OECD Integrity and Anti‑Corruption Review of Ukraine

Since bribery and other forms of corruption generally involve misconduct of a transactional nature, the rules regarding how transactions are approved, recorded and externally scrutinised are crucial to mitigating corruption risk in companies. In this regard, the OECD Anti-Bribery Convention and related instruments require the prohibition of several specific types of accounting offences that could be used to commit or hide bribery, as well as the establishment of related dissuasive sanctions and effective enforcement. They also recommend that governments encourage companies to establish adequate internal controls, ethics and compliance measures, overseen by corporate monitoring bodies such as boards and their audit committees. Measures should be in place to ensure that external auditors are sufficiently independent and have adequate incentives – as well as legal protections – to report any suspected misconduct uncovered during audits to company boards or the authorities. Finally, data-protection rules should not hinder the gathering and exchange of information necessary for corruption investigations.

The OECD Anti-Bribery Convention stipulates that national rules should prohibit various accounting practices that aim to enable the bribery of foreign public officials or hide such bribery.1 Examples of the specific offences enumerated in the Convention include: the use of off-the-books accounts or transactions, inadequately identified transactions, the use of false documents and the recording of non-existent expenditures. Effective civil, administrative or criminal penalties should be applied to such accounting offences and the authorities should give due consideration to pursuing cases against natural or legal persons that commit them. The 2021 Anti-Bribery Recommendation additionally recommends that companies be required to disclose all material contingent liabilities. Material contingent liabilities would include, for example, the possibility for future fees or penalties stemming from an eventual bribery conviction or related investigation. Such a requirement for disclosure can have a dissuasive impact owing, among others, to the potential reputational damage from the point of view of a company’s consumers, investors and other stakeholders.

For background, Ukrainian enterprises must prepare financial statements and can do so based on national or international standards. Related requirements are set forth in the Law 996-XIV on Accounting and Financial Reporting, which notably establishes that “enterprises are required to prepare financial statements based on accounting data” (Article 11, Part 1). Certain categories of enterprises, including notably public-interest enterprises (a category that includes all large enterprises), public joint-stock companies, and enterprises engaged in the extractive industries, must prepare financial statements in accordance with international standards, while other companies may choose to use national standards (Article 12-1). National standards are designed to be broadly aligned with international standards, although there are some differences. Most enterprises are required to publish their financial statements on their websites. The law further outlines how primary documents related to economic transactions must be recorded in enterprise accounting systems.

Ukrainian legislation prohibits changes to accounting records, but does not explicitly prohibit all the specific accounting offences enumerated in OECD standards. This is not inconsistent with the practices of many OECD countries, where legislation often establishes general rules for accurate accounting and financial disclosures, without necessarily enumerating all the specific accounting offences referenced in OECD standards. However, there may still be scope to fine-tune Ukrainian legislation to enumerate more of the specific accounting offences listed in the OECD Anti-Bribery Convention. Currently, the Law on Accounting and Financial Reporting (Article 9, Part 7) tasks enterprises with taking all measures necessary to “prevent unauthorised and imperceptible correction of records in primary documents and accounting registers” (Verkhovna Rada of Ukraine, 1999[1]). Although the Criminal Code of Ukraine does not reference accounting offences specifically, it does establish criminal liability for forgery of documents, including those issued or certified by an enterprise (Verkhovna Rada of Ukraine, 2001[2]).

Administrative penalties are foreseen for accounting offences, but limited data were provided on the imposition of such penalties and whether related offences involved bribery. OECD standards recommend that foreseen criminal, administrative or civil penalties for the accounting offences enumerated in the OECD Anti-Bribery Convention be “effective, proportionate and dissuasive” and that the authorities give due consideration to initiating procedures against those who commit accounting offences for the purpose of engaging in, or hiding, bribery. Ukraine’s Code on Administrative Offences establishes administrative penalties in the form of fines for certain accounting offences, including, inter alia “Concealment of […] non-productive costs and losses2, lack of accounting or keeping it in violation of the established procedure, entering false data in the financial statements, failure to submit financial statements” and obstructing state financial controls (Article 164-2).

The foreseen fines are equivalent to 8-15 times the monthly minimum gross income of citizens of Ukraine, or higher in the case of repeat offences.3 Publicly traded companies are subject to much higher potential fines for the submission of inaccurate or incomplete information to the securities regulator, ranging from one thousand to five thousand times the minimum income (Verkhovna Rada of Ukraine, 2024[3]). Ukrainian authorities interviewed in the context of this review have conceded that in cases where the potential financial gain from committing certain accounting offences is very high, the level of possible sanctions may not be adequately dissuasive. Additionally, the authorities provided only limited data on the imposition of administrative penalties for accounting offences, making it difficult to judge the extent to which the authorities give due consideration to pursuing related cases in line with OECD recommendations.4

Disclosure of material contingent liabilities is required for companies regardless of whether they implement international or national accounting standards. This requirement is consistent with OECD standards recommending such disclosure requirements. For companies that keep accounts and disclose in accordance with international standards, the International Accounting Standard 37 (IAS 37) requires the disclosure of material contingent liabilities in the notes of company financial statements (IFRS, 2001[4]). For companies that keep accounts in accordance with national standards, national accounting standard number 11 on “Liabilities” also requires the disclosure of contingent liabilities in the notes to the financial statements. The definition of contingent liability provided in the national standard is broadly equivalent to that set forth in the international standard (Ministry of Finance of Ukraine, 2000[5]). The national standard requires that related disclosures include a description of the liability as well as information on its expected financial impact, if such an estimation is possible. That being said, this review has not undertaken to assess the extent to which companies comply with these disclosure requirements, which could be a fruitful area for additional research.

Recommendation: Expand the scope of accounting offences explicitly prohibited by law and strengthen monitoring and enforcement efforts. The legislation in force in Ukraine establishes a general prohibition of unauthorised correction of accounting records and foresees administrative penalties for several specifically enumerated accounting offences. However, most of the accounting offences enumerated in the OECD Anti-Bribery Convention are not specifically referenced in Ukrainian legislation. The authorities may therefore wish to consider expanding the scope of accounting offences explicitly prohibited by law, including through potential amendments to the Code on Administrative Offences and/or the Criminal Code.5 Additionally, in light of the limited data available on the application of administrative penalties for accounting offences, the authorities should improve related monitoring efforts. Finally, it could be fruitful to consider increasing the severity of foreseen sanctions for accounting offences, to ensure that they are sufficiently dissuasive.

Several categories of Ukrainian enterprises, including notably large, publicly traded and other public-interest enterprises, must have their financial statements externally audited6. This is broadly consistent with the practices of many OECD countries, where it is common to require external audits for companies where accounting or financial-statement fraud could have a significant negative impact on a large stakeholder population, notably companies that are stock-exchange listed, large or systemically important (e.g. banks).

At the same time, the authorities did not provide any data on the extent to which companies comply with these audit requirements, pointing to scope for strengthened monitoring. Concerning the specific legal provisions on external audit in Ukraine, the Law on Accounting and Financial Reporting establishes which enterprises must undergo an external financial-statement audit. These enterprises include notably: public-interest enterprises (which includes banks, large enterprises and publicly traded companies); public joint-stock companies; business entities operating in the extractive industries; large enterprises; medium-sized enterprises; and financial institutions and non-state pension funds that are micro enterprises (Verkhovna Rada of Ukraine, 1999[1]).

Following legislative amendments that entered into force in March 2024, state-owned enterprises with the special legal form of “state unitary enterprise” – a category which represents over 80% of SOEs owned by Ukraine’s central government (OECD, 2021[6]) – are also required to have their financial statements independently audited. Specifically, the Law on Improving SOE Corporate Governance (which was signed on 22 February 2024 and entered into force on 8 March 2024) establishes, through foreseen amendments to Article 73 of the Commercial Code, that: “The annual financial statements of the state unitary enterprise are subject to mandatory verification by the subject of audit activity in accordance with the legislation" (Verkhovna Rada of Ukraine, 2024[7]).

At the time of writing, it was too early to assess implementation of these rules by SOEs. Concerning how these audits should be carried out and by whom, the Law on Audit of Financial Statements and Audit Activity sets forth (in Article 14, Part 3) rules governing the auditing profession and outlining external-audit procedures and principles. It stipulates several required tasks of the external auditor, including producing a clear opinion on whether the audited financial statements “in all material respects reliably and objectively disclose financial information in accordance with international financing reporting standards or national standards” and have been prepared in accordance with applicable legislation (Verkhovna Rada of Ukraine, 2018[8]).

Mandatory audits of the financial statements of public-interest enterprises are subject (under Article 14) to specific requirements beyond those required of other companies. Audit reports for public-interest entities must, for example: identify the body who appointed the auditor; provide a description of “the most significant risks of material misstatement of information […] including as a result of fraud” and of measures taken by the auditor to address those risks; and provide information regarding the auditor’s independence (Verkhovna Rada of Ukraine, 2018[8]).

Recommendation: The authorities should ensure full implementation of the new rules for state unitary enterprises to undergo external audits of their financial statements. The legislation requiring such audits only entered into force in March 2024 and its implementation should be carefully monitored in the SOEs for which such audits are now mandatory, in particular given that many provisions of the new Law on Improving SOE Corporate Governance contain limitations or postponements during the period of martial law.

Legislative provisions are in place to ensure auditor independence, complemented by national audit standards that closely align with international standards. Together, these legislative provisions and national standards constitute sound efforts by both the authorities and professional associations (the national standards are elaborated by a private chamber of auditors) to maintain adequate standards of auditor independence, in line with OECD anti-bribery standards.

In particular, Ukraine’s Law on Audit of Financial Statements and Audit Activity sets forth principles applicable to external auditors relating, for example, to professional ethics, professional scepticism and auditor independence and objectivity. The law explicitly references the applicability of international auditing standards – which themselves include high standards related to auditor independence – to the practice of external audits in Ukraine. For all companies, external auditors are prohibited from providing certain non-audit services to their audit clients if the provision of such services could jeopardise auditor independence.

For public-interest entities, the related prohibition is stricter, with auditors not being permitted to provide several specific non-audit services at the same time as undertaking financial-statement audits. Prior to undertaking external audits, all audit entities (auditors) are required by the law to “assess, evaluate and document” their compliance with the independence requirements established by the law. Public-interest entities are additionally required to evaluate and document information about their compliance with other requirements, including the aforementioned restrictions on the provision of non-audit services.

Disciplinary sanctions are foreseen for professional misconduct, including auditors’ non-compliance with independence requirements. The Law on Audit of Financial Statements and Audit Activity sets forth that disciplinary proceedings for professional misconduct by statutory auditors are carried out either by the governmental Audit Public Oversight Body (APOB), in cases when they audit or have the right to audit public-interest entities, or by the Audit Chamber of Ukraine (a private industry association), for other companies (Article 42, Parts 2 and 3).

Professional misconduct of statutory auditors as outlined in the law includes notably: not performing or improperly performing duties; non-compliance with independence requirements; violating international auditing standards; not complying with procedures related to the quality control of audit services provided by statutory auditors; and other violations enumerated in the law. Disciplinary proceedings can result in, among others: warnings, suspension of auditing services for a defined period, imposition of fines, or cancellation of the auditing licence (Verkhovna Rada of Ukraine, 2018[8]).

The APOB, responsible for public-interest entities, is a relatively new institution, established in 2017 under the Ministry of Finance to improve audit oversight in Ukraine. Now that the institution has had some time to develop and implement its mission, the authorities might find it fruitful to assess the APOB’s effectiveness, with a view to addressing any related challenges and ultimately strengthening its audit-oversight activities.

Legislation requires the APOB to make public an annual report summarising its activities, including information on any penalties imposed by the APOB against auditors and audit firms. At the time of writing, the latest such available report was for APOB activities undertaken in 2023. According to the APOB’s website as of 29 March 2025, in 2025, four audit firms and one individual auditor had been held liable for professional misconduct or violation of applicable laws either by the APOB’s Audit Supervision Board (two firms and one individual auditor) or the Council of the Audit Chamber of Ukraine (two firms). Two of those cases specifically involved the violation of international audit standards, for which the applied penalties imposed by the APOB were, respectively, a suspension of the audit firm’s right to provide audit services for one year and a suspension of the individual auditor’s right to sign audit reports for six months (Audit Public Oversight Body of Ukraine, 2025[9]; [10]). In 2024, 18 audit firms were subject to disciplinary sanctions, 6 of which by the APOB and 12 by the Council of the Audit Chamber of Ukraine. Three APOB sanctions related to misconduct in violation of international audit standards. Also in 2024, two individual auditors were applied disciplinary sanctions by the Council of the Audit Chamber of Ukraine, while the APOB imposed no sanctions on individual auditors.

The rather small number of disciplinary penalties imposed by the APOB on auditors in 2024 and the first part of 2025 points to potential scope for bolstering the APOB’s monitoring and enforcement work. Auditors’ independence is crucial for maintaining their ability to objectively assess the credibility of financial statements and for incentivising them to report suspected acts of corruption to corporate monitoring bodies and/or the authorities. Ukrainian legislation and auditing standards establish sound principles relative to auditor independence. The APOB supports implementation of these standards for public-interest entities through its monitoring and enforcement efforts.

External auditors are subject to a broadly applicable requirement to report any suspected illegal acts uncovered during an audit to corporate management. Still, shortcomings persist relative to OECD anti-bribery standards, including notably (i) the fact that requirements for auditors to escalate reporting to the supervisory board in case of insufficient response from management only apply to public-interest entities; (ii) there are no requirements in the Law on Audit of Financial Statements and Audit Activity for external auditors to report suspected acts of corruption to the public authorities; and (iii) there is limited evidence that the authorities are actively encouraging company management to adequately respond to such reporting.

Ukraine’s relevant legislative provisions are set forth in the Law on Audit, which requires auditors to report suspected “violations” to the “management body” (Article 31), which refers to either the management board (if established) or the CEO (if no management board is in place). Although bribery and other forms of corruption are not specifically referenced in the law, the CC establishes bribery as an illegal act that would naturally fall under the scope of the aforementioned “violations” that auditors must report.

Several more specific reporting requirements are applied to the auditors of public-interest entities that find evidence of illegal acts. In particular, the law (Article 31, Part 2) requires auditors of public-interest entities to inform “the management body” of “violations, […] in particular in relation to the financial statements”, to encourage the management body to take appropriate measures to eliminate the violations, and to subsequently inform the supervisory board (Verkhovna Rada of Ukraine, 2018[8])7 if the management does not act on the information received.

Such a foreseen escalation of reporting is an approach also employed in many OECD countries, although often without restrictions related to the type of company. The Ukrainian authorities might therefore consider amending the legislation to strengthen the reporting line between auditors and supervisory boards for companies that are not public-interest entities (when such companies have established a two-tier board structure).

Recommendation: Bolster auditors’ role in reporting corruption to corporate monitoring bodies and authorities. This could be done through legislative changes, for example, requiring that auditors escalate reporting of suspected corruption to boards and/or the public authorities in case of insufficient response from management (an arrangement which currently only applies to public-interest entities).Certain whistle-blower protections can be understood to exempt auditors, to some extent, from liability for reporting suspected corruption to the authorities. Related provisions in the Law on Prevention of Corruption notably stipulate that a whistle-blower “bears no legal responsibility for reporting possible facts of corruption or corruption-related offences despite the possible violation of his official, civil, labour or other duties by such a report” and is released from “civil liability for property and/or moral damage” in connection with related reporting (Article 53).

This being said, there may be scope to establish a more explicit and comprehensive protection of auditors (not just when acting as “whistle-blowers”) from disciplinary, administrative, civil or criminal liability in connection with reporting suspected acts of corruption to the relevant authorities (in addition to requiring such reporting in the first place). Such specific protections are, for example, in place for auditors that report information to Ukraine’s anti-money-laundering authority, and explicitly apply even if the reporting causes damage to any legal entities or individuals (Verkhovna Rada of Ukraine, 2020[11]).8

The Law on Audit of Financial Statements and Audit Activity does nonetheless provide some specific protections for auditors, stipulating that auditor reporting on suspected violations, including notably “fraud in respect of the financial statements” “does not constitute a violation of contractual or legal restrictions on the disclosure of information” (Article 31, Part 2). Perhaps a more explicit exemption from liability, specifically naming professional auditors, would serve to allay any concerns about legal retaliation that might discourage them from reporting suspected corruption to the authorities.

Also related to incentivising auditors to report misconduct, stakeholders interviewed in the context of this review noted the need to ensure that professional auditors fully understand their specific legal obligations with respect to reporting potential misconduct. This includes knowing exactly when the obligation to report misconduct commences; understanding the different categories of offences that necessitate reporting; and understanding their legal obligations with respect to non-disclosure agreements concluded with audited entities.

Recommendation: Make auditors’ exemption from disciplinary, administrative, civil and criminal liability in connection with reporting suspected fraud or misconduct more explicit in the legislation.

Recommendation: Establish stronger legal protections in connection with auditor reporting of suspected misconduct and offer professional training so that auditors fully understand their related legal obligations.

Audit committees, which for certain companies must include independent members, are required for several types of enterprises, including listed companies, banks and some SOEs. Large companies are required by the Law on Audit to either establish an audit committee or assign its prescribed functions to a supervisory or management board.

Ukraine’s audit committee requirements are broadly consistent with OECD anti-bribery standards recommending that the authorities encourage the creation of corporate monitoring bodies, such as boards and audit committees, independent of management. Where audit committees are established, legislation foresees a strong role for them in overseeing financial reporting, external audits and internal controls.

Additionally, although not required to establish an audit committee per se, all public-interest entities must implement, either through a board or its audit committee, heightened standards of supervision over financial reporting, external audits, internal control and risk management, as per the Law on Audit of Financial Statements and Audit Activity.9

Large companies are specifically required to either establish an audit committee or assign its functions to a supervisory or management board. In large enterprises in which the management board undertakes an audit committee’s functions, decisions related to the aforementioned responsibilities must be made by a majority vote of non-executive members, a requirement which introduces a degree of external scrutiny over company management in these companies.

Similarly, the majority of the members of audit committees in public-interest entities (where such are established) must be independent from the company, although, as mentioned before, public-interest entities are not explicitly required to establish audit committees. Separately, joint-stock companies that are public (whose shares can be traded on the stock market) or majority state-owned must, as per the Law 2465-IX on Joint Stock Companies, form a supervisory-board audit committee chaired by an independent director (Verkhovna Rada of Ukraine, 2023[12]).

Finally, since the February 2024 legislative reform affecting SOEs, audit committees are required for those SOEs mandated to establish supervisory boards. At the time of writing, the authorities were still in the process of determining which SOEs would be subject to this requirement going forward, so this is an area for continued monitoring. The creation of audit committees is optional for most other companies, including public-interest entities not otherwise included in the scope of the aforementioned requirements.

Box 9.1 highlights practices that have been employed in the Netherlands and Bulgaria to strengthen company accounting and external audit requirements, based on monitoring by the OECD Working Group on Bribery.

Internal controls, ethics and compliance measures are efforts employed by enterprises that, among many other important functions, seek to prevent corruption from within. The 2021 Anti-Bribery Recommendation recommends that governments encourage companies, including SOEs, to implement adequate internal measures, taking into account the OECD Good Practice Guidance on Internal Controls, Ethics and Compliance (set forth in Annex II of the Recommendation).

Governments should further encourage private-sector associations to assist companies in developing such measures, while company management should be encouraged to disclose information on their related efforts. Governments should also encourage the establishment of independent monitoring bodies, such as boards of directors and audit committees, which help to enhance external scrutiny over company management activities. Finally, governments should encourage companies to adequately protect persons who report suspected corruption, to establish sufficient channels for such reporting, and to undertake necessary action in response to such reporting.

The OECD Good Practice Guidance on Internal Controls, Ethics and Compliance provides extensive advice to companies on establishing such measures. It highlights, for example, the importance that companies introduce a strong tone from the top – including explicit policies that are applicable, and available, to all employees – regarding the corporate commitment to preventing bribery and relevant internal rules and procedures. It recommends that one or more senior executive officers with sufficient independence from management be responsible for overseeing corporate ethics and compliance programmes and should have the authority to report related matters directly to corporate monitoring bodies such as boards of directors, supervisory boards and/or relevant board committees.

Ethics and compliance programmes should communicate company policy with respect to myriad areas involving heightened corruption risk, including, among others, the reception of gifts, conflicts of interest, political contributions and hiring processes. Financial and accounting procedures should also be designed to mitigate corruption risks by ensuring that company books and records are accurate and cannot be employed to undertake or hide bribery.

The guidance also recommends specific measures related to corporate relationships with third parties such as business partners. It also outlines key elements that should be in place to (i) allow individuals to report suspected corruption without retaliation and (ii) ensure an adequate response to such reporting, including co-operation with law enforcement and implementing remedial measures to mitigate future occurrences.

Box 9.2 describes approaches adopted in Chile and France to strengthen company anti-corruption compliance practices, based on monitoring by the OECD Working Group on Bribery.

All legal entities in Ukraine, including all enterprises, are required by law to implement measures to prevent corruption in their activities. The legislative provisions, set forth in the Law on Prevention of Corruption, do not specifically discuss internal controls, ethics and compliance per se. However, implementing guidance developed by the NACP (the Handbook on Building a Virtuous Organisation discussed in more detail below) does reference the measures and constitutes a step to align Ukrainian practices with OECD anti-bribery standards, which recommend that the authorities encourage companies to establish such measures.

Concerning specific provisions, the law requires legal entities to ensure the development and implementation of measures “necessary and justified for the prevention and counteraction of corruption in the activities of the legal entity” (Article 61). All legal entities must furthermore carry out corruption risk assessments, for which the ultimate responsibility falls on the managers and owners. However, the law does not stipulate any oversight mechanism regarding the implementation of these requirements. Officials and employees of legal entities that have knowledge about cases of incitement to commit a corruption offence must inform the “official responsible for preventing corruption in the activities of the legal entity, the manager of the legal entity or the founders (participants) of the legal entity”.

The law further establishes that a legal entity can be subject to criminal liability if its “authorised person” commits a criminal offence, as defined in the CC, “on behalf of and in the interests of the legal entity”. In a March 2024 case considered by Ukraine’s High Anti-Corruption Court, a fine of UAH 340 000 (∼7 500 EUR) was imposed on a fishing company for an attempt by its CEO to bribe a local official into lifting a ban prohibiting small fishing vessels from entering certain waters (High Anti-Corruption Court of Ukraine, 2024[15]).

Building on the requirement for all legal entities to implement corruption-prevention measures, certain large SOEs and companies participating in high-value public procurement contracts are additionally required to establish dedicated anti-corruption programmes. The Law on Prevention of Corruption explicitly applies this requirement to central and municipal SOEs above a certain size (with an average number of employees exceeding 50 persons and yearly income exceeding UAH 70 million or approx. EUR 1.6 million) as well as to enterprises participating in public procurement contracts whose value equals or exceeds UAH 20 million or approx. EUR 460 000. The Model Anti-Corruption Programme of a Legal Person developed by the NACP in 2021 is available to support companies in complying with this requirement (NACP, 2021[16]). An anti-corruption programme is defined in the Law on Prevention of Corruption (Article 62) as “a set of rules, standards and procedures for detecting, countering and preventing corruption in the activity of a legal entity” (Verkhovna Rada of Ukraine, 2014[17]).

The legal entities subject to these rules must also have in place an authorised person, “anti-corruption commissioner”, responsible for implementation of the programme. The anti-corruption commissioner is appointed either by the head of the legal entity or its founders. The mandate for these enterprises to appoint an anti-corruption commissioner is consistent with provisions of the OECD Good Practice Guidance on Internal Control, Ethics and Compliance that recommend one or more senior management officers be responsible for corporate ethics and compliance. However, as discussed in more detail below, Ukrainian legislation does not require establishing for the anti-corruption commissioner a reporting line to corporate monitoring bodies that are independent of management, such as supervisory boards and specialised committees.

Concerning the programmes’ foreseen scope of applicability, an earlier OECD monitoring assessment notably highlighted the high threshold value of public procurement contracts that triggers the mandatory implementation of an anti-corruption programme, as well as issues with using only employment and income criteria for determining the inclusion of SOEs in the scope of the mandate (OECD, 2022[18]). As noted during interviews with the Ukrainian authorities in the context of this review, some SOEs are excluded from these requirements because they have very limited income, although their economic or systemic importance warrant the establishment of dedicated anti-corruption programmes.

The Ukrainian authorities have notified that there are efforts underway to fine-tune the criteria so that such programmes are required in a larger portfolio of enterprises, including the aforementioned types of SOEs. A broader issued noted by stakeholders interviewed in the context of this review is the need to ensure that the anti-corruption programmes are effective in practice and not merely a bureaucratic exercise. The Ukrainian authorities have similarly indicated that an analysis of the effectiveness of company anti-corruption programmes would be useful prior to expanding them to a larger portfolio of enterprises.

From a corporate-governance perspective, the possibility for managers (and not boards) to appoint the anti-corruption commissioners is also problematic. As highlighted in the aforementioned OECD monitoring assessment, this introduces obvious constraints to the anti-corruption commissioners’ independence and may increase the risk that any misconduct undertaken, or condoned, by management, is not adequately reported or addressed by the anti-corruption commissioner (OECD, 2022[18]). This applies also to SOEs, many of which are required to establish supervisory boards with independent members by March 2025 (as discussed below), which could potentially play a role in appointing anti-corruption commissioners. Of course, not all companies operate under a board of directors, but if they do, involving these boards in the appointment of anti-corruption commissioners, and potentially also requiring that anti-corruption commissioners (also) report to them, could help strengthen external scrutiny over company efforts to prevent corruption.

The NACP’s aforementioned Handbook on Building a Virtuous Organisation discusses the advantages and disadvantages of different possible reporting models for the anti-corruption commissioner, noting that reporting to the supervisory board or the general meeting of shareholders is optimal for large companies. However, it could be fruitful to require, or more strongly encourage, the integrity officer’s subordination to the supervisory board if such a board is in place.

A final concern relates to whether the functions of the dedicated anti-corruption commissioners could be undertaken by existing corporate officers, such as compliance officers. According to interviews with private-sector representatives conducted in the virtual consultations for this review, anti-corruption commissioners should be integrated into existing corporate compliance functions where such exist, but in practice the NACP has suggested that anti-corruption commissioners must be entirely separate officers. The NACP has clarified, in the context of this review, that the Law on Corruption Prevention does not prohibit the practice of assigning integrity functions to company compliance officers. Still, given the feedback from private-sector representatives, there is perhaps scope for the NACP to communicate more specific guidance to companies regarding who can fulfil the functions of the anti-corruption commissioners and how those functions might be integrated into existing corporate-governance arrangements. This is particularly relevant for companies that are already required by applicable legislation to establish internal controls and compliance measures overseen by boards of directors, namely public joint-stock companies and SOEs. Related requirements applicable to these companies are recalled in Box 9.3.

Recommendation: Bolster the role of boards in overseeing and implementing anti-corruption efforts. Boards of directors (and their audit committees) can play a crucial role in overseeing internal controls, compliance and risk management, all of which are relevant to detecting and preventing corruption. For companies that have established boards of directors (whether two-tier or one-tier), there is scope to strengthen their foreseen role in overseeing company anti-corruption efforts. Potential related reform measures could include:

• requiring that company employees and officials with knowledge of corrupt acts within the company report their knowledge to supervisory boards (if in place), and not only anti-corruption officials, management and/or founders, as currently foreseen in the Law on Prevention of Corruption

• granting supervisory or management boards (if established) responsibility for appointing anti-corruption commissioners in the companies for which they are mandatory10

• allowing for existent corporate officers, such as compliance officers, or other similar functions to undertake the tasks of anti-corruption commissioners. This could allow companies to integrate anti-corruption efforts into their existent corporate control framework, in the interest of efficiency and effectiveness.

• continuing to strengthen the role of SOE supervisory boards to limit ad hoc and politically motivated interference in SOE management decisions.

Recommendation: Review and strengthen the effectiveness of dedicated anti-corruption programmes and consider (eventually) requiring them in a broader portfolio of enterprises. The mandate for anti-corruption programmes in certain SOEs as well as companies participating in high-value public procurement contracts constitutes a positive step to support company anti-corruption efforts. However, private-sector representatives have communicated significant concerns regarding the actual impact of these programmes. To ensure the anti-corruption programmes are effective and not merely a formal “box-ticking” exercise, the authorities should assess their impact, with feedback from non-governmental stakeholders and companies, to inform improvements in their design and implementation. Section 10.4 of this review describes practices in some OECD countries to review the effectiveness of mandated compliance programmes and sets forth more detailed recommendations for strengthening the supervision of Ukraine’s mandated anti-corruption programmes. At a later stage, the authorities should consider expanding the mandate to establish anti-corruption programmes, for example by lowering the threshold value of public-procurement contracts that triggers their mandate in bidding companies and requiring the programmes in all systemically important SOEs.

Recommendation: Move forward with plans to strengthen SOEs’ corporate governance and financial reporting practices (notably the new requirement for state unitary enterprises to have their financial statements externally audited). The authorities should ensure that the requirement for certain SOEs to establish supervisory boards including a majority of independent members is at least applied to SOEs that are systemically important or exposed to high corruption risk. If these supervisory boards are sufficiently independent (from both the state and the SOEs) and empowered to oversee management, then they can play a crucial role in monitoring the effectiveness of internal controls, ethics and compliance measures, including those employed to prevent corruption. The authorities should ensure full implementation of strengthened SOE corporate governance and disclosure rules, including rules whose implementation has been postponed during the period of martial law.

To support company compliance with the obligation to develop anti-corruption measures, the NACP has developed dedicated practical guidance. This includes notably the NACP’s 2024 Handbook on Building a Virtuous Organisation and its 2021 Model Anti-Corruption Program of a Legal Person (NACP, 2024[20]) (NACP, 2021[16]). The Handbook is a tool addressed primarily to company managers to help them design and implement anti-corruption measures internally. While the guidance is considered optional, the NACP “strongly recommends”, in the text of the Handbook itself, its implementation by the SOEs and public-procurement participants for which anti-corruption programmes are mandatory.

The Handbook includes detailed practical guidance related, for example, to the appropriate distribution of responsibilities between corporate monitoring, executive bodies and corporate officers, including the anti-corruption commissioner. It also addresses corruption risk management, the development of internal documents on corruption prevention, the provision of education and training to employees, and internal systems and procedures for reporting corruption and addressing those reports. Consistent with OECD anti-bribery recommendations, the Handbook mentions the OECD Good Practice Guidance on Internal Controls, Ethics and Compliance as a key reference. However, according to feedback from private-sector associations, when developing the Handbook, the NACP did not adequately take into account input from the business community regarding the need for very practical guidelines for setting up compliance functions. This indicates there is perhaps scope to revisit the guidelines with input from businesses that intend to use them. The NACP also conducts and participates in trainings and seminars aimed at promoting a culture of integrity in businesses, including in co-operation with private-sector associations and NGOs, such as the Corporate Governance Professional Association and the UNIC.

Interviews and survey data point to both recent progress and continued shortcomings regarding companies’ internal controls, ethics and compliance measures in practice. Civil-society representatives interviewed in the context of this review noted in particular that many strategic SOEs, as well as other large companies, have strengthened their compliance functions considerably over the past several years. They also noted that there is a growing recognition of the importance of strong corporate-governance and compliance, particularly among companies, including SOEs, seeking funding and business opportunities abroad.

According to research by CIPE, local business associations have played an important role in building anti-corruption compliance capacity within both state-owned and private companies: from 2017 to 2023, over 400 representatives of large companies and SOEs participated in five-day anti-corruption trainings organised by the Ukrainian Corporate Governance Professional Association (Center for International Private Enterprise, 2023[21]). Participant surveys conducted after the trainings reported improvements in company practices, notably better internal communication about corruption risks, as well as efforts to revise codes of conduct and strengthen internal reporting mechanisms (Center for International Private Enterprise, 2023[21]).

At the same time, the Ukrainian authorities did not provide concrete information on the number of SOEs that have established required anti-corruption programmes, pointing to scope for improved monitoring. If future monitoring were undertaken, it should examine not just the number of SOEs with anti-corruption programmes formally in place, but also, as indicated in the preceding section, how robust those programmes are in practice.

There is also evidence that smaller companies are developing dedicated internal anti-corruption measures, but gaps persist. A recent survey of 374 micro, small and medium-sized enterprises operating in Ukraine – 60% representing industry (non-agricultural manufacturing) – found that approximately half of the surveyed companies had a code of ethics in place, but only about one third had a full-fledged compliance programme and less than one fifth had rules on gifts and hospitality (Institute for Economic Research and Policy Consulting, 2024[22]).

Even more recently, the results of the November 2024 survey of 1 200 active, mostly small and medium, Ukrainian companies by the Rating Group (commissioned by USAID and UK Dev's Promoting Integrity in the Public Sector Activity (Pro-Integrity)), similarly suggest that (1) a large proportion of Ukrainian companies (59%) does not have a dedicated anti-corruption policy to provide a foundation for related internal controls, ethics and compliance programmes and (2) where companies implement anti-corruption internal controls, ethics and compliance measures, there is room for improvement regarding their scope as compared to the corporate actions recommended in the 2021 Anti-Bribery Recommendation and its associated instruments. Box 9.4 highlights select results of the survey.

OECD anti-bribery standards recommend that data-protection rules do not impede effective international co-operation in undertaking bribery-related investigations. Data-protection rules that prohibit the transmission of economic or commercial information can be misused as a justification for companies or individuals to hold back information requested in the context of corruption investigations. The legal framework, together with its application by law enforcement and other authorities, should strike the right balance between the need to protect personal data and business secrets and the need to provide the authorities with access to information necessary for investigating suspected acts of bribery and other forms of corruption. Similarly, rules on data protection should not impede the implementation by companies of effective internal controls, ethics and compliance programmes and measures. The authorities are encouraged to develop guidance or issue regulations that help companies process data appropriately when conducting anti-corruption related due diligence or internal investigations.

Ukraine’s Law on Prevention of Corruption allows for cross-border exchange of information specifically in the context of corruption investigations, consistent with OECD anti-bribery standards. Related provisions allow for such exchanges, in response to requests from foreign authorities, provided that the data cannot be disclosed for other purposes, including through “unauthorised access” (Article 72). The NACP reports that prior to engaging in cross-border information exchanges, an assessment is conducted examining notably: the legal basis of the request; whether adequate technical and organisational mechanisms are in place to prevent unauthorised access; and the risk of disclosure beyond the intended recipients. Separately, Ukraine’s Law 2657-XII on Information prohibits the collection, storage and use of confidential personal data without the concerned person’s consent, but it allows for exceptions in cases “specified by law” (Article 11).

The authorities have not developed specific guidance, as recommended in OECD anti-bribery standards, to help companies correctly process data in the context of their anti-corruption due diligence or internal investigations. However, the Model Anti-Corruption Program of a Legal Person developed by the NACP does include a section on procedures for conducting internal investigations. Although the guidance does not relate specifically to data processing, responses to the survey of 18 companies conducted by UNIC indicate that this might not be a particularly pressing issue for companies in Ukraine. One respondent noted that, in practice, employees generally sign consent forms that would allow for the processing of their personal data in the context of company internal investigations, while another noted that adequate legislation to protect personal data is in place. At the same time, concerning SOEs specifically, a 2023 CIPE report noted that weaknesses in the procedures for conducting internal investigations constitute a “critical gap” in SOEs’ compliance programmes (Center for International Private Enterprise, 2023[21]). Although the report did not mention data-protection specifically, the findings point to the need to further train SOE employees on how to conduct internal investigations more generally.

Recommendation: Taking into account the apparent weaknesses in SOEs’ procedures for conducting internal investigations, the authorities, in collaboration with non-governmental partners, should consider including this topic in any future training offerings.

[10] Audit Publci Oversight Body of Ukraine (2025), “Information on professional liability and sanctions for auditors”, https://www.apob.org.ua/?page_id=1518&lang=en (accessed on 9 April 2025).

[9] Audit Public Oversight Body of Ukraine (2025), Information on bringing to professional liability and imposing penalties on audit entities, https://www.apob.org.ua/?page_id=1509&lang=en (accessed on 9 April 2025).

[21] Center for International Private Enterprise (2023), Rebuild with Trust: How Ukraine’s Private Sector Can Strengthen the Integrity of Reconstruction and Combat Corruption, https://www.cipe.org/wp-content/uploads/2023/11/CIPE_Ukraine_Rebuild-with-Trust_2023.pdf.

[14] French Anti-Corruption Agency (2025), , https://www.agence-francaise-anticorruption.gouv.fr/fr/convention-judiciaire-dinteret-public.

[15] High Anti-Corruption Court of Ukraine (2024), Case No. 991/846/24, https://reyestr.court.gov.ua/Review/117443133 (accessed on 9 April 2025).

[4] IFRS (2001), “International Accounting Standard 37 on “Provisions, Contingent Liabilities and Contingent Assets””, https://www.ifrs.org/issued-standards/list-of-standards/ias-37-provisions-contingent-liabilities-and-contingent-assets/ (accessed on 9 April 2025).

[22] Institute for Economic Research and Policy Consulting (2024), Ukraine: Business Leadership in Post-War Reconstruction: Results of the 2nd Survey of Small and Medium-sized Businesses, http://www.ier.com.ua/files/Projects/2024/TFD/IER_SME_Survey_June_2024_ENG.pdf.

[5] Ministry of Finance of Ukraine (2000), “On the approval of the National Regulation (standard) of Accounting 11 “Liabilities””, https://zakon.rada.gov.ua/laws/show/z0085-00?lang=en#Text (accessed on 9 April 2025).

[20] NACP (2024), Handbook on Building a Virtuous Organisation (in Ukrainian language), https://wiki.nazk.gov.ua/wp-content/uploads/2024/nastilna_knyga_z_rozbudovy_dobrochesnocti.pdf.

[16] NACP (2021), Model Anti-Corruption Program of a Legal Person, https://nazk.gov.ua/wp-content/uploads/2022/08/Model-ACP-of-JP_.pdf.

[13] OECD (2025), Fighting Foreign Bribery webpage, https://www.oecd.org/en/topics/sub-issues/fighting-foreign-bribery.html#country-monitoring.

[19] OECD (2025), Forthcoming: Update of the OECD Review on Corporate Governance of State-Owned Enterprises in Ukraine: Interim draft, OECD.

[18] OECD (2022), Anti-Corruption Reforms in Ukraine: Pilot 5th Round of Monitoring Under the Istanbul Anti-Corruption Action Plan, OECD Publishing, Paris, https://doi.org/10.1787/b1901b8c-en.

[6] OECD (2021), OECD Review of the Corporate Governance of State-Owned Enterprises: Ukraine, Corporate Governance, OECD Publishing, Paris, https://doi.org/10.1787/9dcc5ed0-en.

[3] Verkhovna Rada of Ukraine (2024), “Law of Ukraine “On Amendments to the Law of Ukraine on State Regulation of Capital Markets and Organised Commodity Markets” and Certain Other Legislative Acts of Ukraine on Improving State Regulation and Supervision of Capital Markets and Organised Commodity Markets 3585-IX”, https://zakon.rada.gov.ua/laws/show/3585-ix?lang=en#Text (accessed on 9 April 2025).

[7] Verkhovna Rada of Ukraine (2024), On Amendments to Certain Legislative Acts of Ukraine Regarding Improvement of Corporate Governance 3587-IX, https://zakon.rada.gov.ua/laws/show/3587-20?lang=en#Text (accessed on 9 April 2025).

[12] Verkhovna Rada of Ukraine (2023), Law on Joint Stock Companies 2465-IX, https://zakon.rada.gov.ua/laws/show/2465-ix#Text (accessed on 9 April 2025).

[11] Verkhovna Rada of Ukraine (2020), Law on Prevention and Counteraction of Legalisation (Laundering) of Criminally Obtained Income, Financing of Terrorism and Financing the Proliferation of Weapons of Mass Destruction 361-IX, https://zakon.rada.gov.ua/laws/show/361-ix?lang=en#Text (accessed on 9 April 2025).

[8] Verkhovna Rada of Ukraine (2018), Law on Audit of Financial Statements and Audit Activity 2258-VIII, https://zakon.rada.gov.ua/laws/show/2258-viii?lang=en#Text (accessed on 9 April 2025).

[17] Verkhovna Rada of Ukraine (2014), Law on Prevention of Corruption 1700-VII, https://zakon.rada.gov.ua/laws/show/1700-vii?lang=en#Text (accessed on 9 April 2025).

[2] Verkhovna Rada of Ukraine (2001), Criminal Code of Ukraine 2341-III.

[1] Verkhovna Rada of Ukraine (1999), Law On Accounting and Financial Reporting in Ukraine 996-XIV, https://zakon.rada.gov.ua/laws/show/en/996-14?lang=en#Text (accessed on 9 April 2025).