The content on this page has been converted from PDF to HTML format using an artificial intelligence (AI) tool as part of our ongoing efforts to improve accessibility and usability of our publications. Note:
- No human verification has been conducted of the converted content.
- While we strive for accuracy errors or omissions may exist.
- This content is provided for informational purposes only and should not be relied upon as a definitive or authoritative source.
- For the official and verified version of the publication, refer to the original PDF document.
If you identify any inaccuracies or have concerns about the content, please contact us at [email protected].
Provision 29 Mythbuster
Under the 2024 Corporate Governance Code, the revised Provision 29 introduces an additional requirement for the board to provide a declaration of the effectiveness of the company's material controls. Reporting on material controls should be proportionate, consider the risk appetite of the individual organisation, and avoid unnecessary duplication and disclosure of immaterial information.
With Provision 29 effective as of 1 January 2026, this mythbuster answers some of the key questions on stakeholders' minds as companies prepare to report in 2027.
The board should monitor the company's risk management and internal control framework and, at least annually, carry out a review of its effectiveness. The monitoring and review should cover all material controls, including financial, operational, reporting and compliance controls.
The board should provide in the annual report:
- A description of how the board has monitored and reviewed the effectiveness of the framework;
- a declaration of effectiveness of the material controls as at the balance sheet date; and
- a description of any material controls which have not operated effectively as at the balance sheet date, the action taken, or proposed, to improve.
How many material controls should we have?
The FRC will not suggest a number of material controls that companies should aim for. As part of our engagement with companies and their representatives, we believe that the majority of companies are suggesting that they have identified somewhere between 30 and 50 material controls with some companies, particularly those in the financial sector, having more. Companies need only satisfy themselves that the number of material controls they have is right for them. There is no requirement to compare with other similar companies.
Do we need to state our material controls and the testing carried out in our annual report?
We do not expect companies to list their material controls, nor state the specific testing that has been carried out. The reporting should set out the governance that led to the decision on the material controls and the oversight that the board has undertaken. The FRC will not give opinions on what material controls you should have, whether those you have chosen are the right ones, or whether you have the right number - this is very much a company decision based on internal discussions.
If a control fails, for example around cyber, do we have to report how we have technically improved our controls?
We would not expect companies to include anything commercially sensitive in their reporting.
Will boards have to seek external assurance over controls?
The Code does not state that the testing of the material controls should be supported by external assurance; this is a decision for the board and management. These decisions may be different year on year or a board may decide to have external assurance over one element of the framework.
How should the declaration be worded?
The FRC will not be providing any wording for declarations, as companies will choose to approach this in different ways. As long as the declaration is clearly signposted in your annual report and the board demonstrates oversight and confidence in the material controls, this would constitute compliance with the second bullet of the Provision.
If the Regulator finds an error in your financial statements that leads to a restatement of your accounts does this make your internal controls declaration null and void?
No – companies are expected to state the effectiveness of their material controls as per the balance sheet date. There is no requirement to revise your declaration if something later comes to light, nor any expectation that companies report on a material control failure if it has been rectified by the balance sheet date. If there is still a material control issue as per the balance sheet date, we would expect to see reporting on this. Similarly, we would expect to see reporting against publicised issues from across the course of the year, as shareholders and stakeholders would already be aware of the issue.
How long should reporting under Provision 29 be?
The declaration is only one element of the reporting, and so the report should also include commentary on the monitoring and review process, as well as an explanation of how the board reached its decision. In most cases, we expect the report to be no longer than two pages. It is essential that the reporting remains proportionate and concise.
Do you expect to see reporting on the new Provision 29 in 2026?
No - while the new Provision 29 came into force as of 1 January 2026, this applies to accounting periods beginning on or after that date. We therefore expect to see reporting against the new Provision in the following year, and we do not require early adoption, nor any declarations to be made before this time.
Will the FRC continue to provide examples of good practice?
While we expect to see the first annual reports produced under the new 2024 Code in 2026, reporting on the new Provision 29 will commence from 2027 onwards. The FRC will continue its annual review of corporate governance reporting in 2026 pulling out examples of good practice reporting.
Are companies that report under SOX required to have a different approach to meet the requirements of Provision 29?
We understand that companies that report under the US Sarbanes Oxley Act (SOX) are using their current approach and building on it to meet the requirements of Provision 29, as Provision 29 goes beyond the financial controls reporting expected under SOX.
Financial Reporting Council
13th Floor, 1 Harbour Exchange Square, London, E14 9GE +44 (0)20 7492 2300 www.frc.org.uk
Follow us on Linked in