The FTSE 350 boardroom conversation shifted on 1 January 2026. From that date, Provision 29 of the revised UK Corporate Governance Code 2024 requires boards to make an explicit, public declaration on the effectiveness of their material internal controls — including cyber, operational, and reporting controls. No more vague assurances buried in the annual report. A named, board-level statement, signed off and published.

This is the Financial Reporting Council's answer to years of corporate failures where directors claimed ignorance after the fact. The expectation now: boards must know, must test, and must say so on the record. For audit committees who treated internal controls as a finance-team exercise, the reckoning has arrived.

Our consultants have spent the last eighteen months preparing FTSE-listed clients for this disclosure. The gap between what boards think they can sign off and what evidence actually supports that signature is, in most cases, substantial.

What Provision 29 Actually Requires

The revised UK Corporate Governance Code, published by the Financial Reporting Council in January 2024, replaced the previous loose reference to risk management with something far more pointed. Provision 29 requires the board to provide a declaration in the annual report covering:

  • The effectiveness of the company's material internal controls as at the balance sheet date
  • The basis for that declaration, including how effectiveness was monitored and reviewed
  • A description of any material controls that have not operated effectively, the action taken, and any further action required

"Material" is the operative word. The FRC deliberately avoided prescribing a control framework. Boards must define which controls are material to their business — financial reporting, operational, compliance, and cyber — and justify that scope. The first reporting period covers financial years beginning on or after 1 January 2026, with disclosures landing in 2027 annual reports.

This is the closest the UK has come to a Sarbanes-Oxley-style attestation regime, without going the full SOX 404 route. The FRC has been explicit that proportionality applies, but the obligation is real and the disclosure is public.

Why Cyber Controls Now Live in the Board Declaration

The FRC guidance accompanying the Code makes clear that material controls extend beyond financial reporting. Cyber and information security controls — particularly those protecting revenue-generating systems, customer data, and reporting integrity — sit firmly within scope for most listed entities.

Three pressures converge here. First, the Cyber Security and Resilience Bill, currently progressing through Parliament, will expand incident reporting duties for managed service providers and critical suppliers. Second, the ICO has continued to enforce UK GDPR Article 32 with public reprimands and fines throughout 2024 and 2025. Third, the FCA's Operational Resilience rules (PS21/3) require regulated firms to map important business services and test severe-but-plausible disruption scenarios by March 2025 — and FTSE-listed financial services firms must now reconcile that work with the Provision 29 board internal controls declaration.

Boards that previously delegated cyber assurance entirely to the CISO must now own it personally. The chair of the audit committee will sign a statement asserting controls work. That signature carries weight.

Practical Steps to Be Ready

The work splits into four streams. Get them moving now, because the first reporting cycle is closer than it looks.

1. Define materiality with evidence, not opinion

Run a structured materiality assessment that maps controls to revenue, regulatory exposure, and stakeholder impact. Document the rationale. Auditors and regulators will ask why a given control was — or was not — declared material. "The CFO felt it wasn't significant" is not an answer.

2. Build a control testing programme, not a control register

A spreadsheet listing controls is not assurance. Each material control needs an owner, a frequency, a testing method, and documented evidence of operation. Internal audit, second-line risk, and external assurance providers should all play a role. For cyber controls, this means mapping to a recognised framework — ISO 27001:2022, NIST CSF 2.0, or NCSC Cyber Assessment Framework — and producing evidence trails that survive challenge.

3. Run a dress rehearsal in 2026

Treat the 2026 financial year as a parallel run. Produce the declaration internally, even though it will not be published. Identify the gaps. Fix them before they become a public disclosure.

4. Brief the board properly

Non-executive directors need training on what they are signing. The audit committee chair, in particular, must understand the testing methodology and the limitations of the assurance received. Generic governance training will not cut it.

Common Mistakes We See

The same patterns recur across the FTSE 350 readiness work our team has delivered.

Treating it as a finance exercise. Internal controls over financial reporting are one slice. Operational and cyber controls are the larger surface area for most listed businesses, and they are where boards have the least visibility.

Confusing policy with control. A documented policy that nobody tests is not a control. The FRC guidance is unambiguous on this point.

Over-scoping. Declaring every control material creates an unmanageable testing burden and dilutes the meaning of the declaration. Be deliberate.

Late engagement with external auditors. While Provision 29 does not currently require auditor attestation on the declaration itself, auditors will form a view on the consistency of disclosures. Get them in the room early.

How Pyralink Supports Provision 29 Readiness

Pyralink Innovation Ltd, led by Founder and Managing Director Michael Adedeji (CISM, CISA, CC, MSc Data Science), works with FTSE-listed and large private UK organisations on internal controls programmes that hold up under board and auditor scrutiny. We bring CISM/CISA-qualified consultants who have built and tested controls in production environments, not just on paper.

Our Provision 29 readiness work typically combines a materiality assessment, control mapping against ISO 27001:2022 and NIST CSF 2.0, a testing programme design, and fractional vCISO support to brief the audit committee. CloudAuditX, our multi-cloud auditing platform, provides continuous evidence collection across AWS, Azure, and Google Cloud — turning point-in-time assertions into ongoing assurance. We carry £5M professional indemnity insurance and stand behind every deliverable.

If your audit committee is signing a Provision 29 declaration in 2027, the work starts now.
