Cyber risk and voluntary Service Organization Control (SOC) audits

Review of Accounting Studies, Forthcoming

57 Pages. Posted: 4 Jun 2020. Last revised: 5 Aug 2022

Date Written: February 7, 2022


Firms routinely manage their financial reporting systems on external cloud platforms that are susceptible to cyberattacks and data integrity issues. Therefore, the AICPA developed a special type of voluntary audit called a "Service Organization Control" audit (SOC audit) that evaluates this risk. This study conducts one of the first systematic analyses of the benefits and costs of these voluntary audits. Using hand-collected data from public firms, I find that (1) 29 percent of firms in the S&P 500 (representing $10.9 trillion in market value) receive these audits; (2) business-model exposure to technology predicts a firm's decision to receive these audits; (3) the scope of these audits includes internal controls over data integrity; and (4) these audits are one of the largest predictors of the variation in audit-related fees, amounting to a $900,000 average annual increase in these fees at the firm level (by comparison, tax preparation fees average about $1.3 million). SOC audits are thus an important and concrete example of the broader social and governance mandates of new stakeholder-focused reporting frameworks, such as the SASB's Conceptual Framework.

Keywords: audit; big data; cloud computing; CSR; ESG; internal control

JEL Classification: M40, M49, O33

Suggested Citation

Schoenfeld, Jordan, Cyber risk and voluntary Service Organization Control (SOC) audits (February 7, 2022). Review of Accounting Studies, Forthcoming, Available at SSRN: or

Jordan Schoenfeld (Contact Author)

Ohio State University (OSU)

Blankenship Hall-2010
901 Woody Hayes Drive
Columbus, OH 43210
United States
