A set of proposed cybersecurity rules from China has cast doubt over whether Hong Kong can serve as neutral ground to settle a dispute between Beijing and Washington over auditing rules, as the measures lay out stricter-than-expected restrictions about where auditors may park and back up sensitive data.
The draft rules, jointly published on November 10 by the Ministry of Finance and the Cyberspace Administration of China (CAC), said accounting firms must keep their audit working papers and relevant data within the territory of the People’s Republic of China (PRC).
Audit working papers, also known as audit documentation according to US accounting watchdog the Public Company Accounting Oversight Board, detail how accounting firms plan and execute audits of clients’ financial statements.
The proposed rules translate to additional cost and burden for accounting firms who will have to up their game to comply, experts said, while calling into question the role for Hong Kong and the “big four” global accounting firms.
“Hong Kong and mainland China are subject to different regulations, which means that if the data are backed up in Hong Kong, they can still be obtained by foreign entities in the region, and this is considered a risk according to China’s cybersecurity law,” said Shen Meng, director at Beijing-based investment firm Chanson & Company.
The draft rules apply to firms operating in mainland China, including those that have been hired by state-owned companies and financial institutions, as well as those involved in cross-border auditing.
Chinese authorities have long been reluctant to allow US regulators to inspect local accounting firms and access data concerning Chinese companies, citing national security concerns. As recently as January, the finance ministry and other government entities urged state-owned companies to let their contracts with the global big-four – PwC, Deloitte, KPMG and EY – expire.
Those firms did not immediately respond to the Post’s requests for comment on the draft rules.
More Hong Kong firms are getting their ESG reporting checked by auditors: survey
More Hong Kong firms are getting their ESG reporting checked by auditors: survey
But that role could be a “temporary measure at best,” Shen said. Hong Kong technically does not fall within the scope of the territory of the PRC, he added.
Liu Dian, associate researcher at Fudan University’s China Institute, said the new proposed cybersecurity rules complement China’s existing data security law and serve as “an important directive” on how financial institutions, such as accounting firms, should self-regulate in accordance with the law.
“The data security law is an overarching design,” he said. “It’s fundamental and directional.” The draft measures, in addition to signalling the country’s stance on data security, also make clear who is responsible, who is subject to regulations, and the scope of the regulations, he added.
China introduced its data security law in September 2021, requiring Chinese companies to classify their data based on relevance to national security.
“The restriction is tightened, as the responsibility has been placed on certified public accountant [CPA] firms on how they store and use the audit data and not just the audit papers like in the past,” said Clement Chan Kam-wing, chairman of The Hong Kong Association of Registered Public Interest Entity Auditors. The association’s members employ a combined 16,000 people and handle the auditing of all of Hong Kong’s more than 2,600 listed companies.
China aims to put auditors in cross hairs as national security concerns rise
China aims to put auditors in cross hairs as national security concerns rise
“According to the draft rules, all CPA firms doing audits of financial institutions, energy, telecommunications, transport, technology and national defence-related industries will need to up their game in ensuring data security and storage so that [data] will not be accessed by unauthorised users outside of China,” Chan said. This will add burden and cost for all accounting firms in both Hong Kong and mainland China.
However, the draft rules could leave room for further clarification, as they are open to public consultation until December 11.
There may be leeway in implementation following dialogue with the US, but it is not likely that all disagreements will be resolved, he added.
“Investors in China should accept that certain data may not be made available due to national security reasons,” he said. “Another missing point is whether Hong Kong can serve as the venue to examine such documents upon approval, as in the cases before.”
Additional reporting by Enoch Yiu