The engagement of a CPA by a public company, or the appointment thereof by the FSC pursuant to Article 38-1 of the Act, to conduct a special audit of the company's internal control systems shall be governed by these Regulations and other applicable laws and regulations; matters not provided for therein shall be handled in accordance with the Standards on Assurance Engagements issued by the Accounting Research and Development Foundation (the "Standards on Assurance Engagements").

The purpose for a CPA to conduct a special audit of a public company's internal control systems is to inform the company's interested persons of whether the company's internal control systems are effectively designed and operating.

Special audits of internal control systems of a public company shall be jointly carried out and attested by two or more CPAs qualified under the Criteria Governing Approval for Auditing and Certification of Financial Reports of Public Companies prescribed by the FSC.

Except as otherwise provided by the FSC, the scope of special audits of internal control systems of a public company by CPAs shall be the internal control systems of the audited company with respect to external financial reporting and safeguarding of asset security.
The term "safeguarding of asset security" referred to in the preceding paragraph means preventing unauthorized acquisition, use, and disposition of assets.

Except as otherwise provided by the FSC, the time period covered by a special audit of a public company's internal control systems by CPAs shall be consistent with the time period covered in its Internal Control System Statement.

When auditing the internal control design and operation of a public company and the matters represented in the Internal Control System Statement produced by the audited company, the CPAs shall provide reasonable assurance, and collect sufficient and appropriate evidence to reduce their attestation risks to an acceptable degree, and shall comply with the following matters:
1. Special audits shall be conducted by professionally trained and competent CPAs.
2. CPAs shall possess adequate knowledge of the matters represented in the Internal Control System Statement produced by the audited company.
3. CPAs shall have the ability to assess statements or internal control systems of the audited company consistently by using reasonable assessment items as standards before accepting audit engagements. The above-stated standards shall be prescribed by the FSC or by an authoritative institution.
4. In affairs relating to special audits, CPAs shall maintain an attitude of rigor and impartiality and a detached and independent viewpoint.
5. CPAs shall exercise all due professional diligence when conducting special audits.
6. Special audits shall be carefully planned and assistants, if any, shall be properly supervised.
7. CPAs shall obtain sufficient and appropriate evidence regarding the effectiveness of each constituent element of the internal control systems, to provide a reasonable basis on which to form a conclusion on the audited company's internal control systems.
8. The preparation and retention of the working papers of special audits shall be handled in compliance with Standard on Assurance Engagements 3000.
9. The issuance of the internal control system audit report shall be handled in compliance with Standard on Assurance Engagements 3000.

CPAs retained to conduct special audits of internal control systems of a public company shall conduct such procedures in four stages:
1. Planning:
A. Obtain written records of the audited company's board of directors' and managers' control objectives and internal control system policies and procedures, and other necessary information.
B. Formulate an audit plan. The following factors at least shall be taken into consideration: the characteristics of the industry to which the enterprise belongs, information obtained when undertaking work under other engagements with the audited company, the condition of the audited company and recent changes in it, evidence available to the CPAs, the nature of specific internal control system procedures and the importance of such procedures to the overall internal control systems, preliminary assessment of the effectiveness of the overall internal control systems, differences among various operating locations, degree of centralization, transactions executed and the control environment, and the materiality/significance level and control risk in connection with the internal control system that are acceptable to the CPAs.
2. Gaining an understanding of the internal control system:
CPAs may use means such as inquiry, inspection, and observation to gain an understanding of the internal control system of the audited company, by which to assess the effectiveness of the internal control system.
3. Assessing the effectiveness of the design of the internal control system:
A. When assessing the effectiveness of the design of the audited company's internal control system, CPAs shall collect evidence regarding the effectiveness of the design. Methods for collecting such evidence include inquiry, inspection, and observation.
B. When assessing the effectiveness of the design of the internal control system, CPAs shall focus on whether the overall internal control system achieves a given goal rather than whether any given specific operation of the internal control system is inappropriate.
C. When engaged only to evaluate the effectiveness of the design of the internal control system, CPAs shall conduct necessary control tests based on actual needs.
4. Testing and assessing the operating effectiveness of the internal control system:
A. CPAs shall conduct control tests to collect evidence regarding the operation of the internal control system to provide a basis for assessing the operating effectiveness of the internal control system.
B. Methods for conducting control tests by CPAs include inquiry, inspection, observation, and re-testing. Control tests shall be conducted until sufficient and appropriate evidence has been collected. Evidence collected by the audited company during self-assessment of the internal control system shall not be substituted directly for evidence to be collected by the CPAs.
C. Whether the evidence collected by CPAs is sufficient and appropriate is affected by the following factors: the nature of the audited company's internal control procedures, the importance of the internal control procedures to attainment of the control objectives, the probability of violation of control procedures by the audited company, the nature and extent of control tests already conducted by the audited company, and the CPAs' preliminary assessment of the effectiveness of the control procedures. CPAs shall also execute necessary procedures and collect necessary evidence regarding subsequent events during the post audit period.

(Deleted)

(Deleted)

Where appointed by the FSC pursuant to Article 38-1 of the Act, CPAs failing to acquire the audited company's Statement about the internal control system at issue shall provide reasonable assurance with respect to the audited company's internal control design and operating effectiveness, and issue an audit report in compliance with Standard on Assurance Engagements 3000.

(Deleted)

CPAs discovering defects when conducting special audits of internal control systems of a public company shall issue internal control system recommendations in the prescribed format, for reference by the audited company to take corrective measures.

CPAs retained to conduct special audits of the internal control systems of a company conducting initial public offering of stocks shall conduct such audits pursuant to Articles 25 through the preceding article.
When conducting special audits under the preceding paragraph, CPAs shall focus on whether the company has meet the requirements of applicable laws and regulations, and, particularly, express opinions on the company's operational procedures such as for acquiring or disposing of assets, engaging in derivatives transactions, management of loans to others, management of endorsements or guarantees for others, management of related party transactions, management of the procedures for preparation of financial statements, and supervision and management of subsidiaries, and shall give an appropriate explanation thereof in a single separate paragraph in the audit report.
Except as otherwise provided by the FSC, the time period covered by a special audit under paragraph 1 shall be the most recent fiscal year before the company filed its report for public issuance of its stock. If on the date of the report for public issuance eight months have already lapsed since the beginning of the fiscal year, the time period covered shall be the second half of the most recent fiscal year and the first half of the current fiscal year.