Unprecedented circumstances are forcing the insurance industry to dramatically evolve and rethink the way business is being conducted globally. Volatile markets, dependency on technology, enhanced compliance requirements, among other factors, are leaving organizations little choice but to adapt. Accordingly, opportunities to lead and reshape the insurance industry have never been greater.

The Insurance Authority (IA) in the United Arab Emirates (UAE) recently published a circular with respect to new reporting requirements. Insurance companies are now required to obtain an independent auditors’ opinion on the effectiveness of internal controls over financial reporting (ICOFR).

The requirements, as per the IA’s Circular No. (21) of 2019 and its subsequent circular, endeavor to strengthen internal controls within insurance companies in the UAE.

KPMG understands the importance of these new requirements. Our objective is to assist you in navigating and implementing a robust internal control framework.

Key objectives of the ICOFR requirement include:

  • Improve the quality of financial reporting and compliance
  • Enhance the operating model of companies to ensure efficiency
  • Assist companies in integrating with the dynamic environment
  • Uplift the UAE insurance sector to the standard of global best practices
  • Increase reliability of financial information and boost investor and policyholder confidence
  • Protect the interests of all the stakeholders

ICOFR implementation steps

  1. Establish an ICOFR framework and review the design and operating effectiveness of ICOFR controls for the year 2020
  2. Provide a report to the Insurance Authority including the results of the ICOFR assessment by 30 April 2021
  3. Remediate control gaps/failures and test the operating effectiveness of implemented ICOFR during 2021
  4. Obtain a separate opinion from external auditors on operating effectiveness of ICOFR controls from 2021 onwards

How KPMG can help

Road map to implement an internal controls framework


  • Finalize scope and develop project plan
  • Engage with process/control owners and key stakeholders, including external auditors
  • Review existing policies and procedures, risk control matrices (RCM) and conduct walkthroughs to determine the level of existing internal financial control compliance
  • Identify key controls and agree with external auditors to drive more efficiency


  • Evaluate entity-level controls (ELCs) against the COSO 2013 requirements
  • Conduct walkthroughs to confirm control design
  • Document the ELCs
  • Independent design review and validation of ELCs
  • Report ELC design effectiveness gaps


  • Document process flows/narratives to demonstrate the existing control environment
  • Identify broad categories and sources of risks for each business process, including fraud and IT risks
  • Develop RCMs to ensure coverage of all financial reporting assertions


  • Identify design and operating effectiveness control gaps
  • Evaluate the root cause for identified deficiencies
  • Recommend a mitigation plan for remediation
  • Discuss exceptions identified with management and external auditors
  • Agree on a remediation plan and support management in remediating the gaps


  • Continuously monitor and update the RCMs
  • Improve the effectiveness of internal control
  • Keep a tab on continuous improvements needed in the framework, processes, leading practices and changes in laws and regulations