
Preparing for Provision 29: Leveraging technology to drive robust internal controls assurance

Provision 29 of the UK Corporate Governance Code is arguably the most significant change introduced as part of the Code revisions announced in January 2024. It requires boards of in-scope organisations to make an annual declaration on the effectiveness of material internal controls.
This is an expansion and refinement of the requirements of the previous Code, which required boards to monitor, review and report on financial and operational controls. Now boards must:
“Monitor the company’s risk management and internal control framework and, at least annually, carry out a review of its effectiveness. The monitoring and review should cover all material controls, including financial, operational, reporting, and compliance controls. The board should provide in the annual report:
• A description of how the board has monitored and reviewed the effectiveness of the framework;
• A declaration of effectiveness of the material controls as at the balance sheet date; and
• A description of any material controls which have not operated effectively as at the balance sheet date, the action taken, or proposed, to improve them and any action taken to address previously reported issues.”
While framed by the Financial Reporting Council (FRC) as an evolution rather than a major change, the reality for most in-scope organisations is that Provision 29 requires considerable work across several domains.
They must:
- Evaluate enterprise risk and devise a process to identify the most material controls;
- Extend scope to cover compliance and reporting controls;
- Design or expand their control monitoring and remediation environment;
- Determine how they will provide assurance to form the basis of the declaration.
Commentators have suggested that organisations need to find the “golden thread” linking company strategy and CEO priorities with underlying risks, and mapping them to the controls needed to ensure the business has the strongest chance of achieving its goals.
By determining material risks, their associated controls (which by definition will be material controls), and designing an environment that draws those threads together, they will be able to deliver oversight and assurance. However, this is not easy.
A critical planning and test period for Provision 29
Provision 29 comes into effect in January 2026, meaning 2025 is a critical period for planning, designing and testing the frameworks and processes needed. The aim should be to meet obligations without creating an unnecessarily heavy administrative burden. There are several challenges to overcome, including:
- Mapping principal risks to strategy, identifying material risks and their associated controls.
- Engaging a broad spectrum of stakeholders on enterprise risks and controls across what are typically siloed business units.
- Designing or improving the controls environment to ensure material controls are effective.
- Designing and implementing a consistent approach to monitoring, evaluating and reporting internal controls effectiveness.
- Achieving assurance that links directly and demonstrably to the controls monitoring framework.
Technology may have been used to support some of these areas in the past, but it is often applied inconsistently between departments. It is also often deployed on a standalone basis, lacking integration with wider business intelligence systems, and manual data entry can introduce inaccuracies that reduce confidence in the system’s integrity.
As the organisation prepares its response to Provision 29 requirements, now is an excellent time to explore how investing in integrated governance, risk, and compliance (GRC) technology that supports automated processes can increase control framework maturity and its associated assurance across the business.
Internal controls framework maturity: How GRC technology can help
An important early step on the road to Provision 29 assurance is to determine the organisation’s position on the control framework maturity curve below:

The business may be at different stages for different risk and control areas. For example, processes for identifying the scope and materiality of financial risk, and related material internal controls for financial reporting are likely to be more mature than those for recently identified non-financial material risks and controls. Levels of documentation and internal audit assurance may also vary between the different material risks identified. When these are all managed in different IT systems and departments, each with a different approach to monitoring and reporting, gaining a clear picture is difficult.
Furthermore, to achieve any maturity greater than the basic “undefined” level, it is crucial that processes are centrally developed, consistently applied by all stakeholders, and repeatable. This is where integrated GRC technology has considerable advantages over manual processes and standalone point solutions.
How Diligent One draws the threads of GRC together to deliver robust assurance
Diligent One GRC platform is tailor-made to help businesses identify, prioritise, and manage enterprise risk effectively, linking it to the underlying controls and internal audit procedures that provide the assurance needed by the board so directors can make a confident Provision 29 declaration. In addition to advanced governance and board management capabilities, it includes:
Enterprise Risk Management (ERM) solution: Supports the business to map principal material risks to strategy with risk identification and prioritisation workflows based on the ISO 31000 risk standard. Creates repeatable processes for risk identification, scoring, tracking and remediation.
Internal Controls: Curates a single catalogue of risk and control matrices, including related control documentation such as narratives and process flows, for financial and non-financial controls. Generates automated alerts to control performers reminding them to perform the control. Provides first line control attestation workflows. Supports second line control testing workflows and includes automated control testing.
Internal Audit: Provides internal audit planning and third line risk assessment capability. Provides automated audit workflows to reduce team burden. Allows consolidation of risk and control ratings across the three lines of defence.
Crucially, these ERM, internal controls and internal audit capabilities are integrated into a single user-friendly dashboard giving comprehensive oversight of risk management, controls and assurance data. This can be communicated to the board whenever needed, providing an ongoing picture of performance, rather than just a point-in-time snapshot. Automation is supported throughout to reduce the burden on teams and enhance data accuracy, which in turn supports transparency and confidence.
By implementing a unified GRC tool like the Diligent One platform, businesses can:
- Build a clear, comprehensive narrative around risk, control and assurance that delivers assurance to the board.
- Design a realistic, achievable action plan to increase internal controls framework maturity.
- Eliminate information silos while building relationships between stakeholders in audit, risk and internal controls throughout the business.
- Utilise automation to reduce the administrative burden of managing risk while increasing stakeholder engagement.
- Ensure consistency and repeatability of risk collation, analysis and management.
This will create an appropriate, effective response framework for meeting the requirements of Provision 29, underpinning the final declaration with clear evidence. It also provides a strong foundation on which to base continuous improvements in internal controls maturity.

Want to learn more? Discover all the significant changes introduced in the 2024 U.K. Corporate Governance Code, focusing on director accountability, risk management, internal controls and board leadership, by downloading our U.K. Corporate Governance & Audit Reform report.