Demonstrating compliance with Provision 29 of the UK Corporate Governance Code

From January 2026, boards of UK premium-listed companies will have to state, explicitly, whether their material internal controls are effective.

Boards will not be asked whether controls are improving or whether management believes they are broadly sound. They will be required to state, clearly, whether those controls are effective.

This requirement sits at the heart of Provision 29 of the 2024 UK Corporate Governance Code, which applies to financial years beginning on or after 1 January 2026. This is the most significant governance change in a decade because it turns what was previously a process-focused obligation into an outcomes-based declaration. 

For compliance, risk, and internal control teams, this requires some thought and action.

What Provision 29 actually requires

Provision 29 does not ask boards to design new controls or adopt a prescribed framework. It asks them to do three things and to report on them clearly:

  1. Monitor the company’s risk management and internal control framework.
  2. Carry out at least an annual review of its effectiveness.
  3. Declare whether the company’s material controls were effective as at the balance sheet date.

The scope is deliberately broad. Material controls are not limited to financial controls. They include operational, compliance, and reporting controls, including narrative and ESG reporting where relevant.

Crucially, the Code leaves the definition of “material” to the board’s judgement. That judgement must be defensible, documented, and grounded in the company’s risks, strategy, and risk appetite.

The Financial Reporting Council has been explicit that boilerplate disclosures are not the goal, and that boards should be able to explain how they reached their conclusions, what evidence they relied on, and how weaknesses are being addressed.

Why this feels harder than it looks

Most large organisations already have controls. Many have very good ones. What they often lack is a single, coherent view of those controls that can support a board-level declaration.

Across the market, controls tend to be:

  • Spread across functions and business units
  • Documented in inconsistent formats
  • Owned locally rather than centrally
  • Tested for different purposes at different times
  • Evidenced in spreadsheets, emails, SharePoint folders, and local tools

Individually, the controls exist. Collectively, no one can confidently say which ones are material, who owns them globally, whether they operate consistently across entities, and what evidence supports their effectiveness.

This is why many organisations are discovering that Provision 29 is less about fixing broken controls and more about fixing visibility, ownership, and evidence.

What “material controls” look like in practice

In general, most organisations are identifying somewhere between 20 and 40 material controls, with some landing higher depending on complexity and sector. These sit across risk, compliance, internal audit, and finance.

Importantly, there is a clear trend away from hundreds of granular transactional controls and towards a smaller number of higher-level controls that genuinely matter. These often include:

  • Entity-level or framework controls
  • Oversight and governance controls at board or committee level
  • Controls whose failure would significantly affect the business model, solvency, reputation, or investor decisions

One way to assess whether a control is material is to consider “Jenga controls”, meaning controls that, if removed, would cause the structure to collapse. This approach aligns closely with FRC guidance, which emphasises proportionality and material impact rather than volume.

Effectiveness means evidence, not comfort

The most uncomfortable part of Provision 29 is the word “effective”. Effectiveness is not defined by the absence of incidents. Nor is it defined by good intentions or mature policies. Boards are expected to rely on evidence gathered through monitoring and review.

In practice, organisations are using a mix of indicators, including:

  • Whether the control is properly designed
  • Whether it operates consistently across the group
  • Completion and timeliness metrics
  • Quality of documentation
  • Results of testing, self-assessments, or assurance
  • Real-world outcomes, including incidents, near misses, or remediation history

There is broad consensus that a single control failure does not automatically mean a material control is ineffective. Context matters. Severity, recurrence, and impact matter. Professional judgement still applies, though it must now be recorded and explained.

The board cannot delegate the conclusion

Provision 29 is explicit on one point. This is a board declaration. Management, risk functions, and internal audit can provide information, analysis, and assurance. External advisers can support. None of them can make the declaration.

Boards are expected to understand the basis on which effectiveness is being asserted, to challenge where necessary, and to own both the conclusion and the disclosure.

This has practical implications. Boards need reporting that is clear, consistent, and decision-useful. They need to see how controls map to principal risks, how issues are tracked, and how remediation is progressing over time.

Comply or explain still applies

The UK Corporate Governance Code remains a comply or explain regime. Boards can conclude that material controls are not fully effective.

Where controls are not effective, the annual report must describe:

  • Which controls were affected
  • Why they were not effective
  • What actions have been taken or are planned
  • How previously reported issues have progressed

A weak explanation will attract scrutiny. A clear explanation, grounded in evidence and accompanied by credible remediation, is entirely consistent with the Code’s intent.

Turning Provision 29 into something workable

To prepare for Provision 29, organisations should stop treating this as a year-end disclosure exercise and start treating it as a control lifecycle issue. The focus now should be on building a clear, repeatable approach to how controls are identified, owned, assessed, evidenced, and reported. That means:

  • Defining material controls centrally
  • Assigning clear ownership
  • Deploying controls consistently across entities
  • Assessing effectiveness using agreed criteria
  • Capturing evidence in a structured way
  • Tracking gaps and remediation over time
  • Producing reporting that boards can rely on

When this is done well, boards gain confidence. Risk teams gain leverage. Control owners understand expectations. The organisation moves away from reactive assurance towards continuous oversight.