Provision 29: How will internal audit be affected by updates to the UK Corporate Governance Code?

Provision 29 of the Corporate Governance Code takes effect in January 2026. This new requirement establishes direct access between internal audit leadership and the board, fundamentally changing the dynamics of audit independence and governance oversight. 

Understanding Provision 29: what's changing? 

Provision 29 introduces three critical requirements that will reshape how internal audit functions operate: 

• Direct access to the board chair: The Head of Internal Audit must have direct access to the board chair, creating an independent communication channel that bypasses executive management when necessary. 
• Annual private meeting: The Head of Internal Audit should meet with the board (or board chair) at least once annually without management present, ensuring concerns can be raised freely. 
• Enhanced independence: These provisions collectively strengthen internal audit's independence and ability to fulfill oversight responsibilities without undue management influence. 

While these changes may appear procedural on the surface, they represent a fundamental shift in how internal audit positions itself within organizational governance structures. 

Why this matters: the independence imperative 

Internal audit often walks a delicate line - reporting administratively to management while maintaining professional independence. Provision 29 acknowledges what governance experts have long recognized: true independence requires more than organizational charts and dotted reporting lines. It requires direct, unfettered access to those charged with governance. 

This isn't just about creating another meeting on the calendar. It's about ensuring internal audit can fulfill its fundamental purpose: providing objective assurance and insight without fear of management interference or retaliation. 

Consider the practical implications. When internal audit identifies significant control deficiencies, ethical concerns or strategic risks that may reflect poorly on executive leadership, the ability to escalate directly to the board chair becomes essential. Provision 29 formalizes this pathway, removing ambiguity about whether such access is appropriate or available. 

The strategic implications of provision 20 for internal audit teams  

The provision elevates internal audit from a function that reports through committees to one with direct board-level relationships. This creates both opportunities and obligations for internal audit leaders. 

Building board-level relationships 

Heads of Internal Audit will need to develop working relationships with board chairs and board members that go beyond formal reporting. This requires understanding board priorities, governance concerns and the broader strategic context in which the organization operates. The annual private meeting isn't merely a compliance exercise - it's an opportunity to provide unfiltered perspective on organizational health, risk culture and control effectiveness. 

Communicating at the governance level 

Direct board access demands a different communication approach than audit committee reporting. Internal audit leaders must be prepared to discuss findings and concerns in the context of governance responsibilities, fiduciary duties and strategic implications. Technical audit language gives way to conversations about organizational integrity, risk appetite alignment and whether management is creating the culture and systems necessary for sustainable success. 

Exercising professional judgment 

With direct access comes the responsibility to use it judiciously. Heads of Internal Audit will need to exercise careful judgment about when to engage the board chair directly versus working through established channels. Overuse could diminish the impact of the access; underuse could leave the board without critical information. Finding this balance will be essential. 

Practical challenges of Provision 29 that internal auditors will face 

While Provision 29 strengthens internal audit's position, it also introduces practical challenges that teams must navigate. 

Capacity and resource constraints 

Many internal audit teams are already stretched thin, struggling to complete planned audits while responding to emerging risks and ad-hoc requests. Adding the demands of enhanced board engagement, including preparation for annual private meetings and maintaining board-level relationships, requires capacity that many teams lack. 

Relationship dynamics and politics 

Direct board access can create complex relationship dynamics. Executive management may view private board meetings with suspicion or as undermining their authority. Internal audit leaders will need diplomatic skills to maintain productive working relationships with management while exercising their independent access to the board when warranted. 

Skill and experience gaps 

Not all internal audit leaders have experience operating at the board level. Some may be highly skilled technical auditors who lack exposure to governance discussions, board dynamics or the broader business context that informs board-level conversations. Professional development in these areas becomes essential. 

Preparing your internal audit function for success 

Internal audit leaders should begin preparing now to ensure smooth implementation when Provision 29 takes effect. Here's what effective preparation entails: 

Establish clear protocols and expectations 

Work with your board chair and audit committee to establish clear expectations around how direct access will function. When should the Head of Internal Audit reach out directly? What topics warrant private discussion? How will annual private meetings be scheduled and structured? Clarifying these details in advance prevents awkwardness and ensures the provision's intent is realized. 

Streamline operations to create capacity 

Meeting Provision 29's requirements demands time and mental bandwidth that many audit leaders don't currently have. Investing in modern audit management infrastructure becomes increasingly important. This could be a good time to review how effective your processes are when it comes to tracking projects, allocating resources and accessing data. 

Build a framework for board-level reporting 

Create frameworks specifically for board-level discussions that focus on governance concerns, organizational culture, risk appetite and control environment health. These conversations differ from audit committee meetings, which often involve more detailed technical discussions. Board-level reporting emphasizes themes, trends and strategic implications rather than individual audit findings. 

Strengthen your position within the organization 

Use the lead-up to Provision 29 implementation to strengthen internal audit's position more broadly. This includes deepening relationships across the organization, enhancing your understanding of business strategy and operations, and demonstrating value through insightful, forward-looking audit work. The stronger your foundation, the more effective your board-level engagement will be. 

Enhance board-level communication skills 

If your Head of Internal Audit lacks experience at the board level, invest in developing those capabilities now. This might include executive coaching, participation in governance forums, or shadowing other board-level interactions. The annual private meeting shouldn't be the first time your audit leader engages with board members in this capacity. 

The broader governance context 

Provision 29 doesn't exist in isolation. It's part of broader updates to the UK Corporate Governance Code that strengthen oversight, enhance transparency and reinforce accountability. Internal audit plays a central role in this governance ecosystem, and Provision 29 formally recognizes that role by ensuring audit leadership has the independence and access necessary to fulfill it effectively. 

Organizations should view Provision 29 as part of a holistic approach to governance rather than a standalone compliance requirement. How does internal audit's enhanced independence complement other governance mechanisms? How does direct board access strengthen the three lines model? How can the organization create a culture where internal audit's independence is respected and valued at all levels? 

The opportunity within the change 

While Provision 29 introduces new requirements, it also validates the critical importance of internal audit to organizational governance. This formal recognition of internal audit's need for board-level independence and access should strengthen the function's position and influence. 

For internal audit leaders who have struggled to gain executive support or resources, Provision 29 provides leverage. The requirement for direct board access signals that internal audit isn't merely a compliance function - it's a governance imperative that warrants appropriate investment and positioning. 

Organizations that embrace this perspective will find their internal audit functions become more effective, more strategic and better positioned to protect organizational interests.