Cybersecurity is an ongoing concern for managing an evolving information technology (IT) control environment. In addition to costs related to investigation, remediation, and reputation, cyber incidents also impact costs related to the audit of internal controls. Companies that have a cyber incident may have a higher risk for a control deficiency. Companies that find they have a control deficiency must, in turn, test the remediation of that deficiency to assess its effectiveness.
In June 2020, Natura & Co [NTCO] was the target of a cyber incident at one of its subsidiaries. Following the incident, Natura found a material weakness in its IT general controls, which it remediated before the year-end. Between 2019 and 2020, Natura’s audit fees rose from 14.3 million reais to 73.3 million reais, a growth of over 500%.
The cyber incident wasn’t the only material event that had an impact on Natura’s audit fees. The company acquired Avon Products for 1.7 billion reais. The acquisition increased assets by three times and revenues by 2.5 times. The company also changed its audit firm from KPMG to PwC. Though other events contributed to the impact on Natura’s fees, overall, there is evidence that cyber incidents have had a clear impact on audit fees.
Between 2015 and 2019, companies that experienced a cyber breach saw audit fees increase by 4.2%. The impact, though, fluctuates from year to year and depends on the type of breach.
The analysis only looks at companies that disclose audit fees during both the year prior to the incident and the year of the incident; it excludes instances where a company disclosed multiple incidents during the same year. This reduced the number of incidents from 482 to 414.
We found that the change in audit fees following a cyber incident was unusually low during 2016, at just 0.8%. Upon further review, the unusually low change in fees related to three breaches: Altaba (formerly Yahoo!), Alibaba, and eBay. All three companies had significant business changes following the breach that contributed to lower fees:
- Altaba’s fees were lower because the largest portion of the company – Yahoo! – had been acquired by Verizon;
- Alibaba’s fees were lower because their prior year fees included costs related to the company’s massive IPO; and
- eBay’s fees were lower because of the company’s exit from PayPal and the sale of the company’s Enterprise segment.
Excluding these three cases, fees associated with 2016 cyber incidents would have been 5.2% higher.
On average, companies that experienced unauthorized access cyber incidents saw their audit fees decrease following the incident. 49% of companies that experienced unauthorized access incidents saw their audit fees decrease or stay the same.
By contrast, companies that experienced phishing incidents saw their audit fees increase by more than 7% following an incident. Phishing attacks that lead to monetary losses are often associated with personnel control deficiencies, specifically issues with segregation of duties.
As we can see, companies must consider additional costs associated with cyber incidents.