Data breaches have reached unprecedented levels and a mounting chorus is calling for new regulation to curb this phenomenon. The list of companies that have suffered data breaches includes many of the world’s largest players: companies like Yahoo, Sony, Equifax and JP Morgan. Given the amount of consumer, proprietary and employee data currently stored online, cyber-security breaches represent one of the biggest risks that multinational corporations now face. Identifying patterns in the companies affected by the largest breaches would go a long way toward understanding the underlying determinants of these breaches and mitigating this particular threat.
With this in mind, I undertook a study with several colleagues to investigate whether there is an association between a firm’s audit quality and cyber-security breaches. Specifically, we sought to find out if there is any connection between data breaches and audit quality.
Although audit standards do not explicitly require an evaluation of information security risk as part of the audit, auditors are required to evaluate a client’s overall business risk (i.e. the risk associated with the client’s survivability and profitability). In the era of “Cybergeddon,” business risk would presumably include cyber-security breaches, which could easily bring a large firm to its knees. While some may argue this is more of an IT concern, audit standards do encourage auditors to use IT specialists when the client’s business has complex systems and IT controls; the client replaces or makes significant changes to its IT systems; the client shares data extensively between systems; the client participates in electronic commerce; the client uses emerging technology; or significant audit evidence is only available electronically.
Since these conditions apply to most firms today, the quality of the auditor/audit process becomes a logical place to start the investigation. Higher quality auditors are better at detecting hidden risks, not only because they have stronger incentives to uncover these risks—including a desire to preserve their reputation or to lower their liabilities—but also because they have greater capabilities and resources such as personnel, training, and experience. Considering these arguments, it is reasonable to investigate the association between audit quality and data breaches.
Although the results of our study are preliminary, they indicate a strong connection between audit quality and data breaches. As expected, we found that data breach firms are likely to be younger, high growth firms with significantly higher innovation risk. However, they are also more likely to have longer tenure auditors, who spend less time and effort developing the audit report, and who are paid more for non-audit services than audit services.
These results could potentially have serious ramifications for the cyber-security regulation that is most likely imminent, for audit professionals and for related academic literature. To date, academic literature on the subject has provided conflicting evidence about whether audit tenure, audit report lags, and the magnitude of audit vs. non-audit fees are good indicators of audit quality. Our results suggest that, at least in this unique setting, longer auditor tenure, shorter audit report lags, lower audit fees and higher non-audit fees are indicative of lower audit quality. While cyber-security risk is not yet an explicit risk factor that auditors look for, we document that higher audit quality is associated with less cyber-security risk. This in turn implies that multinationals could attenuate cyber-security risks by actively pursuing higher quality audits.
Anthony Holder is an Associate Professor in the School of Accountancy at the University of Denver’s Daniels College of Business. He received a PhD from the University of Cincinnati, his MACC from Wright State University and a BA from Park University.