Businesses and government agencies alike are pursuing blockchain’s promise of greater accuracy, transparency, and efficiency. Accounting firms are investing more than $3 billion a year on blockchain technology, while IBM predicts that two-thirds of all banks will have blockchain products by 2020. These organizations are attracted to blockchain’s ability to record relevant details of every transaction in a distributed network.
Like other new technologies, blockchain presents challenges and opportunities for internal auditors. Blockchain carries the typical IT risks such as unauthorized access and threats to confidentiality, but it also could impact traditional audit procedures. Yet, blockchain may enable auditors to be more innovative and efficient.
The New Risks
As with all new technologies, internal auditors need to assess the internal and external risks to business objectives posed by blockchain. One risk is a “51 percent,” or “majority rule,” attack. In this attack, a user introduces false data in the blocks to create a fraudulent transaction that most nodes on the blockchain accept as true. Hackers also could target endpoint vulnerabilities where people interact with the blockchain, which is when the data is most susceptible to attack.
Another risk is individuals in a supply chain who misuse data by manipulating a blockchain’s transparency and traceability features. Legal risks arise from the lack of standards and regulations for monitoring blockchains in diverse legal jurisdictions worldwide.
Against this backdrop, internal auditors should review whether their clients have established appropriate actions to mitigate risks, including the timelines and staff needed to deploy them. Auditors also should provide assurance on the risks associated with implementing blockchain such as technology interfaces with legacy systems and the adequacy of migration strategies.
Unlike traditional databases, blockchain applications maintain data in blocks, also known as a distributed ledger. These blocks are accessible to all users who are permitted to access them. Because a blockchain does not have a master copy of the database controlled by a database administrator, there is no single point of failure in the event of hacking. Instead, the ledger is replicated in many identical databases, each hosted by a different party. Any change carried out in one copy will simultaneously change all the records.
Notwithstanding blockchain’s security features, internal auditors should ask these questions while testing the system:
- How does blockchain allow different parties with distributed responsibilities in the network to access the ledgers when there is no central administrator?
- How fast and timely is data available as millions of transactions are written simultaneously? Were availability risks addressed at the design stage?
- How safe are the authorizations that allow users to read and write in the blocks? Are these confidentiality risks?
- How adequate are the cryptography arrangements in place to hide the database in the network to ensure completeness, integrity, and nonrepudiation of data?
- How robust are the validation controls and the roles allocated in view of limitations on reversing the transactions? Once blocks in a chain are secured through hashing, they cannot be reversed.
- How adequate are the arrangements over the audit trail when there is no centralized database?
- How adequate are the controls over the data backup and disaster recovery processes considering there are multiple copies of the blockchain and no single point of failure? Also, what arrangements are in place to recognize the node/ledger that could be used for backups?
Impact on Procedures
Blockchain has implications for financial statement audit procedures. Because data maintained in blockchains is available in real time, traditional sampling techniques used in financial statements may not be required. Internal auditors can provide assurance by using data analytics to scan the entire database. Additionally, conventional reconciliation and validating tasks may not be necessary because there should not be discrepancies in the financial statements in a shared ledger scenario.
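The hash-secured blocks mentioned in the testing questions and the full-ledger scan described above can be illustrated with a short added example (not code from the article or from any blockchain platform). It assumes a simplified SHA-256 hash-linked ledger; the field names, node names, and transactions are constructed for illustration.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64

def block_hash(block):
    """SHA-256 of the block's canonical JSON, excluding its own stored hash."""
    body = {k: block[k] for k in ("index", "prev_hash", "transactions")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def build_ledger(batches):
    """Build a sample chain; each block commits to its predecessor's hash."""
    ledger, prev = [], GENESIS
    for i, txs in enumerate(batches):
        block = {"index": i, "prev_hash": prev, "transactions": txs}
        block["hash"] = prev = block_hash(block)
        ledger.append(block)
    return ledger

def audit_ledger(ledger):
    """Full-population test: check every block, return (index, finding) pairs."""
    findings, prev = [], GENESIS
    for block in ledger:
        if block_hash(block) != block["hash"]:
            findings.append((block["index"], "contents do not match stored hash"))
        if block["prev_hash"] != prev:
            findings.append((block["index"], "link to previous block is broken"))
        prev = block["hash"]
    return findings

def first_divergence(replicas):
    """Index of the first shared block on which node copies disagree, else None."""
    for i, blocks in enumerate(zip(*replicas.values())):
        if len({block_hash(b) for b in blocks}) > 1:
            return i
    return None

# Constructed sample data: three transaction batches replicated on two nodes.
BATCHES = [
    [{"from": "ACME", "to": "Supplier-1", "amount": 1200}],
    [{"from": "ACME", "to": "Supplier-2", "amount": 560}],
    [{"from": "Customer-9", "to": "ACME", "amount": 3100}],
]
node_a = build_ledger(BATCHES)
node_b = copy.deepcopy(node_a)
node_b[1]["transactions"][0]["amount"] = 5600  # edit made on one copy only

print(audit_ledger(node_a), audit_ledger(node_b))
print("first divergent block:", first_divergence({"A": node_a, "B": node_b}))
```

Recomputing the stored hash of an edited block does not hide the change: the next block's prev_hash no longer matches, so the finding moves to the following block.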
Indeed, blockchain may render many current risks related to financial statement opinions obsolete. Auditors should be aware of the new risks and their impact on traditional audit procedures.
One example is the risk of auditing transactions captured in an immutable blockchain. During a financial audit in a blockchain environment, auditors will be able to assess whether the transactions recognized in the financial statements have occurred and relate to the entity. However, in doing so, they might overlook the audit evidence’s relevance, reliability, objectivity, and verifiability. This is because auditors could treat the acceptance of a transaction into a reliable blockchain as sufficient audit evidence. Likewise, blockchain might legitimatize certain off-ledger transactions or incorrectly classify the transactions, providing false assurance.
Blockchain may require internal auditors to allocate more resources to obtain assurance on the adequacy of controls in recording transactions. Moreover, auditors will continue to focus on issues related to other nonautomated key activities such as governance, risk management, monitoring, reporting, and evaluation. Indeed, value-for-money audits and other types of audits may grow as organizations seek to evaluate the costs and benefits associated with blockchain applications.
Opportunities for Audit
Blockchain may not completely redefine the rules of internal auditing, but it could provide new opportunities. First, auditors could lobby their clients to involve them during system development either as observers or advisors. This would help auditors understand the nuances of the blockchain operating environment from its inception, including its implementation challenges. Moreover, auditors may be able to suggest and determine the terms of reference for developing appropriate audit modules in blockchain-based systems.
Second, blockchain may encourage audit management to streamline and reorient its staff, while building the department’s capacity to provide quality services to clients. Staff members will need to be able to work with a range of new technologies. Conversely, by automating some tasks, internal audit functions may not need as many auditors as before.
Third, artificial intelligence may enable auditors to quickly process, extract, and identify risks up front using publicly available blockchain ledgers. This ability may make the audits more cost-effective. Also, auditors could use data mining to identify the highest risks such as frauds, resulting in more relevant audits.
Built to Thrive
As blockchain changes the way business is conducted globally, it presents an opportunity for internal auditors to migrate to a challenging, new operating environment. To get there, internal audit must evolve its procedures while staying focused on the risks that matter most to the organization. By monitoring blockchain developments, auditors can help the business thrive in the future.