Blockchain offers a drastically new way to record, process, and store financial transactions and information, and has the potential to fundamentally change the landscape of the accounting profession and reshape the business ecosystem. In this article, we introduce two types (i.e., permissionless and permissioned) of blockchain and lay out their technological features. We further discuss implications of blockchain to auditing and elaborate on opportunities and challenges of the two types of blockchain to auditors. We conclude by making specific recommendations for auditors to adapt, adjust, and elevate themselves to the role of strategic partners in blockchain implementation.
JEL Classifications: M15; M41; M42; O14; O33; O55.
Known as the underlying technology for cryptocurrencies such as Bitcoin, blockchain has been regarded as one of the most important disruptive technologies after the internet (Swan 2015; Yermack 2017). It has wide-ranging implications for data processing, transmission, storage, and security (Brandon 2016; Gross, Hemker, Hoelscher, and Reed 2017), and has the potential to create a new ecosystem for the handling of accounting information (Dai and Vasarhelyi 2017; Kokina, Mancha, and Pachamanova 2017). Although blockchain technology is still in its infancy, the Big Four accounting firms and many financial institutions have already noticed blockchain's potential and actively engaged in its experiments, development, and investments (Bajpai 2017). Deloitte, for instance, took the first step in launching a blockchain initiative in 2014 (Deloitte 2016). Ernst & Young (EY) became the first advisory firm to accept Bitcoin for its services in 2017 and, more recently, rolled out a number of applications and services to facilitate the commercial use of blockchain technology across the enterprise (EY 2017). KPMG has partnered with Microsoft in joint projects that use cases that apply blockchain technology to business propositions and processes (KPMG 2017). PWC launched its digital asset services using blockchain technology in 2016 and planned to adopt blockchain in live production systems by 2020 (PWC 2017).
In this paper, we introduce blockchain and lay out possible impacts of blockchain on accounting and auditing practices. We also make recommendations for strategies and action plans for auditors involved in the ecosystem of accounting information.
II. BLOCKCHAIN ILLUSTRATION
Blockchain System versus Traditional System
A blockchain is essentially a public ledger, where groups of transactions or events are recorded and stored in a chain-like data structure (Simoyama, Grigg, Bueno, and Oliveira 2017). These transaction groups are called blocks and are ordered on the chain by transaction time. Later blocks are appended to the end of the chain, while maintaining the hash of the previous block (Crosby, Pattanayak, Verma, and Kalyanaraman 2016). We use Figure 1 to compare a fund transfer transaction in traditional digital ledgers and blockchain systems. Panel A presents a traditional digital ledger system, where a sender initiates a request for a fund transfer to an intermediary, i.e., a bank. The bank then examines the legitimacy of the request including the sufficiency of funds and the transaction limit. If the bank approves the request, money will be transferred from the sender's bank to a receiver's bank. At the same time, the sender's bank records the transaction in its ledger and notifies the sender. Finally, the receiver's bank records the money transfer in its ledger and notifies the receiver. Notably, the involvement of intermediaries could cause delays in the transaction, as well as errors and discrepancies across different ledgers from different parties.
Panel B illustrates how a blockchain works for the same transaction. In this new system, an individual who wants to transfer funds creates an encrypted message containing information about the amount and the recipient's network address. The message is broadcasted to the entire network, where other members compare the amount with the sender's most recent balance recorded in the blockchain and examine the validity of the message. If the message is verified, the transaction is executed, and a new block containing the transaction is appended to the end of the blockchain. Unlike traditional fund transfers, no financial intermediary is involved in this process to validate, or approve the transaction, which is often referred to as decentralization.
Basic Technological Features of Blockchain
Compared to the traditional centralized transaction system, blockchain technology comes with several technological features:
Cryptographic. Transactions recorded on a blockchain are encrypted using public-private key pairs. Using the example from Figure 1, the message containing the money transfer information is encrypted using the sender's private key and then broadcasted to the entire network.
Real-Time. Because transactions are posted to the blockchain nearly as soon as they occur, blockchain technology provides nearly real-time transaction records and reconciliation of accounts.
Hosting of Smart Contracts. Blockchain accommodates smart contracts by embedding programming code. These programs can execute transactions and create corresponding ledger entries when certain contract conditions are triggered. Self-executing smart contracts allow timing of ownership transfers from one party to another in a decentralized environment (Kosba, Miller, Shi, Wen, and Papmanthou 2016).
III. TWO TYPES OF BLOCKCHAIN
Permissionless and Permissioned Blockchain
As blockchain technology has evolved, two types of blockchain have emerged: permissionless and permissioned blockchain (Zheng, Xie, Dai, Chen, and Wang 2018). A permissionless blockchain is best described as one that enables records to be “shared by all network users, updated by miners, monitored by everyone, and owned and controlled by no one” (Swan 2015, 1).1 With a permissionless blockchain, such as Bitcoin, any entity (individual or organization) can use its computers or mobile devices to join the network. A permissionless blockchain has the benefit of decentralization and has been backed by the success of several widespread applications including the cryptocurrency Bitcoin. However, it has drawbacks. For example, a permissionless blockchain, such as Bitcoin, has a speed limit in processing large volumes of transactions, which constrains its large-scale application as compared to the existing payment systems such as Visa and Mastercard. What's more critical is its privacy protection, and business owners have concerns that distributed ledgers might compromise business secrets.
A permissioned blockchain refers to a type of blockchain with restrictions in its membership and control procedures. In such a blockchain, such as Ripple, an intrinsic configuration defines the participants' roles in which certain members can access, write information on the blockchain, or approve admission of new members. Because different members have different access-control authorizations, a permissioned blockchain is deemed as partially decentralized. On one hand, with appropriate deployment of access-control layers, a permissioned blockchain has a greater potential to maintain privacy and fit business governance needs than a permissionless blockchain (AICPA and CPA Canada 2017). On the other hand, a centralized agency with override privileges is allowed in a permissioned blockchain and might undermine the credibility of the blockchain.
Technological Features Distinct between Permissionless and Permissioned Blockchain
Permissioned and permissionless blockchains differ in their underlying properties. We further discuss the distinct features below.
Trustlessness and Immutability
Trustlessness means no participant needs to rely on the honesty of others. In permissionless blockchain, intermediaries or central authorities are not needed, and transaction records remain immutable once added to the blockchain (Crosby, Pattanayak, Verma, and Kalyanaraman 2016). Any attempt to alter one or a few copies of the blockchain will be futile as it would cause these copies to be inconsistent with all other copies in the network.
A permissioned blockchain is not completely trustless. Transactions could be rolled back by a centralized agency with override authority. Transaction records could also be reversed if the majority of the members choose to do so. Therefore, the trustlessness of a permissioned blockchain relies on the credibility of the centralized agency and the architecture of the consensus protocol.
Distributed Consensus and Transparency
In permissionless blockchains, each participant in the network maintains an identical copy of the blockchain. Consensus is achieved by synchronizing all copies constantly, which ensures that data are transparent, correct, and up to date. Although users release no identity information during transactions, these transactions are traceable and visible in the entire network. Transaction records can be accessed and accurately reconstructed at any time.
A permissioned blockchain does not offer absolute transparency. The master copy of transaction records is not distributed to all participants. Instead, some participants may only have a part of the copy. Whether certain information is restricted or accessible to certain participants depends on the access-control configuration. Given the confidentiality protection from these access restrictions, permissioned blockchains will be more suitable in business environment (AICPA and CPA Canada 2017).
IV. ENTERPRISE USE CASE AND IMPLICATIONS
According to coinmap.org, 15,004 businesses in the world accept Bitcoin as a form of payment for their goods and services.2 For example, the board of directors of Overstock has approved up to 50 percent of their sales revenue to be paid in cryptocurrencies such as Bitcoin. At the end of 2018, Overstock held $2.4 million worth of Bitcoins and reported them as other current assets. Besides Bitcoin acceptance, many companies have realized blockchain's potential power to boost their business (Stratopoulos and Wang 2019). For example, FedEx is using blockchain to track high-value cargo and plans to extend this functionality to almost all of its shipments. IBM creates a “Food Trust Blockchain” including nine partners such as Nestlé and Dole. Also, in response to worldwide food contamination outbreaks, retail giant Walmart is tackling food safety in the supply chain using blockchain technology (Kamath 2018).
Organizations implementing blockchain with smart contracts may improve compliance effectiveness and risk management. For example, smart contracts could facilitate organizations' adherence to various laws and regulations (Pilkington 2016; Wild, Arnold, and Stafford 2015; OECD 2018). Pre-defined alerting schemes could be implanted in blockchain to identify suspicious transactions in a timely manner. They could also be used to monitor an organization's financial health and aid decision-makers to design new control mechanisms (Psaila 2017).
Blockchain Creates Business Information Ecosystems
Blockchain technology is not only an information system in a single company for a set of transactions, but is an infrastructure for business communities (Ito, Narula, and Ali 2017; Sheldon 2018). As more individuals and organizations join a blockchain network, a large community of stakeholders, such as companies, investors, auditors, tax authorities, and regulators, comprise an ecosystem with information transferring and sharing. In permissionless blockchains where there is no centralized authority, the enlargement of a blockchain will make the information in the network more secure. According to the 51 percent attack rule, only when a group of miners controls an absolute majority of the computer power on blockchain can they alter the transaction record. A large community makes it infeasible for a few entities to dominate the network and manipulate the content of the ledger. Figure 2 presents a blockchain network with its stakeholders forming a new business ecosystem.
Moreover, a set of different blockchains could be linked together to form a blockchain consortium, which further promotes information sharing and cross-examination in a larger base. With close to a real-time information sharing configuration, the records on the blockchain could be exposed to scrutiny by more cross-chain participants. This provides third parties an even broader scope to scrutinize reliability of business transactions.
Cost of Implementation
Based on cost-benefit analyses, organizations will decide whether, to what extent, and how they will adopt blockchain (Appelbaum and Smith 2018). We provide a list of explicit and implicit costs of adoption for organizations to consider:
Cost of implementing and maintaining a blockchain.
Repetition and competition between an existing ERP system and a blockchain.
Reconciliation between records on a blockchain, other reports, and physical existence.
Potential information leakage to outsiders, including business competitors and customers.
Obstruction from managers due to externality of increased transparency.
V. IMPLICATIONS FOR AUDITING
New Business to Auditors
At the application level, blockchain brings new business to auditors, such as reviewing certain transactions and verifying the existence of digital assets, and attesting to consistency between information on a blockchain and in the physical world. These new tasks could be challenging, particularly when there are no centralized authorities on the blockchain. Auditors need to leverage their expertise in IT system audits to invent novel methods to accomplish verification of ownership. As we discussed in the previous section, different types of blockchain have their advantages and limitations. In Table 1, we provide a list of opportunities and challenges audit firms need to face in permissionless and permissioned blockchains, with more focus on the latter.
Moreover, blockchain could fundamentally change the auditing process. As a complete record of transactions is stored on a blockchain, auditors will no longer need to request, and wait for trading parties to provide, data and documents. In addition, blockchain will surpass the traditional audit sampling process, and allow continuous audits for any “on-chain” transactions in any specific period. The adoption of blockchain will free up resources that were previously expended on evidence collection and verification.
Shift from Testing of Transactions to Testing of Controls
Despite aforementioned efficiency gains from blockchain adoption, it is important to note that the transaction record stored on the blockchain does not necessarily assure the reliability of organizations' financial reports. For example, an “on-chain” transaction still could be executed between related parties, linked to some unobservable “off-chain” agreement or fraudulent transaction (AICPA and CPA Canada 2017). Therefore, what is critical is the effectiveness of internal controls surrounding blockchain. When auditors encounter a specific blockchain, they need to examine clients' incentives, as well as blockchain code quality, protocol changes, and power allocation among peers. After all, the focus of auditors will not be testing transactions directly, but instead testing these controls to obtain appropriate assurance that the transactions hosted on the blockchain are accurate. We use Table 2 to present possible impacts of blockchain on both internal and external auditing practices.
Recommendations and Perspectives
Blockchain technology brings tangible challenges to the audit industry and calls for strategic transformation in this area (Coyne and McMickle 2017; Lin and Liao 2017). Audit firms' comprehensive knowledge about business operations and governance will position them as critical advisors to organizations approaching these new technologies (ICAEW 2017; Raj 2017; Smith 2017; Rapoport 2018). To prepare for the changes brought by this disruptive technology, auditing professionals need to adjust, and elevate themselves to the role of strategic partner (Karajovic, Kim, and Laskowski 2019). In the current stage, auditors should consider the following initial steps to adapt to the new environment:
Acquire competency in blockchain technology and governance of blockchain. Auditors should be able to assess the costs and benefits of adopting specific blockchains, and provide advice on blockchain implementation for their clients (Sheldon 2019). Audit firms could reach this goal by adjusting their hiring and training strategy.
Actively participate in blockchain development with emphasis on risk control. Auditors should consider stepping forward to influence and lead implementation of blockchain. Audit firms should shift their focus to assess the effectiveness of risk management and advise on solutions and assurance for internal control.
Rapidly growing technology brings enormous opportunities to auditors. In order to promote high-quality services, auditors should consider the following long-run prospects:
Move to continuous auditing. Blockchain applications make it feasible to conduct continuous auditing due to real-time access to transaction records (Smith 2017).
Grow the advisory function. With resources freed from traditional evidence collecting and testing, audit firms should consider applying appropriate data analytics in blockchain, and expand advisory services such as control design, change management, and blockchain governance (ICAEW 2017).
Miners are users with extensive computational resources that can be used for transaction validation purposes.
Retrieved on June 18, 2019.
Kean Wu is the corresponding author.
Editor's note: Accepted by Lisa Milici Gaynor.