Cyber risk and voluntary Service Organization Control (SOC) Audits
Review of Accounting Studies, Forthcoming
57 Pages Posted: 4 Jun 2020 Last revised: 8 Feb 2022
Date Written: February 7, 2022
Abstract
Firms routinely manage their financial reporting systems on external cloud platforms that are susceptible to cyberattacks and data integrity issues. Therefore, the American Institute of Certified Public Accountants developed a special type of voluntary audit called a "Service Organization Control" audit (SOC audit) that evaluates this risk. This study conducts one of the first systematic analyses of the benefits and costs of these voluntary audits. Using hand-collected data from public firms, I find that (1) 29 percent of firms in the S&P 500 (representing $10.9 trillion in market value) receive these audits; (2) business-model exposure to technology predicts a firm's decision to receive these audits; (3) the scope of these audits includes internal controls over data integrity; and (4) these audits are one of the largest predictors of the variation in audit-related fees, amounting to a $900,000 average annual increase in these fees at the firm level (by comparison, tax preparation fees average about $1.3 million). SOC audits are thus an important and concrete example of the broader social and governance mandates of new reporting frameworks, such as the SASB's Conceptual Framework.
Keywords: audit; big data; cloud computing; CSR; ESG; internal control
JEL Classification: M40, M49, O33
Suggested Citation: Suggested Citation