While it’s unclear exactly what role cryptocurrency and blockchain will play in the future of business, digital assets and associated technologies have had staying power. Internal auditors need to take note now and prepare for crypto and blockchain audits, rather than getting caught off guard and introducing new risks.
Even if your organization isn't familiar with cryptocurrency and blockchain — only three percent of attendees at a Wolters Kluwer emerging technology webinar said they were using blockchain technology — don’t assume that will always be the case.
Manufacturing businesses, for example, might need to get involved with blockchain to be part of their customers’ traceable supply chains. Banks might need to store digital assets for customers. E-commerce stores might accept certain types of crypto if enough customers want to pay that way.
So, internal auditors should be proactive and work crypto and blockchain controls into their overall auditing responsibilities. That can include auditing existing usage, as well as examining future usage.
What is a crypto audit?
From an internal auditor’s perspective, a crypto audit is a review of an organization’s use of cryptocurrencies, such as Bitcoin and Ethereum, to ensure that proper controls are in place. While crypto assets have their own intricacies, in many respects, a crypto audit resembles a cash or foreign exchange audit.
The National Credit Union Administration Examiner's Guide approaches cash-like instruments (e.g., gift cards and money orders) by determining “which types of cash-like instruments the credit union offers,” and by verifying “that management monitors and restricts access to cash-like instruments and maintains a precise record of issued and unissued items.”
While this does not specifically refer to crypto, similar logic applies to a crypto audit. If you accept crypto as a form of payment from customers, for example, then a crypto audit would likely include areas that verify that transactions align with crypto holdings.
A crypto audit might also assess whether the relevant risks are being considered if your organization is using crypto, such as whether it can handle the potential tax consequences of trading digital assets.
What is blockchain auditing?
Related to a crypto audit, a blockchain audit involves reviewing the controls of your organization’s use or consideration of blockchain technologies.
The good news is that a blockchain is theoretically easy to audit in the sense that accurate information on blockchain transactions should be readily available to all participants.
“The ledger is distributed across many participants in the network — it doesn’t exist in one place. Instead, copies exist and are simultaneously updated with every fully participating node in the ecosystem,” explains the MIT Sloan School of Management.
But it’s not just about reviewing transactions. A blockchain audit also involves making sure the proper protocols are in place for blockchain usage, such as proper security and compliance controls.
“Fortunately, looking at blockchain from the perspective of IT general controls (ITGCs) makes auditing blockchain more manageable and simpler… the IT auditor can look to ITGCs (specifically, access management, change management and data management/backup and restoration) as the foundation of a blockchain audit,” notes an ISACA article.
3 keys to audit cryptocurrency and blockchain
Auditing cryptocurrency and blockchains doesn’t have to be much different from auditing other areas of a business. You may need to bring on additional staff who have experience with digital assets, as well as take a more proactive approach. In general, the process is similar to auditing other emerging areas like the cloud or even existing financial practices, like cash management.
Consider the following to audit crypto and blockchain effectively:
1) Assess crypto and blockchain usage
The first step to crypto and blockchain auditing is to find out what your organization’s current and planned usage looks like. If you don’t know if your finance department manages any cryptocurrencies, for example, then it’s hard to put proper controls in place. You can also consider future usage to get a sense of whether you have the right staffing in place to manage risks.
2) Identify top risks
Once you have a good handle on your organization’s usage of crypto and blockchain, you can begin identifying the potential top risks involved.
For example, you might assess whether your finance team has the right tools needed to track crypto transactions as easily as any other asset.
“Because crypto investors often use multiple exchanges and wallets, it can be difficult to find data on every buying and selling event,” notes CoinLedger, a tax platform for crypto investors.
While crypto usage for your organization likely differs from that of an individual investor, you still want to make sure that information on your crypto transactions isn’t trapped in disparate systems.
Review the risks related to security and understand that not all blockchains are the same. Take action and collaborate with IT leaders to assess if the blockchains you’re using and the associated cyber protocols are keeping the data secure.
These are just a few of the many risks that can come about with crypto and blockchain usage. Internal auditors should work with other departments to assess what those top risks look like within your organization and how they can be effectively managed.
3) Establish controls
After you identify the top risks, establish better controls for crypto and blockchain usage. For example, you might want to work with your legal department to establish liability controls for blockchain networks.
As the World Economic Forum notes, one “consideration for participants at the outset is who holds legal/regulatory liability in a permissioned network for cases such as data breach or smart contracts errors?”
If you don’t have sufficient legal controls in place to handle issues like these, then you could end up amplifying existing risks.
Keep leaders in the loop
Focusing on these areas can help your organization get the most out of these new tools while limiting potential downsides. However, internal audit teams shouldn’t be required to tackle these issues alone.
Leaders, such as other department managers, the C-Suite, and board directors, should always be informed and kept in the loop. Doing so can help internal auditors better understand crypto and blockchain risks and help other leaders assess how to use these tools going forward.