Are External Auditors Concerned about Cyber Incidents? Evidence from Audit Fees

• In Event: Auditor Assessment of Risk & Professional Skepticism

Abstract

Firms and regulators alike have recognized the importance of addressing cyber risks and cyber incidents. In this paper, we investigate whether external auditors respond to cyber incidents by charging higher audit fees when there is no explicit requirement from the regulators regarding cybersecurity. Using hacking data from 2010 to 2015, we find that external auditors increase audit fees in the year that their client firms experience a security breach. Our results hold after a set of robustness tests including propensity score matching, change model, difference in difference, and different model specifications. In addition, we find some supporting evidence that external auditors differentiate cyber risks across industries. Collectively, findings in this paper suggest that external auditors are concerned about cyber risks and the implications of cyber incidents despite there being no specific mandatory requirements for them to address these risks, potentially alleviating regulators’ concerns about whether these risks are being addressed.

Authors

• He Li, Rutgers Business School

• Won Gyun No, Rutgers, The State University of New Jersey

• Jefim Boritz, University of Waterloo