Regulation on Audit in Pension Insurance Companies (NN, Nos. 131/24 and 139/25)

Croatian Financial Services Supervisory Agency (HANFA), 10000 Zagreb, Franje Račkoga 6, P.O. Box 164, Croatia t: 01 6173 200, f: 01 4811 507, e: info@hanfa.hr, OIB: 49376181407, MB: 02016419, w: www.hanfa.hr REGULATION ON AUDIT IN PENSION INSURANCE COMPANIES (Official Gazette, Nos. 131/24 and 139/25)

Introductory Provisions Article 1. (NN 139/25) By this Regulation, the Croatian Financial Services Supervisory Agency (hereinafter: HANFA) prescribes:

1. the scope and content of the audit in a pension insurance company for HANFA's purposes, performed by an auditing firm under Articles 100.a and 100.f of the Act on Pension Insurance Companies (Official Gazette, Nos. 22/14, 29/18, 115/18, 156/23, 52/25, hereinafter: the Act),
2. the method and deadlines for submitting the audit report for HANFA's purposes,
3. the assessments and grounds for rejecting an auditor's assessment.

Article 2. (1) The management of a pension insurance company is obliged to make all necessary documentation available to the auditing firm and allow it access to accounting books, files, and computer printouts. The pension insurance company must enable auditors access to business and working premises. (2) For the purpose of conducting the audit, the pension insurance company is obliged to provide the auditing firm with appropriate premises and equipment. If data entry or storage was performed using computer processing, the pension insurance company must, at its own expense and within a reasonable time, make available to the auditing firm equipment necessary for reading documentation and, if necessary, ensure clear permanent prints in the required number of copies.

Article 3. (1) For the purposes of this Regulation, audit refers to an audit for HANFA's purposes. (2) The auditing firm performing the annual financial statements and consolidated annual financial statements for the business year to which the audit relates is obliged to prepare an audit report for HANFA's purposes for that business year. (3) The auditing firm is obliged, after completing the audit, to prepare a letter of recommendations for management and submit it to the management of the pension insurance company and HANFA together with the report from paragraph 2 of this article. (4) Exceptionally, under paragraph 2 of this article, the verification and assessment of the state of the information system and the adequacy of its management for a specific pension insurance company may be performed by an auditing firm different from the one performing the statutory audit of that pension insurance company.

Scope and Content of Audit and Auditors' Assessments Article 4. (NN 139/25) (1) The audit is a procedure for verifying and assessing the correctness, accuracy, and completeness of:

1. annual supplementary reports submitted to HANFA in accordance with the Regulation on the Structure and Content of Financial and Supplementary Reports of a Pension Insurance Company,
2. year-end reports submitted to HANFA in accordance with the Regulation on Permitted Investments and Investment Limits of Assets for Covering Technical Provisions of a Pension Insurance Company,
3. year-end reports submitted to HANFA in accordance with the Regulation on Capital Adequacy of a Pension Insurance Company. (2) The auditing firm is obliged to verify the correctness, accuracy, and completeness of the reports from paragraph 1 of this article by assessing whether these reports are prepared in accordance with the Act and regulations adopted under the Act, and whether comparable items are aligned with the audited annual financial statements. (3) The audit report for HANFA's purposes consists of the following reports:
4. Report on the State and Changes in Technical Provisions,
5. Report on the State and Structure of Asset Investments for Covering Technical Provisions,
6. Report on Compliance with Capital Adequacy Conditions,
7. Report on the Method of Keeping Accounting Books,
8. Report on the Correctness and Completeness of Notifications and Reports Submitted to HANFA,
9. Report on Compliance with Risk Management Rules, and
10. Report on the State of the Information System and Adequacy of Information System Management.
11. Report on the Performance of Key Functions. (4) The auditor's assessment is descriptive and ranges from fully satisfactory to completely unsatisfactory, determined according to the following criteria:
12. fully satisfactory – without remarks for the area under verification and assessment, and without remarks regarding the pension insurance company's procedures in relation to the auditor's recommendations from previous years,
13. satisfactory – minor deficiencies that do not have a significant impact on the area under verification and assessment, and/or regarding the pension insurance company's procedures in relation to the auditor's recommendations from previous years,
14. unsatisfactory – significant deficiencies identified for the area under verification and assessment, requiring special monitoring, for which the auditor has issued recommendations,
15. completely unsatisfactory – identified problems that affect the operating results, financial position, and solvency of the pension insurance company, and which may jeopardize its future operations.

Report on State and Changes in Technical Provisions Article 5. (1) The auditing firm is obliged to verify and assess the state and changes in technical provisions, for which it must prepare a Report on State and Changes in Technical Provisions. (2) The report from paragraph 1 of this article must contain at least: – the state of technical provisions at the beginning and end of the year, as well as changes during the year, – a description of the methods applied by the pension insurance company for forming technical provisions (if the pension insurance company changed the calculation method, the auditor must clarify the change and its effect on financial results and position), – auditor's recommendations with identified weaknesses and risks arising from the method of forming technical provisions, – statements regarding the pension insurance company's procedures in relation to the auditor's recommendations from previous years, – an independent authorized actuary's opinion on the state of technical provisions, which must include an assessment of the state of technical provisions and reasons for a positive opinion, qualified opinion, or negative opinion, – the auditor's assessment from Article 4, paragraph 4 of this Regulation. (3) The report from paragraph 1 of this article is prepared separately for technical provisions for mandatory pension insurance, respectively business under Article 9, paragraph 1, point 1 of the Act; separately for voluntary pension insurance, respectively business under Article 9, paragraph 1, points 2, 3, and 4 of the Act; and separately for other business related to pension insurance business under Article 9, paragraph 1, point 5 of the Act. (4) The independent authorized actuary from paragraph 2, line 5 of this article is a person meeting the conditions prescribed by Article 55 of the Act, with the exception that she/he is not employed in the pension insurance company or an affiliated entity of the pension insurance company whose reports are subject to audit under Article 3, point 32 of the Act.

Report on State and Structure of Asset Investments for Covering Technical Provisions Article 6. (NN 139/25) (1) The auditing firm is obliged to verify and assess the state and structure of asset investments for covering technical provisions, for which it must prepare a Report on State and Structure of Asset Investments for Covering Technical Provisions. (2) The report from paragraph 1 of this article must contain at least: – a brief description of the state and structure of asset investments for covering technical provisions with a comparative tabular presentation of technical provisions, – the state of asset investments for covering technical provisions at the beginning and end of the year, as well as changes during the year, – auditor's recommendations with identified weaknesses and risks, with special attention to investments in financial derivatives under Article 92, paragraph 1, point 15 of the Act and alternative investments under Article 93, paragraph 3 of the Act, if applicable – statements regarding the pension insurance company's procedures in relation to the auditor's recommendations from previous years, and – statements regarding the state and structure of asset investments for covering technical provisions and the alignment of such investments with the provisions of the Act and regulations adopted under it, with special attention to investments in financial derivatives under Article 92, paragraph 1, point 15 of the Act and alternative investments under Article 93, paragraph 3 of the Act, if applicable – the auditor's assessment from Article 4, paragraph 4 of this Regulation. (3) The report from paragraph 1 of this article is prepared separately for asset investments for covering technical provisions for mandatory pension insurance, respectively business under Article 9, paragraph 1, point 1 of the Act; separately for voluntary pension insurance, respectively business under Article 9, paragraph 1, points 2, 3, and 4 of the Act; and separately for other business related to pension insurance business under Article 9, paragraph 1, point 5 of the Act.

Report on Compliance with Capital Adequacy Conditions Article 7. (1) The auditing firm is obliged to verify and assess the compliance with capital adequacy conditions of a pension insurance company, for which it must prepare a Report on Compliance with Capital Adequacy Conditions. (2) The report from paragraph 1 of this article must contain at least: – a brief description of the state and structure of capital with regard to basic capital, supplementary capital, and deduction items, – the state of capital at the beginning and end of the year, as well as changes during the year with a comparative presentation of the solvency margin requirement, – auditor's recommendations with identified weaknesses and risks, and – statements regarding the pension insurance company's procedures in relation to the auditor's recommendations from previous years, – the auditor's assessment from Article 4, paragraph 4 of this Regulation.

Report on the Method of Keeping Accounting Books Article 8. (1) The auditing firm is obliged to verify and assess the method of keeping accounting books, for which it must prepare a Report on the Method of Keeping Accounting Books. (2) The report from paragraph 1 of this article includes the auditor's assessment from Article 4, paragraph 4 of this Regulation regarding the method of keeping accounting books by a pension insurance company, with identification of any irregularities or weaknesses found during the audit, as well as risks arising from these weaknesses.

Report on Correctness and Completeness of Notifications and Reports Submitted to HANFA Article 9. (1) The auditing firm is obliged to verify and assess the correctness and completeness of notifications and reports submitted to HANFA based on the Act and regulations adopted under it, for which it must prepare a Report on Correctness and Completeness of Notifications and Reports Submitted to HANFA. (2) The report from paragraph 1 of this article includes the auditor's assessment from Article 4, paragraph 4 of this Regulation regarding the correctness and completeness of notifications and reports submitted to HANFA based on the Act and regulations adopted under it.

Report on Compliance with Risk Management Rules Article 10. (1) The auditing firm is obliged, in accordance with Article 100.f, paragraph 1, point 1 of the Act, to verify and assess compliance with risk management policy, compliance with defined acceptable risk levels for a pension insurance company, compliance with procedures and measures for assuming, reducing, diversifying, transferring, and avoiding risks, as well as the application of these acts, for which it must prepare a Report on Compliance with Risk Management Rules. (2) The auditing firm makes the assessment of risk management adequacy from paragraph 1 of this article based on an evaluation: – compliance with organizational requirements related to the management of individual risks, – policies and procedures relating to the management of individual risks, – implementation of adopted policies and procedures, – adequacy of identification, measurement, and monitoring of individual risks, and – adequacy and effectiveness of internal control systems related to the management of individual risks. (3) The report from paragraph 1 of this article must contain at least: – a brief description of risks to which the pension insurance company is or may be exposed in its operations, – an assessment of the appropriateness and effectiveness of risk management policies, as well as procedures, tools, and techniques for measuring and managing risks, – alignment of the pension insurance company's conduct with risk management policies, as well as procedures, tools, and techniques for managing risks, – alignment of the level of risk exposure for a pension insurance company with defined internal risk exposure limits and the company's risk profile, – statements regarding the pension insurance company's conduct based on internal audit recommendations, – statements regarding the pension insurance company's procedures in relation to the auditor's recommendations from previous years, – auditor's recommendations with identified weaknesses and risks, and – the auditor's assessment from Article 4, paragraph 4 of this Regulation regarding adequacy of identification, measurement, and management of individual risks, and adequacy and effectiveness of internal control systems related to risk management.

Report on State of Information System and Adequacy of Information System Management Article 11. (1) The auditing firm provides an assessment of the state of the information system and adequacy of its management under Article 100.f, paragraph 1, point 2 of the Act in a Report on State of Information System and Adequacy of Information System Management, which must contain at least:

1. basic data on the implementation of audit procedures,
2. description of the information system,
3. statements regarding the pension insurance company's procedures in relation to the auditor's recommendations from previous years,
4. auditor's recommendations with identified weaknesses, deficiencies, and risks of the information system, and
5. auditor's assessment of the state and adequacy of information system management in accordance with Article 4, paragraph 4 of this Regulation. (2) In case the auditing firm did not take into account the Guidelines for Implementation of Information System Audit by Supervised Entities from Auditing Firms, published on HANFA's website, while preparing the report from paragraph 1 of this article, it must explain the reasons for such conduct.

Report on Performance of Key Functions Article 12. (NN 139/25) (1) The auditing firm is obliged to verify and assess the compliance of key functions with statutory provisions, adequacy of established organization, and their effectiveness, and prepare a Report on Performance of Key Functions. (2) The report from paragraph 1 of this article must contain at least: – a list of deficiencies in the operation of key functions and risks arising from them, – statements regarding the pension insurance company's procedures in relation to the auditor's recommendations from previous years, – auditor's recommendations with identified weaknesses and risks, – the auditor's assessment of whether the pension insurance company has established key functions within its management system and whether key functions perform duties in accordance with the Act and regulations adopted under it, in accordance with Article 4, paragraph 4 of this Regulation.

Content of Audit Report for HANFA's Purposes Article 13. (NN 139/25) (1) The audit report for HANFA's purposes must contain: – a separate assessment of the state and changes in technical provisions, – a separate assessment of the state and structure of asset investments for covering technical provisions, – a separate assessment of compliance with capital adequacy conditions, – a separate assessment of the method of keeping accounting books, – a separate assessment of correctness and completeness of notifications and reports submitted to HANFA, – a separate assessment of compliance with risk management rules, – a separate assessment of the state of information system and adequacy of information system management, and – a separate assessment of performance of key functions. (2) Rejection of the assessment from paragraph 1 of this article does not result in rejection of annual financial statements, or consolidated annual financial statements for that year, regarding which a positive or qualified opinion was issued in the audit report. (3) If HANFA determines that the assessment from paragraph 1 of this article was not issued in accordance with the Act and/or provisions of this Regulation, and with regard to line 7 from paragraph 1 of this article and/or in accordance with Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011, or if HANFA otherwise determines through supervision that it is not based on true and objective facts, it may require the auditor to correct or supplement the assessment. If the auditor does not comply with HANFA's request, HANFA may reject the assessment and require the pension insurance company to have the assessment provided by authorized auditors from another auditing firm at its expense. (4) The audit report is accompanied by reports that were subject to the audit. (5) The audit report is prepared and signed by an authorized auditor in his/her own name, as well as the responsible person of the auditing firm on behalf of the auditing firm. (6) The auditing firm is obliged to prepare the audit report for HANFA's purposes in written form.

Deadlines for Submission Article 14. (NN 139/25) The auditing firm is obliged to submit the audit report for HANFA's purposes to HANFA no later than four months after the end of the business year for which the report is prepared.

Method of Submission Article 15. (NN 139/25) The auditing firm is obliged to submit the audit report for HANFA's purposes to HANFA in written form, directly or by post.

Entry into Force Article 15. (1) Upon entry into force of this Regulation, the Regulation on Audit of Reports of a Pension Insurance Company (Official Gazette, Nos. 116/2019 and 155/2022) ceases to apply. (2) This Regulation enters into force on the eighth day after its publication in the Official Gazette.

CLOSING PROVISION The Regulation on Amendments and Supplements to the Regulation on Audit in Pension Insurance Companies (NN, No. 139/25) entered into force on November 20, 2025. Article 7. This Regulation enters into force on the eighth day after its publication in the Official Gazette.