“The risk that we keep our eyes on the most now is cyber risk.” – U.S. Federal Reserve Chairman Jerome Powell, April 2021Footnote 1

1 Introduction

Modern firms routinely manage their financial reporting systems using third-party cloud computing and other enterprise technologies.Footnote 2 This practice, while often facilitating cost reductions and remote work, puts the integrity of the financial statements at risk, especially given the threat of cyberattacks. Therefore, the American Institute of Certified Public Accountants (AICPA) developed a special type of voluntary audit that evaluates this risk, namely Service Organization Control audits (“SOC audits”). Recent surveys of the audit literature do not recognize the presence of SOC audits (e.g., DeFond & Zhang 2014; Knechel & Willenborg 2016) despite longstanding calls from regulators and accounting standard setters to conduct detailed empirical analyses of firms’ financial reporting processes (e.g., FASB 2012; SEC 2012). To fill this gap in the literature, this study conducts one of the first systematic analyses of the benefits and costs of these voluntary audits.

Understanding the benefits and costs of audit adoption is central to all audit literature. The benefits and costs of voluntary audits include factors that are hard for outside researchers to measure directly, such as management’s assessment of business and reputation risks. Prior studies on voluntary audit adoption therefore take a two-pronged approach that exploits the voluntary nature of the audit: (1) they directly estimate some (but not all) benefits and costs of the audit; and (2) they conjecture that the (unmeasurable) benefits and costs systematically correlate with measurable factors and test if a firm’s choice to receive an audit is explained by these factors (e.g., see the analyses of voluntary audit adoption in Allee & Yohn 2009, Table 6; Lennox & Pittman 2011, Table 6; Lisowsky & Minnis 2020, Table 5; and Minnis 2011, Section 4.2). This is the well-established revealed preference approach in economics (Samuelson, 1948), where the variation in the audit choice itself is used to indirectly estimate the variation in the unmeasurable benefits and costs of the audit.

Following the framework above on voluntary audit adoption, I start by assembling one of the first datasets on SOC audit reports, which require hand collection since they are not collected by the SEC. Before turning to the data, it is worth noting that the AICPA states that the purpose of a SOC audit is to help companies “that provide services to other entities build trust and confidence in the service performed and controls related to the services through a report by an independent CPA” (AICPA, 2018). In other words, when companies provide services to entities such as another company, those services may impact the customer’s financial reporting processes. Thus, that customer and its financial statement auditor must evaluate the service company’s internal controls that are material to its customers. A service company’s financial statement and integrated internal control audits do not typically provide assurance on such controls (Section 2 provides more detail on this point). Note that SOC audit adoption is voluntary, and the term service organization simply refers to any company that provides a service to its customers.Footnote 3

SOC audits, being new to the literature, merit an introduction as to how the scope of these audits compares to the scope of financial statement audits. I therefore use a novel feature of my data, namely that SOC audit reports often list the internal controls tested by the audit firm, to analyze the types of internal controls evaluated in SOC audits. I find that the scope of these audits typically includes controls over data security, data processing integrity, and data privacy. For example, Amazon Web Services (AWS) receives a SOC audit from Ernst & Young that evaluates 92 internal controls representing many processes within AWS, including cryptographic data transfers, software development, and data security.Footnote 4 Appendix A provides direct excerpts from a SOC audit report, and Section 4 provides a more systematic analysis of these results for the sample.

Having demonstrated the scope of SOC audits, I next assess a company’s decision to receive a SOC audit and use audit fees to assess the economic significance of this decision. Using a combination of cross-sectional firm-level data, I find that a company’s business-model exposure to managing data for its corporate customers is predictive of its decision to receive a SOC audit. To construct measures of this exposure, I use a linguistic measure derived from the annual report and a variety of industry indicators and company attributes. Overall, about 29% of firms in the sample receive SOC audits, representing $10.9 trillion in total market value. To put these results in perspective using other settings where management’s decision to receive an audit is not explicitly mandated by legislation, about 23 to 37% of private firms elect to receive financial statement audits depending on the sample (Lisowsky & Minnis 2020, Table 3; Minnis 2011, Table 3).

I next examine whether audit fees vary as a function of SOC audits. Assuming managers choose rationally and adopt SOC audits only when the audits’ benefits exceed their costs, SOC audit fees can be used to measure the lower-bound value of the benefits of SOC audits. In the most stringent specification (with industry-fixed effects and other firm-level variables known to be associated with the audit fee environment), I find a large and robust positive relationship between audit-related fees and SOC audits. Specifically, SOC audits are associated with a $900,000 or 70% increase in audit-related fees per year. To gauge the economic magnitude of this effect, the mean of audit-related fees in my sample is about $1.5 million per year, which suggests that SOC audits are one of the largest drivers of the variation in these fees. Assuming that the average blended hourly billing rate for SOC audits is about $300, the $900,000 in additional audit-related fees per year translates to 3,000 billable hours for a SOC audit. By comparison, the average company in my sample pays accounting firms about $1.3 million per year for 4,300 hours of tax services (De Simone et al. 2015). In addition, integrated internal control audits around financial reporting are estimated to cause a 30% increase in annual financial statement audit fees (Ge et al. 2017), whereas SOC audits are associated with a 70% increase in annual audit-related fees. The economic benefit of SOC audits thus appears to exceed at least $900,000 on average, which is comparable to other more well-researched corporate accounting services.Footnote 5

Although the AICPA requires CPA firms to conduct SOC audits, one might ask whether CPA firms have the right expertise for this. To this end, it is worth noting that many audit firms directly educate their staff on technology and employ technology consultants (e.g., Bauer et al. 2019). Deloitte’s Cloud Institute, for example, is widely used by its workforce, and Ernst & Young provides its staff an in-house “Tech MBA.”Footnote 6 Nonetheless, one should not think of auditors as being technologically superior to management. Rather, auditors’ expertise is in evaluating controls. Just as management is the expert on their own financial statements, management is the expert on their own service offerings, and it is their job to implement good controls over them. Moreover, just as financial statement audits do not guarantee against fraud and misstatements, SOC audits do not guarantee against data breaches and other problems, and audit firms typically cannot be held liable for such events. It is also implausible to expect to observe whether companies confidentially hire audit firms to perform other types of non-financial audits. Thus, my evidence on non-financial audits is conservative, as it pertains only to SOC audits. Section 5 elaborates further on these points.

This study makes several contributions to the audit literature. Recent surveys of the audit literature tend to focus almost exclusively on financial statement audits and do not recognize the presence of SOC audits, which is a gap this study fills (e.g., DeFond & Zhang 2014; Knechel et al. 2013; Knechel & Willenborg 2016; Rajgopal et al. 2021). In contrast to financial statement audits, SOC audits are intended primarily for the audit client’s corporate customers and not investors, which provides new empirical support for the longstanding proposition that audits facilitate relationships between firms and stakeholders (e.g., Watts & Zimmerman 1983).Footnote 7 SOC audits are thus an important and concrete example of the broader social and governance mandates of new stakeholder-focused reporting frameworks, such as the Sustainability Accounting Standards Board’s (SASB) Conceptual Framework (e.g., Christensen et al. 2021).

My findings also complement studies that analyze a firm’s choice to receive voluntary audits. Lennox and Pittman (2011), for example, use private firms to test who voluntarily receives financial statement audits, with a key advantage being that such voluntary audit adoption allows for the analysis of the benefits and costs of these audits. Several other studies also examine voluntary financial statement audit adoption in private firms (e.g., Allee & Yohn 2009; Duguay et al. 2020; Lisowsky & Minnis 2020; Lisowsky et al. 2017; Minnis 2011). These studies, however, do not analyze SOC audit adoption. Moreover, analyzing voluntary audit adoption in public firms has proved difficult given the regulated nature of these firms, with SOC audit adoption now one of the first exceptions to this issue.Footnote 8

In addition, although accounting textbooks emphasize that internal controls play a key role in many parts of a firm’s business model (Knechel & Salterio, 2016), prior research on internal controls focuses mainly on the audits of controls over the financial reporting process. Ge et al. (2017) estimate the fees for Sarbanes-Oxley Section 404 (SOX 404) integrated internal control audits. Carnes et al. (2019), Hammersley et al. (2008), Iliev (2010), Ogneva et al. (2007), and Zhang (2007) examine whether investors perceive value in SOX 404 audits. Cheng et al. (2013), Feng et al. (2015), and Harp and Barnes (2018) find that effective SOX 404-related controls relate to corporate investment, operational, and acquisition decisions. Leuz and Wysocki (2016), DeFond and Francis (2005), Coates and Srinivasan (2014), and Roychowdhury et al. (2019) further survey the SOX 404 literature and conclude that SOX 404 has had a variety of consequences for firms. However, these studies do not analyze SOC audits, and there are substantive differences in the economics of SOC audits and financial statement audits. Most notably, SOC audits are voluntary, focused on a company’s service offerings, performed in accordance with their own standards set by the AICPA, and intended for a different audience or end user than financial statement audits. It is therefore not surprising that SOC audits differ from financial statement audits in their adoption rates and scope. My evidence thus broadens our understanding of firms’ internal control environments and the role played by audit firms in these environments.

The observed link between SOC audits and audit-related fees also relates to prior studies that presume that these fees represent heightened auditor-client conflicts of interest (e.g., Knechel et al. 2013, p. 401–402). Bell et al. (2015, p. 462), for example, posit that the “economic bonding from non-audit fees prompts auditor concessions or shirking.” SOC audits, however, are performed in accordance with the same independence requirements that apply to financial statement audits and should not drastically alter the nature of any conflicts of interest (AICPA, 2017). My evidence is also some of the first to show that audit-related fees can consist of diverse types of independent audits. This is an important consideration for future audit research and may potentially help us understand why the evidence on the association between audit-related fees and financial statement audit quality is mixed: some studies find no association (e.g., Ashbaugh et al. 2003; Bell et al. 2015), some find a positive association (e.g., Davis et al. 2009), and some find a negative association (e.g., Frankel et al. 2002; Kowaleski et al. 2018; Rice and Weber 2012).

My findings also support theoretical and institutional arguments for the importance of SOC audits. First, Kreps (1990, p. 763–764) argues that a firm’s financial statement audit may not meet the needs of all stakeholders and there may be a demand for supplemental audits of other parts of the firm. Whether such audits are pervasive in practice is an empirical question that this study pursues. Second, the Committee of Sponsoring Organizations (COSO) explicitly advises the corporate clientele of technology service companies to obtain a SOC audit of the service company (Deloitte, 2013). This study shows that firms are in fact receiving and relying on these types of audits. Third, SOC audits relate to the concerns expressed by the SEC, the National Security Agency, and economists over the security risks created by cloud-based technologies (e.g., Acemoglu et al. 2022; Mullainathan 2019).Footnote 9 This study shows how companies and audit firms are adapting to these risks.

Finally, my focus on providing descriptive economic magnitudes for SOC audits is motivated in part by the recent accounting methodology critiques of Bloomfield et al. (2016), Gerakos and Syverson (2017), Gow et al. (2016), Leuz (2018), and Leuz and Wysocki (2016), all of whom make a strong case for gathering new data because it can reveal key institutional features that otherwise go unrecognized in the literature.

The remainder of this study is organized as follows. Section 2 motivates the empirical analysis. Section 3 describes the sample. Section 4 provides the empirical results. Section 5 compares SOC audits to financial statement audits. Section 6 concludes.

2 Institutional background and hypothesis development

Corporate use of external third-party technology creates strong links between technology service companies and their corporate clientele’s financial reporting systems. Figure 1, for example, shows how Capital One manages checking account balances and other key financial information at Amazon Web Services (AWS), or “the cloud.” In this situation, the integrity of Capital One’s financial statements depends on the integrity of the customer-facing systems at AWS. Therefore, Capital One and its financial statement auditor will require assurance regarding AWS’s internal controls over Capital One’s data, which are beyond the purview of AWS’s financial statement and integrated internal control audits. Rather than AWS allowing each of its customers to disruptively audit the controls over its customer-facing systems, AWS instead hires Ernst & Young to audit these controls and issue a SOC audit report intended for AWS’s corporate clientele.

Fig. 1 An Example of Corporate Use of Technology Service Companies. This figure shows how Capital One uses Amazon Web Services and exemplifies how technology service companies can pose financial reporting risks to their corporate clientele. Source: Amazon Web Services

SOC audits, being relatively new to the literature, require a brief primer. The SOC audit framework emerged in 2011 from the AICPA’s release of SSAE 16, Reporting on Controls at a Service Organization, and was significantly revised in 2017 by SSAE 18 and the AICPA’s Trust Services Criteria (TSC). The term service organization refers to any company that provides a service to its corporate clientele. The corporate clientele of such service companies are called “user entities” in the AICPA standard. The TSC are criteria for SOC attestation engagements that evaluate the internal controls over the security, availability, processing integrity, confidentiality, and privacy of technology systems (Appendix B details these criteria). The AICPA requires CPA firms to conduct SOC audits.Footnote 10

Similar to financial statement audits, management determines the controls that are in scope and tested for SOC audits. If an audit firm does not design or operate SOC-related controls at a client, it is appropriate for that audit firm to perform both a financial statement audit and a SOC audit at the client. Both Alphabet and Amazon, for example, use Ernst & Young for their financial statement and SOC audits. Appendix C summarizes the types of SOC audit reports.

Due to the demand for audits arising from diverse companies and stakeholders, audit firms possess a variety of specializations and expertise, directly educate their staff in technology, and employ technology consultants (e.g., Bauer et al. 2019; Deloitte 2020; Johnson & Lys 1990; Minutti-Meza 2013). As a result, there is reason to believe that audit firms can acquire the technical expertise required to perform SOC audits, but exactly what controls these audits evaluate in practice is an open question. My first conjecture is that these audits evaluate customer-relevant internal controls at the client that are distinct from the client’s controls over its own financial reporting processes. The detailed nature of SOC audit reports enables me to investigate this question using descriptive analyses (this hypothesis does not lend itself to traditional econometric testing):

Hypothesis 1: SOC audits evaluate customer-relevant internal controls that are critical to the proper functioning of the audit client’s service offerings.

Understanding the benefits and costs of audit adoption is central to all audit literature. The economic benefits and costs of voluntary audits include factors that are hard for outside researchers to measure directly, such as management’s assessment of business and reputation risks. As a result, it is standard practice for researchers to evaluate the benefits and costs of a voluntary audit by building reduced-form empirical models of audit adoption rates across firms (e.g., see the analyses of voluntary audit adoption in Allee and Yohn (2009), Table 6; Lennox and Pittman (2011), Table 6; Lisowsky and Minnis (2020), Table 5; and Minnis (2011), Section 4.2). This is the longstanding revealed preference approach where the variation in the audit choice itself is used to indirectly estimate the variation in the unmeasurable benefits and costs of the audit (e.g., Samuelson 1948). Exploiting audits that are voluntary in nature, this framework tests whether a firm’s choice to receive an audit is systematically explained by a variety of measurable factors that are thought to correlate with the benefits and costs of that audit. I adopt this same framework for SOC audits.

Unlike financial statement audits at public firms, the SEC does not mandate SOC audits for such firms, which suggests that the SEC has not determined that the benefits of SOC audits systematically outweigh their costs. Managers themselves must therefore weigh the benefits that come with SOC audits against such costs as the audit fee and lost sales if some corporate customers decide to only use service companies that receive SOC audits. I argue that these benefits and costs can be proxied for in large part by a firm’s business model and product market exposure (Hypothesis 3 below further analyzes costs using audit fees). Theoretically, it is not clear how SOC audit adoption will materialize in practice. If the benefits of SOC audits are not tilted toward certain classes of firms, there may be no systematic patterns in their adoption rates. By contrast, if the cost of SOC audits is very small, their adoption rates may be very high across all classes of firms (and vice versa). Economic magnitudes are also not possible to determine ex ante. Understanding the adoption rates of SOC audits can give insight into their economic significance and purpose.Footnote 11 These considerations lead to the second hypothesis, stated in the null form:

Hypothesis 2: SOC audit adoption does not exhibit significant systematic patterns across firms.

To the extent that the evidence for Hypothesis 2 shows that not all firms receive SOC audits, this implies that some firms perceive that the fees related to SOC audits exceed their benefits. Determining the economic magnitude of these fees requires an explicit empirical test, which is informative to conduct for several reasons. Perhaps most crucially, it can provide a lower-bound average dollar value of the benefits of SOC audits, assuming managers choose rationally and adopt SOC audits only when their benefits exceed their costs. It can also provide insight into how much auditor effort goes into SOC audits since higher fees typically signify more audit hours worked on an audit. It can also help us understand how the benefits and costs of SOC audits compare to other more well-researched accounting services, such as financial statement audits and corporate tax management. It can also shed light on whether or not some of the SOC audit procedures are subsumed by integrated financial statement audits (or vice versa). For example, a test of audit fees can potentially determine whether firms gain efficiencies or synergies between their SOC audit and financial statement audit. It could be that a service organization’s own financial reporting processes run on the same or different set of systems than those used by its customers that are evaluated for a SOC audit. Fees can also be informative about whether or not the market for SOC audits, as part of the broader market for audit services, is economically significant and worth considering in subsequent audit research.Footnote 12

Examining the SOC audit fee environment is also important since prior studies commonly suppose that heightened audit-related fees represent heightened auditor-client conflicts of interest (e.g., Knechel et al. 2013, p. 401–402). However, prior studies have not investigated whether audit-related fees consist of diverse types of independent audits, such as SOC audits, that are performed in accordance with the same independence requirements that apply to financial statement audits (AICPA, 2017). This could potentially help us understand why the evidence is mixed on the association between audit-related fees and financial statement audit quality: some studies find no association, others find a positive association, and still others find a negative association (e.g., Ashbaugh et al. 2003; Frankel et al. 2002; Gipper et al. 2020; Koh et al. 2013; Kowaleski et al. 2018).Footnote 13

The above considerations lead to the third hypothesis, stated in the null form:

Hypothesis 3: SOC audits are not significantly associated with a company’s audit fee environment.

3 Collecting the SOC audit data

Unlike financial statement audit opinions, public companies are not obligated by law to receive SOC audits or publicly release SOC audit reports, and SOC audit reports are not collected by the SEC or other data providers at the current time. I therefore assemble a novel hand-collected sample of SOC audit reports by focusing on S&P 500 firms, as the process of determining whether a firm receives a SOC audit is labor intensive. When data collection began, the S&P 500 index accounted for about 80% of total market capitalization, indicating that these firms represent the vast majority of public firms in terms of market value. I must also focus on a recent year because the current SOC framework has been in place only since 2017. For precedents on this approach in the audit literature, Frankel et al. (2002) and Simunic (1980) use one year of data due to the labor required to collect information on audit fees, Bell et al. (2015) use data from only one audit firm for one year, and Lennox and Pittman (2011) use two years of data.Footnote 14

With the S&P 500 firms as of mid-2019 as my sample, I use the following procedure to determine whether a firm receives any type of SOC audit: (1) I directly use a firm’s website to determine whether it makes a SOC audit report publicly available from 2018 onward; (2) if I find no SOC audit report in step one, I directly contact that firm’s investor relations department and inquire whether it received a SOC audit from 2018 onward. This approach resulted in an answer for all firms, with about 12% of the sample’s SOC status determined in step one and 88% determined in step two.Footnote 15 To help insure against type I errors, I performed step two on a sample of firms for which I had already determined the existence of a SOC audit in step one, and all these firms confirmed that they indeed receive SOC audits. Importantly, the sample represents a deep cross-section of firms that vary by industry, size, and other factors. Schoenfeld (2017, p. 57), who also analyzes only S&P 500 firms, notes that S&P’s decision to include a firm in the index is not strategic and does not reflect any private belief about that firm (index additions typically occur after acquisitions of index firms).Footnote 16

I denote firms that receive SOC audits as “SOC Audit” firms. One potential limitation of the data is that although all firms communicated to me whether they receive SOC audits, some firms were more forthcoming with detail about their audits than others (SOC audit reports can contain sensitive information about corporate systems). In some cases, I obtained all of a company’s SOC audit reports with all their accompanying worksheets specifying the controls tested. In other cases, companies told me that they received a SOC audit but would not divulge whether it was a SOC 1 or 2 audit (or both) or the audit opinion. In some of these cases, I was told that I would need to establish a valid vendor account with the company to retrieve its SOC audit report in its entirety, which I cannot do for ethical reasons. Due to these data constraints, the subsequent analyses do not cut on whether firms receive SOC 1 or SOC 2 audits. Although this masks some of the audit heterogeneity, both types of audits are fundamentally similar in that they pertain to customer-relevant controls and supplement integrated financial statement audits.

After assembling the sample, I link each firm to data in Compustat and Audit Analytics. I also construct a firm-level business-model data exposure measure using a firm’s most recent annual report as of mid-2019, computed as each annual report’s frequency count of the terms analytics, big data, cloud platform, database, digital, and digitization, divided by the total number of words in the annual report. I then denote firms as being data exposed if their value for this measure falls in the top tercile of the sample. In generating this measure, I use all sections of the annual report because Loughran & McDonald (2016, Section 2.1) emphasize that parsing annual reports by sections can create “systemic errors” given the inconsistencies in how firms use section headers and HTML/XML tags. Also, based on a manual reading of several annual reports, information on firms’ business-model exposure to data can appear in many sections of their annual reports.Footnote 17 The variables are described further in Section 4 and Appendix D.
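The data exposure measure described above can be computed as follows. This is an added example, not the study's own code: the tokenizer, the exact-token matching rule (plurals such as "databases" are not counted), the use of `statistics.quantiles` for the top-tercile cutoff, and the six report excerpts are all assumptions constructed for illustration.

```python
import re
import statistics

# Terms listed in the text; multi-word terms are matched as token phrases.
DATA_TERMS = ("analytics", "big data", "cloud platform",
              "database", "digital", "digitization")

_WORD = re.compile(r"[a-z0-9]+")


def tokenize(text):
    """Lower-case the text and split it into alphanumeric tokens."""
    return _WORD.findall(text.lower())


def count_term(tokens, term):
    """Count exact occurrences of a one- or multi-word term in a token list."""
    parts = term.split()
    n = len(parts)
    return sum(1 for i in range(len(tokens) - n + 1) if tokens[i:i + n] == parts)


def data_exposure(text):
    """Frequency of the data terms divided by total words in the report."""
    tokens = tokenize(text)
    if not tokens:
        return 0.0
    hits = sum(count_term(tokens, term) for term in DATA_TERMS)
    return hits / len(tokens)


def flag_data_exposed(reports):
    """Map each firm to True if its measure falls in the top tercile.

    Assumption: the cutoff is the upper tercile cut point of the sample
    (inclusive interpolation) and a firm must exceed it to be flagged.
    """
    scores = {firm: data_exposure(text) for firm, text in reports.items()}
    cutoff = statistics.quantiles(scores.values(), n=3, method="inclusive")[1]
    return {firm: score > cutoff for firm, score in scores.items()}


# Constructed excerpts standing in for full annual reports (not real filings).
REPORTS = {
    "FIRM_A": "Our cloud platform stores customer data in a managed database. "
              "Revenue from analytics and big data services grew as digital "
              "adoption increased.",
    "FIRM_B": "We process payments for merchants and maintain a database of "
              "transactions. Our digital wallet relies on analytics to detect fraud.",
    "FIRM_C": "We operate retail stores and an online shop. Digital sales were "
              "a small part of revenue.",
    "FIRM_D": "We explore for and produce crude oil and natural gas. Production "
              "volumes depend on commodity prices.",
    # Edge case: the plural "databases" is not an exact match for "database".
    "FIRM_E": "We generate and distribute electricity to residential customers. "
              "Our databases are hosted on premises.",
    "FIRM_F": "We fly passengers between hub airports. Fuel is our largest cost "
              "and digitization of ticketing continues.",
}

if __name__ == "__main__":
    flags = flag_data_exposed(REPORTS)
    for firm, text in REPORTS.items():
        print(f"{firm}: measure={data_exposure(text):.4f} data_exposed={flags[firm]}")
```

Whether word variants should count toward a term is a design choice the text does not specify; with exact matching, FIRM_E scores zero despite mentioning databases.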

4 Hypothesis testing and empirical results

4.1 Testing Hypothesis 1: SOC audit scope

Since there is limited research on the nature of SOC audits, Hypothesis 1 examines the scope of the work performed by audit firms in SOC audits. This hypothesis does not lend itself to hypothesis testing using standard econometric methods. Instead, the evidence for this hypothesis is based directly on the SOC audit reports and accompanying audit-level detail collected from the firms in the sample. Recall that a novel feature of SOC audit reports is that the audit opinion is often accompanied by a worksheet containing all the internal controls that managers identify as in-scope for the audit and descriptions of all the tests performed by the audit firm and the outcome of those tests (this differs from financial statement audits, where researchers observe only the audit opinion).

Based on the direct examination of the SOC audit reports in the sample, Table 1 documents the types of internal controls that companies commonly designate as in-scope for their SOC audits. The internal controls included in this table represent the controls that appear at least ten times in the corpus of SOC audit reports. The internal control descriptions, which can vary across firms, have been modified for clarification and conciseness and to remove any identifying information. Table 1 shows that these controls pertain to the delegation of authority over data-related processes, physical and virtual access rights over data, cryptographic and encryption protocols, network security configuration, external vulnerability threats, vendor policies, data storage, login protocols, and coding environments. I next briefly discuss a few of these controls in more detail.

Table 1 Descriptions of Internal Controls Evaluated for Service Organization Control Audits

Consider internal control three in Table 1 over cryptographic custodians. Data encryption is a security process that guards against data misappropriation by encoding data using an encryption key, thereby rendering the data scrambled or useless to any entity without the correct decryption key. The decryption keys are often known by a small number of cryptographic custodians, and the decryption keys and custodians are often cycled out every few months. A strong key management system includes policies on the key lifecycle and physical and logical access to the key servers. In one SOC audit report from the sample, the auditor tested the controls over cryptographic custodians by inquiring, of the cryptography manager, whether the roles and responsibilities for cryptographic custodians were formally documented and agreed to by those individuals. The auditor then selected a sample of employees from the group of cryptographic custodians, evaluated their access to systems that store or use encrypted data, and reconciled their inspected roles and responsibilities to internal company policy and documentation.
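The custodian test described above (confirm roles are documented and agreed to, sample custodians, compare their access on systems holding encrypted data against the documented role) can be expressed as a reconciliation script. This is an added example, not taken from any SOC audit report or from the study; the roster fields, system names, finding labels and all sample records are hypothetical and constructed for illustration.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Custodian:
    user: str
    role: str             # documented role; empty string means not documented
    acknowledged: bool    # custodian formally agreed to the documented role
    systems: frozenset    # systems the documented role permits access to


# Constructed roster of cryptographic custodians (hypothetical policy record).
ROSTER = [
    Custodian("alice", "HSM operator", True, frozenset({"hsm-01", "kms-prod"})),
    Custodian("bob", "Key backup custodian", False, frozenset({"key-vault-backup"})),
    Custodian("carol", "KMS administrator", True, frozenset({"kms-prod"})),
    Custodian("dave", "", False, frozenset()),
]

# Constructed access export: (user, system) grants on systems that store or
# use encrypted data.
GRANTS = [
    ("alice", "hsm-01"), ("alice", "kms-prod"),
    ("bob", "key-vault-backup"),
    ("carol", "kms-prod"), ("carol", "hsm-01"),
    ("dave", "kms-prod"),
]


def select_sample(roster, size, seed):
    """Draw a reproducible sample of custodians, as an auditor would record it."""
    users = sorted(c.user for c in roster)
    return sorted(random.Random(seed).sample(users, min(size, len(users))))


def review_custodians(roster, grants, sample_size, seed):
    """Return sorted (user, finding) exceptions for the sampled custodians."""
    by_user = {c.user: c for c in roster}
    actual = {}
    for user, system in grants:
        actual.setdefault(user, set()).add(system)

    findings = []
    for user in select_sample(roster, sample_size, seed):
        custodian = by_user[user]
        # Step 1: role must be formally documented and agreed to.
        if not custodian.role:
            findings.append((user, "role_not_documented"))
        elif not custodian.acknowledged:
            findings.append((user, "role_not_acknowledged"))
        # Step 2: observed access must not exceed what the documented role permits.
        for system in sorted(actual.get(user, set()) - custodian.systems):
            findings.append((user, f"access_beyond_role:{system}"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in review_custodians(ROSTER, GRANTS, len(ROSTER), seed=7):
        print(f"{user}: {finding}")
```

Recording the seed alongside the sample lets a reviewer re-draw the same custodians and reproduce the exceptions.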

Next, consider internal control four in Table 1 over two-factor authentication. Two-factor authentication ensures that users attempting to access an account are who they claim they are, and is usually implemented using a cellphone application, USB drive, fingerprint, or voice scan. In one SOC audit report from the sample, the auditor tested this control by interviewing system managers to ensure that the client requires users to use two-factor authentication to access the network. Then, the auditor inspected the authentication configuration to determine that authentication to the firm’s internal network from remote locations required two-factor authentication. In another control related to login, the auditor inspected the system configurations, observed an engineer attempt to log in to a physical host without the appropriate access, tested a large sample of logins to physical hosts, and inspected the client’s firewall settings to ensure that the firewall was operational.

Next, consider internal control 16 in Table 1 over maintaining separate production and development coding environments. Developing software is a continuous process, and the main reason to not mix the production and development coding environments is that development requires testing and debugging. One wrong line of code can disable or corrupt an entire enterprise system. In one SOC audit report from the sample, the auditor tested this control by interviewing software managers to ensure the client had policies in place to maintain separate coding environments for production and development. Then, the auditor selected a large sample of coding changes migrated from the development environment to the production environment and inspected the deployment channels to determine whether the production and development environments were in fact kept separate.

Using Amazon and Google as short case studies (Section 4.2 provides additional case evidence), both firms receive a SOC audit from Ernst & Young for several of their services across many geographic regions (physical technology is often distributed geographically). Someone familiar with Amazon Web Services (AWS, Amazon’s cloud service) would recognize many of these services. For example, among 114 service lines, AWS’s popular Elastic Compute Cloud is included, as is its data storage service Simple Storage Service. Google likewise receives a SOC audit of Gmail, Google Calendar, and Google Cloud, among many of its other services. Other companies in the SOC audit sample include Facebook, Goldman Sachs, Oracle, and Salesforce.

To further put the nature of the internal controls evaluated during SOC audits in perspective, Fig. 2 provides a word cloud that illustrates the terminology in the corpus of the SOC audit reports that I obtained (specifically, the list of internal controls identified by management and tested by the auditor). I include only the top 40 words and omit common stop words such as “and” and “the”. The word sizes are proportional to their frequency in the corpus of the SOC audit reports. Consistent with the prior evidence, Fig. 2 shows that the words “access”, “customer”, and “data” occur the most frequently in the reports, while words such as “key” and “security” are also commonly found in the reports.

Fig. 2 Word Cloud for Service Organization Control Audit Reports. This figure provides a word cloud summary created from the corpus of SOC audit reports in the sample. The 40 most frequently occurring words are included (omitting stop words such as “and” and “the”), and the word sizes are proportional to their frequency in the corpus of reports.

Overall, the evidence in this section is consistent with Hypothesis 1 that the controls evaluated for SOC audits relate to the client’s customer-relevant technology-related systems. The evidence also shows that the scope of SOC audits largely supplements the internal control framework created by COSO, which centers on the controls over the recognition of revenues and expenses at the audit client as opposed to the client’s customers (e.g., Altamuro & Beatty 2010; Schroeder & Shepardson 2016; Yoon et al. 2015).

4.2 Testing Hypothesis 2: SOC audit adoption rates

Prior studies on voluntary audit adoption often take a two-pronged approach that (1) estimates some (but not all) benefits and costs of the audit, and (2) builds a reduced-form empirical model of audit adoption that tests whether adoption is systematically correlated with these benefits and costs (e.g., Allee & Yohn 2009; Chow 1982; Lennox & Pittman 2011; Lisowsky & Minnis 2020; Minnis 2011). This is the longstanding revealed preference approach where the variation in the audit choice itself is used to indirectly estimate the variation in the unmeasurable benefits and costs of the audit. Following this framework, Hypothesis 2 predicts that a company’s decision to adopt or not adopt a SOC audit is driven mainly by the nature of that company’s business model.

Specifically, companies that derive benefits from collecting and processing large amounts of data from corporate customers will likely need to design and enforce complex internal controls over data security and processing integrity. Thus, companies in technology and other data-driven industries are good candidates for realizing benefits from SOC audits. By contrast, firms that do not collect large amounts of data may forgo a SOC audit due to its cost. As a result, industry classifications are good proxies for the benefits and costs of SOC audits. [Footnote 18]

Table 2 provides an industry breakdown of the prevalence of SOC audits. Consistent with the expectations above, about 62% of firms in the information technology industry (e.g., Salesforce) receive SOC audits. Other industries with a large fraction of firms that receive SOC audits include communication services (e.g., Facebook) at 48%, financials (e.g., Goldman Sachs) at 48%, and healthcare (e.g., UnitedHealth Group) at 30%. By contrast, SOC audits are relatively less common but still existent in the materials industry at 8% of firms, the utilities industry at 11%, and the energy industry at 11%. Note that some companies in these industries operate trading desks that require sensitive data from their customers, and potentially feed data directly into their customers’ supply chain systems (e.g., BP 2014; Zhu 2019). A recent ransomware attack at Colonial Pipeline, a prominent oil pipeline operator, exemplifies the important role played by technology at such firms (Shear et al. 2021).

Table 2 Industry breakdown of service organization control audits for S&P 500 firms in 2019

Table 3 provides the market share among audit firms for SOC audits by industry and overall in the sample. Note that if an audit firm does not design or operate SOC-related controls at a client, it is appropriate for that audit firm to perform both a financial statement audit and a SOC audit at that client. Indeed, about 85 percent of companies that receive SOC audits have the same audit firm perform both their financial statement audit and their SOC audit, suggesting that there is a convenience or economies of scale in using the same audit firm (perhaps because of existing relationships with management, etc.). This is similar to how most companies hire the same firm to do their financial statement audit and taxes (De Simone et al. 2015). Table 3 shows that among the four largest accounting firms, E&Y has the highest SOC audit market share at 29.5%, followed by PwC at 22.6%, and Deloitte and KPMG both at 18.5%. Smaller audit firms perform 11% of the SOC audits in the sample. Among these 11% of companies, about half also hire smaller audit firms to perform their financial statement audits. The within-industry market shares for SOC audits are relatively similar to those observed for financial statement audits, suggesting that companies perceive it as costly to use different audit firms for different types of audits, or that any industry-specific financial statement audit expertise translates to industry-specific SOC audit expertise.

Table 3 Audit firm market share for service organization control audits for S&P 500 firms in 2019

Table 4 shows that overall, about 29% of firms in the sample receive SOC audits, and the firms that receive SOC audits are significantly larger and more data exposed than firms that do not receive SOC audits. To put these results in perspective using other settings where management’s decision to receive an audit is not explicitly mandated by legislation, about 23 to 37% of private firms elect to receive financial statement audits depending on the sample, a rate that generally increases with firm size (Lisowsky & Minnis 2020, Table 3; Minnis 2011, Table 3); and 13% of SOX 404-exempt firms elect to receive audits of internal controls over financial reporting (Ge et al. 2017, Section 3). Firms that receive SOC audits also have significantly lower leverage and more current assets as a proportion of overall assets. The full sample is relatively comparable on the dimensions of ROA and business segments. There are also significant differences in audit and audit-related fees across SOC audit adopters and non-adopters, which are examined further in Section 4.3.

Table 4 Descriptive statistics for service organization control audits for S&P 500 firms in 2019

With firm size being one of the key differences between SOC audit adopters and non-adopters, Table 5 partitions firms into size and SOC audit adoption quartiles by industry. Each cell in Table 5 listed under “Total Assets” reports the number of firms in each size quartile that receives a SOC audit and, in parentheses, that number scaled by the total number of firms in the given industry. For example, in the row labeled “Communication Services,” there are 23 total firms in that industry, 11 of which receive SOC audits. Two of these 11 SOC audit adopters fall into the smallest size quartile for the industry and represent 40 percent of the total number of firms in that quartile. I find that while the relation between firm size and SOC audit adoption is positive in some industries, it is non-monotonic in other industries. While size likely proxies for the amount of data managed by a firm and thus its demand for a SOC audit, these results do not support the idea that size is the dominant driver of SOC audit demand. To more critically examine the relation between firm characteristics and SOC audit adoption, I construct a reduced-form empirical model of SOC audit adoption conditional on several variables motivated by past studies and the institutional setting. Specifically, I include industry factors, firm size, and the variables from Table 3 of DeFond and Zhang (2014) that have been linked to other attributes of a firm’s audit environment, such as leverage and profitability (e.g., DeFond & Jiambalvo 1991; Doyle et al. 2007; Hay et al. 2006; Kinney & McDaniel 1989). To better accommodate fixed effects, I use linear probability models in this analysis, although all the results are similar in terms of statistical significance using logit and probit models. The initial regression is specified as follows:

$$ \begin{array}{@{}rcl@{}} SOC \ Audit_{i} &=& \alpha + \beta_{1} Industry_{i} + \beta_{2} Log(Assets)_{i} + \beta_{3} Leverage_{i} \\ &&+ \beta_{4} Loss \ Firm_{i} + \beta_{5} ROA_{i} + \beta_{6} \frac{Current \ Assets}{Total \ Assets}_{i} \\ &&+ \beta_{7} Quick \ Ratio_{i} + \beta_{8} Segments_{i} + \beta_{9} December \ YE_{i} + \epsilon_{i},\\ \end{array} $$
(1)

where index i represents the firm, SOC Audit represents an indicator variable for whether firm i receives a SOC audit, and Industry represents firm i’s GICS industry or subindustry depending on the test. Appendix D provides the exact formulas for all the variables.

Table 5 Industry and Firm Size Sorts of Service Organization Control Audits for S&P 500 Firms in 2019

Table 6, column 1 shows that including all the industry-fixed effects and the other variables explains about 20% of the variation observed in the prevalence of SOC audits. This finding compares well to Table 6 of Minnis (2011) and Table 5 of Lisowsky and Minnis (2020), whose empirical models of financial statement audit adoption in private firms explain about 23% and 20% of the variation, respectively. Table 6, column 1 also shows that SOC audit adoption is explained in part by firm size as measured by the log of total assets (1% level) and the ratio of current assets to total assets (10% level). Table 6, column 2 shows that after controlling for industry, SOC audit adoption is significantly positively associated with business-model exposure to data (1% level). [Footnote 19]

Table 6 Service organization control audit adoption model for S&P 500 firms in 2019

Given the dominant role played by firms’ industry membership in explaining the adoption of financial statement audits (Lisowsky & Minnis 2020, Table 3), I next more critically examine the relation between SOC audit adoption and industry membership. I regress the SOC audit adoption indicator variable on the industry indicators one at a time after controlling for other firm characteristics, which lets the baseline or base case probability of a SOC audit equal the conditional average of the SOC audit variable with the other variables. [Footnote 20] Table 6, columns 3 through 6 include the two largest positive and negative statistically significant industry coefficients from these tests. Table 6, columns 3 and 4 show that a firm is 37.4% more likely to receive a SOC audit if it is in the information technology industry and 20.2% more likely to receive a SOC audit if it is in the financials industry (1% level for both). There is no significant result for the communications industry, which could be due to low power since this industry has only 23 firms in total. Table 6, columns 5 and 6 show that there is a negative association between SOC audits and the consumer staples industry at 20.5% (5% level) and the energy industry at 19.6% (5% level). All these coefficients are also statistically different from each other when compared pairwise (1% level). These findings further support the idea that firms’ business models are key drivers of the net benefit of SOC audit adoption.

The GICS industries accommodate a variety of new subindustries such as data processing. To further test Hypothesis 2, Table 7 regresses the prevalence of SOC audits on several specific subindustries that likely derive the most net benefit from SOC audits due to their business model. As before, I insert the industry indicators one at a time, which lets the base case probability of a SOC audit equal the conditional average of the SOC audit variable after controlling for other firm characteristics. Table 7 shows that SOC audit adoption is significantly associated with data processing services at a 47.2% increased likelihood (1% level), internet services and infrastructure at a 71.7% increased likelihood (1% level), application software at a 52.8% increased likelihood (1% level), investment banking at a 60.9% increased likelihood (1% level), internet marketing at a 57.2% increased likelihood (5% level), and information technology consulting at a 32.0% increased likelihood (10% level). The economic magnitude of the result for internet services and infrastructure is the largest among the industries and subindustries.

Table 7 Service organization control audit adoption by subindustry for S&P 500 firms in 2019

Overall, the observed SOC audit adoption rates support Hypothesis 2 and the notion that the benefits and costs of SOC audits derive largely from firms’ business models. The magnitudes of these findings are also economically meaningful, ranging from about a 20 to a 70% increase in SOC audit adoption rates for a sample whose mean SOC audit adoption rate is 29%.

A potential limitation of the prior analysis is that regressions alone cannot tell us exactly what managers are thinking and why some firms that appear to be good candidates for SOC audits do not receive them. I therefore supplement the large-scale empirical analysis with two short case studies based on interviews with managers. [Footnote 21] Consider two companies in the sample that produce electronics, Apple and Texas Instruments (TI). Apple receives a SOC audit but TI does not. Apple explained that it receives a SOC audit in part because many external media distributors compute their revenue based on data received directly from Apple, such as the number of song streams and movie rentals purchased, for which these distributors pay Apple a cut. Apple also operates several enterprise computing systems and software products used by corporate clientele. By contrast, TI explained that it does not receive a SOC audit because it operates more in the wholesale electronics space and does not typically operate technology systems directly linked to those of corporate clientele. Another example of similar firms with different SOC audit decisions is Goldman Sachs and SunTrust. Goldman explained that it receives a SOC audit in part because it operates the technology behind trading platforms and other services used by hedge funds and other corporate clientele whose financial reporting systems are exposed. By contrast, SunTrust is more focused on its savings and loan business and lacks a deep portfolio of technology-based service offerings. These findings further support the idea that the benefits and costs of SOC audits derive from firms’ business models.

4.3 Testing Hypothesis 3: SOC audits and the audit fee environment

Given that not all firms receive SOC audits, the costs of SOC audits likely outweigh their benefits for some firms, and vice versa. Hypothesis 3 therefore analyzes whether SOC audits are associated with audit fees and audit-related fees. Audit fees consist of fees paid to an audit firm for performing an integrated financial statement and SOX 404 audit. By contrast, audit-related fees consist of fees paid to an audit firm for audit services that are beyond the scope of an integrated financial statement audit, including SOC audits. Therefore, SOC audits should not be associated with audit fees unless the procedures for a SOC audit substitute (by way of overlaps in testing, knowledge spillovers, etc.) for some of the financial statement audit procedures. There is potentially some indirect evidence of this in Liu (2022), who finds that the quality of a company’s financial statement audit is associated with the likelihood of a data breach at that company. There is also evidence of audit spillover effects related to firms’ disclosure choices, tax strategies, and operational consulting engagements (e.g., Ball et al. 2012; Bell et al. 2001, 2015; Davis et al. 1993; Dorantes et al. 2013; Koh et al. 2013; Lim and Tan 2008; Palmrose 1986; Simunic 1984; Whisenant et al. 2003). Bauer (2016), for example, finds an association between a company’s tax strategy and internal control weaknesses.

Firm size and other factors can contribute to audit fees, and prior research has relied on good empirical models for explaining audit fees. Specifically, Table 3 of DeFond and Zhang (2014) recommends several variables to include in such a model. The subsequent audit fee regressions include these variables, industry-fixed effects, and the indicator variable for SOC audit adoption (I cannot include firm- and year-fixed effects given the sample’s composition). [Footnote 22] As in prior research on audit fees, I assume there is no systematic omitted factor that is significantly correlated with both SOC audits and audit fees (I cannot test this condition). Also note that propensity score matching is inappropriate for this setting (e.g., Gow et al. 2016; Larcker & Rusticus 2010; Shipman et al. 2017). A feature of using the indicator variable for SOC audit adoption is that it accommodates any non-linear association between SOC audits and audit fees. The audit fee regression is specified as follows:

$$ \begin{array}{@{}rcl@{}} Log(Audit \ Fees)_{i} &=& \alpha + \beta_{1} SOC \ Audit_{i} + \beta_{2} Log(Assets)_{i} + \beta_{3} Leverage_{i} \\ &&+ \beta_{4} Loss \ Firm_{i} + \beta_{5} ROA_{i} + \beta_{6} \frac{Current \ Assets}{Total \ Assets}_{i} \\ &&+ \beta_{7} Quick \ Ratio_{i} + \beta_{8} Segments_{i} + \beta_{9} December \ YE_{i}\\ &&+ \sum \beta_{n} Industry \ FE + \epsilon_{i}, \end{array} $$
(2)

where index i represents the firm, Log(Audit Fees) represents the natural log of financial statement audit fees from Audit Analytics, SOC Audit represents an indicator variable for whether firm i receives a SOC audit, and the industry-fixed effects represent the 11 GICS industries. The main coefficient of interest is β1. Following Ashbaugh-Skaife et al. (2007), DeFond et al. (2002), and Doyle et al. (2007), I control for log of total assets because smaller firms may require less audit work; leverage because debt may necessitate audit work around covenant compliance; ROA, loss firms, the ratio of current to total assets, and the quick ratio because firms in financial distress may require more audit work; segments because more complex firms may require more audit work; and December fiscal year end. Appendix D provides the exact formulas for the variables.

Table 8, column 1 shows that there is no significant association between SOC audit adoption and audit fees at conventional levels (p > 0.1), consistent with there being no systematic spillovers or overlap between financial statement audits and SOC audits. In any event, the audit fee regression explains about 56% of the variation in audit fees, which suggests that this regression is well-specified compared to prior research (see Section 2.3.2 and footnote 42 of DeFond and Zhang 2014). To put this in perspective, regressions of commonly used measures of audit quality often explain about five to ten percent of the variation in these measures.

Table 8 Service organization control audits and audit fees for S&P 500 firms in 2019

I next examine the more likely candidate for capturing SOC audit fees—audit-related fees, which consist of fees paid to audit firms for audit services beyond the financial statement audit. Audit-related fees are distinct from any tax and technology consulting fees paid to an audit firm, which are included in different variables provided by Audit Analytics that draw from different line items on a firm’s proxy statement (e.g., De Simone et al. 2015). [Footnote 23] To test whether SOC audits are associated with audit-related fees, I replace audit fees in Eq. 2 with audit-related fees as follows:

$$ \begin{array}{@{}rcl@{}} Log(Audit\text{-}Related \ Fees)_{i} &=& \alpha + \beta_{1} SOC \ Audit_{i} + \beta_{2} Log(Assets)_{i} \\ &&+ \beta_{3} Leverage_{i} + \beta_{4} Loss \ Firm_{i} + \beta_{5} ROA_{i} \\ &&+ \beta_{6} \frac{Current \ Assets}{Total \ Assets}_{i} + \beta_{7} Quick \ Ratio_{i} \\ &&+ \beta_{8} Segments_{i} + \beta_{9} December \ YE_{i}\\ &&+ \sum \beta_{n} Industry \ FE + \epsilon_{i}, \end{array} $$
(3)

where index i represents the firm, Log(Audit-Related Fees) represents the natural log of audit-related fees from Audit Analytics, SOC Audit represents an indicator variable for whether firm i receives a SOC audit, and the industry-fixed effects represent the 11 GICS industries. The main coefficient of interest is β1, and I include the same firm variables as in Eq. 2.

Note that Eq. 3 will likely render lower-bound estimates of SOC audit fees, as audit-related fees often comprise only the fees a company pays to its financial statement audit firm. For any companies where different accounting firms conduct the SOC and financial statement audits, audit-related fees may understate the fees paid for SOC audits. As a result, Eq. 3 is a conservative test. This data limitation is common in the audit fee literature and biases against finding a result for SOC audit fees.

Table 8, column 2 shows that SOC audits are significantly positively associated with audit-related fees (1% level). Specifically, I observe about a 69% increase in audit-related fees per year for firms with SOC audits after controlling for size, industry-fixed effects, and other factors. Table 8, column 3 shows that this finding translates to approximately $900,000 in additional audit-related fees per year (1% level). To put the economic magnitudes of these results in perspective, the average audit-related fee in my sample is about $1.5 million per year, meaning that SOC audits are an economically large component of total audit-related fees. Thus, large audit-related fees should not necessarily be construed as evidence of heightened auditor-client conflicts of interest, as SOC audits are performed in accordance with the same independence requirements that apply to financial statement audits (AICPA, 2017). [Footnote 24] In addition, $900,000 can be thought of as the lower-bound average dollar value of the benefits of SOC audits, assuming managers choose rationally and adopt SOC audits only when their benefits exceed their costs.

To further put the above results in perspective, Ge et al. (2017, Section 4) find that firms exempt from SOX 404 internal control audits saved on aggregate $388 million in audit fees from 2007 to 2014, which translates to about $49 million per year. [Footnote 25] By comparison, if the 146 firms in my sample that receive SOC audits pay on average $900,000 per year for these audits, firms in the S&P 500 alone pay about $131 million for SOC audits per year on aggregate. Also, companies in my sample pay accounting firms about $1.3 million per year for 4,300 hours of corporate tax services, assuming an average blended hourly billing rate of $300 (De Simone et al. 2015, p. 746). Assuming the same billing rate for SOC audits, the $900,000 in additional audit-related fees per year corresponds to approximately 3,000 billable hours for a SOC audit. In addition, Ge et al. (2017, Section 4) find that SOX 404 audits are associated with about a 30% increase in financial statement audit fees per year, and Minutti-Meza (2014) and Badertscher et al. (2014) document that the litigation exposure derived from auditing public firms is associated with a 20% increase in financial statement audit fees per year. [Footnote 26] Overall, these findings suggest that SOC audits represent an economically large component of the audit fee environment, which is an important consideration for future audit research.

In a few instances of particularly large SOC audit fees, I find that companies explicitly discuss these fees in their proxy statement. For example, Google’s parent company Alphabet noted that it paid $6.2 million for SOC audits in 2018. However, not all firms disaggregate their SOC audit fees in this way. These specific findings further corroborate that SOC audits are economically valuable to firms.

4.4 Additional evidence on the nature of SOC audits

The next analyses are motivated by related findings from prior research. I start by testing whether SOC audits are associated with the attributes of a company’s financial statement audit. Managers responsible for the decision to receive a SOC audit may also oversee some of their firm’s internal controls over financial reporting. As a result, SOC audit adoption may relate to the attributes of financial statement audits. For example, a firm with weak internal controls over financial reporting may not seek a SOC audit for fear that it would yield an unfavorable result. Such spillover effects are evident in other settings, such as corporate tax planning and financial reporting (e.g., De Simone et al. 2015; Francis 2006; Gleason and Mills 2011; Kinney et al. 2004). Table 9, columns 1 through 3 therefore regress the SOC audit indicator variable on indicator variables for whether a firm, in its most recent financial statement audit as of mid-2019, received a qualified opinion on its internal controls over financial reporting, a qualified opinion on its financial reports, or a qualified opinion on either its internal controls or its financial reports. After controlling for the variables in Table 6 and industry-fixed effects, Table 9, columns 1 through 3 show that there are no significant associations between SOC audit adoption and deficiencies in financial statement audits.

Table 9 Additional tests of service organization control audits for S&P 500 firms in 2019

I next test whether SOC audits are more prevalent in firms whose financial statements are audited by the four largest accounting firms (Deloitte, Ernst & Young, KPMG, PwC). DeFond & Zhang (2014, p. 301) argue that given client heterogeneity, these firms likely have economies of scale and expertise in different domain areas (e.g., Aobdia 2015; Haislip et al. 2016; Minutti-Meza 2013). If any single accounting firm is particularly competent in SOC audits, it may be more likely than other firms to suggest SOC audits to their financial statement audit clients, which could result in a correlation between a company’s financial statement auditor and its decision to receive a SOC audit. This issue is particularly salient in the SOC audit setting because an accounting firm is commonly permitted to perform both a financial statement and SOC audit at a single client. Table 9, columns 4 through 7 regress the indicator variable for a SOC audit on indicator variables representing a company’s financial statement auditor and the control variables from Table 6. I do not find significant coefficients for any of the individual accounting firms.

5 Comparing SOC audits to financial statement audits

I next synthesize the results by comparing SOC audits to financial statement audits. Given this study’s focus and sample composition, I center the analysis on the audit environment for public firms. Note first that SOC audit reports are separate from integrated financial statement audit reports that opine only on a client’s financial statements and controls over revenue and expense recognition. Table 10 summarizes this discussion.

Table 10 Comparison of SOC audits to financial statement audits for public firms

Conceptually, SOC audit reports and financial statement audit reports are similar in that both represent an independent evaluation of specific processes within a firm. However, unlike financial statement audits, SOC audits are intended mainly for the audit client’s customers, not investors. While the AICPA requires that CPA firms conduct SOC audits, a traditional CPA would likely not be able to perform these audits effectively. Indeed, many accounting firms now educate their staff on SOC-related technologies. For example, Deloitte’s Cloud Institute is widely used by its workforce, and Ernst & Young offers its staff an in-house “Tech MBA” (footnote 6 provides more detail on these programs).

SOC audit reports and financial statement audit reports are also similar in that they are of interest to multiple classes of end users and stakeholders. For example, financial statement audit reports are useful to shareholders, lenders, and regulators. SOC audit reports are useful to companies and their financial statement auditors, and may help the audit client differentiate itself from competitors in the product market, potentially adding value to the firm for shareholders. SOC audits differ from financial statement audits in that public companies are not mandated by legislation to receive them; rather, SOC audit adoption is voluntary.

SOC audit reports also do not guarantee against client data breaches and other internal control failures, just as financial statement audit reports do not guarantee against client fraud or misstatements. It is ultimately management’s responsibility to run their firm appropriately, and audit firms typically cannot be held liable for such events absent negligence or fraud on their part. In addition, SOC audits are not designed to advise a client on how to avoid data breaches and internal control failures; rather, the auditor’s expertise is in evaluating controls. In fact, as with financial statement auditors, SOC auditors are required to maintain their independence by not advising their clients on specific operational decisions.

6 Conclusion

Corporate use of external enterprise technologies, such as cloud computing, puts the integrity of firms’ financial statements at risk, especially given the threat of cyberattacks. As a result, the AICPA developed a special type of voluntary audit that evaluates this risk, namely SOC audits. This study conducts one of the first systematic analyses of these audits. Using hand-collected data from public companies, I find that 29 percent of firms in the S&P 500 (representing $10.9 trillion in market value) receive these audits. I also find that business-model exposure to managing customer data predicts SOC audit adoption rates across firms, and the scope of these audits includes customer-relevant internal controls over data security and processing integrity. For the companies that adopt SOC audits, these audits are one of the largest predictors of the variation in audit-related fees, amounting to an economically significant $900,000 average annual increase in these fees and rivaling the average cost of corporate tax services. SOC audits are thus an important and concrete example of the broader social and governance mandates of new stakeholder-focused reporting frameworks, such as the SASB’s Conceptual Framework.

The attention gap between SOC audits and other accounting services provides a meaningful context for appreciating this study’s large-sample analysis. Such efforts are supported by the recent accounting methodology critiques of Bloomfield et al. (2016), Gerakos and Syverson (2017), Gow et al. (2016), Leuz (2018), and Leuz and Wysocki (2016), all of whom make a strong case for gathering new data because it can reveal key institutional features that otherwise go unrecognized in the literature. Indeed, recent surveys of the audit literature do not recognize the presence of SOC audits, which is a gap this study fills (e.g., DeFond & Zhang 2014; Knechel & Willenborg 2016).

Understanding the benefits and costs of audit adoption is central to all audit literature. This study embraces the precedent set by prior studies on voluntary audit adoption that evaluate the benefits and costs of an audit using audit adoption patterns across firms (e.g., Allee & Yohn 2009; Lennox & Pittman 2011; Lisowsky & Minnis 2020; Minnis 2011). Given the growing importance of SOC audits as firms increasingly adopt new technologies and allow employees to work remotely (especially given how the pandemic has changed the way business is done), incorporating SOC audits into the financial reporting and valuation literatures could be a promising research endeavor.