Panelists Discuss Limits of Current Audit Protocols As Applied to Blockchain


Published Date: Oct 30, 2019

Speakers at the Foundation for Accounting Education’s Digital Assets Conference on Oct. 29 said that while blockchain won’t be the end of auditors, applying old ways of thinking to this new technology will not be sufficient. Gerard Brennan, audit technologies director at crypto accounting consulting firm Lukka Inc., said that standard audit procedures are “woefully inadequate” when considering blockchain. For instance, he noted that auditing is based at least in part on the “four eyes principle,” that is, certain activities needing the approval or witness of more than one person. In contrast, he said, blockchain has “thousands of eyes looking at every transaction via the protocol code and the miners.” Meanwhile, many of the factors auditors look at when performing a systems audit simply don’t apply to blockchain.

“We said, ‘Let’s look at a typical system audit that includes computer operations, archiving, change management, passwords and access controls. Let’s see how they line up in blockchain.’ We found out most of them don’t even apply.

You don’t archive, generally, a blockchain. You don’t have computer operations. Change management is a consensus-based mechanism and automated. And you don’t have passwords, but keys,” he said. With this in mind, Brennan said, it’s easy to see why people initially think blockchain doesn’t need auditors. Yet he said there’s still ample room for things to go wrong, and that would necessitate an audit. For instance, imagine having a private blockchain that requires 41 of 80 dynamic nodes to approve every transaction before it’s added to the ledger.

“But it’s a hot day in August and only me and [moderator] Eric [Cohen] are there, and we say, ‘Ah, the hell with it, just put it on the blockchain anyway.’ We need controls to prevent that,” he said. One of the biggest emerging risk areas with blockchain, he said, is smart contracts, self-executing agreements that are meant to obviate the need for third-party enforcement.

However, one way people have begun manipulating them is by taking advantage of the European Union’s General Data Protection Regulation (GDPR), as well as more recent privacy laws passed in California. “I take Eric’s personally identifiable information and put it in a smart contract or transaction combination, and put it on their blockchain. And now, under GDPR and California privacy laws, I just ruined the blockchain, theoretically, and have to have a hard fork to take the data off because it’s an immutable record,” he said. Brennan also talked about the hack of the Decentralized Autonomous Organization, an investment firm run entirely on smart contracts and artificial intelligence with no human involvement in operations past the initial investment.

He said this organization fell victim to a technique called “re-entering,” where “you start a program and, before the first program finishes, you start it again and that creates a vulnerability.” He said controls need to be put in place to prevent these sorts of things from happening, and auditors need to look for and evaluate these controls. So, for instance, to prevent Eric and him from bypassing the consensus mechanism on a private blockchain, it’s necessary to assure that the agreed-upon number of dynamic voting nodes are present and vote to submit. To prevent re-entry attacks, it’s necessary to limit smart contract executions. To ensure that blockchains are in compliance with real-world laws, it’s necessary to assure that transactions with location stamps are not coming from certain countries.
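As an added illustration (not code from the panel, and not any real contract), the Python simulation below shows the re-entry control Brennan describes. A toy `Vault` pays out through a recipient callback, the way a contract hands value to another contract; the same withdrawal is run once with the debit recorded after the payout and once with the debit recorded first plus a lock that rejects a nested entry. The `Vault` class, the recipient and the balances are constructed for this example; nothing here runs on an actual chain.

```python
"""Toy simulation of re-entrant execution and of the control that limits it.
Constructed example: the vault, recipient and balances are not from any real system."""


class ReentrancyError(Exception):
    """Raised when a second entry into withdraw() is attempted while one is in progress."""


class Vault:
    """A toy 'contract' holding balances and paying out via a recipient callback."""

    def __init__(self, balances, guarded):
        self.balances = dict(balances)
        self.guarded = guarded          # True: apply the re-entry control
        self._in_withdraw = False       # the re-entrancy lock

    def withdraw(self, who, amount, receive):
        # Control 1: refuse to start a withdrawal while one is still running.
        if self.guarded and self._in_withdraw:
            raise ReentrancyError("re-entrant call rejected")
        if self.balances.get(who, 0) < amount:
            raise ValueError("insufficient balance")
        self._in_withdraw = True
        try:
            if self.guarded:
                # Control 2 (checks-effects-interactions): record the debit
                # BEFORE handing control to the recipient.
                self.balances[who] -= amount
                receive(amount)
            else:
                # Vulnerable ordering: pay out first, record the debit afterwards,
                # so a recipient that calls back in still sees the old balance.
                receive(amount)
                self.balances[who] -= amount
        finally:
            self._in_withdraw = False


def run_scenario(guarded, start_balance=10, amount=10, max_depth=3):
    """Drive a recipient that calls withdraw() again from inside the payout.
    Returns (total_paid_out, final_balance_of_caller, rejected_reentries)."""
    vault = Vault({"caller": start_balance, "others": 90}, guarded)
    state = {"paid": 0, "depth": 0, "rejected": 0}

    def receive(value):
        state["paid"] += value
        state["depth"] += 1
        if state["depth"] < max_depth:
            try:
                vault.withdraw("caller", amount, receive)   # nested entry
            except ReentrancyError:
                state["rejected"] += 1                      # the control fired

    vault.withdraw("caller", amount, receive)
    return state["paid"], vault.balances["caller"], state["rejected"]


if __name__ == "__main__":
    print("unguarded:", run_scenario(False))   # three payouts against a balance of 10
    print("guarded:  ", run_scenario(True))    # one payout, one rejected re-entry
```

`run_scenario(False)` returns `(30, -20, 0)`: the balance check passes three times because the debit is only recorded after the nested calls unwind. `run_scenario(True)` returns `(10, 0, 1)`. The two properties an auditor would look for in a contract are the same two shown here: state is updated before any external call, and a nested entry is refused.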

However, such steps are not yet in the regulatory zone, or in official auditing standards. Jacob Sandoval, the branch chief of the Securities and Exchange Commission’s Office of the Chief Accountant, noted that, in the meantime, the SEC has been in communication with a number of nongovernmental agencies such as the Securities Industry and Financial Markets Association regarding the growing digital asset sector. These communications have largely been about urging exchanges, brokers and others involved in this space to consider the questions of custody (who is responsible for these assets), control (who can determine their use) and existence (do these assets even exist?). This is because, he said, the SEC is very concerned about asset misappropriation. “We have all seen media mentions of misappropriated digital assets, lost private keys, destruction of wallets, and we seek to foster innovation that benefits investors,” Sandoval said. He also warned that auditors who want to perform engagements in the cryptocurrency world should be honest with themselves about their levels of understanding and expertise in this area, as not everyone has the appropriate skill set right now.

Doing such audits without the requisite knowledge of how digital assets work can only serve to undermine the public’s confidence in financial information. Felix Ramirez, the IT audit services leader at Citrin Cooperman, noted that sometimes even he finds it challenging to wrap his head around digital assets.

“There’s a lot of mathematical functions and theories involved. Even for me, with an undergrad in mathematics, … I still find it challenging to get through all the details related to crypto assets and the functions involved,” he said.

In order to focus, Ramirez said he doesn’t think too much about the blockchain itself, and instead concentrates on the private keys, which are the things that are needed to do anything with the digital asset. This is because that is where he sees the most risk, as hacking tends not to go after the blockchain itself but the keys. However, this conception leads to the question of who controls the asset, particularly where it concerns exchanges that hold custody of them. “When I go to Coinbase and they have their enterprise custody there, and there’s a fund with an account with them, how do I know these keys they hold, which take me to a particular set of crypto assets, really belong to that fund? How do I know that? How do I determine that is the totality of the funds, or the assets owned, by that fund?” he said. The straightforward answer might be to look on the blockchain.

But, said Ramirez, if someone tells him that they have five bitcoins, “there’s no place on the blockchain where you can go and see you own five bitcoins.” The blockchain is a record of transactions in and out of an account, and in order to determine that someone indeed has five bitcoins, that person will need to add and subtract every single transaction ever made in order to determine how much they have left. “Coinbase isn’t doing that all the time,” he said. “They have a record of account and their system, developed by them, which reads the blockchain and saves those balances, so when I go online, I don’t need to read the blockchain every time, but they need to keep it synchronized and that, as auditors, is something we must address.” He said he recently had a client who said they had a certain amount of digital assets in their wallet, but when he scanned the blockchain for those assets, the amount was different. After investigating, he realized that somewhere along the line the system was synchronized with incorrect information, which was then recorded on the client’s financial information.
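The reconciliation Ramirez describes, written out as an added example (not code from the panel or from Coinbase): replay the transaction record to re-derive each wallet’s balance, then compare against the custodian’s cached figures and report every disagreement. The transaction list and the cached balances are constructed sample data in which one cached balance is stale, and the replay also flags any debit that would push a wallet negative, which cannot happen on-chain and so points at a missing record.

```python
"""Re-derive wallet balances from a transaction record and reconcile them
against a custodian's cached balances. Constructed sample data throughout."""
from collections import defaultdict
from decimal import Decimal

# Constructed transaction record, in chain order: every movement touching the
# wallets in scope. Amounts are Decimal so the replay is exact.
TRANSACTIONS = [
    {"txid": "tx-0001", "from": "external", "to": "fund-A", "amount": Decimal("3.0")},
    {"txid": "tx-0002", "from": "external", "to": "fund-A", "amount": Decimal("2.5")},
    {"txid": "tx-0003", "from": "fund-A", "to": "fund-B", "amount": Decimal("0.5")},
    {"txid": "tx-0004", "from": "fund-B", "to": "external", "amount": Decimal("0.25")},
    {"txid": "tx-0005", "from": "external", "to": "fund-C", "amount": Decimal("1.0")},
]

# Constructed custodian "record of account". fund-B's cached figure is stale:
# it never picked up the 0.25 outflow in tx-0004.
CUSTODIAN_BALANCES = {
    "fund-A": Decimal("5.0"),
    "fund-B": Decimal("0.5"),
    "fund-C": Decimal("1.0"),
}


def derive_balances(transactions, wallets):
    """Replay the record in order: debit senders, credit receivers.
    Returns (balances, gaps). A gap is a txid whose debit exceeds the running
    balance, i.e. the record must be missing an earlier inflow."""
    balances = defaultdict(Decimal)
    gaps = []
    for tx in transactions:
        if tx["from"] in wallets:
            if balances[tx["from"]] < tx["amount"]:
                gaps.append(tx["txid"])
            balances[tx["from"]] -= tx["amount"]
        if tx["to"] in wallets:
            balances[tx["to"]] += tx["amount"]
    return {w: balances[w] for w in wallets}, gaps


def reconcile(transactions, cached):
    """Return ({wallet: {cached, derived, difference}} for every disagreement, gaps)."""
    derived, gaps = derive_balances(transactions, set(cached))
    exceptions = {}
    for wallet, cached_amount in cached.items():
        if cached_amount != derived[wallet]:
            exceptions[wallet] = {
                "cached": cached_amount,
                "derived": derived[wallet],
                "difference": cached_amount - derived[wallet],
            }
    return exceptions, gaps


if __name__ == "__main__":
    exceptions, gaps = reconcile(TRANSACTIONS, CUSTODIAN_BALANCES)
    for wallet, detail in exceptions.items():
        print(f"{wallet}: custodian says {detail['cached']}, record gives {detail['derived']} "
              f"(difference {detail['difference']})")
    if gaps:
        print("debits with no supporting inflow:", gaps)
```

On the sample data the only exception is fund-B (cached 0.5 against a derived 0.25) and there are no gaps. In an engagement the record would be pulled from the chain itself rather than from the custodian, since the point of the check is that the custodian’s cache is the thing being tested.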

Ramirez also pointed to problems with trust between the auditor and the client brought about by digital assets. A client controls a private key giving him control over a certain amount of digital assets. However, in order to prove that he does indeed control the private key, he would need to reveal it to the auditor, which would theoretically give the auditor the ability to take his money, and would also leave the auditor exposed if the assets later went missing by some other means. Neither the client nor the auditor, therefore, wants this information revealed.
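One way out of this dilemma, added here as an illustration rather than something the panel presented, is a proof of possession: the key holder answers an auditor-chosen challenge in a way that only someone holding the private key can, and the key never leaves their hands. This is the idea behind what Ramirez later calls a “zero knowledge protocol.” The Python below uses a Schnorr-style identification protocol over modular arithmetic; the prime, generator and key sizes are toy assumptions chosen so the code runs with the standard library alone, not a production parameter set, and production systems do the same thing with elliptic-curve keys and signature algorithms. All function names are this example’s own.

```python
"""Schnorr-style proof that a party holds the private key behind a public key,
without revealing the key. Toy parameters (assumption): arithmetic modulo the
Mersenne prime 2**127 - 1 with generator 3. Not a production setting."""
import hashlib
import secrets

P = 2**127 - 1   # toy prime modulus
G = 3            # toy generator
N = P - 1        # exponents may be reduced mod P-1 (Fermat's little theorem)


def public_key(x):
    """The public value y = g^x the auditor already knows (e.g. from the wallet)."""
    return pow(G, x, P)


def keygen():
    """Holder's secret exponent x and its public key y."""
    x = secrets.randbelow(N - 2) + 1
    return x, public_key(x)


def challenge(t, y, auditor_nonce):
    """Fiat-Shamir challenge bound to the commitment, the key AND the auditor's
    fresh nonce, so a proof produced for one audit cannot be replayed in another."""
    data = b"|".join([str(t).encode(), str(y).encode(), auditor_nonce])
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def prove_possession(x, y, auditor_nonce):
    """Holder side: commit to a random r, then answer the challenge with
    s = r + c*x. Neither r nor x is disclosed; (t, s) is the proof."""
    r = secrets.randbelow(N - 2) + 1
    t = pow(G, r, P)
    c = challenge(t, y, auditor_nonce)
    s = (r + c * x) % N
    return t, s


def verify_possession(y, auditor_nonce, proof):
    """Auditor side: recompute c and check g^s == t * y^c (mod p). The identity
    holds when s was built from the x behind y; for any other x it fails
    except with negligible probability."""
    t, s = proof
    if not 1 < t < P:
        return False
    c = challenge(t, y, auditor_nonce)
    return pow(G, s, P) == (t * pow(y, c, P)) % P


if __name__ == "__main__":
    x, y = keygen()                       # the client holds x; the auditor knows only y
    nonce = secrets.token_bytes(16)       # chosen by the auditor for this engagement
    proof = prove_possession(x, y, nonce)
    print("holder of x verifies:", verify_possession(y, nonce, proof))
    print("someone else's key:   ", verify_possession(y, nonce, prove_possession(x + 1, y, nonce)))
    print("replayed old proof:   ", verify_possession(y, b"a different audit", proof))
```

The auditor learns only that whoever produced `(t, s)` knew the exponent behind `y` at the moment the nonce was issued. It does not by itself settle Sledge’s question of whether that party is the rightful owner, only that they control the key, which is exactly the distinction the later discussion of the grain silo draws.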

Maybe the auditor goes to the custodian then.The client can send instructions to the custodian to execute an instruction.

“The challenge for the auditor is if I go to the custodian to see those transactions, how do I know they were valid transactions authorized by the owner of these assets?” he said. “So we needed to do audits related to data analytics, controls over the systems of the account owner to validate that in fact these were valid transactions,” he said. One thing he said he likes in such situations is what he called “zero knowledge protocol,” which he described at its most simple as “tell someone you have something, but don’t tell them what.” But the final panelist, Robert Sledge, a partner at KPMG’s Department of Professional Practice, noted that there are still great challenges in proving the existence and exclusive ownership of a digital asset. He asked the audience to imagine auditing a client who says they have 10,000 bushels of grain. The auditor asks for evidence that the client has this grain, and the client takes the auditor to the farm and uses a key to open the silo. He asked: Is this enough to prove ownership? “They have a key, and they know they can go open [the silo], and no one has stopped them, and they opened the door and there was grain there,” he said.

“But the risk we’re wrestling with is: What if it was their brother’s key and their brother’s grain on their brother’s farm, and you’re auditing the older brother’s financial statements who doesn’t really have the grain but put the grain on the balance sheet, but you’re not engaged to audit the balance sheet of the younger brother, who has the grain silo.” In the physical world, he said, there are other procedures, such as looking through property tax records, that could settle this matter. In the digital assets world, though, there’s far less to support such assertions. Even if one moved bitcoins from one account to another, he said, that doesn’t actually prove ownership. All it proves is that the person has a key. Did they steal it? Can other people use it? Are the transfers even being made from the account in question? Are the assets transferred the same ones referred to in the financial statement? Moving bitcoins from one account to another alone, he said, does not prove ownership. But he fears that other auditors who may not be as familiar with blockchain will simply assume that it does, and set a bad precedent. “I fear there’s always someone who will set the precedent, who will fall into that trap, and issue an audit opinion saying he saw the bitcoin move back and forth, but then the investors of that company go to claim the assets, that entity has no rights to the key, it’s disappeared somewhere and the company is gone. The only one left on the book is the auditor who said there were micro-transactions,” he said.

Sledge also expressed concerns that people are framing this entire issue the wrong way by focusing too much on blockchain itself and not enough around its specific uses.

“Blockchain is just a data structure, albeit one subject to a lot of creative thinking,” he said. “And so when we talk about auditing blockchain, I wonder, is that sort of like saying auditing database? That sounds a little funny. We should never talk about auditing database. We’d talk about how do we understand how this database is being used in business operations, what controls are around it, where is information stored, etc. So I think we have a very broad spectrum of uses of blockchain that exist today, and even broader uses in the future, so when we think of auditing it, I think we have to approach it as we would approach auditing databases and not necessarily say we have to wait for the PCAOB or AICPA to release a standard saying this is how you audit blockchain.”
