To keep up with today's digital transactions, internal auditors should learn about the many attributes of blockchain-based smart contracts.
On the Frontlines: Smart Contracts
Blogs Shaun Aghili, DBA, CIA, CRMA, CISA Jul 28, 2021
The origins of smart contracts can be traced back to the late 1990s, when Nick Szabo proposed the concept of blockchain-based smart contracts in an article, "Formalizing and Protecting Partnerships on Public Networks," published in the journal First Monday. A smart contract is a decentralized and secure program that uses a blockchain mechanism as its default decentralized execution framework because of its major privacy benefits. It represents an agreement that is automatically executable, semantically correct, secure, and enforceable.
In other words, a smart contract is an electronic protocol that implements and enforces contractual terms. Its main goal is to fulfill the conditions of the contract without any need for financial intermediaries such as a bank. Its other economic goals include reducing compliance and other related transactional costs. Internal auditors should understand and review how their organizations design and use such systems.
Smart contracts have many uses, including:
- E-commerce. Smart contracts may be used for facilitating trade between buyers and sellers without the need for a third party. Payment will be released by smart contract to the seller when the buyer has confirmed receipt of goods or services.
- Internet of Things and smart property. Smart contracts allow nodes on the internet to share or access digital properties without the need for a trusted third party.
- Digital rights management. Smart contracts can be applied to digital rights management tasks such as music ownership rights using blockchain technology. For example, smart contracts can enforce payments to music owners whenever their music is used for commercial purposes. Payment distribution between the multiple music owners also can be ensured.
Other possible uses of smart contracts include e-voting, mortgage payments, insurance claims processing, supply chain monitoring, and identity management. When designing a decentralized, distributed system, the organization should consider some characteristics of smart contracts.
Smart contracts are immutable. Once a smart contract has been deployed, it cannot be modified further. As such, if there is a flaw in a contract application's logic, this flaw cannot be rectified by a software patch.
Smart contracts are transparent. Records stored on the blockchain are accessible to everyone, and because the smart contract is a component of the blockchain, the smart contract source code can be viewed by anyone. Therefore, smart contracts should not implement methods and algorithms that need to be kept secret.
Information that relates to smart contracts is always available. Aside from the smart contract codes, all the blockchain users can view the value that the contract variable holds, its historical data, and all the related transactions of the contract. As such, smart contracts should not be used for storing private data and protected records.
Internal auditors should review whether appropriate controls are in place for smart contracts. Developers should use defensive programming strategies, such as checking protocols, measuring test coverage, enforcing continuous integration, and conducting security audits on the contract, to ensure that users cannot exploit bugs and vulnerabilities.
Also, developers should consider using a "kill switch," which is a piece of code that permanently deactivates a faulty smart contract. Implementing a smart contract kill option could ensure that all funds involved with the smart contract are transmitted to the contract owner and prevent users from dealing with the referred contract in the future. However, even if a smart contract is killed, the smart contract code and details will stay on the blockchain.
Smart contracts are a cost-effective and reliable method of implementing and managing an organization's contracts. Their transparency and autonomy can effectively reduce processing times and further automate tasks that previously required human interaction. As the organization's contract management and procurement tasks become increasingly automated, internal auditors should learn more about smart contracts' attributes, uses, and potential code vulnerabilities.
Aafreen Fathima Altaf Hussain is a blockchain technology graduate research student at the Concordia University of Edmonton in Alberta.
Temitope Oluwaseun Ipentan is a blockchain technology graduate research student at the Concordia University of Edmonton in Alberta.