What is new

News & updates

back

SCA Extends the ICFR Transition — and Raises the Bar

SCA Extends the ICFR Transition — and Raises the Bar

The SCA’s latest circular represents the most significant policy update since the introduction of mandatory Internal Control over Financial Reporting (ICFR) requirements earlier this year.

While the ICFR framework had already reshaped governance expectations for UAE listed companies, this new circular broadens its scope, introducing an integrated Internal Control and Risk Management Framework that will gradually become a cornerstone of corporate oversight in the UAE capital markets.

Extension of the ICFR Trial Phase

Under the circular, the SCA formally extends the first (trial) phase of ICFR implementation until 31 December 2026. During this period, listed companies are expected to:

  • Conduct internal evaluations of their control systems;
  • Prepare internal (non-public) reports for the 2026 financial year; and
  • Obtain an external auditor’s opinion on the effectiveness of their internal controls, again without public disclosure.

This extension effectively gives companies a two-year window to refine internal processes, train staff, and address control deficiencies before moving to public reporting.

The SCA’s approach signals pragmatism, recognizing that robust internal control cannot be achieved through compliance box-ticking, but requires time, resources, and an embedded governance culture.

Mandatory Disclosure from 2027

Beginning 1 January 2027, ICFR implementation transitions from trial to full mandatory application and disclosure. Companies will need to:

  • Undertake a comprehensive internal assessment;
  • Issue a formal Internal Control Report incorporating the external auditor’s opinion on ICFR effectiveness; and
  • Disclose this report publicly within their integrated annual reports, ahead of the annual General Assembly.

This is a significant milestone — 2027 will mark the first time UAE listed companies will publicly report on the effectiveness of their internal financial controls, aligning with international best practices seen in advanced markets.

From 2028: Integrating Risk Management

Importantly, the SCA circular pushes the agenda beyond financial reporting controls. From 2028 onwards, internal control reporting will formally include risk management as part of the assessment scope.

This shift recognizes that financial integrity cannot be viewed in isolation from broader business risks — operational, strategic, technological, and compliance-related.

By embedding risk management into the ICFR structure, the SCA is positioning the UAE among jurisdictions that have adopted enterprise risk governance as an integral component of corporate accountability.

Frameworks and Standards

To ensure uniformity and international consistency, the circular mandates adoption of:

  • The COSO Framework — for designing, implementing, and evaluating the effectiveness of internal control systems; and
  • ISAE 3000 — as the assurance standard guiding external auditors in reviewing ICFR reports and providing reasonable assurance on control effectiveness.

This dual-framework approach enhances credibility and aligns the UAE’s governance model with global audit and assurance practices.

Board and Auditor Responsibilities

The SCA reiterates that the Board of Directors holds ultimate responsibility for ensuring an effective internal control system and must issue the internal control report itself.

This requirement elevates the board’s accountability from oversight to ownership — boards can no longer delegate or dilute responsibility for internal control effectiveness.

Simultaneously, the external auditor plays a critical validation role. The auditor appointed to audit the 2026 financial statements will also be required to issue a separate opinion on management’s ICFR evaluation.

Companies must ensure that this ICFR assessment forms an explicit part of the auditor’s engagement contract, beginning with the 2026 audit cycle.

Disclosure Timing and Early Adopters

The SCA circular aligns the timing of ICFR disclosure with the publication of the integrated report.

However, companies that already operate a mature internal control framework may choose to voluntarily publish their ICFR reports for 2025, alongside their integrated reports — an option that early-adopting issuers are likely to use to demonstrate market leadership.

Flexibility and Exemptions

Recognizing the practical realities of implementation, the SCA provides targeted flexibility:

  • Recently acquired entities may be excluded from ICFR scope for one year.
  • Newly listed or newly incorporated companies receive a one-year grace period after listing.
  • Foreign subsidiaries may be excluded for one year during the trial phase, provided such exclusion is disclosed.
  • Foreign listed companies, private joint-stock companies, and free-zone issuers remain exempt from mandatory application.

These exemptions maintain a balance between regulatory ambition and pragmatic transition.

Why This Matters

The new circular underscores the UAE’s regulatory maturity and its commitment to aligning with global corporate governance standards.

The move from internal control over financial reporting to a broader risk-based governance regime reinforces the SCA’s vision of building a transparent, investor-trustworthy, and well-regulated capital market.

As we observed in our earlier coverage of the SCA’s ICFR framework, 2025 marked the beginning of a governance transformation.

This new circular is Phase 2 of that transformation — shifting from compliance preparation to strategic integration.

Companies that embrace these requirements early, building real, embedded internal control and risk management cultures, will not only ensure compliance but also gain market credibility, strengthen investor confidence, and enhance long-term enterprise value.

By:
Ahmed Ibrahim
Managing Partner

For more information, please contact [email protected]

WHAT IS NEW

MORE NEWS & UPDATES