While cryptocurrencies like bitcoin have received the attention of investors and regulators, it is their underlying technology — the blockchain — that has the greatest potential to disrupt and reshape traditional business and financial processes and infrastructure. The excitement centers on blockchain’s ability to create a distributed ledger of transactions that is secure and can be publicly available in real time.
With blockchains, transactions can be logged, viewed, monitored, verified, and analyzed. For example, instead of a financial institution acting as an intermediary for the transactions, the blockchain technology itself takes on the role of a financial middleman, reducing or possibly eliminating many of the transaction fees and processing delays. Blockchains can enable automakers to track a vehicle from pre-production to sale. Similarly, the food industry is investing in blockchains as a possible solution for traceability and food safety. With blockchains gaining ground in a host of industries, internal auditors need to understand the technology and its audit implications.
Blockchain technology has been touted as a potential game-changer for businesses because of its ability to verify a transaction without a trusted third party. Blockchains and bitcoins are closely intertwined, because bitcoins represent an active, commercial application of a blockchain.
In the bitcoin infrastructure, the blockchain is a continuously growing log of currency transactions that is shared and stored on multiple nodes in a network. Blockchains take advantage of three technology concepts to create a robust, secure, and potentially anonymous distributed data structure: peer-to-peer networking, public key cryptography, and transaction verification methodologies.
Peer-to-Peer Networking
A simple peer-to-peer (P2P) network consists of two or more computer systems connected to share resources without the use of a separate server computer. P2P networking enables file-sharing services such as Napster, the pioneering music-sharing service, and Skype, the internet telecommunications network. Based on P2P networking, a blockchain consists of a distributed network of computer nodes that maintain shared information. Each node in the P2P blockchain network participates in maintaining the security and accuracy of the information. Each node can store a complete copy of the blockchain — as is the case with a bitcoin blockchain — or use other types of decentralized storage technologies to manage the data associated with the blockchain.
Public Key Cryptography
Blockchain verifies digital identity using public key cryptography. For example, in the bitcoin blockchain, digital wallets use public key cryptography to send and receive bitcoins securely. This type of cryptographic system uses a pair of public and private keys, where the public key is freely available and the private key is known only to the key owner. The owner uses both keys to send and receive messages. Public key cryptography can authenticate a message: the corresponding public key is required to view a message that was encrypted with the private key. Because the message can only be decrypted with its matching public key, it is authenticated as created by the owner of the private key. Likewise, a person can use the owner’s public key to encrypt a private message, which can only be decrypted by the owner with his or her matching private key.
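In practice the authentication step described above is a digital signature: the sender signs the transaction with the private key, and any node can check the signature with the sender's public key. The following Go program is an added example, not code from the article or from any wallet software. It uses Ed25519 from Go's standard library; the Wallet type, the address derivation, and the transaction text are constructed for illustration and are not how bitcoin formats them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Wallet holds a key pair. The public key can be handed to anyone; the private
// key stays with the owner and is the only thing that can produce a valid
// signature for that public key. (Constructed type for this example.)
type Wallet struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

// NewWallet generates a fresh Ed25519 key pair from the system's random source.
func NewWallet() (Wallet, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Wallet{}, err
	}
	return Wallet{Public: pub, private: priv}, nil
}

// Address derives a short identifier from the public key, in the spirit of a
// wallet address. The scheme (first 8 bytes of SHA-256) is made up for the example.
func (w Wallet) Address() string {
	sum := sha256.Sum256(w.Public)
	return hex.EncodeToString(sum[:8])
}

// Sign authenticates a transaction message with the owner's private key.
func (w Wallet) Sign(tx []byte) []byte {
	return ed25519.Sign(w.private, tx)
}

// VerifyTransaction is what every node does on receipt: check the signature
// against the claimed sender's public key. It is true only for the exact
// message bytes that were signed and the exact key pair that signed them.
func VerifyTransaction(sender ed25519.PublicKey, tx, sig []byte) bool {
	return ed25519.Verify(sender, tx, sig)
}

func main() {
	alice, err := NewWallet()
	if err != nil {
		panic(err)
	}
	tx := []byte("alice pays bob 5") // constructed transaction payload
	sig := alice.Sign(tx)
	fmt.Println("sender address:", alice.Address())
	fmt.Println("signature verifies:", VerifyTransaction(alice.Public, tx, sig))
	// Changing even one character of the message invalidates the signature.
	fmt.Println("edited message verifies:", VerifyTransaction(alice.Public, []byte("alice pays bob 500"), sig))
	// A signature only verifies under the public key that matches the signing key.
	other, _ := NewWallet()
	fmt.Println("other key verifies:", VerifyTransaction(other.Public, tx, sig))
}
```

Two properties matter for an auditor: a valid signature proves the holder of the private key approved exactly these transaction bytes, and nothing about the public key lets anyone else produce such a signature. Verification is also cheap, so every node can repeat it rather than trusting the node that first relayed the transaction.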
Transaction Verification Methodology
A methodology must be in place to establish the legitimacy of a transaction within the recording node. The specific transaction verification methodology can vary across different implementations of blockchains. Because a blockchain exists on a distributed network of computers maintaining shared information, trust is enabled by the collective record keeping of all nodes in the network. New blocks are added through verified nodes that ensure the integrity of values within a blockchain and prevent tampering with values within a verified block.
For example, the bitcoin blockchain uses proof-of-work to verify transactions and to add a new block of transactions to the blockchain. This method is known as the bitcoin mining process and involves bitcoin miners competing to solve a computationally intensive problem. Solving this problem entails finding a hash number with special properties that depend on the contents of a specific block of bitcoin transactions in the blockchain. The hash number is used to validate the data of the current block and prevent tampering with data in previously validated blocks. The first miner to successfully identify a valid hash number for the block is rewarded, and the block is then added to the blockchain.
New Ledgers and Contracts
Blockchains are closely associated with two technical innovations: distributed ledgers and smart contracts. A blockchain is a type of distributed ledger, which is a record of transactions maintained across different locations without the need for a central authority to maintain transaction integrity. Unlike a centralized ledger, a distributed ledger does not rely on a single, authoritative version. Instead, copies of the ledger are stored on multiple nodes, and each copy is complete and valid. The responsibility for maintaining the data integrity of the ledger is shared among the nodes through the consensus-based verification process.
While a blockchain consists of a sequence or chain of blocks of transaction records, a distributed ledger does not necessarily require a chain structure. Additionally, distributed ledgers do not necessarily require proof-of-work for transaction verification and may use a different verification methodology.
Whereas a distributed ledger is associated with recording transactions, a smart contract is a method of establishing contracts. A smart contract is used to digitally establish a business relationship, including identifying the terms of an agreement, executing the agreed-upon terms, and verifying fulfillment of the agreement. Because a smart contract is typically implemented with blockchains, the contract cannot be modified or tampered with after it has been accepted into the blockchain. Additionally, every node in the distributed network validates the transactions associated with the contract. Smart contracts have been used to track items within a supply chain and to improve loan processing and insurance claim processing.
Five Recommendations for Auditors
The Blockchain Audit
Internal auditors and the technology specialists they work with need to thoroughly understand how blockchains work and the risks involved with them. Auditors will be involved in auditing the technology associated with blockchains, as well as retrieving transactions from them. Moreover, because the software needed to maintain transactions in a blockchain is complex, auditors must provide assurance related to the system’s control environment. Their priority should be reviewing the robustness of computer nodes that are part of a blockchain network.
In addition, auditors should focus on testing controls directly related to blockchains. These controls include:
- Testing the availability of blockchain data from different nodes in the network.
- Ensuring the accuracy, completeness, and consistency of the data elements that are stored within the blocks.
- Verifying that data obtained from different nodes in the network is identical.
- For private blockchains, testing access controls to ensure that only authorized personnel can view or update the blockchain.
- Testing the process for adding new blocks to the blockchain.
- Verifying the immutability of the blockchain to provide assurance that attempts to modify previously approved blocks are unsuccessful.
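The mining process described earlier (a hash with a required property, found by trial and error, that commits to the block's contents and to the previous block's hash) is what makes the last two checks in the list mechanical. The following Go program is an added example, not code from the article or from any real blockchain implementation. It mines a toy chain against a two-leading-zero target, then runs the immutability check (every stored hash recomputes from its block and every block's link matches its predecessor) and the cross-node consistency check (two copies agree only if both validate and share the same tip hash). The block layout, the timestamps, and the transactions are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Difficulty is the number of leading hex zeros a valid block hash needs;
// two keeps the search fast while still requiring trial and error.
const Difficulty = 2

// Block is a toy transaction block: transaction data, a link to the previous
// block's hash, a creation timestamp, and the nonce found by mining.
type Block struct {
	Index     int
	Timestamp string // constructed, fixed values so the example is reproducible
	Data      string
	PrevHash  string
	Nonce     int
	Hash      string
}

// hashBlock covers every field except Hash itself, so changing the data,
// timestamp, link, or nonce changes the result.
func hashBlock(b Block) string {
	payload := fmt.Sprintf("%d|%s|%s|%s|%d", b.Index, b.Timestamp, b.Data, b.PrevHash, b.Nonce)
	sum := sha256.Sum256([]byte(payload))
	return hex.EncodeToString(sum[:])
}

// meetsTarget is the "special property" a mined hash must have.
func meetsTarget(hash string) bool {
	return strings.HasPrefix(hash, strings.Repeat("0", Difficulty))
}

// Mine runs the proof-of-work search: bump the nonce until the hash meets the
// target. The search is deterministic, so nodes mining the same contents agree.
func Mine(b Block) Block {
	for {
		b.Hash = hashBlock(b)
		if meetsTarget(b.Hash) {
			return b
		}
		b.Nonce++
	}
}

// NewChain starts a ledger with a mined genesis block.
func NewChain(timestamp string) []Block {
	return []Block{Mine(Block{Index: 0, Timestamp: timestamp, Data: "genesis"})}
}

// AppendBlock mines a new block linked to the current tip of the chain.
func AppendBlock(chain []Block, timestamp, data string) []Block {
	prev := chain[len(chain)-1]
	return append(chain, Mine(Block{Index: prev.Index + 1, Timestamp: timestamp, Data: data, PrevHash: prev.Hash}))
}

// ValidateChain is the immutability check: each stored hash must recompute from
// its block, meet the target, and equal the PrevHash its successor recorded.
// Returns the index of the first bad block, or -1 if the chain is intact.
func ValidateChain(chain []Block) int {
	for i, b := range chain {
		if hashBlock(b) != b.Hash || !meetsTarget(b.Hash) {
			return i
		}
		if i > 0 && b.PrevHash != chain[i-1].Hash {
			return i
		}
	}
	return -1
}

// SameLedger is the cross-node consistency check: both copies must validate,
// have the same length, and share a tip hash, which commits to every earlier
// block through the PrevHash links. Comparing tips without validating first
// would miss a copy whose data was edited in place.
func SameLedger(a, b []Block) bool {
	if len(a) == 0 || len(a) != len(b) || ValidateChain(a) != -1 || ValidateChain(b) != -1 {
		return false
	}
	return a[len(a)-1].Hash == b[len(b)-1].Hash
}

func main() {
	// Constructed sample ledger: the timestamps and transactions are made up.
	chain := NewChain("2018-01-01T00:00:00Z")
	chain = AppendBlock(chain, "2018-01-01T00:01:00Z", "A pays B 5")
	chain = AppendBlock(chain, "2018-01-01T00:02:00Z", "B pays C 2")
	tip := chain[len(chain)-1]
	fmt.Printf("tip block %d nonce=%d hash=%s\n", tip.Index, tip.Nonce, tip.Hash)
	fmt.Println("intact chain, first bad block:", ValidateChain(chain))
	// Edit one block's data after the fact, leaving the stored hashes as they
	// were: the recomputed hash no longer matches, so validation fails there.
	edited := make([]Block, len(chain))
	copy(edited, chain)
	edited[1].Data = "A pays B 500"
	fmt.Println("edited copy, first bad block:", ValidateChain(edited))
	fmt.Println("node copies agree:", SameLedger(chain, edited))
}
```

The order of the two checks is the practical point: a copy pulled from a single node can look internally consistent only if its hashes were all recomputed, which the proof-of-work target makes expensive, and a copy that matches another node's tip hash is only meaningful after each copy has passed the immutability check on its own.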
One of internal audit’s roles is verifying and reconciling transactions (see “The Blockchain Audit” above). Because transaction processing is at the core of blockchains, auditors can do five things to better understand the technology:
1. Understand that blockchains are a form of transaction-based data storage. The blockchain is a continuously growing chain of linked blocks that are validated and secured through public key cryptography. In addition to transaction data, each block contains a link to the previous block in the chain, as well as a time stamp of when the block was created. Just as internal auditors have adapted their skills to retrieve data from enterprise resource planning and cloud computing systems, they will need to learn data retrieval methods to assess the data and controls of blockchains. For example, if an organization is using a blockchain to manage its supply chain, the internal auditor should be able to retrieve individual transactions from the blockchain to verify the accuracy and completeness of the blockchain.
2. Explore the implications for audit. Blockchains can have implications for developing appropriate audit procedures. With blockchains, a complete copy of the data is accessible at every node, enabling auditors to test the entire population of transactions instead of relying on sampling. During completeness testing, auditors should be able to trace transactions from the blockchain to the financial statements. For occurrence testing, the auditor may perform vouching procedures to verify that values on the financial statement are directly associated with transactions in the blockchain. In addition, a combination of tools related to data analytics and artificial intelligence could assist with fraud detection through pattern recognition across the entire transaction population. This capability could shift the focus of auditor responsibility toward the planning and investigation of anomalies.
3. Explore the implications for financial services. The financial services sector is actively identifying areas beyond bitcoin with blockchain implications. For example, financial institutions are exploring the use of blockchains and distributed ledgers for payment, clearing, and settlement activities. Blockchains could also be used as a platform for stock trading, which could minimize the need for stock brokers and a centralized stock exchange. Additionally, blockchains can manage the process of issuing shares of a company or taking a company public. In late 2015, Nasdaq announced that its Linq blockchain ledger technology was used to issue shares of a company to a private investor. Finally, blockchain technology is being used as a platform for managing shareholder proxy services such as proxy voting.
4. Explore the implications for supply chains. Supply chain management is a promising area for blockchain usage because blockchains can provide insights into the visibility and traceability of an item. This is particularly useful in cases where an item passes through numerous parties before it reaches the final customer. For example, in December 2017, IBM and Walmart announced they were participating in a blockchain alliance in China to enhance food tracking, traceability, and safety. Another example is the automotive supply chain, where blockchains can be used to track the transactions associated with a specific vehicle, such as production, ownership, financing, registration, insurance, and maintenance. As most organizations are part of some type of supply chain, auditors should be aware of possible internal projects related to blockchains for tracking information or physical assets. Auditors should seek opportunities to participate in prototype efforts to develop their technology skills. Such skills will benefit them when it is time to audit blockchain projects.
5. Embrace the reality that new technology will continuously change the skills of auditors. Internal auditors may need additional training to understand the technology and its implications, and internal audit departments may need to add expertise with these skills. This is especially important for internal auditors in organizations that are already implementing blockchain projects, as auditors may be tasked with evaluating the data controls associated with blockchains. With the conceptual understanding that blockchains represent a new type of data structure for storing and accessing information, traditional application and data controls related to input, processing, and output will still apply, albeit with certain adaptations. For example, a standard application control is that output reports should be protected from unauthorized disclosure. With all transactions potentially accessible on the blockchain, internal auditors may need to recommend additional controls related specifically to authorization, privacy, and confidentiality.
Controlling the Chain
Blockchain’s potential to revolutionize transaction processing rests with its ability to create a secure, trusted, distributed ledger of transactions that can be accessed without the overhead of a middleman or a centralized authority. Internal auditors will be responsible for recommending controls associated with organizational processes that use blockchains, including the acquisition, protection, delivery, and enhancement of the information assets stored within them. Moreover, traditional IT controls related to security, availability, processing integrity, privacy, and confidentiality will continue to apply. Internal auditors must understand the technical details of blockchains to recommend adaptations of traditional IT controls as their organizations adopt new blockchain-based innovations.