New requirements are about to kick in for companies subject to or applying the Financial Reporting Council’s (FRC’s) Revised UK Corporate Governance Code (the Code). Provision 29 of the Code has longstanding requirements for companies to describe how the board has monitored and reviewed the effectiveness of the internal control framework. 

The revised requirements of Provision 29 apply to 2026 financial years – meaning that work needs to start soon – require a: 

• description of how the board has monitored and reviewed the effectiveness of the risk management and internal control framework – as before;

• declaration by the board of effectiveness of material controls as at the balance sheet date; and 

• description by the board of any material controls that have not operated effectively, together with the relevant action taken or proposed to improve them, and any action taken to address previously reported issues.

UK SOX? 

A ‘declaration of effectiveness’ is a far cry from the extant description of how the board is managing effectiveness, but this is not intended to be a UK SOX. The Code does not have the force of law as it does in the US, and it works on a comply or explain basis. 

Furthermore, the Code covers operating and compliance controls, as well as internal controls over financial and non-financial reporting. The SOX regime only covers internal controls over financial reporting. And there is no specific auditor assurance requirement in the UK attached to the declaration, whereas in the US, the mandatory auditor reporting requirement is supported by a specific auditing standard and the related work is performed as part of an ‘integrated audit’. 

In the US, there is a substantial body of guidance for companies on the COSO Framework, which is used by most reporting entities. The FRC has made it clear that it does not currently intend to provide further guidance for companies on the Provision 29 requirements, although the November 2024 press release issued with its 2024 Annual Review of Corporate Governance Reporting states that the FRC is committed to supporting companies with ‘various tools and resources’ to enable effective implementation of the new Code more widely. 

ISA 720

In the UK, no change has been made by the FRC to ISA 720 ‘The Auditor’s Responsibilities Relating to Other Information’ to reflect the new requirements. The extant standard already makes specific reference to the Provision 29 disclosure requirements. 

We understand that the FRC does not currently intend to substantively change ISA 720 or to provide further significant guidance for auditors on the application of ISA 720 in this context. The basic requirement is for auditors to ‘read’ the ‘other information’ presented with the audited financial statements, and to consider any material inconsistency between the other information and: 

• the auditor's knowledge obtained during the audit; and 
• the audited financial statements.

We will explore the views of audit firms on ISA 720 and Provision 29 in a future article.