UK Corporate Governance Code Provision 29: What Compliance Leaders Need to Know

Provision 29 requires boards to confirm that internal controls are effective, not just documented. Here’s what financial institutions must do now to build evidence and support annual declarations.

Hdr uk corporate governance code provision 29
Resolver
Resolver
6 minute read

A board signs off on its annual report. Controls are documented, testing was completed, and from the outside, everything looks fine. Six months later, a material weakness surfaces — one that was present at the balance sheet date but never formally identified. This isn’t negligence. It comes from a reporting standard that only asked whether controls existed, not whether they held up.

The updated UK Corporate Governance Code’s Provision 29 changes that. It requires boards to make a formal annual declaration on whether material internal controls are effective, not just present. For financial years starting on or after 1 January 2026, that declaration is mandatory. The first annual reports containing it land in 2027, but the monitoring, testing, and evidence that boards need to sign off on must be built throughout 2026.

For compliance leaders at financial institutions, that timeline is tighter than it looks. Programs need systems that connect controls, testing, and evidence in one place. The boards, investors, and regulators reviewing those declarations won’t have patience for vague assurances. They’ll want audit-ready evidence.

Here’s what compliance leaders at financial institutions need to know.

Confident Oversight Starts With Integrated GRC.
Discover Resolver's solutions.
Learn More

What is Provision 29?

Provision 29 of the UK Corporate Governance Code requires boards to annually confirm whether material internal controls are effective, based on documented and tested evidence across financial, operational, compliance, and reporting areas. Readiness depends on one thing: consistent, audit-ready evidence.

That’s the question Provision 29 puts in front of every board, annually, on the record.

What counts as material is for each board to determine based on a specific question: Could a deficiency in this control harm the company, shareholders, or stakeholders? Size matters less than impact. A control managing capital adequacy carries more weight than a control managing administrative efficiency. Not because it’s bigger, but because failure carries regulatory and reputational consequences.

The scope covers financial, operational, compliance, and reporting controls — a deliberate choice by the Financial Reporting Council (FRC) to move boards beyond financial reporting and into the full picture of how the organization manages risk.

With that in mind, the annual declaration must include four things:

  1. How the board monitored and reviewed the risk management and control framework across the year
  2. A board-level conclusion on whether material controls were effective as of the balance sheet date, stated clearly and supported by evidence
  3. Any material control weaknesses, their causes, and remediation steps
  4. Progress on previously reported issues and remediation commitments

Evidence must reflect the full year, not a point-in-time review. For financial institutions, this exposes a gap: programs built on documentation, rather than control performance. It has to be embedded into how the compliance program operates year-round.

Who needs to prepare for Provision 29?

The UK Corporate Governance Code operates on a “comply or explain” basis. Deviation is permitted, but it has to be explained publicly under board, investor, and auditor scrutiny. For Provision 29, an explanation that doesn’t hold up is likely to attract more attention than the deviation itself.

If your organization is listed in the London Stock Exchange’s commercial companies category, the Code applies on a comply-or-explain basis. This includes many FTSE 100 and FTSE 250 companies, although index membership itself is not what determines whether a company is in scope.

Organizations outside the Code’s formal scope — including large private and AIM-listed companies — may nevertheless choose to align with its expectations, particularly when preparing for an IPO, seeking investment, or operating within a listed group.

Here’s where the “comply or explain” distinction matters less than it seems: weak explanations attract more scrutiny than compliance. In a sector where regulatory relationships and investor confidence are closely tied, a board declaration that doesn’t hold up creates consequences well beyond the annual report. If a material weakness surfaces after the board signs off on control effectiveness, that gap damages trust.

So the real question becomes: is your program built to support what Provision 29 asks for?

Provision 29 compliance timeline infographic showing five connected milestones across a teal-to-dark-blue gradient background. A horizontal gold line links five white panels from left to right. The first panel, labeled “january 1, 2026,” states that provision 29 takes effect and boards must begin meeting new internal controls reporting requirements. The second panel, “throughout 2026,” describes evidence collection, including monitoring controls, performing testing, and gathering evidence of control effectiveness. The third panel, “year-end 2026,” outlines board assessment activities, where boards review control effectiveness, identified weaknesses, and remediation progress. The fourth panel, “2027 annual report,” explains the public declaration requirement, where organizations publish their first provision 29 effectiveness declaration. The fifth panel, “continuous process,” emphasizes ongoing assurance through continual monitoring, testing, and improvement of internal controls. A large heading at the top reads “provision 29 at a glance,” and a concluding statement at the bottom reads, “prepare in 2025. Prove effectiveness in 2026. Declare in 2027. ”

Why internal control effectiveness must be proven throughout the year

Control effectiveness testing often breaks down when evidence sits across spreadsheets, audit tools, and compliance systems.

Provision 29 isn’t a year-end exercise. Material control failures must be identified, documented, and remediated as they occur. The 2027 declaration depends on evidence built across 2026, not assembled in Q4.

For example, if a control weakness surfaces in March but isn’t formally captured until November creates exactly the kind of gap that auditors and investors will probe. The board declaration asks for a conclusion as of the balance sheet date. The work behind it has to reflect the full year.

Boards also need to distinguish between two separate activities. Ongoing monitoring — where information flows to the board throughout the year about control performance — is continuous. The annual review is different. It’s a formal, separate process where the board assesses whether the monitoring itself is working, whether it covered all material controls, and whether the evidence supports a confident declaration. Programs that skip the review of the monitoring process create exactly the gap auditors probe.

The ICAEW has flagged Provision 29 as one of the most significant preparation challenges companies and their advisors will face in 2026. That assessment reflects something compliance leaders already understand: building a defensible evidence trail takes time, and programs that aren’t structured to collect it continuously will feel the pressure when reporting season arrives.

Illustration showing ai features in compliance software on a computer screen. The monitor displays structured text blocks, automated comment suggestions, and version labels “v1, v2, v3” to represent version tracking. A verified user profile icon appears on the right, suggesting role-based review and approval workflows. Gear icons sit below the screen to show automated processing. Chat bubbles and system-generated prompts float around the page, signaling guided review and collaboration. The background includes abstract tech and data symbols to convey machine-supported compliance processes such as audit trails, workflow automation, and ai-assisted content creation.

AI Features in Compliance Software: What GRC Teams Should Look For to be Policy-Ready

 Learn how to spot the AI features that support real review, approval tracking, and audit-ready records GRC teams can stand behind.

What compliance teams should do now

Everything starts with one conversation: getting the board to define what material means.

Material isn’t determined by how big a control is or which category it falls into. It’s determined by an important question: If this control failed, would it harm the company, shareholders, or stakeholders? If the answer’s yes, it’s material. If it’s no, it’s not. That decision has to come from the board, with risk owners and compliance in the room. Once it’s made, document the rationale. Auditors and investors will want to see how the board arrived at that list. Without that clarity, everything else crumbles.

Once materiality is locked down, the operational work follows:

  • Map each material control to the risk it mitigates: A control that exists without a specific risk connection is nearly impossible to test and harder still to defend in a declaration. For institutions managing multiple risk categories, this exercise often exposes what fragmentation actually costs, controls managed separately that should be linked, or risks with no control assigned.
  • Assign individual ownership, not departmental: “The compliance team owns this” is the same as saying no one owns it. Name the person. Tie them to their role. When a control fails, accountability has to be traceable.
  • Build continuous monitoring into your calendar: The board needs regular information about control performance throughout the year, not a point-in-time snapshot in Q4. For teams accustomed to annual reviews, that’s an operational shift. For Provision 29 readiness, it’s required.
  • Set thresholds for what gets escalated: Not every variance is material. Establish what level of underperformance triggers formal action, and tie it to your risk appetite statement. This keeps signal from drowning in noise.
  • Track remediation all the way to closure: When a control fails, the response has to be as documented as the control itself. A weakness reported in 2027 stays on the board’s radar in 2028. Provision 29 requires boards to disclose progress on previously reported issues. Incomplete remediation tracking becomes a reporting problem next cycle.

The work itself isn’t new. Most institutions are already monitoring controls, testing them, and reporting findings. What changes is how connected it all needs to be. Materiality decisions inform testing scope. Testing findings flow into remediation tracking. Remediation progress feeds board reporting. Everything has to chain together without gaps. That’s where most programs break down.

Provision 29 evidence chain infographic displayed as a seven-segment circular workflow on a light gray background. At the center of the circle is a chain-link icon, representing connected evidence and control activities. Surrounding the icon are seven teal and dark-blue segments arranged clockwise. Segment one, “testing,” states that organizations validate control effectiveness throughout the year. Segment two, “evidence,” focuses on capturing and centralizing supporting documentation. Segment three, “issues,” covers identifying and recording deficiencies or gaps. Segment four, “remediation,” describes tracking corrective actions and validating completion. Segment five, “board reporting,” explains providing visibility into control performance and remediation progress. Segment six, “declaration,” refers to supporting the board’s public effectiveness declaration. Segment seven, “controls,” focuses on identifying and documenting material controls. A large heading above the diagram reads “the evidence chain for provision 29,” illustrating the continuous cycle of testing, documentation, issue management, remediation, reporting, declaration, and control management required to support provision 29 compliance and internal controls reporting.

Provision 29 works best as an extension of what you already do

Financial institutions don’t operate in a single regulatory lane. Capital adequacy reporting, operational risk frameworks, conduct obligations, and audit cycles all run simultaneously, each with their own evidence requirements and reporting timelines.

The monitoring, tracking, and evidence collection that Provision 29 requires is already happening in some form at most institutions. Controls tied to capital adequacy reporting are being monitored. Operational risk events are tracked. Conduct obligations generate evidence trails. What Provision 29 asks is whether all of that is consistent, connected, and documented well enough to support a board-level declaration.

One structural difference from US SOX: external auditors don’t sign off on your internal controls framework. That accountability sits entirely with the board. For GRC teams accustomed to external validation, this shifts where the pressure lands. It’s on you and the board to build defensible evidence without a third-party auditor approving the controls program.

The gap is usually in how it’s connected, maintained, and surfaced to the board. Programs that centralize control documentation, standardize testing workflows, and integrate board-ready reporting into existing cycles are the ones that make the 2027 declaration manageable. Those that don’t will find themselves reconstructing a year’s worth of evidence under pressure.

Illustration representing ai in compliance: a laptop sits on a teal surface with its screen glowing, symbolizing automated processing. To the left, dozens of loose paper documents scatter outward, suggesting manual, fragmented compliance work and information overload. On the right, a clean digital workflow appears, where structured folders move in an organized flow toward a secure storage unit, indicating centralized data management. The contrast shows how ai in compliance transforms disorganized, paper-based processes into streamlined, digital systems with improved accuracy and control.

How AI Is Being Used in GRC: 5 Practical Patterns for Risk & Compliance Teams

Get a practical look at how AI fits into real GRC workflows with the five patterns reshaping how risk and compliance teams manage regulatory change, reporting, and operational complexity.

How Resolver supports Provision 29 readiness

The tension in Provision 29 isn’t about having controls. Most institutions have controls. The tension is proving they worked, consistently, across the full year. A control that failed in March but wasn’t formally captured until November creates a gap. The board declaration asks for a conclusion as of the balance sheet date. The work behind it has to reflect the full year.

That’s difficult when evidence sits across spreadsheets, audit tools, and compliance systems. When testing is annual or semi-annual. When findings flow upward in different formats and timelines.

Resolver’s Internal Controls Management Software brings risks, controls, and policies into a single view. Testing schedules run automatically on a cadence you set. Monitoring stays consistent throughout the year. When deficiencies surface, remediation workflows track them through to closure. Board-level reports draw from the same data compliance teams work with every day.

For financial institutions preparing for Provision 29, the gap between a program that exists and one that holds up is usually a documentation and consistency problem. Resolver closes that gap. So, when the board signs off in 2027, the evidence reflects what actually happened throughout 2026.

Book a demo to see how it works.

Request a Demo

By clicking the button below you agree to our Terms of Service and Privacy Policy.