UAEServicesAudit & AssuranceInternal & Operational AuditsCompliance Audit

Audit & Assurance · Internal & Operational Audits

Compliance Audit

A UAE business today answers to more regulatory regimes at once than at any point in its history — VAT and Corporate Tax filings with the Federal Tax Authority, WPS payroll discipline with MOHRE, AML/CFT obligations under Cabinet Decision No.

Speak with a specialist →Chat on WhatsApp

Chartered Accountants · Dubai · Since 1986

What Compliance Audit is

A compliance audit is an independent examination of whether an organisation's policies, records, and day-to-day operating practices actually satisfy the specific laws, regulations, licence conditions, and contractual obligations that apply to it. It differs from a statutory financial audit, which opines on whether the financial statements present a true and fair view, and from a broader internal audit, which covers the full spectrum of operational and financial controls. A compliance audit is narrower and more targeted: it takes a defined set of regulatory or contractual obligations — VAT filing accuracy under Federal Decree-Law No. 8 of 2017, Corporate Tax positions under Federal Decree-Law No. 47 of 2022, WPS payroll compliance with MOHRE, AML/CFT programme adequacy under Cabinet Decision No. 10 of 2019, free zone authority licence conditions, or a specific regulator's rulebook — and tests, obligation by obligation, whether the business can produce evidence that it is meeting each one.

In the UAE, the compliance landscape a business must navigate depends heavily on its licensing jurisdiction and sector. A DMCC or JAFZA trading company faces FTA obligations (VAT registration and filing, Corporate Tax registration and, where applicable, filing), MOHRE and WPS payroll rules, and its free zone authority's own licence renewal and reporting conditions. A DIFC or ADGM entity regulated by the DFSA or FSRA carries additional prudential, conduct, and reporting obligations under that regulator's rulebook. A Designated Non-Financial Business or Profession — real estate brokers and agents, dealers in precious metals and stones, and independent legal or accounting professionals providing specified services, among others — carries AML/CFT obligations including customer due diligence, suspicious transaction reporting, and registration on the goAML platform maintained by the UAE Financial Intelligence Unit. A compliance audit is scoped to the specific combination of obligations that actually apply to the entity under review, rather than a generic checklist copied across every client regardless of licence type or sector.

The obligation set a compliance audit tests also depends heavily on whether the entity is licensed on the mainland or in a free zone, and that distinction runs through almost every category of obligation, not just Corporate Tax. A mainland business trading directly with UAE-based customers or importing goods carries VAT and customs-linked reporting nuances that a free zone entity dealing only with parties outside the UAE may not carry in the same way. A JAFZA or DMCC company relying on the 0% Corporate Tax rate on qualifying income as a Qualifying Free Zone Person under Federal Decree-Law No. 47 of 2022 must be able to evidence, on an ongoing transactional basis, that its qualifying activities and de minimis thresholds are actually being tracked — not simply assumed to hold because the original free zone licence category once qualified. A mainland company has no equivalent qualifying-income test to satisfy, but sits inside the standard Corporate Tax regime without a free zone carve-out to manage, so the documentation a compliance audit expects to see differs meaningfully between the two structures even within the same group.

Economic Substance Regulations (ESR) notification and report filing obligations, introduced under Cabinet Decision No. 57 of 2020, applied to UAE mainland and free zone entities carrying out defined 'relevant activities' for financial years ending before 1 January 2023; ESR requirements were discontinued for financial years starting on or after that date under Cabinet Decision No. 98 of 2024. A compliance audit covering a historical period before the cut-off may still need to test ESR filing evidence, but for current and future financial years it is a closed compliance chapter rather than a live obligation, and PNPC flags this distinction at scoping stage so budget is not spent testing something that has already lapsed.

Where scope extends into workforce compliance beyond WPS payroll timing, a compliance audit can also test visa administration against General Directorate of Residency and Foreign Affairs (GDRFA) and Federal Authority for Identity, Citizenship, Customs & Port Security (ICP) requirements, and, where relevant to the entity's size, whether Emiratisation obligations administered through MOHRE's Nafis programme are being monitored on schedule. For UAE Central Bank-regulated entities — exchange houses, finance companies, payment service providers — the obligation set expands further to the Central Bank's own prudential and conduct rulebook, tested alongside the FTA, MOHRE, and AML/CFT obligations most UAE businesses carry.

The distinguishing feature of a proper compliance audit is that it tests evidence, not assertions. A VAT compliance audit does not stop at confirming a VAT registration certificate exists — it reconciles filed EmaraTax returns against the general ledger, tests input VAT recoverability decisions on a sample of transactions, and checks whether reverse-charge and zero-rating positions are documented and defensible. An AML/CFT compliance audit does not stop at confirming a policy document exists — it samples actual customer files for evidence that due diligence was performed and documented at onboarding, tests whether the risk-based approach is genuinely being applied, and checks whether any suspicious activity indicators were escalated and reported through the correct channel rather than quietly ignored. A WPS compliance audit reconciles the payroll register against actual WPS submission records and salary transfer timing, not just the existence of a payroll policy.

Compliance audits are typically commissioned for one of several reasons: as a proactive, board-driven health check ahead of a licence renewal, bank facility renewal, or investor due diligence process; in response to a specific trigger such as an FTA query, a regulator's information request, or a near-miss compliance incident; as a periodic exercise for entities in higher-risk categories (DNFBPs, DIFC/ADGM regulated firms); or as a condition written into a bank covenant, franchise agreement, or investor term sheet. Unlike a one-off internal controls health check, a compliance audit is anchored specifically to named legal and regulatory obligations, which means the findings map directly to identifiable exposure — a missed WPS deadline, an under-documented related-party transaction, a customer file with no evidenced due diligence — rather than a general commentary on control maturity.

The output is a findings report that identifies each tested obligation, the evidence reviewed, whether the obligation is being met, and — where it is not — the specific gap, its risk rating, and a recommended remediation step with an owner and target date. Because compliance gaps often carry direct penalty or licence-renewal exposure rather than purely reputational risk, PNPC prioritises findings by regulatory exposure first and operational inconvenience second, and flags any gap serious enough to warrant an immediate voluntary disclosure or corrective filing rather than waiting for the final report to be issued.

When a compliance audit adds real value

A licence renewal, bank facility renewal, or investor due diligence process is approaching and management wants independent assurance that VAT, Corporate Tax, WPS, and free zone licence conditions are all genuinely current before an external party's review surfaces a gap

The business is a Designated Non-Financial Business or Profession under Cabinet Decision No. 10 of 2019 and has not had its AML/CFT programme independently tested against actual customer files and transaction records

A DIFC or ADGM regulated entity needs evidence that it is meeting DFSA or FSRA rulebook obligations ahead of the regulator's own periodic review or a routine supervisory visit

The company has received an information request, query, or notice from the Federal Tax Authority, MOHRE, or a free zone authority and wants an independent read on its full compliance position before responding

A first UAE Corporate Tax return is approaching and the board wants confirmation that related-party documentation, transfer pricing support, and any Qualifying Free Zone Person conditions can withstand scrutiny before filing

Rapid headcount growth or new visa quotas have outpaced the payroll team's WPS discipline, and management wants confirmation that salary transfers are timely and correctly structured before a MOHRE penalty or work-permit restriction materialises

A group has recently registered for VAT, Corporate Tax, or a new free zone activity, and management wants confirmation the new obligations are being correctly discharged in the first filing cycles rather than only finding out at year-end

An acquirer or investor's due diligence team has requested evidence of the target's compliance posture across tax, payroll, and AML/CFT obligations as a condition of closing

A franchise, agency, or distribution agreement contains specific compliance reporting obligations to a principal or licensor that the local UAE entity has not independently verified it is meeting

The business operates across multiple free zones or a mainland-plus-free-zone structure and management wants confirmation that Qualifying Free Zone Person conditions are being tracked separately and correctly for each licensed entity rather than assumed uniformly across the group

A UAE Central Bank-regulated entity — an exchange house, finance company, or payment service provider — wants independent testing of its compliance position ahead of the Central Bank's own periodic supervisory review

Employee headcount or visa quota utilisation has grown quickly and management wants assurance that GDRFA/ICP visa administration and, where relevant, Emiratisation tracking are keeping pace with the business rather than lagging behind WPS payroll compliance alone

When compliance audit is not the right engagement

You need an opinion on whether your financial statements are true and fair for filing with your licensing authority or bank — that is statutory (external) audit, a separate and distinct engagement

You need day-to-day VAT return preparation, Corporate Tax filing, or payroll processing — that is a compliance retainer service, not an independent audit of an existing compliance position

You need a broad review of operational controls, governance, and risk management across the whole business — that is internal audit, which is wider in scope than a compliance audit anchored to specific named obligations

You already know exactly which regulation was breached and need a forensic investigation into a specific incident for litigation or criminal referral purposes — that calls for a dedicated forensic and fraud investigation engagement with a different evidentiary standard

The business has no live UAE VAT registration, Corporate Tax exposure, DNFBP designation, or free zone/regulator-specific obligations to test — in that unusual case there may be very little for a compliance audit to meaningfully examine

Management wants a compliance certificate issued without underlying evidence testing, simply to satisfy a lender or investor checkbox — PNPC will not issue assurance that is not backed by actual sample testing of records

You are looking for legal advice on how to structure a transaction to reduce tax or regulatory exposure going forward — that is tax or legal advisory work; a compliance audit tests the current state, it does not design the future one

The finance and compliance teams are unwilling to grant access to filed returns, payroll records, customer due diligence files, or correspondence with regulators — without that evidence, a compliance audit becomes an unsupported opinion rather than assurance

The only open question relates to a historical Economic Substance Regulations filing period before 1 January 2023, with no current live ESR obligation — that calls for a narrow, historical-period review rather than a full current-state compliance audit

You need a one-time visa quota or Emiratisation check with no broader tax, payroll, or AML/CFT dimension to it — a narrower, single-obligation review may be more proportionate than a multi-obligation compliance audit

Structure Comparison

Compliance audit vs related assurance engagements in the UAE

FeatureCompliance AuditInternal AuditStatutory (External) AuditForensic/Fraud Investigation
Primary purposeTest whether specific named legal/regulatory obligations are being met, with evidenceIndependent assurance on risk management, controls and governance broadlyOpinion on true and fair view of financial statementsInvestigate a specific suspected irregularity for evidentiary/legal use
Scope anchorNamed laws, regulator rulebooks, licence conditions, or contractual obligationsRisk-ranked audit universe across financial, operational, IT and compliance processesFinancial statements and supporting recordsThe specific transaction, individual, or process in question
Who it reports toManagement, audit committee, or board depending on triggerAudit committee / boardShareholders (via signed audit report)Board / legal counsel / regulator, often under privilege
Mandatory under UAE lawNot generally mandatory as a standalone exercise, though the underlying obligations tested (VAT, WPS, AML/CFT for DNFBPs) are themselves mandatoryNot generally mandatory for mainland/most free zone entities; often required for DIFC/ADGM regulated firms and bank covenantsYes — annual filing typically required by DED/free zone authority licence conditionsNo — triggered by a specific event
Typical triggerLicence/facility renewal, DNFBP status, regulator query, new tax registration, M&A due diligenceBoard decision, investor/lender condition, regulatory expectationAnnual licence renewal conditionWhistleblower report, unexplained loss, suspicious transaction
Typical outputObligation-by-obligation findings report with risk rating and remediation planFindings report with risk ratings, root cause and management action plan across a broader control universeSigned audit opinion and financial statementsInvestigation report, evidence file, possible referral to authorities
Relevant UAE bodiesFTA, MOHRE, free zone authority, DFSA/FSRA, UAE FIU (goAML)DFSA (DIFC), FSRA (ADGM), free zone authority governance codes, bank covenantsDED / free zone licensing authority, FTA (for tax-linked disclosures)Dubai Courts / DIFC Courts / ADGM Courts if litigation follows; goAML if AML-related
FrequencyPeriodic, proportionate to risk profile — often aligned to licence renewal or governance calendarAnnual cycle, quarterly reviews, or continuous co-sourced functionAnnual, tied to financial year endAd hoc, triggered by an incident
Independence requirementIndependent of the function/obligation being tested; reports outside the team responsible for the obligationIndependent of the function being reviewed; ideally independent of the external auditorIndependent registered auditor, distinct from internal auditFully independent, often litigation-ready methodology

Compliance audit and internal audit frequently overlap in practice — many PNPC engagements combine a compliance-obligation review with a broader controls assessment in a single scoping exercise. The right structure depends on whether the driver is a specific regulatory obligation set or a broader governance question; a scoping conversation with a PNPC partner clarifies which framing fits your situation.

How it works
StageWhat HappensWho ActsTypical Output
1. Obligation MappingIdentify every regulatory and contractual obligation genuinely applicable to the entity — licence type, tax registrations, DNFBP status, regulator category, contractual reporting dutiesPNPC partner, with management input on licences and registrations heldA scoped obligation universe specific to this entity, not a generic checklist
2. Risk PrioritisationRank obligations by exposure — penalty risk, licence-renewal risk, reputational risk — and by evidence of recent change (new registration, new hires, new activity)PNPC engagement leadA risk-ranked scope for fieldwork, agreed with management or the audit committee
3. Engagement Letter & Access ArrangementsFormalise scope, fee, timeline, and confidentiality terms; agree what records, filings, and system access will be providedPNPC and client signatorySigned engagement letter and an access/document request list
4. Document & Filing ReviewCollect and review filed returns (VAT, Corporate Tax), WPS records, AML/CFT policy and customer files, licence and registration certificates, and prior regulator correspondencePNPC fieldwork team, supported by client finance/compliance staffA populated evidence file mapped against each obligation tested
5. Sample TestingTest a sample of transactions, customer files, or payroll runs against the underlying obligation — not just confirm a policy existsPNPC fieldwork teamTesting workpapers evidencing whether each obligation is met in practice
6. Gap Identification & Root CauseWhere testing reveals a gap, determine whether it is a one-off error or a systemic process weakness, and rate the riskPNPC engagement leadDraft findings list with risk ratings and preliminary root cause
7. Management DiscussionWalk draft findings through with process owners to correct factual errors and agree realistic remediation timelinesPNPC and named process ownersAgreed factual findings and draft remediation commitments
8. Final ReportIssue the obligation-by-obligation findings report with risk ratings, evidence summary, and recommended remediation actionsPNPC partner presents to management or the boardFinal compliance audit report with a management action plan
9. Urgent Escalation Where NeededAny gap serious enough to warrant an immediate voluntary disclosure or corrective filing is flagged and escalated before the final report is finished, not held until the endPNPC partner and client's tax/legal advisorImmediate notification memo where applicable
10. Remediation Follow-UpTrack agreed remediation actions and, where appropriate, re-test previously flagged obligations after a defined periodPNPC, reporting to management or audit committeeFollow-up confirmation of remediation status
11. Coordination with Statutory Auditor / Tax AdvisorWhere useful and with management's consent, share relevant compliance audit findings with the client's external auditor or tax advisor to avoid duplicated testing and align on any filing implicationsPNPC engagement lead and client's existing advisorsReduced duplication of effort and consistent messaging across advisors
12. Cycle Refresh for Structural ChangeWhere the entity adds a new registration, jurisdiction, DNFBP designation, or regulator category, refresh the obligation map ahead of the next compliance audit cyclePNPC engagement lead, with management inputAn updated obligation universe reflecting the business as it stands today

A single-obligation compliance audit (for example, a focused VAT or WPS compliance review) can often be completed in a few weeks once records are made available. A multi-obligation review spanning tax, payroll, and AML/CFT for a DNFBP, or a review across a multi-entity group, typically takes longer given the volume of filings and customer files to sample. PNPC agrees a specific timeline in the engagement letter once scope is confirmed.

Document Checklist
Licensing & Corporate Records

Trade licence(s) for each UAE entity in scope — mainland DED licence and/or free zone authority licence (JAFZA, DMCC, RAKEZ, IFZA, Meydan, ADGM, DIFC, RAK ICC, Ajman)

Certificate of incorporation, Memorandum/Articles of Association, and shareholder register

Any franchise, agency, distribution, or facility agreement containing specific compliance reporting obligations to a third party

Correspondence log with the licensing authority, FTA, MOHRE, or sector regulator over the past 12–24 months

Tax Compliance Records

VAT registration certificate (Tax Registration Number) and filed VAT returns for the review period, with supporting reconciliations

UAE Corporate Tax registration and, where applicable, the Corporate Tax return, related-party transaction schedules, and Qualifying Free Zone Person qualifying-income analysis

EmaraTax portal filing confirmations and any FTA correspondence, queries, or assessment notices

Records supporting reverse-charge, zero-rating, or exemption positions taken on VAT returns, where relevant to the entity's activity

Payroll & Labour Compliance Records

Payroll register and Wage Protection System (WPS) submission records for the review period

Employment contracts sample, visa/work-permit records, and MOHRE correspondence including any prior penalties or restrictions

Salary transfer timing evidence reconciled against WPS submission and payment records

AML/CFT Compliance Records (where DNFBP-relevant)

AML/CFT policy and procedures manual, and evidence of board or senior management approval

goAML registration confirmation and any suspicious transaction reports filed

Sample of customer due diligence files evidencing onboarding checks, risk rating, and periodic review

AML/CFT training records for relevant staff

Regulator-Specific Records (DIFC/ADGM entities)

DFSA or FSRA licence and category confirmation, and the applicable rulebook provisions relevant to the entity's category

Prudential or conduct reporting submissions made to the regulator over the review period

Any regulator supervisory visit findings, correspondence, or open action items

Engagement Administration

Signed engagement letter defining scope, obligations tested, fee, and confidentiality terms

Access arrangements — read-only system access, filing portal access where relevant, and named liaison contacts for each obligation area

Confirmation of who receives the final report and owns the resulting management action plan

Emiratisation & Visa/Workforce Compliance Records

Employee visa status listing and quota utilisation records against GDRFA/ICP requirements for the review period

Emiratisation quota tracking and reporting evidence through MOHRE's Nafis programme, where applicable to the entity's size and sector

Visa renewal and cancellation processing logs, showing timing against permit expiry dates

Group Structure & Related-Party Records

Group structure chart showing all UAE and non-UAE entities in scope, ownership percentages, and intercompany relationships

Intercompany agreements (management fees, cost-sharing, loans) and supporting transfer pricing documentation

Related-party transaction schedules as disclosed or supporting the Corporate Tax related-party position for each entity in scope

Ongoing obligations
PhaseTriggered ByPNPC Compliance Audit ApproachRisk If Ignored
Initial Obligation MappingBoard decision, licence renewal, or a specific trigger eventBuild the obligation universe specific to the entity's licence type, registrations, and sector, and agree the scope with managementTesting against a generic checklist instead of the entity's actual obligations wastes budget and can miss the obligation that matters most
First Compliance Audit CycleScope agreedTest the highest-risk obligations first — typically VAT/Corporate Tax filing accuracy, WPS compliance, and AML/CFT programme adequacy where DNFBP-relevantDeferring the review until a regulator query arrives removes the opportunity to self-correct before enforcement attention
Findings & Remediation AgreementFieldwork completeDiscuss draft findings with process owners, agree risk ratings and root cause, and set remediation owners and datesFindings not discussed and agreed with process owners are more easily disputed or ignored during remediation
Urgent Gap EscalationA serious compliance gap is identified during fieldworkEscalate immediately to management and, where appropriate, recommend a voluntary disclosure to the FTA via EmaraTax rather than waiting for the final reportSitting on a known filing error until the final report is issued delays a voluntary disclosure that is typically viewed more favourably the sooner it is made
Remediation TrackingFinal report issuedTrack agreed remediation actions against committed dates and escalate overdue items to management or the audit committeeFindings reported but never followed up leave the underlying regulatory exposure live
Follow-Up TestingAfter remediation deadlines passRe-test the specific obligations previously flagged to confirm remediation actually occurred, not just that a policy was updatedUnverified remediation frequently turns out to be partial when re-tested
Regulatory or Structural ChangeNew tax registration, new DNFBP designation, new regulator category, new jurisdiction added to groupRefresh the obligation map and re-scope the next compliance audit cycle to reflect the changeAn obligation map that does not evolve with the business tests yesterday's requirements while missing new ones just taken on
Annual or Periodic Cycle RenewalLicence renewal date, regulator's own review cycle, or board decisionRepeat the compliance audit on a periodic basis proportionate to the entity's risk profile, refreshing scope each cycleTreating compliance audit as a one-off exercise loses the year-on-year comparability that shows whether remediation is holding
Group or Licensing Structural ChangeNew free zone entity added, new Central Bank or DFSA/FSRA licence category, new jurisdiction added to the groupRefresh the obligation map for the affected entity and re-scope the next compliance audit cycle to reflect the new licence-specific conditionsAn obligation map that does not track a new entity or licence category tests yesterday's structure while missing the new obligations just taken on
Cross-Border Group ConsolidationA UAE entity's related-party transactions with an overseas parent or subsidiary grow in volume or complexityExtend related-party and transfer pricing documentation testing across the cross-border relationship, coordinating with any overseas advisor involvedRelated-party documentation reviewed only on the UAE side can miss inconsistencies with how the same transaction is recorded overseas
Common mistakes to avoid
Scoping & Sequencing Mistakes

Testing against a generic obligation checklist instead of the entity's actual licence type, registrations, and sector — missing the obligation that matters most while wasting budget on ones that don't apply

Treating Economic Substance Regulations as a still-live current-period obligation when notification and reporting requirements were discontinued for financial years starting on or after 1 January 2023

Assuming Qualifying Free Zone Person status holds because the original free zone licence category once qualified, without evidencing qualifying income and de minimis thresholds each period

Scoping a mainland-plus-free-zone group under one uniform obligation set rather than mapping each licensed entity's distinct VAT, Corporate Tax, and licence-specific conditions separately

Starting fieldwork before the engagement letter and access arrangements are agreed, leading to disputes later over what records were meant to be provided

Evidence & Documentation Pitfalls

Accepting that an AML/CFT policy document exists as proof of compliance, without sampling actual customer due diligence files for evidenced onboarding and periodic review

Reconciling WPS submissions to the payroll policy rather than to actual salary transfer timing records, which is what MOHRE ultimately tests

Relying on a related-party transaction being described consistently across entities without checking the underlying intercompany agreements and transfer pricing documentation actually match

Treating a filed VAT or Corporate Tax return as self-evidencing, without reconciling it back to the general ledger and underlying transaction records

Overlooking contractual compliance obligations owed to a franchise principal, licensor, or lender because the review focused only on statutory and regulatory obligations

Escalation & Follow-Through Failures

Holding a serious filing error or AML/CFT gap for the final report instead of escalating it immediately, losing the benefit of an earlier voluntary disclosure or corrective filing

Issuing findings with no named remediation owner or committed date, so agreed actions never get tracked to completion

Never re-testing previously flagged obligations after the remediation deadline, so a control 'closed' on paper can quietly reopen without anyone noticing

Treating a compliance audit as a one-off exercise rather than a periodic cycle, losing the year-on-year comparability that shows whether remediation actually held

Frequently asked
Is a compliance audit a legal requirement for UAE companies?

There is no single federal law mandating a standalone 'compliance audit' for every UAE company. What is mandatory are the underlying obligations a compliance audit tests — VAT and Corporate Tax filing where registered, WPS payroll compliance, and AML/CFT programme requirements for Designated Non-Financial Businesses and Professions. DIFC and ADGM regulated entities may face additional DFSA or FSRA reporting expectations. The compliance audit itself is typically a voluntary, proactive exercise commissioned by the board or driven by a lender, investor, or licence-renewal requirement.

Practitioner noteWe confirm exactly which obligations genuinely apply before quoting scope — a DMCC trading company and a DNFBP real estate brokerage have materially different compliance audit content even though both are UAE free zone entities.
How is a compliance audit different from a statutory (external) audit?

Statutory audit expresses an opinion on whether the financial statements present a true and fair view, for shareholders and the licensing authority. A compliance audit is narrower and obligation-specific — it tests whether named regulatory requirements (VAT accuracy, WPS timeliness, AML/CFT programme adequacy) are being met in practice, independent of whether the financial statements as a whole are fairly presented. A company can pass its statutory audit and still have live compliance gaps a compliance audit would surface.

Practitioner noteWe frequently find compliance gaps — a missed WPS deadline, an under-documented related-party transaction — that a statutory audit's materiality threshold would never have picked up, because they don't move the financial statement numbers enough to matter to that audit's opinion.
How is a compliance audit different from an internal audit?

Internal audit is broader — it covers financial, operational, IT, and compliance risk across a risk-ranked universe of processes, reporting to the audit committee or board on the overall control environment. A compliance audit is anchored specifically to named legal, regulatory, or contractual obligations and tests whether each is being met, obligation by obligation. In practice the two often overlap, and many PNPC engagements combine elements of both depending on what the client actually needs.

Practitioner noteIf a client asks for 'internal audit' but really wants confirmation their VAT and WPS filings are clean ahead of a licence renewal, we scope it as a focused compliance audit instead — narrower, faster, and cheaper than a full internal audit cycle.
What obligations does a typical UAE VAT compliance audit test?

A VAT compliance audit reconciles filed EmaraTax VAT returns against the general ledger, tests a sample of input VAT recovery decisions for correct classification, checks that output VAT has been correctly charged and reported on relevant supplies, and reviews the documentation supporting any zero-rated, exempt, or reverse-charge positions taken. It is testing under Federal Decree-Law No. 8 of 2017 and current FTA guidance, applied to the entity's actual transaction records rather than a general commentary on VAT awareness.

Practitioner noteReverse-charge treatment on imported services and cross-border transactions is one of the most common areas where we find a gap between what was actually filed and what the underlying documentation supports.
Does a compliance audit cover Corporate Tax under Federal Decree-Law No. 47 of 2022?

Yes, where the entity is registered for Corporate Tax. We test whether the Tax Registration Number is current, whether related-party transactions are properly documented and priced on an arm's-length basis where the related-party rules apply, and — for free zone entities claiming the 0% rate on qualifying income — whether the conditions for Qualifying Free Zone Person status are being tracked and evidenced on an ongoing basis rather than assumed. Corporate Tax applies at 0% on taxable income up to AED 375,000 and 9% above that threshold for standard taxpayers, effective for financial years starting on or after 1 June 2023.

Practitioner noteQualifying Free Zone Person conditions are not a one-time qualification test — they require ongoing evidence that qualifying income is being correctly tracked, and this is one of the fastest-growing gap areas we see in compliance audits since Corporate Tax came into effect.
What is WPS and why is it a compliance audit focus area?

The Wage Protection System (WPS) is the electronic salary transfer system mandated by the Ministry of Human Resources and Emiratisation (MOHRE) to track timely, accurate payment of wages through registered UAE banks or exchange houses. A compliance audit reconciles the payroll register against actual WPS submission records and salary transfer timing, since non-compliance can trigger MOHRE penalties and, in serious or repeated cases, restrictions on a company's ability to process new work permits.

Practitioner noteWPS timing gaps are often the single highest-volume finding in a compliance audit — usually correctable quickly, but carrying real regulatory exposure if left unaddressed across multiple pay cycles.
Who needs an AML/CFT compliance audit as a Designated Non-Financial Business or Profession (DNFBP)?

Certain UAE businesses — including real estate brokers and agents, dealers in precious metals and stones, and independent legal or accounting professionals providing specified services, among others — fall within the DNFBP category under Cabinet Decision No. 10 of 2019 and must maintain AML/CFT policies, perform customer due diligence, and register on the goAML platform maintained by the UAE Financial Intelligence Unit. A compliance audit tests whether these controls are genuinely operating — sampling actual customer files for evidenced due diligence, not just confirming the policy document exists.

Practitioner noteA policy sitting in a drawer that nobody actually follows at onboarding is the single most common AML/CFT compliance gap we identify — the space between documented policy and actual practice is exactly what this audit is designed to expose.
Can a compliance audit help before a bank facility or licence renewal?

Yes. Lenders increasingly build compliance representations into facility agreements, and free zone authorities require current licence and filing status for renewal. A compliance audit run ahead of the renewal date identifies and helps remediate gaps — a lapsed filing, an outdated registration detail, an unresolved MOHRE query — before the renewal process itself surfaces them and creates delay or additional scrutiny.

Practitioner noteWe've seen renewal timelines slip meaningfully when a gap surfaces during the renewal process itself rather than being caught and fixed proactively months earlier.
Does a compliance audit cover DIFC or ADGM regulatory obligations specifically?

Yes, for entities regulated by the DFSA (DIFC) or FSRA (ADGM), a compliance audit can be scoped to test the specific rulebook provisions applicable to that firm's licence category — prudential reporting, conduct requirements, and any client-money or capital-adequacy conditions relevant to the category held. This is scoped in close coordination with the client's existing regulatory advisor where one exists, to avoid duplicating specialist regulatory compliance work already underway.

Practitioner noteWe confirm the exact DFSA or FSRA category at scoping stage, since the prescribed areas of regulatory focus materially change what a compliance audit for that entity needs to prioritise.
What happens if a compliance audit finds a filing error already submitted to the FTA?

We flag this immediately rather than waiting for the final report, and recommend the client's tax advisor assess whether a voluntary disclosure via the EmaraTax portal is the appropriate corrective step, given that timely voluntary disclosure is generally treated more favourably than an error later identified through an FTA audit or enforcement action.

Practitioner noteSpeed matters — the sooner a known filing error is corrected voluntarily, the more favourably it is typically viewed; we escalate live findings, we don't hold them for the final report.
How long does a UAE compliance audit take?

A focused single-obligation review — for example, WPS compliance alone, or a VAT filing accuracy review — can often be completed within a few weeks once records are made available. A multi-obligation review spanning tax, payroll, and AML/CFT for a DNFBP, or a review across several legal entities in a group, takes longer given the volume of filings and customer files that need to be sampled. PNPC confirms a specific timeline in the engagement letter once scope is agreed rather than quoting a generic figure.

Practitioner noteWe're cautious about proposals that promise a multi-obligation compliance audit in a matter of days — proper sample testing against evidence takes real time, and compressing it too far usually means the depth suffers.
Is the fee for a compliance audit fixed or variable?

PNPC agrees a fixed fee for each defined compliance audit engagement, confirmed in writing before fieldwork begins. Fee depends on the number of obligations in scope, the number of legal entities under review, and the volume of records and customer files that need to be sampled — a single-obligation review costs meaningfully less than a multi-obligation review across a group structure.

Practitioner noteWe provide a written scope and fee letter for every engagement before fieldwork starts — a provider willing to quote a flat number before understanding your obligation universe is worth being cautious about.
Can compliance audit findings trigger a broader internal audit or forensic review?

Yes. A compliance audit occasionally surfaces a finding that points to a broader control weakness beyond the specific obligation tested — for example, a pattern of vendor master changes surfacing during a VAT input-recovery sample that suggests a wider procurement control gap, or a customer due diligence gap that raises a fraud-risk concern. Where that happens, we recommend escalating to a broader internal audit or, where a specific irregularity is suspected, a dedicated forensic investigation with a different evidentiary standard.

Practitioner noteWe're explicit with clients when a compliance audit finding looks like it's pointing at something bigger than the specific obligation being tested — treating it narrowly when it needs broader scope does the client a disservice.
Does PNPC coordinate with our existing tax advisor or auditor during a compliance audit?

Yes, with management's consent. Where a client already has a tax advisor handling VAT and Corporate Tax filings, or an external statutory auditor, we coordinate to avoid duplicated testing and to make sure any compliance audit finding relevant to an upcoming filing or audit is flagged to the right advisor promptly.

Practitioner noteWe always confirm scope boundaries with the client's existing advisors directly rather than relying on management to relay technical findings accurately between separate teams.
Can PNPC run a compliance audit across both our UAE and Indian entities?

Yes. PNPC operates from offices in the UAE (Dubai) and India (Chennai, Bangalore, Hyderabad), and for groups with cross-border structures we run compliance audits that specifically test related-party transaction documentation and transfer pricing consistency across both jurisdictions under one coordinated engagement, rather than splitting the review between two disconnected advisors.

Practitioner noteCross-border related-party transactions are one of the areas where UAE Corporate Tax and Indian transfer pricing rules interact most directly, and reviewing them in isolation on either side alone misses the full picture.
Why engage PNPC rather than a generic compliance-checklist provider?

PNPC scopes every compliance audit from an obligation map specific to the entity's actual licence type, registrations, and sector — not a templated checklist applied regardless of what genuinely applies. Our findings are backed by sample testing against actual filings, payroll records, and customer files, not assertions that a policy exists. We escalate serious gaps immediately rather than holding them for a final report, and we track remediation to completion rather than treating the report as the end of the engagement.

Practitioner noteAsk any prospective compliance audit provider whether they test actual filed returns and customer files or simply confirm policies exist — the answer reveals how much real assurance the engagement will actually deliver.
Can a compliance audit be scoped to just one obligation, like WPS alone?

Yes. A compliance audit does not have to cover every obligation category at once — a single-obligation review focused only on WPS payroll compliance, or only on VAT filing accuracy, is a common and proportionate scope where management has a specific concern rather than a full-spectrum review need. The obligation-mapping step at the start of any engagement is what determines whether a narrow or broad scope is the right fit.

Practitioner noteWe actively discourage clients from over-scoping a first engagement — a focused single-obligation review often surfaces enough to justify a broader review next cycle, without the upfront cost of testing obligations that were never a real concern.
Does a compliance audit test Qualifying Free Zone Person conditions specifically?

Where a free zone entity claims the 0% Corporate Tax rate on qualifying income as a Qualifying Free Zone Person under Federal Decree-Law No. 47 of 2022, a compliance audit tests whether qualifying activities and any applicable de minimis thresholds are being tracked on an ongoing transactional basis and evidenced, rather than assumed to hold simply because the entity's original free zone licence category once qualified.

Practitioner noteQualifying Free Zone Person status is not a one-time qualification test — it requires evidence refreshed every period, and this is one of the fastest-growing gap areas we see in free zone compliance audits.
How does a compliance audit differ for a mainland company versus a free zone company?

The obligations tested differ in emphasis, not just detail. A mainland business trading directly with UAE-based customers or importing goods carries VAT and customs-linked reporting nuances a free zone entity dealing only with parties outside the UAE may not carry in the same way, while a free zone entity claiming Qualifying Free Zone Person status carries an ongoing qualifying-income tracking obligation a mainland company does not have. A compliance audit scoped for a mainland-plus-free-zone group tests both profiles separately rather than applying one generic obligation set across every entity.

Practitioner noteWe map obligations entity-by-entity in a mixed mainland/free zone group — treating the whole group under a single obligation checklist misses exactly the distinctions that matter most.
Does a compliance audit cover Economic Substance Regulations (ESR)?

ESR notification and report filing obligations were discontinued for financial years starting on or after 1 January 2023, under Cabinet Decision No. 98 of 2024. For current and future financial years, ESR is not a live, ongoing obligation for a compliance audit to test. Where an engagement covers a historical period before that date, ESR compliance for those earlier financial years — including any outstanding notices or penalties — may still be relevant and is scoped in explicitly where that history matters.

Practitioner noteWe flag to clients when a proposed ESR testing line item is no longer relevant to current periods, rather than quoting for testing an obligation that has already lapsed.
Does a compliance audit review visa and GDRFA/ICP work-permit administration?

Where scoped to include workforce compliance beyond WPS payroll timing, yes — a compliance audit can test whether employee visa status and quota utilisation are being tracked and evidenced against GDRFA and ICP requirements, and whether renewals and cancellations are processed on schedule rather than left to lapse.

Practitioner noteVisa quota tracking often sits with HR rather than finance, and it's frequently the least-audited compliance area in a business precisely because it falls outside the finance team's usual review cycle.
Does a compliance audit test Emiratisation obligations under MOHRE's Nafis programme?

Where relevant to the entity's size and sector, a compliance audit can test whether Emiratisation quota tracking and reporting through MOHRE's Nafis programme is being monitored and evidenced on schedule, in the same way WPS payroll timing is tested, rather than assuming compliance because a notification was filed once.

Practitioner noteWe treat Emiratisation tracking as a workforce compliance obligation on the same footing as WPS — both carry MOHRE-linked exposure if left unmonitored, and both are commonly under-tracked once initial registration is complete.
How does a compliance audit work for a UAE Central Bank-regulated entity such as an exchange house or finance company?

For entities regulated by the UAE Central Bank — exchange houses, finance companies, payment service providers — a compliance audit is scoped to test the Central Bank's own prudential and conduct rulebook obligations alongside the standard FTA, MOHRE, and AML/CFT obligations most UAE businesses carry. This is coordinated closely with the client's existing regulatory or compliance function to avoid duplicating specialist supervisory work already underway.

Practitioner noteWe confirm the exact Central Bank licence category at scoping stage, since the prescribed areas of regulatory focus materially change what a compliance audit for that entity needs to prioritise.
Does a compliance audit test related-party transactions and transfer pricing documentation?

Yes, where the entity is registered for Corporate Tax. We test whether related-party transactions are properly documented and priced on an arm's-length basis where the related-party rules under Federal Decree-Law No. 47 of 2022 apply, since inadequate related-party documentation is one of the more common gaps a Corporate Tax compliance audit line uncovers.

Practitioner noteIntercompany transactions between UAE and overseas group entities are frequently the least-documented transaction type we encounter — a verbal understanding between shareholders rarely survives contact with a formal transfer pricing review.
What happens if AML/CFT testing during a compliance audit surfaces something that looks like it needs a goAML suspicious transaction report?

We escalate this to management immediately rather than waiting for the final report, and recommend the client's designated Money Laundering Reporting Officer or AML/CFT advisor assess whether a suspicious transaction report through the goAML platform is required, given the reporting obligations DNFBPs carry under Cabinet Decision No. 10 of 2019.

Practitioner noteWe do not make the STR filing decision ourselves — that sits with the client's designated MLRO — but we escalate the underlying indicator the moment it's found rather than letting it sit until the report is finalised.
How is a compliance audit different from a due diligence audit for M&A?

A due diligence audit is transaction-specific — commissioned by a buyer, investor, or lender to assess a target company's financial, tax, and compliance position ahead of a specific deal, typically with a compressed timeline tied to the transaction schedule. A compliance audit is not transaction-driven; it is an independent, standing check of whether an entity's ongoing regulatory obligations are being met, whether or not a deal is in progress. In practice, compliance audit findings often feed directly into a due diligence exercise when a transaction does arise.

Practitioner noteWhere a client already knows a transaction is coming, we often recommend running the compliance audit ahead of time on the company's own timetable, rather than for the first time under the pressure of a buyer's due diligence deadline.
Does a compliance audit review import VAT and customs-linked positions?

For mainland and free zone entities that import goods, a compliance audit can test whether import VAT positions, customs declarations, and any related reverse-charge treatment are being correctly applied and reconciled against the general ledger, since these are common areas where the documentation supporting a VAT position is weaker than the return itself suggests.

Practitioner noteImport VAT reconciliation is one of the areas most likely to reveal a gap between what a VAT return reports and what the underlying customs and shipping documentation actually supports.
How often should a compliance audit be repeated?

There is no fixed statutory frequency. PNPC generally recommends a periodic cycle proportionate to the entity's risk profile — more frequent for DNFBPs and DIFC/ADGM regulated entities carrying ongoing AML/CFT or rulebook obligations, and less frequent for lower-risk mainland or free zone entities without a specific trigger. Many clients align the cycle with a licence renewal date or an annual governance calendar rather than running it purely reactively.

Practitioner noteWe push back on running a compliance audit as a one-off exercise for a higher-risk DNFBP or regulated entity — a single point-in-time review loses most of its value if it is never repeated to confirm remediation held.
What access does PNPC need to customer due diligence files for an AML/CFT compliance audit?

We need read access to a sample of actual customer onboarding files — identification and verification records, risk rating documentation, and any periodic review evidence — rather than just the policy document describing what onboarding should involve. Without access to the underlying files, an AML/CFT compliance audit line becomes an unsupported opinion rather than tested assurance.

Practitioner noteA client reluctant to grant access to actual customer files, while happy to share the AML/CFT policy document, is itself often a signal that the gap between policy and practice is wider than management realises.
Can a compliance audit be run remotely, or does PNPC need to be on-site?

Much of a compliance audit — document and filing review, sample testing against records, and draft findings discussion — can be conducted remotely where the client can provide read-only system access or clean record extracts. Certain elements, such as observing physical document custody or the final report presentation to the board, are often more effective delivered in person, and the split is agreed explicitly at scoping stage.

Practitioner noteWe agree the remote/on-site split based on what the specific obligations in scope actually require, rather than defaulting to either extreme regardless of the engagement.
Does PNPC issue a formal compliance certificate at the end of the engagement?

PNPC issues a findings report — an obligation-by-obligation assessment with evidence summary, risk ratings, and remediation recommendations — rather than a standalone compliance certificate. We will not issue a certificate of compliance that is not backed by the underlying evidence testing the findings report documents, since a certificate without testing would not represent genuine assurance.

Practitioner noteBe cautious of any provider offering a quick compliance certificate without first conducting sample testing — a certificate is only as credible as the evidence behind it.
What happens if a compliance audit finds a trade licence or free zone condition has lapsed?

We flag this as an urgent finding, since an expired or non-compliant licence condition can carry immediate operational consequences — restrictions on visa processing, banking relationships, or contract eligibility — beyond the financial exposure a tax or payroll gap typically carries. This is escalated to management the moment it is identified, not held for the final report.

Practitioner noteLicence-condition lapses tend to have faster-moving operational consequences than tax filing gaps, which is why we treat them as an immediate escalation category rather than a standard findings-report item.
How does a compliance audit handle a group spanning several UAE free zones plus a mainland entity?

We map obligations entity-by-entity across the group rather than applying a single obligation set uniformly, since each licensed entity's Corporate Tax treatment, VAT position, and licence-specific conditions can differ even within the same group. Intercompany transactions and related-party documentation consistency across the entities are tested as a distinct line item given their direct relevance to each entity's Corporate Tax position.

Practitioner noteThe most common gap we find in multi-entity groups is inconsistent related-party documentation between entities describing the same transaction differently — a compliance audit that only looks at one entity in isolation would miss this entirely.
Is a compliance audit useful for a business that has only just registered for VAT or Corporate Tax?

Yes — arguably more useful early than after several filing cycles have already embedded a wrong approach. A compliance audit run after the first one or two filing cycles confirms the new registration's obligations are being correctly discharged from the outset, rather than only discovering an error once it has been repeated across several returns.

Practitioner noteWe specifically recommend a light-touch compliance check after a company's first VAT or Corporate Tax filing cycle — catching a wrong reverse-charge treatment or a missed related-party disclosure early is far cheaper than unwinding it after year three.
Does a compliance audit coordinate with a bank's own compliance or covenant review?

Where a bank facility includes compliance representations or covenant conditions, PNPC can scope a compliance audit specifically to test those named conditions, and — with management's consent — share relevant findings with the client's relationship bank ahead of a facility review or renewal, reducing the risk of a covenant breach surfacing unexpectedly.

Practitioner noteWe agree upfront with the client exactly what, if anything, gets shared directly with the bank — the compliance audit report belongs to the client, and any sharing with a third party is the client's decision, facilitated on request.
Can a compliance audit be combined with an internal control over financial reporting (ICFR) review?

Yes, where useful. A compliance audit's obligation testing and an ICFR review's control-design and operating-effectiveness testing are complementary — many PNPC engagements scope both together for a client preparing for a listing, a significant financing round, or a first-time consolidated audit, since the underlying evidence (filed returns, reconciliations, approval records) overlaps substantially.

Practitioner noteCombining a compliance audit obligation review with an ICFR-style control walkthrough in one engagement generally costs less than running them as two fully separate exercises months apart.
What if the finance team disagrees with a compliance audit finding?

We discuss draft findings with process owners before finalising the report, specifically to correct any factual errors and to reach an agreed, realistic remediation timeline. Where a genuine disagreement over the risk rating or interpretation remains, it is documented transparently in the final report rather than quietly softened or removed.

Practitioner noteDocumenting a genuine disagreement rather than overriding or burying it is what keeps the compliance audit's findings credible to a bank, investor, or regulator relying on the report.
Does a compliance audit review contractual compliance obligations, not just regulatory ones?

Yes, where the entity has franchise, agency, distribution, or facility agreements containing specific compliance reporting duties to a principal, licensor, or lender, a compliance audit can test whether those contractual obligations are being met and evidenced, in addition to the statutory and regulatory obligations that form the core of most engagements.

Practitioner noteContractual reporting obligations to a foreign principal or licensor are easy to overlook in a purely regulatory compliance review — we ask for the underlying agreements at scoping stage specifically to catch these.
Why PNPC Global

PNPC compliance audit vs a typical generic provider

DimensionPNPC GlobalTypical Generic Provider
ScopeObligation map built from the entity's actual licence type, registrations, and sectorFixed checklist applied regardless of what genuinely applies to the client
Evidence standardSample testing against filed returns, payroll records, and customer due diligence filesConfirmation that a policy document exists, without testing underlying evidence
Urgent findingsEscalated immediately, with a recommendation on voluntary disclosure where relevantHeld until the final report, delaying any corrective filing
Cross-border capabilityCoordinated UAE-India compliance review for group structures under one engagement teamSeparate, disconnected advisors in each jurisdiction with limited context-sharing
Regulatory currencyFindings grounded in current FTA, MOHRE, and DFSA/FSRA guidance, refreshed each cycleStatic templates that can lag behind current regulatory guidance
Remediation trackingAgreed action plan tracked to completion, with follow-up testing where warrantedReport delivered with no structured follow-up on whether gaps were actually closed
Team continuityPartner-led scoping and reporting, with senior team members on fieldworkEngagement frequently delegated to junior staff with limited partner oversight
Free zone / mainland nuanceObligations mapped entity-by-entity, recognising Qualifying Free Zone Person and mainland VAT/customs distinctionsSame generic obligation set applied across mainland and free zone entities regardless of licence type
Workforce & Emiratisation testingGDRFA/ICP visa administration and MOHRE Nafis Emiratisation tracking tested alongside WPS, where relevantWorkforce compliance narrowed to WPS payroll timing alone, missing visa and Emiratisation exposure
Central Bank / regulated-entity experienceCompliance audits for exchange houses, finance companies, and payment service providers scoped to the Central Bank's own rulebook obligationsGeneralist scope that does not account for sector-specific prudential or conduct requirements

What the PNPC package includes

  1. 01

    Obligation mapping specific to the entity's licence type, tax registrations, DNFBP status, and regulator category

  2. 02

    Risk-ranked scoping so the highest-exposure obligations are tested first

  3. 03

    VAT filing accuracy testing against Federal Decree-Law No. 8 of 2017 and current FTA guidance via EmaraTax records

  4. 04

    Corporate Tax position review under Federal Decree-Law No. 47 of 2022, including related-party documentation and Qualifying Free Zone Person evidence where claimed

  5. 05

    WPS payroll compliance reconciliation against MOHRE requirements

  6. 06

    AML/CFT programme testing for DNFBPs, including sampled customer due diligence file review and goAML registration confirmation

  7. 07

    DFSA/FSRA rulebook obligation testing for DIFC/ADGM regulated entities, scoped to the specific licence category

  8. 08

    Sample-based evidence testing, not policy-existence confirmation alone

  9. 09

    Immediate escalation of any gap serious enough to warrant urgent corrective action or voluntary disclosure

  10. 10

    Obligation-by-obligation findings report with risk ratings and named remediation owners

  11. 11

    Coordination with the client's existing tax advisor or statutory auditor, with management's consent

  12. 12

    Cross-border UAE-India compliance review capability for group structures

  13. 13

    Agreed management action plan with committed remediation dates

  14. 14

    Follow-up testing of previously flagged obligations where warranted

Talk to a PNPC partner about scoping a compliance audit around the obligations that genuinely apply to your UAE entity — before a regulator, lender, or auditor finds the gap first.

Jurisdiction

🇦🇪
United Arab Emirates

Free zone, mainland & offshore

Ready to get started?

Tell us about your requirement — a UAE specialist responds within 24 hours.

← Back to Internal & Operational Audits