Blockchain – Audit, Risk & Governance
Shailesh Kumar Churiwala
9999294554
Open Discussion
Blockchain seems to solve many problems and is single source of truth.
Does it mean that it can be blindly relied upon?
Does it still require auditing?
Open Discussion
Why does Blockchain need auditing?
• For the transition from a traditional system to Blockchain, the historical data needs to be audited.
• The source code needs to be verified for smart contracts / auto-executing contracts.
• Controls over granting access to the network (permissioned)
• Leakage of confidential information
• Ensure correctness of data
Open Discussion
Why does Blockchain need no auditing?
• Data is visible in real time
• Data is not editable once recorded
• Transactions can be auto-executed with predefined logic
• Transactions are irreversible
Open Discussion
Blockchain is another type of database technology.
It is like many companies sharing a common database.
A traditional database needs to be audited, and so does the Blockchain!
Open Discussion
The use of blockchain platforms will not remove audits nor the need for an independent auditor.
It will TRANSFORM the way in which auditors extract, test and analyse data.
Layering blockchain technology with audit analytics could yield standardised, sophisticated audit routines and analysis that enable near real-time evaluation of transactions across the blockchain.
Real Time Audit
• The science of continuous audit has been limited to enterprise internal audit and reporting up until now
• Auditchain enables enterprises to provide stakeholders and regulators with the highest levels of audit assurance through decentralized consensus
• Auditchain proposes to embody an ecosystem that includes a blockchain protocol and an open source library of accounting smart contracts sufficient to capture, process, audit and report enterprise data and performance data on a real time continuous basis under a continuous independent audit exceeding current accounting, audit and control standards.
• A public-facing and/or permission-based presentation layer proposes to render in real time, at the close of every block: balance sheet, income statement, cash flow and statement of changes in stockholders’ equity reports that have the capacity to far exceed the reliability of existing reporting standards.
Auditchain
• Decentralized Continuous Audit and Reporting Protocol Ecosystem “DCARPE™”
• Continuous audit is evolving in theory and practice. Its practice is limited mainly to internal reporting controls. The application of jurisdictionally compliant accounting treatment to transactions and reporting system risk controls occurring in most business processes is now theoretically possible concurrently within and subject to a decentralized continuous audit environment pursuant to SSAE 18(12) and ISAE 3402 standards through the use of configurable “Ricardian” type smart contracts(6)(7). Such contracts, as proposed in this paper, do not hold custody of value but instead execute commands for how legal conditions and value are treated based on a fixed or evolving arrangement.
• DCARPE™ implementation leverages the self-auditing state of a blockchain with these additional layers of high extensibility specifically for the development and deployment of decentralized enterprise applications designed to offer stakeholders real-time presentation of financial, operational, development and network statistics reporting every block.
New Risks to Consider
Strategic Risks
Early adoption vs. waiting to adopt until the technology matures.
Right network to participate in
Choice of the underlying platform
Integration with legacy infrastructure.
Reputation risk
Reputational risk: Blockchain technology is part of core infrastructure and will have to work seamlessly with legacy infrastructure. Failure to do so could result in poor client experience and regulatory issues.
New Risks to Consider
Regulatory risk:
Uncertainty around the regulatory requirements related to blockchain applications.
The type of participants in the network
Whether the framework allows domestic or cross-border transactions
This could also include cross-border regulations related to privacy and data protection.
Risk - 1
• The board does not have the requisite experience or subject matter knowledge to exercise oversight related to internal control.
Control Activity
• Board members retain industry experts in order to advise on risks present within the industry in which the entity operates with respect to Blockchain technology.
Audit / Implementation Consideration
• Review the value analysis performed by the BOD before implementation of Blockchain.
• Technical expertise to be a criterion for evaluation of independent directors.
New Risks to Consider
Risk - 2
• Management adopts valuation methodology that is not in compliance with accounting guidance.
Control Activity
• Management has adopted a valuation methodology using reliable pricing data that is in compliance with accounting standards.
Audit / Implementation Consideration
• Review the accounting policies adopted by the management.
• Review the control over reconciliation and adjustment entries passed by management to convert Blockchain financials to regulatory financials.
New Risks to Consider
Risk - 3
• Fraud Risk (Financial Statement)
Control Activity
• Management fails to report digital assets in their custody or reports digital assets that they do not have rights & obligations to.
Audit / Implementation Consideration
• Re-compute the balance of assets on the basis of data available on Blockchain.
• Ensure the completeness of data on Blockchain on the basis of the subsequent blocks added to the network.
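An added example (not from the original slides) of the two Risk 3 audit tests above: check that every block still links to its predecessor, then re-compute a custody balance from the on-chain transactions and compare it with the figure management reports. The block layout, SHA-256 hashing, address names and amounts are constructed assumptions, not any specific platform's format.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64

def block_hash(block):
    # Hash covers height, the previous block's hash and the transactions.
    body = {k: block[k] for k in ("height", "prev_hash", "txs")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def build_chain(tx_batches):
    chain, prev = [], GENESIS_PREV
    for height, txs in enumerate(tx_batches):
        block = {"height": height, "prev_hash": prev, "txs": txs}
        block["hash"] = prev = block_hash(block)
        chain.append(block)
    return chain

def sample_chain():
    # Constructed ledger; amounts are integers in the asset's smallest unit.
    return build_chain([
        [{"from": "issuer", "to": "custody", "amount": 500}],
        [{"from": "custody", "to": "vendor", "amount": 120}],
        [{"from": "clientA", "to": "custody", "amount": 75}],
    ])

def verify_linkage(chain):
    """Completeness test: positions where a block was altered or one is missing."""
    bad, prev = [], GENESIS_PREV
    for i, block in enumerate(chain):
        if (block["height"] != i or block["prev_hash"] != prev
                or block_hash(block) != block["hash"]):
            bad.append(i)
        prev = block["hash"]
    return bad

def recompute_balance(chain, address):
    balance = 0
    for block in chain:
        for tx in block["txs"]:
            balance += tx["amount"] if tx["to"] == address else 0
            balance -= tx["amount"] if tx["from"] == address else 0
    return balance

def audit(chain, address, reported):
    recomputed = recompute_balance(chain, address)
    return {"broken_blocks": verify_linkage(chain),
            "recomputed": recomputed,
            "difference": reported - recomputed}
```

A non-zero `difference` or a non-empty `broken_blocks` list is the exception the auditor follows up; the re-computed balance is only meaningful once the linkage check is clean.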
New Risks to Consider
Risk - 4
• Fraud Risk (Misappropriation of assets)
Control Activity
• Segregation of custody of private key shards such that no one person is able to recreate and/or gain sole custody of private keys.
Audit / Implementation Consideration
• Controls over granting private keys are to be monitored by the BOD.
• Private keys should be given in encrypted form.
New Risks to Consider
Risk - 5
• Unauthorized changes are made to the core Blockchain technology / protocol
Control Activity
• Public Blockchains (e.g. Bitcoin / Ethereum) - Control is not relevant, as the nature of the protocol does not allow a single entity to modify the established rules in consensus without gaining sufficient support by the miners.
• Permissioned Blockchains - Members of the consortium have adopted a governance structure to ensure that changes to the network are authorized.
Audit / Implementation Consideration
• Change management procedures have been adequately followed.
Governance for Blockchain
The following five factors will guide the definition and stand-up of governance for Blockchain:
• Strategy
• People
• Governance
• Process Data
• Technology
You, talking to the CFO about Blockchain
“This is ridiculously ambiguous,” he complained.
Do I really need to be thinking about this now?
Copyright © 2018 Deloitte Development LLC. All rights reserved.
Finance in a Digital World™
Multiple Writers
If you’re trailing competitors in terms of cost, or want to leapfrog to new performance levels, blockchain could be an effective strategy
Whether “sooner” makes sense for your business depends on how efficiently you’re managing finance processes today.
Sooner or later, you should come to grips with that
What finance processes can blockchains improve?
Procure-to-pay, accounts receivable, accounts payable, general ledger, reconciliation, and even payroll.
Blockchains can be used to improve almost any finance process
Why are we talking only about business blockchains?
Public blockchains that support cryptocurrencies like Bitcoin are an entirely different thing
They’re designed to improve transaction processing.
Business blockchains are set up by a single company or a group of companies where participants are specified and known
Finance can generate significant value from business blockchains without having anything to do with digital currencies
Some people say blockchains are largely free of risk. Is that true?
A shared ledger is visible only to participating organizations and access to data on the blockchain is restricted by users
Blockchains enable trust through transparency.
Yes.
How does blockchain fit with ERP?
Major ERP vendors are making significant investments to integrate blockchain technology into their platforms.
The relationship between ERP and blockchain is evolving
Why is this more secure than the tools I already have?
The permanent and irreversible nature of blockchains greatly reduces the possibility of fraud and errors.
Blockchain is not a magic bullet in terms of risk reduction, but it does have significant benefits in how the technology operates.
What Next?
What next? – New Opportunities !
• CAs in practice and industry should embrace blockchain.
• CAs should learn how it will impact the business/firm/profession.
• CAs with technology-based audit expertise would be preferred.
• Blockchain offers a huge opportunity to CAs to position themselves as forward thinking and cutting edge.
• New opportunities shall emerge.
What next? – New Opportunities !
• Smart contracts
  • Parties to smart contracts may engage CAs to verify the business logic of the smart contract.
• Access granting administrator
  • For a permissioned blockchain, CAs may be perfect candidates to serve as a central access granting administrator
• Service auditors of consortium blockchain
  • CAs may act as a trusted and independent 3rd party to provide assurance
  • Primarily effectiveness and robustness of the architecture
Team
Assign a team to stay on top of blockchain developments in Finance. Include both technical and business people.
Read
Develop a reading list that includes both skeptics and evangelists. Blockchain is moving fast. Keep up.
Trading Partners
Meet with a few of your major trading partners to find out how they’re thinking about blockchain opportunities.
Monitor
Monitor what leaders are doing in your industry.
Start Small
If you’re going to start, start small.
THINK BIG ….VERY BIG…..START SMALL!!
What Next? – To Do List !