Doctor of Philosophy (Ph.D.)
Degree Granting Department
Uday Murthy, Ph.D.
Lisa Gaynor, Ph.D.
Patrick Wheeler, Ph.D.
Terry Sincich, Ph.D.
Assurance, Audit Quality, Cybersecurity Incidents, Independence, Non-Audit Services, Voluntary Disclosure
The goal of this dissertation is to investigate the impact of the American Institute of Certified Public Accountants’ (AICPA) recently adopted cybersecurity risk management examination on investor perceptions and decisions. The dissertation implements a two-essay approach.
Essay 1 examines the effect of voluntary disclosures of joint or separate provisioning of cybersecurity risk management examinations on investor perceptions and decisions, and whether these effects differ when a subsequent cybersecurity incident occurs. Conducting a 2 x 2 between-participants experiment, I find that the negative signal of a subsequent cybersecurity incident reverses investors’ positive perceptions of auditor competence and increases investors’ sensitivity to potential independence impairments when the cybersecurity risk management examination is jointly provisioned, leading to lower perceptions of audit quality. I also find that investors are less willing to invest when the cybersecurity risk management examination is jointly compared to separately provisioned. My results provide important insights to regulators and standard setters who have raised concerns regarding the importance of addressing cybersecurity risk in the integrated internal control over financial reporting and financial statements audits and the potential for independence impairments from increased auditor performed non-audit services such as cybersecurity. My study also contributes to the non-audit services literature not only by examining a unique and emerging non-audit service not previously examined, but also by showing that non-audit services are perceived differently depending on whether a negative signal of non-audit service quality is present.
Essay 2 examines the effect of the type of cybersecurity assurance service on investor perceptions and decisions and whether these effects differ when a prior cybersecurity incident is reported. Conducting a 2 x 2 between-participants experiment, I find that investors are more willing to invest and have higher perceptions of management credibility when voluntary disclosures include a cybersecurity risk management examination compared to a less comprehensive cybersecurity assurance service. These findings are important because public company boards are increasingly looking to audit firms to provide cybersecurity assurance services. I also find that investors perceive cybersecurity risk management examinations to provide higher assurance quality regarding an organization’s ability not only to prevent future cybersecurity incidents, but also to recover from future cybersecurity incidents that are not prevented - a key risk management issue raised by regulators. My study also contributes to the voluntary assurance disclosure literature by examining investor reactions to management disclosures of alternative types of voluntary external cybersecurity assurance services, beyond a comparison of the absence or presence of external assurance reports provided by CPAs previously examined in other non-financial voluntary assurance settings. I also find that management’s choice to acquire a more comprehensive cybersecurity assurance service has a positive effect on investors’ perceptions of management credibility, which in turn has a positive effect on investors’ willingness to invest.
This dissertation contributes to the growing literature related to cybersecurity. Most of this work has been archival in nature and as such, has not been able to examine the effects of the AICPA’s recently adopted cybersecurity risk management examination reporting. Using an experimental method, I am able to examine important implications of voluntary cybersecurity risk management examination reporting and present opportunities for future research.
Scholar Commons Citation
Perols, Rebecca R., "Two Essays on the Impact of Cybersecurity Risk Management Examinations on Investor Perceptions and Decisions" (2019). Graduate Theses and Dissertations.