近年來資安危機對於個人、企業或是政府機關而言造成的損失日益增加,因此各方皆須提高公司資產安全意識及防範網路風險,但是隨著許多公司將其系統外包給服務提供商後,若服務供應商對於公司數據安全的保護措施不完善時,則容易發生公司不可控制的數據洩露事件,因此公司要求服務供應商提供之系統要能有效保護公司資訊不遭受到網路攻擊。但是對於客戶而言,客戶不瞭解服務提供商提供服務系統之內部控制有效性,因此客戶需要藉由公正第三方認證去證明服務提供商有採取措施來保護數據。對此美國註冊會計師協會有訂定與系統攸關之內部控制認證報告,稱為系統與組織控制報告(System and Organization Controls;SOC),旨在幫助服務供應商藉由通過SOC認證之訊號,建立客戶對服務系統內部控制有效性的信任。 本研究旨在探討公司自願性揭露完成SOC認證之價值攸關性。由於公司完成SOC認證資訊屬於自願性揭露資訊,因此本研究以標準普爾指數1500公司為樣本,人工蒐集公司網站及其他公司報告提及公司完成SOC認證之資訊,研究期間為2013年至2021年,研究模型則根據Gordon, Loeb, and Sohail (2010)提出以Ohlson (1995)和Feltham and Ohlson (1995)之股價評價模型為基礎修改後的模型。實證結果表明,自願揭露完成SOC認證有正向價值攸關性。再者,自願揭露完成SOC認證之正向價值攸關性在處於資安風險較高產業的公司中較強。;In recent years, the increasing cybersecurity threats have resulted in growing losses for individuals, businesses, and government agencies. Therefore, all parties must enhance their awareness of asset security and mitigate online risks. However, with many companies outsourcing their systems to service providers, there is a risk of uncontrolled data breaches if the service providers do not have adequate controls to protect company data. Hence, companies require service providers’ systems to be able to effectively safeguard information. However, customers may not understand the effectiveness of internal controls implemented by service providers. Therefore, customers need to rely on third-party certifications to verify that service providers have taken procedures to protect data. In this regard, the American Institute of Certified Public Accountants has established a certification report related to system and organization controls—System and Organization Controls (SOC). Its purpose is to assist service providers in establishing customer trust in the effectiveness of internal controls within their service systems through the signal of achieving SOC certification. The purpose of this study is to explore the value relevance of voluntary disclosure of companies that have completed SOC certification. As disclosing a company’s SOC certification information is voluntary, I manually collect SOC information from the websites and reports of the S&P 1500 companies. The sample period spans from 2013 to 2021. The research model is based on the valuation model originally proposed by Ohlson (1995) and Feltham and Ohlson (1995) and modified by Gordon, Loeb, and Sohail (2010). The empirical results indicate that voluntary disclosure of completion of SOC certification have positive value relevance. Furthermore, the positive value relevance of voluntarily disclosing SOC certification is stronger for companies in industries with higher cybersecurity risks.
