Cyber risk and voluntary Service Organization Control (SOC) Audits

57 Pages. Posted: 4 Jun 2020. Last revised: 16 Nov 2021.

Jordan Schoenfeld

University of Utah; Dartmouth College - Tuck School of Business

Date Written: November 15, 2021

Abstract

Firms routinely manage their financial reporting systems on external cloud platforms that are susceptible to cyberattacks and data integrity issues. Therefore, the American Institute of Certified Public Accountants developed a special type of voluntary audit called a "Service Organization Control" audit (SOC audit) that evaluates this risk. This study conducts one of the first systematic analyses of the benefits and costs of these voluntary audits. Using hand-collected data from public firms, I find that (1) 29 percent of firms in the S&P 500 (representing $10.9 trillion in market value) receive these audits; (2) business-model exposure to technology predicts a firm's decision to receive these audits; (3) the scope of these audits includes internal controls over data integrity; and (4) these audits are one of the largest predictors of the variation in audit-related fees, amounting to a $900,000 average annual increase in these fees at the firm level (by comparison, tax preparation fees average about $1.3 million). SOC audits are thus an important and concrete example of the broader social and governance mandates of new reporting frameworks, such as the ISSB's Value Reporting Framework and FASB's ESG framework.

Keywords: audit; big data; cloud computing; CSR; ESG; internal control

JEL Classification: M40, M49, O33

Suggested Citation

Schoenfeld, Jordan, Cyber risk and voluntary Service Organization Control (SOC) Audits (November 15, 2021). Tuck School of Business Working Paper No. 3596065, Available at SSRN: https://ssrn.com/abstract=3596065 or http://dx.doi.org/10.2139/ssrn.3596065

Jordan Schoenfeld (Contact Author)

Dartmouth College - Tuck School of Business

Hanover, NH 03755
United States

University of Utah

1645 E. Campus Center
Salt Lake City, UT 84112
United States
