For most company secretaries, the headline question about the UK Corporate Governance Code 2024 is deceptively simple: what do I actually need to do differently, and by when? The honest answer is that the Code itself changed less than the volume of commentary suggested — but one provision, the new internal-controls declaration in Provision 29, asks boards to stand behind something they have rarely had to formally attest to before. This guide walks through what changed, the staggered timeline, and how to prepare a declaration you can defend rather than one you have to caveat into meaninglessness.
What changed in the UK Corporate Governance Code 2024, and when
The Financial Reporting Council deliberately kept the 2024 revision tight. Compared with the 2018 Code, the changes are evolutionary, with one structurally significant exception. The Code retains its five sections and its long-standing "comply or explain" basis, so the framework your board already operates within is intact.
The substantive changes worth flagging to your directors are:
- A sharper expectation on outcomes. A revised emphasis (reflected in the Code's principles) asks boards to report on the outcomes of governance activity in the context of strategy, not simply to describe process.
- Culture as something to be embedded, not just stated. Provision 2 now expects the board to "assess and monitor culture and how the desired culture has been embedded" — a small wording change with real reporting consequences.
- Greater transparency on malus and clawback. Directors' contracts should set out malus and clawback provisions and the circumstances in which they apply, with the remuneration report describing them and any use in the period.
- The internal-controls declaration in Provision 29 — the change that warrants its own programme of work, covered below.
The timing matters because it is staggered, and this is where diaries go wrong. The 2024 Code applies to financial years beginning on or after 1 January 2025. Provision 29's internal-controls declaration, however, applies only to financial years beginning on or after 1 January 2026. For a company with a December year-end, that means the first formal declaration appears in the annual report published in early 2027 — which makes 2026 the year you build and test the evidence, not the year you write the words. You can confirm both dates against the FRC's Corporate Governance Code page.
Provision 29 explained: the internal controls declaration
Provision 29 already required boards to monitor the risk management and internal controls framework and review its effectiveness at least annually. What the 2024 Code adds is a declaration: from 2026 financial years, the board must state in the annual report whether it considers its material internal controls to have been effective as at the balance sheet date, and explain how it monitored and reviewed the framework to reach that view.
Three features of the design are easy to misread, so they are worth stating plainly:
- It covers material controls only — but not only financial ones. Directors do not declare on every control. They declare on those the board deems material, and the scope expressly extends beyond financial controls to operational, reporting (including narrative and ESG/sustainability reporting) and compliance controls.
- The board decides what "material" means. The FRC has not defined materiality for this purpose. Material controls will be company-specific — shaped by size, business model, strategy, structure and complexity — and identifying them is a board judgement you will need to evidence.
- External assurance is not mandated. The Code does not require external assurance over material controls. The board may rely on internally generated evidence; whether to seek external assurance, and to what extent, is for each board to decide. There is also no FRC template framework — you are not being handed a checklist to complete.
This combination is liberating and exposing in equal measure. There is no prescribed form, but there is also nowhere to hide behind one. The KPMG and Chartered IIA practitioner notes that emerged through 2025 are consistent on the practical implication: the declaration is only as credible as the monitoring evidence sitting behind it.
From process- to outcomes-based reporting
The connective tissue across the 2024 changes is a shift the FRC has signalled repeatedly: away from boilerplate, towards explanation. The Code wants reporting that focuses on board decisions and their outcomes, and where a company departs from a provision, it wants a clear, specific explanation rather than a generic statement of intent. The FRC's November 2025 Annual Review of Corporate Governance Reporting reinforced this, highlighting the value of meaningful explanations over compliance language.
For Provision 29 this is the whole point. A defensible declaration is not "the board confirms its internal controls are effective." It is a short, evidenced account of which controls the board treats as material, how it monitored them through the year, what it found, and how it satisfied itself the controls operated as intended at the balance sheet date. That is the difference between an outcome you can stand behind and a box you have ticked. The same logic already runs through the annual board effectiveness review: evidence of how the board worked, not an assertion that it did.
The chair, SID and company secretary's responsibilities
The Code is clear that the board may use committees — audit, risk, remuneration, nomination — to do the detailed work, but it retains responsibility for and endorses material decisions in each area. Provision 29 sits with the board as a whole, even where the audit and/or risk committee does the heavy lifting on monitoring.
In practice the responsibilities divide along familiar lines:
- The chair ensures the board has enough time to consider committee reports properly — including the nature of discussions, recommendations and actions — so the declaration is a considered board judgement, not a nod to a paper tabled late in the agenda.
- The audit and/or risk committee typically owns the monitoring and review of the framework and brings the board a recommendation, supported by evidence, on the effectiveness of material controls.
- The senior independent director (SID) provides the independent challenge that makes the declaration robust — testing whether "material" has been defined honestly and whether the evidence genuinely supports the conclusion.
- The company secretary is the architect of the process: ensuring the board has identified material controls, that monitoring is documented through the year, that the right papers reach the board at the right time, and that the disclosure is consistent with the evidence. This is squarely a governance-quality task, and it benefits from the same rigour you would apply to a skills audit or an individual director appraisal.
A readiness checklist for your next governance round
Use the 2025 and 2026 governance rounds to build the evidence base before the declaration is ever drafted. A workable sequence:
- Map material controls. Agree, at board level, which controls are material and why — and minute the rationale. Include reporting and compliance controls, not just financial ones.
- Confirm ownership. For each material control, name an owner and the monitoring cadence. Gaps here become caveats later.
- Schedule monitoring through the year. The balance-sheet-date judgement should rest on a year of evidence, not a December scramble.
- Decide the assurance question deliberately. Document whether external assurance is sought over any material controls, and the board's reasoning either way.
- Bring culture and reporting controls into scope. Provision 2's embedding test and the expansion to ESG/narrative reporting controls both feed the same monitoring framework. If your board is maturing its sustainability and diversity disclosures, align that work — see our board diversity and ESG reporting guide.
- Dry-run the declaration for the 2026 year-end. Draft the wording a full cycle early, identify where the evidence is thin, and remediate before it counts.
Read alongside the FRC's accompanying Guidance, which is non-mandatory but a useful reference point for what "good" monitoring looks like.
How a structured questionnaire de-risks the declaration
The recurring failure mode for Provision 29 will be a declaration that outruns its evidence — a confident statement with no documented trail of how the board reached it. A structured questionnaire, run as part of your governance round, closes that gap. Asking control owners and committee members consistent, attributable questions about each material control — is it operating, who monitors it, what exceptions arose, how were they resolved — produces exactly the audit trail the FRC's outcomes-based reporting expects, and it does so in a form the chair, SID and auditors can interrogate.
It also keeps the work proportionate. Time-constrained directors answer focused questions rather than reviewing raw control inventories, and the company secretary gets a defensible, board-ready summary rather than a December reconstruction. Where reporting controls touch emerging areas — AI-assisted disclosures, for instance — the same approach supports parallel obligations under frameworks such as ISO/IEC 42001 and the EU AI Act.
The 2024 Code does not ask boards to manufacture certainty. It asks them to show their working. If you want to see how a structured governance round and questionnaire can underpin a Provision 29 declaration you can defend, get in touch and we can walk through it against your reporting calendar.