Whitepaper on Internal Controls over Financial Reporting (ICoFR) in the UAE

Uniqus Insights

26 November 2025

EXECUTIVE SUMMARY

Robust Internal Controls over Financial Reporting (ICoFR) are fundamental to the integrity, accuracy, and reliability of financial statements. In an increasingly complex and globalized business environment, organizations, regardless of size or sector, are under growing pressure from regulators, investors, and stakeholders to ensure that financial reporting reflects an accurate and fair view. This whitepaper explores the evolution, implementation, and strategic importance of ICoFR frameworks in the UAE and broader GCC region, drawing comparisons with global standards such as the U.S. Sarbanes-Oxley Act (SOX 404), the COSO framework, and international practices from the UK, India, and Canada.

In recent years, the UAE has made significant strides in strengthening corporate governance and control systems. Regulatory bodies such as the Securities and Commodities Authority (SCA), Abu Dhabi Accountability Authority (ADAA), UAE Accountability Authority, and various free zone authorities have issued directives and expectations around internal controls aligned with global best practices. For instance, ADAA’s Resolution No. 1 of 2017 marked a turning point for Abu Dhabi government-linked entities, mandating independent evaluations of ICoFR. Similarly, SCA’s revised corporate governance regulations now explicitly refer to board-level responsibility for ensuring the adequacy of internal controls over financial reporting. These developments signal a shift from reactive compliance to proactive risk and performance management across the region.

Despite growing regulatory momentum, the maturity of ICoFR implementations across the UAE and GCC remains varied. Many organizations, particularly family-owned businesses, SMEs, and fast-growing startups, lack formalized control environments, relying instead on informal processes and individual oversight. Even among more established entities, challenges persist in aligning cross-functional ownership, embedding the three lines model, and ensuring the reliability of information used in controls (IUC). Through real-world case studies presented in this whitepaper, we illustrate how different types of entities – government-linked enterprises, subsidiaries of multinationals, private businesses, and post-IPO firms – have approached ICoFR implementation, highlighting key lessons, enablers, and pitfalls.


INTRODUCTION

ICoFR and why it matters

ICoFR refers to the processes, controls, policies, and procedures put in place by a company to ensure that its financial statements are reliable and accurate. PCAOB’s AS 2201: An Audit of Internal Control Over Financial Reporting That is Integrated with an Audit of Financial Statements states, “Effective internal control over financial reporting provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes.” 

In other words, it’s the framework that helps a company ensure that all transactions are properly authorized and recorded, that assets are safeguarded from unauthorized use, that compliance with regulatory requirements is maintained, and that financial reports are free from material misstatements. ICoFR is essentially a subset of a company’s overall internal control system, focused specifically on producing fair financial reporting.

Relevance to the UAE economic diversification goal (UAE Vision 2030)

The emphasis on ICoFR aligns closely with the UAE’s broader economic vision and development agenda (often encapsulated in initiatives such as the UAE Vision 2030 and related Emirate-level visions). A key pillar of these visions is to create a competitive, knowledge-based economy with a strong financial market that attracts investment. Achieving this requires high standards of corporate governance, transparency, and accountability. In its Economic Vision 2030, the Government of Abu Dhabi explicitly recognizes that enabling confident deployment of financial capital is fundamental to economic growth. 


REGULATORY LANDSCAPE

The UAE’s regulatory environment for internal controls has evolved rapidly in recent years, reflecting a clear intent to strengthen financial oversight and align with global best practices. Several authorities and laws govern aspects of ICoFR in the UAE, each contributing a piece to the overall compliance puzzle. Below is an overview of the key regulatory drivers:

Securities and Commodities Authority (SCA)

The SCA, which regulates publicly listed companies in UAE markets, has introduced robust new requirements for internal controls. Notably, in January 2024, the SCA amended its Corporate Governance Code to mandate that boards establish and maintain effective internal control and risk management systems, and critically, to “enable the auditor to express an opinion on the effectiveness of Internal Control & Risk Management, including Internal Control Over Financial Reporting.”

Abu Dhabi Accountability Authority (ADAA)

ADAA is a government watchdog in Abu Dhabi that oversees state-owned enterprises and government departments (often referred to as “Subject Entities”). ADAA has been a pioneer in the region for ICOFR mandates. It issued Resolution No. 1 of 2017, which, for the first time, required Abu Dhabi government entities and government-controlled companies to assess and test their internal controls over financial reporting. Building on that, ADAA Chairman’s Resolution No. 88 of 2021 was released in August 2021 to strengthen and formalize ICOFR requirements. 

UAE Accountability Authority (UAEAA)

In late 2023, the UAE government established the UAE Accountability Authority (UAEAA), a federal-level body replacing the former State Audit Institution. The UAEAA serves as the supreme audit and financial oversight authority across federal government entities. One of its early moves has been to extend ICOFR rigor to the federal sphere. In 2024, the UAEAA issued Resolution No. 157, which mandates a “structured approach to ICOFR for federal entities and entities in which the federal government owns more than 25%”. 

Key requirements of Resolution 157:

01 Enhance audit quality and ensure effective ICoFR reporting

02 External auditor to test controls for key transactions and address fraud risks within the audit report

03 External Auditors to assess risks and control processes relating to financial reporting

04 External Auditors to provide opinions on compliance, internal controls, and financial statements

This means ministries, federal authorities, and relevant government-owned companies are now required to design and implement internal control frameworks over financial reporting, and their audits will include evaluating these controls. UAEAA’s resolution also speaks to “enhanced audit requirements to strengthen oversight”, implying external auditors (and possibly UAEAA inspectors) will closely scrutinize ICOFR compliance. The establishment of the UAEAA and its focus on ICOFR reflect a nationwide push for transparency and accountability in line with best practices. It ensures that not only commercial companies but also government finances are subject to robust control standards, thereby safeguarding public funds.

Insurance Authority (IA)

The (former) UAE Insurance Authority—now merged under the Central Bank as the Insurance Division—was one of the first financial sector regulators in the UAE to enforce ICOFR requirements. In 2019, IA issued Circular No. 21, requiring all insurance and reinsurance companies in the UAE to implement an ICOFR framework and obtain an independent auditor’s report on the effectiveness of these internal controls.

This was followed by subsequent guidance clarifying the scope of controls to cover key processes like claims, premiums, investments, etc. The IA’s initiative was driven by a need to protect policyholders and ensure the reliability of insurers’ financial statements (important for an industry managing public savings and indemnities). Insurers had to align with COSO or similar frameworks, and many underwent significant upgrades to their finance systems and control activities as a result. The Central Bank has since continued this oversight for the insurance sector, and similar expectations have been extended to banks through its governance regulations (which, for example, require bank boards to attest to internal control adequacy annually). The IA’s ICOFR mandate in 2019 was part of a regional trend, as Qatar’s and Oman’s insurance regulators also took steps to bolster internal controls in financial institutions.

UAE Commercial Companies Law 

Federal legislation, such as the UAE Commercial Companies Law (e.g., Federal Law No. 32 of 2021, which replaced earlier Company Law No. 2 of 2015), underpins corporate governance expectations for all companies (with additional provisions for public joint stock companies, PJSCs). As per the UAE Companies Law, the board of directors is responsible for applying governance rules and standards. This includes establishing controls, procedures, and practices that promote corporate discipline in line with international standards. Accordingly, it may be noted that companies not listed or regulated by the Securities and Commodities Authority (SCA) are also required to develop and implement a governance framework to ensure controls exist and operate effectively. 

While the Commercial Companies Law does not prescribe a specific ICOFR framework, it creates a legal obligation for directors to safeguard the company’s financial soundness through control mechanisms, thereby complementing the more detailed regulations of sectoral bodies. Noncompliance can expose directors to regulatory penalties and shareholder litigation, especially if control failures lead to financial losses.

Other regulations and governance codes

In addition to the above, there are other touchpoints in the UAE regulation relating to internal controls. For example, the UAE Central Bank’s Corporate Governance guidelines for banks and financial institutions emphasize the need for a sound internal control system (covering financial reporting and compliance). The Dubai Financial Services Authority (DFSA) and Abu Dhabi Global Market (ADGM) FSRA, which regulate companies in the DIFC and ADGM free zones, respectively, also require firms (especially regulated financial firms and listed companies on NASDAQ Dubai) to have internal control functions and processes. Additionally, professional bodies like the UAE Accountants & Auditors Association (AAA) and the Institute of Internal Auditors’ UAE chapters have raised awareness and trained professionals on ICOFR, complementing regulatory efforts. Overall, the patchwork of laws, resolutions, and codes is converging toward a common message: regardless of listing status or sector, UAE organizations are expected to maintain robust internal controls over financial reporting, and this expectation is increasingly enforceable through audits and regulatory inspections.

In summary, the UAE’s regulatory landscape for ICoFR is evolving rapidly. What began with targeted mandates for government entities and insurers has expanded into a broader, economy-wide focus, driven by the SCA’s revised guidelines for listed companies and federal initiatives led by the UAE Accountability Authority (UAEAA). Companies would be wise to stay ahead of these requirements, not only to remain compliant but to leverage the improvements in governance that strong internal controls can bring.

 

FRAMEWORK, COMPONENTS, AND OTHER ASPECTS

Implementing Internal Controls over Financial Reporting is not a hit-or-miss endeavour; it relies on well-established frameworks and structured approaches. Globally, the most prevalent framework for internal control (including ICOFR) is the COSO framework, which is also commonly used in the UAE. Additionally, clarifying the roles and responsibilities within the organization is vital – often done using the “Three Lines” model. This section outlines the key components of effective ICoFR, including the COSO principles, the three lines model, and other vital elements such as the quality of information used in controls.

Overview of the COSO framework and principles

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control – Integrated Framework is considered the gold standard for designing and evaluating internal control systems. First released in 1992 and updated in 2013, COSO provides a clear definition of internal control and a codified set of components and principles. COSO defines internal control (and by extension ICOFR) as “a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.” ICOFR focuses specifically on the Reporting objective – i.e., reliable financial reporting.

The Three Lines Model (Roles and Responsibilities)

Implementing and sustaining ICoFR is a team effort that spans the entire organization. A helpful conceptual model to delineate responsibilities is the “Three Lines” model, now often just called the Three Lines Model after updates by the Institute of Internal Auditors (IIA). This model provides clarity on who is responsible for what, thereby preventing gaps or overlaps in risk management and control processes. Here’s how it breaks down in the context of ICOFR:

Oversight by the Board/Audit Committee: 

Above the three lines, the governing body (Board of Directors) and specifically the Audit Committee (where one exists) play a critical oversight role. They are not a “line” per se, but they ensure that the three lines are functioning properly. The Board or Audit Committee approves the risk appetite (how much risk is acceptable) and is ultimately accountable to stakeholders for the organization’s control and risk management. They must foster a culture that values accountability and stay informed – for example, the Audit Committee should receive reports on any significant ICOFR deficiencies and remediation status. In the UAE, corporate governance codes (both SCA’s and the Central Bank’s for banks) require the Board/Audit Committee to review internal controls’ effectiveness annually and address any weaknesses. With the new ICOFR audit requirements, Audit Committees will likely be even more engaged – working with management to ensure timely implementation of controls and with auditors to understand their findings. The “tone at the top” set by the Board and CEO is often cited as the number one factor in successful control environments.

Information used in controls

A special topic worth highlighting in any ICOFR framework discussion is the integrity of information used in controls. Modern financial reporting is heavily reliant on IT systems and data. Many control activities, particularly management review controls, involve using system-generated reports or spreadsheets as a basis for decision-making (for instance, reviewing an aged debtors report to identify bad debt provisions, or using a sales report from the ERP to confirm revenue completeness). If the underlying information feeding those controls is flawed, the control may be ineffective even if performed diligently.

In audit terminology, this is often referred to as IPE (Information Produced by the Entity) or IUC (Information Used in Control). In recent years, regulators and auditors have paid close attention to how companies ensure the completeness and accuracy of such information. In fact, deficiencies in IPE control have been a frequent cause of audit inspection findings globally. For example, if a company’s control is “Controller reviews a monthly expense variance report for anomalies,” the auditor will ask: How do we know the report the Controller received is complete and accurate (e.g., did it pull all transactions, are the formulas correct)? The company would need an automated control or a manual check to validate that report.


IMPLEMENTATION ROADMAP AND TIMELINE

Typical implementation journey: Planning to Monitoring

Establishing ICOFR in an organization is a project that requires careful planning, resource commitment, and change management. Whether a company is implementing ICOFR for the first time due to new regulations or overhauling its existing controls, a structured roadmap can significantly increase the likelihood of success. Below, we outline a step-by-step implementation journey for ICOFR and discuss typical timelines, success factors, and common pitfalls drawn from both UAE and international experiences.

Typical timelines and resource considerations

The timeline for implementing ICOFR can vary widely based on the size of the company, complexity of operations, and urgency (regulatory deadline or not). However, some general benchmarks:

For a mid-sized company (let’s say with a straightforward structure, one main location, perhaps operating in one industry), implementing ICOFR from scratch might take 3 to 4 months of concerted effort. This assumes the company already has basic processes that just need formalizing. If started at the beginning of a financial year, it could be ready by year-end to assert ICOFR.

For a large, diversified company (multiple business lines or geographies), it could take 7-12 months to implement fully. Often, such organizations phase the implementation – e.g., pilot in the biggest division first, then roll out to others, or focus on core financial processes first, then expand to all processes.

Success factors for implementation

From both global best practices and local insights, the following factors are often cited as critical to a successful ICOFR implementation:

  • Tone at the top and governance support
  • Clear roles and responsibilities
  • Comprehensive training and awareness
  • Phased and well-timed approach
  • Use of technology and tools
  • Focus on high-risk areas
  • Early engagement with auditors
  • Cultivating a control culture

Common pitfalls and how to avoid them

Despite the best intentions, ICOFR implementations can run into pitfalls. Being aware of these common issues can help organizations avoid or mitigate them:

  • Treating ICOFR as a one-off compliance project
  • Inadequate documentation and evidence
  • Underestimating resource needs and change impact
  • Overengineering or excessive controls
  • Poor coordination and silos

In conclusion, the journey to implement ICOFR can be intensive, but with a methodical approach and keen attention to the human and technical factors, it can be achieved within a reasonable time and budget. The key is to view it not just as compliance, but as an investment in better financial management. When done right, the company emerges with a clean bill of health from auditors, deeper insights into its processes, and more confidence in its financial information. 


ADOPTION AND MATURITY OF ICOFR IN THE UAE

The adoption of Internal Controls over Financial Reporting across companies in the UAE spans a broad spectrum – from organizations that have fully integrated ICOFR into their corporate governance, to those just beginning to recognize its importance. In this section, we assess how far along UAE companies are on the ICOFR maturity curve, identify common gaps observed in practice, discuss differences between various jurisdictions within the UAE (mainland vs free zones), and highlight challenges like cost and talent that are shaping the pace of adoption.

Common gaps and weaknesses in current practice

While regulatory pressure is mounting, many companies in the UAE are still catching up on building robust ICOFR frameworks. Through audits, consulting engagements, and regulator feedback, some typical gaps have been noted:

  • Overreliance on manual processes
  • Inadequate documentation & process formalization
  • Lack of ongoing testing/second line
  • Weak Entity-Level Controls (ELCs)
  • Information technology and data controls lagging

In summary, the current adoption is uneven. The most common gaps, such as manual controls, poor documentation, lack of internal testing, and weak IT controls, are being addressed gradually as companies respond to new regulations or pursue internal improvements. There is a recognition that addressing these gaps satisfies compliance and enhances business operations (e.g., automating a manual control often speeds up the process and reduces errors, a win-win).

 

Variations across free zones and mainland companies

The UAE’s unique economic structure – with numerous Free Zones operating alongside the mainland (onshore) regime – adds an extra dimension to how corporate practices like ICOFR are adopted. We observe some differences:

Regulatory scope: Mainland listed companies are under the purview of SCA and must adhere to its governance rules (now including ICOFR audits). Free Zone companies, unless they are listed on a local exchange (like NASDAQ Dubai in DIFC) or fall under specific regulations, might not have an external mandate for ICOFR.

Influence of multinationals: Free zones host many multinational corporations’ subsidiaries (since they allow 100% foreign ownership). These subsidiaries often import their parent company’s internal control frameworks, especially if the parent is subject to SOX or similar.

 

Challenges: cost, talent, and resources

Implementing and maintaining ICOFR is challenging, especially in a region where it’s a relatively new concept for many. The key challenges frequently cited are cost and talent constraints, among others:

  1. Cost Considerations
  2. Talent Shortage
  3. Change management and Buy-In
  4. Maintaining control effectiveness in high-growth environments

In conclusion, the adoption of ICoFR in the UAE is on an upward curve, albeit with a few bumps related to costs and capabilities. Companies that proactively tackle these challenges by budgeting appropriately, investing in people, and phasing their implementation tend to fare better and turn compliance into a competitive advantage (trust and resilience). Meanwhile, those who wait until the last minute may face higher costs (rush fees, fire-fighting fixes) and potentially more disruption. The clear message from the market is that ICoFR is becoming a standard expectation, and companies, whether in mainland or free zones, large or small, will eventually need to answer how they ensure the integrity of their financial reporting.


BENCHMARKING WITH OTHER COUNTRIES

The UAE’s journey to enhance Internal Controls over Financial Reporting (ICOFR) is taking shape at a time when global benchmarks are well-established. By observing jurisdictions such as the United States, the United Kingdom, India, Qatar, and Canada, UAE-based entities can avoid early-stage pitfalls and instead adopt tested practices, leapfrogging into a more mature implementation phase. These comparisons offer guidance on regulation, governance practices, cost-effective strategies, and cultural shifts required to embed ICOFR into the organizational fabric.

How the UAE can accelerate governance excellence

Learning from these countries, the UAE has the advantage of implementing ICOFR at a time when methodologies are well-developed and technology is advanced. Some ways the UAE can leapfrog:

Adopt a risk-based focus from day one: Unlike early SOX days in the U.S., UAE companies don’t need to figure out how to streamline by trial and error; they can start with a risk-based approach (identify key risks, key controls) immediately. Regulators and auditors in the UAE are already emphasizing this in workshops. This avoids wasted effort and focuses resources efficiently.

Leverage technology and analytics: Start using available software for control management (cloud-based solutions are even affordable for mid-sized firms now). The UAE’s push into artificial intelligence and digitization can spill into corporate governance. Real-time dashboards for control compliance, automated anomaly detection, and even blockchain for certain processes could put UAE companies at the cutting edge of ICOFR monitoring. By embracing these, they not only strengthen controls but could potentially reduce reliance on manual audits in the future.

Cultivate professional expertise: The UAE can accelerate upskilling through partnerships with global institutions and firms. For example, encouraging certifications or specific SOX/ICOFR programs among finance professionals will quickly build local capacity. Essentially, compress 20 years of global experience into a crash course for the local workforce. With its diverse expatriate population, the UAE can also bring experienced professionals from wherever they are available to train others.

Regulatory collaboration with Industry: One success factor in other countries was continuous dialogue – e.g., the PCAOB and SEC in the U.S. refined rules after industry feedback; Indian regulators extended deadlines for smaller companies when needed, etc. The UAE regulators (SCA, etc.) can maintain an open channel with companies and auditors to get feedback on implementation and be willing to adjust the approach if needed (without diluting the goal). For instance, if first-year results show a certain area is a common problem (say, IT controls), perhaps SCA could issue a guidance memo focusing on that or host a knowledge session. This agile, responsive regulation will help the UAE avoid drawn-out issues.

Promote a culture of governance as a value-add: The ultimate leapfrog is cultural. The goal is for UAE companies to move beyond viewing ICOFR as a regulatory requirement and to embrace the fact that effective controls are integral to sound business performance and long-term value creation. This took time in the U.S. and elsewhere, as early on, many saw SOX as a costly burden, but later studies showed that companies with strong ICOFR had a lower risk of scandal and often better performance. The UAE can try to instill that mindset from early in the process. 

In conclusion, benchmarking tells us that a strong internal control regime is part of the evolution of any robust capital market. The UAE is reaching that stage now while drawing on lessons from the U.S.’s rigor, Europe’s governance principles, India’s and Qatar’s broad mandate, and Canada’s balanced approach. By learning from each other, the UAE can implement ICOFR in a way that fits its environment. 

 

CASE STUDIES

To illustrate how Internal Controls over Financial Reporting are applied in practice, this section presents a few scenarios drawn from real-world contexts. These case studies (anonymized where necessary) reflect the diversity of applications of ICOFR in the UAE and beyond, i.e., from large organizations to smaller enterprises, and from success stories to cautionary tales. Each case highlights specific challenges and outcomes, offering insights that can be generalized to other organizations.

These case studies collectively highlight a few themes:

  • The journey from weak or no controls to strong ICOFR is challenging but achievable and rewarding
  • Regulatory drivers (ADAA, SCA, etc.) significantly impact internal leadership, and crises can catalyze action
  • Companies big and small, new and old, all stand to benefit from improved internal controls – be it through fraud prevention, efficiency gains, or greater investor trust
  • There are different paths to success, like leveraging global practices, using technology, phasing implementation, and each organization can choose what (or a combination) usually fits best, as long as the core principles of ICOFR are upheld
  • Perhaps most importantly, a common thread is that support from the top (owners, boards, CEOs) and engagement of the right expertise (internal or external) make the difference in turning intention into effective operation

 

RECOMMENDATIONS

Drawing from the analysis and insights above, this section provides targeted recommendations for the key stakeholders in strengthening Internal Controls over Financial Reporting in the UAE. The guidance is segmented for Management Committees (Board/Audit Committee level), Company Management, and Advisors/Consultants. By following these recommendations, each group can play its part in achieving a robust ICoFR that not only meets compliance requirements but also adds value to the organization.

For Management Committees (Board of Directors and Audit Committees):

  • Champion the cause and set the tone
  • Ensure adequate resources and expertise
  • Oversee the ICOFR process diligently
  • Plan for continuous improvement

For Company Management (Executives and process owners):

  • Integrate ICoFR into business-as-usual
  • Adopt a proactive, risk-based approach
  • Empower and educate staff
  • Leverage technology and innovation
  • Foster open communication and issue escalation
  • Coordinate with auditors and advisors

For advisors and consultants (audit firms, consulting firms, experts):

  • Provide tailored, practical guidance
  • Ensure knowledge transfer and capacity building
  • Stay current and contextual

Overall, these recommendations aim at creating a synergy between all parties:

  • Boards set the expectation and demand excellence, thereby empowering management.
  • Management executes and integrates controls, thereby making auditors’ and regulators’ jobs easier.
  • Advisors facilitate and enlighten the process, thereby accelerating achievement of goals and ensuring quality.

Each has a distinct but complementary role in the ecosystem of internal control. If each party fulfils their role effectively – with commitment and competence – the outcome will be robust ICOFR systems that inspire confidence and drive better corporate performance across the UAE’s marketplace.


CONCLUSION

Summary of insights

In conclusion, establishing robust ICOFR presents a significant opportunity for UAE companies to strengthen governance and enhance business resilience in today’s dynamic environment. The analysis in this whitepaper has traversed the definition and importance of ICoFR, the evolving regulatory landscape in the UAE (mirroring global moves toward enhanced governance), frameworks and models to guide implementation, and practical insights into implementation, current maturity levels, and international benchmarks. A few key takeaways: 

ICoFR is foundational to trust and growth

Reliable financial reporting, underpinned by robust internal controls, is a cornerstone of investor confidence and corporate longevity. Whether it’s preventing fraud or avoiding errors, internal controls save companies from value-eroding incidents. As the UAE drives toward Vision 2030’s goals of a diversified, knowledge-based economy, having its companies uphold world-class financial integrity is essential. 

The UAE is making significant strides in governance

New regulations by SCA, ADAA, UAEAA, etc., signal that the country is serious about matching international standards like SOX 404. Companies must recognize this not as an optional compliance checkbox but as the new normal. Those who get ahead of the curve will find themselves better prepared and more attractive to global investors; those who lag may face regulatory and reputational repercussions.

Frameworks like COSO provide a road map

Companies do not have to start from a blank slate; the COSO framework and Three Lines model give clear guidance on what a sound internal control system looks like. Adopting these frameworks and customizing them to one’s organizational context is a proven way to achieve effective controls.

Implementation is a journey – plan, execute, monitor

A successful ICOFR implementation requires careful planning (scoping, project plan, milestones), diligent execution (documenting, fixing gaps, testing), and continuous monitoring and improvement. Pitfalls can be avoided by learning from others (e.g., emphasize documentation, avoid over-engineering, ensure IT controls aren’t neglected).

Varied starting points, common destination

Not all UAE companies are at the same maturity level, i.e., some are advanced thanks to prior initiatives, and others are just beginning. However, the destination is common: a baseline of control that ensures the integrity of financial reporting across the board. Free zone or mainland, big or small, every organization can benefit from adopting at least the basic tenets of ICoFR.

Global lessons are invaluable

The UAE can compress time by learning from decades of global experience – avoiding others’ mistakes and emulating their successes. From the rigorous discipline of SOX in the US, to the flexibility and board leadership seen in Europe, to India’s comprehensive rollout and Canada’s balanced approach – each provides insights. The UAE’s approach can indeed become a model itself, especially if it leapfrogs using technology and innovation as highlighted.

Collaboration is key

Success in ICoFR will come from collaboration – between regulators and industry, between boards and management, between management and staff, and between companies and their advisors. An aligned effort where everyone understands their role (as we detailed in the recommendations) will create an ecosystem where strong internal controls flourish naturally.

 

The time to act on internal controls is now. If you haven’t started, begin with an honest assessment of your financial processes and risks. Engage experts or peers, create a plan, and commit to a timeline. The call to action is clear: begin, improve, or reinforce your Internal Controls over Financial Reporting now, and contribute to a stronger, more transparent, and more prosperous business landscape in the UAE.
