Mastering the UAE Corporate Governance Code: The synergy of internal audit and governance technology

The United Arab Emirates (UAE) continues its ascent as a global business powerhouse, underpinned by a strong and evolving corporate governance framework. For organizations striving for excellence in this environment, particularly Public Joint Stock Companies (PJSCs), proactively embracing the standards set by UAE regulators is fundamental. This isn't just about compliance; it's about building resilient, transparent and high-performing organizations.

At Cherry Hill Advisory, our work across Risk, Compliance, Audit & Assurance, and Technology consistently shows that effective governance thrives on the synergy between human oversight and enabling technology. This article explores the UAE Corporate Governance Code, highlighting how a strategic Internal Audit function, significantly empowered by modern governance technology, is key to navigating compliance and unlocking value.

The UAE Corporate Governance Framework: Driving higher standards

The UAE's governance framework aims to establish clear standards for corporate direction and control, enhancing transparency, protecting stakeholder interests, and boosting investor confidence. The Securities and Commodities Authority (SCA) leads this for listed companies through its Chairman of SCA Board Decision No. (3/Chairman) of 2020 concerning the Joint Stock Companies Governance Guide.

This framework is actively maintained, with notable recent developments:

February 28, 2022: Amendments refining board composition rules and shareholder meeting processes took effect, showing responsiveness to market needs. (Source)

January 2024: Significant updates came into force, placing a strong emphasis on the demonstrable effectiveness of internal controls, governance structures, and risk management processes. This signals a move towards requiring robust, verifiable systems, not just policies on paper. (Source)

These heightened expectations necessitate efficient and reliable methods for managing governance obligations.

Internal audit: Providing assurance in a complex landscape

How do boards and management gain assurance that they are meeting these evolving requirements? The Internal Audit function provides this crucial, independent perspective. Operating as an objective assurance and advisory body, internal audit evaluates and helps improve the effectiveness of risk management, internal control, and governance processes. Reporting functionally to the board's Audit Committee ensures its independence, allowing for unbiased assessments. In the context of the UAE code, internal audit validates that governance principles are effectively designed and operating as intended.

The critical role of governance technology

Meeting the demands of the UAE Corporate Governance Code in today's complex environment requires more than manual effort. Purpose-built technology is no longer a luxury but a foundational element for effective governance, risk management, and compliance (GRC).

• Enhancing board effectiveness: Secure digital platforms for board communication and materials streamline information flow, ensure directors have timely access to accurate data, facilitate better meeting preparation, and create auditable records of decisions – all crucial for meeting the code's expectations around board oversight.
• Integrating risk and control management: The SCA's focus on robust internal controls and risk management necessitates a structured approach. Integrated risk management software allows organizations to centralize their risk registers, map risks to controls, document testing, track mitigation actions, and provide real-time visibility to management and the board. This moves beyond static spreadsheets to dynamic oversight.
• Streamlining compliance and policy management: Ensuring compliance with specific articles of the code and internal policies requires organization-wide effort. Centralized platforms for policy management can automate distribution, track employee attestations, manage updates, and provide a clear audit trail, significantly improving efficiency and demonstrating compliance readiness.
• Boosting internal audit effectiveness: Internal audit itself benefits immensely from technology. Modern audit management software, often incorporating data analytics capabilities, enables auditors to automate workflows, perform more comprehensive testing across entire datasets, visualize risks, and report findings more effectively. This allows audit teams to focus their expertise on higher-risk areas and provide deeper insights.
• Improving transparency and reporting: The code mandates significant disclosures. Robust reporting tools, often integrated within broader GRC platforms, help aggregate data accurately and generate the necessary governance reports for regulators and stakeholders efficiently.

Leveraging these types of technological capabilities allows organizations to embed governance more deeply, manage risks more proactively, and demonstrate compliance more effectively. As Cherry Hill Advisory often advises clients, investing in the right technology yields significant returns in efficiency, assurance, and strategic insight.

Tactical internal audit projects: Enhanced by technology

Here’s how internal audit teams, utilizing modern tools, can tackle UAE Governance Code compliance:

1. Board & committee effectiveness review: Assess structure, independence, and processes, aided by reviewing usage logs and content within secure board portals to evaluate information accessibility and engagement.
2. Governance policy gap analysis: Utilize compliance management modules within GRC platforms to map policies against code requirements, track exceptions, and manage remediation workflows.
3. Internal control testing: Employ data analytics tools integrated with audit management software to perform continuous controls monitoring or test large populations of transactions. Focus testing on IT General Controls underpinning key business applications identified through GRC control mapping.
4. Risk management framework audit: Assess the ERM process, evaluating the configuration and usage of the organization's risk management information system for completeness and accuracy in risk identification, assessment, and reporting.
5. Disclosure controls review: Test controls over financial reporting and governance disclosures, potentially using workflow tools that manage the disclosure compilation and approval process to verify steps are followed.
6. Related party transaction audit: Leverage data analytics to systematically identify potential related parties and transactions within ERP systems, flagged for review against approvals documented possibly within an entity management solution.
7. Shareholder rights compliance check: Review the security and functionality of any digital platforms used for shareholder communications, proxy voting, or virtual meetings.
8. IT governance & cybersecurity audit: Conduct dedicated audits assessing IT risk management, cybersecurity controls (potentially using specialized assessment tools), and data governance practices, ensuring alignment with overall GRC strategy managed within integrated platforms.

Conclusion: Building a future-ready governance framework

The UAE Corporate Governance Code sets a high standard for businesses. Achieving and maintaining compliance, particularly with the increased regulatory focus on controls and risk, requires a strategic approach that combines strong internal audit practices with the power of modern governance technology.

By leveraging integrated platforms for GRC, specialized tools for board communication, audit management, and risk oversight, organizations can move beyond basic compliance. They can build truly effective, transparent, and resilient governance frameworks. As Cherry Hill Advisory (www.cherryhilladvisory.com) knows, this integration of people, process, and the right technology is key to not only meeting regulatory demands but also driving sustainable performance and stakeholder value in the UAE's thriving economy.

Disclaimer: This article reflects the expert perspectives of Cherry Hill Advisory and provides general information. Specific advice should be sought based on individual company circumstances and the latest regulatory updates.