Cyber risk and voluntary Service Organization Control (SOC) Audits

Review of Accounting Studies, Forthcoming

57 Pages Posted: 4 Jun 2020 Last revised: 8 Feb 2022

See all articles by Jordan Schoenfeld

Jordan Schoenfeld

University of Utah; Dartmouth College - Tuck School of Business

Date Written: February 7, 2022


Firms routinely manage their financial reporting systems on external cloud platforms that are susceptible to cyberattacks and data integrity issues. Therefore, the American Institute of Certified Public Accountants developed a special type of voluntary audit called a "Service Organization Control" audit (SOC audit) that evaluates this risk. This study conducts one of the first systematic analyses of the benefits and costs of these voluntary audits. Using hand-collected data from public firms, I find that (1) 29 percent of firms in the S&P 500 (representing $10.9 trillion in market value) receive these audits; (2) business-model exposure to technology predicts a firm's decision to receive these audits; (3) the scope of these audits includes internal controls over data integrity; and (4) these audits are one of the largest predictors of the variation in audit-related fees, amounting to a $900,000 average annual increase in these fees at the firm level (by comparison, tax preparation fees average about $1.3 million). SOC audits are thus an important and concrete example of the broader social and governance mandates of new reporting frameworks, such as the SASB's Conceptual Framework.

Keywords: audit; big data; cloud computing; CSR; ESG; internal control

JEL Classification: M40, M49, O33

Suggested Citation

Schoenfeld, Jordan and Schoenfeld, Jordan, Cyber risk and voluntary Service Organization Control (SOC) Audits (February 7, 2022). Review of Accounting Studies, Forthcoming, Available at SSRN: or

Jordan Schoenfeld (Contact Author)

Dartmouth College - Tuck School of Business ( email )

Hanover, NH 03755
United States

University of Utah ( email )

1645 E. Campus Center
Salt Lake City, UT 84112
United States

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Abstract Views
PlumX Metrics