Cybersecurity Breaches and Audit Outcomes: An Analysis of Auditor Changes and Going Concern Opinions

Authors: Sara Dehaiman Alqahtani

Abstract:

This study investigates the effects of cybersecurity breaches on critical audit outcomes, specifically focusing on auditor changes, engagement partner rotations, and the issuance of going concern opinions. Utilizing an extensive dataset of U.S.-based firms spanning from 2006 to 2023, the research employs propensity score matching (PSM) to address selection bias and control for confounding variables. The analysis reveals that, contrary to conventional expectations, firms that experience cybersecurity breaches are less likely to change their audit firms and engagement partners. Additionally, these breached firms are less likely to receive going concern opinions from their auditors. However, an exception is noted within the technology sector, where breached firms show a higher propensity to switch auditors, potentially to demonstrate a commitment to enhanced cybersecurity measures. The findings suggest a strong preference for continuity in auditor-client relationships following cybersecurity incidents. This preference underscores the importance of auditors' existing knowledge of a firm's systems and controls, which is deemed valuable during periods of heightened risk. The study extends the existing literature by moving beyond the well-documented impact of breaches on audit fees to explore other significant dimensions of the auditor-client relationship. It challenges the traditional assumption that increased risk from breaches leads to higher auditor turnover or more conservative audit opinions, highlighting instead a tendency towards maintaining stability. Methodologically, the research leverages PSM to create a balanced comparison between breached and non-breached firms, ensuring robustness in the findings. Logistic regression analyses further substantiate the associations between breaches and audit outcomes, controlling for various firm-specific characteristics such as size, financial performance, and industry classification. 
Supplemental analyses explore additional factors, including litigation risk, breach frequency, and industry-specific responses, providing a nuanced understanding of the dynamics at play. The study’s main contributions are threefold. First, it broadens the scope of research on cybersecurity breaches by examining their impact on auditor changes and going concern opinions, areas previously underexplored. Second, it offers empirical evidence that breached firms tend to retain their auditors and engagement partners, suggesting that continuity is valued over potential audit quality improvements through auditor changes. Third, it highlights sector-specific behaviors, particularly within the technology industry, where breaches do lead to higher auditor turnover, indicating industry-specific risk management strategies. Implications of this research are significant for auditors, clients, and regulators. Auditors may need to enhance their risk assessment frameworks to better incorporate cybersecurity risks, ensuring that audit practices remain robust in the face of evolving cyber threats. Clients should evaluate the benefits of retaining existing auditors against the potential advantages of engaging new auditors who might offer fresh perspectives and specialized cybersecurity expertise. Regulators might consider updating auditing standards to more explicitly address cybersecurity risks, ensuring that such threats are adequately reflected in audit procedures and disclosures. Overall, this study provides a comprehensive analysis of how cybersecurity breaches influence audit outcomes, revealing a preference for auditor continuity and questioning whether current auditing frameworks sufficiently account for cyber risks. By highlighting these trends, the research calls for a reassessment of audit practices and regulatory standards to better address the complexities introduced by the increasing prevalence of cyber threats in the digital age.

Keywords: cybersecurity breaches, auditor changes, engagement partner rotations, going concern opinions, auditor-client relationships, audit risk assessment
