What auditors need to know about blockchain

The implications of blockchain and other disruptive technologies for many legal areas have been addressed by a variety of regulators. While much attention has been focused on the pronouncements by bodies such as the US Securities and Exchange Commission, other regulators have been looking at these matters as well. A recent speech by a member of the Public Company Accounting Oversight Board (PCAOB) discusses implications of such technology for auditing, accounting and investors.

As noted on the PCAOB’s website, the PCAOB is a nonprofit corporation established by Congress to oversee the audits of public companies in order to protect investors and the public interest by promoting informative, accurate and independent audit reports. The PCAOB also oversees the audits of brokers and dealers, including compliance reports filed pursuant to federal securities laws, to promote investor protection.

On November 2, 2018, PCAOB Board Member Kathleen M. Hamm gave a speech titled “Mexican Mangos, Diamonds, Cargo Shipping Containers, Oh My! What Auditors Need to Know about Blockchain and Other Emerging Technologies: A Regulator’s Perspective.” Although just a statement of Ms. Hamm’s own views and not necessarily those of other PCAOB board members or staff, her remarks provide useful insight to how the PCAOB may view how auditing procedures and financial reporting will need to address the challenges of blockchain and other disruptive technologies.

Ms. Hamm identified emerging technologies as an area that was a “strategic imperative” for the PCAOB to address. She focused primarily on blockchain technology but also noted such areas as robotic process automation, big data analytics and artificial intelligence. She cited experts as expecting worldwide spending on blockchain technology to be $1.5 billion this year, double the amount spent last year, and to reach almost $12 billion by 2022. As an illustration, she discussed how Walmart has piloted blockchain technology to track sliced Mexican mangos from farms, packing houses, brokers, import warehouses and processing facilities ultimately to Walmart stores, reducing the time it took to track a specific shipment back to the farm from almost a week to just 2.2 seconds. She noted how Maersk, the world’s largest container shipping company, is testing blockchain to track globally its cargo and related documents in near real-time, and how London-based Everledger uses blockchain to digitally track diamonds. She raised the prospect that “blockchain could be revolutionary” if companies, instead of using manual processes for account reconciliation, deployed blockchain technology “automatically, in near real-time, reconciling not only internal ledgers but also external ledgers.”

Faced with developments like these and countless new technologies that offer the promise of improving audit quality, Ms. Hamm addressed the question of “what auditors need to know.”

First, “the advent of emerging technologies does not change the fundamental financial reporting framework.” She explained:

“If an emerging technology is being used to meet financial reporting or internal control requirements established by the federal securities laws, then auditors need to understand the design and implementation of that technology. And at the risk of stating the obvious: For audits of public companies and broker-dealers, PCAOB standards still apply.

“In the case of blockchain, if an audit client uses it for business or operational activities, the auditor must understand the information systems, including the related business processes, relevant to financial reporting and how the use of blockchain affects the client’s flow of transactions.”

Second, “[b]lockchain does not magically make information contained within it inherently trustworthy.”:

“Events recorded in the chain are not necessarily accurate and complete. Recording a transaction on a blockchain does not alleviate the risk that the transaction is unauthorized, fraudulent, or illegal. Blockchain also does not address threats that parties to a transaction are related, or that side agreements exist that are not reflected in the chain. And nothing in the technology ensures proper classification of transactions in the financial statements.”

“Moving beyond blockchain to other emerging technologies,” Ms. Hamm raised some additional points:

1. She stressed that “auditors must be clear-eyed about the new challenges that these technologies create. For example, many of these applications require systematic access to quality data. Clients may be reluctant to provide their auditors unfettered access to such data for control and security reasons. Here is where an auditor’s strong cybersecurity posture may go a long way to lessen those concerns.”
2. She noted as another challenge “the risk that the technology does not operate as intended due to coding errors when developed, or intentional or unintentional changes made after the technology is deployed. Audit firms, therefore, should have robust controls in place around developing and testing tools before deployment and strong change-management processes for tools that are in use.”
3. Last, she noted that “in changing environments, computer code underlying complex technology can degrade over time, becoming less responsive. As a result, processes should be in place to continuously monitor and confirm that the output of an application remains consistent with expectations.”

Ms. Hamm also discussed the “five broad principles” she applies when thinking about emerging technology:

“First, when used for matters within our [pur]view, as regulators, we are not here to pick winners and losers in the race for innovation through the use of emerging technology. Let ideas compete.

“Second, as regulators, we should not inappropriately impede creativity. We should be open-minded and prepared in appropriate circumstances to use our regulatory tool kit – guidance, experimental sandboxes, and, possibly under the right circumstances, no-action relief – to remove inappropriate hurdles to new, creative uses of technology. . . .

“[Third,] When an innovation offers the potential to reinforce or enhance a public policy object, we as regulators should be open to removing barriers as appropriate. If the proposed solution offers the potential to drive audit quality forward, you have my attention. If a proposed solution reinforces one or more of the three pillars of the federal securities laws – investor protection, market integrity, or effective capital formation – I want to know more.

“[Fourth,] I am particularly impressed by emerging technology that builds regulatory requirements and cybersecurity into solutions from the start, rather than bolting them on after the fact.

“A fifth principle: To be most effective, as technology around financial reporting and auditing continues to evolve, stakeholders – including investors, preparers, boards, audit committees, auditors, regulators, and academics – should actively participate in that development, sharing their unique perspectives.”

In sum, Ms. Hamm concluded: “Mexican mangos, diamonds, cargo shipping containers and beyond, blockchain and other emerging and disruptive technologies offer immense promise; not only to change financial reporting, but also auditing and assurance activities” — developments that portend “exciting times” ahead for auditing and financial reporting.

Ms. Hamm’s remarks offer useful guidance to how the PCAOB may be likely to view the challenges posed to auditing and financial reporting by blockchain and other disruptive technologies. Companies whose operations are being transformed by such technologies would be well advised to take note of her views in this area.