The phrase 'UK SOX' has been circulating with growing urgency in compliance and finance circles, and the timing is no accident.
According to Vixio, the updated UK Corporate Governance Code 2024 - widely compared to the US Sarbanes-Oxley (SOX) Act - came into force for accounting periods beginning on or after 1 January 2026, with the first declarations from boards expected in early 2027. For compliance officers, chief financial officers, legal teams, and risk functions, the clock is already ticking.
Vixio recently provided a detailed description of 'SOX' compliance in the UK (Provision 29) and how firms can prepare.
The term 'UK SOX' is, technically speaking, a misnomer. Unlike the US, the UK has not enacted a standalone SOX statute. The obligations in question sit within Provision 29 of the updated Corporate Governance Code 2024, published by the Financial Reporting Council (FRC) - an organisation that was previously set to be renamed the Audit, Reporting and Governance Authority (ARGA), though those plans have since been shelved. The nickname has stuck because both regimes share the same underlying intent: strengthening accountability, rebuilding investor trust, and improving the quality of corporate reporting.
Because 2026 represents the first operational year under the new framework, best practice is still being defined in real time. For the compliance, legal, and finance professionals tasked with meeting the requirements, that ambiguity is itself one of the most pressing challenges.
What Provision 29 actually requires
Provision 29 applies primarily to public companies with a premium listing on the London Stock Exchange, as well as larger private companies with more than 750 employees or annual turnover exceeding £750m. It requires boards to confirm in their annual report that internal controls covering financial reporting, operational processes, and compliance are genuinely effective.
In practice, boards must regularly conduct and document risk assessments, report transparently on any control deficiencies, and demonstrate how emerging risks are being identified and mitigated. The scope here is notably wider than US SOX, which is tightly focused on financial reporting accuracy. The UK regime is also deliberately less prescriptive: there is no requirement for external auditors to sign off on internal controls.
The UK Code operates on a 'comply or explain' basis, meaning there are no automatic penalties for non-compliance with Provision 29. If a board's approach deviates from the Code's expectations, it must explain why - and if that explanation fails to satisfy regulators, investors, or auditors, scrutiny will follow. What precisely constitutes an acceptable explanation is, for now, still being established.
How the UK approach differs from US SOX
The 2002 Sarbanes-Oxley Act in the US was designed to prevent the kind of systemic accounting manipulation that brought down Enron and others. It is specific and prescriptive: companies must implement defined controls to protect financial data integrity, file regular reports with the SEC on the effectiveness of those controls, and submit to annual independent audits of their financial statements.
The UK framework shares the same broad ambition but takes a markedly different path. Rather than mandating specific controls, Provision 29 leaves it to each organisation to determine what robust oversight looks like - and to stand behind that determination publicly in its annual report. There is no external audit requirement for the internal controls review. The trade-off is flexibility on one side and the absence of any definitive checklist on the other. UK companies must build their own frameworks from scratch and be prepared to defend them if questioned.
Seven things boards should have in place
With the first reporting year now under way, there are seven areas that compliance teams and boards should prioritise. First, ownership of the internal controls review must sit at board level - directors are personally responsible for the written confirmation in the annual report, and that cannot simply be delegated downwards. Second, the review must cover all material controls, including financial reporting, operational compliance, and cyber security.
Third, accountability should be individual, not collective. Assigning control ownership to a department of 50 people is functionally the same as assigning it to no one. Compliance requires named individuals, specific controls, and clear deadlines. Fourth, testing must be a year-round programme rather than a last-minute rush before reporting deadlines - compressed testing windows make it nearly impossible to identify problems, implement fixes, and verify outcomes in time.
Fifth, evidence matters as much as policy. A well-written controls manual does not demonstrate that controls are actually working; boards need records of tests carried out, exceptions flagged, and remedial actions taken. Sixth, gaps should be disclosed rather than glossed over. A candid report that identifies a deficiency and sets out a clear remediation plan will typically attract less scrutiny than one that presents a misleadingly clean picture. Seventh, the entire process must be supported by a clear, time-stamped audit trail showing how the review was conducted, what decisions were made, and how issues were escalated and resolved.
The compliance challenges that will define 2026
Even organisations with strong frameworks in place will face real-world obstacles. With no settled body of FRC enforcement decisions and no established market norms to benchmark against, compliance teams are operating in unfamiliar territory. That will change as the first wave of reports comes in and regulators issue further guidance, but for now, an approach that appears reasonable today may need rapid adjustment as expectations are clarified.
The absence of a prescriptive framework also means there is no tried-and-tested methodology to follow. Companies are, in effect, building their compliance approach as they go - balancing evolving regulatory expectations with operational realities and doing so without a definitive playbook. For large organisations operating across multiple teams, business units, or jurisdictions, the task of coordinating, tracking, and evidencing compliance activity can quickly become a substantial operational burden in its own right.
How regulatory intelligence platforms can help
Regulatory change management platforms designed for compliance teams in financial services, payments, and related sectors are increasingly positioned to support Provision 29 obligations. Tools that monitor updates across hundreds of regulatory authorities - using AI and analyst expertise to process, validate, and contextualise developments - can give compliance teams early sight of FRC guidance before it reaches the headlines. Targeted alerts by jurisdiction, product area, and regulatory topic ensure updates reach the right person rather than disappearing into a shared inbox.
Where the UK framework leaves room for interpretation, expert analysis of how regulators are approaching requirements - and how peers in the industry are responding - can be particularly valuable. Requirements extraction tools that translate dense regulatory text into clearly scoped, actionable obligations help teams move from monitoring to action more efficiently.
Critically, Provision 29 compliance ultimately depends on the ability to produce documented, defensible evidence of what controls exist and how they were reviewed. Platforms that allow obligations to be assigned to named individuals, tracked through to completion, and supported by a complete audit trail address precisely this challenge - and the audit trail principle extends well beyond Provision 29 to every regulation a compliance function is responsible for.