Field Notes · 27 May 2026 · Audit committee chairs

UK SOX 2026: what 147 controls across 12 process cycles actually looks like

If you chair an audit committee, run internal audit, or sit as group FD for a UK listed company or a US-listed UK subsidiary, the question on the agenda is some version of this: the FRC Provision 29 attestation comes due, our existing controls work is uneven, and we have neither the bench nor the design capability inside to produce a programme that survives inspection. What does a credible controls programme actually look like, who needs to do what, and what does the audit cycle that follows it cost in time and fee? This article is the answer, with the numbers and the design decisions from a programme that has already been through it.

Atlas Verum has delivered a first-year SOX 404 controls design programme that produced 147 key controls across 12 process cycles, subsequently attested by the client's partner audit firm under PCAOB AS 2201 with zero FRC inspection findings, and adopted as the template for additional EMEA subsidiary entities. The same pattern is what UK Corporate Governance Code Provision 29 sub-certification regimes from 1 January 2026 require, scaled to the entity's risk profile. This article walks through what the work looks like in practice.

Most articles about UK SOX 2026 are abstract. They describe the regime, list the regulatory references, and gesture at implementation. This is different. It is what one operator actually produced across a 12-month engagement for a single US-listed UK subsidiary, with the controls broken down by cycle, the design methodology made explicit, and the attestation outcome documented.

What 147 controls means at the right level of abstraction

Most people new to ICFR design see "147 controls" and imagine a list of 147 separate things to check. That is not the right mental model. The right mental model is: 12 process cycles each carry a finite set of risks of material misstatement, and each risk is mitigated by a small set of controls that, together, reduce the risk of misstatement to a level acceptable for management's assessment.

The 147 controls in this engagement decomposed as follows. In Record to Report (R2R), 18 controls covering chart-of-accounts hygiene, journal entry authorisation, period-end close cut-off, FX translation accuracy, consolidation eliminations, and reporting pack assembly. In Procure to Pay (P2P), 16 controls covering supplier onboarding, three-way match, invoice approval thresholds, payment file authorisation, AP reconciliation, and accruals capture. In Order to Cash (O2C), 14 controls covering customer onboarding and credit assessment, order release authorisation, invoicing accuracy, AR reconciliation, bad debt provisioning, and revenue recognition cut-off. In Treasury, 13 controls across bank reconciliation, FX hedge documentation, intercompany loan tracking, cash forecast governance, and bank-mandate authority. In Financial Close, 11 controls across the close timetable, manual journal review, supporting documentation completeness, balance sheet substantiation, and supervisory review.

The remaining cycles, each contributing between 9 and 13 controls, were Hire to Retire (payroll authorisation, leaver controls, sensitive HR data), Acquire to Retire (capex authorisation, fixed asset register maintenance, depreciation review), Forecast to Report (budget variance review, reforecast cycle, board pack preparation), Treasury (already counted above), Tax (corporation tax provisioning, deferred tax, transfer pricing), Payroll (already partially counted), and ITGCs (access management, change management, computer operations, programme development), which provided the cross-cutting general controls layered over all the process cycles.

The point of breaking this down is to show that 147 is not an arbitrary number. It is the disciplined output of 12 cycles, each addressed at the level required for the entity's risk profile, with the ITGC layer providing the foundation. Half that number for a smaller entity would not be a deficient design; it would be the right design for the smaller risk surface. Twice the number for a larger entity would not be redundant; it would be the design for the larger surface.

The misconception is that ICFR maturity is measured in volume. It is not. ICFR maturity is measured in coverage and effectiveness against the actual risk profile, and the appropriate number falls out of that, not the other way around.

The 12 process cycles and how they were scoped

The choice of 12 process cycles was not arbitrary either. It reflects the standard UK ICFR scoping convention for a regulated financial services subsidiary with a single line of business, a single ERP environment, and a 5-to-10-entity sub-group consolidating to the US parent. The 12 cycles were: R2R, P2P, O2C, Treasury, Financial Close, Hire to Retire, Acquire to Retire, Forecast to Report, Tax, Payroll, IT environment, and entity-level controls.

For a more complex entity, this list expands. Multi-line-of-business operations add product-specific cycles. Multi-ERP environments add an inventory of the ERP boundaries themselves as a cycle. International subsidiaries add intercompany cycles as a separately-scoped flow. The 12-cycle template is the starting point; the actual scope is determined by the entity's complexity, materiality, and risk concentration.

Scoping happens at the start of the engagement and is reviewed at quarter-end. A scoping document records the rationale for including or excluding each cycle and identifies the management assertion that each cycle addresses. The partner audit firm consumes this document as the entry point to its substantive testing scope, so scoping rigour matters: a poorly-scoped cycle leads to a more expensive audit cycle, because the auditor has to do the scoping work that management failed to do.

The four-stage critical-analysis protocol applied to controls design

Atlas Verum's standard delivery methodology for controls design uses the four-stage critical-analysis protocol. Stage one, critical analysis, walks the process end-to-end with the process owner. Stage two, gap surfacing, identifies where the actual operating reality differs from the documented reality, where assertions are at risk, and where automated checks are absent. Stage three, bridging, chooses between manual control, semi-automated control with manual review, fully-automated control with monitoring, or hybrid, based on what works rather than what is available. Stage four, documentation, captures the design at the inspection standard expected by the partner audit firm.

In the 147-control engagement, the bridging-stage decisions matter more than the volume of controls. Some examples. Bank reconciliation could have been a manual monthly process with a sign-off; instead it was implemented as a semi-automated daily reconciliation with exception escalation, because the entity's payment volume justified the higher-frequency design. Journal entry review could have been a sample-based monthly check; instead it was implemented as a full-population analytical review with material threshold-based escalation, because the partner audit firm's substantive testing approach made full-population coverage cost-efficient. Three-way match could have been a manual check at invoice approval; instead it was implemented as a system-enforced control in the P2P ERP module, because the volume and the predictability of the three-way pattern made the automation case clear.

The bridging-stage decisions are what differentiate a controls design that survives FRC inspection from one that doesn't. The inspection regime asks whether the choice of control mechanism was deliberate and whether the implementation evidence supports the operating effectiveness assertion. Random choices fail; deliberate choices grounded in the bridging matrix pass.

Documentation to inspection standard

The documentation produced for this engagement followed the FRC Audit Quality Review inspection standard from day one. That means every control had a risk-and-control matrix entry, a walkthrough document, a test of design conclusion, and a test of operating effectiveness procedure. The risk-and-control matrix was constructed with explicit references to the management assertion (existence, completeness, accuracy, classification, presentation), the control owner, the control frequency, the evidence retention pattern, and the linkage to the underlying ITGC dependencies.

The walkthrough documents were screen-captured where possible, with the system flows annotated to show the control point. The test of design assessed whether the control as designed would prevent or detect the assertion-level risk, with deficiency classification at the design level (significant deficiency vs material weakness) if the design was insufficient. The test of operating effectiveness used statistical sampling proportionate to the population frequency, with the partner audit firm's substantive testing approach informing the precision of the sampling design.

For the partner audit firm to consume this documentation and form their PCAOB AS 2201 attestation, two things had to hold. First, the documentation had to be complete enough that the auditor could re-perform the walkthrough independently without the operator's involvement. Second, the documentation had to be specific enough that the auditor could trace any individual transaction through the control chain back to the underlying record. Both conditions were met across all 147 controls.

The audit opinion was delivered by the partner audit firm under PCAOB AS 2201. The audit cycle ran cleanly because the documentation supported the substantive testing without requiring the auditor to fill scope gaps. The FRC inspection of the partner audit firm's work on this engagement returned zero findings on the controls scope. The framework was subsequently adopted by the parent group as the template for additional EMEA subsidiary entities. These are facts traceable to the engagement record.

What this means for Provision 29 cohort entities

UK Corporate Governance Code Provision 29, effective from 1 January 2026, requires UK listed companies (and an expanding set of large private companies subject to the Code) to attest to the effectiveness of internal control over financial reporting. The sub-certification regime that cascades from this requirement (board, audit committee, executive management, process owners) is structurally similar to US SOX 404 in design, though scoped to the UK regulatory and reporting regime rather than the SEC.

For Provision 29 cohort entities, the lessons from the 147-control engagement translate directly. The 12-cycle template is a starting point that adapts to entity complexity. The four-stage critical-analysis protocol works regardless of regime. The bridging-stage decisions are what differentiate inspection-survivable designs from compliance-checklist designs. The documentation standard required to support partner audit firm attestation is the same whether the framework is PCAOB AS 2201 or the FRC's equivalent under the UK regime.

The difference, for Provision 29, is that the cohort entities are likely doing this for the first time without the benefit of an existing US SOX framework. The temptation is to over-engineer (replicating a full US SOX framework that is disproportionate to the UK reporting requirement) or to under-engineer (producing a thin compliance document that fails inspection). The right path is in the middle: a deliberately-scoped framework that matches the entity's actual risk profile, designed using the four-stage protocol, documented to inspection standard, attested by a UK audit partner firm.

What Atlas Verum produces for a Provision 29 engagement

Atlas Verum delivers Provision 29 readiness as a controls design programme under Module 5 (Internal Controls Design). The standard scope:

A risk-and-control matrix designed to COSO 2013's 17 principles, scoped to the entity's actual processes.
Walkthrough documentation across the in-scope process cycles, captured to inspection standard.
Test of design documentation for control owners.
ITGC scoping across the in-scope ERP and cloud environment.
Segregation of duties analysis at the ruleset level where the entity is at F500 scale, or at the role level for smaller scopes.
SOC 1 Type 2 reliance evaluation where third parties are in scope.
Deficiency tracking framework and aggregation logic.
Sub-certification cascade design (the explicit Provision 29 deliverable).
Audit committee deliverables and board reporting pack.
Partner-audit-firm handoff pack for the attestation cycle.

Engagement structures range from a retained design phase through a full programme covering remediation, testing and attestation handoff. Scope, duration and commercials are shared after a discovery call, sized to the entity's risk profile and the timeline to first attestation.

Audit attestation is delivered separately by the entity's partner audit firm. Atlas Verum coordinates the partner-firm introduction and runs the audit cycle from the client side. Two contracts, two scopes, aligned outcome.

What comes next

Articles 3 and 4 in this series will cover the group reporting transformation (the 18-to-9 day close on a six-entity FRS 102 consolidation) and the IFRS 18 transition (effective 1 January 2027) respectively. Both pieces apply the same critical-analysis protocol to different domains.

For now, the takeaway. 147 controls across 12 process cycles is not a number to memorise. It is a verified output of a disciplined design programme that produced a clean PCAOB AS 2201 attestation by the partner audit firm and zero FRC inspection findings. That outcome is replicable, with the right scoping, the right bridging-stage choices, and inspection-standard documentation from day one. Provision 29 cohort entities now have 18 months of operating cycles before the first attestation comes due. The discipline above is what makes that attestation clean rather than expensive.


Atlas Verum Limited · Company No. 17203202 · 71–75 Shelton Street, Covent Garden, London WC2H 9JQ · DK@AtlasVerum.co.uk · AtlasVerum.co.uk

Field Notes · Atlas Verum thought-leadership programme · Audit opinions delivered by Atlas Verum's trusted UK partner audit firm network.