
Provision 29 Explained: Is Your Business Ready for UK SOX?
Why It Matters
Provision 29 raises governance standards for the UK’s biggest firms, influencing investor confidence and creating a new compliance frontier that rivals US SOX in scope. Early adoption will differentiate resilient companies from those scrambling to meet undefined expectations.
Key Takeaways
- Applies to premium‑listed firms and private companies with >750 staff or £750m turnover
- Boards must personally attest to internal‑control effectiveness in the annual report
- Control ownership is assigned to named individuals, not just departments, to avoid gaps
- Testing should be continuous year‑round, not a year‑end sprint
- Explain any deficiencies publicly; vague explanations trigger regulator and investor scrutiny
Pulse Analysis
The 2024 overhaul of the UK Corporate Governance Code introduces Provision 29, a board‑level internal‑control mandate that mirrors the intent of the US Sarbanes‑Oxley Act but grants far more flexibility. Effective for financial years beginning on or after 1 January 2026, the provision obliges the boards of premium‑listed companies and large private entities (those with more than 750 employees or £750 million in turnover) to declare in the annual report whether their material controls, spanning financial reporting, operational processes and cyber‑security, were effective, and to explain any that were not. Responsibility sits squarely with the board: unlike US SOX section 404, no external auditor attestation is required. The UK framework retains the Code's "comply or explain" stance, so firms may diverge from the norm as long as they provide a transparent rationale.
For compliance officers, the practical rollout centers on seven pillars: board ownership of the control review, cross‑functional scope, individual control owners, year‑round testing, evidence of policy adherence, candid disclosure of deficiencies with remediation plans, and a documented audit trail. These elements force organisations to move beyond a static controls manual toward a dynamic, evidence‑driven governance engine. The broader remit—covering operational risk and cyber resilience—demands coordination across finance, IT, legal and risk teams, turning internal‑control assurance into a company‑wide initiative rather than a finance‑only exercise.
The biggest hurdle remains the absence of established benchmarks. With no enforcement history and limited peer reporting, firms must craft bespoke frameworks while anticipating future regulator guidance. This uncertainty creates a competitive advantage for early adopters who can demonstrate rigorous, transparent controls to investors and rating agencies. As the first wave of declarations hits the market in 2027, the pressure will intensify, pushing the UK market toward a governance standard that, while less prescriptive than US SOX, could become the new global reference for integrated risk oversight.