Provision 29 and non-legislative progress towards audit and corporate governance reform

Stakeholders – whether audit firms, investor groups, governance commentators or accountancy bodies – expressed their frustration that long-awaited government action on audit and corporate governance had been de-prioritised once again.

In our own analysis of the decision, we’ve noted that a failure to pass a comprehensive bill carries risk. There remains uncertainty around the refinement of the Public Interest Entity (PIE) framework, changes to director accountability, and the regulator’s resourcing and powers. A lack of legislative action also risks a growing divergence between the scrutiny of listed companies and some of their private counterparts. And it will now be harder to knit the various strands of UK audit and corporate governance reform together.

That said, legislation is not the only means by which reform can be driven forward.

A key example can be found on board accountability – one of the core themes of the Government’s original audit and corporate governance consultation work, and a feature in the preceding 2018 Kingman and 2019 Brydon reviews. Although the prospects of primary legislation have receded, some significant changes have instead been made through the UK’s Corporate Governance Code, and one of the most notable proposals considered by the Government in 2021-22 is now in force.

Provision 29 – Improvements to listed companies’ internal controls

For financial years beginning on or after 1 January 2026, company boards are now required to make a declaration on the effectiveness of all their material controls – including ‘financial, operational, reporting and compliance controls’ – in their annual reports. Additional detail also needs to be provided on steps taken to rectify any material controls which have not operated effectively.

These requirements stem from an updated Provision 29 in the Corporate Governance Code (‘the Code’). The 2018 version of this provision committed boards to a simpler requirement: reporting annually on their review of the effectiveness of their risk management and internal control systems. Criticism of this earlier approach was highlighted in the Brydon review which, quoting an earlier EY paper, noted that the approach taken by boards “varies and usually does not involve detailed testing of the effectiveness of controls.”

In short, whereas there was previously no explicit reporting format for detailing the internal controls in place, boards are now required to make an explicit declaration on their effectiveness. While there may be a debate about the value to report users of the information on internal controls provided and attested to – even the 2018 version of the provision raised questions about the cost of compliance and usefulness to end users – the introduction of a clear attestation marks an obvious change in the nature of board accountability.

The rationale behind the change to Provision 29 was set out in the Government’s original 2021 consultation on audit and corporate governance reform: weak internal controls and risk management had been key factors in a series of corporate failures. And earlier this month, Business & Trade minister Baroness Lloyd responded to a Lords question on governance reform by noting that “almost all corporate collapses can be linked to governance deficiencies… audit deficiencies tend to exacerbate problems rather than being the cause of a company’s collapse.”

A revised Provision 29 is intended to enhance companies’ internal controls and reduce the chances of disorderly failures at systemically important entities.

Early impact

The impact of the update to the provision has already been felt, with UK listed companies embarking on wide-ranging projects to identify – and review – the controls that need to be covered by their attestation. Although the Code was updated in January 2024, companies were given until reporting periods beginning this January (and beyond) to begin compliance with Provision 29 given the amount of work involved.

According to the FRC, while companies felt their financial controls were well developed, non-financial controls needed additional attention. Other feedback shared with CPIA suggests the changes have prompted a particular acceleration in companies’ thinking on material controls over sustainability information – UK companies with EU links will have already been carrying out work for compliance with the Corporate Sustainability Reporting Directive (CSRD; large non-EU parent companies must comply for financial years starting 1 January 2028 and beyond), which will have been brought forward to ensure compliance with Provision 29.

Per a July 2025 analysis by EY, listed companies are tracking anywhere between 20 and 120 material controls, with a mid-range of 30-45. Similarly, September 2025 analysis by PwC found that half of the companies it surveyed had identified between 21 and 40 material controls (with just under one-in-ten companies identifying over 100).

What difference will Provision 29 make?

Strengthening UK companies’ internal controls frameworks was a core theme within the Government’s audit and corporate governance reform process. Regardless of the Government’s approach to legislation, changes have now been introduced that are already having an impact on UK companies’ approaches to their internal controls. The absence of a Bill is far from the end of the road for the wider audit and corporate governance reform project

In the words of the Government, the Code is a “tried and tested” means of strengthening UK corporate governance. And the FRC has argued that its approach “provides improved accountability and transparency, while avoiding disproportionate burdens on business and allowing flexibility for companies to tailor their arrangements to their own circumstances.”

But, as we’ve highlighted elsewhere, the Government’s switch to an incremental approach to corporate governance and audit reform – pursuing reform through the Code rather than legislative change, for example – carries risks.

As noted at the outset of this piece, the Code applies to listed companies, but not to others. One of the key ideas within the wider reform package was a refinement of the definition of a PIE, a move which could have brought more systematically important entities within the bounds of the Code (or any other statutory changes that may have been introduced). Without accompanying changes to the PIE definition, there is no guarantee that all systemically important private companies will follow the new internal controls requirements set out in the 2024 Code.

Moreover, one key test for Provision 29 will be the extent to which it is adopted even among those companies to which it applies. The Code operates on a ‘comply or explain’ basis and, while this might feed into the flexibility cited by the FRC, it also risks an uneven take-up of the new Provision 29’s requirements among the companies it is supposed to cover. The investor and stakeholder reaction to those companies opting to ‘explain’ rather than ‘comply’ will be critical.

And, ultimately, there is a question over enforcement and what impact the new Provision 29 attestation will have on the next corporate governance scandal to occur. The requirements within Provision 29 are, of course, fundamentally preventative – hopefully, they will play a role in preventing unexpected and disorderly corporate failures. But failures may well still happen, and it is likely that deficient internal controls will play a role.

If this were to be the case, and the failed company’s board were to have previously provided a Provision 29 attestation, it remains to be seen what consequences the board will face. Providing an attestation when controls are later shown to be ineffective, and then escaping censure, may undermine confidence in the value of the Code’s new requirements.

Please do get in touch on info@cpia.org.uk if you have questions or want to discuss future research on audit and corporate governance reform. 

Download the paper