As organizations leverage emerging technologies, particularly the distributed ledger environment of blockchain, they may face new questions from auditors in pursuit of sufficient evidence.
A growing number of organizations are giving serious thought to how they can leverage blockchain in their businesses. According to Deloitte’s 2019 global blockchain survey, 53% of respondents say the technology has become a critical priority for their organizations, up 10 percentage points from the prior year, while 83% say they see compelling uses for it.
Blockchain may have gotten its start as a means of transacting digital currency, but its potential to disrupt commerce is already playing out in several sectors. From financial services to pharmaceuticals and fashion, blockchain is transforming supply chains and providing transparency and visibility that change the way work is carried out.
Uses are emerging to trace physical assets, manage diverse supply chains, and facilitate global finance, cross-border payments, and remittances. New ecosystems are springing up to develop blockchain solutions to create innovative business models.
In addition to blockchain, analytics and artificial intelligence are driving new functionality and insight. Data is proliferating and populating tools and dashboards in ways that are transforming industries, making them more resilient, effective, and valuable.
Within audit, these evolving technologies are driving new opportunities to harness data and generate insights that can facilitate improvements in audit quality. Auditors are obtaining vast datasets from many new sources, rapidly bypassing or accelerating many traditional methods of collecting, organizing, analyzing, preparing, and assessing information. Auditors are more equipped than ever to see the bigger picture, enabling them to leverage their professional skills to bring new value to audits.
Blockchain Meets Audit
Blockchains are decentralized, distributed ledgers that maintain a permanent and immutable record of transaction data. Each block in a chain contains cryptography to link and secure blocks chronologically, so data contained within the blockchain cannot be overwritten.
From an audit perspective, blockchains offer a combination of efficiency and integrity, when data is input correctly and the blockchain is implemented and operates effectively, reducing the opportunity for human error and enabling auditors to obtain and assess data representing 100% of transactions rather than rely on sampling. Combined with analytics and AI, auditors can more readily identify anomalies, which facilitates more productive audits.
As auditors gain new insights, they may also have new questions about business risks and internal controls. To the extent an organization is engaged with a blockchain that extends across multiple enterprises, audit teams may ask how internal controls contemplate shared risks. The design of such controls is likely to be of interest to auditors.
To answer these kinds of questions, organizations may need to consider providing auditors with evidence of internal control design and effectiveness at their counterparties in a blockchain. This might be similar to reports organizations currently provide on service organization controls (SOC) when they rely on third parties for services that are material to financial statements.
As an example, if an organization is a participant in a blockchain that is managing raw materials in a supply chain, it will contain critical information regarding inventory that will be important to a financial statement audit. The blockchain may be housed by a cloud service provider, so an auditor may have questions about the chain of assurance from the cloud service provider to the business network operator to the counterparty in the blockchain.
Evolving Risk Profiles
The auditor may seek to understand the specific risks to the organization as it participates in that blockchain and what controls are in place to mitigate those risks. While blockchains may address some inherent supply chain risk companies have managed historically, they represent a significant change to the risk profile that auditors may consider as part of their risk assessments, audit planning, and testing.
Consider permissionless blockchains, such as those used by Bitcoin and other similar digital assets. These kinds of blockchains are not operated or controlled by a single enterprise, which may introduce new audit risks.
In such an environment, auditors may have questions about how an organization assesses the security, stability, and reliability of a blockchain and the data it contains. That may necessitate an analysis of the blockchain’s mechanisms and cryptography. To the extent such a blockchain contains a small number of participants, auditors may also have questions about the risk of collusion within the blockchain to commit fraud.
By contrast, a permissioned blockchain is one with a designated business network operator that is responsible for controlling and operating the blockchain. In the banking sector, for example, a permissioned settlement blockchain may be established by a consortium of participants who use it as a way to facilitate trade finance, letters of credit, and other types of commercial lending.
With a designated operator, auditors can focus their questions on a single entity, evaluating their controls, business continuity planning, security measures, and other potential risks. This is one reason organizations are demonstrating a preference for permissioned blockchains.
More Audit Questions
Beyond internal controls, auditors may have any number of questions associated with blockchains as they seek to obtain sufficient evidence to support their audit opinions. Auditors may want to understand the business effects, such as whether obligations to all parties in a shared database are clearly defined and monitored.
Auditors may also inquire about blockchain governance, including consensus mechanisms, participant input and control, and IP ownership and management. Tax considerations may arise, such as indirect taxes, income sourcing, reporting requirements, owners, substance, and jurisdiction planning. Cyber risks are also likely to be top of mind, whether they are assessing a permissionless or permissioned environment.
Audit firms are beginning to unveil proprietary technologies that may assist auditors in efficiently analyzing different types of digital assets, and it may extend to supply chain tracking, digital rights management, real estate title transfer, and other forms of real-world asset digitization that would otherwise be difficult to audit. The technologies can combine with human talent to improve audit quality.
The accounting profession is considering challenges that may arise in accounting for and auditing digital assets under current professional standards, and the American Institute of Certified Public Accountants has formed a working group to develop non-authoritative guidance for financial statement preparers and auditors on how to account for and audit digital assets. The first version of the practice aid provides nonauthoritative guidance on classification, recognition, measurement, and other issues related to digital assets.
Given the continued evolution of blockchain and other advanced technology, audit evidence looks significantly different in a digital environment than it did a generation ago. Organizations may need to consider how they establish proper control and support their books and records as they digitize assets representing significant line items on their balance sheets.