Disclaimer
Statements of fact and opinion are the authors’ responsibility alone and do not imply an opinion on the part of PICPA officers or members. The information contained herein does not constitute accounting, legal, or professional advice. For professional advice, please engage or consult a qualified professional.
CPA Now

Blockchain and Internal Audits

By Sean Stein Smith, CPA, DBA


As blockchain is adopted and implemented in areas outside its initial uses connected to bitcoin and other cryptocurrencies, there is a growing need for clarification connected to the internal control and audit of blockchain. Put simply, if the data stored and maintained on a blockchain system is not thought of as secure, the functionality of the technology will decrease over time. Before attempting to analyze the trends and potential directions connected to blockchain internal controls, however, it is worth examining what should be the core components of blockchain controls.

Blockchain Control Considerations

First, the different buckets and categories of controls need to be distinguished from each other. Blockchain is a technology tool and system; like any technology platform the underlying software code must be secured and safeguarded. Since blockchain is still an emerging technology tool, the risk of underqualified coders and programmers being involved is not insubstantial. On top of the risk of simple errors, there is the risk that the information asymmetry in the marketplace could be seized upon by unethical actors. Instituting appropriate levels of control and security over which individuals have access to the code itself, how this coding language is updated over time, and how these updates are tested to ensure viability should form the foundation of any internal control conversation linked to blockchain. Such controls will require collaboration between audit firms and information technology professionals.

Second, controls over the application programming interface (API) points of contact between blockchain and other technology systems must be in place and adapted to the unique characteristics of blockchain. Many of the prominent hacks and breaches that have occurred in the blockchain and cryptoasset space have not occurred directly on the blockchain itself, but have instead focused on the intersection points between blockchain and other platforms. As permissioned and consortium blockchain platforms become mainstream, this topic will only increase in importance. Specifically, as larger organizations develop and implement blockchain on a global basis, auditors and audit firms must understand the weak points in the entire network. I have included in this blog some of the issues and considerations that need to be taken into account.

What are the policies around how data is accessed, stored, and analyzed as it comes off the blockchain or is reuploaded back onto the blockchain?

Not every organization will have the personnel or resources to implement and maintain the same levels of internal controls and policies around how data is treated, even if those policies are instituted by the organizing firms. While it is the responsibility of management to implement these control policies, the audit profession must have the expertise to assess the quality and viability of the controls.

Is there a hot wallet access policy in place at the organization; if yes, does that involve a multisignature (multi-sig) wallet?

A multi-sig protocol requires that, to access information, multiple components of a signature or other access code must be combined, usually involving several different individuals. This reduces the risks inherent in a single “key person” at an organization, but it can also lead to issues with succession planning. Specifically, does the organization have a succession plan in place to maintain continuity of access to information stored on the blockchain platform? While the topic of succession planning for overall business continuity has become a front-burner issue at many organizations, blockchain access planning could fall through the cracks. Ensuring that there are multiple redundancies that can be activated in the event of key individuals leaving the organization is a responsibility of the organization, but it is something that auditors must be able to attest to and confirm.
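The quorum and succession points above can be tested mechanically. The following is an added sketch, not code from the article or from any wallet product: the roster, the 2-of-3 threshold, and the function names are constructed for illustration, and HMAC-SHA256 stands in for the wallet's real signature scheme.

```python
import hashlib
import hmac

# Constructed roster: signer id -> (secret key, still with the organization?).
# HMAC-SHA256 is a stand-in for the wallet's real signatures (assumption).
SIGNERS = {
    "cfo":        (b"k-cfo", True),
    "controller": (b"k-controller", True),
    "treasurer":  (b"k-treasurer", False),  # departed, key never rotated
}
THRESHOLD = 2  # constructed 2-of-3 policy


def sign(signer, message):
    """Produce a signer's approval tag over the exact request bytes."""
    return hmac.new(SIGNERS[signer][0], message, hashlib.sha256).hexdigest()


def valid_approvers(message, approvals):
    """Return the distinct, active signers whose approval verifies."""
    ok = set()
    for signer, tag in approvals:
        entry = SIGNERS.get(signer)
        if entry is None or not entry[1]:
            continue  # unknown or departed signers never count
        if hmac.compare_digest(sign(signer, message), tag):
            ok.add(signer)  # a set, so a repeated approval counts once
    return ok


def authorize(message, approvals):
    """Release only when enough distinct active signers approved."""
    return len(valid_approvers(message, approvals)) >= THRESHOLD


def continuity_report():
    """Succession view: how many more departures before access is lost?"""
    active = sorted(s for s, (_, on) in SIGNERS.items() if on)
    spare = len(active) - THRESHOLD
    return {
        "active": active,
        "quorum_reachable": spare >= 0,
        "departures_tolerated": max(spare, 0),
        "every_active_signer_is_key_person": spare == 0,
    }
```

With one of three signers gone, the 2-of-3 policy behaves as 2-of-2: the report shows zero tolerated departures, which is the succession gap an auditor would want surfaced before it locks the organization out.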

Trends

It is always difficult to predict the path of technology, and it is even more difficult for a fast-moving and evolving technology such as blockchain. As blockchain develops and splinters into new and innovative directions, there is a responsibility for auditors and the profession at large to keep pace with the potential risks that accompany such rapid development. Several prominent trends do seem to be taking top position for attestation and audit professionals. First, securing the connection points between the blockchain and other technology systems, the points at which these systems interoperate with existing technology platforms, is essential. Second, the possibility of blockchain variations becoming mainstream will challenge the internal controls of organizations and redefine audit processes. To keep pace and to continue to provide insights and advice to clients, auditors and audit firms must continuously invest in training and education. Third, firms and practitioners should advocate for the development of specific blockchain and crypto insurance policies. Through this combination of efforts, the audit profession can keep pace with blockchain trends and do so in a fiduciarily responsible manner.


Sean Stein Smith, CPA, DBA, is a professor at the City University of New York – Lehman College in Bronx, N.Y. He can be reached at drseansteinsmith@gmail.com.





