UK boards must now make a formal, evidence-based declaration on the effectiveness of their material internal controls — and 2026 is the year that evidence must be built. Provision 29 of the UK Corporate Governance Code 2024 applies to financial periods beginning on or after 1 January 2026, with the first annual report disclosures due in 2027. For most premium-listed companies, that deadline is not two years away. The monitoring and testing that underpins a credible declaration must happen throughout the current financial year.

INFORMD has been tracking Provision 29 readiness across UK boardrooms since the FRC published the revised Code in January 2024. What follows is the briefing your audit committee and company secretary should already be working through — and the questions your board needs to be able to answer before December 2026.

What Does Provision 29 Actually Require Your Board to Declare?

Provision 29 is deceptively simple in its language and substantial in its demands. It requires the board to disclose three things in the annual report: how it monitored and reviewed the effectiveness of material internal controls; whether it considers those controls to be effective as at the balance sheet date; and, where material control weaknesses exist, the details of those weaknesses along with any remediation plans in progress.

This is not a tick-box exercise. The board cannot assert that controls are effective without having conducted — and documented — the substantive review that supports that conclusion. The FRC has been clear that the declaration must be evidence-based. Where a board lacks the internal processes to generate that evidence, the problem is structural, not administrative.

Critically, the scope of “material internal controls” extends well beyond financial reporting. Operational processes, compliance activities, and the controls governing narrative and non-financial reporting are all within scope. According to KPMG’s November 2025 guidance on Provision 29, boards that limit their review to financial controls alone risk producing a declaration that is both incomplete and potentially misleading to shareholders.

Executive Action

• Commission a gap analysis this quarter comparing your current internal controls framework against the full scope of Provision 29 — including operational and compliance controls, not just financial reporting.
• Ask your internal audit function to map which controls qualify as “material” under your own assessment criteria and document that determination formally at board level.
• Review your current board reporting on internal controls to determine whether it would support an evidence-based declaration — and what structural improvements are needed before year-end.

Who Decides Which Controls Are “Material” — and What Are the Risks of Getting It Wrong?

Provision 29 deliberately leaves the definition of “material controls” to each individual board. There is no prescribed list, no regulatory template. The judgment is company-specific and must reflect the organisation’s own risk profile, operating model, and strategic priorities — a point emphasised in guidance from the Chartered Institute of Internal Auditors.

In practice, a material control is one whose failure could produce a material impact on the organisation — whether financial, reputational, operational, or regulatory. For a financial services firm regulated by the FCA and PRA, material controls will include those governing client assets, regulatory reporting, and SM&CR accountability frameworks. For a technology business, data governance controls, UK GDPR compliance processes, and cybersecurity operational controls may rank highest. For a manufacturer, health and safety and supply chain integrity controls may dominate.

The risk of applying too narrow a definition is significant. Where a material control failure subsequently emerges that was not disclosed as a weakness in the Provision 29 declaration, the governance questions for the board become considerably more uncomfortable — and, under the Companies Act 2006, directors can face personal exposure for false or misleading statements in strategic and directors’ reports.

Executive Action

• Table a formal discussion at the next audit committee meeting to define your organisation’s criteria for “material controls” — and document the rationale for what is included and excluded from scope.
• Cross-reference your Provision 29 scope against the principal risks in your strategic report — any risk managed by an internal process should prompt the question of whether that control is material.
• For regulated organisations, map your Provision 29 scope alongside your SM&CR accountability framework and any DORA operational resilience obligations, to avoid gaps between overlapping governance regimes.

Why Is 2026 the Critical Year — Not 2027?

The most dangerous assumption in UK boardrooms right now is that 2026 is preparation time and 2027 is delivery time. The evidence that supports a Provision 29 declaration must be gathered continuously throughout the financial year, not assembled retrospectively before sign-off. A board that waits until Q3 or Q4 2026 to establish its controls review framework will not have twelve months of monitoring behind its declaration — at best, a few months of retrospective assessment, which is precisely the scenario the FRC’s expectations are designed to expose.

The ICAEW published guidance in October 2025 recommending that boards take six structured steps to prepare for Provision 29, beginning with scoping and ending with audit committee sign-off. That process cannot realistically be compressed into a single quarter. For companies with calendar year-ends, the first board declaration on internal controls effectiveness is due in early 2027 — making 2026 the year in which the quality of that declaration is determined, not finalised.

The stakes for inaction are compounding. The FRC is currently transitioning into the new Audit, Reporting and Governance Authority — expected to be called the Corporate Reporting Authority (CRA) — which will have expanded powers to hold directors accountable via civil regulatory sanctions for serious failures in corporate reporting duties. Provision 29 declarations sit squarely within that scope. When the CRA is formally constituted, boards that have made incomplete or unsupported declarations face scrutiny from an authority with materially greater enforcement powers than its predecessor.

Executive Action

• Confirm with your CFO and board secretary that a formal Provision 29 monitoring programme is already running for FY2026 — not planned for later in the year.
• Build Provision 29 review updates into the standing agenda for your audit committee at each meeting throughout 2026, so evidence accumulates in real time.
• Brief your external auditors on your Provision 29 approach before the half-year reporting cycle — auditors will increasingly scrutinise the quality of the controls review process, not just the declaration itself.

How Should Boards Structure the Evidence for a Credible Declaration?

Good practice is emerging from the organisations that have been most proactive. A defensible Provision 29 declaration rests on four structural elements: a formally documented scope of material controls, agreed at board level; a structured testing and monitoring programme conducted by internal audit and management continuously throughout the year; board-level reporting that translates the results of that testing into plain business risk language; and a defined escalation process for control weaknesses, with documented remediation timelines.

The question to put to management before year-end is direct: if a regulator, major shareholder, or court asked us to demonstrate how we reached our Provision 29 conclusion, could we produce a coherent, documented audit trail? If the answer is uncertain, the declaration is vulnerable — and so are the directors who signed it. Access the INFORMD executive briefing library for frameworks on building board-level controls governance, or speak to our team about how peer organisations are approaching Provision 29 compliance.

INFORMD provides intelligence briefings for senior business leaders across technology, finance, strategy, and compliance. Based in Milton Keynes, UK, we help executives stay informed and act with confidence. Explore our full library of executive briefings or speak to our team.

Frequently Asked Questions

Does Provision 29 apply to all UK-listed companies?

Provision 29 applies to companies with a premium listing on the London Stock Exchange that are subject to the UK Corporate Governance Code 2024. It does not apply to AIM-listed or private companies on a mandatory basis, though the principles are increasingly being adopted as best practice across a broader range of organisations. If your company has a financial year beginning on or after 1 January 2026 and is subject to the Code, Provision 29 applies to you in respect of that year’s annual report.

What happens if the board cannot make a clean declaration of effectiveness?

The UK Corporate Governance Code operates on a comply-or-explain basis, so a board that cannot declare full effectiveness is not automatically in breach — but it must disclose any material control weaknesses, the circumstances giving rise to them, and the remediation steps being taken. The reputational risk of disclosing a weakness is manageable where the board can demonstrate proactive identification, a credible remediation plan, and clear accountability. The far greater governance exposure arises when an undisclosed weakness subsequently comes to light — particularly once the Corporate Reporting Authority is constituted with its expanded enforcement powers.

How does Provision 29 interact with the SM&CR accountability framework?

The Senior Managers and Certification Regime maps regulatory accountability to named individuals in FCA- and PRA-regulated firms. Provision 29 operates as a corporate governance obligation applicable to the board as a whole, but the two frameworks overlap in practice: a material control weakness in a regulated firm may simultaneously constitute a Provision 29 disclosure obligation and a question of individual senior manager accountability under SM&CR. Regulated boards should treat these frameworks as complementary rather than parallel, ensuring their controls governance maps clearly to both sets of obligations.

What should non-executive directors specifically ask about Provision 29?

NEDs should require management to demonstrate — not simply assert — four things: which controls have been identified as material and the documented rationale for that determination; what testing and monitoring has been conducted and by whom; what weaknesses have been identified, and what the remediation plan and timeline are; and whether the evidence trail would withstand external scrutiny from a regulator or auditor. A non-executive director who approves a Provision 29 declaration without satisfactory answers to these questions has accepted governance accountability without adequate assurance.

Stay ahead. Subscribe to INFORMD’s executive briefing at informd.co.uk/services.