This session was chaired by Mark Stock, Governance, Risk and Assurance Practitioner. Speakers were Maria Kepa, Director at EY, Tim Le Mare, GRC Solution Sales Director at Diligent and Nisha Sanghani, Partner at Ashurst Risk Advisory.
Setting the scene: the discourse around how Provision 29 differs from US SOX
Provision 29 of the 2024 edition of the Corporate Governance Code comes into force on 1 January 2026. Provision 29 requires boards of premium-listed companies to declare the effectiveness of their internal controls in their annual report, covering financial, operational, compliance and reporting controls. This declaration must be made as of the balance sheet date, and the board must also disclose how it monitored and reviewed the effectiveness of these controls, including any material control weaknesses and remediation plans. This is an extension of existing board duties under the previous iteration of the Code.
The Sarbanes-Oxley Act (SOX) is a US federal law enacted in 2002 to protect investors from fraudulent financial reporting by public companies. It mandates specific reforms to existing securities regulations, including enhanced reporting standards, internal controls, and accountability for company executives and public accounting firms. Before the 2024 Corporate Governance Code was published, a "UK SOX Lite" narrative was circulating, which created misunderstandings about what would be expected of companies listed in the UK. Provision 29 differs from the US SOX regime in that it is broader (covering financial, operational, compliance and reporting controls) but shallower. Companies need to adopt both a top-down and a bottom-up approach to internal controls, and they need to spend time and resources on this activity to understand and identify their material controls.
The aim is to bring accountability and transparency to the boardroom. Boards must understand material risks and link risk management to strategy. Companies need to take risk to thrive but must do so knowingly and responsibly. At present, many listed companies do not discuss risks regularly or profoundly enough (plus, not everyone is a risk expert).
A risk-based and board-led approach is needed. The declaration of the effectiveness of controls aims to focus the mind of the board on these matters. Boards will find this difficult if they don’t know what their organisation’s material controls are. Consequently, risk appetite conversations need to happen on a regular basis.
Current challenges boards should be aware of when implementing internal controls and risk management frameworks
Key challenges include:
- The need to achieve appropriate engagement across the business to correctly identify what your risks are and what your internal controls should be.
- There is a risk that businesses are over-cautious and identify too many controls, which can dilute effectiveness and lead to some matters falling through the cracks.
- Social, environmental and geopolitical tensions can give rise to unforeseen risks so regular monitoring and horizon scanning is required.
- Some boards are starting from ground zero and obtaining advice will initially be costly. However, this should ultimately pay off.
- Education is important. It is critical that the board and audit committee members understand risk and control. While there is a cost to risk management there is huge value that can help the board and management manage the business strategy if they are trained in what to do.
Where to start and tips for successfully identifying material risks and internal controls
The Corporate Governance Code operates on a comply or explain basis. This flexibility is helpful for companies executing Code duties.
The first step is to set up engagement channels between the board and other key people across the business. The second and third lines of defence need to communicate effectively with the first line. This flow of conversation allows you to identify exactly what your company’s material controls are. It is recognised that the maturity of frameworks and approaches is an important consideration.
- Most mature companies take a framework approach to this exercise.
- Less mature companies might start by dipping down into individual processes and elevating key controls to material control status.
From a speaker’s experience, boards typically identify between 20 and 120 controls. Within that range, the number of controls that the company will identify as material depends, amongst other things, on the extent to which it has applied the framework approach. The most common (modal) number of internal controls identified by companies appears to be around 35.
To comply with Provision 29, directors need to find disconnects and challenge management as to sources of information to ensure they can confidently sign off on the annual declaration of effectiveness. Seeking assurance can help with this exercise and the wording used is important to capture risks correctly. There are useful conversations to be had with assurance providers. Assurance is valuable in its ability to tell a company about their control environment. Identify within your business where you want positive assurance (that something is working) as opposed to negative assurance (where nothing has happened that you should be aware of).
Tips for establishing your internal controls and risk management frameworks
It is important not to neglect your risk management framework because you are paying too much attention to individual internal controls. The two go hand in hand. As a starting point, define what operational effectiveness means for your organisation.
Prevention and detection are key but also nebulous. The fact is that failures should not be surprises. These risks should be caught early and you should be able to learn from what went wrong and avoid repeats. The Post Office is a good example of low-level controls that did not operate effectively. A system risk such as Horizon was clearly a principal risk and issues ought to have been captured in a report in a timely fashion.
It can be helpful to put in place a risk taxonomy framework and ensure that everyone follows it correctly. The risk taxonomy in the COSO frameworks can be a useful starting point and the FRC has produced helpful guidance on this too. However, be careful not to get complacent because you have a framework in place. If a report cites a repeated failure, then a control clearly needs fixing. Remember that directors have statutory responsibilities and duties to fulfil.
Ensure you can collect evidence to back your board’s Provision 29 effectiveness declaration. Think about overarching risk and control frameworks as opposed to detailed controls and focus in on material key risks and controls. There will be pockets of information throughout a company and there needs to be a way to bring all this information together in a clear and cohesive way.
The panel advised not to get bogged down in technical language (risk/audit speak) – focus on what the code is trying to achieve.
Ensure you don’t get complacent about the importance of controls and Risk and Controls Assessments (RCA). Make use of available guidance that will be helpful e.g. the FRC guidance on COSO and Risk.
The importance of transparency and effective communication
Richard Moriarty, CEO of the FRC, has said that Provision 29 is the ‘transparency provision’. The declaration will sharpen focus and encourage directors to look deeper and double-check before signing on the dotted line. This needs to be addressed culturally, by revamping risk and controls programmes and repositioning them accordingly. As such, engagement is needed across all lines of defence and with the board.
Speakers highlighted the importance of accountability back to the boardroom, and how important it is that boards understand the key risks and how those risks link to the company’s strategy, so that the business can knowingly take risks while also maintaining “business safety”. This primarily requires effective two-way communication between the board and the audit committee.
Some have questioned whether the use of frameworks is gamifying the process rather than mitigating risk. Richard Moriarty has said we do not want to punish the virtuous. Provision 29 aims to help guide the virtuous and those who try to game the system should ultimately get caught out.
Different components of risk, e.g. health and safety and performance data, need to be knitted together to produce a comprehensive picture of the company’s state of affairs.
Speak a language that boards understand and decode for them what your company needs to do to fulfil its Provision 29 obligations.