[Purpose]Recently, the importance of information protection has been emerged with the increasing number of cases of cyber security incidents toward companies. In this study, we examine whether there is relevant implication to the input of additional audit efforts from the auditor’s point of view, whose work includes checking additional efforts invested by companies to improve the level of information protection by linking them with internal control risks. [Methodology]A regression analysis was conducted based on a sample constructed from TS2000 and the information security disclosure portal sites. [Findings]Results of the study show that there is a positive (＋) relationship between the level of information protection (investment amount, manpower) and audit effort (fee, hour). In addition, there is a positive (＋) relationship between information protection investment per person and audit effort, but the higher amount of information protection investment among the amount of technology investment might influence relationship, which reminded us of the need to appropriately consider the size of investment and the size of manpower in information security. [Implications]This study contributes by suggesting that it is possible to study the accounting aspect in the field of information protection and, at the same time, contributes to the expansion of related literature. In addition, by selecting information protection rather than external intrusion (hacking) as a substitute for cyber security, it is differentiated from previous studies by showing that it is possible to identify a relatively small sample to conduct empirical tests. However, since the mandatory information security disclosure system is in its infancy and the sample was selected based on compulsory disclosure and voluntary disclosure, it did not cover the entire industry and various sizes of companies, so care must be taken in interpreting the results.