Internal controls that build on the information integrity and security of blockchain systems are necessary to preempt abuse.
Strong internal controls can prevent or identify vulnerabilities that can be exploited by others.
Articles Kitty Kay Chan, PHD, Tina Kim, CIA, CRMA, CISA, CPA Oct 09, 2023
When digital assets are recorded with well-designed blockchain technology, they become traceable, stamped with a particular DNA. Organizations are using the technology to prevent fraud and other abuse, facilitate the transfer of funds, and track important records.
Diamond company De Beers uses blockchain technology to track precious stones as they move along the supply chain from mining to sale as polished diamonds. The immutable characteristic of blockchain helps the company ensure that production is not linked to any human rights violations. Likewise, the California Department of Motor Vehicles is adopting blockchain technology to support digitization of its records. Its aim is to prevent car owners and dealers from masking the “faulty car” designations on vehicle titles by transferring ownership back and forth across state lines.
The growing complexity of global business transactions and the potential lack of trust between parties has accelerated the adoption of blockchain technology — but not without challenges. The surge in cryptocurrency-related scams has raised concerns about the use of blockchain as a tool for illegal activities.
The U.S. Federal Trade Commission announced that between January 2021 and March 2022, more than 46,000 people reported losses from crypto scams totaling over $1 billion. Crimes included sales of fake blockchain technology, use of blockchain to create counterfeit financial assets, and hacks into blockchain systems to steal from stakeholders.
When appropriately applied, blockchain technology enables secure, decentralized data storage and data sharing. However, adopting blockchain technology has inherent privacy, confidentiality, regulatory, and cryptographic risks, some of which may not exist in centralized systems. Internal audits play an important role in mitigating those risks; thus, internal auditors reviewing blockchain-based solutions must view them through the lens of potential vulnerabilities.
At a basic level, blockchain technology is designed to provide a secure digital environment for users to record, store, and share data, in which the information is not controlled by a single party and where any data, once recorded, cannot be altered. Hence, internal controls must ensure that the foundational elements of the blockchain system, such as its nodes, consensus mechanism, cryptographic algorithms, and off-chain transactions, work together to maintain only correct information, preempt unauthorized access to the system, and protect the privacy of participants (see “Blockchain Terminology”).
A comprehensive blockchain audit that involves technical analysis of the hardware and software as well as governance, risk management, and compliance review is crucial, but the time-consuming nature of such audits hinders their ability to provide timely information to fight the quickly evolving risks of blockchain-related activities. To address this challenge, auditors can adopt a more targeted approach that considers the specific method of deployment, the associated risks, and the relevant controls. This more focused strategy allows auditors to concentrate their efforts where they are needed and provide more timely insights.
Internal controls serve as the frontline of defense. Strong internal controls focused on safeguarding information integrity and security can prevent or identify vulnerabilities that can be exploited by others. While organizations may need to engage external technical partners to examine certain components of the blockchain system, auditors who understand the relevant internal controls can be routinely and actively involved. Internal auditors new to blockchain auditing can start with a checklist of the internal controls needed to safeguard each of the foundational elements of the blockchain system.
Review nodes to ensure information comes from reliable sources. Depending on their functionality, nodes can broadly be classified as full or light nodes. Full nodes, potentially a personal computer, can verify the system rules and maintain a full copy of the digital ledger. Light nodes, such as a digital wallet, maintain only a partial copy of the digital ledger and are not capable of verifying the system rules.
To ensure that information coming into the system is from a reliable source, auditors should examine whether policies and controls are in place to verify that the nodes are genuine. Internal audit should review the nodes’ software version, IP address, transaction history, reputation, and uptime to search for anomalies.
The genuine nodes of a specific blockchain use the official software associated with the blockchain system and should each have a unique IP address that is registered with the system. For a private blockchain system, genuine nodes should have received system access permission. Nodes with no activity for an extended period should raise red flags, as this could indicate a node that was created solely for the purpose of carrying out a fraud.
A node from a legitimate participant could still become an unreliable source if vulnerabilities in its software allow unauthorized actors to tamper with information. Thus, it is important to check that the software is the latest version and that all security patches are installed.
Check that recorded information is accurate and validated according to the consensus mechanism. In a blockchain system, information is recorded across the ledgers of all the nodes when it passes the consensus mechanism specific to the system. There are many types of consensus mechanisms.
To protect against Sybil attacks, in which scammers operate many fake nodes to create fake consensus, it is possible to incorporate a proof of work (PoW) or proof of stake (PoS) process as a part of the consensus mechanism. This is commonly used to deter the creation of fake nodes by making it costly to do so. For example, under PoW, nodes compete to solve mathematical puzzles to gain the right to validate a transaction and earn a fee for doing so. These calculations require substantial computing power, making it more expensive to create fake nodes.
A blockchain is an encoded, decentralized, append-only digital ledger that is maintained across a network of independent devices. Each blockchain is unique, but there are several foundational elements that make up every blockchain system.
Blocks: Individual data storage units in a blockchain. Once a new block is added to the chain, it is immutable, creating an append-only ledger where new information can be added, but recorded information cannot be modified.
Cryptographic algorithm: Helps safeguard the security of information in the blockchain system. Cryptography is used to render information immutable and create digital signatures that enable information sharing among designated parties only. Blockchain typically uses both hashing and asymmetrical algorithms for information security.
Nodes: Any computing device connected to the blockchain system, together creating a blockchain network.
Consensus mechanism: A set of protocols laying out how information, such as a financial transaction, health record, or status of a shipment, is verified and added to the system once a user initiates a transaction. The consensus mechanism provides the conditions under which the transaction can be verified, added to the block, and chained to the existing blocks.
To check for appropriate validation, auditors should confirm whether policies and controls ensure the blockchain system is operating in a way consistent with its consensus mechanism. For example, do the controls include PoS verification? Under PoS, only nodes that stake a certain amount of assets as collateral can enter a random draw to win the right and fee to validate a transaction.
The consensus mechanism will validate the transactions but does not check the correctness of the information submitted by the parties. Thus, it is crucial for auditors to examine the accuracy of the information through substantive testing, using supporting documents such as invoices and receipts.
Examine if controls are in place over the use of the cryptography. A hashing algorithm is the powerhouse behind blockchain that makes information immutable. In general, the hash algorithm transforms original information on a block into a hash value, which is a unique, incomprehensible, and highly irreversible text string. Each block on the same blockchain contains the hash value of the processor block. Any attempt to modify information on a block will create inconsistency among the hash values and break the chain.
Asymmetrical algorithms securely share information, using keys, among two parties. Each party holds a set of keys comprising a public key and a private key. Private keys should be kept confidential while public keys are sharable.
To send a monetary payment, a sender uses the recipient’s public key to encrypt the message. The sender can use his or her own private key to generate a digital signature. The recipient then uses a private key to decrypt the message and receive the payment. The recipient or anyone with the sender’s public key can view any digital signature and be assured the message is from the signee. Other common applications of asymmetrical algorithms include creating emails and virtual private network connections for secure communications.
Procedures should indicate how the use and management of the cryptography-related components will be reviewed and who will do so. Only authorized persons should review, test, and make changes to the cryptographic approach.
Reviewers should check that the hash and asymmetrical algorithms applied to the system are widely accepted and verify that the cryptographic approach adopted by the system is working as intended. A review of the keys can determine if they meet the expected properties of the cryptographic system, such as the right composition and length, and whether additional security measures like two-factor authentication have been incorporated into the cryptographic approach.
Key management is crucial for maintaining the system’s security and preserving information integrity. Processes should be in place to protect keys throughout their life cycle, including generation, registration, storage, distribution, installation, recovery, and disposal. The identity of key holders should be verified, and procedures for storing keys and generating lost keys should be clearly laid out.
Assess off-chain transactions to assure information is complete and reliable. As the name suggests, off-chain transactions are conducted outside the blockchain system. An example could be when one party sells its private key to another party outside of the blockchain system.
Unlike on-chain transactions, off-chain transactions are not validated through the consensus mechanism, but rather rely on third-party guarantors for verification. They may or may not be recorded in the system after they are completed. Off-chain transactions thus increase the system’s exposure to scams and illegal activities.
Internal auditors should check whether there are any off-chain transactions linked to the assets in the blockchain system being reviewed and determine the business justification for moving these parts of the transactions off-chain. To ensure the information recorded in the blockchain is complete and reliable, auditors should verify that appropriate policies and controls are in place to track off-chain transactions.
Internal auditors should be able to verify the parties involved, as well as the time and the amount of these off-chain transactions. Similar to working with on-chain transactions, auditors should verify the accuracy of the off-chain transactions by cross-checking with supporting documents such as invoices, receipts, and average industry prices of any products linked to the transaction.
There are many other controls and scenarios that auditors can investigate to help safeguard information integrity and security. For example, they can examine:
Blockchain-related products are new to many organizations but have been evolving at a fast pace. Internal controls with a focus on safeguarding information integrity and security make it possible to fight against blockchain crimes timely. Strong internal controls are thus a critical first line of defense — along with comprehensive audits conducted in partnership with external blockchain audit professionals.