How to Comply with SOX and Statutory Audit in China: 2026 Guide
For US-listed companies with China subsidiaries or Foreign Private Issuers (FPIs) operating in China, the dual burden of Sarbanes-Oxley (SOX) compliance and China statutory audit creates a complex overlapping compliance landscape. According to the 2025 PCAOB inspection report, China-based entities of US-listed companies accounted for 22% of all material weakness findings, with internal control deficiencies over revenue recognition and intercompany transactions being the most frequently cited. This guide provides a practical framework for integrating SOX 404 compliance with China’s statutory audit requirements, reducing duplication of effort while satisfying both regulatory masters.
Understanding the Dual Compliance Landscape
SOX compliance (particularly Section 404 — management assessment of internal controls) and China’s statutory audit serve different regulatory purposes but share a common foundation: the need for reliable financial reporting and effective internal controls. The challenge for FIEs is that the two regimes have different scopes, different testing standards, and different timelines.
| Dimension | SOX 404 (US) | China Statutory Audit |
|---|---|---|
| Governing body | PCAOB (Public Company Accounting Oversight Board) | Ministry of Finance / CICPA |
| Scope | Internal controls over financial reporting (ICFR) — entity-level and process-level | Financial statement audit with risk assessment of internal controls |
| Reporting standard | AS 2201 (PCAOB auditing standard) | CAS 1101–1131 (China auditing standards) |
| Control framework | COSO 2013 (required or strongly recommended) | China Basic Standard for Enterprise Internal Control |
| Testing approach | Control-level testing — design effectiveness and operating effectiveness | Substantive testing with control reliance optional |
| Timeline | Fiscal year-end plus 60–90 days for management assessment; year-end plus 90–120 days for auditor attestation | Year-end plus 6 months statutory deadline; typically completed within 3–4 months |
SOX Compliance Requirements for China Subsidiaries
China subsidiaries of US-listed companies are typically included in the group-level SOX compliance programme. The parent company’s SOX scoping assessment determines which China entities are considered significant — based on revenue, asset, or income contribution — and therefore require entity-level SOX compliance procedures.
- Entity-level controls (ELCs): China subsidiaries must demonstrate effective entity-level controls across all five COSO components. Key ELC areas include: tone at the top (code of conduct, whistleblower hotline in Chinese), risk assessment procedures (regulatory change tracking, FX risk management), and monitoring activities (quarterly control self-assessments, internal audit function).
- Process-level controls (PLCs): For significant China entities, process-level controls must be documented and tested for each significant transaction cycle. The most commonly scoped cycles for China subsidiaries are: revenue (especially export and intercompany sales), procurement (third-party supplier management), payroll (statutory social insurance and housing fund compliance), treasury (multi-currency cash management, intercompany loans), and financial reporting (CAS-IFRS reconciliation, statutory filing compliance).
- IT general controls (ITGCs): SOX requires testing of IT general controls for all systems that support significant financial processes. For China subsidiaries, this includes: ERP system (access controls, change management, data backup), banking systems (payment approval workflows, user access management), and payroll systems (integration with social insurance platforms).
- Management review controls (MRCs): Management review controls over significant estimates and judgments are subject to SOX testing. For China entities, common MRC areas include: impairment assessments (fixed assets, goodwill, inventory), warranty provisions, tax provision calculations (including uncertain tax positions), and transfer pricing adjustments.
China Statutory Audit Requirements
The China statutory audit is a separate legal requirement that applies to all FIEs regardless of whether they are also subject to SOX compliance. The statutory audit is conducted under China Auditing Standards (CAS) and results in a statutory audit report submitted to SAMR and used for CIT filing.
- Engagement requirements: The statutory audit must be performed by a CPA firm registered with the CICPA and licensed to conduct audit work in China. The Big Four (PwC, Deloitte, EY, KPMG) all operate licensed China practices, but many FIEs use top-tier Chinese firms (Pan-China, Shinewing, Dahua, Ruihua) for cost efficiency.
- Scope of work: The statutory audit covers the balance sheet, income statement, cash flow statement, statement of changes in equity, and notes to the financial statements — all prepared under CAS. The auditor expresses an opinion on whether the financial statements present fairly, in all material respects, the financial position and performance of the FIE.
- Statutory audit report formats: Chinese audit reports follow a mandated format that includes: the audit opinion, basis for opinion, key audit matters (for listed entities and some larger FIEs), and the auditor’s responsibilities section. The report is issued in Chinese; an English translation is typically included for the parent company.
- Mandatory audit committee requirements: Since the 2021 revisions to the Securities Law, FIEs that are listed companies or subsidiaries of listed companies are effectively required to maintain an audit committee with independent oversight of the statutory audit process. The audit committee should: pre-approve the statutory audit engagement, review the audit plan, discuss significant findings with the auditor, and review the management letter.
Key Differences Between SOX and CAS Audit Standards
While SOX 404 and the China statutory audit share a common interest in financial reporting reliability, there are important differences that FIE compliance teams must navigate:
| Area | SOX 404 Approach | China Statutory Audit Approach | Practical Implication for FIEs |
|---|---|---|---|
| Control documentation | Extensive: narratives, flowcharts, risk-control matrices, test scripts | Auditor prepares working papers; FIE provides evidence only | FIE must maintain its own SOX documentation; statutory auditor may not review it |
| Control testing frequency | Annual testing of all key controls; roll-forward testing permitted in limited cases | Control reliance is optional; most statutory auditors use substantive approach | FIE may need dual work papers — SOX test scripts and statutory evidence packages |
| Deficiency classification | Three categories: control deficiency, significant deficiency, material weakness | No formal deficiency rating system; auditor reports material misstatements | SOX control deficiencies that are not material for statutory audit still require remediation for SOX purposes |
| Remediation deadline | Must remediate material weaknesses before year-end for clean SOX opinion | Post-year-end remediation acceptable for next year’s audit | SOX timeline drives earlier remediation than statutory audit would require |
| Auditor independence rules | PCAOB ethics rules — strict limitations on non-audit services | CICPA ethics rules — similar but with some differences in permitted services | FIE must ensure statutory auditor is also SOX-compliant for independence |
Practical Integration Strategy
The most efficient approach for FIEs subject to dual SOX and statutory audit requirements is to build a single integrated compliance programme rather than maintaining separate workstreams.
- Unified control framework: Adopt COSO 2013 as the common internal control framework. Map the China Basic Standard for Enterprise Internal Control components to the COSO framework (as demonstrated in the table above). This creates a single set of controls documentation that serves both SOX and statutory audit needs.
- Common risk assessment: Combine the SOX scoping assessment with the statutory audit risk assessment. Identify entity-level and process-level risks that are material under both regimes. For risks that are unique to one regime (e.g., SOX-specific ITGC risks, statutory-specific filing deadline risks), handle them as exceptions to the common assessment.
- Shared testing calendar: Align the SOX testing calendar with the statutory audit fieldwork schedule. Ideally, the SOX control testing is completed before the statutory audit fieldwork begins, so the statutory auditor can rely on the SOX testing results where the control approaches overlap.
- Coordinated auditor communication: For FIEs that use different firms for SOX (global auditor) and statutory audit (local practice), establish a structured communication protocol. The global SOX auditor should share relevant scoping assessment results, control testing results, and deficiency findings with the statutory auditor (with appropriate confidentiality safeguards). This reduces redundant documentation requests on the FIE finance team.
- Single management letter tracking: Maintain a single, combined management letter that tracks all control deficiencies and audit recommendations from both the SOX and statutory audit processes. This gives management a complete picture of remediation priorities and prevents any finding from falling through the cracks.
Documentation and Evidence Requirements
Dual compliance means dual documentation requirements. The following checklist covers the documentation that an FIE should maintain to satisfy both SOX and statutory audit requirements:
- Process narratives and flowcharts: Document each significant transaction cycle with a written narrative and corresponding flowchart. Include: transaction initiation, authorisation, execution, recording, and reconciliation steps. Identify control points, control owners, and control frequency.
- Risk-control matrices: For each significant process, prepare a risk-control matrix (RCM) that maps financial statement risks to specific control activities. Include: the control objective, control description, control type (preventive/detective), control frequency, and testing approach.
- Test scripts and results: For SOX-tested controls, maintain test scripts that document: the sample selection methodology, sample size, testing procedures, test results (pass/fail), and conclusions. Include evidence references that link to the actual documentation examined.
- Evidence packages: For each control test, maintain an evidence package containing the actual documents examined (invoices, contracts, approval forms, bank statements, reconciliation reports). The evidence should be indexed to the corresponding control in the RCM.
- Deficiency analysis: For each control deficiency identified, maintain: a description of the deficiency, root cause analysis, compensating controls assessment, financial impact quantification, remediation action plan, and remediation evidence.
Common Compliance Gaps and How to Close Them
The PCAOB’s 2025 inspection findings and China’s CICPA audit quality monitoring reports reveal recurring compliance gaps at China-based entities of US-listed companies:
| Gap | SOX Implication | Statutory Implication | Remediation Approach |
|---|---|---|---|
| Inadequate segregation of duties in China finance teams | Material weakness if in a key control area | Increased substantive testing; delayed audit clearance | Implement system-based SOD controls; add review-level approvals |
| Incomplete CAS-IFRS reconciliation documentation | Control deficiency in period-end close process | Adjusted or modified statutory audit opinion | Standardised reconciliation templates with mandatory sign-off |
| Seal/chop management weaknesses | Entity-level control deficiency | Fraud risk flagged in management letter | Electronic seal management system with usage audit trail |
| Transfer pricing documentation gaps | Significant deficiency in tax control process | Enhanced CIT audit risk; potential penalties | Annual TP documentation review with external TP advisor |
| Intercompany reconciliation delays | Control deficiency in period-end process | Qualified audit opinion on intercompany accounts | Monthly intercompany confirmation with 30-day reconciliation SLA |
By proactively addressing these common gaps — which the PCAOB and CICPA both identify as priority areas for 2026 inspections — US-listed companies with China subsidiaries can reduce their compliance risk exposure and achieve both a clean SOX opinion and an unqualified statutory audit report.
Where to Go From Here
Based on what you just read:
- Ready to act? Read a step-by-step guide to integrating SOX and statutory audit in China
- Still comparing? See a side-by-side comparison of dual-compliance audit firms
- Need numbers? Try an interactive calculator for your FIE dual-compliance readiness score
How to Comply with SOX and Statutory Audit in China: 2026 Guide — first published on China Gateway 360. Last updated: July 2026.
