Discussion of “Audit Firm Assessments of Cyber-Security Risk: Evidence from Audit Fees and SEC Comment Letters”

Abstract

The study by Rosati, Gogolin, and Lynn (in this issue) examines the impact of cyber-security incidents on audit fees. Using audit fee as a proxy for audit effort and risk, it takes 168 cyber-security incidents during 2005–2014 that are collected by the Privacy Rights Clearinghouse and documents that breached firms are charged higher audit fees. In addition, the authors find that the increase in audit fee is only temporary and exists during the [Formula: see text] to [Formula: see text] window surrounding the breach. Finally, this study also finds that the audit fee increases post SEC comment letters that are related to cyber-security incidents. Overall, my assessment of the paper is that it is well executed and well written. More importantly, it adheres well to its stated research question. The following are my written comments, which are based on my discussion of this paper at the 30th Annual TJIA Conference, regarding this paper’s contribution, framing, and empirical execution.