Attachment
Interim Measures for Data Security Management of Accounting Firms
Chapter 1 General Provisions
Article 1 In order to ensure the data security of accounting firms and regulate their data processing activities, these Measures are formulated in accordance with laws and regulations such as the Certified Public Accountants Law of the People's Republic of China, the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, and the Personal Information Protection Law of the People's Republic of China.
Article 2 If an accounting firm established in accordance with the law within the territory of the People's Republic of China carries out the following audit related data processing activities, these Measures shall apply:
(1) Providing audit services for listed companies, non-listed state-owned financial institutions, central enterprises, etc.;
(2) Providing audit services for key information infrastructure operators or network platform operators with over 1 million users;
(3) Providing audit services for domestic enterprises going public overseas.
Where audit services conducted by an accounting firm do not fall within the scope of the preceding paragraph but involve important or core data, these Measures shall also apply.
Article 3 The data referred to in these Measures refers to any electronic or other record of information obtained from external sources or generated internally by accounting firms during the process of performing audit services.
Data security refers to taking necessary measures to ensure that data is effectively protected and legally utilized, as well as having the ability to guarantee sustained security.
Article 4 Accounting firms shall bear the main responsibility for data security and fulfill their obligations to protect data security.
Article 5 The Ministry of Finance is responsible for the data security supervision of accounting firms nationwide, while provincial (including Shenzhen and Xinjiang Production and Construction Corps) finance departments are responsible for the data security supervision of accounting firms within their respective administrative regions.
Article 6 The Institute of Certified Public Accountants shall strengthen industry self-discipline, guide accounting firms to enhance data security protection, and improve the level of data security management.
Chapter 2 Data Management
Article 7 Accounting firms shall fulfill their data security management responsibilities in the following areas:
(1) Establish a sound data lifecycle security management system, and improve data operation and control mechanisms;
(2) Establish a sound organizational structure for data security management and clarify the responsibility mechanism for data security management;
(3) Implement data classification and grading management that is suitable for business characteristics;
(4) Establish a data permission management strategy, set data access and processing permissions according to the principle of least privilege, review them regularly, and retain data access records in accordance with relevant regulations;
(5) Organize data security education and training;
(6) Other matters stipulated by laws and regulations.
Article 8 The chief partner (chief accountant) of an accounting firm is the person in charge of data security of the firm.
Article 9 Accounting firms shall determine core data, important data, and general data in accordance with the provisions of laws and administrative regulations and the data classification and grading standards of the industry in which the audited entity operates.
Accounting firms and audited entities shall clarify the nature, content, and scope of core and important data in audit materials through business agreements, confirmation letters, and other means.
Article 10 Accounting firms shall comply with relevant national regulations when storing and processing core and important data. Information systems storing core data shall implement level-four network security protection requirements.
Information systems storing important data shall implement level-three or higher network security protection requirements.
Data that constitutes a state secret as a result of aggregation or association shall be handled in accordance with relevant laws and administrative regulations on safeguarding state secrets.
Article 11 Accounting firms shall set up and enable access logging functions for information systems, databases, network equipment, network security equipment, etc. related to audit services.
For systems involving core data, the relevant logs shall be retained for no less than three years. For important data, the relevant logs shall be retained for no less than one year; logs relating to providing important data to others, entrusting others to process it, or jointly processing it with others shall be retained for no less than three years.
Article 12 Accounting firms shall clarify the operating procedures for data transmission. Encryption technology should be used during the transmission of core and important data to protect transmission security.
Article 13 Audit working papers shall be stored within the territory in accordance with laws, administrative regulations, and relevant national provisions. The relevant encryption devices should be installed within the country and operated and maintained by a domestic team, and the keys should be stored within the country.
Article 14 Accounting firms shall establish a data backup system. Accounting firms should ensure that they can still access, retrieve, and use relevant audit working papers in the event that audit related application systems are suspended or restricted due to external technical reasons.
Article 15 Accounting firms shall not include clauses such as providing domestic project information and data to overseas regulatory agencies in their business agreements or similar contracts.
Article 16 Accounting firms shall adopt technical means such as network isolation, user authentication, access control, data encryption, virus prevention, and illegal intrusion detection to timely identify, block, and trace relevant network attacks and illegal access, and ensure data security.
Article 17 Accounting firms shall establish a data security emergency response mechanism and strengthen data security risk monitoring. If risks such as data leakage and security vulnerabilities are discovered, remedial and disposal measures should be taken immediately. If a major data security incident occurs, resulting in the leakage, loss, theft, or tampering of core or important data, it should be reported to the relevant competent department in a timely manner.
Article 18 Accounting firms that provide personal information and important data collected and generated during their domestic operations to overseas entities shall comply with relevant national regulations on data export management.
Article 19 Accounting firms shall establish a hierarchical review mechanism for audit working papers that are to be exported, and take necessary measures to strictly implement data security control responsibilities. For audit working papers that need to be exported, approval procedures shall be handled in accordance with relevant national regulations.
Chapter 3 Network Management
Article 20 Accounting firms shall establish a sound network security governance structure and internal network security management system, with internal decision-making, management, execution, and supervision mechanisms, ensure that network security management capabilities are commensurate with the professional services provided, and provide a secure network environment for data security management work.
Article 21 Accounting firms shall allocate network management technicians with corresponding professional skills according to the scale and complexity of their business activities, ensuring reasonable investment of network resources and funds.
Article 22 Accounting firms shall properly carry out information system security management and technical protection, adopt measures such as physical or logical network isolation appropriate to the level of the data stored and processed, set strict access control policies, and prevent unauthorized access.
Article 23 Accounting firms shall have autonomous management authority over network equipment and network security devices in their audit business systems, and shall uniformly set up and maintain system administrator accounts and staff accounts. They shall not set up unrestricted or unmonitored super accounts, and shall not hand over administrator accounts to third-party operation and maintenance institutions for management and use.
Accounting firms that connect to an international network and use its information systems shall take necessary measures to comply with national data security laws, administrative regulations, and the provisions of these Measures, and ensure the data security of the firm.
Chapter 4 Supervision and Inspection
Article 24 The Ministry of Finance and provincial-level financial departments (hereinafter referred to as financial departments at or above the provincial level) shall strengthen the sharing of accounting-firm data security supervision information with cyberspace administration departments, public security organs, and national security organs at the same level.
Article 25 Financial departments at or above the provincial level and cyberspace administration departments at or above the provincial level shall conduct supervision and inspection of the data security of accounting firms. Public security organs and national security organs shall undertake the responsibility of supervising the data security of accounting firms within their scope of duties in accordance with the law.
Article 26 For accounting firms that undertake audit services in important fields such as finance, energy, telecommunications, transportation, technology, and national defense science and industry and that fall within the scope of Article 2 of these Measures, the financial departments at or above the provincial level shall pay special attention to their supervision and inspection work and continuously strengthen daily supervision.
Article 27 Accounting firms shall cooperate with data security supervision and inspection carried out in accordance with the law, and shall not refuse, delay, or obstruct it.
Article 28 If an accounting firm engages in data processing activities that affect or may affect national security, it shall undergo security review in accordance with the national security review mechanism.
Article 29 If relevant departments discover significant security risks in data processing activities carried out by accounting firms during the performance of data security supervision responsibilities, they may take regulatory measures such as interviews and orders for rectification within a specified period of time to eliminate hidden dangers.
Article 30 Accounting firms and related personnel who violate the provisions of these Measures shall be punished in accordance with the provisions of laws and administrative regulations such as the Certified Public Accountants Law of the People's Republic of China, the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, and the Personal Information Protection Law of the People's Republic of China; if the matter involves the responsibilities and authority of other departments, it shall be transferred to the relevant competent department for handling in accordance with the law; if it constitutes a crime, it shall be transferred to the judicial organs for criminal prosecution in accordance with the law.
Article 31 If staff members of relevant departments neglect their duties, abuse their power, or engage in favoritism and fraud while fulfilling their responsibilities for data security supervision of accounting firms, they shall be held legally responsible in accordance with the law.
Chapter 5 Supplementary Provisions
Article 32 Accounting firms and related personnel conducting data processing activities involving state secrets shall be subject to the provisions of laws and administrative regulations such as the Law of the People's Republic of China on Guarding State Secrets.
Article 33 Accounting firms and related personnel shall comply with relevant laws and administrative regulations when conducting other data processing activities involving personal information.
Article 34 Accounting firms may strengthen the management of non-audit business data in accordance with these Measures.
Article 35 These Measures shall be interpreted by the Ministry of Finance and the Cyberspace Administration of China.
Article 36 These Measures shall come into effect from 2024