Provision 29 of the 2024 UK Corporate Governance Code asks the board to monitor its risk management and internal control framework, review its effectiveness at least annually, and declare on the material controls as at the balance sheet date. Where property, plant and equipment is material, the controls over asset existence, safeguarding and location accuracy are natural candidates for the board’s material-controls inventory — and independent physical verification is one of the cleanest ways to evidence that those controls actually operate. This is our reasoned professional position, not FRC guidance, and CPCON feeds the board’s evidence base rather than issuing an audit opinion.
The 2024 UK Corporate Governance Code introduced the most consequential change to internal control reporting that premium-listed companies have faced in a generation. Provision 29 reframes the board’s relationship with its control environment: it is no longer enough to say a framework exists and is reviewed. Boards must now state, on the record, whether the material controls were effective — and disclose the ones that were not. For asset-intensive organisations, that raises a question the governance literature has largely ignored: what does it take to stand behind a declaration that your controls over physical assets work?
This guide sets out what Provision 29 requires, when it bites, and what “material controls” means under a principles-based Code. It then makes the case — clearly flagged as a reasoned professional position rather than regulatory instruction — that controls over property, plant and equipment (PP&E) belong in many boards’ material-controls inventories, and shows how independent physical verification supplies robust, proportionate evidence for the declaration without ever becoming an assurance opinion.
What Provision 29 requires: monitor, review, declare, disclose
Provision 29 sets three duties on the board. First, to monitor the company’s risk management and internal control framework. Second, to carry out, at least annually, a review of its effectiveness covering all material controls — the Code names financial, operational, reporting and compliance controls. Third, to make a declaration in the annual report about those material controls. The word the Code uses is deliberate: the review “should cover all material controls”, and the declaration is about the effectiveness of those controls, not the framework in the abstract.
The shift from a framework-exists statement to an effectiveness declaration is the heart of the reform. A board can no longer discharge its obligation by describing governance machinery. It must reach, and publish, a conclusion — and be able to show the basis for it. That basis is an evidence question, and it is where organisations with large physical asset bases have the most work to do.
The three annual-report elements
Provision 29 requires the annual report to contain three distinct elements, and it helps to keep them separate:
- A description of the process: how the board has monitored and reviewed the effectiveness of the risk management and internal control framework.
- A declaration of effectiveness: the board’s conclusion on whether the material controls were effective as at the balance sheet date.
- An ineffective-controls disclosure: a description of any material controls that did not operate effectively as at the balance sheet date, the action taken or proposed to improve them, and any action taken to address previously reported issues.
The first element is a narrative about work performed. The second and third are outcome statements about specific controls. A board that blurs the two — describing its committees and cadence and calling that a declaration — has not met the provision.
“As at the balance sheet date” — an outcome statement, not a process narrative
The declaration is anchored to a point in time: the balance sheet date. That phrasing does two things. It fixes the moment the board is speaking to, and it makes the declaration an outcome statement rather than a running commentary. The board is not saying “we have good processes”; it is saying “these material controls were effective on this date”. For controls over physical assets, the balance-sheet-date focus has a practical consequence: evidence gathered close to year end is the most directly relevant, because it speaks to the state of the controls at the very moment the declaration addresses.
Effective dates: FY beginning on or after 1 January 2026
The timeline matters for planning. The wider 2024 Code applies to financial years beginning on or after 1 January 2025. Provision 29 specifically applies to financial years beginning on or after 1 January 2026, so the first actual Provision 29 declarations appear in annual reports published from 2027. There is no early-adoption requirement. The Financial Reporting Council has indicated it expects the material-controls report to be proportionate and concise — in most cases no longer than two pages — with the robust evidence sitting behind that disclosure rather than being reproduced in it.
The gap between now and first reporting is the preparation runway. Boards that use it to inventory their material controls, agree evidence standards and rehearse the declaration are the ones that will not be caught short. We set out that process in detail in the guide to building the board’s evidence base for the Provision 29 declaration.
What “material controls” means under a principles-based Code
The Code is principles-based. Unlike the US regime, it does not prescribe a control framework such as COSO, a materiality threshold, or a list of controls the board must assess. It names four illustrative categories — financial, operational, reporting and compliance controls — and the word “including” makes clear the list is not exhaustive. What counts as “material” is a matter of board judgement.
Advisers have converged on a workable test, though it is theirs and not the FRC’s: a control is material if its failure could reasonably influence the decisions of stakeholders, or could reasonably affect price-sensitive reporting, principal risks, or legal and regulatory obligations. Responsibility for the resulting judgement, and for the declaration, sits with the board collectively — a marked contrast with the individual CEO and CFO certifications of the American system.
Why fixed-asset (PP&E) controls are natural candidates for the material-controls inventory
Here is our reasoned professional position, offered as a governance argument rather than a statement of FRC intent. In an asset-intensive company, controls over the existence, completeness, location and safeguarding of PP&E are strong candidates for the material-controls inventory. The reasoning is straightforward. These controls underpin the integrity of a balance that is frequently one of the largest on the statement of financial position; their failure can misstate PP&E, depreciation and impairment; and they touch operational resilience and regulatory compliance at the same time. The FRC does not name PP&E, and we are careful not to imply otherwise — but the four control categories, read against IAS 16 / FRS 102 recognition and measurement and the record-keeping duty in section 386 of the Companies Act 2006, make the case on their own terms.
The connection is drawn most sharply in the US-listed context, where the same physical assets sit under the existence assertion. See our companion analysis of the fixed-asset existence assertion under SOX 404 for how physical verification proves PP&E exists.
The three PP&E control types: existence, safeguarding, location accuracy
Three candidate material-control types recur across asset-intensive businesses:
| Control type | What it does | Failure risk |
|---|---|---|
| Asset existence | Periodic physical verification and reconciliation of the register to the floor and the floor to the register. | Ghost assets overstate PP&E, depreciation and impairment. |
| Safeguarding | Physical access controls, security tagging, custody records and movement monitoring. | Theft, loss and unrecorded disposals; operational disruption. |
| Location accuracy | RFID or GPS tagging and systematic reconciliation of asset locations to the register. | Mislocated assets distort depreciation, insurance and compliance obligations. |
Each is examined in depth across this cluster: existence and reconciliation through the fixed-asset register controls for the board declaration, and custody and protection through safeguarding of assets as a material control.
How PP&E controls sit across financial, operational and compliance scope simultaneously
A distinctive feature of the broader Provision 29 scope is that a single PP&E control can be financial, operational and compliance at once. It is a financial control because asset existence and valuation feed the PP&E balance. It is an operational control because the organisation depends on those assets being available and used efficiently. And it is a compliance control where health and safety, environmental or regulatory obligations attach to the assets. That tri-category quality is exactly why physical-asset controls have a more direct governance hook under Provision 29 than under the narrower financial-reporting scope of SOX 404 — a point we develop in the comparison of UK SOX and Provision 29.
The board’s evidence problem: what “robust but proportionate” evidence looks like
The FRC expects boards to explain how they monitored and reviewed effectiveness and the basis on which they reached their conclusion — a proportionate but robust evidence base. For asset controls, that base is tangible: physical verification results, reconciliation reports, tagging and RFID logs, exception registers, and the disposition of investigated differences. The discipline is to move from “we counted the assets” to “here is documented evidence that our existence and safeguarding controls operated as at the balance sheet date”. Unmanaged registers are the enemy of that discipline; we quantify why in the analysis of the cost of unmanaged fixed assets.
How independent physical verification feeds the board’s evidence base (not an audit opinion)
The boundary we hold: the internal control system and the Provision 29 declaration are the responsibility of the board and the company. CPCON is an independent physical fixed-asset verification specialist. We supply existence, location, tagging and reconciliation evidence that boards and their assurance functions can rely on. We do not issue audit opinions or assurance attestations, and we do not guarantee compliance.
Independence strengthens the credibility of the evidence base and reduces self-review concerns — the board is not relying solely on the team that operates the control to attest that it works. An independent physical verification programme, timed to year end and reconciled to the register, produces precisely the kind of proportionate, robust evidence the declaration rests on. How that evidence is assembled, and how it is turned into a two-page-friendly pack, is the subject of the guide to physical verification as evidence for the material controls declaration. The practical checklist for the fieldwork itself is the fixed asset verification checklist, and boards preparing for the year-end cycle should read our guide to preparing for a fixed asset audit in 2026.
Explore the cluster
Provision 29 is a governance change with a physical-asset dimension that most published commentary overlooks. This cluster connects the two:
- UK SOX vs Provision 29 — why “UK SOX” is a misnomer and how the board declaration differs from SOX 404.
- Fixed asset register controls for the board declaration — the register as a control, not just a ledger.
- Physical verification as board evidence — the methodology core, reframed for governance.
- Safeguarding of assets as a material control — custody, security tagging and location accuracy.
- Building the board’s evidence base — the readiness process from scope to dry-run declaration.
Frequently Asked Questions
What is Provision 29 of the 2024 UK Corporate Governance Code?
Provision 29 asks the board to monitor the risk management and internal control framework, review its effectiveness at least annually, and declare on the material controls. The annual report must then describe how the board monitored the framework, declare whether the material controls were effective as at the balance sheet date, and disclose any that were not. The declaration is the board’s collective responsibility, not management’s alone.
When does Provision 29 take effect?
Provision 29 applies to financial years beginning on or after 1 January 2026, while the wider 2024 Code applies from 1 January 2025. The first actual Provision 29 declarations therefore appear in annual reports published from 2027. No early adoption is required, and the Financial Reporting Council expects the material-controls report to be proportionate and concise.
What is a material controls declaration?
It is the board’s outcome statement on whether the company’s material controls were effective as at the balance sheet date, together with disclosure of any that were not and the action taken to remediate them. It differs from the description of the framework, which explains how the board monitored and reviewed effectiveness — a process narrative rather than a conclusion.
Which companies are in scope for Provision 29?
The primary scope is premium-listed equity on the London Stock Exchange, reached through the FCA Listing Rules and their new commercial-companies and closed-ended-investment-fund categories. Standard-listed and AIM companies are not automatically in scope, although AIM companies may adopt the Code voluntarily. Provision 29 is comply-or-explain and non-statutory.
Are fixed-asset controls material controls under Provision 29?
This is CPCON’s reasoned professional position, not FRC guidance. Where property, plant and equipment is material, controls over existence, completeness, location and safeguarding plausibly qualify as material controls, grounded in the four control categories, IAS 16 / FRS 102 recognition and the Companies Act 2006 record-keeping duty. The FRC does not name PP&E; each board judges materiality for its own business.
Does Provision 29 require external auditor attestation?
No. Unlike SOX section 404(b), Provision 29 does not require external auditor attestation of the declaration. It relies on board judgement, market discipline and FRC thematic review. CPCON provides independent physical-verification evidence that boards and their assurance functions can rely on — it is not an audit or assurance opinion.
What is the difference between the framework review and the material-controls declaration?
The framework description is about process: how the board monitored and reviewed the effectiveness of its risk management and internal control framework. The declaration is an outcome statement on the effectiveness of the material controls themselves as at the balance sheet date. One explains the work; the other states the conclusion.
Independent physical verification for your material-controls evidence base
CPCON is an independent physical fixed-asset verification specialist. We supply the existence, location, tagging and reconciliation evidence that boards and their assurance functions can fold into the Provision 29 evidence base — feeding the board’s conclusion, never issuing an audit or assurance opinion. With 25+ years of asset verification and 2,500+ organisations served across four continents, we help premium-listed companies evidence that their asset controls operate.
Explore CPCON’s fixed-asset count & tagging services


