Abstract

As signals of internal control weaknesses, cyber security incidents can represent significant risk factors to the quality of financial reporting. We empirically assess the audit quality implications of data breaches for a large sample of US firms. Using a difference-in-difference approach based on a matched sample of breached and non-breached firms, we find no evidence that cyber-security incidents result in a decline in audit quality. Instead, we observe positive shifts in four widely-used proxies for audit quality. We document that breached firms (i) experience a decrease in abnormal accruals, (ii) are less likely to report small profits or small earnings increases, (iii) are more likely to be issued a going concern report, and (iv) are less likely to restate their financial statements in the two years following a breach. Our results indicate that auditors effectively offset increases in audit risk through additional substantive testing and audit effort. Our evidence supports the view that auditors have increased their audit risk awareness and put in place adequate procedures to deal with the consequences of cybersecurity incidents.