Q. Is internal audit ready for blockchain?

A. Blockchain technology offers the promise of “a safe, transparent, rapid and affordable digital solution to many government challenges” (Policy Horizons, 2016). However, this same technology also poses challenges and opportunities to internal auditors wishing to provide maximum value to their organizations, whether governmental or otherwise. In order to rise to the challenges and capitalize on the opportunities, internal audit departments must be able to place auditors – well trained on both blockchain technology and on all blockchain projects right from their inception.

To assess its readiness for blockchain, first consider the function of internal auditing. Internal auditing “is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations” (IIA, 2017). Internal auditors accomplish this activity through the use of a systematic, disciplined approach to evaluate and improve effectiveness and efficiency. To deliver this value to organizations, there are three major areas of focus for internal auditors:

1. Governance is “the combination of processes and structures implemented ... to inform, direct, manage, and monitor the activities of the organization toward the achievement of objectives” (IIA, 2017). The governance framework includes ethics and values, organizational performance, and accountability – as well as the communication of risk and control activities within the organization and information technology strategy.
    
2. Risk management refers to the assessment of risks that directly relate to, and impact the achievement of, an organization’s mission and objectives. This process includes understanding an organization’s appetite for risk, the analysis of fraud risks, and a focus on technology risks as they apply to the achievement of an organization’s mission and objectives. Risk management also involves an assessment of the processes involved in the assessment and communications of risk.
    
3. Controls are implemented to help mitigate risk and are the processes for assuring achievement of an organization’s objectives in operational effectiveness and efficiency; reliable financial reporting; and compliance with laws and regulations.

In order to provide this independent, objective assurance, internal auditors assess the adequacy and effectiveness of the management control framework that has been established by management. This is done to provide boards, audit committees, and senior management with an objective appraisal and assessment of the adequacy and effectiveness of governance, risk management, and control activities.

Furthermore, the methodologies and tools for providing this assurance have been developed and form the professional standards by which internal auditors perform their work. Although blockchain technology is new, this is not the first time a new technology has been developed. Thus, it will require internal auditors to employ new approaches to assessing this new technology using well established professional standards to ensure adequate assurances can continue to be made.

Blockchain technology is coming rapidly and, at least in Canada, many levels of government are already on board. As an example, the Toronto-based Blockchain Research Institute has recently been granted “support from the federal government, the Ontario provincial government, and the City of Toronto, in addition to the University Health Network in Toronto, the Bank of Canada, and the Federal Institute on Governance” (Kovacs, 2017). Indeed, Policy Horizons Canada (2016), in a brief on blockchain technology, stated that it “could facilitate payments, benefits distribution, identification, record keeping and certification to name a few.”

Although blockchain is the technology that allowed the creation of cryptocurrencies (such as Bitcoin or Ether), it is not itself a cryptocurrency. Rather, blockchain technology is used to enable the existence of these cryptocurrencies in the same way that TCP/IP (transmission control protocol/internet protocol) is used to enable the existence of online shopping sites such as Amazon (Iansiti & Lakhani, 2017). In the case of both technologies, the full range of possible applications is exceptionally diverse. In simpler terms: blockchain technology enabled the creation of cryptocurrencies in the same way that steel girders enabled the creation of skyscrapers. Skyscrapers could not exist without steel girders but these same girders can be used to build longer bridges and other structures previously not possible.

So, what is revolutionary about blockchain-based applications (blockchains) from the internal audit point of view? They quite simply require a change in the way organizations and individuals think about where we find the “truth” about transactions and information. Up until the advent of blockchains, the only way to establish one version of the truth was to designate a system of record for specific ledgers. A system of record was thought of as “the place where there is a definitive value for some unit of data” (Inmon, 2003). Just as someone with one watch always knows what time it is and someone with two watches is never quite sure, a system or record ensures you always have one truth. Systems of record live on one system, within a specific organizational structure, and are subject to one governance and control structure.

Iansiti and Lakhani (2017) explain how blockchain is different as follows:

“In a blockchain system, the ledger is replicated in a large number of identical databases, each hosted and maintained by an interested party. When changes are entered in one copy, all the other copies are simultaneously updated. So as transactions occur, records of the value and assets exchanged are permanently entered in all ledgers.”

In a blockchain, there is no longer one specific system, within one specific organizational structure, where the “truth” resides. Instead, there is a permanent shared ledger that provides all interested parties or stakeholders with exactly the same “truth” simultaneously. Now the governance, risk management, and control mechanisms are sometimes associated with the blockchain, not with a specific system or organization. Think of it this way: in your private home, you get to set the rules for building and using a pool but when you move to a condominium, the condominium association holds that power.

The full impact of this change – from all applications having a system of record to some applications using blockchains – are still being discovered, but one can identify several obvious implications for internal audit. First of all, internal auditors will need to access information in new formats. Essentially, there will be a new technical environment where critical information is created and stored and internal auditors must be able to access information contained in this environment. Internal auditors will also need to maximize the value of “real-time” information; the value of sampling will have to be re-evaluated when the use of data analytics, on continuous information, is technically feasible. Another consideration is that internal auditors will sometimes need to work collaboratively across organizations. There are public blockchains, such as Ethereum, that applications may be run on and that have preexisting governance structures, but there are also private/consortium blockchains that are only open to identified stakeholders. Each of these blockchains will have their own governance structure, one that may involve a number of stakeholders across multiple organizations. Internal auditors from these multiple stakeholders will need to work together to ensure all their requirements are met. Finally, internal auditors will need to understand that some work being routinely performed today will become redundant. For example, with a shared ledger there will no longer be any requirement to reconcile differences between systems of record. Instead, there will be one version of the truth and all stakeholders will have access to it.

This background leads us to examine some of the issues regarding what internal audit departments need to consider in preparing themselves for this new technology. In order for internal auditors to provide objective assurance and insight on the adequacy and effectiveness of governance, risk management, and internal control processes in environments utilizing blockchains, the internal auditors must fully understand what they are being asked to deal with.

In support of this objective, internal auditors should consider the following:

1. Internal auditors must possess “the knowledge, skills, and other competencies” needed to perform their individual duties. (IIA, 2017) Therefore, before adopting blockchain, internal audit departments should start training some of their people on blockchain. Internal auditors today are quite familiar with systems of record and their governance, risk management, and controls. In order to effectively deal with blockchain-based applications, they must first understand the basics of the technology and, in particular, the evolving area of governance.
    
2. Internal auditors must be involved at the planning stage of blockchain-based applications. All systems must have adequate governance, risk management, and controls, and it is much easier to build these in right from the start than to retrofit them after a problem has been identified.
    
3. Internal audit departments must include continuous auditing as part of their standard audit methodology, if they have not done so already. Blockchain-based applications provide real-time access to information; continuous auditing will allow internal auditors to use this real-time access to transactions to increase the value they bring to their organizations.
    
4. As a profession, internal auditors are prudent. This prudence has served the profession well and is relied upon by clients. Unfortunately, there are times when this trait can result in a slow approach in adopting new technologies. It is important that internal auditors prepare themselves such that they can meet the demands of their clients while maintaining their professional standards.
    
5. The relevant standards bodies will need to cooperate in determining the optimum approach to ensuring that blockchain-based applications not only deliver the business value promised but also do such in a manner consistent with prudent and effective governance. Although there is a growing consensus that blockchains can offer significant value to large organizations, due diligence must still be performed to ensure that such applications are the best choice for a specific objective.
    
6. One of the key strategic advantages that internal auditors have is their knowledge of the business and organization they support. This knowledge will be critical when it comes to supporting the implementation of blockchain for, without this knowledge, adequate assessment of the governance, risk, and control environment will be difficult to provide.

Blockchain certainly has the potential to enable numerous new digital solutions to many of the challenges governments and other large organizations face. We must, however, take the necessary steps today to ensure that the blockchains of tomorrow are subject to the same high standards as all other business systems and processes. Otherwise, we risk that potential being unrealized.

References

Iansiti, M., & Lakhani, K. R. 2017. The Truth About Blockchain. Harvard Business Review, 95(1): 118–127.
https://hbr.org/2017/01/the-truth-about-blockchain

IIA. 2017. International Standards for the Professional Practice of Internal Auditing. Lake Mary, FL: The Institute of Internal Auditors (IIA).
https://na.theiia.org/standards-guidance/

Inmon, B. 2003. The System of Record in the Global Data Warehouse. Information Management, May 1, 2003. Accessed August 23, 2017:
https://www.information-management.com/news/the-system-of-record-in-the-...

Kovacs, M. 2017. Blockchain Research Institute Gains Support from Three Levels of Government and Private Sector. IT World Canada, June 12, 2017. Accessed August 23, 2017:
http://www.itworldcanada.com/article/blockchain-research-institute-gains...

Policy Horizons. 2016. Blockchain Technology: Brief. Ottawa: Policy Horizons Canada, Government of Canada.
http://publications.gc.ca/site/eng/9.828823/publication.html