Cyber risk and voluntary Service Organization Control (SOC) audits

Abstract

Firms routinely manage their financial reporting systems on external cloud platforms that are susceptible to cyberattacks and data integrity issues. Therefore, the AICPA developed a special type of voluntary audit called a “Service Organization Control” audit (SOC audit) that evaluates this risk. This study conducts one of the first systematic analyses of the benefits and costs of these voluntary audits. Using hand-collected data from public firms, I find that (1) 29% of firms in the S&P 500 (representing $10.9 trillion in market value) receive these audits; (2) business-model exposure to technology predicts a firm’s decision to receive these audits; (3) the scope of these audits includes internal controls over data integrity; and (4) these audits are one of the largest predictors of the variation in audit-related fees, amounting to a $900,000 average annual increase in these fees at the firm level (by comparison, tax preparation fees average about $1.3 million). SOC audits are thus an important and concrete example of the broader social and governance mandates of new stakeholder-focused reporting frameworks, such as the SASB’s Conceptual Framework.

Fig. 1
Fig. 2

Notes

  1. https://www.cbsnews.com/news/60-minutes-jerome-powell-federal-reserve-economy-update-2021-04-11/

  2. One survey finds that 98% of large firms have contracts with technology service companies (Dell, 2020). Accounting information systems, loan servicing, payroll, tax processing, and data center storage are examples of business functions that firms outsource to such companies (e.g., Deloitte 2013; Hardy 2016).

  3. Section 2 elaborates on the AICPA’s SOC audit framework, and Section 3 discusses the data-collection process. Note that SOC audit reports are separate from financial statement audit opinions.

  4. AWS stores and processes data for many businesses through its pay-as-you-go cloud platform. Amazon’s 2018 10-K notes that AWS generated about $26 billion in revenue and $7 billion in operating income, representing about half of Amazon’s total operating income for that year.

  5. A few firms with very large SOC audit fees even discuss these fees in their proxy statement. For example, Google’s parent company Alphabet noted that it paid $6.2 million for SOC audits in 2018. Note that audit-related fees include SOC audit fees and are distinct from any tax and technology consulting fees paid to an audit firm, which are included in other line items on the proxy statement (e.g., De Simone et al. 2015). Section 4.2 provides more detail on this point.

  6. For more detail on these programs, see https://www2.deloitte.com/us/en/pages/technology/solutions/cloud-computing-training.html and https://www.ey.com/en_gl/news/2020/06/ey-announces-first-ever-virtual-corporate-mba-free-to-all-ey-people.

  7. Note that even if shareholders are not the primary end users of SOC audits, these audits may still add value to the firm. This is a consideration for future valuation research.

  8. Other studies on non-financial audits include Duflo et al. (2013, 2018), who examine corporate environmental audits in India.

  9. See https://www.sec.gov/ocie/announcement/risk-alert-network-storage and https://us-cert.cisa.gov/ncas/current-activity/2020/01/24/nsa-releases-guidance-mitigating-cloud-vulnerabilities.

  10. Before 2011, audit firms often used Statement on Auditing Standards No. 70 (SAS 70), Service Organizations, as a framework for their internal control audits of a client’s customer-relevant systems. However, SAS 70 was not intended for that purpose (like SOC audit reports, SAS 70 audit reports were not systematically made public). Thus, due to the absence of a better standard, audit firms were improperly using SAS 70, and companies used phrases such as “SAS 70 certified” to indicate that their customer-relevant controls were audited (AICPA, 2011). This led the AICPA to create the SOC framework.

  11. DeFond and Zhang (2014, p. 294) and Efendi et al. (2006) make a strong case for providing such evidence, given that we have limited research on auditors’ expertise and competencies in areas beyond financial statement audits. There is also no path to examine why public firms do or do not receive financial statement audits, because legislation explicitly mandates financial statement audits and eliminates variation in their adoption (e.g., Gerakos and Syverson 2015, 2017). This is not the case for SOC audits.

  12. Measuring the dollar value of SOC audits using stock market reactions is currently not possible given the non-public nature of these audits and other constraints.

  13. Given the confidential data often used in this literature (e.g., Bell et al. 2015) and the nature of my sample, it is beyond the scope of this study to explicitly test whether my findings significantly alter the inferences from prior studies.

  14. Prior studies use the terms audit, assurance, and attestation to mean a broad spectrum of client engagements. For consistency, I refer to SOC engagements as SOC audits.

  15. With the vast majority of firms in my sample not listing their SOC audit status online, a systematic analysis of a firm’s SOC audit disclosure strategy is beyond the goals of this study. This question is a potential path for subsequent research on SOC audits.

  16. Additional details about the sample were obtained through follow-ups with the firms receiving SOC audits. Subsample approaches are also used by researchers in other settings, including venture capital investment (e.g., Kaplan & Strömberg 2003, 2004), debt contracts (e.g., Roberts 2015; Roberts & Sufi 2009; Smith & Warner 1979), shareholder contracts (e.g., Nagar & Schoenfeld 2021; Schoenfeld 2020), and supplier contracts (e.g., Costello 2013; Joskow 1987). See footnote 26 for the applicability of my findings to firms outside the S&P 500 index. For additional detail on the index, see http://us.spindices.com/indices/equity/sp-500.

  17. I nonetheless recompute this measure using only the business description section of the 10-K and find similar results in the subsequent analyses in terms of sign and statistical significance (the two measures are correlated at +0.85).

  18. By comparison, for financial statement audits at public firms, explicitly modeling the benefits and costs of these audits is more difficult because there is no variation. As a result, most studies on financial statement audits take audit adoption as given (e.g., Gerakos & Syverson 2015).

  19. The standard errors are robust to heteroscedasticity. I also find similar results when I cluster standard errors by the three-digit GICS industries. I tabulate the heteroscedasticity-robust standard errors due to the small number of GICS industries.

  20. Note that it is not appropriate to insert all the industry-fixed effects at the same time because this would only measure the industry effects relative to the one excluded industry. In any event, the inferences are unchanged when I include all the industry-fixed effects in a single regression that suppresses the intercept and drops all the other firm-level variables.

  21. Although case studies are relatively uncommon in audit research, they are common in other economics literatures, including the property rights literature (e.g., see the case studies in Alchian & Demsetz 1972 and Coase 1960) and the blockholder literature (e.g., see the case studies in Brav et al. 2008, 2015; Carleton et al. 1998; Holderness & Sheehan 1985; Klein & Zur 2009; and Smith 1996).

  22. I omit an indicator variable for going concern audit opinions because no firms in the sample receive these opinions. I also do not include the indicator variable for firms that are data exposed, as this would necessitate a structural path model (given that business-model data exposure is likely a correlated channel for the demand for SOC audits, e.g., Greene 2002, p. 397).

  23. The ability to disaggregate these fees is a relatively recent innovation driven by new regulatory mandates and third-party datasets. In contrast, prior studies often aggregate all non-financial audit fees, making it difficult to disentangle the different services provided by audit firms (e.g., Frankel et al. 2002; Kinney & Libby 2002; Whisenant et al. 2003).

  24. I also tested whether audit-related fees are systematically lower for firms that have the same audit firm perform their financial statement audit and SOC audit by including an interaction term for this effect, but I did not find a significant difference across firms. This could be due to low power, since only a few companies have different audit firms perform their financial statement audit and SOC audit.

  25. Ge et al. (2017, Section 4) estimate this value by multiplying the difference in the percentage growth in audit fees from 2003 to 2014 for SOX 404-exempt versus non-exempt firms by the mean audit fee for SOX 404-exempt firms and then multiplying that value by 5,302, which represents the SOX 404-exempt firm-years in their 2007 to 2014 sample. One caveat is that these cost estimates are computed for firms that are smaller than the S&P 500 firms in my sample.

  26. Recall that as of mid-2019, the S&P 500 index accounts for about 82% of total market capitalization. It is an open question as to whether firms outside the S&P 500 adopt SOC audits at a similar rate. Preliminary evidence suggests they do: based on a random sample of 50 firms in the GICS information technology industry in the Russell 2000, which comprises the 2,000 smallest public firms, about 65% of these firms receive SOC audits. This comports well with the current sample of information technology firms, of which about 62% receive SOC audits. Also, the industry-fixed effects represent the 11 GICS industries. I cannot include GICS subindustry-fixed effects due to subindustries with only one firm.

References

  • Acemoglu, D., Makhdoumi, A., Malekian, A., & Ozdaglar, A. (2022). Too much data: Prices and inefficiencies in data markets. American Economic Journal: Microeconomics, Forthcoming.

  • AICPA. (2011). New SOC reports for service organizations replace SAS 70 reports (https://www.aicpastore.com/Content/media/PRODUCER_CONTENT/Newsletters/Articles_2011/CPA/Feb/SOCReplaceSAS70Reports.jsp).

  • AICPA. (2017). Trust services criteria issued by the AICPA assurance services executive committee (https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/trust-services-criteria.pdf).

  • AICPA. (2018). SOC for service organizations: information for service organizations (https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/serviceorganization-smanagement.html).

  • Alchian, A., & Demsetz, H. (1972). Production, information costs, and economic organization. American Economic Review, 62, 777–795.

  • Allee, K., & Yohn, T. (2009). The demand for financial statements in an unregulated environment: An examination of the production and use of financial statements by privately held small businesses. The Accounting Review, 84, 1–25.

  • Altamuro, J., & Beatty, A. (2010). How does internal control regulation affect financial reporting? Journal of Accounting and Economics, 49, 58–74.

  • Aobdia, D. (2015). Proprietary information spillovers and supplier choice: Evidence from auditors. Review of Accounting Studies, 20, 1504–1539.

  • Ashbaugh, H., LaFond, R., & Mayhew, B. W. (2003). Do nonaudit services compromise auditor independence? Further evidence. The Accounting Review, 78, 611–639.

  • Ashbaugh-Skaife, H., Collins, D. W., & Kinney, W. R. (2007). The discovery and reporting of internal control deficiencies prior to SOX-mandated audits. Journal of Accounting and Economics, 44, 166–192.

  • Badertscher, B., Jorgensen, B., Katz, S., & Kinney, W. (2014). Public equity and audit pricing in the United States. Journal of Accounting Research, 52, 303–339.

  • Ball, R., Jayaraman, S., & Shivakumar, L. (2012). Audited financial reporting and voluntary disclosure as complements: A test of the Confirmation Hypothesis. Journal of Accounting and Economics, 53, 136–166.

  • Bauer, A. M. (2016). Tax avoidance and the implications of weak internal controls. Contemporary Accounting Research, 33, 449–486.

  • Bauer, T. D., Estep, C., & Malsch, B. (2019). One team or two? Investigating relationship quality between auditors and IT specialists: Implications for audit team identity and the audit process. Contemporary Accounting Research, 36, 2142–2177.

  • Bell, T., Causholli, M., & Knechel, W. R. (2015). Audit firm tenure, non-audit services, and internal assessments of audit quality. Journal of Accounting Research, 53, 461–509.

  • Bell, T. B., Landsman, W. R., & Shackelford, D. A. (2001). Auditors’ perceived business risk and audit fees: Analysis and evidence. Journal of Accounting Research, 39, 35–43.

  • Bloomfield, R., Nelson, M., & Soltes, E. (2016). Gathering data for archival, field, survey, and experimental accounting research. Journal of Accounting Research, 54, 341–395.

  • BP. (2014). Drones provide BP with eyes in the skies (https://www.bp.com/en/global/corporate/news-and-insights/bp-magazine/drones-provide-bp-eyes-in-the-skies.html).

  • Brav, A., Jiang, W., Partnoy, F., & Thomas, R. (2008). Hedge fund activism, corporate governance, and firm performance. Journal of Finance, 63, 1729–1775.

  • Brav, A., Jiang, W., & Kim, H. (2015). The real effects of hedge fund activism: Productivity, asset allocation, and labor outcomes. Review of Financial Studies, 28, 2723–2769.

  • Carleton, W. T., Nelson, J. M., & Weisbach, M. S. (1998). The influence of institutions on corporate governance through private negotiations: Evidence from TIAA-CREF. Journal of Finance, 53, 1335–1362.

  • Carnes, R. R., Christensen, D. M., & Lamoreaux, P. T. (2019). Investor demand for internal control audits of large U.S. companies: Evidence from a regulatory exemption for M&A transactions. The Accounting Review, 94, 71–99.

  • Cheng, M., Dhaliwal, D., & Zhang, Y. (2013). Does investment efficiency improve after the disclosure of material weaknesses in internal control over financial reporting? Journal of Accounting and Economics, 56, 1–18.

  • Chow, C. W. (1982). The demand for external auditing: Size, debt and ownership influences. The Accounting Review, 57, 272–291.

  • Christensen, H. B., Hail, L., & Leuz, C. (2021). Mandatory CSR and sustainability reporting: Economic analysis and literature review. Review of Accounting Studies, 26, 1176–1248.

  • Coase, R. H. (1960). The problem of social cost. Journal of Law & Economics, 3, 1–44.

  • Coates, J. C., & Srinivasan, S. (2014). SOX After ten years: A multidisciplinary review. Accounting Horizons, 28, 627–671.

  • Costello, A. (2013). Mitigating incentive conflicts in inter-firm relationships: Evidence from long-term supply contracts. Journal of Accounting and Economics, 56, 19–39.

  • Davis, L. R., Ricchiute, D. N., & Trompeter, G. (1993). Audit effort, audit fees, and the provision of nonaudit services to audit clients. The Accounting Review, 68, 135–150.

  • Davis, L. R., Soo, B. S., & Trompeter, G. M. (2009). Auditor tenure and the ability to meet or beat earnings forecasts. Contemporary Accounting Research, 26, 517–548.

  • De Simone, L., Ege, M. S., & Stomberg, B. (2015). Internal control quality: The role of auditor-provided tax services. The Accounting Review, 90, 1469–1496.

  • DeFond, M. L., & Francis, J. R. (2005). Audit research after Sarbanes-Oxley. Auditing: A Journal of Practice & Theory, 24, 5–30.

  • DeFond, M. L., & Jiambalvo, J. (1991). Incidence and circumstances of accounting errors. The Accounting Review, 66, 643–655.

  • DeFond, M., & Zhang, J. (2014). A review of archival auditing research. Journal of Accounting and Economics, 58, 275–326.

  • DeFond, M. L., Raghunandan, K., & Subramanyam, K. (2002). Do non-audit service fees impair auditor independence? Evidence from going concern audit opinions. Journal of Accounting Research, 40, 1247–1274.

  • Dell. (2020). Global data protection index (https://www.delltechnologies.com/en-us/data-protection/gdpi/index.htm).

  • Deloitte. (2013). COSO enhances its internal control–integrated framework (https://deloitte.wsj.com/riskandcompliance/files/2013/06/COSO_Internal_Control_Framework.pdf).

  • Deloitte. (2020). What is digital economy? (https://www2.deloitte.com/mt/en/pages/technology/articles/mt-what-is-digital-economy.html).

  • Dorantes, C. -A., Li, C., Peters, G. F., & Richardson, V. J. (2013). The effect of enterprise systems implementation on the firm information environment. Contemporary Accounting Research, 30, 1427–1461.

  • Doyle, J., Ge, W., & McVay, S. (2007). Determinants of weaknesses in internal control over financial reporting. Journal of Accounting and Economics, 44, 193–223.

  • Duflo, E., Greenstone, M., Pande, R., & Ryan, N. (2013). Truth-telling by third-party auditors and the response of polluting firms: Experimental evidence from India. The Quarterly Journal of Economics, 128, 1499–1545.

  • Duflo, E., Greenstone, M., Pande, R., & Ryan, N. (2018). The value of regulatory discretion: Estimates from environmental inspections in India. Econometrica, 86, 2123–2160.

  • Duguay, R., Minnis, M., & Sutherland, A. (2020). Regulatory spillovers in common audit markets. Management Science, 66, 3389–3411.

  • Efendi, J., Mulig, E. V., & Smith, L. M. (2006). Information technology and systems research published in major accounting academic and professional journals. Journal of Emerging Technologies in Accounting, 3, 117–128.

  • FASB. (2012). Cost-benefit analysis (https://www.fasb.org/jsp/FASB/Page/SectionPage&cid=1351027336339).

  • Feng, M., Li, C., McVay, S. E., & Skaife, H. (2015). Does ineffective internal control over financial reporting affect a firm’s operations? Evidence from firms’ inventory management. The Accounting Review, 90, 529–557.

  • Francis, J. R. (2006). Are auditors compromised by nonaudit services? Assessing the evidence. Contemporary Accounting Research, 23, 747–760.

  • Frankel, R. M., Johnson, M. F., & Nelson, K. K. (2002). The relation between auditors’ fees for nonaudit services and earnings management. The Accounting Review, 77, 71–105.

  • Ge, W., Koester, A., & McVay, S. (2017). Benefits and costs of Sarbanes-Oxley Section 404(b) exemption: Evidence from small firms’ internal control disclosures. Journal of Accounting and Economics, 63, 358–384.

  • Gerakos, J., & Syverson, C. (2015). Competition in the audit market: Policy implications. Journal of Accounting Research, 53, 725–775.

  • Gerakos, J., & Syverson, C. (2017). Audit firms face downward-sloping demand curves and the audit market is far from perfectly competitive. Review of Accounting Studies, 22, 1582–1594.

  • Gipper, B., Hail, L., & Leuz, C. (2020). On the economics of mandatory audit partner rotation and tenure: Evidence from PCAOB data. The Accounting Review, Forthcoming.

  • Gleason, C. A., & Mills, L. F. (2011). Do auditor-provided tax services improve the estimate of tax reserves? Contemporary Accounting Research, 28, 1484–1509.

  • Gow, I., Larcker, D., & Reiss, P. (2016). Causal inference in accounting research. Journal of Accounting Research, 54, 477–523.

  • Greene, W. (2002). Econometric analysis, 5th ed. Upper Saddle River: Pearson Education, Inc.

  • Haislip, J. Z., Peters, G. F., & Richardson, V. J. (2016). The effect of auditor IT expertise on internal controls. International Journal of Accounting Information Systems, 20, 1–15.

  • Hammersley, J. S., Myers, L. A., & Shakespeare, C. (2008). Market reactions to the disclosure of internal control weaknesses and to the characteristics of those weaknesses under section 302 of the Sarbanes Oxley Act of 2002. Review of Accounting Studies, 13, 141–165.

  • Hardy, Q. (2016). Why the computing cloud will keep growing and growing. The New York Times, December 25, 2016.

  • Harp, N. L., & Barnes, B. G. (2018). Internal control weaknesses and acquisition performance. The Accounting Review, 93, 235–258.

  • Hay, D. C., Knechel, W. R., & Wong, N. (2006). Audit fees: A meta-analysis of the effect of supply and demand attributes. Contemporary Accounting Research, 23, 141–191.

  • Holderness, C. G., & Sheehan, D. P. (1985). Raiders or saviors? The evidence on six controversial investors. Journal of Financial Economics, 14, 555.

  • Iliev, P. (2010). The effect of SOX section 404: Costs, earnings quality, and stock prices. The Journal of Finance, 65, 1163–1196.

  • Johnson, W. B., & Lys, T. (1990). The market for audit services: Evidence from voluntary auditor changes. Journal of Accounting and Economics, 12, 281–308.

  • Joskow, P. (1987). Contract duration and relationship-specific investments: Empirical evidence from coal markets. American Economic Review, 77, 168–185.

  • Kaplan, S., & Strömberg, P. (2003). Financial contracting theory meets the real world: An empirical analysis of venture capital contracts. Review of Economic Studies, 70, 281–315.

  • Kaplan, S., & Strömberg, P. (2004). Characteristics, contracts, and actions: Evidence from venture capitalist analyses. Journal of Finance, 59, 2177–2210.

  • Kinney, W. R., & Libby, R. (2002). Discussion of the relation between auditors’ fees for nonaudit services and earnings management. The Accounting Review, 77, 107–114.

  • Kinney, W. R., & McDaniel, L. S. (1989). Characteristics of firms correcting previously reported quarterly earnings. Journal of Accounting and Economics, 11, 71–93.

  • Kinney, W. R., Palmrose, Z.-V., & Scholz, S. (2004). Auditor independence, non-audit services, and restatements: Was the U.S. government right? Journal of Accounting Research, 42, 561–588.

  • Klein, A., & Zur, E. (2009). Entrepreneurial shareholder activism: Hedge funds and other private investors. Journal of Finance, 64, 187–229.

  • Knechel, R., & Salterio, S. (2016). Auditing: Assurance and risk. Routledge.

  • Knechel, W. R., & Willenborg, M. (2016). Economics-based auditing research published in JAR. Journal of Accounting Research Virtual Issue.

  • Knechel, W. R., Krishnan, G. V., Pevzner, M., Shefchik, L. B., & Velury, U. K. (2013). Audit quality: Insights from the academic literature. AUDITING: A Journal of Practice & Theory, 32, 385–421.

  • Koh, K., Rajgopal, S., & Srinivasan, S. (2013). Non-audit services and financial reporting quality: Evidence from 1978 to 1980. Review of Accounting Studies, 18, 1–33.

  • Kowaleski, Z. T., Mayhew, B. W., & Tegeler, A. C. (2018). The impact of consulting services on audit quality: An experimental approach. Journal of Accounting Research, 56, 673–711.

  • Kreps, D. (1990). A course in microeconomic theory. Princeton University Press.

  • Larcker, D. F., & Rusticus, T. O. (2010). On the use of instrumental variables in accounting research. Journal of Accounting and Economics, 49, 186–205.

  • Lennox, C. S., & Pittman, J. A. (2011). Voluntary audits versus mandatory audits. The Accounting Review, 86, 1655–1678.

  • Leuz, C. (2018). Evidence-based policymaking: Promise, challenges and opportunities for accounting and financial markets research. Accounting and Business Research, 48, 582–608.

  • Leuz, C., & Wysocki, P. (2016). The economics of disclosure and financial reporting regulation: Evidence and suggestions for future research. Journal of Accounting Research, 54, 525–622.

  • Lim, C. -Y., & Tan, H. -T. (2008). Non-audit service fees and audit quality: The impact of auditor specialization. Journal of Accounting Research, 46, 199–246.

  • Lisowsky, P., & Minnis, M. (2020). The silent majority: Private U.S. firms and financial reporting choices. Journal of Accounting Research, 58, 547–588.

  • Lisowsky, P., Minnis, M., & Sutherland, A. (2017). Economic growth and financial statement verification. Journal of Accounting Research, 55, 745–794.

  • Liu, L. Y. (2022). Auditors’ cross-client learning: Evidence from data breaches. Working Paper (https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3759027).

  • Loughran, T., & McDonald, B. (2016). Textual analysis in accounting and finance: A survey. Journal of Accounting Research, 54, 1187–1230.

  • Minnis, M. (2011). The value of financial statement verification in debt financing: Evidence from private U.S. firms. Journal of Accounting Research, 49, 457–506.

  • Minutti-Meza, M. (2013). Does auditor industry specialization improve audit quality? Journal of Accounting Research, 51, 779–817.

  • Minutti-Meza, M. (2014). Issues in examining the effect of auditor litigation on audit fees. Journal of Accounting Research, 52, 341–356.

  • Mullainathan, S. (2019). Biased algorithms are easier to fix than biased people. The New York Times, December 6, 2019.

  • Nagar, V., & Schoenfeld, J. (2021). Shareholder monitoring and discretionary disclosure. Journal of Accounting and Economics, 72, 1–22.

  • Ogneva, M., Subramanyam, K. R., & Raghunandan, K. (2007). Internal control weakness and cost of equity: Evidence from SOX section 404 disclosures. The Accounting Review, 82, 1255–1297.

  • Palmrose, Z. -V. (1986). The effect of nonaudit services on the pricing of audit services: Further evidence. Journal of Accounting Research, 24, 405–411.

  • Rajgopal, S., Srinivasan, S., & Zheng, X. (2021). Measuring audit quality. Review of Accounting Studies, 26, 559–619.

  • Rice, S., & Weber, D. (2012). How effective is internal control reporting under SOX 404? Determinants of the (non-)disclosure of existing material weaknesses. Journal of Accounting Research, 50, 811–843.

  • Roberts, M. R. (2015). The role of dynamic renegotiation and asymmetric information in financial contracting. Journal of Financial Economics, 116, 61–81.

  • Roberts, M. R., & Sufi, A. (2009). Control rights and capital structure: An empirical investigation. Journal of Finance, 64, 1657–1695.

  • Roychowdhury, S., Shroff, N., & Verdi, R. S. (2019). The effects of financial reporting and disclosure on corporate investment: A review. Journal of Accounting and Economics, 68, 1–27.

  • Samuelson, P. A. (1948). Consumption theory in terms of revealed preference. Economica, 15, 243–253.

  • Schoenfeld, J. (2017). The effect of voluntary disclosure on stock liquidity: New evidence from index funds. Journal of Accounting and Economics, 63, 51–74.

  • Schoenfeld, J. (2020). Contracts between firms and shareholders. Journal of Accounting Research, 58, 383–427.

  • Schroeder, J. H., & Shepardson, M. L. (2016). Do SOX 404 control audits and management assessments improve overall internal control system quality? The Accounting Review, 91, 1513–1541.

  • SEC. (2012). Current guidance on economic analysis in SEC rulemakings (https://www.sec.gov/divisions/riskfin/rsfi_guidance_econ_analy_secrulemaking.pdf).

  • Shear, M. D., Perlroth, N., & Krauss, C. (2021). Colonial pipeline paid roughly $5 million in ransom to hackers. The New York Times, May 13, 2021.

  • Shipman, J. E., Swanquist, Q. T., & Whited, R. L. (2017). Propensity score matching in accounting research. The Accounting Review, 92, 213–244.

  • Simunic, D. A. (1980). The pricing of audit services: Theory and evidence. Journal of Accounting Research, 18, 161–190.

  • Simunic, D. A. (1984). Auditing, consulting, and auditor independence. Journal of Accounting Research, 22, 679–702.

  • Smith, M. (1996). Shareholder activism by institutional investors: Evidence from CalPERS. Journal of Finance, 51, 227–252.

  • Smith, C., & Warner, J. (1979). On financial contracting: An analysis of bond covenants. Journal of Financial Economics, 7, 117–161.

  • Watts, R. L., & Zimmerman, J. L. (1983). Agency problems, auditing, and the theory of the firm: Some evidence. The Journal of Law and Economics, 26, 613–633.

  • Whisenant, S., Sankaraguruswamy, S., & Raghunandan, K. (2003). Evidence on the joint determination of audit and non-audit fees. Journal of Accounting Research, 41, 721–744.

  • Yoon, K., Hoogduin, L., & Zhang, L. (2015). Big data as complementary audit evidence. Accounting Horizons, 29, 431–438.

  • Zhang, I. X. (2007). Economic consequences of the Sarbanes–Oxley Act of 2002. Journal of Accounting and Economics, 44, 74–115.

  • Zhu, C. (2019). Big data as a governance mechanism. Review of Financial Studies, 32, 2021–2061.

Acknowledgements

I appreciate the helpful comments from Patricia Dechow (the editor), two anonymous referees, Wayne Guay, and seminar participants at the Accounting Insights Webinar, the AFAANZ Annual Conference, the CGECRS Workshop Series, Columbia Business School, Dartmouth College, the Hawaii Accounting Conference, the Securities and Exchange Commission, the Singapore Accounting Symposium, the University of Florida, the University of Illinois Symposium on Audit Research, and the University of Miami.

Corresponding author

Correspondence to Jordan Schoenfeld.

Appendices

Appendix A: 2019 SOC 3 report for Google

Source: Alphabet Inc. Investor Relations

(Figure A: reproduction of the report, image not rendered in this text version)

Appendix B: The AICPA’s trust services criteria

Source: AICPA (2017)

Security. Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives. Security refers to the protection of i. information during its collection or creation, use, processing, transmission, and storage and ii. systems that use electronic information to process, transmit or transfer, and store information to enable the entity to meet its objectives. Controls over security prevent or detect the breakdown and circumvention of segregation of duties, system failure, incorrect processing, theft or other unauthorized removal of information or system resources, misuse of software, and improper access to or use of, alteration, destruction, or disclosure of information.  
Availability. Information and systems are available for operation and use to meet the entity’s objectives. Availability refers to the accessibility of information used by the entity’s systems, as well as the products or services provided to its customers. The availability objective does not, in itself, set a minimum acceptable performance level; it does not address system functionality (the specific functions a system performs) or usability (the ability of users to apply system functions to the performance of specific tasks or problems). However, it does address whether systems include controls to support accessibility for operation, monitoring, and maintenance.  
Processing integrity. System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives. Processing integrity refers to the completeness, validity, accuracy, timeliness, and authorization of system processing. Processing integrity addresses whether systems achieve the aim or purpose for which they exist and whether they perform their intended functions in an unimpaired manner, free from error, delay, omission, and unauthorized or inadvertent manipulation. Because of the number of systems used by an entity, processing integrity is usually only addressed at the system or functional level of an entity.  
Confidentiality. Information designated as confidential is protected to meet the entity’s objectives. Confidentiality addresses the entity’s ability to protect information designated as confidential from its collection or creation through its final disposition and removal from the entity’s control in accordance with management’s objectives. Information is confidential if the custodian (for example, an entity that holds or stores information) of the information is required to limit its access, use, and retention and restrict its disclosure to defined parties (including those who may otherwise have authorized access within its system boundaries). Confidentiality requirements may be contained in laws or regulations or in contracts or agreements that contain commitments made to customers or others. The need for information to be confidential may arise for many different reasons. For example, the information may be proprietary, intended only for entity personnel. Confidentiality is distinguished from privacy in that privacy applies only to personal information, whereas confidentiality applies to various types of sensitive information. In addition, the privacy objective addresses requirements regarding collection, use, retention, disclosure, and disposal of personal information. Confidential information may include personal information as well as other information, such as trade secrets and intellectual property.  
Privacy. Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives. Although confidentiality applies to various types of sensitive information, privacy applies only to personal information. The privacy criteria are organized as follows:
  i. Notice and communication of objectives. The entity provides notice to data subjects about its objectives related to privacy.
  ii. Choice and consent. The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to data subjects.
  iii. Collection. The entity collects personal information to meet its objectives related to privacy.
  iv. Use, retention, and disposal. The entity limits the use, retention, and disposal of personal information to meet its objectives related to privacy.
  v. Access. The entity provides data subjects with access to their personal information for review and correction (including updates) to meet its objectives related to privacy.
  vi. Disclosure and notification. The entity discloses personal information, with the consent of the data subjects, to meet its objectives related to privacy. Notification of breaches and incidents is provided to affected data subjects, regulators, and others to meet its objectives related to privacy.
  vii. Quality. The entity collects and maintains accurate, up-to-date, complete, and relevant personal information to meet its objectives related to privacy.
  viii. Monitoring and enforcement. The entity monitors compliance to meet its objectives related to privacy, including procedures to address privacy-related inquiries, complaints, and disputes.

Appendix C: Types of service organization control audit reports

Titles and descriptions below are adapted from the AICPA.

System and Organization Controls for Service Organizations: ICFR (SOC 1)
  Title: Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (ICFR).
  Description: These reports are intended to meet the needs of entities that use service organizations (user entities) and the CPAs that audit the user entities’ financial statements (user auditors), in evaluating the effect of the controls at the service organization on the user entities’ financial statements. There are two types of reports for these engagements. Type 1 is a report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and implementation of the controls to achieve the related control objectives included in the description at a specific point in time. Type 2 is a report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design, implementation, and operating effectiveness of the controls to achieve the related control objectives included in the description over a minimum six-month period. Use of these reports is often restricted to the management of the service organization, user entities, and user auditors.

System and Organization Controls for Service Organizations: Trust Services Criteria (SOC 2)
  Title: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy.
  Description: These reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to the security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems. These reports can play an important role in: oversight of the organization, vendor management programs, internal corporate governance and risk management processes, and regulatory oversight. Similar to a SOC 1 report, there are two types of reports. Type 1 is a report on management’s description of a service organization’s system and the suitability of the design and implementation of controls at a specific point in time. Type 2 is a report on management’s description of a service organization’s system and the suitability of the design, implementation, and operating effectiveness of controls. Use of these reports is often restricted to the management of the service organization, user entities, and user auditors.

System and Organization Controls for Service Organizations: Trust Services Criteria for General Use Report (SOC 3)
  Title: Trust Services Report for Service Organizations.
  Description: These reports are designed to meet the needs of users who need assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy, but do not have the need for or the knowledge necessary to make effective use of a SOC 2 report. Because they are general use reports, SOC 3 reports can be freely distributed.

Appendix D: Variable construction

This appendix provides the formula for each variable used in this study. Index i represents each firm. Financial data are taken from a firm’s most recent annual report or proxy statement as of mid-2019. Any logged variables in the analyses use the natural log. Data source AA = Audit Analytics; C = Compustat; HC = hand collected.

Each entry gives the variable (with data source in parentheses) followed by its definition.

  • SOC Audit_i (HC): 1 if a firm receives a service organization control (SOC) audit based on the procedure defined in Section 3, 0 otherwise
  • Audit Fees_i (AA): Audit fees from the proxy statement
  • Audit-Related Fees_i (AA): Audit-related fees from the proxy statement (note that audit-related fees are distinct from any tax and technology consulting fees, which are included in different AA variables)
  • Data Exposed_i (HC): 1 if a firm’s annual report is in the top tercile of the sample’s firm-level data exposure measure, computed as the frequency count of analytics, big data, cloud platform, database, digital, and digitization divided by the total number of words in the annual report; 0 otherwise
  • Total Assets_i (C): Total assets
  • Market Value_i (C): Shares outstanding × stock price
  • Leverage_i (C): Total debt ÷ total assets
  • Loss Firm_i (C): 1 if net income is less than 0, 0 otherwise
  • ROA_i (C): Net income ÷ total assets
  • Current Assets ÷ Total Assets_i (C): Current assets ÷ total assets
  • Quick Ratio_i (C): (Cash + cash equivalents + marketable securities + accounts receivable) ÷ current liabilities
  • Segments_i (C): Total business segments
  • December Year End_i (C): 1 if a firm’s fiscal year ends in December, 0 otherwise
  • Qualified Audit (Financials)_i (AA): 1 if auditor issues a non-unqualified opinion on the financial statements, 0 otherwise
  • Qualified Audit (Controls)_i (AA): 1 if auditor issues a non-unqualified opinion on internal controls over the financial statements, 0 otherwise
  • Any Qualified Audit_i (AA): 1 if auditor issues a non-unqualified opinion on either the financial statements or internal controls over the financial statements, 0 otherwise
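The Data Exposed_i measure above can be reproduced from annual-report text. The following is an added example, not the paper’s own code: it counts the six terms named in the definition, divides by total word count, and flags the top tercile of the sample. Whole-word, case-insensitive matching, the treatment of multi-word terms as single occurrences, and the tercile cut-off rule are my assumptions; the report texts are constructed snippets, not real filings.

```python
"""Data exposure measure (Appendix D) on constructed annual-report snippets.

Assumptions (mine, not the paper's): terms are matched case-insensitively as
whole words after punctuation is stripped, a multi-word term such as
"big data" counts once per occurrence, and the top tercile is the highest
floor(n/3) firms in the sample.
"""
import re

# The six terms named in the paper's Data Exposed definition.
TERMS = ["analytics", "big data", "cloud platform", "database", "digital", "digitization"]


def term_frequency(text: str) -> float:
    """Occurrences of the six terms divided by the total number of words."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    if not words:
        return 0.0
    normalized = " ".join(words)  # collapse punctuation so "big data" matches
    hits = sum(len(re.findall(r"\b" + re.escape(t) + r"\b", normalized)) for t in TERMS)
    return hits / len(words)


def data_exposed(reports: dict) -> dict:
    """Return Data Exposed_i = 1 for firms in the top tercile, else 0."""
    scores = {firm: term_frequency(text) for firm, text in reports.items()}
    ranked = sorted(scores, key=scores.get)          # ascending by score
    cutoff = len(ranked) - len(ranked) // 3          # index where top tercile starts
    top = set(ranked[cutoff:])
    return {firm: int(firm in top) for firm in reports}


# Constructed sample "annual report" text for six hypothetical firms.
SAMPLE_REPORTS = {
    "A": "We provide cloud platform and analytics services. Our database and big data tools are digital.",
    "B": "The company manufactures steel beams and sells them to construction firms.",
    "C": "Digitization of our loan servicing is handled by a vendor's database platform.",
    "D": "Our retail stores carry groceries; we do not operate online.",
    "E": "Analytics drive our digital advertising business today.",
    "F": "We refine crude oil at two facilities in Texas.",
}

if __name__ == "__main__":
    for firm, flag in data_exposed(SAMPLE_REPORTS).items():
        print(firm, round(term_frequency(SAMPLE_REPORTS[firm]), 4), flag)
```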

About this article

Cite this article

Schoenfeld, J. Cyber risk and voluntary Service Organization Control (SOC) audits. Rev Account Stud (2022). https://doi.org/10.1007/s11142-022-09713-0

  • DOI: https://doi.org/10.1007/s11142-022-09713-0

Keywords

  • Audit
  • Big data
  • Cloud computing
  • CSR
  • ESG
  • Internal control

JEL Classification

  • M40
  • M49
  • O33