“UK SOX” is a misnomer. The statutory director-attestation regime once proposed for the United Kingdom was withdrawn, and what arrived instead is Provision 29 of the 2024 UK Corporate Governance Code: a non-statutory, comply-or-explain board declaration that requires no external auditor attestation and reaches beyond financial reporting into operational and compliance controls. That broader scope is precisely why controls over physical assets matter more here than under Sarbanes-Oxley section 404.
Search “UK SOX” and you will find finance teams bracing for an American-style internal controls regime that never actually landed. The phrase is useful shorthand, but it points in the wrong direction. Understanding what the UK genuinely adopted — and how it differs from SOX 404 — is the difference between over-engineering a compliance programme and building the evidence a UK board really needs. This article makes the comparison precisely, then draws the line to where it matters most for asset-intensive companies.
Why people search “UK SOX” — and why it is a misnomer
The label stuck for a reason. For several years UK policymakers openly discussed importing a version of Sarbanes-Oxley’s internal controls discipline, and the shorthand “UK SOX” took hold in the professional press. But the term implies a statutory, auditor-attested regime over internal control over financial reporting. What the UK actually implemented is a Code provision — governance, not statute; comply-or-explain, not mandate; broad scope, not financial-reporting only. Using “UK SOX” as a planning frame leads teams to build the wrong thing.
The road to Provision 29: from “Restoring trust” to the FRC’s Code route
The trajectory is worth recounting because it explains the shape of the final regime. In 2021 the Department for Business, Energy & Industrial Strategy published the white paper “Restoring trust in audit and corporate governance”, which proposed, among much else, a statutory director attestation on internal control over financial reporting for public interest entities — the closest the UK came to a genuine statutory “UK SOX”. On the reported trajectory, the draft regulations were withdrawn in 2023, and the Financial Reporting Council pivoted to delivering the reform through the UK Corporate Governance Code. The result was the strengthened Provision 29 in the 2024 Code. We flag the withdrawal as the reported trajectory rather than assert it as settled fact, because the primary-source trail on that step is thinner than the rest.
Side by side: SOX 404 vs Provision 29
| Dimension | SOX 404 | Provision 29 |
|---|---|---|
| Legal basis | Statutory (US federal law) | Non-statutory Code, comply-or-explain |
| Enforcement | SEC and PCAOB; restatements, sanctions | Market discipline, FRC thematic reviews |
| Who attests | Management (CEO and CFO) | The board (collective) |
| External auditor attestation | Required under section 404(b) for larger filers | Not required |
| Scope | Internal control over financial reporting only | Financial, operational, reporting and compliance |
| Prescription | Prescriptive; mandates a framework such as COSO | Principles-based; no prescribed framework |
Statutory vs comply-or-explain: sanctions vs market discipline
The enforcement contrast is the most consequential practical difference. SOX 404 sits within a statutory enforcement machine: the Securities and Exchange Commission and the Public Company Accounting Oversight Board can pursue restatements and sanctions, and a material weakness is a reportable, market-moving event. Provision 29 is comply-or-explain. Its discipline comes from investor scrutiny, the reputational cost of a poor explanation, and the FRC’s power to conduct thematic reviews of how companies apply the provision. It is a softer enforcement mechanism, but for a premium-listed board the market and reputational consequences of a weak declaration are real.
Management certification vs the board’s collective declaration
Under SOX, responsibility is individualised: the CEO and CFO certify, and personal exposure concentrates the mind. Provision 29 makes the declaration a collective act of the board. That changes the internal dynamics. The whole board — not just two officers — must be satisfied that the material controls were effective, which raises the audit committee’s role in assembling and challenging the evidence, and makes the quality of the underlying evidence base a board-level concern rather than a finance-function one.
ICFR-only scope vs the broader financial, operational, reporting and compliance scope
SOX 404 is confined to internal control over financial reporting. Provision 29 deliberately reaches wider, covering operational, reporting and compliance controls as well as financial ones. For most companies the practical effect is a larger material-controls inventory and a harder scoping exercise, because a control can now be “material” for operational or compliance reasons even where its financial-reporting impact is modest. This is where the UK regime stops being a lighter SOX and becomes a genuinely different exercise. We work through the scoping and inventory step in the guide to building the board’s evidence base.
Why the broader scope is a more direct governance hook for physical-asset controls
Consider a control over the existence and location of a large fleet of production assets. Under SOX 404 that control is relevant only insofar as it affects the financial statements — the existence assertion over the PP&E balance. Under Provision 29 the same control is relevant three times over: financially (the balance), operationally (the assets are available and used efficiently) and for compliance (health, safety and environmental obligations attached to the assets). The broader scope gives physical-asset controls a more direct governance hook than they have under section 404. The full argument sits in the pillar on Provision 29 and fixed assets as a material internal control.
What US-listed groups can reuse — and the UK gaps that remain
Groups already running a SOX 404 programme are not starting from zero. Their ICFR risk assessment, their control testing cadence, and — importantly for asset-intensive businesses — their PP&E existence controls transfer directly into the UK material-controls inventory. The existence assertion work that supports SOX is the same physical-verification discipline a UK board will lean on; see the detail in the fixed-asset existence assertion under SOX 404. The gaps are the operational and compliance controls that SOX never touched, and the board-level declaration mechanics — assurance mapping, dry runs and proportionate disclosure — that have no SOX equivalent.
Where independent physical verification fits under each regime
The boundary we hold: under both regimes the control system and any declaration or certification remain the responsibility of the company, its board and its management. CPCON provides independent physical fixed-asset verification evidence — existence, location, tagging and reconciliation — that boards and their assurance functions can rely on. We do not issue audit opinions or assurance attestations.
Under SOX, independent physical verification supports the existence assertion and the ICFR control over recorded PP&E. Under Provision 29, the same evidence feeds a broader material-controls declaration that also engages operational and compliance dimensions. In both cases the value of independence is the same: it strengthens the credibility of the evidence base and reduces self-review concerns, without displacing the board’s own judgement.
Frequently Asked Questions
Is Provision 29 the same as UK SOX?
No. As advisers have put it, this is not UK SOX: it requires no external auditor attestation, and its scope goes beyond financial reporting. Provision 29 is a non-statutory, comply-or-explain provision of the UK Corporate Governance Code that rests on the board’s collective responsibility, not on a statute modelled on Sarbanes-Oxley.
Did the UK ever introduce a statutory “UK SOX”?
The 2021 BEIS white paper “Restoring trust in audit and corporate governance” proposed a statutory director attestation on internal controls over financial reporting for public interest entities. On the reported trajectory, the draft regulations were withdrawn in 2023 and the FRC pivoted to the Code route that became Provision 29. So no statutory “UK SOX” was enacted.
Who signs the internal-controls statement under Provision 29 vs SOX?
Under SOX section 404 the assessment rests on management, through the CEO and CFO certifications. Under Provision 29 the declaration is made by the board collectively. The UK regime is a board-level governance statement rather than an individual management certification.
Does Provision 29 cover more than financial reporting?
Yes. SOX section 404 is limited to internal control over financial reporting. Provision 29 covers financial, operational, reporting and compliance controls. That broader scope is why physical-asset controls have a wider governance relevance under Provision 29 than under SOX 404, whose focus is narrower.
Is external auditor attestation required under Provision 29?
No, unlike SOX section 404(b) for larger US filers. Boards may still draw on internal audit, external audit and independent specialists for evidence. CPCON supplies independent physical-verification evidence for asset controls, not an attestation or assurance opinion.
How does Provision 29 enforcement compare to SOX?
SOX carries SEC and PCAOB enforcement, restatements and sanctions. Provision 29 relies on comply-or-explain, investor scrutiny and FRC thematic reviews. Directors also retain their separate statutory duties under the Companies Act 2006, which sit alongside the Code.
If we already comply with SOX 404, are we ready for Provision 29?
Only partially. Existing ICFR testing and PP&E existence controls transfer directly, but Provision 29’s broader operational and compliance scope, and its board-level declaration, require additional mapping and evidence. US-listed groups should map their SOX programme onto the wider material-controls inventory rather than assume equivalence.
Why does the broader scope favour physical-asset controls?
Because a control over the existence, safeguarding or location of property, plant and equipment is financial, operational and compliance-relevant at once. SOX 404 only engages the financial-reporting dimension; Provision 29 engages all three, giving physical-asset controls a more direct governance hook than they have under section 404.
Independent verification evidence for the board declaration
Whether you report under SOX 404, prepare for Provision 29, or both, CPCON supplies the independent physical fixed-asset verification evidence — existence, location, tagging and reconciliation — that supports the board’s material-controls evidence base. We feed the board’s conclusion; we do not issue audit or assurance opinions. 25+ years of asset verification, 2,500+ organisations across four continents.
Explore CPCON’s fixed-asset count & tagging services


