UAEServicesAudit & AssuranceInformation Systems & IT AuditInformation Systems / Information Security Audit (UAE)

Audit & Assurance · Information Systems & IT Audit

Information Systems / Information Security Audit (UAE)

As UAE businesses digitise finance, operations, and customer data across cloud platforms, ERPs, and connected devices, boards and regulators increasingly expect proof that information systems are actually controlled — not just operational.

Chartered Accountants · Dubai · Since 1986

What Information Systems / Information Security Audit (UAE) is

An Information Systems (IS) Audit, often used interchangeably with an Information Security Audit in practice, is an independent examination of an organisation's IT environment — its infrastructure, applications, databases, networks, and the controls surrounding them — to assess whether information assets are adequately protected, systems operate reliably, and data is processed with integrity. In the UAE, this typically covers IT general controls (access management, change management, backup and recovery, physical and environmental security), IT application controls embedded in financial and operational systems, and increasingly, cyber security controls aligned to recognised frameworks such as ISO/IEC 27001, the NIST Cybersecurity Framework, and — for regulated financial institutions — the UAE Central Bank's information security and technology risk guidance.

The scope of an IS/IT security audit in the UAE context commonly spans: logical access controls (user provisioning, de-provisioning, privileged access, segregation of duties within ERP and financial systems), network security (firewalls, segmentation, remote access, VPN configuration), data protection and privacy controls (encryption, data classification, handling of personal data under UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, and sector-specific regimes such as the DIFC Data Protection Law or ADGM Data Protection Regulations for entities operating in those financial free zones), business continuity and disaster recovery arrangements, vendor and third-party/cloud service provider risk, and incident response readiness. For listed or regulated entities, the audit may also map findings against Securities and Commodities Authority (SCA) corporate governance expectations or Central Bank circulars on IT governance and outsourcing.

This is distinct from — but often runs alongside — a statutory financial audit. A financial statement auditor relies on IT general controls when they underpin financial reporting integrity (for example, controls over who can post journal entries or amend supplier master data in an ERP). An IS/IT security audit goes deeper: it independently tests those controls, assesses cyber security posture, and reports findings and remediation priorities directly to the Board or Audit Committee, separate from the financial audit opinion. Many UAE groups commission a stand-alone IS/security audit annually or biennially as part of enterprise risk management, in response to a regulator's expectation, ahead of a banking facility renewal, or following a security incident.

Output is typically a management report — not a statutory opinion filed with a government authority — setting out control weaknesses rated by risk, root cause analysis, and a prioritised remediation roadmap agreed with management. Where the audit is mandated by a specific regulator (for example, Central Bank-regulated banks and finance companies, or insurance companies under the Central Bank's insurance sector rules), the report format and submission expectations follow that regulator's specific circular or guideline, which PNPC tracks and applies on an engagement-by-engagement basis rather than assuming a one-size-fits-all template across every UAE entity.

When a UAE business should commission this audit

Your ERP, accounting system, or core banking/transaction platform has grown in complexity and management wants independent assurance that access controls and segregation of duties are actually working, not just documented

A bank, regulator, insurer, or major counterparty has requested evidence of information security controls as a condition of a credit facility, licence renewal, or vendor onboarding

You operate in or serve a Central Bank-regulated sector (banking, finance companies, insurance, exchange houses) where IT governance and cyber resilience expectations are part of ongoing supervisory engagement

Your entity is registered in DIFC or ADGM and needs to demonstrate compliance with the applicable financial free zone data protection regime as part of its annual compliance obligations

You have recently migrated core systems to cloud infrastructure or adopted new SaaS platforms and want assurance that data protection, access, and vendor risk controls were properly designed before scaling further

The company has experienced a security incident, near-miss, or third-party data exposure and the Board wants an independent root-cause review rather than relying solely on the internal IT team's self-assessment

Your external financial statement auditor has flagged IT general control deficiencies and management wants a dedicated, deeper review to remediate before the next audit cycle

You are preparing for ISO/IEC 27001 certification or a SOC 2-type report requested by an overseas customer and want a readiness assessment before the formal certification audit

When another engagement may fit better

You need a formal, accredited ISO/IEC 27001 certification audit — that requires engagement of an accredited certification body; PNPC can support pre-certification readiness work but does not issue ISO certificates

Your primary need is a penetration test or vulnerability scan of specific applications — a focused technical security testing engagement may be more appropriate as a first step, with a broader IS audit layered on afterward

You only need routine IT general control testing as part of the annual statutory financial audit — this is typically embedded in the financial audit scope rather than commissioned as a stand-alone engagement

The business is very early-stage with minimal IT infrastructure and no regulatory trigger — a lighter-touch IT risk assessment or advisory review may be more proportionate than a full audit

You need ongoing managed security monitoring (SOC-as-a-service, 24/7 SIEM monitoring) — that is a managed security services engagement, not a periodic audit

Your requirement is purely a data protection/privacy compliance gap assessment against UAE Federal Decree-Law No. 45 of 2021 with no IT systems testing component — a focused privacy compliance review may be the better starting point

Structure Comparison

Information Systems / Information Security Audit vs related assurance engagements in the UAE

FeatureIS/IT Security AuditStatutory Financial Audit (ITGC reliance only)ISO/IEC 27001 Certification AuditPenetration Test / Vulnerability AssessmentInternal Audit (IT-focused)
Primary objectiveIndependent assurance over IT controls, data protection and cyber resilienceSupport the financial statement audit opinionCertify conformance to ISO/IEC 27001 standardIdentify exploitable technical vulnerabilitiesOngoing risk-based assurance to management/Audit Committee
Who performs itCA firm with IT audit specialists (e.g., PNPC)Statutory auditor as part of financial auditAccredited certification bodySpecialist penetration testing firmIn-house or outsourced internal audit function
OutputManagement report with risk-rated findings and remediation roadmapInfluences audit approach; not separately reported externally in most casesCertificate of conformance (valid typically 3 years, with surveillance audits)Technical vulnerability report with exploit detailInternal audit report to Audit Committee/Board
Regulatory driver (UAE)Central Bank guidance, DIFC/ADGM data protection regimes, sector regulator expectations, contractual requirementInternational Standards on Auditing as adopted, Companies Law audit requirementVoluntary — often customer or market-drivenVoluntary — often contractual or pre-audit drivenCorporate governance codes, Board mandate, sector regulator expectations
Depth of technical testingControl design and operating effectiveness testing, sample-basedLimited to controls relevant to financial reportingFull management system audit against clause-by-clause standard requirementsDeep technical exploitation testing of defined scopeVaries by internal audit plan and maturity
Typical frequencyAnnual or biennial, or trigger-based (incident, facility renewal)Annual, alongside financial statementsInitial certification then annual surveillance, recertification every 3 yearsPeriodic — often annual or before major releasesPer approved internal audit plan, often annual cycle
Data protection law coverageExplicitly assessed — UAE Federal Decree-Law No. 45 of 2021, DIFC/ADGM regimes where applicableNot a primary focusPartially — via Annex A controls on privacy where scopedNot typically in scopeDepends on internal audit plan scope
Suitable for regulator submissionYes, where the regulator requests an independent IT/security audit reportNo — audit opinion covers financial statements onlyCertificate can be shared, but underlying report is generally confidentialNot typically shared externally in raw formGenerally internal, Board/Audit Committee only

These engagement types are complementary rather than substitutes for one another — many UAE groups run a statutory financial audit, an annual IS/security audit, and periodic penetration testing as part of a layered assurance programme. The right combination depends on your regulator, sector, group structure, and risk appetite. A scoping conversation with PNPC before the engagement begins is the right first step.

How it works
#Stage & What PNPC DoesCA/IT Audit Insight Portals and Generic Providers MissTimeline
1Scoping & Regulatory Mapping — understanding why this audit is needed and for whomWe ask what generic IT auditors often skip: is this driven by a Central Bank circular, a DIFC/ADGM annual obligation, a banking facility covenant, a customer contract, or an internal risk decision? The driver determines the report format, the framework to test against (ISO 27001, NIST CSF, Central Bank guidance, or a hybrid), and who the report is ultimately addressed to.Week 1
2Engagement Letter & Independence CheckWhere PNPC also provides other services to the same client (accounting, tax, statutory audit), we assess independence considerations before accepting the IS audit scope — consistent with professional ethics standards, avoiding self-review threats on systems we may have helped implement.Week 1
3Risk Assessment & Scope Definition — systems, locations, and data flows in scopeWe map the actual data flow — which systems touch customer personal data, financial data, and regulated data — rather than auditing every system with equal depth. A risk-based scope catches the controls that matter most and avoids wasting budget on low-risk, low-criticality systems.Week 1–2
4IT General Controls (ITGC) Walkthrough — access, change, operations, backupWe walk through actual system configuration screens — not just policy documents. A written access control policy that says quarterly access reviews happen means little if the ERP audit log shows no review was actually performed in the last three quarters. We test operating effectiveness, not just design.Week 2–3
5Application Control Testing — controls embedded in ERP/finance/operational systemsSegregation of duties conflicts (one user able to both create a vendor and approve payment to that vendor) are the most common finding in UAE mid-market ERPs. We test actual user-role combinations against a segregation-of-duties matrix specific to your business processes, not a generic template.Week 3–4
6Network & Infrastructure Security Review — firewalls, segmentation, remote accessPost-pandemic remote access sprawl is common — VPN and remote desktop access configured hastily in 2020–2021 and never revisited. We specifically test whether remote access controls (MFA enforcement, session timeout, access logging) match current policy, not just historical configuration.Week 3–4
7Cloud & Third-Party / Vendor Risk AssessmentMany UAE businesses run core systems on cloud SaaS platforms hosted outside the UAE. We assess the data residency, cross-border data transfer implications under UAE Federal Decree-Law No. 45 of 2021, and the adequacy of the vendor's own security certifications and contractual commitments (SLAs, breach notification clauses, sub-processor disclosure).Week 4–5
8Data Protection & Privacy Controls ReviewWe assess actual practice against the UAE's federal personal data protection law and, where applicable, the DIFC Data Protection Law or ADGM Data Protection Regulations — covering consent, data subject rights processes, breach notification readiness, and data classification, not merely whether a privacy policy exists on the website.Week 4–5
9Business Continuity & Disaster Recovery TestingA backup policy is not the same as a tested, working recovery process. Where feasible within scope, we review evidence of the last actual recovery test (not just the backup job logs) and assess recovery time/point objectives against what the business actually needs to survive an outage.Week 5
10Incident Response Readiness ReviewWe assess whether an incident response plan exists, has been tested (tabletop exercise or otherwise), and whether roles, escalation paths, and regulator/customer notification obligations are clearly assigned — a gap we find in the majority of first-time engagements.Week 5–6
11Findings Consolidation & Risk RatingFindings are rated by realistic business risk — likelihood and impact — not a generic severity scale copy-pasted from a template. We distinguish findings that are genuinely urgent (e.g., dormant privileged accounts still active) from lower-priority hygiene items, so management can prioritise remediation sensibly.Week 6
12Management Report & Remediation Roadmap DeliveryThe report is written for the Board/Audit Committee and management — plain findings, root cause, business risk, and a realistic remediation timeline agreed with the IT team, not a 200-page technical dump that nobody reads or actions.Week 6–7
13Board/Audit Committee PresentationPNPC's engagement lead presents findings directly to the Board or Audit Committee where requested — answering questions in real time rather than leaving management to interpret and relay a written report alone.Week 7
14Remediation Follow-Up & Re-Testing (Optional)Many clients engage PNPC for a follow-up review 3–6 months later to verify that agreed remediation actions were actually implemented — closing the loop rather than leaving findings open indefinitely.3–6 months post-report, on request

Realistic end-to-end timeline for a mid-sized single-entity engagement: 6–8 weeks from kick-off to final report, depending on the number of systems in scope, availability of client IT personnel, and whether remote or on-site testing is required. Larger groups with multiple entities, jurisdictions, or Central Bank-regulated status typically require a longer, phased engagement — scoped and quoted individually.

Document Checklist
Governance & Policy Documents

Information security policy and any supporting standards (access control policy, acceptable use policy, data classification policy)

IT governance framework or IT steering committee terms of reference, if one exists

Organisation chart for the IT function, including reporting lines to the Board or Audit Committee

Any prior IT audit, penetration test, or security assessment reports from the last 24 months

Board or Audit Committee minutes where IT risk, cyber security, or prior audit findings were discussed

System & Infrastructure Inventory

List of all in-scope systems — ERP, core operational/financial applications, databases, and their hosting environment (on-premise, cloud, hybrid)

Network architecture diagram showing segmentation, firewalls, and key infrastructure components

Cloud service provider agreements and data hosting location details for any system involving customer or financial data hosted outside the UAE

Asset register or configuration management database (CMDB), if maintained

List of third-party vendors and service providers with access to systems or data, and the nature of that access

Access & Identity Management Evidence

Current user access listing for each in-scope system, including privileged/administrator accounts

Evidence of periodic user access review — sign-off records, not just the policy stating reviews should happen

New joiner, transfer, and leaver (offboarding) process documentation and sample evidence of execution

Password policy configuration and multi-factor authentication (MFA) enforcement evidence for remote access and privileged accounts

Segregation-of-duties matrix for the ERP/finance system, if one has been documented; if not, PNPC assists in constructing one during the engagement

Change Management & Operations Evidence

Change management policy and a sample of recent change requests with approval evidence

Patch management records or evidence of a patching cadence for servers, endpoints, and critical applications

Backup schedule, retention policy, and evidence of at least one successful restore/recovery test

Incident log for the audit period, including any security incidents, near-misses, or data breaches and how they were handled

Business continuity plan (BCP) and disaster recovery plan (DRP) documentation, plus evidence of the last test or exercise

Data Protection & Privacy Documents

Data privacy policy and any data protection impact assessments performed

Record of processing activities or data inventory identifying categories of personal data held and processing purposes

Evidence of consent mechanisms and data subject rights handling process (access, correction, deletion requests), where applicable

Cross-border data transfer arrangements and any data processing agreements with cloud/SaaS vendors

For DIFC/ADGM entities — evidence of registration with, and any filings made to, the relevant data protection authority in that free zone

Regulatory & Contractual Context (Where Applicable)

Central Bank licence and any circulars or supervisory correspondence relevant to IT/cyber risk, for regulated financial institutions

Insurance sector-specific IT governance requirements, for Central Bank-regulated insurers

Customer or counterparty contracts that specify security audit, SOC report, or ISO 27001 requirements

Any regulatory findings or supervisory letters referencing IT control weaknesses that need to be tracked and addressed

Ongoing obligations
PhaseTriggered ByPNPC GuidanceRisk If Ignored
Pre-Engagement ScopingDecision to commission an IS/security auditClarify the regulatory or commercial driver, agree scope and systems in scope, confirm independence where PNPC provides other services, and set realistic timeline and reporting format expectations before fieldwork starts.Wrong scope leads to a report that does not satisfy the regulator, bank, or customer requirement that triggered the audit in the first place — requiring a costly re-scope or repeat engagement.
Fieldwork & TestingEngagement kick-offWalkthroughs, control testing, evidence gathering across access management, change management, network security, cloud/vendor risk, and data protection controls — testing operating effectiveness, not just reviewing policy documents.Superficial testing (policy review only, no evidence testing) produces a report that looks thorough but misses real control gaps — creating false assurance for the Board.
Findings & ReportingFieldwork completeFindings consolidated, risk-rated by realistic business impact, root cause identified, and a remediation roadmap agreed with the IT team before the final report is issued — avoiding surprises at presentation stage.A report full of low-value, undifferentiated findings overwhelms management, delays remediation prioritisation, and reduces the credibility of the audit function with the Board.
Board/Audit Committee ReportingReport finalisedPNPC presents findings directly, answers questions, and helps the Audit Committee frame follow-up actions and ownership — not just an emailed PDF.Findings sit unread or unactioned when there is no direct engagement with those accountable for remediation, and the audit becomes a compliance exercise rather than a risk-reduction tool.
Remediation TrackingReport accepted, actions assignedPNPC can track remediation status against agreed timelines and flag slippage, keeping the Board informed of open risk exposure between audit cycles.Findings remain open indefinitely with no visibility, and the same weaknesses reappear — sometimes as the root cause of a subsequent incident — in the next audit cycle.
Re-Testing / ValidationRemediation reported complete by managementIndependent re-testing confirms that remediation was actually implemented as described, rather than accepting management's word alone — particularly important for higher-risk findings.Findings marked 'closed' based on management assertion alone can recur or turn out to be incompletely fixed, undermining the value of the original audit and exposing the Board to unaddressed risk.
Regulatory / Contractual Renewal CycleAnnual Central Bank supervisory cycle, DIFC/ADGM annual filing, banking facility renewal, or customer contract renewalPNPC schedules the next audit cycle in advance, incorporating lessons from the prior cycle and any changes in regulation, systems, or business scale.Ad hoc, reactive commissioning of audits only when a regulator or bank asks creates time pressure, narrower scope, and a weaker negotiating position with the counterparty requesting assurance.
Incident Response (If Triggered)Actual security incident or data breachPNPC can support a focused post-incident IS review — root cause, control failure analysis, and remediation — distinct from, but informed by, the standing audit programme.Without an independent post-incident review, root causes may be misdiagnosed, remediation may be superficial, and regulator or customer confidence in the fix is harder to establish.
Frequently asked
What exactly is an Information Systems / Information Security Audit, in plain terms?

It is an independent review of how well your organisation's IT systems, data, and cyber security controls are actually working — not just what your policies say should happen. An IS/IT security auditor examines who has access to what, how changes to systems are approved and tracked, how data is protected, and how prepared the organisation is to detect and respond to a security incident. The result is a report to management and the Board setting out weaknesses, their business risk, and what to fix first.

Practitioner noteClients often expect this to be a purely technical exercise. In practice, the most valuable findings are usually about process and accountability — who reviews access, who approves changes, who owns data protection — rather than purely technical vulnerabilities.
Is an IS/IT security audit legally mandatory for all UAE businesses?

No, there is no single UAE federal law mandating a stand-alone IS/security audit for every business. The obligation, where it exists, typically comes from your specific regulator, sector, or contractual relationship: Central Bank-regulated banks, finance companies and insurers operate under supervisory expectations for IT governance and cyber resilience; DIFC and ADGM entities have their own data protection compliance obligations under the applicable free zone data protection law; and many businesses commission the audit because a bank, investor, or major customer requires evidence of security controls as a condition of doing business.

Practitioner noteWe always start by identifying who is actually asking for this audit and why — a regulator, a bank covenant, a customer contract, or an internal risk decision. That answer shapes the scope and report format far more than any generic checklist would.
Does the UAE have a general data protection law, and how does it relate to this audit?

Yes. UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data is the UAE's federal personal data protection law, establishing principles for lawful processing, data subject rights, and obligations on data controllers and processors. Separately, DIFC and ADGM — as financial free zones with their own civil and commercial law frameworks — each maintain their own data protection regime (the DIFC Data Protection Law and the ADGM Data Protection Regulations respectively) that applies to entities registered in those zones. An IS/security audit typically assesses whether your actual data handling practices align with whichever regime applies to your entity.

Practitioner noteWe see confusion between the federal law and the DIFC/ADGM regimes regularly — a company registered in DIFC is generally subject to the DIFC Data Protection Law for its DIFC operations, which has its own registration and compliance requirements distinct from the federal law. We confirm which regime(s) apply to your entity structure before assessing compliance.
How is this different from what our external financial statement auditor already does?

Your financial statement auditor tests IT general controls only to the extent they support the integrity of financial reporting — for example, who can post journal entries or change supplier bank details in the ERP. That work is embedded in the financial audit and is not usually reported separately. An IS/IT security audit goes much broader and deeper: it covers the full information security posture — network security, data protection, cloud and vendor risk, incident response readiness — and produces its own dedicated report to management and the Board, independent of the financial statement audit opinion.

Practitioner noteWhere PNPC also acts as your statutory auditor, we assess independence considerations carefully before taking on an IS/security audit scope, to avoid any self-review conflict — particularly if we were involved in designing the very controls being tested.
We are a Central Bank-regulated finance company. What should we expect from this audit?

The UAE Central Bank issues guidance and supervisory expectations around information security, technology risk management, and outsourcing arrangements for banks, finance companies, and other regulated financial institutions. An IS/security audit for a Central Bank-regulated entity is typically scoped to map findings against those specific regulatory expectations, in addition to general good-practice frameworks like ISO/IEC 27001 or the NIST Cybersecurity Framework, so the report is directly useful in your supervisory engagement.

Practitioner noteRegulatory circulars and supervisory expectations in this space are updated periodically. We confirm the current applicable guidance for your specific licence category at the start of every regulated-entity engagement rather than relying on a static checklist.
We operate in DIFC. Do we have a separate obligation for this kind of audit?

DIFC entities are subject to the DIFC Data Protection Law, administered by the DIFC Commissioner of Data Protection, which includes registration and ongoing compliance obligations around how personal data is processed and protected. While the DIFC regime does not necessarily mandate a specific 'IT security audit' by name, demonstrating adequate technical and organisational security measures is part of compliance, and many DIFC entities commission an independent review to evidence this, particularly ahead of a DIFC Commissioner inquiry or as part of good governance practice.

Practitioner noteWe treat DIFC data protection compliance and IS/security audit scope as closely linked but distinct workstreams — the audit tests the controls; separate advisory work addresses the specific DIFC registration and notification obligations.
What about ADGM entities — is there an equivalent regime?

Yes. ADGM has its own Data Protection Regulations, administered by the ADGM Registration Authority / Office of Data Protection, applicable to entities established in ADGM. As with DIFC, the regulation focuses on lawful processing and data subject protections, and an independent IS/security audit is a common way for ADGM entities to demonstrate that their technical and organisational security measures are adequate.

Practitioner noteADGM and DIFC regimes are similar in spirit but are legally distinct frameworks with their own registration authorities — we do not assume one covers the other, even for groups with entities in both free zones.
What frameworks does PNPC test against during the audit?

The framework depends on your driver and sector. Common baselines include ISO/IEC 27001 (the international information security management standard), the NIST Cybersecurity Framework, and — for regulated financial entities — the applicable UAE Central Bank information security and technology risk guidance. Where a customer contract specifies a particular standard (for example, requiring evidence broadly consistent with SOC 2 trust services criteria), we incorporate that into scope as well.

Practitioner noteWe avoid running a single fixed checklist across every client. The framework mix is agreed during scoping, based on what will actually satisfy the party requesting assurance — regulator, bank, customer, or your own Board.
How long does a typical engagement take?

For a mid-sized single-entity business, a realistic timeline is 6–8 weeks from scoping to final report, assuming reasonable availability of client IT personnel and access to systems/evidence. Larger groups, multi-entity structures, or Central Bank-regulated institutions typically require a longer, phased approach, scoped and quoted individually based on the number of systems and locations involved.

Practitioner noteThe most common cause of delay is not the audit team's pace — it is the client's IT team being slow to produce evidence (access logs, change tickets, backup test records). We flag evidence requirements upfront and provide a clear checklist so this rarely becomes a bottleneck.
What does PNPC actually test during the access management review?

We review the current user access listing for each in-scope system, test whether access levels match job roles (least-privilege principle), check for dormant or orphaned accounts belonging to former employees, examine evidence of periodic access reviews (not just the policy requiring them), and test segregation-of-duties conflicts in financial systems — for example, whether the same user can both create a vendor and approve a payment to that vendor.

Practitioner noteSegregation-of-duties conflicts in the ERP are, in our experience, one of the single most common and highest-risk findings across UAE mid-market businesses — often because access was granted for convenience during a busy period and never revisited.
Does the audit include penetration testing or vulnerability scanning?

Not by default. An IS/security audit primarily assesses control design and operating effectiveness through walkthroughs, configuration review, and evidence testing. Penetration testing and vulnerability scanning are specialised technical testing engagements that actively attempt to exploit weaknesses in specific systems. PNPC can coordinate a penetration test as a complementary engagement — either performed by our technical partners or reviewed as part of your existing test results — but it is scoped and quoted separately from the core IS audit.

Practitioner noteWe recommend clients treat penetration testing and the broader IS/security audit as complementary rather than substitutes — a clean penetration test result does not mean access governance or data protection practices are adequate, and vice versa.
Our business runs entirely on cloud SaaS platforms with no on-premise servers. Is an audit still relevant?

Yes, arguably more so. A cloud-first environment shifts some infrastructure risk to the vendor but does not eliminate your organisation's responsibility for access management, data classification, vendor due diligence, and data residency/cross-border transfer compliance. We assess your shared-responsibility understanding with each cloud vendor, review the vendor's own security certifications and contractual commitments, and test your organisation's side of the access and configuration controls within those platforms.

Practitioner noteA surprising number of businesses assume that because a major cloud provider is 'secure', their own responsibilities are minimal. The provider secures the infrastructure; your organisation is generally still responsible for configuring access, permissions, and data handling correctly within that infrastructure.
What is the difference between IT general controls (ITGCs) and application controls?

IT general controls are the foundational controls that support the reliable operation of all systems — access management, change management, backup and recovery, and physical/environmental security. Application controls are controls embedded within a specific application to ensure accurate and complete processing of transactions — for example, a three-way match control in the ERP between purchase order, goods receipt, and invoice before payment is released. Application controls depend on the underlying ITGCs being sound; weak ITGCs can undermine even well-designed application controls.

Practitioner noteWe test both layers together, because a well-designed application control can be defeated entirely by a weak ITGC — for example, an approval workflow control means little if a user with unauthorised admin access can bypass or reconfigure it directly in the database.
What happens if the audit finds a serious control weakness — do you have to report it to a regulator?

PNPC's IS/security audit report is addressed to management and the Board/Audit Committee, not automatically filed with a regulator. Whether and how findings need to be reported externally depends on your specific regulatory relationship — for example, a Central Bank-regulated entity may have its own obligation to disclose material control weaknesses to its supervisor, separate from our reporting to you. We help clients understand this distinction and, where relevant, coordinate with legal or compliance advisors on external notification obligations.

Practitioner noteWe are careful not to overstate our role — PNPC reports findings to the client. Any onward regulatory notification obligation is the client's, guided by their own regulatory relationship and legal advice, though we are glad to support that conversation with technical context.
Can PNPC perform this audit if you are also our accounting or tax advisor?

In many cases, yes, subject to an independence assessment specific to the engagement — particularly checking that PNPC has not been involved in designing or implementing the very controls being tested, which would create a self-review threat. Where such a conflict exists, we either adjust the scope, bring in an independent reviewer for the conflicted area, or decline that specific piece of work while continuing other engagements.

Practitioner noteWe flag this explicitly at the proposal stage rather than after fieldwork has started — an independence issue discovered mid-engagement is disruptive and can undermine the credibility of the final report with your Board or regulator.
What does the final report actually look like?

The report typically includes an executive summary for the Board/Audit Committee, the scope and approach taken, detailed findings organised by control area (access management, change management, network security, data protection, business continuity, incident response), a risk rating for each finding based on likelihood and business impact, root cause analysis, and an agreed remediation roadmap with target timelines and named owners from the client's IT team.

Practitioner noteWe deliberately keep the executive summary short and readable for non-technical Board members, with the detailed technical findings in an appendix for the IT team to action — the two audiences need the same facts presented very differently.
How much does an IS/Information Security Audit cost in the UAE?

Cost depends heavily on the number of systems in scope, the complexity of your IT environment, whether the engagement is single-entity or multi-entity/multi-jurisdiction, and whether specific regulatory frameworks (Central Bank guidance, DIFC/ADGM regimes) apply. PNPC provides a written scope and fixed fee proposal after an initial scoping conversation — we do not quote a generic figure before understanding your environment, because doing so either underestimates the work needed or overcharges a simpler engagement.

Practitioner noteAsk any provider for a written scope before signing — a vague 'IT security audit' quote with no defined systems list, testing approach, or deliverable format is a common source of scope disputes later.
We had a security incident recently. Should we do a full IS audit or something more focused?

Immediately after an incident, a focused post-incident review — root cause analysis of exactly what happened, how the control failed, and what needs immediate remediation — is usually the right first step, not a full-scope audit. A broader IS/security audit is valuable afterward, once immediate fixes are in place, to check whether the same weakness exists elsewhere in the environment and whether other control areas need attention.

Practitioner noteWe have seen organisations rush into a full audit immediately post-incident when what was actually needed first was rapid containment and root-cause fix. Sequencing matters — we help clients decide which comes first.
Do you test our backup and disaster recovery arrangements as part of this audit?

Yes. We review the backup policy, schedule, and retention settings, and — importantly — look for evidence that a restore or recovery test has actually been performed recently, not just that backup jobs are running. We also assess whether documented recovery time objectives (RTO) and recovery point objectives (RPO) are realistic given the business's actual tolerance for downtime and data loss.

Practitioner noteA backup that has never been test-restored is an unverified assumption, not a control. This is one of the more common gaps we find — backups run nightly for years with no one ever confirming a full restore actually works end-to-end.
What is segregation of duties, and why does it come up so often in these audits?

Segregation of duties is the principle that no single individual should control all stages of a critical transaction — for example, creating a vendor, approving a purchase order, and authorising payment to that vendor. Where one person can perform all three, the risk of fraud or error goes up significantly and is very hard to detect. UAE ERPs, especially in fast-growing mid-market businesses, often have segregation-of-duties conflicts that accumulated as access was granted informally over time.

Practitioner noteWe build a segregation-of-duties matrix specific to your business processes rather than applying a generic template — the 'critical combinations' differ meaningfully between a trading business, a services firm, and a manufacturer.
Does this audit cover our mobile apps or customer-facing digital platforms?

It can, if scoped in. Customer-facing applications introduce additional considerations — authentication design, session management, API security, and how customer personal data is collected, stored, and protected. We include these in scope where the business has a customer-facing digital platform handling meaningful data or transaction volume, and can bring in specialist application security testing where deeper technical testing is warranted.

Practitioner noteWe scope customer-facing platforms explicitly and separately from internal back-office systems, because the risk profile, regulatory exposure (particularly around personal data), and testing approach are quite different.
What is the role of the Audit Committee in this process?

Where a Board or Audit Committee exists, they are typically the ultimate recipient of the IS/security audit report, responsible for overseeing that management takes appropriate remediation action and that recurring findings are addressed structurally rather than repeatedly patched. PNPC can present findings directly to the Audit Committee and support them in framing follow-up questions to management.

Practitioner noteAudit Committees that only receive a written report — with no live discussion — often accept management's remediation timeline without probing whether it is realistic. A direct presentation changes that dynamic meaningfully.
We don't have a formal Audit Committee. Can we still commission this audit?

Yes. Many UAE SMEs and privately-held businesses commission an IS/security audit without a formal Audit Committee structure — the report is simply addressed to the owners, managing director, or senior management team responsible for IT risk oversight. The value of the exercise does not depend on having a formal committee structure in place.

Practitioner noteWe adapt the reporting format to the actual governance structure of the client — a formal Board pack for a regulated entity looks very different from a plain-language summary for an owner-managed business, even though the underlying testing is the same.
How does this relate to UAE Corporate Tax and VAT compliance?

There is an indirect but real connection: IT general controls over your accounting/ERP system directly affect the reliability of the financial data used for UAE Corporate Tax computations (9% on taxable income above AED 375,000, with a 0% regime for Qualifying Free Zone Persons meeting the conditions) and VAT filings through the Federal Tax Authority's EmaraTax portal. Weak access or change controls over the general ledger or invoicing module increase the risk of errors or unauthorised changes that could distort tax filings.

Practitioner noteWe do not treat the IS audit as a tax compliance review, but we do flag any control weakness we identify that has a direct bearing on the integrity of tax-relevant data, so management can loop in their tax team.
What is EmaraTax, and does it come up in this audit?

EmaraTax is the Federal Tax Authority's current digital tax administration portal, used for VAT and Corporate Tax registration, filing, and correspondence, live since December 2022 (replacing the FTA's earlier e-Services portal). It is not itself a system PNPC audits under an IS/security engagement, but where a business's internal systems feed data into EmaraTax filings, the integrity of those upstream systems is relevant context we consider when scoping.

Practitioner noteWe occasionally see clients or their staff still refer to the old FTA e-Services portal — that portal is no longer the FTA's live filing system; EmaraTax is the current platform for VAT and Corporate Tax matters.
Does the Economic Substance Regulations (ESR) regime have any bearing on this audit?

No, not directly, and it is worth clarifying: ESR notification and report filing obligations were discontinued for financial years starting on or after 1 January 2023, under Cabinet Decision No. 98 of 2024. For financial years before that date, historical ESR filings may still be relevant to a company's compliance record, but ESR is not an ongoing live filing obligation for current financial years and does not form part of an IS/security audit scope.

Practitioner noteWe occasionally get asked whether IT systems need to demonstrate ESR-related evidence. For current financial years this is no longer a live requirement, and we clarify this promptly rather than building irrelevant work into the audit scope.
Do you look at AML/CFT-related IT controls as part of this audit?

Where relevant to the client's sector — particularly Designated Non-Financial Businesses and Professions (DNFBPs) and financial institutions subject to AML/CFT obligations — we can assess whether IT systems supporting customer due diligence, transaction monitoring, and goAML reporting have adequate access controls and data integrity safeguards. This is scoped in specifically rather than assumed as a default component, since AML/CFT compliance itself is a distinct regulatory workstream from general IT security.

Practitioner noteWe coordinate with a client's AML compliance officer or advisor when this is in scope, rather than duplicating a separate AML compliance review — the IS audit angle is specifically the IT control layer supporting AML processes, not the AML policy itself.
What if our IT function is fully outsourced to a third-party managed service provider?

We still audit the effectiveness of controls regardless of who operates them — the fact that IT is outsourced does not remove the organisation's responsibility for oversight. We review the service provider's SLA, security certifications, and the client's own vendor management and oversight process, and, where access allows, test controls directly with the service provider's cooperation.

Practitioner noteOutsourcing IT operations is common in the UAE SME market and is not itself a weakness — but 'we outsourced it so it's someone else's problem' is a governance gap we flag whenever we see it, because ultimate accountability for data protection typically remains with your organisation as the data controller.
Can this audit help us prepare for ISO/IEC 27001 certification later?

Yes. Many of the control areas we test — access management, risk assessment, incident response, business continuity — map closely to ISO/IEC 27001's Annex A controls. An IS/security audit can serve as a useful readiness assessment before engaging an accredited certification body, helping identify and close gaps in advance rather than discovering them during the formal certification audit.

Practitioner noteWe are explicit with clients that PNPC does not issue ISO 27001 certificates — that requires an accredited certification body. Our audit can meaningfully reduce the risk of surprises during that formal process, but it is a distinct engagement.
How often should we repeat this audit?

Annually is common for regulated financial institutions or businesses with significant data sensitivity, given evolving threats and system changes. Biennially can be appropriate for lower-risk, more stable environments. Trigger-based reviews — after a major system change, security incident, or ahead of a facility renewal or major customer contract — are advisable regardless of your standing cycle.

Practitioner noteWe recommend building the audit into your annual governance calendar rather than waiting for a bank or regulator to request it reactively — a proactive posture is viewed far more favourably by both regulators and commercial counterparties.
Will the audit disrupt our day-to-day IT operations?

Fieldwork is designed to minimise disruption — most testing involves reviewing configuration screens, evidence, and logs alongside your IT team rather than making changes to live systems. Where any testing could touch production systems (for example, sampling live transactions), we coordinate timing with your IT team in advance to avoid impacting business operations.

Practitioner noteWe schedule fieldwork sessions around your IT team's availability and business-critical periods (month-end closing, peak trading periods) — an audit that disrupts operations during a critical period undermines its own credibility with management.
What is the single most common finding PNPC sees in UAE IS/security audits?

Access that was appropriate when granted but never reviewed or revoked as roles changed — former employees with active accounts, staff retaining access from a previous role after an internal transfer, and segregation-of-duties conflicts in the ERP that accumulated informally. These are process gaps, not exotic technical vulnerabilities, and are usually straightforward and low-cost to remediate once identified.

Practitioner noteThe good news is that these are almost always fixable quickly with a disciplined quarterly access review process — the hard part is establishing the discipline to keep doing it, which is exactly where we help clients build a sustainable process rather than a one-time clean-up.
How does PNPC's Dubai presence help compared to engaging a purely technical cyber security firm?

A pure technical security firm may test systems well but often lacks the regulatory and financial reporting context that a Chartered Accountancy firm brings — understanding how IT controls interact with financial statement integrity, Central Bank supervisory expectations, DIFC/ADGM compliance regimes, and Board governance reporting expectations. PNPC's Dubai team combines CA-led assurance methodology with dedicated IT audit expertise, and coordinates with our India offices for any group entities with an India presence.

Practitioner noteWe are frequently engaged after a client's purely technical vendor produced a report that was accurate but unusable by the Board — full of jargon, no risk framing, no link to financial reporting or regulatory obligations. We build the report for the audience that has to act on it.
Do you provide ongoing support after the audit report is delivered?

Yes. PNPC offers remediation tracking support and can perform a follow-up re-test 3–6 months after the report to confirm agreed actions were actually implemented, not just marked complete by management. We also remain available for ad hoc advisory questions as the IT team works through the remediation roadmap.

Practitioner noteThe audits that create the most lasting value are the ones where someone circles back months later to check the fixes actually happened. We build this follow-up into our standard engagement offering rather than treating the report delivery as the end of the relationship.
Can PNPC coordinate this audit if our group has entities in both the UAE and India?

Yes. PNPC operates from Dubai, Chennai, Bangalore, and Hyderabad, which allows us to coordinate an IS/security audit across a group with both UAE and India entities under a single engagement team — ensuring consistent methodology and a coherent group-level report, rather than two disconnected exercises run by separate local providers.

Practitioner noteGroup structures with both UAE and India entities often have data flowing between the two — intercompany financial data, shared systems, or shared vendors. A single coordinated audit catches control gaps at the interface between entities that two separate, uncoordinated audits would likely miss.
Why PNPC Global
FeatureGeneric IT Security VendorBig-4 / Large International FirmPNPC Global
Regulatory context (UAE)Often generic global checklist, limited UAE-specific regulatory mappingStrong regulatory knowledge, but engagement teams may rotate and cost is high for mid-market clientsDeep UAE regulatory grounding — Central Bank guidance, DIFC/ADGM regimes, UAE data protection law — at a scale appropriate for mid-market clients
Report usability for BoardOften heavily technical, hard for non-technical Board members to act onGenerally strong, but can be templated and less tailored for smaller entitiesWritten specifically for the audience — plain executive summary for the Board, detailed technical findings for IT
Independence handlingRarely formally assessedRigorously assessed but with long engagement lead timesIndependence assessed transparently at proposal stage — flagged upfront, not discovered mid-engagement
India-UAE group coordinationNot typically offeredAvailable but often through separate regional teams with handoff frictionSingle coordinated team across Dubai, Chennai, Bangalore, and Hyderabad offices
Remediation follow-upRarely included as standardAvailable as a separate paid engagementFollow-up re-testing built into our standard engagement offering
Fee structureCan be opaque or scope-creep pronePremium pricing, often less flexible for mid-market scopeFixed, written fee proposal agreed after scoping — no surprise charges
Direct access to engagement leadSupport ticket or account manager layerPartner access typically reserved for the largest clientsDirect phone/WhatsApp access to your engagement lead throughout and after the audit

What the PNPC package includes

  1. 01

    Regulatory scoping conversation — identifying the actual driver (Central Bank, DIFC/ADGM, bank covenant, customer contract, internal risk) before fieldwork begins

  2. 02

    Independence assessment where PNPC provides other services to the same client

  3. 03

    Risk-based scope definition across systems, locations, and data flows — not a blanket one-size-fits-all checklist

  4. 04

    IT general controls testing — access management, change management, backup and recovery, physical/environmental security

  5. 05

    Application control testing embedded in your ERP/finance systems, including segregation-of-duties analysis

  6. 06

    Network and infrastructure security review, including remote access and VPN configuration

  7. 07

    Cloud and third-party/vendor risk assessment, including data residency and cross-border transfer considerations

  8. 08

    Data protection and privacy controls review against the applicable UAE federal, DIFC, or ADGM regime

  9. 09

    Business continuity and disaster recovery testing, including evidence of actual recovery testing

  10. 10

    Incident response readiness review

  11. 11

    Risk-rated findings report with root cause analysis and a realistic, agreed remediation roadmap

  12. 12

    Direct presentation of findings to the Board or Audit Committee where requested

  13. 13

    Optional remediation follow-up and re-testing 3–6 months after report delivery

  14. 14

    Single coordinated team for groups with both UAE and India entities

Speak directly with a PNPC engagement lead who understands both the technical control testing and the UAE regulatory context your Board actually needs addressed — not a generic global checklist and not a report that sits unread. We scope, test, report, and follow up until remediation is real.

Jurisdiction

🇦🇪
United Arab Emirates

Free zone, mainland & offshore

Ready to get started?

Tell us about your requirement — a UAE specialist responds within 24 hours.

← Back to Information Systems & IT Audit