Authors: Diego Oliveira Farias (oliveiraf@tcu.gov.br), Eldon Teixeira Coutinho (eldonc@tcu.gov.br), Monique Louise de Barros Monteiro (moniquebm@tcu.gov.br), Tibério Cesar Jocundo Loureiro (tiberio.loureiro@tcu.gov.br)
1. Introduction
Blockchain technology originated in 2008 when an author using the pseudonym Satoshi Nakamoto published the paper titled “Bitcoin: A Peer-to-Peer Electronic Cash System.” The publication presented an innovative combination of computing-related concepts: peer-to-peer (P2P) networks, cryptography, digital signatures, hash functions, and a new consensus algorithm for distributed networks.
The Bitcoin network utilizes blockchain technology to process and record transactions securely, and performs online payments without needing a trusted third party. Transactions are validated and recorded in blocks stored in ledger format at network nodes. The network state is stored as a sequence of blocks containing transactions, hence the term “blockchain.”
One of the limitations of Bitcoin is that its blockchain only allows the sending of monetary transactions. In 2013, Vitalik Buterin, a former member of the Bitcoin community, proposed a platform for developing decentralized applications called Ethereum. This blockchain can run the so-called “Smart Contracts”, or computational codes (programs) that run autonomously and reliably on the blockchain.
1.1. Main features of Blockchain Technology
1.1.1. Hyper transparency and auditability
Blockchain transparency allows all network participants to see the history of transactions in real-time, increasing traceability. Users can thoroughly audit transactions, which is particularly important for government applications as much information from government programs must be public.
1.1.2. Distribution and decentralization
Decentralization refers to transferring control and decision-making from a centralized entity (individual, organization, or group) to a distributed network.
The blockchain network can be used as a database integration layer, allowing shared use between organizations and external collaborators, enabling a hyper-connected government.
1.1.3. Disintermediation
Blockchain technology introduces a new paradigm: the possibility for different parties to transact without the need to trust a central intermediary. Additionally, it reduces the need to implement complex reconciliation processes between the parties and reduces costs since it is possible to use smart contracts executed automatically according to predefined rules.
1.1.4. Availability
Since all participants hold a local copy of the ledger, it can be accessed through other nodes if one node becomes unavailable. That is, the blockchain is a resilient network with several shared copies of data, so public services that need this information can continue operating even if some nodes are unavailable.
1.1.5. Immutability and integrity
Blockchain uses cryptographic techniques to protect its records, including hash functions and digital signatures. Any tampering is therefore noticed, because an altered record no longer matches the hashes and signatures that protect it.
This property ensures that the blockchain is an immutable record so that no entity can change past data without resulting in an alert to the network.
1.1.6. Irrefutability
One of the essential features of blockchain technologies is public key cryptography, which serves as a basis for authenticating network users. Digital signatures on transactions provide undeniable proof of who the sender of the message is (non-repudiation).
Figure 1 – Characteristics of Blockchain Technology

2. Blockchain, auditing, and control
The use of blockchain technology in public and private institutions will lead to the emergence of new assurance and audit services since both internal audit and external auditors can obtain real-time reports.
Furthermore, blockchain creates significant changes in the input-processing-output of an organization’s information. Thus, the information process cycle may change considerably how the auditor collects evidence, focusing more on assessing the reliability of the blockchain network than on evaluating the data itself.
The study carried out by the Federal Court of Auditors (TCU) to verify how blockchain innovation can affect audit activity identified several aspects of transformation, discussed in more detail below:
2.1. Continuous, real-time auditing
Distributed solutions improve the governance and transparency of public bodies, allowing immediate and unrestricted access to data for society and oversight bodies. The integration of auditing with operational processes enables continuous monitoring of public acts and expenditures. The use of blockchain reduces the time to obtain information and verify transactions. Auditors can leverage automation, analytics, and machine learning capabilities to alert management to suspicious transactions in near real-time.
2.2. Paradigm shift from sample-based auditing to data-based auditing
In an audit, one should delimit the sample to be examined and define the respective selection criterion, the period covered, and its size. Conclusions generalized from the selected sample embed a certain degree of uncertainty inherent in statistical calculations.
Blockchain can replace substantive tests based on samples since examining and testing the entire data universe within the observation period based on the ledger copy will be possible.
2.3. Automated audit
Blockchain transactions are transparent, secure, and reliable. Auditors can develop automated procedures to pull evidence directly from the blockchain, eliminating data reconciliation across multiple databases and reducing the risk of errors. This enhances the auditor’s job by enabling database queries, automation of reports, and automatic detection of fraud and irregularities.
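The integrity property from section 1.1.5 and the full-population, automated testing described in sections 2.2 and 2.3 can be shown together. The following Python sketch is an added example, not code from the TCU study; the block layout, the field names (`payee`, `invoice`, `amount`), the two audit rules and the sample data are all constructed assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed placeholder "previous hash" for the first block

def block_hash(prev_hash, txs):
    """SHA-256 over the previous block's hash plus a canonical JSON encoding of the transactions."""
    payload = json.dumps({"prev": prev_hash, "txs": txs}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def build_ledger(batches):
    # Chain each batch of transactions to the hash of the block before it.
    ledger, prev = [], GENESIS
    for txs in batches:
        digest = block_hash(prev, txs)
        ledger.append({"prev": prev, "txs": txs, "hash": digest})
        prev = digest
    return ledger

def first_invalid_block(ledger):
    """Return the index of the first block whose hash or back-link fails, else None."""
    prev = GENESIS
    for i, block in enumerate(ledger):
        if block["prev"] != prev or block_hash(block["prev"], block["txs"]) != block["hash"]:
            return i
        prev = block["hash"]
    return None

def audit_population(ledger, limit):
    """Test every transaction (no sampling), but only on a copy that passes the integrity check."""
    bad = first_invalid_block(ledger)
    if bad is not None:
        raise ValueError(f"ledger copy fails integrity check at block {bad}")
    findings, seen = [], set()
    for i, block in enumerate(ledger):
        for tx in block["txs"]:
            if tx["amount"] > limit:  # hypothetical rule: payment above approval limit
                findings.append((i, tx["invoice"], "over_limit"))
            if (tx["payee"], tx["invoice"]) in seen:  # hypothetical rule: invoice paid twice
                findings.append((i, tx["invoice"], "duplicate_invoice"))
            seen.add((tx["payee"], tx["invoice"]))
    return findings

# Constructed sample data: three blocks of payment records.
SAMPLE = [
    [{"payee": "A", "invoice": "INV-1", "amount": 900}],
    [{"payee": "B", "invoice": "INV-2", "amount": 15000},
     {"payee": "A", "invoice": "INV-1", "amount": 900}],
    [{"payee": "C", "invoice": "INV-3", "amount": 120}],
]
```

On the sample, `audit_population(build_ledger(SAMPLE), limit=10000)` flags the over-limit payment and the repeated invoice in block 1, and changing any amount in a stored block makes `first_invalid_block` return that block's index. A party who rewrote every later hash as well would pass this local check, which is why the final hash should also be compared with the copies held by other nodes.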
2.4. New knowledge required for the auditor
Auditors should understand blockchain-specific risks and how the audited entity is implementing controls to address those risks. Professionals must gain expertise in distributed systems, networking, security, cryptography, key management, and technology processes.
The growing use of smart contracts will also require programming language knowledge to verify that business rules are being correctly coded. Blockchain increases the amount of information available, and auditors must plan how to collect evidence following the new formats resulting from this technology.
2.5. Introduction of new types of risks and fraud
To be able to provide the necessary level of confidence, audit processes need to go further in assessing the operational effectiveness of controls related to technology and cryptography. In addition, vulnerabilities in smart contracts are new points of attention for the auditor.
2.6. Compliance by Design
The term compliance by design arises from validating controls before implementing the blockchain solution, ensuring that the rules of what is allowed inside and outside the network comply with laws and legal regulations.
Thus, there will be a greater demand for auditors and auditees to participate in the application planning stage. Instead of acting to find irregularities, smart contracts will be written with the intention that they do not occur. It is much easier to incorporate aspects of governance, risk management, and controls from the beginning of a project than to adapt them after a problem is identified.
2.7. Need to validate off-chain information
When a blockchain records digital assets such as cryptocurrencies, it provides a secure and trusted source. However, when blockchain is used to record transactions from the physical world, there is no guarantee that a transaction will take place.
Lies recorded on the blockchain remain lies, leading to the question of how the auditor can guarantee the veracity of transactions recorded on the blockchain. Therefore, it will be up to the auditor to research mechanisms to reconcile transactions recorded in blockchain and real transactions, especially concerning how network participants initiate, process, and record transactions.
2.8. New challenges and opportunities
Even in an environment where the organization’s entire operation is recorded on the blockchain, auditor expertise is still required to select and perform audit tests. How the truth of transactions is found and how network governance is exercised are essential factors for the auditor to observe. Evidence collected from networks with adequate internal controls is more reliable than evidence from networks with less effective controls. Audits are likely to become more information technology-oriented and more forward-looking, focusing on preventing wrongdoing, fraud, and corruption.
The use of blockchain applications by auditees increases transparent behavior by forcing them to disclose previously unrecorded transactions. Control bodies must therefore explore ways to maximize the value of information made available in real time. Two possibilities are the use of analytics and artificial intelligence (AI).
3. Final considerations
Despite the enormous potential that we can envision for their applicability in control, Blockchain ecosystem technologies still present challenges to be overcome by the inspection community. Such challenges range from the need for continuous training and updating by auditors in the face of constant technological innovations in the area to the regulatory adjustments that may be necessary to regulate the use of blockchain in auditing activities.