Financial Statement Audits and Data Breaches

Abstract

Financial statement audits for public companies require auditors to test the internal controls over the client’s information systems that are material to the financial reporting process. Given the increasingly integrated nature of corporate data and control systems, a standard audit may have a positive effect on client firms’ other information systems, such as those that help prevent data breaches. In this paper, I provide evidence on whether and how auditors help prevent data breaches. Using plausibly exogenous improvements in auditing due to regulatory inspections and auditors’ cross-client learning, I find a decreased likelihood of data breaches among these auditors’ clients. Institutional insights gathered from interviews with accounting firm partners and industry professionals suggest two mechanisms for the role of auditors in preventing data breaches: the provision of relevant information and incentives for internal controls. Collectively, the findings provide evidence that improving accounting information systems can have a positive impact on nonaccounting systems. This paper was accepted by Ranjani Krishnan, accounting. Funding: I gratefully acknowledge financial support from Columbia Business School, the University of Chicago Booth School of Business, the Deloitte Foundation, and the Bradley Fellowship awarded by the Stigler Center for the Study of the Economy and the State. Supplemental Material: The data files are available at https://doi.org/10.1287/mnsc.2023.01357 .