness. A control can be well designed on paper — a three-way match, a dual approval on payments above a threshold — and still fail in practice because it is routinely skipped under time pressure or overridden by someone with system rights they should not have. PNPC tests both: whether the control is adequate by design, and whether the evidence of the actual cycle shows it operating. A policy document, an ERP configuration screen, or a delegation matrix is not proof the control works; the transaction sample is. That is the discipline that makes a finding defensible to a board, a lender, or a regulator rather than an assertion.

The deliverable is a report written for a governance audience — an executive summary, a risk heat-map, findings that are each risk-rated and root-caused (design deficiency versus operating deficiency, with the different remediation each demands), and an agreed management action plan with named owners and committed dates. But the report is not the end of the engagement: PNPC tracks agreed actions to the next audit committee cycle and re-tests previously flagged controls three to six months later to confirm remediation actually held rather than accepting a verbal 'it's fixed'. Findings without follow-up are the single biggest reason internal audit programmes lose credibility with boards, and we build the follow-up in from the outset. Fee and timeline are confirmed in the engagement letter after we understand the entity structure and risk profile — the range across a single-process pilot, a first-cycle programme, and an ongoing outsourced function is too wide for a meaningful generic figure.

When an internal audit engagement adds real value

The board or audit committee needs independent assurance over risk management and controls that goes beyond what the statutory external auditor is scoped to provide

A bank facility, investor, or private equity term sheet includes a covenant or condition requiring an internal audit function or periodic internal audit reporting

The company is a DIFC or ADGM regulated entity (or a category of licensed financial services firm) where the DFSA or FSRA rulebook expects an internal audit function proportionate to the firm's size and risk profile

A group structure spans multiple UAE free zones, mainland entities, and often an Indian or other overseas parent/subsidiary, creating intercompany transactions, transfer pricing exposure, and consolidation risk that no single external auditor is scoped to review operationally

Rapid headcount or revenue growth has outpaced the maturity of financial controls, procurement authorisation limits, or IT access controls — and management wants an independent health check before problems surface at year-end audit

A family business is professionalising governance ahead of succession, bringing in external directors, or preparing for its first institutional investment round

There has been a specific trigger — a suspected fraud, a whistleblower complaint, an unexplained variance, or a failed bank reconciliation — that warrants a targeted, independent operational review

The company wants to strengthen its AML/CFT control environment ahead of a goAML-related regulatory review or because it falls within a Designated Non-Financial Business and Profession (DNFBP) category under Cabinet Decision No. 10 of 2019

A first UAE Corporate Tax return is approaching and the board wants assurance that related-party documentation, transfer pricing support, and any Qualifying Free Zone Person analysis can actually withstand FTA scrutiny before the return is filed

The finance function relies substantially on spreadsheets rather than a system-enforced ERP, so procedural discipline — not access controls — is doing all the work of preventing an overwritten formula or a competing file version from distorting a board or bank number

The business holds client money (real estate escrow under RERA, law-firm client accounts, or similar fiduciary balances) and needs independent evidence that client funds are segregated and reconciled to the relevant regulator's client-money rules, not merely assumed to be

When internal audit is not the right engagement

You need an opinion on whether your financial statements are true and fair for filing with your licensing authority or bank — that is statutory (external) audit, a separate, independent engagement from internal audit and one PNPC scopes and delivers distinctly

You need day-to-day bookkeeping, VAT return preparation, or monthly management accounts — that is an accounting and compliance retainer, not an internal audit function

You are a very small owner-managed business with a handful of transactions a month and no bank covenant, investor, or regulatory driver requiring independent assurance — a lighter-touch periodic controls review may be more proportionate than a full internal audit cycle

You need forensic investigation into a specific, already-identified fraud with a view to litigation or criminal referral — that calls for a dedicated forensic and fraud investigation engagement with a different evidentiary standard, though PNPC's internal audit findings frequently trigger exactly this escalation

You are looking for tax advisory or Corporate Tax return filing — internal audit may test the controls around your tax positions, but does not replace dedicated Corporate Tax compliance and advisory work

The company has no board or audit committee structure at all and no near-term plan to establish one — internal audit reports to a governance body; without one, the reporting line and value of the exercise is diminished until that structure exists

Management wants the internal auditor to report solely to the CFO whose own department is being reviewed, and to soften or bury findings that reach the board — that request defeats the independence the Internal Audit Charter exists to protect, and we would decline rather than lend our name to it

You want a governance document produced quickly to satisfy a lender or investor checkbox, with no intention of testing actual transactions or changing the approval and recordkeeping habits the review would flag

The finance team is unwilling to grant the read-only system access, transaction extracts, approval logs, and reconciliations that control testing requires — without evidence from the actual cycle, an internal audit becomes an unsupported opinion rather than assurance

Structure Comparison

Internal audit vs related assurance engagements in the UAE

| Feature | Internal Audit | Statutory (External) Audit | Forensic/Fraud Investigation | Internal Controls Health Check |
|---|---|---|---|---|
| Primary purpose | Independent assurance on risk management, controls and governance | Opinion on true and fair view of financial statements | Investigate a specific suspected irregularity for evidentiary/legal use | Lighter-touch review of key control gaps, typically one-off |
| Who it reports to | Audit committee / board | Shareholders (via signed audit report) | Board / legal counsel / regulator, often under privilege | Management or owner |
| Mandatory under UAE law | Not generally mandatory for mainland/most free zone entities; often required for DIFC/ADGM regulated firms and bank covenants | Yes — annual filing typically required by DED/free zone authority licence conditions | No — triggered by a specific event | No — voluntary |
| Scope | Broad — financial, operational, compliance, IT, fraud-risk controls | Financial statements and supporting records | Narrow and deep — the specific transaction, individual, or process in question | Narrow — a handful of high-risk processes |
| Frequency | Annual cycle, quarterly reviews, or continuous co-sourced function | Annual, tied to financial year end | Ad hoc, triggered by an incident | One-off or periodic (e.g. pre-renewal) |
| Independence requirement | Independent of the function being reviewed; ideally independent of the external auditor | Independent registered auditor, distinct from internal audit | Fully independent, often litigation-ready methodology | Can be performed by the same advisor doing other work |
| Typical output | Findings report with risk ratings, root cause and management action plan | Signed audit opinion and financial statements | Investigation report, evidence file, possible referral to authorities | Short-form gap-analysis memo |
| Relevant UAE bodies | DFSA (DIFC), FSRA (ADGM), free zone authority governance codes, bank covenants | DED / free zone licensing authority, FTA (for tax-linked disclosures) | Dubai Courts / DIFC Courts / ADGM Courts if litigation follows; goAML if AML-related | None specifically — internal governance driven |
| Typical trigger | Board decision, investor/lender condition, regulatory expectation | Annual licence renewal condition | Whistleblower report, unexplained loss, suspicious transaction | Growth, new CFO, upcoming external audit or funding round |

These engagement types are complementary, not interchangeable — many PNPC clients run an annual internal audit cycle alongside their statutory audit, with forensic or targeted reviews commissioned only when a specific red flag emerges. The right combination depends on your licence type, regulator, group structure, and risk appetite; this table is directional and a scoping conversation with a PNPC partner is the right starting point.

How it works
Each stage below gives what PNPC does, what generic providers miss, and the indicative timeline.

1. Initial Scoping Discussion — understand the entity, group structure and driver for the engagement (Week 1)
What generic providers miss: We ask the questions that determine everything downstream: is this DIFC/ADGM regulated (and therefore subject to DFSA/FSRA expectations), is there a bank covenant with a specific internal audit clause, is there an Indian or other overseas parent creating intercompany/transfer-pricing exposure, has there been a specific trigger event. Generic 'internal audit' proposals skip this and hand over a templated scope regardless of your actual risk profile.

2. Risk Assessment & Audit Universe Mapping — build the full inventory of auditable processes and rank by risk (Week 1–2)
What generic providers miss: A proper internal audit starts from a risk-ranked universe — procurement, payroll/WPS, treasury, revenue recognition, related-party transactions, IT access controls, AML/CFT (if DNFBP-relevant), Corporate Tax positions — not a fixed checklist copied from a previous client. We rank based on materiality, fraud susceptibility, regulatory exposure and management's own risk register where one exists.

3. Audit Charter & Terms of Reference — formal document defining independence, reporting line and authority (Week 2)
What generic providers miss: The Internal Audit Charter establishes that the function reports to the audit committee or board — not to the CFO whose department is being reviewed. Without this documented independence, findings can be diluted or buried before they reach the people who need to see them. We draft this collaboratively with the board or ultimate owner.

4. Annual Audit Plan — the specific engagements to be delivered across the cycle (Week 2–3)
What generic providers miss: A credible internal audit plan covers the highest-risk areas first and is realistic about the hours and skills required — not an aspirational list that ends up half-delivered. We size the plan to the entity's actual risk profile and the board's appetite for assurance versus cost.

5. Fieldwork — Process Walkthroughs & Control Testing (Week 3–6 per engagement, depending on scope)
What generic providers miss: Walkthroughs of each in-scope process — procurement-to-pay, order-to-cash, payroll/WPS run, bank reconciliation, month-end close — documented against the control objective, not just 'does a control exist'. We test operating effectiveness with actual sample transactions, not just design adequacy on paper.

6. Data Analytics & Exception Testing (Concurrent with fieldwork)
What generic providers miss: Where the client's systems support it, we run analytics across the full population of transactions (duplicate payments, unusual vendor master changes, weekend/after-hours postings, round-sum invoices, segregation-of-duties conflicts in the ERP) rather than relying only on small manual samples — this catches patterns manual sampling alone would miss.

7. Draft Findings & Root Cause Discussion with Management (Week 6–7)
What generic providers miss: Every finding is risk-rated (high/medium/low) and includes root cause — not just symptom — because a recommendation that fixes a symptom without addressing the cause recurs at the next review. We discuss draft findings with process owners before finalising, to correct factual errors and agree realistic remediation timelines.

8. Final Report to Audit Committee / Board (Week 7–8)
What generic providers miss: The final report is written for a governance audience — executive summary, risk heat-map, prioritised findings, agreed management action plan with named owners and dates. We present this in person or via video to the audit committee or board, not just email a PDF.

9. Management Action Plan Tracking (Ongoing through the cycle)
What generic providers miss: Findings without follow-up are a wasted exercise. We track agreed remediation actions against their committed dates and report status at the next audit committee cycle — closing the loop that many one-off review providers never revisit.

10. Follow-Up Review of Remediation (Typically 3–6 months after final report)
What generic providers miss: A dedicated follow-up procedure — re-testing the specific controls previously flagged — confirms whether remediation actually occurred and was effective, rather than accepting management's word that 'it's fixed'.

11. Coordination with Statutory (External) Auditor (At year-end audit cycle)
What generic providers miss: Where useful and permitted, we share relevant internal audit findings with the client's external auditor (with management's consent) to avoid duplicated effort and to flag matters relevant to the year-end statutory audit — reducing overall audit fatigue on the finance team.

12. Annual Plan Refresh & Cycle Renewal (Start of each new cycle)
What generic providers miss: Risk profiles shift — a new bank facility, a new jurisdiction, a Corporate Tax filing position, an AML/CFT designation change. We refresh the audit universe and risk ranking annually so the next cycle's plan reflects the business as it is today, not as it was a year ago.
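As an added illustration of the full-population exception tests described in the data analytics stage (this is example code, not PNPC's own tooling), the script below runs duplicate-payment, weekend-posting, round-sum, approval-threshold and segregation-of-duties checks over a constructed accounts-payable extract. The field names, the AED 75,000 dual-approval limit, the AED 10,000 round-sum floor and the sample records are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample accounts-payable extract (hypothetical records, not client data).
# Each payment carries the posting user and the list of users who approved it.
PAYMENTS = [
    {"id": "P001", "vendor": "V100", "invoice": "INV-7781", "amount": 12450.00,
     "posted": date(2024, 3, 4), "created_by": "amira", "approvers": ["omar"]},
    {"id": "P002", "vendor": "V100", "invoice": "inv 7781", "amount": 12450.00,
     "posted": date(2024, 3, 11), "created_by": "amira", "approvers": ["omar"]},   # re-keyed copy of P001
    {"id": "P003", "vendor": "V205", "invoice": "INV-0142", "amount": 50000.00,
     "posted": date(2024, 3, 16), "created_by": "yusuf", "approvers": ["yusuf"]},  # Saturday, round sum, self-approved
    {"id": "P004", "vendor": "V310", "invoice": "INV-9920", "amount": 87300.00,
     "posted": date(2024, 3, 19), "created_by": "lina", "approvers": ["omar"]},    # one approver above the dual limit
    {"id": "P005", "vendor": "V410", "invoice": "INV-3301", "amount": 3200.00,
     "posted": date(2024, 3, 20), "created_by": "lina", "approvers": ["omar", "hala"]},  # clean
]

# Constructed vendor-master change log: who changed which vendor field and when.
VENDOR_CHANGES = [
    {"vendor": "V310", "field": "bank_account", "changed_by": "omar", "changed_on": date(2024, 3, 18)},
]

DUAL_APPROVAL_THRESHOLD = 75000.00  # assumed delegation-of-authority limit (AED)
ROUND_SUM_FLOOR = 10000.00          # assumed: round sums below this are not worth reviewing


def _normalise_invoice(ref):
    """Collapse case, spaces and punctuation so 'INV-7781' and 'inv 7781' compare equal."""
    return re.sub(r"[^A-Z0-9]", "", ref.upper())


def duplicate_payments(payments):
    """Groups of payment ids sharing the same vendor and normalised invoice reference."""
    by_key = defaultdict(list)
    for p in payments:
        by_key[(p["vendor"], _normalise_invoice(p["invoice"]))].append(p["id"])
    return [ids for ids in by_key.values() if len(ids) > 1]


def weekend_postings(payments, weekend=(5, 6)):
    """Payments posted on a weekend day (weekday(): Mon=0 .. Sun=6).
    Default Sat/Sun matches the UAE weekend adopted in 2022; pass (4, 5) for earlier Fri/Sat periods."""
    return [p["id"] for p in payments if p["posted"].weekday() in weekend]


def round_sum_invoices(payments, floor=ROUND_SUM_FLOOR):
    """Invoices at or above the floor whose amount is an exact multiple of 1,000."""
    return [p["id"] for p in payments if p["amount"] >= floor and p["amount"] % 1000 == 0]


def single_approval_above_threshold(payments, threshold=DUAL_APPROVAL_THRESHOLD):
    """Payments over the dual-approval limit that carry fewer than two distinct approvers."""
    return [p["id"] for p in payments
            if p["amount"] > threshold and len(set(p["approvers"])) < 2]


def sod_conflicts(payments, vendor_changes):
    """Segregation-of-duties conflicts: a user approving a payment they created, or approving
    a payment to a vendor whose bank account they themselves changed."""
    bank_changers = defaultdict(set)
    for c in vendor_changes:
        if c["field"] == "bank_account":
            bank_changers[c["vendor"]].add(c["changed_by"])
    hits = []
    for p in payments:
        approvers = set(p["approvers"])
        if p["created_by"] in approvers:
            hits.append((p["id"], "creator approved own payment"))
        if approvers & bank_changers.get(p["vendor"], set()):
            hits.append((p["id"], "approver changed vendor bank details"))
    return hits


def run_exception_tests(payments, vendor_changes):
    """Run every test over the whole population and return the hits per test."""
    return {
        "duplicate_payments": duplicate_payments(payments),
        "weekend_postings": weekend_postings(payments),
        "round_sum_invoices": round_sum_invoices(payments),
        "single_approval_above_threshold": single_approval_above_threshold(payments),
        "sod_conflicts": sod_conflicts(payments, vendor_changes),
    }


if __name__ == "__main__":
    for test, hits in run_exception_tests(PAYMENTS, VENDOR_CHANGES).items():
        print(f"{test}: {hits}")
```

Each hit is a lead for the fieldwork sample, not a finding in itself; the auditor still pulls the supporting documents and confirms whether the control was actually skipped.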

A first-cycle internal audit engagement (charter, risk assessment, 2–3 process reviews, and reporting to the board) typically runs 8–10 weeks from initial scoping to final report. An ongoing co-sourced or outsourced internal audit function is usually structured as an annual retainer with quarterly reporting cycles rather than a single project. Timelines vary meaningfully with group complexity, number of legal entities in scope, and data/system access.

Document Checklist
Corporate & Governance Documents

Trade licence(s) for each UAE entity in scope — mainland DED licence and/or free zone authority licence (JAFZA, DMCC, DIFC, ADGM, RAK ICC, Ajman, SHAMS etc.)

Memorandum/Articles of Association and shareholder register for each entity in the group structure

Board and audit committee terms of reference, meeting minutes for the past 12–24 months, and any existing risk register or governance framework

Organisation chart showing reporting lines, segregation of duties, and any related-party relationships between entities or with shareholders/directors

Group structure chart showing all UAE and non-UAE entities, ownership percentages, and intercompany relationships

Financial & Accounting Records

Latest audited financial statements and management accounts for the current and prior period

General ledger and trial balance access (read-only, where system access is being granted for analytics)

Bank statements and bank reconciliation working papers for the review period

Chart of accounts and the accounting policies manual, if one exists

Fixed asset register and depreciation schedules where fixed assets are in scope

Process & Control Documentation

Delegation of authority matrix / approval limits for procurement, payments, and contract signing

Procurement policy, vendor master list, and purchase order/goods-receipt/invoice matching records (three-way match documentation)

Payroll register, WPS (Wage Protection System) submission records, and employment contracts sample for payroll testing

Sales/revenue recognition policy, customer master list, and credit control/collections procedures

IT systems access-control listing — who has access to what modules of the ERP/accounting system, and evidence of periodic access reviews

Tax & Regulatory Compliance Records

VAT registration certificate and recent VAT return filings and reconciliations (Federal Tax Authority / FTA, filed via the EmaraTax portal)

UAE Corporate Tax registration (Tax Registration Number) and, where applicable, the Corporate Tax return, transfer pricing documentation, and Qualifying Free Zone Person analysis

Economic Substance Regulations documentation for financial years prior to 1 January 2023 (ESR notification/report filing obligations under Cabinet Decision No. 98 of 2024 no longer apply to financial years starting on or after that date, but historical filings may still be relevant to a review covering earlier periods)

AML/CFT policy, customer due diligence records, and goAML registration evidence, where the entity falls within a Designated Non-Financial Business and Profession (DNFBP) category under Cabinet Decision No. 10 of 2019

MOHRE-related employment records and any labour dispute history relevant to the entity's HR/payroll control environment

Prior Reviews & Incident History

Any prior internal audit reports, external auditor management letters, or regulator correspondence (DFSA/FSRA if applicable) from the past 2–3 years

Details of any known control incidents, fraud attempts, or whistleblower reports in the review period, even if resolved internally

Insurance claims history relevant to operational risk (e.g. inventory loss, cyber incidents, professional indemnity claims)

IT security incident log and any penetration testing or vulnerability assessment reports, where IT general controls are in scope

Engagement Administration

Signed engagement letter defining scope, fee, timeline, and confidentiality/independence terms

Access arrangements — read-only system logins, office access, and named management liaison for each in-scope process

List of key management and process-owner contacts for walkthrough scheduling

Confirmation of the audit committee/board contact who will receive the final report and own the management action plan tracking

Ongoing obligations
Each phase below gives what triggers it, PNPC's internal audit approach, and the risk if it is ignored.

Charter & First-Cycle Scoping
Triggered by: Board decision to establish internal audit, or a covenant/regulatory trigger
PNPC approach: Draft an Internal Audit Charter establishing independence and reporting line to the audit committee/board. Build the risk-ranked audit universe covering financial, operational, compliance and IT processes across all in-scope UAE entities.
Risk if ignored: Internal audit performed without a charter risks being treated as an extension of finance rather than an independent function — findings get diluted or the exercise loses credibility with the board and any external stakeholder relying on it.

Annual Plan & First Engagements
Triggered by: Charter approved
PNPC approach: Agree the annual plan with the audit committee — typically 2–4 process reviews in year one, prioritised by risk. Begin fieldwork on the highest-risk area first (commonly procurement, payroll/WPS, or treasury).
Risk if ignored: A plan that tries to cover everything in year one is rarely delivered to depth — better to do fewer areas thoroughly than many superficially.

Fieldwork & Reporting Cycle
Triggered by: Ongoing through the year
PNPC approach: Walkthroughs, control testing, data analytics, draft findings discussion with process owners, final report to the audit committee with a risk heat-map and agreed management action plan.
Risk if ignored: Findings not risk-rated or root-caused properly lead to recommendations that fix symptoms, not causes — the same issue resurfaces at the next review or, worse, at year-end statutory audit.

Remediation Tracking
Triggered by: Final report issued
PNPC approach: Track agreed management actions against committed dates; escalate overdue items to the audit committee; report status at each subsequent board cycle.
Risk if ignored: Findings that are reported but never followed up become a compliance box-tick rather than a genuine control improvement — the underlying risk remains live.

Follow-Up Review
Triggered by: 3–6 months after final report, or per audit committee direction
PNPC approach: Re-test the specific controls previously flagged as high or medium risk to confirm remediation was implemented and is operating effectively — not just that a policy was updated on paper.
Risk if ignored: Unverified remediation frequently turns out to be partial or paper-only when tested — a control 'closed' without follow-up testing can quietly reopen.

Regulatory & Structural Change
Triggered by: New Corporate Tax filing position, AML/CFT DNFBP designation, new bank facility, new jurisdiction added to group
PNPC approach: Refresh the risk assessment and audit universe to reflect the change — for example, adding transfer pricing and related-party transaction testing following a Corporate Tax registration, or adding AML/CFT control testing if a DNFBP designation now applies.
Risk if ignored: An audit plan that does not evolve with the business tests yesterday's risks while missing the ones the business has just taken on — for example, a new intercompany flow with an Indian parent that creates untested transfer pricing exposure.

Trigger Event (Fraud Suspicion, Whistleblower Report)
Triggered by: A specific red flag surfaces
PNPC approach: Scope a targeted, independent review — potentially escalating to a dedicated forensic investigation with a different evidentiary standard if the initial review substantiates a serious concern.
Risk if ignored: A slow or informal response to a credible red flag allows further loss, compromises evidence, and — in AML/CFT-relevant scenarios — can create separate regulatory exposure for the entity itself for failing to act on a known concern.

Annual Cycle Renewal
Triggered by: Start of each new financial year or audit cycle
PNPC approach: Refresh the annual plan, re-rank the risk universe, and formally report cumulative progress and residual risk to the board for the year completed.
Risk if ignored: Treating internal audit as a one-off exercise rather than a recurring governance function undermines the credibility of the assurance it is meant to provide to lenders, investors, and regulators over time.

Frequently asked
Is internal audit legally mandatory for a UAE mainland or free zone company?

There is no blanket federal law requiring every mainland or free zone company to maintain an internal audit function. The position differs for DIFC and ADGM entities, particularly those regulated by the DFSA or FSRA — the applicable rulebook for licensed financial services firms in those jurisdictions typically expects an internal audit function proportionate to the firm's size, complexity, and risk profile. For most mainland and other free zone companies (JAFZA, DMCC, RAK ICC, and similar), internal audit is voluntary but frequently driven by bank covenants, investor conditions, or board-level governance decisions rather than statutory obligation.

Practitioner note: We always confirm the client's specific licensing authority and regulator status before scoping — a DIFC-regulated Category 3C firm and a DMCC trading company have very different internal audit expectations, and a one-size-scope proposal is a red flag from any provider.

What is the difference between internal audit and the statutory (external) audit my company already files annually?

Statutory audit expresses an independent opinion on whether your financial statements present a true and fair view, for the benefit of shareholders and your licensing authority. Internal audit is a broader, board-facing function that assesses whether risk management, internal controls, and governance processes are designed well and operating effectively — covering financial, operational, compliance, and IT risk, not just the year-end numbers. Most companies with a mature governance structure run both, and they complement rather than duplicate each other.

Practitioner note: We frequently coordinate with a client's existing external auditor (with management's consent) to share relevant findings and avoid the finance team being asked the same questions twice during audit season.

Who does the internal auditor report to?

For the engagement to have real value, internal audit should report to the audit committee or the board — not to the CFO or finance director whose department and controls are being reviewed. This independence is formally documented in the Internal Audit Charter that PNPC drafts at the start of the engagement, and it is the single most important structural decision in the entire exercise.

Practitioner note: Where a client insists the internal auditor report solely to the CFO, we flag this directly — it undermines the independence that gives the exercise its credibility with lenders, investors, and (where relevant) regulators.

How long does a first-cycle internal audit engagement take?

A typical first cycle — charter, risk assessment, 2–3 prioritised process reviews, and a final report to the board — runs approximately 8–10 weeks from initial scoping conversation to final report. This varies with group complexity, the number of legal entities in scope, and the readiness of the client's data and system access.

Practitioner note: We are cautious about proposals that promise a full internal audit cycle in 2 weeks — proper walkthroughs, sample testing, and root-cause discussion with process owners take real time; compressing it too far usually means the depth suffers.

Can PNPC act as our fully outsourced internal audit function rather than us hiring in-house?

Yes. Many UAE companies — particularly those below the size where a dedicated in-house internal audit department is cost-justified — outsource the entire function to an external firm on a recurring annual cycle with quarterly reporting to the audit committee. PNPC structures this as an ongoing retainer rather than a single project, which allows the audit plan to build year-on-year institutional knowledge of the business.

Practitioner note: For groups with an India-UAE structure, an outsourced internal audit function run by a firm already familiar with both jurisdictions avoids the loss of context that happens when separate, unconnected advisors are engaged in each country.

What is a co-sourced internal audit arrangement, and when does it make sense?

Co-sourcing means the client has an in-house internal audit team or function, and engages PNPC to supplement it — typically for specialist skills the in-house team does not have, such as IT general controls testing, forensic techniques, treasury risk review, or additional capacity during a busy reporting period. It is common for larger groups that want to retain institutional knowledge in-house while accessing specialist external expertise for specific engagements.

Practitioner note: We scope co-sourced engagements narrowly and explicitly to avoid overlap with the in-house team's existing plan — duplicated coverage wastes budget and creates confusion over who owns which finding.

What processes are typically covered in a UAE internal audit?

The specific scope depends on the risk assessment, but common areas include procurement-to-pay, order-to-cash and revenue recognition, payroll and WPS compliance, treasury and bank reconciliations, inventory and logistics (for trading and manufacturing businesses), contract management, IT general controls and access management, related-party transactions and intercompany flows, and compliance controls around VAT, Corporate Tax positions, and — where relevant — AML/CFT obligations.

Practitioner note: We push back on clients who want to skip the risk assessment and jump straight to a fixed checklist — the highest-value engagements are scoped to the entity's actual risk profile, not a generic template copied across every client regardless of industry.

Does internal audit cover VAT and Corporate Tax compliance?

Internal audit tests the controls around your VAT and Corporate Tax positions — for example, whether input VAT is being correctly classified, whether related-party transactions are properly documented for transfer pricing purposes, and whether the conditions for any Qualifying Free Zone Person 0% Corporate Tax treatment are being monitored and evidenced on an ongoing basis. It does not replace dedicated VAT return preparation or Corporate Tax compliance and advisory work, which are separate engagements, though findings from an internal audit frequently identify gaps that then feed into that tax advisory work.

Practitioner note: We increasingly see Corporate Tax-related control gaps — particularly around related-party transaction documentation and Free Zone qualifying income conditions — surface as a leading finding category in internal audit work since the Corporate Tax regime came into effect.

What is EmaraTax and why does it come up in an internal audit?

EmaraTax is the Federal Tax Authority's current digital portal for VAT and Corporate Tax registration, filing, and correspondence, live since December 2022. During an internal audit, we check that the client's FTA filings and reconciliations are being maintained through EmaraTax correctly and that access to the portal is properly controlled — a reference in a client's internal procedures to the older FTA filing portal is itself a minor finding, since that portal has been superseded.

Practitioner note: We occasionally find internal procedure documents at client sites still referencing the legacy FTA platform — a small but telling sign that internal documentation has not been refreshed since the EmaraTax transition.

Are Economic Substance Regulations (ESR) still something internal audit needs to check?

ESR notification and report filing obligations were discontinued for financial years starting on or after 1 January 2023, under Cabinet Decision No. 98 of 2024. For current and future financial years, ESR is not a live, ongoing filing obligation to test. Where an internal audit engagement covers historical periods before that date, ESR compliance for those earlier financial years may still be relevant, including any outstanding penalties or unresolved notices from that period.

Practitioner note: We specifically flag to clients that ESR is a historical compliance matter now, not a current annual obligation — some management teams are still budgeting time and cost for an obligation that no longer applies going forward.

How does internal audit help with AML/CFT compliance for Designated Non-Financial Businesses and Professions (DNFBPs)?

Certain UAE businesses — including real estate brokers/agents, dealers in precious metals and stones, and independent legal/accounting professionals providing specified services, among others — fall within the DNFBP category under Cabinet Decision No. 10 of 2019 and must maintain AML/CFT policies, conduct customer due diligence, and register on the goAML platform. Internal audit tests whether these controls are actually operating — customer due diligence completeness, suspicious transaction reporting discipline, and staff training records — rather than simply confirming a policy document exists.

Practitioner note: A policy sitting in a drawer that nobody follows is one of the most common AML/CFT findings we identify — the gap between documented policy and actual practice is exactly what internal audit is designed to surface.

What is WPS and why does internal audit test it?

The Wage Protection System (WPS) is the electronic salary transfer system mandated by the Ministry of Human Resources and Emiratisation (MOHRE) for tracking timely payment of wages to employees through registered UAE banks or exchange houses. Internal audit tests whether payroll processing and WPS submissions are timely, accurate, and properly authorised, since WPS non-compliance can trigger MOHRE penalties and, in serious or repeated cases, restrictions on a company's ability to process new work permits.

Practitioner note: Payroll and WPS testing is one of the highest-value quick wins in a first-cycle internal audit — errors here are common, correctable, and carry real regulatory exposure if left unaddressed.

Can internal audit uncover fraud, and what happens if it does?

Internal audit procedures — particularly data analytics, segregation-of-duties testing, and exception testing — are designed to identify red flags and control weaknesses that could enable fraud, and can and do uncover suspected irregularities. However, internal audit is not itself a forensic investigation. Where a credible fraud indicator is identified, we recommend escalating to a dedicated forensic investigation engagement with a different evidentiary standard, methodology, and (where appropriate) legal counsel involvement, rather than continuing under the standard internal audit scope.

Practitioner note: We are explicit with clients about this distinction upfront — continuing to treat a fraud-suspicion finding as a routine internal audit matter, rather than escalating it, can compromise the evidentiary value of what is later needed if the matter proceeds to litigation or a police/regulatory referral.

Does PNPC use data analytics in its internal audit work, or only manual sample testing?

Where the client's systems support it, we run data analytics across the full population of relevant transactions — for example, testing for duplicate payments, unusual vendor master changes, weekend or after-hours system postings, round-sum invoices, and segregation-of-duties conflicts within the ERP access profile — in addition to traditional manual sample testing of walkthroughs and control operation.

Practitioner note: Full-population analytics catch patterns that a 25-transaction manual sample simply cannot — we treat analytics as a standard component of scope wherever system access allows it, not as a premium add-on.

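The full-population tests named above (duplicate payments, weekend or after-hours postings, round-sum invoices, and segregation-of-duties conflicts in ERP access profiles) can be illustrated in code. The block below is an added example written for this page, not PNPC's own tooling: it runs each test over a small constructed payments ledger and a constructed set of ERP access profiles. The column names, the working-hours window, the weekend days, and the list of conflicting function pairs are all assumptions that would be replaced with the client's actual extract and policy.

```python
from collections import defaultdict
from datetime import date

# Constructed sample payments ledger for illustration only (not client data).
# Assumed columns: payment id, vendor id, amount (AED), posting date,
# posting time as zero-padded HH:MM, and the user who posted it.
PAYMENTS = [
    {"id": "P001", "vendor": "V100", "amount": 12500.00, "date": date(2024, 3, 4), "time": "10:12", "user": "alice"},
    {"id": "P002", "vendor": "V100", "amount": 12500.00, "date": date(2024, 3, 6), "time": "11:40", "user": "alice"},
    {"id": "P003", "vendor": "V200", "amount": 50000.00, "date": date(2024, 3, 9), "time": "14:05", "user": "bob"},
    {"id": "P004", "vendor": "V300", "amount": 7320.55, "date": date(2024, 3, 11), "time": "22:30", "user": "carol"},
    {"id": "P005", "vendor": "V400", "amount": 3210.00, "date": date(2024, 3, 12), "time": "09:15", "user": "dave"},
]

# Constructed ERP access profiles (user -> set of assigned functions) and the
# function pairs that should never sit with one user. Both are assumptions.
ACCESS_PROFILES = {
    "alice": {"create_vendor", "approve_payment"},
    "bob": {"post_journal"},
    "carol": {"create_po", "approve_payment"},
    "dave": {"create_vendor"},
}
SOD_CONFLICTS = [
    ("create_vendor", "approve_payment"),
    ("create_po", "approve_payment"),
    ("create_po", "receive_goods"),
]


def duplicate_payments(payments, window_days=30):
    """Pairs of payments to the same vendor for the same amount within window_days."""
    by_key = defaultdict(list)
    for p in payments:
        by_key[(p["vendor"], round(p["amount"], 2))].append(p)
    hits = []
    for group in by_key.values():
        group = sorted(group, key=lambda p: p["date"])
        for i, first in enumerate(group):
            for later in group[i + 1:]:
                if (later["date"] - first["date"]).days <= window_days:
                    hits.append((first["id"], later["id"]))
    return sorted(hits)


def off_hours_postings(payments, weekend_days=(5, 6), start="08:00", end="18:00"):
    """Postings on a weekend day or outside the working window (HH:MM, 24h).

    weekend_days uses Python weekday numbering (Monday=0); the default of
    Saturday/Sunday is an assumption and should be set to the client's week.
    """
    flagged = {}
    for p in payments:
        reasons = []
        if p["date"].weekday() in weekend_days:
            reasons.append("weekend")
        if not (start <= p["time"] <= end):
            reasons.append("after_hours")
        if reasons:
            flagged[p["id"]] = reasons
    return flagged


def round_sum_payments(payments, min_amount=10000, unit=1000):
    """Payments at or above min_amount that are an exact multiple of unit."""
    return sorted(
        p["id"] for p in payments
        if p["amount"] >= min_amount and round(p["amount"], 2) % unit == 0
    )


def sod_conflicts(profiles, conflicts):
    """(user, function_a, function_b) for every conflicting pair held by one user."""
    found = []
    for user in sorted(profiles):
        for a, b in conflicts:
            if a in profiles[user] and b in profiles[user]:
                found.append((user, a, b))
    return found


if __name__ == "__main__":
    print("duplicates:", duplicate_payments(PAYMENTS))
    print("off-hours:", off_hours_postings(PAYMENTS))
    print("round sums:", round_sum_payments(PAYMENTS))
    print("SoD conflicts:", sod_conflicts(ACCESS_PROFILES, SOD_CONFLICTS))
```

Each function returns the flagged items rather than a verdict: in practice every hit is a lead for a walkthrough with the process owner, not a finding in itself, which is why the thresholds (duplicate window, round-sum floor, working hours) are parameters agreed at scoping rather than fixed values.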
How are internal audit findings rated, and what does 'high risk' actually mean in a report?

PNPC rates each finding by risk level (typically high, medium, or low) based on the likelihood of the control failure occurring again and the potential financial, regulatory, or reputational impact if it does. A high-risk finding is one where a material control is missing or not operating, with meaningful potential impact — for example, no segregation of duties between vendor master creation and payment approval. Ratings drive prioritisation of both the audit committee's attention and management's remediation timeline.

Practitioner note: We resist rating everything 'high risk' to appear thorough — an inflated risk rating dilutes the credibility of the genuinely high-risk findings that need immediate board attention.

What happens after the final internal audit report is issued — does PNPC just move on to the next engagement?

No. Every final report includes an agreed management action plan with named owners and committed remediation dates. PNPC tracks these actions and reports status at each subsequent audit committee cycle, and typically conducts a formal follow-up review 3–6 months later to re-test whether the previously flagged controls have actually been remediated and are operating effectively.

Practitioner note: Findings without follow-up are, in our experience, the single biggest reason internal audit programmes lose credibility with boards over time — we build follow-up into the engagement from the outset rather than treating it as optional.

Our group has entities in both the UAE and India. Does PNPC handle internal audit across both jurisdictions?

Yes. PNPC operates from offices in the UAE (Dubai) and India (Chennai, Bangalore, Hyderabad), and for groups with cross-border structures we run internal audit engagements that specifically test intercompany transactions, transfer pricing documentation, and related-party disclosure consistency across both jurisdictions under one coordinated engagement — rather than splitting the work between two disconnected advisors who lose context in the handoff.

Practitioner note: Cross-border related-party transactions are one of the most common areas where UAE Corporate Tax and Indian transfer pricing rules interact, and reviewing them in isolation on either side alone misses the full picture.

How does internal audit interact with our external (statutory) auditor's work?

With management's consent, PNPC shares relevant internal audit findings with the client's external auditor to avoid duplicated testing effort and to flag matters relevant to the year-end statutory audit — for example, a control weakness in revenue recognition that the external auditor would want to factor into their own audit risk assessment. This coordination typically reduces the overall burden on the finance team during year-end audit season.

Practitioner note: We always confirm scope boundaries with the external auditor directly rather than relying on management to relay technical findings accurately between the two teams.

Is internal audit relevant for a small, owner-managed UAE company with no external investors?

It can be, but a full internal audit cycle may not be proportionate for a very small business with limited transaction volume and no bank covenant, investor, or regulatory driver. In these cases, a lighter-touch internal controls health check — a focused, one-off review of the highest-risk processes such as cash handling, procurement authorisation, and payroll — is often a more proportionate and cost-effective starting point than establishing a recurring internal audit function.

Practitioner note: We scope down honestly for smaller clients rather than selling a disproportionately large internal audit programme — the right-sized engagement builds trust and often leads naturally into a full programme as the business grows.

What qualifications does PNPC's internal audit team hold?

PNPC's internal audit engagements are led by Chartered Accountants with practising experience across statutory audit, internal audit, and forensic engagements in both the UAE and India since 1986. Where an engagement requires specialist IT audit or data analytics skills, we bring in the relevant specialist as part of the engagement team rather than stretching a generalist auditor beyond their expertise.

Practitioner note: We are candid with clients about which specific team members hold which specialisation — IT general controls testing and treasury risk review call for different skill sets than a standard procure-to-pay walkthrough, and we staff accordingly.

How is the fee for an internal audit engagement structured?

PNPC agrees a fixed fee for each defined engagement — whether that is a first-cycle scoping and 2-3 process reviews, an ongoing outsourced internal audit retainer, or a targeted single-process review — confirmed in writing before work begins. Fee depends on the number of legal entities in scope, the complexity and risk profile of the processes under review, and whether data analytics and specialist IT audit skills are required.

Practitioner note: We provide a written scope and fee letter for every engagement before any fieldwork starts — a provider unwilling to commit fee and scope in writing upfront is worth being cautious about.

Can internal audit findings affect our UAE Corporate Tax position?

Indirectly, yes. Internal audit may identify weaknesses in how related-party transactions are documented, how a Qualifying Free Zone Person's income is tracked and evidenced against the qualifying conditions, or how transfer pricing policies are actually being applied in practice versus how they are documented on paper — all of which are directly relevant to a company's Corporate Tax position under Federal Decree-Law No. 47 of 2022. Where such gaps are found, we recommend they feed into a dedicated Corporate Tax advisory review rather than being left as an internal audit finding alone.

Practitioner note: We treat Corporate Tax-linked control findings as a priority escalation item for the audit committee given the direct financial exposure involved, rather than filing them alongside lower-stakes operational findings.

What is a risk heat-map and why is it in our final internal audit report?

A risk heat-map is a visual summary — typically plotting likelihood against impact — that gives the board a quick, prioritised view of where the organisation's control weaknesses sit relative to each other, before they read the detailed findings. It helps a busy audit committee focus discussion time on the highest-priority items first rather than working through every finding in the order it happened to be written up.

Practitioner note: We build the heat-map collaboratively with the audit committee chair before the final board presentation, so the visual reflects genuine board priorities rather than just the auditor's internal ranking.

How does internal audit differ for a DIFC or ADGM regulated financial services firm versus a mainland trading company?

DIFC and ADGM regulated firms operate under the DFSA or FSRA rulebook respectively, which typically expects an internal audit function proportionate to the firm's category and risk profile, and may prescribe specific areas of focus (client money handling, prudential capital adequacy monitoring, conduct risk). A mainland trading company under DED licensing has no equivalent regulator-driven internal audit expectation, so the scope is shaped purely by the board's own risk appetite, bank covenants, or investor requirements rather than a regulatory rulebook.

Practitioner note: We confirm the specific DFSA or FSRA category (where applicable) at scoping stage, since the prescribed areas of regulatory focus materially change what the audit plan must prioritise in year one.

What if management disagrees with an internal audit finding?

We discuss draft findings with process owners before finalising the report specifically to correct any factual errors and to reach an agreed, realistic remediation timeline. Where management genuinely disagrees with the risk rating or the recommendation itself (rather than a factual detail), the disagreement and management's rationale are documented transparently in the final report to the audit committee — the board, not the auditor or management alone, makes the final call on residual risk acceptance.

Practitioner note: Documenting a genuine management disagreement transparently, rather than either overriding it or quietly softening the finding, is what preserves the credibility and independence of the internal audit function over time.

Does internal audit review our IT systems and cybersecurity controls?

IT general controls — user access management, segregation of duties within the ERP, change management over system configurations, and backup/business continuity arrangements — are a standard component of most internal audit scopes. A deep technical cybersecurity penetration test or vulnerability assessment is a more specialist, separate engagement, though internal audit will review whether such testing has been performed and whether its findings have been actioned.

Practitioner note: We bring in a specialist IT audit resource for ERP access control testing rather than having a generalist financial auditor attempt technical system configuration reviews outside their expertise.

How often should an ongoing internal audit function refresh its risk assessment?

At minimum annually, at the start of each new audit cycle — but also whenever a significant structural change occurs, such as a new Corporate Tax filing position, a new AML/CFT DNFBP designation, a new bank facility with fresh covenants, or expansion into a new jurisdiction. A risk assessment that is not refreshed continues testing yesterday's risks while missing new exposures the business has taken on.

Practitioner note: We build a short mid-cycle risk-refresh checkpoint into ongoing retainer engagements specifically to catch structural changes that happen between annual planning cycles.

What is the realistic cost range for an internal audit engagement in the UAE?

Cost varies significantly with the number of legal entities in scope, the number and complexity of processes under review, whether data analytics and specialist IT audit skills are required, and whether the engagement is a single project or an ongoing annual retainer. Rather than quoting a generic figure that would be misleading across very different engagement sizes, PNPC scopes each engagement individually and provides a fixed, written fee quote before work begins.

Practitioner note: We are wary of any provider quoting a single flat fee for 'internal audit' without first understanding your entity structure and risk profile — the range across engagement types is simply too wide for a generic number to be meaningful.

Can internal audit help us prepare for a bank facility renewal or a new investor round?

Yes. Lenders and investors increasingly expect to see evidence of a functioning internal control environment and, in many cases, an internal audit report or management letter as part of due diligence. An internal audit review ahead of a facility renewal or funding round can identify and help remediate control gaps before an external party's due diligence team finds them — putting the company in a stronger negotiating position.

Practitioner note: We have seen deals slow down materially when a lender's or investor's own due diligence team surfaces a control gap that internal audit would have caught and allowed management to fix months earlier — proactive review is consistently cheaper than reactive scrambling during diligence.

Does internal audit cover related-party transactions between UAE group entities?

Yes, this is frequently one of the highest-priority areas in an internal audit scope for group structures, particularly given the transfer pricing documentation and related-party disclosure requirements introduced under the UAE Corporate Tax regime. Internal audit tests whether related-party transactions are properly authorised, priced on an arm's-length basis where required, and adequately documented to support the company's Corporate Tax position.

Practitioner note: Related-party transaction testing is one of the fastest-growing areas of internal audit demand we see since Corporate Tax came into effect — clients are increasingly proactive about this rather than waiting for an FTA query.

What is the difference between a management letter from our external auditor and an internal audit report?

A management letter from the external auditor typically flags control observations that came to light incidentally during the statutory financial statement audit — it is a by-product of that audit, not its main purpose, and is usually narrower in scope. An internal audit report is the direct output of a dedicated, independent review specifically scoped to assess risk management, controls, and governance across the areas identified in the risk assessment — broader in scope and intent than an audit by-product.

Practitioner note: We often find that issues raised lightly in an external auditor's management letter turn out to be far more significant once tested properly through a dedicated internal audit scope and full-population data analytics.

How does PNPC ensure independence when we are also PNPC's accounting or tax client?

Where PNPC provides both internal audit and other services (accounting, tax advisory) to the same client, we structure the engagement teams separately and document the independence safeguards in the Internal Audit Charter and engagement letter — the internal audit team does not review its own work product from another service line without appropriate safeguards, and we discuss any potential conflict transparently with the client's board before accepting the engagement.

Practitioner note: For a client where PNPC is also the statutory auditor, we are particularly careful about scope boundaries — some jurisdictions and regulators restrict a statutory auditor from also performing certain internal audit functions for the same client, and we advise clients on this explicitly rather than assuming it away.

What happens if internal audit identifies a Corporate Tax or VAT filing error that has already been submitted to the FTA?

We flag this immediately to the audit committee and recommend the client's tax advisor (PNPC or otherwise) assess whether a voluntary disclosure to the Federal Tax Authority via EmaraTax is appropriate to correct the error, given that timely voluntary disclosure is generally treated more favourably than an error later identified through an FTA audit or enforcement action.

Practitioner note: Speed matters here — the sooner a filing error is identified and corrected voluntarily, the more favourably it is typically viewed; sitting on a known error while deciding what to do is the wrong instinct.

Is internal audit only relevant to large companies, or does it make sense for a mid-sized UAE business too?

Internal audit scales to the size and complexity of the business. A mid-sized UAE company with growing headcount, multiple free zone or mainland entities, bank facilities, or investor involvement is often exactly the profile where internal controls have not kept pace with growth — making a proportionate, risk-based internal audit review particularly valuable, well before the company reaches the scale where a large corporate would typically establish the function.

Practitioner note: Some of our most valuable internal audit engagements have been for mid-sized, fast-growing companies precisely because their controls had not caught up with their revenue growth — the gap is often widest at that stage, not at the largest scale.

Why should we engage PNPC rather than a generic internal audit provider or a Big Four firm?

PNPC brings decades of practising Chartered Accountancy experience across both the UAE and India, giving genuine cross-border coordination for group structures rather than a handoff between disconnected firms. Unlike a large network firm, our engagement teams are led by partners directly involved in scoping, fieldwork, and board reporting — not delegated substantially to junior staff with limited partner oversight. Unlike a low-cost generic provider, we scope from a genuine risk assessment specific to your business rather than a templated checklist, and we build in follow-up review as standard rather than treating the final report as the end of the engagement.

Practitioner note: Ask any prospective internal audit provider two questions: who specifically leads the fieldwork, and do they include a follow-up review as standard. The answers reveal a lot about how seriously the provider treats the engagement beyond the initial report.

How many people does PNPC typically put on a first-cycle internal audit engagement?

A first-cycle engagement is usually staffed with a partner or director for scoping, charter drafting, and the final board presentation, plus one or two seniors for fieldwork — process walkthroughs, control testing, and draft findings work. Specialist resources (IT audit, data analytics) are added only where the risk assessment identifies a genuine need for that skill set, rather than being bundled into every engagement by default.

Practitioner note: We size the team to the actual risk-ranked scope agreed at the charter stage — over-staffing a small first-cycle engagement inflates fees without adding proportionate assurance value.

Do we need to grant PNPC live access to our accounting system for internal audit, or is a data extract enough?

Where full-population data analytics are in scope — testing for duplicate payments, unusual vendor master changes, or segregation-of-duties conflicts — a clean, complete data extract for the review period is usually sufficient and preferred over live read-only access, since it avoids any risk of the audit team inadvertently changing production data. Live read-only access is occasionally requested for walkthrough purposes, always agreed explicitly in the engagement letter and access arrangements.

Practitioner note: We specify exactly which system access is needed at the scoping stage rather than requesting broad access 'just in case' — narrower, purpose-specific access requests also make it easier for the client's IT team to approve quickly.

What happens if our systems can't produce a clean data extract for analytics testing?

Where the client's ERP or accounting system cannot readily produce a clean transaction-level extract, PNPC falls back to structured manual sample testing based on statistically reasoned sample sizes rather than pretending full-population analytics occurred. This is flagged transparently in the final report as a scope limitation, and often becomes a recommendation in itself — poor system reporting capability is frequently a control weakness worth reporting on its own.

Practitioner note: A provider who silently substitutes a thin manual sample for promised full-population analytics without disclosing the limitation is doing the client a disservice — we always name the constraint in the report.

Will internal audit disrupt our day-to-day operations while fieldwork is happening?

Fieldwork is scheduled around process-owner availability, typically requiring a few hours of walkthrough time per process from each relevant staff member plus document/system access, rather than a continuous on-site presence. For most mid-sized UAE businesses, a first-cycle engagement's fieldwork can be completed with a handful of scheduled sessions per process rather than an extended embedded presence that disrupts daily operations.

Practitioner note: We agree a walkthrough schedule with named process owners in advance rather than arriving unannounced — this respects the team's time and produces better-quality walkthroughs than rushed, ad hoc sessions.

Can internal audit be performed remotely, or does PNPC need to be on-site in the UAE?

Much of an internal audit engagement — document review, data analytics, draft findings discussion, and even walkthroughs where screen-sharing is practical — can be conducted remotely. Certain elements benefit materially from an on-site presence: physical inventory or asset verification, observing segregation of duties in a warehouse or retail environment, and the final board presentation, which we generally recommend delivering in person where feasible.

Practitioner note: We agree the remote/on-site split explicitly at scoping stage based on the specific processes in scope, rather than defaulting to either extreme regardless of what the engagement actually needs.

How does internal audit treat a related-party loan between a UAE parent and an Indian subsidiary?

We test whether the loan is properly authorised under the delegation of authority matrix, documented with formal loan terms and interest treatment consistent with arm's-length pricing expectations under the UAE Corporate Tax related-party rules, and correctly reflected as a related-party transaction in both the UAE entity's and the Indian entity's books. Gaps here are flagged as a priority finding given the direct Corporate Tax and transfer pricing exposure on the UAE side.

Practitioner note: Intercompany loans between UAE and Indian group entities are one of the most under-documented transaction types we encounter — verbal understanding between family shareholders rarely survives contact with a formal transfer pricing review.

What's the difference between a 'design deficiency' and an 'operating deficiency' in an internal audit finding?

A design deficiency means the control itself is inadequate even if performed exactly as intended — for example, an approval limit that lets one person authorise both the purchase order and the payment. An operating deficiency means the control design is adequate on paper but is not actually being performed consistently in practice — for example, a required three-way match that is regularly skipped under time pressure. The two require different remediation: design deficiencies need a policy or system change, operating deficiencies need enforcement, training, or workload correction.

Practitioner note: We classify every finding as one or the other explicitly in the report, because the two failure types call for genuinely different management responses — treating an enforcement problem as if it needs a new policy rarely fixes anything.

Does internal audit test our vendor onboarding and vendor master file controls specifically?

Yes, vendor master file integrity is a standard component of procurement-to-pay testing — we check who can create or amend a vendor record, whether new vendors require independent verification (bank account confirmation, trade licence check, sanctions screening where relevant), and whether historical vendor master changes show any unusual patterns such as changes shortly before a large payment run.

Practitioner note: Vendor master manipulation is one of the more common fraud vectors we test for specifically — a single unauthorised bank-detail change on an existing vendor record is a classic precursor to a diverted payment.

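The vendor master checks described in the answer above (independent verification at onboarding, who approves record changes, and bank-detail changes shortly before a large payment run) can be expressed as detection logic over the ERP's change log. The block below is an added example written for this page, not PNPC's own tooling: it runs the three checks over a constructed vendor master, change log, and payment-run extract. The field names, the set of fields treated as bank details, the lookback window, and the payment threshold are all assumptions to be replaced with the client's actual data and approval policy.

```python
from datetime import date

# Constructed vendor master records for illustration only (not client data).
# The three verification flags mirror the onboarding checks named in the
# answer above; the field names are assumptions.
VENDORS = [
    {"id": "V100", "name": "Gulf Supplies LLC", "bank_confirmed": True, "licence_checked": True, "sanctions_screened": True},
    {"id": "V200", "name": "Desert Logistics FZE", "bank_confirmed": False, "licence_checked": True, "sanctions_screened": True},
    {"id": "V300", "name": "Coastal Trading LLC", "bank_confirmed": True, "licence_checked": True, "sanctions_screened": True},
]

# Constructed vendor master change log (assumed structure). approved_by is
# None when the ERP recorded no approver for the change.
CHANGES = [
    {"vendor": "V100", "field": "iban", "changed_by": "alice", "approved_by": "fatima", "on": date(2024, 5, 2)},
    {"vendor": "V200", "field": "address", "changed_by": "carol", "approved_by": "fatima", "on": date(2024, 5, 15)},
    {"vendor": "V300", "field": "iban", "changed_by": "bob", "approved_by": None, "on": date(2024, 5, 20)},
    {"vendor": "V300", "field": "iban", "changed_by": "bob", "approved_by": "bob", "on": date(2024, 5, 29)},
]

# Constructed payment runs (assumed structure): vendor, amount in AED, run date.
PAYMENT_RUNS = [
    {"vendor": "V100", "amount": 8000.00, "on": date(2024, 5, 30)},
    {"vendor": "V300", "amount": 250000.00, "on": date(2024, 5, 24)},
]

# Which master-file fields count as bank details is an assumption.
BANK_FIELDS = {"iban", "bank_name", "swift"}
REQUIRED_CHECKS = ("bank_confirmed", "licence_checked", "sanctions_screened")


def incomplete_onboarding(vendors, required=REQUIRED_CHECKS):
    """Vendors missing any required independent verification step, with the gaps."""
    return [
        (v["id"], [c for c in required if not v.get(c)])
        for v in vendors
        if any(not v.get(c) for c in required)
    ]


def unapproved_bank_changes(changes, bank_fields=BANK_FIELDS):
    """Bank-detail changes with no approver, or approved by the person who made them."""
    found = []
    for c in changes:
        if c["field"] not in bank_fields:
            continue
        if c["approved_by"] is None:
            found.append((c["vendor"], c["on"].isoformat(), "no independent approver"))
        elif c["approved_by"] == c["changed_by"]:
            found.append((c["vendor"], c["on"].isoformat(), "self-approved"))
    return found


def bank_change_before_payment(changes, runs, days=14, min_amount=50000, bank_fields=BANK_FIELDS):
    """Bank-detail changes made within `days` before a payment of at least min_amount.

    Returns (vendor, change date, payment date, amount) for each hit.
    """
    found = []
    for c in changes:
        if c["field"] not in bank_fields:
            continue
        for r in runs:
            if r["vendor"] != c["vendor"] or r["amount"] < min_amount:
                continue
            gap = (r["on"] - c["on"]).days
            if 0 <= gap <= days:
                found.append((c["vendor"], c["on"].isoformat(), r["on"].isoformat(), r["amount"]))
    return sorted(found)


if __name__ == "__main__":
    print("incomplete onboarding:", incomplete_onboarding(VENDORS))
    print("unapproved bank changes:", unapproved_bank_changes(CHANGES))
    print("bank change before large payment:", bank_change_before_payment(CHANGES, PAYMENT_RUNS))
```

In the constructed data, V300's IBAN is changed without an approver four days before a large payment and then changed again with the same user approving his own change; the third check surfaces the first event and the second check surfaces both, which is the kind of sequence that turns a change-log query into a walkthrough question for the accounts payable owner.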
Can internal audit review our cash-handling controls for a retail or F&B business with multiple outlets?

Yes, cash-handling and till reconciliation controls are a common focus area for multi-outlet retail and F&B clients — testing includes till count versus system reconciliation, manager override authority for discounts/voids, cash deposit timing and custody, and whether outlet-level exceptions are escalated and reviewed centrally rather than resolved locally without visibility.

Practitioner note: Multi-outlet cash businesses often have strong controls on paper at head office but inconsistent actual practice outlet-to-outlet — we sample across several locations rather than relying on head office's description of a single 'standard' process.

What if our internal audit review overlaps with a process our external auditor already tested this year?

We coordinate with the external auditor, with management's consent, specifically to avoid duplicating tests already performed for the statutory audit — internal audit typically goes deeper on operational effectiveness and root cause than a statutory audit's control reliance testing, so genuine overlap is usually limited, but where it exists we scope around it to reduce the burden on the finance team.

Practitioner note: We ask the client to introduce us to the external audit engagement partner early in scoping specifically to map out where genuine duplication risk exists before fieldwork starts, not after.

How does internal audit handle a UAE free zone company that also has a branch registered on the mainland?

We treat the free zone entity and the mainland branch as related but distinct licensing and regulatory profiles — testing whether intercompany transactions between them are properly documented, whether each maintains the records its specific licensing authority requires, and whether Qualifying Free Zone Person conditions (if claimed) are being tracked with the discipline the Corporate Tax regime requires, since mixing mainland and free zone activity incorrectly can jeopardise the 0% qualifying income treatment.

Practitioner note: We see confusion between free zone and mainland branch record-keeping surface as a Corporate Tax risk more often than clients expect — the two licences carry genuinely different compliance obligations even under one group.

Does PNPC provide a sample internal audit report or charter template before we commit to an engagement?

We can share an anonymised excerpt of a prior internal audit charter and a redacted sample findings format during the scoping conversation, so the board or owner understands what the deliverable actually looks like before signing the engagement letter. We do not, however, hand over a generic full template for self-service use, since a charter and findings report only have value when built around your specific entity structure and risk profile.

Practitioner note: Seeing a redacted real deliverable, rather than a marketing brochure, is usually what convinces a first-time board that internal audit produces something genuinely useful rather than a boilerplate document.

How does internal audit differ when the client is a holding company with no direct operations of its own?

For a pure holding company, the internal audit scope shifts toward governance of the group's investment and intercompany activity — board minute quality and authorisation for major decisions, intercompany loan and guarantee documentation, consolidation and related-party disclosure accuracy, and oversight controls over the operating subsidiaries — rather than transaction-level testing of procurement or payroll, which sits at the operating-entity level instead.

Practitioner note: Holding company internal audit is frequently under-scoped by generic providers who default to a standard operating-company checklist that simply doesn't fit a structure with no transactions of its own.

What internal audit red flags are specific to a UAE trading or import/export business?

Common red flags include inventory shrinkage not reconciled to a documented cause, customs declarations that don't tie to purchase invoices or the importer/exporter code registration, credit terms extended to related parties outside normal approval limits, and unusual patterns in freight-forwarder or customs-agent selection without a documented vendor approval process.

Practitioner note: Customs code and import/export documentation mismatches are an area we specifically probe for trading clients — they are frequently the first thing an FTA or customs review would test, so catching gaps early through internal audit is genuinely protective.

How does internal audit handle a business that runs its accounting substantially on spreadsheets rather than an ERP?

Spreadsheet-based environments require a different testing approach — we focus heavily on version control (is there one authoritative file or several competing copies), formula integrity (are formulas being overwritten with hardcoded values), access control (who can edit versus view), and reconciliation discipline, since the absence of system-enforced controls means procedural discipline is doing all the work that an ERP's access controls would normally do.

Practitioner note: Spreadsheet risk is consistently underestimated by management until we walk through how easily a single overwritten formula or an unsaved competing file version can silently distort a number relied on for board or bank reporting.

Does internal audit review our insurance coverage adequacy, or just claims history?

Internal audit typically reviews insurance as a risk-management control point — whether coverage levels are periodically reassessed against actual asset values and operational risk, whether renewal decisions are documented and approved at an appropriate level, and whether claims history reveals a recurring operational weakness (for example, repeated inventory loss claims pointing to a warehouse security gap) — rather than assessing whether the specific policy terms themselves are commercially optimal, which is an insurance broker's role.

Practitioner note: We frequently find claims history is treated as a closed file rather than a signal — three inventory-loss claims in two years at the same warehouse is an operational control finding, not just an insurance administration matter.

How does PNPC handle confidential or sensitive findings that involve a senior manager or family shareholder?

Findings are reported factually and risk-rated on the same basis regardless of who is involved — the Internal Audit Charter's independence provisions exist precisely to protect this. Where a finding involves a senior individual, we document it directly to the audit committee or board rather than softening it in discussion with the individual concerned, and we discuss escalation sensitivities candidly with the board chair before the finding is finalised, particularly in family-owned structures where a shareholder may also hold an operational role.

Practitioner note: This is the single hardest test of genuine independence in a family-owned UAE business — we have walked away from continuing an engagement where a board member wanted the internal audit function to soften findings involving a related individual.

What internal audit considerations apply specifically to a business holding client money (e.g. real estate escrow, law firm client accounts)?

Where a business holds client money — real estate escrow accounts, law firm client accounts, or similar fiduciary arrangements — internal audit specifically tests segregation of client funds from company operating funds, reconciliation frequency and independence, and whether the relevant regulator's client-money rules (RERA escrow requirements for real estate, or DFSA/FSRA client-money rules for regulated firms) are being evidenced, not just assumed to be followed.

Practitioner note: Client-money segregation failures carry regulatory as well as reputational exposure, and we treat any finding in this specific area as an immediate escalation item to the audit committee rather than a routine finding awaiting the next reporting cycle.

How does internal audit adjust its approach for a business that has just completed an acquisition?

Post-acquisition, we typically prioritise testing whether the acquired entity's controls, chart of accounts, and approval matrix have actually been integrated into the group's standards — rather than left running on the target's legacy (and often less rigorous) processes — and whether opening balance sheet items and any completion accounts adjustments were properly supported and reconciled.

Practitioner note: The most common post-acquisition control gap we see is the acquired entity quietly continuing its old, weaker approval practices for months after completion because nobody formally required the transition — internal audit is often the first function to catch this.

Does PNPC's internal audit work extend to reviewing board minute quality and governance documentation itself?

Yes — for entities where governance maturity is part of the risk assessment (family businesses professionalising ahead of investment, DIFC/ADGM regulated firms), we review whether board and audit committee minutes evidence genuine discussion and decision-making on material matters, rather than being a brief formality, and whether conflicts of interest and related-party approvals are properly disclosed and minuted.

Practitioner note: Thin board minutes are themselves a governance finding worth raising — a one-line minute approving a material related-party transaction gives an external reviewer, lender, or regulator very little comfort that the decision was properly considered.

What's a realistic first step if our board wants internal audit but isn't ready to commit to a full annual programme yet?

A focused, single-process pilot review — commonly procurement-to-pay or payroll/WPS, since these are usually the highest-materiality, highest-risk processes — lets the board see the quality and format of an actual internal audit deliverable before committing to a broader annual plan or an outsourced function retainer.

Practitioner note: We regularly recommend a single pilot engagement over a full first-year programme for boards that are internal-audit-curious but not yet convinced — it is lower commitment and, done well, tends to build its own case for the fuller programme.

Does internal audit look at customer contract terms, or only internal processes?

Where contract management is in scope, we test whether customer and supplier contracts are reviewed and approved within delegated authority limits, whether key commercial terms (payment terms, penalty clauses, termination rights) are consistently tracked against what is actually being invoiced or paid, and whether contract renewal dates are monitored so the business doesn't inadvertently auto-renew on unfavourable terms.

Practitioner note: Contract renewal date tracking is a small, unglamorous control that we find missing surprisingly often — the cost of a missed renewal notice period is real and entirely avoidable with a basic tracking discipline.

How does PNPC's internal audit approach differ for a business preparing for its first UAE Corporate Tax return versus one already several filing cycles in?

For a business preparing its first Corporate Tax return, internal audit focuses on whether the underlying accounting records, related-party transaction documentation, and Qualifying Free Zone Person analysis (where relevant) are actually capable of supporting the return before it is filed. For a business several cycles in, the focus shifts to whether positions taken in prior returns have been consistently applied and whether the seven-year record retention requirement under Federal Decree-Law No. 47 of 2022 is being met in practice, not just assumed.

Practitioner note: First-time Corporate Tax filers benefit most from an internal audit review timed before the return is filed rather than after — it is far easier to correct a documentation gap pre-filing than to explain it to the FTA after the fact.

Can internal audit help identify whether we should be registering additional entities for VAT as a tax group?

Internal audit can flag where intercompany transactions, shared cost structures, or common control between UAE entities suggest a VAT group registration under Federal Decree-Law No. 8 of 2017 may simplify compliance and cash flow — but the decision itself, and the formal VAT group registration application via EmaraTax, sits with dedicated VAT advisory work, not internal audit itself.

Practitioner note: We flag VAT grouping as an observation for the tax advisory team to evaluate rather than making the recommendation ourselves within the internal audit report — it is a tax structuring decision, not a controls finding.

What does PNPC do differently if a client's finance team is visibly resistant to the internal audit process?

We address resistance directly and early — reminding the finance team that internal audit exists to strengthen the control environment they operate within, not to catch individuals out, and that draft findings are always discussed with process owners before finalisation specifically so factual context isn't missed. Where resistance persists, we escalate transparently to the audit committee, since a finance team actively obstructing evidence access is itself a governance matter the board should know about.

Practitioner note: Genuine finance-team resistance to internal audit is itself a signal worth reporting — in our experience it correlates more often with fear of exposing informal workarounds than with any process flaw in the audit itself.

Does internal audit assess whether our organisation chart and delegation of authority matrix are actually followed, or just whether they exist?

Both — we confirm the documents exist and are current, and then test actual transactions against them: does the person who approved this purchase order actually hold that authority level under the matrix, and does the reporting line on the org chart match who actually reviews and signs off in practice? A delegation of authority matrix that exists on paper but is routinely overridden in practice is one of the most common findings in a first-cycle review.

Practitioner note: We have seen delegation of authority matrices that were accurate the day they were drafted and never updated through several rounds of staff turnover — testing against live transactions, not just the document, is what catches this.

How far back does internal audit typically look when reviewing transactions?

The review period is agreed at scoping and is usually the most recently completed financial year or the trailing twelve months, though specific higher-risk items — an unusual related-party arrangement, a prior control incident — may be traced back further where relevant to understanding the full pattern. We do not default to reviewing multiple years of transaction detail across every process, since that materially increases cost without proportionate additional assurance value for most engagements.

Practitioner note: We scope the look-back period to the specific risk being tested rather than applying a blanket multi-year rule — a targeted deeper look at one flagged item is more valuable than a shallow multi-year sweep across everything.

Will PNPC tell us if internal audit finds nothing significant, or is a 'clean' report a sign the review wasn't thorough enough?

A genuinely clean report — where testing finds controls designed and operating well across the reviewed scope — is a legitimate and valuable outcome, not a sign of a weak review; it gives the board real assurance and is useful evidence for a bank, investor, or regulator. We document the specific tests performed and the sample sizes used regardless of outcome, so a clean result is demonstrably the product of real testing rather than a lack of scrutiny.

Practitioner note: We are transparent that our fee doesn't depend on finding a target number of issues — a well-run business with genuinely sound controls should expect, and can be reassured by, a clean or largely clean first-cycle result.

How does internal audit factor in a UAE company's WPS non-compliance history when scoping the payroll review?

Where a company has a history of WPS submission delays or MOHRE penalties, payroll and WPS testing is elevated in priority within the risk-ranked audit universe, and the review specifically traces recent submissions against the underlying payroll register and bank payment records to confirm whether the root cause (system issue, cash flow timing, administrative error) has actually been addressed rather than assuming a penalty payment alone resolved the underlying control gap.

Practitioner note: A paid WPS penalty is not evidence the underlying process failure has been fixed — we specifically test the current-period submission against the payroll register to confirm the root cause, not just the symptom, has been addressed.

Does PNPC's internal audit scope typically include a review of the company's whistleblower or grievance-reporting channel?

Yes, where a whistleblower or grievance channel exists (a requirement or best practice for DIFC/ADGM regulated firms and increasingly common for larger mainland groups), internal audit tests whether reports received are logged, investigated, and closed out with a documented outcome, and whether the channel is genuinely accessible and known to staff rather than existing only in a policy document nobody has seen.

Practitioner note: An unused whistleblower channel is not necessarily evidence nothing is wrong — we specifically check staff awareness of the channel, since a channel nobody knows exists will naturally show zero reports regardless of what is actually happening.

How does internal audit treat a UAE company's use of related-party service or management fee arrangements with an overseas parent?

We test whether management or service fee charges from an overseas (commonly Indian) parent to the UAE entity are supported by an actual service agreement, are priced consistently with an arm's-length rationale, and are recognised consistently in both entities' books — since undocumented or inconsistently applied management fees are a recurring source of both Corporate Tax related-party scrutiny and inter-company reconciliation discrepancies.

Practitioner note: A management fee that has been charged the same round figure every year regardless of actual services performed is one of the more common related-party findings we raise — the fee needs a documented basis, not just historical precedent.

Why PNPC Global

PNPC Global internal audit engagements vs typical alternatives in the UAE market

| Dimension | PNPC Global | Generic Internal Audit Provider | Big Four / Large Network Firm |
|---|---|---|---|
| Scoping approach | Risk assessment built specifically for your entity structure and group risk profile | Templated checklist applied with minimal customisation | Thorough but often standardised methodology with premium pricing |
| Partner involvement in fieldwork | Partner directly involved in scoping, key walkthroughs, and board reporting | Variable — often junior-staff led with limited partner oversight | Typically delegated substantially to seniors/associates with partner sign-off only |
| India-UAE cross-border coordination | Single coordinated engagement across both jurisdictions from PNPC offices in each | Rarely offered; usually requires two separate, disconnected advisors | Available but typically requires engaging separate country practices with handoff friction |
| Follow-up remediation review | Built into the engagement as standard practice | Frequently offered only as a paid add-on, if at all | Available but often a separate, re-scoped engagement |
| Fee structure | Fixed, agreed fee confirmed in writing before work begins | Variable — some providers quote low and expand scope later | Generally premium pricing reflecting brand and global infrastructure |
| Continuity of relationship | Same PNPC team across internal audit, tax, and accounting engagements where applicable, since 1986 | Project-based; limited ongoing relationship | Strong global infrastructure but frequent staff rotation on individual engagements |
| Data analytics use | Standard component wherever system access allows | Varies significantly by provider | Available, often as part of a broader (and costlier) technology-enabled audit package |
| Design vs operating deficiency classification | Every finding explicitly classified so remediation targets the right fix — policy change versus enforcement | Often reports symptoms without distinguishing the underlying failure type | Methodology supports it, though the classification can be lost in high-level summary reporting |

This comparison reflects general market patterns PNPC observes and is not a claim about any specific named competitor. Every provider — including PNPC — should be evaluated on its written scope, fee, and team composition for your specific engagement.

What the PNPC package includes

1. Independent Internal Audit Charter drafted collaboratively with your board or audit committee, establishing clear reporting lines and authority
2. Risk-ranked audit universe covering financial, operational, compliance, and IT processes tailored to your specific entity structure
3. Annual audit plan agreed with the audit committee, prioritised realistically to the hours and skills actually required
4. Fieldwork combining process walkthroughs, control testing, and — wherever system access allows — full-population data analytics
5. Risk-rated findings with documented root cause, not just symptom-level observations
6. Final report presented directly to your audit committee or board, including an executive summary and risk heat-map
7. Management action plan tracking through to the next reporting cycle, with named owners and committed dates
8. Formal follow-up review re-testing previously flagged controls, built into the engagement as standard practice
9. Coordination with your existing external (statutory) auditor, with your consent, to avoid duplicated testing effort
10. Cross-border internal audit coordination for groups spanning UAE and India, run from PNPC's own offices in both jurisdictions
11. Full-population exception testing where systems allow — duplicate payments, unusual vendor-master changes, weekend/after-hours postings, round-sum invoices, and segregation-of-duties conflicts in the ERP
12. Corporate Tax control review covering related-party transaction documentation, transfer pricing support, and Qualifying Free Zone Person condition tracking under Federal Decree-Law No. 47 of 2022
13. Payroll and WPS testing against the underlying register and bank records, with root-cause analysis where prior MOHRE submission issues exist
14. Named-owner engagement letter setting written scope, exclusions, system-access requirements, and a fixed fee before any fieldwork begins
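The full-population exception tests listed above (duplicate payments, vendor-master changes, weekend/after-hours postings, round-sum invoices, and segregation-of-duties conflicts) are the kind of checks that are run over an entire ERP payment extract rather than a sample. The script below is an added illustration of that logic and is not PNPC's own tooling; it assumes a flat payment extract and a vendor-master change log with the field names shown, a Saturday/Sunday weekend, 08:00 to 19:00 business hours, and 7-day and 30-day windows for duplicates and bank-detail changes respectively. All of those parameters and the sample records are constructed for the example.

```python
"""Full-population exception tests over a constructed ERP payment extract.

Added example, not PNPC's code. Assumed schema (not from the page):
payments: doc_id, vendor_id, amount, posted_at (ISO-8601), created_by, approved_by
vendor-master changes: vendor_id, field, changed_by, changed_at (ISO-8601)
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed parameters: Saturday/Sunday weekend, 08:00-19:00 business hours.
WEEKEND = {5, 6}                 # datetime.weekday(): Monday=0 ... Sunday=6
BUSINESS_HOURS = range(8, 19)    # 08:00 up to, but excluding, 19:00
DUP_WINDOW = timedelta(days=7)
BANK_CHANGE_WINDOW = timedelta(days=30)

# Constructed sample data. 2024-03-08 is a Friday, 2024-03-10 a Sunday.
PAYMENTS = [
    {"doc_id": "P001", "vendor_id": "V100", "amount": 12450.75, "posted_at": "2024-03-04T10:15:00",
     "created_by": "asha", "approved_by": "omar"},
    {"doc_id": "P002", "vendor_id": "V100", "amount": 12450.75, "posted_at": "2024-03-06T09:02:00",
     "created_by": "asha", "approved_by": "omar"},   # same vendor/amount two days later
    {"doc_id": "P003", "vendor_id": "V205", "amount": 50000.00, "posted_at": "2024-03-08T23:40:00",
     "created_by": "rami", "approved_by": "rami"},   # late night, round sum, self-approved
    {"doc_id": "P004", "vendor_id": "V310", "amount": 7312.40, "posted_at": "2024-03-10T14:00:00",
     "created_by": "lina", "approved_by": "omar"},   # weekend posting
    {"doc_id": "P005", "vendor_id": "V205", "amount": 1999.99, "posted_at": "2024-03-12T11:30:00",
     "created_by": "lina", "approved_by": "omar"},
]
VENDOR_CHANGES = [
    {"vendor_id": "V205", "field": "bank_account", "changed_by": "rami", "changed_at": "2024-03-07T17:55:00"},
    {"vendor_id": "V310", "field": "contact_email", "changed_by": "asha", "changed_at": "2024-02-01T10:00:00"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def duplicate_payments(payments, window=DUP_WINDOW):
    """Same vendor and identical amount posted within the window: candidate double payments."""
    by_key = defaultdict(list)
    for p in payments:
        by_key[(p["vendor_id"], round(p["amount"], 2))].append(p)
    hits = []
    for group in by_key.values():
        group.sort(key=lambda p: _ts(p["posted_at"]))
        for a, b in zip(group, group[1:]):
            if _ts(b["posted_at"]) - _ts(a["posted_at"]) <= window:
                hits.append((a["doc_id"], b["doc_id"]))
    return sorted(hits)


def off_hours_postings(payments):
    """Postings on the weekend or outside business hours."""
    return sorted(p["doc_id"] for p in payments
                  if _ts(p["posted_at"]).weekday() in WEEKEND
                  or _ts(p["posted_at"]).hour not in BUSINESS_HOURS)


def round_sum_invoices(payments, unit=1000, floor=1000):
    """Amounts that are exact multiples of a round unit: often estimates or fees without a real invoice."""
    return sorted(p["doc_id"] for p in payments
                  if p["amount"] >= floor and round(p["amount"] % unit, 2) == 0)


def _bank_change_before(p, c, window):
    """True if change c is a bank-account edit on p's vendor made within the window before p posted."""
    gap = _ts(p["posted_at"]) - _ts(c["changed_at"])
    return (c["vendor_id"] == p["vendor_id"] and c["field"] == "bank_account"
            and timedelta(0) <= gap <= window)


def sod_conflicts(payments, changes, window=BANK_CHANGE_WINDOW):
    """Self-approval, or a creator/approver who edited the payee's bank details shortly before paying."""
    hits = []
    for p in payments:
        if p["created_by"] == p["approved_by"]:
            hits.append((p["doc_id"], "self-approval"))
        for c in changes:
            if _bank_change_before(p, c, window) and c["changed_by"] in (p["created_by"], p["approved_by"]):
                hits.append((p["doc_id"], "bank change by " + c["changed_by"]))
    return sorted(hits)


def recent_bank_changes(payments, changes, window=BANK_CHANGE_WINDOW):
    """Any payment to a vendor whose bank account changed in the window before posting."""
    return sorted({p["doc_id"] for p in payments for c in changes if _bank_change_before(p, c, window)})


def run_all(payments=PAYMENTS, changes=VENDOR_CHANGES):
    return {
        "duplicates": duplicate_payments(payments),
        "off_hours": off_hours_postings(payments),
        "round_sums": round_sum_invoices(payments),
        "sod": sod_conflicts(payments, changes),
        "bank_change_before_payment": recent_bank_changes(payments, changes),
    }


if __name__ == "__main__":
    for test, hits in run_all().items():
        print(f"{test}: {hits}")
```

Each test returns document identifiers rather than a verdict: in practice every hit is an exception to be walked through with the process owner, and the thresholds (windows, business hours, round-sum unit) are set per engagement from the entity's own posting patterns rather than reused as fixed rules.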

Speak to a PNPC partner before your next board or audit committee meeting — a proper risk-based scope, not a templated checklist, is the difference between an internal audit that changes how your business is run and one that just produces a report nobody reads.

Jurisdiction: United Arab Emirates (free zone, mainland & offshore)
