Sponsored Content

UK Corporate Governance Code Changes: Preparing for Provision 29

Written by Chris Sudlow, Manager, Product Solutions, AuditBoard.


After much fanfare, the 2024 updates to the UK Corporate Governance Code are finally in force. Introduced in response to high-profile corporate failures, such as BHS, Carillion, and Patisserie Valerie, and following extensive consultation and deliberation, they are the first changes since 2018.

Those expecting a kind of “UK Sarbanes-Oxley” (SOX) may be disappointed or pleased, depending on perspective. The major distinction is the Code’s “comply or explain” principle. However, some of the understanding and approaches used to implement SOX can serve as a useful starting point. The new provisions, with the exception of Provision 29, apply to UK public limited companies for fiscal years beginning on or after 1 January 2025. Provision 29 takes effect one year later and requires boards to monitor the risk management and internal controls framework and review its effectiveness at least annually.

I was recently part of a highly informative discussion hosted by AuditBoard with risk, control, and audit experts Henry Martin (Senior Consultant, Internal Audit and Financial Advisory, Protiviti UK), Andrew Wieser (Associate Director of Internal Audit and Financial Advisory, Protiviti UK), and Carolyn Clarke (Vice President of the Chartered IIA and Founding Partner, Brave Within LLP). This article highlights insights and advice from that discussion for risk, controls and assurance professionals supporting their organisations’ preparations.


1. What are the implications of Provision 29?

Provision 29 mandates an annual declaration on the effectiveness of material controls, detailing weaknesses and actions taken to address them. Boards must also show how they go about monitoring and reviewing the risk and control framework. The aim is to enhance accountability and strengthen governance. It amounts to a shift from viewing risk management as a matter of compliance to seeing it as a core business capability. Unlike SOX, the declaration goes beyond financial reporting to encompass financial and non-financial risks. The board’s responsibility regarding risk management should be an ongoing, proactive engagement rather than a purely routine and high-level attestation.

It is tempting to draw comparisons with SOX. Understanding the differences will help companies plan and is particularly important where there are dual listings and/or members of the Board are operating in both environments. Andrew Wieser noted that, “the FRC has made it quite clear that the corporate governance code and specifically the declaration required from Provision 29 is NOT the UK’s equivalent of Sarbanes-Oxley.” However, Andrew also advises that “some of the structure developed for SOX programmes, including controls and process attestations and the certification process, is likely able to be leveraged for those preparing for those changes.” It is important to note that the process of assurance is not comparable, as the Financial Reporting Council (FRC) explicitly expects this to be led from an internal perspective.

Much attention has been given to understanding how “material controls” are defined within an organisation. Any control that is critical to the integrity of risk management can be considered material. The FRC highlights that the board must determine which controls are material, making allowance for sector, resources, priorities, and other contextual factors.

Without prescriptive rules, boards must give greater thought to the scope of the programme. Carolyn Clarke reminds us that “there are only so many processes that your organisation has that are material to the outcome,” adding: “And while the board is ultimately responsible, it is important to engage risk owners (the ‘first line’) in making this determination. Controls are not effective unless your first line is empowered and engaged in assessing them.”


2. How can we help directors “get on board”?

A poll taken during the discussion suggested many are not sure whether their organisation is ready or is even in the process of getting ready for Provision 29. Whatever the state of preparation, the panellists agreed that a planned and holistic approach is best. It is necessary to align the activities of risk, control, and assurance across the three lines within a single framework encompassing:

  • Continuous risk identification, analysis, prioritisation, and responses.
  • Control implementation, monitoring, and maintenance.
  • Evaluation and assurance.
  • Communication and reporting.

Internal audit has a critical role to play, as Carolyn Clarke confirmed. “I would expect internal audit to be thinking about material risks. Internal auditors should play a really important role in helping navigate these requirements,” she said. However, she also offered some words of caution. “Looking through the lens of internal audit is a really good way to get an independent perspective, but we ought to be really careful that we're not using internal auditors to implement controls or perform the testing.” If this happens, we risk diluting and undermining internal auditors’ ability to provide assurance on the adequacy and effectiveness of governance, risk management, and control processes across the organisation.

A planned approach should establish a top-down and holistic view of organisational risk and control, including:

  • Organisational strategy, objectives, risk appetite, and KPIs.
  • Material controls for financial and non-financial risks, including emerging risks.
  • Assurance mapping (including first-line attestations).
  • Agreement on what constitutes “adequate and effective”.
  • A model for board monitoring and review, aligning the work of relevant committees and oversight mechanisms.
  • Consideration of current disclosures (including those required by regulators).
  • A pilot.

3. How can technology help?

Technology should be seen as a strategic enabler for organisations preparing for Provision 29. The shift from static compliance to dynamic governance demands tools that can integrate, automate, and intelligently analyse risk and control data across the enterprise. 

As Henry Martin explained, accelerators (prebuilt analytics toolkits embedded within AuditBoard) were specifically designed to support Business Process controls and IT General Controls (ITGCs), focusing on common, high-impact controls. These accelerators offer a rapid starting point for organisations, requiring only minimal customisation to align with specific needs. They significantly reduce implementation time and provide boards with direct visibility into control effectiveness. Henry noted that these tools “support a shift away from static reporting of sample-based testing to more dynamic insights that are truly data-driven based on full population testing.” This evolution enables assurance teams to move beyond the limitations of traditional sampling and deliver “deeper assurance founded on a true and holistic state of the control frameworks.” By linking testing results directly to risk and impact ratings, accelerators also help organisations identify which controls are material and monitor the testing results of those controls, supporting more robust and transparent board declarations.

Other examples of how technology can support preparations for Provision 29 include:

1. Integrated platforms that unify governance, risk, compliance, and audit functions allow for seamless collaboration across the three lines of defence. These platforms should support:

    • End-to-end control lifecycle management, from design and implementation to monitoring and remediation.
    • Real-time dashboards that visualise control performance, risk exposure, and assurance coverage.
    • Embedded workflows that automate issue tracking, escalation, and resolution.

2. Advanced analytics and automation techniques are key to moving beyond sample-based testing, enabling a shift from reactive compliance to proactive, data-driven governance. Examples include:

    • Predictive analytics that leverage historical data and risk indicators to anticipate control failures and prioritise solutions, enabling faster risk management.
    • Process mining that visualises workflows, pinpoints controls, and detects deviations, offering insights to refine controls and support governance.

3. Artificial Intelligence is rapidly reshaping how organisations manage risk, monitor controls, and prepare board-level disclosures. It offers transformative capabilities that go beyond traditional approaches by enabling deeper insight, faster decision-making, and more proactive governance:

    • Generative AI (GenAI) and Natural Language Processing (NLP) can analyse narrative disclosures, policies, and audit reports to uncover gaps in control coverage and inconsistencies in risk articulation.
    • Automated assurance mapping links control testing results to risk registers, impact ratings, and regulatory requirements.
    • AI-powered recommendation engines suggest corrective actions and simulate their impact on the control environment, helping prioritise remediation and resource allocation.
    • Sophisticated AI assistants that help users by surfacing relevant documentation, guiding assessments, and flagging anomalies, boosting engagement and streamlining assurance workflows.

Whatever a business's stage of maturity, it is advisable to be clear on the new expectations set by Provision 29 and have a plan that ensures readiness. The benefits to be gained are not just compliance but tangible advantages for stakeholders arising from more effective risk management. Technology offers its own advantages that can multiply the gains to be had from a well-integrated risk and control framework.

AuditBoard is the leading global platform for connected risk, transforming audit, risk, and compliance. AuditBoard’s mission is to be the category-defining global platform for connected risk, elevating our customers through innovation. More than 50% of the Fortune 500 trust AuditBoard to transform their audit, risk, and compliance management.
