Cyber risk and voluntary Service Organization Control (SOC) audits

Review of Accounting Studies, Forthcoming

57 Pages | Posted: 4 Jun 2020 | Last revised: 5 Aug 2022

Date Written: February 7, 2022

Abstract

Firms routinely manage their financial reporting systems on external cloud platforms that are susceptible to cyberattacks and data integrity issues. Therefore, the AICPA developed a special type of voluntary audit called a "Service Organization Control" audit (SOC audit) that evaluates this risk. This study conducts one of the first systematic analyses of the benefits and costs of these voluntary audits. Using hand-collected data from public firms, I find that (1) 29 percent of firms in the S&P 500 (representing $10.9 trillion in market value) receive these audits; (2) business-model exposure to technology predicts a firm's decision to receive these audits; (3) the scope of these audits includes internal controls over data integrity; and (4) these audits are one of the largest predictors of the variation in audit-related fees, amounting to a $900,000 average annual increase in these fees at the firm level (by comparison, tax preparation fees average about $1.3 million). SOC audits are thus an important and concrete example of the broader social and governance mandates of new stakeholder-focused reporting frameworks, such as the SASB's Conceptual Framework.

Keywords: audit; big data; cloud computing; CSR; ESG; internal control

JEL Classification: M40, M49, O33

Suggested Citation

Schoenfeld, Jordan, Cyber risk and voluntary Service Organization Control (SOC) audits (February 7, 2022). Review of Accounting Studies, Forthcoming, Available at SSRN: https://ssrn.com/abstract=3596065 or http://dx.doi.org/10.2139/ssrn.3596065

Jordan Schoenfeld (Contact Author)

University of Utah

1645 E. Campus Center
Salt Lake City, UT 84112
United States
