Finance and Accounting [2024] No. 6

Author: Zhonghui Xinda
Notice on the issuance of the "Interim Measures for Data Security Management of Accounting Firms".

Finance and Accounting [2024] No. 6

To the finance departments (bureaus) and internet information offices of all provinces, autonomous regions, and municipalities directly under the Central Government, the finance bureaus and internet information offices of the Xinjiang Production and Construction Corps, and the Shenzhen Municipal Finance Bureau:

In order to implement the relevant requirements of the "Opinions of the General Office of the State Council on Further Standardizing the Order of Financial Auditing and Promoting the Healthy Development of the CPA Industry" (Guo Ban Fa [2021] No. 30), strengthen the data security management of accounting firms, and standardize the data processing activities of accounting firms, we have formulated the "Interim Measures for Data Security Management of Accounting Firms", which are hereby issued. Please comply with them.

Attachment: Interim Measures for Data Security Management of Accounting Firms

Ministry of Finance, Cyberspace Administration of China

April 15, 2024

The relevant responsible persons of the Ministry of Finance and the Cyberspace Administration of China answered reporters' questions on the issuance of the "Interim Measures for Data Security Management of Accounting Firms".

May 10, 2024 Source: Accounting Division

Recently, the Ministry of Finance and the Cyberspace Administration of China jointly issued the Interim Measures for the Data Security Management of Accounting Firms (Cai Kuai [2024] No. 6, hereinafter referred to as the "Interim Measures"), which will come into force on October 1, 2024. Relevant responsible persons of the Ministry of Finance and the Cyberspace Administration of China answered reporters' questions on the relevant issues of the "Interim Measures".

Q: What is the background and significance of the formulation of the Interim Measures?

A: The first is to implement relevant legal requirements. The Interim Measures fully implement the requirements of the Cybersecurity Law, the Data Security Law, the Personal Information Protection Law and other laws. They refine the relevant provisions on national network and data security management for the CPA industry, provide a basis for accounting firms to carry out data security management activities, and help promote the institutionalization and standardization of data security management in the CPA industry.

The second is to implement the requirements of the relevant documents of the State Council. The "Opinions of the General Office of the State Council on Further Standardizing the Order of Financial Auditing and Promoting the Healthy Development of the CPA Industry" (Guo Ban Fa [2021] No. 30) emphasizes that it is necessary to accelerate the construction of the basic system of the CPA profession and follow up and improve the relevant system regulations in a timely manner. In line with the development trend of the digital economy, the Interim Measures further improve the basic institutional system of the CPA industry.

The third is to implement the relevant requirements of financial and accounting supervision. The Interim Measures establish a horizontally coordinated and vertically linked industry data security regulatory mechanism, clarify the responsibilities of the financial department, the internet information department, the public security organs, the state security organs and other parties, ensure effective connection, strengthen information sharing, and promote cross-regional, cross-departmental and cross-level coordinated supervision.

Q: What is the process of formulating the Interim Measures?

A: On the basis of an in-depth analysis of the current situation and needs of data security management in the CPA industry, the Ministry of Finance, together with the Cyberspace Administration of China, drafted the first draft of the Interim Measures, conducted on-site research on some accounting firms, and organized special discussions between accounting firms and data security experts to form a draft of the Interim Measures for comments.

In November 2023, the two departments jointly solicited opinions from local finance departments, internet information departments, accounting firms, and the public. The feedback generally held that the Interim Measures are comprehensive, clear and instructive, and will help strengthen the data security management of accounting firms and standardize their data processing activities. At the same time, some of the feedback proposed specific amendments. We carefully sorted out all the feedback, fully absorbed and adopted it, and revised and improved the draft for comments on the basis of repeated discussions and soliciting opinions from relevant departments.

Q: What are the main contents of the Interim Measures?

A: The Interim Measures mainly cover five aspects. The first is the general provisions, which mainly clarify the basis, applicable objects, and responsible subjects. The second is data management, which mainly includes overall responsibility, responsible personnel, data classification and grading, log management, data transmission management, data encryption management, data backup, business agreements, technical protection means, daily security monitoring, data export, etc. The third is network management, which mainly includes the network management system, resource investment, access control, system account management, etc. The fourth is supervision and inspection, which mainly includes information sharing, daily inspection, key inspection objects, security review, administrative supervision measures, administrative penalties and other content. The fifth is the supplementary provisions.

In terms of specific content, the Interim Measures mainly set standards in six aspects:

The first is to clarify the applicable objects. The Interim Measures are mainly applicable to the data processing activities related to audit business carried out by lawfully established accounting firms in China, including providing audit services for listed companies and unlisted state-owned financial institutions or state-owned enterprises; providing audit services for critical information infrastructure operators or network platform operators with more than 1 million users; and providing audit services for domestic enterprises listing overseas. Accounting firms that do not engage in the above three types of business, but whose audit business involves important data or core data, should also carry out data processing activities in accordance with the Interim Measures. Data includes any records of information obtained externally or generated internally, electronically or otherwise, in the course of the accounting firm's audit operations.

The second is to standardize the classification and grading of data. The Interim Measures require accounting firms to determine core data, important data and general data in accordance with the provisions of relevant laws and regulations and the data classification and grading standards of the audited entity's industry, and set clear requirements for the storage, related logs and transmission of core data and important data. The audited entity has the obligation to inform the accounting firm, through the business agreement, confirmation letter, etc., of information on the core data and important data contained in the audit materials. In terms of data storage, information systems that store important data should implement the requirements of level 3 or above network security level protection, and information systems that store core data should implement level 4 network security level protection requirements. In terms of log management, the relevant logs involving core data shall be retained for no less than three years, and the relevant logs involving important data shall be retained for no less than one year, of which the logs relating to provision to others, entrusted processing, and joint processing shall be retained for no less than three years. General data shall be handled in accordance with relevant national regulations, and the Interim Measures do not impose special requirements.

The third is to standardize the management of audit working papers. Up to now, 35 accounting firms in mainland China have joined or established 28 international accounting networks, and the industry's exchanges and cooperation with foreign counterparts have become increasingly close. The Interim Measures stipulate that the audit working papers of accounting firms shall be stored in China in accordance with relevant regulations. An accounting firm shall not include in the business agreement or similar contract clauses such as the provision of domestic project information and data by the accounting firm to overseas regulatory authorities. If an overseas regulatory authority truly needs to obtain domestic audit working papers due to regulatory needs, it shall obtain them through the corresponding cross-border regulatory cooperation mechanism in accordance with laws and regulations, and the corresponding audit working papers shall go through approval formalities when leaving the country. Accounting firms shall establish a step-by-step review mechanism for the export of audit working papers, and implement data security management and control responsibilities.

The fourth is to strengthen network management. The Interim Measures set out specific requirements for accounting firms regarding the establishment of internal network security management systems, investment in network management resources, network security technical protection, and network management account authority, and guide accounting firms to provide a secure network environment for data security management. Accounting firms shall establish rules and regulations and effectively implement them to ensure that network security management capabilities are commensurate with the professional services provided; they shall do a good job in information system security management and technical protection, set up strict access control policies, and prevent unauthorized access.

The fifth is to focus on security and controllability. The Interim Measures require accounting firms to establish a data backup system to ensure that they can still access, retrieve and use relevant audit working papers in the event that the use of audit-related application systems is suspended or restricted due to external technical reasons. Encryption devices shall be set up within the territory of the country and shall be operated and maintained by the domestic team, and the keys shall be stored within the territory. Accounting firms shall have the authority to independently manage network equipment and network security equipment in their audit business systems, shall uniformly set up and maintain system administrator accounts and staff accounts, shall not set up super accounts that are not restricted or monitored, and shall not hand over administrator accounts to third-party operation and maintenance institutions for management and use.

The sixth is to consolidate regulatory responsibilities. The Interim Measures clarify the regulatory responsibilities of the financial authorities, internet information departments, public security organs, and state security organs for data security of accounting firms. Finance departments at the provincial level or above and internet information departments at the provincial level or above are to carry out oversight and inspections of accounting firms, and public security organs and state security organs are to undertake data security oversight duties for accounting firms within the scope of their duties in accordance with law. Accounting firms shall cooperate with lawfully carried out data security oversight and inspections.

Q: How will the Interim Measures be implemented?

A: The first is to intensify publicity and guidance. Finance and internet information departments at all levels should attach great importance to the Interim Measures, actively publicize them, guide accounting firms to establish and complete data security management systems and ensure effective implementation, and truly raise the level of data security management of accounting firms. The second is to intensify supervision and inspection. All relevant departments shall, in accordance with their regulatory duties, implement relevant requirements such as routine supervision, key inspections, and security reviews of data security management of accounting firms, and strictly deal with accounting firms that have violated the rules in accordance with law. The third is to strengthen coordination and cooperation. All relevant departments should strengthen the sharing of regulatory information, strengthen communication and coordination, improve and refine the working mechanism, form a joint work force, and conscientiously do a good job in the implementation of the Interim Measures.

Source: Ministry of Finance.