November 14, 2025

SOX vs Provision 29: What UK Companies Can Learn from the US Approach

Following the Financial Reporting Council’s (FRC) 2024 update to the UK Corporate Governance Code, attention has turned to Provision 29 – the new requirement for boards to report on the effectiveness of internal controls.
The reform marks a significant shift toward greater accountability and transparency, echoing many of the principles first introduced by the US Sarbanes–Oxley Act (SOX) more than two decades ago.

Both frameworks share the same goal: building and strengthening trust in corporate reporting through stronger internal control systems. Yet their approaches diverge. While SOX is a prescriptive, legally binding framework, the UK Code favors a more flexible, principles-based approach.

In this article, we explore how SOX and Provision 29 compare, what the UK can learn from the US experience, and how organizations can begin preparing today.

A quick recap: SOX and Provision 29 explained

The Sarbanes–Oxley Act (SOX) was enacted in 2002 after high-profile corporate scandals undermined investor confidence. It introduced strict requirements for internal controls over financial reporting, executive accountability, and auditor independence.

Under SOX, CEOs and CFOs must personally certify the accuracy and integrity of financial statements and of the controls behind them, while external auditors independently test and attest to the effectiveness of internal controls over financial reporting (the auditor attestation applies to larger registrants). Non-compliance carries serious civil and criminal penalties.

Provision 29, part of the revised UK Corporate Governance Code, takes a different approach. Boards must “make a declaration on the effectiveness of the company’s risk management and internal control framework,” supported by evidence and regular review. The declaration covers material controls of all kinds, not only financial reporting controls, and it applies to financial years beginning on or after 1 January 2026.

Unlike SOX, the UK Code follows the “comply or explain” principle, giving organizations flexibility in how they meet expectations while still demanding transparency and board-level accountability.

A shared goal: Building trust in corporate reporting

Despite their differences, both frameworks aim to strengthen trust in financial reporting.

Where SOX rebuilt confidence through strict accountability and standardized testing, Provision 29 focuses on embedding good governance and oversight directly within the board’s responsibilities.

In practice, this means:

  • Boards must demonstrate how they know their internal controls are effective.
  • Assurance will increasingly depend on consistent documentation, risk-based reviews, and clear accountability lines.
  • The annual declaration will become a central feature of corporate governance reporting.

Because the UK requirements are less prescriptive, UK companies already operating under the COSO Internal Control–Integrated Framework – the global standard most SOX programs are built on – are likely to have most of the building blocks in place once the reforms take effect. The gap, where there is one, is usually scope: Provision 29 asks boards to cover material operational, reporting, and compliance controls as well as financial ones.
COSO’s top-down, risk-based methodology provides a practical bridge between the two regimes, helping organizations strengthen control design, testing, and governance in a way that satisfies both regulatory environments.

What the UK can learn from SOX

Two decades of SOX enforcement have yielded valuable lessons:

  1. Documentation and testing drive maturity.
    The discipline of documenting and testing controls leads to clearer processes, stronger governance, and better collaboration between finance, risk, and audit teams.
  2. Over-complexity can add cost.
    Early SOX compliance introduced heavy documentation burdens. The UK Code’s principles-based model can avoid these pitfalls by focusing on outcomes rather than exhaustive checklists.
  3. Tone from the top matters.
    SOX underscored that accountability starts at the top. Provision 29 reinforces the same message – placing the board at the center of control oversight and cultural tone.

Ultimately, both frameworks show that the value of internal controls extends beyond compliance; effective controls build organizational resilience and stakeholder trust.

How to prepare for Provision 29

Here’s how organizations can start aligning with the upcoming expectations:

  • Map your existing control environment.
    Identify where financial, operational, and compliance controls sit, and who owns them.
  • Adopt a top-down, risk-based approach.
    Start from the risks that could materially affect financial integrity, operations, reporting, or compliance, identify the controls that address them, then design and test those controls around the risks rather than documenting every process equally.
  • Engage your board early.
    Boards will need evidence to support their annual declaration, including a record of what was tested, when, and what was found. Regular control reporting and clear audit trails provide that assurance.
  • Automate evidence collection and control testing.
    Manual spreadsheets and emails slow down the process. With Impero, you can automate control execution, assign accountability, and centralize documentation – creating a clear audit trail that supports the board’s annual statement.
  • Gain visibility across entities and processes.
    Impero’s dashboards provide real-time oversight of control performance, enabling management and boards to identify issues early and demonstrate continuous review – a core principle of Provision 29.
  • Connect compliance and assurance.
    Impero integrates testing, certification, and reporting across departments so that risk and compliance teams can work from one source of truth, giving boards confidence when making their annual declarations.

For a practical guide, see 5 ways Impero helps you prove Provision 29 compliance.

Conclusion: Same goal, different playbook

SOX and Provision 29 may differ in enforcement style, but their purpose is the same: to strengthen trust in how companies report and govern themselves.

While SOX relies on strict legal mandates, the UK’s reform gives boards greater flexibility – and greater responsibility – to embed transparency from within.

By adopting a structured, risk-based approach supported by technology, UK organizations can transform compliance into a governance advantage and be ready when the new Code takes effect.

Want to learn more?
Explore our UK Corporate Governance Code glossary for a detailed breakdown of the 2024 update, or read our Sarbanes–Oxley (SOX) glossary to understand how the US framework shaped modern internal control standards.
