By Yanrong Zeng


In 2020, Congress passed the Holding Foreign Corporation Accountability Act (“HFCAA”) and required foreign governments to provide U.S. regulators with full access to the audit working papers to examine the financial integrity of foreign companies listed in the U.S. stock exchanges.[1] Otherwise, the HFCAA will delist these companies after three years. Audit working papers are broadly defined as first-hand information that provides all the factual basis for a company’s financial statements. [2] When the U.S. regulator expanded its extraterritorial oversight over foreign audit firms and companies,[3] the ambiguous definition of audit working papers opened the door to foreign governments’ concerns about information confidentiality, such as the position taken by Japan in 2003.[4]

The international framework requires overseas regulators to comply with the domestic laws before directly investigating or requesting auditing material.[5] The European Union chooses the principle of “full trust” to identify the audit supervision system of 10 countries (including China) as equivalent to the E.U.’s audit supervision system and fully trust the audit supervision results of foreign regulators.[6] In contrast, the United States is the first one to break through the traditional regulatory jurisdiction based on national borders and expand its regulatory capabilities in accordance with the principle of “long-arm jurisdiction.”[7]

China allows accounting firms to provide audit working papers to foreign regulators after redacting sensitive information during the cybersecurity screening and using appropriate regulatory cooperation channels.[8] Both methods are in line with common international practices.[9] On the other hand, U.S. regulators protect the interests of U.S. investors by requiring direct inspection and full disclosure of audit working papers. The U.S. regulator is concerned that Chinese auditing firms would remove harmful information in the original audit working papers.[10] Against the backdrop of the U.S.-China trade war and economic decoupling, some market watchers[11] and academics[12] in both the U.S. and China view the HFCAA as an ultimatum to the decade-long bilateral negotiation. An American scholar pointed out that the HFCAA “weaponized access to the U.S. capital market to punish the Chinese firms.”[13]

However, the fundamental disagreement over redaction is caused by the two countries’ different definitions of “national security information.” The Director of International Affairs at the U.S. Securities and Exchange Commission (“SEC”) recently stated, “Sensitive information pertaining to national security—and by that, I mean the ability for the state to cater to the protection and defense of its citizenry—should not be in the auditor’s files.”[14] In comparison, the Chinese definition includes a wide range of sensitive information relating to cybersecurity, data security, and protection of personal information.[15] Chinese regulators attach great importance to commercially sensitive information because most Chinese companies listed in the United States are pan-Internet companies focusing on online games and searches, education and chain operations, new energy, medicine, and high-end manufacturing.[16]

These pan-Internet companies have been adversely affected by Chinese law requiring cybersecurity review. “Security-related information” include personal privacy information from (1) online platform with more than 1 million users,[17] and (2) “critical information infrastructure” in the areas of public communication and information services, energy, transportation, water conservancy, finance, public services, e-government, and defense technology.[18]

The new cybersecurity law was enacted in response to the July 2021 information breach caused by Chinese ride-hailing company Didi Global. Didi surged into the U.S. stock market with a nearly $70 billion pre-IPO valuation but chose not to hold any bell-ringing ceremony or official press release.[19] With 15 million active drivers and 156 million monthly active users globally, Didi is naturally closely regulated because of its scale.[20] Didi has demonstrated predictive capabilities based on big data and artificial intelligence. In 2015, Chinese government and Didi jointly released a statistical report that counted the workload of each governmental agency over a certain period and the addresses of everyone working in that department.[21]



[1]  See Holding Foreign Companies Accountable Act, Pub. L. No. 116-222, 134 Stat. 1063.

[2]  AU Section 339: a Working Papers, Pub. Co. Acct. Oversight Bd.,

[3]  International, Pub. Co. Acct. Oversight Bd.,

[4]  The Japanese Inst. of Certified Pub. Acct., Re: Public Company Accounting Oversight Board; Notice of Filing of Proposed Rules Relating to Registration System (File No. PCAOB-2003-03) (June 27, 2003), (“It is commonly understood that the Japanese law does not directly extend to include the laws and judicial proceedings of foreign countries, and accordingly, compliance of a foreign country’s law such as the Sarbanes-Oxley Act or the PCAOB requirements, would not constitute a ‘justifiable reason’”).

[5]  Multilateral Memorandum of Understanding Concerning Consultation and Cooperation and the Exchange of Information, IOSCO (May 2012), § 7(c) (“Assistance will not be denied based on the fact that the type of conduct under investigation would not be a violation of the Laws and Regulations of the Requested Authority”).

[6]  Commission Decision of 19 January 2011 on the Equivalence of Certain Third Country Public Oversight, Quality Assurance, Investigation and Penalty Systems for Auditors and Audit Entities and a Transitional Period for Audit Activities of Certain Third Country Auditors and Audit Entities in the European Union. Official Journal of the European Union.

[7] Since the PCAOB was established in the same year as Multilateral Memorandum of Understanding Concerning Consultation and Cooperation and the Exchange of Information.

[8] See Zhonghua Renmin Gongheguo Zhengquan Fa [Securities Law of the People’s Republic of China] § 177 (rev’d Dec. 28, 2019, effective Mar. 1, 2020),, (“Without the consent of the securities regulatory authority of the State Council and the relevant competent departments of the State Council, no entity or individual may provide documents and materials related to securities business activities to overseas countries without authorization”).

[9] Id.

[10] See id.

[11]  See Gangku Kejigu Baodie Beihou Fasheng le Shenme? Honghao: Qingxuehua Paoshou, Meigu Shenzhi Keneng Yaozhan [What Happened Behind the Plunge in Hong Kong Technology Stocks? Hong Hao: U.S. Stocks May Even Halve after Emotional Selling], Phoenix News, Mar. 14, 2022, Hereinafter Honghao.

[12]  See Connie Friesen, Re-Thinking US Policy on Engagement with Chinese Financial Institutions (May 2022) (M.A. dissertation, Harvard University),

[13]  Venkat Gundumella et. al, Great Power Competition and Chinese Assertiveness in the Covid World Order, SSRN, Apr. 9, 2021, at 10, or

[14] YJ Fischer, Director, Office of Int’l Affs., Sec. and Exch. Comm’n, Resolving the Lack of Audit Transparency in China and Hong Kong: Remarks at the International Council of Securities Associations (ICSA) Annual General Meeting (May 24, 2022),

[15] Wangluo Anquan Shencha Banfa [Network Security Review Measures] § 7 (promulgated by Cyberspace Administration of China et. al, Dec. 28, 2021, effective Fed. 15, 2022],

[16] Id.

[17] Wangluo Anquan Shencha Banfa [Network Security Review Measures, supra note 50.

[18] Guanjian Xinxi Jichu Sheshi Anquan Baohu Tiaoli [Critical Information Infrastructure Security Protection Regulations] § 2 (promulgated by St. Council, July 30, 2021, effective Sept. 1, 2021),

[19] Xiao Wenjie & Wang Shanshan, Gongsi Yanbao: Didi de Zhen Wenti [Company Research Report: The Real Problem of Didi], YiMagazine, Oct. 13, 2021.

[20] Id.

[21] Dashuju Jiemi: Gaowentian Buwei Jiaban Dabiping [Big Data Revealed: Ministries and Commissions Work Overtime in High Temperature Days], Xinhua Net, July 18, 2015,

Image Source: