Is Operational Control Risk Informative of Financial Reporting Risk?

Transcription

1 Is Operational Control Risk Informative of Financial Reporting Risk? Alastair Lawrence Haas School of Business University of California at Berkeley Miguel Minutti-Meza University of Miami School of Business Administration Dushyantkumar Vyas Dept. of Management (UTM) & Rotman School of Management University of Toronto May 2014 ABSTRACT: This study provides evidence concerning the significance of assessing operational control risks as part of an integrative evaluation of internal controls. The current SOX regulatory framework in the U.S. requires assessments of the adequacy of financial reporting controls; however, assessments of operational controls are not mandated. In this study, we examine the implications of the current limited regulatory focus on controls over financial reporting from an investor perspective. We document two principal findings. First, using computer data breaches and an index-based risk measure to indicate operational control risk, we document a positive leading relation between operational control risk and near future financial reporting quality problems, inferred via restatements and SEC comment letters. Second, using audit fees as a proxy for audit risk, we find evidence that auditors already appear to incorporate operational risk in assessing audit risk. Collectively, we interpret our findings as suggesting that public assessments of operational control risks could inform investors in assessing financial reporting risk, and that requiring such assessments are not likely to be incrementally onerous. KEYWORDS: Operational controls; financial reporting quality; audit fees; data breaches. DATA AVAILABILITY: Breach data are available subject to the approval of the Identity Theft Resource Center. All other data are publicly available from the sources identified in the article. We have benefited from the comments of Dirk Black, Gus De Franco, Ole-Kristian Hope, Clive Lennox, Linda Myers, Steven Salterio, Wally Smieliauskas, Kevin Veenstra, Taylor Wiesen, Kun Yu, and workshop participants at the 2010 Midyear Meeting of the American Accounting Association Auditing Section (San Diego), the 2010 London Business School Transatlantic Doctoral Conference, and the 2010 Annual Meeting of the American Accounting Association (San Francisco). We thank the Identity Theft Resource Center for providing the breach data and Heather Li for the assistance with the textual analysis. A previous version of this paper was titled The Implications of Operational Control Risk for Audit Risk and SOX-Mandated Internal Control Assessments.

2 I. INTRODUCTION This study provides evidence concerning the significance of assessing operational control risks as part of an integrative evaluation of internal controls. Operational control risks have been overshadowed in the past decade as many firms have focused on strengthening financial reporting controls as defined in Section 404 of the Sarbanes Oxley Act of 2002 (SOX). Our study documents two main findings. First, we use publicly disclosed computer data breaches (often also referred to as cyber breaches or privacy breaches) and an index-based measure from firm s 10-K forms to proxy for operational control risk, and find that operational control risks are associated with near future manifestations of weaknesses in financial reporting quality such as restatements and receipt of comment letters from the Securities Exchange Commission (SEC). 1 In other words, investors could potentially use weaknesses in operational controls as precursors to financial reporting problems (i.e. indicators of financial reporting risk). Second, we infer by examining audit fees that auditors seem to incorporate operational control risk in their audit risk assessments. Our findings suggest that such assessments are already built into extant procedures, and accordingly, are not likely to be incrementally onerous. However, despite the apparent usefulness to investors, under the current SOX regulatory framework operational control risk is not directly translated into public control risk assessments. A comprehensive view of internal control includes controls over operations, financial reporting, and regulatory compliance. For example, the Committee of Sponsoring Organizations of the Treadway Commission (COSO 2013) recognizes that controls over operations are part of a comprehensive view of internal controls. COSO defines internal control as: 1 Data breaches are generally defined as the intentional or unintentional release of secure information to an untrusted environment. 1

3 a process, effected by an entity s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance. The COSO framework (COSO 1992), originally published in 1992 and updated in 2013 (COSO 2013), is the most widely used standard for assessing the effectiveness of internal control in the U.S. The Securities and Exchange Commission (SEC) initially used the COSO framework as guidance that companies could use for compliance with SOX (Compliance Week 2012). Following the implementation of SOX the public focus on internal control has been primarily limited to financial reporting risks rather than operating and regulatory risks. The lack of external attention to controls over operations and regulatory compliance has been a concern among professionals and senior executives. Businesses could be susceptible to material control risks despite having a clean assessment of internal controls over financial reporting (e.g., Ernst & Young 2006). The narrow focus on financial reporting controls in recent years motivated COSO to issue a revised version of its framework. In an interview relating to the revised control framework (Tysiac 2012), the COSO Chairman David Landsittel explained that: some people because of the implementation of our framework under SOX 404 and SOX think of it as a financial reporting framework that really relates to published financial statements. But it s broader than that. We want to have the reader recognize more vividly the relevance and opportunities to adopt the framework as it relates to operations and compliance. This study focuses on the relation between operational control risk and financial reporting risk. Operational risk can be broadly defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events (BIS 2003). Operational risk can include fraud, security, privacy protection, legal risks, physical (e.g. infrastructure shutdown), and environmental risk. In general, sound strategies to mitigate operational risks are related to good management; however, as long as people, systems, and processes remain 2

4 imperfect, operational risk cannot be fully eliminated (Credit Suisse Group 2003). Operational risks impact client satisfaction, reputation and shareholder value, all while increasing overall business risk. Moreover, many underlying control platforms, such as system software, firm-level controls, and access controls, usually support entity-wide control activities (e.g., IFAC 2010). Higher levels of operational control risk caused by the underlying systems and procedures may also indicate higher levels of financial reporting and regulatory compliance control risks. We posit that weaknesses in internal controls are positively related to subsequently revealed weaknesses in financial reporting quality (i.e., restatements and SEC comment letters indicate financial reporting quality problems, which in turn increase financial reporting risk). We hypothesize a link between operational control risks and financial reporting risk for two reasons. First, operating and financial reporting activities rely on shared controls; therefore, weaknesses in the underlying systems and procedures would likely affect both financial reporting and operating activities. Second, weaknesses in one control area may reflect management s commitment to building a strong internal control environment as its attitude towards controls has pervasive effects on the actual control procedures throughout the organization (e.g., COSO 2009). In addition, we examine whether auditors risk assessments, as reflected in audit fees, are associated with operational control risk. Among several types of operational risks, computer data breaches have become pervasive and increasingly onerous. For instance, TJX Companies data breach of 45.7 million credit and debit card numbers in 2007 and the recent credit and debit card data breach of more than 110 million customers at Target have resulted in material losses to investors and may have been prevented with stronger operational controls. Reflecting the immense potential financial fallouts of such events, Target s stock price fell approximately 10 percent in the two months following 3

5 the breach disclosure, it announced the resignation of its Chief Information Officer, and equity analysts have cited privacy-breach related costs as the main reason for downgrading Target s shares in Further reflecting the economic importance of Target s data breach, recent media reports suggest that it might have been a contributory factor in the recent resignation of Target s Chief Executive Officer. Computer data breaches have become so prevalent in the past few years that on October 13, 2011 the SEC issued specific guidance CF Disclosure Guidance: Topic No. 2: Cybersecurity mandating that cyber breaches be disclosed in Management s Discussion and Analysis (MD&A) of the financial statements (SEC 2011). The guidance requires that firms now disclose material data breaches including a description of the property that was stolen, the likely financial effects, and the resulting future revenue and cost projections, if material. A review by BDO United States of the Form 10-Ks of the 100 largest publicly-traded U.S. technology companies released in 2012 revealed that 71% listed technology security or data breaches as risk factors this year, up from 57% last year and 44% who did so in 2010 (WSJ 2012). In this study we use data breach incidences that are publicly disclosed and an operational control risk index created through textual analysis of Form 10-Ks as our proxies for operational control risk. Data breaches are actual realizations of operational control risk and accordingly, we consider incidences of data breaches (cybersecurity attacks) to be strong ex post indicators of a 2 A report by the U.S. General Accountability Office (GAO 2007) highlights that available evidence indicates that data breaches occur frequently and under varying circumstances. The GAO report uses data from Privacy Rights Clearinghouse, Identity Theft Resource Center, and Attrition and notes our analysis of the three lists of data breaches maintained by these organizations indicated that at least 572 breaches were reported in the news media from January 2005 through December These breaches were reported to have affected more than 80 million records (GAO 2007, p. 11). A second GAO report examining data breaches by U.S. federal agencies, including the SEC, finds that despite steps taken to protect personal identifiable information (PII) at federal agencies, breaches continue to occur on a regular basis. During fiscal year 2012, federal agencies reported a record number of data breaches to the U.S. Computer Emergency Readiness Team. Specifically, 22,156 incidents involving PII were reported a substantial increase over the 15,584 incidents reported in fiscal year 2011 (GAO 2013, p. 2). 4

6 firm s operational control risk. The index measure is based on a framework developed by Deloitte Consulting for assessing operational risk (Deloitte 2011). We construct our index to pertain directly to operational control risk using information contained in Form 10-Ks. 3 Our empirical findings support the preceding discussion regarding the importance of operational control risks. Specifically, we document a significant positive leading relation between operational control risk and financial reporting risk. For example, using our data breach proxy, we find that firms with high operational risk are 1.39 times more likely to have an accounting restatement, and 1.46 times more likely to receive a SEC comment letter in the near future. Moreover, we find that both audit fees and auditor switches are increasing in operational control risks, suggesting that auditors increase their assessments of audit risk in the presence of operational control risks. Our results are robust to controlling for internal control weaknesses disclosed as per SOX Section 404, other determinants of financial reporting risks, and firm and industry characteristics. Our empirical evidence is also suggestive of a positive relation between operational control risk and SOX internal control weaknesses disclosures. This study contributes to the nascent stream of literature that relates internal controls over operations and regulatory compliance to audit risk and financial reporting controls (Li, Simunic, and Ye 2014; Altamuro, Gray, and Zhang 2014). In particular, Li et al. (2014) document a positive relation between environmental compliance risk and audit fees, while Altamuro et al. (2014) report a positive contemporaneous relationship between regulatory noncompliance of firms (that are regulated by the Food and Drug Administration) and earnings restatements. The findings reported in our paper complement those reported in the above-mentioned studies and collectively suggest that public assessments of operational control could inform investors in 3 Untabulated analyses indicate that the two proxies are significantly positively correlated are explained by size, complexity, and operating performance in a predictable manner. Section III discusses the measures in detail. 5

7 assessing financial reporting risk. This study also has normative implications for regulators focused on the role of internal controls and their effects on financial reporting quality. Although we do not study the costs of assessing such risks directly, our results pertaining to audit fees and auditor switches indicate that auditors already incorporate operational control risks in their testing and risk assessment procedures. However, we caution the readers that our findings do not necessarily imply a causal relation between operational control and financial reporting risk, but that manifestations of operational control weaknesses are a reflection of firm-wide internal control weaknesses that could result in financial reporting quality problems. This study also supports COSO s recent initiative to increase the emphasis on operational control risks, and we hope that it will encourage regulators to revisit the current regulatory framework over operational controls. Finally, our findings may be of interest to a wide audience, including firms, regulators and other researchers interested in the measurement, causes and consequences of operational risk. 4 The remainder of this paper is organized as follows. Section II provides the motivation and predictions. Section III describes the operational control risk measures, sample selection, and model specification. Section IV presents the results, Section V includes additional analyses, and Section VI concludes the paper. 4 The BIS Sound Practices for the Management and Supervision of Operational Risk remark that In the past, banks relied almost exclusively upon internal control mechanisms within business lines, supplemented by the audit function, to manage operational risk. While these remain important, recently there has been an emergence of specific structures and processes aimed at managing operational risk. (BIS 2003) Banking regulators require banks to hold capital against potential losses derived from operational risk. However, financial institutions have struggled in identifying and measuring operational risk, as well as determining the costs of operational risk (Jobst 2010). 6

8 II. MOTIVATION AND PREDICTIONS Extant literature In recent years, there has been a significant amount of research relating to internal controls. The extant literature has studied primarily firms and auditors assessment of controls over financial reporting, rather than controls over operations and regulatory compliance. This research investigates, inter alia, topics including the determinants of material weaknesses in controls over financial reporting (e.g., Ashbaugh-Skaife, Collins, and Kinney 2007; Doyle, Ge, and McVay 2007a) and the relations between: (i) financial reporting quality and internal controls over financial reporting (e.g., Doyle, Ge, and McVay 2007b; Ashbaugh-Skaife, Collins, Kinney, and LaFond 2008; Goh and Li 2011); (ii) audit fees and internal control over financial reporting (e.g., Hogan and Wilkins 2008; Hoitash, Hoitash, and Bedard 2008; Huang, Raghunandan, and Rama 2009); and (iii) management effectiveness and internal control over financial reporting (e.g., Feng, Li, and McVay 2009; Li, Peters, Richardson, and Watson 2012; Feng, Li, McVay, and Skaife 2014). Our paper seeks to address the question of whether regulatory imposed internal control assessments should pertain not only to financial reporting controls, but also to operating and regulatory compliance controls. However, as noted in point (i) of the preceding paragraph, the current internal control literature takes the investor perspective in assessing the impact of internal controls over financial reporting on financial reporting quality, but is generally silent about the role internal control over operations. Two recent but notable exceptions are studies by Li et al. (2014) and Altamuro et al. (2014) that examine the risk of environmental and regulatory noncompliance, respectively. While the study by Li et al. (2014) focuses on the impact of environmental noncompliance risk on audit fees, Altamuro et al. (2014) appeals to tone at the 7

9 top arguments and investigates the relation between regulatory noncompliance risk of firms in FDA-regulated industries and earnings restatements. Accordingly, we address this void in the literature by providing initial evidence concerning the significance of assessing operational control risks as part of an integrative evaluation of internal controls. Predicted association between operational and financial reporting risk Operational risk can be broadly defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events (BIS 2003). We consider operational control risk to be the risk of a material disruption to normal operations or a loss arising from operations that will not be prevented or detected on a timely basis by the company s internal control. Operational risk can include fraud, security, privacy protection, legal risks, infrastructure risk (e.g., plant shutdowns), and environmental risk. In general, sound strategies to mitigate operational risks are related to good management; however, as long as people, systems, and processes remain imperfect, operational risk cannot be fully eliminated (Credit Suisse Group 2003). Manifestations of operational risks impact client satisfaction, reputation and shareholder value. Operational risk is mitigated by investments in internal control systems and infrastructure. Many of these underlying control platforms, such as system software, firm-level controls, and access controls, usually support entity-wide control activities (e.g., IFAC 2010). Higher levels of operational control risk caused by the underlying systems and procedures may also indicate higher levels of financial reporting and regulatory compliance control risks. In COSO s framework (COSO 1992; COSO 2013) operational controls are a critical component of a system of internal control. Not only are operational controls important to the success of every business organization, through improving operational 8

10 efficiencies and supporting firm-wide goals, they also provide insights into the comprehensive view of the firm s internal control. We predict a positive leading association between manifestations of operational control risk and financial reporting quality. We outline the mechanisms underlying this predicted association below. First, many underlying control platforms, such as system software, firm-level controls, and access controls, usually support entity-wide control activities (e.g., IFAC 2010); in turn, higher levels of operational control risk caused by the underlying systems and procedures may also indicate higher levels of financial reporting and regulatory compliance control risks. For example, if a firm uses an all-inclusive software program that services operations and financial reporting processes (e.g., an Enterprise Resource Planning system that has several modules including financial reporting), weak software access controls pertaining to its operating functions could likely indicate similar access control issues with its financial reporting processes. 5 In other words, firms that operate in environments with high-control risk are likely to have high control risk throughout the organization. Hence, a discovery of higher levels of operational control risk would likely be associated with higher levels of financial reporting control deficiencies and result in financial reporting quality problems. For example, in recent years, the increasing operational risks associated with safeguarding sensitive client information (especially in industries such as banking, retail, and airlines) will be highly related to protecting the integrity of the financial reporting information given that the two types of information are significantly integrated. Supporting these arguments, The Analyst s Accounting Observer (2012) states that: 5 In additional analyses (Section V), we document a positive relation between operational control risk and weaknesses in internal control over financial reporting. 9

11 insufficient defences against cyberattacks might make the firm s reporting controls vulnerable as well. Cybersecurity isn t just about liability to customers whose personal profiles have been filched in a cyber-raid. If a firm s internal reporting mechanisms are compromised, it might be unable to complete its external reporting to shareholders, making cybersecurity an internal control issue. Second, the existence of larger operational control risks may reflect management s commitment to support a strong internal control environment. As management s attitude towards controls can have pervasive effects on the actual control procedures throughout the organization (Ge and McVay 2005; COSO 2009), higher levels of operational control risk could provide cues as to management s overall focus pertaining to internal control. Taking the foregoing considerations together, we expect that operational control risks will provide useful information concerning the extent of overall organizational control risk, including financial reporting control risks that manifest in lower observed financial reporting quality. We formally state our first prediction below. P1: There is a positive leading association between operational control risk and financial reporting quality. Predicted association between operational and audit risk Auditing Standard No. 8 on Audit Risk (PCAOB 2010) provides guidance for auditors consideration of audit risk and highlights that higher levels of control risk increase overall audit risk. While control risk in this standard refers to financial reporting control risk the risk that a misstatement due to error or fraud that could occur and that could be material will not be prevented or detected on a timely basis by the company s internal control it is important to point out that control risk is a function of the effectiveness of the design and operation of internal control. Recall that in COSO s framework, internal control encompasses financial 10

12 reporting controls, operational controls, and regulatory compliance controls. Accordingly, weaknesses in operational controls can increase control risk and overall audit risk. Thus, COSO s framework of internal control, combined with the Public Company Accounting Oversight Board s (PCAOB) current audit risk model, leads us to generate the following prediction concerning operational control risk and audit risk: P2: There is a positive association between operational control risk and overall audit risk. P1 and P2 together highlight a possible conundrum that while the auditors existing testing procedures are adequate to assess operational control risks, their clients do not undertake adequate prompt corrective action based on these assessments. This relation results from the fact that current regulations do not require auditors to suggest their clients take corrective action relating to financial reporting control risks despite the fact that they acknowledge the heightened audit risk and increase their own fees focusing only on financial reporting control risks for external public reporting purposes. III. OPERATIONAL RISK PROXIES, SAMPLE SELECTION, AND MODEL SPECIFICATION Computer data breaches We consider the actual realization of operational control risk to be one of the strongest and most reliable indicators of the existence of operational control risk. Accordingly, we use one such type of realization publicly disclosed computer data breach incidences as an ex post proxy for operational control risk. Occurrence of disclosed data breaches not only provide a rare opportunity for those external to the company to observe weaknesses in a firm s internal control over operations, but also represent one of management s top operational control concerns. 11

13 Among several types of operational risks, data breaches have become pervasive and increasingly onerous. 6 According to a report issued by the Ponemon Institute (2011), an organization dedicated to independent research on data protection, privacy, and information security policy, the estimated cost of a privacy breach reported by companies in 2010 was approximately $214 dollars per compromised customer record. 7 Moreover, research documents abnormal decreases in market values for public companies of over 500 basis points following a data breach (Campbell, Gordon, Loeb, and Zhou 2003). Data breaches have become so prevalent in the past few years that on October 13, 2011 the SEC issued specific guidance CF Disclosure Guidance: Topic No. 2: Cybersecurity mandating that cyber breaches be disclosed in Management s Discussion and Analysis (MD&A) of the financial statements (SEC 2011). The guidance requires that firms now disclose material data breaches including a description of the property that was stolen, the likely financial effects, and the resulting future revenue and cost projections, if material. Furthermore, the American Institute of Certified Public Accountants (AICPA 2012) Top Technological Initiatives survey indicates that securing the IT environment and managing and retaining data are the respondents top two technology initiatives in 2012 and have been among their top ten technology initiatives since Thus, a data breach reflects a deficiency of a fundamental operational control and provides us as researchers some insights to the strength of the firm s internal control over operations. A review by BDO United States of the Form 10-Ks of the 100 largest publicly-traded U.S. technology companies released in 2012 revealed that 71% listed 6 Companies recently breached include: AIG Inc., Apple Inc., CardSystems Solutions Inc., Citigroup Inc., ChoicePoint Inc., Heartland Payment Systems Inc., Las Vegas Sands Corp., Lockheed Martin, Michaels Stores Inc., Snapchat, Sony Corp., Target Corp., TJX Companies Inc., and Time Warner Inc. 7 This estimate includes direct costs from the privacy breach as well as an estimate for indirect costs which reflect a loss of current customers and potential future customers due the breach. However, the survey does not include companies that experienced breaches with more than 150,000 compromised records, and is subject to a non-response bias. 12

14 technology security or data breaches as risk factors this year, up from 57% last year and 44% who did so in 2010 (WSJ 2012). Our breach data is obtained with permission from the Identity Theft Resource Center (ITRC). In 2005, the ITRC started compiling a database of all the publicly reported breach disclosures in the United States for all organizations, public and private. According to the Identity Theft Resource Center (ITRC), the number of breach disclosures reported across all organizations, public and private, in the United States increased 201 percent from 157 breaches in 2005 to 472 breaches in In Appendix A we provide more information on U.S. breach notification laws and in Appendix B we provide an example of a corporate breach disclosure. The ITRC database includes information pertaining to the type of breach, the estimated date that the breach occurred, the date the breach was disclosed, and when available, the number of individual records that were compromised. The sample period begins in January 2005, as the sample is restricted by ITRC s data, and continues until fiscal year end 2012, including 2013 to calculate those variables that require data from fiscal year t+1. The total number of breaches reported by all organizations during calendar years 2005 to 2013, per the ITRC s records, is 3,632. Of those breaches, we identified 381 firm-years with breaches that pertain to public companies or subsidiaries of public companies that have necessary data availability for our dependent and control variables in COMPUSTAT and Audit Analytics. 8 Our sample also 8 The data breaches in our sample can be considered material given that they motivated the firms involved to issue a public disclosure and that they typically involve thousands of compromised records involving individual private information. As explained by a U.S. General Accountability Office report (GAO 2007, p. 2) the term data breach generally refers to an organization s unauthorized or unintentional exposure, disclosure, or loss of sensitive personal information, which can include personally identifiable information such as Social Security numbers (SSN) or financial information such as credit card numbers. Also a recent General Accountability Office report highlights why data breaches are important protecting personal identifiable information and responding to a data breach are critical because the loss or unauthorized disclosure of sensitive information can lead to serious consequences such as identity theft or other fraudulent activity and can result in substantial harm. While some identity theft victims can resolve their problems quickly, others face substantial costs and inconvenience in repairing damage to their credit 13

15 includes all other firms without breaches and available data for our dependent and control variables in COMPUSTAT and Audit Analytics in fiscal years 2005 to 2013 (30,734 observations). Table 1 describes our sample selection procedure. 9 Operational risk index Our second measure of operational control risk is an operational control risk index created through textual analysis of Form 10-Ks in the SEC EDGAR database. Our index is based on a framework developed by Deloitte Consulting for assessing operational risk (Deloitte 2011) 10. Deloitte s framework was designed for financial institutions. We modify it to make it more generally suitable to all types of companies. We scan the 10-K filings of all publicly-listed companies from 2004 to 2011 for companies disclosures of their responses to operational risk. In particular, we code companies response to operational risk through the following dimensions: (i) formalized risk management systems and controls, (ii) interaction between board and risk management, (iii) risk appetite, (iv) risk committee, (v) risk culture and oversight, (vi) chief risk officer, (vii) enterprise risk management, (viii) interaction between compensation and risk, (ix) data management, (x) formal risk reporting, and (xi) types of risk information reporting. Our text extraction program was able to extract 69,570 firm-year (or 10-K) observations from the SEC s EDGAR database. Appendix C provides details of our text extraction procedure and the specific items codified in the index. Merging the sample with operational risk index reduces it to 25,248 observations. An advantage of using an operational risk index is that it provides cross-sectional records. According to the Bureau of Justice Statistics, millions of American households have reported cases of identity theft (GAO 2013, p. 3). 9 There are 70 industries (2-digit SIC codes) included in our sample, but only 47 industries have observations with breaches in the period from 2005 to In terms of the total number of observations, 92.5 percent are from the industries with breaches. Financial firms (SIC codes 60-69) represent 145 out of the 381 breach observations in our sample. In Section V we describe several sensitivity analyses to mitigate the influence of industry effects. 10 Deloitte s annual risk management survey is a comprehensive periodic examination of risk management at financial institutions. The 2011 assessment was based on responses from 131 financial institutions around the world answering questions about their risk assessment processes. 14

16 variation for a large number of firms in our analyses. On the other side, it relies on general risk disclosures and has limited variation year-over-year and may be more indicative of the level of inherent control risk. Financial reporting quality and operational risk model Our first hypothesis predicts a positive leading association between operational control risks and financial reporting quality. We use two commonly employed measures of financial reporting quality: (i) financial statement restatements (Hribar and Jenkins 2004; Palmrose, Richardson, and Scholz 2004; Doyle et al. 2007b; Hennes, Leone, and Miller 2008; Coa, Myers, and Omer 2012; Chen, Cheng, and Lo 2013) and (ii) SEC Comment Letters (Ettredge, Johnstone, Stone, and Wang 2011; Robinson, Xue, and Yu 2011; Cassell, Dreher, and Myers 2013; Dechow, Lawrence, and Ryans 2014; Hribar, Kravet, and Wilson 2014). Restatements (RESTATE i,t,t+1 ) reflect adjustments for material errors in prior financial statements and SEC Comment Letters (SEC_COMMENT i,t,t+1 ) provide independent regulatory assessments on the extent to which company filings comply with Generally Accepted Accounting Principles (GAAP). Since Sarbanes-Oxley, the SEC s Division of Corporation Finance is mandated to review each registrant s filings once every three years. If the SEC identifies any concerns with the financial reporting they issue a comment letter (in private) to the registrant. Hence, the receipt of an SEC Comment Letter signals that the SEC s CPAs have identified concerns with the registrant s financial reporting. The registrant then has 10 business days to respond and the back and forth continues until the SEC s concerns are resolved. Since 2005, the SEC publicly discloses SEC Comment Letters (UPLOAD files) and registrants responses (CORRESP files) on EDGAR no earlier than 45 days (20 business days post 2011) 15

17 following the review completion. As the Division of Corporation Finance employs CPAs to review the financial statements, we believe that SEC Comment Letters are good indicators of a firm s financial reporting quality. Moreover, given that the vast majority of SEC Comment Letters result in prospective changes in financial reporting, there is very little overlap between restatements and the receipt of an SEC comment letter (Dechow et al. 2014). We use the following regression model to test our first prediction that there is a positive leading relation between operational control risk (BREACH i,t-δ and OPRISK_INDEX i,t-1 ) and financial reporting quality (RESTATE i,t,t+1 and SEC_COMMENT i,t,t+1 ). FRQ i,t,t+1 = β 0 + β 1 OPERATIONAL_RISK t-x + β 2 SOX404 i,t + β 3 SIZE i,t + β 4 FIRM_AGE i,t +β 5 LOSS i,t + β 6 SEGMENTS i,t + β 7 ACQ_VALUE i,t + β 8 GROWTH i,t + β 9 RESTRUCT i,t + β 10 LEVERAGE i,t + β 11 BIG4 i,t + β 12 SPECIALIST i,t + β 13 BREACH_RISK i,t + YEAR_FE + ε i,t (1) where, for firm i and years t-δ, t and t+1: FRQ i,t, t+1 = RESTATE t,t+1 or SEC_COMMENT t,t+1 ; RESTATE i,t,t+1 = 1 if the firm reported a material restatement in fiscal year t or year t+1, and 0 otherwise; SEC_COMMENT i,t,t+1 = 1 if the firm received an SEC Comment Letter in fiscal year t or year t+1, and 0 otherwise; OPERATIONAL_RISK t-x = BREACH i,t-δ or OPRISK_INDEX i,t-1 ; BREACH i,t-δ = 1 if the firm reported a privacy breach after releasing fiscal year t-1 s annual financial statements, but before releasing fiscal year t s annual financial statements, and 0 otherwise; OPRISK_INDEX i,t-1 = Score from operational control risk index in fiscal year t- 1, the calculation of the index is outlined in Appendix C; SOX404 i,t = 1 if the firm had a SOX 404 material internal control weakness over financial reporting in the fiscal year t, and 0 otherwise; SIZE i,t = Natural logarithm of the firm s market capitalization as of year t s fiscal year-end; FIRM_AGE i,t = Natural logarithm of one plus the number of years the firm has COMPUSTAT data as of year t s fiscal year- 16

18 end; LOSS i,t = 1 if net income before extraordinary items is less than zero in fiscal year t, and 0 otherwise; SEGMENTS i,t = Natural logarithm of one plus the number of operating and geographic segments as of year t s fiscal year-end; ACQ_VALUE i,t = The aggregate dollar value of acquisitions that the acquired company in the fiscal year t-1, scaled by market capitalization as of fiscal year-end t; GROWTH i,t = Quintiles of year-over-year sales growth in fiscal year t, and 0 otherwise; RESTRUCT i, t = The aggregate restructuring charges in the fiscal years t and t-1, scaled by market capitalization as of year t s fiscal year-end; LEVERAGE i,t = Debt divided by total assets as of year t s fiscal year-end; BIG4 i,t = 1 if the client has a Big 4 auditor in fiscal year t, and 0 otherwise; SPECIALIST i,t = 1 if the firm s auditor has the highest market share in the client s industry, measured using audit fees in fiscal year t, and 0 otherwise; BREACH_RISK i = The natural logarithm of the number of breaches in the firm s industry, to control for the inherent privacy breach risk of the firm s industry; and, YEAR_FE = Year fixed effects. Figure 1 further explains the variable measurement timeline. In line with our first prediction (P1), we expect positive coefficients on our operational risk proxies BREACH i,t-δ and OPRISK_INDEX i,t-1 if there is indeed a positive leading relation between operating control risks and future financial reporting quality. Figure 1 depicts the measuring period for the proxies used in our analyses. Given that we are examining the relation between operating control risks and future financial reporting quality, it is important to also control for financial reporting control risks to ensure that our findings are not simply reflecting the previously documented relation between financial reporting control risks and financial reporting quality (e.g., Doyle et al. 2007b). SOX404 i,t equals 1 if the firm had a SOX 404 material internal control weakness over 17

19 financial reporting in the fiscal year t, and 0 otherwise. 11 All other variables are defined in Equation (1) and control for other determinants of financial reporting quality (e.g., firm size, age, profitability, financial reporting complexity, restructuring, financial distress, etc.). Section V describes additional matched sample analyses to isolate the effect of operational control risk on financial reporting quality. Audit fees and operational risk model Next, we test our prediction that operational control risk increases the overall audit risk faced by external auditors. Following an extensive literature that documents a relation between total audit risk and audit fees (e.g., Pratt and Stice 1994; Bell, Landsman, and Shackelford 2002; Hay, Knechel, and Wong 2006; Hogan and Wilkins 2008; Stanley 2011) we use audit fees as a proxy for overall audit risk, controlling for known determinants of audit fees (i.e., client size and complexity). We model the determination of audit fees (LOGFEES i,t ) using the following regression specification: LOGFEES i,t = β 0 + β 1 OPERATIONAL_RISK i,t-x + β 2 SOX404 i,t + β 3 SIZE i,t + β 4 BIG4 i,t +β 5 ATURN i,t + β 6 EXPORT i,t + β 7 LEVERAGE i,t + β 8 ROA i,t + β 9 ABSEXTRA + β 10 LOSS i,t + β 11 ROA*LOSS i,t + β 12 SEGMENTS i,t + β 13 SPECIALIST i,t + β 14 DEC_YREND i,t + β 15 OPINION i,t + YEAR_FE + ε it (2) where, for firm i and year t: LOGFEES i,t = Natural logarithm of total audit fees in the fiscal year t; 12 ATURN i,t = Sales in fiscal year t divided by total assets as of fiscal year t s year-end; 11 In additional analyses, we obtain similar inferences as those documented in Tables 3 to 5, when we use a lagged indicator for SOX 404 internal control weaknesses (SOX404 i,t-1 ) measured as of fiscal year t-1 rather than as of fiscal year t. 12 In additional analyses, we obtain similar inferences as those documented in Table 5, when we use LOGFEES measured as of fiscal year t+1 rather than as of fiscal year t. 18

20 EXPORT i,t = ABSEXTRA i,t = ROA i,t = DEC_YREND i,t = OPINION i,t = Total sales from foreign segments scaled by total sales in the fiscal year t; Absolute value of extraordinary items in fiscal year t scaled by total assets as of fiscal t s year-end; Net income in the fiscal year t scaled by total assets as of fiscal year t s year-end; 1 if the company has a December 31 st year end in fiscal year t, and 0 otherwise; and, 1 if the company received an auditor going concern opinion, and 0 otherwise. All other variables are as described before. Our specification is a version of the approach followed by Hoitash et al. (2008) and Huang et al. (2009), modified by including OPERATIONAL_RISK i,t-x, to investigate the impact of operational control risk on perceived audit risk. Positive coefficients on BREACH i,t-δ and OPRISK_INDEX i,t-1 are consistent with our prediction P2. We control for other known audit fee determinants: firm size, Big 4 auditors, default risk, financial complexity, financial performance, auditor busy season, and qualified opinions (i.e., SIZE i,t, BIG4 i,t, ATURN i,t, EXPORT i,t, LEVERAGE i,t, ABSEXTRA i,t, ROA i,t, LOSS i,t, SEGMENTS i,t, DEC_YREND i,t, and OPINION i,t ). In addition to using audit fees to examine whether auditors seem to incorporate the heightened operational control deficiencies in their audit risk assessments, in robustness analyses, we also examine whether auditor switches are more pronounced for firms with higher operating control risks. IV. RESULTS Descriptive statistics Table 2 presents the descriptive statistics for our main sample. Column 1 presents the mean and standard deviation of all variables for the full sample of observations. Columns 2 and 3 presents the mean and standard deviation of all variables for the following subsamples: 19

21 BREACH i,t-δ =0 and BREACH i,t-δ =1. Column 4 reports t-tests of differences in means for all variables between the two. Our data contains 381 observations with BREACH i,t-δ =1. The operational risk index (OPRISK_INDEX i,t-1 ) has a mean of 3.48, with larger values indicating a comparatively higher operational control risk. The correlation between the two operational control risk proxies for is 0.07 and is statistically significant at the one percent level. The mean values of RESTATE i,t,t+1 and SEC_COMMENT i,t,t+1 in the full sample are and Comparing across breach and non-breach firms, breach firms have a higher incidence of both restatements and SEC comment letters than do non-breach firms. Also, breach firms have higher audit fees than do non-breach firms; however, we caution the reader that this effect could partly be explained by a difference in firm size between these two sub-samples. All other control variables have generally similar distributions to those reported in prior research studies that use these variables to explain financial reporting quality and audit risk. Financial reporting quality and operational control risk Table 3 reports logistic regression results for Equation (1), which tests the relation between operational control risk (BREACH i,t-δ and OPRISK_INDEX i,t-1 ) and future financial reporting restatements (RESTATE i,t,t+1 ). Consistent with our expectations, we find firms with higher operational control risk are more likely to have restatements in the future. Specifically, in Column (1) the coefficient on BREACH i,t-δ is (p < 0.05) indicating that breach firms are approximately 1.39 times more likely to have a restatement in fiscal years t or t+1 than are nonbreach firms. In Column (2) we use OPRISK_INDEX i,t-1 and find that the coefficient on this test variable is (p < 0.01). Comparing observations below and above the median OPRISK_INDEX i,t-1, firms above the median are 1.10 times more likely to have a restatement in fiscal years t or t+1 than firms below the median. These findings are robust to controlling for 20

22 material weaknesses in internal control over financial reporting reported as per SOX Section 404. The coefficient on SOX404 i,t is positive and significant (p <0.01) in Columns (1) and (2), confirming prior research that restatements are related to internal control weaknesses over financial reporting (Blankley, Hurt, and MacGregor 2012, Table 5). The control variables highlight that future restatements are higher for smaller and less profitable firms, and firms with Big 4 auditors and industry audit specialists. Table 4 reports the regression results when FRQ is measured using SEC Comment Letters (SEC_COMMENT i,t,t+1 ). Consistent with the findings in Table 3, the coefficient coefficient on BREACH i,t-δ in Column (1) is (p < 0.01) indicating that breach firms are approximately 1.46 times more likely to experience an SEC review with questions in fiscal years t or t+1 than are non-breach firms. In Column (2) we use OPRISK_INDEX i,t-1 and find that the coefficient on this variable is (p < 0.05). Comparing observations below and above median OPRISK_INDEX i,t-1, firm-year observations above the median approximately 1.09 times more likely to have a SEC Comment Letter in fiscal years t or t+1 than observations below the median. Unlike Table 3, the coefficient on SOX404 i,t is insignificant in Columns (1) and (2) suggesting that there is not a relation between financial reporting control risk and the receipt of future SEC Comment Letter reviews. Moreover, consistent with evidence in Cassell et al. (2013), the coefficient on other control variables highlight that SEC Comment Letters are more likely for larger, older, less profitable, and less financially complex firms. Overall, the results in Tables 3 and 4 provide support for P1 that there is a positive leading relation between operational control risks and future financial reporting quality. These findings also suggest that current operational control deficiencies can be used as cues for deficiencies in financial reporting. Accordingly, we 21

23 interpret these findings as suggesting that investors can benefit from public assessments of the quality of operational controls by auditors. Audit fees and operational risk results Table 5 examines whether the heightened audit risk for operationally risky firms is reflected in higher audit fees using the auditor fee regressions of Equation (2). Our principal finding in this analysis is that audit fees are increasing in both the operational control risk proxies. Specifically, the estimated coefficient on BREACH i,t-δ in Column (1) is (p < 0.01) and the coefficient on OPRISK_INDEX i,t-1 in Column (2) is (p < 0.01) highlighting that auditors recognize the heightened operational control risk. Moreover, we find that the control variables load in a predictable manner. Specifically, we find that audit fees are increasing in financial reporting control risk (SOX404 i,t ), firm size (SIZE i,t ), leverage (LEVERAGE i,t ), the amount of extraordinary items (ABSEXTRA i,t ), the number of business segments (SEGMENTS i,t ), specialist auditors (SPECIALIST i,t ) and with poor firm performance (LOSS i,t and ROA i,t ). The results show that operational control risk explains variation in auditors fees, and in turn, risk assessments. Overall, these results support our second main prediction (P2) that existing audit procedures help auditors assessment of audit risk in the presence of operating control risks, suggesting that mandating assessments over operating control risks is unlikely to be incrementally onerous for auditors Inferences are also robust to controlling for the probability of bankruptcy using the Zmijewski score, calculated as *(Net Income/Total Assets) *(Total Liabilities/Total Assets) *(Current Assets/Current Liabilities) in a sub-sample of non-financial firms as bankruptcy prediction models typically used in accounting studies do not apply to financial firms. 22

24 V. ADDITIONAL ANALYSES Association between operational and financial reporting control weaknesses A key inference of this study is that there is a positive relation between operating control risk and near future financial reporting quality. In Section II, we hypothesize that one reason for this relation is that weaknesses in firm-wide underlying control systems and procedures can manifest in high levels of operational control risk and deficiencies in financial reporting quality. To further understand the underlying mechanism the underlying mechanism of the relation between operational control risk and financial reporting quality, we examine whether there is a relation between operational control risks and deficiencies in specific internal controls that pertain to financial reporting (inferred through weaknesses reported under SOX Section 404). Specifically, we investigate whether operational control risks are related to weaknesses in internal control over financial reporting disclosed at year-end and with other firm characteristics associated with financial reporting risk (i.e., size, complexity, and auditor type). We estimate the following model of operational control risk: OPERATIONAL_RISK i,t = β 0 + β 1 SOX404 i,t + β 2 SIZE i,t + β 3 FIRM_AGE i,t + β 4 LOSS i,t + β 5 SEGMENTS i,t + β 6 LEVERAGE i,t +β 7 SPECIALIST i,t + β 8 BIG4 i,t + β 9 STD_ROA i,t + β 10 GROWTH i,t + INDUSTRY_FE + YEAR_FE + ε i,t (3) where, for firm i and year t: STD_ROA i,t = Standard deviation for annual ROA i,t in years t, t-1 and t- 2; and, INDUSTRY_FE = Industry (2-digit SIC code) fixed effects. All other variables are as defined before. We expect a positive coefficient on SOX404 i,t. We expect operational control risk to increase with size, complexity, income volatility, losses, and 23

25 growth. Accordingly, we expect positive coefficients on SIZE i,t, SEGMENTS i,t, STD_ROA i,t, LOSS i,t, and GROWTH i,t. The auditor type variables, firm age, and leverage can be associated with higher complexity but could also reflect cross-sectional variation in control risk. Finally, we expect operational risk to be related to industry (i.e., operational risk plays an important role in financial institutions as noted by Baxter, Bedard, Hoitash, and Yezegel 2013) and change over time (i.e., post-sox firms became increasingly more aware of control risks). We do not have directional predictions for SPECIALIST i,t, BIG4 i,t, LEVERAGE i,t, and FIRM_AGE i,t. In untabulated analyses, we find a positive and statistically significant association between SOX404 i,t and BREACH i,t (the coefficient on SOX404 i,t in Equation (3) using breaches as the dependent variable and estimated using logistic regression is with p<0.01). In addition, we find that the model has a pseudo-r 2 of 0.217, indicating that these determinants explain the incidence of breaches relatively well. We also find a positive and statistically significant coefficients (at the one-percent level) for SIZE i,t, and FIRM_AGE i,t.. These findings are qualitatively similar if we control for industry effects by including BREACH_RISK i,t, the natural logarithm of the number of breaches in the firm s industry. We also find a positive and statistically significant association between SOX404 i,t and OPRISK_INDEX i,t (the coefficient on SOX404 i,t in Equation (3) using the operational control index as dependent variable and estimated using OLS is with p<0.01). We find that the model has an adjusted R 2 of 0.359, indicating that these determinants explain the variation in our operational risk index relatively well. We also find positive and statistically significant coefficients (at the one-percent level) for all variables, except GROWTH i,t that is positive but not significant. (at the ten-percent level) and FIRM_AGE i,t that is negative and significant. (at the onepercent level). 24

26 Matched Sample analyses A potential criticism of our study is that the results could be confounded by firm characteristics that are correlated with both operational control risks and financial reporting problems. For example, one such potentially correlated variable is deficiencies in internal controls over financial reporting reported under SOX Section 404 (SOX404 i,t ). To better isolate the relationship between operational control risk, financial reporting quality, and audit risk, we conduct the matched sample analyses for Equations 1 and 2. We report both Propensity Score Matching (PSM) and simple attribute-based matching approaches. For the PSM analyses, we match BREACH i,t-δ =0 and and BREACH i,t-δ =1 observations using propensity scores estimated using the determinants model (Equation 3) including BREACH_RISK i,t-1. Similarly, we match firms with values above and below the median of OPRISK_INDEX i,t-1, transforming it into an indicator variable OPRISK(1/0) i,t-1. We also conduct analyses using a relatively simpler attribute-based matching approach. Specifically, we match firm-year observations with BREACH i,t-δ =0 and and BREACH i,t-δ =1 (and OPRISK(1/0) i,t-1 =0 and OPRISK(1/0) i,t-1 =1) on SIZE i,t-1, industry (2-digit SIC), and fiscal year. Table 6 summarizes the findings of our results using matched samples. For brevity, we only report the coefficients on our variables of interest BREACH i,t-δ and OPRISK(1/0) i,t-1. Panel A shows the results for the model that predicts restatements. Panel B shows the results for the SEC comment letter model and Panel C shows the results for the model predicting audit fees. The samples used in Columns (1) and (2) are comprised of observations matched on propensity score estimated using all variables as described above, and the samples used in Columns (3) and (4) are comprised of observations matched on propensity score estimated using all variables 25

27 SIZE i,t,, industry (SIC 2-digit), and year. Panels A-C show a positive association between the operational control risk proxies and indicators of financial reporting quality problems (restatements and SEC comment letter receipts) and audit risk (as reflected in audit fees), after controlling for reported SOX 404 deficiencies and other firm characteristics. 14 Association between auditor switches and operational risk In our main analyses, we provide some evidence that auditors increase their perception of audit risk in the presence of operating control risks. To provide further evidence in this regard, we examine whether auditor turnover is more pronounced in firms with higher operational control risk. In our sample we find that the incidence of auditor switches is nine percent; coded as one if there is auditor turnover in year t or t+1, and zero otherwise. In untabulated analyses, we find evidence that operational control risk is related to future auditor switches only using our control risk index and not the incidence of data breaches. We cautiously view this as additional evidence suggesting that auditors increase their perceived audit risk in the presence of operating control risks. Association between future audit fees and operational risk In the main analyses, we examine the relation between manifestation of operational control risks between fiscal year-ends t-1 and t, and audit fees in fiscal year t. A concern with using fiscal year t audit fees is that the audit firms might not have adequate response time to increase the audit fees due to discovery of heightened operational control risks prior to the fiscal 14 We match observations on the closest propensity score (estimated using logistic regression), without replacement and within common support. Results are qualitatively similar without including BREACH_RISK i,t as a determinant in the full model, or matching on the logarithm of total assets, industry and year. 26

28 t year-end. Hence, in untabulated robustness tests, we rerun the audit fees regressions using audit fees reported for fiscal year t+1, and find similar inferences. Mitigating the impact of industry effects A potential confounding factor in our analyses is the difference in operational control risk across industries, particularly between industries with and without breaches and between financial and non-financial firms. There are 70 industries (2-digit SIC codes) included in our sample, but only 47 industries have observations with breaches in the period from 2005 to In terms of the total number of observations, 92.5 percent are from the industries with breaches. Financial firms (SIC codes 60-69) represent 145 out of 381 breach observations in our sample. We mitigate the industry effects in our analyses by: (i) including BREACH_RISK i,t, the natural logarithm of the number of breaches in the firm s industry, as a control variable in our regression models, Equations (1) and (2) in Tables 3 to 6; (ii) estimating our regression models using a subsample of non-financial firms (excluding observations in SIC codes 60 to 69) for our two operational risk proxies, finding similar results (untabulated); (iii) estimating our regression models using a subsample of firms in industries with breaches (exclude observations in 23 SIC codes without breaches in years 2005 to 2012) for our BREACH i,t-δ risk proxy, finding qualitatively similar results; (iv) estimating our regression models including industry fixed effects, finding similar results (untabulated); and (v) including industry as a matching variable in our propensity score matching models. 27

29 VI. CONCLUSION This study provides evidence concerning the significance of assessing operational control risks as part of an integrative evaluation of internal controls. Using data breaches and a 10-K based index to indicate operational control risk, we document a positive leading relation between operational control risk and financial reporting quality problems, and show that operational control risk increases auditors perceived engagement risk. Due to the limitations and obvious weaknesses associated with using external proxies of operational control risk proxies compared to those actually observed by auditors, we believe our findings provide a lower bound estimate to the importance of assessing operational control risks. Collectively, we interpret our two main findings as evidence that public assessments of operational control quality by auditors, were they to be mandated, would result in significant benefits to investors who could use such disclosures as precursors for detecting near future problems in financial reporting quality. The study s inferences support the view that internal control assessments under SOX solely over financial reporting appear to overlook operational control risks that predict future financial reporting quality. Even though we do not directly study the costs of assessing operational control risks, our results pertaining to audit fees and auditor switches indicate that auditors already incorporate operational control risks in their testing and risk assessment procedures. Thus, it appears that requiring auditor assessments over operating control risks is unlikely to be incrementally onerous. Moreover, the findings also support COSO s revised internal control framework that emphasizes the importance of assessing internal control pertaining to operations and regulatory compliance, and we encourage regulators to revisit the current regulatory framework for operational controls. Finally, our findings may be of 28

30 interest to a wide audience, including firms, regulators and other researchers interested in the measurement, causes and consequences of operational control risk. 29

31 REFERENCES American Institute of Certified Public Accountants (AICPA) Top Technology Initiatives. AICPA, New York. Altamuro, J., J. Gray, and H. Zhang A commitment to compliance: An examination of financial and operational noncompliance for FDA-Regulated Industries. Working paper, Ohio State University. Ashbaugh-Skaife, H., D. Collins, and W. Kinney The discovery and reporting of internal control deficiencies prior to sox-mandated audits. Journal of Accounting and Economics 44 (1-2): ,,, and R. La Fond The effect of SOX internal control deficiencies and their remediation on accrual quality. The Accounting Review 83 (1): Association of Business Trial Lawyers Report (ABTL) Is your client prepared to comply with the data security notification laws? Spring Bank for International Settlements (BIS) Sound practices for the management and supervision of operational risk. Basel, Switzerland. Available at: Baxter, R., J. Bedard, R. Hoitash, and A. Yezegel Enterprise risk management program quality: Determinants, value relevance, and the financial crisis. Contemporary Accounting Research 30 (4) Bell, T., W. Landsman, and D. Shackelford Auditors perceived business risk and audit fees: Analysis and evidence. Journal of Accounting Research 39 (1): Blankley, A., D. Hurt, and J. MacGregor Abnormal audit fees and restatements. Auditing: A Journal of Practice & Theory 31 (1) California State Senate California SB Civil Code Section and State of California. Campbell, K., L. Gordon, M. Loeb, and L. Zhou The economic cost of publicly announced information security breaches: empirical evidence from the stock market. Journal of Computer Security 11(3): Cao, Y., L. Myers, and T. Omer Does company reputation matter for financial reporting quality? Evidence from restatements. Contemporary Accounting Research 29 (3) Cassell, C., L. Dreher, and L. Myers reviewing the sec s review process: 10-k comment letters and the cost of remediation. The Accounting Review 88 (6): Chen, X., Q, Cheng, and A. Lo Accounting restatements and external financing choices. Contemporary Accounting Research 30 (2): Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Integrated Framework. The Framework. New York, NY: COSO. 30

32 Internal Control Integrated Framework. Guidance on Monitoring Internal Control Systems. New York, NY: COSO Internal Control Integrated Framework. New York, NY: COSO. Compliance Week COSO Framework Overhaul Sparking Deeper Debates. April 24, Credit-Suisse Group Operational risks in financial services an old challenge in a new environment. Basel, Switzerland. Available at: Dechow, P., A. Lawrence, and J. Ryans SEC comment letters and insider sales. Working paper, University of California at Berkeley. Deloitte Global Risk Management Survey. New York, NY. Available at: UnitedStates/Local%20Assets/Documents/us_fsi_grms_ pdf Doyle, J., W. Ge, and S. McVay. 2007a. Determinants of weaknesses in internal control over financial reporting. Journal of Accounting and Economics 44 (1-2): ,, and. 2007b. Accruals quality and internal control over financial reporting. The Accounting Review 82 (5): Ernst & Young Leveraging value from internal controls. London, U.K. Ettredge, M., K. Johnstone, M. Stone, and Q. Wang The effects of firms size, corporate governance quality, and bad news on disclosure compliance. Review of Accounting Studies 16 (4): Feng, M., C. Li., and S. McVay Internal control and management guidance. Journal of Accounting & Economics 48 (2-3): ,,, and Skaife ineffective internal control over financial reporting and firm operations. Working paper, University of Pittsburgh. Ge, W., and S. McVay The disclosure of material weaknesses in internal control after the Sarbanes-Oxley Act. Accounting Horizons 19 (3): Goh, B, and D. Li Internal controls and conditional conservatism. The Accounting Review 86 (3): Hay, D., R. Knechel, and N. Wong Audit fees: A meta-analysis of the effect of supply and demand attributes. Contemporary Accounting Research 23 (1): Hennes, K., A. Leone, and B. Miller The importance of distinguishing errors from irregularities in restatement research: The case of restatements and CEO/CFO turnover. The Accounting Review 83 (6): Hogan, C., and M. Wilkins Evidence on the audit risk model: Do auditors increase audit fees in the presence of internal control deficiencies? Contemporary Accounting Research 25 (1):

33 Hoitash, R., U. Hoitash, and J. Bedard Internal control quality and audit pricing under the Sarbanes-Oxley Act. Auditing: A Journal of Practice & Theory 27 (1): Hribar, P. and N. Jenkins The effect of accounting restatements on earnings revisions and the estimated cost of capital. Review of Accounting Studies 9 (2-3): , T. Kravet, and R. Wilson A new measure of accounting quality. Review of Accounting Studies 19 (1): Huang, H-W., K. Raghunandan, and D. Rama Audit fees for initial audit engagements before and after SOX. Auditing: A Journal of Practice & Theory 28 (1): International Federation of Accountants (IFAC) New brooms sweep clean. New York, NY. Jobst, A The credit crisis and operational risk: Implications for practitioners and regulators. Journal of Operational Risk: 5 (2): Li, C., G. Peters, V. Richardson, and M. Watson The consequences of information technology control weaknesses on management information systems: The case of Sarbanes-Oxley internal control reports. MIS Quarterly 36 (1): Li, Y., D. Simunic, and M. Ye Corporate environmental compliance risk and audit fees. Working paper, University of Toronto. Palmrose, Z-V., V. Richardson, and S. Scholz Determinants of market reactions to restatement announcements. Journal of Accounting and Economics 37 (1): Ponemon Institute Annual Study: U.S. Cost of Data Breach. Ponemon Institute. Pratt, J., and J. Stice The effects of client characteristics on auditor litigation risk judgments, required audit evidence, and recommended audit fees. The Accounting Review 69 (4): Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 8: Audit Risk. Washington, DC: PCAOB. Robinson, J., Y. Xue, and Y. Yu Determinants of disclosure noncompliance and the effect of the SEC review: Evidence from the 2006 mandated compensation disclosure regulations. The Accounting Review 86 (4): Securities and Exchange Commission (SEC) CF Disclosure Guidance: Topic No. 2: Cybersecurity. Washington, DC: SEC. Stanley, J Is the audit fee disclosure a leading indicator of clients business risk? Auditing: A Journal of Practice & Theory 30 (3): The Accounting Analyst s Observer What Keeps The SEC Busy December 18, The Wall Street Journal (WSJ) Tech Company Worries Shift to Growth Issues. May 10,

34 Tysiac, K COSO Chair says updated framework is a refresh. Journal of Accountancy January 23, U.S. General Accountability Office Data breaches are frequent, but evidence of resulting identity theft is limited; however, the full extent is unknown. Washington, D.C: GAO. Available at: Agency responses to breaches of personally identifiable information need to be more consistent. Washington, D.C: GAO. Available at: 33

35 APPENDIX A Privacy breach laws As the U.S. Congress has yet to enact a federal law mandating breach notifications, since 2003, the majority of states have passed their own breach notification laws. California adopted the first privacy breach notification law, California SB 1386 (California State Senate 2003), on July 1 st, 2003, and since then other states have since adopted similar laws modeled after, but not the same as, the California law (ABTL 2007). The California laws specify that any entity that conducts business in California and licenses, maintains or owns computerized customer data, must notify law enforcement agencies and any Californian resident whose data has been acquired by unauthorized means. Moreover, if the breach involves more than 500,000 records, then a nation-wide media release must be made and hence, a public privacy breach disclosure by the company is mandatory. However, as the breach notification laws vary from state to state and companies generally do not disclose all the specific states that were affected by a breach, from a research perspective, it is difficult to determine whether a public disclosure by the company was voluntary or mandatory. Going forward, such a task should be easier once a federal notification law makes its way through congress. On the whole, given the various state laws state generally require the firm to disclose the breach to their clients, the majority of public breach disclosures are likely mandatory disclosures. Moreover, on October 13, 2011 the SEC issued guidance mandating that material cyber breaches be disclosed in the MD&A of financial statements (SEC 2011). In addition to state notification laws, the following U.S. legislation has implications for information privacy practices: the Health Insurance Portability and Accountability Act (HIPAA) mandates how health information should be protected; the Gramm-Leach-Bliley Act (GLBA) regulates the use of information obtained by financial institutions; the Family Educational Rights and Privacy Act (FERPA) governs the access to student educational records; the Fair and Accurate Credit Transactions Act regulates the disposal of consumer information; the U.S.A. Patriot Act mandates all U.S. businesses to disclose customer information to law enforcement initiatives; and The Identity Theft Penalty Enhancement Act sets forth that acquiring unauthorized personal information is a federal crime. 34

36 APPENDIX B Example of a privacy breach disclosure SAIC, INC. EWS RELEASE SAIC Addresses Possible Data Compromise (SAN DIEGO and MCLEAN, VA) July 20, Personal information of certain uniformed service members, family members and others was placed at risk for potential compromise while being processed by SAIC under several health care data contracts for military service customers, the company said today. SAIC remedied the security lapses upon learning of them and began working with the customers to mitigate any potential impact. Forensic analysis has not yielded any evidence that any personal information was actually compromised; however, the possibility cannot be ruled out. SAIC is notifying approximately 580,000 households, some with more than one affected person. "We deeply regret this security failure and I want to extend our apologies to those affected by it," Chairman and CEO Ken Dahlberg said. "We are concerned about the inconvenience and risk of potential compromise of personal information this may cause. The security failure is completely unacceptable and occurred as a result of clear violations of SAIC's strong internal IT security policies. In this instance, we did not live up to the high level of performance that our customers have learned to expect and demand from us. We let down our customers and the service members whom we support. For this, we are very sorry." The information was stored on a single, SAIC-owned, non-secure server at a small SAIC location, and in some cases was transmitted over the Internet in an unencrypted form. The contracts were with customers in the Departments of the Army, Navy, Air Force and Homeland Security. The work was being done in connection with TRICARE, the health benefits program for the uniformed services, retirees and their families. The personal information at risk varies by individual, but could include combinations of names, addresses, Social Security numbers, birth dates, and/or limited health information in the form of codes. The company is working closely with its government customers to mitigate any potential inconvenience or harm the possible compromise of personal information may cause. SAIC retained Kroll Inc. to provide services to affected individuals, including an Incident Response Center with extended hours, information resources, and credit and identity restoration services for any victims of related identity theft. These services will be provided at no cost to the government or the affected persons. The pre-tax cost of these services, which will be included in SAIC's financial results of operations for the three months ending July 35

37 APPENDIX B (continued) 31, 2007, is estimated to be in the range of $7 million to $9 million, excluding costs for credit restoration services if any related identity theft occurs. "Our focus is on offering services and support to those who may be affected by the potential compromise of their information," according to Arnold Punaro, Executive Vice President, the company official leading the support effort. The company has responded to this situation in a comprehensive way by taking the following actions: conducted a detailed forensic analysis of the server and data, which included assistance from some of the company's and the government's top experts in computer security; launched an internal investigation using outside counsel to determine exactly how this security failure occurred and placed a number of employees on administrative leave pending the outcome of the investigation; established a company-wide task force to ensure that the company responsibly addresses any adverse impact on the company's customers and any affected individuals; initiated a systematic, company-wide assessment to assure that such lapses do not exist elsewhere in the company and determine whether any changes in policy, methods, tools and monitoring are needed to make sure that such a lapse does not recur. SAIC is a leading provider of scientific, engineering, systems integration and technical services and solutions to all branches of the U.S. military, agencies of the Department of Defense, the intelligence community, the U.S. Department of Homeland Security and other U.S. Government civil agencies, as well as to customers in selected commercial markets. With more than 44,000 employees in over 150 cities worldwide, SAIC engineers and scientists solve complex technical challenges requiring innovative solutions for customers' mission-critical functions. SAIC had annual revenues of $8.3 billion for its fiscal year ended January 31, SAIC: FROM SCIENCE TO SOLUTIONS 36

38 APPENDIX C Operational risk index The following table outlines the construction of our operational risk index. We assess companies response to operational risk by searching the following data items (listed in the first column) in their Form 10-K filings. The second column provides the keywords that we look for in each sentence while performing the search. If the keywords are found in the same sentence of the 10-K then a value of 1 is assigned, and 0 otherwise. The index is calculated as the simple sum of the index components which is winsorized at the 1 and 99 percent levels. The text search is performed using 10-Ks downloaded from the Securities Exchange Commission s Electronic Data Gathering and Retrieval system (EDGAR) using a Python program. DATA ITEM Formalized risk management controls and systems Existence of risk governance model Formalized risk limits and controls Risk quantification Scenario analysis Causal event analysis Formal Risk management policy / framework Formal Risk documentation of policy and controls Risk management data integration Escalation of critical issues Risk methodologies Risk technology systems Existence of risk training programs Operational risk management systems Integration of risk and compliance systems Interaction between board and risk management Risk appetite Risk committee Existence of management risk committee Existence of board risk committee Review by risk committee KEYWORDS "risk" AND "governance" AND "model" "risk" AND ("limit*" OR "control*") "risk" AND "quant*" "scenario" AND "analy*" AND "risk" "causal event" AND "analy*" AND "risk" "risk" AND ("policy" OR "framework") "risk" AND "document*" "risk" AND "data" AND "integrat*" "critical" AND "issues" AND "escalat*" "risk" AND "method*" "risk" AND "system*" AND "technolog*" "risk" AND "training" "operational risk" AND "manag*" AND "system*" "risk" AND "compliance" AND "systems" "risk" AND ("manag*" OR "report*") AND "board" "risk" AND "appetite*" "risk" AND "committee" AND "manag*" "risk" AND "committee" AND "board*" "risk" AND "committee" AND "review*" 37

39 APPENDIX C (continued) Risk culture and oversight Organization recognizes a specific risk management culture Organization recognizes importance of risk oversight CRO Existence of CRO Management or board interaction with CRO ERM Existence of ERM Management or board involvement with ERM Interaction between compensation /incentives and risk Data management Data integrity issues Data governance Data management / maintenance Data controls / checks Data standards Data process architecture Risk data quality Formal risk reporting Risk reporting Risk dashboard Board received risk reporting Management received risk reporting CEO received risk reporting Types of risk information reporting Operational failures Sensitivity analyses Risk exceptions Business continuity Fraud risk IT risk Customer risk Privacy breaches Reputation risk "risk" AND "culture" "risk" AND ("oversight" OR "governance") "chief risk officer" OR "CRO" "chief risk officer" OR "CRO" AND ("board" OR "manag*) "enterprise risk management" OR "ERM" "enterprise risk management" OR "ERM" AND ("board" OR "manag*) "risk" AND ("compensation" OR "incentive") "data" AND ("integrity" OR "risk") "data" AND "governance" "data" AND ("manag*" OR "maintain*) "data" AND ("control*" OR "check*) "data" AND "standards" "data" AND "process" "data" AND "quality" "risk" AND "report*" "risk" AND "dashboard" "risk" AND "report*" AND "board" "risk" AND "report*" AND "manag*" "risk" AND "report*" AND "CEO" OR "chief risk officer" "operation*" AND ("failure*" OR "risk") "sensitivity" AND ("test" OR "analy*") AND "risk" "risk" AND "exception*" "business" AND "continuity" "fraud" AND "risk" ("IT" OR "Information Technology") AND "risk" "customer*" AND "risk" "privacy" OR "privacy breach OR "identity" OR "identity theft" "reputation" AND "risk" 38

40 APPENDIX D Variable definitions RESTATE i,t,t+1 = 1 if the firm reported a material restatement due to an error in fiscal year t or year t+1, and 0 otherwise; SEC_COMMENT i,t,t+1 = 1 if the firm received an SEC Comment Letter in fiscal year t or year t+1, and 0 otherwise; BREACH i,t-δ = 1 if the firm reported a privacy breach after releasing fiscal year t- 1 s annual financial statements, but before releasing fiscal year t s annual financial statements, and 0 otherwise; OPRISK_INDEX i,t-1 = Score from operational control risk index in fiscal year t-1, the calculation of the index is outlined in Appendix C; SOX404 i,t = 1 if the firm had a SOX 404 material internal control weakness over financial reporting during the fiscal year t, and 0 otherwise; SIZE i,t = Natural logarithm of the firm s market capitalization as of year t s fiscal year-end; FIRM_AGE i,t = Natural logarithm of one plus the number of years the firm has COMPUSTAT data as of year t s fiscal year-end; LOSS i,t = 1 if net income before extraordinary items is less than zero in fiscal year t, and 0 otherwise; SEGMENTS i,t = Natural logarithm of one plus the number of operating and geographic segments as of year t s fiscal year-end; ACQ_VALUE i,t = The aggregate dollar value of acquisitions that the acquired company in the fiscal year t-1, scaled by market capitalization as of fiscal yearend t; GROWTH i,t = Quintiles of year-over-year sales growth in fiscal year t, and 0 otherwise; RESTRUCT i, t = The aggregate restructuring charges in the fiscal years t and t-1, scaled by market capitalization as of year t s fiscal year-end; LEVERAGE i,t = Debt divided by total assets as of year t s fiscal year-end; BIG4 i,t = 1 if the client has a Big 4 auditor in fiscal year t, and 0 otherwise; SPECIALIST i,t = 1 if the firm s auditor has the highest market share in the client s industry, measured using audit fees in fiscal year t, and 0 otherwise; BREACH_RISK i = The natural logarithm of the number of breaches in the firm s industry, to control for the inherent privacy breach risk of the firm s industry; LOGFEES i,t = Natural logarithm of total audit fees in the fiscal year t; ATURN i,t = Sales in fiscal year t divided by total assets as of fiscal year t s yearend; EXPORT i,t = Total sales from foreign segments scaled by total sales in the fiscal year t; ABSEXTRA i,t = Absolute value of extraordinary items in fiscal year t scaled by total assets as of fiscal t s year-end; ROA i,t = Net income in the fiscal year t scaled by total assets as of fiscal year t s year-end; DEC_YREND i,t = 1 if the company has a December 31 st year end in fiscal year t, and 0 otherwise; OPINION i,t = 1 if the company received an auditor going concern opinion, and 0 otherwise; and, STD_ROA i,t = Standard deviation for annual ROA i,t in years t, t-1 and t-2. 39

41 FIGURE 1 Measurement timing of main variables End of Fiscal Year t-1 End of Fiscal Year t End of Fiscal Year t+1 Calculation of operational risk index using 10-K data OPRISK_INDEX i,t-1 If breach occurred: BREACH i,t-δ =1 Audit fees reported (LOGFEES i,t ) Audit fees reported (LOGFEES i,t+1 ) If restatement occurred RESTATE i,t,t+1 =1 If SEC comment letter received SEC_COMMENT i,t,t+1 =1 40