Under the 2018 UK Corporate Governance Code, boards needed to monitor their risk and control systems, conduct an annual effectiveness review and report on their findings. While comprehensive in scope, this led to broad statements of assurance without much detail on the “how” and “what”.

The 2024 update maintains the same scope, but introduces three critical elements that improve accountability:

  1. Companies must explain their monitoring and review process, detailing who the board consulted, what evidence was examined and how effectiveness was assessed
  2. Directors must make a formal declaration about whether material controls were effective at the financial year-end
  3. Any material controls that failed must be disclosed, along with remediation plans and updates on previously identified issues

Boards therefore must move from general oversight statements to evidence-based declarations that ensure director accountability.

Why did the FRC extend the Provision 29 deadline?

When the Financial Reporting Council (FRC) released the 2024 Code, most provisions took effect in January 2025. Provision 29 was the exception, which took effect in January 2026 due to the complexity involved. This implementation window let companies test their approach, refine their controls framework, conduct ‘dry runs’ and build the evidence needed for real reporting in 2027. Organisations that used 2025 to conduct practice declarations, stress test their controls and iron out gaps are well-positioned, while those that deferred the work now have less margin for error.

How to disclose effectively?

The FRC’s guidance offers an expectation that reporting demonstrates genuine board engagement that provides real insight into control effectiveness. Strong reporting covers these three areas:

  • Process transparency – Companies need to explain how the annual review was conducted, including which types of controls were examined (financial, operational, reporting and compliance) and confirm that the material controls were within scope.
  • Evidence of engagement – Disclosure should show which functions fed into the board’s assessment (management teams, specialist officers including risk, compliance, cyber and tax, subsidiary leadership, internal audit and external auditors). This demonstrates that the board questioned the evidence.
  • Honest reporting – Effective controls should be communicated clearly. Similarly, deficiencies should be explained – what went wrong, what’s been done about it and what progress has been made.

According to the FRC, most companies can achieve meaningful disclosure in under two pages. There’s no requirement to catalogue every control or describe every procedure. What matters is showing that the board knows which controls matter most, understands whether they are working and can recognise and act on warning signs.

Addressing your questions

Questions on quantity and reporting

As companies work through their first reporting cycle, certain questions come up. One of the most common concerns is the number of material controls a company should identify. The FRC deliberately avoids setting thresholds. A major financial institution may identify over 50, while a less complex business may have fewer. Similarly, companies often ask if they should publish a list of their material controls in the annual report. The Code only requires that you explain the governance around how material controls are determined and how the board oversees them.

Questions on failure

Questions around control failures are also common. When it comes to commercially sensitive weaknesses, transparency is required but not at the cost of exposing competitive or sensitive information. The disclosure obligation is about accountability. Some boards might seek external assurance. This isn’t a Code requirement, and remains a judgement call for your organisation.

Questions on timing

Declarations are made final once the balance sheet has been submitted. This means that if a problem comes to light after the year-end, there’s no obligation to restate your declaration. The same principle applies in reverse. If a control weakness existed during the year but was fixed before the balance sheet date, it doesn’t need to be disclosed in your Provision 29 reporting.

For answers to more of your questions, the FRC have published a Provision 29 Mythbuster tackling common concerns.

What should be boards and audit committees’ priorities right now?

  • Define and map material controls – Identify material controls whose failure could impact reporting or regulation, map them to principal risks and strategy, focus on a concise critical set and avoid over-engineered control inventories globally.
  • Establish evidence-based assurance – Shift from policy assertions to documented evidence through testing and self-assessments, conduct an internal audit and complete dry runs to refine evidence and reporting.
  • Enhance board-level oversight – Ensure boards actively own the declaration, receive single-view decision-ready reporting, embed accountability across the business, and rigorously track remediation of weaknesses before balance sheet dates.
  • Technology and resources – Invest in integrated technology to centralise your controls, automate testing and deliver real-time visibility. All while ensuring internal audit, risk and compliance teams have sufficient capacity and expertise available.

How to use Provision 29 to create better governance?

When navigating Provision 29, it’s crucial that you build the right infrastructure, insight and support to meet requirements with confidence. At Computershare, we work with boards and company secretaries across the UK to strengthen governance frameworks and deliver the quality of reporting that investors now expect.

Whether you need help identifying your material controls, building evidence frameworks, preparing disclosure narratives or benchmarking your approach against market practice, our governance specialists bring deep expertise across the capital markets. We understand what good looks like because we see it across hundreds of organisations, which means that we also know where companies struggle.

The boards that will navigate 2026 and 2027 successfully are those treating Provision 29 as a governance opportunity, a chance to strengthen control infrastructure, deepen investor trust and demonstrate oversight quality in ways that create competitive advantage. Computershare can help you seize that opportunity.

Stay ahead of the curve: Our Governance Readout newsletter provides regular updates on the latest regulatory changes, market expectations and best practice insights to keep your board informed and prepared.

Contact us today to receive your copy and discuss how we can support your governance needs.

 

View our Privacy Policy for details on use and storage of your data
You have the ability to unsubscribe from future mailings at any time