Pursuant to Article 35, paragraph 1.1 of the Law No. 03/L-209 on Central Bank of the Republic
of Kosovo (Official Gazette of the Republic of Kosovo, No.77 / 16 August 2010) and Articles
98, 103 and 114 of the Law No. 04/L-093 on Banks, Microfinance Institutions and Non-Bank
Financial Institutions (Official Gazette of the Republic of Kosovo, No.11 / 11 May 2012), the
Board of the Central Bank of the Republic of Kosovo at the meeting held on August 29, 2013
approved the following:
REGULATION
ON INTERNAL CONTROLS AND INTERNAL AUDIT FUNCTION IN
MICROFINANCE INSTITUTIONS
Article 1
Scope and Purpose
1. This Regulation is issued to provide the basic principles on the organization and operation of
the internal controls of Microfinance Institutions (hereafter: MFIs).
2. This Regulation applies to all MFIs and branches of foreign MFIs that are registered by the
CBK to operate in the Republic of Kosovo.
Article 2
Definitions
- All terms used in this Regulation have the same meaning with the following definitions for the
purposes of this Regulation:
a. “Branch of a foreign MFI or branch of other foreign Financial Institution (hereafter:
branch of foreign MFI)” means a legal person that is organized to operate microfinance
activities within the Republic of Kosovo but its parent MFI or parent Financial
Institution has its head office and holds a license to engage in the activities of
microfinance in a jurisdiction other than the Republic of Kosovo;
a. “Internal Control System”- the process effected by the Board of Directors, Senior
Managers and other personnel, established to provide reasonable assurance regarding the
achievement of effectiveness and efficiency of operations, reliability of reporting and
compliance with applicable laws and regulations.
b. “Internal Audit Function”- is an independent, objective assurance and consulting activity
designed to add value and improve an MFI’s operations. It helps a MFI accomplish its
objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance processes.
c. Senior Manager - means the chief executive officer, chief financial officer, chief
operating officer and chief risk officer of a MFI and any person, other than a director,
who (i) reports directly to the board or participates or has authority to participate in major
policymaking functions of the MFI, whether or not such person has an official title or
receives compensation for such actions, and (ii) is designated as a senior manager by the
CBK. In the case of a foreign MFI registered to operate one or more branches in Kosovo,
the manager of the principal branch in Kosovo will be deemed to be a member of senior
management.
Article 3
Requirements
- The CBK requires MFIs to establish a sound internal control system for the purpose of
preventing losses, maintaining reliable financial and management reporting, enhancing their
prudent operation, and promoting stability in the financial system of the Republic of Kosovo.
- The CBK requires MFIs to have an effective system of internal controls that is consistent
with the nature, complexity, and risk potential in their on and off balance-sheet activities and that
responds to changes in their environment and conditions.
- The goals of the system of internal controls should be to reduce fraud, misappropriation and
errors, and to mitigate other risks faced by MFIs, which shall:
a. Promote the efficiency and effectiveness of activities and measures that protect the MFI
in using its assets and other resources and protecting it from losses;
b. Ensure the reliability and accuracy of financial and management information, so that
senior managers, directors, shareholders, external parties, and supervisors can rely on it for
decision-making; and,
c. Ensure compliance with applicable laws and regulations.
- An effective internal control system consists of the following interrelated components:
a. Management oversight and the control culture;
b. Risk recognition and assessment;
c. Control activities and segregation of duties;
d. Information and communication; and
e. Monitoring activities and correcting deficiencies.
Article 4
Management Oversight and the Control Culture
The Board of Directors and Senior Management are responsible for promoting high ethical and
integrity standards, and for establishing a culture within the organization that emphasizes and
demonstrates to all levels of personnel the importance of internal controls. Senior managers shall
ensure that all personnel understand their role in the internal controls system and shall be fully
engaged in the process.
- Responsibilities of the Board of Directors
- The Board of Directors is responsible for providing direction, guidance and oversight to
MFIs, and ensuring that the affairs of the entity are carried out in the best interest of the
organization. The Board of Directors has a duty to act carefully in fulfilling the important task of
directing and monitoring the activities of management, ensuring that the organization’s day to
day operations are in the hands of qualified, honest and competent management.
- Specific internal control duties of the Board of Directors are:
a. approve and review, on at least annual basis, the overall business strategies and
significant policies of the organization;
b. establish the structure of the organization and its administration, including its operational
and administrative units, their sub-units and functions, supervisory positions and
relationships;
c. establish the function of the Audit Committee, in accordance with Article 98 of the Law;
d. understand the major risks run by the institution and set acceptable levels for these risks
and ensure that senior management is monitoring the effectiveness of the internal control
system;
e. formally review, at least once a year, the internal control system and the internal audit
function;
f. ensure that an adequate and effective system of internal controls is established and
maintained.
- Responsibilities of Senior Management
- The senior managers are ultimately responsible for the MFI’s organizational and procedural
controls and shall fulfill this responsibility by ensuring the integrity of internal controls and by
having in place an effective management team that is characterized by a culture of control and
that is accountable for the performance of its responsibilities.
- Specific internal control duties of the senior managers shall be to:
a. implement strategies and policies approved by the Board of Directors;
b. develop processes that identify, measure, monitor and control risks incurred by the
institution;
c. maintain an organizational structure that clearly assigns responsibility, authority and
reporting relationships;
d. ensure that delegated responsibilities are effectively carried out, set appropriate internal
control policies; and monitor the adequacy and effectiveness of the internal control
system;
e. ensure that outsourced services of any kind are with licensed companies that have an
adequate internal control system. The contracts for these services shall stipulate that
external auditors, internal auditors and CBK examiners have access to any documentation
or information source or system that may be requested in the discharge of their respective
functions.
Article 5
Risk Recognition and Assessment
1. All material risks that could adversely affect the achievement of the MFI’s goals shall be
recognized and continually assessed. This assessment shall cover all risks facing the MFI
(including credit risk, liquidity risk, operational risk, and reputation risk).
2. Internal controls shall be reviewed at least annually to appropriately address any new or
previously uncontrolled risks.
3. Effective risk assessment shall identify and consider internal factors (such as the complexity
of the institution’s structure, the nature of its activities, the quality of personnel, organizational
changes and employee turnover) as well as external factors (such as fluctuation of economic
conditions, changes in the industry and technological advances) that could adversely affect the
achievement of the institution’s goals.
4. The risk assessment shall be conducted at all levels of individual businesses and across the
wide spectrum of activities. Risk assessment shall address both measurable and immeasurable
aspects of risks and shall weigh costs of controls against the benefits they provide.
5. The risk assessment process shall also include the evaluation of risks to determine which are
controllable by the institution and which are not. For those risks that are controllable, the MFIs must
assess whether to accept those risks or the extent to which it wishes to mitigate the risks through
control procedures. For those risks that cannot be controlled, the MFIs must decide whether to
accept these risks or to withdraw from or reduce the level of business activity concerned.
Article 6
Control Activities and Segregation of Duties
- Control activities shall be an integral part of the daily activities of an MFI. Senior management
shall establish an appropriate control structure, with control activities defined at every business
level, including: top level reviews; appropriate activity controls for different departments or
divisions; physical controls; checking for compliance with exposure limits and follow-up on noncompliance; a system of approvals and authorizations; and a system of verification and
reconciliation.
- Control activities shall be designed and implemented to address the risks identified by the
MFI through its risk assessment process. Control activities shall involve two steps:
a. the establishment of control policies and procedures; and
b. verification that the control policies and procedures are being complied with.
- Control activities shall involve all levels of personnel of the institution, including senior
management as well as front line personnel.
- Duties shall be allocated appropriately and personnel must not be assigned responsibilities that
would result in conflict of interest. Areas of potential conflicts shall be identified, minimized,
and subject to careful, independent monitoring, particularly in those instances related to approval
and disbursement of funds, customer and proprietary accounts assessment and monitoring of
loans and any other areas where significant conflicts of interest emerge and are not mitigated by
other factors.
Article 7
Information and Communication
1. Management shall collect, record and retain adequate and comprehensive internal financial,
operational and compliance data, as well as external market information about events and
conditions that are relevant for decision-making. Information shall be relevant, reliable, timely,
and accessible and maintained in a consistent format.
2. Reliable information systems shall be in place and adequate to cover all significant activities
of the MFI. These systems, including those that hold and use data in an electronic form, must be
secured, monitored independently and supported by adequate contingency arrangements.
3. Management shall maintain effective channels of communication to ensure that staff fully
understand and adhere to policies and procedures affecting their duties and responsibilities and
that other relevant information is communicated to the appropriate personnel.
Article 8
Monitoring Activities and Correcting Deficiencies
- The overall effectiveness of the MFI’s internal controls shall be monitored by management on
an ongoing basis. Monitoring key risks shall be part of the daily activities of all operational and
business areas of the MFI. The minutes of the Board of Directors’ meetings shall record the
decisions adopted concerning internal control deficiencies.
- Internal rules shall establish clear lines of responsibility for each operational and business
area. Periodic and separate reviews shall be performed by operational and business areas and
internal control deficiencies shall be reported in a timely manner to the appropriate management
level and addressed promptly. Material internal control deficiencies shall be reported to senior
managers, audit committee and to the Board of Directors.
- Adequate internal controls within the MFI shall be supplemented by an effective internal audit
function that independently evaluates the control systems within the institution. An effective and
comprehensive internal audit of the internal control system shall be carried out by operationally
independent, appropriately trained and competent staff.
Article 9
Internal Audit Function
1. The internal audit function is part of the ongoing monitoring of the institution’s system of internal
controls, which provides an independent assessment of the adequacy of, and compliance with,
the institution’s established policies and procedures. As such, the internal audit function assists
senior managers and the Board of Directors in the efficient and effective discharge of their
responsibilities. Each MFI must have an internal audit department or this function should be
performed by outsourcing of internal audit, which are supervised by the Audit Committee.
2. Scope of an internal audit function shall include:
a. the examination and evaluation of the adequacy and effectiveness of the internal control
systems;
b. the review of the application and effectiveness of risk management procedures and risk
assessment methodologies;
c. the review of the management and financial information systems;
d. the review of the accuracy and reliability of the accounting records and financial reports;
e. the review of the means of safeguarding assets;
f. the testing of both transactions and the functioning of specific internal control
procedures;
g. the review of the systems established to ensure compliance with legal and regulatory
requirements, codes of conduct and the implementation of policies and procedures;
h. the testing of the reliability and timeliness of the regulatory reporting; and,
i. the carrying-out of special audit tasks.
3. Senior management is responsible to ensure that the internal audit department is kept fully
informed of new developments, initiatives, products and operational changes.
4. Each MFI should have a permanent and independent audit function in order to fulfill its duties
and responsibilities. The Board of Directors is responsible for ensuring the independence of the
audit function and that sufficient human and material resources are available for the adequate
performance of its functions and duties. The Board of Directors appoints the Audit Committee
and the chief of internal audit or internal audit outsourcing.
5. The internal audit function shall be independent of the activities audited and from the
everyday internal control processes. The head of the internal audit department should have the
authority to communicate directly, and on his/her own initiative to the Board of Directors, or
through the Audit Committee which shall also set his/her compensation.
6. The dismissal or resignation of the head of internal audit department and its causes shall be
communicated to the CBK within seven working days from the decision.
7. Each MFI should have a written audit charter that enhances the standing and authority of the
internal audit function within the institution.
a. The internal audit charter should establish at least:
i. the objectives and scope of the internal audit function;
ii. the internal audit department’s position within the institution, its powers,
responsibilities and relations with other control functions; and
iii. the accountability of the head of the internal audit department.
b. The audit charter should be drawn up – and reviewed periodically – by the internal audit
department; it should be approved by the Audit Committee and subsequently confirmed
by the Board of Directors as part of its supervisory role.
c. The audit charter shall mandate the internal audit with the right to initiate and authorizes
it to have access to and communicate with any member or staff, to examine any activity
or entity of the MFI, as well as to access any records, files or data, including management
information and the minutes of all consultative and decision making bodies, whenever
relevant to the performance of its assignments.
d. The charter shall specify the terms and conditions to which the internal audit department
can be called upon to provide consulting or advisory services or perform other special
tasks.
8. The professional competence of every internal auditor and of the internal audit function as a
whole, which will vary depending on the size and complexity of a MFI’s operations, is essential
for the proper functioning of the internal audit function.
a. The members of the internal audit department should meet the qualities and skills as
outlined in one of the following arrangements:
i. professional capability to implement and adhere to procedure standards and auditing
techniques in the operating fields of the MFI;
ii. knowledge of and/or experience with International Financial Reporting Standards;
iii. knowledge of risk administrating principles and prudent internal auditing techniques
of the MFI;
b. The head of the internal audit department shall be an elected individual with high ethical
and professional reputation and with an adequate experience in auditing field.
9. The head of the internal audit department shall prepare an annual audit plan for the
assignments to be performed, which shall be approved by the Board of Directors or Audit
Committee. This approval implies that the MFI will make the appropriate resources available to
the internal audit department.
a. The annual audit plan shall include in detail the timing and frequency of planned internal
audit work, the necessary resources in terms of personnel and it shall be based on an
evaluation of internal controls and on a written assessment of material risks, updated
yearly;
b. The reports of the internal audit department shall be presented to the audit committee,
containing the findings and recommendations as well as the responses of senior
managers;
c. The reports and working papers shall be kept for at least five years;
d. The internal audit department shall follow up its recommendations to verify whether they
are implemented.
Article 10
Outsourcing of Internal Audit
- An internal audit outsourcing arrangement may be contracted between the MFI and a qualified
professional.
- Regardless of the contractual stipulations, the Board of Directors shall remain ultimately
responsible for ensuring that the internal audit function is adequate and operates effectively.
- All the conditions of this Regulation remain applicable in case any internal audit activity is
outsourced.
- If deemed necessary, the CBK reserves the right to request the IMF establishment of the
internal audit department.
Article 11
Penalties and Remedial Measures
Any violation of the provisions of this Regulation shall be subject to the remedial measures and
penalties provided for in Articles 105 and 106 of the Law No. 04/L-093.
Article 12
Entry into Force
This Regulation shall enter into force 15 days after its approval by the Board of CBK.
The Chairman of the Board of Central Bank of the Republic of Kosovo
Mejdi Rexhepi