2015-09-02 | 67/2015

Bank of Albania Regulation 67/2015 on the Internal Audit System

The Supervisory Council of the Bank of Albania issued Regulation 67/2015 to establish comprehensive rules governing the organization, functions, and oversight of internal audit systems across licensed banks and foreign bank branches in Albania. The regulation mandates the establishment of independent Internal Audit Units staffed by qualified professionals, clearly delineating responsibilities among the Executive Board, Audit Committee, Directorate, and risk/compliance units. It further requires banks to implement a risk-based audit methodology, maintain robust reporting and documentation standards, and ensure continuous evaluation of internal controls in alignment with international auditing standards.

Albania

Bank of Albania

REPUBLIC OF ALBANIA
BANK OF ALBANIA
SUPERVISORY COUNCIL

DECISION No. 67, dated 2.9.2015

APPROVAL OF THE REGULATION “ON THE INTERNAL AUDIT SYSTEM”

In accordance with Article 12, (a) and Article 43, (c) of the Law No. 8269, dated 23.12.1997 “On the Bank of Albania”, as amended, Article 47, paragraph 3, and 4 of the Law No. 9662, dated 18.12.2006 “On banks in the Republic of Albania”, as amended, the Supervisory Council of the Bank of Albania, having regard to the proposal from the Supervision Department, DECIDED:

  1. To adopt the Regulation “On the internal audit system” as provided in the text therein.
  2. The Supervision Department is charged with the implementation of this Decision.
  3. Public Relations Department is responsible for the publication of this Decision in the Official Journal of the Republic of Albania and in the official Bulletin of the Bank of Albania.
  4. The Regulation “On the internal audit system” adopted with the Decision of Supervisory Council No. 24, dated 26.03.2008 shall be repealed upon entry into force of this Decision.

This Regulation shall enter into force on the fifteenth day following that of its publication in the Official Journal of the Republic of Albania.

SECRETARY Elvis Çibuku
CHAIRMAN Gent Sejko

REGULATION “On the internal audit system”
(Approved by decision No. 67, dated 2.9.2015 and amended by decision No. 74, dated 6.12.2017 of the Supervisory Council of the Bank of Albania)

CHAPTER I GENERAL PROVISIONS

Article 1 Subject matter

The scope of this regulation is to lay down the rules on the organization, function and responsible units of the internal audit system of the bank and foreign banks’ branches.

Article 2 Scope of application

This Regulation shall apply to banks and the branches of foreign banks licensed by Bank of Albania to run banking and/or financial operations within the Republic of Albania, hereinafter referred to with the common term “banks”.

Article 3 Legal foundation

This regulation is drafted in accordance with Law no. 8269 dated 23/12/1997 “On the Bank of Albania”, Article 12(a) and Article 47, paragraph 3, and 4 of the Law No. 9662, dated 18.12.2006 “On banks in the Republic of Albania”, as amended, which hereinafter in the Regulation shall be referred to as the Law “On banks”.

Article 4 Definitions

  1. Terms used in this regulation are equivalent to the terms defined in the Law “On banks” and other regulatory acts of the Bank of Albania.
  2. Excluding what is forewarned in paragraph 1 of this Article, for the purpose of application of this regulation, the terms below are defined as follows:

a) “The Internal Audit System” includes:

I. The process of monitoring and the ongoing evaluation of the effectiveness and adequacy of internal acts and controlling mechanisms within a given bank, as well as the quality of its activities conducted by the responsible units of the bank, for the realization of the functions of the internal audit system,

II. Outlining of coherent activities of controlling structures, mechanisms, and procedures that shall ensure:
i. Monitoring the bank’s policies implementation, assessing the extent to which targets that are outlined in these policies are met,
ii. Evaluating the efficiency of its banking and financial activities,
iii. Identifying, computing and monitoring the risk levels, as well as preventing and effectively managing risks,
iv. Safeguarding of assets,
v. Suitable, accurate and credible information on the financial situation of the bank and handling of this information in accordance with bank procedures; and
vi. Compliance with laws and bylaws in force, and implementation of internal acts as approved by the managing bodies of the bank.

b) The ‘risk matrix’ is the table drafted by the bank itself on evaluating identified risks in the bank, where each risk is evaluated based upon its probability to materialize and its impact level on the financial state of the bank.

CHAPTER II INTERNAL AUDIT SYSTEM

Article 5 Internal Audit System’s Units

  1. The main units responsible for carrying out the functions of the internal audit are: a) the Managing Council (Executive Board); b) the Audit Committee; c) the Department and any other organizational structure in the bank that belongs to the first and the second line of control, as stipulated in Annex 1 of this regulation; d) the Internal Audit Unit; e) specific committees established by decision of the executive board in order to deal with specific matters related to the internal audit of the bank.

  2. The units set out in paragraph 1 of this Article shall be responsible for the realization of the functions of the internal audit system, in compliance with the tasks and competencies laid down in the Law “On the banks”, bylaws of the Bank of Albania, as well as those in the internal acts of the bank approved by its managing bodies.

Article 6 General requirements

  1. Depending on its nature, size, complexity of its operations and its risk profile, the bank shall draft internal acts on the manner of functioning of its internal audit system, which shall be approved by the Executive Board.
  2. The bank ensures verification and continuous evaluation of an effective activity of the internal control system, by organizing it in a sufficient manner to guarantee the risks management in all the bank processes, including those made by third parties or by its subsidiaries and branches.
  3. The bank ensures adequate resources – including financial ones – for the qualification, evaluation and motivation of internal audit employees, organized as per the model of three lines of defence, as well as for carrying out the annual plan of the activity of the Internal Audit Unit.

Article 7 Responsibilities of the Executive Board

  1. In addition to the core responsibilities defined in the Law “On banks”, in the context of the internal audit system, the Executive Board of the bank, periodically shall approve and review, at least: a) The responsible organizational unit of the bank for executing the functions of the internal audit system, and reporting and controlling relations within the bank; b) Rules that determine the competency margins, their delegation and distribution of responsibility among administrators and bank employees; c) The competencies to authorize, follow up and report on the bank’s operations; d) Internal rules for monitoring risks and assessing the efficiency of methods and procedures used in managing risks; e) Internal rules for the administration and use of the systems of information and communication technology (ICT); f) The method of reporting of identified flaws (inadequacies) in the internal audit system of the bank; g) The code of ethics and of treating conflicts of interest for administrators and employees of the bank; h) Rules on discrepancies and on prohibiting the concurrent execution of more than one function related to the authorization, carrying out and reporting of bank’s operations; i) Other competencies that serve to improve the functioning of the internal audit system.
  2. The Executive Board shall establish an organizational unit responsible for the monitoring and reporting of the extent of implementation of the recommendation of the supervisory authority, [1] statutory auditor or the auditing company, mother bank’s auditing structures, etc.
  3. The Executive Board has the ultimate responsibility to ensure that the bank’s head office has set up an adequate, efficient and effective internal audit system, and shall assess the performance of the internal audit system at least annually.
  4. The Executive Board shall approve the structure of the Internal Audit Unit of the bank, for which must be taken into consideration the nature, size, complexity of operations and its (bank’s) risk profile, and that in any case, consists of at least 2 (two) employees.
  5. The Executive Board shall appoint and dismiss the head and employees of the Internal Audit Unit.
  6. The Executive Board and / or the Audit Committee shall evaluate the work done and shall determine the remuneration of the Internal Audit Unit of the bank. The remuneration of employees of the Internal Audit Unit should be consistent with the bank's remuneration policies and should avoid conflicts of interest and violation of the independence and objectivity.
  7. The Executive Board shall submit to the Bank of Albania, within the first quarter of the following year, an annual report on the activities of Internal Audit Unit as defined in Article 19 of this Regulation, and at the request of the Bank of Albania, shall report on the performance of controls and other activities of this unit.

Article 8 Responsibilities of the Audit Committee

  1. The Audit Committee, in the context of the internal audit system, in addition to the core responsibilities defined in the Law “On banks”, shall: a) monitor the effectiveness of the Internal Audit Unit; b) [2] ensure that the Internal Audit Unit carries out its responsibilities independently and based on the international standards for internal audit; c) ensure that the Internal Audit Unit maintains open and consistent communication with the Directory, [3] statutory auditor or the auditing company, Audit Committee and the supervisory authority;

[1] Amended upon the Supervisory Council decision no. 74, dated 6.12.2017.
[2] Amended upon the Supervisory Council decision no. 74, dated 6.12.2017.

d) ensure that the Directory has set up and maintains a first and second line of internal control, which is adequate and effective, continuously ensuring well-performing processes in areas such as: reporting (financial, operational, risk related), monitoring compliance with laws, bylaws and internal acts, as well as the efficiency and effectiveness of operations and safeguard of assets;
  2. [4] The Audit Committee may propose to the Executive Board the appointment or dismissal of the head and employees of the Internal Audit Unit.
  3. [5] Members of Audit Committee may be members of the Executive Board, and the Head of Audit Committee shall be, in any case, a member of the Executive Board of the bank.

Article 9 Responsibilities of the bank’s Directorate

  1. In the context of the internal audit system, the Directorate shall be responsible for the following: a) To perform the daily management and control of the activities of the bank, implementing the rules approved by the Executive Board for identifying, computing, monitoring and controlling the risks to which the bank is exposed; b) To report to the Executive Board at least once a year on the meeting of its responsibilities related to the progress of the internal audit system and on the evaluation procedure of the bank’s demand for capital; c) To ensure that the Internal Audit Unit is informed in a timely fashion on the developments, initiatives and new products and operational changes, so as this unit may identify risks ahead of time. d) in collaboration with the Executive Board, it shall create an organizational structure that ensures a clear separation of the duties, responsibilities and reporting, following the model of three lines of defence, as defined in Annex 1 of this regulation; e) The Directorate shall be responsible for the timely undertaking of appropriate measures to address internal audit recommendations.

[3] Amended upon the Supervisory Council decision no. 74, dated 6.12.2017.
[4] Amended upon the Supervisory Council decision no. 74, dated 6.12.2017.
[5] Added upon the Supervisory Council decision no. 74, dated 6.12.2017.

Article 10 Responsibilities of the Risk Management Unit

  1. The Risk Management Unit shall be organized and shall conduct its functions as defined in the Regulation "On core management principles of banks and branches of foreign banks and the criteria for the approval of their administrators".
  2. The Risk Management Unit, in the context of the internal audit system, shall be responsible for monitoring all the units in the bank that undertake risks.
  3. The Risk Management Unit must have sufficient authority in the bank to carry out its functions.

Article 11 Responsibilities of the Compliance Unit

  1. The Compliance Unit shall be organized and shall conduct its functions as defined in the Regulation "On core management principles of banks and branches of foreign banks and the criteria for the approval of their administrators".
  2. The Compliance Unit, in the context of the internal audit system, shall be responsible for ensuring that the bank will act with integrity and in accordance with the laws and bylaws in force, as well as with internal acts related to the performance of its functions.
  3. The Compliance Unit must have sufficient authority in the bank to carry out its functions.

CHAPTER III ORGANISATION, RESPONSIBILITIES AND FUNCTION OF THE INTERNAL AUDIT UNIT

Article 12 General Requirements for the Internal Audit Unit

  1. The Internal Audit Unit is a specific administrative unit (structure) of the bank, independent of the activities, structures and individuals that it reviews or oversees, that reports to the Executive Board and/or to the Audit Committee of the bank.
  2. Each activity, department, branch, and other organizational units of the bank are included in the control area of the Internal Audit Unit.
  3. The Internal Audit Unit of a branch of a foreign bank shall be organized by the ‘mother’ bank in adherence to its internal procedures as defined by its managing bodies and in line with the requirements laid down in this regulation and other legal acts in force.
  4. [6] The Internal Audit Unit shall implement the international standards for internal audit, as stipulated in the Law “On Statutory Auditing and Organization of Statutory Auditor and Approved Accountant Professions”.

[6] Added upon the Supervisory Council decision no. 74, dated 6.12.2017.

Article 13 Duties and responsibilities of the Head of the Internal Audit Unit

  1. The Head of the Internal Audit Unit, in addition to what is set forth in paragraph 2 of this Article, shall comply with all the requirements for the administrators, stipulated in the regulatory acts of the Bank of Albania.
  2. The Head of the Internal Audit Unit shall be appointed a person who enjoys: a) an exemplary ethical and professional reputation; b) an adequate experience in banking and auditing field; c) the appropriate and adequate managerial experience (at least 3 years in the banking or financial sector).
  3. The Head of the Internal Audit Unit shall ensure and oversee the implementation of principles and standards of the professional activity of the internal audit, and the efficiency of the activity of the Internal Audit Unit.
  4. The Director of the Internal Audit Unit shall approve the programs for the performing of detailed auditing tasks, for the implementation of the annual plan of the Internal Audit Unit’s activity.
  5. The Head of the Internal Audit Unit shall immediately notify in writing the Executive Board and the Audit Committee, at any time when he or she concludes that the decision taken by the Directory carries risks for the bank and is in violation of laws and regulations or with its internal acts.

Article 14 Employees of the Internal Audit Unit

  1. The employees of the Internal Audit Unit should meet the qualities and skills in the following areas, as outlined: a) professional capability to implement international [7] internal audit standards and auditing procedures and techniques in all of the operating areas of the bank; b) knowledge of and/or experience in implementing accounting standards; c) knowledge of risk management principles and prudent banking techniques.
  2. The bank shall ensure that, in accordance with the nature, scope and complexity of its operations, the knowledge, experiences and qualifications of the employees of the Internal Audit Unit shall complement each other, in order to create a collective qualification, convenient for the Internal Audit Unit.
  3. The employees of the Internal Audit Unit, should:

[7] Added upon the Supervisory Council decision no. 74, dated 6.12.2017.

a) implement the best practices and guiding principles of ethical performance (bank’s ethic code, International Code of Ethics for internal audit, etc.); b) display the best ethical standards in their own relations and contact with third parties; c) respect the confidentiality of information received while on duty, not use this information for personal gain or malicious actions and care for storing the information; d) avoid conflict of interest and, for an adequate period of time, do not get involved in auditing units for which they have been previously responsible.

Article 15 Internal acts of the Internal Audit Unit

  1. The bank, in the context of the functioning of the Internal Audit Unit, shall draft and approve internal acts for the functioning and carrying out the activity of this unit.
  2. The internal acts rules shall be drafted and reviewed as frequently as deemed necessary by the Head of the Internal Audit Unit, and shall be approved by the Executive Board of the bank.
  3. The internal acts which define the manner of functioning and of carrying out of the activity of the Internal Audit Unit, must include at least the following elements: a) scope and area of activity of the Internal Audit Unit; b) role, authority and responsibility of the Internal Audit Unit; c) relations of the Internal Audit Unit with other functions of the audit system within the bank; d) manners and lines of communication of the results of the auditing activities; e) procedures for the coordination with [8] the statutory auditor or the auditing company and the supervisory authority; f) the risk based methodology (including the risk matrix); g) the right for unlimited and unconditional use of any registration, file, database, physical assets of the bank, as well as every document of the advisory and decision-making bodies or organizational units in the bank, necessary for the carrying out of its functions; h) the right of the Head of the Internal Audit Unit to have direct communication with the managing bodies; i) the right of planning and determining controls independently from the Head of the Internal Audit Unit; j) the assurance of avoidance of any conflict of interests in carrying out the duties of internal audit; k) requirements for compliance with the best standards of internal audit.

[8] Amended upon the Supervisory Council decision no. 74, dated 6.12.2017.

Article 16 Responsibilities of the Internal Audit Unit

  1. In the context of internal audit, the Internal Audit Unit in addition to the core responsibilities defined in the Law “On banks”, in due completion of its duties, shall monitor and assess amongst others: a) the adequacy and efficiency of the internal audit system; b) the implementation and efficiency of risk administration procedures and of the risk evaluation methodology; c) the efficiency and credibility of the compliance function and risk management; d) the accuracy and credibility of the systems of accounting booking and financial statements; e) the implementation and efficiency of strategies and procedures for the internal assessment of capital adequacy; f) the methods for safeguarding the assets of the banks; g) the information and reporting systems, including the electronic system of information and the electronic banking services, the technology and information system and the accuracy of data information; h) the systems for gathering data and the validity of the published information; i) the implementation of hiring procedures of the employees, as well as the matching of job descriptions with the assigned tasks; j) the monitoring of the compliance of the overall banking activity with laws and bylaws of Bank of Albania.
  2. The Internal Audit Unit shall not be involved in the design, selection and implementation of specific measures of the internal audit system, but, in any case where it is deemed reasonable, the Head Office may seek suggestions from this unit, on issues related to risks and internal control.
  3. While carrying out their tasks, the employees of the Internal Audit Unit have the right to: a) use every registration, file and data of the bank, including decisions made by the managing bodies and executive directors, as well as information and accounting systems; b) to inquire and collect reports and other documents intended for examination, as it pertains to assigned tasks; c) to recommend, in accordance with internal procedures, the hiring of experts who will undertake specific tasks of auditing.
  4. Reviews and auditing actions undertaken by the Head Office, within its competencies, cannot substitute for the functions of the Internal Audit Unit.
  5. The Internal Control Unit ensures, independently, the Executive Board and / or the Directory on the quality and effectiveness of internal audit of the bank, and the system and processes of administration / governance and risks management.

Article 17 Work plan of the Internal Audit Unit

  1. The Director of the Internal Audit Unit shall be responsible to draft at every end-year the work plan for the following year, which shall be subject to approval by the bank’s Executive Board.

  2. When changes occur, the Head of the Internal Audit Unit shall prepare the work plan for the current year with the relevant changes, and shall submit it for approval to the Executive Board.

  3. The frequency of the audit shall be based on the evaluation of every area of activity and/or organizational unit, according to the risk based methodology. All the areas of activity and/or organizational unit of the bank shall be subject to auditing by the Internal Audit Unit at least every three years, including those of low risk.

  4. The work plan of the Internal Audit Unit shall include as a minimum: a) a list of all the planned activities to be covered by the Internal Audit Unit; b) a list of the business areas of the bank that will be covered by control; c) the period over which the planned audits are expected to be accomplished.

Article 18 Documentation of the audit activity and reporting of results

  1. The Internal Audit Unit shall prepare a report on any audit carried out. This report should include at a minimum: a) the audit object; b) the description of the audit work (description of the methodology, steps and procedures followed so as to attain the audit targets); c) audit findings; d) comments by managers of the audited organizational units on the audit findings; e) assessments on the qualifications of employees, adequacy of internal regulatory acts and risk assessment system, on a case by case basis; f) recommendations on revising and improving findings that were observed during the audit session, and g) extent of implementation of recommendations proposed by previous audits.

  2. The reports and documents prepared by the members of the Internal Audit Unit, must be approved by the Director of the Internal Audit Unit.

  3. During the audit process, careful attention must be paid to the documentation and keeping of evidence of the work conducted by the Internal Audit Unit, so as the collected information supports the findings, assessments and recommendations made.

  4. The Head of the Internal Audit Unit presents the audit report prepared in line with paragraph 1 of this Article to the manager of the audited organizational unit.

  5. The manager of the audited organizational unit presents explanations (arguments) and/or claims related to the findings and recommendations laid out, within deadlines set in the internal regulations of the bank.

  6. The employees of the Internal Audit Unit present conclusions on each of the laid out recommendations, upon which the manager of the audited organizational unit has presented written explanations or claims.

  7. The Head of the Internal Audit Unit presents the final report and the documents in line with paragraphs 5 and 6 of this Article to the respective management bodies of the bank, according to the method defined by the Executive Board.

  8. Based on the findings and recommendations laid out in the Internal Audit Unit report, the management bodies of the bank shall decide whether it is necessary to impose remedial measures and to notify the Head of the Audit Unit and the organizational unit in charge with their due implementation.

  9. The Executive Board of the bank analyzes the Internal Audit Unit report not less than once in every six (6) months.

  10. The Audit Committee shall check and oversee the implementation of all the tasks assigned by the bank’s Executive Board, related to all the issues presented in the Internal Audit Unit reports.

  11. The General Director and the managers of respective organizational units shall coordinate the work for the implementation of remedy measures, which have been determined by the management bodies of the bank and which address the recommendations laid out in the Internal Audit Unit report.

Article 19 The annual report of the Internal Audit Unit

  1. The Head of the Internal Audit Unit presents an annual report on the work conducted by the unit to the relevant bodies (the Executive Board, Audit Committee or Directory of the bank), according to the rules set by the Executive Board or the decision-making bodies of the foreign bank (assembly of shareholders, executive board, etc) in the case of a branch of a foreign bank.

  2. The annual report of the Internal Audit Unit shall contain as a minimum the following elements: a) a report on the level of implementation of the annual work plan of the Internal Audit Unit; b) a list of all the activities planned and carried out by the Internal Audit Unit; c) a list of all the activities conducted, but not planned in the annual work plan of the Internal Audit Unit; d) a list of all the activities planned, but unrealized by the Internal Audit Unit, along with the reasons for non-realization; e) a summary of the most important findings identified during audits; f) a general assessment of the adequacy and efficiency of the internal control system in the areas covered by the Internal Audit Unit; g) a general assessment of the adequacy and efficiency of the risk management system; h) a report on the extent of implementation of recommendations and corrective measures defined based on the recommendations, as well as reasons for the lack of their implementation.

CHAPTER IV SUPERVISORY PROCESS

Article 20 Supervision and communication with the structures of the internal audit system

  1. Bank of Albania shall assess the organization and efficiency of the internal audit system in the bank, and whenever it deems it reasonable, may rely on the Internal Audit Unit’s reports in carrying out its supervisory functions.
  2. Bank of Albania (the Supervision Department) shall meet periodically the structures of the internal audit system of the bank, to discuss on the risk areas identified by the bank and the supervisory authority, on findings, recommendations, audit plan and remedies undertaken, as well as on the overall functioning of the Internal Audit Unit.
  3. The frequency of these meetings should be commensurate with the bank’s size, the nature, scope and complexity of the bank's activities.

Article 21 Preventing and Punitive Measures

In the event of noncompliance with the provisions laid down in this regulation, Bank of Albania enforces the provisions set out in Articles 74 to 80 and Article 89 of the Law “On banks” and in other related laws and bylaws.

CHAPTER V FINAL PROVISIONS

Article 22 Common area of application

The requirements set out in the Regulation "On core management principles of banks and branches of foreign banks and the criteria for the approval of their administrators", approved by decision No. 63 dated 14.11.2012 of the Supervisory Council, shall apply also to the internal audit system in banks and branches of foreign banks, unless otherwise required by this regulation.

[9] Article 23 Transitional provisions

Banks shall undertake the necessary measures to meet the requirement laid down in Article 8, paragraph 3, of this Regulation, within the year 2018.

Chairman of the Supervisory Council
Gent Sejko

[9] Added upon the Supervisory Council decision no. 74, dated 6.12.2017.

Annex 1 The Model of “Three lines of defence”

The model "Three lines of defence" - represents the relationship between the bank's business units, the support units and the internal audit unit.

►The first line of defense consists in business units, which undertake risks within the permitted levels and are responsible for identifying, assessing and continuous control of the risks of the respective units.

►The second line of defense includes support units, which, in cooperation with the first line of defense, ensure consistently adequate identification and management of risks. Support units, in cooperation with each other, work for defining strategies, implementation of policies and procedures of the bank, as well as to collect information to create an overview of the risks of the bank.

►The third line of defense is represented by the internal audit unit of the bank, which independently assesses the effectiveness of the processes established in the first and second lines, and ensures the smooth running of these processes.

| Line of defence (control) | Organizational units included in each line | Type and Frequency of control |
|---|---|---|
| First Line | Each business unit and that has a direct relationship with the client | Based on transactions, continuous. |
| Second Line | Risk management unit, compliance unit, legal unit, human resources, finance, operations and information technology unit etc. | Based on risk, continuous or periodical. |
| Third Line | Internal Control Unit | Based on risk, periodical. |

Internal control responsibilities defined for each line under the model of "Three lines of defence" cannot be transferred from one line of defense to the next line.