Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

A Blockchain Primer for Internal Audit


Blockchain is clearly on the minds of internal auditors. At this year's General Audit Management Conference in Las Vegas, no other topic drew as many questions, most of which were fairly basic. There is a lot of hype around blockchain right now … What is it? What can it do? How can it be used? Is it really as unhackable as promised? While I believe the hype is well founded (otherwise you wouldn't see big companies investing millions in research), we're probably at least a few years from widespread use. That said, now is the time to get involved, get educated, and prepare for the near-term transition into this new technology.

What is it? To start with, blockchain is the underlying technology, meaning that Bitcoin (and others) represent one type of use of blockchain technology. Basically, blockchain is a peer-to-peer transaction record that provides transparency, pseudo-anonymity, and irreversibility. A computation provides proof that a transaction occurred and then a computer locks it in. The transactions are saved in blocks, and when a block becomes full, a new block is appended or "chained" to all of the pre-existing blocks (creating a chain).

Traditionally, transaction history is stored in a database held by an intermediary or third-party authority (think of your bank storing your checking account activity). We must fully rely on the intermediary to store and protect some of our most precious data. In blockchain, the ledger is shared by everyone involved, not held by an intermediary. Therefore, manipulating a transaction once it is locked into a block is not possible, as changes will be verified against the (potentially) millions of copies of the ledger distributed (potentially) globally. The distributed ledger is unreadable unless you share your encryption key.
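The chaining and copy-comparison described above, as an added illustration that is not part of the original post. It assumes SHA-256 hash links between blocks, as Bitcoin-style chains use; the function names, peer names and transactions are constructed for the example, and it goes one step beyond the text by contrasting an in-place edit with a forgery whose links were recomputed.

```python
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64  # placeholder "previous hash" for the first block
# Constructed sample data: three batches of transactions, one per block.
BATCHES = [["alice->bob:10"], ["bob->carol:4"], ["carol->dave:1"]]

def block_hash(block):
    """SHA-256 over the block's canonical JSON (index, prev_hash, transactions)."""
    return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()

def build_chain(batches):
    """Chain each batch of transactions to the hash of the block before it."""
    chain, prev = [], GENESIS
    for i, txs in enumerate(batches):
        block = {"index": i, "prev_hash": prev, "transactions": list(txs)}
        chain.append(block)
        prev = block_hash(block)
    return chain

def first_broken_link(chain):
    """Index of the first block whose prev_hash no longer matches, else None."""
    prev = GENESIS
    for block in chain:
        if block["prev_hash"] != prev:
            return block["index"]
        prev = block_hash(block)
    return None

def outvoted_copies(copies):
    """Names of ledger copies whose latest block hash disagrees with the majority."""
    tips = {name: block_hash(chain[-1]) for name, chain in copies.items()}
    majority, _ = Counter(tips.values()).most_common(1)[0]
    return sorted(name for name, t in tips.items() if t != majority)

def demo():
    honest = build_chain(BATCHES)
    naive = build_chain(BATCHES)
    naive[0]["transactions"][0] = "alice->bob:1000"  # edited in place, links stale
    forged = build_chain([["alice->bob:1000"]] + BATCHES[1:])  # edited and re-linked
    copies = {"peer_a": honest, "peer_b": build_chain(BATCHES), "peer_c": forged}
    # The naive edit breaks the link into block 1; the re-linked forgery is
    # internally consistent but its latest hash disagrees with the other copies.
    return first_broken_link(naive), first_broken_link(forged), outvoted_copies(copies)

if __name__ == "__main__":
    print(demo())
```

For an auditor, the two checks map to two separate controls: internal consistency of one copy of the ledger, and agreement of that copy with the copies held by other participants.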

Given that there is a unique encryption key for each copy of the ledger, hacking is theoretically impossible. However, similar to the need to guard passwords, encryption keys must be secured, as they can open the door to each individual's transactions on the chain. For example, while the Bitcoin blockchain has not been hacked, individuals have lost control of their encryption keys, exposing their transactions, or hackers have raided digital Bitcoin wallets through weaknesses in two-factor authentication via phone companies or email providers. In any case, it demonstrates that while the chain may be unhackable, there are a number of other security issues that will need to be considered. As in many cases, the weakness underlying many cybersecurity incidents is the human factor.

This foundational digital ledger raises the next question: what applications can be built on this technology? Consider basic transaction types such as sales, trades, payments, and inventory. For example, Maersk and IBM are starting a new company to facilitate the global supply chain, presumably by creating end-to-end inventory tracking that cannot be manipulated. By leveraging blockchain to manage personal identification, the United Nations is experimenting with helping displaced people regain their identities. Utility companies are considering blockchain for a secure approach to trading renewable energy credits. Finally, banks are going all in: Financial service companies are looking at blockchain for a variety of uses, including securities settlements, foreign remittance, and commercial lending.

Why should internal audit care? This explosion of new applications of blockchain technology will involve internal audit, as does anything that requires record keeping. The news media carries a new blockchain story almost daily, boards and investors want to know what their organizations are doing in this area, and business models involving transaction intermediaries risk being wiped out. Many of the issues surrounding this transformation are known, but many more are yet to be identified.

Internal audit must be prepared to perform a detailed analysis of the technical architecture of the blockchain, a familiar task for internal audit functions that have been involved in systems development. Beyond that, internal audit must develop strategies for maintaining a sufficient level of transparency and verifying that the blockchain and related applications are performing as intended.

To start, consider that anything that involves record keeping could be impacted by this new technology. In this early stage, internal auditors need to be armed with enough knowledge to start asking the right questions as well as to begin to give the board comfort that internal audit is involved and assessing the risks.

That's my point of view. I'd be happy to hear yours.
