Blockchain for Internal Audit: Characteristics & Benefits


Blockchain and Internal Audit


Rahul Gupta

Characteristics of a Blockchain



A blockchain is a distributed digital ledger with several characteristics that could bring change to a wide range of industries:

Near real-time settlement

A blockchain offers near real-time transaction settlement, lowering the risk of non-payment by one party to the transaction.

Distributed ledger

The public history of transactions is kept on the peer-to-peer distributed network. A blockchain is widely distributed, highly accessible, and keeps a secure record of transaction evidence.


A blockchain maintains a verified record of every transaction that has ever occurred on that blockchain. This prevents the item tracked by the blockchain from being spent twice.

Censorship resistant

A blockchain model’s economic principles give monetary incentives for independent parties to continue validating fresh blocks. This means that a blockchain can continue to develop in the absence of an “owner.” Censorship is also expensive.


What Are the Benefits?


The distributed nature of blockchain technology is an important advantage. In today’s capital markets, transferring value between two parties often requires centralized transaction processors such as banks or credit card networks. By serving as a middleman, these processors reduce counterparty risk for each party while concentrating credit risk in themselves.

Each of these centralized processors has its own independent ledger, and the parties involved rely on them to complete transactions correctly and securely. Transaction processors are paid to provide this service. A blockchain, on the other hand, allows members to interact with one another directly through a single distributed ledger, eliminating the need for centralized transaction processors.


Permissionless Blockchain


A permissionless blockchain is accessible to any prospective user. For example, the Bitcoin blockchain is a permissionless or public blockchain; anybody may participate as a node by agreeing to relay and validate transactions on the network, thereby contributing their own computer’s processing power to the network. To join the blockchain, one simply downloads the software and the Bitcoin ledger from the Internet. Because the blockchain records every transaction ever made, it reflects the whole transaction history as well as all participants’ account balances.

This is an example of a transfer of bitcoin (BTC) from one individual to another. The underlying process comes into play when bitcoin is sent by the sending party and received by the receiving party; the Bitcoin blockchain is then updated through the process of “mining.”



“An example of a bitcoin transaction on a public/permissionless blockchain: a peer-to-peer payment over the Bitcoin network.”1 Note: Permissioned blockchains have their own consensus protocols, which may resemble Figure 1 or differ from it, since they depend on the agreement of the participants.


Evolution of Blockchain: Smart Contracts


Smart contracts represented a big leap in blockchain technology. Smart contracts are pieces of computer code stored on a blockchain that execute when particular conditions are met. They enable counterparties to automate operations that were previously performed manually through a third-party intermediary. Smart-contract technology has the potential to improve firm operations by speeding them up, reducing operational errors, and increasing cost efficiency.

A smart contract, for example, might be used by two parties to enter into a derivative contract hedging the price of oil at the end of the year. Once the contract’s parameters are agreed upon, it is added to the blockchain, and the wagered funds are held in escrow and recorded on the blockchain. At the end of the year, the smart contract would read the oil price from a trustworthy source specified in the smart contract (known as an “oracle”), compute the settlement amount, and then send payment to the winning party on the blockchain.


Where Can Blockchain Be Applied?




Financial services

Several stock exchanges worldwide are testing a blockchain technology for the issuing and transfer of private securities. Furthermore, some bank groups are investigating use cases for trade financing, cross-border payments, and other financial activities.

Consumer and industrial products

Companies in the consumer and industrial sectors are investigating the use of blockchain to digitize and trace the origins and history of various commodity transactions.

Life sciences and healthcare

Blockchain is being investigated by healthcare institutions to ensure the integrity of electronic medical records, medical billing, claims, and other documents. Governments are investigating the use of blockchain to support asset registries such as land and business shares.

Energy and resources

Ethereum is being utilized to develop smart-grid technology, which will allow surplus energy to be traded as digital assets among customers.


Advantages of auditing a blockchain-based system


Robust analytics:

Complex analytics can be done reliably, and dashboards can be updated regularly, because information is maintained in a standardized and consistent manner across the permissioned blockchain.

Real-time auditing:

Rather than traditional sampling, blockchain-based systems can enable 100% population testing. Because all transactions, even those involving specific counterparties, are recorded on a shared ledger, blockchain transactions may be reviewed in real time as they occur. Internal audit departments, for example, can operate a read-only node on the blockchain to monitor and flag transactions in real time, and they may be able to employ analytics to automate audits of routine transactions.

Shortened audit cycle:

Internal auditors frequently spend a significant amount of time gathering, organizing, and cleansing data in order to create useful insights and identify audit areas of interest. Transaction data is kept on a blockchain in an organized and consistent manner, and it is accessible in real time. Access to this thorough, timely information may lead to a better-informed and more targeted risk assessment, reducing the time needed to plan the audit. Furthermore, rather than depending on process owners to supply supporting documentation for testing, internal auditors may track transactions throughout the blockchain on their own, thereby shortening the audit cycle even further.

Automated contractual enforcement:

Contract risk compliance (CRC) frequently demands a great deal of attention from internal auditors, as tracking adherence to specific contractual obligations is a laborious and error-prone process. Smart contracts, which are designed to execute on predefined business conditions, can help speed up this process. CRC may be almost entirely automated using a blockchain-based system that supports smart contracts, allowing auditors to shift their attention from sample-based CRC testing to automated functionality testing, which is higher-value work.

Trustworthy reconciliations with counter-parties:

Some reconciliation procedures may not need to be evaluated in a blockchain context since the data is consistent and trustworthy across entities, allowing internal auditors to focus on other audit subjects.

Rapid data recovery:

Data may be retrieved more quickly following a disruptive event due to the redundancy of ledgers held by each participant within the blockchain. Because of this one-of-a-kind characteristic, data retention and retrieval controls are classified as low risk.


Implications of Blockchain on the Five Components of Internal Control


Control Environment

Blockchain technology might be used to help support an efficient control environment (e.g., by recording transactions with minimal human intervention). However, many of the principles under this component deal largely with human conduct, such as management’s support for integrity and ethics, which blockchain cannot assess even in combination with other technologies. The bigger difficulty is how to manage the control environment given an entity’s entanglement with other entities or people participating in a blockchain.

Risk Assessment

By fostering accountability, ensuring record integrity, and providing an irrefutable record (i.e., a person or organisation cannot dispute or challenge their part in authorising/sending a message or record), blockchain both generates new risks and helps to alleviate existing ones.

Control Activities

Blockchain can be used to help facilitate control activities. Blockchain and smart contracts have the potential to be a great tool for doing global business effectively and efficiently (e.g., by minimizing human error and opportunities for fraud). The collaborative characteristics of blockchain, on the other hand, might introduce additional complexity, especially when the technology is decentralised and there is no single entity accountable for the ICFR-compliant systems.

Information & Communication

The intrinsic characteristics of blockchain support better transaction visibility and data availability, and can open up new channels for management to convey financial information to important stakeholders more quickly and efficiently. One element that management should consider when using blockchain is the availability of information to support financial books and records, as well as the auditability of information traded on a blockchain.

Monitoring Activities

The promise of blockchain to enable more frequent, more detailed monitoring may significantly alter practice. Smart contracts and defined business standards, in conjunction with Internet of Things (IoT) devices, may change how monitoring is carried out.

Examples of how financial reporting and processes may change



Internal controls related to the control environment

The level of control that an entity may exercise in different blockchain ecosystems will change. In many circumstances, the entity will no longer have control. This will have an influence on how organisations think about and evaluate challenges in the control environment.



Reconciliations

Reconciliations will become more streamlined and efficient, and will result in enhanced visibility for all parties to the transaction, if a blockchain solution is used to address reconciliation-heavy areas (e.g., intercompany transactions).

Confirmations

Certain forms of confirmations may no longer be required given the capacity to compute transactions on the blockchain. However, there may be a greater need for further confirmations with possible new service suppliers.


Vendor and supplier approval

The application of blockchain technology may alter the nature of an organization’s interactions with vendors and suppliers (e.g., how transactions are processed, visibility to pricing, and reporting and transparency of information).


Third-party service providers

Blockchain solutions, like other technological solutions, may be managed internally or supplied externally. The service organization is normally in charge of overseeing most externally supplied systems. Management can request a SOC 2 Type 2 (system and organization controls) report, which includes information about “the fairness of the presentation of [third-party] management’s description of the service organization’s system, as well as the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description over a specified period.” As a result, demand for some type of SOC reporting in these situations is anticipated to rise.


Decentralised external systems

There may not be a single, centralized management to govern a certain blockchain in a blockchain world. Although the designers’ pre-established rules (protocol) and modifications brought about by stakeholder consensus can be conveyed, there may be no one external organization that can be held accountable for attaining the control objectives or held responsible when there are difficulties. “This lack of accountability is a major issue.”3 Without centralized administration, there may be no straightforward or easy method to engage a SOC auditor, and organizations must explore alternatives in the absence of SOC reports.


Integration of Digital Assets

Another distinction between blockchain and traditional technological solutions is the incorporation of digital assets into the system. Some blockchains have their own inbuilt digital payment or value that does not exist elsewhere and cannot be monitored in any other manner. Traditional systems can connect to banking or other financial systems; blockchain can be the system itself.


Electronic audit trail

The automated generation and existence of an electronic record of all transactions is a significant benefit of certain blockchains (i.e., an audit trail). However, there are additional issues in defining ownership and rights, and simply because a transaction is on a blockchain does not mean that the transaction is lawful for books and records reasons. Furthermore, it is conceivable that the evidence an auditor seeks is not on the chain itself (“on-chain”); but there may be enough context to obtain that information from other sources (“off-chain”), provided they exist and are easily accessible.


Work of internal and external audit

Given an underlying blockchain-enabled platform for implementing internal control, growing automation of controls and interfaces with other developing technologies (e.g., AI, IoT) may make the work of both external and internal auditors easier. A blockchain-enabled internal control system may offer a more trustworthy internal audit environment on which external auditors may rely. Coordination of work and coverage between external and internal auditors might also be improved.


Continuous real-time financial reports

More comprehensive and substantial continuous real-time financial reports will be conceivable, and may perhaps become the norm. Some parties may want to have access to a blockchain and generate their own ad hoc reports (while also having access to real-time data) rather than receiving agreed-upon, periodic reports from an institution.

“Monitoring becomes the only control ‘after the fact’”

If internal environments are so streamlined that once a transaction enters the system, the end reporting is predetermined, one could argue that everything except monitoring is considered “before the fact”/transaction pre-processing, and the only controls required “after the fact”/post-processing are monitoring controls.


What new threats emerge from the use of blockchain?


• Traditional risk assessments were entity-focused, but as blockchain use grows, firms will need to manage risks in a larger context. Entities, for example, may investigate the riskiness of other participants in the blockchain network and the ramifications for their own businesses. Furthermore, when blockchain monitoring methods are developed, varied risk appetites/risk tolerances among blockchain players may lead to conflict. In the case of specific blockchains, who is liable for risk management if no single body is in control, and how adequate responsibility is to be achieved, may pose issues.

• The implementation of a blockchain may expose organisations to new fraud schemes or provide new channels for existing fraud schemes. On the right sidebar, you can see several examples.

• The amount of data available in a blockchain-enabled environment may grow unmanageably large; attempting to manage too much data may result in data overload, compounding data governance issues. Smart contracts are both a potential risk and a valuable risk-mitigation tool. They self-execute and are difficult to remove once deployed. As a result, if they are inadequately designed or managed, they may produce inaccuracies or significant losses on a magnified scale. The deployment of a blockchain may also create difficulties in obtaining sufficient appropriate documentation to support transactions reported in an organization’s financial records (i.e., due to the loss of the transaction audit trail in an electronic environment).

• When organizations begin to utilize blockchains, there will be a period of transition. During this time, legacy systems, ERPs, or third-party cloud-based systems will perform front-end processing and data collection before interacting with a blockchain for additional processing or recording.

Although data on a blockchain is relatively safe and tamper-proof, it is nevertheless vulnerable to typical IT risks once it leaves the network.

The interface conveyance of data from upstream systems to a blockchain will be a vital control point in these new situations.

• Digital assets are a novel asset class with little or no prior experience and few comparable parallels in risk management and detecting unusual behavior. Businesses contemplating holding digital assets must also consider market volatility or a lack of market for some digital assets, cybersecurity issues connected to the preservation of private keys, accounting and financial reporting of such assets, and developing regulatory requirements.


Controls Over Key Aspects of Blockchain



“A ‘node’ is a computer connected to a blockchain network.”5 Companies must establish rules that govern the activities of nodes that store database copies, perform transaction validation, prepare data for addition to the chain, or offer other services. Controls can be linked to the following objectives:

• Ensuring there are enough active nodes to limit the chance of some coordinating to attack the system.

• Ensuring that processing power is distributed equitably across all nodes in order to prevent the consensus mechanism from being misused.

• Testing the availability of blockchain data from multiple network nodes.

• Verifying the consistency of data obtained from various network nodes.

• Confirming that all nodes perform the necessary validations before agreeing to add data to the chain.

• Monitoring and rewarding correct validations while punishing incorrect validations. (Note: Because of the large number of nodes on the network, an organisation may be unable to carry out duties in relation to a public blockchain.)
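As an added illustration of the node-level checks listed above (this is example code written for this article, not any vendor’s or consortium’s software), the following simplified ledger shows why both checks are needed: validating each node’s copy on its own catches a record edited in place, while comparing copies across nodes catches a copy whose history was rewritten consistently. The block format, node names and transactions are constructed.

```python
import hashlib
import json
from copy import deepcopy

# Constructed, simplified ledger: each block commits to its transactions and to
# the previous block's hash, so editing history invalidates every later block.
def block_hash(block):
    body = {k: block[k] for k in ("height", "prev_hash", "txs")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def make_chain(tx_batches):
    chain, prev = [], "0" * 64
    for height, txs in enumerate(tx_batches):
        block = {"height": height, "prev_hash": prev, "txs": txs}
        block["hash"] = block_hash(block)
        chain.append(block)
        prev = block["hash"]
    return chain

def validate_chain(chain):
    """Integrity problems found in one node's copy (empty list means OK)."""
    issues, prev = [], "0" * 64
    for i, block in enumerate(chain):
        if block["height"] != i:
            issues.append(f"height {i}: unexpected height {block['height']}")
        if block["prev_hash"] != prev:
            issues.append(f"height {i}: prev_hash does not link to block {i - 1}")
        if block["hash"] != block_hash(block):
            issues.append(f"height {i}: stored hash does not match block contents")
        prev = block["hash"]
    return issues

def compare_nodes(copies):
    """Cross-node check: majority hash per height and the nodes that disagree."""
    report = []
    for h in range(max(len(c) for c in copies.values())):
        votes = {}
        for node, chain in copies.items():
            votes.setdefault(chain[h]["hash"] if h < len(chain) else None, []).append(node)
        majority_hash, _ = max(votes.items(), key=lambda kv: len(kv[1]))
        dissenters = sorted(n for hsh, ns in votes.items() if hsh != majority_hash for n in ns)
        if dissenters:
            report.append({"height": h, "majority": (majority_hash or "missing")[:12],
                           "dissenting_nodes": dissenters})
    return report

# Constructed sample: a consortium ledger as seen from four read-only copies.
GOOD = make_chain([
    [{"from": "treasury", "to": "supplierA", "amount": 1000}],
    [{"from": "supplierA", "to": "supplierB", "amount": 250}],
    [{"from": "treasury", "to": "supplierC", "amount": 400}],
])
NODE_COPIES = {"node1": GOOD, "node2": deepcopy(GOOD),
               "node3": deepcopy(GOOD), "node4": deepcopy(GOOD)}
# node3: amount edited in place; its stored hash no longer matches the contents,
# but the stored hash itself still agrees with the other nodes.
NODE_COPIES["node3"][1]["txs"][0]["amount"] = 2500
# node4: amount edited and every later hash recomputed; internally consistent,
# but it now diverges from the majority from height 1 onward.
NODE_COPIES["node4"][1]["txs"][0]["amount"] = 2500
prev = NODE_COPIES["node4"][0]["hash"]
for blk in NODE_COPIES["node4"][1:]:
    blk["prev_hash"], blk["hash"] = prev, None
    blk["hash"] = block_hash(blk)
    prev = blk["hash"]

def audit_report(copies=NODE_COPIES):
    return {"per_node": {n: validate_chain(c) for n, c in copies.items()},
            "cross_node": compare_nodes(copies)}

if __name__ == "__main__":
    print(json.dumps(audit_report(), indent=2))
```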

Consensus Protocols

Individual blockchain consensus mechanisms should be evaluated on a regular basis to ensure that:

• Only the appropriate nodes are authorised to participate in consensus.

• Protocols have been adequately created and are operational.

• To combat fraud, appropriate incentives for following processes and penalties for failing to follow protocols have been implemented.

The three main kinds of consensus are proof-of-work, proof-of-stake, and majority vote.

Private Keys

Companies should take precautions to control access to their private keys. These controls will depend on how the keys are stored (e.g., hot wallet or cold wallet). In some cases, businesses may hire a third-party custodian to help with key management or to hold the assets directly. Custodians may split control of the private key among several parties, so that multiple parties must approve a transaction (multi-signature). It will also be critical to ensure that the company has considered adequate segregation of duties, so that those who authorise blockchain transactions do not have access to the organisation’s books and records.

Smart Contract

• Implement controls to validate the appropriateness of the design and implementation effectiveness of smart contracts, track changes and updates in a controlled manner, and ensure proper documentation and historical record to establish accountability to mitigate the risks associated with smart contracts.

• Implement controls over smart contract inputs, including inputs from blockchain oracles. Smart contract controls should give timely warnings and exception reports to confirm that everything is running properly and that deviations and exceptions are immediately reported to the right parties.
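To make the oracle-input control concrete, here is an added example (written for this article, not code from any real contract platform) applying it to the oil-price hedge described earlier: quotes from several oracle sources are screened for source approval, freshness and agreement with the median, and the contract only settles when a quorum of accepted quotes remains; otherwise it holds and emits an exception report. The oracle names, thresholds and prices are constructed assumptions.

```python
import statistics
from dataclasses import dataclass

@dataclass
class Quote:
    source: str
    price: float        # reported oil price in USD per barrel
    observed_at: int    # unix timestamp of the observation

@dataclass
class OracleControl:
    allowed_sources: set
    min_quorum: int = 3          # independent sources required to settle
    max_age_seconds: int = 900   # reject quotes older than this
    max_deviation: float = 0.02  # reject quotes more than 2% from the median

    def screen(self, quotes, now):
        """Return (accepted quotes, exception messages); never raises."""
        accepted, exceptions, fresh = [], [], []
        for q in quotes:
            if q.source not in self.allowed_sources:
                exceptions.append(f"{q.source}: not an approved oracle source")
            elif now - q.observed_at > self.max_age_seconds:
                exceptions.append(f"{q.source}: stale quote ({now - q.observed_at}s old)")
            elif q.price <= 0:
                exceptions.append(f"{q.source}: non-positive price {q.price}")
            else:
                fresh.append(q)
        if fresh:
            median = statistics.median(q.price for q in fresh)
            for q in fresh:
                if abs(q.price - median) / median > self.max_deviation:
                    exceptions.append(f"{q.source}: price {q.price} deviates from median {median}")
                else:
                    accepted.append(q)
        if len(accepted) < self.min_quorum:
            exceptions.append(f"quorum not met: {len(accepted)} of {self.min_quorum} sources accepted")
        return accepted, exceptions

def settle_oil_hedge(strike, notional_bbl, buyer, seller, quotes, control, now):
    """Cash-settle a year-end oil hedge or hold it and report exceptions.
    The buyer receives (price - strike) * notional when price > strike, else pays it."""
    accepted, exceptions = control.screen(quotes, now)
    if len(accepted) < control.min_quorum:
        return {"status": "held", "exceptions": exceptions}
    settlement_price = statistics.median(q.price for q in accepted)
    payoff = (settlement_price - strike) * notional_bbl
    pay_to, pay_from = (buyer, seller) if payoff >= 0 else (seller, buyer)
    return {"status": "settled", "price": settlement_price, "pay_to": pay_to,
            "pay_from": pay_from, "amount": abs(payoff),
            "sources": [q.source for q in accepted], "exceptions": exceptions}

# Constructed sample inputs.
CONTROL = OracleControl(allowed_sources={"oracleA", "oracleB", "oracleC", "oracleD"})
NOW = 1_700_000_000
GOOD_QUOTES = [Quote("oracleA", 80.0, NOW - 60), Quote("oracleB", 80.4, NOW - 120),
               Quote("oracleC", 79.8, NOW - 90), Quote("oracleD", 80.2, NOW - 30)]
# A stale feed, an unapproved source and one wildly divergent price: must not settle.
BAD_QUOTES = [Quote("oracleA", 80.0, NOW - 5000), Quote("oracleB", 80.4, NOW - 120),
              Quote("oracleC", 120.0, NOW - 90), Quote("unknownX", 80.1, NOW - 10)]

def demo(quotes):
    return settle_oil_hedge(75.0, 1000, "refinerCo", "bankCo", quotes, CONTROL, NOW)

if __name__ == "__main__":
    print(demo(GOOD_QUOTES))
    print(demo(BAD_QUOTES))
```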

Mitigate the New Threats and Risks Associated with Blockchain Implementation


With the onset of new dangers and threats, organisations may need to consider the following to counter and neutralise them:

• Given the vast volume of data handled on the blockchain and the high frequency with which these transactions are completed, computerised continuous monitoring tools, rather than traditional manual procedures, should be used to perform ongoing analysis.

• Using ongoing evaluations to detect changes and upgrades in technology, as well as to confirm the presence and operation of internal control components.

• Identifying and acquiring talent with the necessary knowledge of an entity’s baseline control environment, blockchain technology, and best monitoring practices to:

1) assist in the design and implementation of appropriate monitoring controls and

2) assess the results and efficiency of such monitoring activities.

• Evaluating blockchain’s distinct properties, such as consensus protocols, smart contracts, and private keys, as well as aspects related to the blockchain’s ongoing health, governance, and overall reliability.

• Identifying persons who will be responsible for implementing monitoring controls and developing agreed-upon rules and processes for notifying shortcomings and taking corrective action within a consortium or private blockchain.

• Retaining an independent third party to evaluate consortium blockchains in some situations. A trusted middleman, for example, can gain access to personal information from individual firms in order to determine if the components are operational, analyse problems, and communicate deficiencies.

• Keeping track of service-level agreements with outsourced service providers and obtaining control reports from them. As previously stated, if untrustworthy data associated with these relationships enters the blockchain, the consequences may be severe, if not catastrophic.




Global Risk Management Institute



