Now that blockchain has moved beyond being a buzzword, a lot of research is being performed on the impact this shift in cultural paradigm will have on the traditional audit process. Facilitating audit and improving accountability is one of the major benefits of blockchain technology.
The major current use of blockchain appears to be in the field of cryptocurrency. Three types of entities determine the state of a blockchain: a bank or consortium of banks in a financial ledger, or the insurance agencies in an insurance registry, etc., and external users who do not participate in the consensus but would like to verify whether the data is correct. The third party consists of the auditors and regulators. The benefits of external auditability align blockchain with Web 2.0, which shifts applications from being service-centric to user-centric.
When using blockchain, accountability is verified as a part of the timestamps established by the system. This allows every user to confirm whether the service operates in the intended way. If the service fails the verification process, the user has proof of malicious behavior which can be used to hold the service accountable. The ability of each user to choose a trust model that operates within their comfort zone, such as a full node, a lightweight node, a non-custodial multisignature wallet or a trusted third party, gives Bitcoin a substantial advantage. This causes the users of the blockchain to trust it rather than trusting the processors of the blockchain. This increased trust leads to increased third-party development and integration of the technology.
Another useful feature of blockchain is the ability to verify the authenticity of each recorded statement. Non-repudiation is achieved with a combination of digital signatures and public key infrastructure. The public key infrastructure is important to prevent anyone, including the blockchain maintainers, from backdating transactions and to ensure that verification of authenticity is not widely dependent on the security of the public key system used.
Audits can come in many forms. They could be financial audits or compliance and regulatory audits, and blockchain technology can be applied to all of them. An audit generally involves examination of the financial statements or, in the case of a compliance or regulatory audit, of a set of requirements or standards. The audit team generally selects accounts or activities and confirms their accuracy against supporting evidence. With blockchain, the evidence lies in the transaction, i.e. the hash. Blockchain allows users to make judgements based on all transactions that have occurred in the past and not just on some random samples. This increases the assurance the auditors can give to the public regarding the audit result.
Data Analytics in the picture
Blockchain technology will solve many problems with the current audit structure. Companies will not be able to change their records or reverse engineer their financial documents for audit purposes. Data analytics will come into the picture since visualizing the data without the use of data analytics will be difficult owing to the large amount of data that will be provided by blockchain. The data will also allow consulting firms to assist in planning and making critical decisions required for the development of the company.
In the near future, auditors will need to cultivate new skills to confirm audit integrity. Auditors will have to develop into analysts who read the data provided by the blockchain and verify the sanctity of the chain. Auditors who handle compliance issues will, in future, have to assist with handling identities so as to confirm how assets are linked to individuals, organizations or companies. Additionally, traceability of raw materials as they move through a company’s supply chain across the world will allow auditors to trace what happens to a raw material, or even the end product produced by a company, over time while at the same time providing proof of transactions.
Bitcoin from an Audit perspective
Whenever we send a bitcoin, the associated hash not only refers to the transaction but also provides the audit trail that we need in order to perform an audit. Some of the questions it answers are:
- Did the transaction really occur?
- Does the balance exist?
- Do we own the bitcoin?
- How is the balance viewed? Let us assume that it is viewed in BTC.
- Are the balance and the transaction recorded in the correct period (cut-off)?
- How will the transaction be presented and disclosed?
Since no rights or obligations arise due to the transaction, the situation is simpler. A payment either happens or it doesn’t. In most cases, a public key, a digital signature and a Pay-to-PubKey-Hash (P2PKH) are all that is required to verify a new bitcoin transaction at a basic level.
The balances between accounts will be observable in real time. The hash, which is specific to a single transaction, will be used by auditors to verify the transaction. This unique alphanumeric signature will also connect the payment made by one company with the corresponding entry in the supplier’s records. The same hash will prove that the transaction did occur between the individual parties at the timestamped point. With such proof, fudging the numbers will become impossible.
What opportunities does Blockchain bring to the auditing process?
Blockchain can serve as a distributed ledger which two parties can use to record transactions in a verifiable and permanent way. For example, instead of asking clients for bank statements or sending confirmation requests to third parties, auditors can log onto a website and confirm the transactions on publicly available blockchains. The automation of this process can increase cost efficiency within the audit process.
This can also bring about a major change in sample-based testing. Instead of sampling, the auditors can access the whole database to test the whole population of transactions within the period under observation. This extensive coverage will ensure a tremendous improvement in the level of trust obtained from the audit process.
In blockchain, a low-value transaction takes a lot less time to be validated, as a single block verification is deemed enough. The more blocks elapse after a transaction is included, the more immutable it becomes. Typically a high-value transaction can be verified within 1 hour (i.e. 6 blocks). Traditional financial transactions take a month or more to be verified. This quick turnaround time in blockchain verification allows transactions to be confirmed intermittently through a period instead of in final end-of-year assessments or audits. This benefit could easily be applied to ‘smart’ audits of the financial and risk positions of banks and other financial services clients.
The technology company Redcloud is currently making use of the blockchain concept to build a payment gateway in Africa which will enable banks from different countries to transact with each other. A lot of African companies are providing payment and financial solutions that are isolated from any kind of network. These banks can’t access Swift since it is too expensive, and many microfinance banks cannot currently perform international remittance. The company believes that this payment gateway can be used to enable African remittances between countries such as Egypt and Africa. The project is currently at a proof of concept stage and also needs the necessary regulatory and legal framework before becoming a reality. However, the basis has been
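The full-population test and confirmation depths described above can be sketched as follows. This is an added example, not code from the original article; the chain snapshot, the booked payments and the 1 BTC high-value threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc
HIGH_VALUE_SAT = 100_000_000   # assumed high-value threshold (1 BTC), not from the article
CONFS_LOW, CONFS_HIGH = 1, 6   # confirmation depths the article cites

@dataclass
class ChainTx:
    amount_sat: int
    height: int
    block_time: datetime

# Constructed sample data: a chain snapshot and the client's booked payments.
CHAIN = {
    "aa11": ChainTx(50_000, 800_000, datetime(2023, 3, 1, tzinfo=UTC)),
    "bb22": ChainTx(250_000_000, 800_098, datetime(2023, 12, 30, tzinfo=UTC)),
    "cc33": ChainTx(70_000, 800_100, datetime(2024, 1, 1, 0, 5, tzinfo=UTC)),
}
BOOKS = [("aa11", 50_000), ("bb22", 250_000_000), ("cc33", 70_000), ("dd44", 10_000)]
TIP_HEIGHT = 800_100
PERIOD = (datetime(2023, 1, 1, tzinfo=UTC), datetime(2023, 12, 31, 23, 59, 59, tzinfo=UTC))

def audit_population(books, chain, tip_height, period):
    """Check every booked payment against the chain; return {txid: [exceptions]}."""
    exceptions = {}
    for txid, booked_sat in books:
        tx, issues = chain.get(txid), []
        if tx is None:
            issues.append("occurrence: txid not on chain")
        else:
            if tx.amount_sat != booked_sat:
                issues.append("accuracy: booked amount differs from chain")
            confs = tip_height - tx.height + 1   # the including block counts as 1
            need = CONFS_HIGH if tx.amount_sat >= HIGH_VALUE_SAT else CONFS_LOW
            if confs < need:
                issues.append(f"finality: {confs} of {need} confirmations")
            if not period[0] <= tx.block_time <= period[1]:
                issues.append("cut-off: block time outside audit period")
        if issues:
            exceptions[txid] = issues
    return exceptions

if __name__ == "__main__":
    for txid, issues in audit_population(BOOKS, CHAIN, TIP_HEIGHT, PERIOD).items():
        print(txid, issues)
```

Every booked entry is tested rather than a sample, and each exception is tagged with the audit assertion it fails.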
Risks associated with Blockchains:
Although blockchain promises high-security transactions, failures and lapses are possible anywhere. In July 2017, there was a case wherein an unknown hacker managed to remove US$32 million worth of Ethereum currencies. The problem did not lie in the underlying technology but in the software that was used to manage Ethereum wallets. The issue was managed and the vulnerability mitigated to safeguard the wallets.
The breach highlights the importance of the security of the underlying environment. In order to provide the necessary level of assurance, the audit process needs to shift towards assessment of the operating effectiveness of internal IT controls. Some examples of cases wherein these internal controls are required are as follows:
For example, when an entity’s employee accidentally transfers bitcoin to the wrong party, there is currently no way to reverse that transaction. In such a case, auditors are required to confirm whether there are automated ways to validate transactions before they are executed.
If an organization experiences a phishing attack, there is no central authority within the blockchain technology to which such incidents can be reported. This could leave a gap that leads to fraudulent behavior. When faced with such a risk, auditors will need to confirm whether authorities exist to prevent and detect such phishing attacks and ensure that the system is operating efficiently.
Another example is a situation wherein a user loses a private key and with it access to all their cryptocurrency. These coins then become out of reach for all users and go out of circulation. A disaster recovery procedure and restoration facility can ensure that such situations are prevented. The loss mitigation processes would also have to be verified by auditors to ensure that they work and can be relied upon.