Compliance alert: Is your firm ready for the 2026 internal controls declaration requirement?

The UK Corporate Governance Code 2024 has introduced a major shift in compliance and reporting expectations for premium-listed companies. From financial years beginning on or after 1 January 2026, companies must include a formal board declaration in their annual reports on the effectiveness of their material internal controls. This new obligation under Provision 29 significantly elevates the role of internal controls and risk assurance in corporate governance.

For compliance professionals, this means a step-change in responsibility, visibility and expectations. 

The updated Code applies to all companies with a premium listing on the London Stock Exchange, regardless of where they are incorporated. From 2025, this will apply to companies listed under the commercial companies or closed-ended investment funds categories.

Provision 29 applies from financial years beginning on or after 1 January 2026. For most December year-end companies, the first reports under Provision 29 will be due in early 2027.

What do companies have to declare?

Provision 29 requires three disclosures in the annual report relating to material controls:

  1. How the board monitored and reviewed the effectiveness of the company’s risk management and internal control framework.
  2. A declaration that material controls were effective as at the balance sheet date.
  3. A description of any material controls that failed and the steps taken (or planned) to fix them, including progress on previously identified issues.

What counts as a ‘material control’?

The FRC does not prescribe a definition, but companies should consider controls as ‘material’ if their failure could reasonably influence investor decisions. Material controls are those safeguards and procedures that are critical to maintaining the integrity, accuracy and legality of a company’s operations and reporting. These controls protect the organisation from risk, ensure it meets regulatory obligations, and provide confidence to shareholders. The UK Corporate Governance Code categorises material controls into four main types:

  • Operational: M&A activity, cyber resilience, health and safety, supply chain disruption.
  • Financial: Liabilities, inventories, accounts receivable/payable.
  • Compliance: Bribery Act, ECCTA, GDPR, CSRD.
  • Reporting: ESG disclosures, viability statements, strategic reports.

Use the IFRS materiality test: would omission, misstatement or obscuration of the information affect primary users of the financial statements?

What are operational controls?

Operational controls relate to the everyday functioning of the business and how it manages strategic and operational risks. They include:

  • Controls around mergers & acquisitions, capital investments, and divestitures
  • Supply chain and logistics resilience
  • Business continuity and disaster recovery planning
  • Cybersecurity and health & safety procedures

Operational controls ensure the company runs efficiently and responds effectively to disruption.

What are financial controls?

Financial controls are procedures and checks that ensure financial statements are accurate and comply with accounting standards. They include:

  • Financial statement close processes (FSCP)
  • Budgeting and forecasting (FP&A)
  • Controls over receivables, payables, inventory, and liabilities

These controls help prevent misstatements and fraud, and ensure the company meets regulatory and investor expectations.

What are compliance controls?

These ensure adherence to laws, regulations, and corporate policies (see the full annex at the end of this article). Key compliance areas include:

  • Anti-bribery and corruption (Bribery Act)
  • Fraud prevention (Failure to Prevent Fraud – ECCTA)
  • Data protection (GDPR)
  • ESG-related regulations (e.g. CSRD, Modern Slavery)

These controls help avoid legal liabilities, fines, and reputational damage.

What are reporting controls?

These refer to internal systems that ensure accurate and complete narrative disclosures. They govern:

  • Strategic and directors’ reports
  • ESG disclosures and climate-related financial information
  • Viability and going concern statements
  • Governance and risk reporting

Accurate reporting is critical for maintaining investor trust and meeting legal obligations.

Comply or explain: What if controls fail?

The UK Corporate Governance Code is based on a “comply or explain” model. This recognises that one size does not fit all. While companies are expected to adhere to its provisions, the Code does not mandate rigid compliance. If a company identifies that a material control has failed, or has chosen not to comply with a specific provision, it is not automatically in breach. Instead, the board must provide a full and transparent explanation in the annual report.

This explanation should go well beyond a vague statement. It must clearly articulate:

  • Why the control failed: Was it a one-off event, a systemic weakness, or a failure in oversight?
  • How it is being fixed: What remedial steps have been taken or are in progress? Have resources, responsibilities, or processes changed as a result?
  • Timeline to resolution: When will the issue be fully addressed? What milestones or indicators will be used to track progress?
  • Why the chosen approach is appropriate: Boards must justify why the response represents good governance and is tailored to the company’s structure, strategy, and risk profile.

This is not a box-ticking exercise. Investors, regulators, and proxy advisers will expect detailed, credible and specific explanations that demonstrate accountability. Weak, generic, or boilerplate disclosures are likely to be challenged, especially if the same control issues appear year after year without evident improvement.

Done well, “explain” can be a strength, not a weakness. It offers companies the opportunity to demonstrate thoughtfulness, responsiveness and integrity in governance. But to meet that standard, compliance and legal teams must be prepared to collaborate closely with internal audit, risk, and the board to develop a defensible narrative backed by evidence and action.

Key risks to prioritise

Compliance teams should pay special attention to several high-impact risk areas that are likely to form the backbone of material internal controls. These risks are not only critical to business resilience but are increasingly under the microscope of regulators and investors:

Cybersecurity and AI risks

As digital transformation accelerates, cyber threats continue to evolve. From ransomware attacks to data breaches and system failures, the operational and reputational consequences are severe. Additionally, the use of AI in decision-making, financial modelling or HR screening raises risks around explainability, bias, and regulatory compliance. Boards should treat cybersecurity and AI governance as board-level issues and ensure controls are in place for monitoring, incident response, and ethical AI use.

Greenwashing and ESG reporting errors

With expanding climate and ESG disclosure requirements, especially under the UK’s TCFD, ISSB, and upcoming CSRD frameworks, companies face heightened scrutiny. The risk of greenwashing (making misleading sustainability claims) is now a regulatory red flag. Compliance teams must ensure that ESG data is accurate, auditable, and aligned with public statements. Narrative disclosures should be substantiated with evidence and reviewed as rigorously as financial statements.

Fraud, especially internal fraud and control override

The introduction of the Failure to Prevent Fraud offence under the Economic Crime and Corporate Transparency Act (ECCTA) puts internal controls front and centre. Common vulnerabilities include override of controls by senior staff, conflicts of interest, and procurement fraud. Robust anti-fraud frameworks, whistleblowing systems, segregation of duties and continuous monitoring are essential.

Disclosure failures under ECCTA or the Bribery Act

The bar for transparency continues to rise. Under both ECCTA and the Bribery Act, companies must be able to evidence adequate or reasonable procedures to prevent misconduct. Failure to disclose material risks, enforcement actions, or associated persons in breach can result in civil and criminal liability. Controls must ensure timely, accurate, and complete disclosures in both statutory and voluntary filings.

Key actions for compliance teams

  • Begin risk assessments across all major business areas.
  • Identify and define what constitutes “material” controls.
  • Establish ownership and accountability for each control.
  • Engage with internal audit and risk teams to align assurance frameworks.
  • Implement or enhance documentation of key controls.
  • Design effectiveness testing mechanisms (e.g. walkthroughs, sampling).
  • Set up reporting templates to capture failings, mitigations, and improvements.
  • Trial run internal control statements without publishing.
  • Finalise assurance processes and board oversight procedures.
  • Ensure board and audit committee are prepared to make a formal declaration.
  • Publish first full statement in annual report for financial year ending December 2026.

Common compliance controls for UK listed companies

Below is a non-exhaustive list of typical compliance controls a UK premium-listed company may need to incorporate into its internal controls framework and annual reporting:

Financial Crime & Anti-Corruption Controls

  • Bribery Act 2010 policies, procedures and training
  • ECCTA (Failure to Prevent Fraud) compliance and reporting
  • Anti-money laundering checks (AML), including PEP/Sanctions screening
  • Fraud prevention policies and whistleblowing procedures

Data & Privacy Controls

  • GDPR compliance framework and breach response
  • Data mapping and processing records
  • Data subject rights procedures (SARs, RTBF, etc.)
  • Data Protection Impact Assessments (DPIAs)

ESG & Reporting Controls

  • TCFD or ISSB-aligned climate disclosures
  • Modern Slavery Act compliance
  • Gender pay gap reporting
  • ESG data governance and verification

Cybersecurity & Technology Controls

  • Cyber risk assessments
  • Access controls, encryption, and incident response planning
  • Cybersecurity training for employees
  • IT disaster recovery/business continuity testing

Governance & Board-Level Controls

  • Board evaluation and succession planning
  • Conflicts of interest register and director independence monitoring
  • Disclosure of related party transactions
  • Committee charters and performance reviews

Employment & Workforce Controls

  • Health and safety (RIDDOR reporting, DSE assessments)
  • Diversity and inclusion reporting (e.g. FTSE Women Leaders)
  • Whistleblowing channels and protections
  • Workforce engagement mechanisms

Market & Regulatory Reporting Controls

  • Market abuse and insider trading policies
  • MAR disclosures and insider lists
  • Listing Rule compliance controls
  • Disclosure controls for regulated news service (RNS) announcements

Sector-Specific Regulatory Compliance

  • FCA/PRA compliance (for financial institutions)
  • UK Corporate Governance Code compliance tracking
  • CSRD/Pillar 2 (for multinationals)
  • Export controls and sanctions compliance (for international trade)

Each of these areas should have defined control owners, documented procedures, risk assessments, and effectiveness testing in place.
