Safeguarding of assets — protecting them from loss, theft and misuse through access controls, security tagging, custody records and movement monitoring — is one of the least discussed but most tangible candidate material controls under Provision 29. Where asset loss could have a significant financial or operational impact, safeguarding controls plausibly qualify, and they are unusual in being financial, operational and compliance controls at once. This is our reasoned professional position, not FRC guidance, and boards still need evidence that these controls actually operate. Provision 29 applies for financial years beginning on or after 1 January 2026, with the first declarations in annual reports published from 2027.
The Provision 29 conversation gravitates to existence and reconciliation, because those map neatly onto the balance sheet. Safeguarding is quieter, but for many asset-intensive organisations it is where the real risk lives. An asset that is recorded correctly can still be walked out of the door. This article sets out what safeguarding means as a control, why it sits across three control categories at once, and how a board evidences that it works.
What “safeguarding of assets” means in a control context
In a control context, safeguarding is the set of controls that protect assets from loss, theft, damage and unauthorised use, and that help ensure assets are used only in accordance with management’s authorisation. It is preventive where existence controls are detective: an existence control finds a missing asset after the fact, while a safeguarding control aims to stop the asset going missing in the first place. In practice the two work together — you verify existence to detect failures and safeguard to prevent them — but they answer different questions.
Internal control “encompasses controls over safeguarding of assets”
The clearest articulation of safeguarding as an internal-control concept comes from the PCAOB, which frames internal control as encompassing controls over the safeguarding of assets from inappropriate use or loss. We cite that framing as an illustrative articulation of the concept, not as UK regulatory guidance — the Financial Reporting Council does not prescribe a safeguarding control or name PP&E. But the idea travels: whatever the regime, protecting assets from loss and misuse is a recognised object of internal control, and Provision 29’s broad scope readily accommodates it.
The safeguarding control set: access, tagging, custody, movement monitoring
- Physical access controls — restricting who can reach high-value or sensitive assets.
- Security tagging — durable identification that deters removal and enables detection.
- Custody records — a clear chain of responsibility for who holds which asset.
- Movement monitoring — recording and reviewing transfers so movements are authorised and traceable.
None of these is exotic; the difficulty is operating them consistently across many locations and demonstrating that they do. Tagging and custody in particular depend on an accurate register — you cannot safeguard what you cannot identify — which is why safeguarding controls sit on top of the register controls examined in fixed asset register controls for the board declaration.
Where safeguarding is a financial, operational AND compliance control at once
Safeguarding is a textbook example of Provision 29’s broad scope in action. A control that protects a fleet of assets is a financial control, because loss or unrecorded disposal misstates the PP&E balance. It is an operationalcontrol, because the organisation depends on those assets being available and usable. And it is a compliance control wherever health, safety, environmental or security-of-supply obligations attach to the assets. That tri-category quality is exactly why the broad Provision 29 scope gives physical-asset controls a more direct governance hook than a purely financial-reporting regime would — the argument developed in the Provision 29 material-controls pillar.
Location accuracy as a safeguarding dimension
Knowing where an asset is, is part of protecting it. Location-accuracy controls — RFID or GPS tracking and the systematic reconciliation of asset locations to the register — reinforce safeguarding by making unexplained movement visible. They matter most across multiple sites and in higher-risk jurisdictions, where security exposure is greater and where regulatory or insurance obligations may turn on where an asset is held. Location accuracy also feeds depreciation and compliance, so a single location control can serve several material-control purposes simultaneously.
When safeguarding failures become material
A safeguarding failure becomes a material-control concern when its consequences could reasonably influence stakeholder decisions or affect principal risks and obligations. The typical routes are theft and loss, unrecorded disposals that overstate the balance, and operational disruption where a critical asset goes missing. The financial impact of unmanaged and unprotected assets is easy to underestimate; we set out the mechanics in the analysis of the cost of unmanaged fixed assets.
Evidencing safeguarding for the declaration
Evidence is where safeguarding controls are often weakest, because much of the activity is preventive and leaves no natural paper trail. A board declaring on a safeguarding control needs custody records, access logs, security-tag and RFID movement data, reconciliation of movements to the register, and documented investigation of exceptions. Ghost assets are a telling signal here too: an asset recorded but absent is, among other things, a safeguarding failure that verification has surfaced. Our detection treatment is in ghost asset detection.
How independent verification tests whether safeguarding controls operate
The boundary we hold: safeguarding controls, and the Provision 29 declaration on them, are the responsibility of the company and its board. CPCON provides independent physical verification — existence, location, tagging and reconciliation evidence — that tests whether safeguarding controls operate. We do not issue audit opinions or assurance attestations.
Independent verification is a practical test of safeguarding: by attempting to locate every recorded asset, confirming its tag and custody, and reconciling movements to the register, it reveals whether the safeguarding controls are actually holding. Where assets cannot be located, or where movements are unrecorded, the verification exposes the control weakness and gives the board something concrete to remediate before it declares. That is evidence the board can rely on — not an opinion on the control, and not a guarantee of compliance.
Frequently Asked Questions
What does “safeguarding of assets” mean as an internal control?
Safeguarding controls protect assets from loss, theft or misuse and help ensure they are used only in accordance with management’s authorisation — physical access controls, security tagging, custody records and movement monitoring. The PCAOB frames internal control as encompassing controls over safeguarding of assets from inappropriate use or loss; that framing is illustrative, not UK guidance.
Is safeguarding of assets a material control under Provision 29?
This is a reasoned professional position, not FRC guidance. Where asset loss or misuse could have a significant financial or operational impact, safeguarding controls plausibly qualify as material controls — and they can be financial, operational and compliance controls at once. The FRC does not name safeguarding of PP&E; each board judges materiality for its own business.
How is safeguarding different from asset existence controls?
Existence controls confirm that recorded assets are there and correctly recorded. Safeguarding controls prevent those assets being lost, stolen or misused in the first place. The two overlap but answer different risks: existence is about accuracy of the record, safeguarding is about protection of the asset.
What evidence shows safeguarding controls are effective?
Custody records, physical access logs, security-tag and RFID movement data, reconciliation of asset movements to the register, and the investigation of exceptions. Independent physical verification tests whether these controls operate in practice, giving the board evidence rather than assertion.
Does asset location accuracy matter for safeguarding?
Yes. Location-accuracy controls — RFID or GPS tracking and systematic reconciliation of asset locations to the register — underpin safeguarding, depreciation and compliance, especially across multiple sites or high-risk jurisdictions where heightened security and regulatory obligations apply.
How do unmanaged assets increase safeguarding risk?
Poor registers and weak custody controls let assets drift, disappear or be double-counted, inflating both loss and misstatement risk. An asset nobody can locate is an asset nobody is safeguarding, which is why register decay and safeguarding weakness tend to travel together.
Evidence that your safeguarding controls operate
CPCON’s independent physical verification tests custody, tagging and location accuracy in the field, giving boards the evidence that safeguarding controls actually hold — for the material-controls evidence base, not as an audit opinion. 25+ years of asset verification, 2,500+ organisations across four continents.
Explore CPCON’s fixed-asset count & tagging services


