UK Corporate Governance Code Provision 29: What Compliance Leaders Need to Know
Provision 29 requires boards to confirm that internal controls are effective, not just documented. Here’s what financial institutions must do now to build evidence and support annual declarations.
A board signs off on its annual report. Controls are documented, testing was completed, and from the outside, everything looks fine. Six months later, a material weakness surfaces — one that was present at the balance sheet date but never formally identified. This isn’t negligence. It comes from a reporting standard that only asked whether controls existed, not whether they held up.
The updated UK Corporate Governance Code’s Provision 29 changes that. It requires boards to make a formal annual declaration on whether material internal controls are effective, not just present. For financial years starting on or after 1 January 2026, that declaration is mandatory. The first annual reports containing it land in 2027, but the monitoring, testing, and evidence that boards need to sign off on must be built throughout 2026.
For compliance leaders at financial institutions, that timeline is tighter than it looks. Programs need systems that connect controls, testing, and evidence in one place. The boards, investors, and regulators reviewing those declarations won’t have patience for vague assurances. They’ll want audit-ready evidence.
Here’s what compliance leaders at financial institutions need to know.
Discover Resolver's solutions.
What is Provision 29?
Provision 29 of the UK Corporate Governance Code requires boards to annually confirm whether material internal controls are effective, based on documented and tested evidence across financial, operational, compliance, and reporting areas. Readiness depends on one thing: consistent, audit-ready evidence.
That’s the question Provision 29 puts in front of every board, annually, on the record.
What counts as material is for each board to determine based on a specific question: Could a deficiency in this control harm the company, shareholders, or stakeholders? Size matters less than impact. A control managing capital adequacy carries more weight than a control managing administrative efficiency. Not because it’s bigger, but because failure carries regulatory and reputational consequences.
The scope covers financial, operational, compliance, and reporting controls — a deliberate choice by the Financial Reporting Council (FRC) to move boards beyond financial reporting and into the full picture of how the organization manages risk.
With that in mind, the annual declaration must include four things:
- How the board monitored and reviewed the risk management and control framework across the year
- A board-level conclusion on whether material controls were effective as of the balance sheet date, stated clearly and supported by evidence
- Any material control weaknesses, their causes, and remediation steps
- Progress on previously reported issues and remediation commitments
Evidence must reflect the full year, not a point-in-time review. For financial institutions, this exposes a gap: programs built on documentation, rather than control performance. It has to be embedded into how the compliance program operates year-round.
Who needs to prepare for Provision 29?
The UK Corporate Governance Code operates on a “comply or explain” basis. Deviation is permitted, but it has to be explained publicly under board, investor, and auditor scrutiny. For Provision 29, an explanation that doesn’t hold up is likely to attract more attention than the deviation itself.
If your organization is listed in the London Stock Exchange’s commercial companies category, the Code applies on a comply-or-explain basis. This includes many FTSE 100 and FTSE 250 companies, although index membership itself is not what determines whether a company is in scope.
Organizations outside the Code’s formal scope — including large private and AIM-listed companies — may nevertheless choose to align with its expectations, particularly when preparing for an IPO, seeking investment, or operating within a listed group.
Here’s where the “comply or explain” distinction matters less than it seems: weak explanations attract more scrutiny than compliance. In a sector where regulatory relationships and investor confidence are closely tied, a board declaration that doesn’t hold up creates consequences well beyond the annual report. If a material weakness surfaces after the board signs off on control effectiveness, that gap damages trust.
So the real question becomes: is your program built to support what Provision 29 asks for?

Why internal control effectiveness must be proven throughout the year
Control effectiveness testing often breaks down when evidence sits across spreadsheets, audit tools, and compliance systems.
Provision 29 isn’t a year-end exercise. Material control failures must be identified, documented, and remediated as they occur. The 2027 declaration depends on evidence built across 2026, not assembled in Q4.
For example, if a control weakness surfaces in March but isn’t formally captured until November creates exactly the kind of gap that auditors and investors will probe. The board declaration asks for a conclusion as of the balance sheet date. The work behind it has to reflect the full year.
Boards also need to distinguish between two separate activities. Ongoing monitoring — where information flows to the board throughout the year about control performance — is continuous. The annual review is different. It’s a formal, separate process where the board assesses whether the monitoring itself is working, whether it covered all material controls, and whether the evidence supports a confident declaration. Programs that skip the review of the monitoring process create exactly the gap auditors probe.
The ICAEW has flagged Provision 29 as one of the most significant preparation challenges companies and their advisors will face in 2026. That assessment reflects something compliance leaders already understand: building a defensible evidence trail takes time, and programs that aren’t structured to collect it continuously will feel the pressure when reporting season arrives.
![]() |
AI Features in Compliance Software: What GRC Teams Should Look For to be Policy-ReadyLearn how to spot the AI features that support real review, approval tracking, and audit-ready records GRC teams can stand behind. |
What compliance teams should do now
Everything starts with one conversation: getting the board to define what material means.
Material isn’t determined by how big a control is or which category it falls into. It’s determined by an important question: If this control failed, would it harm the company, shareholders, or stakeholders? If the answer’s yes, it’s material. If it’s no, it’s not. That decision has to come from the board, with risk owners and compliance in the room. Once it’s made, document the rationale. Auditors and investors will want to see how the board arrived at that list. Without that clarity, everything else crumbles.
Once materiality is locked down, the operational work follows:
- Map each material control to the risk it mitigates: A control that exists without a specific risk connection is nearly impossible to test and harder still to defend in a declaration. For institutions managing multiple risk categories, this exercise often exposes what fragmentation actually costs, controls managed separately that should be linked, or risks with no control assigned.
- Assign individual ownership, not departmental: “The compliance team owns this” is the same as saying no one owns it. Name the person. Tie them to their role. When a control fails, accountability has to be traceable.
- Build continuous monitoring into your calendar: The board needs regular information about control performance throughout the year, not a point-in-time snapshot in Q4. For teams accustomed to annual reviews, that’s an operational shift. For Provision 29 readiness, it’s required.
- Set thresholds for what gets escalated: Not every variance is material. Establish what level of underperformance triggers formal action, and tie it to your risk appetite statement. This keeps signal from drowning in noise.
- Track remediation all the way to closure: When a control fails, the response has to be as documented as the control itself. A weakness reported in 2027 stays on the board’s radar in 2028. Provision 29 requires boards to disclose progress on previously reported issues. Incomplete remediation tracking becomes a reporting problem next cycle.
The work itself isn’t new. Most institutions are already monitoring controls, testing them, and reporting findings. What changes is how connected it all needs to be. Materiality decisions inform testing scope. Testing findings flow into remediation tracking. Remediation progress feeds board reporting. Everything has to chain together without gaps. That’s where most programs break down.

Provision 29 works best as an extension of what you already do
Financial institutions don’t operate in a single regulatory lane. Capital adequacy reporting, operational risk frameworks, conduct obligations, and audit cycles all run simultaneously, each with their own evidence requirements and reporting timelines.
The monitoring, tracking, and evidence collection that Provision 29 requires is already happening in some form at most institutions. Controls tied to capital adequacy reporting are being monitored. Operational risk events are tracked. Conduct obligations generate evidence trails. What Provision 29 asks is whether all of that is consistent, connected, and documented well enough to support a board-level declaration.
One structural difference from US SOX: external auditors don’t sign off on your internal controls framework. That accountability sits entirely with the board. For GRC teams accustomed to external validation, this shifts where the pressure lands. It’s on you and the board to build defensible evidence without a third-party auditor approving the controls program.
The gap is usually in how it’s connected, maintained, and surfaced to the board. Programs that centralize control documentation, standardize testing workflows, and integrate board-ready reporting into existing cycles are the ones that make the 2027 declaration manageable. Those that don’t will find themselves reconstructing a year’s worth of evidence under pressure.
![]() |
How AI Is Being Used in GRC: 5 Practical Patterns for Risk & Compliance TeamsGet a practical look at how AI fits into real GRC workflows with the five patterns reshaping how risk and compliance teams manage regulatory change, reporting, and operational complexity. |
How Resolver supports Provision 29 readiness
The tension in Provision 29 isn’t about having controls. Most institutions have controls. The tension is proving they worked, consistently, across the full year. A control that failed in March but wasn’t formally captured until November creates a gap. The board declaration asks for a conclusion as of the balance sheet date. The work behind it has to reflect the full year.
That’s difficult when evidence sits across spreadsheets, audit tools, and compliance systems. When testing is annual or semi-annual. When findings flow upward in different formats and timelines.
Resolver’s Internal Controls Management Software brings risks, controls, and policies into a single view. Testing schedules run automatically on a cadence you set. Monitoring stays consistent throughout the year. When deficiencies surface, remediation workflows track them through to closure. Board-level reports draw from the same data compliance teams work with every day.
For financial institutions preparing for Provision 29, the gap between a program that exists and one that holds up is usually a documentation and consistency problem. Resolver closes that gap. So, when the board signs off in 2027, the evidence reflects what actually happened throughout 2026.

