Blockchain and internal control: The COSO perspective
New risks and the need for new controls
The potential benefits of blockchain are clear: improved efficiency, reliability, and compliance. But the risks are just as glaring. A full understanding of blockchain-related risks and how to address those risks is needed if a company is going to responsibly put it to use. Knowing the COSO perspective is a great place to start.
The complex connection between blockchain and internal control
As blockchain becomes more mainstream, it is appropriate to focus on how this technology intersects with an entity’s internal control. With careful implementation and integration of blockchain, the distinctive capabilities of blockchain can be leveraged to create more robust controls for organizations. Further, blockchain-enhanced tools have the potential to promote operational efficiency and effectiveness, improve reliability and responsiveness of financial and other reporting, and improve compliance with laws and regulations. At the same time, blockchain creates new risks and the need for new controls. The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Internal Control—Integrated Framework (2013 Framework) provides an effective and efficient approach that can be leveraged to design and implement controls to address the unique risks associated with blockchain.
When an organization evaluates the use of blockchain through a COSO lens, it can enable the board of directors and senior executives to better understand the context and likely make more informed assessments of the technology’s potential and applicability with respect to internal control. This enables the organization to perform a detailed risk analysis and, in turn, develop appropriate control activities to address such risks, facilitating the effective adoption and use of blockchain.
This paper provides a guide for using the 2013 Framework to evaluate risks related to the use of blockchain in the context of financial reporting and to design and implement controls to address such risks. It is intended to help inform decisions regarding oversight, risks, and internal control over financial reporting (ICFR). It is not the aim of this paper to explain the intricacies of blockchain, nor detail technical differences between the major platforms. As such, this paper is expected to be of value to the various stakeholders involved in financial reporting within the context of their own environments.
Viewing blockchain from a COSO perspective
One of the more significant changes resulting from the use of blockchain relates to the hierarchy of the entity. While the highest level of the hierarchy expressed in the 2013 Framework is the entity level, drilling down to division, operating unit, and function, blockchain has the ability to create new collaborative units, spanning different entities, operating on a decentralized basis, but bound together with shared data (a decentralized database).
The three objectives of the 2013 Framework—operations, reporting, and compliance—may be heavily affected by blockchain in terms of how the objectives are achieved. In particular, many advocates believe that recordkeeping will be entirely transformed, leading to completely ad hoc, automated, and on-demand reporting and compliance activities. With those transformations, the role of management and management accountants, financial executives, and internal and external auditors may be subject to change.
The introduction of blockchain into the business environment will have implications for the five components of the 2013 Framework.
From shared ledgers and recordkeeping to overarching governance (perhaps leveraging smart contracts for oversight and cross-organization internal controls), blockchain can change the concept of an “entity” in an internal control environment and the related responsibilities and requirements.
Ten things to know about blockchain
The uses of blockchain will continue to develop and evolve, and expanded adoption will likely transform how businesses operate. Many have expressed guarded optimism about the potential effect of blockchain on internal control and financial reporting. As with any disruptive technology, there is a need for each organization, in its own specific context, to evaluate the challenges, better understand the related risks, and work together to determine the best course of action and remediate those risks.
As organizations are contemplating the use of blockchain, the following are 10 things to know about the technology:
The potential benefits of blockchain for internal control and financial reporting will be maximized only if those who understand and are responsible for financial reporting, internal controls, and auditing are actively involved in the discourse about blockchain and collaborate to advance the collective agenda.
Many of the changes that proponents attribute to the adoption of blockchain are not found in isolation; blockchain is most successful when it is combined with something else: for example, blockchain + artificial intelligence (AI), blockchain + Internet of Things (IoT), or blockchain + advanced analytics. As a foundational technology, blockchain has the potential to radically change the global digital business landscape, and that would, in turn, have significant impact on almost everything else.