Summary of "INTERNAL AUDIT & CONTROL - 2025"

Summary of “INTERNAL AUDIT & CONTROL - 2025”

Focus: Business-specific insights on internal audit strategy, operations, management, and emerging risks

1. Current Challenges and Environment

Natalia Pavlova, Managing Partner, Attorneys Association

Context: - Ukraine’s internal audit profession faces legislative, regulatory, and operational challenges amid geopolitical instability and economic crisis risks. - Financial reporting often shows inflated asset values but insufficient cash flow to service obligations, raising sustainability concerns. - Crisis of confidence due to misinformation and AI-generated falsified reports complicates audit reliability.

Key Issues: - Internal auditors in Ukraine lack true independence, reducing trust in audit outputs. - Liability risks are significant, especially in banking and joint-stock companies, with potential lawsuits years after audit work. - Internal auditors often assigned functions outside their scope (e.g., advance contract checks), leading to legal exposure. - Lack of liability insurance for auditors is a critical gap; advocacy for insurance schemes is ongoing. - Staffing shortages and resource constraints threaten audit quality; calls for supervisory boards to address resourcing. - Attempts to regulate the profession via public bodies are viewed skeptically; preference for regulation embedded in sector-specific laws. - Emphasis on strict compliance with laws over international standards—legal hierarchy must guide audit judgments.

Recommendations: - Write openly about risks in financial statements when cash flow is insufficient. - Avoid assumptions in reports; focus on concise, evidence-based findings. - Push for insurance and clearer appointment/dismissal procedures for internal auditors. - Use Supreme Court precedents to guide audit practices and protect against liability.

2. Key Risks for Internal Auditors in 2026

Maxim Pomerka, President, Institute of Internal Auditors of Ukraine

Global and Regional Context: - Multiple shocks: COVID-19 pandemic, war in Ukraine, geopolitical conflicts, tariff changes, and macroeconomic uncertainty. - World Bank forecasts weaker global growth, increasing operational risks.

Top 5 Risks Identified in Europe Region: 1. Cybersecurity and Data Security (82% of internal audit managers rate this top risk) - Persistent, evolving threats including sophisticated hacking (APT groups). - Emerging threat: Quantum computing potentially breaking current encryption; need to prepare for post-quantum cryptography. - Internal audit role: Assess cyber protection, backups, and prepare organizations for quantum transition. 2. Talent Management and Human Capital - Acute shortage of skilled personnel and high turnover (e.g., 30% annual turnover in UK). - Risk of deskilling due to AI automation of junior roles. - Internal audit insufficiently focused on talent risk (ranked 9th in audit focus). 3. Digital Change, New Technologies, and Artificial Intelligence - Rising to 3rd place risk; expected to be 2nd in future. - Risks include over-reliance on opaque AI models (“black box”), supplier dependency, and model inaccuracies (example: Deloitte Australia scandal). - Auditors must critically assess AI outputs, monitor strategy flexibility, and supplier risks. 4. Macroeconomic and Geopolitical Uncertainty - Rapid structural changes affecting business strategies and supply chains. - Internal audit should analyze impacts and advise management on strategic opportunities and risks. 5. Food Security and Sustainability Reporting (declining in priority) - Complex sustainability reporting (CSRD) with “double materiality” concept is challenging due to lack of quality data. - Circular economy and resource recycling are emerging positive trends to integrate into strategy.

Changing Role of Internal Audit: - Shift towards agility and consulting services; advisory roles now occupy over 50% of audit resources in some European teams (up from 20%). - Internal audit expected to provide independent assurance, advice, analysis, and foresight.

Recommendations: - Avoid groupthink in strategic decision-making. - Strengthen third-party risk management. - Evaluate AI strategy and control environment critically. - Enhance talent acquisition and retention strategies.

Call to Action: - Participate in ongoing profession state surveys to shape future audit practices.

3. Internal Audit in Banking Sector

Ivan Levkivskyi, Ukrsebank

Corporate Governance and Regulation: - Banking internal audit function is well-regulated by law and National Bank regulations. - Internal audit heads have defined appointment/dismissal procedures, though not fully equated with bank managers. - War conditions multiply risks and regulatory changes; EU accession will increase regulatory complexity.

Risk-Based Audit Planning: - Residual risk assessment (inherent risk adjusted by governance and controls) guides audit priorities. - Increased frequency of audits due to elevated risk (e.g., annual rather than multi-year cycles). - Limited resources necessitate focus on highest risk areas.

Talent and Technology: - Severe shortage of qualified internal auditors due to war-related labor outflows. - Urgent need to integrate data analytics and AI specialists into audit teams. - AI tools used for document analysis, data reconciliation, and monitoring audit evidence. - Collaboration with other control functions (compliance, legal, risk management) is vital to optimize resources and reduce duplication.

Internal Audit as Management Function: - Internal audit seen as a managerial function supporting risk minimization, process efficiency, compliance, and strategic advisory. - Effective communication with stakeholders throughout audit lifecycle is critical for relevance and impact. - Horizontal audits across multiple entities (transversal checks) improve comparability and resource efficiency.

4. Strategic Partnerships and Evolving Role of Internal Audit

Evgenia Ilyukhina, Unity Group

Shift from Inspector to Strategic Partner: - Internal audit role expanding beyond financial checks to strategic advisory, risk evaluation, and project partnerships. - Examples include audit involvement in investment evaluations, market entry, and technology implementations. - Close cooperation with other departments and external experts optimizes resource use and enhances impact.

Challenges: - Risk of blurring audit independence when providing consulting services; need to document and manage responsibilities carefully. - Importance of trust-building with management, audit committees, and other stakeholders. - Reports should be clear, concise, and structured with risk prioritization to improve stakeholder reception.

Coordination of Assurance: - Emphasis on integrated assurance frameworks and taxonomy to align internal audit with other control functions.

5. Panel Discussion Highlights: Creating Effective Internal Audit in a Changing World

Organizational Maturity and Resource Constraints: - Many organizations (especially state-owned or newly formed) lack mature control systems, digitalization, and adequate funding for internal audit. - Talent acquisition is difficult due to war, low salaries, and lack of candidate commitment. - Continuous training and competitive compensation are essential to retain skilled auditors.

Professional Development and Competencies Needed: - Analytical skills, technical competence (IT, cybersecurity, AI), communication, critical thinking, ethical integrity, business acumen, adaptability, interpersonal skills, and project management. - Continuous professional development and English language proficiency are vital for keeping up with global standards.

Ethics and Professional Courage: - New global standards emphasize professional skepticism and courage. - Internal auditors must balance independence with organizational realities, often facing pressure to alter findings. - Ethical behavior and corporate culture development are key auditor responsibilities.

Role Clarity and Awareness: - Internal audit is often misunderstood as a policing or purely financial function; education of management and staff is critical. - Clear communication and informal engagement improve audit acceptance and effectiveness.

Technology and Automation: - Need for better automation and standardization tools beyond Excel/Word to improve audit quality and efficiency. - Data analytics and AI integration into audit processes is uneven but growing; specialists are needed.

Public Interest and Social Responsibility: - Internal audit has a role in protecting public interest, especially in state-owned or public service organizations. - Reporting and acting on fraud or corruption risks may require escalation beyond internal management.

6. AI and Digital Risks in Internal Audit

Dmitry Lozuchenkov, EIAA

Trends: - Increasing use of AI and machine learning in business processes, with 74% of executives considering AI critical. - AI accounts for over 60% of cyberattack surfaces, highlighting dual role as risk and tool. - AI auditing requires understanding data quality, model explainability, monitoring for “model drift,” and human oversight (“human in the loop”). - Blackbox AI models pose audit challenges; reliance on vendor documentation and control over input data is critical.

AI in Audit Processes: - Automation of routine tasks, document analysis, risk identification, and report generation using AI tools (e.g., EVIA Virtual Internal Auditor and “Zhenya” generative AI assistant). - AI can increase audit efficiency, but human review remains essential.

Risk Framework for AI Models: - Assess model complexity, explainability, predictability, human involvement, and data governance. - Continuous monitoring and validation are mandatory to prevent manipulation or degradation of AI outputs.

Practical Advice: - Use AI where it adds value and has a clear business case. - Avoid hype-driven blind adoption; focus on tested, industrial-grade solutions. - Prepare for increasing regulation of AI in Ukraine aligned with global standards.

7. Ethics in Internal Audit

Kateryna Lukyanenko, KPMG

Updated Global Standards: - Ethics now a separate section with 13 principles, including a new emphasis on professional skepticism and professional courage. - Auditors must contribute to ethical culture development in organizations.

Challenges in Practice: - Many auditors feel pressure to alter findings or conceal information. - Independence is often an “illusion” due to organizational maturity and internal dependencies. - Internal audit function is still often perceived as purely control/policing rather than value-adding.

Improving Perception: - Educate management and staff about internal audit’s role through onboarding and ongoing communication. - Maintain clear, calm communication during audits to reduce fear and resistance. - Build auditor competencies in communication, business understanding, ethics, and technical skills. - Outsourcing internal audit can improve perceived authority and reduce resistance but may risk sustainability.

Ethical Behavior: - Auditors must model high ethical standards, confidentiality, and professionalism. - Ethical conduct is critical given auditors’ access to sensitive information.

8. Additional Notes

Certificates for professional internal auditor training (IAPBE UK diploma) were offered free to conference participants with instructions for registration.
Panelists and speakers encouraged active participation in profession-wide surveys to influence future standards and practices.

Key Frameworks, Processes, and Playbooks Highlighted

Risk-Based Audit Planning: Assess inherent risk, governance quality, control effectiveness to prioritize residual risks for audit focus.
AI Audit Framework: Evaluate data quality, model explainability, human oversight, continuous monitoring, and control environment.
Ethics and Professional Standards: Adoption of updated global internal audit standards emphasizing professional skepticism, courage, and ethical culture development.
Coordination of Assurance: Integration and taxonomy alignment across internal audit, compliance, legal, and risk management functions.
Talent Management: Strategic planning for recruitment, retention, and skill development, including cross-functional and technical competencies.

Key Metrics, KPIs, and Targets

Cybersecurity risk recognized by 82% of internal audit heads as top priority.
Talent turnover example: 30% annual staff turnover in UK internal audit teams.
Consulting/advisory services now consume over 50% of audit resources in some European teams (up from 20%).
AI adoption in business processes reported by ~50% of participants; AI-related audits rare but expected to grow.
Internal audit function staffing in Ukraine around 66% filled, indicating significant talent gaps.

Presenters and Sources

Natalia Pavlova – Managing Partner, Attorneys Association, Certified Internal Auditor
Maxim Pomerka – President, Institute of Internal Auditors of Ukraine
Ivan Levkivskyi – Head of Internal Audit, Ukrsebank
Evgenia Ilyukhina – Head of Internal Audit Service, Unity Group
Malcolm Trotter – President, International Alliance of Professional Business Elites (IAPBE), UK
Dmitry Lozuchenkov – Partner, EIAA Company (Digital Risks and AI in Audit)
Kateryna Lukyanenko – Manager, Consulting Department, KPMG Ukraine
Panelists: Lyubov Kosovets (Moderator), Dmytro Sergienko (Ukrnafta), Natalia Stepanov (National Public Broadcasting Company of Ukraine), and others.

Overall, the conference emphasized the urgent need for internal audit functions to evolve from traditional compliance controllers to strategic, agile partners equipped with advanced technology, ethical courage, and strong stakeholder communication, especially under conditions of geopolitical and economic uncertainty.