How to get on track with material controls declaration

Find out how leading companies are preparing for the 2024 UK Corporate Governance Code's risk management and internal control changes.


In brief

  • The 2024 UK Corporate Governance Code requires company directors to make a declaration on the effectiveness of material controls for 2026.
  • Many have come to embrace the flexibility and principles-based nature of Provision 29 and a growing sense of opportunity has replaced initial uncertainty.
  • With just 18 months until the first declarations are due, understanding where companies stand and what can be learnt from early progress is crucial.

Changes to the 2024 UK Corporate Governance Code (the Code) require enhancements to both underlying governance processes and narrative reporting. The most debated and challenging of these is the new requirement in Provision 29 for directors to explicitly declare the effectiveness of material controls over price-sensitive reporting and principal risks. However, over the course of 2024 and early 2025, many have come to embrace the flexibility and principles-based nature of Provision 29, and a growing sense of opportunity has replaced the initial uncertainty. 

Download: On track for Provision 29 compliance to read the full report.

In last year’s article on risk management and internal control changes (Six steps to prepare for risk management and internal control changes), we predicted that addressing the new requirements would progress at different paces. Our conversations with companies, supported by our analysis of disclosures in 2024/25 annual reports, confirmed that those who followed our recommendations are now well progressed on their journey to compliance. For the purpose of this analysis, we categorise these companies as ‘leaders’ and those companies still in earlier stages of preparation as ‘followers’.

 

The leaders have made great strides in achieving a proportionate and practical response that leverages existing processes without creating duplication. They approached the change to the Code as a trigger, or even a mandate, to look at the risk management and internal controls process holistically, to challenge whether controls over principal risks are indeed embedded across the business and whether more formalisation is required to reach the next step of maturity.

 

Leaders who are furthest ahead on their journey are now ready to conduct a dry run, turning theory into practice. These dry runs will enable directors to test their approach, fine-tune underlying processes and visualise what the ultimate material controls declaration may look like before the first mandatory one is made. Followers, on the other hand, are yet to determine their initial list of material controls. The gap between early adopters and those still preparing is widening, but there is still time to catch up by learning from what has already been achieved. With just 18 months until the first declarations are due, there is no time to waste. 

Preparing for the declaration of material control effectiveness

 

Leaders have created robust implementation plans and established cross-functional teams, in the vast majority of cases reporting to the audit committee. They conducted risk workshops, which allowed them to improve the articulation of principal risks, challenge the level of aggregation of underlying risks and focus on what it means to operate within a related risk appetite. Followers should consider an accelerated approach, combining bottom-up risk workshops with material control identification. 

 

To do so, they can benefit from the principles developed by leaders on material control identification, such as the following:

 

  • Significance to achieving organisational objectives: This allows material controls to include activities and forums beyond those more traditionally associated with controls, such as executive committees, risk forums, cultural factors and decision-making frameworks.
  • Materiality thresholds that are not defined purely by reference to financial materiality: These may need to be defined specifically for individual risks, such as 10% customer churn, 20% employee turnover, a 5% drop in share price and a financial reporting error in excess of 10% of profit before tax.
  • Preventing not just downside risk from occurring but also opportunities from being missed: This links material controls to risk appetite and risk tolerance. 
     

This approach helped leaders refine their thinking. Soon after the Code was published, many companies sought to elevate existing key controls to material control status. The conversation has now shifted to a blended approach, which combines four main types of material controls, reflecting the maturity of the control environment. This has led to a marked reduction in the number of material controls companies initially envisaged. The four main types are:

  • Elevated key controls – key process-level controls 
  • Entity-level controls – organisation-wide controls that establish a pervasive control environment
  • Cluster controls – groupings of controls (prevent, detect, compensate), often monitored by an executive committee or risk owner
  • Single-risk frameworks – a specialised subset within the overall risk management framework, focussed on a specific principal risk

Optimising material controls depending on the maturity of the control environment

The diagram illustrates the 'pick-and-mix' model

Followers can leapfrog the initial overreliance on key controls and go straight to considering which combination of the four types of material controls is best suited for their organisation.

 

Getting the foundations right

 

Whilst material controls reflect a top-down approach by design, they require solid bottom-up foundations. Companies have been strengthening these foundations in various ways.

  • Financial reporting controls: Many companies already had ongoing programmes aimed at bolstering internal controls over financial reporting, with particular focus on IT controls linked to new system implementations.
  • Fraud prevention procedures: Some worked in parallel on embedding reasonable fraud prevention procedures in preparation for the failure to prevent fraud offence under the Economic Crime and Corporate Transparency Act, which becomes effective on 1 September 2025.
  • Employee accountability: Advanced companies enhanced and expanded existing control self-assessments, including through implementation of governance, risk and compliance tools that helped formalise and embed controls, driving greater standardisation.
  • Second line capabilities: Investment in risk and control specialist roles and expanded capacity within the risk function has been common.

Practical steps for those working towards material internal controls compliance

  • Accelerated approach is recommended: Combine bottom-up risk workshops with material control identification rather than tackling these sequentially. Use risk workshops to clarify the roles of risk and control owners and assess what capacity and capability gaps need to be addressed.
  • Learn from proven principles: Apply the material control identification principles developed by the leaders over the last year.
  • Skip the overreliance on key controls: Go straight to considering which combination of the four types of material controls best suits your organisation.
  • Target significant weaknesses comprehensively: Rather than concentrating solely on financial reporting controls, identify and target the most significant weaknesses across all aspects of the risk management process.
  • Future-proof your processes: Consider the impacts of agentic AI on the control environment as you strengthen foundations.

Even the leaders still have work left to do. In many cases 2025 will be spent documenting and formalising material controls, including training control owners regarding what evidence will need to be retained. Many companies only agreed on the lists of material controls in early 2025. Therefore, in many cases, directors still need to agree on the sources of evidence and the level of confidence they will require to sign off on the year-end declaration. Directors will also need to clarify their expectations about whether their existing, regular, in-year monitoring activities need to be supplemented to enable them to sign a declaration at year-end. This could be clarified through the performance of the dry run.


Summary

Implementation of material controls under Provision 29 of the 2024 UK Corporate Governance Code is progressing at different speeds across UK companies. Leaders are well progressed with updating their risk management and internal control process in preparation for the material control effectiveness declaration. Followers, many of whom have not yet agreed their initial list of material controls, should accelerate their efforts, moving beyond preparation to get on track before the first mandatory declarations in December 2026.
