What is Provision 29? The New UK Internal-Controls Declaration is Here
Does your risk management and internal control framework really work? Some companies operating in the United Kingdom will soon need to prove it. Starting with accounting periods that open on or after 1 January 2026, every company in the FCA’s commercial companies or closed-ended investment fund categories must make a statement in its annual report confirming whether its risk management and internal control framework is effective. That single line, required by Provision 29 of the January 2024 UK Corporate Governance Code, must cover financial, operational, reporting, and compliance controls, and it must be backed by data.
The Bottom Line? Companies Cannot Hide Behind Vague Assurances.
If any material control falls short, boards have to provide additional information. They must spell out which control failed, why it failed, and what they are doing to fix it. The long-standing “comply or explain” philosophy remains, but Provision 29 turns a principle into a line in the sand, reinforcing corporate governance best practices. Boards either attest or explain, on the record and in public.
Who Does This Impact?
Provision 29 reaches further than geography. It touches UK issuers, overseas companies with UK listings, and the parent companies that sit above those entities. Because the rule targets listed status, not domicile, a U.S. or EU multinational with even one qualifying UK listing falls squarely inside the remit.
And while some firms already live with SOX 404 and 302 in the United States, the UK declaration drills into a wider set of controls, adding a second layer of board-level accountability.
What’s Important to Know?
The annual report must do three things:
– First, it must describe how the board monitored and reviewed the control framework during the year
– Second, it must declare whether every material control (financial, operational, reporting, and compliance) was effective on the balance-sheet date
– Third, if a material control was not effective, the report must identify the gap, outline the corrective plan, and update readers on issues flagged in earlier years
Nothing in the Code allows a board to skirt those steps. The only escape clause is a full and reasoned explanation for noncompliance.
Why Does This Matter Beyond the UK?
The global reach is obvious. A qualifying listing in London invites a second attestation that sits alongside SOX. Investor scrutiny rises because the declaration lands in the annual report where analysts can track it year after year.
Regulatory momentum accelerates, too. This is not a one-time signature; it is an ongoing, public measure of how seriously boards treat operational resilience, supported by operational resilience software.
Companies that prepare early position themselves as safe hands in an uncertain market.
What Are the Core Requirements? It’s About Mapping the Compliance Gap and the Fix.
Boards must keep sharp eyes on the entire framework throughout the year and document that vigilance. At least once a year they must step back, test the framework, and decide—without hedging—whether the material controls work. The declaration itself must appear in the annual report, set at the balance-sheet date, written in clear language, and backed by evidence.
Where controls fail, the same report must map the gap and the fix. Material controls cover every major risk vector: money, operations, regulatory exposure, and the accuracy of information that flows to shareholders and regulators.
Why Do Manual, Siloed Processes Put Companies at Risk?
Fragmented evidence forces teams to hunt for spreadsheets, emails, and ad-hoc test results each year-end.
Trouble follows. Directors lose real-time visibility into open exceptions and miss the chance to remediate before sign-off. Without an immutable audit trail, proving who tested what—and when—becomes a distraction instead of a control. When new risks or products arrive, staff have to rewrite control libraries by hand while deadlines loom. And organizations that juggle SOX and Provision 29 on separate tracks duplicate effort and sometimes produce conflicting answers to the same question.
How Does an Integrated GRC Platform Accelerate Compliance?
A single modern GRC platform corrals every risk and control into one authoritative library, links each control to the risk it tames, and schedules testing and certification automatically.
Dashboards surface live status so boards see effectiveness scores, outstanding issues, and remediation progress before they approve the report.
Direct feeds from ERP, HR, and ticketing systems pull hard evidence into the record without manual upload. Every action leaves a time-stamped trail an auditor can parse in seconds.
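The pieces described above (one control library linked to the risks each control mitigates, scheduled testing, and a tamper-evident audit trail) can be sketched in a few dozen lines. The following is an added illustration, not SAI360's code and not any issuer's real controls; every identifier, date and record in it is constructed, and the hash-chained log is a standard technique for making edits or deletions detectable rather than a claim about how any particular product stores evidence.

```python
"""Added example: control library with risk links, test scheduling,
a hash-chained audit trail, and a Provision 29-style effectiveness summary.
All names and sample records are constructed for illustration."""
from __future__ import annotations
import hashlib
import json
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

CATEGORIES = {"financial", "operational", "reporting", "compliance"}
YEAR_END = date(2026, 12, 31)   # constructed balance-sheet date


@dataclass
class Control:
    control_id: str
    name: str
    category: str                 # one of CATEGORIES (Provision 29 scope)
    risk_ids: list[str]           # risks this control mitigates
    frequency_days: int           # how often the control must be tested
    last_tested: Optional[date] = None
    effective: Optional[bool] = None   # None until tested
    open_issue: Optional[str] = None   # remediation note when not effective


class ControlLibrary:
    """One authoritative library of risks and controls plus a chained log."""

    def __init__(self) -> None:
        self.risks: dict[str, str] = {}
        self.controls: dict[str, Control] = {}
        self.audit: list[dict] = []

    def _log(self, event: dict) -> None:
        # Each entry commits to the previous entry's hash, so editing or
        # deleting any earlier entry breaks every hash that follows it.
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"seq": len(self.audit), "prev": prev, **event}
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit.append(entry)

    def add_risk(self, risk_id: str, description: str) -> None:
        self.risks[risk_id] = description
        self._log({"type": "risk_added", "risk": risk_id})

    def add_control(self, control: Control) -> None:
        if control.category not in CATEGORIES:
            raise ValueError(f"unknown category {control.category!r}")
        missing = [r for r in control.risk_ids if r not in self.risks]
        if missing:   # every control must map to a registered risk
            raise ValueError(f"unregistered risks: {missing}")
        self.controls[control.control_id] = control
        self._log({"type": "control_added", "control": control.control_id,
                   "risks": control.risk_ids})

    def record_test(self, control_id: str, tester: str, tested_on: date,
                    effective: bool, evidence_ref: str,
                    issue: Optional[str] = None) -> None:
        c = self.controls[control_id]
        c.last_tested, c.effective = tested_on, effective
        c.open_issue = None if effective else issue
        self._log({"type": "test", "control": control_id, "tester": tester,
                   "date": tested_on.isoformat(), "effective": effective,
                   "evidence": evidence_ref, "issue": issue})

    def tests_due(self, as_of: date) -> list[str]:
        """Controls never tested, or tested longer ago than their frequency."""
        return sorted(c.control_id for c in self.controls.values()
                      if c.last_tested is None
                      or as_of - c.last_tested >= timedelta(days=c.frequency_days))

    def declaration(self, as_of: date) -> dict:
        """What the board needs for the balance-sheet-date declaration."""
        overdue = self.tests_due(as_of)
        ineffective = {c.control_id: c.open_issue for c in self.controls.values()
                       if c.effective is False}
        return {"as_of": as_of.isoformat(),
                "all_effective": not overdue and not ineffective,
                "untested_or_overdue": overdue, "ineffective": ineffective}

    def verify_audit(self) -> bool:
        """Recompute the chain; False if any entry was altered or removed."""
        prev = "0" * 64
        for i, entry in enumerate(self.audit):
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["seq"] != i or body["prev"] != prev or digest != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def build_sample_library() -> ControlLibrary:
    """Constructed sample data (hypothetical risks, controls, testers)."""
    lib = ControlLibrary()
    lib.add_risk("R1", "Misstated revenue")
    lib.add_risk("R2", "Unauthorised production change")
    lib.add_control(Control("C-FIN-01", "Quarterly revenue reconciliation",
                            "financial", ["R1"], 90))
    lib.add_control(Control("C-OPS-01", "Change approval before deploy",
                            "operational", ["R2"], 30))
    lib.record_test("C-FIN-01", "a.auditor", date(2026, 11, 15), True, "WP-0042")
    lib.record_test("C-OPS-01", "b.tester", date(2026, 12, 20), False, "TKT-17",
                    issue="3 of 40 sampled changes deployed without approval")
    return lib


def demo() -> dict:
    """Year-end summary, then show that editing a past test result is caught."""
    lib = build_sample_library()
    result = {"declaration": lib.declaration(YEAR_END),
              "audit_ok": lib.verify_audit()}
    lib.audit[-1]["effective"] = True      # someone rewrites the failed result
    result["tamper_detected"] = not lib.verify_audit()
    return result
```

At the constructed year end the summary reports one ineffective control with its open issue and no overdue tests, which is exactly the "map the gap and the fix" content the declaration must carry; flipping the stored test result afterwards invalidates the chain, so the log can show not only who tested what and when but that nobody altered it later.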
Why does this matter? Because the same data spine already supports SOX for many issuers, companies can reuse financial-control evidence and combine it with operational and compliance controls, giving audit committees one coherent view of operational risk.
Final Thoughts
Did you know that many organizations already run their entire SOX lifecycle inside the SAI360 platform? They are already mapping controls, automating tests, chasing certifications, and exporting clean evidence to auditors.
The same workflows, dashboards, and analytics carry across to Provision 29: boards can rely on a single source of truth to align SOX financial-control proof with broader operational and compliance controls, issue unified reports, and reuse test results and remediation logs rather than rerunning them.
Learn more. Book a demo today to see how SAI360 delivers Provision 29 readiness from every angle.