Provision 29 Compliance: Board Controls Checklist
In Summary
Provision 29 of the UK Corporate Governance Code (2024), published by the Financial Reporting Council (FRC), requires the boards of UK premium-listed companies to make a formal declaration in their Annual Report on the effectiveness of their material internal controls. The provision applies to financial years beginning on or after 1 January 2026, meaning the first board declarations will appear in Annual Reports published in 2027. This is the most significant change to board accountability for internal controls in UK listed company governance in more than a decade. This checklist covers the governance structure, risk assessment, control design, testing, and reporting requirements needed to support a compliant board declaration, and identifies the most common gaps companies encounter in preparing one for the first time.
- Provision 29 applies from 1 January 2026: financial years starting on or after that date are in scope. For calendar-year reporters, 2026 is the evidence-building year and the first declarations appear in 2027 Annual Reports.
- The scope goes beyond financial reporting: material controls include ICFR, operational, reporting, and compliance controls. Companies that interpret "material controls" as financial reporting controls only will face scrutiny.
- The board declaration must be evidence-based: assertion without a documented testing programme, methodology, and deficiency log will not satisfy the FRC or investors. Evidence must be contemporaneous: collected during control operation, not assembled after the fact.
- Five areas require documented readiness: governance framework, risk and materiality assessment, control design and documentation, control testing and monitoring, and board declaration and reporting.
- A GRC platform is the practical answer to the evidence challenge: centralised control inventories, automated testing workflows, and real-time Audit Committee dashboards eliminate the coordination failures that manual processes produce.
Start the governance framework and materiality assessment now. Testing programmes that begin in the final quarter leave no time to remediate deficiencies before the declaration date.
Expert View
Matt Davies, Chief Product Officer, SureCloud
What our experts say about preparing a credible Provision 29 declaration
"The companies that will struggle with Provision 29 aren't the ones with weak controls. They're the ones with adequate controls and no documented evidence that those controls are working. The FRC isn't asking boards to be perfect. It's asking them to know their controls environment well enough to stand behind a declaration in public."
What Provision 29 Requires
The scope of the declaration is broader than financial reporting controls alone. It covers four categories: internal controls over financial reporting (ICFR), operational controls relevant to material risks, reporting controls covering non-financial disclosures, and compliance controls relevant to material legal, regulatory, and contractual obligations. Companies that read 'material controls' as a proxy for ICFR will find themselves exposed when the FRC or investors ask about cyber, operational resilience, or third-party controls.
The board declaration must identify whether controls are effective, effective with specified exceptions, or not effective. Where exceptions or ineffectiveness are identified, the Annual Report must explain the nature of the weakness and the remedial actions taken or planned.
Provision 29 operates on a Comply or Explain basis. Boards that cannot declare effectiveness are expected to explain the position honestly. But a declaration of ineffectiveness without evidence of a documented assessment process will draw scrutiny from investors, the FRC, and regulators. The FRC's internal controls guidance makes clear that the declaration must be based on evidence: boards are expected to have a documented methodology for assessing controls, a testing programme that's been executed, and a reporting chain that gives them genuine visibility of control effectiveness before they sign off.
How Provision 29 Differs from SOX 404
The context for Provision 29 is a decade of debate about whether UK governance standards adequately held boards to account for the quality of their internal controls. The Kingman Review (2018) and the Brydon Review (2019) both called for stronger board accountability. BEIS consulted on a UK equivalent to the US Sarbanes-Oxley Act (SOX) Section 404 requirement. The final Provision 29 is less prescriptive than SOX 404: it's a principles-based board declaration rather than an externally attested statement, and it applies to material controls rather than financial reporting controls only.
| Dimension | US Sarbanes-Oxley Section 404 | UK Provision 29 |
| --- | --- | --- |
| Scope of controls | Internal controls over financial reporting (ICFR) only | Material controls: ICFR, operational, reporting, and compliance |
| External auditor role | External auditor must attest to management's ICFR assessment | No mandatory external auditor attestation |
| Prescriptiveness | Prescriptive framework (COSO, PCAOB standards) | Principles-based; FRC guidance rather than mandatory methodology |
| Applicable companies | All US-listed public companies (Section 302/404) | UK premium-listed companies only |
| Consequence of weakness | Material weakness disclosed; auditor report qualified | Explain weakness in Annual Report; comply or explain basis |
The practical implication is that Provision 29 doesn't require companies to adopt a specific control framework, whether COSO, ISO 27001:2022, or another. It does require a methodology the board can stand behind. In practice, the FRC expects companies to document their control identification process, explain how they've determined materiality, and provide evidence that controls have been tested.
Who Is in Scope for Provision 29
Provision 29 applies to all companies with a UK premium listing on the London Stock Exchange, for financial years beginning on or after 1 January 2026. Companies with a standard listing or those listed on AIM are not mandatorily subject to the UK Corporate Governance Code, though investor expectations may encourage voluntary alignment.
For financial services firms regulated by the FCA and PRA, Provision 29 intersects with existing regulatory obligations. FCA-regulated firms that are premium-listed must satisfy both the UK Corporate Governance Code and their regulatory requirements, including the FCA's Handbook requirements on systems and controls (SYSC), PRA supervisory statements, and, for dual-regulated firms, operational resilience requirements. The Provision 29 declaration process provides an opportunity to align governance of internal controls across these overlapping obligations rather than running parallel programmes.
What Constitutes Material Controls
Determining which controls are 'material' is the first substantive challenge in Provision 29 compliance. The FRC guidance doesn't prescribe a universe of controls. Instead, it sets out a risk-based approach: material controls are those that address risks that could, if they crystallised, cause significant harm to financial performance, operational continuity, regulatory standing, or the reliability of the company's reporting.
In practice, determining materiality requires working through three questions. First, what are the material risks the company faces? Second, for each material risk, what controls exist that are designed to prevent or detect it? Third, is the design and operation of those controls adequate to give the board reasonable assurance that the risk is being managed?
| Control Category | Typical Material Risks | Key Evidence Types |
| --- | --- | --- |
| Internal controls over financial reporting | Financial misstatement; fraud in financial reporting; revenue recognition errors | Control test results; reconciliation logs; segregation of duties matrices; journal entry monitoring |
| Operational controls | Business service disruption; process failures causing client harm; model risk; data quality | Business continuity test results; operational KRI dashboards; incident logs; resilience self-assessments |
| Reporting controls | Inaccurate or misleading non-financial reporting; price-sensitive disclosures | Disclosure committee sign-off; regulatory reporting reconciliations; ESG assurance outputs |
| Compliance controls | Regulatory breach; market abuse; data protection failures; outsourcing non-compliance | Breach and near-miss registers; compliance monitoring results; FCA SUP reporting; audit committee papers |
| Cyber security controls | Material data breach; ransomware impacting operations; third-party compromise | Penetration test results; vulnerability management reports; CISO board reporting; ISO 27001 audit outcomes |
| Third-party / outsourcing controls | Critical supplier failure; concentration risk; sub-outsourcing without oversight | Due diligence records; contract compliance reviews; exit plan tests; Register of Information (DORA in-scope firms) |
For financial services firms, the intersection between Provision 29 and FCA operational resilience requirements under PS21/3 is direct. The important business services identified under operational resilience obligations are, by definition, material operational processes. The impact tolerances, mapping, and testing evidence produced for FCA purposes can feed directly into the Provision 29 evidence framework, reducing duplication across overlapping compliance obligations.
Provision 29 Compliance Checklist
This checklist covers the five areas that a Provision 29 compliance programme must address. It's designed for use by internal audit, compliance, and risk functions preparing for the first declaration cycle. Each item requires documented evidence, not assertion.
1. Governance Framework
- Board has formally designated accountability for overseeing the internal controls assessment (the Audit Committee in most cases).
- Audit Committee terms of reference updated to include Provision 29 oversight responsibilities.
- A named executive holds responsibility for the internal controls framework (CFO, CRO, or CISO for relevant control categories).
- A cross-functional controls working group is established, with representation from Finance, Risk, Legal, IT/Cyber, and Compliance.
- A documented methodology for Provision 29 assessment has been approved by the Audit Committee.
- The FRC guidance on Provision 29 has been reviewed and the company's approach aligned to it.
- The assessment methodology and timeline have been communicated to all control owners.
2. Risk and Materiality Assessment
- A complete list of material risks facing the company has been identified and documented, drawing on the enterprise risk register.
- For each material risk, relevant controls have been identified and mapped.
- A materiality threshold has been defined and documented: what level of control failure would be reportable under Provision 29?
- The materiality determination has been reviewed and approved by the Audit Committee.
- Controls associated with FCA and PRA regulatory obligations and FCA PS21/3 operational resilience requirements have been included where applicable.
- Third-party and ICT outsourcing controls have been assessed for materiality, particularly for DORA in-scope entities or firms with material outsourcing under SS2/21.
3. Control Design and Documentation
- Each material control has a documented description covering: what it does, who is responsible, how often it operates, and what evidence it produces.
- Control designs have been assessed for adequacy: is the control, if operating as designed, sufficient to address the risk?
- Control owners have confirmed their understanding of and responsibility for each control.
- The controls inventory is held in a system of record (GRC platform, not spreadsheet) that supports version history and evidence linkage.
- Gaps in the control universe (risks identified without adequate controls) have been documented and escalated.
- Compensating controls for known design weaknesses have been identified and documented.
4. Control Testing and Monitoring
- A risk-based testing programme has been designed and approved, covering all material controls.
- Testing frequency reflects control risk: higher-risk controls tested more frequently, automated controls tested for continued operation.
- Testing has been carried out by teams independent of control owners (internal audit or second-line risk functions).
- Test results have been documented with evidence, including any exceptions or deficiencies identified.
- Deficiencies identified during testing have been rated by severity (control deficiency, significant deficiency, or material weakness equivalent).
- Remediation actions for deficiencies have been assigned, tracked, and closed within defined timelines.
- An ongoing monitoring process is in place between formal testing cycles (key risk indicators, automated control monitoring, exception reporting).
- Evidence from regulatory inspections, external audits, and internal audit reviews has been incorporated into the controls assessment.
5. Board Declaration and Reporting
- The Audit Committee has reviewed the consolidated output of the controls assessment, including all deficiencies and their disposition.
- The board has received a summary of the controls assessment with sufficient detail to support an informed declaration.
- The declaration position (effective, effective with exceptions, or not effective) has been determined and documented.
- Where exceptions are identified, the nature of the weakness, its financial or operational impact, and the remedial actions taken are documented for inclusion in the Annual Report.
- The Provision 29 disclosure in the Annual Report has been reviewed by Legal and the Audit Committee before publication.
- The controls assessment documentation is retained and accessible for a minimum of six years, consistent with general company records retention requirements.
Common Failure Points in the First Provision 29 Cycle
Companies approaching Provision 29 for the first time encounter the same set of problems. Understanding them in advance reduces the risk of the board being unable to make a credible declaration.
- Insufficient evidence from control owners. The most common gap: control owners who understand their responsibilities but haven't been maintaining contemporaneous evidence of control operation. Where evidence exists only in individuals' memory or in informal communications, it can't support a board declaration. Control owners need to produce dated, documented evidence at the time controls operate, not at year-end.
- Materiality determined too narrowly. Companies that interpret 'material controls' as synonymous with 'financial reporting controls' find themselves exposed when regulators or investors ask about cyber, operational resilience, or outsourcing controls. The FRC guidance is explicit: materiality extends beyond ICFR.
- Testing too close to reporting. Companies that begin their testing programme in the final quarter of the financial year leave no time to remediate deficiencies before the declaration must be made. A rolling testing programme, designed to surface and address deficiencies throughout the year, is the only approach that makes remediation before declaration achievable.
- Audit Committee insufficiently engaged. A board declaration requires genuine board understanding of the controls environment. Audit Committees that receive a one-page summary without discussion of the underlying methodology or key deficiencies can't make an informed declaration. Regular, substantive Audit Committee engagement throughout the year is what turns a controls programme into a defensible declaration.
Technology and the Provision 29 Evidence Framework
A Provision 29 compliance programme generates a substantial volume of documentation: risk assessments, control inventories, test results, deficiency logs, remediation tracking, Audit Committee papers. Spreadsheet-based tracking breaks down when multiple control owners update their sections independently, when testing evidence is held across different systems, and when the Audit Committee needs a consolidated view ahead of the board declaration.
A GRC platform addresses these problems structurally. Centralised control inventories with linked evidence give a single view of control status across the business. Automated testing workflows notify control owners and escalate overdue items. Real-time dashboards give the Audit Committee and board visibility of the controls environment without manual report consolidation.
A full audit trail of decisions, exceptions, and remediation actions provides the documented record that a credible Provision 29 declaration requires. Without it, the controls programme may be running; it just can't be demonstrated.
Gracie AI Agents with Personas and Skills performs activities across controls testing and evidence collection, cutting audit preparation time by up to 75%. That means the board gets its consolidated controls assessment faster, with less manual reconciliation behind it. When the Audit Committee needs to stand behind a declaration, the evidence is already assembled, audited, and traceable.
For financial services firms, the additional value of a GRC platform is cross-framework integration. Provision 29 controls evidence overlaps substantially with what's required for FCA operational resilience (PS21/3 self-assessments), DORA compliance (ICT risk management framework evidence), and ISO 27001:2022 surveillance audits. A platform that maps controls once and uses them across frameworks removes the duplication that makes Provision 29 a standalone compliance burden.
For guidance on how compliance automation supports continuous controls monitoring and evidence collection throughout the year, see our guide to compliance vs continuous assurance. For an overview of compliance automation approaches available to UK-listed and regulated financial services firms, see compliance automation in the UK.
Regulatory Compliance FAQs
What does Provision 29 of the UK Corporate Governance Code require?
Provision 29 requires the boards of UK premium-listed companies to make a formal declaration in their Annual Report on the effectiveness of their material internal controls. Material controls cover ICFR, operational, reporting, and compliance controls. The declaration must state whether controls are effective, effective with specified exceptions, or not effective.
Where weaknesses are identified, the Annual Report must describe them and the remedial actions taken or planned. The provision applies to financial years beginning on or after 1 January 2026.
Who does Provision 29 apply to?
Provision 29 applies to companies with a UK premium listing on the London Stock Exchange. Companies with a standard listing or listed on AIM aren't mandatorily subject to the UK Corporate Governance Code, though investor expectations may encourage alignment. For financial services firms, Provision 29 adds a governance layer on top of existing FCA and PRA requirements on systems and controls: FCA-regulated firms that are premium-listed must satisfy both. The provision doesn't apply to private companies, though the FRC has indicated it may develop separate guidance for non-listed organisations.
How is Provision 29 different from a SOX 404 requirement?
SOX Section 404 requires management to assess and an external auditor to attest to the effectiveness of ICFR only. Provision 29 covers a broader universe of controls but doesn't require external auditor attestation. It operates on a Comply or Explain basis rather than a prescriptive mandate. In practice, Provision 29 is less burdensome procedurally than SOX 404 but covers a wider range of controls and places direct accountability on the board rather than management alone.
What evidence does the board need to support a Provision 29 declaration?
The board needs documented evidence of: the methodology used to identify material controls; the risk and materiality assessment underpinning the controls universe; testing results for each material control showing whether it operated as designed; a log of deficiencies identified, their severity, and remedial actions taken; and the Audit Committee's review of the consolidated assessment. Evidence must be contemporaneous, collected during the testing period rather than reconstructed after the fact.
What happens if the board cannot declare that controls are effective?
Provision 29 operates on a Comply or Explain basis. If the board can't declare that material controls are effective, it must explain the position in the Annual Report: describing the nature of the weakness or exception, its impact, and the actions taken or planned to remediate it. An honest declaration of ineffectiveness, with a credible remediation plan, is likely to be received better by the FRC and investors than a declaration of effectiveness that later turns out to lack supporting evidence. What the FRC scrutinises is the quality of the assessment process, not solely the outcome.
When do first Provision 29 declarations need to appear?
Provision 29 applies to financial years beginning on or after 1 January 2026. For calendar-year reporters, 2026 is the year in which controls must be documented, tested, and deficiencies remediated. The first board declarations will appear in Annual Reports published in 2027.
The ICAEW confirmed this timeline following the FRC's January 2024 code publication. Companies shouldn't wait for the final quarter of 2026 to begin: testing programmes launched late leave no time to address what they find.
© SureCloud 2026. All rights reserved.
