The Impact of Audit Office Cybersecurity Experience on Nonbreach Client’s Audit Fees and Cybersecurity Risks

Abstract

This study investigates whether auditors’ experiences with their clients’ cybersecurity incidents affect their subsequent audits for nonbreach clients and help those clients reduce cybersecurity risks. We find that audit offices who have experience with cybersecurity-breached clients, ceteris paribus, charge higher audit fees from nonbreach clients. Additionally, the increased audit fees conditional on auditors’ cybersecurity experience are negatively associated with nonbreach clients’ future breach incidents. Such associations are found only in the Big 4 audit offices and offices with IT capability. This study offers timely insights for standard setters and important implications for both professionals and the academic literature by documenting the spillover effect of cybersecurity experience on subsequent risk assessments of nonbreach clients, while also confirming the effectiveness of engaging auditors in addressing cybersecurity matters.