
Governance Briefing — January 1, 2025

Companies subject to the UK Corporate Governance Code should use the 2025 reporting cycle to build their Provision 29 internal controls declaration: scoping material controls, integrating universal opt-out governance for the personal data those controls consume, testing comprehensively and managing evidence ahead of the first declaration, which covers financial years beginning on or after 1 January 2026.

[Figure: timeline of source publication cadence, sized by credibility; two publication timestamps support this briefing.]

Executive briefing: the 2024 UK Corporate Governance Code applies to financial years beginning on or after 1 January 2025, with one deferral. Provision 29, the board's declaration on the effectiveness of material internal controls, applies to financial years beginning on or after 1 January 2026. From that year premium-listed issuers must describe how the board monitored and reviewed the risk management and internal control framework, declare whether material controls (financial, operational, reporting and compliance) were effective as at the balance sheet date, and disclose any that were not, together with the remediation taken or proposed. The groundwork therefore has to be laid during the 2025 reporting cycle. Boards need complete inventories of material controls, governance blueprints tying committees to assurance providers, and universal opt-out policies that protect the personal data of stakeholders embedded in control analytics. The Financial Reporting Council (FRC) has urged companies to produce credible evidence packs before they sign the first declaration; the transition year should be treated as a rigorous pilot.

Control framework mobilisation

Boards must define the scope of “material controls” beyond financial reporting. The FRC’s Corporate Governance Code Guidance, issued with the 2024 Code, emphasises risk assessment, control activities, monitoring, and information and communication. Directors should require management to map controls against strategic, operational, and compliance risks, including climate, cyber, supply chain, and conduct. The mapping exercise should reveal ownership gaps, outdated documentation, and reliance on manual processes. Boards ought to insist on refreshed control descriptions, explicit evidence expectations, and testing cadences aligned to risk severity.

A central controls register should include control objectives, associated risks, control owners, frequency, evidence artefacts, testing schedules, and remediation logs. When universal opt-out requests affect data inputs—for example, when employees or customers withdraw consent for monitoring programmes—control owners must assess whether controls remain effective. Documenting these assessments will help boards explain any limitations in the 2025 annual report and show regulators that privacy obligations do not undermine control reliability.
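The register checks described above, written out as an added example (this is not code from the FRC or from any issuer's platform). The control IDs, owners, dates, the leaver list and the test-window table are constructed assumptions; the point is that ownership gaps, overdue tests, stale documentation, manual dependence and open remediation fall out of the register mechanically once the fields the paragraph lists are captured.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Maximum days allowed between tests for each testing cadence. The values are
# assumptions for this example, not figures from the FRC or the Code.
TEST_WINDOW_DAYS = {"monthly": 31, "quarterly": 92, "semi-annual": 183, "annual": 366}


@dataclass
class Control:
    control_id: str
    objective: str
    risks: list[str]               # risk register references the control mitigates
    owner: Optional[str]           # accountable individual; None = ownership gap
    test_cadence: str              # key into TEST_WINDOW_DAYS
    evidence: list[str]            # artefacts a tester expects to see
    last_tested: Optional[date]
    doc_reviewed: Optional[date]   # when the control description was last refreshed
    manual: bool = False           # relies on a person rather than a system
    open_remediation: list[str] = field(default_factory=list)


def review_register(register, as_of, leavers=frozenset(), doc_max_age_days=365):
    """Return the gaps a board would want surfaced from the register as at `as_of`."""
    findings = {
        "no_owner": [], "owner_left": [], "test_overdue": [],
        "doc_stale": [], "manual": [], "open_remediation": [],
    }
    for c in register:
        if not c.owner:
            findings["no_owner"].append(c.control_id)
        elif c.owner in leavers:                      # owner gone per HR/IAM leaver feed
            findings["owner_left"].append(c.control_id)
        window = TEST_WINDOW_DAYS[c.test_cadence]
        if c.last_tested is None or (as_of - c.last_tested).days > window:
            findings["test_overdue"].append(c.control_id)
        if c.doc_reviewed is None or (as_of - c.doc_reviewed).days > doc_max_age_days:
            findings["doc_stale"].append(c.control_id)
        if c.manual:
            findings["manual"].append(c.control_id)
        if c.open_remediation:
            findings["open_remediation"].append(c.control_id)
    return findings


# Constructed sample register (hypothetical control IDs, owners and dates).
SAMPLE_REGISTER = [
    Control("FIN-01", "Revenue recognised in the correct period", ["R-FIN-3"],
            "a.patel", "quarterly", ["cut-off test workpaper", "journal review sign-off"],
            last_tested=date(2025, 5, 15), doc_reviewed=date(2024, 11, 1)),
    Control("OPS-07", "Forklift fleet inspected before use", ["R-HS-2"],
            "j.ng", "quarterly", ["inspection checklist", "aggregated incident report"],
            last_tested=date(2025, 1, 20), doc_reviewed=date(2024, 3, 1), manual=True),
    Control("CYB-03", "Privileged access recertified monthly", ["R-CYB-1", "R-CYB-4"],
            None, "monthly", ["IAM recertification export", "approver list"],
            last_tested=date(2025, 6, 10), doc_reviewed=date(2025, 1, 15),
            open_remediation=["R-114"]),
]
AS_OF = date(2025, 6, 30)
LEAVERS = frozenset({"j.ng"})   # assumed output of the leaver feed


def example_findings():
    return review_register(SAMPLE_REGISTER, AS_OF, LEAVERS)


if __name__ == "__main__":
    for category, ids in example_findings().items():
        print(f"{category:17s} {', '.join(ids) or '-'}")
```

Run as-is, the review flags OPS-07 four times (departed owner, overdue test, stale description, manual dependence) and CYB-03 twice (no owner, open remediation), which is the shape of the conversation an audit committee tracker needs to support: one row per control, several finding types per row, each with a date that makes "overdue" unambiguous.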

Governance architecture

  • Board oversight. Establish a calendar where the full board reviews control effectiveness at least twice in 2025, supplemented by audit committee deep dives each quarter. Minutes should show how directors challenged management, requested additional evidence, and evaluated whether opt-out trends affect controls reliant on personal data.
  • Audit committee mandate. Update the audit committee charter to explicitly include oversight of Provision 29 preparations, internal audit coordination, and external assurance planning. The committee should maintain a tracker of control deficiencies, remediation commitments, and deadlines. It must also confirm that universal opt-out processes are embedded in finance, IT, and operational systems feeding control analytics.
  • Management accountability. Assign senior executives to categories of controls—finance, operations, compliance, sustainability—and require signed quarterly attestations describing testing completed, issues found, opt-out impacts, and corrective actions. These attestations become part of the evidence package underpinning the 2026 declaration.

Universal opt-out integration

Internal control systems increasingly ingest personal data to detect anomalies, monitor conduct, or validate sustainability metrics. Boards must ensure that the opt-out, objection and consent-withdrawal rights conferred by the UK GDPR and the Data Protection Act 2018, and equivalent rights under other privacy statutes (including the universal opt-out signals that several US state laws require companies to honour), are respected without compromising control effectiveness. Practical steps include:

  • Data segregation. Architect systems so opted-out data subjects are excluded from analytics while control objectives are maintained using aggregated or anonymised datasets. For example, if employees opt out of wearable safety devices, the company should deploy alternative controls such as equipment inspections and aggregated incident reports.
  • Opt-out governance log. Maintain a ledger capturing opt-out rates by control process (e.g., transaction monitoring, whistleblowing hotlines, sustainability data collection). Boards should receive dashboards showing how opt-out volumes trend, which controls are most affected, and what compensating measures are in place.
  • Supplier enforcement. Many controls rely on third-party data—outsourced payroll, logistics telematics, or cloud service logs. Contracts must compel vendors to honour universal opt-outs and to notify the company when opt-out rates threaten control integrity. Vendor management committees should review evidence of compliance at least semi-annually.
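The data segregation and opt-out governance log steps above, as an added example that is not from the original briefing or from any vendor product. The employee IDs, opt-out records, monitoring events, control populations and the two thresholds (a five-event minimum cell size and 80% minimum coverage) are constructed assumptions. The example goes slightly beyond the text in one respect: it treats an opt-out as effective from a date, so events recorded before withdrawal remain usable (withdrawal does not make earlier lawful processing unlawful), while anything on or after the date is excluded. The output contains only per-control aggregates, never subject identifiers.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class OptOut:
    subject_id: str
    scope: str        # control process the opt-out covers, or "*" for all processing
    effective: date   # processing before this date stays lawful; on/after is excluded


@dataclass(frozen=True)
class Event:
    control: str
    subject_id: str
    occurred: date
    flagged: bool     # the control's analytic raised an exception on this event


def optout_index(optouts):
    idx = defaultdict(list)
    for o in optouts:
        idx[o.subject_id].append(o)
    return idx


def opted_out(subject_id, control, on, idx):
    """True if an opt-out covering `control` is in force for the subject on date `on`."""
    return any(o.scope in ("*", control) and on >= o.effective
               for o in idx.get(subject_id, ()))


def control_metrics(events, optouts, population, as_of, min_cell=5, min_coverage=0.8):
    """Per-control aggregates that never carry subject identifiers.

    population:   {control: set of subject_ids within the control's scope}
    min_cell:     suppress counts drawn from fewer events than this (small-cell suppression)
    min_coverage: below this share of non-opted-out subjects a compensating control is needed
    """
    idx = optout_index(optouts)
    report = {}
    for control, subjects in population.items():
        opted = sum(1 for s in subjects if opted_out(s, control, as_of, idx))
        rate = opted / len(subjects)
        usable = [e for e in events
                  if e.control == control
                  and not opted_out(e.subject_id, control, e.occurred, idx)]
        flagged = sum(1 for e in usable if e.flagged)
        report[control] = {
            "population": len(subjects),
            "opt_out_rate": round(rate, 3),
            "events": len(usable),
            "flagged": flagged if len(usable) >= min_cell else None,
            "compensating_control_required": (1 - rate) < min_coverage,
        }
    return report


# Constructed sample data (hypothetical employee IDs, dates and controls).
POPULATION = {
    "txn-monitoring": {f"e{n:02d}" for n in range(1, 11)},   # ten finance users
    "wearable-safety": {f"e{n:02d}" for n in range(1, 6)},   # five warehouse staff
}
OPT_OUTS = [
    OptOut("e02", "*", date(2025, 3, 1)),                 # withdrew from all monitoring
    OptOut("e03", "wearable-safety", date(2025, 2, 15)),  # wearable only
    OptOut("e04", "wearable-safety", date(2025, 5, 1)),
]
EVENTS = [
    Event("txn-monitoring", "e01", date(2025, 4, 1), False),
    Event("txn-monitoring", "e02", date(2025, 2, 10), True),   # before e02's opt-out: usable
    Event("txn-monitoring", "e02", date(2025, 4, 10), True),   # after it: excluded
    Event("txn-monitoring", "e05", date(2025, 5, 2), False),
    Event("txn-monitoring", "e06", date(2025, 5, 3), True),
    Event("txn-monitoring", "e07", date(2025, 5, 4), False),
    Event("txn-monitoring", "e08", date(2025, 6, 1), False),
    Event("wearable-safety", "e01", date(2025, 6, 2), False),
    Event("wearable-safety", "e03", date(2025, 6, 3), True),   # excluded
    Event("wearable-safety", "e04", date(2025, 4, 20), True),  # before e04's opt-out: usable
    Event("wearable-safety", "e05", date(2025, 6, 5), False),
]
AS_OF = date(2025, 6, 30)


def example_report():
    return control_metrics(EVENTS, OPT_OUTS, POPULATION, AS_OF)


if __name__ == "__main__":
    for control, row in example_report().items():
        print(control, row)
```

The wearable-safety row is the interesting one: 60% of the population has opted out, so coverage falls below the threshold and the row carries the signal that the equipment-inspection and aggregated-incident compensating controls must be in place; with only three usable events the flagged count is also suppressed rather than reported, because a count that small could identify which remaining worker triggered it.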

Evidence management

Provision 29 requires the board to declare whether material controls were effective as at the balance sheet date, to describe any material controls that were not operating effectively at that date together with the action taken or proposed to improve them, and to describe how it monitored and reviewed the framework during the year. A point-in-time declaration that rests on monitoring throughout the period must be backed by defensible evidence:

  • Testing workpapers. Internal audit and management testing teams should document methodology, sampling, exceptions, and remediation plans. Boards should ensure all exceptions are tracked to closure, with evidence of retesting and approvals captured in a secure repository.
  • Management certifications. Implement quarterly sub-certification processes where functional leaders attest to control performance. Include disclosures about opt-out challenges, data limitations, and compensating controls. Escalate unresolved issues to the audit committee with clear timelines for remediation.
  • Continuous monitoring dashboards. Deploy dashboards that visualise control performance indicators—such as incident counts, system downtime, and policy breaches—alongside opt-out metrics. Retain dashboard snapshots and underlying data exports to demonstrate ongoing monitoring.

Assurance strategy

The FRC expects boards to describe the assurance underpinning the declaration. Companies should combine internal audit, management testing, external advisors, and potentially voluntary external assurance:

  • Internal audit alignment. Update the internal audit plan to cover high-risk controls, including those affected by opt-out restrictions. Internal audit should assess control design, operational effectiveness, and data integrity. Reports must address whether privacy obligations impede testing and what compensating evidence is available.
  • External assurance pilots. Consider engaging external firms to perform agreed-upon procedures on critical controls (e.g., revenue recognition, ESG metrics). Use 2025 to evaluate scope, cost, and readiness ahead of potential future mandates. Document engagement rationales, findings, and management responses.
  • Assurance register. Maintain a consolidated log of assurance activities, including scope, provider, timing, findings, and follow-up. Boards should review the register quarterly to confirm coverage is proportionate and opt-out compliance is tested.

Reporting and narrative development

Preparing for the first declaration means drafting narrative disclosures during 2025. Annual reports should explain methodology, governance, and outcomes even before the declaration itself is required. Directors should ensure the narrative covers:

  • Scope and definitions. Define “material controls” and explain how the board determined the scope, including consideration of opt-out impacts and third-party dependencies.
  • Testing approach. Describe the combination of management self-assessments, internal audit reviews, and external assurance. Mention how the company handled data limitations, including cases where opt-outs required alternative evidence.
  • Findings and remediation. Summarise significant deficiencies, remediation timelines, and how progress is monitored. Provide transparency on issues linked to privacy or data governance.

Technology enablement

Modernising control infrastructure reduces manual burden and improves audit trails:

  • Controls management platforms. Deploy technology that centralises control documentation, testing results, and remediation workflows. Ensure the platform integrates with identity and access management tools so role changes automatically trigger control reassignment.
  • Data lineage tooling. Implement metadata catalogues that trace data sources feeding control analytics. This is crucial when opt-out requests require data removal; lineage documentation proves that remaining datasets remain complete and accurate.
  • Automated evidence capture. Use robotic process automation or system-generated logs to collect evidence (e.g., segregation-of-duties reports, access recertification approvals). Store outputs in tamper-evident repositories with retention policies aligned to statutory requirements (the Companies Act 2006 requires a public company to keep its accounting records for six years).
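One way to make an evidence repository tamper-evident, as an added example rather than code from the briefing or from any controls platform: every captured artefact is hashed, each ledger entry commits to the previous entry's hash, and the head hash is anchored somewhere the ledger's own operators cannot rewrite. The control IDs, artefact names, the three sample exports and the timestamps are constructed assumptions. The example also shows the failure mode a hash chain alone does not cover: a forger who can rewrite the whole file can recompute every hash, so the chain passes unless the verifier compares the head against the externally anchored value.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64


def _entry_hash(entry):
    """Hash of every field except the entry's own hash, in a canonical encoding."""
    payload = {k: v for k, v in entry.items() if k != "entry_hash"}
    encoded = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


class EvidenceLedger:
    """Append-only evidence log; each entry commits to the previous entry's hash."""

    def __init__(self):
        self.entries = []

    def append(self, control_id, artefact_name, artefact_bytes, collected_by, collected_at):
        entry = {
            "seq": len(self.entries),
            "control_id": control_id,
            "artefact": artefact_name,
            "artefact_sha256": hashlib.sha256(artefact_bytes).hexdigest(),
            "collected_by": collected_by,
            "collected_at": collected_at,   # ISO 8601 string from the source system
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def head(self):
        """Value to anchor outside the ledger (board minutes, WORM store, a signed timestamp)."""
        return self.entries[-1]["entry_hash"] if self.entries else GENESIS

    def verify(self, artefacts=None, expected_head=None):
        """Return (ok, first_bad_seq). Checks chain links and entry hashes, optionally
        the artefact bytes themselves and the externally anchored head."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev or _entry_hash(e) != e["entry_hash"]:
                return False, i
            if artefacts is not None and e["artefact"] in artefacts:
                if hashlib.sha256(artefacts[e["artefact"]]).hexdigest() != e["artefact_sha256"]:
                    return False, i
            prev = e["entry_hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, None


# Constructed artefacts standing in for system exports (not real data).
SAMPLE_ARTEFACTS = {
    "sod-conflicts-2025Q2.csv": b"user,role_a,role_b\nm.ruiz,AP_ENTRY,AP_APPROVE\n",
    "access-recert-2025Q2.json": b'{"campaign":"Q2","approved_by":"a.patel","revoked":3}',
    "backup-restore-test.log": b"2025-06-12T02:00:03Z restore of finance-db completed OK\n",
}


def build_sample_ledger():
    ledger = EvidenceLedger()
    ledger.append("FIN-04", "sod-conflicts-2025Q2.csv",
                  SAMPLE_ARTEFACTS["sod-conflicts-2025Q2.csv"], "rpa-bot-sod", "2025-06-30T18:00:00Z")
    ledger.append("CYB-03", "access-recert-2025Q2.json",
                  SAMPLE_ARTEFACTS["access-recert-2025Q2.json"], "iam-export", "2025-06-30T18:05:00Z")
    ledger.append("OPS-12", "backup-restore-test.log",
                  SAMPLE_ARTEFACTS["backup-restore-test.log"], "backup-agent", "2025-06-30T18:10:00Z")
    return ledger


def demo():
    """Clean ledger verifies; an edited entry, a re-chained ledger and a swapped artefact are caught."""
    ledger = build_sample_ledger()
    anchored_head = ledger.head()                       # assume this was recorded externally
    clean_ok, _ = ledger.verify(SAMPLE_ARTEFACTS, anchored_head)

    edited = copy.deepcopy(ledger)
    edited.entries[1]["collected_by"] = "a.patel"       # rewrite who captured the export
    _, edited_seq = edited.verify()

    rechained = copy.deepcopy(ledger)                   # forger also recomputes every hash
    rechained.entries[1]["collected_by"] = "a.patel"
    for i, e in enumerate(rechained.entries):
        e["prev_hash"] = rechained.entries[i - 1]["entry_hash"] if i else GENESIS
        e["entry_hash"] = _entry_hash(e)
    rechain_ok_unanchored, _ = rechained.verify()
    rechain_ok_anchored, _ = rechained.verify(expected_head=anchored_head)

    swapped = dict(SAMPLE_ARTEFACTS, **{"backup-restore-test.log": b"restore FAILED\n"})
    _, swapped_seq = ledger.verify(swapped)

    return {
        "clean": clean_ok,
        "edited_entry_seq": edited_seq,
        "rechain_passes_without_anchor": rechain_ok_unanchored,
        "rechain_caught_with_anchor": not rechain_ok_anchored,
        "swapped_artefact_seq": swapped_seq,
    }
```

The practical consequence for the evidence pack is that the head hash, not the ledger file, is what the audit committee should minute or deposit in write-once storage at each quarter end; the ledger then proves that nothing between two anchored heads was altered or replaced, while the artefact hashes let internal audit re-verify the underlying exports rather than the platform's rendering of them.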

Board action plan

  • Commission a Provision 29 readiness assessment by the end of Q2 2025, covering control documentation, testing maturity, opt-out governance, and evidence management. Present the findings to the board with resource and timeline implications.
  • Establish a cross-functional steering committee (finance, risk, compliance, IT, sustainability, HR) that meets monthly to track control remediation, opt-out metrics, and assurance progress. Provide minutes and dashboards to the audit committee.
  • Develop communication materials for investors and regulators explaining the company’s approach, including how universal opt-out requirements are balanced with control effectiveness. Prepare Q&A scripts for earnings calls and annual general meeting discussions.

By treating 2025 as an intensive build year, boards will enter the first declaration cycle with confidence. Robust governance, universal opt-out compliance, and meticulously curated evidence will demonstrate that directors understand their responsibilities and can attest to control effectiveness without qualification. Failing to prepare risks reputational damage, regulatory scrutiny, and potential restatements that could erode market confidence.

[Figure: horizontal bar chart of credibility scores per cited source.]
