Blockchain, the distributed-ledger technology created for cryptocurrency, has already established a foothold as a next-gen settlement/payments technology and is being considered for a wide range of applications, from supply chains to the Internet of Things (IoT).
Protiviti has spent a considerable amount of time examining this disruptive technology from several angles. Of particular concern to me are the risks posed by its deployment and what internal auditors need to know to provide effective assurance.
Blockchain’s general risks are not unlike those associated with the deployment of any new technology: scalability, data privacy, jurisdictional issues and ensuring performance through service-level agreements (SLAs). Jurisdictional issues are a particular concern with blockchain because of the decentralized autonomous organizations (DAOs) involved with it. In the event of a data breach or a legal dispute, where does jurisdictional responsibility reside, and how do organizations handle potentially conflicting laws and regulations across jurisdictional boundaries?
Several unique technical risks exist as well, including the following:
Account security – While blockchain technology provides strong guarantees for transactions in terms of consensus, immutability, provenance and finality, it does not provide account/wallet security. Credential and key management is crucial to protecting the digital assets stored on the blockchain.
Smart contracts – Smart contracts bridge the gap between the physical world and the digital world by encoding complex business, financial and legal arrangements onto the blockchain. These contracts, just like traditional business rules, are subject to errors in coding and in interpreting intended outcomes.
Business processes – Existing policies and procedures will need to be updated to accommodate blockchain protocols and integrate blockchain transactions into legacy systems.
Access and permissions – As with any automated system, most failures will occur at the hand-offs. No matter how secure the blockchain technology is, organizations will have to carefully consider who will have access to the data and encryption keys.
Lack of real-world enterprise testing – Blockchain was created as a platform for individuals, and its rapid evolution as an enterprise technology makes it inherently risky to stay ahead of the change curve. On the other hand, waiting for the technology to mature poses a strategic risk of disrupting established business models or disintermediating intermediary players within longstanding transaction cycles.
Speaking of strategic risks, organizations would be well advised to be careful when selecting a blockchain network. Not only could the choice of the underlying platform impose limits on the products or services that can be offered, but also, given the peer-to-peer nature of the technology, it is important to pick your partners carefully. Financial institutions have an added incentive to be careful, as some blockchain technology might make it difficult for them to comply with anti-money laundering regulations.
Blockchain certainly has the potential to enable numerous new digital solutions to many of the challenges large organizations face. Auditors must, however, take steps today to ensure that the blockchains of tomorrow are subject to the same high standards as all other business systems and processes.
How Should Internal Auditors Prepare for Blockchain?
Auditors should get involved early in the blockchain process. It is much easier to build adequate governance, risk management and controls in from the start than to retrofit them after a problem arises. Many blockchain initiatives will occur outside the traditional walls of the IT organization, so auditors must look beyond the traditional IT organization in assessing where blockchain is being utilized in their company.
To serve in this advisory role, auditors need to update their knowledge and skills so that they understand the basics of the technology and, specifically, the evolving governance challenges.
Once blockchain has been deployed, auditors must be prepared to assess whether effective automated controls are in place to validate transactions before they are executed, and whether the organization has effective disaster-recovery and loss-mitigation procedures in place in the event of, say, the loss of an encryption key.
And auditors may even eventually be required to verify blockchain protocols with triple-entry accounting, verifying blockchain ledger entries against existing double-entry accounting ledgers. The good news is the traditional financial-statement assertions of completeness, existence, rights and obligations, presentation and disclosure, and accuracy and valuation will still apply. But how we, as auditors, approach providing assurance for these assertions will evolve.
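The reconciliation described above can be expressed as a small, repeatable audit procedure. The following Python script is an added illustration, not code from Protiviti or from any blockchain platform: it compares a constructed on-chain ledger against a constructed double-entry journal and sorts every exception under the financial-statement assertion it bears on. The `ref` field (the tx id a posting was booked against), the wallet-to-general-ledger mapping and all sample entries are assumptions made for the example.

```python
"""Reconcile a blockchain ledger against a double-entry journal (constructed example)."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class ChainEntry:
    """A settled on-chain transfer, as an auditor would read it off the ledger."""
    tx_id: str
    sender: str
    receiver: str
    amount: Decimal


@dataclass(frozen=True)
class JournalEntry:
    """A double-entry posting in the legacy books that cites the on-chain tx id."""
    ref: str            # hypothetical field: the tx id this posting was booked against
    debit_account: str
    credit_account: str
    amount: Decimal


# Hypothetical mapping of wallet addresses to general-ledger accounts.
WALLET_TO_GL = {
    "wallet-A": "1010 Treasury wallet",
    "wallet-B": "2010 Supplier B",
    "wallet-C": "2020 Supplier C",
}

# Constructed sample data, not a real chain or a real set of books.
CHAIN = [
    ChainEntry("tx-001", "wallet-A", "wallet-B", Decimal("100.00")),
    ChainEntry("tx-002", "wallet-A", "wallet-C", Decimal("250.00")),
    ChainEntry("tx-003", "wallet-B", "wallet-A", Decimal("40.00")),   # settled but never booked
]
JOURNAL = [
    JournalEntry("tx-001", "2010 Supplier B", "1010 Treasury wallet", Decimal("100.00")),
    JournalEntry("tx-002", "2020 Supplier C", "1010 Treasury wallet", Decimal("205.00")),  # transposed digits
    JournalEntry("tx-004", "2010 Supplier B", "1010 Treasury wallet", Decimal("75.00")),   # booked, no chain evidence
]


def reconcile(chain, journal, wallet_to_gl=WALLET_TO_GL):
    """Return sorted exception lists keyed by the assertion each exception bears on.

    completeness   - a settled on-chain transfer has no posting in the books
    existence      - a posting cites a tx id that never settled on-chain
    accuracy       - the booked amount differs from the on-chain amount
    classification - the posting hits the wrong accounts for the sender/receiver
    duplicate      - the same on-chain transfer was booked more than once
    """
    findings = {"completeness": [], "existence": [], "accuracy": [],
                "classification": [], "duplicate": []}

    chain_by_id = {e.tx_id: e for e in chain}
    journal_by_ref = {}
    for j in journal:
        if j.ref in journal_by_ref:
            findings["duplicate"].append(j.ref)
            continue
        journal_by_ref[j.ref] = j

    # Walk the chain: every settled transfer must be booked, for the right amount,
    # crediting the sender's account and debiting the receiver's.
    for tx_id, e in chain_by_id.items():
        j = journal_by_ref.get(tx_id)
        if j is None:
            findings["completeness"].append(tx_id)
            continue
        if j.amount != e.amount:
            findings["accuracy"].append(tx_id)
        expected = (wallet_to_gl.get(e.sender), wallet_to_gl.get(e.receiver))
        if (j.credit_account, j.debit_account) != expected:
            findings["classification"].append(tx_id)

    # Walk the books: every posting must point at a transfer that actually settled.
    for ref in journal_by_ref:
        if ref not in chain_by_id:
            findings["existence"].append(ref)

    return {assertion: sorted(refs) for assertion, refs in findings.items()}


if __name__ == "__main__":
    for assertion, refs in reconcile(CHAIN, JOURNAL).items():
        print(f"{assertion:14s} {refs if refs else 'no exceptions'}")
```

The script reads both sources in full rather than sampling, which is the point of triple-entry assurance: the chain is the third, shared record against which each side's books can be tested exhaustively. In practice the chain entries would be pulled from a node or block explorer and the journal from the ERP, but the assertion-by-assertion classification of exceptions stays the same.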
As colleagues have written in previous posts, this is, indeed, an exciting time to be an internal auditor. I count innovations such as blockchain among the reasons for that. While some of the work being routinely performed today will be replaced by technology solutions, the place of those tasks will most certainly be taken by new and more strategic responsibilities. These new responsibilities will require auditors to adapt and expand their competencies – to the betterment of our organizations and the elevation of the internal auditing profession.