Provision 29 explained: is your business ready for UK SOX?

If “UK SOX” has been cropping up in your compliance team’s conversations recently, there is good reason. The updated Corporate Governance Code 2024 — widely compared to the US Sarbanes-Oxley (SOX) Act — represents one of the most significant governance overhauls the UK has seen in years.

According to Vixio, with accounting periods starting on or after 1 January 2026 now in scope and first board declarations expected in early 2027, the clock is ticking.

Vixio recently provided a detailed description of “SOX” Compliance in the UK (Provision 29) and how firms can prepare.

It is worth clarifying the terminology upfront. The “UK SOX” label is technically a misnomer: the United Kingdom has not enacted a standalone piece of SOX-equivalent legislation. The obligations stem instead from Provision 29 of the updated UK Corporate Governance Code 2024, published by the Financial Reporting Council (FRC). The nickname has stuck because both frameworks pursue the same fundamental objectives — strengthening accountability, shoring up investor confidence, and raising the quality of corporate reporting. Notably, the FRC was at one point due to be rebranded as the Audit, Reporting and Governance Authority (ARGA), but those plans have since been shelved.

Because 2026 marks the first year that businesses are operating under the revised framework, expectations and best practice are still taking shape. For chief financial officers, compliance leads, risk teams, and in-house legal counsel, that ambiguity presents one of the more difficult challenges to navigate.

What Provision 29 actually requires

The provision applies to premium-listed public companies on the London Stock Exchange and to larger private companies with more than 750 employees or over £750m in annual turnover. At its core, it requires the board — not the auditors — to confirm in the annual report that internal controls across financial reporting, operational processes, and compliance are effective.

In practical terms, that means the board must conduct regular risk assessments, report transparently on control deficiencies, and demonstrate how emerging risks are being identified and addressed. That scope is notably wider than US SOX, which is tightly targeted at financial reporting. The UK framework is also less prescriptive: there is no requirement for external auditors to sign off on controls.

The UK Code operates on a “comply or explain” basis, meaning there are no automatic penalties for deviating from Provision 29. Boards that take a different approach are expected to explain their reasoning publicly. Where that explanation falls short, however, regulatory scrutiny, investor pressure, and auditor challenges are likely to follow.

How UK and US SOX differ in practice

The 2002 US Sarbanes-Oxley Act was forged in direct response to accounting scandals such as Enron. It is specific and prescriptive, requiring companies to implement defined controls over financial data, file regular effectiveness reports with the SEC, and submit to annual independent audits of their financial statements.

The UK approach is broader in ambition but grants organisations considerably more latitude. Rather than prescribing which controls to implement, Provision 29 asks boards to determine what robust oversight looks like for their particular business — and then stand behind that publicly. There is no external audit requirement for the internal controls review. That flexibility allows organisations to tailor their frameworks to their sector and risk profile, but it also means there is no standard checklist to follow. Boards will need to build their own approach and be prepared to defend it.

Seven things compliance teams should have in place

With the first reporting year now under way, there are seven elements boards and compliance functions should be prioritising. First, board-level ownership of the internal controls review is non-negotiable: directors must personally attest in the annual report, meaning the process cannot be entirely delegated.

Second, the review must extend across financial reporting, operational compliance, and cyber security — not just the finance function. Third, control ownership should be assigned to named individuals rather than departments; if a control belongs to a team of 50, it effectively belongs to no one.

Fourth, testing must be conducted throughout the year rather than compressed into a pre-deadline sprint: year-end rushes make it nearly impossible to identify a problem, fix it, and verify the outcome before reporting. Fifth, boards need hard evidence that written policies are being followed — not just a polished controls manual.

Sixth, where gaps or deficiencies exist, the board’s report should acknowledge them and set out a clear remediation plan; candour will serve better than glossing over weaknesses. Seventh, a documented audit trail is essential: records of the review process, test outcomes, decisions taken, and how issues were escalated and resolved.

The challenges that remain

Even with a sound framework in place, compliance will not be straightforward. The most immediate difficulty is the absence of settled norms. Because 2026 is the first reporting year, there are no FRC enforcement precedents, no established peer benchmarks, and no body of published reports to assess oneself against. That landscape will evolve as regulators issue further guidance and the first wave of declarations comes in — but compliance teams will need to adapt quickly as expectations crystallise.

The principles-based nature of the framework compounds the challenge. Without a prescriptive methodology, organisations must effectively construct their compliance approach from scratch, balancing regulatory expectations with operational realities.

Translating those broad governance obligations into documented, day-to-day processes that can withstand scrutiny is harder than it may appear — particularly for large organisations operating across multiple business units or jurisdictions, where coordinating and tracking compliance activity becomes a significant operational undertaking.

Read the full Vixio post here.

Copyright © 2026 RegTech Analyst
