2019-11-29

Regulation on Internal Controls and Internal Audit of Non-Bank Financial Institutions

The Central Bank of the Republic of Kosovo issued this Regulation to establish comprehensive internal control and internal audit requirements for non-bank financial institutions (NBFIs). It mandates that NBFIs implement robust internal control systems covering risk assessment, activity controls, information flow, and monitoring, while ensuring the independence, competence, and continuous oversight of their internal audit functions. The Regulation further outlines specific governance duties for boards and senior management, defines the scope and charter of internal audit functions (including contracted services), and establishes enforcement measures for non-compliance.

Kosovo

Central Bank of the Republic of Kosovo

Based on Article 35, paragraph 1, sub-paragraph 1.1 of Law No. 03/L-209 on the Central Bank of the Republic of Kosovo (Official Gazette of the Republic of Kosovo, No. 77/16 August 2010) as well as Article 103, paragraph 2, and Article 114 of Law No. 04/L-093 on Banks, Microfinance Institutions and Non-Bank Financial Institutions (Official Gazette of the Republic of Kosovo, No. 11/11 May 2012), the Board of the Central Bank, at its meeting held on 27 December 2018, approved this:

REGULATION ON INTERNAL CONTROLS AND INTERNAL AUDIT OF NON-BANK FINANCIAL INSTITUTIONS

Article 1 Purpose and Scope

  1. The purpose of this regulation is to define the basic principles regarding the organization and operation of internal controls and the function of internal audit of non-bank financial institutions (hereinafter: NBFIs).
  2. This regulation applies to all NBFIs registered by the CBK to operate in the Republic of Kosovo, excluding NBFIs registered with a sole activity of currency exchange, for which provisions of this regulation apply only upon specific request by the CBK.

Article 2 Definitions

  1. All terms used in this regulation have the same meaning as terms defined in Article 3 of Law No. 04/L-093 on Banks, Microfinance Institutions and Non-Bank Financial Institutions (hereinafter: Law on Banks, MFIs and NBFIs) or according to the following definitions, for the purpose of this regulation:
     1.1 Internal Control System - means the process monitored by the board of directors, senior management and other personnel, established to provide reasonable assurance regarding the achievement of effectiveness and efficiency of operations, reliability of reporting and compliance with laws and regulations in implementation.
     1.2 Internal Audit Function - is an independent, objective and advisory activity established to enhance values and improve the operations of the NBFIs. This function helps achieve objectives by providing a systematic and disciplined approach to assessing and improving the efficiency of risk management, control and governance processes.

Article 3 Requirements

  1. NBFIs must ensure an effective internal control system aimed at preventing losses, maintaining reliable financial and management reporting, expanding their mature operations and promoting stability in the financial system of the Republic of Kosovo.
  2. The CBK requires NBFIs to have an effective internal control system that is consistent with the nature, complexity and potential risk in on-balance sheet and off-balance sheet activities, and that it responds to changes in their environment and conditions.
  3. The objectives of the internal control system must be the prevention of fraud, misappropriations and erroneous actions, as well as the reduction of other risks faced by the NBFIs, in order to:
     3.1 Promote the efficiency and effectiveness of activities and measures that protect the NBFIs in the use of assets and other resources and against losses;
     3.2 Ensure the reliability and accuracy of financial and management information, so that senior managers, directors, shareholders, external parties and supervisors can rely on them for decision-making; and
     3.3 Ensure compliance with laws and regulations in force.
  4. An effective internal control system consists of the following interrelated components:
     4.1 Governance, supervision and control culture;
     4.2 Risk identification and assessment;
     4.3 Control of activities and segregation of duties;
     4.4 Information and communication; and
     4.5 Monitoring of activities and correction of deficiencies.

Article 4 Supervision and Control Culture - Responsibilities of the Board of Directors and Senior Management

  1. The board of directors and senior administrators are responsible for promoting high standards of ethics and integrity and establishing a culture within the organization that emphasizes and demonstrates the importance of internal controls for all levels of personnel. Senior managers must ensure that all personnel understand their role in the internal control process and will be fully involved in this process.
  2. The board of directors is responsible for the direction, leadership and supervision of NBFIs and ensuring that work is carried out in the best interest of the institution. The board of directors is obliged to act with care in fulfilling its leadership and supervision duties, ensuring that the institution's daily operations are handled by qualified, honest and competent management.
  3. The specific duties of the board of directors regarding internal controls include:
     3.1 Approving and reviewing, at least annually, the institution's comprehensive business strategies and key policies;
     3.2 Determining the structure and administration of the NFI, including operational and administrative units, functions and supervisory positions;
     3.3 Establishing the committee that supervises the internal audit function as defined in Article 98 of the Law on Banks, MFIs and NBFIs, and ensuring its operation;
     3.4 Understanding the main risks faced by the institution, setting acceptable levels for these risks and ensuring that senior management effectively supervises the internal control system;
     3.5 Reviewing the internal audit function at least once a year;
     3.6 Ensuring that an effective internal control system is established and maintained.
  4. Senior managers are responsible for the organizational and procedural controls of NBFIs and, to fulfill this responsibility, ensure the integrity of internal controls and establish an effective management team characterized by a control culture and responsible for fulfilling its duties.
  5. The specific internal control duties of senior managers will be:
     5.1 Implementing strategies and policies approved by the board of directors;
     5.2 Developing processes that identify, measure, supervise and control risks caused by the institution;
     5.3 Maintaining an organizational structure that clearly defines responsibilities, authority and reporting relationships;
     5.4 Ensuring that delegated responsibilities are fulfilled effectively, establishing appropriate internal control policies and monitoring the appropriateness and effectiveness of the internal control system;
     5.5 Ensuring that contracted services of any kind are provided by companies with an appropriate internal control system. Contracts for contracted services must specify that external auditors, internal auditors and CBK examiners have access to any documentation or information source or system that may be required in performing their respective functions.

Article 5 Risk Identification and Assessment

  1. All material risks that may have an adverse impact on the achievement of NFI objectives must be identified and continuously assessed. This assessment must cover all risks faced by the NFI (including credit risk, liquidity risk, operational risk and reputation risk) depending on the activities for which it is registered.
  2. Internal controls must be reviewed at least annually by the Board of Directors and/or the Audit Committee to properly address any new and previously uncontrolled risks.
  3. An effective risk assessment must identify and consider internal factors (such as organizational structure complexity, nature of activities, personnel quality, organizational changes and staff movements) as well as external factors (such as changing economic conditions, industry changes and technological advances) that may affect the achievement of the institution's objectives.
  4. Risk assessment must be conducted at all levels of individual businesses and across a wide spectrum of activities. Risk assessment must address measurable and non-measurable aspects of risk and must weigh the costs of controls against the benefits they provide.
  5. The risk assessment process will include risk evaluation, to determine which are controllable by the institution and which are not. For those risks that are controllable, the NFI must assess whether to accept them or the extent to which it wishes to reduce risks through controlling procedures. For uncontrollable risks, the institution must decide whether to accept them or cease or reduce business activities related to these risks.

Article 6 Control of Activities and Segregation of Duties

  1. Control activities must be an integral part of the NFI's daily operations. Senior management must establish a suitable control structure, with control activities defined at each level of business, including: senior-level reviews, appropriate control activities for different departments and units, physical controls, compliance checks against exposure limits and monitoring of non-compliance, an approval and authorization system, as well as a verification and coordination system.
  2. Control activities must be designed and implemented to address risks identified by the NFI through the risk assessment process. Control activities must contain two steps:
     2.1 Derivation of control policies and procedures; and
     2.2 Verification that these policies and procedures are being implemented.
  3. Control activities must include all levels of institution personnel, from senior management to first-line staff.
  4. Duties must be properly distributed and personnel should not be assigned responsibilities resulting in conflicts of interest. Areas of potential conflicts must be identified, minimized and subjected to careful and independent supervision, particularly in cases related to the approval and payment of funds, assessment of client and private accounts, supervision of loans, as well as any other area where significant conflicts of interest arise and are not mitigated by other factors.

Article 7 Information and Communication

  1. Management must collect, record and maintain adequate and comprehensive internal financial, operational and compliance data, as well as external market information related to events and conditions relevant for decision-making. Information must be reliable, timely and accessible, and maintained in a consistent format.
  2. Information systems must be reliable and adequate to cover all significant activities of the NFI. These systems, including those that store and use electronic data, must be secured and supervised by NFI management independently and supported by adequate emergency plans.
  3. Management must maintain effective communication channels to ensure that staff fully understands and supports policies and procedures affecting their duties and responsibilities, and that other relevant information is communicated to the appropriate personnel.

Article 8 Monitoring of Activities and Correction of Deficiencies

  1. The overall effectiveness of NFI internal controls must be continuously monitored by management. Monitoring of key risks must be part of daily activities for all operational and business fields of the NFI. Board of directors meeting minutes must record decisions adopted regarding internal control deficiencies.
  2. Internal rules must establish clear lines of responsibility for each operational and business field. Periodic and separate reviews must be carried out by operational and business fields and report internal control deficiencies on a specified basis to the appropriate level of management and address them accurately. Material deficiencies in internal control must be reported to senior managers, the committee supervising the internal audit function and the board of directors.
  3. Adequate internal control within NBFIs must be complemented by an effective internal audit function, which independently evaluates the institution's control system. A comprehensive and effective internal audit of the internal control system must be carried out by staff who are operationally independent, properly trained and competent.

Article 9 Internal Audit Function

  1. The internal audit function is part of a continuous monitoring system of the institution's internal control system, which ensures an independent assessment of adequacy and compliance with established policies and procedures. As such, the internal audit function assists senior managers and the board of directors in performing their duties effectively and efficiently. Each NFI must have an internal audit function or this function may be performed by contracting internal audit services, which will be supervised by the relevant committee according to Article 4, paragraph 3, sub-paragraph 3.3 of this regulation.
  2. The scope of the internal audit function must include:
     2.1 Examination and assessment of the appropriateness and effectiveness of internal control systems;
     2.2 Review of the application and effectiveness of risk management procedures and methodologies for risk assessment;
     2.3 Review of management and financial information systems;
     2.4 Review of the accuracy and reliability of accounting records and financial reports;
     2.5 Review of asset safeguarding methods;
     2.6 Testing of transactions and functioning of specific internal control procedures;
     2.7 Review of systems established to ensure compliance with legal and regulatory requirements, code of conduct and implementation of policies and procedures;
     2.8 Testing the reliability and accuracy of regulatory reporting;
     2.9 Performing specific audit duties.
  3. Senior management is responsible for ensuring that the internal audit function remains fully informed regarding new developments, initiatives, products and operational changes.
  4. Each NFI must have a permanent and independent audit function to fulfill the defined duties and responsibilities. The board of directors is responsible for ensuring the independence of the audit function and that sufficient material and human resources are available to adequately perform its functions and duties. The board of directors appoints the Committee supervising the internal audit function as well as the head of the internal audit function or contracted internal audit.
  5. The internal audit function must be independent from the audited activities and daily control processes. The head of the internal audit function will have the competence to communicate directly with the board of directors and on its own initiative or through the Committee supervising the internal audit function, which will also decide on his/her compensation.
  6. The internal auditor will be approved by the CBK in accordance with the provisions for senior managers in the Regulation on Registration, Supervision and Activities of Non-Bank Financial Institutions.
  7. The decision on the resignation or dismissal of the head of the internal audit function and its reasons will be communicated to the CBK within seven working days after the decision.
  8. Each NFI must have a written audit charter that defines the mandate and authorizations of the internal audit function within the institution.
  9. The internal audit charter must contain at least these elements:
     9.1 Objectives and scope of the internal audit function;
     9.2 Position of the internal audit function within the organization, authorizations, responsibilities and relationships with other control functions; and
     9.3 Responsibility of the head of the internal audit function.
  10. The audit charter must be drafted and periodically reviewed by the internal audit function, approved by the committee supervising the internal audit function and subsequently confirmed by the board of directors as part of its supervisory role.
  11. The audit charter must grant the internal audit mandate, authorizing it to initiate and have access to and communicate with any member or staff, examine any activity or entity of the NFI, as well as have access to any register, file or data, including management information and minutes of all consultative and decision-making bodies, whenever important for performing its duties.
  12. The charter must specify the terms and conditions for the internal audit function to provide advisory services or fulfill other specific duties.
  13. The professional competence of each internal auditor and the internal audit function as a whole, which will vary depending on the size and complexity of NFI operations, is essential for the adequate functioning of the internal audit function.
  14. Members of the internal audit function must meet at least the following qualities and skills:
      14.1 Professional skills to implement and apply procedural standards and audit techniques in the operational fields of NBFIs;
      14.2 Knowledge and/or experience regarding International Financial Reporting Standards;
      14.3 Knowledge of risk management principles and measured techniques of internal audit of NBFIs.
  15. The head of the internal audit function will be selected as an individual with a high ethical and professional reputation and adequate qualification and experience in the field of audit.
  16. The head of the internal audit function must prepare an audit plan for determining and performing duties, which will be approved by the board of directors and/or the committee supervising the internal audit function. The NFI will provide the necessary resources for the internal audit function.
  17. The annual audit plan must include in detail the duration and frequency of planned internal audit work, necessary personnel resources, and must be based on an assessment of internal controls and a written assessment of material risks updated for each operating year.
  18. Reports of the internal audit function, which contain findings and recommendations as well as responses from senior managers, must be presented to the committee supervising the internal audit function and/or the board of directors.
  19. Internal audit reports and work papers must be kept for at least five years from the date of reporting.
  20. The internal audit function must follow up on its recommendations to verify if they have been implemented.

Article 10 Contracting of Internal Audit

  1. A contractual agreement for internal audit may be contracted between an NFI and a qualified professional or a commercial company whose primary activity is providing professional services related to internal audit. In these cases, the commercial company must employ at least one qualified professional who meets the criteria of this regulation for the head of internal audit.
  2. Regardless of contractual conditions, the board of directors will remain ultimately responsible for ensuring that the internal audit function is adequate and operates effectively.
  3. All provisions of this regulation remain applicable in cases where internal audit activities are contracted.
  4. The commercial company defined in paragraph 1 of this article, contracted for the internal audit function, must be approved by the CBK.
  5. If it deems necessary, the CBK reserves the right to request that the NFI establish an internal audit function within its structure, excluding the possibility of contracting internal audit.

Article 11 Penalties and Improvement Measures

Every violation of the provisions of this regulation will be subject to improvement and punitive measures, as defined in Law No. 03/L-209 on the Central Bank of the Republic of Kosovo and Law No. 04/L-093 on Banks, Microfinance Institutions and Non-Bank Financial Institutions.

Article 12 Repeal

With the entry into force of this regulation, the provision of Article 18, paragraph 1, sub-paragraph 1.7, of the Regulation on Registration, Supervision and Activities of Non-Bank Financial Institutions is repealed.

Article 13 Entry into Force

This regulation enters into force 15 days after approval.

Flamur Mrasori, Chairman of the Board of the Central Bank