Using the staggered adoption of data breach disclosure (DBD) laws, this paper studies the impact of mandatory disclosure of adverse corporate events on audit fees. DBD laws increase the frequency of disclosed cyber incidents, which adversely impacts firms’ financial condition and operations; this could result in a higher risk of misstatement and reputation loss for auditors. Consistent with this hypothesis, we find that auditors charge higher fees after the adoption of DBD laws. We also find that the increase in audit fees is more pronounced in firms with higher cyber risk and greater auditor reputational concerns. Furthermore, governance mechanisms and resources that are available to auditors can mitigate the rise in audit fees. Robustness tests suggest that the effect is not driven by realized cyber incidents and other contemporaneous events. Overall, our study provides evidence that the mandated disclosure regulation significantly affects audit pricing.
Read full abstract