Most boards assume that because an internal audit function exists, it is working. That assumption is one of the most consequential governance blind spots in UAE business today. Having an internal audit team on the org chart is not the same as having an effective one. Having reports submitted quarterly is not the same as having the right risks examined. And having an audit committee is not the same as having a board that exercises genuine oversight of its internal audit function, one that can distinguish between a function that is performing and one that is simply occupying a governance box.
The benchmark for internal audit effectiveness has shifted decisively since January 9, 2025, when the IIA's 2024 Global Internal Audit Standards became mandatory, replacing the 2017 framework with five domains, 15 principles, and 52 standards. AuditBoard research found that at least one in three organisations globally were not ready at that deadline. In the UAE, regulatory expectations for the internal audit function have risen in parallel: SCA (Securities and Commodities Authority, now the Capital Markets Authority, CMA) Decision No. 2/R.M of 2024 mandates structural independence for listed PJSCs; the CBUAE requires banks and insurance entities to maintain an effective internal audit function under Article 11; and the audit committee is now expected to meet at least quarterly across all regulated entity types.
What follows is a board-level assessment framework: six dimensions of internal audit function performance that separate genuine assurance from administrative compliance. Each dimension identifies the gap that most commonly exists in practice, the standard that defines what good looks like, and the specific obligation that falls on the board and audit committee to address it.
Key figures: January 9, 2025, the mandatory effective date of the IIA's 2024 Standards | one in three organisations globally not ready at that deadline (AuditBoard) | 52 standards across five domains in the 2024 IIA framework
1. Charter Currency: The Foundation That Most UAE Boards Have Not Reviewed
In many UAE organisations, the internal audit charter was drafted when the function was established and has not been formally reviewed since. It describes a scope, reporting line, and mandate that may bear little resemblance to how the function actually operates today. Boards are often unaware of the charter's contents in any detail, let alone that they, not management, are responsible for approving it.
Under IIA Standard 6.2 (2024), the charter must set out the function's mandate, organisational position, reporting relationships, scope of work, and types of services, and the CAE must review it periodically with the board, not with management. When a charter is stale or management-held, the function's independence is a formality rather than a structural reality. SCA (now CMA) Decision No. 2/R.M of 2024 reinforces this for listed PJSCs: the internal audit function must remain structurally distinct and cannot be merged with any other function, a requirement that depends entirely on an enforceable, current charter to give it meaning.
Board Responsibility: The audit committee should formally approve the internal audit charter annually and confirm it has been reviewed whenever material organisational changes occur. If the board cannot produce the current, signed, board-approved charter, or if it has not been reviewed in the past 12 months, that is the first structural gap requiring closure.
2. Risk-Based Audit Planning: Why Last Year's Plan Is This Year's Liability
The most common failure mode of an internal audit function is not that it produces poor findings. It is that it examines the wrong things. Annual audit plans built by repeating prior-year coverage, with minor adjustments and no independent risk assessment, are one of the most persistent governance weaknesses across UAE businesses of all sizes and sectors.
This is especially acute in the current environment. The UAE regulatory risk landscape has shifted substantially since 2022: corporate tax under Federal Decree-Law No. 47 of 2022, SCA (now CMA) governance amendments, AML regulatory tightening under Federal Decree-Law No. 10 of 2025, and accelerating cybersecurity threats. An audit plan anchored to a 2022 risk universe is not a risk-based plan. It is a historical document being used as a current assurance instrument.
IIA Standard 9.4 (2024) requires that the audit plan be based on a documented assessment of the organisation's strategies, objectives, and risks, performed at least annually and informed by, but not simply copied from, management's own risk views, unless the Chief Audit Executive (CAE) has separately concluded that the organisation's risk management processes are reliable enough to depend on. A risk-based internal audit plan also adjusts during the year when new material risks emerge; it does not wait for the next annual cycle.
Board Responsibility: The board should request the documented risk assessment methodology underpinning the current audit plan; not the plan itself, but the evidence of how risks were identified, scored, and translated into coverage decisions. If that methodology does not exist in documented form, the plan is not genuinely risk-based, regardless of what it is called.
3. CAE Independence: The Difference Between Structural and Ceremonial
Across many UAE organisations (family-owned businesses, closely held conglomerates, and even some listed entities) the Chief Audit Executive reports to the Chief Financial Officer (CFO) or Chief Executive Officer (CEO) for day-to-day purposes and only interacts with the audit committee in the presence of senior management. This arrangement is rarely designed to suppress information. But it consistently produces that result. The progressive filtering of what reaches the board (incomplete disclosure of whistleblower findings, downplayed control deficiencies, softened risk escalations) is the most common information failure in UAE corporate governance, and it stems directly from a compromised CAE reporting line.
IIA Standard 7.1 on Organisational Independence (2024) requires the CAE to have a direct reporting relationship with the board, with unrestricted access and the ability to communicate independently, without management's involvement or prior approval. Standard 8.1 (Board Interaction) further requires the board and CAE to interact regularly and directly. The SCA (now CMA) Corporate Governance Code mandates quarterly audit committee meetings at minimum. Read together, these requirements are best met, and best practice expects, that the CAE has private access to the audit committee at every one of those sessions.
Board Responsibility: The audit committee should schedule a private session with the CAE, without management present and without management-prepared briefing materials, at every quarterly meeting. If this has not occurred in the past six months, treat it as a structural independence gap requiring immediate remedy, not a scheduling oversight.
4. Findings Remediation: Where Governance Value Is Either Realised or Lost
An internal audit function that identifies control weaknesses, reports them formally, and then watches management delay, defer, or silently close them without resolution is not adding governance value. It is documenting the organisation's tolerance for risk. Yet in practice, findings remediation tracking is one of the weakest links in the UAE internal audit lifecycle, and one of the areas boards engage with least.
The pattern is consistent across organisations of all sizes. A high-priority finding is raised. Management accepts the recommendation and commits to a remediation date. That date passes. A follow-up report notes the finding is 'in progress.' Eighteen months later, the same finding surfaces in a subsequent audit. The board has received each report in isolation but has never been presented with a cumulative picture of remediation failure across the full findings universe.
IIA Standard 15.2 (2024) requires the CAE to establish a process for confirming that management has implemented agreed recommendations or action plans, and Standard 11.5 requires the CAE to escalate to senior management, and if the matter is not resolved, to the board, when management has accepted a level of risk that the CAE considers unacceptable. This is not optional escalation. It is a Standards requirement. A CAE who is not escalating unacceptable risk acceptance is operating outside the Standards, regardless of the quality of the underlying audit work.
Board Responsibility: Request a findings aging report, a consolidated view of all open findings from the past 24 months, categorised by risk rating, responsible owner, original due date, and current status. This single report is more revealing about internal audit function effectiveness than any individual audit deliverable. If findings rated 'high' have been open for more than 90 days without board-level escalation, the governance mechanism has failed at the follow-through stage.
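The aging report described above, as an added example that is not the page's own tooling and not a product of ASC Group: a Python script that consolidates a constructed set of sample findings into the view a board would ask for. The 90-day threshold for 'high' findings is the one the text uses; the 180-day and 365-day thresholds for 'medium' and 'low', the field names, the sample findings, and the approximation of 24 months as 720 days are all assumptions made for this illustration. It also flags two patterns the section describes: findings closed without any verified evidence, and findings that repeat an earlier one.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Days a finding may stay open before it should have reached the board.
# 'high' = 90 days is the threshold used in the text; 'medium' and 'low'
# are assumed values for this example.
ESCALATION_DAYS = {"high": 90, "medium": 180, "low": 365}


@dataclass(frozen=True)
class Finding:
    ref: str
    rating: str                              # "high", "medium" or "low"
    owner: str                               # accountable management owner
    raised: date                             # date the finding was reported
    due: date                                # remediation date management committed to
    status: str                              # "open", "in progress" or "closed"
    board_escalated: bool = False            # has this item reached the audit committee?
    closure_evidence: Optional[str] = None   # evidence internal audit verified at closure
    repeat_of: Optional[str] = None          # ref of an earlier finding this one repeats


def days_open(f: Finding, as_of: date) -> int:
    """Calendar days since the finding was raised."""
    return (as_of - f.raised).days


def days_overdue(f: Finding, as_of: date) -> int:
    """Days past the committed remediation date; zero if closed or not yet due."""
    if f.status == "closed":
        return 0
    return max(0, (as_of - f.due).days)


def needs_board_escalation(f: Finding, as_of: date) -> bool:
    """Open longer than the threshold for its rating and never raised to the board."""
    if f.status == "closed" or f.board_escalated:
        return False
    return days_open(f, as_of) > ESCALATION_DAYS[f.rating]


def aging_report(findings, as_of: date, window_months: int = 24) -> dict:
    """Consolidate findings raised within the window into one board-level view."""
    window_start = as_of - timedelta(days=window_months * 30)   # assumed 30-day months
    in_scope = [f for f in findings if f.raised >= window_start]
    open_items = [f for f in in_scope if f.status != "closed"]
    escalation = [(f.ref, f.rating, days_open(f, as_of))
                  for f in open_items if needs_board_escalation(f, as_of)]
    return {
        "as_of": as_of.isoformat(),
        "open_by_rating": {r: sum(1 for f in open_items if f.rating == r)
                           for r in ESCALATION_DAYS},
        # most overdue first: ref, rating, owner, days overdue
        "overdue": sorted(((f.ref, f.rating, f.owner, days_overdue(f, as_of))
                           for f in open_items if days_overdue(f, as_of) > 0),
                          key=lambda row: row[3], reverse=True),
        "escalation_required": escalation,
        "closed_without_evidence": [f.ref for f in in_scope
                                    if f.status == "closed" and not f.closure_evidence],
        "repeat_findings": [(f.ref, f.repeat_of) for f in in_scope if f.repeat_of],
        # the text's test: a 'high' finding open past 90 days with no board escalation
        "follow_through_failed": any(rating == "high" for _, rating, _ in escalation),
    }


# Constructed sample findings register (not real data).
AS_OF = date(2026, 3, 31)
SAMPLE_FINDINGS = [
    Finding("IA-24-07", "high", "CFO", date(2024, 11, 15), date(2025, 2, 28), "in progress"),
    Finding("IA-25-03", "high", "Head of IT", date(2025, 12, 1), date(2026, 2, 15), "open"),
    Finding("IA-25-11", "high", "COO", date(2026, 2, 1), date(2026, 4, 30), "open"),
    Finding("IA-25-05", "medium", "CFO", date(2025, 6, 10), date(2025, 9, 30), "closed"),
    Finding("IA-25-08", "medium", "Head of HR", date(2025, 8, 1), date(2025, 12, 31), "open",
            board_escalated=True),
    Finding("IA-23-02", "low", "Head of Procurement", date(2023, 10, 1), date(2024, 1, 31), "open"),
    Finding("IA-26-01", "high", "CFO", date(2026, 3, 10), date(2026, 6, 30), "open",
            repeat_of="IA-24-07"),
]


def demo_report() -> dict:
    return aging_report(SAMPLE_FINDINGS, AS_OF)


if __name__ == "__main__":
    for key, value in demo_report().items():
        print(f"{key}: {value}")
```

Run as-is to see the consolidated view: two 'high' findings (IA-24-07 and IA-25-03) have been open past 90 days with no board escalation, so `follow_through_failed` is true; IA-25-08 is overdue but already escalated, so it is reported as overdue without being flagged again; IA-25-05 was closed with no verified evidence; IA-26-01 is a repeat of IA-24-07; and IA-23-02 falls outside the 24-month window. In a real deployment the register would be loaded from the audit tracking system rather than constructed inline.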
5. External Quality Assessment: The Evidence of Effectiveness That Most UAE Functions Cannot Produce
The IIA's requirement for an External Quality Assessment every five years is one of the least enforced governance standards in the UAE market. Many internal audit functions, including those of substantial, well-governed organisations, have never received an EQA, or have received one that was not conducted by a team with the required qualifications. A function that cannot produce evidence of an independent conformance assessment is, by definition, unable to substantiate any claim that it operates to professional standards.
Under IIA Standard 8.4 (2024), an EQA must be conducted at least every five years. The assessment team must include at least one member holding an active Certified Internal Auditor (CIA) designation. Assessments conducted without this qualification are not compliant EQAs. A self-assessment with independent validation is permissible, but only if the validator holds appropriate credentials and the process meets the Standards' requirements.
For UAE organisations, where regulators are increasingly examining the robustness of internal control frameworks (in financial sector supervision, governance inspections, and M&A due diligence), an EQA conducted against the 2024 IIA Standards produces documented evidence that the function is fit for purpose. That evidence has direct commercial and regulatory value.
Board Responsibility: Confirm when the last EQA was conducted, by whom, and whether the assessment team included a qualified CIA. If the answer is 'more than five years ago', 'never', or 'we have not formally confirmed this', commission one. The absence of an EQA is an assurance gap the board is carrying on behalf of the organisation.
6. Resource Adequacy: Capacity Without Capability Is Not Assurance
Internal audit resourcing is the dimension that boards engage with least, and the one that most directly determines whether the function can cover the risks that actually matter. The typical conversation stops at headcount and annual budget β two metrics that capture capacity but not capability fit. A function with three auditors spending the majority of its time on cycle-driven financial controls, in a UAE business where cybersecurity risk, corporate tax compliance, AML obligations, and ESG reporting are all rapidly evolving, is not resourced to provide meaningful assurance. It is resourced to replicate last year.
The IIA and Internal Audit Foundation's Risk in Focus 2025 report, drawing on 3,544 internal audit leaders globally, places cybersecurity, business continuity, and human capital in the top three positions of the global risk ranking. AuditBoard's 2025 survey data reveals a persistent and measurable gap: changing economic conditions ranked as the second-highest global risk but only eleventh in terms of actual audit effort deployed. This misalignment between the risk landscape and internal audit coverage is not an operational matter. It is a board accountability issue.
Domain V of the 2024 Standards (Managing Resources, Standards 10.1 to 10.3) requires the CAE to secure sufficient, appropriate financial, human, and technological resources, including the right skills, experience, and technical capabilities, to execute the function's mandate. In a UAE context in 2026, that means auditors with demonstrated competency across cybersecurity risk, corporate tax compliance under Federal Decree-Law No. 47 of 2022, AML/CFT frameworks under Federal Decree-Law No. 10 of 2025, ESG reporting obligations, and data analytics. Generalist financial auditing experience alone no longer constitutes an adequate resource base for the risk environment UAE organisations are operating in.
Board Responsibility: Request a resource adequacy assessment from the CAE: do current headcount and skill composition align with the top risks in the audit plan? Are there material risk areas that the internal team cannot cover without co-sourcing or specialist engagement? If the answer reveals a gap, the remedy is not reduced audit coverage; it is sourcing the right capabilities to close it.
The internal audit function is the board's primary independent assurance mechanism, the one function in the organisation whose entire purpose is to tell the board what management may not. When that function operates with an outdated charter, conducts audits based on last year's risk universe, communicates through management rather than directly to the board, or lacks the technical capability to cover the risks that actually matter, it does not cease to exist. It continues to produce reports and occupy governance space. It simply stops being useful.
The 2024 IIA Global Internal Audit Standards have raised the professional benchmark for what effectiveness requires. The SCA (now CMA)'s governance amendments and the CBUAE's requirements have raised the regulatory floor for what UAE regulated entities must maintain. Across all of these frameworks, the board's obligation is the same: to know, with evidence rather than assumption, whether the internal audit function it oversees is genuinely working.
The six dimensions above are where that evidence is found, or not found.
Strengthen Your Internal Audit Function with ASC Group
ASC Group's Risk Advisory practice delivers independent, risk-based internal audit services for UAE businesses across all sectors, from listed PJSCs and regulated financial institutions to family-owned conglomerates and free zone entities. Whether you need a full co-sourced or outsourced internal audit function, a targeted review of audit plan quality, or an assessment of internal audit effectiveness against the 2024 IIA Global Standards, our team provides the rigour and objectivity that boards need to govern with confidence.
Internal Audit Services UAE: ascglobal.ae/our-services/risk-advisory/internal-audit
Corporate Governance Services: ascglobal.ae/our-services/risk-advisory/corporate-governance
ICFR Services: ascglobal.ae/our-services/risk-advisory/internal-control-over-financial-reporting-icfr
Confidential consultation: +971 50 328 7722 | info@ascglobal.ae | https://wa.me/971503287722
Q1. What are the IIA's 2024 Global Internal Audit Standards and when did they become mandatory?
The IIA's 2024 Global Internal Audit Standards were released on January 9, 2024, and became mandatory for all internal audit functions globally on January 9, 2025, replacing the 2017 framework. The 2024 framework is organised into five domains, 15 guiding principles, and 52 standards. Internal audit functions that do not conform with the new Standards must remove any reference to IIA Standards conformance from their audit deliverables.
Q2. Is internal audit legally required for all companies in the UAE?
The requirement depends on entity type. For public joint stock companies listed on the DFM or ADX, SCA (now CMA) Decision No. 2/R.M of 2024 requires an independent internal audit function reporting to the audit committee, with the committee meeting at least quarterly. For banks and insurance companies, CBUAE governance standards under Article 11 mandate an effective internal audit function providing independent evaluation to the board. Private LLCs and most free zone entities face no legal mandate, but internal audit is increasingly expected by lenders, institutional investors, and regulators, and is strongly recommended for any entity with material operational complexity.
Q3. What is a risk-based internal audit plan and how does it differ from a standard audit plan?
A risk-based internal audit plan is built from a documented, independently conducted assessment of the organisation's current strategic objectives, risks, and control environment, and translates that assessment into coverage priorities. Under IIA Standard 9.4 (2024), a risk-based plan is a mandatory requirement, not a best practice. A standard audit plan, one that repeats prior-year coverage with incremental adjustments and no independent risk assessment, is non-conformant with the 2024 Standards and gives the board false assurance about the adequacy of internal audit coverage.
Q4. What is an External Quality Assessment and who should conduct it?
An External Quality Assessment is an independent review of the internal audit function against IIA Standards β evaluating whether the function conforms with professional standards, operates with appropriate independence, produces quality findings, and delivers value to stakeholders. Under IIA Standard 8.4, an EQA must be conducted at least every five years. The assessment team must include at least one individual holding an active Certified Internal Auditor (CIA) designation. The output is a formal conformance opinion and remediation roadmap delivered directly to the board.
Q5. What should UAE boards do if they discover their internal audit function is non-conformant with the 2024 IIA Standards?
The first step is a gap assessment comparing the current function's structure, resources, audit plan, reporting lines, and governance documentation against the 2024 IIA Standards. This produces a prioritised remediation roadmap. Boards should then agree a time-bound implementation plan with the CAE and monitor progress at each audit committee meeting. For functions with material gaps β particularly in independence, charter currency, or risk-based planning β supplementing the in-house team with an experienced external provider while remediation is underway ensures governance coverage is not interrupted. ASC Group's Risk Advisory practice provides both gap assessments and full internal audit co-sourcing services for UAE organisations across all sectors and entity types.
ASC Group UAE | One by Omniyat, Business Bay, Dubai | www.ascglobal.ae | info@ascglobal.ae | +971 50 328 7722 | https://wa.me/971503287722
© 2026 ASC Group. All rights reserved. This content is for informational purposes only and does not constitute legal or professional advice.