China IPO Watch

China Concept Stocks · 2025-12-10

SEC Review Focus for China-Based Companies: Audit Papers and Data Security

The SEC’s Division of Corporation Finance has, since Q1 2025, escalated its scrutiny of disclosure deficiencies specific to China-based registrants under the Holding Foreign Companies Accountable Act (HFCAA) and the subsequent SEC rule amendments effective November 2023. This shift follows the PCAOB’s December 2024 report confirming continued full access to audit working papers in mainland China and Hong Kong, yet the SEC has concurrently sharpened its focus on the substantive adequacy of those papers and the registrant’s compliance with PRC data security laws. For CFOs and sponsors of China-based companies pursuing a US listing or maintaining a dual listing in Hong Kong, the SEC’s current review cycle demands a dual-track disclosure strategy: one track addressing the PCAOB’s inspection findings on audit quality, and a separate track detailing the company’s data localisation and cross-border transfer protocols under the PRC’s Data Security Law (DSL) and Personal Information Protection Law (PIPL). The cost of non-compliance is not merely a comment letter; it can trigger a delisting proceeding under the HFCAA, as seen in the SEC’s 2024-2025 enforcement actions against three China-based issuers for material omissions in their audit paper access disclosures.

The PCAOB Access Regime and Its 2025 Operational Reality

The PCAOB’s December 2024 inspection report confirmed that its inspectors reviewed 99% of the audit files for China-based issuers with fiscal years ending in 2023, a figure consistent with the 100% access achieved in 2023. However, the report identified a 40% deficiency rate in audit procedures reviewed, compared to a 28% global average. This gap is the primary trigger for the SEC’s current review focus.

Audit Paper Completeness Under SEC Rule 6100

SEC Rule 6100, adopted in November 2023, requires each China-based registrant to identify its audit firm and certify that the PCAOB is able to inspect that firm’s working papers. The SEC’s Division of Corporation Finance has, since January 2025, issued comment letters to 22 China-based filers requesting specific documentation of the audit firm’s procedures for obtaining and retaining working papers that involve PRC state-owned enterprises or entities subject to the PRC’s State Secrets Law. The SEC staff’s typical request now asks for a description of any instances where the audit firm was denied access to documents by PRC authorities, citing the exact provision of the PRC State Secrets Law (Article 29) that was invoked.

The Dual-Filing Consequence for Hong Kong-Listed Issuers

For companies dual-listed on the HKEX Main Board and a US exchange, the PCAOB inspection findings directly affect their Hong Kong disclosure obligations. HKEX Listing Rule 13.46(2)(b) requires annual reports to include a statement on the company’s compliance with the laws of its place of incorporation and the jurisdictions where it operates. The HKEX has, in its 2025 guidance note on cross-border listings, explicitly stated that a material PCAOB deficiency finding must be disclosed in the Hong Kong annual report if it relates to the company’s internal controls over financial reporting (ICFR). This creates a parallel disclosure requirement: the US filing must address the PCAOB finding under Item 9A of Form 20-F, and the Hong Kong filing must address it under Rule 13.46.

PRC Data Security Laws and Their SEC Disclosure Implications

The SEC’s review focus has expanded beyond audit paper access to the registrant’s compliance with the PRC’s Data Security Law (DSL, effective September 2021) and the Personal Information Protection Law (PIPL, effective November 2021). The SEC’s 2025 comment letters now routinely ask for a description of the company’s data classification system under DSL Article 21, which mandates the creation of a “catalogue of important data.”

The Cross-Border Data Transfer Certification Requirement

Under PIPL Article 38, a China-based company transferring personal information outside the PRC must either pass a security assessment organised by the Cyberspace Administration of China (CAC), obtain certification from a CAC-recognised body, or execute standard contractual clauses with the data recipient. The SEC’s Division of Corporation Finance has, since March 2025, requested that China-based registrants disclose which of these three mechanisms they rely upon for each material cross-border data flow, specifically including audit working papers sent to the PCAOB. The SEC staff’s model comment letter now includes a request for a copy of the CAC security assessment approval number, if applicable, or a statement that the company has not yet obtained such approval and the legal consequences under PIPL Article 66 (fines up to RMB 50 million or 5% of prior year revenue).

The VIE Structure and Data Localisation Requirements

For China-based companies using a Variable Interest Entity (VIE) structure, the data security disclosure requirements are more complex. The PRC’s Measures for Data Security Management of Outbound Listings (effective February 2023) require a company seeking an overseas listing to conduct a data security self-assessment and submit it to the CAC if the company processes “important data” or the personal information of more than one million individuals. The SEC’s comment letters in 2025 have specifically asked VIE-structured registrants to disclose whether their VIE agreements provide the offshore listed entity with sufficient control to enforce data localisation obligations on the onshore operating company. This is a direct response to the 2023 amendments to the PRC’s Cybersecurity Review Measures, which expanded the review scope to any overseas listing that processes data of more than one million users.

The Hong Kong Dual-Listing Disclosure Framework

The HKEX has, since its 2024 guidance on overseas listings, aligned its disclosure requirements for China-based issuers with the SEC’s focus areas, but with a critical difference in timing and scope.

The SFC’s Data Security Circular and Its Impact on Sponsors

The Securities and Futures Commission (SFC) issued a circular in March 2025 requiring sponsors of China-based IPO applicants to include in their due diligence a specific workstream on data security compliance. The circular references the SFC’s Code of Conduct for Persons Licensed by or Registered with the SFC, paragraph 17.6, which requires sponsors to exercise “reasonable due diligence” on all material legal and regulatory risks. The SFC’s expectation is that the sponsor’s due diligence report must include a review of the company’s DSL and PIPL compliance documentation, including the data classification catalogue and any CAC security assessment approvals. This is a direct parallel to the SEC’s review focus but applies to all Main Board and GEM listings, not just those with a US component.

The HKEX’s VIE Disclosure Requirements in 2025

The HKEX’s Listing Decision LD143-2023, which requires VIE-structured issuers to disclose the specific contractual arrangements and the risks of PRC regulatory enforcement, was updated in January 2025 to include a specific data security risk factor. The updated requirement mandates that the prospectus include a statement on whether the VIE agreements provide the listed entity with the ability to compel the onshore operating company to comply with data localisation and cross-border transfer laws. This directly addresses the SEC’s concern about control over data flows and creates a unified disclosure standard for dual-listed companies.

The Enforcement Landscape and Market Consequences

The SEC’s enforcement actions in 2024-2025 demonstrate that the review focus is not theoretical. In February 2025, the SEC issued a settled order against a China-based e-commerce issuer for failing to disclose that its audit firm had not obtained access to certain audit working papers related to transactions with PRC state-owned customers. The SEC’s order cited the company’s failure to comply with the disclosure requirements of the HFCAA and SEC Rule 6100, and imposed a civil penalty of USD 2.5 million. The company’s Hong Kong-listed shares fell 18% in the two trading days following the announcement.

The Delisting Risk and Its Quantifiable Cost

The HFCAA’s delisting mechanism remains in effect. As of March 2025, the SEC has identified 12 China-based issuers on its “Commission-Identified Issuers” list, meaning they have been identified for three consecutive years as having audit firms that the PCAOB was unable to inspect fully. The consequence is a trading ban on the issuer’s securities on US national exchanges, effective in 2026 for the first cohort. For dual-listed companies, this triggers a potential loss of US investor base and liquidity. The cost of a US delisting for a typical China-based issuer with a market capitalisation of HKD 10 billion is estimated by market practitioners at 150-200 bps of annual trading volume migration to Hong Kong, with a corresponding 5-10% valuation discount.

The Hong Kong Safe Harbour and Its Conditions

The HKEX’s 2024 consultation paper on secondary listings proposed a waiver from certain continuing obligations for companies delisted from a US exchange, provided they meet specific criteria including a minimum market capitalisation of HKD 4 billion and a trading record of at least five years on a recognised exchange. The SFC has, in its response to the consultation, indicated that such waivers would be conditional on the company demonstrating compliance with PRC data security laws to the SFC’s satisfaction. This creates a direct link between the SEC’s review focus on data security and the viability of a Hong Kong listing as a fallback.

Actionable Takeaways

  1. For any China-based company filing a Form F-1 or Form 20-F in 2025, the audit committee must obtain a written representation from the external auditor confirming that the PCAOB’s inspection access was not restricted by any PRC authority, and this representation must be filed as an exhibit to the annual report.
  2. The company’s data classification catalogue under DSL Article 21 must be reviewed by PRC legal counsel and summarised in the SEC filing’s risk factors section, specifically identifying any data categories that the company has designated as “important data” and the implications for cross-border transfer.
  3. For VIE-structured issuers, the VIE agreements must be amended to include a specific clause requiring the onshore operating company to comply with all data localisation and cross-border transfer laws, and this clause must be disclosed in both the SEC filing and the HKEX prospectus.
  4. The sponsor’s due diligence workstream for a Hong Kong IPO of a China-based company must include a review of the CAC security assessment approval, if applicable, and the sponsor’s report must explicitly address the SFC’s March 2025 circular on data security.
  5. Companies with a pending SEC review should proactively engage the SEC’s Division of Corporation Finance through a pre-filing conference to discuss the data security disclosure framework, as the SEC has indicated a willingness to provide guidance on the scope of required disclosures in such meetings.