One of the advantages of having a computer auditor support the audit of annual accounts is that he or she has the opportunity to visit clients and learn first-hand the technological concerns of those responsible for IT departments. In this article, we address one such issue that many have encountered: will it be necessary to audit blockchain-based environments?
Cryptocurrencies are a digital medium of exchange. The first cryptocurrency that began to operate was Bitcoin in 2009. Over the years, many others have appeared with different characteristics and protocols such as Ethereum, Litecoin, Ripple, Dogecoin, Dash, or Monero.
Bitcoin is, in essence, a new type of digital money that claims to make payments safely, quickly, and freely around the planet. But what makes this form of payment safe? The blockchain.
Blockchain (or chain of blocks) can be defined as a shared database that works as a ledger recording purchase and sale operations or any other transaction. Every transaction is saved on each of the machines connected to the network or that have been related to the cryptocurrency. For each transaction, a contract is created and saved permanently on every node. This registry is where the main attractions of the blockchain reside:
- It allows you to carry out transactions of any type reliably and securely, without the need for an intermediary.
- The record is perpetual.
One great advantage this provides is the absence of an intermediary. Another is that each new transaction adds a new record without deleting the previous ones, so a transaction can be validated against the saved record of all the transactions carried out before it.
So, if we have an automatically generated ledger that is immutable, perpetual, and global (the machines are geographically distributed), will the presence of a systems auditor be necessary to give confidence in an IT environment based on blockchain?
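As an added illustration (not code from the original article), the Python example below models the append-only record described above, assuming the common construction in which each record stores the SHA-256 hash of its predecessor; the function names and sample transactions are constructed. It shows that an edited or deleted record is detected, while a copy rewritten from the first record onward passes its own checks and is caught only against a head hash obtained independently.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed placeholder meaning "no previous record"

def block_hash(block):
    """SHA-256 over the record's canonical JSON (index, tx, prev)."""
    payload = json.dumps({k: block[k] for k in ("index", "tx", "prev")}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def append(ledger, tx):
    """Add a record; earlier records are never modified or deleted."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    block = {"index": len(ledger), "tx": tx, "prev": prev}
    block["hash"] = block_hash(block)
    ledger.append(block)

def audit(ledger, trusted_head=None):
    """Return a list of findings; an empty list means the copy verifies."""
    findings = []
    prev = GENESIS
    for pos, block in enumerate(ledger):
        if block["index"] != pos:
            findings.append(f"position {pos}: record missing or reordered")
        if block["prev"] != prev:
            findings.append(f"position {pos}: link to previous record broken")
        if block_hash(block) != block["hash"]:
            findings.append(f"position {pos}: content does not match stored hash")
        prev = block["hash"]
    # Internal consistency is not enough: compare with a reference the
    # audited platform does not control (assumed to come from other nodes).
    if trusted_head is not None and prev != trusted_head:
        findings.append("head hash differs from independent reference")
    return findings

def build_sample(txs=("A pays B 5", "B pays C 2", "C pays A 1")):
    """Constructed sample ledger with three transactions."""
    ledger = []
    for tx in txs:
        append(ledger, tx)
    return ledger

if __name__ == "__main__":
    ledger = build_sample()
    print(audit(ledger, trusted_head=ledger[-1]["hash"]))
```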
The answer is YES. Despite all the advantages of a blockchain-based system, and as indicated by ISACA (Information Systems Audit and Control Association), there are a series of risks that require an auditor to give confidence in the environment:
- The software platform on which the blockchain runs affects the integrity of the data; that is, if the platform is not reliable, this directly affects the blockchain.
- No software is exempt from attack and therefore the infrastructure that enables blockchain is subject to all the usual threats and vulnerabilities. Throughout 2017, of the 41 recorded cases of blockchain attacks, 14 corresponded to vulnerabilities in the servers, either due to lack of configuration or design flaws.
- As in any infrastructure, it is necessary to verify the change procedure and the segregation of functions and privileges in accessing data, since these are controls that directly affect the integrity of any system.
- Additionally, and from a less technical point of view, an audit should also be included to verify the risks involved in any type of unregulated operation.
All of the above highlights the need to create security standards, or to adopt existing ones from the traditional financial area, and for an auditor to review the system in order to offer confidence in environments of this type.