I think it’s no surprise that your internal auditors are having trouble trusting blockchain. The technology is new and unfamiliar, and it brings a new way of thinking about controls. Many organizations don’t have the expertise to carry out solutions successfully or to test a blockchain-based project. With blockchain gaining in popularity in the financial services industry, it’s critical that audit teams understand what’s required to get comfortable with blockchain solutions.
Blockchain presents a challenge to the traditional audit approach, given there’s no practical way to use point-in-time forensic analysis—the standard audit tool. Assurance in a blockchain environment derives from irrefutable transaction history and integrity. So in essence, you have a system that has full integrity, that’s 100% accurate. Attempting to conduct a point-in-time forensic retrospective analysis is ineffective and wildly inefficient. This approach negates one of the benefits of implementing blockchain in the first place: the promise of increased administrative efficiency.
Of course, you still need blockchain audits to build confidence and assurance in the technology. But the audit itself will look very different. The standard approach will be replaced by a process that’s closer to auditing of transactions in real time, and this change will prove challenging for most internal audit departments.
The concept behind real-time auditing is to inspect transactions closer and closer to the point of occurrence, and there are many ways to accomplish this. In blockchain, it's a complicated process that requires a second underlying technology and tapping into the processing itself, in order to create the transparency that third parties require.
Real-time auditing eliminates the traditional concept of sampling. The purpose of sampling is to perform backward-looking assessments of segments of populations to draw conclusions about the rest of the population. Blockchain technology offers new assurance-related baselines that eliminate the need for sampling. In a blockchain ledger, you have an up-to-date, immutable historical record, so auditing in the blockchain environment requires a very different mindset and approach.
Regulators also grapple with the uncertainty surrounding blockchain. Driving the uncertainty is that blockchain is a technological concept, not an institutional product, and there are dozens of variants. If we looked at 20 of our clients who are deploying blockchain, we would find that they all resulted in different use case scenarios. This variation creates a significant regulatory challenge, since regulation in its simplest form is all about standardization. Until we see something closer to standardization in blockchain, we’re not likely to see meaningful regulatory standards emerge. But as the technology matures and variants are reduced, I think we’ll see a firmer foot put forward by regulatory bodies.
In the meantime, auditors of blockchain solutions will still be required to comply with existing regulations, such as AML and KYC. The only difference will be in how they go about meeting those requirements and providing the transparency regulators need to assure they are being met.
With all of that said, it should be no surprise to firms that your auditors should be involved from the start of any blockchain project. These types of change initiatives are driven by innovation groups that often operate independently. As a result, risk management, audit, and compliance may get involved far too late in the game, causing delays. We have a number of clients that made audit the final hurdle in deploying a proof of concept for blockchain. When this results in the audit, compliance, or legal departments not having their concerns heard in advance, projects grind to a halt. Internal oversight should be a partner in this process, not a holdup.
While blockchain is a novel technology generating a lot of hype and concern, it’s worth noting that other technologies faced similar challenges before they were widely adopted. Take chip cards. People did not trust this new technology until retailers took responsibility for in-store fraud. The fundamental issue was one of confidence and trust. Similarly, trust is a central issue—maybe the central issue—when it comes to blockchain. And in a world of blockchain solutions, getting your internal auditors’ trust is more important than ever.
Being hesitant about something new and different is completely natural. The processes and controls that a company uses to gain oversight and trust have taken years to develop. Blockchain threatens to shake all that up. But that’s a good thing. This technology has the potential to take those processes and controls to the next level. With the right approach, companies can create a blockchain-based system that has less chance for human error, provides immutable trust, and prepares their reporting systems for the future.
A. Michael Smith is a Partner at PricewaterhouseCoopers. Follow him on Twitter at @AmichaelPwC. All views expressed above are my own.
To join the conversation, visit this post on A. Michael's LinkedIn page.
A. Michael Smith
Internal Technology Audit Solutions Leader, PwC US