Why organisations need to act now on Provision 29 (UK SOX)
By January 2026, boards of UK-listed companies will face a new level of scrutiny. Provision 29 of the revised UK Corporate Governance Code 2024 requires an explicit annual declaration on the effectiveness of material internal controls. This isn’t another box-ticking exercise; it’s a structural shift in how boards must evidence governance.
Often described as UK SOX, Provision 29 moves the conversation from intent to proof. Boards will need to demonstrate how controls were designed, tested, monitored, and remediated, and they must back up their statements with auditable evidence across financial, operational, compliance, and reporting areas.
That means waiting until 2026 is no longer an option. Boards will need a full year of documented evidence to underpin their first declarations, making 2025 the year to put processes into practice.
What organisations should prioritise in 2025
Provision 29 comes into effect for accounting periods beginning on or after 1 January 2026. It requires companies to:
Define and document material controls – link them directly to principal risks and business objectives.
Implement structured monitoring and testing – create year-round cycles that provide reliable evidence.
Strengthen accountability – ensure ownership is clear across the three lines of defence.
Upgrade reporting and oversight – provide boards with real-time dashboards and audit trails, not retrospective spreadsheets.
Remediate weaknesses early – identify gaps and correct them before year-end, not after.
Why you should start preparing now for Provision 29 of the UK Corporate Governance Code (UK SOX)
While Provision 29 of the UK Corporate Governance Code does not formally apply until 2026, boards cannot afford to wait. To sign off with confidence, directors will need a full year of auditable evidence, something that cannot be pulled together at the last minute.
This makes 2025 the critical preparation year. It is the opportunity to:
Define what qualifies as a material control.
Link controls directly to your most significant risks.
Assign clear ownership and accountability.
Establish structured assurance plans and monitoring cycles.
Rehearse reporting processes so boards are confident in both oversight and evidence.
Now is also the time to test reporting formats, from dashboards to board packs and audit committee updates, to ensure information flows clearly and consistently.
Leading organisations are already running mock declarations, identifying control gaps, and remediating them during the year. Waiting until 2026 to begin is a gamble few boards can afford. Early preparation is the only way to meet the new UK SOX standard with confidence.
Why companies need to act now
For premium-listed companies in the UK, acting now to prepare for Provision 29 (UK SOX) is critical. Although the requirement is not effective until financial years beginning on or after 1 January 2026, the preceding year, 2025, serves as a crucial rehearsal period. Boards will need a full year of evidence to support their first declaration of internal control effectiveness. Waiting until late 2025 or 2026 would leave companies without the data or assurance needed to comply.
The time-intensive nature of implementation
A full year of evidence is required – Boards must demonstrate continuous monitoring throughout the year, not just provide a year-end snapshot.
Control gaps take time to fix – Identifying, remediating, and re-testing weaknesses often spans months, particularly for large, complex organisations.
It requires an organisation-wide effort – Finance, risk, audit, and compliance must coordinate to define material controls, link them to principal risks, and assign accountability for testing and reporting.
Serious consequences of late preparation
Investor scrutiny – Weak or absent control disclosures can trigger shareholder pushback, undermine confidence, and depress valuation.
Reputational damage – Boards that cannot confidently declare control effectiveness risk damaging market trust. In practice, “comply or explain” increasingly feels like “comply or else.”
Regulatory attention – The FCA will expect robust compliance, and inadequate reporting could expose companies to costly scrutiny.
An opportunity for strategic improvement
Build a stronger foundation – Moving from spreadsheets to a centralised, structured platform improves efficiency and decision-making.
Strengthen resilience – Extending the control framework beyond financials ensures enterprise-wide coverage of operational, reporting, and compliance risks.
Enhance transparency – Transparent, evidence-based disclosures build stakeholder trust and demonstrate effective governance.
Provision 29 is more than a compliance exercise; it is a chance to embed lasting improvements in governance, resilience, and transparency. The organisations that act now will be ready not just to comply, but to lead.
Next steps and how Symbiant helps meet Provision 29 (UK SOX)
Symbiant’s award-winning, highly trusted Governance, Risk, Compliance (GRC) and Audit Management Software replaces fragmented spreadsheets and manual processes with an integrated, auditable platform that makes compliance with Provision 29 straightforward, transparent, and cost-effective. Manual methods, by contrast, introduce gaps, delays, and blind spots, the kind of weaknesses that this new board-level declaration is meant to expose. That’s why leading organisations are proactively switching to technology-enabled control management environments to meet Provision 29 requirements.
Calculate and report control effectiveness – Symbiant automatically calculates and reports on the effectiveness of your controls, giving boards the tested, auditable assurance they need to confidently sign their Provision 29 declaration.
Provide a single source of truth – Link risks, controls, incidents, audits, and compliance monitoring in one connected system, ensuring complete traceability and accountability.
Support year-round monitoring – Implement structured testing cycles, real-time dashboards, and automated alerts so boards can see the health of internal controls at any time, not just at year-end.
Demonstrate transparency and accountability – Every action, test, and review is logged, creating a tamperproof audit trail that regulators and investors can trust.
Embed ownership across the business – From first-line control owners to the board, Symbiant makes responsibilities clear and drives engagement across all three lines of defence.
Provision 29 raises the bar on governance, but with Symbiant you can move beyond compliance to create a culture of confidence, resilience, and trust.
Ready to assess your control maturity? Book a Demo today
With Symbiant, you can easily meet Provision 29 / UK SOX requirements from just £300/month* with 5 seats.