Provision 29 Services: UK Governance Compliance Guide 2026
Provision 29 of the UK Corporate Governance Code requires boards to declare the effectiveness of material controls in their annual reports, effective for accounting periods beginning on or after 1 January 2026. Building societies and financial services firms must assess, test, and disclose their internal controls framework, moving from compliance documentation to tangible evidence of control effectiveness.
The regulatory landscape for UK financial services has shifted dramatically. Boards face unprecedented scrutiny over their internal controls, and the Financial Reporting Council isn’t accepting superficial compliance anymore.
Provision 29 represents a fundamental change in how organizations demonstrate governance maturity. It’s not just another checkbox exercise.
What Is Provision 29?
Provision 29 forms part of the revised UK Corporate Governance Code published by the Financial Reporting Council in 2024. While mandatory for UK-listed companies, building societies face strong encouragement to adopt these standards in their annual reporting.
The provision specifically addresses material controls—those internal mechanisms that prevent or detect significant risks to an organization’s operations, financial reporting, and compliance obligations.
Here’s the thing though—material controls extend far beyond financial reporting. They encompass operational controls, IT systems, risk management frameworks, and regulatory compliance mechanisms. The scope catches many organizations off guard.
Key Changes Under the New Code
Principle O and Provision 29 introduce mandatory disclosure requirements that boards must address. The declaration must confirm whether material controls operated effectively throughout the reporting period.
Boards can no longer rely on generic statements. The FRC expects specific, evidence-based declarations supported by robust testing and independent verification where appropriate.
This marks a departure from previous practice. Many organizations historically provided boilerplate language about having “adequate” controls without substantive backing.
Who Needs Provision 29 Services?
Building societies represent the primary focus beyond listed companies. These institutions must evaluate their corporate governance arrangements and consider voluntary adoption of the new Code provisions.
Financial services firms operating under Digital Operational Resilience Act (DORA) requirements also intersect with Provision 29 compliance. DORA enforcement became active in 2025, and the overlapping requirements create compounded compliance pressure.
According to available data, FCA fines in Q1 2026 reached £16,087,723. The regulatory clock keeps ticking, and enforcement actions demonstrate that compliance gaps carry real financial consequences.
Core Components of Provision 29 Compliance
Material controls assessment forms the foundation. Organizations must identify which controls qualify as material based on their potential impact on strategic objectives, financial reporting accuracy, and regulatory obligations.
Control effectiveness testing comes next. This isn’t a one-time audit exercise. Continuous monitoring and periodic testing demonstrate ongoing effectiveness throughout the reporting period.
Documentation requirements have intensified. Boards need clear evidence trails showing how they reached their conclusions about control effectiveness.
The Declaration Requirement
The board declaration represents the culmination of all compliance activities. Directors must state explicitly whether material controls operated effectively during the period.
If controls proved ineffective or deficiencies existed, the declaration must disclose these issues along with remediation plans. Transparency matters more than perfection in the FRC’s view.
Sound familiar? This mirrors Sarbanes-Oxley requirements in the United States, though the UK approach allows more judgment in determining materiality thresholds.
Provision 29 Services Available
Several service categories have emerged to support organizations navigating these requirements. Understanding which services address specific gaps proves crucial for efficient resource allocation.
| Service Type | Description | Typical Providers |
|---|---|---|
| Gap Assessment | Evaluate current controls against Provision 29 requirements | Consulting firms, audit specialists |
| Control Mapping | Identify and document material controls across operations | Risk consultants, internal audit teams |
| Testing Frameworks | Design and implement control effectiveness testing | Assurance providers, specialist firms |
| Technology Solutions | GRC platforms for monitoring and reporting | Software vendors, system integrators |
| Board Advisory | Support directors in declaration preparation | Governance advisors, legal counsel |
Internal vs External Facilitation
Organizations debate whether to use internal resources or external facilitators for assurance activities. No single answer fits all situations.
Internal teams bring operational knowledge and institutional understanding. They know where bodies are buried and understand the nuances of control operation in practice.
External facilitators offer objectivity and specialized expertise. Their independence adds credibility to findings, particularly when boards declare effectiveness to external stakeholders.
Many building societies currently employ hybrid approaches—internal teams conduct ongoing monitoring while external specialists provide periodic independent validation.
Preparing for Provision 29 Compliance
Start with materiality assessment. Which controls, if they failed, would create significant issues for the organization? This question drives everything else.
The FRC encourages boards to “think for yourselves” rather than following prescriptive checklists. Context matters. A control material for one organization might be routine for another.
Document the rationale behind materiality decisions. When questions arise—and they will—clear documentation explains the board’s reasoning process.
Building the Evidence Base
Evidence quality determines declaration credibility. Generic assertions won’t withstand scrutiny from auditors, regulators, or sophisticated investors.
Control testing should produce specific results. How many transactions were tested? What deficiencies emerged? How were exceptions resolved?
Technology platforms increasingly support this evidence gathering. GRC systems provide centralized repositories for test results, issue tracking, and remediation monitoring.
Get Governance and Reporting Aligned
Provision 29 raises expectations around how organisations demonstrate control over risk and financial reporting. It’s no longer enough to have policies in place – boards are expected to understand how controls operate and where weaknesses sit. Acumon is an ICAEW-registered audit firm in London with FRC authorisation, working with organisations that need to maintain clear governance, structured oversight, and reliable reporting across their operations.
Fix Internal Controls and Board Oversight
Acumon supports organisations in addressing the practical side of governance and compliance:
- Assessment of how responsibilities are defined across management and oversight functions
- Review of how financial information is prepared and presented to leadership
- Identification of gaps between documented controls and actual execution
- Support for improving transparency for boards and audit committees
Reach out to Acumon and bring your governance and reporting into line.
Challenges Organizations Face
Resource constraints top the list. Building societies and smaller financial services firms often lack dedicated governance teams with capacity for extensive control testing programs.
Scope definition creates confusion. Determining which controls qualify as material requires judgment, and reasonable people can disagree about threshold determinations.
The effectiveness standard itself poses challenges. What constitutes “effective” operation? Controls rarely function perfectly 100% of the time. Organizations must establish reasonable tolerances for exceptions.
The Intersection with DORA and Other Regulations
Financial services firms juggle multiple overlapping requirements. DORA’s focus on operational resilience shares common ground with Provision 29’s control effectiveness mandate.
Smart organizations look for synergies. Control testing for one framework often satisfies requirements under another. Integrated compliance approaches reduce duplication and resource burden.
That said, each regulation maintains distinct requirements. Mapping exercises help identify where efforts overlap and where gaps remain.
Real-World Implementation Insights
Community discussions reveal common implementation patterns. Organizations typically underestimate the time required for initial materiality assessments.
Board engagement proves crucial. Directors who understand the rationale behind material control designations provide better oversight than those viewing it as a technical exercise delegated entirely to management.
Early adopters report that the first year proves most challenging. Once frameworks exist and testing cycles complete, subsequent years require less intensive effort.
Moving Forward with Confidence
Provision 29 compliance demands serious preparation, but organizations that approach it strategically can strengthen their governance frameworks while meeting regulatory expectations.
The shift from documentation to evidence represents a maturation of corporate governance expectations. Boards that embrace this evolution position their organizations for sustainable success.
Start early. Engage the board authentically. Build evidence systematically. These principles guide effective implementation regardless of organizational size or complexity.
Organizations still developing their approach should assess current capabilities against requirements, identify gaps, and develop realistic implementation timelines. The window for preparation is narrowing, but organizations taking action now can achieve compliance without last-minute scrambling.
Frequently Asked Questions
Provision 29 applies to accounting periods beginning on or after 1 January 2026. For companies with a calendar year ending 31 December 2026, this will be their first disclosure under the new requirements.
Not technically mandatory, but the FRC strongly encourages building societies to adopt the new Corporate Governance Code provisions voluntarily. Many societies treat this as a de facto requirement given regulatory expectations and stakeholder pressure for transparency.
Material controls prevent or detect risks that could significantly affect the organization’s ability to achieve strategic objectives, maintain accurate financial reporting, or meet regulatory obligations. Materiality depends on organizational context—no universal checklist exists.
Internal audit can contribute significantly to the assurance process. However, boards should consider whether independent external validation adds credibility, particularly for the initial declaration. Many organizations use a combination approach.
The declaration must disclose control deficiencies honestly, along with their impact and remediation plans. Transparency about issues and their resolution often carries less reputational risk than attempting to hide problems that later emerge publicly.
Financial reporting controls form one subset of material controls, but Provision 29’s scope extends further. Operational controls, IT systems, risk management frameworks, and compliance mechanisms all potentially qualify as material depending on organizational circumstances.
While Provision 29 itself doesn’t carry statutory penalties for voluntary adopters, failure to maintain effective controls can lead to regulatory enforcement actions. As of early 2026, the FCA has already issued substantial fines for governance and control failures.