Companies are rapidly finding applications for blockchain technology, meaning internal auditors will need to assess those applications. To do so will require some foundational knowledge of how blockchain works and the risks associated with its use.
Cryptocurrencies, like Bitcoin and Ethereum, have their supporters and their naysayers. But no matter what you think about the usefulness of these virtual currencies, their rise has given us a technology that nearly everyone can agree will be invaluable to the future of finance and accounting: Blockchain.
While blockchain is a key enabler of cryptocurrencies, it has many other uses. Indeed, many financial institutions, online gaming companies, consulting firms, and other companies are already putting blockchain to use to track online transactions, create records of virtual assets, provide security for critical data, and for many other applications. IBM, for example, is investing $200 million to research blockchain and its applications. Mythical Games, a gaming company based in Sherman Oaks, Calif., is using blockchain to verify the scarcity of digital assets contained in its online video games and to record and track ownership of such items by players.
As the use of blockchain becomes more widespread, internal auditors will increasingly come into contact with the technology. While that doesn’t necessitate a deep understanding of the sophisticated technology based on complex algorithms and elaborate encryption methods, internal auditors will need to have a basic understanding of blockchain so that they can speak the language of those who are using it and direct audits of processes where it is in use.
So What, Exactly, Is Blockchain?
Most descriptions of blockchain call it a technology that enables the creation of a secure digital ledger. So what does that mean? Blockchain is really just a way to structure and store information online so that it can’t be changed or faked without authorization. It does this by grouping the data into blocks, encrypting them in a special way, and distributing the encrypted blocks across a wide series of networks in the peer group. Each peer has a copy of the complete chain of data, making it impossible for one person or group to change the data without accessing all the other networks.
What makes blockchain so special is that this simultaneous distribution of the information across peer networks makes a central clearing house or central bank unnecessary. It keeps everyone honest because the information can’t be changed without everyone seeing that an unauthorized addition or change has been made. All records and activity are visible to all at all times.
According to Coinmonks, a non-profit educational site on all things crypto, “Data can only be added in the blockchain with time-sequential order. This property implies that once data is added to the blockchain, it is almost impossible to change that data and can be considered practically immutable.”
Here are some critical attributes of most blockchain systems that make it work:
- Peer-to-Peer Network (P2PN): The blockchain data is simultaneously distributed among all users. This is an important feature. There is no central repository to hack into or super-user that can make changes without others knowing about it.
- Encryption: Blockchain uses a sophisticated encryption system known as a “cryptographic hash.” A hash is a function that uses cryptography to transform any input data into a fixed-length output string of numbers and letters. Even a small change to the input produces a completely different resulting hash or code. Hashing is how the data blocks are linked in a chain. A block is run through a cryptographic hashing function to create a hash. The hash is then added to the next block and run through the same algorithm to create a new hash that is pushed forward to the next block. The result of this encryption trick is that if the information is changed anywhere along the chain, it changes the hashes of all the blocks that follow, and the altered chain is then rejected during the verification process that will be explained below.
- Immutable Ledger: This attribute is closely related to the use of the hashing function. As just explained, it’s not possible to modify any block without changing the entire chain. So information can only be added to the blockchain in sequential order. It can’t be changed, making it “immutable,” which is a critical component of a publicly accessible ledger.
- Consensus: Any given blockchain is not a group of just any data; there must be an existing agreement among users about what exactly can be added to the blockchain. This agreement is known as a “consensus protocol.” Again, Coinmonks describes it best: “Any update made to the blockchain is validated against strict criteria defined by the blockchain protocol and added to the blockchain only after a consensus has been reached among all participating peers or nodes on the network.”
- Validation or Mining: Most people know that Bitcoin involves “mining” the cryptocurrency, but they don’t know why. Mining is an essential element in making blockchain work. For cryptocurrencies, it is a way to entice others to do the validation work required to add new blocks to the chain, known as “proof of work.” New blocks are created with restrictions on their hash codes, meaning that only expected data will create hashes in an acceptable range. The “miners” run computers that test possible hash combinations until one meets the validation requirements, which is why they require lots of computing power.
Together, these attributes enable a distributed ledger that maintains its integrity, even without a central authority overseeing it. Quite clever, indeed.
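The hash linking and proof of work described in the list above can be seen in a few lines of Python. This is an added illustration, not code from any blockchain product or from the sources quoted here; the ledger entries, the difficulty of three leading zeros, and all function names are constructed for the example.

```python
import hashlib
import json

DIFFICULTY = 3           # constructed target: hash must start with 3 hex zeros
GENESIS_PREV = "0" * 64  # placeholder predecessor for the first block


def block_hash(block):
    """SHA-256 over the block's fields, serialized deterministically."""
    return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()


def mine(index, data, prev_hash):
    """Proof of work: try nonces until the hash meets the difficulty target."""
    nonce = 0
    while True:
        block = {"index": index, "data": data, "prev_hash": prev_hash, "nonce": nonce}
        if block_hash(block).startswith("0" * DIFFICULTY):
            return block
        nonce += 1


def build_chain(records):
    chain, prev = [], GENESIS_PREV
    for i, record in enumerate(records):
        chain.append(mine(i, record, prev))
        prev = block_hash(chain[-1])
    return chain


def first_invalid(chain):
    """Index of the first block that fails verification, or None if all pass."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        digest = block_hash(block)
        if block["prev_hash"] != prev or not digest.startswith("0" * DIFFICULTY):
            return i
        prev = digest
    return None


chain = build_chain(["A pays B 10", "B pays C 4", "C pays A 1"])  # constructed ledger
edited = [dict(b) for b in chain]
edited[1]["data"] = "B pays C 400"  # change a record, keep the old nonce
remined = [dict(b) for b in chain]
remined[1] = mine(1, "B pays C 400", chain[1]["prev_hash"])  # redo block 1's work

if __name__ == "__main__":
    print(first_invalid(chain), first_invalid(edited), first_invalid(remined))
```

Even when the work for the edited block is redone, verification fails at the following block, because that block still carries the hash of the original record.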
Applications Beyond Cryptocurrencies
These unique attributes create a perfect tool to keep track of almost any type of information in a secure and decentralized way. It can allow individuals or organizations to make a transaction or just about any exchange of information that is recorded, indisputably, into a publicly or organizationally available record. And when recordkeeping is involved, so too is internal audit. But auditors can’t just trust a “black box.” They must understand, at least on the topical level and with the trust of technicians, what is happening inside those records.
As Jim Pelletier, vice president of standards and knowledge at the Institute of Internal Auditors, writes in Internal Audit Magazine, “This explosion of new applications of blockchain technology will involve internal audit, as does anything that requires recordkeeping. The news media carries a new blockchain story almost daily, boards and investors want to know what their organizations are doing in this area, and business models involving transaction intermediaries risk being wiped out. Many of the issues surrounding this transformation are known, but many more are yet to be identified.” To be sure, blockchain is not a silver bullet for secure public transaction records.
Internal Controls for Blockchain
To address these new and increasing applications of blockchain, internal audit departments that oversee areas where it is in use will need to put some structures in place to ensure that it is working properly, doing what it is supposed to do, and that the protocols that make it work are set up properly.
Among those structures are internal controls. To this end, a recent development could help. This month, an organization known as the Accounting Blockchain Coalition’s (ABC) Internal Control Working Group released a document outlining some internal control activities and actions to address threats and vulnerabilities to digital assets and blockchain transactions. The report, which ABC calls a tool, is intended to assist those who are considering a risk assessment of certain common processes associated with the use of blockchain technology.
As an example of potential blockchain controls, those to protect against collusion in multi-signature wallets include:
- Segregate access and execution duties with a rotation of roles every six months.
- Annual review of access controls and segregation of duties.
- Disaggregation of private keys/seed phrases using an M of N-type strategy, with different entities holding each piece.
- Use two-factor authentication on all points of vulnerability.
“It is the first tool that takes a high-level approach at identifying the recommended procedures—in terms of internal control activities—and addresses the identified threats and vulnerabilities in an illustrative framework,” said the ABC in a statement on the release of the guide. “In other words, it doesn’t just point out possible threats and vulnerabilities in the use of a digital asset or blockchain technology. It provides generalized guidelines to mitigate the vulnerabilities.”
Not Without Risks
While blockchain as it is used in widespread cryptocurrencies like Bitcoin is all but infallible, that doesn’t mean it comes without risks when it is used in organizations.
A report by Deloitte outlines some important risks associated with blockchain to consider. First, it raises a caution to those who ignore blockchain: “Enterprises that fail to conduct sufficient scenario planning and delay consideration of blockchain’s decentralization and tokenization risk being disintermediated or failing to seize the greatest business value from blockchain.”
And to be sure, blockchain is not infallible. As the Deloitte report states: “While Blockchain encrypts key information, such as buyer and seller names and addresses to prevent unintentional informational leakage, this does not mean that data and associated metadata are inherently secure.”
For those aspects, internal auditors will need to be familiar with the technology and remain on their toes.