
Provision 29 of the UK Corporate Governance Code 2024 marks one of the most significant shifts in board accountability in a generation. For financial years beginning on or after 1 January 2026, boards of UK premium-listed companies must formally declare whether their material controls were effective at the balance sheet date. This is not a disclosure update. It is a change in the standard of evidence the board is expected to hold before it can sign the annual report.
This article explains what Provision 29 requires, how it differs from what came before, and what boards need to do to meet the obligation with confidence.
Provision 29 of the UK Corporate Governance Code 2024 requires the board to monitor the company's risk management and internal control framework and carry out a review of its effectiveness at least annually. That monitoring and review must cover all material controls, including financial, operational, reporting, and compliance controls.
The full text of the provision reads:
The board should monitor the company's risk management and internal control framework and, at least annually, carry out a review of its effectiveness. The monitoring and review should cover all material controls, including financial, operational, reporting and compliance controls.
The board should provide in the annual report:
The key word in that list is declaration. Before the 2024 Code, boards were expected to show they had conducted a review. Now they are expected to state a conclusion. That is a meaningfully higher bar.
The 2024 UK Corporate Governance Code applied from 1 January 2025 for most provisions. Provision 29 was given a one-year deferral to allow boards sufficient time to build their internal control frameworks and testing processes. It applies to financial years beginning on or after 1 January 2026.
As a result, the first annual reports containing the new Provision 29 declaration are expected to appear from 2027 onwards, covering the 2026 financial year. The Financial Reporting Council has confirmed it does not require or expect early adoption before this timeline.
January 2024: FRC publishes the revised UK Corporate Governance Code 2024
1 January 2025: Most provisions of the 2024 Code come into force
1 January 2026: Provision 29 declaration requirement comes into force
From 2027: First annual reports containing Provision 29 declarations expected
Basis: Comply or explain (applicable to all UK premium-listed companies)
Under the 2018 UK Corporate Governance Code, Provision 26 (which covered similar ground) required boards to monitor and review the effectiveness of risk management and internal control systems and to report on that review in the annual report. Companies were expected to confirm that monitoring had been carried out, but there was no requirement to state whether controls had actually been effective.
The 2024 Code makes three significant changes:
The practical implication is that boards can no longer rely on process language in the annual report. The declaration requires a conclusion backed by evidence, and any weakness identified during the year needs to be surfaced and addressed.
The Financial Reporting Council has deliberately chosen not to define material controls in the code or to publish a standard list of what they should include. This is an intentional policy choice, not an oversight. The FRC does not want companies working from a template and treating compliance as a tick-box exercise.
Instead, each board is responsible for determining which controls are material, based on the company's own principal risks, operating model, strategy, size, and complexity. A useful working principle is to ask whether the failure of a given control could reasonably be expected to have a material adverse impact on the company's financial position, operations, regulatory standing, or long-term sustainability.
Ask whether the failure of a control would be significant enough that investors need to know quickly.
Consider risks that threaten the business model, solvency, or reputation.
Look at impact holistically : on and off the balance sheet, including effects on shareholder sentiment, consumer trust, and public profile.
The FRC will not comment on whether the controls a company has chosen are the right ones, or whether the number is appropriate.
Source: FRC Provision 29 Mythbuster, January 2026
Based on early engagement with companies preparing for Provision 29, the FRC has noted that most companies are identifying somewhere between 30 and 50 material controls. Companies in the financial services sector, or those with more complex operating models, may identify more. There is no minimum or maximum. The number should reflect the genuine risk profile of the business.
Importantly, companies are not required to publish a list of their material controls in the annual report. The reporting should describe the governance process that led to the selection of those controls and the oversight the board has maintained. Commercially sensitive details about specific control failures, such as technical cyber security measures, do not need to be disclosed.
Provision 29 covers a broader control landscape than many boards initially assume. It is not limited to financial controls. The review must span all four categories:
This four-category scope means that companies reporting under the US Sarbanes-Oxley Act (SOX) will need to go beyond their existing SOX framework. SOX focuses primarily on financial reporting controls. Provision 29 requires the board to extend its coverage to operational, reporting, and compliance controls in a way that SOX does not.
Provision 29 requires three distinct elements in the annual report. These are not optional disclosures or narrative additions. They are the minimum standard for compliance:
An explanation of how the board has monitored and reviewed the effectiveness of the risk management and internal control framework throughout the year. This should describe who was involved, what evidence was examined, what oversight committees reviewed, and how conclusions were reached. General statements that monitoring occurred will not be sufficient.
A clear, formal declaration by the board stating whether material controls were effective as at the balance sheet date. The FRC has not prescribed standard wording for this declaration, so boards have flexibility in how they frame it. What matters is that the declaration is clearly signposted in the annual report and reflects genuine board-level confidence based on the monitoring process.
A description of any material controls that did not operate effectively at the balance sheet date, along with the actions taken or proposed to improve them. Where issues have previously been reported, an update on progress is also expected. There is no requirement to restate the declaration if something comes to light after the balance sheet date, but issues that existed at the balance sheet date must be disclosed.
The FRC has indicated that, in most cases, this reporting should be no longer than two pages in the annual report. Proportionality is important. The declaration is not an opportunity to produce a comprehensive audit manual. It is an evidence-backed conclusion from the board about the state of controls at year end.
The UK Corporate Governance Code applies on a comply-or-explain basis to all companies with a premium listing on the London Stock Exchange. This includes FTSE 350 companies, closed-ended investment funds, and commercial companies listed under the UK Listing Rules.
The comply-or-explain approach means that companies can depart from the provision, but must provide a meaningful explanation of why they have done so and how they have otherwise addressed the underlying governance objective. The FRC has been clear that boilerplate explanations are not acceptable. Any decision to depart from the Code must be reconsidered and justified in each reporting year.
Companies not subject to the UK Corporate Governance Code, such as AIM-listed companies or private companies, are not directly required to comply with Provision 29. However, many are reviewing its requirements as a governance benchmark and considering voluntary adoption or alignment.
Provision 29 compliance is not a year-end reporting exercise. The declaration can only be made credibly if the board has maintained genuine oversight throughout the year. The following steps reflect the approach that emerging market practice supports.
Start by identifying which controls meet the materiality threshold for your organisation. Work from the board's principal risk register. For each principal risk, identify the controls that are most critical to preventing or mitigating that risk. Cross-check against the four categories: financial, operational, reporting, and compliance. Document the rationale for why each control has been classified as material. This process should be board-sponsored, typically with the Audit Committee Chair leading and the CFO, Chief Risk Officer, Head of Internal Audit, and Company Secretary involved. In practice, most companies are arriving at between 30 and 50 controls, though the right number depends entirely on the risk profile of the business.
Each material control should have a named owner who is accountable for its operation and for raising issues when it is not functioning as intended. The Audit Committee should have a defined role in overseeing the monitoring process and reviewing evidence before the board reaches its conclusion. The governance structure should be documented so that the annual report can describe it clearly. The board's oversight role is not to manage the controls themselves but to receive credible evidence from those who do.
Evidence of effectiveness needs to be gathered across the reporting period, not reconstructed at year end. Controls should be tested through a combination of management self-assessment, second-line risk and compliance reviews, and internal audit. The testing approach for each material control should reflect its nature and risk level. People-dependent controls, such as policy attestations, approval workflows, mandatory training completion, and conflict of interest disclosures, are often the most difficult to evidence because activity happens across many individuals and systems. These controls need structured, repeatable tracking rather than manual follow-up at year end.
The board's declaration rests on the quality of the evidence the organisation has collected. System records, workflow logs, testing results, audit findings, and control owner sign-offs are defensible forms of evidence. Emails, spreadsheets, and manual summaries reconstructed after the fact are not. For each material control, there should be a clear record showing: that the control ran when required; that it covered the full population it was intended to cover; whether it operated without exceptions or what exceptions arose; and what remediation took place where it did not operate effectively.
Before the board signs the declaration, the Audit Committee should review the full picture of evidence, exception rates, and remediation status across the material controls population. Any control that did not operate effectively at the balance sheet date must be captured in the declaration. The board should satisfy itself that the monitoring process has been robust enough to support a credible conclusion, not merely that a review has taken place. The declaration itself should be clearly located in the annual report and written in language that reflects genuine board-level confidence.
Material controls population defined, documented, and linked to principal risks
Board-level sponsor and Audit Committee ownership confirmed
Named control owners assigned for all material controls
Monitoring and testing activity carried out across the reporting period
Evidence captured in structured, defensible form (not email chains or manual logs)
Exceptions identified, escalated, and remediation status tracked
Audit Committee reviewed evidence and summary before board declaration
Annual report includes all three required Provision 29 elements
Disclosure of any controls not operating effectively, with remediation detail
The requirements of Provision 29 align closely with the six domains of a GRC framework: Governance and Oversight, Risk Management, Regulatory Compliance, Information Security, Operational Resilience, and Third-Party Risk. Each of these domains generates controls, and the material controls that boards need to declare on will typically draw from several of them.
For organisations that have invested in a GRC framework, Provision 29 is an opportunity to put that framework to work in a board-visible way. The risk register provides the starting point for identifying material controls. The compliance monitoring programme provides the testing evidence. Internal audit provides independent assurance. The GRC score across domains gives the board a structured basis for reaching and documenting its conclusion.
For organisations that have not yet built a connected GRC framework, Provision 29 makes the case for doing so. Managing the declaration requirement through disconnected tools, shared drives, and manual follow-up is both inefficient and risky. The board's conclusion needs to be supported by an evidence chain that can be produced quickly, reviewed consistently, and updated throughout the year.
The Financial Reporting Council has been explicit that Provision 29 is not intended to create a UK equivalent of the US Sarbanes-Oxley regime. There is no requirement for external audit attestation, no prescribed control framework, and no mandated evidence format. The Code places the judgment with the board, which is precisely why the board needs a structured, defensible process behind the declaration it signs.
Provision 29 of the 2024 UK Corporate Governance Code requires boards of premium-listed companies to monitor and review their risk management and internal control framework and, from financial years beginning on or after 1 January 2026, to provide a formal declaration in the annual report on whether material controls were effective at the balance sheet date.
Provision 29 applies to financial years beginning on or after 1 January 2026. The first annual reports containing the new declaration are therefore expected from 2027 onwards. The 2024 Code as a whole applied from 1 January 2025, but Provision 29 was deferred by one year to give boards time to prepare.
Material controls are those whose failure could reasonably be expected to have a material adverse impact on the company. Each board defines its own material controls based on its principal risks, business model, size, and complexity. The FRC does not provide a standard list. In practice, companies are identifying between 30 and 50 material controls across financial, operational, reporting, and compliance categories.
No. The FRC does not expect companies to list their material controls in the annual report, nor to describe the specific testing they have carried out. The annual report should instead explain the governance process the board followed in reaching its conclusion and the oversight it maintained throughout the year.
No. The UK Corporate Governance Code does not require external assurance over material controls. Whether to commission external assurance, and over which areas, is a decision for the individual board. Some boards may choose it for higher-risk or more complex control areas; others may rely solely on internal audit and management testing.
The 2018 Code required boards to monitor and review internal controls but did not require a formal declaration of effectiveness. The 2024 Code adds that specific declaration, extends the scope to include reporting controls such as narrative and ESG reporting, and requires disclosure of any material controls that did not operate effectively along with remediation actions.
If a material control has not operated effectively as at the balance sheet date, the board must disclose this in the annual report and describe the action taken or proposed to improve it. There is no requirement to restate the declaration if a failure comes to light after the balance sheet date. However, if an issue existed at the balance sheet date and was known at the time of reporting, it must be included.
The FRC expects the reporting to be proportionate and concise. In most cases, the full Provision 29 disclosure, covering the monitoring description, the declaration, and any control failure disclosures, is expected to be no longer than two pages.
© 2025 GRC Index. All rights reserved.