He Jueyuan, a reporter from the Securities Times

On May 10th, the Ministry of Finance and the State Internet Information Office jointly issued the Interim Measures for the Administration of Data Security of Accounting Firms, which will enter into force on October 1, 2024. The interim measures require accounting firms to establish a data backup system. The audit working papers of accounting firms shall be stored in China in accordance with laws, administrative regulations and relevant provisions of the State.

The interim measures make clear that they apply mainly to audit-related data processing activities carried out by accounting firms established in China according to law, including: providing audit services for listed companies and for unlisted state-owned financial institutions or central enterprises; providing audit services for key information infrastructure operators or network platform operators with more than 1 million users; and providing audit services for the overseas listing of domestic enterprises. Where an accounting firm is not engaged in the above three types of business but its audit business involves important data or core data, its data processing activities shall also be carried out in accordance with the interim measures.

The interim measures require accounting firms to determine which data is core data, important data and general data in accordance with the relevant laws and regulations and the industry data classification and grading standards of the audited units. The auditee is obliged to inform the accounting firm, by means of business appointment letters, confirmation letters and the like, of information relating to core data and important data in the audit materials.

The interim measures set clear requirements for the storage, logging and transmission of core and important data. For data storage, an information system that stores important data must meet the network security level protection requirements of level three or above, and an information system that stores core data must meet the level four network security level protection requirements. For log management, logs relating to core data must be retained for not less than three years, and logs relating to important data must be retained for not less than one year. Among the latter, logs relating to providing important data to others, entrusting its processing, or processing it jointly must be retained for not less than three years. General data shall be handled in accordance with the relevant provisions of the State; the interim measures set no special requirements for it.

The audit working papers of an accounting firm shall be stored in China

Up to now, 35 accounting firms in China have joined or established 28 international accounting networks, and the industry's foreign exchanges and cooperation are becoming ever closer. The interim measures stipulate that the audit working papers of accounting firms shall be kept in China in accordance with the relevant provisions. An accounting firm shall not include in a business agreement or similar contract any provision under which the firm would provide domestic project data to overseas regulatory agencies, or any similar provision. If overseas regulatory authorities genuinely need domestic audit working papers for regulatory purposes, they shall obtain them in accordance with the regulations through the corresponding cross-border supervision cooperation mechanism, and the audit working papers concerned shall go through examination and approval formalities before leaving the country.

The interim measures set specific requirements for accounting firms on the establishment of an internal network security management system, investment of network management resources, technical protection of network security, network management account authority, and so on, guiding accounting firms to provide a secure network environment for data security management. The interim measures make clear that accounting firms should carry out information system security management and technical protection, set strict access control policies, and prevent unauthorized access.

The interim measures require accounting firms to establish a data backup system to ensure that the relevant audit working papers can still be accessed and used when audit-related application systems are suspended or restricted due to external technical reasons. Encryption equipment shall be set up within the territory and operated and maintained by a domestic team, and keys shall be stored within the territory. The accounting firm shall have independent management authority over the network equipment and network security equipment in its audit business system, and shall uniformly set up and maintain the system administrator account and staff accounts. It shall not set up an unrestricted and unmonitored super account, and the administrator account shall not be handed over to a third-party operation and maintenance organization for management and use.