Audit & Assurance · Internal & Operational Audits
Compliance Audit
A UAE business today answers to more regulatory regimes at once than at any point in its history — VAT and Corporate Tax filings with the Federal Tax Authority, WPS payroll discipline with MOHRE, AML/CFT obligations under Cabinet Decision No.
Chartered Accountants · Dubai · Since 1986
A compliance audit is an independent examination of whether an organisation's policies, records, and day-to-day operating practices actually satisfy the specific laws, regulations, licence conditions, and contractual obligations that apply to it. It differs from a statutory financial audit, which opines on whether the financial statements present a true and fair view, and from a broader internal audit, which covers the full spectrum of operational and financial controls. A compliance audit is narrower and more targeted: it takes a defined set of regulatory or contractual obligations — VAT filing accuracy under Federal Decree-Law No. 8 of 2017, Corporate Tax positions under Federal Decree-Law No. 47 of 2022, WPS payroll compliance with MOHRE, AML/CFT programme adequacy under Cabinet Decision No. 10 of 2019, free zone authority licence conditions, or a specific regulator's rulebook — and tests, obligation by obligation, whether the business can produce evidence that it is meeting each one.
In the UAE, the compliance landscape a business must navigate depends heavily on its licensing jurisdiction and sector. A DMCC or JAFZA trading company faces FTA obligations (VAT registration and filing, Corporate Tax registration and, where applicable, filing), MOHRE and WPS payroll rules, and its free zone authority's own licence renewal and reporting conditions. A DIFC or ADGM entity regulated by the DFSA or FSRA carries additional prudential, conduct, and reporting obligations under that regulator's rulebook. A Designated Non-Financial Business or Profession — real estate brokers and agents, dealers in precious metals and stones, and independent legal or accounting professionals providing specified services, among others — carries AML/CFT obligations including customer due diligence, suspicious transaction reporting, and registration on the goAML platform maintained by the UAE Financial Intelligence Unit. A compliance audit is scoped to the specific combination of obligations that actually apply to the entity under review, rather than a generic checklist copied across every client regardless of licence type or sector.
The obligation set a compliance audit tests also depends heavily on whether the entity is licensed on the mainland or in a free zone, and that distinction runs through almost every category of obligation, not just Corporate Tax. A mainland business trading directly with UAE-based customers or importing goods carries VAT and customs-linked reporting nuances that a free zone entity dealing only with parties outside the UAE may not carry in the same way. A JAFZA or DMCC company relying on the 0% Corporate Tax rate on qualifying income as a Qualifying Free Zone Person under Federal Decree-Law No. 47 of 2022 must be able to evidence, on an ongoing transactional basis, that its qualifying activities and de minimis thresholds are actually being tracked — not simply assumed to hold because the original free zone licence category once qualified. A mainland company has no equivalent qualifying-income test to satisfy, but sits inside the standard Corporate Tax regime without a free zone carve-out to manage, so the documentation a compliance audit expects to see differs meaningfully between the two structures even within the same group.
Economic Substance Regulations (ESR) notification and report filing obligations, introduced under Cabinet Decision No. 57 of 2020, applied to UAE mainland and free zone entities carrying out defined 'relevant activities' for financial years ending before 1 January 2023; ESR requirements were discontinued for financial years starting on or after that date under Cabinet Decision No. 98 of 2024. A compliance audit covering a historical period before the cut-off may still need to test ESR filing evidence, but for current and future financial years it is a closed compliance chapter rather than a live obligation, and PNPC flags this distinction at scoping stage so budget is not spent testing something that has already lapsed.
Where scope extends into workforce compliance beyond WPS payroll timing, a compliance audit can also test visa administration against General Directorate of Residency and Foreign Affairs (GDRFA) and Federal Authority for Identity, Citizenship, Customs & Port Security (ICP) requirements, and, where relevant to the entity's size, whether Emiratisation obligations administered through MOHRE's Nafis programme are being monitored on schedule. For UAE Central Bank-regulated entities — exchange houses, finance companies, payment service providers — the obligation set expands further to the Central Bank's own prudential and conduct rulebook, tested alongside the FTA, MOHRE, and AML/CFT obligations most UAE businesses carry.
The distinguishing feature of a proper compliance audit is that it tests evidence, not assertions. A VAT compliance audit does not stop at confirming a VAT registration certificate exists — it reconciles filed EmaraTax returns against the general ledger, tests input VAT recoverability decisions on a sample of transactions, and checks whether reverse-charge and zero-rating positions are documented and defensible. An AML/CFT compliance audit does not stop at confirming a policy document exists — it samples actual customer files for evidence that due diligence was performed and documented at onboarding, tests whether the risk-based approach is genuinely being applied, and checks whether any suspicious activity indicators were escalated and reported through the correct channel rather than quietly ignored. A WPS compliance audit reconciles the payroll register against actual WPS submission records and salary transfer timing, not just the existence of a payroll policy.
Compliance audits are typically commissioned for one of several reasons: as a proactive, board-driven health check ahead of a licence renewal, bank facility renewal, or investor due diligence process; in response to a specific trigger such as an FTA query, a regulator's information request, or a near-miss compliance incident; as a periodic exercise for entities in higher-risk categories (DNFBPs, DIFC/ADGM regulated firms); or as a condition written into a bank covenant, franchise agreement, or investor term sheet. Unlike a one-off internal controls health check, a compliance audit is anchored specifically to named legal and regulatory obligations, which means the findings map directly to identifiable exposure — a missed WPS deadline, an under-documented related-party transaction, a customer file with no evidenced due diligence — rather than a general commentary on control maturity.
The output is a findings report that identifies each tested obligation, the evidence reviewed, whether the obligation is being met, and — where it is not — the specific gap, its risk rating, and a recommended remediation step with an owner and target date. Because compliance gaps often carry direct penalty or licence-renewal exposure rather than purely reputational risk, PNPC prioritises findings by regulatory exposure first and operational inconvenience second, and flags any gap serious enough to warrant an immediate voluntary disclosure or corrective filing rather than waiting for the final report to be issued.
When a compliance audit adds real value
A licence renewal, bank facility renewal, or investor due diligence process is approaching and management wants independent assurance that VAT, Corporate Tax, WPS, and free zone licence conditions are all genuinely current before an external party's review surfaces a gap
The business is a Designated Non-Financial Business or Profession under Cabinet Decision No. 10 of 2019 and has not had its AML/CFT programme independently tested against actual customer files and transaction records
A DIFC or ADGM regulated entity needs evidence that it is meeting DFSA or FSRA rulebook obligations ahead of the regulator's own periodic review or a routine supervisory visit
The company has received an information request, query, or notice from the Federal Tax Authority, MOHRE, or a free zone authority and wants an independent read on its full compliance position before responding
A first UAE Corporate Tax return is approaching and the board wants confirmation that related-party documentation, transfer pricing support, and any Qualifying Free Zone Person conditions can withstand scrutiny before filing
Rapid headcount growth or new visa quotas have outpaced the payroll team's WPS discipline, and management wants confirmation that salary transfers are timely and correctly structured before a MOHRE penalty or work-permit restriction materialises
A group has recently registered for VAT, Corporate Tax, or a new free zone activity, and management wants confirmation the new obligations are being correctly discharged in the first filing cycles rather than only finding out at year-end
An acquirer or investor's due diligence team has requested evidence of the target's compliance posture across tax, payroll, and AML/CFT obligations as a condition of closing
A franchise, agency, or distribution agreement contains specific compliance reporting obligations to a principal or licensor that the local UAE entity has not independently verified it is meeting
The business operates across multiple free zones or a mainland-plus-free-zone structure and management wants confirmation that Qualifying Free Zone Person conditions are being tracked separately and correctly for each licensed entity rather than assumed uniformly across the group
A UAE Central Bank-regulated entity — an exchange house, finance company, or payment service provider — wants independent testing of its compliance position ahead of the Central Bank's own periodic supervisory review
Employee headcount or visa quota utilisation has grown quickly and management wants assurance that GDRFA/ICP visa administration and, where relevant, Emiratisation tracking are keeping pace with the business rather than lagging behind WPS payroll compliance alone
When compliance audit is not the right engagement
You need an opinion on whether your financial statements are true and fair for filing with your licensing authority or bank — that is statutory (external) audit, a separate and distinct engagement
You need day-to-day VAT return preparation, Corporate Tax filing, or payroll processing — that is a compliance retainer service, not an independent audit of an existing compliance position
You need a broad review of operational controls, governance, and risk management across the whole business — that is internal audit, which is wider in scope than a compliance audit anchored to specific named obligations
You already know exactly which regulation was breached and need a forensic investigation into a specific incident for litigation or criminal referral purposes — that calls for a dedicated forensic and fraud investigation engagement with a different evidentiary standard
The business has no live UAE VAT registration, Corporate Tax exposure, DNFBP designation, or free zone/regulator-specific obligations to test — in that unusual case there may be very little for a compliance audit to meaningfully examine
Management wants a compliance certificate issued without underlying evidence testing, simply to satisfy a lender or investor checkbox — PNPC will not issue assurance that is not backed by actual sample testing of records
You are looking for legal advice on how to structure a transaction to reduce tax or regulatory exposure going forward — that is tax or legal advisory work; a compliance audit tests the current state, it does not design the future one
The finance and compliance teams are unwilling to grant access to filed returns, payroll records, customer due diligence files, or correspondence with regulators — without that evidence, a compliance audit becomes an unsupported opinion rather than assurance
The only open question relates to a historical Economic Substance Regulations filing period before 1 January 2023, with no current live ESR obligation — that calls for a narrow, historical-period review rather than a full current-state compliance audit
You need a one-time visa quota or Emiratisation check with no broader tax, payroll, or AML/CFT dimension to it — a narrower, single-obligation review may be more proportionate than a multi-obligation compliance audit
Compliance audit vs related assurance engagements in the UAE
| Feature | Compliance Audit | Internal Audit | Statutory (External) Audit | Forensic/Fraud Investigation |
|---|---|---|---|---|
| Primary purpose | Test whether specific named legal/regulatory obligations are being met, with evidence | Independent assurance on risk management, controls and governance broadly | Opinion on true and fair view of financial statements | Investigate a specific suspected irregularity for evidentiary/legal use |
| Scope anchor | Named laws, regulator rulebooks, licence conditions, or contractual obligations | Risk-ranked audit universe across financial, operational, IT and compliance processes | Financial statements and supporting records | The specific transaction, individual, or process in question |
| Who it reports to | Management, audit committee, or board depending on trigger | Audit committee / board | Shareholders (via signed audit report) | Board / legal counsel / regulator, often under privilege |
| Mandatory under UAE law | Not generally mandatory as a standalone exercise, though the underlying obligations tested (VAT, WPS, AML/CFT for DNFBPs) are themselves mandatory | Not generally mandatory for mainland/most free zone entities; often required for DIFC/ADGM regulated firms and bank covenants | Yes — annual filing typically required by DED/free zone authority licence conditions | No — triggered by a specific event |
| Typical trigger | Licence/facility renewal, DNFBP status, regulator query, new tax registration, M&A due diligence | Board decision, investor/lender condition, regulatory expectation | Annual licence renewal condition | Whistleblower report, unexplained loss, suspicious transaction |
| Typical output | Obligation-by-obligation findings report with risk rating and remediation plan | Findings report with risk ratings, root cause and management action plan across a broader control universe | Signed audit opinion and financial statements | Investigation report, evidence file, possible referral to authorities |
| Relevant UAE bodies | FTA, MOHRE, free zone authority, DFSA/FSRA, UAE FIU (goAML) | DFSA (DIFC), FSRA (ADGM), free zone authority governance codes, bank covenants | DED / free zone licensing authority, FTA (for tax-linked disclosures) | Dubai Courts / DIFC Courts / ADGM Courts if litigation follows; goAML if AML-related |
| Frequency | Periodic, proportionate to risk profile — often aligned to licence renewal or governance calendar | Annual cycle, quarterly reviews, or continuous co-sourced function | Annual, tied to financial year end | Ad hoc, triggered by an incident |
| Independence requirement | Independent of the function/obligation being tested; reports outside the team responsible for the obligation | Independent of the function being reviewed; ideally independent of the external auditor | Independent registered auditor, distinct from internal audit | Fully independent, often litigation-ready methodology |
Compliance audit and internal audit frequently overlap in practice — many PNPC engagements combine a compliance-obligation review with a broader controls assessment in a single scoping exercise. The right structure depends on whether the driver is a specific regulatory obligation set or a broader governance question; a scoping conversation with a PNPC partner clarifies which framing fits your situation.
| Stage | What Happens | Who Acts | Typical Output |
|---|---|---|---|
| 1. Obligation Mapping | Identify every regulatory and contractual obligation genuinely applicable to the entity — licence type, tax registrations, DNFBP status, regulator category, contractual reporting duties | PNPC partner, with management input on licences and registrations held | A scoped obligation universe specific to this entity, not a generic checklist |
| 2. Risk Prioritisation | Rank obligations by exposure — penalty risk, licence-renewal risk, reputational risk — and by evidence of recent change (new registration, new hires, new activity) | PNPC engagement lead | A risk-ranked scope for fieldwork, agreed with management or the audit committee |
| 3. Engagement Letter & Access Arrangements | Formalise scope, fee, timeline, and confidentiality terms; agree what records, filings, and system access will be provided | PNPC and client signatory | Signed engagement letter and an access/document request list |
| 4. Document & Filing Review | Collect and review filed returns (VAT, Corporate Tax), WPS records, AML/CFT policy and customer files, licence and registration certificates, and prior regulator correspondence | PNPC fieldwork team, supported by client finance/compliance staff | A populated evidence file mapped against each obligation tested |
| 5. Sample Testing | Test a sample of transactions, customer files, or payroll runs against the underlying obligation — not just confirm a policy exists | PNPC fieldwork team | Testing workpapers evidencing whether each obligation is met in practice |
| 6. Gap Identification & Root Cause | Where testing reveals a gap, determine whether it is a one-off error or a systemic process weakness, and rate the risk | PNPC engagement lead | Draft findings list with risk ratings and preliminary root cause |
| 7. Management Discussion | Walk draft findings through with process owners to correct factual errors and agree realistic remediation timelines | PNPC and named process owners | Agreed factual findings and draft remediation commitments |
| 8. Final Report | Issue the obligation-by-obligation findings report with risk ratings, evidence summary, and recommended remediation actions | PNPC partner presents to management or the board | Final compliance audit report with a management action plan |
| 9. Urgent Escalation Where Needed | Any gap serious enough to warrant an immediate voluntary disclosure or corrective filing is flagged and escalated before the final report is finished, not held until the end | PNPC partner and client's tax/legal advisor | Immediate notification memo where applicable |
| 10. Remediation Follow-Up | Track agreed remediation actions and, where appropriate, re-test previously flagged obligations after a defined period | PNPC, reporting to management or audit committee | Follow-up confirmation of remediation status |
| 11. Coordination with Statutory Auditor / Tax Advisor | Where useful and with management's consent, share relevant compliance audit findings with the client's external auditor or tax advisor to avoid duplicated testing and align on any filing implications | PNPC engagement lead and client's existing advisors | Reduced duplication of effort and consistent messaging across advisors |
| 12. Cycle Refresh for Structural Change | Where the entity adds a new registration, jurisdiction, DNFBP designation, or regulator category, refresh the obligation map ahead of the next compliance audit cycle | PNPC engagement lead, with management input | An updated obligation universe reflecting the business as it stands today |
A single-obligation compliance audit (for example, a focused VAT or WPS compliance review) can often be completed in a few weeks once records are made available. A multi-obligation review spanning tax, payroll, and AML/CFT for a DNFBP, or a review across a multi-entity group, typically takes longer given the volume of filings and customer files to sample. PNPC agrees a specific timeline in the engagement letter once scope is confirmed.
Trade licence(s) for each UAE entity in scope — mainland DED licence and/or free zone authority licence (JAFZA, DMCC, RAKEZ, IFZA, Meydan, ADGM, DIFC, RAK ICC, Ajman)
Certificate of incorporation, Memorandum/Articles of Association, and shareholder register
Any franchise, agency, distribution, or facility agreement containing specific compliance reporting obligations to a third party
Correspondence log with the licensing authority, FTA, MOHRE, or sector regulator over the past 12–24 months
VAT registration certificate (Tax Registration Number) and filed VAT returns for the review period, with supporting reconciliations
UAE Corporate Tax registration and, where applicable, the Corporate Tax return, related-party transaction schedules, and Qualifying Free Zone Person qualifying-income analysis
EmaraTax portal filing confirmations and any FTA correspondence, queries, or assessment notices
Records supporting reverse-charge, zero-rating, or exemption positions taken on VAT returns, where relevant to the entity's activity
Payroll register and Wage Protection System (WPS) submission records for the review period
Employment contracts sample, visa/work-permit records, and MOHRE correspondence including any prior penalties or restrictions
Salary transfer timing evidence reconciled against WPS submission and payment records
AML/CFT policy and procedures manual, and evidence of board or senior management approval
goAML registration confirmation and any suspicious transaction reports filed
Sample of customer due diligence files evidencing onboarding checks, risk rating, and periodic review
AML/CFT training records for relevant staff
DFSA or FSRA licence and category confirmation, and the applicable rulebook provisions relevant to the entity's category
Prudential or conduct reporting submissions made to the regulator over the review period
Any regulator supervisory visit findings, correspondence, or open action items
Signed engagement letter defining scope, obligations tested, fee, and confidentiality terms
Access arrangements — read-only system access, filing portal access where relevant, and named liaison contacts for each obligation area
Confirmation of who receives the final report and owns the resulting management action plan
Employee visa status listing and quota utilisation records against GDRFA/ICP requirements for the review period
Emiratisation quota tracking and reporting evidence through MOHRE's Nafis programme, where applicable to the entity's size and sector
Visa renewal and cancellation processing logs, showing timing against permit expiry dates
Group structure chart showing all UAE and non-UAE entities in scope, ownership percentages, and intercompany relationships
Intercompany agreements (management fees, cost-sharing, loans) and supporting transfer pricing documentation
Related-party transaction schedules as disclosed or supporting the Corporate Tax related-party position for each entity in scope
| Phase | Triggered By | PNPC Compliance Audit Approach | Risk If Ignored |
|---|---|---|---|
| Initial Obligation Mapping | Board decision, licence renewal, or a specific trigger event | Build the obligation universe specific to the entity's licence type, registrations, and sector, and agree the scope with management | Testing against a generic checklist instead of the entity's actual obligations wastes budget and can miss the obligation that matters most |
| First Compliance Audit Cycle | Scope agreed | Test the highest-risk obligations first — typically VAT/Corporate Tax filing accuracy, WPS compliance, and AML/CFT programme adequacy where DNFBP-relevant | Deferring the review until a regulator query arrives removes the opportunity to self-correct before enforcement attention |
| Findings & Remediation Agreement | Fieldwork complete | Discuss draft findings with process owners, agree risk ratings and root cause, and set remediation owners and dates | Findings not discussed and agreed with process owners are more easily disputed or ignored during remediation |
| Urgent Gap Escalation | A serious compliance gap is identified during fieldwork | Escalate immediately to management and, where appropriate, recommend a voluntary disclosure to the FTA via EmaraTax rather than waiting for the final report | Sitting on a known filing error until the final report is issued delays a voluntary disclosure that is typically viewed more favourably the sooner it is made |
| Remediation Tracking | Final report issued | Track agreed remediation actions against committed dates and escalate overdue items to management or the audit committee | Findings reported but never followed up leave the underlying regulatory exposure live |
| Follow-Up Testing | After remediation deadlines pass | Re-test the specific obligations previously flagged to confirm remediation actually occurred, not just that a policy was updated | Unverified remediation frequently turns out to be partial when re-tested |
| Regulatory or Structural Change | New tax registration, new DNFBP designation, new regulator category, new jurisdiction added to group | Refresh the obligation map and re-scope the next compliance audit cycle to reflect the change | An obligation map that does not evolve with the business tests yesterday's requirements while missing new ones just taken on |
| Annual or Periodic Cycle Renewal | Licence renewal date, regulator's own review cycle, or board decision | Repeat the compliance audit on a periodic basis proportionate to the entity's risk profile, refreshing scope each cycle | Treating compliance audit as a one-off exercise loses the year-on-year comparability that shows whether remediation is holding |
| Group or Licensing Structural Change | New free zone entity added, new Central Bank or DFSA/FSRA licence category, new jurisdiction added to the group | Refresh the obligation map for the affected entity and re-scope the next compliance audit cycle to reflect the new licence-specific conditions | An obligation map that does not track a new entity or licence category tests yesterday's structure while missing the new obligations just taken on |
| Cross-Border Group Consolidation | A UAE entity's related-party transactions with an overseas parent or subsidiary grow in volume or complexity | Extend related-party and transfer pricing documentation testing across the cross-border relationship, coordinating with any overseas advisor involved | Related-party documentation reviewed only on the UAE side can miss inconsistencies with how the same transaction is recorded overseas |
Testing against a generic obligation checklist instead of the entity's actual licence type, registrations, and sector — missing the obligation that matters most while wasting budget on ones that don't apply
Treating Economic Substance Regulations as a still-live current-period obligation when notification and reporting requirements were discontinued for financial years starting on or after 1 January 2023
Assuming Qualifying Free Zone Person status holds because the original free zone licence category once qualified, without evidencing qualifying income and de minimis thresholds each period
Scoping a mainland-plus-free-zone group under one uniform obligation set rather than mapping each licensed entity's distinct VAT, Corporate Tax, and licence-specific conditions separately
Starting fieldwork before the engagement letter and access arrangements are agreed, leading to disputes later over what records were meant to be provided
Accepting that an AML/CFT policy document exists as proof of compliance, without sampling actual customer due diligence files for evidenced onboarding and periodic review
Reconciling WPS submissions to the payroll policy rather than to actual salary transfer timing records, which is what MOHRE ultimately tests
Relying on a related-party transaction being described consistently across entities without checking the underlying intercompany agreements and transfer pricing documentation actually match
Treating a filed VAT or Corporate Tax return as self-evidencing, without reconciling it back to the general ledger and underlying transaction records
Overlooking contractual compliance obligations owed to a franchise principal, licensor, or lender because the review focused only on statutory and regulatory obligations
Holding a serious filing error or AML/CFT gap for the final report instead of escalating it immediately, losing the benefit of an earlier voluntary disclosure or corrective filing
Issuing findings with no named remediation owner or committed date, so agreed actions never get tracked to completion
Never re-testing previously flagged obligations after the remediation deadline, so a control 'closed' on paper can quietly reopen without anyone noticing
Treating a compliance audit as a one-off exercise rather than a periodic cycle, losing the year-on-year comparability that shows whether remediation actually held
Is a compliance audit a legal requirement for UAE companies?
There is no single federal law mandating a standalone 'compliance audit' for every UAE company. What is mandatory are the underlying obligations a compliance audit tests — VAT and Corporate Tax filing where registered, WPS payroll compliance, and AML/CFT programme requirements for Designated Non-Financial Businesses and Professions. DIFC and ADGM regulated entities may face additional DFSA or FSRA reporting expectations. The compliance audit itself is typically a voluntary, proactive exercise commissioned by the board or driven by a lender, investor, or licence-renewal requirement.
How is a compliance audit different from a statutory (external) audit?
Statutory audit expresses an opinion on whether the financial statements present a true and fair view, for shareholders and the licensing authority. A compliance audit is narrower and obligation-specific — it tests whether named regulatory requirements (VAT accuracy, WPS timeliness, AML/CFT programme adequacy) are being met in practice, independent of whether the financial statements as a whole are fairly presented. A company can pass its statutory audit and still have live compliance gaps a compliance audit would surface.
How is a compliance audit different from an internal audit?
Internal audit is broader — it covers financial, operational, IT, and compliance risk across a risk-ranked universe of processes, reporting to the audit committee or board on the overall control environment. A compliance audit is anchored specifically to named legal, regulatory, or contractual obligations and tests whether each is being met, obligation by obligation. In practice the two often overlap, and many PNPC engagements combine elements of both depending on what the client actually needs.
What obligations does a typical UAE VAT compliance audit test?
A VAT compliance audit reconciles filed EmaraTax VAT returns against the general ledger, tests a sample of input VAT recovery decisions for correct classification, checks that output VAT has been correctly charged and reported on relevant supplies, and reviews the documentation supporting any zero-rated, exempt, or reverse-charge positions taken. It is testing under Federal Decree-Law No. 8 of 2017 and current FTA guidance, applied to the entity's actual transaction records rather than a general commentary on VAT awareness.
Does a compliance audit cover Corporate Tax under Federal Decree-Law No. 47 of 2022?
Yes, where the entity is registered for Corporate Tax. We test whether the Tax Registration Number is current, whether related-party transactions are properly documented and priced on an arm's-length basis where the related-party rules apply, and — for free zone entities claiming the 0% rate on qualifying income — whether the conditions for Qualifying Free Zone Person status are being tracked and evidenced on an ongoing basis rather than assumed. Corporate Tax applies at 0% on taxable income up to AED 375,000 and 9% above that threshold for standard taxpayers, effective for financial years starting on or after 1 June 2023.
What is WPS and why is it a compliance audit focus area?
The Wage Protection System (WPS) is the electronic salary transfer system mandated by the Ministry of Human Resources and Emiratisation (MOHRE) to track timely, accurate payment of wages through registered UAE banks or exchange houses. A compliance audit reconciles the payroll register against actual WPS submission records and salary transfer timing, since non-compliance can trigger MOHRE penalties and, in serious or repeated cases, restrictions on a company's ability to process new work permits.
Who needs an AML/CFT compliance audit as a Designated Non-Financial Business or Profession (DNFBP)?
Certain UAE businesses — including real estate brokers and agents, dealers in precious metals and stones, and independent legal or accounting professionals providing specified services, among others — fall within the DNFBP category under Cabinet Decision No. 10 of 2019 and must maintain AML/CFT policies, perform customer due diligence, and register on the goAML platform maintained by the UAE Financial Intelligence Unit. A compliance audit tests whether these controls are genuinely operating — sampling actual customer files for evidenced due diligence, not just confirming the policy document exists.
Can a compliance audit help before a bank facility or licence renewal?
Yes. Lenders increasingly build compliance representations into facility agreements, and free zone authorities require current licence and filing status for renewal. A compliance audit run ahead of the renewal date identifies and helps remediate gaps — a lapsed filing, an outdated registration detail, an unresolved MOHRE query — before the renewal process itself surfaces them and creates delay or additional scrutiny.
Does a compliance audit cover DIFC or ADGM regulatory obligations specifically?
Yes, for entities regulated by the DFSA (DIFC) or FSRA (ADGM), a compliance audit can be scoped to test the specific rulebook provisions applicable to that firm's licence category — prudential reporting, conduct requirements, and any client-money or capital-adequacy conditions relevant to the category held. This is scoped in close coordination with the client's existing regulatory advisor where one exists, to avoid duplicating specialist regulatory compliance work already underway.
What happens if a compliance audit finds a filing error already submitted to the FTA?
We flag this immediately rather than waiting for the final report, and recommend the client's tax advisor assess whether a voluntary disclosure via the EmaraTax portal is the appropriate corrective step, given that timely voluntary disclosure is generally treated more favourably than an error later identified through an FTA audit or enforcement action.
How long does a UAE compliance audit take?
A focused single-obligation review — for example, WPS compliance alone, or a VAT filing accuracy review — can often be completed within a few weeks once records are made available. A multi-obligation review spanning tax, payroll, and AML/CFT for a DNFBP, or a review across several legal entities in a group, takes longer given the volume of filings and customer files that need to be sampled. PNPC confirms a specific timeline in the engagement letter once scope is agreed rather than quoting a generic figure.
Is the fee for a compliance audit fixed or variable?
PNPC agrees a fixed fee for each defined compliance audit engagement, confirmed in writing before fieldwork begins. Fee depends on the number of obligations in scope, the number of legal entities under review, and the volume of records and customer files that need to be sampled — a single-obligation review costs meaningfully less than a multi-obligation review across a group structure.
Can compliance audit findings trigger a broader internal audit or forensic review?
Yes. A compliance audit occasionally surfaces a finding that points to a broader control weakness beyond the specific obligation tested — for example, a pattern of vendor master changes surfacing during a VAT input-recovery sample that suggests a wider procurement control gap, or a customer due diligence gap that raises a fraud-risk concern. Where that happens, we recommend escalating to a broader internal audit or, where a specific irregularity is suspected, a dedicated forensic investigation with a different evidentiary standard.
Does PNPC coordinate with our existing tax advisor or auditor during a compliance audit?
Yes, with management's consent. Where a client already has a tax advisor handling VAT and Corporate Tax filings, or an external statutory auditor, we coordinate to avoid duplicated testing and to make sure any compliance audit finding relevant to an upcoming filing or audit is flagged to the right advisor promptly.
Can PNPC run a compliance audit across both our UAE and Indian entities?
Yes. PNPC operates from offices in the UAE (Dubai) and India (Chennai, Bangalore, Hyderabad), and for groups with cross-border structures we run compliance audits that specifically test related-party transaction documentation and transfer pricing consistency across both jurisdictions under one coordinated engagement, rather than splitting the review between two disconnected advisors.
Why engage PNPC rather than a generic compliance-checklist provider?
PNPC scopes every compliance audit from an obligation map specific to the entity's actual licence type, registrations, and sector — not a templated checklist applied regardless of what genuinely applies. Our findings are backed by sample testing against actual filings, payroll records, and customer files, not assertions that a policy exists. We escalate serious gaps immediately rather than holding them for a final report, and we track remediation to completion rather than treating the report as the end of the engagement.
Can a compliance audit be scoped to just one obligation, like WPS alone?
Yes. A compliance audit does not have to cover every obligation category at once — a single-obligation review focused only on WPS payroll compliance, or only on VAT filing accuracy, is a common and proportionate scope where management has a specific concern rather than a full-spectrum review need. The obligation-mapping step at the start of any engagement is what determines whether a narrow or broad scope is the right fit.
Does a compliance audit test Qualifying Free Zone Person conditions specifically?
Where a free zone entity claims the 0% Corporate Tax rate on qualifying income as a Qualifying Free Zone Person under Federal Decree-Law No. 47 of 2022, a compliance audit tests whether qualifying activities and any applicable de minimis thresholds are being tracked on an ongoing transactional basis and evidenced, rather than assumed to hold simply because the entity's original free zone licence category once qualified.
How does a compliance audit differ for a mainland company versus a free zone company?
The obligations tested differ in emphasis, not just detail. A mainland business trading directly with UAE-based customers or importing goods carries VAT and customs-linked reporting nuances a free zone entity dealing only with parties outside the UAE may not carry in the same way, while a free zone entity claiming Qualifying Free Zone Person status carries an ongoing qualifying-income tracking obligation a mainland company does not have. A compliance audit scoped for a mainland-plus-free-zone group tests both profiles separately rather than applying one generic obligation set across every entity.
Does a compliance audit cover Economic Substance Regulations (ESR)?
ESR notification and report filing obligations were discontinued for financial years starting on or after 1 January 2023, under Cabinet Decision No. 98 of 2024. For current and future financial years, ESR is not a live, ongoing obligation for a compliance audit to test. Where an engagement covers a historical period before that date, ESR compliance for those earlier financial years — including any outstanding notices or penalties — may still be relevant and is scoped in explicitly where that history matters.
Does a compliance audit review visa and GDRFA/ICP work-permit administration?
Where scoped to include workforce compliance beyond WPS payroll timing, yes — a compliance audit can test whether employee visa status and quota utilisation are being tracked and evidenced against GDRFA and ICP requirements, and whether renewals and cancellations are processed on schedule rather than left to lapse.
Does a compliance audit test Emiratisation obligations under MOHRE's Nafis programme?
Where relevant to the entity's size and sector, a compliance audit can test whether Emiratisation quota tracking and reporting through MOHRE's Nafis programme is being monitored and evidenced on schedule, in the same way WPS payroll timing is tested, rather than assuming compliance because a notification was filed once.
How does a compliance audit work for a UAE Central Bank-regulated entity such as an exchange house or finance company?
For entities regulated by the UAE Central Bank — exchange houses, finance companies, payment service providers — a compliance audit is scoped to test the Central Bank's own prudential and conduct rulebook obligations alongside the standard FTA, MOHRE, and AML/CFT obligations most UAE businesses carry. This is coordinated closely with the client's existing regulatory or compliance function to avoid duplicating specialist supervisory work already underway.
Does a compliance audit test related-party transactions and transfer pricing documentation?
Yes, where the entity is registered for Corporate Tax. We test whether related-party transactions are properly documented and priced on an arm's-length basis where the related-party rules under Federal Decree-Law No. 47 of 2022 apply, since inadequate related-party documentation is one of the more common gaps a Corporate Tax compliance audit line uncovers.
What happens if AML/CFT testing during a compliance audit surfaces something that looks like it needs a goAML suspicious transaction report?
We escalate this to management immediately rather than waiting for the final report, and recommend the client's designated Money Laundering Reporting Officer or AML/CFT advisor assess whether a suspicious transaction report through the goAML platform is required, given the reporting obligations DNFBPs carry under Cabinet Decision No. 10 of 2019.
How is a compliance audit different from a due diligence audit for M&A?
A due diligence audit is transaction-specific — commissioned by a buyer, investor, or lender to assess a target company's financial, tax, and compliance position ahead of a specific deal, typically with a compressed timeline tied to the transaction schedule. A compliance audit is not transaction-driven; it is an independent, standing check of whether an entity's ongoing regulatory obligations are being met, whether or not a deal is in progress. In practice, compliance audit findings often feed directly into a due diligence exercise when a transaction does arise.
Does a compliance audit review import VAT and customs-linked positions?
For mainland and free zone entities that import goods, a compliance audit can test whether import VAT positions, customs declarations, and any related reverse-charge treatment are being correctly applied and reconciled against the general ledger, since these are common areas where the documentation supporting a VAT position is weaker than the return itself suggests.
How often should a compliance audit be repeated?
There is no fixed statutory frequency. PNPC generally recommends a periodic cycle proportionate to the entity's risk profile — more frequent for DNFBPs and DIFC/ADGM regulated entities carrying ongoing AML/CFT or rulebook obligations, and less frequent for lower-risk mainland or free zone entities without a specific trigger. Many clients align the cycle with a licence renewal date or an annual governance calendar rather than running it purely reactively.
What access does PNPC need to customer due diligence files for an AML/CFT compliance audit?
We need read access to a sample of actual customer onboarding files — identification and verification records, risk rating documentation, and any periodic review evidence — rather than just the policy document describing what onboarding should involve. Without access to the underlying files, an AML/CFT compliance audit line becomes an unsupported opinion rather than tested assurance.
Can a compliance audit be run remotely, or does PNPC need to be on-site?
Much of a compliance audit — document and filing review, sample testing against records, and draft findings discussion — can be conducted remotely where the client can provide read-only system access or clean record extracts. Certain elements, such as observing physical document custody or the final report presentation to the board, are often more effective delivered in person, and the split is agreed explicitly at scoping stage.
Does PNPC issue a formal compliance certificate at the end of the engagement?
PNPC issues a findings report — an obligation-by-obligation assessment with evidence summary, risk ratings, and remediation recommendations — rather than a standalone compliance certificate. We will not issue a certificate of compliance that is not backed by the underlying evidence testing the findings report documents, since a certificate without testing would not represent genuine assurance.
What happens if a compliance audit finds a trade licence or free zone condition has lapsed?
We flag this as an urgent finding, since an expired or non-compliant licence condition can carry immediate operational consequences — restrictions on visa processing, banking relationships, or contract eligibility — beyond the financial exposure a tax or payroll gap typically carries. This is escalated to management the moment it is identified, not held for the final report.
How does a compliance audit handle a group spanning several UAE free zones plus a mainland entity?
We map obligations entity-by-entity across the group rather than applying a single obligation set uniformly, since each licensed entity's Corporate Tax treatment, VAT position, and licence-specific conditions can differ even within the same group. Intercompany transactions and related-party documentation consistency across the entities are tested as a distinct line item given their direct relevance to each entity's Corporate Tax position.
Is a compliance audit useful for a business that has only just registered for VAT or Corporate Tax?
Yes — arguably more useful early than after several filing cycles have already embedded a wrong approach. A compliance audit run after the first one or two filing cycles confirms the new registration's obligations are being correctly discharged from the outset, rather than only discovering an error once it has been repeated across several returns.
Does a compliance audit coordinate with a bank's own compliance or covenant review?
Where a bank facility includes compliance representations or covenant conditions, PNPC can scope a compliance audit specifically to test those named conditions, and — with management's consent — share relevant findings with the client's relationship bank ahead of a facility review or renewal, reducing the risk of a covenant breach surfacing unexpectedly.
Can a compliance audit be combined with an internal control over financial reporting (ICFR) review?
Yes, where useful. A compliance audit's obligation testing and an ICFR review's control-design and operating-effectiveness testing are complementary — many PNPC engagements scope both together for a client preparing for a listing, a significant financing round, or a first-time consolidated audit, since the underlying evidence (filed returns, reconciliations, approval records) overlaps substantially.
What if the finance team disagrees with a compliance audit finding?
We discuss draft findings with process owners before finalising the report, specifically to correct any factual errors and to reach an agreed, realistic remediation timeline. Where a genuine disagreement over the risk rating or interpretation remains, it is documented transparently in the final report rather than quietly softened or removed.
Does a compliance audit review contractual compliance obligations, not just regulatory ones?
Yes, where the entity has franchise, agency, distribution, or facility agreements containing specific compliance reporting duties to a principal, licensor, or lender, a compliance audit can test whether those contractual obligations are being met and evidenced, in addition to the statutory and regulatory obligations that form the core of most engagements.
PNPC compliance audit vs a typical generic provider
| Dimension | PNPC Global | Typical Generic Provider |
|---|---|---|
| Scope | Obligation map built from the entity's actual licence type, registrations, and sector | Fixed checklist applied regardless of what genuinely applies to the client |
| Evidence standard | Sample testing against filed returns, payroll records, and customer due diligence files | Confirmation that a policy document exists, without testing underlying evidence |
| Urgent findings | Escalated immediately, with a recommendation on voluntary disclosure where relevant | Held until the final report, delaying any corrective filing |
| Cross-border capability | Coordinated UAE-India compliance review for group structures under one engagement team | Separate, disconnected advisors in each jurisdiction with limited context-sharing |
| Regulatory currency | Findings grounded in current FTA, MOHRE, and DFSA/FSRA guidance, refreshed each cycle | Static templates that can lag behind current regulatory guidance |
| Remediation tracking | Agreed action plan tracked to completion, with follow-up testing where warranted | Report delivered with no structured follow-up on whether gaps were actually closed |
| Team continuity | Partner-led scoping and reporting, with senior team members on fieldwork | Engagement frequently delegated to junior staff with limited partner oversight |
| Free zone / mainland nuance | Obligations mapped entity-by-entity, recognising Qualifying Free Zone Person and mainland VAT/customs distinctions | Same generic obligation set applied across mainland and free zone entities regardless of licence type |
| Workforce & Emiratisation testing | GDRFA/ICP visa administration and MOHRE Nafis Emiratisation tracking tested alongside WPS, where relevant | Workforce compliance narrowed to WPS payroll timing alone, missing visa and Emiratisation exposure |
| Central Bank / regulated-entity experience | Compliance audits for exchange houses, finance companies, and payment service providers scoped to the Central Bank's own rulebook obligations | Generalist scope that does not account for sector-specific prudential or conduct requirements |
- 01
Obligation mapping specific to the entity's licence type, tax registrations, DNFBP status, and regulator category
- 02
Risk-ranked scoping so the highest-exposure obligations are tested first
- 03
VAT filing accuracy testing against Federal Decree-Law No. 8 of 2017 and current FTA guidance via EmaraTax records
- 04
Corporate Tax position review under Federal Decree-Law No. 47 of 2022, including related-party documentation and Qualifying Free Zone Person evidence where claimed
- 05
WPS payroll compliance reconciliation against MOHRE requirements
- 06
AML/CFT programme testing for DNFBPs, including sampled customer due diligence file review and goAML registration confirmation
- 07
DFSA/FSRA rulebook obligation testing for DIFC/ADGM regulated entities, scoped to the specific licence category
- 08
Sample-based evidence testing, not policy-existence confirmation alone
- 09
Immediate escalation of any gap serious enough to warrant urgent corrective action or voluntary disclosure
- 10
Obligation-by-obligation findings report with risk ratings and named remediation owners
- 11
Coordination with the client's existing tax advisor or statutory auditor, with management's consent
- 12
Cross-border UAE-India compliance review capability for group structures
- 13
Agreed management action plan with committed remediation dates
- 14
Follow-up testing of previously flagged obligations where warranted
Talk to a PNPC partner about scoping a compliance audit around the obligations that genuinely apply to your UAE entity — before a regulator, lender, or auditor finds the gap first.
Jurisdiction
Free zone, mainland & offshore
Ready to get started?
Tell us about your requirement — a UAE specialist responds within 24 hours.