Promulgated by: Ministry of Finance; Cyberspace Administration of China.
Document No.: Cai Kuai [2024] No. 6.
Issued on April 15, 2024. Effective October 1, 2024.
Chapter 1 General Provisions
Article 1. These Measures are formulated pursuant to the Law of the People’s Republic of China on Certified Public Accountants, the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China and other laws and regulations, in order to safeguard the data security of accounting firms and regulate the data-processing activities of accounting firms.
Article 2. These Measures shall apply to accounting firms lawfully established within the territory of the People’s Republic of China that carry out data-processing activities relating to the following audit engagements:
(I) providing audit services to listed companies and to non-listed state-owned financial institutions, central enterprises and the like;
(II) providing audit services to operators of critical information infrastructure or to operators of network platforms with more than 1 million users; or
(III) providing audit services for the overseas listing of domestic enterprises.
Where an audit engagement undertaken by an accounting firm does not fall within the scope prescribed in the preceding paragraph but involves important data or core data, these Measures shall apply.
Article 3. For the purposes of these Measures, “data” means any record of information, in electronic or other forms, that an accounting firm obtains externally or generates internally in the course of performing audit engagements.
“Data security” means, by taking necessary measures, ensuring that data is in a state of effective protection and lawful utilization, and the capacity to ensure a state of continuous security.
Article 4. An accounting firm shall bear the principal responsibility for the data security of the firm and perform data security protection obligations.
Article 5. The Ministry of Finance shall be responsible for the supervision of the data security of accounting firms throughout the country. Provincial-level (including Shenzhen Municipality and the Xinjiang Production and Construction Corps) finance departments shall be responsible for the supervision of the data security of accounting firms within their respective administrative regions.
Article 6. The Institute of Certified Public Accountants shall strengthen industry self-discipline, guide accounting firms in strengthening data security protection, and improve the level of data security management.
Chapter 2 Data Management
Article 7. An accounting firm shall perform the firm’s data security management responsibilities in the following aspects:
(I) establishing and improving a full-life-cycle data security management system, and improving the data operation and control mechanism;
(II) improving the organizational structure for data security management, and clarifying the mechanism of rights and responsibilities for data security management;
(III) implementing data classification and grading management commensurate with the characteristics of its business;
(IV) establishing a data-permission management strategy, setting data access and processing permissions in accordance with the principle of least authorization, periodically reviewing them, and retaining data access records in accordance with the relevant provisions;
(V) organizing and carrying out data security education and training; and
(VI) other matters prescribed by laws and regulations.
Article 8. The chief partner (chief accountant) of an accounting firm is the firm’s data security officer.
Article 9. An accounting firm shall, in accordance with the provisions of laws and administrative regulations and the data classification and grading standards of the industry in which the audited entity operates, determine core data, important data and general data.
The accounting firm and the audited entity shall, through means such as engagement letters and confirmation letters, clarify the nature, content and scope of the core data and important data in the audit materials.
Article 10. The storage and processing by an accounting firm of core data and important data shall comply with the relevant provisions of the State.
Information systems storing core data shall implement the requirements of Level-4 cybersecurity multi-level protection. Information systems storing important data shall implement the requirements of Level-3 or above cybersecurity multi-level protection.
Where data, after aggregation and association, constitutes a matter of State secret, it shall be handled in accordance with the laws and administrative regulations on guarding State secrets.
Article 11. An accounting firm shall set up and enable an access-log recording function for the information systems, databases, network devices, network security devices and the like relating to audit engagements.
Where core data is involved, the relevant logs shall be retained for no less than three years. Where important data is involved, the relevant logs shall be retained for no less than one year; where the provision to others, entrusted processing, or joint processing of important data is involved, the relevant logs shall be retained for no less than three years.
Article 12. An accounting firm shall specify operating procedures for data transmission. Encryption technologies shall be used in the transmission of core data and important data to protect transmission security.
Article 13. Audit working papers shall be stored within the territory in accordance with laws, administrative regulations and the relevant provisions of the State. The relevant encryption equipment shall be set up within the territory and operated and maintained by a domestic team, and the keys shall be stored within the territory.
Article 14. An accounting firm shall establish a data backup system. An accounting firm shall ensure that, where the audit-related application system is suspended from use or restricted in use due to external technical reasons, it can still access, retrieve and use the relevant audit working papers.
Article 15. An accounting firm shall not include in an engagement letter or similar contract any clause to the effect that the accounting firm provides the data of domestic project materials to overseas regulatory authorities.
Article 16. An accounting firm shall adopt technical means such as network isolation, user authentication, access control, data encryption, virus prevention, and illegal-intrusion detection to promptly identify, block and trace the source of relevant network attacks and illegal access, so as to safeguard data security.
Article 17. An accounting firm shall establish a data security emergency-response mechanism and strengthen data security risk monitoring. Where risks such as data leakage or security vulnerabilities are discovered, the firm shall immediately take remedial and disposal measures. Where a major data security incident occurs that results in the leakage, loss, theft or tampering of core data or important data, the firm shall promptly report to the relevant competent department.
Article 18. Where an accounting firm provides overseas the personal information and important data that it collects and generates in its domestic operations, it shall comply with the relevant provisions of the State on the cross-border transfer of data.
Article 19. An accounting firm shall establish a level-by-level review mechanism for matters concerning the cross-border transfer of audit working papers, and take necessary measures to strictly implement the responsibility for data security control. For audit working papers that need to be transferred across the border, the firm shall go through the approval formalities in accordance with the relevant provisions of the State.
Chapter 3 Network Management
Article 20. An accounting firm shall establish a sound network security management and governance structure, establish and improve an internal network security management system, and establish internal mechanisms for decision-making, management, execution and supervision, so as to ensure that its network security management capacity is commensurate with the professional services it provides and to provide a secure network environment for data security management.
Article 21. An accounting firm shall, in accordance with the scale and complexity of its business activities, deploy network management technical personnel with corresponding professional skill levels, and ensure reasonable input of network resources and funds.
Article 22. An accounting firm shall properly carry out information-system security management and technical protection, take measures such as physical or logical isolation of the network according to the level of the data stored and processed, set strict access-control strategies, and prevent unauthorized access.
Article 23. An accounting firm shall have independent management authority over the network devices and network security devices in its audit business systems, uniformly set up and maintain system-administrator accounts and staff accounts, shall not set up unrestricted and unmonitored super accounts, and shall not hand over administrator accounts to a third-party operation-and-maintenance institution for management and use.
Where an accounting firm that has joined an international network uses the information systems of the international network to which it belongs, it shall take necessary measures to make them comply with the State’s data security laws and administrative regulations and the provisions of these Measures, so as to ensure the firm’s data security.
Chapter 4 Supervision and Inspection
Article 24. The Ministry of Finance and provincial-level finance departments (hereinafter collectively referred to as “finance departments at or above the provincial level”) shall strengthen information sharing on the supervision of the data security of accounting firms with the cyberspace administration departments, public security organs and State security organs at the same level.
Article 25. Finance departments at or above the provincial level and cyberspace administration departments at or above the provincial level shall carry out supervision and inspection of the data security of accounting firms. Public security organs and State security organs shall, in accordance with the law and within the scope of their duties, undertake the responsibility for supervising the data security of accounting firms.
Article 26. For accounting firms that undertake audit engagements in important fields such as finance, energy, telecommunications, transportation, science and technology, and national defense science, technology and industry, and that fall within the scope prescribed in Article 2 of these Measures, finance departments at or above the provincial level shall give priority attention in supervision and inspection and continuously strengthen routine supervision.
Article 27. An accounting firm shall cooperate with data security supervision and inspection lawfully carried out, and shall not refuse, delay or obstruct it.
Article 28. Where an accounting firm carries out data-processing activities that affect or may affect national security, it shall undergo a security review in accordance with the national security review mechanism.
Article 29. Where a relevant department, in the course of performing its data security supervision duties, finds that an accounting firm’s data-processing activities involve relatively high security risks, it may take supervisory measures against the accounting firm and the persons responsible, such as interviews and ordering rectification within a time limit, so as to eliminate hidden dangers.
Article 30. Where an accounting firm and relevant personnel violate the provisions of these Measures, they shall be dealt with and punished in accordance with the provisions of the Law of the People’s Republic of China on Certified Public Accountants, the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China and other laws and administrative regulations; where the matter involves the duties and powers of other departments, it shall be transferred to the relevant competent department for handling in accordance with the law; where a crime is constituted, the matter shall be transferred to the judicial organ for pursuit of criminal liability in accordance with the law.
Article 31. Where the staff of a relevant department neglect their duties, abuse their power, or engage in malpractice for personal gain in the course of performing the duty of supervising the data security of accounting firms, legal liability shall be pursued in accordance with the law.
Chapter 5 Supplementary Provisions
Article 32. Where an accounting firm and relevant personnel carry out data-processing activities involving State secrets, the provisions of the Law of the People’s Republic of China on Guarding State Secrets and other laws and administrative regulations shall apply.
Article 33. Where an accounting firm and relevant personnel carry out other data-processing activities involving personal information, they shall comply with the provisions of the relevant laws and administrative regulations.
Article 34. An accounting firm may, by reference to these Measures, strengthen the management of data relating to non-audit business.
Article 35. These Measures shall be interpreted by the Ministry of Finance and the Cyberspace Administration of China.
Article 36. These Measures shall come into force as of October 1, 2024.