Provision 29: How Boards can prepare for the changes

Provision 29 of the revised 2024 UK Corporate Governance Code is one of the most significant changes to internal controls reporting in more than a decade.

Provision 29 raises the bar from oversight to evidenced assurance, asking boards to be clear about which controls are material, how effectiveness has been assessed, and what the board is declaring.

Effective for periods beginning on or after 1 January 2026, Provision 29 increases scrutiny and expectations from regulators, investors and wider stakeholders, particularly around the quality and specificity of reporting.

What is Provision 29?

In practical terms, Provision 29 requires boards to:

  • Monitor and review the effectiveness of the organisation’s risk management and internal control framework
  • Assess and declare whether material controls are designed and operating effectively
  • Provide transparent disclosures explaining how the assessment was performed and what it covered

This is a shift from a largely process-driven approach (“a review took place”) to an outcomes-based expectation. Boards must be able to provide evidence supporting their view that material controls were effective across the financial period.

Many companies have already started mapping principal risks and identifying key control areas. The next and more demanding phase is ensuring controls operate consistently, assurance is reliable, and reporting meets the market’s expectations.

 

Why Provision 29 matters for Boards

Provision 29 elevates Board accountability. It calls for a clearer “line of sight” between:

  1. The company’s most significant risks
  2. The controls that mitigate them
  3. The assurance the board relies on to make its declaration

It also increases the importance of high-quality narrative reporting. In its Annual Review of Corporate Governance Reporting (Nov 2025), the Financial Reporting Council (FRC) highlighted that many companies still provide minimal disclosure, with only 40% giving meaningful detail on what the review covered or who conducted it.

For boards, this creates both a risk and an opportunity:

  • Risk, because weak or generic disclosure can undermine confidence and invite scrutiny.
  • Opportunity, because a well-structured approach can strengthen governance, improve resilience, and enhance stakeholder trust.

The four biggest challenges boards face under Provision 29

1. Defining what makes a control “material”

The code and guidance do not prescribe a single definition of material controls. In practice, material controls are those that mitigate risks capable of threatening the organisation’s business model, solvency, liquidity, or the integrity of financial and regulatory reporting, often including fraud-related controls and key IT/cyber controls.

A common challenge is moving beyond a long list of controls to a defensible, board-ready rationale for why specific controls are classed as material and how they link to principal (and other critical) risks.

What good looks like in practice

  • Many companies are adopting a pillar-based approach to group and rationalise controls across risk domains.
  • Market trends often show 15–20 focus areas and 50–60 material controls (varying by size, complexity and sector).
  • Material controls are typically a mix of entity-level oversight, framework-based controls (e.g., ICFR and cyber), and transaction-level controls.

2. Gaining appropriate and reliable assurance

Provision 29 requires boards to demonstrate how they know controls are effective, not simply that controls exist. 

That often means clarifying:

  • Who provides assurance (management, second line, internal audit, external assurance)
  • Where boards can place reliance
  • How duplication and gaps are avoided

A practical approach many companies are adopting

This means building an assurance map that consolidates multiple assurance sources and aligns them to the different types of material controls, recognising that not all controls require the same depth of testing or assurance. This helps boards see whether coverage is proportionate and complete, and it strengthens the audit trail behind the declaration.

3. Demonstrating high-quality reporting and disclosure

A core expectation under Provision 29 is that disclosures are clear, specific and useful, avoiding vague “tick-box” statements. The FRC’s review noted that many companies still provide limited detail and encourages companies to be explicit about whether weaknesses were found, how significant they were, and what action was taken. 

What boards should be ready to explain

A strong disclosure typically outlines:

  • What the review covered and the period it relates to
  • Which controls were considered material (including finance, operational, reporting, compliance and IT/cyber)
  • What evidence and reporting reached the board (e.g., self‑assessments, internal audit findings, remediation tracking)
  • How the board formed its conclusion

4. Leveraging existing frameworks to drive efficiency (and avoiding duplication)

One of the biggest risks is treating Provision 29 as a standalone compliance project. Done in isolation, it can create extra layers of documentation, testing and reporting, increase cost and disrupt the business.

Many companies are therefore mapping Provision 29 to existing frameworks such as Internal Control over Financial Reporting (ICFR), the Economic Crime and Corporate Transparency Act (ECCTA) and other governance and compliance regimes to create one coherent “source of truth” for risks, controls, testing and assurance.

Benefits of integration can include a shared control taxonomy, combined testing cycles, consistent documentation standards, and streamlined remediation, all while strengthening board oversight.

What boards can do now: practical next steps

To move from planning into execution, boards and executive teams can focus on four practical actions:

  1. Confirm the scope and definition of material controls
    Agree a methodology (and rationale) that links material controls to principal and critical risks.
  2. Build a proportionate assurance model
    Create an assurance map that shows coverage, reliance and evidence by control type and risk level.
  3. Run a “dry run” of testing and reporting
    Identify gaps in evidence, inconsistencies in documentation, and areas needing remediation before the formal declaration period.
  4. Align with existing frameworks and tooling
    Integrate with ICFR and other governance frameworks to minimise duplication and improve consistency.

How we can help

Provision 29 is ultimately about building confidence for boards and stakeholders that material controls are working effectively. For many companies, the biggest challenge is not intent, but creating a robust, repeatable approach to defining materiality, collecting evidence, aligning assurance and producing board-ready disclosure.

Forvis Mazars can support boards and executive teams with:

  • Material controls scoping and rationalisation (including pillar-based approaches)
  • Designing assurance maps and testing strategies aligned to board expectations
  • Readiness assessments, dry runs and remediation planning
  • Reporting support to strengthen clarity, structure and evidence trails
