Blockchain A game changer for audit processes Deloitte Malta Audit Assurance
Blockchain: A game changer for audit processes
As blockchain grows beyond a mere buzzword, how will this much-discussed technology change the cultural paradigm?
In recent weeks, the Internet has been flooded with information on blockchain. Alongside this, the value of cryptocurrencies based on blockchain technology, such as the virtual currency Bitcoin, has been growing rapidly. Banking, financial services, social media and real estate are just a few examples of sectors using the basic functions of blockchain technology to improve business processes. Audit is no exception, and many benefits can be realized in the audit process by adopting blockchain technology.
What is blockchain?
In its simplest form, a blockchain can be considered a distributed ledger that contains the relevant details of every transaction processed so far. The validity and authenticity of each transaction are protected by digital signatures (cryptography). There is no central administration on the blockchain: anyone can use the computational power of dedicated hardware (nodes/miners) to process transactions and earn a bitcoin reward for this service.
Take a look at the infographic below, in which Peter in the United States wants to pay 10 bitcoin (BTC) to Jane in Australia. For this transaction to be accepted, a node (miner) on the network needs to authenticate Peter's transaction (using a cryptographic hash function). In this process, the miner uses the ledger (the blockchain) to determine whether Peter has the 10 BTC he needs to pay. The blockchain contains information about every transaction recorded since Genesis, the first transaction in history. To derive Peter's balance, the miner examines each transaction in the ledger, adding what Peter received and subtracting what Peter paid out. If all verification steps succeed, the miner adds the verified transaction to the blockchain and links it to the previously verified block (block 53).
Hashing is a form of cryptographic security that is distinct from encryption. Whereas encryption is a two-step process of first encrypting and then decrypting a message, hashing condenses a message into an irreversible, fixed-length value (the hash).
Blockchain ledger explained
Figure 1 - Flow of a transaction in a blockchain environment. Taken from "Bitcoin by analogy" [1].
Public keys
To manage and verify identities (Peter and Jane in this example), blockchain uses public key cryptography. In this form of cryptography, there are two keys that are mathematically linked.
Public key: A public identifier that you can freely share with others. This is your identity on the blockchain.
Private key: A key that should never be shared with anyone.
Using these keys, miners solve mathematical functions to verify that the sender and receiver of a transaction match their declared source, and that the contents of the transaction have not been changed in the process.
But blockchain is not just used for cryptocurrencies, as in this example. The Harvard Business Review article "The Truth About Blockchains" suggests that "with blockchains, we can imagine a world in which contracts are embedded in digital code and stored in a transparent, shared database that is protected from deletion, tampering, or modification." In this world, every contract, every process, every task, every payment will have a digital record and signature that can be identified, verified, stored, and shared. Intermediaries such as lawyers, brokers, and bankers may no longer be necessary. Individuals, organizations, machines, and algorithms will be able to exchange and interact freely with little friction. This is the great potential of blockchain. [2]
What opportunities does blockchain bring to the audit process?
By design, blockchains are inherently resistant to tampering with stored data. Functionally, blockchains can act as an open, distributed ledger that can record transactions between two parties in an efficient, verifiable, and permanent manner. [2] The blockchain can be used as a source of verification for reported transactions. For example, instead of asking customers about bank transactions or sending confirmation requests to third parties, auditors can simply verify transactions on publicly available blockchain ledgers such as http://www.blockchain.info or http://www.blockexplorer.com. Automating this verification process can lead to cost reductions in the audit environment.
The era of sample-based testing may soon be called into question, as auditors will rely on blockchain technology to test the entire set of transactions within the monitoring period. This expansion of coverage will dramatically improve the level of assurance obtained in affected audit work.
Currently, it takes about 10 minutes to verify a low-value transaction, since verification by one block is deemed adequate. The more blocks a transaction has to pass before it is considered verified, i.e. the deeper it sits in the chain, the more assurance there is that the related transaction will remain unchanged. Typically, a high-value transaction takes about an hour to verify (6 blocks). This contrasts with traditional financial transactions, which can take more than a month before the information is cleared. This near-real-time verification feature of blockchain may also have an impact on the verification process. Instead of end-of-period (or interim) evaluations, audit firms will be able to perform continuous online evaluations throughout the audit period.
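The full-population check and the confirmation depths described above can be sketched as follows. This is an added example, not code from the article or from Deloitte: the ledger is a toy hash-linked chain, and the function names, the 5 BTC cut-off for "high value" and the sample transactions are assumptions made for illustration.

```python
import hashlib, json

LOW_CONF, HIGH_CONF = 1, 6   # confirmation depths quoted in the article
HIGH_VALUE_BTC = 5           # assumed cut-off for "high value" (not from the article)
GENESIS_PREV = "0" * 64

def block_hash(block):
    body = {k: block[k] for k in ("index", "prev_hash", "txs")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def make_chain(tx_batches):
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(tx_batches):
        block = {"index": i, "prev_hash": prev, "txs": txs}
        block["hash"] = prev = block_hash(block)
        chain.append(block)
    return chain

def chain_is_intact(chain):
    prev = GENESIS_PREV
    for block in chain:
        if block["prev_hash"] != prev or block["hash"] != block_hash(block):
            return False
        prev = block["hash"]
    return True

def audit(chain, reported):
    """Check every reported transaction (no sampling) against the ledger."""
    if not chain_is_intact(chain):
        raise ValueError("ledger failed hash-link integrity check")
    # Confirmations = the block holding the transaction plus every block after it.
    seen = {t["id"]: (t, len(chain) - b["index"]) for b in chain for t in b["txs"]}
    findings = {}
    for rec in reported:
        ledger_tx, conf = seen.get(rec["id"], (None, 0))
        need = HIGH_CONF if rec["amount"] >= HIGH_VALUE_BTC else LOW_CONF
        findings[rec["id"]] = ("not on ledger" if ledger_tx is None
                               else "details differ from ledger" if ledger_tx != rec
                               else f"{conf} of {need} confirmations" if conf < need
                               else "verified")
    return findings

def tx(i, sender, to, amount):
    return {"id": i, "from": sender, "to": to, "amount": amount}

# Constructed sample data: a 7-block ledger and the client's reported transactions.
CHAIN = make_chain([[tx("t1", "peter", "jane", 10)], [], [], [], [],
                    [tx("t2", "jane", "peter", 10)], [tx("t3", "peter", "jane", 1)]])
BOOKS = [tx("t1", "peter", "jane", 10), tx("t2", "jane", "peter", 10),
         tx("t3", "peter", "jane", 2), tx("t4", "peter", "jane", 1)]
```

Calling `audit(CHAIN, BOOKS)` returns one finding per reported transaction, so an under-confirmed high-value payment, a mismatched amount and an entry missing from the ledger each surface as a separate exception for follow-up.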
Deloitte Deutschland predicts that fully automated controls may become a reality further down the blockchain road [3]. The evaluation of financial statement assertions, such as the existence, occurrence, accuracy, and completeness of information, is one of the prime candidates for audit automation, with potential benefits in terms of timing.
What challenges does blockchain bring to the audit process?
Although blockchain promises more secure transactions, it cannot completely eliminate cases of fraud. In July 2017, unknown hackers managed to steal approximately $32 million of Ethereum, one of the most popular cryptocurrencies. The root cause of this fraud was not related to shortcomings in blockchain technology, but rather vulnerabilities in the software used to manage Ethereum wallets. The fraud was quickly identified, and the associated Parity vulnerability was mitigated accordingly to protect the remaining wallets.
This breach suggests that the successful implementation of blockchain will depend heavily on the security of the underlying environment. To be able to provide the required level of assurance, audit procedures need to be further shifted towards evaluating the operational effectiveness of internal IT controls.
Here are some concrete examples:
- If a company employee accidentally or intentionally sends bitcoins to a fraudulent or unauthorized address (recipient), there is currently no way to reverse this transaction [1]. Auditors should therefore assess whether there are effective automated controls to verify the transaction before it is executed.
- If a company encounters a phishing attack, there is no fraud department to report such incidents to, since there is no central authority on the blockchain [1]. Such a situation can also be a fraud risk. When faced with such a risk, auditors are required to determine whether the company's internal controls to prevent and detect phishing attacks are truly working effectively.
- If a private key is lost (e.g., due to software or hardware failure), the company loses access to the virtual currency (e.g., bitcoins) associated with that private key. These bitcoins are no longer accessible by anyone on the Bitcoin network and are effectively taken out of circulation forever [1]. Effective disaster recovery procedures or backup and recovery procedures would help to avoid such a situation. Auditors would also be expected to evaluate such loss mitigation procedures to verify whether the controls that address blockchain-related risks can be relied upon.
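One shape the automated pre-execution control from the first bullet could take is shown below. It is an added example, not taken from the article: it assumes legacy Base58Check Bitcoin addresses (whose built-in checksum catches typos), and the approved-payee list, the single-approver limit and all function names are hypothetical.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def checksum(payload: bytes) -> bytes:
    # Base58Check checksum: first 4 bytes of a double SHA-256.
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(version: int, data: bytes) -> str:
    """Used here only to build a constructed test address."""
    raw = bytes([version]) + data
    raw += checksum(raw)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def b58check_valid(addr: str) -> bool:
    if not addr or any(ch not in ALPHABET for ch in addr):
        return False
    n = 0
    for ch in addr:
        n = n * 58 + ALPHABET.index(ch)
    zeros = len(addr) - len(addr.lstrip("1"))   # leading '1' encodes a zero byte
    raw = b"\0" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return len(raw) == 25 and raw[-4:] == checksum(raw[:-4])

def pre_send_check(addr, amount_btc, approved, single_approver_limit):
    # Runs before signing, because a broadcast payment cannot be reversed.
    if not b58check_valid(addr):
        return "reject: address fails checksum (typo or truncation)"
    if addr not in approved:
        return "reject: address not on approved-payee list"
    if amount_btc > single_approver_limit:
        return "hold: second approver required"
    return "allow"

# Constructed payee address (hash of a label, not a real wallet).
SUPPLIER = b58check_encode(0, hashlib.sha256(b"constructed supplier").digest()[:20])
APPROVED = {SUPPLIER}
```

An auditor testing operating effectiveness would look for evidence that each rejection and hold path is actually exercised and logged, not only that the check exists.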
Although blockchain technology offers inherently secure properties, it is humans who code the software required to integrate and interface with the blockchain. Humans are flawed and corrupt. Under the requirements of the International Standards on Auditing (ISAs), auditors are expected to understand the specific risks to a company's financial statements arising from IT and how the company is addressing those risks through the implementation of IT controls. As blockchain technology is adopted, auditors will need to raise the bar by providing higher levels of assurance services and support in a more agile business environment. Meeting the expectations of stakeholders and business owners in this new world will require a different way of thinking about professional audits and additional expertise [4].
Conclusion
With the proliferation of the internet over the past few decades, we have experienced a quantum leap towards a digital world. Blockchain will be the next step in this evolution.
Although the blockchain design appears sound from a security perspective, the blockchain environment is still susceptible to various technical risks. Any efficiencies gained from audit automation are likely to be offset by new process requirements to address risks associated with the blockchain environment. Such developments will likely result in blockchain audits playing a more central role in providing reasonable assurance that the financial statements as a whole are free of material misstatements.
About the author
Sandro Psaila holds the position of IT Audit Manager in the Audit and Assurance service line at Deloitte Malta. He has over 15 years of practical knowledge and experience in the IT/Telecom industry, most of which have been in roles specializing in the areas of IT internal audit and revenue assurance. Pan