With technology on the rise, blockchain has become an area of interest for companies looking to use the technology to bolster their own internal control systems.
The Commission of Sponsoring Organizations of the Treadway Commission (COSO), a joint-association of which the Institute of Internal Auditors is a member, has released a new paper, “Blockchain and Internal Control: The COSO Perspective,” looking at how the technology can effectively work with an organization’s internal controls system, and also addresses the risks that can come from the technology.
The paper, commissioned by COSO and sponsored by Deloitte, uses COSO’s 2013 “Internal Control — Integrated Framework” in conjunction to blockchain technology, and recommends organizations view blockchain through a COSO framework lens to better put the technology in the context of risk and compliance. The introduction of blockchain technology will have implications for five components of the Framework: control environment, risk assessment, control activities, information and communication, and monitoring activities.
Control Environment
Blockchain, as a technology, cannot change human nature or behavioral aspects of governance, but can still play a role in maintaining a strong control environment. Blockchain can execute and record transactions with minimal human intervention, providing an immutable and irreversible trail of evidence that can minimize reporting errors and fraud. With little human intervention, management decisions, ethics, and integrity may have less effects on blockchain processes. The technology can contribute to visibility and strengthen accountability within the organization.
Blockchain comes with risks, however, that an inexperienced management might fall prey to. A poorly governed blockchain may be open to exploitation, especially with the pseudo-anonymous nature of some blockchains. A decentralized blockchain may lead to having no bodies to hold accountable when something goes wrong. With the novelty of the technology, organizations may have a hard time finding competent personnel or even understand the technology themselves.
To mitigate some of these risks, the report recommends develop a code of conduct to validate members’ commitment to ethics and enforce accountability. Companies also need to pay special care to due diligence to establish criteria of parties with whom the organization will interact. Organizations also need to evaluate their own capabilities in effectively managing the technology, and to provide proper resources, either internal or outsourced.
Risk Assessment
Blockchain can create a more agile risk assessment program with real-time reporting. At the same time, the introduction of the technology can create more risk that will need to be accounted for.
Traditional risk assessments are entity-focused, but blockchain mandates that companies take a broader view regarding risk, especially pertaining to other parties within the blockchain network. The new technology can also open organizations up to more fraud, such as compromised data or collusion. The amount of data might be too much for organizations to manage, and auditors may lack appropriate evidence if the transaction audit trail is lost in an electronic environment.
Organizations can develop more robust risk assessments to consider the implications of blockchain. Using IT specialists with a deep understanding of the technology may be helpful to assess how the technology can be integrated with the organization’s existing structure. Organizations also need to stay on top of new regulations through legal counsel and the internal department.
Control Activities
A well-designed blockchain can enhance internal controls. The highly automated nature of blockchain can reduce the risks of traditional fraud, as it reduces human interaction. Blockchain can also eliminate traditional IT general controls unless the platform is abandoned, as the technology stores information across several nodes across the network. With real-time reporting, blockchain can also reduce untimely transaction processing.
The reliability of the underlying blockchain is dependent on the reliability of the underlying technology and business processes. A poorly implemented system can cause widespread issues. A consensus protocol of a blockchain sets the rules for transactions in the system, and with improper design and implementation, information recorded may be unreliable. The information recorded may be unreliable also if a member can manipulate the consensus protocol, or if the organization engages in off-chain transactions.
The implementation of blockchain can both positively and negatively affect an organization’s internal controls. To mitigate the risks and maximize the benefits, organizations should address risks with new procedures, with special attention paid to key aspects of the blockchain, including nodes, consensus protocols, private keys, and smart contracts.
Information and Communication
Blockchain can increase visibility of transactions and new avenues for communication with management such as through ad hoc real-time financial reporting. Blockchain can also act as a comprehensive shared database that acts as a foundation for decision-making and financial reporting that can increase the availability of the data. The shared ledger can also prevent data loss and increase visibility about data management.
Even with all the positives that blockchain may bring, leaders should be wary of a false sense of confidence that the data is always correct, that information will be available, and that people involved have been contacted. The information on the blockchain is only as good as what goes into it, however, and its reliability depends on the technology that it is built on. Without proper consideration to the input, blind reliance on blockchain can be very dangerous.
To prevent the risk of overconfidence, key stakeholders should be educated on how blockchain will be used in the business and that there is still a chance that the data will be unreliable. Leaders must establish an internal reporting system to report concerns. The system can make use of already existing reporting channels, such as a whistleblower hotline. Management should also make sure that communication among personnel can keep up with operational changes to the blockchain, and that data analytics measures are in place to identify and obtain relevant data. Conversations with internal and external auditors should also be ongoing to ensure that the data is auditable.
Enhancing Monitoring
The dynamic nature of blockchain allows the possibility of evaluations to be built into blockchain-enabled processes with the use of smart contracts or AI. The real-time data collection and analysis can catch problems closer to the time of occurrence, allowing more timely detection and resolution.
The sheer amount of data that blockchain can store can lead to information overload and raise challenges for adequate monitoring. Qualified personnel might also be hard to locate to install and maintain a proper monitoring system. The decentralization of the technology may lead to a lack of an established party responsible for executing monitoring controls, and with the ambiguous and fluid nature of regulation and laws surrounding blockchain, keeping up changes in respect to monitoring may be difficult.
To mitigate some of the challenges, computerized continuous monitoring techniques may help with the potential information overload. Ongoing evaluation also can ensure functionality of internal controls and regulatory compliance. An objective third party can evaluate whether internal controls are functioning and communicate deficiencies to management, who can pay special attention to the weak spots of the blockchain system identified by the third party. Agreements with outsourced service providers also must be closely monitored, as if unreliable data enters the blockchain from those sources, the entire integrity of the system may become compromised.
Blockchain is an exciting new technology that can bring value to various different aspects of the organization, but also introduces an entirely new set of risks with its implementation. The novelty of the field leads to problems of ambiguous and ever-changing legislation and acquiring highly-trained talent in the field. Organizations should carefully assess the costs and benefits of using blockchain, and ensuring proper implementation so as not to introduce more risk. 
Stephanie Liu is assistant editor of Internal Audit 360°