Do Auditors Price Breach Risk in Their Audit Fees?

• In Event: AIS and Auditing

Abstract

Data security breaches have been increasing in frequency and cost. Firms struggling to mitigate breach risk rely on different governance mechanisms for support. While the influences of internal firm actors (i.e., top management and the board of directors) on breach risk are explored in recent accounting information systems’ (AIS) research, much less is known regarding external governance actors. Consequently, we examine whether auditors, as an external governance mechanism, price breach risk into their fees.

Using a sample of breached firms ranging from 2004-2015, we adapt Houston et al.’s (2005) audit risk model to explore how auditors view audit risk related to breach risk in the periods surrounding an announced breach. We find consistent results suggesting that auditors price breaches in their fees. The results are driven by external breaches, further suggesting a difference in risk identified by the auditors relating to internal versus external breaches. Supplemental analyses indicate that board-level risk committees reduce the breach risk audit fee premium; however, this fee reduction goes away after a reported breach. Aggregate findings add to the security breach, corporate governance, and audit fee literatures.

Authors

• Julia L Higgs, Florida Atlantic University - Boca

• Robert E Pinsker, Florida Atlantic University - Boca

• Thomas Joseph Smith, University of South Florida