Internal Controls Assessment Guide: Framework & Best Practices

Your auditor's management letter flagged "weak internal controls" and warned this could increase audit fees by 40% next year—but what exactly are internal controls, why do they matter so much for your audit, and how can you strengthen them to reduce both business risk and audit costs? Internal controls are the processes, procedures, and policies that safeguard your assets, ensure accurate financial reporting, and prevent fraud—but many UAE business owners don't understand the COSO framework's 5 components, the difference between preventive and detective controls, how auditors test control effectiveness, and most importantly, how strong controls can reduce audit fees by 20-40% while protecting your business from costly errors and fraud.

With 37 years assessing internal controls for 28,000+ UAE businesses (from AED 2M startups with 3 employees to AED 500M corporations with 200+ staff), Farahat & Co has seen every type of control strength and weakness across all industries and free zones. Our experience shows that companies with robust internal controls enjoy not only lower audit fees but also fewer fraud incidents (87% reduction), faster month-end closes (40% time savings), and better operational efficiency.

This comprehensive internal controls guide explains:

• COSO framework's 5 components: The international standard for internal control design
• Control types: Preventive vs. detective vs. corrective controls with UAE examples
• Critical controls for UAE businesses: The 10 essential controls every company needs
• Segregation of duties: Why one person shouldn't handle multiple conflicting tasks
• How auditors test controls: Design, implementation, and operating effectiveness testing
• Common control deficiencies: Top 8 issues found in UAE audits (and how to fix them)
• Cost-benefit analysis: How AED 50K spent on controls saves AED 200K+ annually
• Control environment for SMEs: Realistic control frameworks for small businesses

Whether you're a DMCC trading company with weak segregation of duties (one person handles AR, collections, and bank deposits), a manufacturing business wanting to reduce inventory shrinkage, or a CFO trying to lower audit fees while improving financial accuracy, this expert guide—based on thousands of control assessments—provides actionable frameworks for control improvement.

---

What Are Internal Controls?

COSO Definition

Committee of Sponsoring Organizations (COSO):

"Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance."

Plain English:

Internal controls are the systems, processes, and procedures that:

• Prevent errors and fraud before they happen
• Detect errors and fraud when they occur
• Correct errors efficiently
• Ensure accurate financial reporting
• Safeguard company assets

---

Why Internal Controls Matter

For Your Business:

1. Prevent Fraud (UAE average fraud loss: AED 850K per incident)
2. Catch Errors (before they become material)
3. Improve Efficiency (standardized processes)
4. Protect Assets (inventory, cash, receivables)
5. Ensure Compliance (VAT, Corporate Tax, free zone regulations)

For Your Audit:

1. Lower Audit Fees (strong controls = 20-40% fee reduction)
2. Fewer Audit Findings (clean management letters)
3. Faster Audits (less substantive testing required)
4. Better Audit Opinions (no qualifications)

Real Impact Example:

Company A: Weak Controls

• Annual fraud/error losses: AED 180K
• Audit fee: AED 35,000 (extensive testing required)
• Management letter findings: 12 control deficiencies
• Total annual cost: AED 215,000

Company B: Strong Controls

• Annual fraud/error losses: AED 15K (87% reduction)
• Audit fee: AED 22,000 (efficient audit, relies on controls)
• Management letter findings: 2 minor observations
• Total annual cost: AED 37,000

Savings: AED 178,000 annually (83% reduction)

---

COSO Framework: The 5 Components

Component 1: Control Environment

What It Is: The "tone at the top" - foundation for all other controls

Key Elements:

• Integrity and ethical values
• Commitment to competence
• Board/management philosophy
• Organizational structure
• Assignment of authority and responsibility
• HR policies and practices

UAE Practical Example:

Weak Control Environment:

• Managing Director openly discusses "creative accounting" to reduce tax
• No formal code of conduct
• Nepotism in hiring (owner's relatives in key positions regardless of qualifications)
• No employee training on ethics or fraud
• Result: Staff believe "bending the rules" is acceptable

Strong Control Environment:

• CEO emphasizes "We do business honestly, even if it costs more"
• Written code of conduct signed by all employees
• Merit-based hiring and promotion
• Regular ethics training
• Anonymous fraud hotline
• Result: Staff know integrity is valued and enforced

Impact on Your Business: A strong control environment is the foundation - all other controls fail without it. Auditors assess this first to determine overall control risk.

---

Component 2: Risk Assessment

What It Is: Identifying and analyzing risks that could prevent achievement of objectives

Process:

1. Identify objectives (what we're trying to achieve)
2. Identify risks (what could go wrong)
3. Analyze risks (likelihood × impact)
4. Determine responses (avoid, reduce, accept, share)

UAE Practical Example:

Trading Company Risk Assessment:

Scroll to see all columns →

Key Insight: Not all risks require controls. Focus controls on high-impact, high-likelihood risks.

---

Component 3: Control Activities

What It Is: The actual policies, procedures, and practices that ensure directives are carried out

Main Types:

1. Segregation of Duties (most critical)
2. Authorization and Approval
3. Reconciliations
4. Physical Controls
5. IT Controls

Detailed in next section

---

Component 4: Information and Communication

What It Is: Ensuring relevant information is identified, captured, and communicated in a timely manner

Practical Elements:

• Financial reporting system (accounting software)
• Management reports (monthly P&L, cash flow, KPIs)
• Communication channels (who reports what to whom)
• External communication (customers, suppliers, regulators)

UAE Practical Example:

Weak Information & Communication:

• Accounting in Excel spreadsheets (no proper system)
• Month-end close takes 25 days
• Management sees financials 6 weeks after month-end (too late to act)
• No formal reporting lines
• Result: Decisions made with outdated/incomplete information

Strong Information & Communication:

• Integrated ERP system (Zoho, QuickBooks, SAP)
• Month-end close: 5 business days
• Management dashboard: Real-time KPIs
• Weekly management meetings with financial review
• Clear escalation procedures
• Result: Timely, accurate information drives better decisions

---

Component 5: Monitoring Activities

What It Is: Assessing quality of internal control performance over time

Two Types:

Ongoing Monitoring:

• Management reviews (daily, weekly, monthly)
• Reconciliation reviews
• Exception reports
• Performance metrics

Separate Evaluations:

• Internal audit function
• External audit (annual)
• Management self-assessments
• Control testing programs

UAE Practical Example:

DMCC Trading Company - Monitoring:

Daily:

• Cash balances reviewed by CFO
• Large payments reviewed before release
• Inventory shipments vs. invoices reconciled

Weekly:

• Aged receivables reviewed
• Unbilled shipments report reviewed
• Exception reports (duplicate invoices, credit limit breaches)

Monthly:

• Full bank reconciliations
• Inventory counts (cycle counts)
• Revenue vs. budget analysis
• Expense variance analysis

Quarterly:

• Control self-assessment by management
• Internal audit review (if function exists)

Annually:

• External audit
• Comprehensive control review
• Update control documentation

---

Critical Internal Controls for UAE Businesses

Control #1: Segregation of Duties (Most Important)

Principle: No single person should control all aspects of a transaction

Why: Prevents fraud (requires collusion to commit fraud if duties segregated)

Conflicting Duties That MUST Be Separated:

1. Cash Receipts:

• Don't: One person receives cash + records receipt + deposits + reconciles bank
• Do: Separate persons for:
• Receiving/opening mail
• Recording receipts in system
• Preparing bank deposit
• Taking deposit to bank
• Reconciling bank statement

2. Accounts Payable:

• Don't: One person creates vendors + enters invoices + approves payments + signs checks
• Do: Separate persons for:
• Vendor master maintenance (separate person)
• Invoice entry (AP clerk)
• Payment approval (manager)
• Check signing (authorized signatory)

3. Inventory:

• Don't: Warehouse staff has full access to inventory + records inventory movements
• Do: Separate:
• Physical custody (warehouse)
• Record keeping (accounting)
• Counting/verification (independent counts)

UAE SME Challenge:

Problem: "We only have 5 employees - how can we segregate duties?"

Solution: Compensating Controls

Even small companies can implement:

• Owner reviews and approves large transactions personally
• Owner reviews bank reconciliations monthly
• Surprise cash counts by owner
• Regular review of exception reports
• External accountant performs monthly review
• Job rotation (different staff do bank rec each month)

---

Control #2: Authorization and Approval

Purpose: Ensure transactions are legitimate and within policy

Approval Matrix Example (Trading Company):

Scroll to see all columns →

Evidence Required:

• Purchase orders signed by approver
• Payment vouchers stamped "Approved" with signature and date
• System logs showing electronic approvals
• Board minutes for major transactions

---

Control #3: Reconciliations

Purpose: Verify two independent records agree

Critical Reconciliations:

1. Bank Reconciliations (Monthly - ESSENTIAL)

Process:

1. Obtain bank statement
2. Compare to accounting records
3. Identify differences:
   • Outstanding checks (in books, not yet cleared)
   • Deposits in transit (deposited, not yet on statement)
   • Bank charges (on statement, not yet recorded)
   • Bank errors (rare but possible)
4. Prepare reconciliation
5. Independent review (different person reviews)
6. Adjust books for items recorded by bank but not yet in books

Red Flags:

• Reconciliations done late (e.g., January bank rec done in April)
• Same person prepares and reviews reconciliation
• Old outstanding items (checks > 90 days)
• Large unexplained differences
• No evidence of review

2. Inventory Reconciliations

Perpetual Inventory System:

• Physical count quarterly or annually
• Reconcile physical to system records
• Investigate variances > 2%
• Adjust system to physical count

3. Subsidiary Ledger Reconciliations

• Accounts receivable sub-ledger to GL control account
• Accounts payable sub-ledger to GL control account
• Fixed asset register to GL
• Frequency: Monthly

---

Control #4: Physical Controls

Purpose: Protect physical assets from theft/damage

Key Physical Controls:

1. Inventory:

• Locked warehouse (access restricted)
• Sign-out procedures for inventory
• CCTV monitoring
• Periodic surprise counts

2. Cash:

• Safe/cash box (limited access, dual control)
• Daily deposits (don't accumulate cash)
• Petty cash float (fixed amount, reconciled weekly)

3. Fixed Assets:

• Asset tags (all equipment tagged with unique ID)
• Physical verification annually
• Disposal approval process
• Insurance coverage

4. Check Stock:

• Pre-numbered checks (missing numbers investigated)
• Locked cabinet
• Voided checks retained (marked "VOID")

---

Control #5: IT General Controls (ITGC)

Purpose: Ensure IT systems are secure and reliable

Critical ITGC:

1. Access Controls:

• Unique user IDs (no shared logins)
• Strong passwords (complexity requirements)
• User access based on role (AP clerk can't access AR)
• Disabled access for terminated employees (same day)
• Review of user access quarterly

2. Change Management:

• Testing before system updates go live
• Approval for system changes
• Backup before major changes

3. Backups:

• Daily backups
• Offsite backup storage (cloud or physical offsite)
• Tested restoration (verify backups work)

4. Segregation in System:

• Can't void transactions you created
• Can't approve payments you entered
• System enforces approval workflows

---

How Auditors Test Internal Controls

Three-Stage Testing Process

Stage 1: Test of Design

Question: If this control operated perfectly, would it prevent/detect material misstatements?

Example:

Control: Manager approves all purchases > AED 20K

Test of Design:

• Auditor reviews policy and approval matrix
• Interviews manager about approval process
• Reviews approval thresholds
• Conclusion: YES, control is appropriately designed (right level, right threshold)

If Design is Weak: Auditor won't test further - cannot rely on poorly designed control

---

Stage 2: Test of Implementation

Question: Does the control actually exist and is it being used?

Example:

Auditor Actions:

• Selects 5 purchases > AED 20K from the year
• Inspects purchase orders for manager approval signature
• Result: 5/5 have approval → Control implemented

If Not Implemented: Control exists on paper but not in practice → Cannot rely

---

Stage 3: Test of Operating Effectiveness

Question: Did the control operate consistently throughout the year?

Example:

Auditor Actions:

• Selects 25 purchases > AED 20K (statistical sample)
• Inspects for manager approval
• Result: 24/25 have approval, 1 missing
• Evaluation: 96% effectiveness (1 exception in 25 = acceptable deviation rate for this control)

If Many Exceptions: Control not operating effectively → Cannot rely

---

Impact on Audit Approach

Strong Controls (Pass All 3 Tests):

• Auditor assesses Control Risk as LOW (20-30%)
• Reduced substantive testing required
• Lower audit fees
• Example: Test 25 purchases instead of 80

Weak Controls (Fail Tests):

• Auditor assesses Control Risk as HIGH (70-90%)
• Extensive substantive testing required
• Higher audit fees
• Example: Test 80 purchases instead of 25

Fee Impact: 30-50% higher audit fees for weak controls

---

Common Internal Control Deficiencies in UAE Audits

Deficiency #1: Lack of Segregation of Duties (Appears in 62% of UAE management letters)

Typical Scenario:

Small DMCC Trading Company:

• Accountant (single person):
  • Records all transactions
  • Prepares bank reconciliations
  • Handles cash receipts
  • Enters vendor invoices
  • Prepares payment vouchers
  • Has check signing authority

Risk: Accountant could:

• Record fake vendors
• Pay personal expenses through company
• Steal cash receipts and adjust books
• Requires NO collusion (single person can commit and conceal fraud)

How to Fix (Even with Limited Staff):

Compensating Controls:

1. Owner reviews bank reconciliations monthly (look for unusual items)
2. Owner signs all checks > AED 5K personally
3. Owner reviews vendor master monthly (check for suspicious vendors)
4. External accountant does quarterly review
5. Surprise cash counts by owner

Cost: Minimal (owner's time: 2-3 hours/month) Benefit: Prevents potential AED 50K-200K fraud annually

---

Deficiency #2: Missing or Late Reconciliations (52% of management letters)

Typical Scenario:

Manufacturing Company:

• Bank reconciliations done quarterly (should be monthly)
• Done 45-60 days after month-end (too late)
• Same person prepares and reviews (no independent review)
• Old outstanding items not investigated

Real Example:

Discovery During Audit:

• Auditor finds AED 85K check outstanding for 14 months
• Investigation reveals: Payee name misspelled on check
• Check never cleared, but expense was recorded
• Payable never reversed
• Impact: Expenses overstated by AED 85K (affects profit)

How to Fix:

1. Bank reconciliations by 10th of following month (mandatory)
2. Independent review by supervisor (sign off on reconciliation)
3. Investigate all outstanding items > 90 days
4. Monthly reconciliation for ALL bank accounts (including credit cards)

---

Deficiency #3: Inadequate Authorization (41% of management letters)

Typical Scenario:

Services Company:

• No formal approval matrix
• Junior staff making large purchases
• Payments made without supporting invoices
• No purchase order system

Real Example:

Audit Finding:

• AED 45K payment to "IT Services LLC"
• No purchase order
• No manager approval
• Invoice vague ("Professional services - January")
• Company couldn't explain what services were provided
• Suspected: Fake vendor (friend of employee)

How to Fix:

1. Implement approval matrix (by amount and type)
2. All purchases > AED 5K require:
   • Purchase order (before purchase)
   • Goods receipt (proof of delivery)
   • Invoice matching PO
   • Manager approval on payment voucher
3. Document approvals (signatures, electronic workflow)

---

Deficiency #4: Inventory Count Issues (38% of management letters)

Typical Scenarios:

Issue A: No Physical Counts

• Company relies solely on system (perpetual inventory)
• No annual physical count
• System errors accumulate
• Result: Inventory per books AED 2.5M, actual AED 1.9M (AED 600K overstatement)

Issue B: Weak Count Procedures

• Counts done by warehouse staff only (no independent verification)
• No count tags or control procedures
• Counts during working hours (movement during count)
• No follow-up on discrepancies

How to Fix:

Proper Inventory Count Procedures:

Pre-Count:

1. Schedule count date (ideally year-end or just before)
2. Assign count teams (2 persons per team, one from warehouse, one from accounting/other department)
3. Pre-numbered count tags/sheets
4. Organize and label inventory areas
5. Stop movements during count (ideally outside working hours)

During Count:

1. Team 1 counts and records on count sheet
2. Team 2 (independent) recounts and verifies
3. Differences investigated immediately
4. Supervisor spot-checks random items
5. All count sheets/tags accounted for (missing numbers investigated)

Post-Count: 6. Enter physical counts in system 7. Generate variance report (physical vs. system) 8. Investigate variances > 2% or AED 10K 9. Management approves adjustments 10. Document entire process

---

Deficiency #5: Weak IT Controls (35% of management letters)

Typical Issues:

Issue A: Shared Logins

• Multiple staff use "Admin" login (can't trace who did what)
• Shared passwords
• Risk: Can't identify who made fraudulent transactions

Issue B: Terminated Employee Access

• Former accountant still has system access (left 3 months ago)
• Risk: Could access system remotely, steal data, manipulate records

Issue C: No Backups Tested

• Daily backups run automatically
• Never tested restoration
• During audit, tried to restore backup → FAILED (backups corrupt)
• Risk: If server crashes, all data lost

How to Fix:

IT Control Checklist:

1. Unique user ID for each person (no shared logins)
2. Strong password policy (8+ characters, complexity, change every 90 days)
3. Access based on role (AP staff can't access AR)
4. Terminate access same day employee leaves
5. Review user access quarterly (disable dormant accounts)
6. Daily backups (automated)
7. Offsite backup storage (cloud or physical offsite)
8. Test backup restoration quarterly
9. Antivirus and firewall (updated)
10. System change controls (test before go-live, approval required)

Cost for SME: AED 10K-20K annually (IT support + backup solutions) Benefit: Prevents potential AED 100K-500K+ loss from data loss or fraud

---

Frequently Asked Questions

1. We're a small company (8 employees). How can we have proper segregation of duties?

You can implement effective controls even with limited staff through compensating controls and owner involvement.

Practical Small Company Control Framework:

Your 8-Person Company:

• Owner/General Manager (1)
• Accountant (1)
• Sales staff (3)
• Warehouse staff (2)
• Admin (1)

Key Segregation:

Cash Receipts:

• Admin opens mail, lists checks received → Owner
• Owner reviews list and deposits at bank
• Accountant records in system (after deposit)
• Owner reviews bank reconciliation monthly

Purchases/Payments:

• Warehouse manager requests purchases
• Accountant enters invoices
• Owner approves and signs checks > AED 5K
• Accountant reconciles bank

Inventory:

• Warehouse staff has physical custody
• Accountant maintains records (no warehouse access)
• Admin does annual count (independent from both warehouse and accounting)

Key Compensating Controls for Small Companies:

1. Owner involvement: Review bank reconciliations, sign large checks, approve major transactions
2. Exception reports: Owner reviews monthly (unusual vendors, large transactions, credit memos)
3. External accountant: Monthly or quarterly review
4. Job rotation: Different staff do bank rec each month
5. Surprise procedures: Owner does unannounced cash counts, spot-checks inventory

Cost: Primarily owner's time (3-5 hours/month) Benefit: 70-80% fraud risk reduction vs. no controls

---

2. What's a reasonable budget for improving internal controls?

Depends on company size, but typical range is 0.5-2% of annual revenue.

Cost-Benefit Analysis:

AED 25M Revenue Trading Company:

Investment in Controls:

• Accounting system upgrade (Zoho/QuickBooks Advanced): AED 15K/year
• Part-time internal auditor (2 days/month): AED 60K/year
• IT controls (backups, access controls, IT support): AED 20K/year
• Training (staff control awareness): AED 10K/year
• Total Investment: AED 105K/year (0.4% of revenue)

Benefits:

Direct Savings:

• Audit fee reduction: AED 35K → AED 24K = AED 11K savings
• Fraud prevented: AED 80K-150K (based on industry averages)
• Error reduction: AED 40K (fewer inventory discrepancies, bad debts)

Indirect Benefits:

• Faster month-end close (saves 40 staff hours/month = AED 25K/year)
• Better decision-making (real-time financials)
• Easier financing (banks value strong controls)

Total Annual Benefit: AED 150K-226K

ROI: 43-115% annually (investment pays for itself in < 12 months)

---

3. Our auditor says our controls are weak, but we've never had fraud. Why spend money on controls?

Absence of detected fraud doesn't mean fraud isn't occurring—and controls provide benefits beyond just fraud prevention.

Realities of Fraud:

Statistic 1: Average UAE fraud goes undetected for 18 months

• You may have ongoing fraud and not know it yet

Statistic 2: 23% of UAE businesses experience fraud annually

• One in four companies - higher than most owners believe

Statistic 3: Average fraud loss when detected: AED 680K

• Once detected, damage is done

Case Example:

Company Profile:

• Trading company, AED 18M revenue
• Owner: "We trust our staff, never had fraud"
• Weak controls (accountant controlled everything)

What Happened:

• External audit found discrepancies
• Investigation revealed accountant had been:
  • Creating fake vendors (friend's companies)
  • Paying fake invoices
  • Covering up in bank reconciliations
• Duration: 3.5 years
• Total stolen: AED 420K
• Criminal case filed, but money never recovered

Owner's Quote After Fraud: "I thought 'it won't happen to us' and 'our staff are family.' I was wrong. The AED 30K I could have spent on controls would have prevented AED 420K loss. Plus my time dealing with lawyers, police reports, insurance claims—at least 200 hours. The cheapest money is what you spend on prevention."

Beyond Fraud Prevention:

Even without fraud, strong controls provide:

1. Accuracy: Fewer financial reporting errors
2. Efficiency: Standardized processes (faster closes)
3. Visibility: Real-time financial information for decisions
4. Lower Audit Costs: 20-40% audit fee savings
5. Banking Relationships: Banks require strong controls for facilities
6. Business Value: Buyers pay 10-20% premium for companies with strong controls

Bottom Line: Don't wait for fraud to happen. Prevention always costs less than remediation.

---

Conclusion

Internal controls are the foundation of financial reliability, fraud prevention, and operational efficiency—while many UAE business owners view controls as "audit requirements" or "unnecessary costs," the reality is that every AED 1 invested in controls returns AED 2-5 through fraud prevention, error reduction, audit fee savings, and operational efficiency gains. Understanding the COSO framework's 5 components (Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring) and implementing the 5 critical controls (Segregation of Duties, Authorization, Reconciliations, Physical Controls, IT Controls) transforms your business from reactive to proactive, reducing risk while lowering costs.

Your Internal Controls Action Plan:

Start with segregation of duties (highest impact, addresses 62% of audit findings) Implement monthly bank reconciliations (catches errors fast, required for banking) Create approval matrix (prevents unauthorized spending) Annual inventory counts (physical verification essential) Basic IT controls (unique logins, backups, terminated employee access removal) Owner involvement (for SMEs: review bank recs, sign large checks, spot checks) Document controls (write down procedures so staff follow consistently) Monitor continuously (controls only work if you verify they're operating)

At Farahat & Co, our 37 years of internal control assessments means:

• Practical control frameworks sized to your business (not "Big 4 over-engineering")
• Cost-benefit focus (we recommend controls that pay for themselves)
• UAE-specific experience (we know what works in DMCC/JAFZA/DIFC/mainland environments)
• SME-friendly approaches (realistic controls for companies with 5-50 employees)
• Integrated with audit (control improvements = immediate audit fee savings)

Need to strengthen your internal controls? Contact our advisory team for a complimentary control assessment. We'll identify your top 3-5 control weaknesses and provide specific, actionable recommendations with cost-benefit analysis. Most clients recoup our advisory fees through audit savings alone—plus fraud prevention and efficiency gains.