Provision 29 of the UK Corporate Governance Code: An End-to-End Compliance Guide

Initia Risk Team
Apr 17, 2026
Provision 29 is the headline change in the 2024 update to the UK Corporate Governance Code. From accounting periods beginning on or after 1 January 2026, boards of UK premium-listed companies are expected to publicly declare the effectiveness of their material internal controls - financial, operational, reporting and compliance - at the balance sheet date.

It sounds simple. In practice, it is the most significant change to UK governance disclosure in over a decade. It moves boards from "we have an internal control framework" to "we have looked at it, tested it, and we are willing to put our names against it."

This guide walks through what Provision 29 actually requires, the four high-level control categories that sit underneath it, and a practical end-to-end roadmap to get from where most organisations are today to a defensible board declaration.

Provision 29 at a Glance
  • Who: Companies with a UK premium listing - on a comply-or-explain basis. Many other UK firms are aligning voluntarily as best practice.
  • When: Accounting periods beginning on or after 1 January 2026. First declarations in annual reports published in 2027.
  • What: Annual board declaration on whether material controls across financial, operational, reporting and compliance are operating effectively as at the balance sheet date.
  • How: Board judgement - principles-based, no prescribed control count, no mandatory external assurance.
  • Disclosure: Description of monitoring, declaration of effectiveness, any material controls not operating effectively, actions taken, and updates on previously reported weaknesses.

What Provision 29 Actually Requires

Provision 29 places three connected expectations on the board:

  1. Monitor the company's risk management and internal control framework on an ongoing basis.
  2. Review the effectiveness of that framework at least annually, covering all material controls (financial, operational, reporting and compliance).
  3. Declare in the annual report whether the board considers material controls to have operated effectively as at the balance sheet date - and disclose any that did not, the actions being taken, and updates on previously reported material weaknesses.

The shift in language matters. Earlier versions of the Code asked boards to review the effectiveness of internal control. Provision 29 asks them to declare it. That single word changes the level of evidence boards now expect to see before they sign anything off.

The Four High-Level Control Categories

Provision 29 spans four control categories. Each one has a different population of risks, owners, and natural sources of assurance. A defensible declaration requires the board to look across all four - not just financial, where many organisations are most comfortable.

Financial
  • What it covers: Controls over the integrity of the financial statements and underlying financial processes.
  • Typical material controls: Journal entry approvals, revenue recognition, period-end close, reconciliations, treasury authorisations, segregation of duties.

Operational
  • What it covers: Controls that protect the day-to-day operations of the business and the value chain.
  • Typical material controls: Cyber and IT controls, third-party / vendor risk, business continuity and disaster recovery, change management, operational resilience.

Reporting
  • What it covers: Controls over non-financial reporting - both regulatory and voluntary.
  • Typical material controls: Climate / TCFD disclosures, sustainability reporting (CSRD-aligned), regulatory returns, ESG metrics, viability and going-concern statements.

Compliance
  • What it covers: Controls that demonstrate adherence to laws, regulations and the company's own policies.
  • Typical material controls: Anti-bribery and corruption, sanctions screening, GDPR / data protection, conduct and consumer duty, modern slavery, market abuse / insider lists.

If you only know one thing about Provision 29, know this: it is not a financial-controls regime. Boards that treat it like UK SOX will under-disclose on operational, reporting and compliance controls - and that is exactly where regulators, auditors and shareholders will be looking hardest.

Defining "Material Controls" - The First Real Decision

The FRC has deliberately not prescribed how many material controls a company should have, or which ones. That decision sits with the board. In practice, early adopters are clustering around 30 to 50 material controls, with the exact number driven by sector, size, complexity and risk profile.

A useful working definition: a material control is one whose failure could reasonably be expected to have a material adverse impact on the company's financial position, operations, regulatory standing, or long-term sustainability.

Three tests boards are using in practice:

  • Risk linkage: Does this control mitigate one of the company's principal risks?
  • Stakeholder impact: Would failure cause material harm to shareholders, customers, employees, regulators or the public?
  • Strategic relevance: Is the control critical to delivering or protecting the strategy described elsewhere in the annual report?

Common Pitfall

The "Everything Is Material" Trap

Some companies are tempted to label hundreds of controls as material to look thorough. The opposite is more credible. A list of 30 to 50 well-evidenced material controls, each clearly linked to a principal risk, is far more defensible than a sprawling 400-control inventory the board could not realistically opine on. Materiality is a judgement, not a coverage statistic.

High-Level Tips Before You Start

Before any new framework gets built, a few principles save a lot of time:

  • Start from principal risks, not from controls. Material controls should fall out of the principal risks the board already discloses - not the other way around.
  • Use what you already have. Most organisations have an existing risk and control library. Provision 29 is a chance to rationalise, not duplicate.
  • Anchor in the Three Lines model. Ownership in the first line, oversight from the second line, independent assurance from the third line. See our guide to the Three Lines of Defence.
  • Design for evidence, not for elegance. Every material control needs an owner, a test, a frequency, and a place where the evidence lives. If you cannot point to it, the board cannot rely on it.
  • Decide your assurance map early. Which controls are evidenced by management, which by the second line, which by internal audit, and which (if any) by external assurance.
  • Avoid boilerplate. The FRC has explicitly warned against generic disclosures. Boards that say nothing distinctive will attract more scrutiny, not less.

End-to-End Compliance: A 7-Step Roadmap

There is no single FRC-mandated process for getting to a Provision 29 declaration. But the shape of a workable programme is fairly consistent across the early adopters. Below is a practical 7-step roadmap that takes a company from "we have a control framework somewhere" to "the board can sign the declaration with confidence."

  1. Sponsor and scope - Board-level sponsor (often the Audit Committee Chair). Defined scope across the four categories. Clear interaction with risk, internal audit, finance and company secretariat.
  2. Define materiality - Documented materiality criteria approved by the board. Consistent application across categories. A first-cut universe of candidate material controls.
  3. Map risks to controls - Each principal risk linked to the controls that mitigate it. Each material control linked to one or more principal risks. Single source of truth, no parallel spreadsheets.
  4. Assess design and operation - Documented control descriptions, owners, frequency and evidence. Design effectiveness reviewed; operating effectiveness tested through the year. See how to run an effective RCSA.
  5. Build the assurance map - For each material control: who tests it, how often, what evidence is produced, who reviews the result. Assurance is layered - first line, second line, internal audit, external where needed.
  6. Report into governance - Audit / Risk Committee receives an integrated view of risks, controls, exceptions and remediation - on a recurring cadence. See board-ready risk reporting.
  7. Draft and sign the declaration - Annual report wording drafted from the underlying evidence. Material weaknesses, actions and updates on previously reported issues clearly described. Board comfort that the declaration is supportable.

Step 1 - Sponsor and Scope

Provision 29 is a board responsibility. In most companies the Audit Committee Chair becomes the board-level sponsor, working with the CFO, Chief Risk Officer (or equivalent), Head of Internal Audit and Company Secretary. The first deliverable is not a control list - it is a clear governance map of who does what across the four categories, and how the streams will connect at year-end.

Step 2 - Define Materiality

Document the criteria the board will use to judge a control as material. Apply them consistently across financial, operational, reporting and compliance. Have the board (typically through the Audit Committee) approve the criteria before applying them - so the resulting universe is a board judgement, not a management one.

Step 3 - Map Risks to Controls

If a material control does not link to a principal risk, ask why it is material. If a principal risk does not link to any material controls, that is a finding in itself. The mapping needs to be dynamic - not a one-off PDF that ages out of date.

Step 4 - Assess Design and Operation

For every material control, the basics: what it is, who owns it, how often it operates, what evidence it produces, and how that evidence is captured. Design effectiveness asks whether, in principle, the control would prevent or detect the risk if operated as described. Operating effectiveness asks whether, in practice, it has done so over the period. Both are needed.

Practical Tip

Test through the year, not in the last fortnight

A common (and very avoidable) mistake is to leave control testing to a panic at year-end. The FRC's expectation is continuous monitoring with structured periodic testing. A simple rhythm - quarterly tests for higher-risk controls, half-yearly or annually for lower-risk ones, with rolling evidence - means the year-end assessment is a summary, not a scramble.

Step 5 - Build the Assurance Map

For each material control, the assurance map records who provides evidence (first line), who reviews it (second line), where internal audit looks (third line), and where the board has decided external assurance is needed. The output is a single view that lets the board see, at a glance, where assurance is strong, where it is thin, and where it is missing entirely.

Step 6 - Report into Governance

By the time the year-end declaration is being drafted, the Audit and Risk Committees should have already seen multiple iterations of the underlying picture - risks, material controls, test results, exceptions, remediation plans. Provision 29 fails when the year-end declaration is the first time the board has seen a consolidated view. Embedding the picture into the regular committee cycle is the difference between confidence and surprise.

Step 7 - Draft and Sign the Declaration

The declaration itself should describe how the board has monitored and reviewed the framework, state whether material controls have operated effectively as at the balance sheet date, describe any that have not (with actions and timelines), and provide updates on previously reported material weaknesses. The text should reflect the company - not a market template.

Where Provision 29 Programmes Typically Break

Most early Provision 29 programmes do not fail because of the framework. They fail in the operating layer underneath it.

  • Spreadsheet sprawl: Controls live in one workbook, risks in another, actions in email - and nothing reconciles at year-end.
  • Owners on paper only: Named control owners have not reviewed the control in a year. See how to create real risk ownership.
  • No audit trail: The board cannot show, in one place, when each material control was last tested, by whom, and against what evidence.
  • Year-end heroics: Months of last-minute testing because nothing was being captured during the year.
  • Boilerplate disclosure: A declaration that could have been written by any company in any sector. The FRC has been explicit that this is not the standard.

All of these are operational - not conceptual - failures. The frameworks are usually fine. The infrastructure underneath them is not.

How Provision 29 Connects to the Wider ERM Agenda

Provision 29 is not a standalone exercise. It pulls together work that most ERM functions are already doing - principal risk reporting, control assessments, internal audit findings, regulatory returns, board reporting - and demands that they line up. Companies that already run a credible ERM framework, with structured risk and control assessments and consistent board-level risk reporting, are already doing 70 to 80 percent of the work.

The remaining 20 to 30 percent is the joining-up: a single, current view of risks, material controls, evidence and assurance, owned by the board, that produces both the declaration and the underlying defensible record.

How Initia Supports Provision 29

Initia is built around the assumption that risks, controls, evidence and reporting belong in the same operating environment - not stitched together at year-end. For Provision 29 specifically, this means:

  • Material control flagging - tag controls as material, with the criteria and approval recorded against them.
  • Risk-to-control linkage - principal risks linked to material controls and back, in a live data model rather than a static map.
  • Structured assessments - design and operating effectiveness assessments scheduled, owned, evidenced and tracked through the year.
  • Assurance mapping - first, second and third line activity captured against each material control, with full audit trail.
  • Board and committee reporting - integrated outputs for the Audit and Risk Committees, ready to support the year-end declaration without being rebuilt from scratch.

The result: when the board sits down to sign the Provision 29 declaration, the evidence is already there - current, connected, and defensible.

The Bottom Line

Provision 29 is not asking boards to build a new control universe. It is asking them to take the one they already have, decide which controls genuinely matter, evidence that those controls work, and put their names against the answer.

The companies that will find this hardest are the ones whose risk and control infrastructure lives in spreadsheets, email threads and quarterly papers. The companies that will find it easiest are the ones whose risks, controls, assessments and assurance already line up in one place - and where the year-end declaration is the natural output of a process that has been running all year.

If you are building toward your first Provision 29 declaration and want to see what that operating layer looks like in practice, we would welcome a conversation.