Accounting firms are beginning to wade into the use of blockchain technology for audits, but with caution as the technology spreads beyond the cryptocurrency space where it’s been used for digital assets like Bitcoin.
“I don’t know that blockchain is going to necessarily make things easier for auditors,” said Amy Steele, an audit and assurance partner at Deloitte & Touche LLP and co-chair of the AICPA Digital Assets Working Group, and a member of the Center for Audit Quality Emerging Technologies Task Force. “I do think it’s going to impact the audit profession and change things. With the use cases within an audit firm, a number of firms are looking at how blockchain can be used within the firm to synthesize the data that we have. I would say that’s still more within the ideation phase rather than the implementation phase.”
Some of Deloitte’s clients are investing more of their funds in blockchain technology, prompting the firm to experiment with the technology. “Externally to the audit, when we think about our clients that are in different blockchain use cases, we have surveyed a number of different companies,” said Steele. “What we’re hearing is there are more investment dollars going into blockchain technology. We’re seeing a number of use cases come out now that there is a broader recognition that blockchain goes beyond Bitcoin. We’re seeing a movement to additional uses, from physical asset traceability to supply chain, pharma, all the way through to digitizing identity. But I would say most of those are still in that idea phase, and we’re working to think through what are the implications if a company puts a supply chain blockchain into place. How does that now impact financial reporting and internal controls?”
There are risks with using blockchain. Even though it relies on distributed ledger technology that is supposed to make digital assets easier to track, there have been high-profile stories in the news about Bitcoin and other digital currencies being stolen by hackers or lost when an investor can’t keep track of their encryption key or digital wallet.
“There is a real risk around security of those private keys, and from an audit standpoint when we look at digital assets on a company’s books, one of the biggest risks is do they have the rights to those assets,” said Steele. “In a digital asset environment, generally the rights to that digital asset are driven by control of a private key, so if that key is lost or stolen that asset might not belong to the entity. It’s very important for auditors and management when they’re supporting their books and records to have appropriate controls and processes in place to validate that they do indeed own and have control of that private key.”
Beyond auditing, blockchain is likely to have an impact on financial reporting and internal controls. “When we think how blockchain is going to impact financial reporting, you have this shared environment with these shared participants, shared data and shared risk that ultimately are going to impact what each particular entity reports on their financial statements,” said Steele. “It’s a huge impact that it’s going to have on financial reporting. That dovetails into internal controls too because in today’s environment, we typically think of internal controls within an entity, or within a service organization. So I either as an entity have my own internal controls or I might use a payment processor to do payroll for me. I rely on their internal controls as it relates to my payroll, but it’s very much held within my controls. In a blockchain environment, the internal controls are going to be across organizations. So I might be in a blockchain with my customers, my suppliers, my competitors, and now I’m sharing internal controls with all of those parties. It’s going to be a very different environment with internal controls in how you come up with those internal controls, and how do you maintain them and monitor them. If there’s a deficiency, how do you mitigate that? It’s really working across organizations from both a financial reporting and internal controls perspective.”
Auditors will need to retain their professional skepticism, despite the automation promised by blockchain. “We’ve all seen the articles that say blockchain is going to replace the need for auditors, and I don’t think that’s the case,” said Steele. “I think in financial reporting and the capital markets, there are always going to be estimates and judgments that need the human challenge. I think that there are some unique audit risks and challenges that go beyond the blockchain. Even if you have a trusted environment, you’re still going to have some very unique challenges, and one is the existence of the particular digital asset. In today’s environment, for existence you would look to contracts and invoices. In a blockchain environment, you’re going to look to the particular blockchain. But there are very fundamental questions as to whether you can rely on the particular blockchain, and each digital asset has their own blockchain. How do you get comfortable with that blockchain? If an entity is using a custodian, there are questions around can I rely on that custodian because that custodian may or may not have a service auditor’s report. That custodian may not have the traditional protections that we’re used to in the traditional asset environment, so there are some big questions around existence.”
The question of which entity has control of a private key could be a thorny issue to solve. “How does an auditor get comfortable that they have control of that private key?” said Steele. “That’s probably one of the biggest challenges for management and auditors in this space is proving out that control of the key, and that they continue to have that key as of the point in time when we’re thinking about the financial statements.”
Valuations could also be difficult for blockchain assets, and auditors will need to be wary of running afoul of the law, as Bitcoin has a reputation for being used for activities such as money laundering, illicit drugs and human trafficking.
“This is a new asset class,” said Steele. “Not every digital asset is traded as frequently as a Bitcoin digital asset. There are some digital assets that are less frequently traded, so how do you value those? There are questions around how you get comfortable with market risks around potential manipulation if you don’t have the history of a digital asset. So there are a lot of questions around valuation and related parties, and illegal acts is a big area as laws and regulations change and evolve in this space. How do we audit that management is in compliance with those?”
It may also be difficult for an auditor to determine whether the parties to a transaction are too closely related. “In this environment you don’t necessarily know who the counterparty to a transaction is,” said Steele. “You’ll have digits who say who the counterparty is, but you don’t have a name, so how do you know if that’s a related party or not? There are some big challenges as it relates to counterparties there.”
She believes that companies and their auditors will need to make sure they have the appropriate internal controls in place. “It’s extremely important that there are strong controls around the protection of those private keys, and really balancing out how you safeguard those, having appropriate individuals within the organization that could access those in the event that they need to,” said Steele. “There’s an important balance there around protection and access of those private keys. Those are probably the biggest audit risks that we face, with valuation, related parties, illegal acts and internal controls.”