Audit Firm Assessments of Cyber-Security Risk: Evidence from Audit Fees and SEC Comment Letters

Pierangelo Rosati; Fabian Gogolin; Theo Lynn

doi:10.1142/S1094406019500136

Audit Firm Assessments of Cyber-Security Risk: Evidence from Audit Fees and SEC Comment Letters

Pierangelo Rosati
, Fabian Gogolin
, Theo Lynn

Research output: Contribution to a Journal (Peer & Non Peer) › Article › peer-review

36 Citations (Scopus)

Abstract

This study investigates the impact of cyber-security incidents on audit fees. Using a sample of 5,687 firms, we find that (i) breached firms are charged 12% higher audit fees, and (ii) firms operating in the same industry of a breached firm are charged 5% higher fees. Finally, using a difference-in-difference regression on a propensity score matched sample, we provide evidence suggesting that auditors do not revise their audit risk assessment following a breach. Overall, these results suggest that the increase in audit fees in the year of a breach is only temporary, and that auditors include cyber-security risk in their audit risk assessment even before an incident occurs. Higher cyber-security risk is ultimately reflected in higher audit fees paid by auditees.

Original language	English
Article number	1950013
Journal	International Journal of Accounting
Volume	54
Issue number	3
DOIs	https://doi.org/10.1142/S1094406019500136
Publication status	Published - 1 Sep 2019
Externally published	Yes

Keywords

Audit risk
SEC comment letters
audit fees
cyber security

Access to Document

10.1142/S1094406019500136

Cite this

@article{6c4fd360d02545a0970b6da4f825195d,

title = "Audit Firm Assessments of Cyber-Security Risk: Evidence from Audit Fees and SEC Comment Letters",

abstract = "This study investigates the impact of cyber-security incidents on audit fees. Using a sample of 5,687 firms, we find that (i) breached firms are charged 12\% higher audit fees, and (ii) firms operating in the same industry of a breached firm are charged 5\% higher fees. Finally, using a difference-in-difference regression on a propensity score matched sample, we provide evidence suggesting that auditors do not revise their audit risk assessment following a breach. Overall, these results suggest that the increase in audit fees in the year of a breach is only temporary, and that auditors include cyber-security risk in their audit risk assessment even before an incident occurs. Higher cyber-security risk is ultimately reflected in higher audit fees paid by auditees.",

keywords = "Audit risk, SEC comment letters, audit fees, cyber security",

author = "Pierangelo Rosati and Fabian Gogolin and Theo Lynn",

note = "Publisher Copyright: {\textcopyright} 2019 Board of Trustees, Vernon K. Zimmerman Center, University of Illinois.",

year = "2019",

month = sep,

day = "1",

doi = "10.1142/S1094406019500136",

language = "English",

volume = "54",

journal = "International Journal of Accounting",

issn = "1094-4060",

publisher = "World Scientific Publishing Co. Pte Ltd",

number = "3",

}

TY - JOUR

T1 - Audit Firm Assessments of Cyber-Security Risk

T2 - Evidence from Audit Fees and SEC Comment Letters

AU - Rosati, Pierangelo

AU - Gogolin, Fabian

AU - Lynn, Theo

PY - 2019/9/1

Y1 - 2019/9/1

N2 - This study investigates the impact of cyber-security incidents on audit fees. Using a sample of 5,687 firms, we find that (i) breached firms are charged 12% higher audit fees, and (ii) firms operating in the same industry of a breached firm are charged 5% higher fees. Finally, using a difference-in-difference regression on a propensity score matched sample, we provide evidence suggesting that auditors do not revise their audit risk assessment following a breach. Overall, these results suggest that the increase in audit fees in the year of a breach is only temporary, and that auditors include cyber-security risk in their audit risk assessment even before an incident occurs. Higher cyber-security risk is ultimately reflected in higher audit fees paid by auditees.

AB - This study investigates the impact of cyber-security incidents on audit fees. Using a sample of 5,687 firms, we find that (i) breached firms are charged 12% higher audit fees, and (ii) firms operating in the same industry of a breached firm are charged 5% higher fees. Finally, using a difference-in-difference regression on a propensity score matched sample, we provide evidence suggesting that auditors do not revise their audit risk assessment following a breach. Overall, these results suggest that the increase in audit fees in the year of a breach is only temporary, and that auditors include cyber-security risk in their audit risk assessment even before an incident occurs. Higher cyber-security risk is ultimately reflected in higher audit fees paid by auditees.

KW - Audit risk

KW - SEC comment letters

KW - audit fees

KW - cyber security

UR - https://www.scopus.com/pages/publications/85072630650

U2 - 10.1142/S1094406019500136

DO - 10.1142/S1094406019500136

M3 - Article

SN - 1094-4060

VL - 54

JO - International Journal of Accounting

JF - International Journal of Accounting

IS - 3

M1 - 1950013

ER -

Audit Firm Assessments of Cyber-Security Risk: Evidence from Audit Fees and SEC Comment Letters

Abstract

Keywords

Access to Document

Other files and links

Fingerprint

Cite this