
Internal Controls for UAE SMEs: Reducing Fraud and Audit Fees

Weak internal controls invite fraud and increase your external audit costs. Learn the "Big 3" controls every UAE SME should implement immediately.

Farahat & Co Advisory Team
Control Specialists
December 24, 2025

Many SME owners in Dubai view "Internal Controls" as corporate bureaucracy reserved for multinationals. "We are a small team, we trust each other," is a common sentiment.

Unfortunately, "trust" is not a control. The majority of occupational fraud happens in small businesses (fewer than 100 employees) precisely because controls are missing. Furthermore, weak controls force your external auditor to do more substantive testing, directly increasing your audit fees.

This guide outlines practical, low-cost internal controls that every UAE SME should implement.

Why Controls Matter (Beyond Fraud)

  1. Lower Audit Fees: If an auditor can test and rely on your controls, they can reduce the sample size of invoice testing. Strong Controls = Faster Audit = Lower Fees. Professional external audit services become more efficient with strong controls in place.
  2. Accurate Reporting: Controls prevent accidental errors (typos, double payments) just as much as intentional fraud.
  3. Scalability: You cannot grow if the founder has to sign every single cheque. Controls allow delegation.
  4. Investor Confidence: When seeking funding, investors will ask about your control environment. Weak controls = high risk = lower valuation.
  5. Regulatory Compliance: Corporate Tax and VAT audits by the FTA are easier to pass with documented controls.

The "Big 3" Controls for SMEs

If you only implement three things, make it these:

1. Segregation of Duties (SoD)

No single person should have control over a transaction from start to finish.

  • The Risk: The Accountant adds a fake vendor, approves the invoice, and pays it.
  • The Fix:
    • Person A (Procurement) approves the Purchase Order.
    • Person B (Warehouse) confirms receipt of goods.
    • Person C (Accountant) enters the invoice.
    • Person D (Owner/Manager) authorizes the payment.
  • Small Team Hack: If you only have one accountant, the Owner MUST sign cheques or authorize bank transfers, and should personally open the bank statements and bank alerts.

Real-World Data: According to the ACFE (Association of Certified Fraud Examiners), frauds last 50% longer in companies without SoD.

2. Approval Matrices (Delegation of Authority)

Stop "hallway approvals."

  • The Control: A written document defining who can spend what.
    • Supervisor: Up to AED 1,000.
    • Manager: Up to AED 10,000.
    • Director: Up to AED 50,000.
    • CEO/Owner: Above AED 50,000.
  • Implementation: Configure your ERP (Zoho, QuickBooks, Microsoft Dynamics) to enforce these limits automatically.
  • For Cheques: Define who signs what (e.g., single signature up to AED 25,000, dual signature above).
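The two controls above (segregation of duties and the approval matrix) can be checked mechanically against a payment export. The following is an added example, not part of the original guide or any ERP's own code: the record fields, user names and sample payments are constructed for illustration, and only the AED limits come from the matrix above.

```python
from dataclasses import dataclass

# Limits (AED) from the approval matrix above; CEO/Owner has no ceiling.
APPROVAL_LIMITS = {"Supervisor": 1_000, "Manager": 10_000,
                   "Director": 50_000, "CEO/Owner": float("inf")}

@dataclass
class Payment:  # hypothetical export layout, one row per paid invoice
    ref: str
    amount_aed: float
    po_approved_by: str
    goods_received_by: str
    invoice_entered_by: str
    payment_authorized_by: str

# Constructed sample data: user -> approval tier, and three payments.
ROLES = {"bilal": "Manager", "dina": "Director", "owner": "CEO/Owner"}
PAYMENTS = [
    Payment("PAY-001", 8_500, "amal", "sara", "chen", "bilal"),
    Payment("PAY-002", 32_000, "amal", "sara", "chen", "bilal"),
    Payment("PAY-003", 4_200, "chen", "chen", "chen", "chen"),
]

def review_payment(p, roles):
    """Return a list of control findings for one payment (empty if clean)."""
    findings = []
    role = roles.get(p.payment_authorized_by)
    limit = APPROVAL_LIMITS.get(role)
    if limit is None:
        findings.append(f"{p.ref}: authorizer {p.payment_authorized_by!r} "
                        "holds no tier in the approval matrix")
    elif p.amount_aed > limit:
        findings.append(f"{p.ref}: AED {p.amount_aed:,.0f} exceeds the "
                        f"{role} limit of AED {limit:,.0f}")
    # SoD: group the four steps by the user who performed them.
    steps = {"PO approval": p.po_approved_by,
             "goods receipt": p.goods_received_by,
             "invoice entry": p.invoice_entered_by,
             "payment authorization": p.payment_authorized_by}
    by_user = {}
    for step, user in steps.items():
        by_user.setdefault(user, []).append(step)
    for user, done in by_user.items():
        if len(done) > 1:
            findings.append(f"{p.ref}: SoD conflict, {user} performed "
                            + " + ".join(done))
    return findings

def review_all(payments, roles):
    """Map each payment reference to its findings."""
    return {p.ref: review_payment(p, roles) for p in payments}
```

A small team that relies on the owner authorizing every payment will still see conflicts on the first three steps; treat those as items for the owner's monthly review rather than as errors in the check.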

3. Monthly Bank Reconciliations (Reviewed Independently)

This is the #1 way to catch cash theft.

  • The Control: The bank ledger in your software must match the actual bank statement to the penny.
  • The Trick: The person doing the reconciliation shouldn't be the only one checking it. The Owner or CFO should review and sign off on the reconciliation sheet monthly, looking specifically for "unusual items" or uncleared cheques.
  • Red Flags to Watch: Cheques to "Cash," round number transfers, payments to unknown beneficiaries.

Additional Essential Controls

4. Vendor Master File Review

  • The Risk: Fake vendors added by employees to siphon payments.
  • The Control: New vendor additions require approval by a manager. Quarterly review of vendor list for unusual patterns (e.g., same bank account for multiple vendors, P.O. Box addresses).
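The quarterly review described above can be run as a script over a vendor master export. This is an added example, not code from the original guide: the field names, vendors and IBANs are constructed (the IBANs are not valid account numbers). Two rules are assumptions of this example: a vendor counts as "P.O. Box only" when its address starts with a P.O. Box, and a vendor approved by the same user who added it is treated as unapproved.

```python
import re
from collections import defaultdict

# Constructed sample export; all names and account numbers are made up.
VENDORS = [
    {"id": "V001", "name": "Gulf Packaging LLC",
     "iban": "AE00 0000 0000 0000 0000 001",
     "address": "Warehouse 12, Al Quoz 3, Dubai",
     "added_by": "chen", "approved_by": "bilal"},
    {"id": "V002", "name": "Desert Star Trading",
     "iban": "AE00 0000 0000 0000 0000 002",
     "address": "P.O. Box 41127, Sharjah",
     "added_by": "chen", "approved_by": ""},
    {"id": "V003", "name": "DS General Supplies",
     "iban": "ae000000000000000000002",   # same account, different formatting
     "address": "Office 804, Business Bay, PO Box 9911, Dubai",
     "added_by": "chen", "approved_by": "chen"},
]

# Matches addresses that begin with a P.O. Box (no street or office first).
PO_BOX_ONLY = re.compile(r"^\s*P\.?\s*O\.?\s*Box\b", re.IGNORECASE)

def normalize_iban(iban):
    """Strip whitespace and upper-case so formatting cannot hide a duplicate."""
    return re.sub(r"\s+", "", iban).upper()

def review_vendor_master(vendors):
    """Return vendor ids grouped by the review pattern they triggered."""
    findings = {"po_box_only": [], "no_independent_approval": []}
    by_iban = defaultdict(list)
    for v in vendors:
        by_iban[normalize_iban(v["iban"])].append(v["id"])
        if PO_BOX_ONLY.match(v["address"]):
            findings["po_box_only"].append(v["id"])
        # Missing approval, or approval by the person who created the record.
        if not v["approved_by"] or v["approved_by"] == v["added_by"]:
            findings["no_independent_approval"].append(v["id"])
    findings["shared_bank_account"] = sorted(
        ids for ids in by_iban.values() if len(ids) > 1)
    return findings
```

Normalizing the IBAN before grouping matters: V002 and V003 share an account but would not match on a plain string comparison.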

5. Customer Credit Limits

  • The Risk: Sales staff giving unlimited credit to relatives or friends.
  • The Control: System-enforced credit limits. Overrides require management approval documented in the system.

6. Physical Access Controls

  • The Risk: Theft of inventory or cash.
  • The Control: Locked storage areas. Key/code access limited to authorized personnel. CCTV in warehouses and cash handling areas.

7. Leave Policy Enforcement

  • The Risk: Fraudsters resist taking leave because their scheme will be discovered.
  • The Control: Mandatory one-week continuous leave annually. Another employee covers duties during this time, potentially exposing irregularities.

Digital Controls in the Modern Era

In 2025, physical lock-and-key is less important than digital security.

  1. User Access Rights: The intern shouldn't have "Admin" access to delete transactions. Review ERP access rights quarterly.
  2. Audit Logs: Turn on the "Audit Trail" in your accounting software. It tracks who changed an invoice amount and when.
  3. Two-Factor Authentication (2FA): Mandatory for email and bank access to prevent Business Email Compromise (BEC) scams.
  4. Backup Procedures: Daily automated backups, stored off-site or in cloud. Test restoration quarterly.
  5. Password Policies: Enforce password changes every 90 days. Prohibit sharing of login credentials.

Case Study: The Trusted Accountant

Situation: A Dubai trading company had the same accountant for 8 years. She handled everything: POs, invoice recording, payments, and bank reconciliations.

What Happened: Over 3 years, she created 15 fake vendor accounts and paid herself AED 850,000.

How It Was Caught: She went on emergency leave for a family issue. The replacement discovered payments to vendors with no delivery notes and bank accounts in her husband's name.

Lessons:

  1. SoD would have prevented this immediately.
  2. Mandatory leave would have exposed it sooner.
  3. Quarterly vendor reviews would have flagged duplicates.

Outcome: Criminal case filed. Partial recovery of AED 300,000. Company now has proper controls.

The COSO Framework (Simplified)

For those wanting a structured approach, we use a simplified version of the COSO framework:

  1. Control Environment: Tone at the top. Does the owner take ethics seriously?
  2. Risk Assessment: Where could we lose money? (Cash? Inventory? Fake employees?)
  3. Control Activities: The policies (SoD, approvals) discussed above.
  4. Information & Communication: Do employees know how to report suspicion?
  5. Monitoring: Who checks that the controls are working? Dedicated internal audit services provide independent monitoring and assurance.

Frequently Asked Questions

How much do internal controls cost to implement?

For an SME, almost nothing. Most controls are policy-based (approvals, SoD) and require configuration of existing software, not new technology. Professional policy drafting may cost AED 5,000-15,000.

Won't controls slow down my business?

Initially, there may be minor friction. But well-designed controls are efficient. Automated ERP approvals take seconds. The time saved on fraud investigation and audit queries far exceeds any slowdown.

Do I need an internal auditor?

Most SMEs don't need a full-time internal auditor. However, an annual "Controls Health Check" by an external firm (like Farahat & Co) provides independent assurance without the overhead.

How do I get staff to follow new controls?

  1. Lead by example—owners must follow the rules too.
  2. Train staff on the "why" not just the "what."
  3. Make it easy—automate where possible.
  4. Enforce consequences for bypassing controls.

What if my accountant threatens to quit if I implement controls?

That's a red flag. Honest employees welcome controls because it protects them from false accusations.

Conclusion

Internal controls are the immune system of your business. They protect you from internal threats and errors. You don't need a 100-page manual; you just need logical checks and balances.

Free Health Check: Farahat & Co offers a "Controls Health Check" for SMEs. We review your core cycles (Sales, Procurement, Treasury) and identify your biggest vulnerabilities in just 3 days.

Important Disclaimer

The information provided in this article reflects the regulatory environment as of 2026. Laws and regulations in the UAE are subject to change. This content is for general information only and does not constitute professional legal or financial advice. We recommend consulting with a qualified auditor or legal advisor for your specific situation.
