Regulation on Internal Controls and Internal Audit of Non-Bank Financial Institutions

1 of 9 Pursuant to Article 35, paragraph 1.1 of the Law No. 03/L-209 of the Central Bank of the Republic of Kosovo (Official Gazette of the Republic of Kosovo, No. 77/16 August 2010), and Articles 103 paragraph 2, and Article 14 of the Law No. 04/L-093 on Banks, Microfinance Institutions and Non-Bank Financial Institutions, (Official Gazette of the Republic of Kosovo, No. 11/11 May 2012), the Board of the Central Bank of the Republic of Kosovo at the meeting held on December 27, 2018, approved the following: REGULATION ON INTERNAL CONTROLS AND INTERNAL AUDIT OF NON-BANK FINANCIAL INSTITUTIONS Article 1 Purpose and scope

1. The purpose of this Regulation is to provide the basic principles on the organization and operation of the internal controls and internal audit function of Non-Bank Financial Institutions (hereinafter: NBFI).
2. This Regulation applies to all NBFIs registered by the CBK to operate in the Republic of Kosovo, with the exception of NBFIs registered in a single currency exchange activity, for which the provisions of this regulation apply only upon a particular request of the CBK. Article 2 Definitions
3. All terms used in this Regulation are as defined in Article 3 of Law No. 04/L-093 on Banks, Microfinance Institutions and Non-Bank Financial Institutions (hereafter referred as Law on Banks, MFIs and NBFIs), and/or as further defined in this Regulation as follows: 1.1 Internal Control System - means the process monitored by the Board of Directors, senior managers and other personnel, and established to provide reasonable assurance regarding the achievement of effectiveness and efficiency of operations, reliability of reporting and compliance with applicable laws and regulations. 1.2 Internal Audit Function - is an independent, objective and consulting activity designed to add value and improve the NBFIs’ operations. It helps in accomplishing

2 of 9 the objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Article 3 Requirements

1. NBFIs shall establish an efficient internal control system for the purpose of preventing losses, maintaining reliable financial and management reporting, enhancing their prudent operation, and promoting stability in the financial system of the Republic of Kosovo.
2. According to CBK, NBFIs shall have an effective system of internal controls that is consistent with the nature, complexity, and risk inherent in their on- and off-balance sheet activities and that responds to changes in their environment and conditions.
3. The goals of the system of internal controls should be to prevent fraud, misappropriation and errors, and to mitigate other risks faced by the NBFIs, which shall: 3.1 Promote the efficiency and effectiveness of activities and measures that protect the NBFIs in using its assets and other resources and protecting it from losses; 3.2 Ensure the reliability, completeness and timelines of financial and management information, so that administrators, directors, shareholders, external parties, and supervisors can rely on for decisions-making; and 3.3 Ensure compliance with applicable laws and regulations.
4. An effective internal control system consists of following interrelated components: 4.1 Management oversight and the control culture; 4.2 Risk recognition and assessment; 4.3 Control activities and segregation of duties; 4.4 Information and communication; and 4.5 Monitoring activities and correcting deficiencies. Article 4 Oversight and the Control Culture - Responsibilities of the Board of Directors and of the Senior Management
5. The Board of Directors and senior management shall be responsible for promoting high ethical and integrity standards, and for establishing a culture within an organization that emphasizes and demonstrates to all levels of personnel the importance of internal controls. Senior managers shall ensure that all personnel understand their role in the internal controls system and shall be fully engaged in the process.
6. The Board of Directors shall be responsible for providing direction, guidance and oversight to NBFIs, and ensuring that the affairs of the entity are carried out in the best interest of the organization. The Board of Directors has a duty to act carefully in fulfilling

3 of 9 the important task of directing and monitoring the activities of management, ensuring that the Institution’s day to day operations are in the hands of qualified, honest and competent management. 3. Specific internal control duties of the Board of Directors shall be to: 3.1 Approve and review, on at least an annual basis, the overall business strategy and significant policies of the institution; 3.2 Decide on the NBFI's structure and the NBFI's management, including its operational and administrative units, functions and supervisory positions; 3.3 Establish a committee that oversees the internal audit function as defined by Article 98 of the Law on Banks, MFIs and NBFIs, and to ensure its functioning. 3.4 Identify the major risks within the Institution, set acceptable levels for these risks, and ensure that senior management is monitoring the effectiveness of the internal control system; 3.5 Review, at least once a year, the internal audit function; 3.6 Ensure that adequate and effective system of internal controls is established and maintained. 4. The senior managers shall be ultimately responsible for the NBFIs’ organizational and procedural controls, by ensuring the integrity of internal controls and by having in place an effective management team that is characterized by a culture of control and that is accountable for the performance of its responsibilities. 5. Specific internal control duties of the senior managers shall be to: 5.1 Implement strategy and policies approved by the Board of Directors; 5.2 develop processes that identify, measure, monitor and control risks incurred by the Institution; 5.3 Maintain an organizational structure that clearly assigns responsibility, authority and reporting relationships; 5.4 Ensure that delegated responsibilities are effectively carried out; set appropriate internal control policies; and monitor the adequacy and effectiveness of the internal control system; 5.5 Ensure that outsourced services of any kind are with reputable companies that they have an adequate internal control system. The contracts for these services shall stipulate that external auditors, internal auditors and CBK examiners have access to any documentation or information source or system that may be requested in the discharge of their respective function. Article 5 Risk Recognition and Assessment

4 of 9

1. All material risks that could adversely affect the achievement of the NBFI’s goals shall be recognized and continually assessed. This assessment shall cover all risks with which the NBFI is faced (including credit risk, liquidity risk, operational risk, and reputation risk) depending on the activities for which it has been registered.
2. Internal controls shall be reviewed at least annually by the Board of Directors and/or the Audit Committee to appropriately address any new previously uncontrolled risks.
3. Effective risk assessment shall identify and consider internal factors (such as the complexity of the organizational structure, the nature of its activities, the quality of personnel, organizational changes and employee turnover) as well as external factors (such as fluctuation of economic conditions, changes in the industry and technological advances) that could adversely affect the achievement of the Institution’s goals.
4. The risk assessment shall be conducted at all levels of individual activities and across the wide spectrum of activities. Risk assessment shall address both measurable and nonmeasurable aspects of risks and shall weigh costs of controls against the benefits they provide.
5. The risk assessment process shall also include the evaluation of risks to determine which are controllable and non-controllable by the Institution. For those risks that are controllable, the NBFI must assess whether to accept those risks or the extent to which it wishes to mitigate the risks through control procedures. For those risks that cannot be controlled, the Institution must decide whether to accept these risks or to withdraw from or reduce the level of business activity concerned. Article 6 Control activities and segregation of duties
6. Control activities shall be an integral part of the daily activities of the NBFI. Senior management shall establish an appropriate control structure, with control activities defined at every business level, including: top level reviews; appropriate activity controls for different departments or divisions; physical controls; checking for compliance with exposure limits and follow-up on non-compliance; a system of approvals and authorizations; and a system of verification and reconciliation.
7. Control activities shall be designed and implemented to address the risks identified by the NBFI through its risk assessment process. Control activities shall involve two steps: 2.1 Establishment of control policies and procedures, and 2.2 Verification that the control policies and procedures are being complied with.
8. Control activities shall involve all levels of personnel of the institution, including senior management as well as front line personnel.
9. Duties shall be segregated appropriately and personnel shall not be assigned responsibilities that would result in conflict of interest. Areas of potential conflicts of interest shall be identified, minimized, and shall be subject to careful, independent

5 of 9 monitoring, particularly in those instances related to approval and disbursement of funds, costumer and accounts assessment and monitoring of loans and any other areas where significant conflicts of interest emerge and are not mitigated by other factors. Article 7 Information and Communication

1. Management shall collect, record and retain adequate and comprehensive internal financial, operational and compliance data, as well as external market information about events and conditions that are relevant to decision-making. Information shall be relevant, reliable, timely, and accessible and maintained in a consistent format.
2. Reliable information systems shall be in place to cover all significant activities of the NBFI. These systems, including those that hold and use data in an electronic form, must be secured, monitored independently and supported by adequate contingency arrangements.
3. Management shall maintain effective channels of communication to ensure that staff fully understand and adhere to policies and procedures affecting their duties and responsibilities and that other relevant information is communicated to the appropriate personnel. Article 8 Monitoring activities and correcting deficiencies
4. The overall effectiveness of the NBFI’s internal controls shall be monitored by management on an ongoing basis. Monitoring key risks shall be part of the daily activities of all operational and business areas of the NBFI. The minutes of the board of directors’ meetings shall record the decisions adopted concerning internal control deficiencies.
5. Internal rules shall establish clear lines of responsibility for each operational and business area. Periodic and separate reviews shall be performed by operational and business areas and internal control deficiencies shall be reported in a timely manner to the appropriate management level and addressed promptly. Material internal control deficiencies shall be reported to senior managers, audit committee and to the board of directors.
6. Adequate internal controls within the NBFI shall be supplemented by an effective internal audit function that independently evaluates the control systems within the Institution. An effective and comprehensive internal audit of the internal control system shall be carried out by operationally independent, appropriately trained and competent staff. Article 9 Internal audit function
7. Internal audit function is part of the ongoing monitoring of the Institution’s system of internal controls, which provides an independent assessment of the adequacy of, and

6 of 9 compliance with, the institution’s established policies and procedures. As such, the internal audit function assists senior administrators and the Board of Directors in the efficient and effective discharge of their responsibilities. Each NBFI shall have an internal audit function or this function shall be performed by contracting internal audit, which shall be supervised by the relevant committee according to Article 4, paragraph 3, sub-paragraph 3.3 of this Regulation. 2. The scope of an internal audit function shall include: 2.1 The examination and evaluation of the adequacy and effectiveness of the internal control systems; 2.2 The review of the application and effectiveness of risk management procedures and risk assessment methodologies; 2.3 The review of the management and financial information systems; 2.4 The review of the accuracy and reliability of the accounting records and financial reports; 2.5 The review of the means of safeguarding assets; 2.6 The testing of both transactions and the functioning of specific internal control 2.7 procedures; 2.8 The review of the systems established to ensure compliance with legal and regulatory requirements, codes of conduct and the implementation of policies and procedures; 2.9 The testing of the reliability and timeliness of the regulatory reporting; 2.10 The carrying-out of special audit tasks. 3. Senior management is responsible to ensure that the internal audit department is kept fully informed of new developments, initiatives, products, and operational changes. 4. Each NBFI should have a permanent and independent audit function in order to fulfil its duties and responsibilities. The Board of Directors shall be responsible for ensuring the independence of the audit function and that sufficient human and material resources are available for the adequate performance of its functions and duties. The Board of Directors shall appoint the Committee that supervises the internal audit function as well as the head of the internal audit function, or the contracting of the internal audit. 5. The internal audit function shall be independent of the activities audited and from the everyday internal control processes. The head of the internal audit department should have the authority to communicate directly, and on his/her own initiative, to the Board of Directors, or through the Audit Committee, which shall also set his or her compensation. 6. The internal auditor shall be appointed by the CBK in accordance with the definitions for senior manager in the Regulation on the Registration, Supervision and Activities of Non￾Bank Financial Institutions.. 7. The dismissal or resignation of the head of internal audit department and its causes shall be communicated to the CBK within seven working days after it was decided.

7 of 9 8. Each NBFI should have a written statute of audit setting out the mandate and authorizations of the internal audit function within the institution. 9. The internal audit charter should contain at least: 9.1 The objectives and scope of the internal audit function; 9.2 The internal audit department’s position within the organization, its powers, responsibilities and relations with other control functions; and 9.3 The accountability of the head of the internal audit department. 10. The audit charter should be drawn up – and reviewed periodically – by the internal audit department; it should be approved by the Audit Committee and subsequently confirmed by the Board of Directors as part of its supervisory role. 11. The audit charter shall mandate the internal audit department with the right to initiate and authorizes it to have access to and communicate with any member or staff, to examine any activity or units of the NBFI, as well as to access any records, files or data, including management information and the minutes of all consultative and decision making bodies, whenever relevant to the performance of its assignments. 12. The charter shall specify the terms and conditions for the internal audit function can to provide advisory services or to perform other specific tasks. 13. The professional competence of every internal auditor and of the internal audit function as a whole, which will vary depending on the size and complexity of NBFI’s operations, is essential for the proper functioning of the internal audit function. 14. The members of the internal audit function must at least fulfil the following qualities and capabilities: 14.1Professional capability to implement and adhere to procedure standards and auditing techniques in the operating fields of the NBFI; 14.2Knowledge and experience with International Financial Reporting Standards; 14.3Knowledge of risk administrating principles and prudent internal auditing techniques of the NBFI. 15. The head of the internal audit function shall be an individual with a high ethical and professional reputation and with adequate experience in the auditing fields. 16. The head of the internal audit function shall prepare an audit plan for assignment and performance of tasks, which will be approved by the Board of Directors and/or its Committee supervising the internal audit function. NBFI shall make the appropriate resources available to the internal audit function. 17. The annual audit plan shall include in detail the timing and frequency of planned internal audit work, the necessary resources in terms of personnel and it shall be based on an evaluation of internal controls and on a written assessment of material risks, updated annually.

8 of 9 18. The reports of the internal audit function, which contain the findings and recommendations as well as the responses of senior managers, should be presented to the committee overseeing the internal audit function and/or the board of directors.. 19. Internal audit reports and working papers shall be kept for at least five years, as of the reporting date. 20. The internal audit function shall follow up its recommendations to verify whether they are implemented. Article 10 Outsourcing of Internal Audit

1. An internal audit outsourcing agreement may be outsourced between an NBFI and a qualified professional or a business organization which, as a primary activity, provides professional services related to internal auditing. In these cases, the business organization must have at least one qualified professional who meets the criteria of this regulation for the head of internal audit.
2. Regardless of the contractual stipulations, the Board of Directors shall remain ultimately responsible for ensuring that the internal audit function is adequate and operates effectively;
3. All the conditions of this Regulation remain applicable in case any internal audit activity is outsourced.
4. The business organization referred to in paragraph 1 of this Article contracted for the internal audit function shall be approved by the CBK.
5. If deemed necessary, the CBK reserves the right to require from NBFI to establish an internal audit function within the NBFI structure, excluding the possibility of outsourcing internal audit. Article 11 Penalties and remedial measures Any violation of the provisions of this Regulation shall be subject to remedial and punitive measures as defined in Law No 03/L-209 on the Central Bank of the Republic of Kosovo and Law No 04/L-093 on Banks, Microfinance Institutions and Non-Bank Financial Institutions.. Article 12 Abrogation Upon the entry into force of this regulation, the provision of Article 18, paragraph 1, subparagraph 1.7 of the Regulation on Registration, Supervision and Activities of Non-Bank Financial Institutions shall be abrogated.

9 of 9 Article 13 Entry into force This Regulation shall enter into force 15 days upon its adoption. Flamur Mrasori Chairman of the Board of the Central Bank of Kosovo