Auditors’ Perceptions Regarding Cybersecurity and Cybersecurity-Related Materiality
通过访谈2023年和2025年的审计师,发现后者更倾向于考虑超出直接财务影响的定性因素,但仍对如何整合这些因素感到不确定,对审计事务所、监管机构和未来研究有启示。
SYNOPSIS In 2023, the PCAOB announced that it would examine how auditors evaluate their client’s cybersecurity-related materiality judgments and compliance with the SEC’s enhanced cybersecurity disclosure rules. These rules require decision-makers to think about materiality more broadly than what is typically required in financial reporting contexts where the focus is on direct financial statement impacts. We interview auditors to examine how they perceive their role with respect to cybersecurity and the factors they consider when making cybersecurity-related materiality judgments. We find that, relative to auditors interviewed in 2023, auditors interviewed in 2025 were more likely to consider factors beyond those having relatively immediate, direct, and easily quantifiable financial statement impacts. However, we also find that auditors continue to experience uncertainty about how to incorporate qualitative factors into their cybersecurity-related materiality judgments. We discuss implications for audit firms, regulators, and future research. Data availability: Data are available from the authors upon request. JEL Classifications: M40; M41; M42; C83.