OECD Integrity and Anti‑Corruption Review of Ukraine

Well-designed audit and control frameworks provide several levels of assurance that public funds are spent efficiently, effectively and in line with their intended purpose. To safeguard integrity in public sector organisations, Principle 10 of the OECD Recommendation on Public Integrity calls on adherents to apply an internal control and risk management framework (OECD, 2017[1]). A strategic approach to risk management should include assessments of integrity risks and ensure that control mechanisms provide clear procedures for reporting suspected violations of laws (OECD, 2020[2]). In addition, to safeguard public funds from fraud and corruption, Principle 12 calls on adherents to reinforce the role of external oversight and control (OECD, 2017[1]). To this achieve this, countries can benefit from adapting and implementing the International Standards for Supreme Audit Institutions (ISSAIs) developed by the International Organisation of Supreme Audit Institutions (INTOSAI) (OECD, 2020[2]).

A comprehensive audit and control system puts in place three lines of assurance to protect public funds against fraud, corruption and other risks (IIA, 2015[3]; IIA/INTOSAI, 2022[4]):

• The first line is management, which designs control measures and makes decisions about what risks are worth assuming.

• Below them are internal oversight and monitoring functions such as risk management, information security, financial control, health and safety, inspection, compliance, and legal units. These functions are responsible for assisting management in the assessment and management of risks.

• Finally, the third line of assurance consists of internal auditors who provide independent, objective assurance that internal control is effective (IIA, 2024[5]). See Figure 5.1 for a more detailed explanation of the role of each line.

External audit provides an additional layer of assurance that public funds are used as intended. In the public sector, the Supreme Audit Institution (SAI) is responsible for external audit. It is accountable to the legislature, and it is responsible for conducting audits that ensure the legality, regularity, economy, efficiency and effectiveness of use of public resources.

While audit and control are much broader topics with many elements not covered in this chapter, the analysis of Ukraine’s audit and control system in the context of the overall integrity framework suggests three main findings:

• Corruption risk assessment is widespread in public institutions, but it is disconnected from the overall risk management and control framework. While integrating corruption risk assessment into the overall assurance system of public organisations can make them more effective, it is first necessary to strengthen the practice of internal control in public organisations.

• Despite the strong regulatory framework for internal control and risk management, implementation of internal audit remains inconsistent across public authorities. Internal audit also requires mainstreaming to local self-government.

• Legislative amendments from 30 October 2024 were a major step in improving the institutional framework, methodological approach and effectiveness of external audit. However, these amendments will have limited effectiveness if they are not supplemented by effective external audit in practice, and there is also a need to ensure there is no reform backsliding.

The overall context for these findings is the need for a cultural shift in assurance practices from inspections towards strategic risk management and performance-oriented internal and external audits. In practice, this means that thousands of professionals require retraining. At the same time, the training topics must be relevant to the current state of internal control and internal audit. In addition, a large shortage of human resources in the public sector due to the war in Ukraine and low salaries compared to the private sector exacerbate challenges to incremental reforms.

The institutional model of assurance in public sector entities in Ukraine has many of the necessary components, although its structure diverges from the EU’s approach to public internal financial control (PIFC) in terms of an additional financial inspection body with unclearly delineated audit and inspection functions and a lack of authority for the Ministry of Finance at the local level. The Budget Code is the central piece of legislation, with secondary regulations from the Cabinet of Ministers outlining requirements for internal control in public bodies (OECD, 2024[7]). A central harmonisation unit (CHU) within the Ministry of Finance is responsible for standardising internal control across the public administration and promoting good practices. While central government bodies are required to have internal audit under the Budget Code, Ukraine also has a separate central financial inspection body – the State Audit Service (SAS) – which is responsible for detecting financial violations (European Commission, 2024[8]). The Accounting Chamber (ACU) is responsible for external audit and is Ukraine’s SAI (European Commission, 2024[8]). The Law on the Accounting Chamber outlines its role, which centres around ensuring that funds from the state budget are used as intended and reporting to the Verkhovna Rada. Figure 5.2 outlines institutional responsibilities for audit and control in more detail.

The OECD Public Integrity Indicators (PII) on “Effectiveness of Internal Control and Risk Management”, which measure the strength of elements of the internal control system relevant to promoting integrity and preventing and combatting fraud and corruption, show that Ukraine performs above the OECD average in most areas (see Figure 5.3). Regulations for internal control and internal audit are around the OECD average and Ukraine performs far above the OECD average when it comes to central functions and reporting for internal control and internal audit. The risk management framework is also strong at least insofar as corruption risk management is concerned. However internal audit in practice requires further development, and Ukraine also does not track the percentage of budget organisations internally audited in the past five years. This suggests that improving internal audit in practice should be a reform priority.

Reform is nonetheless complicated by Russia’s full-scale invasion of Ukraine, which has left the public administration short on human, financial and technical resources. This makes, for example, efforts to attract more internal auditors in the public sector more difficult. In the current context policymakers and public sector managers will therefore need to contemplate how to maximise gains from the resources that are available.

Risk management, including management of corruption risks, is a fundamental element of internal control. While personnel at all levels of a public organisation have a responsibility for managing corruption risks, management is responsible for creating and maintaining a control environment that emphasises integrity in accordance with the three lines model (OECD, 2020[2]). Organisations may decide to have a dedicated unit responsible for managing integrity and corruption risks, which enhances internal control by conducting corruption risk assessments to identify vulnerabilities and ensure effective mitigation strategies are in place.

In the context of the overall risk assessment framework, corruption risk assessment aims to ensure efficient and lawful use of funds and prevent corruption as one of the threats to an organisation’s objectives (OECD, 2020[2]). The exact form that corruption risk assessment takes in a public organisation should depend on its size, the volume of funding it receives, and whether it operates in a high-risk sector (e.g. infrastructure). Corruption and fraud risk assessments can be stand-alone exercises or embedded into an organisation’s risk assessment activities, recognising the interlinkages among different risk categories, such as strategic, operational, financial, compliance and reputational risks. Risk management is an iterative process of establishing the context, assessing and treating risks and ensuring ongoing monitoring, communication and consultation.

In Ukraine, there is a robust system of corruption risk assessment in public organisations under the auspices of the NACP, and corruption risk management is widely practiced. Performance in practice is noteworthy, as the PIIs show that corruption risk assessment is still not common practice in most OECD countries (see Figure 5.4).

However, while corruption risk assessments in Ukrainian public organisations fall within the internal control system, they are a stand-alone-exercise and in practice mainly serve the purpose of providing the basis for organisational anti‑corruption programmes (see Chapter 1 and Box 5.1). Thus, managers and employees often perceive it as serving a policy or strategic function. Instead, as a part of internal control, corruption risk management should help identify, assess and mitigate risks that could prevent an organisation from achieving its objectives and ensuring effective and efficient operations.

The NACP survey of authorised persons also substantiates the need to review the corruption risk management function in organisations. In this survey, 64% of respondents consider applying the corruption risk management methodology as their most challenging task, almost every second respondent (42%) pointed out the need to revise the requirements of the organisational anti‑corruption programmes regarding corruption risk assessment and every fourth respondent (26%) suggested revising the tasks of authorised persons related to corruption risk management. These challenges in regulations and in practice can lead to the low analytical quality and thus low value of corruption risk management (NACP, 2023[11]).

The following recommendations suggest increasing the practical value of corruption risk assessments by better integrating them into organisations’ overall internal control system. This re‑assessment of the corruption risk management in Ukraine should take place in three subsequent steps as outlined below:

• In the logic of the three lines of assurance (see Figure 5.1), there is a need to strengthen the first line of assurance in order to ensure that organisational managers are familiar with and see the value in the internal control and risk management practices. Success in this area is closely linked to the efforts to cultivate a culture of integrity outlined in Chapter 2.

• Next, integrating corruption risk assessments into overall organisational risk management would help ensure that this process is more organic and therefore more effective.

• Finally, public organisations could benefit from better leveraging the interplay between the second and third lines of assurance as regards combatting corruption so as to ensure not only that roles and responsibilities are clearly understood but also that these lines’ activities serve common goals.

Corruption risk management should exist within an appropriate enabling environment. Internal control is the primary mechanism within the public administration for ensuring individual organisations and those within them operate optimally. Internal control refers to the organisations, policies and procedures used to help ensure that government programmes achieve their intended results; that the resources used to deliver these programmes are consistent with the stated aims and objectives of the organisations concerned; that programmes are protected from waste, fraud and mismanagement; and that reliable and timely information is obtained, maintained, reported and used for decision making. It consists of five components: control environment, risk assessment, control activities, information and communication, and monitoring (COSO, 2013[12]). The risk assessment component also includes corruption-related risks.

Ukraine has a strong regulatory framework for internal control and risk management at the central government level (see Table 5.1). In addition to the Budget Code, secondary regulations specify requirements for internal control and internal audit in public institutions.1 Management is required to act as the first line of assurance, and all central government institutions have set up an anti‑corruption unit as part of the second line of assurance as well as an internal audit unit that constitutes the third line, even if some of them are not currently operational due to vacancies. The Basic Principles of Internal Control by Budgetary Fund Managers, approved by Resolution of the Cabinet of Ministers of Ukraine No. 1062 of 12 December 2018, stipulate that the head of an institution shall organise and ensure internal control in accordance with the laws regulating, among other things, activities to prevent and detect corruption.

In practice, the system of assessing and managing corruption risks is strong in most central government entities (see Table 5.2). However, in most public internal control systems need to be improved as they tend to focus more on compliance than on improving organisational performance, as noted in the Ukraine’s public financial management (PFM) strategy for 2022-2025 (Cabinet of Ministers of Ukraine, 2021[13]). Outside of the mandatory anti‑corruption programme many public institutions did not provide any evidence of broader risk assessment or entity-wide risk-mitigation measures connected to organisational objectives in the process of data collection for the PII (OECD, 2024[9]). The latest SIGMA assessment of Ukraine notes that in many organisations risk management is not integrated in day-to-day managerial processes, risk assessment is not usually embedded in internal planning and reporting, and risk information is not connected to managerial decision-making (OECD, 2024[7]). Improving internal control systems would have tangible benefits in these areas by reducing the fraud and waste that may contribute to them.

Incorporating corruption risk assessment into managerial internal control will in many cases first require that public managers improve their general risk management processes. The lack of an effective risk management system in public organisations reduces the likelihood of these organisations implementing meaningful corruption risk management, even if legal requirements exist, because the role of risk management in organisational decision-making is poorly understood. At the same time, the effective corruption risk management system in selected public organisations in Ukraine can serve as an example to follow in establishing overall risk management and control practices. For example, the registry of typical corruption risks that NACP maintains (NACP, 2024[14]) could serve as a model for an entity-wide risk register that includes both corruption and other risks. Over time such changes could help management better understand its role in organisational risk management, as well as the importance and added value of this process. Embedding corruption risk management in overall organisational risk management could also help instil a sense of responsibility for corruption prevention in officials outside of dedicated anti‑corruption units.

Lack of clarity from the central level about how to institutionalise internal control and risk management can lead to a perception that integrity objectives – and the internal control and risk management activities that support them – are separate from other strategic and operational objectives (OECD, 2020[2]). Policy makers and standard setting bodies should therefore ensure they provide uniform standards, policies and guidance, which can help raise awareness about the value of internal control and risk management for decision making and achieving organisational goals.

While corruption risk management is widely practiced in Ukraine, the challenge now is to make the corruption risk assessment process an integrated part of public bodies’ overall risk management frameworks and encourage managers to tailor it to the specifics of their organisation. The fact that the corruption risk management lacks clear regulatory links to general requirements on internal control and risk management increases the risk of it being perceived as a compliance exercise rather than a tool to support management. This, in turn, increases the risk that managers do the bare minimum that is required of them but do not take meaningful steps to mitigate identified risks, particularly given that anti‑corruption officers/units – that are often understaffed (NACP, 2023[11]) and siloed (OECD, 2024[7]) – are responsible for conducting corruption risk assessments. In many cases, especially in ministries, the head of the institution often delegates responsibility for corruption risk management to lower-level management despite legal requirements for direct management communication (NACP, 2023[11]). This further contributes to the sidelining of anti‑corruption officers/units by limiting their communication with – and impact on – organisational leadership. The Ministry of Finance also released a methodological guide on risk management as part of internal control in early 2023. However, it is not legally binding and does not address the role of the corruption risk assessment process under the responsibility of the NACP, even if that process is implicitly covered as part of the internal control system.

To resolve the regulatory disconnect between internal control and corruption risk management, Ukrainian authorities could consider amendments to LPC and the Budget Code that would clarify the relationship between relevant processes. The Cabinet of Ministers, Ministry of Finance and the NACP could also consider amending secondary regulations such as Cabinet of Ministers Order 1001 of 28 September 2011 and Ministry of Finance and the NACP’s risk assessment methodologies so that they mirror this arrangement.

Figure 5.1 provides an example how corruption risk assessment is integrated into general internal control and internal audit regulations in Lithuania, which has a similar regulatory framework to Ukraine. Establishing such a regulatory link between internal control and corruption risk management could help managers, anti‑corruption units, internal auditors and public employees generally better understand corruption risk assessment as a component of effective internal control. Such regulatory changes would also be most effective if they are amended to focus less on processes and outputs and more on outcomes in order to encourage managerial and institutional ownership and innovation.

After addressing regulatory and policy ambiguity, the NACP and the Ministry of Finance could then work together to develop further implementation support for public institutions. This could include guidance on incorporating corruption risk management into a larger system of managerial internal control and leveraging organisational expertise on corruption risk management to develop entity-wide risk management. This guidance could take the form of written documents or trainings. Over time, such initiatives could help ensure that corruption risk management – and risk management generally – become a more organic part of public sector management.

While corruption risk assessment is primarily the responsibility of the second line of assurance, meaningful interaction with internal audit as the third line of assurance can be mutually reinforcing. At the same time, it is necessary to maintain clear division of functions. Internal audit can support corruption risk management, but internal auditors should never be directly responsible for corruption risk assessment. While they may provide consulting services on how to improve risk management, direct involvement in risk assessment would undermine internal auditors’ role as a separate, independent third line of assurance (IIA, 2009[16]). Table 5.3 outlines activities in which internal auditors should and should not participate.

In Ukraine corruption risk assessment and internal audit are often disconnected in practice, and mutually reinforcing interaction is more the exception than the norm. As part of the data collection process for the OECD PIIs, all ministries and the 10 largest agencies in terms of budget provided documentation on their risk assessment and internal audit activities. These responses showed that while all institutions perform both corruption risk assessment and internal audit, there is little to no interaction between the two exercises (OECD, 2024[9]). Surveyed institutions nearly always relied on a risk-based approach to plan internal audits, but corruption was rarely considered within this process (see Section 5.2). Just two institutions’ most recent audit plans foresaw internal audits focused explicitly on improving controls to combat corruption or fraud, which suggests that internal audit is underutilised in the fight against corruption. This is concerning considering that one of the most important ways internal audit provides value to an organisation is in providing objective assurance that major risks are being managed appropriately and that the risk management and internal control framework is operating effectively (IIA, 2009[16]).

To further clarify the appropriate role of internal audit in combatting corruption, the Ministry of Finance could consider focusing how to conduct internal audits focused on integrity and corruption issues in its training activities, incorporating input from the NACP as necessary.

While the PIIs show that second line anti‑corruption units are widespread (OECD, 2024[9]), research from the NACP suggests that the relationship between these authorised anti‑corruption units and internal audit units varies widely across the public administration (NACP, 2023[11]), with some institutions potentially blurring the second and third lines of assurance by delegating implementation of the anti‑corruption programme, which could include elements of corruption risk management, thereby undermining the independence of internal audit.

An in-depth analysis on the role that internal audit units currently play in corruption risk assessment in practice would be useful in determining whether internal auditors are sufficiently independent in practice. The NACP could consider conducting such a study and if necessary, providing further training and guidance on which tasks are and are not appropriate for internal auditors to perform. Amendments to the corruption risk assessment methodology (Chapter II) may also help clarify that internal auditors should not be part of anti‑corruption units or perform second line functions. While standard 5 of Ministry of Finance Order 1247 of 4 October 2011 specifies this, there is no equivalent regulatory provision in the process for corruption risk assessment. Explicitly stating how internal audit does and does not fit into this specific process could help clarify roles and responsibilities. Box 5.4 provides more detail on how the law defines roles and responsibilities in Greece.

Internal audit is a vital component of a public organisation’s internal control system since it makes up the third line of assurance. It provides objective assurance of this system and is instrumental in identifying where weaknesses in the corruption risk management framework exist and recommending measures to address them (OECD, 2020[2]). This can include evaluating both processes and areas that present a high risk of fraud and the effectiveness of organisational ethics policy more generally. The role of internal audit should also go beyond compliance-oriented inspection of documents and processes and should instead aim to improve organisational decision making, risk management and achievement of strategic objectives. Without a well-resourced and competent internal audit unit, there is little guarantee that internal control will succeed in detecting, preventing, and responding to instances of corruption.

The PIIs suggest that internal audit is a priority area for reform in Ukraine. Table 5.4 outlines criteria related to internal audit that Ukraine does not fulfil. While Ukraine performs well on internal audit regulations, there are still notable gaps. These include, for instance, legal requirements on managing conflicts of interest for internal auditors.

Criteria on internal audit in practice show more room for improvement (see Table 5.5). Most notably, there are severe capacity shortages with many internal audit units lacking a sufficient number of auditors. The number of certified auditors is even smaller, although it is growing with the creation of the Ministry of Finance’s certification scheme.

The main challenge that most stakeholders in Ukraine highlight is the ongoing cultural shift from inspection-oriented compliance audits towards risk-based auditing and greater use of performance audits. This shift necessitates redefining the role of internal auditors and re-training auditors accordingly. Despite the rapid pace of reform since the 2010s to bring internal audit in line with IIA standards, challenges related to understanding of the role of internal auditors remain (Voldina, Grossi and Vakulenko, 2023[18]). While the Ministry of Finance’s guidelines envision internal auditors conducting performance audits, and the ministry noted that the share of performance audits conducted in internal audit units has increased from 18% in 2019 to 51% in 2023, stakeholders that the OECD consulted noted that some internal auditors continue to perform a more traditional “watchdog” function. Several auditors that the OECD consulted explained that managers do not understand the role of internal auditors, and since turnover is high, they focus on creating a façade of regulatory compliance.

Role confusion is also not limited to managers. Stakeholders that the OECD consulted explained that many longtime auditors worked when the role of auditor was indeed closer to inspection and therefore may struggle to understand its new functions. A survey of auditors found that even those internal auditors who do understand their responsibilities under the new guidelines have historically limited by management’s requests for them to find violations rather than advise on improving internal control (Voldina, Grossi and Vakulenko, 2023[18]). While this survey was conducted in 2020 and 2021, changing such longstanding norms takes time. Several auditors that the OECD consulted expressed that they felt caught between the expectations of the Ministry of Finance and international partners and the expectations of their own organisation. Many also felt that success cases are largely attributable to individual managers’ openness to change. At the same time the Ukrainian public sector struggles to attract and retain highly competent managers (OECD, 2024[7]), which increases the likelihood of issues with role confusion. Changing perceptions around the role of auditors is therefore also a key component of making internal audit more effective in Ukraine.

To ensure that the trajectory of ongoing reforms continues, the following section provides recommendations on:

• closing integrity loopholes in audit regulations

• addressing staff and professional capacity

• mainstreaming internal audit practice into local self-government bodies.

One of the main sources of a conflict of interest for an internal auditor occurs when he or she is called on to audit operations on which he or she previously worked. In the context of anti‑corruption work such a situation could occur if an internal auditor previously worked in the anti‑corruption unit and then begins an audit of that unit. In such cases, the internal auditor may feel compelled to overlook certain vulnerabilities or exaggerate minor vulnerabilities. Standard 2.2 of the IIA Global Internal Audit Standards states that internal auditors should refrain from assessing operations for which they were previously responsible for at least 12 months (IIA, 2024[5]).

In Ukraine, the integrity standards for internal auditors are defined in the Code of Ethics for Internal Auditors and in Cabinet of Ministers Order no. 1001 of 28 September 2011 (see Box 5.6). However, Ukraine does not fulfil the PII criterion “The regulatory framework prohibits or establishes cooling-off periods for internal audit staff to audit operations for which they have previously been responsible to avoid any perceived conflict of interest.” Such a gap in the integrity framework can result in perceived conflicts of interest, thereby undermining trust in governmental bodies.2 The Cabinet of Ministers could therefore consider amending Order 1001 to establish a cooling off period of at least 12 months for auditors to audit operations for which they were previously responsible.

Ukraine’s PFM strategy 2022-2025 (activities 138 and 139) notes a need to shift the focus of internal audit from compliance audits to performance audits and raise the response rate to internal audit recommendations. While internal audit reports are generally in line with the format of such reports mandated by national and international standards, the recommendations contained in these reports are often poorly connected to the audit evidence gathered. The content of most reports is closer to a compliance check than a systemic analysis of internal control. Finally, there are few instances of combining audit disciplines in a single audit engagement to address horizontal risks (OECD, 2024[7]).

The certification scheme for internal auditors that the Ministry of Finance introduced in 2023 is a promising step toward improving the overall quality of internal audit. The data that the Ministry of Finance provided for the PII shows that 246 candidates have applied for the certification, of whom 52 have passed the examination. While this is a relatively low rate of passing, the Ministry of Finance is developing preparation materials for the exam; has engaged higher education institutions to secure their assistance in exam prep; and has organised training courses alongside experts from the Ministry of Finance of the Netherlands, the Ministry of Economy of Ukraine, IIA Ukraine and the State Tax University. The Ministry of Finance could continue scaling up these initiatives to increase the percentage of would-be internal auditors who are able to pass the certification exam.

Based on identified issues with internal audit, the Ministry of Finance could then consider producing methodological guidance on improving in common weak areas such as drafting audit recommendations and planning horizontal audit engagements. This guidance would be even stronger if it drew on examples from real world internal audits. Over time, such measures could improve the quality of the audits conducted and ensure that they meaningfully support public institutions’ anti‑corruption endeavours.

Given the Ministry of Finance’s limited capacity, partnerships with other organisations of internal auditors can be a valuable way of sharing knowledge and expertise. While the Ministry of Finance already engages with many such partners (Ministry of Finance of Ukraine, 2024[19]), it could consider partnering with IIA Ukraine and private sector actors to facilitate peer to peer learning that would allow public sector internal auditors to learn from their private sector counterparts. Similarly, it could partner with equivalent ministries in OECD countries, as it already is with the Ministry of Finance of the Netherlands, to organise peer to peer learning with public sector internal auditors in these countries.

Where possible, internal audit units should also invest in their own growth and innovation. Box 5.7 provides more information on the internal audit department in Kyiv City, which introduced transparent monitoring of its own work. While such efforts are not always possible due to capacity shortages, other internal audit units could benefit from taking similar steps.

While the Budget Code requires local self-government entities to implement internal control and internal audit, because of the principle of local self-governance, Cabinet of Ministers Order 1001 of 28 September 2011 can only recommend the form that this should take. As of 2020, 0.5% of local authorities had an internal audit unit in place (Antoniuk et al., 2021[21]). Even in municipalities like Lviv that do have an internal audit unit, independent evaluations have noted that a lack of independence and employees undermines the unit’s functioning (PEFA, 2022[22]). This means that there is very little systematic assurance that funds allocated to reconstruction via local government entities will not facilitate corruption. In OECD countries such as Poland and Lithuania municipalities follow similar rules on internal audit to central government entities and report to the CHU (OECD, 2024[9]).

However other countries have found innovative solutions for ensuring that internal control and audit function effectively in local government while still maintaining a high degree of self-government for municipalities. These solutions typically involve separate reporting lines and co-ordination bodies. See Box 5.8 for examples from the Netherlands and the United Kingdom. If Ukrainian authorities prefer not to establish a reporting line from municipalities to the CHU, such a solution could be a worthwhile alternative. The Verkhovna Rada could therefore consider amending Section III of the Budget Code to require internal audit of local government with a separate reporting line.

As in central government, allowing local government entities to share internal audit units could also help address capacity shortages. For example, in the Australian state of New South Wales, local government entities are required to have both internal audit units and second line risk management units. However, municipalities with limited capacity can share both types of units as long as all participating municipalities are confident that such an arrangement will adequately cover the organisational needs for these functions (OLGNSW, 2023[25]). Ukrainian authorities could consider a similar solution.

Solving capacity challenges will however have little effect without corresponding efforts to ensure that local-level internal auditors receive the necessary tools and support from management (see Chapter 2 for a more detailed discussion on building a culture of integrity). Voluntary co-operation and information sharing can be an effective mechanism for establishing minimum expectations for local-level integrity policy (OECD, 2020[2]). The Ministry of Development of Communities and Territorial Development (Міністерство розвитку громад та територій, MCTD), which is responsible for local government policy in Ukraine, could therefore consider partnering with the Ministry of Finance to highlight and promote good practices from individual municipalities. Box 5.9 summarises good practices from the internal audit unit in Lviv. They could achieve this by, for example, establishing regular meetings of local-level internal auditors and integrity officers or organising programmes for these officials to travel to other municipalities and share their experiences. Where possible given resource constraints, secondment programmes could help spread the knowledge of local-level internal auditors more widely. Information sharing fora could also benefit from including mayors and other municipal-level managers who can share how internal audit has benefitted their organisations given the cultural scepticism of internal auditors in Ukrainian public administration. This could help create a more supportive environment for internal auditors in the long term.

When it comes to the unique challenge of reconstruction, international donors benefit from having the ability to impose conditions on the use of their funds. Therefore, where possible these donors should make the development of internal audit and corruption risk management a precondition for their support. They could also consider providing support to local government entities for setting up these functions alongside their support for reconstruction efforts. While reconstruction funds may be subject to donors’ own ad hoc audit and control mechanisms in their country of origin, investing in local Ukrainian capacity will pay dividends in the long term by reducing the need for such mechanisms. After all, while donor countries’ SAIs – and in some cases ad hoc bodies to audit reconstruction efforts like the Special Inspector General for Afghanistan Reconstruction (SIGAR) and Special Inspector General for Iraq Reconstruction (SIGIR) created in the United States – can audit the allocation of reconstruction funds, they cannot audit funds that have already been allocated to local partners. Alternatively, donors could channel reconstruction funds through regional (oblast) governments, which are subject to more stringent internal audit requirements.

External scrutiny and oversight are essential parts of an integrity system. Public organisations and officials are accountable for their decisions, actions and expenditures. Accountability requires an adequate institutional setup at two levels: internal mechanisms and external oversight and control mechanisms. Internal control mechanisms can eliminate most irregularities and provide information that external oversight bodies can build on. However, internal control mechanisms may lack independence and objectivity in investigating wrongdoing, which highlights the importance of external oversight in ensuring accountability of public sector organisations (OECD, 2020[2]).

The legislature requires an oversight mechanism that can provide reasonable assurance that public funds are spent as intended. In nearly all OECD countries an independent audit body accountable to parliament – the Supreme Audit Institution (SAI) – is the institution responsible for providing this assurance. SAIs in most countries also increasingly focus on performance audits in response to the failings of older inspectorial SAI models (OECD, 2016[26]). These performance audits typically lead to recommendations that, if well-constructed and properly implemented, could help public organisations enhance performance and operations, including strengthening integrity and preventing corruption. There is empirical evidence that SAI audits reduce public sector corruption. However, this is only the case when the SAI is independent, its staff are qualified and highly trained and it communicates regularly with the public (Gustavson and Sundström, 2018[27]).

In Ukraine, three longstanding challenges are undermining the SAI’s role in ensuring accountability within the system of integrity:

• Perceived political dependence undermines trust towards audits, which are perceived as a politicised instrument used selectively. In 2023, only 28% of citizens perceived the ACU as independent (OECD, 2024[7]). A 2021 World Bank assessment of SAIs rated the ACU as having “moderate” independence – the second lowest category (World Bank, 2021[28]). This was lower than all other EU and EU accession countries assessed. Similarly, the SIGMA monitoring report for Ukraine (OECD, 2024[7]) shows that the ACU has lower legal and organisational independence than other countries, although it is closer to the average in terms of perceived independence (see Table 5.6).

• ACU’s historically weak mandate has left a significant share of the public budget without external assurance and thus increased corruption risks in local budgets and utility companies, extra-budgetary funds and funds received from international partners. In 2023 the ACU audited UAH 771 billion (Accounting Chamber of Ukraine, 2023[29]), which amounts to 19% of the state budget.3 One potential source of this low coverage is the lack of a clear delineation between the functions of the SAS and ACU. With the expansion of the ACU’s mandate, the need to increase audit coverage will become even more acute.

• The unclear recommendations and low awareness of the ACU’s role have sometimes meant that its audits do not result in action on behalf of auditees. This undermines the ACU’s ability to ensure accountability for implementing audit findings, which is necessary to resolve gaps in public institutions’ integrity systems. As outlined in Figure 5.6, since 2020 the rate of full implementation of ACU recommendations has fluctuated between 40% and 45%, and there is therefore a need to ensure both that ACU recommendations are implementable and that they are implemented.

While internal control mechanisms in Ukraine have been undergoing reform for a decade, a breakthrough in the reform of external audit and oversight of public finance only took place in 2024 with the amendments to the Law on the Accounting Chamber from 30 October. These amendments bring the ACU’s mandate and audit methodology more in line with European and international standards:

• Institutionally, the amendments strengthened the political and financial independence of the ACU and introduced competences to audit local budgets and utility companies, extra-budgetary funds and funds received from international partners. The expansion of the ACU’s mandate to include local government is in line with practice in 19 of 27 EU member states (European Court of Auditors, 2024[31]), including some with high fiscal autonomy for municipalities and/or a federal state structure (OECD, 2021[32]). However these changes are yet to be implemented, and there is a risk of backsliding due to legal challenges if not resolved.

• Methodologically, the ACU’s approach is changing from financial inspections towards risk-based financial, compliance and performance audits that are in line with international standards, mirroring the trend in internal audit. To ensure impartiality and effectiveness of these audits, the planning methodology should be risk-based, and performance audits should build upon solid financial data. Awareness of the need for both changes is rising in Ukraine, but they are not yet systematic in practice, and conflict-of-interest concerns surrounding audit specialisation remain.

• Audit reporting now focuses more on improving organisational effectiveness, which in turn requires clear, actionable recommendations to ensure their implementation. To increase impact, collaboration with key stakeholders is also necessary.

The following recommendations aim to ensure that external audit of public finance continues in a positive direction. Figure 5.5 provides an overview of steps the ACU could take to ensure external audits are impartial and effective at all stages of the audit cycle.

The Constitution and two laws define the institutional setup for external audit and financial control in Ukraine (see Box 5.10). However legal ambiguity in the laws governing the ACU and the SAS continues to create uncertainty over their respective mandates. Furthermore, the October 2024 amendments to the Law on the Accounting Chamber that expanded the ACU’s authority to include local budgets may face constitutional challenges, given past rulings restricting its scope to the State Budget.

To ensure roles and responsibilities are clearly understood and avoid duplication, the Verkhovna Rada could increase legal clarity about how the “financial control” performed by the ACU and SAS differs. In particular, two laws regulating the work of ACU and SAS assign each institution responsibility for “state financial control” but do not define what this is. Such a definition could help delineate some functions between the ACU and the SAS. The EU has also noted that there is not a clear delineation of mandates between the ACU and the SAS (European Commission, 2024[8]).

A further challenge is the extended scope of the ACU’s responsibilities beyond the state budget as it is defined in the Budget Code. The 30 October 2024 amendments extended the ACU’s mandate to include local budgets of hromadas (municipalities), which are formed independently of the state budget. However, a past Constitutional Court ruling prohibited an extended interpretation of the ACU’s mandate (for more information see Box 5.10). Since the Constitution cannot be amended under martial law, this discrepancy should be addressed through additional legislative changes to ensure that ACU retains its competence to audit local budgets.

In addition to the legal challenges, there is also a capacity challenge for the ACU’s expanded mandate. With the ACU only auditing 19% of the central government budget annually, it will be difficult to also conduct meaningful oversight of local government and extra-budgetary funds with its current HR capacity, especially given that 31% of staff positions in the ACU were vacant as of January 2024 (Ministry of Finance of Ukraine, 2024[33]). External audit of local government is highly important in view of the increased public funds local self-governments have at their disposal since post-2014 fiscal decentralisation. Giving the ACU competence over local government brings Ukraine’s system more in line with European standards and practice (European Court of Auditors, 2024[31]), but it will require corresponding resource increases. While the average monthly salary at ACU rose with amendments to the Law on the Accounting Chamber and as of December 2024 was comparatively high for the Ukrainian public sector at UAH 105 000 (Ministry of Finance of Ukraine, 2024[33]), it is still far below the average monthly salary for an auditor in the private sector, which is UAH 205 000. If the ACU is to successfully hire more staff, reducing this difference would go a long way.

When it comes to the quality of ACU audits, the recently adopted amendments to the Law on the Accounting Chamber also contain positive improvements. Article 4 of the law now more explicitly requires that audits follow the methodologies outlined in INTOSAI standards, and Article 27 requires a risk-based approach to audit planning. Article 30 also provides more detail on what content the ACU must include in annual reports to the Verkhovna Rada. These regulatory amendments follow the adoption of an improved audit methodology in the ACU in 2023 that is more closely aligned with the International Standards on Supreme Audit Institutions (ISSAIs). One goal of this methodology was to address ongoing challenges with ACU performance audits being closer to compliance audits in nature (OECD, 2024[7]).

A clear and transparent methodology for planning financial, compliance, and performance audits ensures the impartiality of external audit, and with it, more effective oversight of public funds. While performance audits should serve as objective evaluations against an organisation’s pre-defined objectives, auditees often perceive them as a political tool to either downplay problems in organisations in favour with the Government or sanction organisations that are out of favour with the Government (Grossi et al., 2023[34]). It is therefore important that audit plans do not fluctuate based on real or perceived political influence.

The requirement for risk-based audit planning in Ukraine is therefore a positive development and should help ensure more effective oversight of public funds. However, while the ACU adopted the “Procedure for annual planning of the Accounting Chamber’s activities” in 2023, which elaborates a methodology for risk-based audit planning, the methodology is not publicly available so it was not possible for the OECD to evaluate it. It also had not been used in practice as of December 2024 (TI Ukraine, 2024[35]). The ACU could therefore consider publishing and implementing this methodology without delay to ensure that its benefits are fully realised. Box 5.11 outlines the Australian SAI’s approach to performance audit planning, and the ACU could consider incorporating similar risk factors into its methodology if it has not already.

Another outstanding concern related to audit planning is the fact that members have divided responsibility for different sectors of the public administration between themselves (Accounting Chamber of Ukraine, 2024[38]). While dividing audit specialties occurs in many countries and can leverage individual expertise, it can also result in a situation where auditors and auditees develop inappropriately friendly relations that can bias audit conclusions if appropriate safeguards are not in place. The fact that there is no regulation governing how this division of sectors should take place, even though civil society stakeholders consulted noted that it occurs in practice (TI Ukraine, 2024[39]), magnifies conflict-of-interest risks because there is no framework to ensure the division occurs in an objective and accountable way.

The ACU has taken positive steps to improve internal integrity by adopting its own code of ethics in 2023 (Accounting Chamber of Ukraine, 2023[40]) and creating its own ethics council. However, in addition to rigorous implementation of the code of ethics, the ACU could consider adopting a regulation outlining an objective procedure for dividing responsibilities between its members – as well as management level auditors – that involves periodic rotation of focus areas and measures to identify and manage conflict of interest. Such a measure is foreseen in INTOSAI’s code of ethics (INTOSAI, 2019[41]) and is a common mechanism to promote objectivity (INTOSAI, 2018[42]). Box 5.12 outlines how such a system works in New Zealand. Rotation could also involve a check of newly appointed members’ declarations of assets, interests and family ties to ensure they are able to audit a given sector impartially. Integrity tools like INTOSAI’s IntoSAINT instrument (INTOSAI, 2025[43]) could also be helpful in identifying and responding to internal integrity challenges.

Audit recommendations are only effective if they are implemented. However, the ACU’s annual reports show that the rate of full implementation of ACU recommendations has hovered between 40% and 45% since 2020 (see Figure 5.6). By the beginning of 2024, 41% of ACU recommendations made in 2022 and 2023 had been fully implemented and another 23% were in the process of being implemented (Accounting Chamber of Ukraine, 2023[29]).

Audit recommendations of high methodological quality form the cornerstone of effective audits. However, in practice, ACU recommendations often suffer from a lack of clarity. A study that examined 853 recommendations from 53 ACU reports issued between 2019 and 2023 found that only 14% of recommendations met all five SMART criteria (specific, measurable, achievable, relevant, time-bound) (Institute of Analytics and Advocacy, 2024[45]). Overall, the lack of timeframes was the most common issue, as 84% of recommendations were not time-bound. In addition, 29% of recommendations were unmeasurable, 20% were unspecific, and 7% were not relevant (already being implemented or would worsen the situation). Finally, 12% of recommendations were not clearly linked to their respective audits.

This lack of clarity could undermine the ability and/or likelihood of auditees to implement recommendations and may be one cause of the low implementation rate. Recommendations meeting the SMART criteria were half as likely to remain unimplemented (Institute of Analytics and Advocacy, 2024[45]), which suggests that formulating recommendations in this way could help increase the implementation rate.

While the amendments to Article 30 of the Law on the Accounting Chamber aim to improve report content, these new provisions are not detailed enough on their own to improve recommendation quality. ACU could therefore consider adopting a methodology for closer adherence to international standards and the SMART framework, that supports implementation of the relevant legislative amendments. As part of this methodology, the ACU could also create templates, such as for example a template of a recommendation implementation plan (Institute of Analytics and Advocacy, 2024[45]), that would increase the likelihood of auditees implementing their recommendations.

Beyond improving recommendation formulation, effective stakeholder engagement can foster accountability for recommendation implementation. Stakeholder engagement can also help ensure that trends from ACU audits inform policymaking and there is accountability for legal violations that the ACU uncovers, even if this is not an SAI’s primary purpose.

INTOSAI calls on SAIs to engage transparently and proactively with parliamentary committees and the general public (INTOSAI, 2019[46]). SAIs in many countries increasingly engage with external stakeholders such as civil society organisations (CSOs), the media, academia, professional organisations and the general public to increase the impact of their work (Brétéché and Swarbrick, 2024[47]). Consulting external stakeholders as experts on particular topics can help improve the quality of SAI audits, while communication with external stakeholders about audit findings can help increase the degree to which the SAI’s work fosters government accountability. SAIs should also have strong co-operation with law enforcement. When an SAI audit uncovers suspected corruption it can form the basis for a law enforcement investigation, while the results of law enforcement investigations can help SAIs better understand patterns of corruption, plan their audit engagements and assess implementation of their recommendations (UNODC, 2022[48]).

The late 2024 amendments to the Law on the Accounting Chamber introduced a legal requirement for the Verkhovna Rada to respond to the ACU’s reports, which is a positive step toward improving both the quality and uptake of these reports. The Verkhovna Rada and its committees – including the budget committee which is the primary responsible committee – also frequently discuss and act on ACU reports in practice (OECD, 2024[7]), but civil society groups have nevertheless noted a lack of monitoring of the implementation of ACU recommendations and a lack of uptake in the Verkhovna Rada. In 2024 the ACU reported that just 5 out of 23 Verkhovna Rada committees considered issues stemming from ACU reports. While uptake in committees was higher in 2023, a 2021 study (Institute of Legislative Ideas, 2021[49]) found similar levels of uptake to 2024, which demonstrates that the situation has improved little over time.

The ACU is working with the Verkhovna Rada to improve monitoring and uptake of its recommendations through digital tools. However, the ACU could also consider employing additional effective tactics used by SAIs in other countries. These include providing training to parliamentary committees that enables them to better understand audit reports, sending letters to new MPs about past uptake of SAI recommendations, sending briefings to parliament suggesting matters for follow-up, and employing communications specialists to make sure audit reports are written in a way that enables non-specialist comprehension (INTOSAI, 2019[46]).

The Verkhovna Rada’s assessment of the ACU’s performance and impact also leaves room for improvement, as it is based on the number of audits conducted rather than the impact of audit recommendations (European Commission, 2023[50]). The Verkhovna Rada could therefore consider amending this methodology so that it focuses more on the impact of recommendations. Beyond indicators such as the number of audits undertaken, other measures of SAI impact can include the following (OECD, 2022[51]):

• savings due to the measures implemented

• increases in revenue

• reductions in expenditure

• increases in satisfaction with the delivery of public services delivered by the public administration

• providing legal certainty by ensuring compliance with the legal frameworks

• improvements in achieving other policy goals, e.g. related to SDGs (environmental quality, education, health, gender equality, anti‑corruption and integrity etc.)

• public trust.

The ACU could also benefit from improved engagement with civil society, the media and the general public to increase accountability for recommendation implementation. The ACU recognised this fact through the focus on improving stakeholder engagement in its Strategy for Development of the Accounting Chamber 2019-2024 (Accounting Chamber of Ukraine, 2019[52]). However, the strategy focused mostly on improving transparency and the quantity of engagement. More focus on the engagement techniques used could help the ACU maximise the impact of its engagement. The ACU explained that it is in the process of preparing the next strategy based on a survey of stakeholders. Some engagement techniques to consider in this new strategy or other work include:

• Involving external experts in its audits. This could help the ACU demonstrate an ability to produce useful reports for the Verkhovna Rada, while communicating findings more strategically and effectively could help increase awareness of the ACU’s work among civil society, including any audits related to corruption and integrity. In turn civil society could amplify the recommendations in these audits and increase government accountability for audit findings. The ACU adopted a procedure for engaging external experts with specialised knowledge via its decision no. 1-4 of 14 January 2025, but the ACU should now ensure that such expertise is leveraged effectively in practice. Continued partnerships with international partners can also help improve audit expertise.

• Grouping documents related to a given audit and/or thematic area in one place on the ACU’s website. This would make it easier for stakeholders to locate, understand, and use ACU reports. ACU could also monitor its stakeholder engagement through indicators such as parliamentary requests for ACU input, mentions in media outlets, and website and social media engagement as well as surveys of MPs (EUROSAI, 2019[53]) to better understand and strive to improve the utility of its work.

• Developing a dedicated communications strategy that focuses on moving beyond passive transparency mechanisms. Effective techniques could include a website, social media posts and public events with a focus on active, targeted stakeholder engagement. See Box 5.13 for an example of the Moldovan SAI’s strategic approach to stakeholder engagement.

External evaluation of SAI activities can be helpful in not only improving audit impact but also in building trust towards – and accountability for – SAIs. It can also help develop quality management arrangements (as required under ISSAI 140). The ACU has taken noteworthy steps to improve engagement with external experts, including by resuming the work of the Advisory and Scientific Council in July 2024 (Accounting Chamber of Ukraine, 2024[55]) and adopting a procedure for engaging external experts with specialised knowledge in specific audits in January 2025. However, the ACU should now ensure that it effectively leverages expert advice in practice. Box 5.14 outlines how the SAIs in Denmark and Finland incorporate knowledge from external experts and could provide inspiration.

Finally, improving the ACU and SAS’s cooperation with law enforcement bodies would help strengthen the ability of these bodies to combat public sector corruption (European Commission, 2023[50]), even if detection of fraud and corruption is not and should not be an SAI’s primary purpose, which in accordance with INTOSAI standards is more preventative in nature. Under Article 41 of the Law on the Accounting Chamber, the ACU forwards any suspicions of legal violations to the relevant law enforcement authority, and in 2023 the ACU sent 20 reports to law enforcement bodies, including seven to the PGO and two to the NABU (Accounting Chamber of Ukraine, 2023[29]). The SAS also participates in the inter-institutional council that acts as the anti‑fraud co-ordination service in Ukraine in accordance with Cabinet of Ministers Resolution no. 1031 of 6 September 2024, which makes it responsible for sharing suspicions of fraud with law enforcement and the European Anti‑Fraud Office (OLAF).

While the ACU already has memoranda of understanding allowing information exchange with bodies like the NABU and SBI, and SAS has a department responsible for liaising with law enforcement, further formalising co-operation between Ukrainian law enforcement and the ACU and SAS could be beneficial. The ACU, SAS and Ukrainian law enforcement could therefore consider developing more proactive and co-operative channels for information exchange (see Box 5.15 for examples). This could help increase accountability for ACU and SAS audit findings and improve the efficiency of law enforcement investigations into corruption and related crimes.

[58] Accounting Chamber of Ukraine (2025), Annual reports [Річні звіти], Accounting Chamber of Ukraine, https://rp.gov.ua/Activity/Reports/ (accessed on 16 April 2025).

[38] Accounting Chamber of Ukraine (2024), Leadership, Accounting Chamber of Ukraine, https://rp.gov.ua/Management/HeadChamber/?id=1746 (accessed on 24 October 2024).

[55] Accounting Chamber of Ukraine (2024), “The Accounting Chamber has resumed the work of the Advisory and Scientific Council: A new composition has been agreed upon [Рахункова палата поновила роботу Консультативно-наукової ради: погоджено новий склад]”, Accounting Chamber of Ukraine, Kyiv, Ukraine, https://rp.gov.ua/News/?id=2012 (accessed on 18 February 2025).

[40] Accounting Chamber of Ukraine (2023), Code of Ethics of the Accounting Chamber [КОДЕКС ЕТИКИ РАХУНКОВОЇ ПАЛАТИ], Accounting Chamber of Ukraine, Kyiv, Ukraine.

[29] Accounting Chamber of Ukraine (2023), Report of the Accounting Chamber 2023, Accounting Chamber of Ukraine, Kyiv, Ukraine.

[52] Accounting Chamber of Ukraine (2019), Strategy for Development of the Accounting Chamber 2019-2024 [СТРАТЕГІЯ розвитку Рахункової палати на 2019–2024 роки], Accounting Chamber of Ukraine, Kyiv, Ukraine.

[36] ANAO (2024), Annual Audit Work Program 2024–25: Overview, Australian National Audit Office, https://www.anao.gov.au/work-program/overview (accessed on 5 November 2024).

[21] Antoniuk, O. et al. (2021), “Development of internal control and audit in Ukraine”, Independent Journal of Management and Production, Vol. 12/6, pp. s376-s390, https://doi.org/10.14807/ijmp.v12i6.1761.

[17] ARMA (2024), Внутрішній аудит [Internal Audit], Agency for Asset Recovery and Management, https://arma.gov.ua/internal-audit (accessed on 20 November 2024).

[47] Brétéché, B. and A. Swarbrick (2024), “Increasing the impact of supreme audit institutions through external engagement: Compendium of European experiences with developing effective relationships between SAIs and non-governmental stakeholders”, SIGMA Papers, No. 69, OECD Publishing, Paris, https://doi.org/10.1787/5d25341e-en.

[13] Cabinet of Ministers of Ukraine (2021), Strategy for Public Financial Management System Reform in 2022-2025, Cabinet of Ministers of Ukraine, Kyiv, Ukraine.

[57] Chornovalov, O. (2023), Тінь Азарова в міністерстві Галущенка (розслідування) [Azarov’s shadow in Galushchenko’s ministry (investigation)], Radio Svoboda, https://www.radiosvoboda.org/a/skhemy-tin-azarova-v-ministerstvi-halushchenka/32477802.html (accessed on 6 January 2025).

[24] CIPFA (2024), Local Government, Chartered Institute of Public Finance and Accountancy, https://www.cipfa.org/local-government (accessed on 30 October 2024).

[44] Controller and Auditor-General of New Zealand (2025), Part 4A: Independence for Audit and Review Engagements, https://oag.parliament.nz/auditing-standards/guide-to-the-code/part-4a (accessed on 6 January 2025).

[12] COSO (2013), Internal Control - Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission.

[54] Court of Accounts of the Republic of Moldova (2022), The Communication Strategy of the Court of Accounts for the Period 2022-2025 [Strategia de comunicare a Curții de Conturi pentru perioada 2022-2025], Court of Accounts of the Republic of Moldova, Chisinau, Moldova.

[8] European Commission (2024), Ukraine Report 2024, European Commission, Brussels, Belgium.

[50] European Commission (2023), Ukraine Report 2023, European Commission, Brussels, Belgium, https://neighbourhood-enlargement.ec.europa.eu/ukraine-report-2023_en (accessed on 4 June 2024).

[31] European Court of Auditors (2024), Supreme Audit Institutions in the EU and Its Member States - An Overview, European Court of Auditors, https://op.europa.eu/webpub/eca/book-state-audit/en/ (accessed on 21 August 2024).

[53] EUROSAI (2019), Guideline on the Social Utilisation and Transparency of Public Sector Audits, European Organisation of Supreme Audit Institutions, Madrid, Spain.

[23] Government of the Netherlands (2024), Bedrijfsvoering en audits gemeenten en provincies [Business Operations and Audits for Municipalities and Provinces], https://www.rijksoverheid.nl/onderwerpen/financien-gemeenten-en-provincies/bedrijfsvoering-en-audits-gemeenten-en-provincies (accessed on 30 October 2024).

[34] Grossi, G. et al. (2023), “Changing the boundaries of public sector auditing”, Journal of Public Budgeting, Accounting and Financial Management, Vol. 35/4, pp. 417-430.

[27] Gustavson, M. and A. Sundström (2018), “Organizing the audit society: Does good auditing generate less public sector corruption?”, Administration and Society, Vol. 50/10, pp. 1508-1532.

[5] IIA (2024), Global Internal Audit Standards, Institute of Internal Auditors.

[6] IIA (2020), The IIA’s Three Lines Model: An Update of the Three Lines of Defence, Institute of Internal Auditors.

[3] IIA (2015), “Leveraging COSO across the three lines of defence”, Institute of Internal Auditors.

[16] IIA (2009), “IIA Position Paper: The role of internal auditing in enterprise-wide risk management”, Institute of Internal Auditors.

[4] IIA/INTOSAI (2022), “Applying the Three Lines Model in the public sector”, Institute of Internal Auditors and International Organization of Supreme Audit Institutions, https://www.theiia.org/globalassets/site/content/articles/applying_the_three_lines_model_in_the_public_sector.pdf.

[45] Institute of Analytics and Advocacy (2024), How the Supreme Audit Institution Operates in Ukraine, Institute of Analytics and Advocacy, Poltava, Ukraine.

[49] Institute of Legislative Ideas (2021), Activity of Parliamentary Committees in 2020: Effectiveness and Interaction with Stakeholders, Institute of Legislative Ideas, Kyiv, Ukraine.

[43] INTOSAI (2025), IntoSAINT – A Tool to Assess the Integrity of Supreme Audit Institutions, International Organization of Supreme Audit Institutions, https://www.intosaicbc.org/intosaint/ (accessed on 6 January 2025).

[46] INTOSAI (2019), GUID 9040: Good Practices Related to SAI Transparency, International Organization of Supreme Audit Institutions.

[41] INTOSAI (2019), ISSAI 130: Code of Ethics, International Organization of Supreme Audit Institutions.

[42] INTOSAI (2018), Strengthening Supreme Audit Institutions: A Guide for Improving Performance, International Organization of Supreme Audit Institutions.

[20] Kyiv City Council (2025), Департамент внутрішнього фінансового контролю та аудиту [Department of Internal Financial Control and Audit], Official Portal of Kyiv, https://kyivcity.gov.ua/kyiv_ta_miska_vlada/struktura_150/vikonavchiy_organ_kivsko_misko_radi_kivska_miska_derzhavna_administratsiya/departamenti_ta_upravlinnya/departament_vnutrishnogo_finansovogo_kontrolyu_ta_auditu/ (accessed on 6 January 2025).

[56] Ministry of Finance of Ukraine (2024), Інформація про виконання Державного бюджету України за 2023 рік [Information on the Implementation of the State Budget for 2023], Ministry of Finance of Ukraine, Kyiv, Ukraine, https://mof.gov.ua/uk/budget_2023-582 (accessed on 19 November 2024).

[19] Ministry of Finance of Ukraine (2024), Проведені заходи з питань ДВФК (Measures Taken to Address the Issues of the SIFC], Ministry of Finance of Ukraine, https://mof.gov.ua/uk/provedeni-zahodi-z-pitan-dvfk (accessed on 4 November 2024).

[33] Ministry of Finance of Ukraine (2024), Чисельність працівників державних органів у 2023 році [The Number of Employees in State Bodies in 2023], Ministry of Finance of Ukraine, Kyiv, Ukraine, https://app.powerbi.com/view?r=eyJrIjoiZDE4NWJjNGQtZTY1OS00MzZmLTk2YTctMGY1YTNjYWYwOGIwIiwidCI6IjAwZTQ4ZjNmLWNhNGEtNGRhNy1hM2EwLTc3MTlmYjI0NjIzOSIsImMiOjl9&pageName=ReportSection (accessed on 20 November 2024).

[14] NACP (2024), Каталог корупційних ризиків [Catalogue of Corruption Risks], National Agency on Corruption Prevention, Kyiv, Ukraine, https://antycorportal.nazk.gov.ua/risks/ (accessed on 6 January 2025).

[11] NACP (2023), АНАЛІТИЧНЕ ДОСЛІДЖЕННЯ поточного стану та перспектив розвитку інституту антикорупційних уповноважених [Analytical Study of the Current State and Development Prospects of the Institute of Anti-corruption Commissioners], National Agency on Corruption Prevention, Kyiv, Ukraine.

[9] OECD (2024), OECD Public Integrity Indicators Database, OECD Data Explorer, https://data-explorer.oecd.org/ (accessed on 5 November 2024).

[30] OECD (2024), Principles of Public Administration Data Portal, SIGMA, OECD, Paris, https://par-portal.sigmaweb.org/ (accessed on 19 December 2024).

[7] OECD (2024), Public Administration in Ukraine: Assessment against the Principles of Public Administration, SIGMA Monitoring Reports, OECD Publishing, Paris, https://doi.org/10.1787/078d08d4-en.

[51] OECD (2022), “What drives the impact of Supreme Audit Institutions”, in Enhancing the Oversight Impact of Chile’s Supreme Audit Institution: Applying Behavioural Insights for Public Integrity, OECD Publishing, Paris, https://doi.org/10.1787/260b717c-en.

[32] OECD (2021), Fiscal Federalism 2022: Making Decentralisation Work, OECD Publishing, Paris, https://doi.org/10.1787/201c75b6-en.

[2] OECD (2020), OECD Public Integrity Handbook, OECD Publishing, Paris, https://doi.org/10.1787/ac8ed8e8-en.

[37] OECD (2018), “Using Risk Assessment in Multi-year Performance Audit Planning”, OECD Public Governance Policy Papers, No. 53, OECD Publishing, Paris, https://doi.org/10.1787/bc8b7a21-en.

[1] OECD (2017), Recommendation of the Council on Public Integrity, OECD, Paris, https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0435.

[26] OECD (2016), Supreme Audit Institutions and Good Governance: Oversight, Insight and Foresight, OECD Public Governance Reviews, OECD Publishing, Paris, https://doi.org/10.1787/9789264263871-en.

[25] OLGNSW (2023), Risk Management and Internal Audit for Local Government in NSW, Office of Local Government of New South Wales, Sydney, Australia.

[22] PEFA (2022), Оцінювання державних видатків та фінансової підзвітності (ДВФП) на субнаціональному рівні: Львівська Міська Рада (Україна) [Assessment of Public Expenditure and Financial Accountability (PFA) at the Subnational Level: Lviv City Council (Ukraine)], Public Expenditure and Financial Accountability Program, Washington, DC.

[15] STT (2021), Law on the Prevention of Corruption, from 01-01-2022, Special Investigation Service of Lithuania, https://www.stt.lt/en/corruption-prevention/law-on-the-prevention-of-corruption-from-01-01-2022/7588 (accessed on 30 October 2024).

[39] TI Ukraine (2024), Eight Steps to Increase Accounting Chamber Capacity, Transparency International Ukraine, Kyiv, Ukraine.

[35] TI Ukraine (2024), “Новий закон — лише початок: чотири наступні кроки для реформи Рахункової палати [The new law is just the beginning: Four next steps for the reform of the Accounting Chamber]”, Transparency International Ukraine, Kyiv, Ukraine, https://ti-ukraine.org/blogs/novyj-zakon-lyshe-pochatok-chotyry-nastupni-kroky-dlya-reformy-rahunkovoyi-palaty/ (accessed on 17 February 2025).

[48] UNODC (2022), Enhancing Collaboration between Supreme Audit Institutions and Anti-Corruption Bodies in Preventing and Fighting Corruption: A Practical Guide, United Nations Office on Drugs and Crime, Vienna, Austria.

[10] Verkhovna Rada of Ukraine (2015), Law on Corruption Prevention 1700-VII, https://zakon.rada.gov.ua/laws/show/en/1700-18#top.

[18] Voldina, T., G. Grossi and V. Vakulenko (2023), “The changing roles of internal auditors in the Ukrainian central government”, Journal of Accounting and Organizational Change, Vol. 19/6, pp. 1-23.

[28] World Bank (2021), Supreme Audit Institutions Independence Index: 2021 Global Synthesis Report, World Bank, Washington, DC.