Fortifying the Nonbreached: Auditors’ Role in Cybersecurity Risk Management
Xiaomeng Chen et al.
Abstract
SUMMARY: We examine how auditors’ experience with client cybersecurity breaches influences their oversight of nonbreached clients. We find that auditors with breach experience are more likely to issue internal control material weakness (ICMW) opinions, reflecting heightened sensitivity to control risks and improved detection of latent vulnerabilities, as these opinions are often issued to firms that subsequently experience breaches. Conversely, clean opinions issued by breach-experienced auditors are associated with fewer future breaches, suggesting stronger risk assessments. These auditors also enhance cybersecurity risk disclosures. Cross-sectional analyses show that these effects are shaped by auditor type, board independence, and the presence of IT-related weaknesses. Interview evidence further supports that breach exposure increases auditors’ attentiveness to cybersecurity risks and informs risk assessments for other clients. Collectively, our findings highlight how cybersecurity breach experience enhances auditors’ vigilance and oversight, providing evidence of cross-client learning and adaptive audit behavior in response to evolving digital risks.

Data Availability: Data are available from public sources noted in the article.