UK Corporate Governance Code 2024: Provision 29 Guide

The Financial Reporting Council’s (FRC) latest revision of the UK Corporate Governance Code, published in January 2024, represents a significant shift in expectations for how companies manage risk and internal control. With key provisions coming into force from 2025 and 2026, businesses—especially listed companies—need to start preparing now.

This guide focuses on Provision 29, one of the most impactful updates in the new Code, and what it means for boards, internal audit teams, and compliance leaders.

What is the UK Corporate Governance Code?

The UK Corporate Governance Code is a principles-based framework developed by the FRC to promote high standards of corporate governance among UK-listed companies. It outlines the responsibilities of company boards around leadership, accountability, remuneration, stakeholder engagement, and—critically—risk management and internal controls.

What changed in the 2024 version of the Code?

The 2024 revision introduces a more focused and practical Code, with enhanced expectations around risk, internal controls, and accountability. Key changes include:

• A new requirement to declare the effectiveness of material controls
• Stronger alignment between governance and long-term strategy
• Streamlined language to improve clarity and reduce boilerplate reporting
• An emphasis on outcomes-based reporting, not just processes

What is Provision 29 of the UK Corporate Governance Code?

Provision 29 requires boards to take greater responsibility for their company’s internal control environment. From 1 January 2026, boards must:

1. Monitor the risk management and internal control framework
2. Conduct an annual review of the framework’s effectiveness
3. Report in the annual report on:
   
   • How the review was conducted
   • Whether the material controls were effective as of the balance sheet date
   • Any ineffective controls, actions taken, and status of previously reported issues

When do the new rules come into effect?

• Principle O (risk and internal control framework): Applies from 1 January 2025
• Provision 29 (review and declaration of control effectiveness): Applies from 1 January 2026

This gives companies time in 2024 and 2025 to prepare their frameworks, documentation, and assurance processes.

Who is required to comply with the Code?

The Code applies on a “comply or explain” basis to all companies with a premium listing on the London Stock Exchange. Following updates to the FCA’s Listing Rules:

• All companies in the new commercial companies and closed-ended investment funds categories must comply
• Standard-listed companies are not automatically included and remain under voluntary compliance unless they transition to the new categories

What are “material controls” under the Code?

The Code does not prescribe a list of material controls—instead, it takes a risk-based, company-specific approach. A control is considered “material” if failure of that control could reasonably influence decisions by stakeholders, especially in financial and non-financial reporting.

Key areas where material controls are often needed include:

• Operational risks: M&A, supply chain, cybersecurity, health & safety
• Financial risks: Inventory, receivables, liabilities, forecasting
• Reporting risks: Annual reports, ESG disclosures, financial statements
• Compliance risks: Economic Crime Act, GDPR, Bribery Act, CSRD

What should companies disclose under Provision 29?

In the annual report, boards must provide:

• A description of how the board monitored and reviewed internal controls
• A declaration of effectiveness of material controls at the balance sheet date
• Details of any ineffective controls, and the actions taken (or planned) to resolve them

This level of transparency is designed to build stakeholder trust—and will likely be closely scrutinised by investors and regulators alike.

What does this mean for boards and audit committees?

Boards now carry greater direct responsibility for ensuring that control frameworks are not just in place—but are actually effective. Provision 29 shifts the focus from narrative governance reporting to tangible assurance over key risks.

Audit Committees will need to coordinate closely with internal audit, risk, finance, and compliance functions to ensure that the right controls are identified, tested, and monitored throughout the year.

What role does Internal Audit play?

Internal audit has a central role in supporting compliance with Provision 29. Depending on the company’s chosen assurance model, this may include:

• Mapping and documenting material controls
• Assessing the design and operational effectiveness of controls
• Providing an independent opinion on the internal control environment
• Supporting management or third parties in readiness assessments

Where internal audit is the primary source of assurance, audit plans and resources will need to be adjusted to include testing of all material controls ahead of the declaration deadline.

How should companies prepare for Provision 29?

Here’s a practical roadmap:

1. Identify material controls: Align with principal risks and reporting obligations
2. Document the framework: Establish clear ownership and supporting evidence
3. Develop testing procedures: Define how effectiveness will be assessed
4. Conduct dry runs in 2024–2025: Test the review and declaration process before it becomes mandatory
5. Update the board: Ensure directors understand their responsibilities and are prepared to sign off with confidence

How can software like Impero support compliance?

Complying with Provision 29 means managing a high volume of risks, controls, and documentation. Tools like Impero help companies:

• Centralise internal control frameworks
• Track ownership, testing status, and control performance
• Automate workflows for control assessments and reporting
• Provide a clear audit trail for board and regulatory assurance

By digitising and streamlining the control environment, companies can move from fragmented processes to structured, repeatable governance.

Final Thoughts

The 2024 UK Corporate Governance Code—especially Provision 29—marks a major step forward in board accountability, risk transparency, and investor confidence. While implementation will take time, companies that act early can turn compliance into a competitive advantage.

‍