How to Choose an Agency for Personal Information Protection Audits (Part II)

Written by Arendse Huld. Reading time: 7 minutes

A new set of guidelines defines the required professional capabilities, facilities, and personnel qualifications for institutions conducting personal information compliance audits. These standards offer valuable clarity for companies when selecting an auditor. In this article, we outline the key requirements for third-party auditors and share practical tips on how to choose the right one.

See here for Part 1: New Guidelines for Personal Information Protection Audits – Clarifying Requirements and Processes (Part I)


On May 26, 2025, the National Cybersecurity Standardization Technical Committee released two important guides for conducting personal information (PI) protection compliance audits in China. These guides follow the implementation of new regulatory requirements effective May 1, 2025, which mandate that companies processing certain volumes of PI must regularly audit their compliance with China’s data protection framework, including the Personal Information Protection Law (PIPL) and the Network Data Security Management Regulations.

In part one of this article series, we focused on the first guide, which outlines general audit procedures for companies conducting PI compliance audits, whether by themselves or by entrusting a third-party audit agency. In the second part, we will focus on the second guide: the Cybersecurity Standard Practice Guide – Service Capability Requirements for Professional Institutions for Personal Information Protection Compliance Audits. 

This second guide is designed for professional institutions (hereinafter “audit agencies”) that companies may engage to carry out PI protection compliance audits on their behalf. It sets out standardized requirements for such institutions across five key dimensions: basic qualifications, management capabilities, professional skills, personnel competence, and facilities and equipment resources. The guide is intended to ensure that these organizations can reliably and independently perform audits that meet regulatory expectations, and it also serves as a benchmark for companies when selecting qualified audit providers.


General requirements for audit agencies 

Audit agencies must meet the following basic conditions in order to conduct PI protection audits:

  1. Be registered in China with independent legal person status, or be a partnership organization with compliance review qualifications;
  2. Have a legal representative, chairman, partners, senior management, and PI protection compliance auditors who are Chinese nationals with no criminal record;
  3. Not be involved in any ongoing legal disputes or litigation;
  4. Have no outstanding administrative penalties related to cybersecurity, and not be undergoing a cybersecurity review;
  5. Have previously delivered service projects or tasks such as inspection, testing, evaluation, or consulting related to PI protection; and
  6. Not have been notified by the relevant authorities of problems with its cybersecurity, data security, or PI protection services in the past three years.

The agency must also not have engaged in any of the following conduct, which violates the requirements for PI protection compliance audit services:

  1. A compliance auditor’s professional judgment failed to adhere to the principles of integrity and honesty, or lacked fairness and objectivity;
  2. Failing to keep confidential, in accordance with laws and regulations, the personal information, trade secrets, confidential business information, and other confidential information obtained while performing PI protection compliance audit duties; or
  3. Entrusting the PI protection compliance audit to another institution.

Importantly, audit agencies may also not conduct a PI protection audit for the same companies more than three times in a row. Please see our previous article on the requirements for conducting PI protection audits for information on the mandatory frequency of PI protection audits for different types of companies. 

Management requirements 

Audit agencies are required to adhere to certain management standards to ensure the integrity, independence, and effectiveness of PI protection compliance audits. These management requirements help standardize internal operations, safeguard sensitive data, and ensure that audit outcomes are objective and credible. The following table outlines the key categories and corresponding expectations for audit agencies conducting PI compliance audits: 

Management Requirements for PI Protection Audit by Audit Agencies

  1. Responsibility system
     Requirement: Establish an audit responsibility system
     Details: Define the responsible departments, their scope, leaders, workflows, and coordination mechanisms. Cover day-to-day confidentiality, publicity, quality control, and self-inspection.

  2. Personnel management
     Requirement: Audit personnel management system
     Details: Auditors sign confidentiality agreements; work records are maintained; regular training is provided on PI protection, audit skills, policies, and security awareness.

  3. Audit plan review
     Requirement: Audit plan review mechanism
     Details: Ensure clarity on the scope of PI processing, the resources involved, and the appropriateness of the audit timeline.

  4. Documentation management
     Requirement: Work archive management system
     Details: Archive all audit materials, including contracts, kickoff meetings, plan and report reviews, final meetings, authorizations, and handover documents.

  5. On-site supervision
     Requirement: Daily audit supervision mechanism
     Details: Monitor on-site activities, including device usage, access to materials, notifications, and the details of audit implementation.

  6. Report review
     Requirement: Audit report review management
     Details: Evaluate the report’s scientific basis, completeness, authenticity of evidence, and accuracy of conclusions before delivery to the client.

  7. Self-inspection mechanism
     Requirement: Regular internal audit system
     Details: Conducted at least annually. Covers project progress, report status, personnel behavior, device and site security, and safety management. Timely corrections and record-keeping are required.

  8. Change management
     Requirement: Audit change management mechanism
     Details: Communicate changes in advance, obtain client approval, evaluate the impact on objectives, quality, and systems, and implement any necessary corrective actions.

  9. Communication and emergency response
     Requirement: Communication and emergency response mechanism
     Details: Report PI security incidents promptly as required by the contract and national rules. Assist with resolution and maintain proper records.

  10. Code of conduct
     Requirement: Compliance audit code of conduct
     Details: The following behaviors are prohibited:
       1. Conflicts of interest
       2. Concealing issues or falsifying facts
       3. Operating beyond the agreed scope
       4. Failing to protect confidentiality
       5. Unauthorized use of audit data
       6. Forcing the use of specified products or services
       7. Unauthorized subcontracting
       8. Repeated audits by the same institution or team
       9. Other harmful conduct

Professional competencies 

There are a range of professional competencies that agencies must have in order to conduct PI protection compliance audits. Specific competency requirements include: 

  1. Knowledge of laws, regulations, and standards related to PI protection;
  2. Ability to identify the scope of PI processing activities;
  3. Ability to identify the type, level, scope, scale, form, and other aspects of PI;
  4. Ability to identify the purpose of PI processing activities, as well as the methods, systems, scope, and other parameters of PI collection, storage, use, processing, transmission, provision, disclosure, and deletion;
  5. Ability to identify the data processing relationship between PI processors and related parties, as well as the authorization, agreement, contract, and other agreed matters between PI processors and related parties;
  6. Ability to identify the adopted cybersecurity, data security, PI protection, and other measures, including but not limited to identity authentication, access control, authority management, data backup and recovery, data leakage prevention, encryption, de-identification, anonymization, and so on;
  7. Ability to detect PI processing activity, and use of detection tools to test the collection and use of PI by PI processors; and
  8. Understanding of the criteria for determining the content of PI protection compliance audits as specified in the Data Security Technology – Requirements for Personal Information Protection Compliance Audits, familiarity with the corresponding audit evidence and audit methods, and ability to develop a business guideline for PI protection compliance audits. 

Personnel requirements 

Audit agencies must also meet certain personnel requirements in order to conduct PI protection audits, including requirements for the number of auditors on staff and their experience levels.

Specifically, audit agencies must have the following personnel on staff who must have signed a labor contract with the agency: 

  • At least 15 PI protection compliance auditors, of which: 
    • At least two are at a senior level; and
    • At least five are at an intermediate level.
  • A dedicated PI protection compliance audit leader with the competency of a senior PI protection compliance auditor, who is fully responsible for the audit work of the institution.

The experience and competency requirements for the different seniority levels are summarized in the table below. 

Criteria for PI Protection Compliance Audit Personnel

Experience
  • Junior: at least 2 years in PI protection-related work
  • Intermediate: at least 3 years in PI protection-related work
  • Senior: at least 4 years in PI protection-related work

Legal and regulatory knowledge
  • Junior: understands key laws (e.g., the Data Security Law and the PIPL) and standards; familiar with basic concepts; can identify compliance risks under guidance
  • Intermediate: proficient in laws, regulations, and standards; can independently analyze common compliance risks
  • Senior: mastery of complex legal frameworks; can independently analyze complex scenarios and perform compliance gap analysis

Audit professional skills
  • Junior: assists in audits under guidance; supports tasks such as data collection and documentation; can identify basic risks
  • Intermediate: independently performs audits and completes tasks per the audit plan; has led or participated in at least 5 large-scale PI audit projects
  • Senior: designs and optimizes audit processes; leads full audit projects for large data processors (at least 10 million data subjects); provides strategic, actionable recommendations

Communication and coordination
  • Junior: basic team collaboration skills
  • Intermediate: communicates with business and technical teams; assists seniors in coordination
  • Senior: communicates across departments; handles objections and aligns with senior management

Leadership
  • Junior: not applicable
  • Intermediate: basic project management and task allocation
  • Senior: manages the audit team; guides junior and intermediate auditors; oversees audit execution

Reporting and documentation
  • Junior: assists in drafting basic documentation; records audit information accurately
  • Intermediate: drafts working papers and preliminary reports; manages documentation properly
  • Senior: authors high-quality final reports; reviews and approves audit results; ensures completeness and traceability

Background checks must be conducted on all compliance auditors, and the results of the checks must be retained long-term and available for review by relevant certification and accreditation institutions. 

Requirements for facilities and equipment

In addition to personnel requirements, audit agencies must meet certain criteria for facilities and equipment. 

For instance, audit agencies must have a fixed office space that complies with the relevant regulations of quality management and is equipped with necessary fire and theft prevention measures, access control, video surveillance, and other security measures. 

Meanwhile, the equipment, facilities, and tools used by the audit agencies to conduct compliance audits must meet various requirements, including but not limited to: 

  1. Have the necessary software and hardware equipment to meet the needs of technical training, testing, and simulation testing;
  2. Be equipped with compliance audit equipment and tools that meet the needs of PI protection compliance audits; and
  3. Have strengthened security protection and anti-tampering functions for audit processes and records. 

Moreover, before compliance audit equipment and tools are put into use, their security and availability must be verified and confirmed. During use, they must be regularly checked and kept up to date, so that the tools are properly licensed, their authorizations remain valid, and they remain in good working condition.

Considerations when choosing an audit agency 

When selecting an audit agency in China, foreign companies should prioritize agencies that demonstrate both regulatory compliance and strong operational integrity. It’s essential to verify that the agency is legally established in China, free from recent regulatory penalties, and maintains a stable team of qualified auditors. Given that audits may only be performed consecutively by the same agency up to three times, companies should also plan for periodic rotation to maintain audit independence.

Beyond basic eligibility, companies should look for agencies with a proven track record in PI protection and data compliance and assess whether the agency has sufficient technical infrastructure and internal management systems to support secure, high-quality audits. It is also advisable to confirm that the agency follows strict confidentiality practices and has protocols for handling incidents or disputes. Since the audit process will involve access to sensitive business and personal data, a thorough pre-engagement review—possibly including site visits or interviews—can help ensure that the agency’s practices align with your company’s internal compliance and security expectations. 

Just as importantly, companies should choose an agency with which they can communicate effectively. Since the audit process often requires collaboration, clarification of practices, and timely exchange of documents and information, strong communication and mutual understanding between the company and the audit team are critical to ensure the audit proceeds smoothly and avoids unnecessary delays or misunderstandings.

About Us

China Briefing is one of five regional Asia Briefing publications, supported by Dezan Shira & Associates. For a complimentary subscription to China Briefing’s content products, please click here.

Dezan Shira & Associates assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Haikou, Zhongshan, Shenzhen, and Hong Kong. We also have offices in Vietnam, Indonesia, Singapore, United States, Germany, Italy, India, and Dubai (UAE) and partner firms assisting foreign investors in The Philippines, Malaysia, Thailand, Bangladesh, and Australia. For assistance in China, please contact the firm at china@dezshira.com or visit our website at www.dezshira.com.