Cyber-Security Incidents and Audit Quality

Pages 701-728 | Received 29 Jul 2017, Accepted 17 Nov 2020, Published online: 16 Dec 2020

ABSTRACT

As signals of internal control weaknesses, cyber-security incidents can represent significant risk factors to the quality of financial reporting. We empirically assess the audit quality implications of data breaches for a large sample of US firms. Using a difference-in-difference approach based on a matched sample of breached and non-breached firms, we find no evidence that cyber-security incidents result in a decline in audit quality. Instead, we observe positive shifts in four widely used proxies for audit quality. We document that breached firms (i) experience a decrease in abnormal accruals, (ii) are less likely to report small profits or small earnings increases, (iii) are more likely to be issued a going concern report, and (iv) are less likely to restate their financial statements in the two years following a breach. Our results indicate that auditors effectively offset increases in audit risk through additional substantive testing and audit effort. Our evidence supports the view that auditors have increased their audit risk awareness and put in place adequate procedures to deal with the consequences of cyber-security incidents.

Acknowledgements

The research work described in this paper was supported by the Irish Centre for Cloud Computing and Commerce, an Irish national Technology Centre funded by Enterprise Ireland and the Irish Industrial Development Authority, and by the Irish Institute of Digital Business. We thank Chris Hogan (Associate Editor), two anonymous reviewers, and the participants at the European Accounting Association Annual Meeting 2017 for their helpful comments and suggestions.

Supplemental Data and Research Materials

Supplemental data for this article can be accessed on the Taylor & Francis website https://doi.org/10.1080/09638180.2020.1856162

Appendix A. Variable Definitions

Appendix B. Regression Results: Audit Fee Model

Appendix C. Pearson Correlation Coefficients between Variables

Notes

1 This point may be particularly relevant for Big 4 auditors as they are assumed to possess a higher level of expertise (Haislip et al., 2016) and are associated with higher quality audits (DeAngelo, 1981).

2 Becker et al. (1998) point out that auditors are more concerned about income-increasing rather than income-decreasing accruals since auditors are more likely to be sued for allegedly allowing overstated earnings. Therefore, we also considered “signed” accruals as an additional analysis, and the results are consistent.

3 The control variables related to auditor characteristics were excluded from the model as they were outside the scope of our study.

4 This proxy for the effectiveness of internal control is consistent with the one used by Ettredge et al. (2006), Doyle et al. (2007a) and Blankley et al. (2012), which are also based on a two-year window. Blankley et al. (2012, p. 84) point out that a two-year approach is necessary as “there is a ‘sticky’ quality to internal controls so firms that received a material weakness in the future likely had weaker internal controls in the current year”. We also run all our regression models controlling for material weaknesses disclosed in the current year only to check the robustness of our results. Our conclusions were unaltered.

5 We also test our results using different thresholds, i.e., 2 percent for small profit (Frankel et al., 2002; Carey & Simnett, 2006), and between 1 and 2 percent for small earnings increases (Frankel et al., 2002; Ashbaugh et al., 2003; Carey & Simnett, 2006). Our results are robust to these alternative specifications.

6 A restatement is the alteration of previously audited financial statements due to errors, fraud or other causes (Stanley & DeZoort, 2007). As such, it represents a late manifestation of poor audit quality, as errors or misreporting in the financial statements were not detected during the initial audit.

7 We use the model suggested by Blankley et al. (2012) to estimate abnormal audit fees. In the model, the dependent variable is the natural logarithm of audit fees, and the results suggest that larger (LTA), riskier (CR, CA_TA, LOSS, LEV, INTANG, MATWEAK), and more complex (FOREIGN, SEG, MERGER) firms pay higher audit fees, while more profitable firms (ROA), and firms whose fiscal year ends on December 31st, pay lower audit fees. These results are consistent with Blankley et al. (2012) and with prior literature on audit fees, which suggests that audit fees depend on the auditee’s size, complexity, risk, financial condition and internal controls (Simunic, 1980; Craswell et al., 1995; Gul & Goodwin, 2010; Gietzmann & Pettinicchio, 2014; Han et al., 2016; Rosati et al., 2019b). The regression results are reported in Appendix B.

8 SBNLs require “notification (1) in a timely manner (2) if personally identifiable information has either been lost, or is likely to be acquired, by an unauthorised person, (3) and is reasonably considered to compromise an individual’s personal information” (Romanosky et al., 2011, p. 257). Since 2002, when the first SBNL was enacted in California, forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted their own SBNLs (NCSL, 2017).

9 This is a standard practice in quantitative accounting studies, as financial companies have different reporting requirements and the structure of their financial statements is difficult to compare with that of non-financial firms (Fama & French, 1992; Dechow et al., 2012). The reported financial statements for banks, for example, are somewhat different from those of most companies, as there are no accounts receivable or inventory to gauge whether sales are rising or falling (Francis & Wang, 2008). Also, as Gore et al. (2001, p. 15) pointed out, “the accrual generating process in financial firms is fundamentally different from that in industrial and commercial firms”.

10 Rosati et al. (2019b) adopt a more restrictive matching condition, i.e., a maximum distance of three percent in the estimated score between a breached firm and the corresponding matched firm. Even though such a restrictive condition ensures more similarity between matched firms, it also causes a significant reduction in sample size. In order to preserve the size of our sample, we opt for a Nearest-Neighbour approach. We also repeated our analyses using the more restrictive matching condition implemented in Rosati et al. (2019b), which reduced our breached sample to 248. Our main conclusions were unaltered.

11 A Pearson correlation coefficient higher than 0.6 denotes a strong correlation which might bias the estimation of the regression coefficients (see Gujarati, 2003, Ch. 10 for further discussion).

12 This is based on the marginal effect associated with the regression coefficient.

13 The topics in the Comment Letters were identified on the basis of a proprietary taxonomy implemented in Audit Analytics. We define IT-related Comment Letters as those letters covering the topic ‘Data Protection and Security Breach’ as classified by Audit Analytics (Rosati et al., 2019b).

14 Cassell et al. (2013) adopt a logistic regression to test their hypothesis. As an additional test, we performed the same analysis using a logistic regression, and the results are consistent.

15 Our approach is similar to the one adopted by Cassell et al. (2013), who measure the variables that represent specific events or changes over a three-year window. This is justified by the fact that the SEC is required to review the 10-K filing of each registrant at least once every three years (see Section 408, paragraph (c) of the Sarbanes-Oxley Act). The SEC then issues a Comment Letter when a filing is found to be materially deficient or when further clarifications are needed. While Cassell et al. (2013) focus on the extent of the comments received and the cost associated with Comment Letters, and therefore consider the events that occurred in the previous three years which may have put the firm under the SEC spotlight, we consider a cyber-security incident as one of those events because it may signal potential internal control weaknesses and therefore attract higher regulatory scrutiny. In other words, a cyber-security incident in year t may trigger a Comment Letter in year t+1 or t+2.

16 We limit the number of years pre- and post-incident because the longer the time period, the higher the likelihood of a firm experiencing another breach.

17 One from Ernst & Young, KPMG and PricewaterhouseCoopers, and two from Deloitte.

18 The Securities and Exchange Commission (SEC) issued guidelines on the disclosure of cyber-risk in 2011 (SEC, 2011). However, specific regulatory requirements for cyber-security risk disclosure were only enacted on 26 February 2018 (SEC, 2018).
