Embedding the IIA Topical Requirement on cyber security
Article. What the IIA topical requirement covers, when it applies, and the practical steps internal audit functions need to take to meet the requirements.

The new requirements aim to improve governance, boost resilience and retain investor confidence, but they’re inherently tricky for organisations to implement. Organisations must attest to the effectiveness of their material controls, and detail how the board has monitored and reviewed the effectiveness of the risk management and control framework. They must also describe any internal controls that aren’t operating effectively and outline any relevant remedial actions.
However, the Financial Reporting Council (FRC) hasn’t been prescriptive about what underlying evidence is needed to support those assertions. As such, organisations need to build on FRC expectations to establish good practice and develop robust evidence that can stand up to board and audit committee scrutiny and inform attestations.
Most organisations already undertake a significant volume of assurance activity across the three lines of defence. But these activities are often uncoordinated, making it difficult for boards and audit committees to understand whether coverage is sufficient, proportionate and aligned to the risk appetite.
Assurance mapping addresses this by providing a consolidated view of activity against each key risk, process or control. This supports Provision 29 declarations by demonstrating that assurance over each material control is comprehensive, appropriately detailed and adequately covered. Key considerations when building the map include:
Where the process highlights weak or inconsistent coverage, organisations can take targeted action by heightening first-line monitoring, enhancing second-line oversight or reprioritising internal audit activity.
While the UK Corporate Governance Code doesn’t expect organisations to disclose detailed assurance processes or testing methodologies, boards must still be comfortable that their public statements under Provision 29 are fully supported. As such, boards and audit committees need to move from passively receiving management reports to having an informed dialogue about control effectiveness.
Effective assurance mapping is a key component in that process but, crucially, it also enables a higher quality of discussion. A board that truly understands the methodology behind control effectiveness assessments, including areas of expert judgement, is better placed to offer robust and valuable challenge to management and oversee any remediation.
As with any compliance activity, proportionality is key to realising wider strategic benefits. So, it’s important to strike the right balance and avoid approaches that are either too theoretical or overly engineered. To meet Provision 29 reporting expectations, assurance mapping should:
In other words, assurance mapping should simplify complexity, not add to it.
Some organisations may be experienced in assurance mapping, while others may be creating an assurance map for the first time to help the board meet the new expectations in the UK Corporate Governance Code. Either way, it’s essential to get wider business buy-in when developing the assurance map, as not all teams will understand the three lines of defence model or the importance of Provision 29 expectations. When doing so, it’s essential to consider the common pitfalls below, to maximise the value of the work and realise wider business benefits.
Assurance activity is typically spread across multiple teams, functions and geographies. Gathering consistent, comparable information from first line management, second line functions and internal audit can be time-consuming, especially where roles and responsibilities have evolved organically over time. This fragmentation can make it difficult to form a clear view of where genuine assurance exists versus where reliance is assumed.
Different functions often use different language and varying levels of detail to describe the same risks, controls and assurance activity. For example, management monitoring may focus on operational performance, while internal audit focuses on control effectiveness. Without a common framework, assurance maps can become confusing rather than clarifying, limiting their usefulness for boards.
One of the most common challenges is connecting assurance activity directly to material controls, as required under Provision 29. Assurance may exist at a process or risk level, but it isn’t clearly tied back to the specific controls underpinning the board’s effectiveness conclusion. This can leave gaps that only become visible late in the reporting cycle.
Some organisations include too much detail too early, resulting in an overly complex assurance map that’s difficult to maintain and explain. This is particularly risky in the context of Provision 29, where the focus should be on material risks and controls. Without clear prioritisation, assurance mapping can create additional burden without delivering insight.
Assurance maps that are hard to read and difficult to understand will be of limited use to boards. Technical accuracy isn’t enough: maps need to be presented in a jargon-free way that helps the board understand the key messages and offer effective challenge.
Risk profiles, control environments and assurance activity evolve throughout the year. Assurance maps that are treated as one-off exercises can quickly become outdated, undermining their value as a basis for ongoing monitoring and decision-making.
As companies lay the groundwork for their first-year Provision 29 reporting under the UK Corporate Governance Code, assurance mapping is no longer a ‘nice to have’. It’s an essential tool to give boards a bird’s-eye view of all three lines of defence, ensuring that internal governance, assurance activity and external reporting are aligned.
While it gives stakeholders confidence that control effectiveness declarations are grounded in coordinated assurance activity, the benefits don’t stop there. Used effectively, assurance maps can identify weaknesses in the control framework, giving organisations greater scope to improve their risk management and governance processes to support strategic growth.
For further information on Provision 29 reporting and the role of assurance mapping, contact Emma Young.