An Examination of the Audit Implications of Third-Party Risk

Filosa, Jessica Rose

23 May 2024

Doctor of Philosophy / This study explores whether companies that engage in outsourcing suffer negative audit-related consequences. Outsourcing exposes companies to third-party risk, which is the risk associated with outsourcing IT systems and/or business operations to external companies. Publicly traded companies in the United States are required to file a financial report with the Securities and Exchange Commission each year that includes a discussion of significant risks the company faces. I use this disclosure to identify companies that reveal third-party risk as a major threat to their organization and use machine learning to develop a measure that distinguishes companies exposed to third-party risk from those that are not. Using this measure, I examine whether companies exposed to third-party risk arrangements are more likely to suffer from low quality internal controls, to experience a cybersecurity incident, or to pay higher fees to their external auditor. The results do not show an association between my measure of third-party risk and the likelihood that a company reports a problem with internal controls. However, I do find that companies exposed to third-party risk are more likely to experience a cybersecurity incident. Lastly, I find that companies exposed to third-party risk pay higher fees to their external auditors in the initial year that this risk appears in their annual report. Overall, these results provide initial empirical evidence on the existence and consequences of third-party risk. The findings may be of interest to accounting professionals and managers who are in the early stages of learning to identify and manage their third-party risk exposure. Regulators may also benefit from this study as they contemplate updating the auditing standards related to outsourcing.

third-party risk

outsourcing

internal control

cybersecurity

audit fees

operational efficiency

The modelling of accident frequency using risk exposure data for the assessment of airport safety areas

Wong, Ka Yick

January 2007

This thesis makes significant contributions to improving the use of Airport Safety Areas (ASAs) as aviation accident risk mitigation measures by developing improved accident frequency models and risk assessment methodologies. In recent years, the adequacy of ASAs such as the Runway End Safety Area and Runway Safety Area has come under increasing scrutiny. The current research found flaws in the existing ASA regulations and airport risk assessment techniques that lead to the provision of inconsistent safety margins at airports and runways. The research was based on a comprehensive database of ASA-related accidents, which was matched by a representative sample of normal operations data, such that the exposure to a range of operational and meteorological risk factors between accident and normal flights could be compared. On this basis, the criticality of individual risk factors was quantified and accident frequency models were developed using logistic regression. These models have considerably better predictive power compared to models used by previous airport risk assessments. An improved risk assessment technique was developed coupling the accident frequency models with accident location data, yielding distributions that describe the frequency of accidents that reach specific distances beyond the runway end or centreline given the risk exposure profile of the particular runway. The application of the proposed methodology was demonstrated in two case studies. Specific recommendations on ASA dimensions were made for achieving consistent levels of safety on each side of the runway. Advances made in this study have implications on the overall assessment and management of risks at airports.

387.7362