Abstracts

The Marketing by the Big 4 of Big Data Analytics in the External Audit: Evidence and Consequences

We undertake grounded research into how the Big 4 audit firms are marketing audit engagements that utilize big data analytics (BDA). We show that the firms promote these audits by providing operational insights that will add value to their clients. This raises important questions about the source of this value-added. One reason BDA-enabled audits have proven to be an exception to the rule that auditors tend to lag in their adoption of emerging technologies is that they can piggyback on technologies developed for other uses. This inherent duality of BDA technology as both a source of compliance and of business intelligence necessitates a fundamental rethink of what an audit is, and how it is sold and consumed. What is at stake is the perception of what an audit provides to a client and how it is regulated and undertaken—and ultimately, how auditing is taught and researched.

Keywords: Big data analytics, external auditing, independence

You posted what? Analyzing determinants of social technology risk prevention

As organizations adopt newer technologies, they face many risk challenges. This study examines whether and how organizations proactively address the risks involved with one important newer technology – social technology – through the use of preventive controls. While some organizations strategically address social technology risks such as its rapid spread and ability for external factors to negatively impact reputation, operations, and finances, other organizations wait until a problem develops before considering these risks. Guided by Lenk, Krahel, Janvrin, and Considine (2019)’s Integrated Social Technology Strategy and Risk Management Framework, we conduct a survey of 160 accountants and corporate managers. Results identify several internal and external factors that impact whether organizations implement preventive social technology controls. Our work intersects design science and behavioral science methodologies by examining how the artifact developed by Lenk et al. (2019) can be used to understand an important technology risk.

Keywords: social technology; social media; risk management; internal controls; preventive control activities; newer technologies

Decentralized Finance (DeFi) Assurance: Audit Adoption and Capital Markets Effects

Decentralized finance (DeFi) represents a large capital market where users conduct transactions primarily through digital smart contracts. These contracts are susceptible to cyber-attacks and coding errors that can result in significant financial losses, which has led to the emergence of smart contract audits to reduce information asymmetry and foster trust among DeFi service providers and users. Using a large hand-collected sample of these audit reports from DeFi service providers, we provide some of the first evidence showing that (1) these audits are pervasive, (2) the audit firm market is predominantly composed of new technical audit firms, (3) the scope of these audits can span a variety of contract features, and (4) the market reacts positively to the release of these audit reports, suggesting that these reports are value relevant. These findings highlight the demand for novel assurance services driven by blockchain technology.

Keywords: Auditing, Decentralized Finance, Smart Contract

Permission Blockchain in Action: Multiple case studies with Early-Adopters

Blockchain has the potential to fundamentally reshape how business data are initiated, collected, stored, disseminated, and used worldwide. However, the technology being relatively new, existing research in accounting has provided few empirical findings on the implications for accounting activities when early adopters implement blockchain. This paper explores blockchain adoption using the technology-organization-environment (TOE) framework. Our findings demonstrate that blockchain can address accounting issues in business, including in operations and supply chain settings. Our findings on technology align with those of Chittipaka et al. (2022) on blockchain’s adoption for trust, and those of Rogerson and Parry (2020) on data transparency. On organization, our findings link capacity to the technology’s capabilities, finding that the reduction in manual data management offered by the technology creates a driver for adoption in spite of what appears to be organizational barriers. On the external task environment, despite an apparent lack of proven blockchain cases, the technology is more likely to be adopted where there is a lack of visibility or where complexity hampers decision-making.  

Keywords: Permissioned blockchain, Applications of blockchain, Business problems to solve, Impact for accounting activities

Development of a Framework of Key Internal Control and Governance Principles for Robotic Process Automation (RPA)

Although robotic process automation (RPA) usage is growing rapidly in accounting, concerns are emerging regarding the internal controls and overall governance structure surrounding RPA. To help address these concerns, we use a design science research approach and work with a Fortune 500 company to develop an RPA governance framework. The framework consists of four governance areas and 14 control requirements, which help maximize the benefits and minimize the risks associated with the use of RPA. We validate that the framework is useful and generalizable to many organizations by presenting the framework to and subsequently interviewing and surveying 86 professionals at different organizations, including internal and external auditors, chief audit executives at several multinational corporations, academics, accounting and finance professionals, and other RPA stakeholders. Their feedback suggests the framework is successful in achieving its objectives.

Keywords: Robotic Process Automation (RPA); internal controls; governance; framework

The Effect of the Remote Workforce on Firms' Cybersecurity Risk Disclosures and Incidents

The outbreak of the COVID-19 pandemic forced most of the workforce to work from home to avoid infection. This sudden shift might increase firms’ cybersecurity risks. This study investigates whether the sudden shift to a remote working environment due to the pandemic affects firms’ cybersecurity risk disclosure and incidents. Using 186 firms that offered work from home before the pandemic, we find that, over the pre-pandemic and pandemic periods, firms that allowed remote working before the pandemic are more likely to suffer cybersecurity incidents and disclose more cybersecurity risks related to a remote working environment than firms that did not. However, after the sudden shift due to the pandemic, the difference between the two groups in the likelihood of experiencing a cybersecurity incident and of disclosing cybersecurity risks decreased significantly. The findings suggest positive associations between remote work and cybersecurity risks, and that risk factor disclosures reflect changes in the cybersecurity risks firms face.

Keywords: remote working; cybersecurity; cybersecurity disclosure

The Impact of Cybersecurity Risk Management Strategy Disclosure on Investors’ Judgments and Decisions

In March 2022, the Securities and Exchange Commission (SEC) proposed the mandatory reporting of cybersecurity risk management policies for public companies. This study aims to explore the potential impact of cybersecurity risk management strategy disclosure on nonprofessional investors. Using a 4 x 1 between-participants experimental design, we examine whether investors’ perceptions and decisions would change if the company disclosed cybersecurity self-assessment, assurance, and insurance. We find that investors increase their likelihood of investment if cybersecurity assurance is disclosed when the company follows the NIST cybersecurity framework. In addition, we find that investors perceive cybersecurity assurance services from third parties as providing long-term benefits to the company. Our study contributes to regulators, practitioners, and stakeholders concerned about the potential impact of cybersecurity risk management strategy disclosures on nonprofessional investors.   

Keywords: cybersecurity disclosure, self-assessment, assurance, insurance, investment decisions, nonprofessional investors. 

The Costs of Disclosing Firm-Specific Cybersecurity Risk Disclosures

The potential adverse effects of cybersecurity risks on firm value and operations require stakeholders to understand firms' cybersecurity risks. However, there have been persistent concerns that firms disclose mostly industry-generic cybersecurity risks (e.g., boilerplate) and withhold firm-specific risks. Using a novel measure of firm-specific disclosures, we first document that firms' cybersecurity risk disclosures contain more generic cybersecurity risk factors than firm-specific ones. Then we identify potential costs of firm-specific cybersecurity disclosure: adverse market reactions, increased likelihood of cybersecurity breaches, and higher audit fees. To respond to the increasing cybersecurity issues and encourage more informative cybersecurity risk disclosures, regulators issued guidance on cybersecurity risk disclosures in 2011 and 2018. We test whether this guidance has been effective and find that while firms increased their disclosures of industry-generic cybersecurity risks, the amount of firm-specific cybersecurity risk disclosures has remained the same even after the SEC's guidance.

Keywords: cybersecurity risks; firm-specific risk disclosure; disclosure quality; SEC guidance

Board Roles Required for IT Governance to become an Integral Component of Corporate Governance

Digital transformation is fundamentally changing how organizations create and deliver business value, with IT leveraged to improve business processes and controls. The pervasive effects of digitization upon risk exposures and performance require boards’ prudent and integrated consideration of the resultant IT opportunities and risk exposures. However, IT governance research suggests that boards’ governance of IT is more commonly delegated and relegated to management and committees than integrated as part of their corporate governance practices. In response, our study contributes a timely and structured understanding of boards’ roles and the mechanisms required for IT governance to become an integral component of corporate governance.

Keywords: organizational roles; corporate governance; IT governance; digital transformation

Does cybersecurity maturity level assurance improve cybersecurity risk management in supply chains?

This study uses analytical models to investigate whether required cybersecurity assurance for supply chain partners will induce them to improve their cybersecurity management. Our findings suggest that if a supplier decides its preferred security maturity level before knowing what level a contract requires, the supplier is more likely to put more effort into improving its cybersecurity management. We also show that a buyer can improve the suppliers’ security responsibility by imposing a reduced contractual price or a fine when a security breach occurs. Lastly, publicizing whether a supplier meets or fails to meet the requirement may harm the buyer’s profit if the supplier can re-sell the product/service at a lowered price and is aware of publicizing such information in advance. Our findings uncover the role played by cybersecurity maturity level assurance and provide practical implications.

Keywords: cybersecurity assurance, cybersecurity maturity model, analytical model

Artificial Intelligence Co-Piloted Auditing

In this study, we propose the concept of artificial intelligence co-piloted auditing, emphasizing the collaborative potential of auditors and foundation models, such as LaMDA, DALL-E, and GPT-4, in the auditing domain. We imagine an audit setup where auditors’ capabilities are enhanced through artificial intelligence, facilitating optimal outcomes across a variety of audit tasks. To exemplify the potential of this co-piloted audit paradigm, we illustrate a systematic fine-tuning approach of foundation models using chain-of-thought prompting that enables instruction learning, in-context learning, and sequential reasoning. We demonstrate the potential of co-piloted auditing by fine-tuning GPT-4 using OpenAI’s ChatGPT interface towards three different audit tasks, namely financial ratio analysis, text mining, and journal entry testing. We provide a detailed description of the formulated prompt protocols and the corresponding responses generated by ChatGPT, ensuring reproducibility. Our findings underscore the transformative role of foundation models in reshaping the future of auditing and advocate for continued exploration in this area. We envision this work as an initial step towards the widespread implementation of co-piloted auditing, paving the way for more efficient, accurate, and insightful audit procedures.

Keywords: Auditing, Machine Learning, Deep Learning, Foundation Models, ChatGPT, Bard.

Fair value measurement of cryptocurrency: maximizing observable inputs with exogenous variables

To answer the need for reporting and disclosure of cryptocurrency holdings in compliance with the new FASB accounting standard update for cryptocurrency fair value measurement (FASB Proposed Accounting Standards Update exposure draft, March 23, 2023), this paper develops a modeling process for reporting entities to measure the market value of cryptocurrencies with limited or no observable transactions. In this modeling process, we factor in the economics of the target asset, including its asset trait, market participants’ attention and sentiment, and the credibility and quality of the exchange it can be traded in. We also construct an illiquidity discount adjustment to measure the length and severity of illiquidity. The application of exogenous variables, such as asset classification based on asset documentation and market participants’ attention and sentiment measurement with online media textual analytics, allows us to maximize the observable input in the fair value measurement as required in the accounting standards (FASB ASC 820 and FAS 157). 

Keywords: Cryptocurrency, fair value measurement, classification, investors’ attention, sentiment analysis, exogenous variables, illiquidity discount.

Empirical Analysis of Liquidity Demographics for Crypto Assets

This paper adopts the methodology developed by the SEC (2018) to empirically determine thresholds for liquidity for crypto assets. We use two approaches to determine liquidity levels measured as the Average Daily Volume (ADV). The first is the number of crypto asset units traded and the second is the dollar amounts traded. The results indicate that the distribution of liquidity demographics is not affected by the addition of crypto assets with extremely low unit prices, but the distribution is changed by the high number of units traded when the ADV is measured in dollar amounts. This paper contributes to the accounting literature and the practice by developing a methodology to measure liquidity demographics for crypto assets. The results of the analysis could be used as possible guidance to determine the “threshold” needed to distinguish whether a crypto asset is traded in an active or inactive market in fair value measurement.

Keywords: fair value measurement, thinly traded crypto asset, inactive market

Government ESG Reporting in Smart Cities

Governments shoulder the responsibility of pursuing a variety of sustainability objectives, the consequences of which may not be discernable in traditional reporting frameworks. Environmental, social, and governance (ESG) reporting would be a valuable addition to the existing financial, service, and infrastructure aspects of government reporting. While reportable data may be difficult to measure, smart city development strategies dovetail with technology that facilitates sustainability reporting. This paper proposes a framework of government ESG reporting based on smart city technology. We envision the stages of Government ESG reporting, discuss how smart cities could facilitate ESG reporting, and illustrate potential avenues of analysis using an exogenous source of New York City vehicular mobility data as an example. This research sheds light on an under-examined topic, offers a perspective on how an ESG dimension could be added to government reporting, and explores how sustainability data could help inform government ESG reporting. The paper can serve as guidance for regulators on leveraging data for reporting, assurance, and monitoring.

Keywords: ESG, Government Reporting, Smart Cities, Big Data, Mobility data