What "Good" Looks Like Under Provision 29

Jun 15, 2026
Guest article. Views are the author's own and do not necessarily represent Initia Risk.

As UK-based organisations move beyond understanding Provision 29 to implementing it, a challenging question emerges: what does "good" actually look like in practice?

Provision 29 moves from describing frameworks to defending their effectiveness. In that context, "good" is not defined by the number of policies or the existence of processes, but by whether a board can stand behind its declaration with clear, credible evidence.

In practice, organisations that are responding well to Provision 29 share a small number of consistent characteristics.

At a glance

Under Provision 29, "good" is defined by coherence, not completeness - whether a board can stand behind its declaration with credible evidence. Organisations responding well share four characteristics:

  • Clear line of sight from risk to control - a defined set of material controls, each owned and linked to a principal risk.
  • Evidence-based assurance, not assertions - targeted testing of material controls, supported by a layered assurance model.
  • Integrated board-level reporting - consolidated assurance packs, not fragmented function-by-function updates.
  • Documentation that supports accountability - directors can interrogate and defend their conclusion, with weaknesses made visible.

They have a clear line of sight from risk to control

Strong organisations demonstrate a clear and disciplined linkage between principal risks and the controls that mitigate them. Rather than maintaining extensive control inventories, they focus on a defined set of material controls aligned to the areas of most significant risk exposure.

For example, a company identifying cyber risk as a principal risk will typically articulate a small number of key controls, such as privileged access management, patching, and incident response, rather than referencing a broad IT control landscape. Each control is clearly described, owned, and linked back to the underlying risk in a way that can be readily explained.

Ownership is equally explicit. It is clear who is accountable for the control, who performs it, and how issues are escalated. This clarity ensures that controls are embedded into operational activities.

They look for evidence-based assurance, not assertions

A defining feature of good practice is the shift from reliance on management assertion to evidence-based assurance. Organisations no longer depend on statements such as "controls are in place" or "controls are operating effectively." Instead, they can demonstrate how those controls have been tested and what the results show.

In practice, this means targeted testing, focused on material controls. For example, a revenue recognition control might be tested through sample transaction reviews, supported by data analysis over a defined period. An end-of-period confirmation is no longer sufficient.

This testing is complemented by a layered assurance model. Internal audit, "second-line" functions, and external assurance providers contribute to a balanced evidence base. Where issues are identified, such as inconsistent control execution across business units, they are documented in a transparent manner, with remediation actions tracked through to completion.

Board-level reporting is integrated

Less mature organisations often struggle with fragmented reporting. Evidence exists, but it is dispersed across functions, making it difficult for the Board to form a coherent view.

By contrast, organisations demonstrating good practice integrate this information into consolidated, Board-level reporting. Audit committees are provided with structured assurance packs that bring together testing results, independent assurance findings, and management information into a single narrative.

For example, rather than separate updates from compliance, risk, and internal audit, a Board pack might present a consolidated view of a material control, showing its design assessment, testing results, any incidents or breaches, and the current remediation status. This allows directors to understand not only whether a control exists, but how reliably it operates and whether any residual risk remains.

They have documentation that supports Board accountability

Ultimately, "good" under Provision 29 is defined by the quality of the information available to the Board. Directors must be able to interrogate and defend their conclusion on control effectiveness.

This requires documentation that is designed to support that judgement directly. Boards can see what has been tested, how it has been tested, what issues have been identified, and how those issues are being addressed. They can see where judgements have been made, where trade-offs exist, and where residual risks remain. Importantly, weaknesses are highlighted. Transparency is treated as a strength, not a risk.

For example, where a control has failed, such as a breakdown in third-party due diligence, the documentation will set out the root cause, the impact, and the remediation plan, alongside a clear statement of whether this constitutes a material weakness.

This transparency is critical. It allows the Board to make informed, defensible judgements rather than relying on management comfort or committee summaries. Directors instead rely on a structured, evidence-based view of effectiveness that they can challenge, interrogate, and ultimately stand behind.

The underlying shift

The common theme across all of these elements is a shift in mindset. Organisations that are responding effectively are focusing on whether their control environment is credible, proportionate, and capable of withstanding challenge. They are not trying to build the most comprehensive framework.

"Good" under Provision 29 is therefore not about completeness. It is about coherence. It is the ability to demonstrate, with evidence, that key risks are understood, critical controls are working, and weaknesses are visible and managed.

In simple terms, the move is from saying "we have controls" to showing, clearly and convincingly, "these controls work, and where they do not, we know why and what we are doing about it."

Resources

GRC Catalyst has developed a short, focused training course for Boards and Executives covering Provision 29. The course takes 10-15 minutes and uses scenario-based learning to challenge judgement, not just knowledge: Provision 29: Board Accountability for Internal Controls in UK Governance.

For related reading on Initia Risk, see our Provision 29 end-to-end compliance guide, our methodology for identifying material internal controls under Provision 29, and how Provision 29 compares to SOX.
