China’s finance ministry has proposed that auditors undergo or conduct additional cybersecurity reviews when their work involves national security, as authorities step up efforts to ensure data security.
The proposal is aimed at “strengthening the data-security management of accounting firms, and standardising the data-processing activities of accounting firms”, according to a statement posted by the Ministry of Finance on Monday.
The draft of the new measures, co-drafted by the Cyberspace Administration of China, apply specifically to auditors who have been hired by listed firms and non-listed state-owned financial institutions, as well as other state-owned companies. The draft rules also apply to those who conduct cross-border auditing.
The document highlighted Beijing’s latest efforts to tighten its grip on data security and management across industries since its introduction of two sets of law on data security and privacy in 2021. The law contained provisions on protecting “important” and “core” data concerning “national security” from being exported.
After Beijing’s charm offensive to woo investors, has it undone all its hard work?
After Beijing’s charm offensive to woo investors, has it undone all its hard work?
According to the document, accounting firms that undertake auditing business in “important areas related to the national economy and people’s livelihood carry out data-processing activities that affect or may affect national security”, and thus they should “conduct network-security reviews in accordance with relevant network-security review mechanisms”.
Authorities should step up with “all-rounded supervision and check” and “strengthen regular monitoring” on accounting firms that take on auditing work in a list of industries: finance, energy, telecommunications, transport, technology and national defence, the draft rules said.
Moreover, auditors should “comprehensively adopt technical means such as network isolation, user authentication, access control, data encryption, virus prevention, and illegal intrusion detection to strengthen data management, and relevant data should be stored within China”, according to the draft rules.
The chief partner of an auditing firm is the person responsible for data security, according to the draft rules. The proposal is open for public consultation until December 11.
PwC, Deloitte, KPMG and EY – the world’s big-four auditing firms – did not immediately respond to requests for comment on the draft rules.
Concern over data security has prompted Chinese authorities to step up scrutiny of auditors in recent years.
In May, the Ministry of Finance and the State-owned Assets Supervision and Administration Commission – the top supervisor of China’s state-owned groups – along with the China Securities Regulatory Commission, the nation’s securities watchdog, asked state-owned companies and those listed on the mainland to step up their security checks when appointing auditors.
Auditing had been a long-running area of dispute between Washington and Beijing. In 2021, US authorities warned that more than 100 Chinese companies listed in the US would face delisting if Chinese authorities continued to bar overseas regulators from inspecting local accounting firms by citing national security concerns.
A bilateral deal was reached in August 2022 to let US auditors inspect China-based accountants.
Wu Changhai, associate dean of the Capital Finance Institute at the China University of Political Science and Law, said that the new set of measures have clarified the specific legal responsibilities among accounting firms and supervising authorities, but that they do not expand the scope of what the data-security law has already put in place.
“This will not affect Chinese companies listing in the US, because their audit working papers have to comply with the signed protocol agreement between China and the US anyway, so this should not affect the works of the accounting firms,” Wu said, referring to the deal in 2022.
Wu described the latest measures as a step toward further institutionalising China’s overall data-security architecture.
“There will be more industry-specific laws and regulations that follow,” he said.
Chen Zhiwu, chair professor of finance at the University of Hong Kong, said auditing firms may be asked to “create real barriers” between their Chinese and offshore clients, including the use of separate servers, and they may take the tighter security requirements in stride.
Additional reporting by Luna Sun and Ralph Jennings
