Getting ready for the new Provision 29

In this article we play back insights from numerous discussions over the past year on preparations for the new declaration on the effectiveness of material controls. The FRC continues to call for boards to “think for yourselves”. We agree that it is important that organisations are not seeking to adopt a template or box-ticking approach to the new Provision but also acknowledge that there is comfort to be gained from understanding the steps others are taking even if the outcomes are very individual to a particular business.

Where are others on the implementation journey?

We set out a framework in our publication Governance in focus: Risk, controls & assurance to provide an overview of the stages recommended to be considered in meeting the new Provision.

Our recent discussions with boards, audit committees and management teams have reinforced the validity of this approach. These are the activities we are seeing in organisations where thinking is well-progressed:

  • challenging the existing list of principal risks and refining accordingly;
  • considering the risk appetite for each principal risk and identifying or developing any risk indicators that are needed to identify where a risk is moving out of appetite;
  • ensuring the material controls population is focused at the appropriate level, mapped to the principal risks and continuing to challenge and refine the number of material controls;
  • understanding the levels and nature of assurance that exist across the three lines of defence in relation to the identified material controls;
  • considering the use of self-certification and whether this will be sufficient or needs to be supplemented to meet the comfort levels required by the board;
  • confirming what evidence and testing the board will want to see to support the declaration;
  • planning a dry-run of the process for the declaration and engaging with all stakeholders (including the auditors); and
  • preparing early drafts of the declaration to agree an appropriate and acceptable form of wording, including in relation to the threshold for reporting material controls deemed not to be operating effectively.

A less well-progressed area, which a number of boards are now turning their attention to, is how to evaluate findings in relation to the effectiveness of material controls and to determine what would constitute a material control NOT operating effectively. 
 

Undertaking an effective dry run 

Following on from the different components of the framework set out above, here we have set out what we believe are the five building blocks you should have in place before undertaking a dry run.

We strongly recommend that a dry run is scheduled into your Provision 29 programme activities. An effective dry run process should facilitate stakeholder engagement and help you confirm or identify issues with:

  • The material control definition/population
  • What will count as a material control not operating effectively (taking into consideration the performance of a network of supporting controls)
  • Sufficiency of evidence/assurance for the board and audit committee to be comfortable making the declaration
  • Sufficiency of documentation/assurance for the external auditors to be comfortable with the content of the proposed declaration under their responsibilities
  • How well the proposed disclosure explains the approach and the conclusion.

To be fully reflective of the final process, the dry run should include presentation to the board and/or audit committee of the wording of the dry run declaration. Without this step, it will be hard for those making the declaration to make the connection between the outcomes of testing and the disclosure.
 

A structure for your disclosure

We are regularly asked for a template disclosure or any early examples. In keeping with the FRC’s consistent mantra that boards need to “think for yourselves” and to reduce the risk of boilerplate disclosure, we have resisted providing an illustrative template for the declaration but we have instead recommended a structure for the disclosure for companies to tailor in line with their particular circumstances and approach. This is included on page 13 of our publication Governance in focus: Risk, controls & assurance.

In terms of early examples, we are not aware of any company planning to provide the declaration early but it is something we will be watching out for during the forthcoming reporting season.
 

Some recent messages from the FRC

In September, we were pleased to be joined by Maureen Beresford, Head of Governance & Stewardship at the FRC, at our Deloitte Academy Audit Committee Update. Here are some highlights of the messages Maureen shared in that session: 

On expectations around the reporting…

  • the FRC has no expectation that companies will report in line with the new Provision 29 ahead of the December 2026 annual reports, especially the declaration
  • thinking that this will be approximately a page to a page and a half of disclosure

On situations where a material control has not operated effectively…

  • where for example a material control had failed in February and it has been fixed by May, there is no requirement to report on that failure and how you fixed it but it might be that you want to do that for transparency particularly if it is something that has been in the public domain
  • the FRC is not expecting companies to release details of any cyber failings beyond what they would normally do in the course of a failing

On convergence of approach across the FTSE…

  • the FRC is not expecting to see companies adopt the same approach, have the same number of controls or the same reporting approach
  • instead it is hoping for very different approaches from companies – it is very much a “company owned” approach that is sought

On FRC oversight of the new disclosures…

  • the FRC will not be opining on whether your material controls are the right ones and whether you have the right number – the FRC does not have the powers to get into those conversations – it is very much a company decision based on internal discussion
  • the FRC will not be providing wording for the declaration

On the quantum of material controls…

  • finding that most companies are somewhere between 30 and 60 material controls (with a peak of 35 to 40) and still being revised down as we speak
  • companies in the financial sector tend to be at the top end and slightly over that number of 60

On where the heavy lifting is happening…

  • generally this seems to be coming up through the audit committee, but working with other committees as appropriate and also using the first, second and third lines of defence
  • it is hoped that an approach which draws on different functions within the company spreads the understanding and knowledge
     

Questions audit committees should be asking in relation to preparations:

  • How does the population of material controls reconcile to the principal risks?
  • Are we happy that the principal risks still reflect our risk profile in a highly volatile environment?
  • Is there a clear link between our assessment of the effective operation of the material controls and our risk appetite for each principal risk?
  • What material controls have been included in relation to reporting (both financial and non-financial)?
  • Have we prepared an assurance map for each of the material controls?
  • To what extent are we relying on self-certification for assurance over the material controls?
  • What will the role of each of the three lines of defence (including internal audit) be in providing assurance?
  • Are we planning to do a dry run of the entire process from identification of material controls through to a draft declaration? If so, what is the timetable?
  • Can you share a draft of the proposed disclosure for discussion by the audit committee?
  • Has our proposed approach been discussed with the external auditors? Did they have any concerns?
     

Some considerations for Investment Trusts

We have received a number of questions about how Investment Trust boards should be approaching Provision 29 (or Provision 34 if following the AIC Code) given the third party management relationship.

Third party investment managers will already have risk management and internal control frameworks and will be reporting on these to Investment Trust boards. In theory no new or additional activity should be required but the Investment Trust board or audit committee might want to question the manager about their assurance processes (particularly where there is no internal audit function).

Responsibility for the declaration cannot be outsourced to the investment manager; it is a board declaration and, as such, there may need to be open and frank discussions with the service provider to ensure that they have the relevant controls or that they are open to improving their processes to give the comfort necessary based on the specific circumstances and risk profile of the Investment Trust.
 

Thinking about reporting on risk & controls in your next annual report 

As part of our series of Corporate Reporting Insights, ‘Controls & assurance – laying the foundations for the new declaration on the effectiveness of internal controls’ looks at how 50 FTSE 350 December 2024 reporters explained their approach to controls and assurance. The report considers whether the disclosures provide adequate transparency of how the board is discharging its responsibilities as it gets closer to providing the new declaration. 

The full survey and recommended actions to take are available here.

Click here to read the full article and the other content in On the board agenda 2026.
