In this episode of CPA Conversations, Dr. Sean Stein Smith, assistant professor at the City University of New York – Lehman College, joins us to talk about some of the most pressing aspects in the area of blockchain, such as the status of its adoption and implementation, the importance of internal controls to its sustainability, and its role in shaping organizations’ succession plans.
By: Bill Hayes, Pennsylvania CPA Journal Managing Editor
On today's episode, we seek to answer some of the most pressing questions out there about blockchain, namely how widespread its adoption and implementation is becoming, the ins and outs of designing an internal control system to ensure its sustainability, and what its effect can be on the viability of an organization's succession plan. To address these points, we are joined by Dr. Sean Stein Smith, assistant professor at the City University of New York – Lehman College in Bronx, New York.
Can you give us a status on the adoption and implementation of blockchain at this point? How widespread is it, or can we expect it to be, in the somewhat immediate future?
[Stein Smith] Really sort of the first overarching thing that I would point out is that even though 2020 has been obviously a year without precedent, it actually has been quite good for the blockchain and broader crypto asset space in terms of the actual dollars being put to work in the space and the firms being involved in these areas. So to answer your actual question there, I would say that as we end 2020, go into 2021, with a high level of confidence that in 2021 and going forward blockchain and crypto are going to continue to become more of the mainstream conversation. As has been highlighted in 2020 by Fidelity, Vanguard, JP Morgan, Black Rock, Black Stone, all actively moving into the area and, by almost default, basically pushing blockchain and crypto out of the fringe and more into the mainstream markets accounting finance conversation.
How important is applying internal controls to the long-term sustainability of the blockchain system?
[Stein Smith] A common thought and way of analyzing blockchain that I've seen and that I still am seeing, and a way of analyzing it that is incorrect, is that as we get blockchain more on-boarded at companies, interwoven into their current processes and their current workflows, that the internal controls at the firm don't have to be as high a priority going forward. Actually, the opposite is going to be true. Because, as we get more blockchain, more automation, more IT overall into the internal processes of firms, arguably the real sort of focus and the importance of good, comprehensive controls on the information being added onto the blockchain, being exported off of it, and then also accounts ultimately being used are only going to become more important going forward.
What would you say are some of the considerations that have to be kept in mind when designing an internal control system for blockchain?
[Stein Smith] Let me boil it down to my top three or four here. The first thing to always keep in mind is that in order to build out good internal controls on blockchain, around the blockchain and crypto assets, you have to have the in-house expertise to actually have that work.
If you don't have it – and there is no firm out there, either in the blockchain space or in other areas, who has all of the expertise – a good first step, which I think is true for any IT conversation, is to always know what you don't know. And to then have that opportunity to talk to experts. After we have that backdrop outline, then really the main pain points in terms of internal controls are not normally on the actual blockchain proper. They are almost always on those on-ramps and those off-ramps.
Or the access portals, the upload windows, and the exporting tools that let folks add new information or then export data back off of the blockchain. Then to wrap it up here, having the expertise is good, having the controls in place on those off ramps and those off ramps, which are where the bulk of hacks and other blockchain breaches have happened, all that is excellent. But you also then have to have a plan in place at the company to make sure that as the technology evolves and changes, and as the firm itself evolves, grows, and all the rest, the IT in place is able to be updated also.
You talked about the expertise in this area and the scarcity of this expertise in CPA firms. It would seem that part of the reason firms and organizations don't implement blockchain technology, is going to be that fear of the new. They don't know how it works and, therefore, how can they set up internal controls on something they don't understand in full? So how important is it for organizations to learn more about this technology, whether it's to institute in their own firm or work with companies that have?
[Stein Smith] I am obviously very pro-crypto, pro-blockchain. So obviously my answer is always that it's critical. But analyzing from a subjective point of view, or even from an angle where there are still some questions as to how it's going to help the firm, I would argue that if all of the biggest firms in the world – Walmart, JP Morgan, Toyota, FedEx – are embracing blockchain, I'd say maybe 2023 that is all going to have trickled down to almost every single firm out there.
Even if your firm or your current batch of external clients aren't building out their own private blockchains, odds are I would say within the next 18 months or so, that firm and/or organization is going to have to be interacting with and actually dealing with firms that are part of their own blockchain, or part of some other external blockchain.
I mentioned it sort of matter-of-factly in the intro: the succession planning angle. But it's something I haven't really seen addressed before. So, blockchain and its effect on succession planning: what's the connection or the concern there?
[Stein Smith] I would say that the two pain points there in terms of blockchain and then also trying to bring back the crypto asset angle here too, is that really there are all these obstacles right now though to get blockchain to work, to actually get crypto to work.
But ultimately, all of these tools and applications aren't any different in terms of the controls and the planning at that institutional level from any other way to access information. It's awfully easy and it's awfully, I would say, tempting to hand over the whole on-boarding of the blockchain and crypto to either one individual or a team of individuals at the firm.
While obviously that's going to be easier at first, it, I think, really quickly has to be interwoven into how the other IT and how the other access to information is managed at the firm. In other words, even though we're talking about blockchain and about crypto assets maybe, we have to treat it and actually try to manage it exactly the same as we do every other access point to either all our internal data or our external client data.
What future trends do you think we should be keeping an eye on as it relates to blockchain and attestation and audit professionals? Where is the technology heading, and where is the profession heading at the same time?
[Stein Smith] Wow. How much time do you have? I would say that at a highish level here, we are very, very quickly moving beyond the introduction to blockchain, blockchain 101, how does it work at firms? Now, obviously, there are still firms out there who are more experts in this area versus others. But I would say that now we are almost ready to move into that tier two of actually, okay, fine, so we understand blockchain, we understand how it fits into our current IT processes, and also where it probably isn't always going to be the perfect solution. Okay, great. How do we actually start to operationalize some of the upsides in terms of the data transparency, traceability, and then make sure that, as we're doing that, our information is actually accurate.
So I would say now we are moving off of how to get blockchain to operate in concept or how to get it to work at first. And then also now we are trying to move forward, and obviously there are some obstacles to this, but I would say now the big trend out there for auditing assurance services around blockchain at large is, okay, fine, how do we actually confirm that everything is working as it is advertised?