
September 30, 2025

UK Corporate Governance Code 2024 – Provision 29 (UK SOX) FAQ

This set of frequently asked questions (FAQs) is designed to help organisations understand and apply the revised UK Corporate Governance Code 2024 and the supporting guidance issued by the FRC. The FAQs offer practical pointers to assist companies in interpreting the changes, but they are not comprehensive. They should be considered alongside the full text of the Code, the FRC’s official guidance, and additional resources such as our Restoring Trust in Risk Management and Internal Control guide, which we reference throughout.


Timing and application of the revised Code

What is the UK Corporate Governance Code?

The UK Corporate Governance Code, issued by the FRC, is a principles-based framework designed to uphold strong standards of governance for UK-listed companies. It sets out clear expectations for boards on leadership, accountability, remuneration, stakeholder engagement, and—most importantly—risk management and internal controls.

Who does the revised Code apply to, and what’s the biggest change?
All premium-listed companies must report against the UK Corporate Governance Code. Some large private companies may be indirectly affected via The Companies (Miscellaneous Reporting) Regulations 2018, which require disclosure of governance arrangements and whether a recognised code is followed (many choose the Wates Principles; some may opt to follow the Code on a voluntary, flexible basis). Certain public-sector or licensed entities should check their sectoral rulebooks where these reference the Code.
The headline change: boards must include in the annual report a specific declaration that all material controls operated effectively at the balance-sheet date, explain how risk management and internal control were monitored and reviewed, and describe any material controls that did not operate effectively at that date, together with actions taken or planned.

When does the revised Code take effect?
Most changes apply to financial periods beginning on or after 1 January 2025. Provision 29 (the new board declaration on risk management and internal control) applies to periods beginning on or after 1 January 2026. Existing Code provisions remain in force until then.

What else has changed?
The most substantive updates are in Section 4: Audit, Risk and Internal Control. Other sections were refined but less extensively. The FRC’s “Key Changes” summary provides a useful overview.


Material controls

What are “material controls”?
In practice, a material control is one that, individually or in combination, addresses a material risk. Examples often include controls over risks to the business model, solvency and liquidity, fraud controls, certain IT and access controls, and controls over reporting that could be price-sensitive.

How do we decide which controls are material?
Start with material risks (e.g., those disclosed as principal risks) and identify the controls that mitigate them. These controls may fall into “financial, operational, reporting, or compliance” categories—but the focus of the Code is on all material controls, not the labels. Expect to drill down from high-level risks (e.g., your risk register) to the specific control activities that prevent, detect, or correct failures.

What counts as “reporting” for material reporting controls?
Think publicly issued, material information. While this will often align with the annual report and half-year results, it can extend to other material public reporting. The key test is materiality to investors and the market.

Are ESG reporting controls likely to be material?
Often, yes. Facts and circumstances matter, but investor focus on ESG is growing while many sustainability control frameworks are still maturing. For many companies, controls over ESG reporting will warrant treatment as material.


Control failures

Must every deficiency in a material control be disclosed? Is there a severity scale (à la US SOX)?
The Code requires disclosure of material controls that did not operate effectively at the balance-sheet date, plus remediation plans. It does not prescribe US-style terminology (control deficiency / significant deficiency / material weakness). Boards should still consider significance and potential material impact when deciding disclosure, and many use an internal severity framework to support consistent judgement.

If a control failed but was remediated by the balance-sheet date, must we still disclose it?
Judgement applies. If the issue was sufficiently significant for users to understand, boards may still choose to disclose it—and doing so can demonstrate an effective monitor–review–remediate cycle.

Are failures assessed individually or in aggregate?
Both. A set of controls might collectively address a material risk. If one element fails, the board should judge whether that failure, alone or together with others, could have a material effect, and disclose accordingly. Transparent narrative around the reasoning is helpful to readers.


Approach to assurance

Do we need external assurance over the board’s declaration?
Not mandated. The FRC guidance leaves it to the board to determine whether external assurance is appropriate, and of what type. Investors’ views may be considered. Many boards use assurance mapping to decide where internal and/or external assurance adds most value.

How can the second line support the Code’s objectives?
The second line (risk & compliance) helps design, challenge and oversee the control environment and first-line self-assessments. It should provide independent review and monitoring calibrated to risk, coverage needs, and maturity—complementing first-line activity and informing the board’s declaration.

What about Internal Audit: should it perform independent testing?
An effective Internal Audit function often provides objective assurance over the design and operating effectiveness of risk management and internal controls. A risk-based plan, including targeted independent testing (and, where relevant, cycle testing), typically supports the board’s monitoring and review.

Is assurance just about controls that affect the financial statements?
No. Provision 29 covers all material controls (financial, operational, reporting and compliance), so assurance should span non-financial as well as financial risks and controls.

Is an Audit & Assurance Policy (AAP) still required?
The government’s draft secondary legislation (including the AAP) was withdrawn in October 2023. That said, many boards still see value in AAP-style assurance mapping and are adopting elements voluntarily. Where an AAP or equivalent process exists, it can efficiently align scoping for Provision 29 with assurance priorities across financial and non-financial reporting, principal risks, resilience, and fraud.


Scope and content of the declaration

How much detail should we include about the monitoring and review process?
Be clear and specific. Useful disclosures often cover:

  • Information reviewed by the board and committees,

  • Units/roles consulted,

  • Internal/external assurance considered, and

  • Any frameworks/standards used to assess effectiveness.

Also explain how scoping and materiality decisions were made. A transparent, logical approach tends to withstand challenge.

What does “operating effectively at the balance-sheet date” actually mean?
Evidence is typically built throughout the period, refreshed to the balance-sheet date. Regular monitoring at sensible intervals (e.g., monthly/quarterly controls) provides early warning and supports remediation before year-end. Many companies use an interim testing phase with a year-end update to confirm that remediations are effective.


Enforcement and accountability

Will the FRC enforce the Code?
The FRC does not currently enforce the Code against directors; the Code remains a comply-or-explain regime. The FRC monitors reporting quality (e.g., sample reviews across FTSE cohorts). If ARGA replaces the FRC via future primary legislation, it may have enhanced powers, though how these would interact with comply-or-explain remains to be seen. Regardless, expect greater stakeholder scrutiny of risk and control reporting.


Ownership of the process

Who should lead the monitoring and review of risk management and internal control?
The board (often via the audit committee) is ultimately accountable for establishing, maintaining, monitoring and reporting on the framework. Day-to-day design, operation and self-assessment typically sit with management (first line), complemented by second-line oversight and Internal Audit assurance, with external audit/assurance providers where appropriate.
A clearly articulated vision and strategy for risk, control and assurance, aligned to business objectives and the three lines model, helps coordinate effort, target resources, and deliver a coherent basis for the Provision 29 declaration.


When should companies start preparing for Provision 29?

Although Provision 29 applies to financial periods beginning on or after 1 January 2026, organisations should start preparing well in advance—ideally by mid-2025. Boards will need a full year of evidence to support their first declaration, which means 2025 is effectively the rehearsal year.

Preparation should include:

  • Defining and documenting material controls across financial, operational, compliance, and reporting areas.

  • Implementing structured testing and monitoring cycles to generate consistent evidence.

  • Remediating weaknesses early, ensuring issues are addressed before year-end.

Boards will be expected to provide real-time, auditable evidence of control effectiveness, not just retrospective reviews.


With Symbiant, you can easily meet Provision 29 / UK SOX requirements from just £300/month* with 5 seats.

All-in-One GRC & Audit Management Powerhouse

Symbiant’s flexible, modular platform streamlines governance, risk, compliance, and audit—so you can reduce complexity, adapt fast, and stay focused on achieving your objectives.

Pricing Disclaimer

* Modules are charged at a standard monthly fee, not on a per-user basis. All users can access each module at any required level. Please note that costs exclude VAT, AI features, and additional modules you may wish to use. User seats are required.