Provision 29: What Boards Need to Do Right Now
CyberKainos. Reading time: 6 mins
Provision 29: What Boards Need to Do Right Now
It sounds simple. Boards of UK-listed companies must now make a formal declaration that their material internal controls are effective. One statement. In the annual report. How hard can it be?
As it turns out, quite hard. ICAEW has described Provision 29 as potentially “one of the biggest things companies and their accountants need to prepare for in 2026.” Senior governance professionals are discovering that the requirement is far more demanding than it first appeared. Not because the rule itself is complex, but because most organisations simply don’t have the infrastructure to provide the infrastructure to back up the claim.
What Changed, and Why It Matters
The 2024 UK Corporate Governance Code applies to financial years beginning on or after 1 January 2025, with Provision 29 becoming applicable from 1 January 2026. Companies with a calendar year-end are now in their first full reporting cycle, with declarations due in early 2027.
The previous Code required boards to monitor and review internal controls. What Provision 29 adds is a formal declaration of effectiveness. This is a public, board-level statement that material controls not only existed but actually worked. There is no external auditor attestation requirement, which makes the quality of the underlying evidence all the more important.
The scope is broader than many teams assume. Material controls cover financial, operational, compliance, cybersecurity, ESG, and reporting. The FRC has deliberately left the definition open-ended to avoid a tick-box culture and encourage genuine judgement.
The Evidence Problem
For boards to make a credible declaration, they need confidence. For confidence, they need evidence. The challenge isn’t designing controls, most organisations have them. The difficulty lies in demonstrating that those controls actually operated, ran consistently, and that any failures or near-misses throughout the reporting period were captured, escalated, and addressed.
A declaration grounded in scattered emails, screenshots from shared drives, or a single management attestation compiled in Q4 is not defensible. System records, workflow histories, testing results, and structured audit trails are the standard the FRC expects. These need to be gathered throughout the year, not assembled retrospectively.
GRC teams often operate across disconnected systems: risk registers in one place, control testing in another, audit findings in a third. Pulling that together into a coherent, board-ready view on a regular basis is a significant operational challenge. As an example, 53% of directors don’t receive real-time data between board meetings.
What the Declaration Must Cover
The annual report disclosure must include three things.
How the board monitored and reviewed the framework. Not a description of the framework itself, but of the board’s actual oversight activity throughout the year.
A formal declaration on whether material controls were effective. This is at the balance sheet date. This is the board’s own conclusion, not management’s, even if it draws on internal audit findings, management attestations, and audit committee assurance.
Disclosure of any ineffective controls. Along with details of remediation actions and progress. Provision 29 does not require perfection, but it does require honesty. A board that identifies a weakness, discloses it, and sets out a credible remediation plan is in a stronger position with the FRC and investors than one that produces a bland, unchallenged declaration.
The Role of Internal Audit
Provision 29 formalises something governance experts have long argued for: direct access between the Head of Internal Audit and the board, including at least one annual private meeting without management present.
For internal audit leaders, this is both an opportunity and a responsibility. Audit plans will need to be structured around material control coverage, ensuring testing across all four control domains is completed before the board needs to conclude on effectiveness.
What Good Preparation Looks Like
Define your material controls population. Link controls explicitly to principal risks and establish a consistent taxonomy across financial, operational, compliance, and reporting domains.
Agree your evidence standard before year-end. Decide what the board will accept and make sure your processes can produce that evidence consistently.
Build board-ready reporting into your regular cycle. Quarterly or more frequent, exception-focused reporting gives boards the ongoing visibility a full-year declaration requires. Annual updates are no longer sufficient.
Prioritise your highest-risk areas first. Perfect evidence across every control isn’t required. What matters is that the controls managing the risks investors care most about are well-evidenced and demonstrably effective.
The Bigger Picture
Provision 29 is sometimes described as “UK SOX.” The comparison has limits, but the cultural shift it signals is real. Controls management is no longer a finance function task or an annual audit exercise. It is a board-level governance responsibility, with public accountability.
Organisations that treat this purely as a compliance exercise will meet the letter of the requirement but miss the point. Those that use it as a catalyst for genuinely connected, evidence-driven governance i.e. linking risks to controls to assurance to outcomes will emerge with stronger boards, more confident investors, and better operational outcomes.
How CyberKainos Can Help
At CyberKainos, we work with boards, GRC teams, and internal audit functions to build the governance infrastructure that Provision 29 requires and to make sure it is genuinely useful, not just compliant.
Whether you are scoping material controls for the first time, connecting disconnected risk and control data into a board-ready view, designing an assurance framework, or stress-testing your reporting against FRC expectations, we have the governance and GRC expertise to guide you through it.
The first declaration cycle is already underway. If you’re not confident your evidence will support the board’s statement, now is the time to act. Visit CyberKainos.com to find out how we can help.