The blockchain is a disruptive technology, and its implications are not fully understood yet. Here is how the blockchain could change the audit world.
For better or worse, the blockchain is generally associated with Bitcoin. No surprise there as it was specifically developed to support Bitcoin. However, leaving the merits of cryptocurrencies aside for the moment, it is blockchain that is now being identified as a technology that will disrupt all industries, with global companies continuing to invest in new applications.
While IBM predicts that 66 percent of all banks will have commercial blockchain products by 2020, the potential applications are not limited to finance. In fact, according to a Market and Markets report, the blockchain technology market will be worth more than $2 billion by 2021.
What makes the technology so attractive to investors? How does the blockchain work?
“The blockchain is a distributed ledger that is comprised of “blocks” that each have data. This data can be currency information, protected healthcare information, or any sensitive information, and these blocks make up the blockchain. To make this distributed ledger, the data must be mined by a person who sets up a computer to identify transactions and convert them into a digital item called a hash. When the data is converted into a hash, it then provides assurance that it occurred, non-repudiation. The hash also can provide completeness and accuracy of the transaction from one organization to another organization, or person to person,” said Avani Desai, Principal Privacy Leader and EVP of Schellman & Company, Inc., an independent security, privacy, and standards compliance assessor.
It is these qualities that make auditing an ideal use case for the blockchain.
“When you look at those three things--non-repudiation, completeness, and accuracy—those are the core principles that auditors are focused on providing reasonable assurance. So, now with the blockchain, there is no more reasonable assurance—there is 100% assurance,” said Desai.
Audits come in many forms, whether it is a financial audit, compliance and regulatory audits or security audits and blockchain tech can be used for all, claimed Schellman’s Desai.
She is certainly qualified to confirm this fact, given that she is a Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Internal Auditor (CIA), Cloud Security Alliance (CSA) Certificate of Cloud Security Knowledge (CCSK), Certified Information Privacy Professional (CIPP), ISO 27001 Lead Auditor, and Project Management Professional (PMP).
“When you think of an audit, you are performing an examination of the financial statements—or, in the case of a compliance or regulatory audit, you’re examining a set of requirements or standards. Also, you’re typically are selecting accounts, activities, to confirm accuracy through supporting evidence. With the blockchain, that evidence is there through the transaction—then ultimately, the hash. Blockchain allows the auditor to make a judgement based on the transaction via the entire population—they don’t have to just make a judgement based on the evidence or the sample,”said Desai.
Sample testing will no longer be required but instead every transaction is verified by analyzing the entire blockchain in a manner that is currently impossible or at least labor intensive.
Data Analytics Ties It All Together
If blockchain technology is used then it will resolve problems inherent in current audit processes. Companies facing a pending audit will not be able to reverse engineer documentation in bulk to satisfy compliance, as every action is time stamped and shared with all members of the blockchain, given that editing previous entries is not possible.
“As I mentioned with the financial audit, security and compliance audits will see the introduction through data analytics, which will be necessary because the data rendered available by blockchain will be immense. The use of data visualization will allow auditors to not only provide assurance over the systems, but it will also allow consulting firms to assist with planning and decision making,” said Desai.
In fact, auditors of the future will incorporate several new skill sets to verify audit integrity.
“The work of the auditor will transform accordingly to become more of an analyst [role] that will read and interpret the data recorded on the blockchain, while providing assurance that the blockchain itself is secure. Auditors will also ensure that the technology around the blockchain, such as the data centers and point of sales system, are understood and secure,” said Desai.
In addition, identity verification and links between responsible blockchain members are confirmed.
“Compliance auditors will also assist with handling of identities—those of either individuals, organizations, or corporations—and how to link these identities with assets. Additionally, traceability, which is defined as the potential to ensure provenance of goods as they move through the global supply chain, or to locate information, money and digital assets at any given moment, will allow auditors to trace what happens with an asset over time while, at the same time, providing proof of transactions in real time,” added Desai.
100% Audit and Compliance Assurance
As Desai pointed out, there are several problems that are difficult to solve with traditional audit methods but blockchain has the potential to solve all of them.
“One big problem was that auditors have never been able to provide 100% assurance—that is why we always hear auditors talk about “reasonable” assurance instead. Sample selection methodology is common among most audit testing, which means that auditors typically just select a sample within the audit period and hope that their sample will show if there are any issues,” said Desai.
However, blockchain technology will now render more effective audits, she added.
“For example, the balances between accounts will be observable in real time with time stamping features—whatever transaction is recorded is tagged with the exact time it was carried out. By using a hash code, a unique alphanumeric signature that corresponds to one single transaction, the work of auditors will be made much simpler by solutions that will connect the payments done by one company to the corresponding entry in their suppliers' book-keeping. The same hash will be found, both on the side of the payer and the side of the receiver, proving that a specific transaction occurred between them. Blockchain technologies will also allow auditors to access proof for all transactions with all suppliers and clients at once. Therefore, the famous accounting principle of double entry will be broadened to irrefutable proof of the corresponding entries and exits of companies interacting with the one being audited,” said Desai.
When such a program is initiated, ‘fudging the numbers’ will no longer be possible and everyone involved in the blockchain is accountable for their entries. Unfortunately, despite investment in blockchain technology, audit programs of this nature are still at the theoretical stage.
Desai predicts that the next step will be the global collaboration of regulators, auditors, companies, and compliance officers, all exchanging experiences on the development and implementation of blockchain. She predicts a Blockchain Regulatory World Summit involving the global contributors to this technology.
In conclusion, when this technology is rolled out, there is no doubt that it will be more efficient and less prone to manipulation but what about the role of the auditor?
“Blockchain technologies are still in their infancy and have not yet reached the maturity we see with other technologies being used in these processes. Because it’s so new, it’s difficult right now to implement this technology for operation on a larger scale,” said Desai.
She also recommends that auditing professionals take action.
“Right now is the ideal time for those auditors who want to be at the forefront of their profession to learn the details of how blockchain will change their audit testing and programs—not only that, but they should also begin contributing to blockchain’s development. Because this technology will also eventually change requisite job skills, this interdisciplinary new job description will be an opportunity for professionals to be both competent in auditing and programming,” said Desai.
Good advice for all who expect blockchain to impact their industry and bear in mind that the blockchain is considered disruptive technology that will impact all industries. It is NOT limited to those involved in cryptocurrencies or fintech. Consider possible applications for your company. Are you prepared to take on the challenge of a new methodology for multiple departments?