Chapter X External Audit of Information Technology Risk Management Guidelines of Commercial Banks

Article 67 A commercial bank may, in accordance with laws, regulations and regulatory requirements, entrust an external audit institution with corresponding qualifications to conduct external audit of information technology.

Article 68 A commercial bank shall, in the process of entrusting an audit, ensure that the external audit institution can check the bank's hardware, software, documents and data in order to discover the risks existing in information technology, except for the important commercial and technical confidential information stipulated by national laws, regulations, rules and normative documents.

Article 69 Before conducting external audit, commercial banks should fully communicate with external audit institutions, determine the audit scope in detail, and may not intentionally conceal facts or obstruct audit inspection.

Article 70 The CBRC and its dispatched offices may, as required, designate external audit institutions with corresponding qualifications to conduct information technology audits or related inspections of commercial banks. When an external audit institution audits a commercial bank according to the entrustment or authorization of the CBRC or its dispatched office, it shall issue a power of attorney and conduct the audit according to the scope specified in the power of attorney.

Article 71 The audit report issued by an external audit institution according to the authorization shall have the same effect as the inspection report issued by the CBRC and its dispatched offices after being examined and approved by the CBRC. The audited commercial bank shall propose a rectification plan according to the audit report and implement the rectification within the specified time.

Article 72 When a commercial bank entrusts an external audit institution to conduct external audit, it shall sign a confidentiality agreement with the institution, urge the institution to strictly abide by laws and regulations and to keep the bank's business secrets and information technology risk information confidential, and prevent the institution from modifying, copying or taking away any documents provided by the bank without authorization.