
How to Identify Material Internal Controls Under Provision 29 (2026 Methodology)

Elliot Poublan
May 7, 2026

Of all the decisions a UK premium-listed board has to make under Provision 29, one is harder than every other one combined: which controls are material?

It is the question every other Provision 29 decision flows from. Get it right, and the rest of the programme - testing, assurance, board reporting, year-end declaration - has a stable foundation. Get it wrong, and the board ends up signing a declaration over the wrong inventory, which is worse than not signing one at all.

This guide sets out a working definition of a material internal control, the three tests that boards are using in practice, a scoring rubric you can adapt, a worked example, and the most common scoping mistakes. It is the methodology behind the brief description in our Provision 29 end-to-end compliance guide, and the natural companion to our Provision 29 vs SOX comparison.

In short

A material internal control is one whose failure could reasonably be expected to have a material adverse impact on the company's financial position, operations, regulatory standing or long-term sustainability. The judgement is the board's.

  • Working number - 30 to 50 material controls for a typical UK premium-listed company. Banks and complex groups higher; simpler businesses lower.
  • Three tests - risk linkage, stakeholder impact, strategic relevance. A material control passes all three.
  • Direction of travel - top-down from principal risks, bottom-up from the existing control library, then meet in the middle.
  • Approval - criteria approved by the Audit Committee before they are applied. The resulting universe is a board judgement, not a management one.
  • Maintenance - reviewed at least annually and on material change events. A static inventory is a stale inventory.

Why "Material" Is Deliberately Hard

The FRC's drafting choice is intentional. Provision 29 does not tell you which controls are material, how many you should have, or how to test them. The Code language is principles-based: boards must monitor and review the company's risk management and internal control framework, including all material controls, and declare whether those controls have operated effectively as at the balance sheet date.

That deliberately puts the judgement on the board. The reasoning - explicit in the FRC's policy work and consultation responses - is that the board is best placed to know which controls genuinely matter to its business model, regulatory environment and risk profile. A SOX-style externally prescribed control inventory was rejected precisely because it tends to produce volume over judgement.

The result is freedom that lands as ambiguity. The first time a board sits down to scope its material controls, the conversation tends to stall on the same question: compared with what?

A Working Definition

The most useful definition we have seen, which is consistent with FRC guidance and with how early adopters are landing the question:

A material internal control is one whose failure - in design or in operation - could reasonably be expected to have a material adverse impact on the company's financial position, operations, regulatory standing, or long-term sustainability, judged from the perspective of the board and its principal stakeholders.

Three things matter in that definition:

  • "Reasonably be expected" - the test is plausibility under realistic conditions, not worst-case theoretical scenarios.
  • "Material adverse impact" - the consequences must be severe enough that the board would not want to discover the failure after the fact. Pure financial materiality is not enough; reputational, regulatory and operational materiality count.
  • "Board and principal stakeholders" - the lens is governance and accountability, not internal management. Investors, regulators, customers, employees, suppliers - the people the annual report is written for.

The Three Tests

A practical filter most early adopters are using, in some form, is a three-test gate. A control is material if it passes all three. Anything that fails one is, at best, a "key" control - important to the business, but not at the threshold the board is prepared to opine on.

Test 1 - Risk Linkage

Does this control mitigate a principal risk that the board has disclosed?

If a control does not link clearly to a principal risk - the ones described in the strategic report, the viability statement and the risk appetite framework - it is unlikely to be material. The principal risks already represent the board's view of what could prevent the company achieving its strategy. Material controls are how those risks are managed.

Two checks:

  • For each candidate material control, name the principal risk it mitigates. If you cannot, ask whether the control is genuinely material or whether the risk it manages is sub-principal.
  • For each principal risk, list the material controls that mitigate it. A principal risk with no material controls behind it is itself a finding the Audit Committee should see.

Test 2 - Stakeholder Impact

Would the failure of this control cause material harm to the company's principal stakeholders?

Materiality is not just financial. The FRC has explicitly framed Provision 29 around the long-term sustainability of the business and the interests of stakeholders. A useful checklist:

| Stakeholder | Material harm looks like |
|---|---|
| Shareholders | Misstatement of the financial statements; material undisclosed exposure; loss of value not reflected in disclosed risks; failure of going-concern judgements. |
| Customers | Significant outage; data breach affecting customer information; product safety failure; conduct breach causing detriment. |
| Regulators | Non-compliance with primary regulation; failed regulatory return; sanctions or market abuse breach; loss of authorisation or licence. |
| Employees | Health and safety failure; significant whistleblowing issue not handled; conduct culture breakdown. |
| Suppliers / counterparties | Failure of critical third party; payments fraud; breach of contract that triggers wider supply-chain failure. |
| Society / public | Material environmental incident; failure of climate-related disclosures; modern slavery in supply chain; data misuse. |

If the failure of a control would not show up in any of these rows, it is unlikely to be a material control - even if it is a perfectly good control.

Test 3 - Strategic Relevance

Is this control critical to delivering or protecting the strategy described in the annual report?

This test catches controls that pass the first two but are tangential to the company's stated direction. A control over a non-core legacy product line might mitigate a principal risk and have a stakeholder impact, but if the strategy is to wind that line down, it may not be material at the group level.

Conversely, this test surfaces controls that should be material but were missed - controls protecting the new geography being entered, the platform the strategy is being built on, or the data on which the long-term thesis depends.

A Scoring Rubric You Can Adapt

The three tests work as a binary gate: a control is or is not material. In practice, boards usually want a bit more texture - a way to rank candidate controls so the marginal calls are visible. The rubric below scores each candidate on the three tests plus two practical filters, on a 0-3 scale. Anything scoring 11 or above is a likely material control; 8-10 is a candidate; below 8 is generally not.

| Dimension | Score 0 | Score 1 | Score 2 | Score 3 |
|---|---|---|---|---|
| Risk linkage | No clear principal risk linked. | Linked to a sub-principal risk. | Mitigates a principal risk in part. | Primary mitigation for a disclosed principal risk. |
| Severity of failure | Negligible impact if it fails. | Limited operational nuisance. | Significant business or financial impact. | Existential or franchise-threatening impact. |
| Stakeholder reach | No external stakeholder affected. | Internal teams or single function. | Customers, regulators, or employees affected. | Multiple external stakeholder groups, including market / public. |
| Strategic relevance | Tangential to strategy. | Adjacent to current strategy. | Supports a stated strategic priority. | Critical to a stated strategic priority. |
| Plausibility of failure | Failure mode highly remote. | Theoretically possible, no precedent. | Plausible, has happened in peers. | Plausible and has happened to us before. |

A few notes on using the rubric:

  • The cut-off (11/15 in the example) is calibration, not law. Once you have scored a representative sample, plot the distribution and pick a threshold that gives you a credible material population - typically 30-50 controls.
  • If two scorers disagree by more than one point on a dimension, that is a useful signal - the underlying risk or impact is not as clearly understood as the team thinks.
  • Document the scoring on the controls themselves, not in a separate workbook. The board should be able to ask "why is this material?" and get the answer from the system, not from someone's memory.

Top-Down and Bottom-Up: Working in Both Directions

The most reliable way to land the inventory is to work the problem from both ends and meet in the middle.

Top-down

From principal risks

Take each principal risk in turn. Ask the risk owner: "If this risk crystallised tomorrow, which controls would the board want to know are operating effectively?"

This produces a clean, board-aligned list. The danger is that it stops at the level of disclosure - generic, plausible, not always evidenced. Pair with bottom-up.

Bottom-up

From the existing control library

Take the existing control library - SOX key controls, second-line oversight controls, regulatory return controls, RCSA controls - and run each candidate through the three tests.

This produces grounded, evidenced candidates. The danger is that it inherits the historical scoping rather than reflecting current strategy. Pair with top-down.

Where the two lists overlap, you have high confidence. Where they disagree, you have the conversations that matter: a control the principal risks suggest should exist but cannot be found in the library is a gap; a control in the library that does not link to any principal risk is either wrongly material or pointing at a missing principal risk.
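The rubric above (five dimensions, 0-3 each, 11/15 cut-off, a flag when two scorers differ by more than a point) and the top-down / bottom-up reconciliation just described are both mechanical enough to run as code, which is a useful way to check that the scoring sheet and the reconciliation are being applied consistently. The example below is an added illustration, not Initia's code or a tool the article describes; the control names, risk numbers and scores are constructed sample data loosely modelled on the insurer example later in the article, and the gate-then-rank ordering in `classify` is an assumption about how the three tests and the rubric combine.

```python
"""Material-control scoring and top-down / bottom-up reconciliation.

Added illustration of the article's rubric and reconciliation logic; not
Initia's code. All control names, risk numbers and scores are constructed.
"""
from dataclasses import dataclass

# Rubric dimensions from the article, each scored 0-3 by each scorer.
DIMENSIONS = ("risk_linkage", "severity", "stakeholder_reach",
              "strategic_relevance", "plausibility")
MATERIAL_CUTOFF = 11   # 11/15 and above: likely material (the article's calibration)
CANDIDATE_CUTOFF = 8   # 8-10: candidate; below 8: generally not material


@dataclass
class Candidate:
    name: str
    principal_risks: frozenset   # disclosed principal risks it mitigates (Test 1)
    stakeholder_impact: bool     # failure would harm a principal stakeholder (Test 2)
    strategic_relevance: bool    # critical to the stated strategy (Test 3)
    scores: dict                 # dimension -> (scorer A score, scorer B score)


def passes_three_tests(c):
    """Binary gate: a control is material only if all three tests pass."""
    return bool(c.principal_risks) and c.stakeholder_impact and c.strategic_relevance


def rubric_total(c):
    """Sum of the per-dimension scores, averaging the two scorers (max 15)."""
    return sum(sum(c.scores[d]) / len(c.scores[d]) for d in DIMENSIONS)


def disagreements(c):
    """Dimensions where the scorers differ by more than one point: a signal
    that the underlying risk or impact is not as well understood as assumed."""
    return [d for d in DIMENSIONS if max(c.scores[d]) - min(c.scores[d]) > 1]


def classify(c):
    """Gate on the three tests first, then rank by the rubric total (assumed ordering)."""
    if not passes_three_tests(c):
        return "key"            # important to the business, below the board's threshold
    total = rubric_total(c)
    if total >= MATERIAL_CUTOFF:
        return "material"
    if total >= CANDIDATE_CUTOFF:
        return "candidate"
    return "not material"


def reconcile(top_down, bottom_up, principal_risks):
    """Meet in the middle.

    top_down:  {risk -> set of control names the risk owner would want operating}
    bottom_up: {control name -> set of principal risks it links to (empty = none)}
    """
    td = {ctl for ctls in top_down.values() for ctl in ctls}
    bu = set(bottom_up)
    covered = ({r for r, ctls in top_down.items() if ctls}
               | {r for rs in bottom_up.values() for r in rs})
    return {
        # both directions agree: high confidence
        "high_confidence": sorted(td & bu),
        # principal risks say it should exist; the library cannot find it
        "gaps": sorted(td - bu),
        # in the library, no principal risk link: wrongly material or a missing risk
        "orphans": sorted(ctl for ctl in bu - td if not bottom_up[ctl]),
        # linked to a risk in the library but not named by the risk owner
        "library_only": sorted(ctl for ctl in bu - td if bottom_up[ctl]),
        # a principal risk with no material control behind it is itself a finding
        "uncovered_risks": sorted(r for r in principal_risks if r not in covered),
    }


# Constructed sample candidates (scores are illustrative, not real assessments).
SAMPLE = [
    Candidate("Reserving committee approval", frozenset({1}), True, True,
              {"risk_linkage": (3, 3), "severity": (3, 3), "stakeholder_reach": (3, 3),
               "strategic_relevance": (3, 3), "plausibility": (2, 2)}),
    Candidate("Vulnerability management", frozenset({4}), True, True,
              {"risk_linkage": (3, 3), "severity": (3, 1), "stakeholder_reach": (3, 2),
               "strategic_relevance": (2, 3), "plausibility": (3, 2)}),
    Candidate("Supplier onboarding checks", frozenset({3}), True, True,
              {"risk_linkage": (2, 2), "severity": (2, 1), "stakeholder_reach": (2, 2),
               "strategic_relevance": (2, 2), "plausibility": (1, 2)}),
    Candidate("Legacy product pricing review", frozenset({1}), True, False,
              {"risk_linkage": (2, 2), "severity": (2, 2), "stakeholder_reach": (2, 2),
               "strategic_relevance": (0, 0), "plausibility": (2, 2)}),
]

# Constructed top-down and bottom-up lists for the same hypothetical insurer.
TOP_DOWN = {1: {"Reserving committee approval", "Actuarial methodology change control"},
            3: {"Production change management"},
            4: {"Vulnerability management", "Identity and access management"}}
BOTTOM_UP = {"Reserving committee approval": {1}, "Vulnerability management": {4},
             "Identity and access management": {4}, "Production change management": {3},
             "Manual journal review": {1}, "Office visitor log": set()}
PRINCIPAL_RISKS = [1, 2, 3, 4, 5, 6, 7]

if __name__ == "__main__":
    for c in SAMPLE:
        print(f"{c.name:32} total={rubric_total(c):4.1f} -> {classify(c)}"
              f"  disagreements={disagreements(c)}")
    for key, value in reconcile(TOP_DOWN, BOTTOM_UP, PRINCIPAL_RISKS).items():
        print(f"{key:16}: {value}")
```

Two design points worth noting: averaging the two scorers keeps the total on the article's 0-15 scale so the 11 and 8 cut-offs still apply, and `reconcile` separates library controls with no risk link (orphans) from those that have a link but were not named by the risk owner (library-only), because the article treats those as two different conversations.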

A Worked Example: Mid-Cap UK Insurer

Consider a hypothetical UK premium-listed mid-cap insurer with about £1.5bn gross written premium, a UK and EEA branch network, and a digital direct-to-consumer arm. The principal risks disclosed in the strategic report:

  1. Underwriting and reserving risk
  2. Investment and credit risk
  3. Operational and technology resilience
  4. Cyber and information security
  5. Regulatory and conduct risk
  6. Climate and sustainability disclosure
  7. Strategic execution and talent

Working top-down through the three tests, a credible material controls inventory comes out something like this (illustrative, not prescriptive):

| Category | Principal risk(s) | Examples of material controls |
|---|---|---|
| Financial | 1, 2, 7 | Reserving committee approval; actuarial methodology change controls; investment limit monitoring; counterparty exposure controls; reinsurance cession; period-end close and consolidation; manual journal review. |
| Operational | 3, 4 | Important business service mapping and recovery testing; production change management; identity and access management for critical systems; vulnerability management; incident response process; critical third-party oversight (cloud, claims, payments). |
| Reporting | 2, 6 | Solvency II QRT preparation and review; ORSA process; TCFD / climate disclosure data lineage; sustainability KPI assurance; viability statement supporting evidence. |
| Compliance | 5 | Consumer Duty outcome monitoring; sanctions and PEP screening; SM&CR fitness and propriety; complaints handling and root cause; financial crime transaction monitoring; data protection / GDPR oversight. |

Counted out, this is roughly 35-45 material controls. Each one passes the three tests, links to at least one disclosed principal risk, and is owned by a named first-line accountable executive with second-line oversight and a defined source of third-line assurance. That is the shape of a defensible Provision 29 inventory.

The Four Categories - In Practice

The four-category model exists for a reason: each category has a different population of risks, owners and natural sources of evidence. A defensible inventory has meaningful coverage in all four. Here is what "meaningful" tends to look like.

Financial

If you have a SOX programme or a SOX-style ICFR programme, this is your starting point. Curate down, do not adopt wholesale. Typical material controls: period-end close, key reconciliations, journal entry approvals, revenue recognition judgements, treasury authorisations, segregation of duties in financial systems, ITGCs over financial reporting platforms.

A mid-cap usually lands here at 10-20 material controls.

Operational

Typically the fastest-growing category for early adopters because it is where a SOX programme has not done the work. Cyber, third-party risk, important business service resilience, change management, IT operations, physical safety where relevant. For regulated firms in the UK, much of this aligns with operational resilience and DORA-equivalent work that is already in flight.

Typical landing: 8-15 material controls.

Reporting

Non-financial reporting is where many companies have weak controls but loud disclosures. Climate / TCFD, sustainability metrics (CSRD-aligned), regulatory returns, viability and going-concern statements. The Provision 29 question is uncomfortable but useful: if your TCFD or sustainability disclosure relies on numbers nobody is contractually accountable for, is that a material control gap?

Typical landing: 5-10 material controls.

Compliance

For regulated firms, this is dense. Conduct, market abuse, anti-bribery and corruption, sanctions, GDPR, modern slavery, Consumer Duty (financial services), regulatory permissions and authorisations. Many of these have second-line owners and existing testing programmes - the Provision 29 work is curating the material subset and connecting it to the principal compliance risks the board has disclosed.

Typical landing: 7-15 material controls.

How Many Material Controls Is Right?

There is no FRC-prescribed number. Emerging market practice, across the early adopters we have seen, clusters as follows:

| Profile | Typical material controls | Notes |
|---|---|---|
| Simple business, single jurisdiction | 20-30 | Lean operations, fewer principal risks. Heavily weighted towards financial and operational. |
| Mid-cap, multi-jurisdiction | 30-50 | Modal range. Balanced spread across the four categories. |
| Large complex group | 50-80 | Multiple business lines, geographies, regulators. Compliance category often heavier. |
| Banks and large insurers | 80-150+ | Significant prudential and conduct populations. Operational resilience adds depth. |

If you end up well above these ranges, you are likely close to a key-control inventory rather than a material-control inventory. If you end up well below, you are probably under-scoping operational, reporting or compliance. The number is not the goal - but the number is informative.

Common Scoping Mistakes

Watch For
  • The "everything is material" trap. Producing 200-400 material controls to look thorough. The opposite is more credible. A board cannot opine on a list it could not realistically read.
  • Financial-only scoping. Treating Provision 29 as ICFR + a few add-ons. Operational, reporting and compliance are explicitly in scope and exactly where regulators will look hardest.
  • Material control = key control. Importing the existing key control library wholesale. Most key controls are not material; some material controls are not yet in the library.
  • Top-down only. Scoping from principal risks alone, ending up with controls that are plausible but unevidenced. Pair with the existing library.
  • Bottom-up only. Picking from the existing library without testing against principal risks. Inherits historical blind spots.
  • Forgetting reporting. Climate, sustainability and viability disclosures are expanding fastest. Material control coverage must keep pace.
  • One-off scoping. Building the inventory once, freezing it, never revisiting. Material change events - acquisitions, regulatory change, incidents - require out-of-cycle review.
  • Management-only sign-off. The Audit Committee should approve the materiality criteria before they are applied. Otherwise the resulting universe is a management judgement reported to the board, not a board judgement.

Connecting Material Controls to Risks, RCSA and Reporting

A material controls inventory only works if it lives inside the wider risk and control operating layer, not next to it. The connections that matter:

The single biggest predictor of a Provision 29 programme that holds up at year-end is whether these connections exist in one operating environment - or whether the inventory is a separate spreadsheet that has to be reconciled against three other systems before the board paper can be drafted.

Documenting the Inventory and the Decision

Whatever scoring or rubric you use, two things need to be defensible against challenge:

  1. The criteria the board approved. A short paper - typically signed off by the Audit Committee - documenting how the company defines a material control and what tests apply. Generic principles plus company-specific calibration. This is the artefact the FRC, internal audit and stakeholders will ask for first.
  2. The application of those criteria. For each control flagged material, a record of why - which principal risk, which stakeholder impact, which strategic priority, which scoring outcome. Stored against the control itself.

Together, those two things are what makes the materiality decision a board judgement rather than an unexplained outcome of a workshop.

Maintaining the Inventory Over Time

A material controls inventory is a living artefact. Triggers for review:

  • Annual cycle - reviewed in line with the principal risks review.
  • Material change events - acquisitions, divestments, new product launches, new geographies, regulatory change, significant incidents, board strategy changes.
  • Assurance findings - if internal audit consistently finds a control is not what it was thought to be, materiality should be re-checked.
  • Disclosure feedback - shareholder, regulator and analyst questions on the prior year's declaration are a useful input to the next scoping cycle.

How Initia Supports the Methodology

Initia is built so the material controls inventory is not a spreadsheet sitting next to the risk register - it is a property of the control itself, in the same operating layer as risks, assessments, evidence and reporting. For Provision 29 specifically:

  • Material flagging - any control can be tagged material with the criteria, scoring and approval recorded against it.
  • Risk-to-control linkage - principal risks linked to material controls and back, in a live data model.
  • Three-line assurance map - first-line owner, second-line oversight, third-line assurance and any external review captured against each material control.
  • Audit trail - changes to materiality scoping, owners and scoring tracked over time so the board can see how the inventory has evolved.
  • Board outputs - integrated views ready for the Audit Committee that show the inventory, the assurance behind it, and where evidence is thin.

The Bottom Line

A material internal control is one whose failure could reasonably cause material adverse impact to the company's financial position, operations, regulatory standing or long-term sustainability - judged by the board, not assumed by management. The methodology is three tests (risk linkage, stakeholder impact, strategic relevance), applied top-down from principal risks and bottom-up from the existing control library, with a scoring rubric to make marginal calls visible.

For a typical UK premium-listed mid-cap, that lands at 30-50 material controls spread across financial, operational, reporting and compliance. The inventory is a living artefact, owned by the board, evidenced in the same operating layer as risks and assessments, and reviewed at least annually.

For the wider Provision 29 roadmap that this scoping work feeds into, see our end-to-end Provision 29 compliance guide. For how the regime compares to SOX, see Provision 29 vs SOX: a 2026 guide. If you would like to see what running a board-defensible material controls inventory looks like in practice, we would welcome a conversation.
