As companies begin to explore and develop technology solutions based on blockchain and smart contracts, there is a need to understand the impact of blockchain and smart contracts on the assessment of internal controls and enterprise risk. Because the distributed ledger and smart contracts blur the system boundaries between trading partners, there is in particular a need to understand whether internal control assessments based on a single-company approach are adequate in an integrated and collaborative environment. This paper provides an overview of smart contracts for practitioners and describes the associated risks of engaging in a blockchain consortium. We also list potential questions related to internal controls that may be considered when either engaging in a consortium or executing a smart contract. We then discuss whether current frameworks, specifically the Committee of Sponsoring Organizations' (COSO) integrated and COSO's Enterprise Risk Management (ERM) frameworks, adequately address a collaborative supply chain ecosystem.

Technology design, development, implementation, operations, maintenance, and risk assessment have, to date, considered one company and its relationship to the other parties that transact with it, such as customers and vendors. Therefore, when assessing the internal controls of a firm and its information systems using an established framework, management and auditors can focus on a system boundary that is fairly aligned with the company boundary. Even though electronic data interchange (EDI) and vendor-managed inventory systems have enabled the integration of systems within a supply chain, these technologies still allow companies to adequately identify the system boundary.

Blockchain technology and smart contracts, on the other hand, feature not only integration, but also process automation throughout the supply chain. Smart contracts initiated on blockchain technology can automate processes among trading partners (Dai and Vasarhelyi 2017). For example, once a smart contract is initiated, the payment will be automatically withdrawn and held in escrow until the goods are shipped. Once the smart contract receives data about the shipment of goods, the payment will be released to the seller without the customer having to approve, record, and initiate the payment. The transparency created through the use of a distributed ledger (a common record available to all blockchain participants) and smart contracts eliminates the need for reconciliations between trading partners. Consequently, the use of automated rules that reduce the need for explicit authorization, and the distributed ledger that eliminates the need for reconciliations, blur a company's system boundary. Further, when adding transactions to the distributed ledger a company has to rely on nodes owned/operated by separate parties for recording and processing transactions, which further blurs a company's system boundary. Therefore, all parties involved in a smart contract need good internal controls not only around their internal information systems, but also around the whole blockchain ecosystem/consortium.

Hence, this new approach to record keeping that combines a shared distributed ledger with process automation introduces several challenges to the current approach to corporate governance and internal control assessment. The primary challenge to corporate governance and internal control assessment introduced by blockchain technology is the shift in the focus from a single company to collaborative commerce (Stein Smith and Castonguay 2020). Therefore, when assessing the risks of blockchain technology and smart contracts, one should consider multiple party interactions and take a broader and holistic view of all trading parties. The contract terms in smart contracts are enforced by automating the processes between contracting parties; the processes enforcing contract terms can be initiated by a company other than the company assessing the internal controls. Hence, risk and control assessment should consider the entire ecosystem of companies and other parties interacting through smart contracts and blockchain (PwC 2019). Further, the automated enforcement of contract terms blurs the system boundary because there is no verification of transactions entering a company's information system. Therefore, before the technology is widely adopted, management, auditors, and regulators should address issues such as internal versus external controls for blockchain (PwC 2019), how blockchain technology will disrupt the existing governance requirements, and how the enhanced transparency can potentially equalize power structures within the governance of the company and the supply chains. The use of a distributed ledger system introduces additional challenges such as who should provide governance over the distributed ledger, what risk factors should be disclosed, who (which company) should disclose the risk factors, what internal controls should be established over the blockchain, and who should be responsible for enforcing these controls (Stein Smith and Castonguay 2020).

Consequently, company management, auditors, and risk advisory divisions of audit firms would want to evaluate whether a company can still comply with the Sarbanes-Oxley Act of 2002 (SOX) and continue to use established frameworks in assessing controls and reporting the scope and adequacy of the internal controls in a blockchain environment. Furthermore, standard setters such as the AICPA would want to consider whether additional areas of focus should be defined for SOC reports specific to blockchain and/or smart contracts.

The existing internal control frameworks are developed with a focus on a single company perspective to assess governance, management, internal controls, and relationships with third parties. The proper maintenance of the blockchain ledger relies on all participants (transacting parties as well as processing nodes) adhering to common governance mechanisms and internal controls. Therefore, it is likely that companies may need to obtain some assurance that shows all parties to the blockchain are adhering to established common governance mechanisms and internal controls to demonstrate that the distributed blockchain ledger consisting of smart contracts is reliable as an accounting ledger. We evaluate whether additional concerns arise when the boundary of a company is blurred due to the use of blockchain and smart contracts. For this purpose, we examine the blockchain environment using the Committee of Sponsoring Organizations of the Treadway Commission's (COSO) integrated and COSO's enterprise risk management (ERM) frameworks and discuss additional issues that should be considered during internal controls and risk assessment of blockchain and smart contracts.

Traditionally, each company records business transactions in a ledger that is not accessible to others; hence, two transacting companies can document inconsistent or potentially fraudulent records in the individual ledgers. To assure one version of the truth between transacting parties, often a third party (e.g., bank or an auditor) verifies the transactions for each company involved, manifesting in a centralized trust mechanism. Potentially, blockchain technology can be used to maintain a shared distributed ledger to provide transparency of transactions where each company has its copy of a distributed ledger that is verified and validated by the network. When a transaction is initiated on the blockchain, each participant (each node) verifies the appropriateness of the transaction. The distributed trust mechanism (consensus mechanism) makes the transactions tamper-evident because transactions are validated by the nodes on the network before they are added as a new block (a set of shared records) on the blockchain. Which nodes on the network have the authority to add a set of transactions to a block will depend on whether the blockchain is permissioned (private) or permissionless (public). In permissioned blockchains, the nodes on the network are authorized by, and known to, the network. Hence, specific nodes will be explicitly approved to participate in verifying and validating transactions. In permissionless blockchains, any node is allowed to participate in verifying and validating transactions. There is increased interest in the use of permissioned and permissionless blockchains in auditing; however, the implications, opportunities, and challenges may differ between the type of blockchain used (Liu, Wu, and Xu 2019). We focus on blockchain consortiums that are a semi-private system where the participants are known to the network but use the distributed validation mechanism available in a public blockchain.

Blockchain technology has developed from merely providing a distributed ledger for cryptocurrencies (Peters and Panayi 2016), to offering higher-order functionality such as smart contracts that enable distributed computing supporting other asset classes (Fanning and Centers 2016; Swan 2015). Smart contracts are self-executing computer programs that automate and execute contract terms between trading companies. The idea of smart contracts (Szabo 1997) predates the idea of blockchain; however, the blockchain platform enables the use of smart contracts. Blockchain smart contracts can process complex financial applications (Swan 2015) and other data-intensive and real-time applications. Further, a smart contract can convert legal obligations into automated processes that rely on a distributed trust mechanism while enhancing transaction security and minimizing transaction costs. Smart contracts can enforce terms of the contract by converting and embedding the contract rules into computer algorithms and automate the process by triggering tasks based on a specified time, an event, or a set of events (e.g., title transferred when payment made; Kiviat 2015; Peters and Panayi 2016; Zheng, Xie, Dai, Chen, and Wang 2017).

In this paper, we define a “smart contract initiator” as the company that develops and executes the algorithm on the blockchain. Even though all parties to a contract will agree on the terms of the contract, the smart contract initiator will develop the algorithm based on the agreed-upon rules of a legal contract that define the rights and obligations of the transacting parties and execute it on the blockchain. Consequently, it is likely that the company with the greatest stake in the blockchain consortium would be responsible for initiating the smart contract, as they have the greatest incentive for the contract to “work.” The rules embedded in the contract alleviate the risk of one of the companies not delivering their contract obligations. If they were to cheat other participants, those participants would simply leave and not transact with that party, preserving incentives to be fair given the increased transparency. The rules in smart contracts work on an “if-then-else” principle to specify how the terms of the contract should be executed (e.g., if the payment is made, then the title is transferred). Smart contracts are most useful when there are complex contracts involving various counterparties. The successful completion of one smart contract can serve as a trigger that starts another smart contract.1 Therefore, one can view organizations running entirely on smart contracts.2 This allows organizations to minimize transaction costs and minimize opportunities for fraud and errors by weaving a tapestry of transactions that have been assured by the network.

Various industries are currently exploring use-cases of smart contracts on a blockchain. Blockchain and smart contracts can add value and improve the following five areas in a supply chain context (Oracle/Deloitte 2018). First, product tracking throughout the supply chain; for example, physical markings of diamonds and gemstones can be stored in a distributed ledger to enable tracking and verification of precious stones throughout the supply chain. Second, digitization of supply chain documentation and online auto-verification; digital property records, titles of ownership, and/or encumbrances can be digitized and authenticated, validated, and transferred using blockchain. Third, rules-based monitoring; with the advent of the Internet-of-Things (IoT), automotive equipment manufacturers, parts distributors, dealerships, insurance providers, mechanics, and others could support the ability for equipment within the car to autonomously sense its own needs and communicate these needs to the rightful stakeholder. Fourth, settlement or reverse logistics based on rules-based monitoring; for example, product lifecycle from procurement, reclamation, recycling, and disposal can be seamlessly managed using smart contracts. Fifth, direct peer-to-peer settlement without the use of intermediaries; smart contracts and blockchain enable making a payment directly to a vendor without the use of a banking system (e.g., Bitcoin payment). Smart contracts enable a response to real-time events by connecting product components and various stakeholders without any human interaction throughout the supply chain. Next, we discuss challenges in evaluating internal controls based on the components of COSO's integrated and COSO's ERM frameworks.

COSO released the “Internal Control—Integrated Framework” in 1992. Since then, the framework has gained global acceptance as a leading framework for designing, implementing, and assessing internal controls (COSO 2013). Janvrin, Payne, Byrnes, Schneider, and Curtis (2012) recommend incorporating technology in the 1992 framework. Consequently, the updated version in 2013 recognizes the importance and interdependence of technology in companies and emphasizes the need to understand the technological environment when evaluating risks and controls. Landsittel and Rittenberg (2010) provide a good discussion of the history of COSO, the framework development process, and current and proposed projects. This widespread acceptance of the framework for internal controls over financial reporting assessments can be attributed to the introduction of the Sarbanes-Oxley Act in 2002. COSO (2013) defines internal controls as “the process, effected by an entity's board of directors, management, other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.” The framework identifies five components: (1) control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring activities required to achieve the objectives set by the company. According to the framework, to minimize the risk of not achieving an entity's objectives, each of the five components and the relevant principles should be present, function, and operate together.

In 2017, the COSO board published an updated document titled “Enterprise Risk Management: Integrating with Strategy and Performance” recognizing the effects of enterprise risk management on strategic planning, hence, the company's growth and performance. The updated framework focuses on five components: (1) governance and culture, (2) strategy and objective setting, (3) performance, (4) review and revision, and (5) information, communication, and reporting (COSO 2017). Further, the update introduces 20 key principles within each of the five components creating a link to the internal control framework and eliminating the repetition of key aspects of internal control common to ERM.3

Table 1 details the challenges for evaluating internal controls of blockchain using the COSO integrated framework. The most significant challenges reside in the control environment, risk assessment, and control activities. Given the blurred system boundary, increased connectivity, automated contract execution, and the distributed ledger, defining the control environment in a blockchain scenario can be difficult. The autonomous nature of smart contracts can blur the control and ownership of the system. Therefore, understanding the control environment and board involvement can be different from establishing traditional supply chain integrations.

An assessment of controls related to governance should address to what extent the board of a specific company should be involved, and whether it has the authority to oversee certain aspects of the blockchain and smart contracts if the company is not the initiator of smart contracts. Blockchain is expected to increase transparency and eliminate the need for centralized trust between trading parties; however, the risk assessment of blockchain and smart contracts, that is, determining whether risks can be adequately assessed and an adequate risk response can be established, will pose a major challenge to companies that are not smart contract initiators. In contrast to current technologies such as vendor-managed inventory systems, where a company is able to control access, set security protocols, and manage the process, a non-initiator company will have to depend on the development and execution of smart contracts without being able to verify the accuracy and potential biases of the algorithms that automate the process throughout the supply chain ecosystem.

In a recent survey (NC State and Protiviti 2019), board members indicate acquiring talent in short supply as a top ten risk. According to the survey, technology and innovation risks dominate the top ten risks, which suggests concerns related to principles three, four, and five in the control environment component of the COSO integrated framework and principle five in the governance and culture component of the ERM framework. In a blockchain context, companies will be challenged to acquire the right skillset not only for IT staff, but also for accounting, internal audit, and general management with the expertise required to develop proper protocols to manage risks. Therefore, companies will need the most guidance and new expertise in risk assessment and control activities. Companies will need to thoroughly evaluate the adequacy of policies and procedures and also consider whether new policies should be developed in the absence of a centralized trusted source in a transparent environment. See Table 1 for an explanation of challenges and a list of concerns related to each of the principles in the frameworks.

Table 2 details the COSO ERM framework components and the 20 principles. Given that these are more generic principles applicable to any company, companies may have to evaluate how to expand and apply these principles to a blockchain context. If a company is a mere participant and not the initiator of smart contracts,4 to what extent should the principles related to a company's governance and culture reflect smart contracts? What are good measures of the board's oversight of the strategy related to blockchain and smart contracts? Should there be an expert and/or committee on the board of directors? How should the company establish roles and responsibilities of blockchain and smart contracts that span supply chains if the company is not the initiator of a contract? If the company is a mere participant, what are acceptable staffing requirements for the company? The major challenge in the strategy and objective-setting component is identifying and analyzing the risks and the impact of risks on a company's business strategy if the company is not the initiator of a contract. If risks are set by the smart contract initiator or an alliance of companies, what would be the impact of risk on the company's risk appetite? The imposed risk on a company will also affect other principles related to risks such as evaluating alternative strategies and various risk levels.

Currently, smart contract developers are considering whether transaction data should be submitted to the blockchain similar to bitcoin transactions. Submitting transaction data can have serious confidentiality issues. Therefore, others suggest submitting a hash of the transaction (Vincent, Skjellum, and Medury 2020). Conceptually, having a distributed ledger assumes increased access to data. However, whether a company will have access to the data to evaluate concerns suggested in the review and revision component will depend on whether transaction data are submitted to the blockchain instead of merely the hash of a transaction. Consequently, companies will have to consider additional issues suggested in Table 2.
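The escrow rules described earlier (payment held at initiation and released on a shipment event without the buyer's approval) and the hash-only ledger entries discussed in this paragraph, as an added worked model that is not code from the paper or from any blockchain platform. The `Ledger`, `EscrowContract`, event format and the use of a random nonce in the commitment are assumptions of this example; the point it shows is what a non-initiator participant can still verify (the hash chain and a commitment it has been given the data for) and what it cannot (the rules themselves).

```python
import hashlib
import json
import secrets

# Constructed model, not code from the paper or from any blockchain platform:
# a consortium ledger storing a salted hash commitment per transaction (not the
# data) and an escrow contract whose "if-then-else" rules fire on events.


def commit(tx: dict, nonce: bytes) -> str:
    """Hash commitment for a transaction; only this digest goes on the ledger.
    The random nonce keeps predictable fields (amounts, party names) from being
    recovered from the digest, while the parties holding data and nonce can
    still prove what was committed."""
    payload = json.dumps(tx, sort_keys=True).encode() + nonce
    return hashlib.sha256(payload).hexdigest()


def verify_commitment(tx: dict, nonce: bytes, committed: str) -> bool:
    """What a participant or auditor can check once handed the data and nonce."""
    return commit(tx, nonce) == committed


class Ledger:
    """Append-only hash chain shared by consortium nodes (no consensus round)."""

    GENESIS = "0" * 64

    def __init__(self):
        self.blocks = []

    @staticmethod
    def _hash(prev: str, record: dict) -> str:
        body = json.dumps(record, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, record: dict) -> str:
        prev = self.blocks[-1]["hash"] if self.blocks else self.GENESIS
        block_hash = self._hash(prev, record)
        self.blocks.append({"prev": prev, "record": record, "hash": block_hash})
        return block_hash

    def is_consistent(self) -> bool:
        """Tamper-evidence check any node can run: each block must chain to
        its predecessor and still hash to its stored value."""
        prev = self.GENESIS
        for block in self.blocks:
            if block["prev"] != prev or self._hash(prev, block["record"]) != block["hash"]:
                return False
            prev = block["hash"]
        return True


class EscrowContract:
    """Rules written by the smart contract initiator: the payment is held at
    initiation, a shipment event for this order releases it to the seller, and
    a clock event past the deadline refunds the buyer. Nobody approves either."""

    def __init__(self, ledger: Ledger, order_id: str, buyer: str, seller: str,
                 amount: int, deadline: int):
        self.ledger, self.order_id = ledger, order_id
        self.buyer, self.seller, self.amount = buyer, seller, amount
        self.deadline = deadline
        self.escrow = amount                 # held by the contract itself
        self.payout = {buyer: 0, seller: 0}  # what each party has received
        self.offchain = []                   # (tx, nonce) pairs kept by the parties
        self.state = "FUNDED"
        self._record("funded")

    def _record(self, event: str) -> str:
        """Put a hash commitment on the ledger; the data itself stays off-chain."""
        tx = {"order": self.order_id, "event": event, "amount": self.amount}
        nonce = secrets.token_bytes(16)
        self.offchain.append((tx, nonce))
        return self.ledger.append({"order": self.order_id,
                                   "commitment": commit(tx, nonce)})

    def on_event(self, event: dict) -> str:
        """Apply the if-then-else rules to one event; returns the new state."""
        if self.state != "FUNDED":
            return self.state  # terminal state: later events are ignored
        if event["type"] == "shipment" and event.get("order") == self.order_id:
            self.payout[self.seller] += self.escrow
            self.escrow, self.state = 0, "RELEASED"
        elif event["type"] == "clock" and event["time"] > self.deadline:
            self.payout[self.buyer] += self.escrow
            self.escrow, self.state = 0, "REFUNDED"
        else:
            return self.state  # no rule matched; nothing is written
        self._record(self.state.lower())
        return self.state
```

A participant that is handed only the ledger can confirm the chain is intact but learns nothing about amounts; one that is also handed the off-chain data and nonce can confirm that data matches the commitment.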

Concerns in the information, communication, and reporting component, related to identifying and establishing performance metrics and obtaining access to the data, might pose a challenge for companies if they are mere participants in a blockchain coalition. Further, once the barrier to obtaining the data is overcome, the company will have to identify how to use the data, who should be held responsible for monitoring and responding to performance issues, what communication channels should be established, and how to establish these channels. Once all of the above challenges have been addressed, companies will have to consider the reporting requirements for data pertaining to smart contracts: who the audience is, what aspects are to be reported, how to obtain the transaction data from smart contracts, and how to maintain the security, privacy, and confidentiality of such reports.

Blockchain technology and smart contracts can improve transparency and information sharing, hence facilitate a single version of the truth. Despite this, internal controls assessment for a particular company can be challenging because the company may be just a participant and may not have any influence over how the technology and smart contracts are implemented. Consequently, most companies will have to accept the single source of truth without having any assurance of whether there are any preventive, detective, and corrective controls for creating, updating, and processing of transactions. Hence, a critical question that requires further exploration is whether existing frameworks designed to approach risk and controls from a single company perspective are appropriate in a blockchain and smart contract environment that spans multiple companies.

There are several areas of concern for the accounting and assurance profession that deserve further exploration and discussion. First, we should consider whether the governance of blockchain should be addressed in addition to the governance of the company. Who would be responsible for the governance and management of blockchain should be clearly defined and addressed holistically rather than at a participating company level. Lee and Green (2015) suggest taking a systems thinking approach (taking a holistic view) to ERM. Using this approach, one potential solution is for the blockchain coalition to hire auditors that provide assurance that spans the boundaries of any single company. Second, we should consider whether COSO's integrated and ERM frameworks, as is, can be applied to the blockchain at an industry or blockchain consortium level, and, if not, how should the framework be modified to fit an industry coalition? Third, regulators should consider the best way to perform and share audit and assurance services of a blockchain. For example, should a blockchain coalition perform a SOC audit of controls and share the information with the participating companies? Before recommending a SOC audit for a blockchain coalition, regulators will have to consider whether a competitor would want to provide an inside look at their controls, identify proprietary information using a SOC report, and decide if providing a SOC report for the coalition members is adequate. These considerations could potentially help standard setters and regulators to provide authoritative guidance.

Arnold, V., T. S. Benford, C. Hampton, and S. G. Sutton. 2012. Enterprise risk management as a strategic governance mechanism in B2B-enabled transnational supply chains. Journal of Information Systems 26 (1): 51–76.

Arnold, V., T. S. Benford, C. Hampton, and S. G. Sutton. 2014. Enterprise risk management: Re-conceptualizing the role of risk and trust on information sharing in transnational alliances. Journal of Information Systems 28 (2): 257–285.

Balakrishnan, R., E. M. Matsumura, and S. Ramamoorti. 2019. Finding common ground: COSO's control frameworks and the levers of control. Journal of Management Accounting Research 31 (1): 63–83.

Braumann, E. C. 2018. Analyzing the role of risk awareness in enterprise risk management. Journal of Management Accounting Research 30 (2): 241–268.

Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2013. Internal Control—Integrated Framework.

Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2017. Enterprise risk management: Integrating with strategy and performance.

Dai, J., and M. A. Vasarhelyi. 2017. Toward blockchain-based accounting and assurance. Journal of Information Systems 31 (3): 5–21.

Fanning, K., and D. P. Centers. 2016. Blockchain and its coming impact on financial services. Journal of Corporate Accounting & Finance 27 (5): 53–57.

Janvrin, D. J., E. A. Payne, P. Byrnes, G. P. Schneider, and M. B. Curtis. 2012. The updated COSO Internal Control—Integrated Framework: Recommendations and opportunities for future research. Journal of Information Systems 26 (2): 189–213.

Kiviat, T. I. 2015. Beyond Bitcoin: Issues in regulating blockchain transactions. Duke Law Journal 65: 269.

Landsittel, D. L., and L. E. Rittenberg. 2010. COSO: Working with the academic community. Accounting Horizons 24 (3): 455–469.

Lee, L. S., and E. Green. 2015. Systems thinking and its implications in enterprise risk management. Journal of Information Systems 29 (2): 195–210.

Liu, M., K. Wu, and J. J. Xu. 2019. How will blockchain technology impact auditing and accounting? Permissionless versus permissioned blockchain. Current Issues in Auditing 13 (2): A19–A29.

NC State and Protiviti. 2019. Executive perspectives on top risks 2020. Key issues being discussed in the board room and C-suite.

Oracle/Deloitte. 2018. Enhancing supply chains with the transparency and security of distributed ledger technology.

Peters, G. W., and E. Panayi. 2016. Understanding modern banking ledgers through blockchain technologies: Future of transaction processing and smart contracts on the internet of money.

PricewaterhouseCoopers (PwC). 2019. Re-inventing internal controls in the digital age.

Sheldon, M. D. 2019. A primer of information technology general control considerations on a private and permissioned blockchain audit. Current Issues in Auditing 13 (1): A15–A29.

Stein Smith, S., and J. Castonguay. 2020. Blockchain and accounting governance: Emerging issues and considerations for accounting and assurance professionals. Journal of Emerging Technologies in Accounting 17 (1): 119–131.

Swan, M. 2015. Blockchain: A Blueprint for a New Economy. Sebastopol, CA: O'Reilly & Associates.

Szabo, N. 1997. Formalizing and securing relationships on public networks. First Monday 2 (9).

Vincent, N., A. Skjellum, and S. Medury. 2020. Blockchain architecture: A design that helps CPA firms leverage the technology. International Journal of Accounting Information Systems 38 (September).

Zheng, Z., S. Xie, H. Dai, X. Chen, and H. Wang. 2017. An overview of blockchain technology: Architecture, consensus, and future trends.
1 A smart contract can be executed in a permissioned or a permissionless blockchain. A smart contract initiator would develop the algorithm on the blockchain. Most smart contract-capable blockchains currently follow an order-execute architecture in which, first, the consensus protocol validates and orders the transaction and propagates the code to other nodes, and, second, each node executes the transaction (hyperledger-fabric). When the algorithm is submitted to a permissioned blockchain, the node responsible for validating the transactions performs the first step, whereas in a permissionless blockchain every node in the network performs the first step and hence validates the transaction. Regardless of whether the blockchain is permissioned or permissionless, the execution is carried out by every node in the network.

2 A group of smart contracts working together to function like an application is a distributed application (DApp), and a group of DApps working together can create a distributed autonomous organization (DAO), which is an autonomous organization that runs completely on smart contracts/DApps.

3 See Balakrishnan, Matsumura, and Ramamoorti (2019) for a side-by-side evaluation of COSO's Internal Control—Integrated Framework and ERM.

4 We define a participant in a smart contract as a firm that is impacted by the conditions defined in the smart contract but is not responsible for the development or the execution of the contract.