Blockchain is a hot topic. A recent survey conducted by Deloitte found that 34% of 1,000 global companies had already implemented a blockchain system and another 41% expect to deploy blockchain in the next year. Banks and healthcare lead the way in adopting blockchain, and the most common processes being adapted to blockchain outside of client/patient records are supply chain, contract management, and voting.
Internal audit cannot avoid thinking about and planning for blockchain; that train is coming full steam ahead. The biggest questions are how to educate yourself about blockchain, how to identify and assess risk, and how to know whether process controls in this new blockchain world are designed effectively and efficiently.
I believe that all Internal Auditors should educate themselves about blockchain, not just your IT auditors. If your organization intends to manage some or all of its business on blockchain, then it's no longer just the IT auditors’ scope: financial auditors need to understand the risks and controls in keeping financial transactions in the blockchain, operational auditors need to understand how blockchain replaces parts of workflow and process, and the IT auditors need to understand the security and API frameworks that accompany blockchain. There are lots of educational courses and materials out there, covering everything from the basics to how to build a simple blockchain application, and even in-depth security courses.
If your organization is still in the 41% who plan to deploy blockchain, get involved in those early discussions. Ask questions about how they have vetted their ‘proof of work’ system, which is required to validate transactions. This is often more expensive and less efficient than companies expect. The volume of transactions per second (TPS) that must be validated and added to the blockchain, and the computing power necessary to do so, may exceed many organizations' expectations.
How does your organization intend to handle privacy? Current US regulations restrict full anonymity of customer records because there is a requirement to confirm customers are not on any list of known or suspected terrorist organizations. How does your organization plan to balance that with GDPR and other global privacy rules?
Evaluating susceptibility to cyberattacks is another concern. Heard of a 51% attack? If not, you might want to take a side trip and watch Silicon Valley (season 5, episode 8) to see what happens when you rely on a distributed network to protect your data. It only takes a single ‘owner’ holding 51% of the network's validating power to control what gets added to the blockchain.
And of course, there are simply the risks of your first-line business owners not fully understanding the new systems and processes, not carrying the intent and scope of the original key process and financial controls over to the new way of conducting business, and lacking the technical savvy to recognise differences that could have a major impact on your organization.
If your organization is on the bullet train to deploying blockchain, it's worthwhile to start asking these questions now so that Internal Audit is adding value upfront in the design and planning of your organization's new frontier and future.