The content on this page has been converted from PDF to HTML format using an artificial intelligence (AI) tool as part of our ongoing efforts to improve accessibility and usability of our publications. Note:
- No human verification has been conducted of the converted content.
- While we strive for accuracy errors or omissions may exist.
- This content is provided for informational purposes only and should not be relied upon as a definitive or authoritative source.
- For the official and verified version of the publication, refer to the original PDF document.
If you identify any inaccuracies or have concerns about the content, please contact us at [email protected].
Mythbuster: the auditor's responsibilities in respect of the provision 29 statement required by the UK Corporate Governance Code 2024 (June 2026)

- Introduction
- Does the auditor's opinion on the financial statements cover the Provision 29 statement?
- What are the auditor's responsibilities in respect of the Provision 29 statement?
- Do the material controls identified by the Board to comply with Provision 29 correspond to the controls that the auditor identifies as part of the audit as being relevant to the preparation of the financial statements?
- Is the auditor required to test the design, implementation and operating effectiveness of material controls identified by the Board to comply with Provision 29?
- What are the auditor's responsibilities if they identify a significant deficiency in internal control as part of their audit of the financial statements in an area that includes a material control?
- What is the impact on the audit when the Provision 29 statement identifies an ineffective material control?
- Are there other auditor's responsibilities under law or regulation for the Provision 29 statement?
Introduction
Effective for periods commencing on or after 1 January 2026, companies reporting under The UK Corporate Governance Code 2024, are required to include a Board declaration of the effectiveness of the company's material controls in the annual report (the “Provision 29 statement").
This Mythbuster sets out information for stakeholders that may assist in determining the auditor's responsibilities under ISAs (UK) in audits of financial statements where the accompanying annual report contains the Provision 29 statement.
The Corporate Governance Code 2024, Provision 29: The Board should monitor the Company's risk management and internal control framework and, at least annually, carry out a review of its effectiveness. The monitoring and review should cover all material controls, including financial, operational, reporting and compliance controls.
The Board should provide in the annual report:
- a description of how the Board has monitored and reviewed the effectiveness of the framework;
- a declaration of effectiveness of the material controls as at the balance sheet date; and
- a description of any material controls which have not operated effectively as at the balance sheet date, the action taken, or proposed, to improve.
Does the auditor's opinion on the financial statements cover the Provision 29 statement?
No. The auditor's opinion on the financial statements does not cover the Provision 29 statement.
The requirements of the relevant UK auditing standards have not been changed or extended in response to changes to the UK Corporate Governance Code.
What are the auditor's responsibilities in respect of the Provision 29 statement?
The Provision 29 statement is other information for the auditor's purposes. ISA (UK) 7201 deals with the auditor's responsibilities relating to other information included in an entity's annual report.
Other information – Financial or non-financial information (other than financial statements and the auditor's report thereon) included in an entity's annual report.
As part of their responsibilities under ISA (UK) 720, the auditor reads and considers the Provision 29 statement, alongside the other information. The auditor's objective in respect of other information is to consider whether there is a material inconsistency between the other information and the financial statements or the auditor's knowledge obtained in the audit.2 The auditor applies professional judgement to determine what procedures, if any, are needed in their consideration of the Provision 29 statement.3 Performance of those procedures does not represent an assurance engagement.
Do the material controls identified by the Board to comply with Provision 29 correspond to the controls that the auditor identifies as part of the audit as being relevant to the preparation of the financial statements?
Not necessarily. Whilst there may be some overlap, the controls identified by the Board under Provision 29 and those identified by the auditor for the financial statement audit are not identical and serve different purposes.
Under the UK Corporate Governance Code, the Board is required to monitor the company's risk management and internal control framework and carry out a review of its effectiveness, covering all material controls, including financial, operational, reporting and compliance controls.
By contrast, the auditor is required to obtain an understanding of the entity's system of internal control sufficient to identify and assess the risks of material misstatement of the financial statements. The scope of the auditor's work in respect of controls is therefore much narrower as it is relevant to the preparation of the financial statements.
Is the auditor required to test the design, implementation and operating effectiveness of material controls identified by the Board to comply with Provision 29?
No, the auditor is not required to test the design, implementation and operating effectiveness of the material controls identified by the Board for the Provision 29 statement. As set out in ISA (UK) 720,4 the auditor's responsibilities in respect of the Provision 29 statement are limited to reading and considering the Provision 29 statement, as it forms part of the other information, and do not extend to testing the design, implementation and operating effectiveness of the material controls identified in the Provision 29 statement. The auditor may, however, choose to test the operating effectiveness of controls as part of their response to assessed risks in the audit. This may include controls which are also material controls under Provision 29.5
What are the auditor's responsibilities if they identify a significant deficiency in internal control as part of their audit of the financial statements in an area that includes a material control?
When performing the audit of the financial statements, any significant deficiency, or combination of deficiencies, in internal control identified in the audit forms part of the auditor's knowledge obtained in the audit. The auditor takes this knowledge into account when considering whether a material inconsistency exists between the Provision 29 statement and the auditor's knowledge obtained in the audit. In doing so, the auditor also considers their overall understanding of the significant deficiency, including the results of management's remedial actions prior to the balance sheet date and the outcome of any communications with management or those charged with governance under ISA (UK) 2606 and ISA (UK) 265.7 A significant deficiency in internal control identified during the audit, even when it arises in the same overall area as a material control, does not necessarily contradict the Board concluding that material controls are effective for the purpose of the Provision 29 statement.8 The auditor uses professional judgment to consider whether there is a material inconsistency between the Board's disclosures in the Provision 29 statement and the auditor's knowledge obtained in the audit. Where the auditor concludes that the significant deficiency in internal control does not undermine the Board's Provision 29 statement, no further action under ISA (UK) 720 may be required. However, if the deficiency calls into question statements made in the other information, the auditor must evaluate whether this gives rise to a material misstatement of the other information and respond in accordance with ISA (UK) 720.
What is the impact on the audit when the Provision 29 statement identifies an ineffective material control?
Where the Board discloses an ineffective material control in accordance with the Provision 29 statement in an area relevant to the auditor's risk assessment and performance of the audit, the auditor considers whether this is new information which is inconsistent with the audit evidence on which the auditor originally based the identification or assessments of the risks of material misstatement. The auditor may need to undertake additional audit procedures to obtain an understanding of the nature and impact of the ineffectiveness of the material control and how it may impact the auditor's risk assessment.
The auditor applies professional judgement to determine the appropriate audit procedures, if any, to address the impact of the ineffective material control on the audit.9
Are there other auditor's responsibilities under law or regulation for the Provision 29 statement?
For those entities that are required to make a statement of how they have applied the principles of the UK Corporate Governance Code, the Financial Conduct Authority's (FCA's) UK Listing Rules require that the entity ensures that the auditor reviews certain statements made by those charged with governance in the annual report before the annual report is published.10 The requirements in ISA (UK) 720 assist the auditor in meeting these additional obligations required by the FCA's UK Listing Rules.11 The FCA's UK Listing Rules do not require the auditor to make reference to these responsibilities or the outcome of the auditor's review in the auditor's report.
Get in touch
London office:
13th Floor,
1 Harbour Exchange Square,
London, E14 9GE
Birmingham office:
5th Floor, 3 Arena Central,
Bridge Street,
Birmingham, B1 2AX
+44 (0)20 7492 2300
Follow us on LinkedIn
-
ISA (UK) 720 (Revised May 2026), The Auditor's Responsibilities Relating to Other Information ↩
-
ISA (UK) 720 (Revised May 2026), paragraph 14 ↩
-
ISA (UK) 720 (Revised May 2026), paragraphs 14-1, A36-6-A36-12 ↩
-
ISA (UK) 720 (Revised May 2026), paragraph A36-8 provides further information on the auditor's responsibilities ↩
-
ISA (UK) 330 (Revised July 2017), The Auditor's Responses to Assessed Risks ↩
-
ISA (UK) 260 (Revised November 2019), Communication with Those Charged with Governance ↩
-
ISA (UK) 265, Communicating Deficiencies in Internal Control to Those Charged with Governance and Management ↩
-
ISA (UK) 720 (Revised May 2026), paragraph A36-9 provides further application material on this situation ↩
-
ISA (UK) 315 (Revised July 2020), paragraph 37 ↩
-
6.6.20R of the Financial Conduct Authority's UK Listing Rules ↩
-
ISA (UK) 720 (Revised May 2026), paragraph A36-11 provides further application material ↩