Regulation on the External Audit of Insurers, Insurance Intermediaries, Claim Handlers and the Kosovo Insurance Bureau

Pursuant to Article 35, Paragraph 1, Subparagraph 1.1 of the Law No. 03/L-209 on the Central Bank of the Republic of Kosovo (Official Gazette of the Republic of Kosovo, No. 77/16 August 2010), Article 4, Paragraph 3, and Article 81, Paragraphs 2 and 3 of the Law No. 05/L-045 on Insurance (Official Gazette of the Republic of Kosovo, No. 38/24 December 2015), the Board of the Central Bank of the Republic of Kosovo in the meeting held on 28th of April 2016 approved the following: REGULATION ON THE EXTERNAL AUDIT OF INSURERS, INSURANCE INTERMEDIARIES, CLAIM HANDLERS AND THE KOSOVO INSURANCE BUREAU Article 1 Scope and Purpose

1. This Regulation concerns the approval by the CBK of external auditors that do external audits of insurers, insurance intermediaries, claim handlers, and the Kosovo Insurance Bureau, licensed, supervised and regulated by the CBK. With this regulation CBK also sets requirements related to carrying out external audits, it regulates their engagements and holds a registry of external auditors that carry out external audits of the above-mentioned insurance entities.
2. The purpose of this regulation is to strengthen the regulatory framework related to external auditors of the insurers, insurance intermediaries, claim handlers, and the Kosovo Insurance Bureau and to ascertain the quality of the services performed by these external auditors, in relation to the specific risks in insurance and of the financial sector as a whole.
3. This regulation applies to insurers, including branches of foreign insurers, insurance intermediaries, claim handlers, and the Kosovo Insurance Bureau, that are licensed by the CBK to carry out certain insurance activities, and that are supervised and regulated by the CBK. Article 2 Definitions
4. All terms used in this regulation have the same meanings as set forth in Article 3 of the Law No. 05/L-045 on Insurance (hereinafter: Law on Insurance) and / or as specified further for the purposes of this regulation: a) “External Audit” means an audit of annual accounts or consolidated accounts in accordance with the insurance legislation in Kosovo. b) “External Auditor” means only the auditing firm. c) “Audit Firm” - means a legal entity or any other entity, regardless of their legal form, that has been licensed in compliance with the current Law on Accounting, Financial Reporting and Auditing (hereinafter: Law on Financial Reporting) for performing auditing jobs.

d) "Appointed External Auditor" means an external auditor who is appointed by an insurer, insurance intermediary or Kosovo Insurance Bureau to provide auditing services and a report and an opinion on the financial position, a summary report on internal controls, a report on risk exposure, financial exposure and work papers. e) “Qualified External Auditor" means a licensed member of the Kosovo Financial Reporting Council (KFRC) and a member of a recognized accounting or external audit professional association in Kosovo or abroad, who has been approved as qualified by the CBK to perform external audits and are competent for signing the opinion on financial position of the audited reports for clients in insurance. f) “Financial Statement” - means a statement of the financial position, income statement, cash flow statement, the statement of changes in equity, and additional notes and explanatory materials that are the integral parts of a financial statement. g) “Insurer” means a legal person licensed to carry out insurance activities according to the provisions of the Law on Insurance. h) “Reinsurer” means a legal person licensed to carry out reinsurance activities according to the provisions of the Law on Insurance. i) “Insurance Intermediary” means a legal person licensed by the CBK as an insurance agency company and insurance brokerage company, to carry out insurance intermediary activities. j) “Claim Handler” means a legal person licensed by the CBK and contracted by the insured or the insurers, to carry out claim assessment activities. k) “Foreign Insurer” means a branch of a foreign insurer, headquartered in another country and has been licensed to carry out insurance activities through its branch in the Republic of Kosovo. 2. Whenever the term insurer is used in this regulation it shall also mean reinsurer, and whenever the term insurance intermediary is used it shall also mean reinsurance intermediary. Article 3 CBK External Auditor Approval Requirements and Conditions

1. The external auditor of an insurer, insurance intermediary, claim handler, and the Kosovo Insurance Bureau, must be approved by the CBK.

2. Based on a written application, the CBK may grant approval as an auditor of an insurer, insurance agencies, insurance brokerage companies, the Kosovo Insurance Bureau, and other insurance businesses, only to: a) An external auditor licensed in the Republic of Kosovo in accordance with current Law on Accounting, Financial Reporting and Auditing; b) Auditors of an audit firm licensed in Kosovo in accordance with the current Law on Accounting, Financial Reporting and Auditing, and upholding a regular membership in a professional accounting and auditing association in Kosovo, in accordance with the Law on Accounting, Financial Reporting and Auditing;

3. A foreign auditor or a foreign audit firm needs to be licensed in accordance with the Law on Accounting, Financial Reporting and Auditing. A foreign auditor or a foreign audit firm must comply with the Law on Accounting, Financial Reporting and Auditing and the requirements foreseen in the KFRC instructions on licensing.

4. The CBK may grant approval as an auditor of an insurer, insurance agencies, insurance brokerage companies, the Kosovo Insurance Bureau, and other insurance business professionals, to auditors or audit firms of good repute who are not engaging in any other non￾financial audit activity which is deemed by the CBK as incompatible with the external audit engagement. Article 4 Specific Requirements and Conditions

5. In order for the staff of the external auditor to hold their respective positions of external auditor for the insurer, insurance intermediary, claim handlers and Kosovo Insurance Bureau, need to fulfill all of the following criteria and be: a) be fit and proper; b) have integrity, honesty and commitment to the fulfillment of their duties; c) competence, professional skills and sound judgment in fulfilling their duties; d) independence in order to not adversely affect the interests of the insurer by the conflict of interest that may arise while fulfilling their duties; e) have the professional qualifications determined by a degree or a certificate issued by a university or a recognized professional organization that certifies the successful completion of the full cycle of external auditor qualifications; f) be a member of a professional accounting and auditing association or organization that fulfills the requirements for a license in accordance with Laq on Financial Reporting; g) an external auditor that has at least 3 (three) years of experience in the field of external audit of insurer’s financial statements or other financial institutions or at least the participatory staff that is conducting the audit, should have such experience; h) possess and master professional knowledge of the legislation, ethics, and best practices for insurance in Kosovo; i) in addition to the provisions set forth above, the CBK estimates the previous conduct and activities of the person concerned, in business or financial matters and, in particular, examine if there is evidence to show that this person has been or currently is; i. convicted within the last 10 years of any criminal offense; ii. involved or associated with any financial loss caused by the actions of dishonesty, recklessness or negligence, in connection with the performance of financial services and the management of other companies; iii. engaging in commercial business practices, including tax evasion, which CBK deem fraudulent practices, inappropriate or threatening in some way reflect a person's values deficiencies in the performance of financial services and other business operations; iv. have no overdue or outstanding tax or other government obligations.

6. Application for approval should contain: a) insurers’ audit program; b) description on usage of resources during the audit service; c) engagement letter for the external auditor or a contract for the services provided; d) a document that proves the necessary experience of the external audit or its staff which that is conducting the audit in the area of insurance audit; or other financial institutions;

e) an attestation issued by KFRC related to the results of the last quality control for the external auditor (if the KFRC does not issue such an attestation, the same will not be required by the CBK); f) the audit program and usage of resources during the service of audit, should be suitable in relation with the character and size of the insurer. 3. CBK approves for one year only the external auditor or the audit firm, the approval is limited to one specific insurance institution such as: insurer, insurance intermediary, claim handler or the Kosovo Insurance Bureau. 4. No external auditor can be engaged in an external audit of an insurer, insurance intermediary, claim handler and Kosovo Insurance Bureau, for more than five (5) consecutive years, and can retake place in audits of the same insurer after a time period of at least two (2) years. Article 5 Appointment of the External Auditor The external auditor will be appointed each year by the general assembly of members of the audited entity. Insurer, insurance intermediary, claim handler and the Kosovo Insurance Bureau, is obligated to inform the CBK in writing about the appointment of the external auditor and submit an application for approval not latter then July 30 each year. Article 6 Register for Approved Insurance External Auditors CBK shall maintain a public registry on its website of each approved insurance external auditors approved for auditing insurance institutions in Kosovo. This public register shall contain general information on external auditors. Article 7 Re-auditing CBK has the right to ask for a redo of the audit by another external auditor at the expense of the insurer, in cases where the existing insurers external auditor has finished the audit or submitted a report, which is not in accordance with the International Accounting Standards (IAS), requirements of the Law on Insurance, CBK regulations, or do not present the real and accurate financial position of the insurer. Article 8 Professional Ethics

1. External auditors shall be subject to principles of professional ethics set forth by the International Federation of Accountants “Code of Ethics for Professional Accountants”.
2. External auditors shall be subject to principles which at least cover the overall responsibility of the external auditors towards the public, their integrity and objectivity, and their professional competence and due care.

Article 9 Independence and Objectivity

1. When carrying out an audit, external auditors shall be independent from the audited entity and shall not in any way be involved in management decisions of the audited insurer. External auditors shall not be allowed to carry out an audit if there is any direct or indirect financial, work, employment interest or any other relationship, including provisioning for additional non￾audit services between the external auditors and the audited insurers from which an objective, reasonable and informed third party would conclude that the external auditor's independence is compromised.
2. The external auditors shall document in the audit working papers all threats to their independence as well as the safeguards applied to mitigate those threats. Article 10 Independence and Objectivity of Auditors that Conduct and Audit as an Audit Firm Owners or shareholders of an approved audit firm, also the members of the administrative, management and oversight bodies of this firm or an associated firm, should not intervene in the execution of an audit in any way that would jeopardize the independence and objectivity of the auditor conducting the audit in the name of the auditing firm. Article 11 Confidentiality and Professional Secrecy
3. External auditors and external auditors’ associates have a duty of keeping confidentiality regarding everything they have gained knowledge of through their activities, unless otherwise stipulated by current legislation or in cases when the information concerns a person the duty of which does not require professional secrecy. External auditors and external auditors’ associates may not use such information in their own activities or in the service or employment of others.
4. External auditors, in contrary with the limitations mentioned in paragraph 1 of this article or the agreement on confidentiality, are allowed to give explanations or present documentation in connection to their audits, when it is required by the current legislation in force in Kosovo.
5. When an external auditor or an audit firm has been replaced by another external auditor or audit firm, the previous external auditor or audit firm should provide, to the current external auditor or audit firm, access to all necessary information related to the entity being audited.
6. The duty of keeping confidentiality for an external auditor or an audit firm continues to apply after the assignment for an insurer has been concluded. Article 10 Scope of the Audit
7. External auditors shall assess whether or not the annual accounts of the financial institution have been prepared and finalized in accordance with International Financial Reporting Standards (IFRS), the Law on Insurance and CBK regulations, and whether or not the

management of the financial institution has fulfilled its obligation to ensure proper and clearly set out recording and documentation of the accounting information in accordance with the abovementioned standards, the law and regulations. 2. External auditors shall assess whether or not information in annual reports pertaining to annual accounts, assumptions regarding continued operation and proposals concerning the utilization of surpluses or coverage of losses are in accordance with the Law on Insurance and CBK Regulations. 3. The external auditors shall evaluate the adequacy of risk management systems of the insurer, based on assessments of: a) Compliance with requirements for organizational structures for the administration of each specific risk; b) Policies and procedures on managing each specific risk and their implementation; c) Adequate identification, measuring and monitoring of each specific risk; d) Adequacy and efficiency of the system of internal audit for the management of each specific risk. 4. Specific risks cover: liquidity risk, inherent risk, market risk, operational risk and other risks that the insurer is exposed to. 5. External auditors should conduct an evaluation for the insurer’s way of managing assets and placement of proper internal controls. 6. Auditing of insurers should cover all areas of activities for an insurer: insurance portfolio, asset assessment and their adequacy, technical provisions that need to be adequate in covering contracted liabilities and loses against risks that arise from insurance contracts, technical provisions for unearned premium, reserves for gross claims, as described in Article 67 of the Law on Insurance, as well as provide an opinion on their adequacy calculated by the insurer’s actuary. 7. The audit should also cover the functioning and adequacy of internal controls as well as the functioning of the management systems. 8. External auditors shall contribute in prevention and disclosure of any irregularities and errors through their audit. Article 13 External Auditor’s Duties

1. External auditors shall execute audits to the best of their judgment, including assessing the risk that erroneous information may be included in the annual accounts due to irregularities or errors.

2. External auditors shall ensure that they have an adequate basis for assessing whether or not contraventions of the Law on Insurance and CBK Regulations have taken place that are of significance with respect to the annual accounts.

3. External auditors should check the regularity, accuracy and conclude that the reporting presented by the insurer to the CBK is complete and in accordance with the regulatory requirements in force approved by the CBK. Based on the exercised control, the external auditors should evaluate whether the reporting was carried out in accordance with the Law on Insurance and the CBK Regulations and if those reflect correctly and objectively the financial positions of the insurer.

4. External auditors shall point out the following circumstances in writing to the insurer’s board of directors: a) Deficiencies regarding the duty to ensure proper and clearly laid out recording and documentation of accounting information; b) Errors and deficiencies in the organization and control of asset management; c) Irregularities and errors that may lead to erroneous information in the annual accounts; d) Circumstances that may lead to liability on the part of members of the Board, general assembly of shareholders or senior management. Article 14 Requirements for External Auditors when Auditing Annual Accounts

5. External auditors shall carry out all audits of insurers in accordance with International Auditing Standards (ISA).

6. While auditing an insurer, insurance intermediary, claim handler or the Kosovo Insurance Bureau, external auditors are required to focus on the evaluation of liquidity risk, inherent risk, market risk, operational risk, and other risks that the insurer is exposed to as well as express their opinion on the audit report. External auditors shall ensure and report that the insurers have arranged for satisfactory asset management and that proper controls are in place. Article 15 Professional Liability insurance External auditors are required to procure a professional liability insurance policy, as set forth in the Administrative Instruction 2015-01 on Licensing of Legal Auditors, of KFRC. Article 16 Management Letter

7. External auditors shall, in accordance with the Law on Insurance and relevant CBK regulations, at the conclusion of the audit process prepare a management letter to the insurer, and a copy to the CBK. The management letter shall include all conclusions the external auditor may have reached on the activity of the financial situation of the insurer.

8. In the management letter, the external auditors shall make a specific statement concerning their assessment of the internal control system in order to disclose material matters in the internal control structure. The specific statement shall also include the assessment of the company’s internal audit function.

9. In the management letter, the external auditors shall make a specific statement concerning whether they conclude that the insurer is in compliance with the respective CBK laws and regulations and whether the insurer is in compliance with latest CBK findings and recommendations. Article 17 Matters required to be Included in the Engagement Letter of External Auditors

10. Requirements and conditions to be included in the engagement letter of the external auditor of a CBK licensed insurer are as follows: a) Frequency of the audit - licensed insurers must have their financial statements audited each year to conform to their financial/accounting period. b) Appointment of the external auditor must be in writing and subject to the approval of the CBK. c) Independence of the auditor - the auditor or its firm must not be a related party of the licensed insurer. d) Scope of the audit work: i. Review of the adequacy of internal audit and internal control practices and procedures, identify and note deficiencies and make recommendations for implementation. ii. Express an opinion as to whether the financial statements present a true and fair view of the financial condition and activities of the licensed insurer in accordance with International Financial Reporting Standards. iii. Degree of regulatory compliance - the audit report must express an opinion on whether the licensed insurer is in compliance with the insurance laws, regulations, and rules as approved by the CBK.

11. The external auditor must report directly to the CBK the following matters: a) A fraudulent act committed by an employee of the licensed insurer, any irregularity or deficiency in its administration or operations that may be reasonably expected to result in a material loss of the licensed insurer. b) If the licensed insurer is systematically contravening insurance rules or this regulation. c) If the audit report’s conclusions are being ignored or unduly influenced by the licensed insurer’s management or board of directors, directly or indirectly.

12. Additional matters to be included in the engagement letter of external auditors in addition to the requirements prescribed in paragraph 1 of this article, are as follows: a) The engagement letter must contain the acceptance signature of the auditor agreeing to its terms and conditions. b) The board of director’s responsibility to keep the CBK informed about the affairs of the licensed insurer’s business. c) The right of the auditor to communicate with the CBK any information or opinion on a matter of which he becomes aware that is relevant to the supervisory oversight of the CBK. d) The auditor’s duty to report matters of material significance to the CBK. e) The auditor’s duty to provide access to his working papers for regulatory purposes upon the request of the CBK.

Article 18 Duty to Inform

1. External auditors shall provide information about matters regarding the insurer, that the external auditor has identified during the audit when this is required by shareholders at a general meeting, board of directors, senior management, audit committee or a person authorized by the CBK.
2. The external auditor shall immediately communicate to the audit committee or board of directors of the insurer, any matters of governance interest which comes to the attention of the auditor during his performance of the audit. The external auditor shall report to the governance bodies of the insurer and the CBK when the auditor, during the performance of the audit of the client, notices: a) Information that indicates a failure to fulfill a requirement for maintaining a license with the CBK; b) A serious conflict within the decision-making bodies or the unexpected departure of a manager in a key function; c) Information that may indicate a material breach of current CBK legislation, regulations, instructions and orders and the insurer’s articles of association, charter, or by-laws; or d) The intention of the external auditor to resign or the removal of the external auditor and material or adverse changes that present a risk for the insurer’s business and possible risks going forward.
3. The CBK maintains regular contact and can initiate meetings with external auditors of insurers at any time when such contacts are deemed necessary. Article 19 Quality Control and its Review
4. External auditors approved by the CBK may be subject to quality review from the CBK.
5. External auditors approved by the CBK should apply adequate quality control policies and procedures that address all significant aspects of the audit.
6. The quality review of an approved external auditor should cover one specific audit assignment, and may be executed by CBK or a reviewer appointed by the CBK.
7. During the quality review, the CBK or the reviewer shall determine the extent to which the external auditor have adequate quality control policies and procedures that address all significant aspects of auditing. During the review, CBK or the reviewer shall have access to the working papers of the external auditor, as far as necessary to conduct a sufficient and adequate quality control.
8. Concerning obligations on keeping confidentiality, Article 11, of this Regulation applies equally to the CBK and the reviewer.
9. Aggregate results of the quality review shall be published by the CBK, including recommendations, follow up of recommendations and, if the case arises, sanctions.

Article 20 Documenting the Concluded Work As required by ISA “Documentation of the Audit”, external auditors shall document how the audit was conducted as well as the results of that audit. Issues indicating that irregularities or errors might be present should be documented in a special manner. Article 21 External Auditor Report

1. External auditors shall prepare an annual audit report with an audit opinion in accordance with the IFRS in case of material differences, as well as an audit report with an audit opinion in accordance with the CBK regulations on risk management of the insurer.
2. The audit report should confirm that the audit services have been carried out in accordance with the provisions of the Law on Insurance, this regulation and other relevant CBK regulations.
3. The audit report shall express an opinion regarding the following matters: a) Whether the annual accounts have been prepared and finalized in accordance with IFRS, the Law on Insurance and relevant CBK regulations, and present a true and fair view of the financial condition and activities of the company, b) If the management of the insurer has fulfilled its obligations, in securing accurate and appropriate data as well as documentation of accounting information; and c) Whether the information in the annual report related to the annual accounts, assumptions concerning continued operation, and proposals regarding the use of surpluses (earnings) or coverage of losses, are in accordance with the Law on Insurance and relevant CBK regulations.
4. If the accounts do not provide the information about the result and position of the insurer, external auditors shall stress this, or stipulate the auditor’s opinion and possibly provide necessary supplementary information in the auditor’s report.
5. If the external auditors reach the conclusion that accounts should not be finalized in their current form, this shall be distinctly stated.
6. If external auditors, during the performance of the audit, find that circumstances exist that may lead to liability on the part of members of the board, general assembly of shareholders or senior management, this shall be remarked upon in the audit opinion. External auditors shall also provide other information about circumstances that they believe should to be known to the participants or shareholders of the insurer.
7. External auditors shall also evaluate the implementation of recommendation from the audit during the previous financial year.
8. External auditors that audit annual accounts of the insurer’s parent company shall prepare a special audit report for the group as is required by ISA. Provisions of paragraphs 1 to 7 of this article shall apply the same for the group’s audit report.

Article 22 Audit Report Submission

1. Insurers, insurance intermediaries, claim handlers and Kosovo Insurance Bureau must submit to the CBK annual audited financial statements along with a management letter, not later than April 20th of the current year for the previous year.

2. Branches of foreign insurers, except as required in the previous paragraph, must submit to the CBK the consolidated annual financial statements of their parent company along with the external audit report not later than June 30th of the current year for the previous year. Article 23 Maintenance of Audit Working Papers Audit working papers shall be prepared and maintained in accordance with relevant ISA. Article 24 Audit Fees

3. Fees for audit services contextually should be objective: a) Shall be adequate to allow proper audit quality; b) Shall not be influenced or determined by the provision of additional services to the audited insurer; and c) Cannot be based on any form of conditioning. Article 25 Changes in External Auditor

4. When an insurer, insurance intermediary, claim handler and the Kosovo Insurance Bureau, intends to change its external auditor, they shall notify the CBK in writing detailing the reason for the change of the external auditor.

5. Also the external auditor shall notify the CBK in writing for the reason of the change why did the change of the external auditor of the entity that was approved by the CBK occur. Article 26 Dismissal, Termination, and Resignation of External Auditors

6. External auditors of insurers, insurance intermediaries, claim handlers and the Kosovo Insurance Bureau may only be dismissed where there are proper grounds for such an action. Divergence of opinions on accounting treatments or audit procedures shall not be a proper ground for dismissal.

7. Both the audited insurer, insurance intermediary, claim handler and the Kosovo Insurance Bureau, shall inform the CBK about the dismissal, termination or resignation and shall give an adequate explanation of the reasons thereof.

8. Insurers, insurance intermediaries, claim handlers and the Kosovo Insurance Bureau are required to notify the CBK of any new external auditor appointment within 15 days of the actual appointment. Article 27 Measures Against the External Auditor

9. If the external auditors of insurers, insurance intermediaries, claim handlers and the Kosovo Insurance Bureau have contravened the auditor’s duties pursuant to this regulation, Law on Insurance and other relevant CBK regulations, the CBK through a letter may warn the external auditor or issue a written warning, depending on the severity of the contravention.

10. If the external auditors of insurers, insurance intermediaries, claim handlers and the Kosovo Insurance Bureau have gravely or repeatedly contravened the external auditor’s duties pursuant to this regulation, Law on Insurance and other relevant CBK regulations, the CBK has the right to prohibiting an external auditor from auditing insurers, insurance intermediaries, claim handlers and the Kosovo Insurance Bureau for a period of three (3) years. Article 28 Withdrawal of External Auditors Approval by the CBK

11. The CBK shall withdraw the approval of the approved external auditor in the following cases: a) the CBK determined that the approval was obtained on the basis of deliberate false data; b) the approved external auditor conducts a serious violation of the insurance laws, regulations, and rules and the audit profession and code of ethics; c) the approved external auditor violates the provisions of any article of this regulation, law on insurance or other CBK regulations; d) if it is determined by the CBK that the good repute of any licensed audit individual or firm has been seriously compromised;

12. The CBK shall inform the insurer, insurance intermediary, claim handler and the Kosovo Insurance Bureau, for which the authorized external auditor carries out audit services, about the withdrawal of the external auditor’s approval. Article 29 Entry into Force This regulation shall enter into force on 2nd May 2016. With the entry into force of this regulation, concerning insurers, insurance intermediaries, claim handlers and Kosovo Insurance Bureau, any provision of CBK rregullative instruments that is in contradiction with this regulation is abrogated. Chairman of the Board of the Central Bank of the Republic of Kosovo

---

Prof. Dr. Bedri Peci