Insights Advisory
Internal Audit Checklist for a UAE SME: A Practical Guide
A practical internal audit checklist for UAE SMEs — what internal audit is, how it differs from external audit, and the controls to review across finance, VAT, tax, payroll and compliance.

Key takeaways
- Internal audit reviews controls, risk and process continuously; external audit issues an independent opinion on the financial statements for third parties
- A practical internal audit checklist for an SME covers financial controls, revenue, purchases, payroll, VAT, Corporate Tax, assets, inventory, cash, IT and statutory compliance
- The FTA generally requires records to be kept for 5 years (7+ years for real estate), so retention is a checklist item, not an afterthought
- Segregation of duties, approval limits and monthly bank reconciliations are the three controls that prevent the most damage in a small finance team
- Strong internal controls reduce VAT and Corporate Tax filing errors and shrink the year-end audit adjustment list
- Internal audit is risk-reduction that makes the external audit smoother — not a replacement for it
Most UAE SMEs first meet the word “audit” when a bank, a free zone authority or their Corporate Tax obligations demand a signed set of financial statements. That is the external audit — necessary, backward-looking, and done once a year by an approved auditor. What far fewer small businesses run is the quieter, more useful cousin: the internal audit. An internal audit is the review you run on yourself, on your own schedule, to check that the controls producing your numbers actually work. Done well, it turns the annual external audit from a stressful excavation into a tidy formality. This guide explains what an internal audit is, how it differs from the statutory audit, and gives you a practical internal audit checklist you can run across the key areas of a UAE SME.
What an internal audit actually is
An internal audit is an independent, ongoing review of a company’s internal controls, risk management and business processes. The word that matters most in that sentence is ongoing. Where the external audit is a once-a-year event, internal audit is a habit — a continuous discipline of testing whether the business is running the way management assumes it is.
It answers questions the owner should want answered before anyone outside the company does. Are the bank accounts reconciled every month, and do they tie out? Can one person raise, approve and pay an invoice on their own, or does the system force a second pair of hands? Are VAT and Corporate Tax records complete enough that the returns can be trusted? Is the fixed-asset register a real record or a fiction? Internal audit exists to find the honest answer to those questions while there is still time to fix a bad one.
Critically, internal audit is a management tool, not a statutory filing. It produces no signed opinion for outsiders and, for most SMEs, is not legally mandatory. Its entire value is internal: reducing risk, catching errors early, and building the kind of clean control environment that makes every downstream obligation — VAT, Corporate Tax, the external audit — easier.
5 years
General minimum period the FTA requires businesses to retain accounting records and supporting documents — extended to 7+ years for the real estate sector

Internal audit versus external audit
The two audits are often confused, but they serve different masters and answer different questions. Getting the distinction right is the first step to using each properly.
| Dimension | Internal Audit | External (Statutory) Audit |
|---|---|---|
| Purpose | Test that controls, risk management and processes work | Give an independent opinion on the financial statements |
| Audience | Management and owners (internal) | Banks, investors, regulators, free zone authorities (external) |
| Who performs it | Internal team or an outsourced advisory firm | A UAE-approved, licensed external auditor |
| Frequency | Ongoing — monthly, quarterly, continuous | Usually once per financial year |
| Output | Findings, recommendations, a controls action list | A signed audit report and opinion |
| Mandatory | Generally a management choice for SMEs | Required in many free zones and for various compliance purposes |
| Focus | The machinery that produces the numbers | The numbers themselves, at a point in time |
The relationship between the two is the important part. An external auditor gains comfort faster when a business has strong internal controls, because it means the underlying records are more likely to be reliable. Every control weakness the internal audit finds and fixes is one less adjustment, one less query and one less delay in the external audit. Think of internal audit as risk-reduction that makes the statutory audit smoother — not as a substitute for it. You still need the signed opinion; you just want to walk into it with clean books.
The internal audit checklist: financial controls
This is the core of any SME internal audit, because the financial controls are where small teams are most exposed. Three controls carry most of the weight.
Bank reconciliations. Every bank account should be reconciled to the ledger monthly, and the reconciliation should actually tie out — no permanent “unreconciled differences” parked for later. Test a sample: pick a month, confirm the reconciliation was prepared, reviewed by a second person, and that every reconciling item was cleared in the following period.
Segregation of duties. No single person should control a transaction from end to end. The person who raises a purchase order should not also approve it and release the payment. In a very small team perfect segregation is hard, so the internal audit tests for compensating controls: owner review of the bank feed, dual authorisation on payments above a threshold, monthly management review of the ledger.
Approval limits. There should be a documented approval matrix — who can approve what, up to what value — and evidence that it is enforced, not just written. Sample a set of payments and confirm each was approved by someone with the authority to approve it.
Revenue, receivables, purchases and payables
With the core controls tested, the checklist moves through the transaction cycles.
Revenue and receivables. Confirm that every sale is invoiced, that invoices are sequentially controlled so none go missing, and that revenue is recognised in the correct period. Review the aged receivables listing for old balances that may not be collectable, and check that credit notes are properly authorised rather than used to quietly write off awkward balances.
Purchases and payables. Test the three-way match — purchase order, goods received note, supplier invoice — before a payment is made. Confirm suppliers are legitimate and that new suppliers are subject to a basic vetting step, which reduces the risk of fictitious-vendor fraud. Review the aged payables for anything unusual, such as duplicate invoices or payments made without matching documentation.
These two cycles are where most of a business’s money moves, so they deserve a proportionate share of internal audit attention. A clean revenue and purchases cycle also feeds directly into clean accounting and bookkeeping, which in turn feeds clean VAT and Corporate Tax positions.

Payroll, VAT and Corporate Tax compliance
For a UAE SME, three compliance areas belong on every internal audit checklist because errors here carry direct penalties.
Payroll and WPS. Confirm that salaries are paid through the Wage Protection System where required, that the payroll register reconciles to the general ledger, and that end-of-service gratuity is accrued rather than ignored until an employee leaves. Check that changes to payroll — new joiners, leavers, salary changes — are properly authorised.
VAT compliance. Test that the VAT control account reconciles to the filed returns, that input VAT is only recovered where valid tax invoices exist, and that the correct VAT treatment is applied to zero-rated, exempt and out-of-scope supplies. A recurring reconciliation between the VAT return and the ledger is one of the highest-value controls a VAT-registered SME can run.
Corporate Tax readiness. Confirm that records support the Corporate Tax position — that expenses are properly documented and that any related-party or adjustment areas are identifiable. Strong bookkeeping is the foundation here; where the position is complex, structured Corporate Tax support reduces the risk of a filing error surfacing later.
Nearly every VAT or Corporate Tax filing error we see traces back to a control that was never run — a VAT account that was never reconciled, an invoice that was never matched, a record that was never kept. Internal audit is not about catching people; it is about running the controls that stop the error before it reaches the return.
Assets, inventory, cash and IT
The next block of the checklist covers the areas that are easy to overlook until something goes wrong.
Fixed assets. Confirm the fixed-asset register exists, agrees to the general ledger, and reflects reality — that assets recorded still physically exist and that disposals have been removed. Check that depreciation is applied consistently.
Inventory. Where the business holds stock, confirm that physical counts are performed periodically and reconciled to the records, that slow-moving or obsolete stock is identified, and that access to inventory is controlled.
Cash handling. For any business handling cash, test that receipts are recorded promptly, that cash is banked regularly, and that petty cash is reconciled and independently reviewed.
IT and data access. Confirm that access to the accounting system is restricted by role, that user accounts are removed promptly when staff leave, that data is backed up, and that no single unmonitored login has unrestricted power over the financial records. Weak IT access controls quietly undermine every other control on this list.
Statutory and regulatory compliance
The final block confirms the business is meeting its standing obligations — the ones that carry fines when missed.
Trade licence and registrations. Confirm the trade licence is valid and current, that the business is operating within its licensed activities, and that any required registrations are in place and up to date.
Record retention. Verify that accounting records and supporting documents are being kept for the required period — generally five years under FTA rules, and seven years or more for real estate — and that they are stored securely and retrievably. Records being deleted too early is a compliance failure that only becomes visible when an authority asks for something you no longer have.
AML and ESR where relevant. Businesses that fall within the scope of Anti-Money Laundering rules — including many designated non-financial businesses and professions — should confirm their AML compliance obligations are met, including customer due diligence and any goAML registration. Where Economic Substance Regulations apply to the activity, confirm the relevant obligations are being tracked.
Documentation. Confirm that contracts, board approvals and key correspondence are filed and retrievable — the documentation that supports the numbers is as important as the numbers themselves.
Turning the checklist into a habit
A checklist run once and forgotten changes nothing. The value comes from cadence. A practical rhythm for most SMEs is a light monthly control check — reconciliations done, approvals enforced, VAT account reconciled — combined with a deeper quarterly review that rotates through the transaction cycles, so every area is examined at least once a year. Ahead of the external audit, a focused pre-audit pass clears open items so the statutory auditor meets a tidy set of records rather than a backlog.
Small teams can run this against a checklist themselves. Where the team is stretched, or where genuine independence is valued, an outsourced firm can provide the internal audit and controls advisory function without the cost of a full-time internal auditor. The point is not who runs it, but that it gets run — consistently, honestly, and with findings that are actually fixed rather than filed.
Where this leaves your business
An internal audit is the cheapest risk management a UAE SME can buy, and one of the most neglected. It is not the statutory audit, it does not produce a signed opinion, and for most small businesses it is not legally required — which is exactly why so many skip it and then meet their control weaknesses for the first time in the middle of the external audit. Run the checklist across financial controls, the transaction cycles, payroll, VAT, Corporate Tax, assets, inventory, cash, IT and statutory compliance, run it on a monthly-and-quarterly rhythm, and fix what it finds. The external audit becomes faster and cheaper, the filing errors stop happening, and the business gets the one thing every owner actually wants: confidence that the numbers are right.
Pair a disciplined internal audit with clean accounting and bookkeeping so the controls have reliable records to test, and with audit assistance so the pre-audit clean-up and the external audit run smoothly together.
Velmont Crest is a DED-licensed UAE accounting firm providing internal controls advisory, audit assistance and compliance support for SMEs across Dubai mainland and the free zones. We help businesses build and run an internal audit checklist and prepare for the external audit — we are not the signing statutory auditor. Read more on our insights hub or get in touch via our contact page.
Disclaimer: Velmont Crest is a DED-licensed accounting firm providing advisory, preparation and compliance support services. We provide internal controls advisory and audit assistance; we are not the appointed statutory auditor who signs the independent audit opinion on your financial statements. FTA record-retention rules, AML and ESR obligations, and audit requirements change from time to time and vary by activity and free zone — verify the current rules for your specific circumstances and consult a licensed professional before acting.
References
Frequently asked questions
- What exactly is an internal audit?
- An internal audit is an independent, ongoing review of how well a company's internal controls, risk management and business processes are actually working. It is a management tool — the board or owner uses it to get assurance that the business is running the way it is supposed to, that risks are being managed, and that the numbers can be trusted before anyone outside the company relies on them. It looks at things like whether bank reconciliations are done, whether approvals are enforced, whether duties are segregated, and whether VAT and Corporate Tax records are complete. Crucially, it is not a statutory requirement for most SMEs and it does not produce a signed opinion for outsiders. Its whole purpose is to find and fix problems internally, before they cost you.
- How is internal audit different from external audit in the UAE?
- The simplest way to see the difference is to ask who the audit is for. An external — or statutory — audit exists for third parties: banks, investors, free zone authorities and regulators who need an independent opinion on whether your financial statements give a true and fair view. It is performed by a UAE-approved auditor, follows international standards, and ends in a signed audit report. An internal audit exists for you: management runs it, on your own schedule, to test whether your controls and processes work. External audit looks backward at one set of financial statements once a year; internal audit looks continuously at the machinery that produces those statements.
- Does a UAE SME legally need an internal audit?
- In most cases, no. Internal audit is generally a management choice rather than a statutory obligation for small and medium businesses, whereas an external statutory audit is required in many free zones and for various licensing, banking and Corporate Tax purposes. That said, 'not legally required' is not the same as 'not worth doing.' Even a lightweight internal audit — a quarterly walk through a controls checklist — pays for itself by catching VAT and Corporate Tax errors before filing, surfacing weak spots that could enable fraud, and reducing the adjustments your external auditor would otherwise raise. For a growing SME, building the internal audit habit early is far easier than retrofitting controls after a problem has already surfaced.
- How long do we have to keep our accounting records in the UAE?
- As a general rule, the Federal Tax Authority requires businesses to keep accounting records and supporting documents for at least five years. For businesses in the real estate sector, the retention period is longer — generally seven years or more — because of the nature of property transactions and the associated VAT treatment. These periods run from the end of the relevant tax period, and they apply to invoices, contracts, bank statements, customs documents and the records behind your VAT and Corporate Tax returns. Record retention should be an explicit line on your internal audit checklist: confirm that documents are stored securely, are retrievable, and are not being deleted before the retention window closes.
- How often should an SME run an internal audit?
- There is no single right answer, but a practical rhythm for most UAE SMEs is a light monthly control check plus a deeper quarterly review. The monthly check confirms the fundamentals are happening — bank reconciliations completed, approvals enforced, VAT control account reconciled. The quarterly review goes deeper into one or two areas at a time, rotating through revenue, purchases, payroll, fixed assets, inventory and IT access over the year so that every area is examined at least once annually. Then, ahead of the external audit, a focused pre-audit pass cleans up open items so the statutory auditor meets a tidy set of records.
Filed under: internal audit, internal audit checklist, internal audit process, internal vs external audit, UAE SME, internal controls, risk management, compliance
Published



