UAEServicesAudit & AssuranceSpecialised Audit & CertificationInternal Control Over Financial Reporting (ICFR) Review

Audit & Assurance · Specialised Audit & Certification

Internal Control Over Financial Reporting (ICFR) Review

An independent, evidence-based assessment of the controls that stand between your financial statements and a material misstatement — designed and reduced to writing, walked through, and tested by chartered accountants who know the difference between a control that exists on paper and a control that actually operates every month, for boards, audit committees, lenders, and group finance functions across the UAE.

Chartered Accountants · Dubai · Since 1986

What Internal Control Over Financial Reporting (ICFR) Review is

An Internal Control over Financial Reporting (ICFR) review is an independent assessment of the design and operating effectiveness of the controls a business relies on to produce financial statements that are complete, accurate, and free from material misstatement — whether caused by error or fraud. It examines the control environment around each significant financial statement line (revenue, payroll, procurement-to-pay, treasury, fixed assets, journal entries, financial close) and asks two distinct questions for each: is the control designed properly to prevent or detect a misstatement, and is it actually operating as designed, consistently, by the people responsible for it. A control that exists in a policy manual but is routinely bypassed under deadline pressure is a design that works on paper and fails in substance — an ICFR review is built to catch exactly that gap.

In the UAE, demand for a standalone ICFR review comes from several directions at once. Group finance functions of multinational or India-UAE cross-border groups increasingly apply parent-company control frameworks (often modelled on COSO's Internal Control – Integrated Framework, the internationally recognised benchmark most auditors and audit committees reference) to their UAE subsidiaries, and want independent confirmation the local entity meets that bar before consolidation. Boards and audit committees preparing for a listing, a private equity investment, or a banking facility renewal commission an ICFR review to surface control weaknesses before an external party finds them first. Statutory auditors performing the annual financial statement audit under International Standards on Auditing (ISA) evaluate internal control as part of their risk assessment (principally ISA 315 and ISA 330), and a dedicated pre-audit ICFR review reduces the number of control deficiencies the statutory auditor otherwise discovers mid-fieldwork — which is invariably more disruptive and more expensive to remediate against a live audit timeline. Companies that have experienced a fraud incident, a restatement, or a near-miss commission an ICFR review to establish what broke and to rebuild the control structure with evidence, not assumption.

An ICFR review is not itself a UAE statutory requirement — there is no dedicated federal law mandating a standalone ICFR opinion for UAE mainland or free zone companies, unlike jurisdictions such as the United States where Sarbanes-Oxley Section 404 imposes a formal ICFR attestation regime on listed companies. What UAE law does require, for most mainland LLCs under Federal Decree-Law No. 32 of 2021 (the Commercial Companies Law) and for the majority of free zone entities, is an annual audited financial statement — and the reliability of that audit rests substantially on the quality of the underlying internal controls. Increasingly, UAE-listed and DIFC/ADGM-regulated entities, and companies preparing for one of those pathways, treat a documented ICFR framework as a practical necessity even where no single statute compels it, because both the Federal Tax Authority's expectations around Corporate Tax record-keeping under Federal Decree-Law No. 47 of 2022 and a bank's own credit risk assessment increasingly assume the numbers behind a facility application or a tax return were produced under a control environment that can withstand scrutiny.

The engagement combines several distinct techniques applied consistently across in-scope processes: control identification and documentation (walkthroughs, narratives, and RCMs — risk and control matrices — mapping each significant risk to the control that mitigates it); design effectiveness assessment (does the control, as designed, actually address the risk it is meant to cover, and is it positioned at the right point in the process); operating effectiveness testing (sample-based testing of whether the control actually operated as designed over the period under review, not just on the day of the walkthrough); and a gap and remediation report that ranks findings by the materiality of the risk they leave exposed, not merely by how easy they are to fix. PNPC structures every UAE ICFR review to produce a report a board, an incoming statutory auditor, or a parent-company internal audit function can act on directly — not a generic maturity-model score with no path to remediation.

What commonly goes undetected without an ICFR review is not usually a single catastrophic control failure — it is an accumulation of smaller gaps that compound. A journal entry approval workflow that exists in the ERP but where the approver role is shared with the preparer; a bank reconciliation performed monthly but never independently reviewed; segregation of duties that looked adequate at incorporation but eroded as the finance team grew informally; a month-end close checklist that nobody actually follows once deadlines slip. Each is individually survivable. Together, across a full financial statement cycle, they are exactly the pattern that produces a restatement, a qualified audit opinion, or a fraud that runs undetected for longer than it should.

The real scoping decisions on this engagement are the framework to benchmark against (COSO's five components — control environment, risk assessment, control activities, information and communication, and monitoring — is the most commonly used reference point, though a parent group's own framework or a bank's specific expectations sometimes take precedence), the processes and locations in scope (a full-entity review versus a targeted review of the highest-risk cycles such as revenue recognition or procurement), and the testing period (a point-in-time design assessment versus operating effectiveness testing over a full financial year, which requires a longer sample period and more evidence). Get these three agreed in writing at scoping, and the review runs cleanly; leave them ambiguous, and the findings get disputed as being out of scope or insufficiently evidenced.

The output is a structured ICFR review report — control environment assessment, process-level risk and control matrices, design and operating effectiveness conclusions by control, a ranked deficiency register (control deficiency, significant deficiency, or material weakness, using standard audit terminology), and a remediation roadmap with named owners and target dates. PNPC keeps every finding traceable to the specific walkthrough, test sample, or document reviewed, so the report withstands scrutiny from a statutory auditor, a parent-company internal audit team, or a bank credit committee months after issuance.

When an ICFR review makes sense

A UAE subsidiary of an international or India-UAE group needs to demonstrate its control environment meets the parent group's framework (typically COSO-based) ahead of consolidation or group audit sign-off

The board or audit committee wants an independent assessment of financial reporting controls ahead of a listing, private equity investment, or significant banking facility, before an external party finds the gaps first

Your statutory auditor flagged control deficiencies during the annual audit and management wants a structured, independent review to close them properly rather than patch them ad hoc

A recent fraud incident, restatement, or near-miss has raised the question of what control actually failed, and management wants an evidence-based answer rather than an assumption

Your finance team has grown quickly and informal controls that worked when three people ran finance have not been re-designed for a team of fifteen across multiple entities or locations

You are implementing a new ERP or finance system and want the control framework re-mapped and tested against the new process flows before go-live embeds any gaps

A bank or investor has specifically asked for evidence of internal control maturity as part of due diligence, separate from the audited financial statements themselves

You want a pre-audit control review timed to run ahead of year-end fieldwork, so control deficiencies are identified and where possible remediated before the statutory auditor's testing begins

Group finance wants a consistent, comparable ICFR maturity assessment across multiple UAE and India entities using one methodology rather than ad hoc, inconsistent local reviews

When another engagement fits better

You need the annual statutory financial statement audit itself — an ICFR review assesses controls, it does not express an opinion on the financial statements as a whole

You are looking for a forensic investigation to identify a specific perpetrator of suspected fraud — that is a scoped forensic engagement with a different evidentiary standard, though an ICFR review can surface the indicators that justify commissioning one

Your business is very small with a handful of transactions a month and formal segregation of duties is genuinely impractical — a lighter compensating-controls review or basic bookkeeping oversight may be more proportionate than a full ICFR framework exercise

You need day-to-day process documentation or SOP (standard operating procedure) drafting with no independent testing component — that is a process design engagement, not an assurance review

You are seeking a formal Sarbanes-Oxley Section 404 attestation for a US-listed parent — that is a specific US regulatory regime with its own methodology and applies only where the group's US listing status actually requires it, though the underlying UAE-entity fieldwork overlaps substantially with a standard ICFR review

The requirement is really for general internal audit covering operational and compliance risk across the business, not specifically financial reporting controls

You want a report that confirms controls are adequate regardless of what testing shows — an independent review reports what the evidence supports, and findings cannot be pre-determined to satisfy a parent company or bank

The business has no financial statements or ERP data yet (pre-revenue or pre-launch) — there is no operating control environment to test until transactions are actually flowing through the business

You need IT general controls (ITGC) or cybersecurity-specific assurance as the primary deliverable — that sits with a dedicated IT/ERP controls or cybersecurity audit, though ITGC is typically referenced within a full ICFR scope where financially relevant systems are in play

Structure Comparison

ICFR review vs. related UAE assurance and controls engagements

FeatureICFR ReviewStatutory Financial AuditInternal AuditSOX 404 Attestation (US-listed parent only)Forensic / Fraud Investigation
Primary purposeAssess design and operating effectiveness of controls over financial reportingOpinion on whether financial statements as a whole are fairly presentedOngoing review of processes, risk, and controls across the whole businessFormal management assertion and (where applicable) auditor attestation on ICFR effectiveness under US securities lawEstablish facts around a specific suspected fraud or irregularity
Typical commissioning partyBoard, audit committee, group finance, or managementShareholders/board (mandatory for most mainland LLCs, many free zones)Board/audit committeeGroup CFO/audit committee of the listed parentBoard, shareholders, or legal counsel
Independence requiredRecommended — external CA firm gives more credibility to the reportYes — licensed UAE auditorPreferably independent, can be in-houseYes, plus external auditor attestation for accelerated filersYes, especially where findings may be relied on in a dispute
ScopeControls over significant financial statement processes and accountsFull financial statements; controls tested only as needed to support audit risk assessmentVaries by mandate — operational, compliance, and financial controlsEntity-level and process-level ICFR under a formal COSO-based framework, US SEC rulesSpecific transactions, individuals, or allegations under investigation
Regulatory basis in the UAENo dedicated UAE statute; governed by engagement terms, COSO or group framework, and professional standardsUAE Commercial Companies Law (Federal Decree-Law No. 32 of 2021) and free zone regulations require audited accounts for most entitiesNo specific UAE federal mandate; driven by governance policyUS Sarbanes-Oxley Act Section 404, not a UAE requirement — relevant only via a US-listed parentNo single statute; scope set by instructing party or court
OutputICFR review report: RCMs, design/operating effectiveness conclusions, ranked deficiency register, remediation roadmapAuditor's report and opinion on financial statementsInternal audit report to management/audit committeeManagement's ICFR assertion plus auditor's attestation report (where required)Findings of fact report, often with recommendations on further action
Reliance by third partiesBoards, group finance, incoming statutory auditors, and sometimes banks rely on itRegulators, banks, investors, tax authorities all rely on itGenerally internal use, occasionally shared with lendersSEC, external auditors, and public markets rely on the attestationInstructing party and, where relevant, legal counsel or a court
Typical trigger in UAE contextGroup consolidation requirement, pre-listing prep, post-incident review, pre-audit readinessAnnual licence renewal / shareholder requirementBoard/audit committee mandate for ongoing assuranceOnly where the UAE entity's parent is US-listed and in scope of SOXSuspected fraud, whistleblower report, unexplained variance

Businesses preparing for a listing or a parent-group consolidation frequently commission an ICFR review and then use its findings to brief the statutory auditor — the two engagements are complementary, not substitutes for each other. Where a US-listed parent is in scope of SOX Section 404, the UAE subsidiary's ICFR review fieldwork typically forms the local building block for the group's formal attestation, but the review itself remains a UAE-scoped assurance engagement rather than a SOX filing.

How a PNPC Global UAE ICFR review engagement runs, start to finish

How a PNPC Global UAE ICFR review engagement runs, start to finish

#Stage & What PNPC DoesWhat Boards/Group Finance Actually Check ForTypical Timeline
1Scoping call — confirm trigger (group consolidation, pre-listing, pre-audit, post-incident), entities/processes in scope, and the framework to benchmark against (COSO, parent-group framework, or bank-specific expectations)Whether scope matches exactly what the board, group finance, or the incoming statutory auditor actually needs — mismatched scope is the most common cause of rework2-3 working days
2Engagement letter issued defining processes in scope, testing period (design-only versus operating effectiveness over a defined period), and reporting formatClear, written scope so there is no dispute later about what was and was not tested1-2 working days
3Entity-level control assessment — tone at the top, governance structure, whistleblower/reporting channels, and management's own risk assessment processWhether entity-level controls are strong enough to give comfort that process-level controls will be taken seriously and maintained, not just documented once3-5 working days
4Process walkthroughs — revenue, procurement-to-pay, payroll, treasury/cash, fixed assets, journal entries, and financial close, mapped into risk and control matrices (RCMs)Whether the walkthrough reflects how the process actually runs day-to-day, not the idealised version in the policy manual1-2 weeks depending on number of processes and locations in scope
5Design effectiveness assessment — for each control identified, confirm it is positioned to actually address the risk it is meant to mitigateWhether controls exist at the right point in the process (preventive, where possible, not purely detective after the fact)3-5 working days
6Sample selection and operating effectiveness testing — test whether controls actually operated as designed across the review period, not just on the walkthrough dateSample sizes and selection methodology defensible to a statutory auditor or group internal audit function reviewing the work1-2 weeks depending on sample sizes and evidence availability
7Segregation of duties analysis across ERP/system roles for financially significant processes, including journal entry preparer/approver conflictsWhether access rights were ever formally reviewed, or have simply accumulated as staff changed roles over time3-5 working days
8IT general controls (ITGC) review to the extent financially relevant — access management, change management, and backup/recovery for systems feeding the financial statementsWhether the underlying system environment is stable enough for process-level controls to be relied upon at all3-5 working days
9Deficiency evaluation and classification — each finding ranked as a control deficiency, significant deficiency, or material weakness based on the materiality of the risk left exposedWhether findings are risk-ranked with quantified or reasoned impact, not just listed as observations3-5 working days
10Draft ICFR review report circulated with RCMs, testing results, deficiency register, and preliminary remediation recommendationsWhether findings are evidenced and cross-referenced to specific walkthroughs, samples, or documents reviewed1 week
11Management response sought on each finding before finalisation, including proposed remediation timelinesWhether management accepts, disputes, or provides additional evidence for each finding3-5 working days
12Final report issued to the board, audit committee, group finance function, or statutory auditor, with a closing discussion if requiredWhether the report format and terminology align with what the incoming statutory auditor or group internal audit team expects to see2-3 working days
13Remediation roadmap agreed with named owners and target dates for each open finding, ranked by risk priorityWhether high-risk findings have an owner and a realistic date, not an open-ended commitment to 'look into it'At report issue
14Statutory auditor briefing — where requested, PNPC walks the incoming or existing statutory auditor through the ICFR findings to reduce duplicated control testing during the year-end auditWhether the review genuinely reduces statutory audit control-testing effort, or just adds another document to the fileAs required
15Remediation verification cycle scheduled — follow-up review of the highest-risk findings at an agreed interval to confirm remediation actually happenedWhether 'closed' findings were verified as remediated, not just marked closed on management's wordSet at handover

A single-entity, moderate-complexity ICFR review covering the core financial statement cycles typically runs 4-6 weeks from scoping to final report. Multi-entity group reviews, or reviews requiring a full-year operating effectiveness testing period rather than a point-in-time design assessment, run longer. Reviews timed ahead of year-end statutory audit fieldwork should be scoped with enough lead time to allow remediation before the auditor's own testing begins.

Document Checklist
Entity & engagement documents

Trade licence and Memorandum/Articles of Association or free zone registration certificate for each entity in scope

Group control framework document or parent-company ICFR policy, where the review is benchmarked against a group standard

Board resolution or audit committee minutes commissioning the review, or the bank/investor request specifying the requirement

Prior internal audit or ICFR review reports for the same entity, if any

Engagement letter signed by both parties setting out scope, framework, and testing period

Process documentation

Existing SOPs, process narratives, or flowcharts for revenue, procurement-to-pay, payroll, treasury, fixed assets, and financial close

Organisation chart identifying process owners, approvers, and reviewers for each significant financial cycle

Delegation of authority matrix or approval-limits policy currently in force

Chart of accounts and month-end close checklist currently used by the finance team

ERP or accounting system module list and workflow configuration for financially significant processes

Financial & transactional evidence

Trial balance, general ledger extracts, and journal entry listing for the period under review

Bank reconciliation working papers for all operating accounts over the sample period

Sample of purchase orders, invoices, and payment approvals for procurement-to-pay testing

Payroll registers and WPS (Wage Protection System) submission records for payroll control testing

Fixed asset register and capitalisation/disposal approval documentation

Systems, access & IT controls

ERP/finance system user access rights listing, including journal entry preparer and approver roles

Change management log for financially significant system configuration changes during the review period

IT policy documents covering access provisioning, de-provisioning, and periodic access review

Backup and disaster recovery documentation for systems feeding the financial statements

Governance & oversight evidence

Audit committee or board finance-committee meeting minutes for the review period

Whistleblower or ethics-hotline policy and any reports logged during the period

Management's own risk assessment or control self-assessment documentation, if performed

Statutory auditor's prior-year management letter or control-deficiency communications, if available

Authority and registry evidence

Authority, registrar, free zone, bank, or property records relevant to internal control over financial reporting review.

Current licence, certificate, permit, title, visa, or filing status evidence where applicable.

Open queries, rejected applications, expired records, or pending amendments that may affect scope.

Controls, approvals and assumptions

Management sign-off for assumptions, exceptions, and risk tolerance used in the ICFR review.

Approval trails, resolutions, meeting notes, or stakeholder instructions supporting the requested outcome.

Named client-side owner for each unresolved item after handover.

Reporting and handover requirements

Preferred recipient and use of the final ICFR review output, because a board, group finance function, statutory auditor, or bank may need different framing.

Prior reports, applications, renewals, certificates, or correspondence to preserve continuity.

Post-completion calendar for remediation verification, renewals, or authority follow-up.

Ongoing ICFR lifecycle for UAE businesses with recurring or evolving control requirements

Ongoing ICFR lifecycle for UAE businesses with recurring or evolving control requirements

PhaseTriggered ByPNPC GuidanceRisk If Ignored
Baseline ICFR reviewFirst-time group consolidation requirement, pre-listing preparation, or board requestEstablish a clean process-by-process risk and control matrix and a documented deficiency register from day oneThe entity enters a listing process, audit, or facility renewal with no evidence base for its own control maturity
Annual or periodic re-reviewGroup policy, board mandate, or bank covenant requiring recurring ICFR assuranceKeep RCMs and testing evidence updated between cycles so each review builds on the last rather than starting freshRecurring reviews get progressively harder and more expensive if documentation and evidence trails are not maintained
Post-incident reviewA fraud event, restatement, or near-miss reveals a control gapCommission a targeted, evidence-based review of the specific process that failed, not just a general reassurance exerciseRoot cause is never established, and the same gap resurfaces under different circumstances
Pre-audit readiness reviewYear-end statutory audit approaching and management wants to reduce audit-fieldwork surprisesTime the ICFR review to complete with enough lead time for remediation before the statutory auditor's own control testing beginsStatutory auditor finds control deficiencies mid-fieldwork, disrupting the audit timeline and often triggering additional audit procedures and cost
ERP or system migrationNew finance system go-live or major module changeRe-map RCMs against the new process flows and retest before go-live embeds untested controls into daily operationMigration carries forward undocumented workarounds that become permanent, undetected control gaps
Rapid finance team growthHeadcount in finance doubles or the team spans multiple entities/locationsFormalise segregation of duties and approval hierarchies before informal practices calcify into inconsistent, undocumented habitsControls that worked for a three-person finance team fail silently once the team and transaction volume scale
Remediation follow-upPrior ICFR review identified material control weaknessesTrack management's corrective actions and independently verify at the next review that they were actually implemented, not just marked closedUnresolved control weaknesses recur and erode the board's or group finance function's confidence in subsequent reports
Group framework changeParent company adopts a new or updated control framework, or acquires the UAE entity into an existing group structureRe-benchmark the local entity's RCMs against the new framework promptly rather than reporting against a superseded standardGroup consolidation of control assurance becomes inconsistent, and the UAE entity's report is rejected by group internal audit as non-comparable
Access rights review cyclePeriodic (commonly annual) review of ERP/system access rights falls dueIndependently verify access rights match current roles, particularly journal entry preparer/approver segregationAccess creep from staff role changes silently erodes segregation-of-duties controls between reviews
Facility renewal or capital raiseBank or investor requests updated evidence of control maturity as part of renewal or investment due diligenceProvide a current, clean ICFR review trail as part of the renewal or fundraising packageWeak or outdated control assurance evidence weakens the negotiating position with the bank or investor

Businesses that treat ICFR as a maintained control framework rather than a one-off compliance exercise consistently get faster, cheaper subsequent reviews and stronger standing with statutory auditors, banks, and group internal audit functions.

Frequently asked
What exactly is an ICFR review in the UAE context?

It is an independent assessment of the controls a business relies on to produce accurate, complete financial statements — examining both whether each control is properly designed to address a specific risk and whether it actually operated as designed over the review period. It is commonly commissioned by boards, group finance functions, or ahead of a listing, investment, or major banking facility.

Practitioner noteClients sometimes assume an ICFR review is a statutory filing requirement. It is not — there is no dedicated UAE law mandating a standalone ICFR opinion. It exists because a board, group parent, or counterparty wants independent comfort on control quality, and the terms of that request define the scope.
Is an ICFR review legally required in the UAE?

No single UAE statute mandates a stand-alone ICFR review for mainland or free zone companies. It becomes necessary contractually or operationally — most commonly because a parent group's consolidation framework requires it, a board or audit committee wants pre-listing assurance, or a bank or investor specifically asks for evidence of control maturity.

Practitioner noteAlways check whether the requirement originates from a group policy, a bank covenant, or an internal board decision — the source of the requirement usually dictates the framework and reporting format expected.
How is an ICFR review different from the annual statutory audit?

The statutory audit gives an opinion on the financial statements as a whole, and evaluates internal control only to the extent needed to plan and perform that audit efficiently under ISA 315 and ISA 330. An ICFR review is a dedicated, deeper examination of the control environment itself — walkthroughs, risk and control matrices, design assessment, and operating effectiveness testing across each significant financial reporting process.

Practitioner noteAn ICFR review does not replace the statutory audit, and the statutory audit's incidental control observations do not substitute for a dedicated ICFR review — they serve different purposes, though a well-timed ICFR review can materially reduce statutory audit control-testing effort.
What framework does PNPC benchmark against for a UAE ICFR review?

Most commonly the COSO Internal Control – Integrated Framework (control environment, risk assessment, control activities, information and communication, and monitoring activities), which is the internationally recognised reference point most auditors and audit committees use. Where a parent group has its own control framework, or a bank has specific expectations, we benchmark against that instead, agreed explicitly at scoping.

Practitioner noteWe confirm the exact framework in writing before fieldwork starts — reviewing against the wrong framework produces a report that group internal audit or the parent company will not accept as comparable to its own standard.
What is the difference between design effectiveness and operating effectiveness?

Design effectiveness asks whether a control, as designed, would actually prevent or detect the risk it is meant to address if it operated as intended. Operating effectiveness asks whether the control actually did operate that way, consistently, over the period under review — tested through a sample of transactions or instances, not just a single walkthrough observation.

Practitioner noteA control can be well designed and still fail operating effectiveness testing because it was skipped under deadline pressure — this distinction is exactly why a walkthrough alone is not sufficient assurance and sample-based testing matters.
What is a risk and control matrix (RCM) and why does it matter?

An RCM maps each significant financial reporting risk in a process (for example, revenue being recorded in the wrong period) to the specific control that mitigates it, who performs the control, how often, and what evidence demonstrates it happened. It is the structural backbone of the entire review — every finding traces back to a specific cell in the RCM.

Practitioner noteWe build the RCM collaboratively with process owners during the walkthrough stage rather than presenting a pre-built generic template — a matrix that does not reflect how the process actually runs produces findings nobody trusts.
How long does an ICFR review take in the UAE?

For a single-entity, moderate-complexity business covering the core financial statement cycles, a typical engagement runs four to six weeks from scoping to final report. Multi-entity group reviews, or reviews requiring a full financial year of operating effectiveness testing rather than a point-in-time design assessment, take longer.

Practitioner noteIf the review is timed ahead of year-end statutory audit fieldwork, build in enough lead time for remediation of high-priority findings before the auditor's own testing begins — running the review too close to year-end defeats its purpose.
How does a UAE subsidiary's ICFR review relate to a US-listed parent's SOX Section 404 requirements?

SOX Section 404 is a US securities law requirement applying to the listed parent, not a UAE obligation in its own right. Where the UAE entity is material to the group's consolidated financial statements, its ICFR fieldwork typically forms a local building block feeding the group's overall SOX attestation, but the UAE-scoped review itself remains a standard ICFR engagement rather than a SOX filing.

Practitioner noteWe are explicit with clients that PNPC's UAE-scoped ICFR review supports the group's SOX process but is not itself the formal SOX attestation — that determination and filing responsibility sits with the parent's US-facing auditors and management.
What is the difference between a control deficiency, a significant deficiency, and a material weakness?

A control deficiency is a gap in design or operation that could allow a misstatement, however small the likely impact. A significant deficiency is a deficiency (or combination) important enough to merit attention from those charged with governance. A material weakness is a deficiency (or combination) creating a reasonable possibility that a material misstatement of the financial statements would not be prevented or detected in a timely manner. Findings are classified using this hierarchy so the board understands relative severity.

Practitioner noteWe resist the temptation to soften classification language for a client who wants every finding called a 'minor observation' — the classification has to reflect the actual materiality of the risk left exposed, since that is what a statutory auditor or group internal audit will independently assess against.
Does an ICFR review cover IT controls?

To the extent financially relevant — access management, change management, and backup/recovery for systems that feed the financial statements are reviewed as IT general controls (ITGC) within the overall ICFR scope, since a strong process-level control loses its value if the underlying system environment is not itself controlled. A dedicated, deeper IT or cybersecurity audit is a separate, broader engagement if that is the primary need.

Practitioner noteJournal entry preparer/approver role conflicts inside the ERP are one of the most common ITGC-adjacent findings we identify — access rights accumulate as staff change roles and are rarely reviewed unless someone specifically asks for the listing.
Can an ICFR review be limited to specific processes rather than the whole entity?

Yes. A targeted review of the highest-risk cycles — commonly revenue recognition, procurement-to-pay, payroll, or financial close — is a legitimate and common scope, particularly for a first review or where budget and timeline are constrained. We agree the in-scope processes explicitly at the scoping call so there is no ambiguity later about what was and was not covered.

Practitioner noteWe recommend starting with revenue and procurement-to-pay for most first-time reviews, since these two cycles typically carry the highest financial statement risk and the most transaction volume.
What evidence does PNPC need to test operating effectiveness, not just design?

A sample of actual transactions or control instances over the review period — approved purchase orders, reviewed bank reconciliations, signed-off journal entries — evidenced with dates, approver identities, and supporting documentation, not a verbal confirmation that the control 'is usually followed'.

Practitioner noteThe single biggest cause of an inconclusive operating effectiveness test is missing or undated evidence — we flag this risk at scoping so clients understand why 'we do this control' is not sufficient without a retained evidence trail.
How does PNPC handle findings management disagrees with?

We seek management's response on every finding before finalising the report and document their explanation alongside our own conclusion. Where management provides credible supporting evidence, findings are revised; where they do not, the finding stands with both perspectives recorded in the final report.

Practitioner noteA defensible report needs to show the disagreement was considered, not ignored — this protects both the client and PNPC if the report is later reviewed by a statutory auditor, group internal audit, or a bank.
Does the ICFR review result feed into the statutory audit?

Where the client authorises it, PNPC can brief the incoming or existing statutory auditor on the ICFR review's findings, which typically reduces the extent of the auditor's own control testing during year-end fieldwork, since much of the risk assessment groundwork has already been independently performed.

Practitioner noteThis coordination works best when the ICFR review completes with enough lead time before year-end fieldwork starts — briefing the auditor after fieldwork is already underway captures less of the potential efficiency.
What happens if the review finds a material weakness close to a listing or major transaction deadline?

We communicate material findings to the board or audit committee immediately, rather than holding them for the final polished report, since a material weakness close to a listing, investment, or facility deadline needs to be addressed — or at minimum disclosed and understood by the relevant stakeholders — before that deadline, not discovered afterward.

Practitioner noteDelaying bad news to a final report format serves no one in a time-sensitive scenario — urgent, material findings go to the client as soon as they are confirmed, with a candid assessment of what remediation is realistically achievable before the deadline.
Is an ICFR review relevant to UAE Corporate Tax compliance?

An ICFR review is not itself a Corporate Tax filing requirement, but the control environment around revenue recognition, expense recording, and journal entries directly affects the reliability of the taxable income figure reported to the Federal Tax Authority under Federal Decree-Law No. 47 of 2022 (9% on taxable income above AED 375,000, effective for financial years starting on or after 1 June 2023), and record-keeping quality supports the record-retention obligations that regime imposes.

Practitioner noteWe flag any control weaknesses around journal entries or revenue cut-off to the client's tax team specifically, since these are exactly the areas an FTA audit or Corporate Tax review would also scrutinise.
Does an ICFR review touch VAT controls?

Where VAT-relevant processes (sales invoicing, input VAT recovery, and the accuracy of VAT return preparation under Federal Decree-Law No. 8 of 2017) sit within the financial reporting cycles being reviewed, the controls around them are assessed as part of the relevant process — for example, revenue or procurement-to-pay — though a dedicated VAT process review is a narrower, VAT-specific engagement if that is the primary concern.

Practitioner noteWe note any VAT-relevant control gap identified during the review — for example, inconsistent invoice sequencing or unreconciled output VAT — so the client's VAT advisor can assess it separately against current FTA guidance.
What if our finance function is too small for full segregation of duties?

This is common in smaller UAE entities, and the review does not simply mark it as a failure — instead we assess what compensating controls exist (independent management review, dual sign-off on high-risk transactions, periodic reconciliation by someone outside the process) and whether they realistically offset the segregation gap given the entity's size and risk profile.

Practitioner noteWe are explicit in the report about where a compensating control is genuinely adequate versus where it is a stopgap that will not scale — a growing business needs to know which gaps to plan around now, not just which ones currently pass.
Can PNPC run the ICFR review alongside the statutory audit to avoid duplicated work?

Yes, and where both are needed we coordinate timing and, with the client's consent, share relevant control-testing workpapers between the two engagements to avoid duplicating walkthrough and evidence-gathering effort, while keeping the two reports' conclusions consistent.

Practitioner noteRunning both engagements through the same firm, with shared underlying control evidence, avoids the situation where two independent reviews reach different conclusions about the same control for the same period.
How does PNPC prioritise which findings to remediate first?

Findings are ranked by the materiality of the financial reporting risk left exposed — a material weakness in revenue recognition controls is prioritised well ahead of a minor documentation gap in a low-value process — and each ranked finding is paired with a named owner and a realistic target remediation date in the roadmap.

Practitioner noteWe push back on the instinct to fix the easiest findings first just because they are quick wins — the remediation roadmap is sequenced by risk reduction, not by ease of closure, though we flag genuine quick wins separately so they can be closed in parallel.
Does PNPC verify that remediation actually happened, or just record management's commitment?

We schedule a follow-up verification cycle for the highest-risk findings, independently confirming the remediating action was actually implemented — not simply accepting management's assertion that an item is closed — and report residual weaknesses if remediation fell short.

Practitioner noteUnverified 'closed' findings are one of the most common reasons a board or group internal audit loses confidence in a control framework — we build verification into the engagement from the outset rather than treating it as an optional add-on.
What deliverables do we receive at the end of the engagement?

A final ICFR review report covering the entity-level control assessment, process-level risk and control matrices, design and operating effectiveness testing results, a ranked deficiency register, and a remediation roadmap with named owners and target dates — formatted to the board's, group finance function's, or statutory auditor's requirements where specified.

Practitioner noteWe also retain the underlying walkthrough notes, RCMs, and test samples so that, if a question arises months later from a statutory auditor or group internal audit, the basis for every conclusion can be traced.
Why choose PNPC Global for a UAE ICFR review over a smaller local firm or a large international firm?

PNPC Global has run internal control, risk advisory, and audit-adjacent engagements since 1986 across India and the UAE, combining rigorous evidence-based testing methodology with practical, hands-on process experience across the trading, distribution, manufacturing, and services sectors common in the UAE market — at a cost and turnaround suited to UAE SME and mid-market businesses rather than large-firm minimum fee structures.

Practitioner noteClients with cross-border India-UAE group structures particularly value having one firm run a consistent ICFR methodology across both jurisdictions, rather than reconciling two separately commissioned, differently scoped reviews.
How much does an ICFR review cost in the UAE?

Cost depends primarily on the number of entities and processes in scope, whether operating effectiveness testing covers a full financial year or a shorter period, and the condition of existing process documentation. Single-entity, core-cycle reviews are priced modestly; multi-entity group reviews or full-year operating effectiveness testing are priced as a more substantial, structured engagement.

Practitioner noteWe give a firm, scoped quote after the initial scoping call rather than a generic price list — ICFR review cost genuinely varies too much by entity complexity and process count to quote blind.
Can the review be combined with a due diligence engagement for an investment or acquisition?

Yes. Where an ICFR review is commissioned as part of buy-side or sell-side due diligence, we scope the walkthroughs and testing to align with the transaction's specific due diligence timetable and the investor's or acquirer's particular control-quality questions.

Practitioner noteTransaction timelines are usually tighter than a routine board-mandated review — flag the deal timetable early so we can resource the fieldwork and reporting accordingly.
What happens to the engagement file and workpapers after the final report is issued?

PNPC retains walkthrough notes, RCMs, testing evidence, and correspondence underlying the report so that, if a question arises later — from group internal audit, the statutory auditor, or a subsequent transaction — the basis for every finding can be traced and re-verified. Because control evidence often underpins figures that feed the Corporate Tax return, the underlying records also fall within the UAE Corporate Tax record-retention regime, which requires Taxable Persons to keep relevant records for at least seven years after the end of the relevant tax period.

Practitioner noteWe keep engagement workpapers indexed to the final report's sections, so a query raised months later can be answered by reference to a specific RCM cell or test sample, not a general search through old correspondence.
Why PNPC Global

PNPC Global vs. typical UAE ICFR review providers

FactorPNPC GlobalTypical Small Local FirmBig-4/Large International Firm
Depth of engagement scopingScoping call to precisely match group framework, board requirement, or bank expectation before quotingOften a generic maturity-model checklist with limited scoping discussionThorough but with high minimum fees regardless of entity size
Framework flexibilityBenchmarks against COSO, a parent-group framework, or bank-specific expectations as agreed at scopingFrequently applies a single fixed template regardless of client contextRigorous COSO-based methodology but less adaptable to a smaller entity's actual process maturity
Evidence disciplineTraces every finding to a specific RCM cell, walkthrough note, or test sampleOften accepts management assertion at face value without sample testingRigorous, but with high minimum fees regardless of engagement size
Cross-border India-UAE capabilitySingle firm applies one consistent ICFR methodology across both jurisdictions for group companiesRarely availableAvailable but typically at a much higher fee structure
Deficiency classification rigourFindings ranked control deficiency / significant deficiency / material weakness using standard audit terminologyOften presented as an unranked list of observationsRigorous classification, generally with slower internal sign-off cycles
Statutory auditor coordinationDirect briefing to the incoming or existing statutory auditor on request, reducing duplicated control testingRarely proactively coordinatedAvailable but coordination often slower for lower-fee engagements
Remediation verificationScheduled follow-up cycle independently verifying remediation, not just recording management's commitmentRarely built into the standard engagementAvailable, typically as a separate paid engagement
Cost structure for SME/mid-market clientsScoped, transparent pricing suited to UAE SME and mid-market entity complexityCan be inconsistent or ad hocOften cost-prohibitive for SME-scale entities
Responsiveness to urgent findingsImmediate communication of material weaknesses, not held back for the final reportVaries by firm disciplineGenerally rigorous but slower due to internal escalation protocols
ContinuityCreates a remediation roadmap and follow-up verification calendar after handoverStops once the document or report is deliveredAvailable, but continuity support is typically a separate paid engagement

PNPC Global positions itself between the informality of very small local providers and the process-heavy overhead of the largest international firms — rigorous, evidence-based ICFR methodology at a cost and turnaround suited to UAE SME and mid-market businesses and cross-border India-UAE groups.

What the PNPC package includes

  1. 01

    Initial scoping call fixing the benchmark framework (COSO, parent-group standard, or bank-specific expectation), entities/processes in scope, and testing period

  2. 02

    Entity-level control assessment covering governance, tone at the top, and whistleblower/reporting channels

  3. 03

    Process walkthroughs across revenue, procurement-to-pay, payroll, treasury, fixed assets, journal entries, and financial close

  4. 04

    Risk and control matrices (RCMs) mapping each significant risk to the control that mitigates it

  5. 05

    Design effectiveness assessment for every identified control

  6. 06

    Sample-based operating effectiveness testing over the agreed review period

  7. 07

    Segregation of duties analysis across ERP/system roles, including journal entry preparer/approver conflicts

  8. 08

    IT general controls (ITGC) review to the extent financially relevant — access, change management, and backup/recovery

  9. 09

    Ranked deficiency register classifying each finding as a control deficiency, significant deficiency, or material weakness

  10. 10

    Remediation roadmap with named owners and realistic target dates, sequenced by risk priority

  11. 11

    Management response meeting on material findings before the report is finalised

  12. 12

    Statutory auditor briefing on request, to reduce duplicated control testing during year-end fieldwork

  13. 13

    Report formatted to your board's, group finance function's, or bank's specific requirements

  14. 14

    Follow-up remediation verification cycle for the highest-risk findings

  15. 15

    Cross-border coordination for India-UAE group companies applying one consistent methodology

  16. 16

    Seven-year-compliant retention of RCMs, walkthrough notes, and test evidence where findings feed the Corporate Tax return

Talk to PNPC Global before your next group consolidation, listing readiness milestone, or year-end audit — we scope the ICFR review to what your board, parent company, or bank actually needs to see, so the findings hold up under scrutiny the first time.

Jurisdiction

🇦🇪
United Arab Emirates

Free zone, mainland & offshore

Ready to get started?

Tell us about your requirement — a UAE specialist responds within 24 hours.

← Back to Specialised Audit & Certification