Provision 29: A practical guide to board declarations on internal controls

Provision 29 of the UK Corporate Governance Code asks boards to do something that used to sit in the background. It asks you to make a clear statement on whether your material controls were effective at the balance sheet date, and to explain how you monitored and reviewed the control framework across the year. Whether you’re preparing for your first declaration or refining your approach after the first cycle, this guide breaks down what the rule means in practice and how to keep disclosures clear, credible and useful for investors.
What provision 29 requires
While framed by the Financial Reporting Council (FRC) as an evolution rather than a major change, the reality for most in-scope organisations is that Provision 29 requires considerable work across several domains.
Boards should monitor the company’s risk management and internal control framework, complete an annual review of effectiveness, then report four things in the annual report:

Many in-scope companies are now strengthening year-round monitoring with AI-enabled continuous control testing, so the board’s year-end opinion is grounded in full-population evidence across financial, operational, reporting and compliance controls.
This is not UK SOX. Provision 29 introduces a board declaration but does not require external auditor attestation, and the scope goes beyond financial reporting to include operational, reporting and compliance controls.
Why this feels like a big shift
In boardrooms I work with, historic reporting focused on describing monitoring activity. Provision 29 raises the bar. You are now making an outcome statement with evidence that can stand up to investor scrutiny. Leading practice is to avoid boilerplate statements, explain how the board reached its view, and connect control outcomes to strategy and risk appetite.
Modern board tech can also help avoid boilerplate: AI tools summarise large packs into decision-ready insights and surface risky language so directors focus on the evidence that matters.
What does “boilerplate” look like — and how do you avoid it?
Boilerplate statements are generic and vague, failing to show how the board reached its conclusion. This undermines investor confidence and falls short of Provision 29’s intent.
Examples of boilerplate wording:
- “The board has reviewed the system of internal controls and considers it effective.”
- “Processes are in place to monitor risk and compliance.”
What to do instead:
Use specific, outcome-focused language that shows the basis for your opinion:
“The board reviewed quarterly assurance reports, internal audit findings and management attestations covering 18 material controls linked to principal risks. Based on this evidence, the board concluded that controls were effective at the balance sheet date, except for two areas where remediation is in progress.”
What counts as “material controls”
The board decides what is material, proportionate to your risks, strategy and stakeholders. A practical test I see work well: include controls that, if they fail, could reasonably affect price-sensitive reporting, principal risks or legal and regulatory obligations. Keep the set focused yet complete and agree your evidence standard up front.
Tip: Benchmark your risk/control scope against peer disclosures and industry risks to calibrate “material”; AI-powered libraries can speed this early scoping.
Roles and lines of assurance
- Board and audit committee set scope and evidence expectations, oversee monitoring and approve the declaration
- Management confirms design and operation of controls and owns remediation
- Internal audit provides independent assurance with risk-based testing across material controls
- Second line risk and compliance monitors frameworks and facilitates attestations
Independent guidance emphasises the contribution of internal audit and the need to integrate assurance across first, second and third lines so coverage is complete without duplication. Linking the assurance map to automated analytics reduces duplication and makes exception trends visible to the audit committee in real time.
A phased approach for the 2026 reporting cycle
Here is the approach I recommend, whether you are preparing for your first declaration or improving your second. Think of the year in four repeating phases, structured so that your declaration is evidence-backed and stress-free:
- Phase 1 (early year): Confirm the definition of material controls, agree evidence standards, and map assurance lines.
- Phase 2 (spring): Perform targeted testing on material controls, prioritise principal risks, and start remediation.
- Phase 3 (mid-year): Run a dry-run declaration with the audit committee, refine wording and evidence pack.
- Phase 4 (year-end): Finalise disclosure, close remediation, and align investor messaging.
Detailed steps:
- Define scope and materiality: Document criteria, link each control to risks and reporting duties, confirm ownership and cadence.
- Agree an evidence standard: Be specific on sufficiency, covering testing coverage, attestation frequency, exception thresholds and issue closure criteria.
- Map and integrate assurance: Build an assurance map that brings first-line attestations, second-line monitoring and internal audit together.
- Test and remediate: Prioritise price-sensitive reporting and principal risks. Run targeted testing, fix issues quickly, track retesting.
- Run a dry-run declaration: Socialise draft wording and the evidence pack with the audit committee, then refine controls and disclosure.
- Disclose with clarity: Explain how monitoring was performed, state the declaration plainly, and describe ineffective controls with actions and status. Avoid boilerplate.
Benchmark your maturity
Use your Control Framework Maturity Curve to assess where you are and set goals for year-on-year improvement. Aim to move from a consistent, integrated approach to an optimised state where control results inform board agendas, strategy and decision-making.
See this maturity curve to benchmark where you stand and set goals for improvement:

How Diligent supports Provision 29
Provision 29 asks for a declaration that is clear and defensible. Diligent connects risk, compliance and audit assurance with board reporting so your disclosure is backed by consistent evidence across the year.

With Diligent, you can:
- Maintain a control inventory linked to principal risks, reporting obligations and ownership
- Orchestrate first-line attestations with workflow, reminders and exception handling
- Consolidate second- and third-line assurance into a single assurance map for visibility across lines
- Track issues and remediation with due dates, status and retesting records
- Produce board-ready reporting that shows the status of material controls, exceptions and actions
- Use analytics that surface anomalies and connect findings directly to audits so evidence quality improves without noise
- Keep entity records accurate and ownership clear across all legal entities with AI-driven data hygiene
- Use AI confidently with built-in safeguards: opt-in controls, no default data training, and clear labelling of AI-generated content
Final thought
If I had to boil Provision 29 down to one habit, it would be this: agree scope and evidence early, then keep assurance integrated and visible right through the year. It makes the year-end declaration simpler, and the conversation at the board table more grounded.
Provision 29 FAQ
Boards often ask the same practical questions about Provision 29. Here are the answers to the top ten I hear.
- What will challenge boards most?
Calibrating “material controls” and agreeing an evidence standard that is proportionate, defensible and repeatable across the year. Pair first-line attestations with analytics and full-population tests in high-impact areas to avoid noise.
- Is external auditor attestation required?
No. Provision 29 introduces a board declaration and does not require external auditor attestation; scope extends beyond financial reporting to operational, reporting and compliance controls.
- How do we decide what’s “material”?
Start from principal risks, price-sensitive reporting and regulatory duties, then benchmark risk/control themes against your sector to avoid gaps. AI-powered risk libraries can accelerate this early scoping.
- What does a good evidence standard look like?
Define coverage (which controls, how often), exception thresholds, and closure criteria. For automated controls, use continuous monitoring; for manual controls, use attestations plus targeted tests. Keep an audit trail with dates, owners, results and retest status.
- How can AI help without adding risk?
Use AI where it reduces manual work and increases coverage (e.g., summarising board packs, testing full datasets, anomaly detection). Diligent AI is opt-in, does not train on your data by default, and clearly labels AI-generated content to preserve oversight.
- Will this create “boilerplate” disclosures?
The opposite: analytics and board AI make it easier to tie conclusions to specific evidence (what was tested, exception rates, remediation). Summaries help directors challenge and refine wording.
- What can we deliver this quarter?
  - Run one continuous test in a high-impact process (e.g., P2P duplicates, access anomalies) to evidence full-population coverage.
  - Do a dry-run declaration with AI-generated prep questions and a minutes draft to test clarity and gaps.
  - Clean control ownership across entities so responsibilities are unambiguous.
- How does this fit with our existing systems?
Connect analytics to your common data sources (ERP, HR, Concur, Salesforce) and feed results into your assurance map and audit dashboards; there is no need to rip and replace.
- How should we word the declaration?
Be plain and specific:
“Based on quarterly assurance reports, internal audit testing and management attestations covering X material controls linked to principal risks, the board concluded that controls were effective at the balance sheet date, except for [areas] where remediation is in progress.” Then disclose actions and status.
- How do we keep directors focused on the right issues?
Provide board-ready summaries, risky-language alerts, and exception trends by risk to guide the discussion, then capture actions and owners in minutes.