Blockchain technology - what is your organisation doing to exploit this innovation?
7 April 2020
Blockchain technology appeared in the late 2000s. Possibly the most well-known example of blockchain systems is the original cryptocurrency, Bitcoin.
Blockchains are protocols that allow entities to store and share transactional information in a controlled and systematic way, with undisputable integrity.
The technology is widely considered secure by design: each block contains a timestamped hash (a cryptographic record) of the previous transaction, so the chain as a whole provides a robust record of transactions.
Blockchain is purported to offer greater transparency, enhanced security, and increased efficiency but what is the cost? Is it an enabler or a disrupter in your industry?
How do we audit it?
Let’s not forget, first and foremost this is an IT solution and as such it is subject to the same risks and controls. It can be implemented to suit many applications, which means each implementation will probably have a different set of risks and controls.
Don’t forget the who, what, why, where, when and how of internal controls.
Questions internal audit should ask:
- What does the organisation need (infrastructure, business, data, technology, security)?
- Who owns/develops/tests/manages/supports the technology?
- Do developers have the right level of expertise? How is the separation between development and production controlled?
- Is security considered as part of the design? Which standards are applied? Are they sufficient? Do they comply with regulation and the organisation’s policies?
- Is the application security tested at key points in the development cycle?
- How is privacy protected?
- How do we gain comfort that the data is secure? What are the policies, standards and good practice?
- What are the data flows? Why and how is it processed/handled? Does data go outside the organisation?
- Where do the servers sit? If cloud-based – who is responsible for which aspects of server security? Has this been defined? How is it managed? How is privacy legislation catered for?
- Is the blockchain public (permission-less)? Is this appropriate for the use?
- Has any control been relinquished to a third party?
- Who can write records to the chain?
- Can/does it interface to other systems? Why is this necessary? What are the security principles? How are vulnerabilities reduced?
- How is the integrity of data ensured when interfacing with other systems?
- What regulation/legislation applies and how is compliance demonstrated?
In addition, you need to consider:
- Is there succession planning, particularly where resources are scarce?
- Do management and the board have the knowledge/skills to lead organisations in implementing emerging technologies? If not, is training provided?
- How should the introduction of new technology be reflected in existing risk management processes?
When planning the audit, you must decide where the most value is added: are you auditing the technology, or the transactions? Is the technology appropriate? Hypothetically, a change could extend to a huge and costly volume of data; is this coverage needed?
Call to action
Specific blockchain actions you will need to consider:
- Does your organisation have access to the right technological/blockchain expertise?
- Is there appropriate user knowledge to run/manage the chain?
- As a blockchain is a chain of transactions, how do you manage historical data? How does this fit with the organisation’s retention and deletion policy? The whole idea of using blockchain technology is that the integrity of the transactions is undisputable.
- Do we need to validate the undisputable integrity?
- Is assurance provided in a different way now? Is it undisputable? In practice, escrow agreements are replacing more traditional reconciliations and controls.
- If blockchain is a new activity for your business, what is the governance around introducing it? You should also ask questions around the ongoing governance as the activity develops.
- Blockchain requires energy-intensive processing and large volumes of storage. Consideration should be given to any ecological policies or an organisation’s green agenda.
- As blockchain records are protected by cryptography, how will you access/view these to test controls?
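To make concrete the integrity property described at the start of the article, and the question above of how an auditor would validate it, here is an added example (not from the original article, and not any real chain's format) that builds a small hash chain in Python and checks it; the block layout, field names and sample records are constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, replace

# Constructed, simplified block layout for illustration (not any real chain's format).
@dataclass(frozen=True)
class Block:
    index: int
    timestamp: int      # seconds since epoch, fixed here so the example is deterministic
    data: str           # the transaction record the block commits to
    prev_hash: str      # hash of the preceding block; "0" * 64 for the genesis block
    hash: str = ""      # SHA-256 over the four fields above

def block_hash(index, timestamp, data, prev_hash):
    # Canonical JSON encoding so every verifier hashes exactly the same bytes.
    payload = json.dumps([index, timestamp, data, prev_hash], separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()

def make_block(index, timestamp, data, prev_hash):
    return Block(index, timestamp, data, prev_hash,
                 block_hash(index, timestamp, data, prev_hash))

def build_chain(records, start_time=1_586_217_600):
    # start_time is an arbitrary constructed epoch value; each block is one second later.
    chain = [make_block(0, start_time, "genesis", "0" * 64)]
    for i, record in enumerate(records, start=1):
        chain.append(make_block(i, start_time + i, record, chain[-1].hash))
    return chain

def verify_chain(chain):
    """Return (True, None) if intact, else (False, index of the first bad block)."""
    for i, b in enumerate(chain):
        if b.hash != block_hash(b.index, b.timestamp, b.data, b.prev_hash):
            return False, i                       # block contents no longer match its hash
        if i > 0 and b.prev_hash != chain[i - 1].hash:
            return False, i                       # link to the previous block is broken
        if i > 0 and b.timestamp < chain[i - 1].timestamp:
            return False, i                       # records must not run backwards in time
    return True, None

def tamper(chain, index, new_data, rehash=False):
    """Alter one record; optionally recompute that block's own hash (the link still breaks)."""
    b = chain[index]
    h = block_hash(b.index, b.timestamp, new_data, b.prev_hash) if rehash else b.hash
    return chain[:index] + [replace(b, data=new_data, hash=h)] + chain[index + 1:]

if __name__ == "__main__":
    chain = build_chain(["A pays B 10", "B pays C 4"])
    print(verify_chain(chain))                                        # (True, None)
    print(verify_chain(tamper(chain, 1, "A pays B 99")))              # (False, 1)
    print(verify_chain(tamper(chain, 1, "A pays B 99", rehash=True))) # (False, 2)
```

The last two calls show why the hash of the previous block matters: editing a record invalidates that block's own hash, and recomputing it merely moves the failure to the next block, whose stored link no longer matches. Accessing these hashes and the canonical encoding rule is exactly what an auditor needs in order to run such a check independently of the system that produced the chain.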
Now having considered the above are you better equipped to advise your audit committee?
Content reviewed: 12 March 2021