2016-04-28

Regulation on Internal Controls and Internal Audit of Insurers

The Central Bank of the Republic of Kosovo mandates all licensed insurers to establish robust internal control systems and independent audit functions to ensure operational efficiency, reliable financial reporting, and regulatory compliance. The regulation assigns specific oversight responsibilities to the Board of Directors and senior management while requiring continuous risk assessment, clearly defined control activities, and secure information systems. It further standardizes internal audit charters, mandates annual performance reporting to the Audit Committee and Board, and establishes administrative penalties for violations, officially superseding prior internal control rules.

Kosovo

Central Bank of the Republic of Kosovo

Pursuant to Article 35, Paragraph 1, Subparagraph 1.1 of the Law No. 03/L-209 on the Central Bank of the Republic of Kosovo (Official Gazette of the Republic of Kosovo, No. 77/16 August 2010), Article 4, Paragraph 3, and Article 76, Paragraph 6 and Article 77, Paragraph 6 of the Law No. 05/L-045 on Insurance (Official Gazette of the Republic of Kosovo, No. 38/24 December 2015), the Board of the Central Bank of the Republic of Kosovo in the meeting held on 28th of April 2016 approved the following:

REGULATION ON INTERNAL CONTROLS AND INTERNAL AUDIT OF THE INSURERS

Article 1 Purpose and Scope

  1. The purpose of this regulation is to define basic principles on the organization and operation of internal controls and the function of internal audit for insurers.
  2. This Regulation applies to all insurers and branches of foreign insurers, licensed by the CBK to operate in the Republic of Kosovo, hereinafter referred to as insurers.

Article 2 Definitions

  1. All terms used in this Regulation shall have the same meaning as the terms defined in Article 3 of Law No. 05/L-045 on Insurance (hereinafter referred to as Law on Insurance), or by the following definitions for the purpose of this Regulation:
     a) The system of internal controls is a process under the control of the Board of Directors, senior management and other insurance personnel, established for providing a reasonable assurance in achieving operational effectiveness and efficiency, reliable financial reporting, and compliance with applicable laws, regulations and policies.
     b) Internal Audit function is an independent, objective and consulting activity designed to add value and improve the insurer's operations. This function assists the insurer in accomplishing its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
     c) For the purposes of this regulation the term "insurer" means "insurers and/or reinsurers".
     d) Inherent risk means the risk that is continuously present, while conducting the activities of the insurer, as a result of lack of functioning of the system of internal controls.

Article 3 Requirements for Internal Controls

  1. Insurers should establish a sound system of internal controls in order to prevent losses, maintain reliable financial reporting and management, expand their prudential operation and promote stability in the financial system of the Republic of Kosovo.
  2. Insurers must have an effective system of internal controls that is consistent with the nature, complexity and inherent risk in activities of on and off balance sheet items and that adapts to changes in the environment and conditions of their business.
  3. The goals of the internal control system should be to reduce fraud, abuse and erroneous actions, and reduce other risks faced by insurers, which will:
     a) Promote the efficiency and effectiveness of activities and measures that protect insurers in using their assets and other resources and their protection against losses;
     b) Ensure reliability, completeness and accuracy of financial and management information, so that senior managers, directors, shareholders, external parties and supervisors can rely on it for decision making; and
     c) Ensure compliance with applicable laws, regulations and policies.
  4. An effective system of internal control consists of the following interrelated components:
     a) supervision by the board of directors, senior managers and control culture;
     b) risk recognition and assessment;
     c) control activities and distribution of duties;
     d) information and communication; and
     e) monitoring activities and correcting deficiencies.

Article 4 Oversight by the Board of Directors, Senior Management and Control Cultures

  1. The Board of Directors and senior managers are responsible for promoting high standards of ethics and integrity and establishing a culture within an insurer, which emphasizes and demonstrates the importance of internal controls for all levels of personnel. Senior managers ensure that all personnel understand their role in the internal control process and they will be fully involved in this process.
  2. The Board of Directors is responsible for the direction, management and supervision of the insurer and for ensuring that the work is being carried out in their best interest. The Board of Directors is obliged to act carefully in fulfilling the important task of directing and supervising the activities of senior managers, ensuring that daily operations of insurers are in the hands of qualified, honest and competent persons.
  3. Specific duties of the board of directors in the area of internal controls are:
     a) approval and review, at least annually, of the overall business strategy and significant policies of the insurers;
     b) establishment of organizational structure, including its operating units, sub-units, functions and supervisory positions of the insurer;
     c) establishment of the audit committee in accordance with paragraph 3, article 30 of the Law on Insurance;
     d) identification of the main risks facing the insurer, setting acceptable levels for these risks and ensuring that senior management is monitoring the effectiveness of the internal controls system;
     e) formal review, at least once a year, of the internal controls system and internal audit function;
     f) ensuring the establishment and effective functioning of the internal controls system.
  4. Senior managers are responsible for organizational and procedural controls of the insurer, ensuring the integrity of internal controls and establishing an effective management team, which is characterized by a professional culture of control and is responsible for the fulfillment of its responsibilities.
  5. Specific duties of the senior managers in the field of internal control are:
     a) implementation of strategies and policies approved by the Board of Directors;
     b) development of processes that identify, measure, monitor and control risks incurred by the insurer;
     c) establishment of an organizational structure that clearly assigns responsibility, authority and reporting relationships;
     d) ensuring that delegated responsibilities are met in an effective manner, putting in place appropriate policies on internal controls and monitoring the adequacy and effectiveness of the internal controls system;
     e) ensuring that contractual services of any kind are with contractors that have an adequate system of internal controls. Contracts for these services need to determine that external auditors, internal auditors and the CBK examiners will have access to any documentation or information source or system that may be required in the performance of their respective functions.

Article 5 Risk Recognition and Assessment

  1. All material risks that could adversely affect the achievement of the insurer's objectives should be recognized and continually assessed. This assessment should cover all risks facing the insurer and the consolidated group that the insurer is part of (including underwriting risk, predicting and estimating the potential maximum risk, reserves risk, liquidity risk, operational risk and reputational risk).
  2. Internal controls should be reviewed at least annually to properly address any new and previously unchecked risk.
  3. Effective risk assessment should identify and consider internal factors (such as the complexity of the organizational structure, the nature of the insurer's activities, personnel quality, organizational changes and employee turnover) and external factors (such as changes in economic conditions, changes in the industry and technological advances) that could adversely affect the achievement of the insurer's objectives.
  4. The risk assessment should be carried out at all levels of individual activities and across the wide spectrum of activities. This assessment should address measurable and non-measurable aspects of risks and weigh the costs of controls against the benefits they provide.
  5. The risk assessment process should also include an assessment of the risks to determine which of them are controllable and which are uncontrollable by the insurer. For risks that are controllable, the insurer must assess whether to accept them or the extent to which it wishes to mitigate the risks through control procedures. For uncontrollable risks, the insurer must decide whether to accept these risks or to withdraw from them, or to reduce the level of business activity associated with these risks.

Article 6 Control of Activities and Distribution of Duties

  1. Control activities should be an integral part of the daily activities of insurers. Senior management should establish an appropriate structure of control, with control activities defined at every level of the business, including: high-level reviews, appropriate control activities for departments and various units, physical controls, checking for compliance with exposure limits and follow-up of noncompliance, a system of approvals and authorizations, and a system of verifications as well as coordination.

  2. Control activities should be designed and implemented to address the risks identified by the insurer through its risk assessment process. Control activities are divided into two phases:
     a) establishment of adequate control policies and procedures; and
     b) verification that these policies and procedures are being followed.

  3. Control activities should involve all levels of staff of the insurer from senior management to front line staff.

  4. The tasks should be distributed appropriately and the staff will not be assigned responsibilities that could result in conflict of interest. Areas of potential conflicts of interest should be identified, minimized and subject to careful and independent monitoring.

Article 7 Information and Communication

  1. Management must collect, record and maintain adequate and comprehensive internal financial, operational and compliance records, as well as external market information about events and conditions that are relevant to decision making. The information must be reliable, timely and accessible, and maintained in a sustainable format.

  2. Reliable information systems should be established to cover all the important activities of insurers. These systems, including those that contain and use data in an electronic form, must be secured, monitored independently and supported by adequate contingency plans.

  3. Management should establish effective lines of communication to ensure that the staff fully understands and supports policies and procedures impacting their duties and responsibilities and that other relevant information is communicated to appropriate personnel.

Article 8 Monitoring of Activities and Correcting Deficiencies

  1. The overall effectiveness of the insurer's internal controls should be monitored continuously by the board of directors and senior managers. Monitoring of key risks should be part of the daily activities of all operational areas and business of the insurer. The meeting minutes of the board of directors should include actions taken with regard to the deficiencies identified by internal controls.

  2. The internal policies and procedures of the insurer should establish clear lines of responsibility for any operational and business area. Periodic and separate reviews ought to be performed by operational and business areas, and internal control deficiencies should be reported at certain intervals to the appropriate management level and addressed promptly. Material weaknesses in internal controls should be reported to senior managers, the audit committee and board of directors.

  3. The system of internal controls of the insurer must be complemented by an effective internal audit function, which independently evaluates the control systems of the insurer. An effective and comprehensive internal controls system must be performed by independent, competent and properly trained staff.

Article 9 Internal Audit Function

  1. The internal audit function is part of the ongoing monitoring of the internal controls system of the insurer, which provides an independent assessment of the adequacy of and compliance with established policies and procedures of the insurer. As such, the internal audit function helps senior managers and board of directors in the efficient and effective conduct of their responsibilities.

  2. The scope of the internal audit function should include:
     a) examination and evaluation of the adequacy and effectiveness of internal controls systems;
     b) review of the application and effectiveness of risk management procedures and risk assessment methodologies;
     c) review of the management systems and financial information, including the electronic information system of the insurer;
     d) review of the accuracy and reliability of the accounting records and financial reports;
     e) review of the insurer's system for capital valuation in relation to risk assessment;
     f) assessment of economy and efficiency of operations;
     g) testing of transactions and functioning of specific procedures of internal controls;
     h) review of the systems established to ensure compliance with legal and regulatory requirements, code of conduct and implementation of policies and procedures;
     i) testing for accuracy and credibility of regulatory reporting; and
     j) conduct of specific audit tasks.

  3. Senior management is responsible for ensuring that the internal audit unit is kept fully informed on new developments, initiatives, products and operational changes.

  4. Each insurer must have an internal audit function in order to fulfill its duties and responsibilities. The Board of Directors shall be responsible for ensuring the independence of the audit function and that sufficient human and material resources are available for the adequate performance of its functions and duties.

  5. The internal audit function should be independent of the audited activities and the daily processes of internal controls. The head of the internal audit department should have the authority to communicate directly and on his/her own initiative with the external auditor, the board of directors, or through the Audit Committee. The Board of Directors will decide on the remuneration of the head of the internal audit unit.

  6. The decision on the dismissal or resignation of the head of internal audit department, and the reasons for the dismissal or resignation, should be communicated to the CBK within seven business days.

  7. Each insurer must have a written audit charter that expresses the position and the authority of the internal audit function within the insurer. The internal audit charter should at least specify:
     a) objectives and scope of the internal audit function;
     b) the position of the internal audit unit within the insurer, its powers, responsibilities and relations with other control functions; and
     c) the responsibility of the head of the internal audit unit.

  8. The audit charter should be drafted and periodically reviewed by the internal audit unit; it must be approved by the Audit Committee and then confirmed by the Board of Directors as part of its supervisory role.

  9. The audit charter shall give the internal audit unit the right to initiate control and authorize it to access and communicate with any member of the staff, to examine any activity or unit of the insurer, as well as have access to any records, files or data, including management information and the minutes of all consultative and decision making bodies, whenever it is relevant to the performance of its duties.

  10. The charter shall determine the terms and conditions under which the internal audit unit can be called upon to provide consulting or advisory services or perform other specific tasks.

  11. Besides the abovementioned charter, the Board should ensure a Charter for the Audit Committee that would regulate the organization and functioning of this Committee.

  12. The professional competence of every internal auditor and the internal audit function is essential for proper functioning of the internal audit function. Members of the internal audit department must meet the requirements as described below:
     i. professional skills necessary to implement and follow procedural standards and auditing techniques in the operational areas of the insurer;
     ii. knowledge and experience with International Financial Reporting Standards;
     iii. knowledge of the principles for risk management and prudential internal auditing techniques for financial institutions.
     The head of internal audit unit must be an individual with high ethical and professional reputation and adequate experience in the area of insurance and auditing.

  13. The head of the internal audit department should prepare an annual audit plan for scheduling and performance of duties which will be approved by the Board of Directors. This approval means that the insurer will provide the necessary resources for the internal audit unit.
     a) the annual audit plan should include in detail the timing and frequency of the internal audit, the necessary resources in terms of personnel and should be based on a written assessment of material risks of internal controls, updated annually;
     b) the reports of the internal audit unit must be presented to the Audit Committee and the Board of Directors, containing the findings and recommendations and responses of senior managers;
     c) reports and working papers should be kept for at least five years;
     d) the internal audit unit must follow up its recommendations to verify whether they are implemented.

  14. The head of the internal audit unit should prepare and submit an annual performance report in relation to its work in internal controls, as follows:
     a) the annual report of the head of the internal audit unit must be presented to the Audit Committee and the Board of Directors, containing the findings and recommendations and responses of senior managers;
     b) the minutes of the meetings of the Audit Committee and the Board of Directors should include a copy and receipt of such a report and their actions taken with regard to the deficiencies identified by the internal audit.

Article 10 Enforcement, Remedial Measures and Civil Penalties

Violation of the provisions of this regulation is subject to administrative measures and penalties with fines as specified in the Law No. 03/L-209 for the Central Bank and the Law 05/L-045 on Insurance.

Article 11 Entry into Force

This regulation shall enter into force on 2nd of May 2016. With the entry into force of this regulation, the CBK Rule 26 on Internal Controls approved on 28th of March 2002 and any other provision that is in contradiction with this regulation are abrogated.

Chairman of the Board of the Central Bank of the Republic of Kosovo

Prof. Dr. Bedri Peci