
How are boards thinking about assurance for Provision 29?

Author: ICAEW Corporate Governance Faculty

Published: 05 Feb 2026

After boards approve the framework for matching principal risks to material controls for Provision 29, their next step is defining the assurance structures to give them confidence that those controls are working effectively.

In the third article of this Corporate Governance Faculty Provision 29 series, which draws on the experiences of FTSE 350 audit committee chairs, we’ll examine how boards are planning to get assurance, and what debates are still underway at board level. 

Questions facing boards

Assurance frameworks cover the testing of material controls, the first line (operational), second line (internal control) and third line (internal audit) of defence, the involvement of external auditors and third-party experts, and the board review process.

It seems there is more debate about how to get this right than any other stage of Provision 29 preparation. “Will we get assurance over every single control, every single year? Probably not, but it may be that we look more deeply at some areas in the first couple of years,” says one audit committee chair.

It’s hardly the only question facing boards looking at assurance frameworks. Others include:

  • “What’s too much and what’s not enough?” There comes a point where too many layers of controls become expensive and burdensome.
  • “Do we need 100% assurance for any material controls? If not, what percentage would we be comfortable with?” Complete assurance may be impossible, but some risks are more critical than others.
  • “What happens when a control is found to be ineffective?” And at what point does the board need to know?
  • “Who should do the assurance? If it’s a third party, what is their remit and are they competent?” An effective framework has clarity about who does what and when.

In most cases, the answers to these questions will emerge only as firms develop their assurance frameworks over the coming year, with input and oversight from the board. 

The role of people: competence and ownership

Matthew Lester, Board Chair of Kier Group and Audit Committee Chair of ICG, says a board’s confidence comes from people as well as frameworks.

“It starts with a cold, hard-eyed view of your CFO and finance team. We can spend lots of time designing controls, but they won’t operate effectively without the right, competent people in place,” Lester says.

Another audit committee chair says that for the board to have confidence it is vital for every material control to have a single owner among senior management: “Each owner will certify, in writing, that the control is in place and operating effectively. It’s a wet signature too, not a Docusign, which concentrates the mind. There’s no plausible deniability.” 

This senior management certification is being incorporated into an existing, twice-annual cycle that involves self-assessment for first-line control owners throughout the business, and control certification from the second line. “You've got to drive that culture that says, we're going to test it, we're going to audit it, and you're responsible,” the chair adds.

Jock Lennox, Board Chair at Johnson Service Group, instead stresses the importance of individual senior managers being accountable for specific principal risks: “Ownership of risks is key, because it means that whenever you reorganise anything, you know how it affects your control environment, so you enable the organisation to be more confident.” 

For Kari Hale, who chairs the audit committee at Close Brothers Group, ownership needs to be embedded throughout the business, not just at senior management level. The goal should be to encourage those on the first and second lines to think for themselves about whether or not a control is effective, or even needed. The risk otherwise is that the assurance process becomes unwieldy and ultimately counterproductive for all concerned.

“My challenge to management is that we don’t want to end up with a process requiring annual assurance over a matrix of 500 or more controls, with perhaps ten level two or three controls for each material control,” Hale says. “In three years, we’d end up with a lot of people testing a lot of controls, without understanding why it’s being tested or how it mitigates the risk. We’d end up at board level being fed papers with a percentage pass rate but zero real insight into whether risks are controlled efficiently or effectively.”  

 


The role of external assurance

 Third-party auditors and specialist experts will play some role in most assurance frameworks, but the extent of external involvement is a matter of active discussion. 

“This is not just who assures it, but how much of the total resource base do they assure? When do they do it? What are the standards they assure against? How is their assurance report mapped against our own internal assurance and who's got oversight of it?” says Simon Henry, Non-Executive Director at BP and former audit committee chair at Rio Tinto.

Henry anticipates that many firms will lean on the Big Four, as they combine expertise in risk and control frameworks as auditors with expertise in non-financial functions in their consulting capacity.

This raises a further question. “Can they use their auditor for assurance in non-financial areas without breaching rules on independence? Because the cost of bringing in another third party is much higher than using your own auditor, who has more understanding of what's going on in your company,” Henry says.

Several interviewees suggested using an auditor to sense-check their process and employing third parties for certain controls when needed, but warned against over-reliance on outside support at the expense of ensuring robust internal audit capabilities.


Provision 29

Provision 29 came into effect on 1 January 2026. Find out how it is affecting boards and auditors, and hear from audit committee chairs.
