
Listed insurance companies in the UAE must reassess their existing internal control frameworks to ensure alignment with the COSO requirements and, through that, compliance with SCA’s internal control requirements.
Since 2019, the Central Bank of UAE (CBUAE), formerly known as the Insurance Authority, has mandated that insurance companies report on their internal controls. This reporting has traditionally been conducted through a management assessment report submitted directly to the CBUAE. CBUAE requirements apply equally to listed insurance companies and foreign branches.
Recently, the UAE Securities and Commodities Authority (SCA) issued a circular emphasising the Board of Directors' responsibility to establish and adopt an Internal Control and Risk Management Framework for Public Joint Stock Companies (PJSCs).
SCA clarified that for the year ended 2024, auditors must issue a private review opinion on Internal Controls over Financial Reporting (ICFR). From the year ending 2025, a separate, publicly disclosed audit opinion will be required, detailing internal control effectiveness, deficiencies, and corrective actions.
SCA’s requirement significantly impacts listed insurance companies in the UAE, as SCA mandates a separate publicly disclosed opinion on the effectiveness of internal controls. This move underscores the importance of transparency and accountability in corporate governance, ensuring that stakeholders have a clear understanding of the company's internal control environment and the measures taken to mitigate risks.
Additionally, all insurance entities, including foreign branches, must comply with CBUAE Insurance Reporting Requirements for 2025 as follows:
The entity is required to submit a Management Assessment Report duly authorised by the CEO and CFO (or equivalents). This must be submitted on or before 30 April 2025.
The CBUAE also requires the Internal Audit Department of the company to submit a report on the operating effectiveness assessment of the existing internal controls over financial reporting framework.
It is recommended to conduct an Internal Controls over Financial Reporting (ICFR) gap assessment to identify any gaps or possible improvement opportunities that will help entities comply with SCA and CBUAE requirements (and align with the COSO 2013 Internal Controls Framework, as recommended by SCA). The gap assessment will encompass a review of Entity Level Controls, Process Level Controls, and Information Technology General Controls that are documented in existing risk registers (i.e. as part of the entity’s existing ICFR programme).
The gap assessment could cover the following key areas:
ICFR departmental roles & responsibilities.
Reporting & monitoring.
CFO/CEO ICFR management sign-off.
Based on the above, incorporate the relevant recommendations identified from the gap assessment in your ICFR journey for 2025. A high-level overview of the ICFR journey is included below:
The following in-scope areas should be considered at a minimum for ICFR, as applicable for each organisation. This could be further refined based on the materiality and scoping exercise:
As per CBUAE reporting requirements, the management assessment report should include the following:
Executive summary – Key findings and actions.
Internal control framework – Documentation of adopted control structures.
Update on previous findings – Status of unresolved and resolved issues.
Newly identified gaps – Disclosure of any control weaknesses.
Control environment overview – Entity-wide, departmental, or process-level controls.
Risk monitoring & testing methodology – Approach for assessing risks and control effectiveness.
Risk summary – Identification and assessment of key risks.
IFRS 17 implementation – Updates on IFRS 17’s impact on controls.
Internal risk rating – Summary of risk matrix ratings.
Detailed results – Illustration of the severity of findings, and the corrective action plan and timelines.
CBUAE encourages entities to present, in their Management Assessment Report, a condensed risk and control matrix representing the risk assessment and mitigation models implemented, along with the key outcomes from the testing conducted on various controls.
The Management Assessment Report should be authorised by the CEO and CFO (or equivalents) and submitted on or before 30 April 2025.
The Internal Audit departments of insurance entities may consider the following scope of work to conduct an internal audit of ICFR and assess the operating effectiveness of the existing framework.
Internal audit reports and management assessment reports must be presented to the Board / Board Committees. This enhances strategic oversight and strengthens governance at the highest level.
Regulators are evolving and expect companies to continue testing and improving the design and operating effectiveness of the processes and underlying internal controls.
Management accountability is critical – requiring CEO/CFO sign-off and Board-level review.
Transparency and structured reporting will drive regulatory alignment and strategic governance improvements.
Internal audit also has a role to play in providing comfort to the CBUAE about the effectiveness of the continuous progress made by management on internal control implementation.
As insurance companies navigate enhancements to their respective internal control frameworks, PwC Middle East offers expertise in:
Conducting a gap assessment of the existing internal control framework.
Providing implementation support of the internal control framework.
Conducting internal audit of the internal control framework.