Once Provision 29 appeared in the 2024 update to the UK Corporate Governance Code, two phrases attached themselves to it almost immediately: "UK SOX" and "SOX-lite". Both are misleading - and getting them wrong is the difference between a Provision 29 programme that holds up at year-end and one that has to be rebuilt by 2027.
This guide compares Provision 29 of the UK Corporate Governance Code with the Sarbanes-Oxley Act of 2002 (specifically section 404 on internal control over financial reporting), shows where the two regimes genuinely overlap, where they diverge, and what that means for UK premium-listed companies, dual-listed groups, and finance and risk teams who already run a SOX programme.
In short
Provision 29 is not UK SOX. It is principles-based, board-owned, comply-or-explain, and broader than financial controls. SOX is rules-based, externally audited (s.404(b)), narrower (financial only), and carries criminal liability for false certifications.
- Scope - Provision 29 covers financial, operational, reporting and compliance. SOX 404 covers internal control over financial reporting only.
- Assurance - No mandatory external auditor opinion under Provision 29. SOX 404(b) requires one for accelerated filers.
- Materiality - Board judgement (Provision 29). Quantitative SEC concepts and PCAOB AS 2201 (SOX).
- Mechanism - Comply-or-explain under the UK Listing Rules vs federal law and SEC enforcement.
- Overlap - The financial and reporting controls populations rationalise sensibly. The operational and compliance categories under Provision 29 do not.
Why People Call Provision 29 "UK SOX"
The nickname is understandable. Both regimes ask senior leadership to attest, in writing, to the effectiveness of internal controls. Both produce a public statement in the annual report. Both expect documented evidence behind that statement. Both arrived in the wake of high-profile corporate failures - Enron and WorldCom for SOX in 2002, Carillion, Patisserie Valerie, Thomas Cook and BHS for the FRC's broader reform agenda that produced Provision 29 in 2024.
But the resemblance is surface-level. The drafters at the FRC actively rejected the SOX model. The 2023 government response to Restoring Trust in Audit and Corporate Governance walked back the original idea of a UK-specific statutory attestation regime. What landed instead was deliberately lighter, broader and more principles-based - and how it works in practice is genuinely different.
The Two Regimes Side-by-Side
| Dimension | Provision 29 (UK) | SOX 404 (US) |
|---|---|---|
| Legal basis | UK Corporate Governance Code 2024, applied via the UK Listing Rules. Comply-or-explain. | Sarbanes-Oxley Act 2002, US federal law. Mandatory for SEC registrants. |
| Who is in scope | Companies with a UK premium listing. Many AIM, mid-market and private companies aligning voluntarily as best practice. | SEC registrants. s.404(b) external auditor attestation only required for accelerated and large accelerated filers. |
| Effective from | Accounting periods beginning on or after 1 January 2026. First declarations in annual reports published in 2027. | In force since 2004 (s.404(a)) / 2007 onward for s.404(b) phase-ins. |
| Scope of controls | Material controls across four categories: financial, operational, reporting, compliance. | Internal control over financial reporting (ICFR) only. |
| Who certifies | The board as a whole, in the annual report. | CEO and CFO personally (s.302 quarterly + s.404 annually). |
| Materiality definition | Board judgement. Principles-based - typically 30-50 material controls, linked to principal risks. | PCAOB AS 2201 / AS 5 plus SEC quantitative materiality. Typically 100s of key controls in mid-cap groups. |
| External assurance | Not required. Board chooses what assurance it needs. | Mandatory external auditor opinion under s.404(b) for accelerated filers. |
| Frequency | Annual. Board declares effectiveness as at the balance sheet date. | Annual ICFR opinion (10-K) plus quarterly s.302 certifications (10-Q). |
| Disclosure if not effective | Describe material controls that have not operated effectively, actions taken, and updates on previously reported weaknesses. | Disclose any "material weakness" in ICFR. Adverse 404(b) opinion if uncorrected. |
| Enforcement | FCA listing rule consequences for failure to comply or explain. FRC oversight. Market and shareholder reaction. | SEC enforcement. PCAOB inspection of auditors. Criminal liability under s.906 for knowingly false certification. |
| Underlying philosophy | Principles-based. Board-owned. Trust-the-explanation if you cannot comply. | Rules-based. Personal management certification. Externally audited. |
Where the Two Regimes Genuinely Overlap
For groups that already run a SOX programme - or that are part of a US group with a SOX-tested control environment - there is real reuse to be had. Everything listed below is also Provision 29 material, provided the underlying control is material to the UK group.
- Period-end financial close controls - journal entry approvals, account reconciliations, consolidation adjustments, manual journals review. Almost all of these will appear under both regimes' financial categories.
- Revenue recognition and complex accounting controls - especially around IFRS 15 / ASC 606 judgements, which boards typically treat as material.
- Segregation of duties within financial systems and treasury authorisation.
- Financially relevant ITGCs - access management, change management and operations over the financial reporting environment. These count under SOX, and they count again under Provision 29's financial and operational categories.
- Control documentation and walk-throughs - the same descriptions, narratives and process flows used for SOX testing can serve as Provision 29 evidence with minor relabelling.
- Deficiency rating and aggregation - a SOX rating framework (significant deficiency, material weakness) maps reasonably well onto the Provision 29 disclosure of material controls that "have not operated effectively".
If you have a mature SOX environment, the financial slice of Provision 29 is probably 70 to 80 percent done. That is the easy half.
Where the Two Regimes Diverge Sharply
1. Scope - Provision 29 Is Wider
SOX 404 is unambiguously about internal control over financial reporting. Operational outages, cyber breaches, supplier failures, conduct breaches and ESG disclosure errors are not in scope unless they actually flow through the financial statements.
Provision 29 is the opposite. The whole point of the four-category model is that boards must look beyond the finance organisation. The most common areas SOX programmes do not cover, but Provision 29 explicitly does, are:
- Cyber and information security - not just IT general controls over financial systems, but the full security posture (access management, vulnerability management, incident response, third-party security).
- Third-party / vendor risk - critical outsourcing, cloud, payments, data processing.
- Operational resilience - business continuity, important business services, recovery time objectives.
- Compliance controls - anti-bribery and corruption, sanctions, GDPR, conduct, modern slavery, market abuse, insider lists.
- Non-financial reporting - climate / TCFD, sustainability disclosures (CSRD-aligned), regulatory returns, viability and going-concern.
For a SOX-only programme, this is genuinely new territory. The first-line owners are different. The control populations are different. The natural sources of evidence are different. A board that signs the Provision 29 declaration on the back of SOX scope alone is materially under-disclosing.
2. Assurance - No Mandatory External Audit
SOX 404(b) requires the external auditor to issue a separate opinion on the effectiveness of ICFR for accelerated filers. The auditor walks the controls, tests samples, signs an opinion that is filed alongside the financial statements, and personally carries reputational risk on it.
Provision 29 does not require this. The board chooses what level of assurance it wants behind the declaration. That can include:
- First-line management self-assessment via RCSA (risk and control self-assessment).
- Second-line oversight by Risk, Compliance, Operational Resilience and similar functions.
- Third-line independent assurance from internal audit - testing both design and operating effectiveness of material controls on a rolling basis.
- Optional external assurance on specific control populations - cyber, financial, sustainability - where the board considers it appropriate.
In practice, most UK premium-listed boards we see settling early are landing on a layered model: heavy first-line evidence, structured second-line oversight, and a deliberate internal audit programme that rotates through all four categories over a two- or three-year cycle. External assurance is targeted, not blanket.
3. Materiality - Judgement, Not Calculation
SOX materiality flows down from quantitative concepts in the SEC and PCAOB framework. There is a financial planning materiality, a tolerable misstatement, and a deficiency severity assessment. That generally produces large key control populations - 200 to 800 controls in a mid-cap, often more.
Provision 29 materiality is explicitly a board judgement. The FRC has not set a number. Early adopters are landing on materially smaller populations - typically 30 to 50 material controls - because the population the board can credibly opine on is not the population a SOX programme is built to test.
For dual-listed companies, this difference matters. The SOX key control inventory and the Provision 29 material controls inventory are not the same list. Provision 29 is a smaller, board-curated subset for finance, plus a parallel population the SOX inventory does not contain at all (operational, compliance, non-financial reporting). For more on how to construct that subset, see our methodology for identifying material internal controls.
4. Enforcement - Listing Rules, Not Federal Law
SOX is enforced through SEC civil action and, in extreme cases, criminal penalties under section 906 for knowingly false certification. Auditors are inspected by the PCAOB. The enforcement teeth are real.
Provision 29 is enforced through the UK Listing Rules' comply-or-explain model. If you cannot comply, you must explain. Beyond that, the consequences are regulatory (FCA, FRC oversight, sectoral regulators), reputational (analysts, ratings agencies, the financial press), and shareholder-driven (proxy advisers, AGM votes, stewardship reporting). There is no equivalent of a personal criminal certification offence. The accountability is collective and reputational rather than individual and statutory.
That difference is important for tone. SOX programmes are run with the threat of an SEC enforcement action - lawyered, conservative, exhaustively documented. Provision 29 programmes will be judged by the quality of the disclosure. A boilerplate, defensive, lawyered statement that resembles a SOX certification is exactly what the FRC has explicitly said it does not want to see.
Five Myths Worth Killing Now
- Myth: "Provision 29 is UK SOX." No. It is principles-based, broader in scope, board-owned, and not externally audited. Calling it SOX is the easiest way to get the operating model wrong.
- Myth: "We just bolt it onto our SOX programme." Half right. The financial slice rationalises sensibly. The operational, compliance and non-financial reporting slices need separate scoping, owners and evidence.
- Myth: "Our external auditor will sign it." No. There is no required external opinion. The board can ask for external assurance, but the certification itself is the board's.
- Myth: "Only financial controls are material." No. The FRC has been clear that boards must look across all four categories, and that operational and compliance failures are exactly where regulators expect to see evidence.
- Myth: "We can write a generic statement and tweak each year." No. The FRC has explicitly warned against boilerplate. Generic disclosures will attract more stakeholder scrutiny, not less.
If You Are Dual-Listed: How to Rationalise
UK premium-listed groups that are also SEC registrants - cross-listed groups, IPOs that retained their UK listing, US-headquartered groups with London listings - face both regimes simultaneously. The good news: with deliberate programme design, you do not have to run two parallel programmes.
A practical rationalisation looks like this:
- Single financial control library. SOX key controls and Provision 29 material financial controls live in the same library, tagged for each regime. The Provision 29 set is a curated, board-approved subset.
- Single ITGC environment. ITGCs supporting financial systems serve both regimes. Treat them as one population, evidenced once.
- Separate operational, compliance and non-financial reporting populations. These are Provision 29-only. Do not try to retrofit them into a SOX taxonomy - they belong with their natural owners (CISO, Chief Compliance Officer, Head of Operational Resilience, Head of Sustainability).
- Different testing rhythms. SOX requires walk-throughs and operating effectiveness testing on a defined cycle for the auditor. Provision 29 is more flexible - test through the year on a risk-weighted cadence, not on an audit-driven sample plan.
- Different deficiency frameworks. Map them: a SOX "material weakness" will almost always be a Provision 29 disclosure trigger. The reverse is not true - operational or compliance failures may be Provision 29-disclosable without ever becoming SOX issues.
- Different reporting layers. The board and Audit Committee see the integrated Provision 29 picture; the SOX certification stays with the CEO/CFO and external auditor. Do not collapse the two governance routes into one paper.
Done well, a dual-listed group ends up with one operating environment for risks and controls, two regime-specific views over the top, and a single source of truth that produces both certifications without rebuilding either at year-end.
What This Means for Each Function
Audit Committee Chair
Owns the declaration. Needs early visibility into material controls scoping, assurance map and known weaknesses. Should not see the year-end declaration for the first time in March.
SOX background helps with discipline, but resist the urge to import SOX-style sample plans - the board paper should look like governance reporting, not a controls audit.
CFO and Finance
Owns the financial slice. Most overlap with SOX. The work is taking the existing financial control library and curating the material subset that maps to principal risks.
Note: do not let "we'll just use the SOX list" become the answer. The Provision 29 financial population is smaller, board-curated, and reported differently.
Chief Risk Officer
Owns the risk-to-control linkage and the operational and compliance categories. Most of the new work outside finance lands here.
Existing principal risk reporting and RCSA programmes are the backbone - Provision 29 forces them to align tightly with material controls and assurance evidence.
Head of Internal Audit
Becomes a structural source of assurance behind the declaration. The audit plan must be built around material control coverage, not just risk-based audit topics.
For dual-listed groups, IA and external audit need a clear demarcation - SOX testing is the auditor's; Provision 29 third-line assurance is IA's.
Company Secretariat
Owns the disclosure drafting and the link to the rest of the annual report (principal risks, viability, going concern, audit committee report).
Provision 29 wording should be company-specific, not boilerplate, and consistent with what is described elsewhere in the strategic report.
CISO / Head of Op Resilience
Often outside SOX scope, suddenly central to Provision 29. Cyber, third-party and important-business-service controls all need to be evidenced to a board-defensible standard.
Existing operational resilience and DORA work is largely reusable - relabel and link, do not rebuild.
Where SOX Discipline Helps
There are habits from SOX that translate well to Provision 29 - and that companies without a SOX background tend to neglect:
- Documented control descriptions - what the control is, who operates it, how often, what evidence it produces.
- Walk-throughs - confirming the control as documented matches the control as operated.
- Sample-based operating effectiveness testing with documented work papers.
- Deficiency severity frameworks - significant deficiency vs material weakness logic ports cleanly into Provision 29 disclosure thresholds.
- Defined remediation tracking with owners and dates.
Where SOX Habits Get You in Trouble
And there are habits from SOX that produce a worse Provision 29 outcome if imported wholesale:
- Volume over judgement. SOX rewards exhaustive coverage; Provision 29 rewards a curated, board-defensible subset. A 400-control Provision 29 inventory is a red flag, not a gold star.
- Lawyered, defensive language. The s.302/906 attestation is intentionally narrow; the Provision 29 declaration is intentionally communicative. Different audiences, different tone.
- Financial-only thinking. If your Provision 29 paper to the board only references finance, IT and the external audit relationship, you have written half a regime.
- Treating it as a year-end event. SOX testing has a natural year-end peak. Provision 29 is supposed to be a year-round process. Compressing the work into the last quarter is the single biggest predictor of a weak declaration.
- External-auditor-led design. Boards that delegate the design of a Provision 29 programme to their external auditor end up with a SOX-shaped programme. The board owns the declaration; the design has to belong to the company.
How Initia Supports Both Regimes
For UK-listed and dual-listed groups, Initia is built to host the underlying control environment once and serve both regimes from it. In practice that means:
- Multi-regime tagging - the same control can be flagged Provision 29 material, SOX key, both, or neither, with the criteria stored against the tag.
- Risk-to-control linkage - principal risks linked to material controls in a live data model, not a static map.
- Evidence and assessment workflows - design and operating effectiveness assessments scheduled, owned, evidenced and tracked through the year.
- Layered assurance map - first, second and third line activity captured against each material control, with full audit trail.
- Board and committee outputs - integrated views ready for both the Audit Committee Provision 29 reporting cycle and the CFO's SOX summary, without rebuilding either.
The Bottom Line
SOX and Provision 29 share a goal - giving stakeholders a defensible view that internal controls work. They get there in very different ways. SOX puts a CEO and CFO certification on the front of a financial-controls regime, externally audited, federally enforced. Provision 29 puts the board behind a broader, principles-based, comply-or-explain declaration that includes operational, compliance and non-financial reporting controls, and that no external auditor is required to sign.
For UK premium-listed companies, the right mental model is not "SOX-lite". It is "the board owns this, across all four categories, and has to be able to point at the evidence". For dual-listed groups, both regimes can run off the same operating layer - but only if the differences in scope, materiality and assurance are designed in from the start, not retrofitted in 2027.
For the structure of a Provision 29 programme end to end, see our Provision 29 compliance guide. For the methodology behind the material controls inventory itself, see how to identify material internal controls under Provision 29. If you want to see what running both regimes off one operating layer looks like in practice, we would welcome a conversation.