SUMMARY
This article summarizes “Tracking Tangible Asset Ownership and Provenance with Blockchain” (Sheldon 2022), which introduces auditors to the risks of using blockchain’s shared repository to track assets in the physical world. The underlying challenge is keeping the status of tangible assets aligned with their digital representations on a blockchain. In response, the summary focuses on the parties, technologies, and processes that make this task complex. The summary begins with an overview of how blockchain can be used to track tangible assets, then discusses four stages of tracking tangible assets with blockchain: (1) design and governance of a blockchain, (2) asset creation, (3) asset transfer, and (4) asset retirement. Based on the risks highlighted in these four stages, the summary presents a framework of risk considerations and control objectives that auditors can use to evaluate the extent to which a blockchain serves as a reliable repository for tracking tangible assets.
I. INTRODUCTION
Although blockchain gained notoriety for allowing users to send digital tokens (assets) directly to one another in an online environment (e.g., Bitcoin), more recent use cases show that the technology can also be used to track the ownership and provenance of tangible assets (e.g., Higginson, Nadeau, and Rajgopal 2019). For example, Walmart uses blockchain to track the provenance of certain foods, allowing it to quickly identify the origin and distribution of potentially hazardous items and/or batches (Hyperledger 2020b). Everledger departs from food and instead uses blockchain to track the origin and authenticity of diamonds, wine and spirits, and luxury goods (e.g., designer handbags) (Austin 2020). Finally, Honeywell Aerospace uses blockchain in its marketplace for used airplane parts and attaches digital recertification documents to items listed on its blockchain-based platform (Hyperledger 2020a). In each of these examples, the companies track the origin and movements of tangible assets using unique digital tokens on a blockchain that represent those tangible assets.
Using blockchain in this manner has powerful implications for the auditing profession, as it gives auditors access to the real-time history of a tangible asset that has been verified, validated, and agreed upon by owners of digital tokens and tangible assets, exchange counterparties, and other stakeholders in the blockchain ecosystem. As such, it also provides support for (1) a tangible asset’s origin and authenticity, (2) an owner’s claims to the tangible asset, and (3) key accounting documentation about the tangible asset (e.g., purchase date and cost) (Hoare 2015). When implemented correctly, the status of the tangible asset remains closely aligned with its digital token counterpart on a blockchain (i.e., in terms of condition, location, owner, etc.). However, any reporting that is dependent upon digital tokens presents a series of new risks that auditors must consider.
In June 2023, the Public Company Accounting Oversight Board (PCAOB) released “Spotlight: Inspection Observations Related to Public Company Audits Involving Crypto Assets” (Public Company Accounting Oversight Board (PCAOB) 2023b). Here, a crypto asset is defined as “an asset secured through cryptography that resides on a distributed ledger based on blockchain technology” and can include (but is not limited to) “virtual currencies, coins, or tokens” (PCAOB 2023b, 3). With regard to its review of public company audits, the PCAOB “identified deficiencies where the auditor did not perform procedures to evaluate the sufficiency and appropriateness of audit evidence obtained over the existence, valuation, and the rights and obligations of crypto assets recorded at year end” (PCAOB 2023b, 4). As a result, the PCAOB called for “greater focus by auditors on the identification and assessment of the risks of material misstatement to the financial statements associated with crypto assets” (PCAOB 2023b, 4). Given the PCAOB’s findings, there is a pressing need for auditors to be more informed about the risks and audit implications of various blockchain crypto assets, including tokens used to track tangible assets.
Sheldon (2022) introduces managers and auditors to the risks of using digital tokens on a consortium’s permissioned blockchain to track the provenance of tangible assets in the physical world.1 In doing so, Sheldon (2022) develops a framework of risk considerations and control objectives that managers and auditors can use to evaluate the extent to which a permissioned consortium blockchain serves as a reliable repository for tracking tangible assets (i.e., managers for implementation and usage of the blockchain and auditors for assessment of the blockchain).2,3 To develop this framework, Sheldon (2022) evaluates four distinct stages of tracking a tangible asset’s provenance with blockchain. Based on the resulting framework, the reliability of a blockchain to track tangible assets improves as more control objectives are achieved to mitigate the identified risks. The current study summarizes and expands upon key audit takeaways from Sheldon (2022).
II. ROLE OF BLOCKCHAIN
Traditionally, the owner of a tangible asset maintains the sole record of its provenance, requiring subsequent buyers to either trust this record or independently validate the seller's claims. Blockchain presents an alternative way to maintain a tangible asset’s provenance by recording changes to its status (i.e., ownership, condition, or location) in a shared repository that is verified, validated, and agreed-upon by consortium participants.4 These same participants maintain the blockchain and thus the record of a tangible asset’s provenance and are incentivized to behave honestly given potential legal recourse (including the cost of litigation) as well as the risk of losing access to the blockchain and/or business partnerships enabled by the blockchain.5 Additionally, blockchain can integrate with the physical world using Internet-of-Things (IoT) devices such as radio frequency ID (RFID) tags and sensors. These devices provide data to the blockchain to help ensure the status of a tangible asset remains synchronized with its digital token counterpart, which is typically in the form of a nonfungible token (NFT).6 As such, to maintain alignment between the physical and digital (blockchain) worlds, any changes to the status of a tangible asset must be quickly and reliably submitted to the blockchain. Furthermore, in order for the NFT to be updated, real-world events must be observed and then communicated in a way that convinces blockchain participants that the event occurred as reported.
Blockchain also offers configurable features that help maintain a reliable record of tangible assets. For example, consortium participants can predefine protocols that stipulate the evidence necessary to verify and validate new entries to the blockchain repository (e.g., a trusted human must observe and report transactions that involve a physical exchange). Furthermore, blockchain protocols can stipulate the proportion of participants needed to reach a consensus for a transaction to be validated and added to the repository (Warburg, Wagner, and Serres 2019). It is essential to carefully define the evidence needed to verify and validate transactions, as well as the requirements for consensus, as transactions added to the blockchain repository are difficult to alter or delete.7
Although numerous blockchain consortiums exist for tracking tangible assets, details on these implementations remain scarce. Sheldon (2022) therefore delineates and examines the four stages of tracking tangible assets with blockchain, then develops a framework of risk considerations and control objectives relevant to each stage.
III. STAGES AND EVALUATION FRAMEWORK
The risks discussed (along with several others) throughout this section appear in Table 1 alongside control objectives that Sheldon (2022) proposes managers and auditors can use when evaluating the extent to which a consortium’s permissioned blockchain serves as a reliable repository for tracking tangible assets.
TABLE 1. Summary of Control Objectives and Risk Considerations When Using Blockchain to Track Tangible Assets
CO # | Control Objective Description (Controls Provide Reasonable Assurance That…) | Risk Considerations |
---|---|---|
Stage One: Design and Governance Considerations | ||
1.1 | …the consortium has a charter in place that is agreed to by all original and subsequent network participants and member organizations. The charter should address technical details about the blockchain and any relevant processes used to support blockchain operations. | As part of initiating a blockchain consortium, the originating member organizations should develop and agree to a charter that includes key technical details about the blockchain and the processes used to support the operation of the blockchain. Any subsequent member organizations should also be required to adhere to the charter. For purposes of this study, the most relevant technical details and processes to define in the charter include: Technical Details: - What types of permissioned access rights exist on the blockchain (e.g., verify the occurrence of events/transactions, submit transactions, validate transactions and participate in the consensus to add transactions to the repository, and/or maintain a copy of the blockchain repository)? - Which network participants may possess certain permissioned access rights (or combinations of permissioned access rights)? - Which oracles are allowed to provide the blockchain with exogenous data (or what are the criteria for selecting an oracle)? - What are the acceptable forms of evidence to verify and validate the creation/transfer/retirement of a tangible asset? - What is the minimum level of consensus required to record events/transactions to the blockchain repository? - What attributes must be assigned to each nonfungible token used to represent a tangible asset (e.g., asset name, asset identification tag, serial/model number, creation date, creation location, picture, etc.)? - Which attributes of a nonfungible token are visible to network participants and which attributes remain private to specific parties? - What data standards must be followed when assigning/attaching information to nonfungible tokens (i.e., for interoperability purposes)? Supporting Processes: - What is the process to provision permissioned access rights (i.e., request, approve, and implement), and who has the authority to request, approve, and/or implement these access rights? - What is the process to design, test, and implement smart contracts? Who has the authority to approve and deploy new smart contracts? - What is the process to retire smart contracts that are no longer used/relevant? - When should smart contracts be audited, how should they be audited, and who may perform these audits? - What is the process to recertify the quality/condition of a tangible asset and attach this recertification to the respective nonfungible token (including who is allowed to perform recertifications for different assets)? Note that recertification can be performed as part of a periodic valuation assessment of the asset, when there is a major change to the asset, and/or when the asset is about to be transferred/sold. Additional considerations include: • How is the recertification expert identified (and agreed to by the seller and buyer if recertification is part of a transfer/sale)? • Is the recertification performed by an expert that is credentialed to perform the task? • What happens if the owner/seller/buyer disagrees with the expert’s conclusion that the asset qualifies as recertified? - What is the process to resolve discrepancies between the physical world (i.e., who possesses the tangible asset) and the blockchain (e.g., who controls the tangible asset’s nonfungible token)? - What is the process to amend the original consortium charter, including how many member organizations must approve such changes? |
1.2 | …the (level of) permissioned access granted to network participants remains appropriate. | Permissioned abilities should be reviewed for reasonableness while also considering the processes implemented to address: - How the permissioned access rights of new network participants are authorized and granted - How changes to permissioned access rights for existing network participants are authorized and granted/removed - How the permissioned access rights of terminated network participants are removed The following risks/practices should be considered: - Is there a concentration of higher-power permissioned access (e.g., voting in the consensus) shared among too few network participants? - Do network participants maintain higher power permissioned access than necessary to perform a role (e.g., it might not be appropriate for network participants who provide certification records to vote in the consensus)? - Should network participants with permissioned access to verify the creation or sale/transfer of a tangible asset be restricted from other permissions, such as submitting this transaction to the blockchain or participating in its consensus vote? - Should network participants with permissioned access to validate the creation or sale/transfer of a tangible asset (i.e., participate in its consensus vote) be restricted from other permissions, such as submitting this transaction to the blockchain or verifying the transaction? |
1.3 | …smart contracts deployed to the blockchain are subject to a formal design, development, testing, approval, and release process. | Smart contracts may be used for critical events on the blockchain, such as minting nonfungible tokens and acting as an escrow agent that holds the buyer’s and seller’s assets as part of an exchange agreement. Once deployed, smart contracts are difficult to modify, and once executed, the resulting movement of assets is nearly irreversible. As such, any smart contract deployed on the consortium blockchain should be subject to a robust design, development, testing, approval, and release process. This applies whether the smart contract will be used for a single event such as a sale or used for many events such as the minting of nonfungible tokens. |
1.4 | …smart contracts are retired/blocked when they are no longer applicable to the consortium’s operations. | As operations change, it is likely that legacy smart contracts will need to be replaced by new smart contracts that are more tailored to the current environment. By calling smart contracts that are no longer relevant, users are exposed to the risk that the smart contract does not adhere to current regulatory/contractual agreements and that assets might be transferred to an unintended party. As such, there should be a process in place to either block smart contracts that are no longer relevant or to maintain a listing of smart contract addresses that should no longer be called. |
Stage Two: Asset Creation | ||
2.1 | …when a tangible asset is created, it is attached to a secure asset identification tag that uniquely identifies the tangible asset. | - Considering the need to uniquely identify the asset, is an appropriate asset identification tag used to convey the information stored on the tag (e.g., barcode, QR code, RFID/near-field communication tag)? - Has the asset identification tag been attached to the asset in a way that it cannot be inappropriately removed (or would such tampering be evident and flagged)? - What safeguards have been implemented to ensure the data stored/presented on the asset identification tag cannot be inappropriately modified or copied and placed on another asset identification tag (e.g., spoofing an RFID tag)? |
2.2 | …only authorized network participants or oracles (1) verify the creation of a tangible asset and (2) submit evidence of this event to the smart contract used to mint the asset’s nonfungible token. | - Which network participants and oracles are authorized to verify the creation of a tangible asset and submit evidence of its creation? - How is the creation of the tangible asset observed, and is this persuasive in the unique circumstances? Evidence of this observation might include one or more of the following: • A live or recorded video of the creation • A neutral third party observing the creation • Live observation of the creation by network participants - How is this observation communicated to the blockchain (i.e., does the device used to observe the transaction interface directly with a blockchain node, or does the observation get communicated through an intermediary that should also be evaluated for security purposes)? - Are the devices used to observe the transaction protected from unauthorized access or use (i.e., physical access to the device and logical access to its data and software)? - How do the smart contract parties ensure that details of the physical creation are routed to the correct smart contract? |
2.3 | …network participants validate the creation of a tangible asset using approved forms of evidence. | - What forms of evidence submitted to the blockchain are network participants allowed to use in order to validate the creation of different types of tangible assets? - How are network participants forced to use approved forms of evidence in order to validate the creation of a tangible asset? |
2.4 | …network participants must reach the required level of consensus on the tangible asset’s creation before the smart contract will mint the asset’s nonfungible token. | - Given the number of network participants who vote in the consensus and the type(s) of evidence required to validate the creation of the tangible asset, it would be appropriate to revisit: • Is a lower level of required consensus offset by requiring higher quality and/or more objective forms of evidence? • Are lower quality and/or less objective forms of evidence (as used in validation) offset by requiring higher levels of consensus? - How does the smart contract that mints the asset’s nonfungible token enforce the required level of consensus (as defined in the charter) among authorized network participants that the tangible asset has been created before minting the nonfungible token? • Any failure to enforce this consensus could result in the minting of unauthorized nonfungible tokens. |
2.5 | …the smart contract accurately assigns all required attributes to the nonfungible token upon its minting (e.g., asset name, identification tag number/reference, serial/model number, creation date/location, and picture). | - What attributes about the tangible asset does the smart contract require prior to minting its nonfungible token? For example: • Asset name • Asset identification tag reference • Serial/model number • Creation date/location • Picture of the asset - How does the smart contract ensure that the required attributes are accurately recorded and assigned to the nonfungible token? - Details about the tangible asset’s inception will be more prone to error or inaccuracies the longer it takes to assign these attributes to the nonfungible token, potentially leading to challenges in defending the asset’s authenticity at a later point in time. - In certain situations, it might be appropriate to obtain records of licenses, inspections, and/or certification of the manufacturing plant or other origin of the asset to further demonstrate the authenticity of the asset (and attach these records to the respective nonfungible token). • What party is responsible for submitting these licenses/inspections/certifications to the blockchain (or is responsible for making this information available to authorized network participants upon request)? • How are any licenses/inspections/certifications attached to the specific nonfungible token? |
2.6 | …the asset identification tag is serviced regularly. If the tag must be replaced, the legacy tag is decommissioned and the new tag is associated with the respective nonfungible token. | - How long is the asset identification tag expected to be in service as compared to the expected useful life of the tangible asset? - What procedures have been implemented to ensure the asset identification tag is routinely serviced before it becomes unreadable due to damage or loss of power (i.e., if the tag is active and has its own power source)? - What procedures are in place to replace the asset identification tag if it becomes unreadable, and how will the new tag be associated with the respective nonfungible token? - What are the procedures in place to retire the legacy tag, such that it is completely decommissioned (i.e., so it does not later send out signals after being replaced)? |
2.7 | …IoT devices used to track tangible assets adhere to the same controls as asset identification tags and also maintain secure network connectivity, data storage, and configurations. | IoT devices used to track different aspects of the tangible asset (e.g., location, orientation, and surrounding temperature/humidity) should adhere to the same considerations as provided in Control Objectives 2.1 and 2.6. Furthermore, the following risks/practices should also be considered: - For IoT devices with network interface capabilities, what safeguards have been implemented to protect the device from the risks and threats faced by other internet-connected devices (e.g., cyberattacks, loss of control of the device, unauthorized changes to stored data)? - How have IoT devices been configured to capture the intended occurrence? - What measures have been taken to ensure the IoT device stores data securely? - How does the IoT device transmit collected information completely and accurately to an intermediary device or directly to the blockchain? |
Stage Three: Asset Transfer | ||
3.1 | …longer-lived tangible assets that are prone to deterioration are recertified (quality/condition) by an expert when the asset experiences a significant change and/or prior to a transfer/sale of the asset, and this recertification is attached to the respective nonfungible token. | - Is there a recertification of the longer-lived tangible asset when a significant change is made to the asset and/or prior to any sale/transfer of the asset in accordance with the consortium’s charter? - What party is responsible for uploading the recertification record to the blockchain (or is responsible for making the recertification available to authorized network participants upon request)? - How is this recertification record/status attached to the respective nonfungible token? |
3.2 | …if an expert is recertifying the quality/condition of a tangible asset and determines that the tangible asset should be retired, this status is attached to the respective nonfungible token and/or the token is burned. | - What party is responsible for uploading the retirement record to the blockchain (or is responsible for making the retirement record available to authorized network participants upon request)? - How is this retirement record/status attached to the respective nonfungible token, and does this burn (i.e., destroy) the nonfungible token? - If the expert determines that the asset should be retired, is this status submitted to the smart contract used to facilitate the exchange and thus trigger the return of the payment and the nonfungible token to their original owners (and possibly burn the nonfungible token in the process)? |
3.3 | …only authorized network participants or oracles (1) verify the transfer of a tangible asset and (2) submit evidence of this event to the smart contract used to transfer the asset’s nonfungible token. | - Which network participants and oracles are authorized to verify the transfer of a tangible asset and submit evidence of its transfer? - How is the transfer of the tangible asset observed, and is this persuasive in the unique circumstances? Evidence of this observation might include one or more of the following: • A live or recorded video showing the delivery of the tangible asset to a specific location/party • A neutral third party observing the sale/transfer • Live observation of the sale/transfer by network participants • The recipient scanning the asset’s ID tag to acknowledge possession • A GPS device attached to the tangible asset showing it arrived at a specific location - How is this observation communicated to the blockchain (i.e., does the device used to observe the transaction interface directly with a blockchain node, or does the observation get communicated through an intermediary that should also be evaluated for security purposes)? - Are the devices used to observe the transaction protected from unauthorized access or use (i.e., physical access to the device and logical access to its data and software)? - How do the smart contract parties ensure that the results of the physical transfer are routed to the correct smart contract? |
3.4 | …network participants validate the transfer of a tangible asset using approved forms of evidence. | - What forms of evidence submitted to the blockchain are network participants allowed to use in order to validate the transfer of different types of tangible assets? - How are network participants forced to use approved forms of evidence in order to validate the transfer of a tangible asset? |
3.5 | …network participants must reach the required level of consensus on a tangible asset’s transfer before the smart contract will transfer the asset’s nonfungible token. | - Given the number of network participants that vote in the consensus and the type(s) of evidence required to validate the transfer of the tangible asset, it would be appropriate to revisit: • Is a lower level of required consensus offset by requiring higher quality and/or more objective forms of evidence? • Are lower quality and/or less objective forms of evidence (as used in validation) offset by requiring higher levels of consensus? - How does the smart contract that transfers the asset’s nonfungible token enforce the required level of consensus (as defined in the charter) among authorized network participants that the tangible asset has been transferred before releasing the nonfungible token? • Any failure to enforce this consensus could result in the unauthorized transfer of nonfungible tokens. |
3.6 | …the smart contract used to enable the transfer is configured to simultaneously release the payment and nonfungible token when the required conditions are met. Otherwise, the payment and nonfungible token are returned to their original owners. | - How is the smart contract set up to collect sufficient payment from the buyer and the correct nonfungible token from the seller? - What is the trigger event for the smart contract to release the payment to the seller and the nonfungible token to the buyer (see Control Objective 3.3 for evidence to determine whether this event happened)? - When does the trigger event need to happen by? • What happens to the payment and nonfungible token held in escrow if the trigger event does not occur (or is not reported to the smart contract) by this time? |
Stage Four: Asset Retirement Outside of Recertification Procedures | ||
4.1 | …if a tangible asset has reached the point of retirement outside of a transfer or recertification event, this status is attached to the respective nonfungible token and/or the token is burned. | - What processes are in place to determine whether the tangible asset should be retired? - How does the owner upload the retirement record to the blockchain (or make the retirement record available to authorized network participants upon request)? - How is this retirement record/status attached to the specific nonfungible token, and does this cause the nonfungible token to be burned (i.e., destroyed)? |
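
The transfer escrow described in Control Objectives 3.3 to 3.6, together with the role separation asked about under 1.2, can be modelled in a few lines. This is an added example, not code from Sheldon (2022) or from any consortium: it is a plain-Python model rather than chaincode, and the class, field, and participant names, the evidence types, and the 2/3 quorum are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    FUNDED = "funded"      # payment and token are both held by the escrow
    RELEASED = "released"  # payment went to seller, token went to buyer
    REFUNDED = "refunded"  # payment and token went back to original owners


@dataclass(frozen=True)
class Charter:
    """Hypothetical charter parameters (CO 1.1); all names are assumptions."""
    validators: frozenset         # participants allowed to vote in the consensus
    oracles: frozenset            # parties allowed to verify and submit evidence
    approved_evidence: frozenset  # evidence types validators may rely on
    quorum_num: int               # required consensus as a fraction num/den
    quorum_den: int

    def required_votes(self) -> int:
        # Integer ceiling of len(validators) * num / den (no float rounding).
        return -(-len(self.validators) * self.quorum_num // self.quorum_den)


@dataclass
class TransferEscrow:
    charter: Charter
    token_id: str
    seller: str
    buyer: str
    price: int
    deadline: int                 # logical time by which the trigger must occur
    state: State = State.FUNDED
    token_holder: str = "escrow"
    payment_holder: str = "escrow"
    evidence: dict = field(default_factory=dict)  # evidence type -> oracle
    approvals: set = field(default_factory=set)

    def _require_open(self, now: int) -> None:
        if self.state is not State.FUNDED:
            raise RuntimeError(f"escrow already {self.state.value}")
        if now > self.deadline:
            raise RuntimeError("deadline passed; call expire() to refund")

    def submit_evidence(self, oracle: str, kind: str, now: int) -> None:
        """CO 3.3/3.4: only authorized oracles, only approved evidence types."""
        self._require_open(now)
        if oracle not in self.charter.oracles:
            raise PermissionError(f"{oracle} may not submit evidence")
        if kind not in self.charter.approved_evidence:
            raise ValueError(f"{kind} is not an approved form of evidence")
        self.evidence[kind] = oracle

    def approve(self, validator: str, now: int) -> State:
        """CO 3.5: count one vote per authorized, independent validator."""
        self._require_open(now)
        if validator not in self.charter.validators:
            raise PermissionError(f"{validator} may not vote in the consensus")
        # CO 1.2 segregation of duties: parties to the exchange and the oracles
        # that verified it may not also validate it.
        conflicted = {self.seller, self.buyer} | set(self.evidence.values())
        if validator in conflicted:
            raise PermissionError(f"{validator} has a conflicting role")
        if not self.evidence:
            raise RuntimeError("no approved evidence to validate against")
        self.approvals.add(validator)  # a set, so repeat votes do not stack
        if len(self.approvals) >= self.charter.required_votes():
            # CO 3.6: both legs settle in the same step, never one alone.
            self.token_holder, self.payment_holder = self.buyer, self.seller
            self.state = State.RELEASED
        return self.state

    def expire(self, now: int) -> State:
        """CO 3.6: after the deadline, return both assets to their owners."""
        if self.state is State.FUNDED and now > self.deadline:
            self.token_holder, self.payment_holder = self.seller, self.buyer
            self.state = State.REFUNDED
        return self.state


def constructed_charter() -> Charter:
    # Constructed sample data, not taken from any real consortium.
    return Charter(
        validators=frozenset({"val-a", "val-b", "val-c", "seller-co"}),
        oracles=frozenset({"carrier-oracle"}),
        approved_evidence=frozenset({"tag_scan", "gps_arrival"}),
        quorum_num=2, quorum_den=3,
    )


if __name__ == "__main__":
    esc = TransferEscrow(constructed_charter(), "NFT-0001",
                         "seller-co", "buyer-co", 500, deadline=10)
    esc.submit_evidence("carrier-oracle", "tag_scan", now=1)
    for voter in ("val-a", "val-a", "val-b", "val-c"):
        print(voter, esc.approve(voter, now=2).value)
```

In the constructed charter the seller is also a validator, so its vote is refused and the three remaining validators must all approve to reach the 2/3 quorum of four. This is the trade-off between consensus level and voter independence that the table asks reviewers to revisit.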
CO # . | Control Objective Description (Controls Provide Reasonable Assurance That…) . | Risk Considerations . |
---|---|---|
Stage One: Design and Governance Considerations | ||
1.1 | …the consortium has a charter in place that is agreed to by all original and subsequent network participants and member organizations. The charter should address technical details about the blockchain and any relevant processes used to support blockchain operations. | As part of initiating a blockchain consortium, the originating member organizations should develop and agree to a charter that includes key technical details about the blockchain and the processes used to support the operation of the blockchain. Any subsequent member organizations should also be required to adhere to the charter. For purposes of this study, the most relevant technical details and processes to define in the charter include: Technical Details: - What types of permissioned access rights exist on the blockchain (e.g., verify the occurrence of events/transactions, submit transactions, validate transactions and participate in the consensus to add transactions to the repository, and/or maintain a copy of the blockchain repository)? - Which network participants may possess certain permissioned access rights (or combinations of permissioned access rights)? - Which oracles are allowed to provide the blockchain with exogenous data (or what are the criteria for selecting an oracle)? - What are the acceptable forms of evidence to verify and validate the creation/transfer/retirement of a tangible asset? - What is the minimum level of consensus required to record events/transactions to the blockchain repository? - What attributes must be assigned to each nonfungible token used to represent a tangible asset (e.g., asset name, asset identification tag, serial/model number, creation date, creation location, picture, etc.)? - Which attributes of a nonfungible token are visible to network participants and which attributes remain private to specific parties? - What data standards must be followed when assigning/attaching information to nonfungible tokens (i.e., for interoperability purposes)? 
Supporting Processes: - What is the process to provision permissioned access rights (i.e., request, approve, and implement), and who has the authority to request, approve, and/or implement these access rights? - What is the process to design, test, and implement smart contracts? Who has the authority to approve and deploy new smart contracts? - What is the process to retire smart contracts that are no longer used/relevant? - When should smart contracts be audited, how should they be audited, and who may perform these audits? - What is the process to recertify the quality/condition of a tangible asset and attach this recertification to the respective nonfungible token (including who is allowed to perform recertifications for different assets)? Note that recertification can be performed as part of a periodic valuation assessment of the asset, when there is a major change to the asset, and/or when the asset is about to be transferred/sold. Additional considerations include: • How is the recertification expert identified (and agreed to by the seller and buyer if recertification is part of a transfer/sale)? • Is the recertification performed by an expert that is credentialed to perform the task? • What happens if the owner/seller/buyer disagrees with the expert’s conclusion that the asset qualifies as recertified? - What is the process to resolve discrepancies between the physical world (i.e., who possesses the tangible asset) and the blockchain (e.g., who controls the tangible asset’s nonfungible token)? - What is the process to amend the original consortium charter, including how many member organizations must approve such changes? |
1.2 | …the (level of) permissioned access granted to network participants remains appropriate. | Permissioned abilities should be reviewed for reasonableness while also considering the processes implemented to address: - How the permissioned access rights of new network participants are authorized and granted - How changes to permissioned access rights for existing network participants are authorized and granted/removed - How the permissioned access rights of terminated network participants are removed The following risks/practices should be considered: - Is there a concentration of higher-power permissioned access (e.g., voting in the consensus) shared among too few network participants? - Do network participants maintain higher power permissioned access than necessary to perform a role (e.g., it might not be appropriate for network participants who provide certification records to vote in the consensus)? - Should network participants with permissioned access to verify the creation or sale/transfer of a tangible asset be restricted from other permissions, such as submitting this transaction to the blockchain or participating in its consensus vote? - Should network participants with permissioned access to validate the creation or sale/transfer of a tangible asset (i.e., participate in its consensus vote) be restricted from other permissions, such as submitting this transaction to the blockchain or verifying the transaction? |
1.3 | …smart contracts deployed to the blockchain are subject to a formal design, development, testing, approval, and release process. | Smart contracts may be used for critical events on the blockchain, such as minting nonfungible tokens and acting as an escrow agent that holds the buyer’s and seller’s assets as part of an exchange agreement. Once deployed, smart contracts are difficult to modify, and once executed, the resulting movement of assets is nearly irreversible. As such, any smart contract deployed on the consortium blockchain should be subject to a robust design, development, testing, approval, and release process. This applies whether the smart contract will be used for a single event such as a sale or used for many events such as the minting of nonfungible tokens. |
1.4 | …smart contracts are retired/blocked when they are no longer applicable to the consortium’s operations. | As operations change, it is likely that legacy smart contracts will need to be replaced by new smart contracts that are more tailored to the current environment. By calling smart contracts that are no longer relevant, users are exposed to the risk that the smart contract does not adhere to current regulatory/contractual agreements and that assets might be transferred to an unintended party. As such, there should be a process in place to either block smart contracts that are no longer relevant or to maintain a listing of smart contract addresses that should no longer be called. |
Stage Two: Asset Creation | ||
2.1 | …when a tangible asset is created, it is attached to a secure asset identification tag that uniquely identifies the tangible asset. | - Considering the need to uniquely identify the asset, is an appropriate asset identification tag used to convey the information stored on the tag (e.g., barcode, QR code, RFID/near-field communication tag)? - Has the asset identification tag been attached to the asset in a way that it cannot be inappropriately removed (or would such tampering be evident and flagged)? - What safeguards have been implemented to ensure the data stored/presented on the asset identification tag cannot be inappropriately modified or copied and placed on another asset identification tag (e.g., spoofing an RFID tag)? |
2.2 | …only authorized network participants or oracles (1) verify the creation of a tangible asset and (2) submit evidence of this event to the smart contract used to mint the asset’s nonfungible token. | - Which network participants and oracles are authorized to verify the creation of a tangible asset and submit evidence of its creation? - How is the creation of the tangible asset observed, and is this persuasive in the unique circumstances? Evidence of this observation might include one or more of the following: • A live or recorded video of the creation • A neutral third party observing the creation • Live observation of the creation by network participants - How is this observation communicated to the blockchain (i.e., does the device used to observe the transaction interface directly with a blockchain node, or does the observation get communicated through an intermediary that should also be evaluated for security purposes)? - Are the devices used to observe the transaction protected from unauthorized access or use (i.e., physical access to the device and logical access to its data and software)? - How do the smart contract parties ensure that details of the physical creation are routed to the correct smart contract? |
2.3 | …network participants validate the creation of a tangible asset using approved forms of evidence. | - What forms of evidence submitted to the blockchain are network participants allowed to use in order to validate the creation of different types of tangible assets? - How are network participants forced to use approved forms of evidence in order to validate the creation of a tangible asset? |
2.4 | …network participants must reach the required level of consensus on the tangible asset’s creation before the smart contract will mint the asset’s nonfungible token. | - Given the number of network participants who vote in the consensus and the type(s) of evidence required to validate the creation of the tangible asset, it would be appropriate to revisit: • Is a lower level of required consensus offset by requiring higher quality and/or more objective forms of evidence? • Are lower quality and/or less objective forms of evidence (as used in validation) offset by requiring higher levels of consensus? - How does the smart contract that mints the asset’s nonfungible token enforce the required level of consensus (as defined in the charter) among authorized network participants that the tangible asset has been created before minting the nonfungible token? • Any failure to enforce this consensus could result in the minting of unauthorized nonfungible tokens. |
2.5 | …the smart contract accurately assigns all required attributes to the nonfungible token upon its minting (e.g., asset name, identification tag number/reference, serial/model number, creation date/location, and picture). | - What attributes about the tangible asset does the smart contract require prior to minting its nonfungible token? For example: • Asset name • Asset identification tag reference • Serial/model number • Creation date/location • Picture of the asset - How does the smart contract ensure that the required attributes are accurately recorded and assigned to the nonfungible token? - Details about the tangible asset’s inception will be more prone to error or inaccuracies the longer it takes to assign these attributes to the nonfungible token, potentially leading to challenges in defending the asset’s authenticity at a later point in time. - In certain situations, it might be appropriate to obtain records of licenses, inspections, and/or certification of the manufacturing plant or other origin of the asset to further demonstrate the authenticity of the asset (and attach these records to the respective nonfungible token). • What party is responsible for submitting these licenses/inspections/certifications to the blockchain (or is responsible for making this information available to authorized network participants upon request)? • How are any licenses/inspections/certifications attached to the specific nonfungible token? |
2.6 | …the asset identification tag is serviced regularly. If the tag must be replaced, the legacy tag is decommissioned and the new tag is associated with the respective nonfungible token. | - How long is the asset identification tag expected to be in service as compared to the expected useful life of the tangible asset? - What procedures have been implemented to ensure the asset identification tag is routinely serviced before it becomes unreadable due to damage or loss of power (i.e., if the tag is active and has its own power source)? - What procedures are in place to replace the asset identification tag if it becomes unreadable, and how will the new tag be associated with the respective nonfungible token? - What are the procedures in place to retire the legacy tag, such that it is completely decommissioned (i.e., so it does not later send out signals after being replaced)? |
2.7 | …IoT devices used to track tangible assets adhere to the same controls as asset identification tags and also maintain secure network connectivity, data storage, and configurations. | IoT devices used to track different aspects of the tangible asset (e.g., location, orientation, and surrounding temperature/humidity) should adhere to the same considerations as provided in Control Objectives 2.1 and 2.6. Furthermore, the following risks/practices should also be considered: - For IoT devices with network interface capabilities, what safeguards have been implemented to protect the device from the risks and threats faced by other internet-connected devices (e.g., cyberattacks, loss of control of the device, unauthorized changes to stored data)? - How have IoT devices been configured to capture the intended occurrence? - What measures have been taken to ensure the IoT device stores data securely? - How does the IoT device transmit collected information completely and accurately to an intermediary device or directly to the blockchain? |
Stage Three: Asset Transfer | ||
3.1 | …longer-lived tangible assets that are prone to deterioration are recertified (quality/condition) by an expert when the asset experiences a significant change and/or prior to a transfer/sale of the asset, and this recertification is attached to the respective nonfungible token. | - Is there a recertification of the longer-lived tangible asset when a significant change is made to the asset and/or prior to any sale/transfer of the asset in accordance with the consortium’s charter? - What party is responsible for uploading the recertification record to the blockchain (or is responsible for making the recertification available to authorized network participants upon request)? - How is this recertification record/status attached to the respective nonfungible token? |
3.2 | …if an expert is recertifying the quality/condition of a tangible asset and determines that the tangible asset should be retired, this status is attached to the respective nonfungible token and/or the token is burned. | - What party is responsible for uploading the retirement record to the blockchain (or is responsible for making the retirement record available to authorized network participants upon request)? - How is this retirement record/status attached to the respective nonfungible token, and does this burn (i.e., destroy) the nonfungible token? - If the expert determines that the asset should be retired, is this status submitted to the smart contract used to facilitate the exchange and thus trigger the return of the payment and the nonfungible token to their original owners (and possibly burn the nonfungible token in the process)? |
3.3 | …only authorized network participants or oracles (1) verify the transfer of a tangible asset and (2) submit evidence of this event to the smart contract used to transfer the asset’s nonfungible token. | - Which network participants and oracles are authorized to verify the transfer of a tangible asset and submit evidence of its transfer? - How is the transfer of the tangible asset observed, and is this persuasive in the unique circumstances? Evidence of this observation might include one or more of the following: • A live or recorded video showing the delivery of the tangible asset to a specific location/party • A neutral third party observing the sale/transfer • Live observation of the sale/transfer by network participants • The recipient scanning the asset’s ID tag to acknowledge possession • A GPS device attached to the tangible asset showing it arrived at a specific location - How is this observation communicated to the blockchain (i.e., does the device used to observe the transaction interface directly with a blockchain node, or does the observation get communicated through an intermediary that should also be evaluated for security purposes)? - Are the devices used to observe the transaction protected from unauthorized access or use (i.e., physical access to the device and logical access to its data and software)? - How do the smart contract parties ensure that the results of the physical transfer are routed to the correct smart contract? |
3.4 | …network participants validate the transfer of a tangible asset using approved forms of evidence. | - What forms of evidence submitted to the blockchain are network participants allowed to use in order to validate the transfer of different types of tangible assets? - How are network participants forced to use approved forms of evidence in order to validate the transfer of a tangible asset? |
3.5 | …network participants must reach the required level of consensus on a tangible asset’s transfer before the smart contract will transfer the asset’s nonfungible token. | - Given the number of network participants that vote in the consensus and the type(s) of evidence required to validate the transfer of the tangible asset, it would be appropriate to revisit: • Is a lower level of required consensus offset by requiring higher quality and/or more objective forms of evidence? • Are lower quality and/or less objective forms of evidence (as used in validation) offset by requiring higher levels of consensus? - How does the smart contract that transfers the asset’s nonfungible token enforce the required level of consensus (as defined in the charter) among authorized network participants that the tangible asset has been transferred before releasing the nonfungible token? • Any failure to enforce this consensus could result in the unauthorized transfer of nonfungible tokens. |
3.6 | …the smart contract used to enable the transfer is configured to simultaneously release the payment and nonfungible token when the required conditions are met. Otherwise, the payment and nonfungible token are returned to their original owners. | - How is the smart contract set up to collect sufficient payment from the buyer and the correct nonfungible token from the seller? - What is the trigger event for the smart contract to release the payment to the seller and the nonfungible token to the buyer (see Control Objective 3.3 for evidence to determine whether this event happened)? - When does the trigger event need to happen by? • What happens to the payment and nonfungible token held in escrow if the trigger event does not occur (or is not reported to the smart contract) by this time? |
Stage Four: Asset Retirement Outside of Recertification Procedures | ||
4.1 | …if a tangible asset has reached the point of retirement outside of a transfer or recertification event, this status is attached to the respective nonfungible token and/or the token is burned. | - What processes are in place to determine whether the tangible asset should be retired? - How does the owner upload the retirement record to the blockchain (or make the retirement record available to authorized network participants upon request)? - How is this retirement record/status attached to the specific nonfungible token, and does this cause the nonfungible token to be burned (i.e., destroyed)? |
Source: “Summary of Control Objectives and Risk Considerations When Using Blockchain to Track Tangible Assets” from the appendix in Sheldon (2022). Reprinted with permission.
Any references to “smart contracts” in the Control Objectives and Risk Considerations should be considered interchangeable with “decentralized applications” (or DApps), which are applications on a blockchain built by combining several smart contracts. Furthermore, all Control Objectives are novel to using a blockchain to track tangible assets, other than Control Objectives #2.1 and #2.7, which were included to more fully demonstrate how risks related to existing technologies/processes need to be addressed when using blockchain in this manner.
a This table is structured in the format used by Sheldon (2021) for Table 1. The final framework benefitted from feedback provided by a Big 4 practitioner who is currently working on designing and implementing that firm’s blockchain product.
Stage One: Design and Governance Considerations
The first stage considers essential elements of the consortium’s charter, which include (among others) granting privileged access to the blockchain and implementing/retiring short software programs on the blockchain known as smart contracts.8
Consortium Charter
A charter establishes governance and operational specifics about a consortium and its blockchain and is agreed upon by all participants. The charter should define types of permissioned access rights to the blockchain, identify who may possess these rights, set criteria for selecting oracles,9 define acceptable forms of evidence to verify and validate the creation/transfer/retirement of a tangible asset, and establish the minimum level of consensus for recording transactions to the blockchain repository. For NFTs, the charter should outline the attributes required for each token (e.g., tangible asset’s name, ID tag, serial/model number, creation date, and creation location) and stipulate data standards for assigning/attaching information to NFTs. The charter must also detail the processes for requesting, approving, and implementing logical access for new and transferring employees; removing access from transferred and terminated employees; designing, testing, and implementing new smart contracts; resolving discrepancies between the physical and digital worlds; and amending the charter. Due to their widespread implications, the risks related to provisioning permissioned access and implementing/retiring smart contracts, as presented with stage one in Table 1, are of significant importance.10
Audit Implications
Stage one covers a broad range of design and governance considerations, all of which should be detailed in the consortium’s charter. Given the pervasive nature of these issues (e.g., access rights, program design and deployment, charter amendments), stage one stands to impact each of the Financial Statement Assertions as defined by the Public Company Accounting Oversight Board (PCAOB) (i.e., Existence or Occurrence, Completeness, Valuation or Allocation, Rights and Obligations, and Presentation and Disclosure) (Public Company Accounting Oversight Board (PCAOB) 2023a). Although audit procedures already exist to address several of the risks identified in stage one (e.g., internal control evaluations of permissioned access rights, access provisioning, and changes to programs), audit teams should consider the use of blockchain specialists when reviewing blockchain-specific items such as the composition of NFTs, the development and deployment of smart contracts, and how to resolve discrepancies between the physical and digital worlds.11
Stage Two: Asset Creation
The second stage considers the use and maintenance of identification (ID) tags, including those that are part of the IoT, and the creation of a tangible asset and its associated NFT. ID tags can be attached to (1) a tangible asset, (2) a tangible asset’s packaging, or (3) a tangible asset’s shipping container. Given the heightened risk that a tangible asset can be separated from its ID tag when the tag is attached to the packaging or shipping container, Sheldon (2022) focuses on tangible assets that can be directly attached to an ID tag.
Verify and Validate Creation of Tangible Assets
The creation of tangible assets must be observed and communicated to the blockchain in a way that convinces participants the event occurred as reported (Appelbaum and Nehmer 2020). Key considerations include who is authorized to verify a tangible asset's creation, the observation method, and the evidence of creation submitted to the blockchain. Evidence might include live or recorded videos, third-party certification, or direct observation by participants (Campbell, Omietański, and Southwell 2018; Appelbaum and Nehmer 2020). Security of any smart devices involved in observation, and the route the evidence takes to reach the blockchain, are also relevant (Sheldon 2019). Once evidence of creation is submitted, participants must validate it against the charter-specified types of permissible evidence. Strict requirements on the quality of evidence submitted could help mitigate risks of error or fraud. Finally, an appropriate level of consensus among participants should be required to validate the tangible asset’s creation.
Assign Attributes to NFTs
Smart contracts should ensure that essential attributes of a tangible asset are assigned to its NFT during minting (i.e., creation). Relevant attributes might include the tangible asset’s name, ID tag number/reference, serial/model number, and creation date/location (De Poli 2021). In some scenarios, it may also be necessary to inspect or certify a manufacturing facility to demonstrate the authenticity of a tangible asset’s origin. Blockchains like International Business Machines (IBM) Food Trust track certifications proving a facility’s legitimacy and compliance with industry standards (International Business Machines (IBM) 2019). Authorized parties should submit such certifications to the blockchain and include details such as the date, period covered, and duration of validity. It is also important to establish how these certification details are accurately recorded, submitted to the blockchain, and associated with a specific NFT.
Asset ID Tags
Asset ID tags, critical for linking tangible assets with their NFTs, come in various forms such as (among others) one-dimensional barcodes, QR codes (Baum n.d.), RFID and near-field communication tags (Dai and Vasarhelyi 2016), synthetic DNA (e.g., Everledger),12 and quantum dot security inks (e.g., Ubiquitous Quantum Dots).13 Each method offers varying capacities for information storage and asset identification. Key considerations include whether the data stored on the tag uniquely identifies the tangible asset, whether the data can be altered in an unauthorized manner, and whether the tag can be fraudulently copied or transferred to a different tangible asset.
Maintaining Asset ID Tags and IoT Devices
Tangible asset ID tags must be regularly maintained throughout the asset's lifespan, and procedures should be in place to ensure continuous association between the tangible asset and its NFT. Special considerations for RFID and near-field communication tags include their power source, as active tags might deplete power (i.e., from batteries), which disrupts information sharing. If a tag needs replacement, procedures should exist to decommission the old tag and link the new one to the associated NFT. Devices other than ID tags can also help accumulate details about a tangible asset throughout its life. For example, IoT devices such as sensors and smart devices can be used to monitor tangible assets as well as gather a breadth of information about the asset for a more detailed provenance (Dai and Vasarhelyi 2017). However, IoT devices with network connectivity face risks such as cyberattacks, unauthorized data alterations, and loss of control (Dai, Zheng, and Zhang 2019; National Institute of Standards and Technology 2019). Thus, tangible asset custodians should implement internal controls for IoT device protection. Finally, proper device configuration is essential to ensure reliable data recording, storage, and transmission to a blockchain (Sheldon 2021).
See Appendix A for an example of a tangible asset moving through stage two.
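The checks described under "Assign Attributes to NFTs", "Asset ID Tags", and "Maintaining Asset ID Tags and IoT Devices" can be modelled as a small registry that refuses incomplete mints, never reuses a tag reference, and flags scans of decommissioned tags. This is an added example, not code from Sheldon (2022) or any consortium; the class, method, and attribute names are assumptions, and the drone data is constructed.

```python
"""Registry linking asset ID tags to NFTs; constructed example."""

# Attributes the (assumed) charter requires before a token may be minted.
REQUIRED_ATTRIBUTES = ("asset_name", "tag_ref", "serial_number",
                       "creation_date", "creation_location")


class RegistryError(Exception):
    """Raised when a request would break the tag-to-token link."""


class AssetRegistry:
    def __init__(self):
        self.tokens = {}        # token_id -> attributes, status, tag history
        self.active_tags = {}   # tag_ref -> token_id (one live tag per token)
        self.legacy_tags = {}   # decommissioned tag_ref -> token it identified
        self.alerts = []        # scans that need follow-up

    def _check_new_tag(self, tag_ref):
        # A tag reference is never reused: if it is already on record, live
        # or decommissioned, the "new" tag is a duplicate or a copy.
        if tag_ref in self.active_tags or tag_ref in self.legacy_tags:
            raise RegistryError(f"tag {tag_ref} is already known to the registry")

    def _live_token(self, token_id):
        token = self.tokens.get(token_id)
        if token is None or token["status"] != "active":
            raise RegistryError(f"token {token_id} is not active")
        return token

    def mint(self, token_id, attributes):
        missing = [k for k in REQUIRED_ATTRIBUTES
                   if not str(attributes.get(k) or "").strip()]
        if missing:
            raise RegistryError("missing required attributes: " + ", ".join(missing))
        if token_id in self.tokens:
            raise RegistryError(f"token {token_id} already exists")
        tag = attributes["tag_ref"]
        self._check_new_tag(tag)
        self.tokens[token_id] = {"attributes": dict(attributes),
                                 "status": "active", "tag_history": [tag]}
        self.active_tags[tag] = token_id

    def replace_tag(self, token_id, old_tag, new_tag):
        token = self._live_token(token_id)
        if self.active_tags.get(old_tag) != token_id:
            raise RegistryError("old tag is not the live tag for this token")
        self._check_new_tag(new_tag)
        # Decommission first, then bind, so a token never has two live tags.
        del self.active_tags[old_tag]
        self.legacy_tags[old_tag] = token_id
        self.active_tags[new_tag] = token_id
        token["attributes"]["tag_ref"] = new_tag
        token["tag_history"].append(new_tag)

    def retire(self, token_id):
        token = self._live_token(token_id)
        tag = token["attributes"]["tag_ref"]
        del self.active_tags[tag]
        self.legacy_tags[tag] = token_id
        # The record is kept for provenance; the token is no longer usable.
        token["status"] = "retired"

    def resolve_scan(self, tag_ref):
        """Map a scanned tag to its token; flag legacy or unknown tags."""
        if tag_ref in self.active_tags:
            return self.active_tags[tag_ref]
        reason = ("decommissioned tag" if tag_ref in self.legacy_tags
                  else "unknown tag")
        self.alerts.append((tag_ref, reason))
        return None


def sample_registry():
    # Constructed sample data modelled on the drone example in Appendix A.
    reg = AssetRegistry()
    reg.mint("NFT-1", {"asset_name": "Survey Drone", "tag_ref": "RFID-0001",
                       "serial_number": "SN-1001",
                       "creation_date": "2024-01-15",
                       "creation_location": "Plant 7"})
    return reg
```

A scan of a decommissioned tag returns no token and is logged, which is the signal a custodian would investigate as a tag that was not fully retired or was copied.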
Audit Implications
Stage two addresses creating an NFT to represent a specific tangible asset and using technology to ensure the status of the tangible asset is initially aligned with its NFT. Here, auditors will need to apply newly developed procedures to demonstrate a proper link between the digital and physical worlds in support of the following assertions: Existence or Occurrence (i.e., the NFT is minted upon creation of the tangible asset) and Rights and Obligations (i.e., the newly minted NFT is routed to the proper owner who also holds the tangible asset). Addressing these issues also helps provide support for the origin and authenticity of the tangible asset and thus the Valuation or Allocation assertion. Although typical auditors will be able to gain an understanding of how a consortium addresses the issues raised in stage two, blockchain specialists will likely be needed to evaluate the processes in place to (1) verify and validate the creation of tangible assets, (2) assign attributes to NFTs, and (3) maintain tangible asset ID tags and IoT devices.
Stage Three: Asset Transfer
The third stage examines elements of a transfer, which Sheldon (2022) assumes are assisted by smart contracts on the blockchain (i.e., as opposed to relying on the good faith of the buyer and seller to send the NFT and payment to the other party upon completion of the physical transfer).
Smart Contract Assisted Transfer
Smart contracts can act as escrow services in transfers, where the seller sends the NFT and the buyer sends digital payment (i.e., cryptocurrency) to the smart contract. Once the physical transfer is verified and validated, the smart contract releases the NFT and payment to respective parties. Here, it is important to consider how the smart contract collects accurate payment and the applicable NFT and how the release trigger event is verified and validated (i.e., the event that convinces participants the transfer occurred in the physical world). Additionally, the smart contract should have a defined period during which it can execute, and, if it does not execute by the established deadline, the escrowed payment and NFT should be returned to their original owners.
Asset Recertification
Following significant changes or prior to a sale/transfer, an asset valuation expert should recertify the condition of long-lived tangible assets. Guidelines from the consortium's charter should outline this process and include details on selecting an appropriate expert and how to resolve any disagreements about the recertification. Evidence of the recertification should be attached to the respective NFT on the blockchain. In the event a tangible asset is deemed retired before a sale/transfer, this status should be communicated to the smart contract facilitating the exchange, prompting the return of payment and the NFT to the original owners.
Verify and Validate the Transfer of a Tangible Asset
The process to verify and validate the transfer of a tangible asset is similar to the process used to verify and validate its creation. However, beyond using live or recorded videos, third-party certification, or direct observation by participants, transfers can also be verified when the recipient scans the tangible asset’s ID tag (i.e., to acknowledge possession) or when a global positioning system (GPS) device shows the tangible asset arrived at the desired location (Christidis and Devetsikiotis 2016; Campbell et al. 2018; Appelbaum and Nehmer 2020).
See Appendix A for an example of a tangible asset moving through stage three.
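The escrow behaviour described in this stage (collecting the correct NFT and payment, releasing both only after authorized evidence and the required consensus, and returning both on a missed deadline or a retirement finding) is modelled below in Python. This is an added example, not code from Sheldon (2022) or a real blockchain platform; all names, the sample charter, and the rule that the parties to the sale and the evidence submitter cannot vote are assumptions.

```python
"""Model of a smart-contract-assisted transfer (escrow); constructed example."""
from dataclasses import dataclass

class EscrowError(Exception):
    """Raised when a call violates the escrow's rules."""

@dataclass(frozen=True)
class Charter:
    # Assumed stand-in for the consortium charter's transfer rules.
    verifiers: frozenset          # may submit evidence of the physical transfer
    validators: frozenset         # may vote on whether the transfer occurred
    recertifiers: frozenset       # experts who may report the asset as retired
    approved_evidence: frozenset  # evidence types validators may rely on
    quorum: int                   # distinct approving votes required

class Escrow:
    def __init__(self, charter, seller, buyer, token_id, price, deadline):
        self.charter, self.seller, self.buyer = charter, seller, buyer
        self.token_id, self.price, self.deadline = token_id, price, deadline
        self.token_held = False
        self.payment_held = 0
        self.evidence_by = None   # verifier who submitted the current evidence
        self.approvals = set()
        self.retired = False
        self.outcome = None       # set once; settlement is final

    def _open(self, now):
        if self.outcome is not None:
            raise EscrowError("escrow already settled")
        if now > self.deadline:
            raise EscrowError("deadline passed; only settle() is allowed")

    def deposit_token(self, sender, token_id, now):
        self._open(now)
        if sender != self.seller or token_id != self.token_id:
            raise EscrowError("wrong seller or wrong token")
        self.token_held = True

    def deposit_payment(self, sender, amount, now):
        self._open(now)
        if sender != self.buyer or amount != self.price:
            raise EscrowError("wrong buyer or wrong amount")
        self.payment_held = amount

    def submit_evidence(self, sender, kind, now):
        self._open(now)
        if sender not in self.charter.verifiers:
            raise EscrowError("sender is not an authorized verifier or oracle")
        if kind not in self.charter.approved_evidence:
            raise EscrowError("evidence type is not approved by the charter")
        self.evidence_by = sender
        self.approvals.clear()    # votes apply only to the current evidence

    def approve(self, validator, now):
        self._open(now)
        if validator not in self.charter.validators:
            raise EscrowError("not an authorized validator")
        if self.evidence_by is None:
            raise EscrowError("no approved evidence to validate")
        # Assumed separation-of-duties rule: parties to the sale and the
        # verifier who submitted the evidence cannot also vote on it.
        if validator in (self.seller, self.buyer, self.evidence_by):
            raise EscrowError("conflicting role; vote rejected")
        self.approvals.add(validator)   # a set, so repeat votes count once

    def report_retired(self, sender, now):
        self._open(now)
        if sender not in self.charter.recertifiers:
            raise EscrowError("not an authorized recertification expert")
        self.retired = True

    def settle(self, now):
        """Release both assets together, or return both to their owners."""
        if self.outcome is not None:
            return self.outcome
        funded = self.token_held and self.payment_held == self.price
        agreed = len(self.approvals) >= self.charter.quorum
        if funded and agreed and not self.retired and now <= self.deadline:
            self.outcome = {"token": self.buyer, "payment": self.seller,
                            "status": "released"}
        elif self.retired or now > self.deadline:
            self.outcome = {"token": self.seller if self.token_held else None,
                            "payment": self.buyer if self.payment_held else None,
                            "status": "refunded"}
        else:
            raise EscrowError("conditions not met and deadline not reached")
        self.token_held, self.payment_held = False, 0
        return self.outcome

def new_escrow(deadline=100):
    # Constructed sample charter and parties; all names are hypothetical.
    charter = Charter(
        verifiers=frozenset({"courier-oracle"}),
        validators=frozenset({"org-a", "org-b", "org-c", "courier-oracle"}),
        recertifiers=frozenset({"appraiser"}),
        approved_evidence=frozenset({"recipient_tag_scan", "gps_arrival"}),
        quorum=2)
    return Escrow(charter, seller="maker", buyer="operator",
                  token_id="NFT-1", price=500, deadline=deadline)
```

An auditor reviewing a real contract would look for the same properties: no path that releases only one asset, no vote counted twice, and a refund path that does not depend on anyone's cooperation after the deadline.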
Audit Implications
Stage three addresses transferring assets and thus ensuring that any transfers of the tangible asset result in the same transfer of the NFT (and vice versa). Here, auditors will again need to apply newly developed procedures to demonstrate a proper link between the digital and physical worlds in support of the following assertions: Existence or Occurrence (i.e., the tangible asset represented by the NFT exists and was transferred on the date recorded on the blockchain); Completeness (i.e., all transfers of the tangible asset are properly recorded); and Rights and Obligations (i.e., the holder of the NFT actually has the rights to the underlying tangible asset). As before, addressing these issues also helps provide support for the recorded provenance of the tangible asset and thus the Valuation or Allocation assertion. It is likely that auditors will need to use blockchain specialists to evaluate the processes in place to (1) associate a tangible asset’s recertification with its NFT, (2) verify and validate that technology (e.g., IoT and smart devices) operated correctly in recording the transfer of tangible assets, and (3) verify that smart contracts were designed and operated correctly to assist with the transfer.
Stage Four: Asset Retirement Outside of Recertification Procedures
Asset retirement was discussed in stage three, asset transfer, as part of the recertification procedure. Still, there will be circumstances in which a tangible asset needs to be retired outside of recertification procedures. Although owners should be proactive and update a tangible asset's status to retired on the blockchain when apparent, they may be reluctant to do so as it indicates the tangible asset has no value in future exchanges. Therefore, retirement procedures should define how frequently a tangible asset should be assessed for potential retirement, the process of documenting retirements on the blockchain, the method of attaching a retirement record or status to an NFT, and the approach to burning (i.e., destroying) the respective NFT upon retirement.
Audit Implications
Stage four addresses retiring assets and thus ensuring that any retirements of the tangible asset result in the same retirement of the NFT (and vice versa). Here, auditors can rely on many of the procedures performed in support of stage three but will need to evaluate any additional procedures used by the consortium to retire a tangible asset (and its NFT) outside of a periodic recertification event. Based on the specific circumstances, auditors can determine whether the use of blockchain specialists is necessary.
IV. DISCUSSION AND CONCLUSION
When evaluating a blockchain used to track tangible assets, the audit implications highlighted throughout this article argue that auditors will need to use the work of blockchain specialists to apply new procedures to address the Existence or Occurrence, Rights and Obligations, and Valuation or Allocation Financial Statement Assertions. That said, Sheldon (2022) also argues that some traditional audit procedures will remain applicable, such as inspecting an asset’s physical condition (and applying valuation adjustments) and periodically confirming the existence/custody of an asset. Sheldon (2022) also acknowledges the complexities in using blockchain to track tangible assets and concedes that the technology might only be practical in situations (1) when it is important to demonstrate the authenticity/origin of an asset and/or (2) when an asset will be sold/transferred several times throughout its life. It is also worth noting that the use of blockchain and smart contracts as described in this study can aid in other areas of accounting, such as enforcing technical standards like Accounting Standards Codification (ASC) Topic 606, Revenue from Contracts with Customers. See Appendix B for a detailed example.
The processes, risks, and control objectives explored in this study can serve as a blueprint for managers and auditors to assess the reliability of a consortium’s permissioned blockchain to track tangible assets, whereby reliability should increase when the consortium addresses more of the identified risks and implements controls to achieve the proposed control objectives. As these blockchains are typically customized to the specific needs of a consortium, a variety of these blockchains will inevitably exist. Therefore, it is not possible to be overly prescriptive in the framework provided by Sheldon (2022). Still, the identified processes, risks, and control objectives should be relevant across most versions of these blockchains and the diverse types of tangible assets they are designed to track. As asset tracking technologies advance and unique circumstances arise, the framework provided in Sheldon (2022) will continue to provide a relevant baseline for evaluating the extent to which a consortium’s permissioned blockchain serves as a reliable repository for tracking tangible assets.
APPENDIX A
Illustrative Example of a Tangible Asset Moving Through Stages Two and Three
Figure A1 provides an example of a tangible asset moving through stage two, asset creation. Here, assume a drone manufacturer produces a new unit. Upon completion, the manufacturer attaches an RFID tag to the drone that records the official product name, serial number, model, and RFID tag reference. An authorized neutral party observes (verifies) the drone being built at a specific production facility, scans the RFID tag to collect product details, submits evidence about the creation and product details to the blockchain, and specifies the smart contract being used to mint the drone’s NFT. Blockchain participants then review the provider and submitted evidence to determine whether the creation is valid (per the consortium charter). Once participants reach consensus on a valid creation, the specified smart contract mints the drone’s NFT and assigns it key details about the drone (e.g., RFID tag reference, serial number, and creation date). Finally, the RFID tag and other devices used to track and monitor the drone are regularly serviced.
Figure A1. Example of Stage Two: Asset Creation [a]
Source: Figure 1 from Sheldon (2022). Reprinted with permission.
[a] Numbers appearing in ten-point stars are control objectives (as listed in Table 1) that relate to the associated part of the asset creation stage.
Once a tangible asset and its NFT are created, the owner might choose to transfer these to a new owner. As such, Figure A2 provides an example of a tangible asset moving through stage three, Asset Transfer. Here, assume the drone from Figure A1 is sold to a new owner. Prior to the sale, an authorized expert (per the consortium charter) recertifies the quality/condition of the drone and attaches this recertification to the respective NFT. An authorized neutral party then observes (verifies) the physical transfer of the drone, submits evidence about the transfer to the blockchain, and specifies the smart contract being used to transfer the drone’s NFT. Blockchain participants then review the provider and submitted evidence to determine whether the transfer is valid (per the consortium charter). Once participants reach consensus on a valid transfer, the specified smart contract releases the NFT to the buyer and payment to the seller (see Figure A3 for further details on how the smart contract operates).
Figure A2. Example of Stage Three: Asset Transfer [a]
Source: Figure 2 from Sheldon (2022). Reprinted with permission.
[a] Numbers appearing in ten-point stars are control objectives (as listed in Table 1) that relate to the associated part of the asset transfer stage.
Figure A3. Detail on Use of Smart Contract in Sale of Tangible Asset
Source: Figure 3 from Sheldon (2022). Reprinted with permission.
Note that in either outcome (i.e., two events on the furthest right), both the tangible asset and its NFT reside with a single owner.
This brief hypothetical drone creation and transfer process involves many of the risks presented in stage two, asset creation, and stage three, asset transfer. To help associate points in the asset creation and transfer process to relevant control objectives and risk considerations, Figures A1 and A2 include several ten-point stars that contain control objective numbers. These numbers can be used to locate the associated control objective and risk considerations as more fully detailed in Table 1.
APPENDIX B
Example of Using Blockchain and Smart Contracts to Enforce ASC Topic 606
The processes examined in this study can also be applied to achieve technical accounting standards. For example, using smart contracts in the manner discussed throughout this study (i.e., as part of asset exchanges) can help to enforce proper revenue recognition practices under ASC Topic 606, Revenue from Contracts with Customers. Per ASC Topic 606, “The core principle of the guidance is that an entity should recognize revenue to depict the transfer of promised goods or services to customers in an amount that reflects the consideration to which the entity expects to be entitled in exchange for those goods or services” (Financial Accounting Standards Board (FASB) 2014, 2). The Financial Accounting Standards Board (FASB) defines five steps to achieve this principle: (1) identify the contract(s) with a customer, (2) identify the performance obligations in the contract, (3) determine the transaction price, (4) allocate the transaction price to the performance obligations in the contract, and (5) recognize revenue when (or as) the entity satisfies a performance obligation (FASB 2014). Firms that use blockchain in the manner described in this study have the benefit of using smart contracts to facilitate exchanges with third parties, which forces both the buyer and seller to codify the sales contract into executable instructions that align well with ASC Topic 606.[14] For example, a smart contract would be established between the parties identified in the contract (step 1) for a specific performance obligation (here, selling a single tangible asset) (step 2). The smart contract would also be programmed to execute based on specific evidence that the performance obligation had been satisfied (e.g., notice from a smart device that the asset was delivered to the customer’s facilities).
The agreed-upon transaction price would be apparent by the market value of the cryptocurrency submitted to the smart contract by the buyer (i.e., by referencing a cryptocurrency exchange such as Coinbase), which would also be visible to the seller (step 3).[15] As this is for a single product, there would not be an allocation of the transaction price among performance obligations (step 4). Finally, when the blockchain receives notice that the tangible asset has been delivered to the customer (e.g., the customer uses a smart device to scan the tangible asset’s barcode upon arrival, which simultaneously sends a notice to the blockchain that the asset has been delivered), the performance obligation to deliver the tangible asset will be satisfied and the smart contract will automatically execute and release payment to the seller and the NFT to the buyer. By using smart contracts such as this, the blockchain maintains a record of the performance obligation that satisfied the contract, the date/time of this event, and the assets exchanged in the event (i.e., the NFT and digital payment). Refer to Figure A3 for a detailed illustration on how a smart contract functions in sales transactions.
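The settlement logic described in this appendix can be modeled as a small state machine; the following Python sketch is an added example, not code from Sheldon (2022) or from any consortium's contract. The oracle allow-list, the deadline, the refund path, and all names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class SaleEscrow:
    """Model of the sale contract: holds the buyer's payment until delivery is attested."""
    nft_id: str
    seller: str
    buyer: str
    price: int
    oracles: frozenset   # assumed: devices the consortium authorizes to report delivery
    deadline: int        # assumed: last time step at which a delivery notice is accepted
    state: str = "OPEN"
    held: int = 0
    balances: dict = field(default_factory=dict)
    log: list = field(default_factory=list)   # (time, event, submitter) audit trail

    def __post_init__(self):
        # Before the sale the seller holds both the physical asset and its NFT.
        self.asset_holder = self.nft_owner = self.seller

    def _pay(self, party, now, event, submitter):
        self.balances[party] = self.balances.get(party, 0) + self.held
        self.held = 0
        self.log.append((now, event, submitter))

    def fund(self, who, amount, now):
        if self.state != "OPEN" or who != self.buyer or amount != self.price:
            raise PermissionError("only the buyer may fund, once, at the agreed price")
        self.held, self.state = amount, "FUNDED"
        self.log.append((now, "funded", who))

    def delivery_notice(self, oracle, now):
        if self.state != "FUNDED":
            raise RuntimeError("no funded sale to settle")   # blocks replayed notices
        if oracle not in self.oracles:
            raise PermissionError("delivery notice from unauthorized source")
        if now > self.deadline:
            raise RuntimeError("delivery notice after deadline")
        # Settlement is one step: asset and NFT to the buyer, payment to the seller.
        self.asset_holder = self.nft_owner = self.buyer
        self.state = "SETTLED"
        self._pay(self.seller, now, "delivered_and_settled", oracle)

    def expire(self, now):
        if self.state != "FUNDED" or now <= self.deadline:
            raise RuntimeError("sale cannot expire yet")
        # No delivery: refund the buyer; asset and NFT stay with the seller.
        self.state = "REFUNDED"
        self._pay(self.buyer, now, "expired_and_refunded", "contract")

    def single_owner(self):
        """Invariant noted for Figure A3: asset and NFT rest with one party."""
        return self.asset_holder == self.nft_owner
```

The `log` entries correspond to the record the appendix says the blockchain retains: the event that satisfied the performance obligation, its time, and who submitted the evidence.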
[1] A blockchain consortium is a group of trusted entities with a common purpose that create (or participate in) a blockchain to advance that purpose; the blockchain is permissioned when it requires explicitly granted authorizations to control who can read and write to the blockchain (Liu, Robin, Wu, and Xu 2022). Permissioned blockchains are appealing in a business setting (American Institute of Certified Public Accountants and the Chartered Professional Accountants of Canada 2017; Dai and Vasarhelyi 2017; Lewis 2018; Warburg, Wagner, and Serres 2019), as evidenced by the prominent permissioned blockchains currently being used to track tangible assets (e.g., International Business Machines (IBM) Food Trust and Everledger).
[2] The framework proposes control objectives but not control activities or testing procedures to evaluate control activities, as auditors would need to identify/develop these based on the unique blockchain implementation.
[3] Sheldon (2022) refers to blockchain as a distributed transaction “repository” rather than “ledger” to convey the fact that it tracks details about tangible assets beyond simple exchanges (i.e., debits and credits). The notion of a distributed transaction repository remains consistent with terminology used in a recent publication from the International Organization of Standards (International Organization of Standards (ISO) 2020).
[4] Blockchain consortiums typically have specific use cases. In this study, the participating parties have a vested interest in working collectively to demonstrate and maintain a reliable provenance for a specific tangible asset (class). It will therefore be a decision for consortium members to determine when (or if) it is allowable to transfer one of these tangible assets to a party outside the consortium, as it is possible that the provenance of this tangible asset will not be reliably maintained for future exchanges and events once transferred outside the consortium. Future research should consider ways to alleviate this limiting factor of consortium blockchains.
[5] I thank an anonymous reviewer for highlighting that this risk of being viewed as an honest actor holds true in other economic transactions as well and is not unique to blockchain.
[6] An NFT is a digital token on a blockchain that can “identify something or someone in a unique way” (Ethereum Foundation 2022).
[7] In the event consensus is not achieved, the transaction will be rejected by the consortium. If it is indeed an appropriate transaction that is missing required evidence to submit to the blockchain, the transaction will have to be reinitiated in a manner that the required evidence of occurrence is obtained and submitted to the blockchain. In the event consensus is not achieved on an appropriate transaction that includes all required evidence, the impacted party can attempt to reinitiate the transaction and/or raise the issue with the consortium’s governing board.
[8] Smart contracts are short software programs on a blockchain that are typically used to either (1) create or destroy digital tokens or (2) act as an escrow service in the exchange of digital tokens (Lewis 2018). Any references to “smart contracts” throughout this study should be considered interchangeable with “decentralized applications” (DApps), which are applications on a blockchain built by combining several smart contracts.
[9] Oracles are third parties that provide external data to a blockchain. Relevant to this article, such data might include coordinates from global positioning systems, bar code data from scanning devices, or environmental data from smart sensors (Sheldon 2021).
[10] I thank an anonymous reviewer for questioning whether blockchain consortiums are legally enforceable contracts. Legality in the blockchain space is an evolving field, and for the time being, it is preferable to keep consortiums limited to a single legal jurisdiction so as to avoid conflicting laws. In establishing blockchain consortiums, participants should seek the help of legal counsel to ensure the consortium charter is legally enforceable in the target jurisdiction. Further matters will largely be a function of contract law (i.e., enforcing the charter and smart contracts). Interested parties should remain attuned to the evolution of contract law applied in blockchain settings.
[11] References to “blockchain specialists” throughout this study are assumed to be parties external to the audit firms with strong working knowledge of NFTs, smart contracts, blockchain verification and validation protocols, IoT and smart devices, and how to resolve discrepancies between the physical and digital worlds. These specialists would need to work alongside IT audit teams to ensure any procedures performed are defendable from an audit perspective.
[12] For more information on Everledger, see https://www.everledger.io/
[13] For more information on Ubiquitous Quantum Dots, see https://ubiqd.com/security/
[14] Although the blockchain space is still relatively new and rules/regulations continue to evolve, smart contracts are (in general) legally enforceable in the U.S. if they meet the following requirements of contractual agreements: (1) the agreement must include an offer, the parties involved must accept the offer, and each party must be offered something of value (i.e., consideration), (2) the terms of the contract are legally permissible, and (3) the type of agreement entered into must be legally eligible for electronic signatures (Herpy 2022).
[15] Determining the agreed-upon transaction price becomes more complicated if the transaction does not involve cryptocurrency with a readily observable market value. For example, if two digital assets are exchanged in a barter (e.g., two NFTs that represent digital art), a transaction price is less likely to be observable.