Based on Article 35, paragraph 1.1 of Law No. 03/L-209 on the Central Bank of the Republic of Kosovo (Official Gazette of the Republic of Kosovo, No. 77 / August 16, 2010) and Articles 98, 103, and 114 of Law No. 04/L-093 on banks, microfinance institutions, and non-bank financial institutions (Official Gazette of the Republic of Kosovo, No. 11 / May 11, 2012), the Board of the Central Bank of the Republic of Kosovo, in its meeting held on August 29, 2013, approved the following:
REGULATION ON INTERNAL CONTROLS AND THE FUNCTIONING OF INTERNAL AUDIT IN MICROFINANCE INSTITUTIONS
Article 1
Purpose and Scope
- The purpose of this regulation is to define the basic principles regarding the organization and operation of internal controls by microfinance institutions (hereinafter: MFI).
- This regulation applies to all MFIs, as well as foreign branches of MFIs registered by the Central Bank of Kosovo (CBK) to operate in the Republic of Kosovo.
Article 2
Definitions
- All terms used in this regulation have the same meaning as the following definitions for the purpose of this regulation:
a. Foreign MFI branch or branch of another foreign financial institution (hereinafter: foreign MFI branch) means a legal entity, which has its main seat and is licensed to conduct microfinance activities in another jurisdiction besides the Republic of Kosovo;
b. Internal control system means the process influenced by the Board of Directors, senior management, and other personnel, established to provide reasonable assurance regarding the achievement of effectiveness and efficiency of operations, reliability of reporting, and compliance with applicable laws and regulations.
c. Internal Audit Function is an independent, objective, and advisory activity established to add value and improve the operations of the MFI. This function helps achieve objectives by providing a systematic and disciplined approach to assessing and improving the efficiency of risk management, control, and governance processes.
d. Senior Manager - the chief executive officer, chief financial officer, chief operating officer, chief risk officer, and any person, other than a director, who: (i) reports directly to the board or participates or has authority to participate in key policymaking functions of the MFI, regardless of whether that person holds an official title or receives compensation for such activities; and (ii) is designated as a senior manager by the CBK. In cases where a foreign MFI registers with the CBK to operate one or more branches in Kosovo, the manager of the main branch in Kosovo shall be considered a member of senior management;
Article 3
Requirements
- MFIs must provide an effective internal control system aimed at preventing losses, maintaining reliable financial and management reporting, expanding their mature operations, and promoting stability in the financial system of the Republic of Kosovo.
- The CBK requires MFIs to have an effective internal control system that is consistent with the nature, complexity, and potential risk of on-balance-sheet and off-balance-sheet activities, and that responds to changes in their environment and conditions.
- The objectives of the internal control system must be the prevention of fraud, mismanagement, and erroneous actions, and the reduction of other risks faced by the MFI, which will:
a. Promote efficiency and effectiveness of activities and measures that protect the MFI in the use of assets and other resources, and protect it from losses;
b. Ensure reliability and accuracy of financial and management information, so that senior managers, directors, shareholders, external parties, and supervisors can rely on them for decision-making; and
c. Ensure compliance with applicable laws and regulations.
- An effective internal control system consists of the following interrelated components:
a. Governance, oversight, and control culture;
b. Risk identification and assessment;
c. Control of activities and segregation of duties;
d. Information and communication; and
e. Monitoring of activities and correction of deficiencies.
Article 4
Oversight and Control Culture
The Board of Directors and senior administrators are responsible for promoting high standards of ethics and integrity and establishing a culture within the organization that emphasizes and demonstrates the importance of internal controls for all levels of personnel. Senior managers must ensure that all personnel understand their role in the internal control process and are fully involved in it.
- Responsibilities of the Board of Directors
- The Board of Directors is responsible for directing, leading, and overseeing MFIs and ensuring that entity operations are carried out in the best interest of the institution. The Board has a duty to act with care in fulfilling its leadership and oversight role over management activities, ensuring that daily operations are handled by qualified, honest, and competent management.
- Specific duties of the Board of Directors regarding internal controls include:
a. Approving and reviewing, at least annually, comprehensive business strategies and key institutional policies;
b. Establishing the MFI's structure and administration, including its operational and administrative units, sub-units, functions, supervisory positions, and relationships;
c. Establishing the Audit Committee in accordance with Article 98 of Law No. 04/L-093 and ensuring its function;
d. Understanding the main risks faced by the institution, setting acceptable levels for these risks, and ensuring that senior management oversees the effectiveness of the internal control system;
e. Reviewing, at least once a year, the internal control system and the internal audit function;
f. Ensuring that an effective internal control system is established and maintained.
- Responsibilities of Senior Management
- Senior managers are responsible for the organizational and procedural controls of MFIs and, to fulfill this responsibility, ensure the integrity of internal controls and establish an effective management team characterized by a control culture responsible for fulfilling its duties;
- Specific internal control duties of senior managers include:
a. Implementing strategies and policies approved by the Board of Directors;
b. Developing processes that identify, measure, oversee, and control risks caused by the institution;
c. Maintaining an organizational structure that clearly defines responsibilities, authority, and reporting relationships;
d. Ensuring delegated responsibilities are fulfilled effectively, establishing appropriate internal control policies, and monitoring the suitability and effectiveness of the internal control system;
e. Ensuring that contracted services are provided by licensed companies with an appropriate internal control system. Contracts for these services must specify that external auditors, internal auditors, and CBK examiners have access to any documentation, information source, or system that may be required in performing their respective functions.
Article 5
Risk Identification and Assessment
- All material risks that may have an adverse impact on achieving the MFI's objectives must be identified and continuously assessed. This assessment must cover all risks faced by the MFI (including credit risk, liquidity risk, operational risk, and reputation risk).
- Internal controls must be reviewed at least annually to properly address any new or previously uncontrolled risks.
- Effective risk assessment must identify and consider internal factors (such as organizational structure complexity, nature of activities, personnel quality, organizational changes, and staff movements) as well as external factors (such as changing economic conditions, industry shifts, and technological advancements) that may affect the achievement of institutional objectives.
- Risk assessment must be conducted at all levels of individual businesses and across a wide spectrum of activities. Risk assessment must address measurable and non-measurable aspects of risk and weigh the costs of controls against the benefits they provide.
- The risk assessment process will include evaluating risks to determine which are controllable by the institution and which are not. For controllable risks, the MFI must assess whether to accept them or the extent to which it wishes to reduce risks through controlling procedures. For uncontrollable risks, the institution must decide whether to accept them, withdraw, or reduce the level of business activities related to these risks.
Article 6
Control of Activities and Segregation of Duties
- Control activities must be an integral part of the daily activities of the MFI. Senior management must establish an appropriate control structure, with control activities defined at each business level, including: senior-level reviews, appropriate control activities for various departments and units, physical controls, compliance checks against exposure limits and monitoring of exceptions, an approval and authorization system, and a verification and coordination system.
- Control activities must be designed and implemented to address risks identified by the MFI through the risk assessment process. Control activities must include two steps:
• establishment of control policies and procedures, and
• verification that these policies and procedures are being implemented.
- Control activities must involve all levels of institutional personnel, from senior management to first-line staff.
- Duties must be properly distributed, and personnel should not be assigned responsibilities resulting in conflicts of interest. Potential conflict areas must be identified, minimized, and subject to careful and independent oversight, particularly in cases related to fund approval and payment, assessment of client and private accounts, supervision of loans, and any other field where significant conflicts of interest arise and are not mitigated by other factors.
Article 7
Information and Communication
- Management must collect, record, and maintain adequate and comprehensive internal financial, operational, and compliance data, as well as external market information related to events and conditions relevant for decision-making. Information must be reliable, timely, accessible, and maintained in a stable format;
- Reliable information systems must be in place and adequate to cover all significant activities of the MFI. These systems, including those that store and use electronic data, must be secured, independently overseen, and supported by adequate contingency plans;
- Management must maintain effective communication channels to ensure that staff fully understand and support the policies and procedures affecting their duties and responsibilities, and that other relevant information is communicated to the appropriate personnel.
Article 8
Monitoring of Activities and Correction of Deficiencies
- The overall effectiveness of the MFI's internal controls must be continuously monitored by management. Monitoring of key risks must be part of the daily activities of all operational and business fields of the MFI. Board of Directors meeting minutes must record adopted decisions regarding internal control deficiencies;
- Internal regulations must establish clear lines of responsibility for each operational and business field. Periodic and separate reviews must be conducted by operational and business fields, reporting internal control deficiencies at specified time intervals to the appropriate management level, and addressed accurately. Material deficiencies in internal control must be reported to senior management, the Audit Committee, and the Board of Directors;
- Adequate internal control within MFIs must be complemented by an effective internal audit function, which independently evaluates the institution's control system. A comprehensive and effective internal audit of the internal control system must be conducted by operationally independent, properly trained, and competent staff;
Article 9
Internal Audit Function
- The internal audit function is part of a continuous monitoring system of the covered institution's internal control system, which ensures an independent assessment of adequacy and compliance with established institutional policies and procedures. As such, the internal audit function assists senior management and the Board of Directors in effectively fulfilling their responsibilities. Each MFI must have an internal audit department, or this function may be performed by contracted external/internal auditors, which are overseen by the Audit Committee.
- The scope of the internal audit function must include:
a. Examination and assessment of the suitability and effectiveness of internal control systems;
b. Review of the application and effectiveness of risk management procedures and risk assessment methodologies;
c. Review of management and financial information systems;
d. Review of the accuracy and reliability of accounting records and financial reports;
e. Review of asset preservation methods;
f. Testing of transactions and functioning of specific internal control procedures;
g. Review of systems established to ensure compliance with legal and regulatory requirements, code of conduct, and implementation of policies and procedures;
h. Testing the reliability and accuracy of regularly submitted regulatory reports; and
i. Performance of specific audit duties.
- Senior management is responsible for ensuring that the internal audit department remains fully informed regarding new developments, initiatives, products, and operational changes.
- Each MFI must have a permanent and independent audit function to fulfill its duties and responsibilities. The Board of Directors must ensure the independence of the audit function and that sufficient material and human resources are available for adequate performance of its functions and duties. The Board of Directors appoints the Audit Committee, as well as the head of internal audit or contracted internal audit.
- The internal audit function must be independent from audited activities and daily internal control processes. The head of the internal audit department must have the authority to communicate directly and on his/her own initiative with the Board of Directors or through the Audit Committee, which also decides on his/her compensation.
- The decision regarding the resignation or dismissal of the head of the internal audit department and its reasons shall be communicated to the CBK within seven working days after the decision;
- Each MFI must have a written audit charter expressing the position and authority of the internal audit function within the institution.
a. The legal instrument of internal audit must contain at least these elements:
i. Objectives and scope of the internal audit function;
ii. Position of the Internal Audit Department within the organization, its powers, responsibilities, and relationships with other control functions;
iii. Responsibility of the head of the Internal Audit Department.
b. The audit charter must be drafted and periodically reviewed by the Internal Audit Department; it must be approved by the Audit Committee and subsequently confirmed by the Board of Directors as part of its oversight role;
c. The audit charter must grant the internal audit mandate with the right to initiate, as well as authorize it to have access and communicate with any member or staff, examine any activity or entity of the MFI, and have access to any register, file, or data, including management information and minutes of all consultative and decision-making bodies, whenever important for performing its duties;
d. The charter must specify terms and conditions under which the Internal Audit Department may be called upon to provide advisory services or perform other specific duties.
- The professional competence of each internal auditor and the internal audit function as a whole, which will vary depending on the size and complexity of MFI operations, is essential for adequate functioning of the internal audit function.
a) Members of the Internal Audit Department must meet qualities and skills as described in one of the following provisions:
i. Professional ability to implement and apply procedural standards and audit techniques in operational fields of the covered institution;
ii. Knowledge and/or experience with International Financial Reporting Standards;
iii. Knowledge of risk management principles and established internal audit techniques of the covered institution;
b) The head of the Internal Audit Department shall be selected as an individual with high ethical and professional reputation and adequate experience in the field of audit.
- The head of the Internal Audit Department must prepare an audit plan for determining and performing duties, which will be approved by the Supervisory Board or Audit Committee. This approval implies that the covered institution will provide necessary resources for the Internal Audit Department.
a) The annual audit plan must include in detail the duration and frequency of planned internal audit work, necessary