"SOX" Compliance in the UK (Provision 29): How to Prepare
If you’ve been hearing more about SOX compliance in the UK lately, the timing isn’t a coincidence. The updated Corporate Governance Code 2024 is one of the most significant governance reforms in recent years and has drawn comparisons to the US Sarbanes-Oxley (SOX) Act. It applies to accounting periods starting on or after January 1, 2026, with first declarations expected in early 2027.
That said, “UK SOX” is technically a misnomer. Unlike the US, the United Kingdom hasn’t introduced a standalone SOX law. Instead, the requirements sit within the updated Corporate Governance Code 2024, specifically Provision 29. The “UK SOX” nickname has stuck because the underlying goals of both are similar: to strengthen accountability, build investor trust, and improve corporate reporting.
Because 2026 is the first year businesses are expected to operate under the updated framework, expectations and best practices are still evolving. For compliance, legal and risk teams, CFOs, and finance functions, that uncertainty is one of the biggest challenges.
Whether your organisation is expected to comply or wants to get ahead of requirements, this guide covers the essentials.
In this article:
- What you need to know about SOX compliance in the UK
- How to stay “SOX compliant” in the UK
- Top challenges of staying SOX compliant
- How Vixio supports UK SOX compliance from monitoring to evidence
Vixio is a regulatory change management platform that helps compliance teams track evolving guidance in real time, extract actionable obligations from complex regulatory text, and build the audit trail they'll need when reporting time comes. Book a demo to see Vixio in action.
What you need to know about "SOX" compliance in the UK
The term "UK SOX" points specifically to Provision 29 of the UK Corporate Governance Code 2024, published by the Financial Reporting Council (FRC).
The FRC was set to be renamed to the Audit, Reporting and Governance Authority (ARGA) but this plan has been shelved.
Like its American counterpart, the provision is rooted in the idea that leadership – not just auditors – should be responsible for overseeing and attesting to the strength of their internal controls.
What does Provision 29 require?
Aimed at public companies with a premium listing on the London Stock Exchange and larger private companies with over 750 employees or over £750 million in annual turnover, the provision requires the board to confirm in the company's annual report that internal controls over financial reporting, operational processes, and compliance are effective.
In practice, that means the board needs to:
- Regularly conduct risk assessments and evaluate its risk management frameworks
- Transparently report on risk and control deficiencies
- Show how it is identifying and mitigating emerging risks
That scope is notably broader than US SOX, which is tightly focused on financial reporting. It's also less prescriptive, with no requirement for external auditors to sign off on controls.
With the UK Code operating on a principle of "comply or explain", there are no automatic fines for non-compliance with Provision 29. If your approach deviates from what the Code expects, the board has the opportunity to explain why. If that explanation doesn't hold up, it can attract scrutiny from regulators, investors, and auditors.
What exactly is expected, however, is still being established. Guidance and examples of good and bad practice are emerging in real time, and greater clarity should follow as firms begin submitting their reports.
How does Provision 29 differ from US SOX compliance?
While both US and UK SOX share similar goals, the way each country approaches compliance differs.
The 2002 US Sarbanes-Oxley Act is specific, prescriptive, and built around hard financial reporting requirements and accurate financial disclosure, to prevent the kind of accounting manipulation that defined scandals like Enron. It mandates that companies:
- Implement specific controls to protect the integrity of financial data
- File regular reports with the SEC on the effectiveness of those controls
- Pass annual independent external audits of their financial statements
The UK's approach is broader in scope but less prescriptive. Rather than specifying exactly what controls a company must implement, Provision 29 leaves it up to the organisation to determine what robust oversight looks like, with the board standing behind that determination publicly. There’s no external audit requirement for the internal controls review.
As a result, UK SOX gives you greater flexibility to tailor the approach to your industry and organisation, but also no checklist to follow. UK companies will have to build their own frameworks and be ready to defend them.
How to stay “SOX compliant” in the UK
With the first reporting year now underway, here are seven elements boards and compliance teams should have in place:
- Board-level ownership of the internal controls review. Directors are responsible for confirming in writing in the annual report that the company's internal controls framework is effective. This isn't a task that can be delegated away from the board, so directors should have direct visibility into how controls are functioning.
- Coverage across all material controls. The review must span financial reporting, operational compliance, and cyber security controls. Companies should be mapping risks across all three areas and ensuring their controls address each.
- Individual accountability over team-level ownership. A common red flag in reports is assigning control ownership to teams rather than named individuals. If a control belongs to a department of 50 people, in practice, it may belong to no one. Effective compliance requires specificity: this person is responsible for this control, by this date.
- A year-round testing programme, not a year-end sprint. Regulators want to see controls genuinely reviewed throughout the year, not compressed into a single month before the deadline. Testing crammed into a short window makes it nearly impossible to identify an issue, fix it, and verify the outcome in time. A continuous cycle with documented outcomes at each stage is more defensible.
- Evidence that policies are followed. A well-drafted controls manual is not the same as demonstrating your controls work. You want to be able to present hard evidence that what's written down is what's actually being done, including records of tests carried out, exceptions flagged, and actions taken.
- Transparency about gaps and deficiencies. If a control gap has been identified, the board's report should acknowledge it and explain what action is being taken. A candid report with a clear remediation plan will typically land better than one that glosses over weaknesses.
- A clear audit trail. When reporting time arrives, boards need to be able to show their efforts. That means documentation of the review process, evidence of testing, records of decisions made, and visibility into how issues were escalated and resolved.
These seven areas provide a solid starting point. Still, there are some practical hurdles that companies will need to work through.
Top challenges of staying compliant with Provision 29
Even with a clear framework and strong board commitment, staying compliant will be challenging. Here’s why:
1. Guidance is still developing
Because 2026 is the first reporting year under the updated framework, there’s no settled picture of what “good” looks like in practice. Companies don’t have a body of FRC enforcement decisions, established market norms, or years of peer reporting to benchmark against.
That will change over time. As the first wave of reports comes in, regulators are expected to provide more examples of good and bad practice, along with clearer signals about how they view particular approaches.
For compliance teams, that creates an ongoing challenge. An approach that feels reasonable today may need to evolve quickly as expectations become clearer. Companies will need to keep tracking new guidance and stay on top of regulatory requirements: it’s not a one-and-done exercise.
2. There's no standard framework to follow
Unlike more prescriptive regimes, the UK approach leaves room for interpretation. Companies are expected to decide what robust internal controls look like for their organisation and then explain that reasoning publicly.
That flexibility is useful because it means UK businesses can tailor controls to their sector, structure, and risk profile. The downside is that there’s no checklist or tried-and-tested methodology to follow.
As a result, compliance teams are effectively building their approach as they go, balancing regulatory expectations with operational realities and building out a compliance process without a definitive playbook to rely on.
3. Translating obligations into documented action is harder than it sounds
One of the biggest challenges is turning broad governance expectations into day-to-day financial processes that can stand up to scrutiny. Boards can’t simply say controls exist; they need to show how those controls were reviewed, tested, and maintained throughout the reporting period.
In practice, that means assigning controls to named individuals rather than departments, carrying out testing continuously across the year instead of rushing it before reporting deadlines, and keeping evidence that policies are being followed consistently.
For large organisations operating across multiple teams, units, or jurisdictions, coordinating and tracking compliance can quickly become a major operational task.
How Vixio supports "UK SOX" compliance from monitoring to evidence
Vixio is a regulatory change management platform built for compliance teams in gambling, payments, and financial services that need to not only monitor regulatory updates, but also act on them in a provable, documented way. Here’s what our platform lets you do:
Stay ahead of evolving guidance, even before it hits the headlines
Because UK SOX is in its first real year of reporting, the guidance landscape will keep shifting. Good practice examples, FRC signals, regulatory clarifications, and new requirements will likely continue to emerge throughout 2026 and beyond, which presents a monitoring challenge.
Vixio tracks developments across 1,400+ regulatory authorities in over 200 jurisdictions, using AI and automation to process and organise updates at a scale no compliance team could manage manually. Every update is validated by our team of analysts, who also bring their own intelligence built from long-standing relationships with regulators, lawmakers, and journalists across the industry. That means you’ll often receive relevant intelligence before it appears in the news.

With Vixio, your team can get targeted alerts based on specific jurisdiction, product area, and regulatory topics. Each user has their own triage inbox, so updates land with the right person rather than getting buried in a shared inbox or lost in a content dump.

As the FRC issues further guidance on what it wants (and doesn’t want) to see, Vixio’s automated regulatory intelligence puts you in a position to respond quickly and adapt your programme accordingly.
Make sense of a principles-based framework with expert guidance
Without a prescriptive playbook to refer to, organisations are ultimately responsible for determining what appropriate controls look like and defending that interpretation. That requires understanding how regulators and peers approach compliance.
Vixio provides expert analysis alongside regulatory updates, giving you context on how enforcers are approaching requirements and how others in the industry are interpreting them. That intelligence is particularly useful when a principles-based framework leaves significant room for interpretation.

You can also use Vixio's Requirements Extraction Tool to translate complex regulatory text into clear, actionable obligations. Instead of manually reading through dense guidance documents and figuring out what they mean for your business, you get a structured view of what's required and why it matters.
Turn obligations into documented, defensible controls
Being compliant with Provision 29 requires producing evidence that makes your board's year-end declaration credible.
The Vixio platform is built for this. When a regulatory update or obligation comes in, it can be assigned to a named individual, given a due date, and tracked through to completion on collaborative boards. The result is a complete, time-stamped audit trail that shows not just what your controls are, but that they're being carried out.
A built-in audit trail not only supports Provision 29 reporting but also applies across every regulation your team is responsible for. Whether it's tracking the finalised PSD3 text or responding to changes in the Senior Managers and Certification Regime, Vixio gives you one place to monitor what's changing, understand what it means for your business, and make sure the right people are acting on it.

How a global payments provider uses Vixio to scale compliance across 170+ jurisdictions
More than 500 organisations trust Vixio to manage regulatory change across their business.
For instance, before using Vixio, a global digital payments provider operating across 30 sending countries and 170 receiving nations had a compliance operation that had hit its limits. A small team was spending the majority of its time manually scanning fragmented sources for regulatory updates, relying on expensive external counsel for basic information, and managing horizon scanning across a patchwork of spreadsheets.
With Vixio, the team replaced that manual process with automated, targeted intelligence across all relevant jurisdictions. Instead of searching for updates, they were analysing them. And instead of reacting to regulatory change, they were anticipating it with enough lead time to shape product decisions before new rules took effect.
The regulatory compliance challenges your organisation faces around UK SOX won't look identical to theirs. But the underlying problem – too much regulatory noise, not enough time, and real consequences for falling behind – is one that Vixio is built to solve.
SOX compliance in the UK: Vixio helps you stay current, stay organised, and stay ahead
UK SOX asks a lot of compliance teams: stay current on evolving guidance, build a compliant programme without a clear playbook, and produce documentation that holds up under scrutiny.
Vixio gives you the intelligence, workflow tools, and audit trail to meet that challenge without the manual overhead. Book a demo to see how it can work for your organisation.
FAQs on SOX compliance in the UK
Is SOX compliance mandatory in the UK?
"UK SOX" actually refers to Provision 29 of the UK Corporate Governance Code 2024. It’s often referred to as UK SOX because, like the US Sarbanes-Oxley (SOX) Act, its goal is to strengthen accountability and restore trust in corporate reporting. Compliance is mandatory for premium-listed companies and larger private firms, requiring boards to confirm in their annual report that their internal controls are effective.
What is the difference between US SOX and UK SOX compliance?
US SOX is more prescriptive. It specifies what controls companies must implement, requires regular SEC filings, and mandates independent external audits. UK SOX is broader in scope, covering financial, operational, and compliance controls, but far less prescriptive. There's no external audit requirement, and companies are expected to determine what robust oversight looks like for their own organisation.
Who does UK SOX compliance apply to?
The UK Corporate Governance Code applies to premium-listed public companies on the London Stock Exchange, and larger private companies with either more than 750 employees or more than £750 million in annual turnover.
When is the deadline for UK SOX compliance reporting?
The updated Corporate Governance Code applies to accounting periods starting on or after January 1, 2026, making 2026 the first reporting year for most organisations. That means first declarations are expected in early 2027, when companies submit their annual reports.
How do companies demonstrate UK SOX compliance to regulators?
Through documentation. Boards need to show that controls were reviewed, tested, and maintained throughout the year. That means records of testing carried out, exceptions flagged, actions taken, and a clear audit trail showing how issues were escalated and resolved.