Are external auditors concerned about cyber incidents? Evidence from audit fees

TY - JOUR

T1 - Are external auditors concerned about cyber incidents? Evidence from audit fees

AU - Li, He

AU - No, Won Gyun

AU - Efrim Boritz, J.

N1 - Funding Information: The authors thank the University of Waterloo Centre for Information Integrity and Information Systems Assurance, the China Scholarship Council, and the School of Accounting at Southwestern University of Finance and Economics (SWUFE) for supporting this project. In addition, the authors are grateful to the editor, two anonymous reviewers, seminar participants at SWUFE, and participants at the 2017 American Accounting Association Midyear Meetings of the Auditing and the AIS/SET sections and the 2017 International Symposium on Accounting Information Systems for constructive suggestions that improved the paper. Publisher Copyright: © 2020, American Accounting Association. All rights reserved.

PY - 2020/2

Y1 - 2020/2

N2 - While the importance of addressing cybersecurity is widely acknowledged, there is no explicit requirement by regulators or standard setters for auditors to do so. This paper investigates (1) whether external auditors respond to cyber incidents by charging higher audit fees, (2) whether they anticipate and price material cybersecurity risk before cyber incidents occur, and (3) whether increases in audit fees for firms experiencing a cyber incident in the current period are associated with subsequent cyber incidents. We find that only cyber incidents are associated with increases in audit fees and that the association is driven by more severe incidents. We also find that increases in audit fees are smaller for firms with prior cybersecurity risk disclosure after 2011 when the SEC issued cybersecurity disclosure guidance. Finally, larger increases in audit fees for firms experiencing cyber incidents in the current period are associated with a lower likelihood of subsequent cyber incidents.

AB - While the importance of addressing cybersecurity is widely acknowledged, there is no explicit requirement by regulators or standard setters for auditors to do so. This paper investigates (1) whether external auditors respond to cyber incidents by charging higher audit fees, (2) whether they anticipate and price material cybersecurity risk before cyber incidents occur, and (3) whether increases in audit fees for firms experiencing a cyber incident in the current period are associated with subsequent cyber incidents. We find that only cyber incidents are associated with increases in audit fees and that the association is driven by more severe incidents. We also find that increases in audit fees are smaller for firms with prior cybersecurity risk disclosure after 2011 when the SEC issued cybersecurity disclosure guidance. Finally, larger increases in audit fees for firms experiencing cyber incidents in the current period are associated with a lower likelihood of subsequent cyber incidents.

KW - Audit fees

KW - Cyber incident

KW - Cybersecurity

KW - Cybersecurity risk disclosure

KW - Hacking

UR - http://www.scopus.com/inward/record.url?scp=85082119381&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85082119381&partnerID=8YFLogxK

U2 - https://doi.org/10.2308/ajpt-52593

DO - https://doi.org/10.2308/ajpt-52593

M3 - Article

SN - 0278-0380

VL - 39

SP - 151

EP - 171

JO - Auditing

JF - Auditing

IS - 1

ER -