Cyber Risk and Voluntary Service Organization Control (SOC) Audits

Jordan M. Schoenfeld is Visiting Professor of Accounting at Dartmouth College Tuck School of Business, and Associate Professor of Accounting at the University of Utah Eccles School of Business. This post is based on his recent paper, forthcoming in the Review of Accounting Studies.

Modern firms routinely manage their financial reporting systems using third-party cloud computing and other enterprise technologies. This practice, while often facilitating cost reductions and remote work, puts the integrity of the financial statements at risk, especially given the threat of cyberattacks. Indeed, U.S. Federal Reserve Chairman Jerome Powell remarked in April 2021 that “The risk that we keep our eyes on the most now is cyber risk.”

In Cyber risk and voluntary Service Organization Control (SOC) Audits, forthcoming in the Review of Accounting Studies, I conduct one of the first systematic analyses of a special type of voluntary audit that evaluates firms’ susceptibility to cyber risks arising from the use of technology services such as the cloud. I start by assembling one of the first large-sample datasets on SOC audit reports, which require hand collection since they are not collected by the SEC. It is worth noting that the AICPA states that the purpose of a SOC audit is to help companies “that provide services to other entities build trust and confidence in the service performed and controls related to the services through a report by an independent CPA.” In other words, when companies provide services to entities such as another company, those services may impact the customer’s financial reporting processes. Thus, that customer and its financial statement auditor must evaluate the service company’s internal controls that are material to its customers. A service company’s financial statement and integrated internal control audits do not typically provide assurance on such controls.

SOC audits are relatively new, both in practice and in the academic literature, so it is worth introducing how their scope compares to the scope of financial statement audits. I therefore use a novel feature of my data, namely that SOC audit reports often list the internal controls tested by the audit firm, to analyze the types of internal controls evaluated in SOC audits. I find that the scope of these audits typically includes controls over data security, data processing integrity, and data privacy. For example, Amazon Web Services (AWS) receives a SOC audit from Ernst & Young that evaluates 92 internal controls representing many processes within AWS, including cryptographic data transfers, software development, and data security.

I next assess a company’s decision to receive a SOC audit and use audit fees to assess the economic significance of this decision. Using a combination of cross-sectional firm-level data, I find that a company’s business-model exposure to managing data for its corporate customers is predictive of its decision to receive a SOC audit. To construct measures of this exposure, I use a linguistic measure derived from the annual report and a variety of industry indicators and company attributes. Overall, about 29 percent of firms in the S&P 500 receive SOC audits, representing $10.9 trillion in total market value.

I next examine whether audit fees vary as a function of SOC audits. Assuming managers choose rationally and adopt SOC audits only when their benefits exceed their costs, SOC audit fees can be used to measure the lower-bound value of the benefits of SOC audits. In the most stringent specification with industry-fixed effects and other firm-level variables known to be associated with the audit fee environment, I find a large and robust positive relationship between audit-related fees and SOC audits. Specifically, SOC audits are associated with a $900,000 or 70 percent increase in audit-related fees per year. To gauge the economic magnitude of this effect, the mean of audit-related fees in my sample is about $1.5 million per year, which suggests that SOC audits are one of the largest drivers of the variation in these fees. Assuming that the average blended hourly billing rate for SOC audits is about $300, the $900,000 in additional audit-related fees per year translates to 3,000 billable hours for a SOC audit. By comparison, the average company in my sample pays accounting firms about $1.3 million per year for 4,300 hours of tax services. A few firms with very large SOC audit fees even discuss these fees in their proxy statement. For example, Google’s parent company Alphabet noted that it paid $6.2 million for SOC audits in 2018. In dollar terms, firms appear to value SOC audits almost as much as they value having their taxes done.

Although the AICPA requires CPA firms to conduct SOC audits, one might ask whether CPA firms have the right expertise for this. To this end, it is worth noting that many audit firms directly educate their staff on technology and employ technology consultants. Deloitte’s Cloud Institute, for example, is widely used by its workforce, and Ernst & Young provides its staff an in-house “Tech MBA.”

The attention gap between SOC audits and other accounting services provides a meaningful context for appreciating this study’s large-sample analysis. For example, recent surveys of the audit literature tend to focus almost exclusively on financial statement audits and do not recognize the presence of SOC audits, which is a gap this study fills. In contrast to financial statement audits, SOC audits are intended primarily for the audit client’s corporate customers, not investors, which provides new empirical support for the longstanding proposition that audits facilitate relationships between firms and stakeholders. SOC audits are thus an important and concrete example of the broader social and governance mandates of new stakeholder-focused reporting frameworks, such as the SASB’s Conceptual Framework.

The observed link between SOC audits and audit-related fees also relates to prior studies that presume that the payment of non-audit fees prompts auditor-client economic bonding that encourages auditor concessions or shirking. SOC audits, however, are performed in accordance with the same independence requirements that apply to financial statement audits and should not drastically alter the nature of any conflicts of interest. My evidence is also some of the first to show that audit-related fees can consist of diverse types of independent audits. This is an important consideration for future audit research and may potentially help us understand why the evidence on the association between audit-related fees and financial statement audit quality is mixed. Given the growing importance of SOC audits as firms increasingly adopt new technologies and allow employees to work remotely (especially given how the pandemic has changed the way business is done), incorporating SOC audits into the financial reporting and valuation literatures could be a promising research endeavor.

The complete paper is available for download here.