Cyber risk and voluntary Service Organization Control (SOC) audits

Output type:
Article
Author:
Schoenfeld, Jordan
Affiliation:
Utah System of Higher Education; University of Utah
Journal:
REVIEW OF ACCOUNTING STUDIES
ISSN/ISBN:
1380-6653
DOI:
10.1007/s11142-022-09713-0
Publication date:
2024
Pages:
580-620
Keywords:
internal control weaknesses HEDGE FUND ACTIVISM Sarbanes-Oxley Act nonaudit services SHAREHOLDER ACTIVISM corporate governance fees QUALITY demand FIRMS
Abstract:
Firms routinely manage their financial reporting systems on external cloud platforms that are susceptible to cyberattacks and data integrity issues. Therefore, the AICPA developed a special type of voluntary audit called a Service Organization Control audit (SOC audit) that evaluates this risk. This study conducts one of the first systematic analyses of the benefits and costs of these voluntary audits. Using hand-collected data from public firms, I find that (1) 29% of firms in the S&P 500 (representing $10.9 trillion in market value) receive these audits; (2) business-model exposure to technology predicts a firm's decision to receive these audits; (3) the scope of these audits includes internal controls over data integrity; and (4) these audits are one of the largest predictors of the variation in audit-related fees, amounting to a $900,000 average annual increase in these fees at the firm level (by comparison, tax preparation fees average about $1.3 million). SOC audits are thus an important and concrete example of the broader social and governance mandates of new stakeholder-focused reporting frameworks, such as the SASB's Conceptual Framework.