March 15, 2018
How do you validate the new technology and provide confidence to your internal audit, compliance, and risk teams?
There’s no question blockchain is gaining momentum. Look at the $1.1 billion of startup investment over the last two years, according to CB Insights. Or the 36 percent of financial services executives who say their organizations will make significant investments in the technology over the next three years, according to PwC’s 2017 Digital IQ Survey. Or the steep uptick in blockchain patents and applications, which is only expected to continue.
But for the technology to gain real traction, the industry and early adopters—like financial and healthcare institutions—must contend with a number of challenges. These include data security and privacy, a limited pool of technical specialists, and applying regulatory and compliance requirements to a new technology. While those challenges should ultimately be addressed as the technology matures, one stumbling block usually is not on the radar of innovators who are experimenting with blockchain in their organizations. It’s what I call the audit challenge.
And while the term I’ve coined may not be familiar, the issue is very real for corporate development teams that find their blockchain proofs of concept stalled. They’ve spent months establishing a business case, testing approaches, and proving their concepts to speed up settlement, improve accuracy, or lower processing costs. But instead of moving forward to realize these benefits for their organizations, they’re stopped short by internal audit (IA), or by legal, compliance, or another risk function, because these functions are unable to satisfactorily audit the blockchain. Regardless of the degree of confidence in the technology itself, there will always be a need for testing and confirming that the system is working as intended. This need is especially true in the United States, which has a long history of consumers struggling to embrace technology innovation when matters of finance or healthcare are concerned (chip cards, anyone?).
Now, if you know even a little about blockchain, you realize that this is somewhat ironic. After all, what makes the distributed virtual ledger technology so revolutionary is that it doesn’t require a centralized certifying authority and provides irrefutable transaction history and integrity.
So, why the need to validate the blockchain?
Audit is the process that produces confidence for all interested parties in any operational process. The term “interested parties” covers a lot of ground and includes an organization’s board of directors, risk committees, regulators, and so forth. Many of these people lack the technical sophistication to blindly trust innovations in technology, and the current legal and risk environment makes blind trust an unacceptable risk for them. There will always be a need for an independent function to provide assurance, or confidence, for all key stakeholders in any operational process.
What’s stopping internal auditors?
Okay, so you have to prove your blockchain application works, just as you do every other technology-based system. Why, then, does blockchain pose such a challenge for internal auditors? In my work with innovation and strategy teams who are developing blockchain solutions for their organizations, I see four main issues:
- Blockchain is relatively new. The first implementation is less than a decade old, and most applications are not very mature. In contrast, the systems that management currently relies on have been tested for decades and have specific guidance and principles to allow IA teams to gain comfort with them. Audit teams may not yet have the expertise or guidance to know how to fully gain comfort with a system that puts trust in advanced cryptographic algorithms. Learning takes time.
- These controls are different. Because the technology is new, it requires a new way of thinking about controls. Auditors might welcome the change, but it’s their job to ask the difficult questions: Who controls the blockchain? Who gets access? Where are the servers, and what physical and digital controls exist? Who monitors activity? Is the technology in fact doing what it claims to do? More importantly, how can you assess this claim when traditional approaches to auditing have never considered technology of this kind?
- Technical expertise is rare. Few IT departments have relevant blockchain experience. In fact, in our 2017 Global Digital IQ Survey, some 86 percent of financial services executives said that their organizations haven’t yet developed necessary blockchain skills. And even fewer companies have IA teams with enough expertise to provide any sort of assurance around the technology and the associated work. Most IA teams are always looking for technical expertise, but finding these resources can be tough.
- It got a rough start. Although the first prominent use of blockchain was bitcoin, the two are not synonymous. To those who haven’t paid close attention, the whole topic may seem dicey, given some early issues with digital currency. This perception creates a bias against the technology. Almost every time I speak on the topic, a large number of attendees don’t realize that blockchain is a much larger topic than just bitcoin.
Trust and verify your blockchain
Those issues aren’t going away anytime soon, which is why I’m so optimistic about a new solution PwC developed that addresses the challenge. Our solution provides real-time, transaction-level assurance that is agnostic to blockchain variant, use case, and industry. It encompasses an assessment of the blockchain infrastructure and the transaction-level processing associated with the business use case, and it provides the necessary transparency and optics to meet the assurance needs of key stakeholders.
How do we do this? We combine a risk and controls framework and continuous auditing software that enables us to see into the blockchain engine and transliterate the processing into traditional audit and control evidence and reporting. This stage is the next one in the evolution of the audit profession as auditing via the computer becomes auditing by the computer. This trend is expected to become more prominent as artificial intelligence and other automation technologies continue to push auditing into a true real-time process.
Our solution isn’t theoretical; we are implementing it with organizations today, enabling audit activity on, for example, a proprietary private equity platform. Such implementations allow us to review and confirm the validity of transactions in real time. This matters: reviewing what happens in real time, rather than testing selectively after the fact, is a significant departure from current audit techniques.
Our experience with partnering companies illustrates why now is an exciting time. Blockchain is rewriting the rules for all kinds of transactions—and that requires changes across an organization. For solution developers and strategists, that means anticipating audit concerns at the earliest stages of development. For internal auditors and other risk and compliance professionals, it entails learning about and embracing new approaches to assurance. At PwC, we have embraced these changes and are moving confidently into the new age of audit.