Audit firm assessments of cyber-security risk: evidence from audit fees and SEC comment letters

This study investigates the impact of cyber-security incidents on audit fees. Using a sample of 5,687 firms, we find that (i) breached firms are charged 12 percent higher audit fees, and (ii) firms operating in the same industry of a breached firm are charged 5 percent higher fees. Finally, using a difference-indifference regression on a propensity score matched sample, we provide evidence suggesting that auditors do not revise their audit risk assessment following a breach. Overall, these results suggest that the increase in audit fees in the year of a breach is only temporary, and that auditors include cyber-security risk in their audit risk assessment even before an incident occurs. Higher cyber-security risk is ultimately reflected in higher audit fees paid by auditees