2012-11-09

Regulation on Internal Controls and Internal Audit

The Central Bank of the Republic of Kosovo issued this regulation to establish comprehensive requirements for internal controls and audit functions across all licensed banks and foreign bank branches operating in Kosovo. Banks must implement robust control systems that encompass risk assessment, segregation of duties, reliable information reporting, and continuous monitoring to mitigate operational and financial risks. The mandate further requires each institution to maintain an independent internal audit department with clear governance, defined reporting lines to the Board of Directors or Audit Committee, and standardized outsourcing and enforcement provisions.


Kosovo

Central Bank of the Republic of Kosovo


Pursuant to Article 35, paragraph 1.1 of the Law No. 03/L-209 of the Central Bank of the Republic of Kosovo (Official Gazette of the Republic of Kosovo, No. 77/16 August 2010), and Articles 85 and 32 of the Law No. 04/L-093 on Banks, Microfinance Institutions and Non-Bank Financial Institutions (Official Gazette of the Republic of Kosovo, No. 11/11 May 2012), the Board of the Central Bank of the Republic of Kosovo at the meeting held on November 9, 2012, approved the following:

REGULATION ON INTERNAL CONTROLS AND INTERNAL AUDIT

Article 1 Purpose and scope

  1. The purpose of this Regulation is to provide the basic principles on the organization and operation of the internal controls and internal audit function of Banks.
  2. This Regulation applies to all banks and branches of foreign banks licensed by the CBK to operate in the Republic of Kosovo, hereafter referred to as banks.

Article 2 Definitions

  1. All terms used in this Regulation are as defined in Article 3 of Law No. 04/L-093 on Banks, Microfinance Institutions and Non-Bank Financial Institutions (hereafter referred to as the Law on Banks), and/or as further defined in this Regulation as follows:
     a. Internal Control System means the process monitored by the Board of Directors, senior managers and other personnel, and established to provide reasonable assurance regarding the achievement of effectiveness and efficiency of operations, reliability of reporting and compliance with applicable laws and regulations.
     b. Internal Audit Function is an independent, objective assurance and consulting activity designed to add value and improve the banks’ operations. It helps a bank accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

CHAPTER I INTERNAL CONTROLS

Article 3 Requirements for Internal Controls

  1. Banks shall establish a sound internal control system for the purpose of preventing losses, maintaining reliable financial and management reporting, enhancing their prudent operation, and promoting stability in the financial system of the Republic of Kosovo.
  2. Banks, regardless of their size, shall have an effective system of internal controls that is consistent with the nature, complexity, and risk inherent in their on- and off-balance sheet activities and that responds to changes in their environment and conditions.
  3. The goals of the system of internal controls should be to reduce fraud, misappropriation and errors, and to mitigate other risks faced by the Banks, which shall:
     a. Promote the efficiency and effectiveness of activities and measures that protect the Bank in using its assets and other resources and protecting it from losses;
     b. Ensure the reliability, completeness and timeliness of financial and management information, so that administrators, directors, shareholders, external parties, and supervisors can rely on it for decision-making; and
     c. Ensure compliance with applicable laws and regulations.
  4. An effective internal control system consists of the following interrelated components:
     a. Management oversight and the control culture;
     b. Risk recognition and assessment;
     c. Control activities and segregation of duties;
     d. Information and communication; and
     e. Monitoring activities and correcting deficiencies.

Article 4 Management Oversight and the Control Culture

  1. The Board of Directors and senior management shall be responsible for promoting high ethical and integrity standards, and for establishing a culture within a Bank that emphasizes and demonstrates to all levels of personnel the importance of internal controls. Senior managers shall ensure that all personnel understand their role in the internal controls system and shall be fully engaged in the process.
  2. Responsibilities of the Board of Directors
     a. The Board of Directors shall be responsible for providing direction, guidance and oversight to the Bank, and ensuring that the affairs of the entity are carried out in the best interest of the organization. The Board of Directors has a duty to act carefully in fulfilling the important task of directing and monitoring the activities of management, ensuring that the Bank’s day-to-day operations are in the hands of qualified, honest and competent management.
     b. Specific internal control duties of the Board of Directors shall be to:
        i. Approve and review, on at least an annual basis, the overall business strategy and significant policies of the Banks;
        ii. Establish the structure of the organization, including its operational units, their sub-units, functions and supervisory positions;
        iii. Establish the Audit Committee, in accordance with Article 29 of the Law on Banks;
        iv. Identify the major risks within the Bank and set acceptable levels for these risks and ensure that senior management is monitoring the effectiveness of the internal control system;
        v. Formally review, at least once a year, the internal control system and the internal audit function;
        vi. Ensure that an adequate and effective system of internal controls is established and maintained.
  3. Responsibilities of Senior Management
     a. The senior managers shall be ultimately responsible for the Bank’s organizational and procedural controls, by ensuring the integrity of internal controls and by having in place an effective management team that is characterized by a culture of control and that is accountable for the performance of its responsibilities;
     b. Specific internal control duties of the senior managers shall be to:
        i. Implement strategy and policies approved by the Board of Directors;
        ii. Develop processes that identify, measure, monitor and control risks incurred by the Bank;
        iii. Maintain an organizational structure that clearly assigns responsibility, authority and reporting relationships;
        iv. Ensure that delegated responsibilities are effectively carried out, set appropriate internal control policies, and monitor the adequacy and effectiveness of the internal control system;
        v. Ensure that outsourced services of any kind are with reputable companies that have an adequate internal control system. The contracts for these services shall stipulate that external auditors, internal auditors and CBK examiners have access to any documentation or information source or system that may be requested in the discharge of their respective function.

Article 5 Risk Recognition and Assessment

  1. All material risks that could adversely affect the achievement of the Bank’s goals shall be recognized and continually assessed. This assessment shall cover all risks facing the covered institution and the consolidated banking organization (including credit risk, country and transfer risk, market risk, liquidity risk, operational risk, and reputation risk).
  2. Internal controls shall be reviewed at least annually to appropriately address any new previously uncontrolled risks.
  3. Effective risk assessment shall identify and consider internal factors (such as the complexity of the Bank’s structure, the nature of its activities, the quality of personnel, organizational changes and employee turnover) as well as external factors (such as fluctuation of economic conditions, changes in the industry and technological advances) that could adversely affect the achievement of the Bank’s goals.
  4. The risk assessment shall be conducted at all levels of individual activities and across the wide spectrum of activities. Risk assessment shall address both measurable and nonmeasurable aspects of risks and shall weigh costs of controls against the benefits they provide.
  5. The risk assessment process shall also include the evaluation of risks to determine which are controllable and non-controllable by the Bank. For those risks that are controllable, the Bank must assess whether to accept those risks or the extent to which it wishes to mitigate the risks through control procedures. For those risks that cannot be controlled, the Bank must decide whether to accept these risks or to withdraw from or reduce the level of business activity concerned.

Article 6 Control Activities and Segregation of Duties

  1. Control activities shall be an integral part of the daily activities of a Bank. Senior management shall establish an appropriate control structure, with control activities defined at every business level, including: top level reviews; appropriate activity controls for different departments or divisions; physical controls; checking for compliance with exposure limits and follow-up on non-compliance; a system of approvals and authorizations; and a system of verification and reconciliation.
  2. Control activities shall be designed and implemented to address the risks identified by the Bank through its risk assessment process. Control activities shall involve two steps:
     a. Establishment of control policies and procedures, and
     b. Verification that the control policies and procedures are being complied with.
  3. Control activities shall involve all levels of personnel of the institution, including senior management as well as front line personnel.
  4. Duties shall be allocated appropriately and personnel shall not be assigned responsibilities that would result in conflict of interest. Areas of potential conflicts of interest shall be identified, minimized, and subject to careful, independent monitoring, particularly in those instances related to approval and disbursement of funds, customer and accounts assessment and monitoring of loans and any other areas where significant conflicts of interest emerge and are not mitigated by other factors.

Article 7 Information and Communication

  1. Management shall collect, record and retain adequate and comprehensive internal financial, operational and compliance data, as well as external market information about events and conditions that are relevant for decision-making. Information shall be relevant, reliable, timely, and accessible and maintained in a consistent format.
  2. Reliable information systems shall be in place to cover all significant activities of the Bank. These systems, including those that hold and use data in an electronic form, must be secured, monitored independently and supported by adequate contingency arrangements.
  3. Management shall maintain effective channels of communication to ensure that staff fully understand and adhere to policies and procedures affecting their duties and responsibilities and that other relevant information is communicated to the appropriate personnel.

Article 8 Monitoring Activities and Correcting Deficiencies

  1. The overall effectiveness of the Bank’s internal controls shall be monitored by management on an ongoing basis. Monitoring key risks shall be part of the daily activities of all operational and business areas of the covered institution. The minutes of the board of directors’ meetings shall record the decisions adopted concerning internal control deficiencies.
  2. Internal rules shall establish clear lines of responsibility for each operational and business area. Periodic and separate reviews shall be performed by operational and business areas and internal control deficiencies shall be reported in a timely manner to the appropriate management level and addressed promptly. Material internal control deficiencies shall be reported to senior managers, audit committee and to the board of directors.
  3. Adequate internal controls within the Bank shall be supplemented by an effective internal audit function that independently evaluates the control systems within the Bank. An effective and comprehensive internal audit of the internal control system shall be carried out by operationally independent, appropriately trained and competent staff.

CHAPTER II INTERNAL AUDIT

Article 9 Internal Audit Function

  1. Internal audit function is part of the ongoing monitoring of the Bank’s system of internal controls, which provides an independent assessment of the adequacy of, and compliance with, the institution’s established policies and procedures. As such, the internal audit function assists senior administrators and the Board of Directors in the efficient and effective discharge of their responsibilities.
  2. Scope of an internal audit function shall include:
     a. The examination and evaluation of the adequacy and effectiveness of the internal control systems;
     b. The review of the application and effectiveness of risk management procedures and risk assessment methodologies;
     c. The review of the management and financial information systems, including electronic information system and electronic banking services;
     d. The review of the accuracy and reliability of the accounting records and financial reports;
     e. The review of the means of safeguarding assets;
     f. The review of the bank’s system of assessing its capital in relation to its estimate of risk;
     g. The appraisal of the economy and efficiency of the operations;
     h. The testing of both transactions and the functioning of specific internal control procedures;
     i. The review of the systems established to ensure compliance with legal and regulatory requirements, codes of conduct and the implementation of policies and procedures;
     j. The testing of the reliability and timeliness of the regulatory reporting; and
     k. The carrying-out of special audit tasks.
  3. Senior management is responsible to ensure that the internal audit department is kept fully informed of new developments, initiatives, products and operational changes.
  4. Each Bank should have a permanent and independent audit function in order to fulfill its duties and responsibilities. The Board of Directors shall be responsible for ensuring the independence of the audit function and that sufficient human and material resources are available for the adequate performance of its functions and duties.

  5. The internal audit function shall be independent of the activities audited and from the everyday internal control processes. The head of the internal audit department should have the authority to communicate directly, and on his/her own initiative, to the Board of Directors, or through the Audit Committee, which shall also set his or her compensation.
  6. The dismissal or resignation of the head of internal audit department and its causes shall be communicated to the CBK within seven working days after it was decided.
  7. Each Bank should have a written audit charter that enhances the standing and authority of the internal audit function within the institution.
     a. The internal audit charter should establish at least:
        i. The objectives and scope of the internal audit function;
        ii. The internal audit department’s position within the Banks, its powers, responsibilities and relations with other control functions; and
        iii. The accountability of the head of the internal audit department.
     b. The audit charter should be drawn up – and reviewed periodically – by the internal audit department; it should be approved by the Audit Committee and subsequently confirmed by the Board of Directors as part of its supervisory role;
     c. The audit charter shall mandate the internal audit department with the right to initiate and authorize it to have access to and communicate with any member or staff, to examine any activity or units of the Bank, as well as to access any records, files or data, including management information and the minutes of all consultative and decision making bodies, whenever relevant to the performance of its assignments;
     d. The charter shall specify the terms and conditions to which the internal audit department can be called upon to provide consulting or advisory services or perform other special tasks.
  8. The professional competence of every internal auditor and of the internal audit function as a whole, which will vary depending on the size and complexity of a Bank’s operations, is essential for the proper functioning of the internal audit function.
     a. The members of the internal audit department should meet at least the qualities and skills as outlined in one of the following arrangements:
        i. Professional capability to implement and adhere to procedure standards and auditing techniques in the operating fields of the Bank;
        ii. Knowledge and experience with International Financial Reporting Standards;
        iii. Knowledge of risk administrating principles and prudent internal auditing techniques of the financial institution;
     b. The head of the internal audit department shall be an individual with a high ethical and professional reputation and with an adequate experience in the banking and auditing fields.
  9. The head of the internal audit department shall prepare an audit plan for the assignments to be performed, which shall be approved by the Board of Directors or its Audit Committee. This approval implies that the financial institution will make the appropriate resources available to the internal audit department.
     a. The annual audit plan shall include in detail the timing and frequency of planned internal audit work, the necessary resources in terms of personnel and it shall be based on an evaluation of internal controls and on a written assessment of material risks, updated yearly.
     b. The reports of the internal audit department shall be presented to the Audit Committee, containing the findings and recommendations as well as the responses of senior managers;
     c. The reports and working papers shall be kept for at least five years;
     d. The internal audit department shall follow up its recommendations to verify whether they are implemented.

Article 10 Outsourcing of Internal Audit

  1. An internal audit outsourcing arrangement may be contracted between the Bank and a qualified professional.
  2. Regardless of the contractual stipulations, the Board of Directors and senior managers shall remain ultimately responsible for ensuring that the internal audit function is adequate and operates effectively.
  3. All the conditions of this Regulation remain applicable in case any internal audit activity is outsourced.

Article 11 Enforcement, Remedial Measures and Civil Penalties

Any violation of this Regulation shall be subject to the remedial measures and penalties provided for in Articles 58, 59 and 82 of the Law on Banks.

Article 12 Abrogation

Upon the entry into force of this Regulation, it shall abrogate the Rule XXX of CBK on Internal Control System, approved on November 1, 2008 and any other provisions that may be in conflict with this Regulation.

Article 13 Entry into Force

This Regulation shall enter into force on December 3, 2012.

The Chairman of the Board of Central Bank of the Republic of Kosovo

Gazmend Luboteni