DISCLOSURES OF CYBER EXPOSURE AND AUDIT FEES: EVIDENCE FROM ASEAN-4 BANKING

How to cite this paper: Karyani, E., Noveria, A., Faturohman, T., & Rahadi, R. A. (2023). Disclosures of cyber exposure and audit fees: Evidence from ASEAN-4 banking


INTRODUCTION
The banking world is evolving to become increasingly digital in reporting its financial statements, collecting funds from the public, and investing nationally and internationally. Fitch Ratings (2020) conducted a survey and found that online banking activities throughout the Association of Southeast Asian Nations (ASEAN) region had spiked sharply since the beginning of the pandemic. For example, Bank Rakyat Indonesia (Persero) Tbk. reported growth in internet banking activity of around 88% year on year (YoY) in the first quarter of 2020 (1Q20), and a similar trend occurred in many major banks in the Philippines and Malaysia. In addition to higher digital transactions, Singapore's three major banks reported a significant increase in digital account opening or use of "robo-advisory" financial planning services platforms over the same period. Unfortunately, technological improvements being developed and increasingly implemented in the banking industry have provided new opportunities for cyber fraudsters and hackers since the COVID-19 pandemic began. The Financial Industry Cybersecurity Report (FICR) reported that cybercrime was recognized as the second-highest source of economic abuse in global financial institutions (Uddin et al., 2020). According to Kopp et al. (2017), the financial sector is one of the most targeted sectors related to cybercrime because of its dependence on information and its central role in the credit intermediation process. Therefore, regulators require banks to identify and report their risk profile.
Accounting literature has intensively investigated pricing decisions or audit fees. Previous studies show that accounting firms charge fees to assess client characteristics, including risk, governance, daily operations, and long-term strategic business decisions (Wu, A higher client business risk and potential client litigation risk will require greater auditor involvement by increasing effort or incurring an additional risk premium (Simunic, 1980). Higher client risk is associated with higher audit fees. Furthermore, the Standing Advisory Group (SAG) of the Public Company Accounting Oversight Board (PCAOB) emphasized the potential implications of cybersecurity for financial reporting and auditing (PCAOB, 2014). Financial statement audits are determined by how clients disclose cybersecurity risks and cyberattacks (Institute of Singapore Chartered Accountants [ISCA], 2018; Calderon & Gao, 2021). This raises the question of whether the cybersecurity risks published by companies are relevant to the audit of financial statements and to what extent the pandemic (crisis) period influences this relationship.
This study aims to broaden previous studies by associating cyber risk disclosure (CRD) with audit fees. The study is expected to fill the research gap related to the measurement method of risk disclosure and background setting. This research contributes to the literature in two ways. Firstly, our study contributes to the literature on audit fees by explicitly associating CRDs with the audit fees model. Our study extends the work of Calderon and Gao (2021), who examined the association between CRD and audit fees by going one step further during the COVID-19 pandemic. We also modified the CRD measurement based on a rule proposed by the Securities and Exchange Commission (SEC) in March 2022, which requires public companies to disclose cybersecurity. Furthermore, this measurement is implied to an index obtained from the content analysis. Aldasoro et al. (2021) showed that the financial sector has been more frequently affected by cyber-attacks than most other sectors since the COVID-19 pandemic. Phishing attacks, for example, explicitly use uncertainty during COVID-19 to entice users to open fraudulent attachments or give hackers access to networks.
Secondly, to the best of our knowledge, our study is the first to examine the effect of a bank's CRD on audit fees in ASEAN-4 (Indonesia, Malaysia, Thailand, and the Philippines) emerging economies. Previous research linking auditor responses to cyber incidents focuses on the implications of cyber breaches, which imply an increased risk of internal control weaknesses and material misstatements (Rosati et al., 2019; Smith et al., 2019; Li et al., 2020). Audit costs are closely related to client risk characteristics, accounting method selection, day-to-day operational decisions, and long-term strategic business decisions (Bell et al., 2001). In addition, previous research mostly observes the effect of companies disclosing cyber risks on audit fees in developed countries (Moreira, 2019; Calderon & Gao, 2021; Li et al., 2020; Cheong et al., 2021). Meanwhile, this study focuses on ASEAN banks, which are the main targets of cyberattacks (A.T. Kearney, 2018). This is possible due to high digital connectivity, inversely proportional to low cybersecurity awareness, ever-increasing cross-border data transfers, and weak regulations (Hedrich et al., 2017).
Our tests are based on a sample of 63 banks in the 2015-2020 fiscal year. We reviewed disclosure decisions by managers after data breaches and used a more comprehensive keyword list approach to identify CRDs. We found that audit fees are related to the extent of disclosure, indicating that a bank's CRD is informative in determining the level of auditors' judgment. However, the governance of CRD does not significantly affect the audit rate. Therefore, this study examines the effect of this lagged variable on audit fees in an additional analysis. We found that the governance of the bank's CRD in the previous period increased current audit fees. Furthermore, the COVID-19 pandemic lowered audit fees for banks that disclose the total, causes, and impacts of cyber risk. Furthermore, our study adds analysis by replacing audit fees with audit tenure, suggesting that total and individual CRD (risk governance, causes, and impacts) do not affect audit tenure. This means that banks want to be audited by incumbent auditors with a better understanding of the firm's condition.
The remaining parts of the paper are structured as follows. Section 2 reviews the existing literature and develops our hypotheses. Section 3 describes the data and methodology used in this study. Section 4 presents the empirical results. Section 5 summarizes the findings and implications for the literature, regulators, and practitioners.

The term "cyber risk" refers to "operational risks to information and technology assets that have consequences affecting the confidentiality, availability, or integrity of information or information systems" (Cebula et al., 2014, p. 2). As a result of the increasing number and severity of cybersecurity incidents since COVID-19, several financial regulators in ASEAN countries have issued guidelines regarding CRDs that public companies must submit to investors. The Financial Services Authority (Otoritas Jasa Keuangan - OJK) of Indonesia has issued regulations comprising cyber incident response and recovery using components similar to those found in the Financial Stability Board (FSB) toolkit through Regulation No. 38/POJK.03/2016 on implementation of information and technology risk management by banks as amended by OJK Regulation No. 13/POJK.03/2020 and OJK Circular Letter No. 21/SEOJK.03/2017. Furthermore, OJK periodically evaluates banks' information technology involving cyber events as part of the operational risk assessment. Unfortunately, their annual reports have no specific requirements for disclosing cybersecurity risks or incidents.
The SEC Philippines requires that public companies that have experienced cybersecurity breaches, or are exposed to material cybersecurity risks but may not have been the target of cyberattacks, report accurately and promptly. It was regulated in the draft Guidance for Regulated Entities on Establishing and Maintaining a Cybersecurity Framework, published in December 2020 (SEC, 2020). Meanwhile, the Guidelines on Management of Cyber Risk (SC-GL/2-2016) issued by the Securities Commission (SC) Malaysia on October 31, 2016 (SC Malaysia, 2016), clearly regulate, among other things, the board of directors and senior management's role and responsibilities in building the cyber resilience of capital market entities. In addition, the guidelines regulate the requirements for reporting to SC Malaysia the occurrence of cyber incidents or breaches daily. Furthermore, the Thai Bankers Association (TBA) implemented the personal data protection guidelines for Thai banks (the "Guidelines") to facilitate banking sector operations in conformity with the Personal Data Protection Act 2019 (PDPA). The PDPA was Thailand's first comprehensive data protection law, published in the Royal Thai Government Gazette on May 27, 2019, with full implementation planned for June 1, 2022.
As the ASEAN securities markets play an increasingly important role in global investment strategies, the audit function and reliability of audited financial information are becoming increasingly important. Favere-Marchesi (2000) examined the Big Five (Big-5) audit mechanism in seven ASEAN countries. It was stated that audit fees, in addition to audit and client rotation, are mechanisms used by auditors to reduce threats to auditor objectivity. Audit fees refer to remuneration earned by accounting firms and auditors for providing professional services. Simunic (1980) introduced the theory underlying audit fees; the previous literature on the determinants of audit fees in emerging economies is mixed. that audit fees are strongly related to the level of auditor risk (auditor attributes) and client risk (client attributes). Thus, the greater the risk, the more complex the audit procedures that need to be carried out, and the greater the allocation of human and material resources invested. When the necessary human and material resources are unable to reduce audit risk, they may choose to collect a risk premium to avoid claims for damages or compensate for possible future losses.

Effect of CRD, governance, causes, and impact of cyber risk on audit fees
Previous studies linking auditor responses to cyber incidents focused on the implications of cyber breaches, implying an increased risk of internal control weaknesses and material misstatements being committed (Rosati et Li et al., 2020). The information asymmetry theory suggests that the level of risk disclosure can impact the audit fee, as it can impact the amount of work required by the auditor and the perceived level of risk associated with the company's operations.
Furthermore, the informativeness of corporate textual risk disclosures and cybersecurity incidents indicates a potential failure of internal control over financial reporting (Lawrence et al., 2018). In this case, the company's records may be altered, resulting in financial statement manipulation. Furthermore, more specific cybersecurity disclosures related to companies can improve audit quality, which the auditor responds to by increasing audit effort, ultimately increasing audit fees (Masoud & Al-Utaibi, 2022). Empirical findings show that companies with previous cybersecurity risk disclosures are more likely to experience financial reporting deficiencies, so the higher the audit quality requested, the higher the audit pricing. We also believe that auditors should charge higher fees from riskier clients if they can accurately assess a client's enterprise cybersecurity risks.
H1: CRD has a positive effect on audit fees.
Furthermore, this study divides the level of risk disclosure into three criteria: governance, causes, and impacts of cyber risk. These criteria are based on previous research, surveys, and guidelines. As the threats to cyber risk become more complex, executives need to know whether overall governance decisions on cyber risk management are optimal and what the causes and potential impacts of cyberattacks are on the organization.
Previous studies show a significant relationship between the level of governance and audit fees. On the one hand, the association between governance and audit fees is positive. Governance proxied by the governance structure of the board of directors increases audit fees (Yang, 2015). Khalil et al. (2008) also stated that separating the two forces is positively related to the audit fees of companies listed in Canada. In line with the findings of a study in China, the supervisory authority of the board of directors is eroded if the two powers are consolidated into one. Therefore, the auditor increases the control risk estimate during the audit, which increases the audit fee (Ye, 2020).
On the other hand, Wu (2012) found that better company management will reduce the audit fees the company must incur. Concerning the results of previous studies, we estimated the negative relationship between the governance of CRD and audit fees. This is in line with Bhuiyan et al. (2021), stating that a risk committee determines audit pricing. Furthermore, a risk committee monitors all information to reduce uncertainty and improve the quality of the risk information (Aebi et al., 2012; Karyani et al., 2020). Audit pricing can be lower because of a board that guarantees the effectiveness of cyber risk management. According to agency theory, a higher level of corporate governance can reduce the company's agency costs and audit risk, so audit costs are also reduced (Leventis & Dimitropoulos, 2010). Implementing good risk governance indicates strong internal control, which can reduce the scope of audit work, and auditors conduct less testing, resulting in a lower audit fee because they will take a lot of time to complete the audit work. The less audit processing time, the lower the audit fee charged to the company.
H2a: Governance of cyber risk has a negative effect on audit fees.
When a cyber incident occurs, the auditor must understand its nature and causes (ISCA, 2018). External auditors are also in charge of reviewing their clients' losses, claims, and obligations linked to the incident, as well as the final impact of the financial statements (Center for Audit Quality [CAQ], 2014). According to the risk-based approach theory, audit fees are determined based on the level of risk associated with the company's operations. When companies disclose the causes and consequences of significant cyber risks, such as losses and legal effects, auditors may need to devote more time and resources to assessing and testing the effectiveness of the company's cybersecurity controls. This increased effort and risk may lead to higher audit fees.
This is consistent with the findings of Lawrence et al. (2018) that cybersecurity events may indicate weaknesses in internal financial reporting controls. Thus, regardless of their nature, cybersecurity breaches have potential implications for auditors who must assess their clients' cybersecurity risks. We expect increased audit fees because of increased efforts (Rosati et al., 2019; Li et al., 2020). Auditees pay higher fees in response to reports of increased cybersecurity threats.
H2b: Causes of cyber risk have a positive effect on audit fees.
H2c: Impacts of cyber risk have a positive effect on audit fees.

The moderating effect of the COVID-19 pandemic
The COVID-19 pandemic presents a unique opportunity to study how auditors respond to exogenous shocks in a client's operating environment. Due to the COVID-19 pandemic, auditors were also under pressure from clients to cut audit fees due to the economic slowdown during COVID-19. Krishnan and Zhang (2014) show that audit fees decreased during the global crisis due to negotiations. Similar to the crisis, clients negotiate more stringently during the pandemic, reducing audit fees. The impact of the COVID-19 pandemic has been the toughest challenge for auditors and their clients due to increased financial issues, litigation, and hacking (Albitar et al., 2021). In other words, the potential effect of COVID-19 on the association between CRD and audit fees is unclear. Therefore, the third hypothesis of this study is:
H3: The COVID-19 pandemic affects the relationship between CRD (total and individual) and audit fees.

Sample selection and data collection
The final sample is 352 bank years of 67 commercial banks listed in four ASEAN countries from 2015 to 2020. It consists of 27 Indonesian banks, 5 Malaysian banks, 11 Thailand banks, and 14 Philippines banks. We excluded regional or rural banks because they have less technology infrastructure and fewer cybersecurity risks. Data were collected from the English versions of the annual reports on the bank's official websites and BankFocus (Bureau van Dijk - BvD).

Variables description
The CRD was measured based on the index proposed by Calderon and Gao (2021) and Li et al. (2018) using the content analysis method to collect CRD data. The questions used to obtain the CRD index are listed in Table 1. The CRD index for each bank year (CRDit) uses disclosure indexes. The disclosure is classified into three categories: 1) governance of cyber risk, 2) causes of cyber risk, and 3) impacts of cyber risk. These categories were separated into 17 sub-categories or 17 items or scores. Table 1 explains the three main components of the CRD index, which were then developed into 17 items. In comparison, Calderon and Gao (2020) used a Python program to extract CRD by counting the number of words (lnWords). Our study identified items using keywords in a hand-collected manner. The scoring method uses a value of 1 for items that are disclosed and 0 for items that are not disclosed. The disclosure index is assessed using a nonweighted approach to avoid subjective judgments by assuming all items in the checklist are equally important. Thus, the index formula was used to calculate the CRD area index by dividing the number of items disclosed (n) by the number of items that should be disclosed (k). The more items a bank discloses, the higher the index score it obtains. Banks with higher index scores indicate more comprehensive disclosure. The validity and reliability tests were conducted to determine whether the governance of the cyber risk index was "good" or "adequate" based on Cronbach's alpha value of 0.60-0.70 (Clark & Watson, 1995). The study expects a negative relationship between cyber risk governance and audit fees. Meanwhile, the variables of total risk disclosure and the causes and consequences of risk are expected to be positively correlated with audit fees.
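The unweighted scoring described above (1 for a disclosed item, 0 otherwise, n disclosed items over k checklist items) and the Cronbach's alpha reliability check, as an added Python example that is not the authors' code. The checklist is a constructed subset built from items this paper names, not the 17 items of Table 1; the keyword patterns, the report excerpts, the score matrix and the rule of dropping constant items are assumptions.

```python
import re
from statistics import pvariance

# Constructed checklist: a subset of items the paper names in its results,
# grouped into its three categories. It is NOT the 17-item list of Table 1,
# and the keyword patterns are assumptions of this example.
CHECKLIST = {
    "GCR": {
        "board_oversight": [r"\bboard\b.*\bcyber", r"\bcyber.*\bboard\b"],
        "strategy_policy": [r"cyber(?:security)? (?:risk )?(?:strategy|policy)"],
    },
    "CAUSE": {
        "spear_phishing": [r"spear[- ]phishing"],
        "man_in_the_middle": [r"man[- ]in[- ]the[- ]middle"],
        "iot_attack": [r"internet of things", r"\biot\b"],
        "data_breach": [r"data breach"],
    },
    "IMPACT": {
        "reputation": [r"reputation"],
        "legal": [r"litigation", r"legal (?:action|claim|proceeding)"],
    },
}
# Generic words ("board", "reputation") only count when the same sentence
# also mentions cyber; cause terms are specific enough to stand alone.
CONTEXT_REQUIRED = {"GCR", "IMPACT"}

# Constructed annual-report excerpts (not taken from any real bank).
REPORT_A = """The Board of Directors oversees cyber risk through the Risk
Committee. The bank maintains a cybersecurity policy that is reviewed
annually. A data breach at a third-party vendor exposed customer records.
Cyber incidents may damage the bank's reputation."""
REPORT_B = """Our reputation for service quality remains strong.
The board approved the dividend policy."""


def score_report(text):
    """Return {(category, item): 0 or 1} for one annual-report text."""
    flat = " ".join(text.lower().split())
    sentences = [s for s in re.split(r"[.!?]+", flat) if s.strip()]
    scores = {}
    for cat, items in CHECKLIST.items():
        for item, patterns in items.items():
            hit = any(
                re.search(p, s)
                and (cat not in CONTEXT_REQUIRED or "cyber" in s)
                for s in sentences
                for p in patterns
            )
            scores[(cat, item)] = int(hit)
    return scores


def crd_index(scores, category=None):
    """Unweighted index n / k, overall or for one category."""
    vals = [v for (cat, _), v in scores.items() if category in (None, cat)]
    return sum(vals) / len(vals)


def cronbach_alpha(rows):
    """Cronbach's alpha for a bank-year x item matrix of 0/1 scores.

    Items with no variation across bank-years are dropped first (an
    assumption of this example): they add nothing to the item variances
    or to the variance of the totals, but would change k.
    """
    cols = [c for c in zip(*rows) if pvariance(c) > 0]
    k = len(cols)
    if k < 2:
        raise ValueError("need at least two items that vary")
    total_var = pvariance([sum(r) for r in zip(*cols)])
    if total_var == 0:
        raise ValueError("total scores do not vary")
    return k / (k - 1) * (1 - sum(pvariance(c) for c in cols) / total_var)


# Constructed score matrix: five bank-years x four items (last item constant).
SCORES = [
    [1, 1, 1, 0],
    [1, 1, 0, 0],
    [0, 0, 0, 0],
    [1, 1, 1, 0],
    [0, 1, 0, 0],
]

if __name__ == "__main__":
    a = score_report(REPORT_A)
    print("CRD", crd_index(a), {c: crd_index(a, c) for c in CHECKLIST})
    print("CRD (no cyber context)", crd_index(score_report(REPORT_B)))
    print("alpha", round(cronbach_alpha(SCORES), 3))
```

REPORT_B scores zero because "board" and "reputation" appear without any cyber context, which is the kind of false positive a bare keyword count would record.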
Furthermore, the control variables were used based on previous studies that include the bank's assets size (SIZE), leverage (LEV), non-performing loans (NPL), efficiency ratio (EFFIC), securities (SECUR), capital ratio (CAR), net loss (NLOSS), going-concern audit opinion (GCO), Big Four auditors (BIG4), auditor tenure (INITIAL), and gross domestic product growth (GDPG). We expected a positive association between audit fees and SIZE, LEV, NPL, EFFIC, CAR, NLOSS, BIG4, INITIAL, and GDPG. Otherwise, audit fees are expected to negatively correlate with SECUR and GCO. The impact of control variables on audit fees has been well documented in previous studies (Fields et al., 2004; Calderon & Gao, 2021).

Empirical models and estimation methods
The following table provides a summary of the research variables used. Following the method used by previous researchers (Calderon & Gao, 2021; Li et al., 2020), we tested the effect of independent variables on dependent variables using the generalized method of moments (GMM). The GMM estimation technique avoids endogeneity problems by using the lag of the dependent variable as an instrument. Therefore, the research is expected to obtain consistent and unbiased results. Furthermore, the specification test of the dynamic panel data regression model consists of the Sargan test and the Arellano-Bond. The Sargan test is conducted to assess the instrument's validity with the criteria if the probability value of the J-statistic > 0.05, it means there is no endogeneity. In contrast, the Arellano-Bond test is used to see if autocorrelation exists in the model instrument used. The $v_{i,t}$ component is an aside assumed to have no autocorrelation, but the estimation in the first difference process is obtained $(v_{i,t} - v_{i,t-1})$, so $E(v_{i,t}, v_{i,t-1})$ does not need to be zero. However, for the next order to see the consistency of the GMM estimator, the assumption $E(v_{i,t}, v_{i,t-2}) = 0$ or the absence of autocorrelation between $v_{i,t}$ and $v_{i,t-2}$ is still applied.

Cyber risk disclosure (CRD)
The average score and the validity test result used a significance level of 5% with an r-table of 0.097 (not tabulated). About 80% of firm-years have disclosures about bank boards taking over cyber risk and referring to any strategy/policy related to cyber risk management. However, almost none of the firm years conveyed information that cyber risk was caused by spear phishing, a man in the middle, trojans, and malware on mobile applications. The greatest cause of cyber risk is the attack on Internet of things (IoT) devices and data breaches. In addition, none of the banks disclosed cyber risks that impacted legal issues. Meanwhile, most cyber risks have implications for bank reputations. This is an important parameter receiving attention from global investors and regulators regarding reputational damage and intellectual property loss resulting from cyber incidents (Li et al., 2018).
The level of CRD in the sample shows an increasing trend from year to year (2015-2020) (not tabulated). This finding complements the study of Hilary et al. (2016), who did not find a significant increase in cybersecurity risk disclosure after a data breach, implying that cybersecurity risk disclosure in the risk factors and management discussion and analysis (MD&A) sections were not informative. Collectively, Malaysian banks performed well, with 48% of them mentioning cyber risk in their annual reports in 2018 and 2019. This was followed by 43% of banks in Thailand in 2020. The highest CRD rates for Indonesian and Philippine banks at approximately 30% were achieved in 2020. Thus, the highest CRD level in ASEAN-4 banking occurred in 2020. Finally, we excluded items that did not have a value or whose value was invalid, and the reliability test results show that Cronbach's coefficient value was 0.675.

Multivariate analysis
Table 3 reports the descriptive statistics of the sample from 2015 to 2020. It shows that the mean of audit fees was $204,802.22 (corresponding to the natural logarithm value of 12.229). The average of the four CRD measures was 0.2441 (24.41%), 0.5671 (56.71%), 0.0730 (7.3%), and 0.0729 (7.29%) for the total risk disclosure, governance, causes, and effects of cyber risk, respectively. Risk governance (GCR) has the highest level of disclosure, which shows the concern of the board of directors or the board of possible cyber risks. However, the board's role was not followed by the disclosure of causes (CAUSE) and consequences (IMPACT) of corporate risk events.

Table A.1 (see Appendix) presents the Pearson correlation between audit fees and various measures of CRD. The correlation coefficient between the log of audit fees (lnAFee) and the three types of risk disclosure (CRD, GCR, and CAUSE) is significantly positive. In contrast, the consequences of cyber risk (IMPACT) are not significant. Moreover, Table A.1 also proves that it does not contain multicollinearity problems because the correlation value between independent variables was quite low (< 0.85).
Table 4 shows the coefficient value used to examine the association between lnAFee and all models indicated in columns 1-4. Panel A of Table 4 explains the model with no COVID effect, while Panel B of Table 4 includes the COVID variable. In general, the coefficient value of all the main independent variables is positive, which is in accordance with the prediction. Furthermore, the probabilities of the J-stat and AR(2) values for all the models are above the significance value (p > 0.05), which means that the equation results do not experience endogenous problems and are valid. Panel A of Table 4 reports that lnAFee is positively and significantly (Cronbach's alpha < 5%) associated with CRD, CAUSE, and IMPACT with coefficient values of 0.3352, 0.2871, and 0.4250, respectively. Meanwhile, Panel B of Table 4 shows that these three variables have a positive and significant effect on lnAFee with coefficient values of 0.7580, 0.0809, and 2.1729, respectively (H1, H2b, and H2c are rejected). This means there is a significant influence of total disclosure, disclosure of the causes, and the impact of cyber risk on audit fees. On the other hand, the GCR coefficient values for both panels are positive and insignificant (H2a is accepted), i.e., 0.0390 (Panel A) and 0.0809 (Panel B). Furthermore, the coefficients of the interaction variables CRD * COVID, CAUSE * COVID, and IMPACT * COVID are significantly negative (at the < 5% level), with values of -3.0570, -2.1643, and -0.9462. However, the coefficient value of GCR * COVID is negative and insignificant (p > 0.05).
Turning to the control variables, the regression results for Table 4 are consistent. lnAFee is significantly and negatively associated with capital ratio (CAR). On the contrary, it is significantly positively associated with bank size (lnSIZE) and big auditor (BIG4) (at < 5% level). The variables of leverage (LEV), efficiency ratio (EFFIC), net loss (NLOSS), and going concern opinion (GCO) are not significant for all the models (see Table 4). Panel A of Table 4 reports that several significant variables are NPL, securities investment (SECUR), and BIG4. In Panel B of Table 4, the p-values for SECUR, GCO, and BIG4 are also significant at the < 5% level.

Discussion
Our outcomes, shown in Table 4, follow our predictions and support agency theory, information asymmetry theory, and risk-based approach theory. These are due to the coefficients of the main variables (H1, H2b, and H2c) and the interaction variable being consistently significant. The total CRD, CAUSE, and IMPACT have a significant effect on audit fees (at the 5% level). Conversely, the GCR did not affect audit fees (p > 0.05). In accordance with the risk-based perspective, the auditor responds to the risks disclosed by the client through appropriate adjustments to the audit procedures. Auditors perceiving higher client risk will increase their audit effort, thereby determining higher fees.
Inconsistent with agency theory, the authors found that cyber risk governance did not affect the audit rate. It means that government agencies do not require additional assurance from auditors and are closely scrutinized by regulators. It also implies that auditors reduce their efforts; thus, good risk governance does not affect audit fees. Consistent with previous studies, we suggest two reasons. First, tight supervision by financial regulators (external governance) can partially substitute bank risk governance (internal governance). Strict regulatory oversight reduces audit risk and information asymmetry, potentially reducing the important role of corporate governance players such as the risk committee (Bryan & Klein, 2004; Boo & Sharma, 2008). Second, the board's primary responsibility for monitoring risk management may not be sufficient, in particular, to improve the monitoring of cyber risk (Shakhatreh & Alsmadi, 2021). Otherwise, Qawqzeh et al. (2021) and Al Sharawi (2022) stated that board members play an important role in external audits' high quality and fee levels. Finally, we conducted additional testing to determine whether the absence of this relationship will be different if it is associated with lag or lead effects (see additional tests). According to Simunic (1980), auditors can set the price of audit services based partly on previous audit fees and current information on relevant factors.
Table 4 also reports that lnAFee was significantly affected by the interaction between the main variable and COVID-19 as a dummy variable (p > 0.05). Even though the relatively short period of the COVID-19 pandemic has been the representation of numerical data that can be tested, the pandemic has lowered audit fees for companies that disclose the total, causes, and impacts of cyber risk. In line with the results of previous studies, firms negotiate lower prices for audit services during the pandemic (Albitar et al., 2021; International Federation of Accountants [IFAC], 2020). Auditors can reduce their efforts to minimize engagement losses during the COVID-19 social distancing outbreak. Disclosure of cyber risk may have greater complexity and audit effort. Still, prudence and minimizing losses on the engagement make it difficult to perform the engagement under the technical and professional standards applicable to that price. In addition, lower audit operational costs (e.g., personnel salary and utility costs) reduce audit fee offerings. The study conducted by Al-Qadasi et al. (2022) and Harjoto and Laksmana (2022) found the opposite result. It is stated that public health restrictions during COVID-19 led to higher audit costs due to perceived audit risk and additional audit efforts to design new procedures. In addition, the threat of risk, complexity, and legal liability due to the pandemic can be compensated by charging higher audit fees.
Our regression results show that audit fees are significantly related to bank size, NPL, auditor size (BIG4), and going concern opinion. Audit fees are positively influenced by the firm and auditor size. Audit fees are higher for large banks due to greater audit complexity (Fields et al., 2004) and agency fees (Lyubimov, 2019). Banks audited by big auditors (BIG4) are charged higher fees due to premium audit services (Francis, 2004) as well as a higher reputation and audit market (Lyubimov, 2019).
According to Boo and Sharma (2008), banks that receive a going concern opinion (GCO) will pay higher fees to demonstrate a high-quality audit. Credit quality is the most widely owned asset by banks. The high level of non-performing loans owned by banks requires greater audit efforts and fees because the risk of default is higher than current loans. Conversely, banks need to maintain adequate capital levels (CAR) to fund their investments, fulfill depositor and lender obligations, and meet regulatory requirements set by regulators. A low capital ratio increases auditor effort, resulting in greater audit costs. However, proxies for clients' ability to pay (NLOSS), bank leverage (LEV), bank efficiency, and GDPG are insignificant.

Additional test
Additional tests were performed to provide some additional evidence regarding our results. Firstly, we re-estimated all equations with lagged variables because of the lack of a dominant significant result for the cyber risk governance variable. Previous studies were proven to support the idea that audit fees are related to current and past events (Hribar et al., 2014), the potential lag or lead effects of cyber-security incidents (Rosati et al., 2019), and prior cybersecurity risks disclosure (Calderon & Gao, 2021). Table 5 shows that lnAFee was significantly affected by GCR lag and significantly negative GCR * COVID interactions. This means that the governance of the bank's CRD in the previous period increased the current audit fees. This audit fee was lower during the pandemic than during the non-pandemic period. We suggest that the governance of the bank's CRD requires additional assurance from the auditor based on a demand-based perspective. Hay et al. (2004) argue that the demand effect may cause risk committees to demand more audits to fulfill their responsibilities and protect their reputations against the dubious cyber risk reported by management.
Finally, we replaced audit fees with audit tenure. Although audit tenure and fees are related to audit quality, they measure different aspects of the audit process. Audit tenure indicates the length of working relationships between companies or issuers that use audit services at the same public accountant within a certain period of time. The longer audit engagement gives the auditor a deeper understanding of the company's operations, business risks, and systems, resulting in a more efficient audit process (Lee et al., 2009). Previous research also shows that informed company risk is very likely to be a factor in changing auditors (Nasser et al., 2006; Junaidi et al., 2016).
Unlike previous studies, our study found that total and individual CRDs (risk governance, causes, and impacts) did not affect audit tenure, as indicated in Table 6. During the COVID-19 pandemic, we failed to prove the effectiveness of this relationship. These findings are in line with studies of auditor turnover, which state that companies at high risk, as indicated by the information submitted, want to be audited by the same auditor because incumbent auditors have a better understanding of the company's condition (Sinason et al., 2009; Fairchild, 2008; Hategan et al., 2022).

CONCLUSION
This study investigates whether companies with cyber risk disclosure are charged higher audit fees. The study also examines whether the COVID-19 pandemic affected the association between cyber risk disclosure and audit fees. Cyber risk disclosure is proxied by total cyber risk disclosure, cyber risk governance, cyber risk causes, and cyber risk impacts. The results show that disclosure of total, causes, and impacts of cyber risk was significantly and positively associated with audit fees. In contrast, the governance of cyber risk disclosure affected audit fees when entered as a lagged variable. This means that this type of disclosure affects audit fees in the following year. Further analysis shows that this audit fee decreased during the COVID-19 pandemic. The effects of cyber risk disclosure on audit tenure, examined in another additional analysis, could not be proved.
Some limitations in this study must be overcome in future research. First, we focused on the role of boards in cyber risk management and oversight as representatives of cyber risk governance. This proxy is considered less comprehensive because it focuses too much on several aspects that can increase the potential for bias (Pan, 2008). Second, using content analysis to explain cyber risk disclosure may not be comprehensive or sufficient. Experimental or interview-based studies may better explain
2012; Rosati et al., 2019; Smith et al., 2019; Yang et al., 2018; Musa et al., 2021).
Fields et al. (2004), Calderon and Gao (2021)
Going concern opinion (GCO): Dummy variable equals 1 if the auditor issues a going-concern audit opinion in year t, and 0 otherwise. Source: Calderon and Gao (2021)
Big-4 auditor (BIG4): Dummy variable equals 1 if a Big-4 auditor is used, 0 otherwise. Source: Calderon and Gao (2021)
Auditor tenure (INITIAL): Dummy variable equals 1 if auditor tenure ≤ 2 years, 0 otherwise. Source: Calderon and Gao (2020)
GDPG: Gross domestic product annual growth. Source: World Bank (n.d.)
Note: This table reports the operationalization of variables. The first column describes the variables used in this study, and how to measure them is shown in the second column. Meanwhile, the third column explains that the variables to be tested come from prior research. n - Fulfill item, k - Total item of disclosure.

Table 1. CRD index for assessing practices of cyber risk disclosure (Part 1)
Cyber risk/cyber risk; Policy/strategy; Cyber risk/IT risk/cyber security/cyber-attack/cyber-thread/IT; Fraud/data-theft/data corruption/cyber insurance/data breach; Management/control
1.3. Does the bank define cyber risk clearly? Cyber risk/cyber-attack/cyber thread/cyber security/data-theft/data corruption/data breach is
1.4. Does the bank identify cyber risk as a material item? Material/significant/important; Attack/fraud/thread/risk/terrorist/incident/security, cyber-based attack, IT (security/attack), data theft, phishing, data corruption, cyber insurance, data breach, crimeware, ransomware, and keylogger
2. Causes of cyber risks incidents: A description of the causes of incidents
2.1. Malware: Malware
2.2. Phishing/spear phishing: Phishing/spear phishing
2.3. Spear phishing: Spear phishing

Table 1. CRD index for assessing practices of cyber risk disclosure (Part 2)

Table 2. Operationalization of variables

Table 3. Summary of statistics
The table presents the summary statistics of the 352 firm years.