Blockchain security risk assessment and the auditor

Author: Jonathon Holladay, Chula G. King, Barbara S. White
Published date: 01 April 2020
DOI: http://doi.org/10.1002/jcaf.22433
Date: 01 April 2020
BLIND PEER REVIEW
Barbara S. White (1) | Chula G. King (1) | Jonathon Holladay (2)
(1) Department of Accounting and Finance, The University of West Florida, Pensacola, Florida
(2) College of Business, The University of West Florida
Correspondence
Chula G. King, Department of Accounting and Finance, The University of West Florida.
Email: cking@uwf.edu
Abstract
A blockchain is an Internet-based peer-to-peer system that forms a network of independent and connected computers that simultaneously record and verify transactions. This peer-to-peer system focuses on who owns the information and how that information is transferred. Blockchains offer significant advantages over traditional databases where users can delete, modify, and change records. The advantages include improved efficiencies, lower costs, enhanced transparency, and an immutable audit history of all transactions. The advantages, however, are not without significant risks. The risks include technological risks, data security risks, interoperability risks, and third-party vendor risks. Because of the inherent advantages in blockchains, auditors are being called upon to provide assurance services to clients who use blockchains and to advise clients on blockchain technology. Therefore, auditors must be equipped with the knowledge and expertise of not only blockchain technology, but also the assessment of risks inherent in blockchain technology.
KEYWORDS
auditor, blockchain, risk assessment
1 | INTRODUCTION
When an audit is conducted of a publicly traded entity, the CPA is required to audit not only the financial statements, but also the underlying internal controls. The audits of publicly traded companies must be conducted in accordance with standards promulgated by the Public Company Accounting Oversight Board (PCAOB, 2017). AS 2201, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements, focuses on the requirements that an auditor must follow when the auditor is engaged to perform an audit of management's assessment of the effectiveness of internal control that is integrated with an audit of the financial statements (PCAOB, 2007). Auditor assessment of risk is a key element in the evaluation of the effectiveness of internal control. In assessing risk, the auditor should consider possible changes to both the internal and external environments that could render the existing internal controls ineffective. One such change that could have a significant impact on internal controls is the utilization of a blockchain for business processes.
In its most simple form, a blockchain is a type of distributed ledger. A distributed ledger uses independent and connected computers to verify and record transactions. This network of computers offers the significant advantage of replacing the intermediaries or those who provide checks and balances on the inputting, processing, and validation of data and transactions, with peer-to-peer interactions. However, in many business settings, the checks and balances provided by intermediaries are a key component to effective internal controls. Therefore, in auditing internal controls of an entity that is utilizing a blockchain, the auditor must be cognizant of the technologies
Correction added on March 28, 2020, after first online publication:
Article category updated from Editorial Review to Blind Peer Review.
Received: 24 June 2019 Revised: 27 September 2019 Accepted: 15 November 2019
J Corp Acct Fin. 2020;31:47–53. wileyonlinelibrary.com/journal/jcaf © 2020 Wiley Periodicals, Inc.
