Role of Internal Audit in Blockchain Adoption

The role and responsibilities of the internal audit function are likely to expand in important ways as blockchain applications gain acceptance in organizations. Internal audit managers need to adopt appropriate methods to validate that blockchain networks are functioning correctly and that ledger versions are consistently updated at all ends with appropriate security.
Performing internal audit in a blockchain environment will require considerable technological expertise from the internal auditor.
Internal auditors may find it challenging to adapt quickly, but they also have an opportunity to take a leadership role in helping their organizations absorb and apply this new technology. The internal auditor can help entities prepare for blockchain adoption.
Irrespective of the application, a blockchain implementation requires more than technological expertise. There is a need to document the business case for blockchain: its superiority over a traditional database, potential cost savings, revenue enhancements, and identifiable improvements in the control and compliance environment.
Internal audit’s involvement in the implementation stage should focus mainly on concerns pertaining to governance, security, audit policies and procedures, and other risk management and control issues. The extent of that involvement would depend on whether the blockchain technology is developed internally or adopted from third-party sources.

There are four angles to focus on for an effective internal audit in a blockchain environment:

1. Resources and human capital

Blockchain adoption will require certain adjustments in human and organizational resources needed for internal audit to continue meeting its responsibilities.

For blockchain adoption, internal audit managers would be recruiting candidates with technical skills such as coding or cybersecurity in addition to an understanding of internal audit or accounting and finance. Until such resources are adequately available, outside firms with specialized skills may fill the gap.

Since blockchain technologies are still emerging, no single specialty or mix of specialties is ideal for every organization, and there is a standing risk that the technology engaged today becomes redundant shortly. A regular orientation toward technology and advanced analytics may therefore be effective for current and future internal auditors as business processes become increasingly automated.

Internal audit managers should continue to recruit people with sound critical thinking and problem-solving capabilities and strong communication skills. Specialized training on the specific blockchain application would be required for new hires and existing staff in internal audit.

2. Risk identification

When preparing for blockchain adoption, accurate and thorough identification of risks is an essential starting point. Specific risks associated with the technology will vary from one use to another. However, certain risk areas would be applicable to most blockchain implementations. These include:

  • Client Data Security: A lot of attention is being paid to protecting the confidentiality of personal health and financial information, and countries are regulating it (for example the European Union’s General Data Protection Regulation (GDPR)). In today’s globally connected economies, organizations of all sizes and types could find themselves exposed to GDPR issues. Internal audit needs to play an important role in examining the existence and adequacy of the confidentiality protections necessary to accommodate blockchain adoption, in accordance with regulatory requirements.
  • Degree of Complexity of the Network: The inherent risk in a blockchain network would depend on the number of nodes on the network, the presence or absence of backup nodes, and management’s assessment of the desirability of backup systems.

It is necessary to address the risk emanating from network complexity because:

  1. A network failure would have a substantial impact on a blockchain-based business process.
  2. The algorithm used to conduct and record transactions directly affects many other factors, including block structure, storage needs, and security risk.
  • Network Structure: As more entities are added to a blockchain, the number of points at which the blockchain interacts with non-blockchain networks increases, raising the associated risk of security breaches or other vulnerabilities. Variation in the connected networks’ security protocols amplifies the risk exposure.
  • Contracts: Contracts increase in complexity when there are more participants and when instructions and milestones are recorded in greater detail, and with complexity comes a greater possibility of error. Identifying and quantifying the related risks would be a difficult risk assessment challenge for any internal auditor.
  • Coding: The use of recognized code development methodologies, coupled with validation that the code performs the required functions, can help in accurately identifying and quantifying this risk. The risk assessment should also consider the possibility of a malicious actor tampering with the contract code during development, implementation, or maintenance.

[This list is only a starting point: the purpose of this discussion is not to produce an exhaustive risk identification checklist, but rather to point out certain types of risk that could be considered unique to blockchain technology. A complete risk assessment for blockchain adoption would necessarily include the full spectrum of general technology-related risks, with particular attention to cyber-security risk.]

3. Control procedures

At the time of implementing a blockchain application, internal audit needs to evaluate the processes, risks, and controls related to that application and validate, through review and testing, that the controls are adequate and effective.

Certain control elements to be developed are:

  • Data Management: Internal audit is to perform the following:
  1. Understand the types of data recorded in each block of the chain, and review the volumes (throughput) and transaction speeds (latency) appropriate for handling that data.
  2. Examine that controls exist to verify that the consensus algorithm – the actual code that validates each ledger entry in the blockchain – is appropriate for the blockchain’s intended purpose and is functioning as designed.
  3. Validate that the structure of individual blocks allows data to be securely encrypted, and that such structures are in place, properly employed, and functioning.
  4. Evaluate whether adequate controls exist at the transition points where the blockchain interacts with other, conventional business systems, as these handoffs are vulnerable to failure or error.
  • Data Storage: Internal audit needs to develop procedures for evaluating and validating basic data storage controls and for verifying that relevant business continuity plans and resources are in place. Verification of data storage controls is necessary because:
  1. The volume of data that can be stored within each block can vary; this variable needs to be defined, with adequate controls put in place.
  2. Basic data storage controls – either on-site or in the cloud – must also be established.
  3. Since a blockchain’s distributed ledger is stored on multiple nodes – presumably in diverse locations – disaster recovery and business continuity concerns are alleviated to some degree.
  • Blockchain Access: Controlling access to the blockchain is a critical area of concern, especially for private or permissioned blockchains, in which a central administrator limits access to authorized users only. The adequacy and implementation of blockchain access controls need to be evaluated and verified by internal audit in view of the following:
  1. Access control is essential for transaction security and is enforced by means of public and private keys or passwords – essentially large integers represented as a series of letters and numbers.
  2. Most private blockchains are likely to grant different users varying levels of access permission, depending on their function.
  3. Each company or consortium will need to define the permission levels to meet its own requirements, but permissions and access are always areas of concern in any IT audit process.

4. Risk management and mitigation

The introduction of blockchain technology creates a need for additional cybersecurity enhancements, including:

  • Applying recognized cybersecurity practices to the validation of permitted nodes;
  • Validating effective cybersecurity practices in developing smart contracts; and
  • Managing the necessary external interactions that will be involved in the process.

Internal audit should have access to resources capable of evaluating the structure of the blocks themselves, to verify that they are indeed indisputable, have the necessary cryptographic features, are functioning, and are secure.
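The kind of block-structure check described above, as an added example that is not from the article: it assumes a toy block layout (index, prev_hash, data, SHA-256 hash) and constructed ledger copies from three hypothetical nodes, verifies the hash linkage of each copy, and flags copies whose head disagrees with the majority, which is the "updating properly at all ends" concern from the introduction.

```python
import copy
import hashlib
import json

# Toy block format assumed here (not a real ledger schema): index, prev_hash, data, hash.
def block_hash(block):
    body = {k: block[k] for k in ("index", "prev_hash", "data")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def make_chain(records):
    """Build a well-formed chain from constructed payloads."""
    chain, prev = [], "0" * 64
    for i, data in enumerate(records):
        block = {"index": i, "prev_hash": prev, "data": data}
        block["hash"] = block_hash(block)
        chain.append(block)
        prev = block["hash"]
    return chain

def verify_chain(chain):
    """Findings for one node's copy; an empty list means the linkage is intact."""
    findings, prev = [], "0" * 64
    for i, block in enumerate(chain):
        if block["index"] != i:
            findings.append(f"block {i}: index mismatch")
        if block["prev_hash"] != prev:
            findings.append(f"block {i}: prev_hash does not match previous block")
        if block["hash"] != block_hash(block):
            findings.append(f"block {i}: stored hash does not match contents")
        prev = block["hash"]
    return findings

def audit_nodes(copies):
    """Per-node integrity findings, plus a flag for copies whose head disagrees with the majority."""
    report = {node: verify_chain(chain) for node, chain in copies.items()}
    heads = {node: (len(chain), chain[-1]["hash"]) for node, chain in copies.items()}
    majority = max(set(heads.values()), key=list(heads.values()).count)
    for node, head in heads.items():
        if head != majority:
            report[node].append("head differs from majority: stale or divergent copy")
    return report
# Constructed sample: three hypothetical nodes' copies of the same ledger.
SAMPLE_RECORDS = ["payment A->B 10", "payment B->C 4", "payment C->A 1"]
GOOD = make_chain(SAMPLE_RECORDS)
TAMPERED = copy.deepcopy(GOOD)
TAMPERED[1]["data"] = "payment B->C 40"   # edited in place, stored hash left unchanged
SAMPLE_COPIES = {"node-a": GOOD, "node-b": TAMPERED, "node-c": GOOD[:2]}

if __name__ == "__main__":
    for node, findings in audit_nodes(SAMPLE_COPIES).items():
        print(node, findings or "OK")
```

node-b is caught by the per-block hash check, while node-c passes that check and is only caught by comparing heads across nodes, which is why both checks are needed.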

At a broad level, possible considerations for internal audit include:

  • Governance: Governance includes issues such as password security guidelines, defining standard operating procedures for adding and removing nodes, and various digital signature components and verification algorithms.
  • Risk Management: Risk management encompasses password storage and security, contract monitoring for code errors and tampering, interaction with non-blockchain entities, and off-chain data storage.
  • Control Procedures: These include managing network access, specific network actions, node agreement, ordering and execution of transactions, and the maintenance of current block versions and content.

Most organizations – particularly listed entities (or those answerable to large groups of stakeholders) – would require regular auditing and reporting to demonstrate that systems are functioning as intended. These activities also need to be incorporated into the long-term internal audit strategy and plan.
