Auditors’ Response to Cybersecurity Risk: Human Capital Investment and Cross-Clients Influence

Project: Research


The digital economy has led to an ever-increasing stream of data. The World Economic Forum estimates that, by 2025, there will be 463 exabytes of data created each day. While the potential economic value of data is substantial, firms are also facing more and more challenges in cybersecurity. According to Cybercrime Magazine, worldwide cybercrime costs are expected to grow from US$3 trillion in 2015 to $10.5 trillion by 2025. Because firms’ Information Technology (IT) and data controls are integrated with their financial reporting controls, auditors also face the challenges brought by cybersecurity risk. Not only could a client firm’s data breach directly affect its financial data, but a firm’s cybersecurity deficiency could also imply weakness in its internal control system for financial reporting. As a result, regulators worldwide stress the necessity for auditors to seriously consider cybersecurity risk in executing their risk assessment, tests of controls, and other relevant audit procedures (Veen 2016). The auditing standard AS5 explicitly requires that “the identification of risks and controls within IT is not a separate evaluation. Instead, it is an integral part of the top-down approach” in an integrated audit. PCAOB board member Kathleen M. Hamm emphasizes the importance of the auditor evaluating the nature and extent of a cybersecurity breach and the potential impact on the client’s operations and financial statements. Hamm also contends that the auditor should consider whether the breach indicates a deficiency in the client’s internal controls over financial reporting (Hamm 2019). Given that auditors are generally professional accountants who are not specialized in cybersecurity, it would be more efficient for them to seek advice and cooperation from IT experts.
Regulatory institutions suggest using cybersecurity IT experts when auditors identify significant risks of material misstatements arising from cybersecurity problems (AAA 2015; AICPA 2018; ISCA 2018; CAQ 2020). Hence, it is timely and important to examine how auditors respond to client firms’ cybersecurity risks. Do auditors invest in cybersecurity personnel to increase their ability to meet cybersecurity challenges? Do auditors play a role in facilitating their clients’ cybersecurity preparation? We intend to provide the first evidence on these questions by utilizing cybersecurity breaches as an exogenous shock to auditors’ assessment of cybersecurity risks. We will examine whether auditors respond to cybersecurity risks by investing more in cybersecurity IT human capital, as well as by urging their non-breached clients to increase their cybersecurity IT hiring and cybersecurity disclosures.


Project number: 9043434
Grant type: GRF
Effective start/end date: 1/01/23 → …