2017-06-29

Regulation on Internal Controls and Internal Auditing of Pension Funds

The Central Bank of the Republic of Kosovo issued this regulation to establish mandatory principles for organizing and operating internal controls and audit functions within licensed pension funds. It mandates governing boards and senior managers to implement robust risk assessment, fraud prevention, financial reporting, and control activity frameworks while ensuring an independent internal audit function with clearly defined competencies, direct reporting lines to the Audit Committee, and a formalized audit statute. The regulation applies to the Kosovo Pension Saving Trust and supplementary pension funds, requiring annual reviews of control systems, continuous risk monitoring across all operational levels, and strict compliance with ethical standards to safeguard pension assets.

Kosovo

Central Bank of the Republic of Kosovo

Pursuant to Article 35, paragraph 1, subparagraph 1.1, of Law no. 03/L-209 on the Central Bank of the Republic of Kosovo (Official Gazette of the Republic of Kosovo, no. 10/16 August 2010), Article 4, paragraph 4.1, Article 13, paragraph 13.1, sub-paragraph (a), relating also to Article 15, paragraph 15.7, sub-paragraph (e), Article 20, paragraph 20.1, sub-paragraph (a), and Article 22, paragraph 22.7, sub-paragraph (e) of Law no. 04 / L-101 on Pension Funds of Kosovo (Official Gazette of the Republic of Kosovo, No. 10/8 May 2012), and pursuant to Article 11 of Law no. 05 / L-116 on Amending and Supplementing the Law no. 04 / L-101 on the Pension Fund of Kosovo, as amended and supplemented by Law no. 04 / L-115 and Law no. 04 / L-168, the Central Bank Board at its meeting held on 29 June 2017 approved the following:

REGULATION ON INTERNAL CONTROLS AND INTERNAL AUDITING OF PENSION FUNDS

Article 1 Aim and Scope

  1. The aim of this Regulation is to provide basic principles on the organization and functioning of internal controls and internal audit function of Pension Funds.
  2. This Regulation applies to the Kosovo Pension Saving Trust, Supplementary Pension Funds from Employers and Individual Supplementary Pensions Funds (hereinafter: Pension Funds) licensed by the CBK to operate in the Republic of Kosovo.

Article 2 Definitions

  1. All terms in this Regulation shall have the same meaning as the terms defined in Article 1 of Law no. 04 / L-101 on Pension Funds of Kosovo or as given by the following definitions for the purposes of this Regulation:

     "Internal Audit Function" - means an independent, objective and advisory activity, established for enhancing values and improving the operations of the Pension Fund. This function assists the Pension Fund in achieving its objectives by providing a systematic and disciplined approach in assessing and improving the efficiency of risk management, control and governance processes.

     "Internal control system" - means a process influenced by the governing board, senior managers and other staff, established to provide reasonable assurance regarding the effectiveness and efficiency of operations, protection of pension assets, reliability of reporting and compliance with applicable laws and regulations.

     "Competence" - means possession and use of knowledge, necessary skills and experience in exerting the audit activity.

     "Integrity" - means honesty, objectivity, skill and avoidance of conflict of interest while exerting their function.

     "Independence and objectivity" - means that the activity of internal audit shall be independent and internal auditors shall be objective during the performance of their work.

     "Senior Managers" - means the managing directors, deputy managing directors.

     "Management" - means those who are not senior managers, but who have a leading position or have on their dependence some personnel that they manage.

     "Operational Risk" - means the risk that results from inadequate or inappropriate internal processes caused by people, systems and external events. Operational risk includes legal risk, but excludes strategic and reputational risk. Legal risk includes, but is not limited to, exposure to fines, punishments or punitive measures resulting from the actions of supervisors, as well as any other type of agreement with the parties individually. Although the reputation risk and strategic risk are not easily identifiable, the Pension Fund is expected to develop techniques to manage all aspects of risk.

Article 3 Requirements for internal controls

  1. The Governing Board and senior managers of the Pension Fund shall ensure the establishment of a sound internal system of control with a view to maintaining sound financial reporting, enforcement of internal policies, prevention of losses, development of prudent operation and promotion of stability in the financial system of the Republic of Kosovo.
  2. The purposes of the internal control system shall be to prevent fraud, abuse and misconduct and reduce other risks faced by the Pension Fund, which will:
     2.1. ensure the development of Pension Fund activities in accordance with the applicable legal acts and subordinate legislation as well as the implementation of the internal acts adopted by the managing bodies of the Pension Fund;
     2.2. ensure the identification, measurement and monitoring of the level of risks, as well as their effective prevention and management;
     2.3. provide adequate, accurate and reliable information on the financial condition of the Pension Fund, as well as administration under the Pension Fund Procedures;
     2.4. ensure monitoring of the implementation of Pension Fund policies, assessing the degree of achievement of the objectives stated in these policies;
  3. An effective system of internal control shall consist of the following interrelated components:
     3.1. supervision by the governing board and senior managers;
     3.2. risk knowledge and assessment;
     3.3. control of activities and division of tasks;
     3.4. information and communication; and
     3.5. monitoring activities and correcting deficiencies.

Article 4 Supervision by the governing board and senior managers

  1. The governing board and senior managers are responsible for supporting high standards of ethics and integrity, and for ensuring that all personnel understand their role in the internal control process and are fully involved in this process.
  2. The Governing Board shall have the ultimate responsibility to ensure that the management of the Pension Fund has installed a sufficient, efficient and effective system of internal control and to assess the performance of the internal control system at least once a year.
  3. The specific tasks of the Governing Board in the field of internal control are:
     3.1. approve and review, at least on an annual basis, important Pension Fund policies;
     3.2. ensure the establishment and maintenance of an appropriate and effective internal control system, which should be reviewed at least once a year;
     3.3. approve policies for determining the limits of competencies, delegating them and allocating responsibilities to Pension Fund employees;
     3.4. approve internal policies for risk monitoring and assessment of the effectiveness of procedures and methods for their administration;
     3.5. provide means of reporting deficiencies identified in the internal control system of the Pension Fund;
     3.6. approve the Code of Ethics and the policies or procedures for handling conflicts of interest for Pension Fund employees; and
     3.7. establish the Audit Committee according to the requirements of Article 11 of Law no. 05 / L-116 on Amending and Supplementing the Law no. 04 / L-101 on Pension Funds of Kosovo, as amended and supplemented by Law no. 04 / L-115 and Law no. 04 / L-168.
  4. Senior managers are responsible for the organizational and procedural controls of the Pension Fund by ensuring the integrity of internal controls and by establishing an effective management team that is characterized by an adequate culture and responsibility.
  5. Specific tasks of senior managers in the field of internal control are:
     5.1. implement the strategy and policies approved by the Governing Board;
     5.2. develop processes that identify, measure, supervise and control the risks caused by the Pension Fund;
     5.3. maintain an organizational structure, which clearly defines the responsibilities, authority and reporting relationships;
     5.4. ensure that delegated responsibilities are effectively met, establishing appropriate policies of internal control and monitoring the adequacy and effectiveness of the internal control system;
     5.5. ensure that contracted services of any kind are with reputable companies, which have an appropriate internal control system. Contracts for these services should stipulate that external auditors, internal auditors and CBK examiners will have access to any kind of documentation or source of information or system that may be required in the performance of their respective functions.

Article 5 Knowing and assessing risk

  1. All material risks that may have an adverse impact on achieving the goals of the Pension Fund should be recognized and evaluated continuously. This assessment should cover all the risks faced by the Pension Fund (including investment risk, governmental risk and transfer risk, market risk, liquidity risk, operational risk and reputation risk).
  2. Internal controls should be reviewed at least once a year to properly address any new risk that was previously uncontrolled.
  3. Risk assessment should identify and take into account internal factors (such as the complexity of the organizational structure, the nature of pension fund activities, the quality of staff, organizational changes and staff movements) as well as external factors (such as changes in economic conditions, changes in the industry and technological advances) that may adversely affect the achievement of the Pension Fund's goals.
  4. Risk assessment must be carried out at all levels of Pension Fund activities. This assessment should address measurable and non-measurable aspects of risk and should weigh the costs of controls against the benefits they provide.

Article 6 Control of activities and division of tasks

  1. Senior managers should establish an appropriate control structure with the control activities well defined at each level, including top-level reviews, appropriate control activities for different units and departments, physical control, control for compliance with exposed limits and non-compliance tracking, a system of approvals and authorizations, and a system of verifications and co-ordination.
  2. Control activities include the establishment of control policies and procedures and verification if these policies and procedures are being implemented.
  3. Control activities should include all levels of pension fund staff, from the Managing Director to the first line staff.
  4. Tasks should be appropriately distributed, and personnel shall not be assigned responsibilities that may result in a conflict of interest. Areas of potential conflicts of interest need to be identified, minimized and be subject to careful, independent monitoring, especially in those cases related to the approval and payment of transactions for the operation of pension funds, the evaluation and monitoring of the selection of funds for investments or institutions where the pension assets are allocated, and any other area where significant conflicts of interest arise and which are not diminished by other factors.

Article 7 Information and communication

  1. Management shall collect, record and maintain adequate and comprehensive financial, operational and compliance internal data as well as external market information about events and conditions that are relevant to decision-making. The information must be reliable, timely and accessible, and kept in a sustainable format.
  2. Reliable information systems should be set up to cover all important activities of the Pension Fund. These systems, including those that keep and use data electronically, shall be secured, independently monitored and supported by adequate emergency plans.
  3. Management shall maintain effective communication channels to ensure that staff understands and fully supports policies and procedures that affect their duties and responsibilities and that other relevant information is communicated to the appropriate staff.

Article 8 Monitoring activities and correcting deficiencies

  1. The overall development and effectiveness of internal controls on Pension Funds should be continuously monitored by management. Main risk monitoring should be part of day-to-day activities. The decisions adopted regarding internal control shortcomings shall be recorded in the minutes of the Governing Board meetings.
  2. Pension Funds, through internal rules should establish clear lines of responsibility for each activity. Review of these rules should be made on an annual basis and any deficiencies should be reported to management, audit committee and governing board.
  3. Internal control of the Pension Fund is supplemented by internal audit, which assesses the internal control system of the Pension Fund.

Article 9 Internal Audit Function

  1. Internal audit, as an independent process and activity from its standpoint, assesses the functioning of the internal control system and compliance with the policies and procedures of the Pension Fund. The audit process assists senior management and board to fulfil their responsibilities.
  2. General principles of internal audit functioning – The internal audit should be exercised and based on the principles of:
     2.1. Impartiality, which means the objective, transparent and true reflection of all facts and circumstances related to the activity of the audited public entity, without being influenced by personal interest or views of third parties;
     2.2. Integrity, which means honesty, objectivity, ability, avoidance of conflicts of interest while exerting audit activity;
     2.3. Independence and objectivity, which implies independence while exerting the audit activity and the provision of objective opinions and judgments in carrying out audits;
     2.4. Professionalism and continuous professional upgrading, which requires the implementation of standards with the right professional care, as well as continuous efforts for professional formation and development, raising and improving the knowledge of any auditor.
  3. The scope of the internal audit function should include:
     3.1. auditing and evaluating the adequacy and effectiveness of internal control systems;
     3.2. reviewing and evaluating the implementation of risk management procedures and risk assessment methodologies;

     3.3. review management systems and financial information systems, including electronic information system and electronic services of the Pension Fund; reviewing the accuracy and reliability of accounting records and financial reports;
     3.4. review of the Pension Fund System for its capital valuation related to risk assessment;
     3.5. reviewing and evaluating the means of asset retention;
     3.6. review of established systems to ensure compliance with legal and regulatory requirements, code of conduct and implementation of policies and procedures; and
     3.7. testing of the reliability and timeliness of regulatory reporting and performing specific audit tasks shall be made on a quarterly basis.
  4. Management is responsible for ensuring that internal audits are kept fully informed about new developments in international financial markets or domestic markets, performance of investment funds, and operational changes, etc.
  5. Each Pension Fund should have a permanent and independent audit function in order to fulfil its duties and responsibilities. The Governing Board shall be responsible for ensuring the independence of the audit function and for sufficient material and human resources be available for the proper performance of their functions and duties.
  6. The internal audit function should be independent of the audited activities and of the day-to-day internal control processes. The head of the internal audit function should have the authority to communicate directly and on his or her own initiative with the governing board or through the audit committee, which will also decide on his / her compensation.
  7. The Pension Fund must have a written audit statute stating the position and authority of the internal audit function within the institution, which must contain at least:
     7.1. objectives and scope of the internal audit function;
     7.2. position of the head of the internal audit function within the Pension Fund;
     7.3. its powers and relations with other control functions; and
     7.4. the responsibility of the head of the internal audit function.
  8. The statute of audit and any amendments thereto shall be made on a proposal from the audit committee and approved by the governing board of the Pension Funds. The statute of audit should be periodically reviewed by the internal audit function.
  9. The statute of audit shall determine full competences regarding the access and communication of each member or staff; examine any activity or unit, providing access to data, records, management information and minutes of all consultative and decision-making bodies, whenever it is important for performance of his duties.
  10. The statute should specify the terms and conditions in which the internal audit function may be called upon to provide consultative or advisory services or to fulfil other specific tasks.

  11. Members of the internal audit function must at least fulfil the qualities and capabilities as described below:
     11.1. professional ability to implement and follow procedural standards and audit techniques;
     11.2. knowledge and experience regarding International Financial Reporting Standards; and
     11.3. knowledge of the principles of risk management and prudential techniques of internal audit of the financial institution.
  12. The head of the internal audit function shall be of a high ethical and professional reputation, with experience in the field of audit.
  13. The head of the audit function should prepare an audit plan for assignment and performance of duties, which will be proposed by the audit committee and approved by the board of the Pension Fund. This plan shall include in detail the duration and frequency of planned internal audit work, the resources needed in terms of personnel, and should be based on an assessment of internal controls and on a written estimate of material risks updated yearly.
  14. The reports of the internal audit department shall be presented to the audit committee, and shall contain the findings and recommendations as well as the responses of senior managers.
  15. Reports and working papers must be kept for at least five years.
  16. The internal audit department shall follow up its recommendations to verify whether they have been implemented.

Article 10 Contracting internal audit in specific cases

  1. The Pension Fund, in specific cases, may contract a qualified professional to conduct internal audit for specific areas and activities, when the Pension Fund lacks professional staff or specialized resources in the respective fields.
  2. Notwithstanding the contractual terms, the governing board and senior managers shall remain ultimately responsible for ensuring that the internal audit function is adequate and operates effectively.

Article 11 Implementation and remedial measures

Violations of the provisions of this Regulation shall be subject to the measures provided for in Article 33 of the Law on Pension Funds.

Article 12 Entry into force

This Regulation shall enter into force 15 days after its approval from the Central Bank of the Republic of Kosovo.

Chairman of the Board of Central Bank of Kosovo
Prof. Dr. Bedri Peci