What does the Provision 29 internal control declaration require?

To comply with Provision 29, boards must disclose in their annual report: How they monitored and reviewed the effectiveness of internal controls Whether they consider the material controls to be effective as of the balance sheet date Any material control weaknesses, with details of remediation or improvement plans This must apply to all material controls, not just financial ones. Aligning with COSO or ISO-style control frameworks is strongly recommended

What are the internal control expectations under the 2024 UK Corporate Governance Code?

The UK Corporate Governance Code 2024 sets out expectations for boards to establish, monitor and annually assess a risk management and internal control framework. This includes: Assigning control ownership and responsibilities Embedding risk management into strategy and operations Testing and improving control effectiveness Reporting transparently on governance outcomes, not just structures.Provision 29 builds on these by requiring formal board-level assurance on the effectiveness of internal controls

How can Protecht ERM help meet Provision 29 requirements?

Protecht ERM provides a structured, integrated system to help you: Document and map material controls to principal risks Track control testing, remediation and assurance activities Provide board-ready dashboards for the annual effectiveness declaration Centralise risks, obligations, issues and incidents to create a single source of truth Align with COSO, ISO 31000 and the FRC’s expectations for board accountability and transparency.

When should companies start preparing for Provision 29 compliance?

Although Provision 29 applies to periods starting from 1 January 2026, preparation should begin well in advance, ideally by mid-2025. Companies need time to: Define and document material controls Implement structured testing and monitoring cycles Remediate any weaknesses ahead of the reporting date. Boards will need real-time, auditable evidence by year-end not just retrospective reviews

UK Corporate Governance Code Provision 29

Controls you can trust. Evidence the board can sign.

The UK Corporate Governance Code's upcoming Provision 29 requires the board to declare internal control effectiveness. This requires more than process. Protecht's GRC software solution gives you the tested controls, mapped risks, and clear assurance pathways your board needs to declare effectiveness.

Monitor and evidence internal control effectiveness.

Give your board the evidence it needs to declare that controls are effective.

Document all material controls in a structured control library using consistent attributes aligned to COSO and ISO 31000 best practices
Link each control to relevant principal risks, obligations and policies to demonstrate top-down alignment and reduce duplication
Assign and simplify testing workflows using control self-assessments, internal audit test plans and structured assurance templates
Track control failures and remediation actions in real time, with visibility into open items before year-end
Enable the board to make its Provision 29 declaration with supporting evidence that is timely, traceable and complete

Streamline assurance across the three lines.

Clarify roles, eliminate duplication and prove coverage across the business.

Map assurance responsibilities using the three lines of defence model and define who owns, tests and oversees each control
Schedule regular testing across all three lines and consolidate the results in a single view
Automate follow-ups and reminders for overdue remediation, ensuring issues are addressed before the balance sheet date
Use real-time dashboards to demonstrate how assurance activities cover the full scope of financial, operational, compliance and reporting controls
Provide internal and external auditors with a transparent view of what’s tested, by whom, how often, and with what result

Create a single source of truth for risk and control.

Unify fragmented processes into a connected, organisation-wide framework.

Maintain connected registers for risks, controls, obligations, incidents, and issues, all mapped and cross-referenced
Apply a common taxonomy across business units for easier aggregation and risk reporting
Ensure traceability from strategic objectives to control effectiveness
Log and monitor real-time incidents that impact control design or effectiveness
Replace spreadsheets and standalone systems with a scalable, auditable platform that supports ongoing control improvement

Enable confident, board-level reporting.

Deliver data-driven, board-ready assurance for Provision 28 and Provision 29 compliance.

Use real-time dashboards to visualise control effectiveness, open issues, assurance coverage and testing progress
Track effectiveness of controls at the level required for annual reporting across financial, operational, compliance and reporting domains
Export dashboards and reports directly into board packs and disclosures, with commentary on weaknesses and remediation actions
Align reports to the UK Corporate Governance Code 2024’s expectations on outcomes-focused governance and monitoring
Give your board, risk committee and auditors full visibility of how internal controls are governed, tested, and remediated

In-person workshop with Michael Rasmussen

Navigating provision 29 of the UK Corporate Governance Code.

Thursday 4 September 2025, London SW1, 10am–4pm BST

The most significant change to UK corporate governance in a decade is here. From 2026, boards must demonstrate their risk and control frameworks are not just designed, but effective, agile, and embedded.

Join global GRC authority Michael Rasmussen for a deep dive into Provision 29. Walk away with practical strategies to align risk and control with business objectives, deliver board confidence, and satisfy regulators.

Register now to save your place!

Downloadable checklist

Provision 29 internal controls maturity checklist.

Is your organisation ready to stand behind its controls?

Provision 29 requires boards to declare the effectiveness of internal controls—confidence starts with knowing where you stand.

Download Protecht’s Provision 29 Internal Controls Maturity Checklist to:

Identify gaps across risk, control design, and assurance
Strengthen governance, oversight, and reporting
Benchmark your readiness for the board’s declaration

Your first step to better controls management: get the checklist now.

How Protecht ERM helps you meet Consumer Duty requirements.

Visualisation of the customer journey

Visualise your end-to-end customer service process via embedded process mapping. Identify where weak operational resources are contributing to customer detriment and infringing on customer rights.

Expert reviews

Templates for tactical and strategic reviews. Integration with control assurance activities enables deep understanding of the operational control environment. Deep-dive templates to support comprehensive product assessment and service reviews.

Testing and assurance

Enable management of issues identified through the fair value test process. Testing templates which enable evidence collection to support documentation management and the attestation process.

Continuous improvements

Interface for action management. Remedial actions and space to link actions coming from independent assurance reviews.

Governance

Governance templates for annual board attestations and reports. Underpinned by workflow alert tool which provisions for the dependency on accuracy and timely completeness of data.

Compliance monitoring

Templates to support ongoing testing and assurance of customer outcomes. Adherence to customer collateral and contracts. Link compliance rules and obligations to assessments to support attestation process. Management reports providing comparative analysis on revenue generation KPIs vs customer KPIs over time.

Analytics

Designing product insights to demonstrate good outcomes. Ability to reconcile customer outcomes vs risk appetite. Integration of external data points (e.g. use open banking data to identify where customers' money not working hard for them). Informed decision making based on research and information.

Learn more

4 Sept | Register now

In-person workshop with Michael Rasmussen

Navigating provision 29 of the UK Corporate Governance Code.

Join global GRC authority Michael Rasmussen for a deep dive into Provision 29. Walk away with practical strategies to align risk and control with business objectives, deliver board confidence, and satisfy regulators.
Learn more
Watch on demand

Expert panel webinar

Beyond the deadline: Navigating the next phase of regulatory change.

Financial services organisations must ensure they are not only meeting compliance deadlines but also preparing for long-term resilience. This webinar on the regulatory change agenda will help you understand how to achieve both of these goals:
Register now

Compliance brochure.

Find out how Protecht helps you to achieve compliance objectives, improve resilience and manage risk.

Operational resilience brochure.

Ensure that your operational resilience and business continuity management processes are able to support your customers and meet your regulatory requirements.

Information security and cyber brochure.

Safer, smarter information security, allowing you to better protect your organisation.

Vendor risk management brochure.

Find out how our vendor risk management solution allows you to manage vendor risk and avoid disruption.

Trusted by well known organisations

UK Consumer Governance Code FAQ

Provision 29 is a new requirement in the UK Corporate Governance Code 2024 that mandates boards of premium-listed companies to provide an explicit annual declaration that their internal controls are effective. This applies to controls covering financial, operational, compliance and reporting risks, and takes effect for financial years beginning on or after 1 January 2026.

To comply with Provision 29, boards must disclose in their annual report:

How they monitored and reviewed the effectiveness of internal controls
Whether they consider the material controls to be effective as of the balance sheet date
Any material control weaknesses, with details of remediation or improvement plans
This must apply to all material controls, not just financial ones. Aligning with COSO or ISO-style control frameworks is strongly recommended

Provision 29 applies to premium-listed companies on the London Stock Exchange. However, many subsidiaries, private firms, and foreign-listed companies voluntarily adopt the UK Code to demonstrate strong governance to investors, parent companies or regulators, especially in financial services and regulated sectors.

The UK Corporate Governance Code 2024 sets out expectations for boards to establish, monitor and annually assess a risk management and internal control framework. This includes:

Assigning control ownership and responsibilities
Embedding risk management into strategy and operations
Testing and improving control effectiveness

Reporting transparently on governance outcomes, not just structures.
Provision 29 builds on these by requiring formal board-level assurance on the effectiveness of internal controls

Protecht ERM provides a structured, integrated system to help you:

Document and map material controls to principal risks
Track control testing, remediation and assurance activities
Provide board-ready dashboards for the annual effectiveness declaration
Centralise risks, obligations, issues and incidents to create a single source of truth
Align with COSO, ISO 31000 and the FRC’s expectations for board accountability and transparency.

Although Provision 29 applies to periods starting from 1 January 2026, preparation should begin well in advance, ideally by mid-2025. Companies need time to: