By January 2026, boards of UK-listed companies will need to make an explicit annual declaration on the effectiveness of their internal controls under Provision 29 of the revised UK Corporate Governance Code.

The opinions expressed here are those of the authors. They do not necessarily reflect the views or positions of UK Finance or its members. 

This is more than a formality. It’s a governance tipping point, shifting the conversation from whether controls exist to whether they actually work, how they are monitored, and what evidence supports that claim.

The change, sometimes called “UK SOX”, brings controls management out of the finance silo and places it firmly on the boardroom agenda.

Why boards need to act now

Provision 29 applies to accounting periods beginning on or after 1 January 2026. That means 2025 is the dress rehearsal. Forward-looking boards are already:

  • Defining what counts as a material control
  • Mapping these controls to top risks and ownership
  • Establishing structured assurance plans
  • Stress-testing board-level reporting formats
  • Running mock declarations to identify and close gaps

Leaving this until late 2026 is a gamble. By then, the opportunity to collect a year of reliable assurance evidence will have passed.

From assessment to implementation

Provision 29 raises the bar across the entire control lifecycle:

  • Risk and control design: Review how precisely controls are mapped to their relevant risks and inventory
  • Implementation and remediation: Support remediation plans for areas requiring technical intervention
  • Assurance, reporting and MI: Develop a roadmap for ongoing assurance mapping and reporting

This means managing principal risk mitigations, key business process and IT controls, reporting controls, and compliance controls in a consistent, integrated framework.

The “approach on a page” for board confidence

Boards need clear, concise oversight, not a deluge of disconnected reports. The ideal outcome is a single-view “approach on a page”, combining data from:

  • Material risks: Aggregated from business unit to enterprise level, linked to risk appetites
  • Material controls: Distinct from key controls, tested for effectiveness, with assurance evidence
  • Assurance activity: Coverage mapped across the three lines of defence
  • Issues & actions: High-risk issues and remediation tasks tied to material controls
  • Risk appetite monitoring: Showing where risks sit relative to agreed tolerances

Controls taxonomy to assurance and remediation

The diagram below distils an integrated Provision 29 methodology into a single, board-ready view. 

It shows how key governance data sources feed into a structured controls taxonomy. From there, controls are filtered for materiality, tested periodically, and the results are channelled into two possible pathways – assurance and remediation.

This streamlined flow makes it clear where each control stands, what action is required, and how that contributes to the board’s readiness for the year-end declaration. 

Why technology matters

Manual, spreadsheet-driven methods are slow, error-prone, and lack transparency. GRC software allows you to:

  • Catalogue and link material controls to risks, obligations, and objectives
  • Automate testing and remediation workflows with built-in accountability
  • Provide real-time dashboards for board and committee oversight
  • Streamline audits, self-assessments, and incident-related control reviews

The result: a sustainable, evidence-based control environment that stands up to stakeholder scrutiny.

Conclusions and next steps for your organisation

Provision 29 sets a new benchmark for UK corporate governance: one where control effectiveness is evidenced, traceable, and defensible.

With the right framework and technology in place, you can move beyond simply “being compliant” to building a transparent, data-driven control environment:

  • Maintain a structured, centralised control library aligned to recognised frameworks such as COSO and ISO 31000
  • Link controls to principal risks, obligations, and policies for full traceability and reduced duplication
  • Simplify testing and remediation across the three lines of defence, ensuring accountability and timely closure of gaps
  • Deliver real-time, board-ready dashboards and reports that clearly show control status, assurance coverage, and open issues

The organisations that start now will not only meet Provision 29’s first declaration with confidence; they’ll establish themselves as leaders in transparent, well-governed business practice.
