China Introduces New Data Compliance Rules for Accounting Firms

In the digital age, data security has become an important issue in enterprise operations. It is particularly important for accounting firms, which handle a large amount of sensitive financial information. Recently, the Ministry of Finance and the Cyberspace Administration of China issued the Interim Measures for Data Security Management of Accounting Firms (hereinafter referred to as the “Interim Measures”), which will come into force on October 1, 2024. The Interim Measures aim to provide accounting firms with clear guidance on data security management, strengthen that management, and promote the healthy development of the industry. This article gives a brief introduction to their contents.

  1. The Interim Measures specify their scope of application

The Interim Measures apply to the data processing activities associated with the following audit services provided by accounting firms that are lawfully established in the territory of the People’s Republic of China: (1) provision of audit services to listed companies, and to state-owned financial institutions and central enterprises that are not listed, etc.; (2) provision of audit services to critical information infrastructure operators or online platform operators with more than one million users; and (3) provision of audit services to domestic enterprises for overseas listing. The Interim Measures also apply to the audit business of accounting firms that falls outside the scope specified above but involves important data or core data.

  • Accounting firms should conduct classified and graded management of data

The Interim Measures require an accounting firm to determine which data is core data, important data and general data, in accordance with the relevant laws and regulations and the data classification and grading standards of the industry in which the audited unit operates. They also make clear requirements on the storage of the core data and important data related to log transmission. The audited unit is obliged to inform the accounting firm of information relating to the core data and important data in the audit materials through the business engagement letter, confirmation letter and other means.

| | Important Data | Core Data | General Data |
|---|---|---|---|
| Data storage | The information systems for storing important data shall meet the requirements for graded cybersecurity protection at Level 3 or above. | The information systems for storing core data shall meet the requirements for Level 4 graded cybersecurity protection. | The Interim Measures set no requirements. |
| Log management | If any important data is involved, the relevant logs shall be retained for no less than one year; if any important data is provided to others, processed as entrusted, or processed jointly, the relevant logs shall be retained for no less than three years. | If any core data is involved, the relevant logs shall be retained for no less than three years. | |

  • Audit working papers should be stored in China

The Interim Measures stipulate that the audit working papers of accounting firms shall be stored in China in accordance with the relevant regulations. An accounting firm shall not include in a business agreement or similar contract any clause such as one under which the accounting firm provides domestic project information and data to overseas regulatory authorities. If an overseas regulatory authority genuinely needs to obtain domestic audit working papers for regulatory purposes, it shall obtain them through the corresponding cross-border regulatory cooperation mechanism in accordance with laws and regulations, and the audit working papers concerned shall go through approval formalities when leaving the country. Accounting firms shall establish a step-by-step review mechanism for the export of audit working papers and implement data security management and control responsibilities.

  • Accounting firms shall strengthen cyber security management and establish a data backup system

The Interim Measures set out specific requirements for accounting firms regarding the establishment of internal network security management systems, investment in network management resources, network security technical protection, and network management account authority. Firms must ensure the security management and technical protection of their information systems, set up strict access control policies, and prevent unauthorized access.

Additionally, accounting firms shall establish a data backup system to ensure that they can still access, retrieve and use the relevant audit working papers if the use of audit-related application systems is suspended or restricted due to external technical reasons. Encryption devices shall be set up within the territory of the country and shall be operated and maintained by a domestic team, and the keys shall be stored within the territory.

In summary, the Interim Measures further regulate the data processing activities of accounting firms, especially the cross-border transfer of audit working papers, and strengthen data security management. Accounting firms should carry out data compliance work in light of their own business conditions to ensure that their business activities are carried out in a compliant manner.

Jennie Lin

Associate
Jennie Lin, a Junior Associate at D’Andrea & Partners Legal Counsel, is based in the Shanghai office.

Aris Xie

Senior Associate
Aris Xie is a Senior Associate at D’Andrea & Partners Legal Counsel, located in Shanghai.
