The Malta Business Weekly

A game changer for audit processes?

As blockchain rises beyond being just another buzzword, what impact will this technology, described by many as a cultural paradigm shift, have on the traditional audit and assurance process?

The internet has been flooded with information about blockchain over the last few weeks. Linked to this is the exponential increase in the value of cryptocurrencies such as bitcoin, a virtual currency based on blockchain technology. Observers are claiming that blockchain is set to revolutionise many industries: banking, financial services, social media and real estate are just some examples of sectors that are evaluating blockchain technology to see whether its underlying characteristics could help improve operational processes. Audit is no exception, and there are several potential benefits which might be realised in the audit process through the rising adoption of blockchain technology.

What is blockchain?

In its simplest form, a blockchain can be considered to be a distributed ledger which contains the relevant details for every transaction that has ever been processed. The validity and authenticity of each transaction is protected by digital signatures (cryptography). In blockchain, there is no central administration and anyone can process transactions using the computing power of specialised hardware (nodes/miners) and earn a reward in bitcoins for this service.

Let us take an example where Peter in the United States wants to pay 10 bitcoins (BTC) to Jane in Australia. In order to accept this transaction, the nodes on the network (the miners) are required to authenticate Peter’s transaction (using cryptographic hash functions). In this process, miners will use their ledger (the blockchain) to determine whether he has the 10 BTC required for payment. The blockchain contains information about all the recorded transactions since genesis, the first transaction ever recorded. In order to derive Peter’s balance, the miners will go through every transaction in the ledger, adding up the ones where Peter was a recipient and subtracting the ones where Peter was a sender. Once all the validation processes are successful, the miners will add the verified transaction to the blockchain and link it to the previous verified block (block 53).

To manage and verify identities (of Peter and Jane in our example), blockchain uses public key cryptography. In this form of cryptography, there are two keys that are mathematically linked together.

• Public key: a public identifier that can be freely shared with others; this is your identity on the blockchain
• Private key: a key that must never be shared with anyone.

Using these keys, miners solve mathematical functions to verify that the transaction sender and receiver match with the stated sources and that the transaction content has not been modified along the way.

However, blockchain is not only used by virtual currencies, as in our example. The Harvard Business Review article, "The Truth About Blockchain", suggests “with blockchain, we can imagine a world in which contracts are embedded in digital code and stored in transparent, shared databases, where they are protected from deletion, tampering, and revision. In this world every agreement, every process, every task and every payment would have a digital record and signature that could be identified, validated, stored, and shared. Intermediaries like lawyers, brokers, and bankers might no longer be necessary. Individuals, organisations, machines and algorithms would freely transact and interact with one another with little friction. This is the immense potential of blockchain”.

What opportunities does blockchain bring to the audit process?

By design, blockchains are inherently resistant to modification of any stored data. Functionally, a blockchain can serve as an open, distributed ledger that can record transactions between two parties efficiently and in a verifiable and permanent way [2]. Blockchain can be used as a source of verification for reported transactions. An example might be where, instead of asking clients for bank statements or sending confirmation requests to third parties, auditors can easily verify the transactions on publicly available blockchain ledgers such as http://www.blockchain.info or http://www.blockexplorer.com. The automation of this verification process will drive cost efficiencies in the audit environment.

The days of sample-based substantive testing will soon be challenged, as auditors will resort to blockchain technology to test the whole population of transactions within the period under observation. This extensive coverage will drastically improve the level of assurance gained in affected audit engagements.

In blockchain, a low-value transaction currently takes approximately 10 minutes to be validated, as a single block verification is deemed appropriate. The more blocks that elapse before a transaction is considered verified, i.e. the further back it sits in the chain, the more immutable the related transactions are. Typically a high-value transaction will take approximately 1 hour to be verified (6 blocks). Contrast this with traditional financial transactions, where information might take up to a month or more to be cleared. This pseudo real-time verification characteristic of blockchain could also impact the audit process. Instead of assessments at year end (or interim), audit firms will be in a position to perform continuous online assessments throughout the period under audit.
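The full-population check and the confirmation-depth rule described above, sketched as an added example (not code from the article or from Deloitte): a toy hash-linked ledger, an integrity check, and a reconciliation of an entity's reported transactions against it. The 10 BTC high-value cut-off, all names and the sample data are assumptions constructed for illustration.

```python
import hashlib
import json
from collections import namedtuple

Tx = namedtuple("Tx", "id sender recipient amount")
DEPTH_LOW, DEPTH_HIGH, HIGH_VALUE_BTC = 1, 6, 10  # depths from the article; cut-off assumed

def block_hash(block):
    body = json.dumps([block["height"], block["prev_hash"], block["txs"]])
    return hashlib.sha256(body.encode()).hexdigest()

def build_chain(batches):
    chain, prev = [], "0" * 64
    for height, txs in enumerate(batches):
        block = {"height": height, "prev_hash": prev, "txs": txs}
        block["hash"] = prev = block_hash(block)
        chain.append(block)
    return chain

def verify_chain(chain):
    """Height of the first block with a bad hash or back-link, else None."""
    prevs = ["0" * 64] + [b["hash"] for b in chain]
    bad = [b["height"] for b, p in zip(chain, prevs)
           if b["prev_hash"] != p or b["hash"] != block_hash(b)]
    return bad[0] if bad else None

def reconcile(chain, reported):
    """Check every reported transaction, not a sample, against the ledger."""
    ledger = {tx.id: (tx, b["height"]) for b in chain for tx in b["txs"]}
    findings = {}
    for rep in reported:
        rec, height = ledger.get(rep.id, (None, 0))
        depth = len(chain) - height  # blocks confirming the transaction
        need = DEPTH_HIGH if rep.amount >= HIGH_VALUE_BTC else DEPTH_LOW
        if rec is None:
            findings[rep.id] = "not on ledger"
        elif rec != rep:
            findings[rep.id] = "details differ from ledger"
        elif depth < need:
            findings[rep.id] = f"only {depth} of {need} confirmations"
        else:
            findings[rep.id] = "verified"
    return findings

# Constructed sample data, not real transactions.
CHAIN = build_chain([[Tx("t1", "coinbase", "peter", 25)], [Tx("t2", "peter", "jane", 10)],
                     [], [], [], [Tx("t3", "jane", "acme", 12)], [Tx("t4", "jane", "acme", 2)]])
REPORTED = [Tx("t2", "peter", "jane", 10), Tx("t3", "jane", "acme", 12),
            Tx("t4", "jane", "acme", 3), Tx("t9", "acme", "jane", 1)]
```

Editing any stored transaction changes that block's hash, so `verify_chain` reports the altered block's height and the auditor knows the copy of the ledger cannot be relied on.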

Deloitte Deutschland envisages that, at the end of the blockchain road, fully automated audits may be a reality. The assessment of financial statement assertions such as existence, occurrence, accuracy and completeness of information, are amongst the prime candidates for audit automation as well as potential benefits from a timing perspective.

What challenges does blockchain bring to the audit process?

Although blockchain promises highly secure transactions, fraud instances cannot be fully eradicated. In July 2017, an unknown hacker managed to steal nearly 32 million US dollars’ worth of Ethereum, one of the most popular virtual currencies. The root cause of this fraud was not related to deficiencies in the blockchain technology but, rather, to a vulnerability within the software that was used to manage Ethereum wallets. The fraud was quickly detected and the related Parity vulnerability mitigated accordingly, to safeguard the remaining wallets.

This breach suggests that the successful adoption of blockchain is highly dependent on the security of the underlying environment. In order to be in a position to provide the necessary level of assurance, audit processes need to shift further towards the assessment of the operating effectiveness of internal IT controls.

To give some concrete examples:

• If an entity’s employee accidentally or deliberately sends bitcoin to a wrong or unauthorised address (recipient), there is currently no way to reverse that transaction. Auditors are therefore required to assess whether effective automated controls are in place to validate transactions before they are executed.
• If an entity experiences a phishing attack, there is no fraud department to which to report such an incident, since in blockchain there is no central administration. This situation can also translate into a risk of fraud. When faced with such risk, auditors will be expected to determine whether internal controls to prevent and detect phishing attacks are indeed operating effectively.
• If a private key is lost (e.g. through a software or hardware malfunction), the entity loses access to any virtual currency (such as bitcoin) that is associated with this private key. These bitcoins will no longer be accessible to anyone on the bitcoin network; they are effectively out of circulation, forever. Effective disaster recovery procedures as well as backup and restoration procedures would help to prevent such situations from occurring. Such loss mitigation procedures are also expected to be assessed to verify whether controls that address the risks associated with blockchain can be relied upon.

Although blockchain technology offers inherently secure properties, it is humans that will be coding the necessary software to integrate and interface with blockchain. Humans are fallible and corruptible. In adherence with the requirements driven by the International Standards on Auditing (ISAs), auditors are required to understand the specific risks to an entity’s financial statements arising from IT, and how the entity is responding to these risks through implementation of IT controls.

With the rising adoption of blockchain technology, auditors will need to raise the bar by providing increasingly complex assurance services in more agile business environments and in support of upcoming digital transformations. A different professional audit mindset and additional expertise will be required to satisfy the expectations of stakeholders and business owners in this new world.
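One form the automated pre-execution control from the first example above could take, as an added sketch that is not from the article: reject a mistyped address by its Base58Check checksum, reject recipients outside an approved list, and hold large payments for a second approver. It assumes legacy Base58Check bitcoin addresses only; the function names, the limit and the sample addresses are hypothetical and constructed for illustration.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def checksum(payload):
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(version, hash160):
    raw = bytes([version]) + hash160
    raw += checksum(raw)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\0"))  # leading zero bytes become '1'
    return "1" * pad + out

def b58check_valid(address):
    """True if the address decodes to 25 bytes with a matching checksum."""
    n = 0
    for ch in address:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    pad = len(address) - len(address.lstrip("1"))
    raw = b"\0" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return len(raw) == 25 and checksum(raw[:21]) == raw[21:]

def pre_send_check(address, amount_btc, allowlist, limit_btc):
    """Decide before signing, because a confirmed payment cannot be reversed."""
    if not b58check_valid(address):
        return "reject: malformed address"
    if address not in allowlist:
        return "reject: recipient not approved"
    if amount_btc > limit_btc:
        return "hold: second approval required"
    return "allow"

# Constructed sample: addresses derived from made-up 20-byte values.
SUPPLIER = b58check_encode(0, bytes(range(20)))
UNKNOWN = b58check_encode(0, bytes(range(1, 21)))
ALLOWLIST = {SUPPLIER}
```

An auditor testing such a control would look for evidence that all three outcomes are logged and that the approved list itself is under change control.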

Conclusion

With the proliferation of the internet over the last few decades, we have experienced exponential progression towards a digital world. Blockchain is set to be the next step in this evolution.

While blockchain’s design seems sound from a security standpoint, the blockchain environment is still susceptible to various technology risks. The efficiencies that will be gained through audit automation are likely to be balanced by the requirements for new procedures to address the risks associated with the blockchain environment. These developments will likely shape a blockchain audit where IT controls will gain a more pivotal role in providing a reasonable assurance that the financial statements as a whole are free from material misstatement.

Sandro Psaila is a manager in Deloitte Malta Audit & Assurance. Due to the length of this article, references and illustrations are to be found in the full article online. For more information, please visit www.deloitte.com/mt/blockchain
