Regulation on External Audit of Banks

1 Pursuant to Article 35, paragraph 1.1 of the Law No. 03/L-209 of the Central Bank of the Republic of Kosovo (Official Gazette of the Republic of Kosovo, No. 77/16 August 2010), and Articles 54 and 85 of the Law No. 04/L-093 on Banks, Microfinance Institutions and Non-Bank Financial Institutions, (Official Gazette of the Republic of Kosovo, No. 11/11 May 2012), the Board of the Central Bank of the Republic of Kosovo at the meeting held on November 09, 2012, approved the following: REGULATION ON EXTERNAL AUDIT OF BANKS Article 1 Purpose and Scope

1. The purpose of this Regulation is to strengthen the regulatory framework related to external auditors of banks and to ascertain the quality of the services performed by these external auditors, in relation to the specific risks of banks and financial sector in general. It determines the requirements for the approval of external auditors, the carrying out of the external audit of banks and the relationship between external auditors, banks and the CBK.
2. This Regulation applies to all banks licenced by the CBK to operate in the Republic of Kosovo.
3. This Regulation applies also to branches of foreign banks only in that the CBK must be satisfied that all provisions of paragraph 4 of Article 54 of the Law on Banks are met. Article 2 Definitions
4. All terms used in this Regulation are as defined in Article 3 of the Law No. 04/L-093 on Banks, Micro-Finance Institutions and Non-Bank Financial Institutions (hereafter: the Law on Banks) and/or as further defined herein for the purpose of this Regulation: a) Audit Firm - means a legal entity or any other entity, without taking into consideration its legal form, which is licensed, in compliance with law No. 04/L-014 on Accounting, Financial Reporting and Auditing (Official Gazette of the Republic of Kosovo, No. 11 / 26 August 2011) (hereafter: Law on Financial Reporting) for performing auditing jobs. b) External Auditor - means only the auditing firm. c) Financial Statement - means balance sheet, income statement, cash flow statement, the statement of changes in equity, and additional notes and explanatory materials that are the integral parts of a financial statement.

2 Article 3 General Conditions

1. The external auditor of a bank licensed by the CBK to operate in the Republic of Kosovo shall be approved by the CBK.
2. Based on a written application, the CBK shall grant approval to an external auditor of a bank, only as: a) An external auditor licensed in the Republic of Kosovo in accordance with the Law on Financial Reporting. b) An external auditor who has at least three (3) years of experience in the field of auditing of financial statements of banks and any other financial institutions or its participating staff which carries out the auditing shall have such an equivalent experience. Article 4 Specific Conditions and Requirements
3. The approval granted to the external auditor is limited to one specific bank and is valid for one financial year.
4. Applications for approval must be submitted to the CBK before 30 June of each year.
5. The bank, together with the application for approval, shall provide the CBK with: a) The proposal of its Audit Committee and its Board of Directors or of the relevant authority of parent bank in case of a branch of a foreign bank, for appointment of the external auditor; b) An audit program for the audit of the bank; c) A description of the use of resources in the audit mission; d) External auditor’s letter of commitment or the contract of supplied service; e) A relevant document that proves sufficient experience of external auditor or its staff which carries out the auditing in the field of audit of banks or other financial institutions; f) A certificate issued from the Kosovo Council for Financial Reporting (KCFR) containing the recent external auditor’s result of the quality for the external auditor (this certificate will not be required by the CBK until the KCFR is able to issue such a certificate); and g) A written declaration of external auditor for meeting the criteria set forth in Article 7 of this Regulation.
6. The audit program and use of resources in the audit mission shall be sufficiently adequate in relation to the character and size of the bank.
7. Continuous employment of the same external auditor is limited to three years or three consecutive audits.

3 Article 5 Good Repute The CBK shall grant approval as an external auditor of a bank to external auditors of good repute who are not engaging in any activity which is incompatible with the external audit function. Article 6 Re-auditing CBK reserves the right to request a re-audit by a different external auditor, at the expense of the bank, to the extent that existing external auditor of the bank has carried out the audit or has submitted a report which is inconsistent with the requirements of the Law on Banks, CBK Regulations, International Standards on Auditing (ISA) and does not reflect the true and accurate financial situation of the bank. Article 7 Professional Ethics External auditors shall be subject to principles of professional ethics defined by the International Federation of Accountants’ “Code of Ethics for Professional Accountants”. Article 8 Independence and Objectivity

1. When carrying out an audit, external auditors shall be independent from the audited entity and shall not in any way be involved in management decisions of the audited entity. External auditors shall not carry out an audit if there is any direct or indirect financial, business, employment or other relationship including the provision of additional non-audit services between the external auditors and the audited entity from which an objective, reasonable and informed third party would conclude that the independence of the external auditor is compromised.
2. Approved external auditors shall also comply with the provisions of the European Union (EU) Commission Recommendation of 16 May 2002 on Statutory Auditors’ Independence in the EU: A Set of Fundamental Principles. Moreover, the CBK will ensure compliance with Chapter IV of EU Directive 2006/43 on statutory audits of annual accounts and consolidated accounts.
3. The external auditors shall document in the audit working papers, all threats to their independence, as well as the safeguards applied to mitigate those threats. Article 9 Independence and Objectivity of Auditors Carrying Out an Audit on Behalf of Audit Firms The owners or shareholders of an approved audit firm, as well as the members of the administrative, management and supervisory bodies of such a firm, or an affiliated firm, shall not intervene in the execution of an audit in any way that might jeopardize the independence and objectivity of the auditor who carries out the audit on behalf of the audit firm.

4 Article 10 Audit Fees

1. Fees for audit services: a) Shall be adequate to allow proper audit quality; b) Shall not be influenced or determined by the provision of additional services to the audited bank; and c) Cannot be based on any form of contingency. Article 11 Requirements for External Auditors when Auditing Annual Accounts External auditors shall carry out all audits of banks in accordance with International Auditing Standards (ISA). Article 12 Audits Content
2. External auditors shall assess whether or not the annual accounts of the bank have been prepared and finalized in accordance with International Financial Reporting Standards (IFRS), the Law on Banks, and CBK Regulations, and whether or not the management of the bank has fulfilled its obligation to ensure proper and clearly set out recording and documentation of the accounting information in accordance with the Law on Banks and CBK Regulations.
3. External auditors shall assess whether or not information in annual reports pertaining to annual accounts, assumptions regarding continued operation and proposals concerning the utilization of surpluses or coverage of losses are in accordance with the Law on Banks and CBK Regulations and whether or not the information is consistent with the annual accounts.
4. External auditors should assess the adequacy of risk management systems of bank, based on the assessment of: a) Compliance with the requirements for the organizational structures with regard to any special risk management; b) Policies and procedures on any special risk management and their implementation; c) Adequacy of identification, measure and monitoring of any special risk; d) Adequacy and efficiency of internal audit system regarding the management of any special risk.
5. Specific risks include: credit risk, market risk, operational risk, liquidity risk and other risks to which banks are exposed.
6. External auditors shall ensure that banks have arranged for satisfactory asset management and that proper internal controls are in place.
7. Audit of banks should cover areas such as the loan portfolio, loan loss reserves, non￾performing assets, asset valuations, trading and other securities activities, derivatives, asset securitizations, and the adequacy of internal controls over financial reporting.

5 7. External auditors shall, through audits, contribute to the prevention and disclosure of irregularities and errors. Article 13 External Auditors’ Duties

1. External auditors shall execute audits to the best of their judgment, including assessing the risk that a material misstatement may be included in the annual accounts due to irregularities or errors.

2. External auditors shall ensure that they have an adequate basis for assessing whether or not any contraventions of the Law on Banks and CBK Regulations have taken place and whether they are material to the annual accounts.

3. External auditors shall check the adequacy, accuracy and completeness of the banks reports presented at the CBK in compliance with the applicable regulatory requirements approved by the CBK. Based on the audit performed, external auditors shall valuate if the reports are conducted in line with the stipulations of the Law on Banks and CBK Regulations and if they reflect in realistic and objective terms the financial position of the bank.

4. External auditors shall point out the following circumstances in writing to the Board of Directors of the banks: a) Deficiencies regarding the duty to ensure proper and clearly laid out recording and documentation of accounting information; b) Errors and deficiencies in the organization and control of asset management; c) Irregularities and errors that may lead to erroneous information in the annual accounts; d) Circumstances that may lead to liability on the part of members of the Board of Directors, General Meeting of Shareholders, or Senior Management. Article 14 Documentation of Assignment As required by ISA 230, “Audit Documentation,” external auditors must document how an audit was carried out, as well as the result of the audit in a sufficient manner. Matters that indicate that irregularities or errors may be present must be documented in a special manner. Article 15 Maintenance of Audit Working Papers Audit working papers shall be prepared and maintained in accordance with relevant ISA. Article 16 External Auditors’ Report

5. External auditors shall prepare an annual audit report with an audit opinion in accordance with IFRS and in cases when there are material differences, they shall also prepare an audit report with an audit opinion in accordance with the Regulation on Credit Risk Management.

6 2. The audit report shall confirm that the audit services have been carried out in accordance with the provisions in the Law on Banks, this Regulation and other relevant CBK Regulations. 3. The audit report shall verify and disclose the following matters: a) Whether or not the annual accounts have been prepared and finalized in accordance with IFRS, the Law on Banks and relevant CBK Regulations, and present a true and fair view of the financial condition and activities of the bank; b) Whether or not the management of the bank has fulfilled its duty to ensure the proper and clearly laid out recordation and documentation of accounting information; and c) Whether or not the information in the annual report related to the annual accounts, assumptions concerning continued operation, and proposals regarding the use of surpluses or coverage of losses, is in accordance with the Law on Banks and relevant CBK Regulations, as well as whether or not the information is consistent with the annual accounts. 4. If the accounts do not provide the information about the result and position of the bank that ought to be provided, external auditors shall stress this, or stipulate the auditor’s reserve opinion and possibly provide necessary supplementary information in the audit report. 5. If external auditors reach the conclusion that accounts should not be finalized in their current form, this shall be distinctly stated. 6. If external auditors, during the performance of the audit, find that circumstances exist that may lead to liability on the part of members of the Board of Directors, General Meeting of Shareholders, or senior management, this shall be remarked upon in the audit report. External auditors shall also provide other information about circumstances that they believe should be known to the participants in, or shareholders of, the bank. 7. External auditors should assess the implementation of recommendations provided by the external auditors for the previous financial year. 8. External auditors who audit the annual accounts of a parent company of the bank shall prepare a separate auditor’s report for the group, as required by ISA. The provisions of paragraph 1 to 7 of this Article equally apply to the group’s audit report. Article 17 Management Letter

1. External auditors shall, in accordance with the Law on Banks and relevant CBK Regulations, produce a final management letter to the bank at the conclusions of the audit process. The management letter shall include any conclusions the external auditor may have reached on the activity or the financial situation of the bank, and information on the diligences they have performed in the scope of the audit mission.
2. In the final management letter, the external auditors shall make a specific statement concerning the internal controls system in order to provide specific assurance on, and for the purpose of disclosing material matters in, the internal control structure. The specific statement shall also include comments on the internal audit function.

7 Article 18 Confidentiality

1. External auditors and external auditors’ co-workers have a duty of confidentiality regarding everything of which they have gained knowledge through their activities unless otherwise stipulated by law, or the person the information concerns has consented the duty of professional secrecy does not apply. External auditors and external auditors’ co-workers may not use such information in their own activities or in the service or employment of others.
2. Without limitations by the paragraph 1 of this Article or an agreed duty of confidentiality, external auditors are allowed to submit explanations and present documentations regarding an audit assignment when required by the Legislation in force in the Republic of Kosovo.
3. The duty of confidentiality continues to apply after the assignment has been concluded. Article 19 Duty to Inform
4. External auditor shall, within the framework of an assignment, provide information about matters regarding the bank that the external auditor has become aware of during the audit when this is required by general meeting of shareholders, Board of Directors, senior management, an audit committee or by a person authorized by the CBK.
5. The external auditor shall, immediately communicate to the Audit Committee or Board of Directors of the bank any matters of governance interest which comes to the attention of the auditor during his performance of the audit. The external auditor shall immediately report to governance bodies of the bank and the CBK when the auditor, during the performance of the audit of the bank, establishes that: a) Information exists that indicates a failure to fulfill a requirement for a license from the CBK; b) A serious conflict exists within the decision-making bodies or a manager in a key function unexpectedly departed; c) Information exists that may indicate a material breach of Laws, Regulations, Instructions and Orders of CBK as well as charter and by-laws of banks; or d) The intention of the internal auditor to resign or the removal of the internal auditor and material or adverse changes in the risks of the bank’s business and possible risks going forward.
6. External auditor shall, upon request from the CBK, provide the CBK with any information, during the full audit mission, concerning to its performance of audit services to a bank.
7. The CBK maintains regular contacts and can initiate meetings with external auditor of banks in any time when such contacts are deemed necessary. Article 20 Quality Control and Its Review
8. External auditors approved by the CBK shall apply adequate quality control policies and procedures that address all significant aspects of the audit.

8

2. External auditors approved by the CBK shall be subject to quality assurance review from the CBK.

3. The quality review of an approved external auditor shall cover one specific audit assignment, and shall be executed by the CBK or by one reviewer designated by the CBK.

4. During the quality review, the CBK or the reviewer shall determine the extent to which the external auditor has adequate quality control policies and procedures that address all significant aspects of auditing. During the review, the CBK or the reviewer shall have access to the working papers of the external auditor as far as necessary to conduct a sufficient and adequate quality control.

5. Concerning obligations on confidentiality, Article 18 of this Regulation applies equally to the CBK and the quality reviewer.

6. Aggregate results of the quality assurance review shall be published by the CBK, including recommendations, follow up of recommendations and, if the case arises, sanctions. Article 21 Dismissal and Resignation

7. External auditors of banks may only be dismissed where there are proper grounds. Divergence of opinions on accounting treatments or audit procedures shall not be a proper ground for dismissal.

8. Both the audited banks and the external auditors shall inform the CBK about the dismissal or resignation and shall give an adequate explanation of the reasons thereof. Article 22 Revoking of Approval Approval of an external auditor shall be revoked if the good repute of that audit firm has been seriously compromised or any of the requirements of this Regulation are no longer fulfilled. Article 23 Enforcement, Remedial Measures and Civil Penalties

9. If external auditors of banks have contravened the auditor’s duties pursuant to the Law on Banks, this Regulation and other relevant CBK Regulations, the CBK can impose a written warning to the external auditor with a copy to the bank.

10. If the circumstances described with paragraph 1 of this Article are repeated, the CBK has the right to refuse the approval of the external auditor from performing audits of financial institutions licensed from the CBK to operate in the Republic of Kosovo or, to take measure in accordance with paragraph 3 of Article 54 of the Law on Banks.

11. The CBK may impose civil penalties in accordance with paragraph 3 of Article 82 of the Law on Banks.

9 Article 24 Abrogation Upon the entry into force of this Regulation, it shall abrogate the Amended Rule on External Auditing and External Auditors of Financial Institutions adopted on February 18, 2008, and any other provisions that may be in conflict with this Regulation. Article 25 Entry into Force This Regulation enters into force on December 03, 2012. The Chairman of the Board of the Central Bank of the Republic of Kosovo

---

Gazmend Luboteni