Get 10% off GOAT RM ToolkitTM with vouchercode LINKEDIN10. Offer end 31 May

UK Corporate Governance Code 2024 – Why Provision 29 Has Been Granted an Extended Deadline

Why Provision 29 Has Been Granted an Extended Deadline

In risk and governance circles, Provision 29 marks one of the most significant updates within the 2024 UK Corporate Governance Code (commonly know as UK SOx). This newly revised code, published in January, applies to premium-listed companies, such as those in the FTSE 350.

While most changes will take effect for accounting periods beginning on or after January 1, 2025, the application of Provision 29 is delayed by an additional year.

This delay suggests that the Financial Reporting Council (FRC) anticipates companies will need extra time to ensure compliance. Given the complexity of this provision, organisations would be ill-advised to postpone planning until the last minute. Early preparation is essential to ensure smooth implementation well ahead of the reporting deadlines.

Smaller organisations, many of which voluntarily adopt the Code to demonstrate a commitment to good governance and stewardship, may also want to act proactively. By addressing Provision 29 early, they can continue to align with best practices, and avoid potential pitfalls as the compliance date approaches.

Provision 29

“The Board should monitor the company’s risk management and internal control framework and, at least annually carry out a review of its effectiveness. The monitoring and review should cover all material controls, including financial, operational, reporting and compliance controls.

The Board should provide in the annual report:

  • A description of how the board has monitored and reviewed the effectiveness of the framework,
  • A declaration of effectiveness of the material controls as at the balance sheet date; and,
  • A description of any material controls which have not operated effectively as at the balance sheet date, the actions taken, or proposed, to improve them and any action taken to address the previously reported issues.”

The Board’s Responsibilities

In this article, we focus specifically on Provision 29, which should be understood within the broader framework of Section 4 of the 2024 UK Corporate Governance Code. Section 4 addresses audit, risk, and internal control requirements, and outlines the Board’s responsibilities to:

  • Establish an effective Audit Committee.
  • Appoint external auditors, adhering to the minimum standards published in 2023.
  • Implement a robust internal audit function.
  • Define and articulate the company’s risk appetite.
  • Conduct a thorough assessment of both emerging and principal risks, and explain how these risks are managed and mitigated.
  • Foster a culture that encourages effective risk management.
  • Provide a Viability Statement in the Annual Report, incorporating stress testing or scenario analysis techniques.

Provision 29, while critical, sits within this wider framework of responsibilities. It should also be considered alongside other Board duties outlined in the remaining four sections of the 2024 Code, which will come into effect in 2025. Understanding these interconnected obligations will be essential for organisations as they work toward full compliance.

6 Steps to Assessing the Effectiveness of Material Controls

At the heart of Provision 29 (and the reason the FRC has provided an additional year for firms to comply) is the requirement for Boards to declare the effectiveness of their material controls and outline any resulting improvement actions.

Below, we present a six-step approach to help meet this requirement, which originates from a top-down principal risk assessment. We recommend firms follow these steps to ensure compliance.

6 Steps to Assessing the Effectiveness of Internal Controls

 

1. Conduct a Principal Risk Assessment

Most organisations have already undertaken principal risk assessments to identify the most significant risks that could impact their strategic objectives, performance, and long-term sustainability.

These assessments should integrate both departmental and functional risks (bottom-up) with strategic discussions at the executive level (top-down) to refine a shortlist of typically 8-12 principal risks. This process should be dynamic, with departments and functions regularly reviewing and managing their own risk profiles, while escalating emerging risks to the Executive and Board for evaluation.

It’s important to clarify that this assessment should be based on gross or inherent risk—meaning the level of risk before considering the mitigating effect of controls. This approach ensures that even risks that management considers inherently high but well-controlled are still identified. As a result, the number of principal risks may expand to approximately 20, including certain “business as usual” risks that are often overlooked, such as cash handling and financial reporting accuracy.

Principal Risk Assessment

 

2. Identify Controls Associated with Principal Risks

Controls are business activities designed to mitigate risks. In most organisations, a wide range of both formal and informal controls are implemented. To manage these effectively, it’s essential to classify and organise them within a comprehensive control framework. Leveraging a technology platform can greatly enhance clarity around accountability for each control.

The process of identifying and mapping key controls such as policies, systems, processes, training, communications, risk transfer (including insurance), and governance/reporting activities requires significant time and effort for most organisations. Taking a systematic approach will help ensure all critical areas are covered.

Control Framework

 

3. Test Control Effectiveness

Control effectiveness testing involves various assurance and testing methods, depending on the nature of the control. This can span the three lines of defence, incorporating a range of approaches, including a multi-year audit programme. The testing should assess both the design of the controls and their effective execution to ensure they are functioning as intended.

Test Control Effeciveness

 

4. Track Improvement Actions

Audits and testing are crucial in identifying control weaknesses and opportunities for enhancing both the design and execution of processes. These findings typically result in improvement actions, with clear ownership and defined due dates then being essential for accountability. Given the scale and complexity of controls and the actions required, implementing a dedicated action tracker is necessary to ensure progress and follow-through on all commitments.

Track Improvement Actions

 

5. Monitoring and Annual Re-testing

The 2024 Code mandates the Board to conduct an annual review of the effectiveness of the company’s risk management and internal control framework. To provide an accurate assessment, this review must be supported by evidence or assurance that all material controls functioned effectively throughout the reporting period. The most effective approach is to integrate and coordinate assurance efforts from various sources, such as the three lines of defence, each of which will conduct regular, recurring reviews to ensure comprehensive oversight.

Assurance Mapping

 

6. Reporting and Assurance

To support the Board’s declaration, it’s essential to present all activities in a clear, visual format. An effective tool for this could be an Assurance Map (see above), which organises principal risks in priority order across the top and maps the corresponding material controls.

Each control is marked with a traffic light indicator to show assessment results, while a white circle highlights those yet to be assessed. This visual summary enables the Board to quickly see the number of controls linked to each principal risk and review their RAG status (Red, Amber, Green) based on testing or audit outcomes.

By scanning down the rows, Board members can easily identify controls that require immediate focus, such as those lacking assurance or flagged as Red; particularly those impacting the most critical risks.

This high-level view should be complemented by detailed information on the testing regime and audit outcomes for each control, providing the Board with the comprehensive assurance needed to support its declaration on the company’s risk management and internal control framework.

Detailed Testing Regime

 

Supporting Provision 29 Compliance with GOAT Risk™

Premium listed companies have been granted an additional year to meet the new requirements, allowing time to establish and coordinate their assurance activities and address any improvement actions identified. This extended timeline provides a significant advantage by facilitating better alignment between risk management and assurance activities and enhancing coordination across all three lines of defence.

Leveraging technology can streamline reporting, data capture, and workflow reminders, enabling management to concentrate resources on critical areas such as risk assessment, control testing, and implementing improvement actions.

GOAT Risk™, a cost-effective risk management software solution, supports comprehensive compliance with Provision 29, as illustrated by the images included in this article.

Find out more about GOAT Risk™

Scale risk with confidence