By January 2026, boards of UK-listed companies will face a new level of scrutiny. Provision 29 of the revised UK Corporate Governance Code 2024 will require an explicit annual declaration from boards on the effectiveness of their internal controls.

And that’s not just another compliance management box to tick.

This change – sometimes referred to as “UK SOX” – is a governance tipping point. It brings controls management out of the finance silo and places it firmly on the boardroom agenda. Boards won’t just be asked whether controls exist. They’ll be asked whether they worked, how they were monitored, and what evidence backs that claim.

So what should your organisation be doing now, in 2025, to prepare? Here's what we’re hearing from leading governance, risk, and compliance teams, and how Protecht is helping them respond.

Provision 29: From policy to proof

Provision 29 comes into effect for accounting periods beginning on or after 1 January 2026. It requires companies to:

  • Monitor their entire internal control framework throughout the year.
  • Carry out an annual review of effectiveness across financial, operational, compliance, and reporting controls.
  • Disclose in the annual report:
    • How the review was conducted.
    • A board-level declaration of control effectiveness at year-end.
    • Any material control failures, with remedial actions taken or planned.

The implications are significant. This is no longer about showing intent. It’s about showing evidence.

A maturity model approach to control readiness

Many companies met the 2018 Code’s control expectations. But Provision 29 raises the bar. Now, boards need to prove controls are designed, implemented, monitored and remediated effectively.

That’s why forward-looking organisations are assessing themselves against a maturity model across four areas:

  1. Risk identification and assessment: Are principal risks documented and regularly updated?
  2. Control design and documentation: Are material controls linked to those risks, clearly documented, and owned?
  3. Control testing and assurance: Are controls tested regularly? Is assurance structured across the three lines of defence?
  4. Board oversight and reporting: Are control insights reaching the board with enough regularity and rigour to support a confident declaration?

If your board had to sign off this year, would you be ready?

Why you should start now

Provision 29 doesn’t officially kick in until 2026. But here’s the reality: if your board is expected to sign off on the effectiveness of your internal controls at the end of next year, they’ll need a full year of hard evidence, not a few hastily written lines in December.

That makes 2025 your dress rehearsal. And smart organisations are already treating it that way.

This year is your chance to build muscle memory: to establish what counts as a material control, link it to your top risks, map ownership, define assurance plans, and rehearse the oversight and reporting cycles that will ultimately give your board the confidence to sign that declaration.

It also means stress-testing your reporting formats now (dashboards, board packs, audit committee reports) so you’re not scrambling to explain controls at the eleventh hour.

Some of the most forward-looking firms are already trialling mock declarations, identifying gaps, and fixing them in-year. Why? Because waiting until 2026 to get this right is a gamble they can’t afford to take.

Boards are asking different questions now

Board members and audit chairs are increasingly focused on outcomes, not just processes. We’re seeing a shift in language:

  • “What’s our process?” is being replaced by “How do we know this is working?”
  • “Do we have controls?” is being replaced by “Can we prove they’re effective?”
  • “Who’s responsible?” is being replaced by “Do we have end-to-end accountability?”

Provision 29 doesn’t just ask the board to review a checklist. It demands that directors stand behind a public statement of effectiveness, based on robust, ongoing oversight. Not once a year. All year.

Boards want assurance. But more than that, they want no surprises.

Transparency is the new benchmark

If 2018 was about process, 2024 is about proof.

The revised Code sets a higher bar for disclosure, moving away from performative governance toward meaningful, outcome-driven reporting. And that means no more boilerplate.

Stakeholders, from investors to regulators to proxy advisers, aren’t interested in generic reassurances. They want to see what the board actually did, what changed as a result, and where challenges remain.

This means that:

  • Reporting should explain what the board did and what changed as a result.
  • Boilerplate statements won’t cut it: readers want to understand the process and the outcomes.
  • Stakeholders, from investors to regulators, expect to see how the company has managed risks and responded to control failures.

Transparency isn’t just a compliance obligation. It’s an asset. In a climate of heightened scrutiny, the ability to demonstrate real control effectiveness honestly, clearly, and confidently has become a defining feature of trusted, well-governed companies.

Conclusions and next steps for your organisation

Let’s be blunt: it’s still technically possible to manage internal controls using spreadsheets, scattered documents, and last-minute PowerPoint updates. But under Provision 29, that approach is no longer safe. Or scalable. Or smart.

Manual methods introduce gaps, delays, and blind spots: exactly the kind of weaknesses that this new board-level declaration is meant to expose.

That’s why leading organisations are shifting to technology-enabled controls management environments, using platforms like Protecht ERM to meet Provision 29 requirements.

With the right GRC system in place, you can:

  • Catalogue your material controls, link them directly to risks, obligations and objectives, and manage them in one place.
  • Assign ownership, automate testing workflows, and track remediation with built-in accountability.
  • Give your board a real-time, dashboard-level view of control status, gaps, assurance coverage, and emerging issues.
  • Streamline audits, self-assessments and incident-related control reviews, eliminating silos and duplication.

This isn’t just about checking a compliance box. It’s about giving your board confidence, clarity, and control.

The organisations that start preparing now – mapping controls, embedding accountability, and investing in transparency – won’t be scrambling when the declaration is due.

They’ll be ready. And more than that, they’ll be leading.

About the author

Gary has over 10 years’ experience consulting and providing advisory services to a wide range of clients both locally and overseas. He has an MSc in Finance and Capital Markets. Prior to Protecht, Gary spent time with three global banks consulting on risk and strategic change. He started his career in Risk Advisory at KPMG.