If the annual financial report of a banking business is audited and certified by CPA the business should also delegate the CPA to conduct an audit on its internal control system. The CPA should also comment on the correctness of the report submitted to the competent authority for the banking business, the execution status of internal control system and regulatory compliance system, and the appropriateness of policies for loan loss reserves, including those of the foreign business units of the banking business.
The competent authority may request a banking business to provide the examination report of its personal data protection and AML/CFT mechanism
issued by CPA.
The audit fees for the CPA should be negotiated by the banking business and the CPA. The business should pay the CPA as negotiated.
The provisions of Paragraph 1 and Paragraph 2 are not applicable to banking business taken over by the competent authority.

When necessary, the competent authority is allowed to invite the banking business and its delegated accountant to conduct further discussion concerning the affairs of such audit. If the competent authority finds the delegated accountant is not competent for the audit affairs delegated by the business, the authority should demand the banking business to alter the delegation to another accountant for another audit.

When an accountant conducts audit affairs following the regulations of Article 28, the accountant should inform the competent authority immediately when the following conditions are found:
A. During the process of audit, the business fails to provide the required reports, certificates, books of accounts, and meeting minutes for the accountant, or refuses to make further explanation on the queries submitted by the accountant, or there are other objective environment restrictions to cause the accountant unable to continue his or her audit work.
B. When there are severe false, forged data, or missing in its accounting or other records.
C. Its assets are insufficient to pay its debts or its financial condition is worsened.
D. There is evidence indicating that its transactions will cause great damage to the bank's net asset.
If an audited banking business has conditions listed in Paragraph 2 to 4, the accountant should submit in advance a summary report to the competent authority based on the auditing results.

When a banking business delegates a CPA to conduct audit as provided in Paragraph 1 of Article 28, the business should provide the CPA audit report of the previous year to the competent authority by the end of April each year for recordation. The audit report should at least entail the scope, basis, procedure, and results of the audit.
When a credit cooperative conducts such audit in accordance with the preceding paragraph, the audit report shall be submitted via the finance department of municipal government or the county (city) government.
When the competent authority has queries concerning the contents of the audit report, the CPA should provide relevant information and explanation based on facts.