Tim Le Mare
Solutions Sales Director

Maximising ROI: The business case for improving internal controls

December 23, 2025

The UK Corporate Governance Code hasn’t stood still. The FRC has spent the past few years consulting on reforms, then refining them into the more focused 2024 update, which has been in effect throughout 2025. The next milestone arrives on 1 January 2026, when boards will need to make a declaration on the effectiveness of material controls under Provision 29.

Provision 29 isn’t the main character of this story, but it does set the backdrop. It raises expectations around evidence, clarity and consistency, and it’s already prompting organisations to revisit how their internal controls operate day to day. That makes this a good moment to take stock, not only of what compliance requires, but what stronger controls can do for the business.

Because when you strip everything back, the case for investing in better controls is simple: they reduce risk, improve decision-making and build trust. And in many organisations, they also cut cost.

Here’s how to build that case in a way that resonates with stakeholders across the business.

Start with the outcomes different stakeholders care about

A single controls programme can deliver very different benefits depending on who you speak to. The strongest business cases reflect this.

Executive teams
Executives want confidence that the information they rely on is accurate and that risk conversations are grounded. Stronger controls support cleaner forecasting, fewer surprises and more certainty during planning cycles.

Investors
Investors increasingly expect disclosures that are specific and evidence-based. With the new Code requiring more transparency on control effectiveness from 2026, investors will be looking for clarity, not boilerplate. Strong controls reinforce trust.

Customers
The new declaration covers more than financial controls. When ESG, health and safety and ethical practices sit within a clear control framework, customers feel more confident that the organisation delivers on its commitments.

Employees
People want to know they’re part of a well-run organisation. Clear controls help build a culture of accountability and reduce frustration in process-heavy areas.

A practical tip I often see work well: identify hotspots. That might be a recurring operational error, slow remediation cycles or issues in ESG reporting. These hotspots help you show the business where controls improvements make an immediate difference.

Where automation helps (and where it doesn’t)

Automation is becoming an essential part of how organisations strengthen internal controls. It reduces manual checks, lowers error rates and provides more consistent evidence throughout the year. This is useful for the new Code’s expectations but is even more useful for everyday business.

But automation isn’t a magic wand. It works best when the underlying process is clear. If a process already causes confusion or rework, automating it only amplifies the problem. A better approach is to start with a pilot:

Internal controls: 4 steps for a low‑risk automation pilot

Focusing on the first line is key. People closest to the process can tell you what needs improving and what information they need to work more effectively. When automation helps them, evidence quality improves without extra effort.

Build a roadmap that avoids common blockers

Internal controls touch multiple teams and systems, and sometimes third parties too. Without a structured plan, programmes lose momentum quickly.

A roadmap with four early decisions makes all the difference:

1. Scope
Agree what counts as a material control. This should reflect risks, regulatory duties and anything that could affect key reporting. Provision 29 specifically requires boards to cover financial, operational, reporting and compliance controls.

2. Evidence
Set expectations for what “good evidence” looks like. This includes testing frequency, documentation standards, thresholds for exceptions and how remediation is tracked.

3. Assurance
Clarify how first, second and third line work together. Assurance should be coordinated rather than duplicated, especially as organisations prepare for the more structured disclosure requirements in 2026.

4. Delivery
Align data, systems, processes and owners. Third-party providers need to be included early where they support key controls.

Most delays come from not agreeing these points upfront. Once the basics are settled, teams can focus on testing, fixing gaps and building confidence in the framework.

Start early, focus on value and support people through change

Although the declaration applies to 2026 year ends, organisations need a full year’s worth of monitoring and evidence behind it. Starting now means fewer surprises and more time to test, remediate and refine.

Different stakeholders move at different speeds. Some need more context, others want reassurance that the work will help them, not add to their workload. Tailoring the message to each group helps maintain momentum.

The lesson I see again and again is simple: Keep the needs of first-line managers front and centre.

When ownership is clear and processes run smoothly, the evidence is stronger, the board can form its view with confidence and the whole organisation benefits from fewer operational issues.

Strengthening internal controls is not only about meeting the Code. It’s about creating a clearer, more predictable and more resilient business.

That’s where the real ROI lies.

If you’re building your approach for 2026:
Diligent Internal Controls Management offers a simpler way to coordinate testing, evidence and remediation, so your controls framework stays clear and consistent throughout the year.


© 2025 Diligent Corporation. All rights reserved.