{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,14]],"date-time":"2026-03-14T01:47:33Z","timestamp":1773452853748,"version":"3.50.1"},"reference-count":55,"publisher":"American Accounting Association","issue":"2","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2019,6,1]]},"abstract":"ABSTRACT<\/jats:title>\n Data security breaches have been shown in the literature to negatively affect firm operations. Auditors serve as an important, external governance mechanism with respect to a firm's overall risk management protocol. Consequently, our study examines whether auditors price breach risk into their fees and if a firm's internal governance can mitigate the potential increases in audit fees. Using a sample of breached firms ranging from 2005\u20132014, we adapt the Houston, Peters, and Pratt (2005) model to explore how auditors view audit risk related to breach risk. We find that breaches are associated with an increase in fees, but the result is driven by external breaches. Our evidence suggests the presence of board-level risk committees and more active audit committees may help mitigate the breach risk audit fee premium. Additional evidence suggests that both past breach disclosures as well as future disclosures are associated with audit fees.<\/jats:p>","DOI":"10.2308\/isys-52241","type":"journal-article","created":{"date-parts":[[2018,8,24]],"date-time":"2018-08-24T20:48:07Z","timestamp":1535143687000},"page":"177-204","source":"Crossref","is-referenced-by-count":69,"title":["Do Auditors Price Breach Risk in Their Audit Fees?"],"prefix":"10.2308","volume":"33","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-7490-8957","authenticated-orcid":true,"given":"Thomas J. (Tom)","family":"Smith","sequence":"first","affiliation":[{"name":"University of South Florida"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2698-5904","authenticated-orcid":true,"given":"Julia L.","family":"Higgs","sequence":"additional","affiliation":[{"name":"Florida Atlantic University"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5080-2496","authenticated-orcid":true,"given":"Robert E.","family":"Pinsker","sequence":"additional","affiliation":[{"name":"Florida Atlantic University"}]}],"member":"1112","published-online":{"date-parts":[[2018,8,1]]},"reference":[{"issue":"2","key":"2024082915321640500_i1558-7959-33-2-177-Abbott1","doi-asserted-by":"crossref","first-page":"17","DOI":"10.2308\/aud.2003.22.2.17","article-title":"The association between audit committee characteristics and audit fees","volume":"22","author":"Abbott","year":"2003","journal-title":"Auditing: A Journal of Practice & Theory"},{"key":"2024082915321640500_i1558-7959-33-2-177-AmericanInstituteofCertifiedPublicAccountantsAICPA1","article-title":"AICPA Unveils Cybersecurity Risk Management Reporting Framework","author":"American Institute of Certified Public Accountants (AICPA)","year":"2017"},{"key":"2024082915321640500_i1558-7959-33-2-177-AmericanInstituteofCertifiedPublicAccountantsAICPA2","article-title":"SOC for Cybersecurity: A Backgrounder","author":"American Institute of Certified Public Accountants (AICPA)","year":"2018"},{"issue":"3","key":"2024082915321640500_i1558-7959-33-2-177-Ashbaugh1","doi-asserted-by":"crossref","first-page":"611","DOI":"10.2308\/accr.2003.78.3.611","article-title":"Do non-audit services compromise auditor independence? Further evidence","volume":"78","author":"Ashbaugh","year":"2003","journal-title":"The Accounting Review"},{"issue":"April","key":"2024082915321640500_i1558-7959-33-2-177-Brumfield1","first-page":"60","article-title":"Business risk and the audit process","author":"Brumfield","year":"1983","journal-title":"Journal of Accountancy"},{"issue":"3","key":"2024082915321640500_i1558-7959-33-2-177-Carcello1","first-page":"365","article-title":"Board characteristics and audit fees","volume":"19","author":"Carcello","year":"2002","journal-title":"Contemporary Accounting Research"},{"key":"2024082915321640500_i1558-7959-33-2-177-CenterforAuditQualityCAQ1","article-title":"Understanding Cybersecurity and the External Audit","author":"Center for Audit Quality (CAQ)","year":"2016"},{"key":"2024082915321640500_i1558-7959-33-2-177-CenterforAuditQualityCAQ2","unstructured":"Center for Audit Quality (CAQ). 2017a. Request for Proposals for Academic Research in Auditing (2018). https:\/\/www.thecaq.org\/request-proposals-academic-research-auditing-2018 (last accessed December 19, 2017)."},{"key":"2024082915321640500_i1558-7959-33-2-177-CenterforAuditQualityCAQ3","article-title":"The CPA's Role in Addressing Cybersecurity Risk","author":"Center for Audit Quality (CAQ)","year":"2017"},{"issue":"4","key":"2024082915321640500_i1558-7959-33-2-177-Chai1","doi-asserted-by":"crossref","first-page":"651","DOI":"10.1016\/j.dss.2010.08.017","article-title":"Firms' information security investment decisions: Stock market evidence of investors' behavior","volume":"50","author":"Chai","year":"2011","journal-title":"Decision Support Systems"},{"issue":"2","key":"2024082915321640500_i1558-7959-33-2-177-Cohen1","doi-asserted-by":"crossref","first-page":"A26","DOI":"10.2308\/ciia.2008.2.2.A26","article-title":"Management's discussion and analysis: Implications for audit practice and research","volume":"2","author":"Cohen","year":"2008","journal-title":"Current Issues in Auditing"},{"key":"2024082915321640500_i1558-7959-33-2-177-Cook1","unstructured":"Cook, T., and D.Campbell. \n 1979. Quasi-Experimentation Design and Analysis Issues for Field Settings. Chicago, IL: Houghton-Mifflin Company."},{"issue":"5","key":"2024082915321640500_i1558-7959-33-2-177-Cook2","first-page":"18","article-title":"The liability crisis in the United States: Impact on the accounting profession","volume":"174","author":"Cook","year":"1992","journal-title":"Journal of Accountancy"},{"issue":"2-3","key":"2024082915321640500_i1558-7959-33-2-177-Feng1","doi-asserted-by":"crossref","first-page":"190","DOI":"10.1016\/j.jacceco.2009.09.004","article-title":"Internal control and management guidance","volume":"48","author":"Feng","year":"2009","journal-title":"Journal of Accounting and Economics"},{"issue":"2","key":"2024082915321640500_i1558-7959-33-2-177-Ferguson1","doi-asserted-by":"crossref","first-page":"429","DOI":"10.2308\/accr.2003.78.2.429","article-title":"The effect of firm-wide and office-level industry expertise and audit pricing","volume":"78","author":"Ferguson","year":"2003","journal-title":"The Accounting Review"},{"issue":"1","key":"2024082915321640500_i1558-7959-33-2-177-Fields1","doi-asserted-by":"crossref","first-page":"53","DOI":"10.1016\/j.jaccpubpol.2003.11.003","article-title":"An investigation of the pricing of audit services for financial institutions","volume":"23","author":"Fields","year":"2004","journal-title":"Journal of Accounting and Public Policy"},{"issue":"2","key":"2024082915321640500_i1558-7959-33-2-177-Firth1","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1111\/j.1911-3846.1997.tb00524.x","article-title":"Provision of nonaudit services by accounting firms to their clients","volume":"14","author":"Firth","year":"1997","journal-title":"Contemporary Accounting Research"},{"key":"2024082915321640500_i1558-7959-33-2-177-Francis1","doi-asserted-by":"crossref","unstructured":"Francis, J., and D.Wang. \n 2005. Impact of the SEC's public fee disclosure requirement on subsequent period fees and implications for market efficiency. Auditing: A Journal of Practice & Theory (25th Anniversary Supplement): 145\u2013160.","DOI":"10.2308\/aud.2005.24.Supplement.145"},{"issue":"3","key":"2024082915321640500_i1558-7959-33-2-177-GoodwinStewart1","doi-asserted-by":"crossref","first-page":"387","DOI":"10.1111\/j.1467-629X.2006.00174.x","article-title":"Relation between external audit fees, audit committee characteristics and internal audit","volume":"46","author":"Goodwin-Stewart","year":"2006","journal-title":"Accounting and Finance"},{"issue":"3","key":"2024082915321640500_i1558-7959-33-2-177-Gordon1","doi-asserted-by":"crossref","first-page":"567","DOI":"10.2307\/25750692","article-title":"Market value of voluntary disclosures concerning information security","volume":"34","author":"Gordon","year":"2010","journal-title":"Management Information Systems Quarterly"},{"issue":"1","key":"2024082915321640500_i1558-7959-33-2-177-Greiner1","doi-asserted-by":"crossref","first-page":"85","DOI":"10.2308\/ajpt-51516","article-title":"The relationship between aggressive real earnings management and current and future audit fees","volume":"36","author":"Greiner","year":"2017","journal-title":"Auditing: A Journal of Practice & Theory"},{"key":"2024082915321640500_i1558-7959-33-2-177-Gwebu1","article-title":"Data Security Breach Impact and Disclosure","author":"Gwebu","year":"2013"},{"key":"2024082915321640500_i1558-7959-33-2-177-Haislip1","article-title":"Do the Roles of the CEO and CFO Differ when it comes to Data Security Breaches? An Investigation of Top Management IT Expertise and Board-Level Technology Committees as Corporate Governance Mechanisms Preventing\/Detecting Security Breaches","author":"Haislip","year":"2016"},{"issue":"1","key":"2024082915321640500_i1558-7959-33-2-177-Heckman1","doi-asserted-by":"crossref","first-page":"153","DOI":"10.2307\/1912352","article-title":"Sample selection bias as a specification error","volume":"47","author":"Heckman","year":"1979","journal-title":"Econometrica"},{"issue":"3","key":"2024082915321640500_i1558-7959-33-2-177-Higgs1","doi-asserted-by":"crossref","first-page":"79","DOI":"10.2308\/isys-51402","article-title":"The relationship between board-level technology committees and reported security breaches","volume":"30","author":"Higgs","year":"2016","journal-title":"Journal of Information Systems"},{"issue":"4","key":"2024082915321640500_i1558-7959-33-2-177-Hines1","doi-asserted-by":"crossref","first-page":"59","DOI":"10.2308\/ajpt-51035","article-title":"Board risk committees and audit pricing","volume":"34","author":"Hines","year":"2015","journal-title":"Auditing: A Journal of Practice & Theory"},{"issue":"1","key":"2024082915321640500_i1558-7959-33-2-177-Houston1","doi-asserted-by":"crossref","first-page":"37","DOI":"10.2308\/aud.2005.24.1.37","article-title":"Nonlitigation risk and pricing audit services","volume":"24","author":"Houston","year":"2005","journal-title":"Auditing: A Journal of Practice & Theory"},{"issue":"1","key":"2024082915321640500_i1558-7959-33-2-177-Hribar1","doi-asserted-by":"crossref","first-page":"506","DOI":"10.1007\/s11142-013-9253-8","article-title":"A new measure of accounting quality","volume":"19","author":"Hribar","year":"2014","journal-title":"Review of Accounting Studies"},{"key":"2024082915321640500_i1558-7959-33-2-177-ISACA1","unstructured":"ISACA. 2012. COBIT (Control Objectives for Information and Related Technologies) 5. Rolling Meadows, IL: ISACA."},{"issue":"2","key":"2024082915321640500_i1558-7959-33-2-177-Krishnan1","doi-asserted-by":"crossref","first-page":"147","DOI":"10.2308\/ajpt-50372","article-title":"Client risk management: A pecking order analysis of auditor response to upward earnings management risk","volume":"32","author":"Krishnan","year":"2013","journal-title":"Auditing: A Journal of Practice & Theory"},{"issue":"1","key":"2024082915321640500_i1558-7959-33-2-177-Lawrence1","doi-asserted-by":"crossref","first-page":"139","DOI":"10.2308\/ajpt-51784","article-title":"Is operational control risk informative of financial reporting deficiencies?","volume":"37","author":"Lawrence","year":"2018","journal-title":"Auditing: A Journal of Practice & Theory"},{"issue":"2","key":"2024082915321640500_i1558-7959-33-2-177-Lennox1","doi-asserted-by":"crossref","first-page":"589","DOI":"10.2308\/accr-10195","article-title":"Selection models in accounting research","volume":"87","author":"Lennox","year":"2012","journal-title":"The Accounting Review"},{"key":"2024082915321640500_i1558-7959-33-2-177-Li1","article-title":"Are External Auditors Concerned About Cyber Incidents? Evidence from Audit Fees","author":"Li","year":"2017"},{"key":"2024082915321640500_i1558-7959-33-2-177-Mayhew1","doi-asserted-by":"crossref","unstructured":"Mayhew, B.\n \n 2005. Discussion of impact of the SEC's public fee disclosure requirement on subsequent period fees and implications for market efficiency. Auditing: A Journal of Practice & Theory (25th Anniversary Supplement): 161\u2013169.","DOI":"10.2308\/aud.2005.24.Supplement.161"},{"key":"2024082915321640500_i1558-7959-33-2-177-McKenna1","article-title":"Equifax Auditors are on the Hook for Data Security Risk Controls","author":"McKenna","year":"2017"},{"key":"2024082915321640500_i1558-7959-33-2-177-Morgan1","unstructured":"Morgan, S.\n \n 2016. Cybercrime costs projected to reach $2 trillion by 2019. Forbes (January 17). Available at: http:\/\/onforb.es\/1P91xQy"},{"key":"2024082915321640500_i1558-7959-33-2-177-NationalAssociationofCorporateDirectorsNACD1","article-title":"Cyber Threats Necessitate a New Governance Model","author":"National Association of Corporate Directors (NACD)","year":"2015"},{"key":"2024082915321640500_i1558-7959-33-2-177-OMalley1","first-page":"82","article-title":"Legal liability is having a chilling effect on the auditor's role","volume":"7","author":"O'Malley","year":"1993","journal-title":"Accounting Horizons"},{"key":"2024082915321640500_i1558-7959-33-2-177-PonemonInstitute1","unstructured":"Ponemon Institute. 2015. 2015 Cost of Data Breach Study: Global Analysis. Available at: http:\/\/www-01.ibm.com\/common\/ssi\/cgi-bin\/ssialias?htmlfid=SEL03094WWEN (last accessed October 6, 2016)."},{"key":"2024082915321640500_i1558-7959-33-2-177-PublicCompanyAccountingOversightBoardPCAOB1","unstructured":"Public Company Accounting Oversight Board (PCAOB). 2007. An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements. Auditing Standard 2201. Washington, DC: PCAOB."},{"key":"2024082915321640500_i1558-7959-33-2-177-PublicCompanyAccountingOversightBoardPCAOB2","article-title":"Identifying and Assessing Risks of Material Misstatement. Auditing Standard 2110","author":"Public Company Accounting Oversight Board (PCAOB)","year":"2010"},{"key":"2024082915321640500_i1558-7959-33-2-177-PublicCompanyAccountingOversightBoardPCAOB3","article-title":"Public Company Accounting Oversight Board Strategic Plan: Improving the Quality of the Audit for the Protection and Benefit of Investors","author":"Public Company Accounting Oversight Board (PCAOB)","year":"2013"},{"key":"2024082915321640500_i1558-7959-33-2-177-PublicCompanyAccountingOversightBoardPCAOB4","article-title":"Standing Advisory Group Meeting: Cybersecurity","author":"Public Company Accounting Oversight Board (PCAOB)","year":"2014"},{"key":"2024082915321640500_i1558-7959-33-2-177-PublicCompanyAccountingOversightBoardPCAOB5","article-title":"PCAOB Update\u2014Recent Activities and Next Steps","author":"Public Company Accounting Oversight Board (PCAOB)","year":"2016"},{"key":"2024082915321640500_i1558-7959-33-2-177-PublicCompanyAccountingOversightBoardPCAOB6","article-title":"Staff Inspection Brief. Preview of Observations from 2016 Inspections of Auditors of Issuers","author":"Public Company Accounting Oversight Board (PCAOB)","year":"2017"},{"key":"2024082915321640500_i1558-7959-33-2-177-PublicCompanyAccountingOversightBoardPCAOB7","article-title":"Technology and the Audit of Today and Tomorrow","author":"Public Company Accounting Oversight Board (PCAOB)","year":"2017"},{"key":"2024082915321640500_i1558-7959-33-2-177-SecuritiesandExchangeCommissionSEC1","article-title":"Corporate Finance Disclosure Document Topic No. 2: Cybersecurity","author":"Securities and Exchange Commission (SEC)","year":"2011"},{"key":"2024082915321640500_i1558-7959-33-2-177-SecuritiesandExchangeCommissionSEC2","article-title":"Commission Statement and Guidance on Public Company Cybersecurity Disclosures. Release Nos. 33-10459; 34-82746","author":"Securities and Exchange Commission (SEC)","year":"2018"},{"key":"2024082915321640500_i1558-7959-33-2-177-Shumsky1","unstructured":"Shumsky, T.\n \n 2016. Corporate judgment call: When to disclose you've been hacked. The Wall Street Journal (June 20). Available at: https:\/\/www.wsj.com\/articles\/corporate-judgment-call-when-to-disclose-youve-been-hacked-1474320689"},{"issue":"1","key":"2024082915321640500_i1558-7959-33-2-177-Simunic1","doi-asserted-by":"crossref","first-page":"161","DOI":"10.2307\/2490397","article-title":"The pricing of audit services: Theory and evidence","volume":"18","author":"Simunic","year":"1980","journal-title":"Journal of Accounting Research"},{"issue":"3","key":"2024082915321640500_i1558-7959-33-2-177-Stice1","first-page":"516","article-title":"Using financial and market information to identify pre-engagement factors associated with lawsuits against auditors","volume":"66","author":"Stice","year":"1991","journal-title":"The Accounting Review"},{"key":"2024082915321640500_i1558-7959-33-2-177-Sweeny1","article-title":"Rand study: Average data breach costs $200K, not millions","author":"Sweeny","year":"2016","journal-title":"Information Week (June 21)"},{"key":"2024082915321640500_i1558-7959-33-2-177-Wang1","article-title":"The Association Between Audit Fees, Audit Firm Industry Specialization and Audit Firm Tenure and the Possibility of Information Security Breaches","author":"Wang","year":"2015"},{"key":"2024082915321640500_i1558-7959-33-2-177-Wooldridge1","unstructured":"Wooldridge, J.\n \n 2010. Econometric Analysis of Cross Section and Panel Data. Cambridge, MA: MIT Press."},{"key":"2024082915321640500_i1558-7959-33-2-177-Yadron1","unstructured":"Yadron, D.\n \n 2014. Corporate boards race to shore up cybersecurity: Directors grapple with issues once consigned to teach experts. The Wall Street Journal (June 29)."}],"container-title":["Journal of Information Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/publications.aaahq.org\/jis\/article-pdf\/33\/2\/177\/9269\/isys-52241.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/publications.aaahq.org\/jis\/article-pdf\/33\/2\/177\/9269\/isys-52241.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,8,29]],"date-time":"2024-08-29T17:12:17Z","timestamp":1724951537000},"score":1,"resource":{"primary":{"URL":"https:\/\/publications.aaahq.org\/jis\/article\/33\/2\/177\/1137\/Do-Auditors-Price-Breach-Risk-in-Their-Audit-Fees"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018,8,1]]},"references-count":55,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2018,8,1]]},"published-print":{"date-parts":[[2019,6,1]]}},"URL":"https:\/\/doi.org\/10.2308\/isys-52241","relation":{},"ISSN":["0888-7985","1558-7959"],"issn-type":[{"value":"0888-7985","type":"print"},{"value":"1558-7959","type":"electronic"}],"subject":[],"published":{"date-parts":[[2018,8,1]]}}}