The impact of audit firms’ characteristics on audit fees following information security breaches

Abstract

Given the importance of auditors’ assessing business risks and evaluating internal controls, we investigate whether an audit firm’s industry expertise, tenure, and size can help its auditors better understand external and internal threats faced by the client with less effort. Using reported information security breach incidents from 2004 to 2013, we find that, consistent with prior studies, audit fees are higher after the occurrence of an information security breach. However, such an association is negatively moderated when the audit firm has industry-specific expertise, longer experience with the client, and is one of the Big 4 firms. Our results suggest that because of their better knowledge about a specific industry, increased familiarity with the client’s operations, and more resources to understand a client’s vulnerabilities and/or information security policies and procedures, these auditors are more capable of assessing the potentially changing information security risks implied by the occurrence of information security breach incidents. Our results are robust to a variety of sensitivity checks.