Internal Audit’s Introductory Guide to Cryptocurrency and Blockchain Auditing

While it’s unclear exactly what role cryptocurrency and blockchain will play in the future of business, digital assets and related technologies have endured. Internal auditors need to take note now and prepare for crypto and blockchain audits, rather than being caught off guard and introducing new risks.

Even if your organization isn’t familiar with cryptocurrency and blockchain — only three percent of attendees at a Wolters Kluwer Emerging Technologies webinar said they used blockchain technology — don’t assume that will always be the case.

Manufacturing companies, for example, may need to engage in blockchain to be part of their customers’ traceable supply chains. Banks may need to store digital assets for customers. E-commerce stores can accept certain types of crypto if enough customers want to pay that way.

So internal auditors should be proactive and work crypto and blockchain controls into their overall audit responsibilities. This may include auditing existing use as well as investigating future use.

What is a crypto audit?

From an internal auditor’s perspective, a crypto audit is a review of an organization’s use of cryptocurrencies, such as Bitcoin and Ethereum, to ensure that proper controls are in place. While crypto assets have their own intricacies, a crypto audit is similar in many ways to a cash or currency audit.

The National Credit Union Administration Examiner’s Guide looks at cash-like instruments (e.g., gift cards and money orders) by determining “what types of cash-like instruments the credit union offers,” and by verifying “that management monitors and limits access to cash-like instruments and maintains an accurate overview of issued and unissued goods.”

Although this does not specifically refer to crypto, similar logic applies to a crypto audit. If you accept crypto as a form of payment from customers, for example, a crypto audit will likely include steps to verify that recorded transactions match crypto holdings.

A crypto audit can also evaluate whether your organization is addressing the right risks of using crypto, such as whether it can deal with the potential tax consequences of trading digital assets.

What is blockchain auditing?

Related to a crypto audit, a blockchain audit involves reviewing the controls for the organization’s use or assessment of blockchain technologies.

The good news is that a blockchain is theoretically easy to audit in the sense that accurate information about blockchain transactions should be readily available to all participants.

“The ledger is distributed among many participants in the network – it is not found in one place. Instead, copies exist and are updated simultaneously with every fully participating node in the ecosystem,” explains the MIT Sloan School of Management.

But it’s not just about reviewing transactions. A blockchain audit also involves making sure the proper protocols are in place for blockchain use, such as proper security and compliance controls.

“Fortunately, looking at blockchain from the perspective of IT general controls (ITGCs) makes auditing blockchain more manageable and easier … The IT auditor can look at ITGCs (specifically access management, change management and data management/backup and recovery) as the basis of a blockchain audit,” an ISACA paper notes.

3 Keys to Audit Cryptocurrency and Blockchain

Auditing cryptocurrency and blockchains doesn’t have to be much different than auditing other areas of a business. You may need to hire more staff who have experience with digital assets, as well as take a more proactive approach. In general, the process is similar to auditing other new areas such as the cloud or even existing financial practices, such as cash management.

To put effective controls around crypto and blockchain, consider the following:

1) Consider crypto and blockchain usage

The first step to crypto and blockchain auditing is to determine what your organization’s current and planned usage looks like. If you do not know whether, for example, your finance department manages cryptocurrencies, it is difficult to put proper controls in place. You can also assess future use to get a sense of whether you have the right staffing in place to manage risk.

2) Identify top risks

Once you have a solid grasp of your organization’s use of crypto and blockchain, you can begin to identify the potential top risks involved.

For example, consider whether your finance team has the right tools needed to track crypto transactions as easily as any other asset.

“Because crypto investors often use multiple exchanges and wallets, it can be difficult to find data on every buy and sell event,” notes CoinLedger, a tax platform for crypto investors.

While your organization’s crypto usage is likely to differ from that of an individual investor, you still want to ensure that information about your crypto transactions is not scattered across disparate systems.

Review the risks associated with security and understand that not all blockchains are created equal. Take action and work with IT managers to assess whether the blockchains you use and the associated cyber protocols keep your data secure.

These are just some of the many risks that can arise with the use of crypto and blockchain. Internal auditors should work with other departments to assess what the biggest risks look like in your organization and how they can be effectively managed.

3) Establish controls

After you’ve identified the biggest risks, establish better controls for crypto and blockchain usage. For example, you may want to work with the legal department to establish accountability controls for blockchain networks.

As the World Economic Forum notes, a “concern for participants at the outset is who has legal/regulatory responsibility in a permissioned network for cases such as data breaches or smart contract failures?”

If you don’t have adequate legal controls in place to deal with issues like these, you could end up amplifying existing risks.

Keep managers updated

Focusing on these areas can help your organization get the most out of these new tools while limiting potential downsides. However, internal audit teams should not be required to tackle these issues alone.

Managers, such as other department heads, C-suite executives and board members, should always be kept informed and up to date. Doing so can help internal auditors better understand crypto and blockchain risks and help other managers consider how to use these tools going forward.
