Now more than ever before, there has been an increased focus on how new technologies can improve existing business processes. Blockchain is one such technology. The unique capabilities of a blockchain can increase the transparency, record integrity, efficiency and effectiveness of transaction processing and recording.
To date, the adoption of blockchain has largely been within the financial technology (fintech) industry, focused on transacting cryptoassets. However, more organizations in more sectors—such as technology, media, and telecommunications; life sciences; health care; and manufacturing—are expanding and diversifying their blockchain initiatives. New use cases for blockchain technology that span across multiple industries continue to be identified. Organizations are seeing the potential in using the technology as a connecting platform that can enable many business processes, including the financial reporting process. A recent Deloitte survey revealed that 55 percent of executives identified blockchain technology to be a critical priority for their organizations.
Considering the potential changes that this technology may bring to business and operating environments—both as an enabler and as a driver—it is prudent to consider both the risks and benefits of using a blockchain and its impact on an organization’s internal control environment.
Why the board?
A key role of the board is to provide strategic oversight to help an organization navigate the implementation and use of new technologies such as a blockchain. While considering the adoption of this new disruptive technology, the board can assist management in evaluating the most advantageous use cases for the technology, as well as the new risks and threats that may arise from its use. Through ongoing communications with management, asking key questions, and staying abreast of new developments in blockchain technology and its use cases, a tech-savvy board can help management to successfully implement and maintain blockchain technologies.
What is a blockchain?
A blockchain is a distributed ledger (described below) that allows digital assets to be stored, transferred, and transacted in a real-time, immutable, or irreversible manner. Some elements common to most blockchains are:
• A distributed ledger, which is a book of records (similar to a general ledger) that can be accessed and updated by multiple parties.The distributed ledger is replicated across several systems, and each party has access in real time.
• Integration of a digital asset which refers to a digital record made using cryptography for verification and security purposes on a distributed ledger. The functionality of digital assets may include but are not limited to currency or medium of exchange; store ofvalue; specified utility or digitized investment.
• Use of cryptography and digital signatures to prove identity and authenticity and enforce read/write access rights.
• Consensus mechanisms that make it hard to change historical records and make it easy to detect when someone attempts to do so, leading to immutability of data recorded on the distributed ledger. While corrections are still possible, corrections will need to be reflected as adjustments rather than directly as corrections to an existing transaction.
A blockchain may be permissionless (a blockchain platform where anyone can access and contribute to the ledger) or permissioned (where access and the ability to contribute to the ledger are restricted and governed by specified criteria). Permissioned blockchains can be further categorized based on whether parties within the network are in a single organization (private, permissioned blockchain) or span across multiple organizations(consortium, permissioned blockchain).
When is a blockchain useful?
There is ever-increasing interest and investment in identifying new use cases for blockchain technology. In considering whether to implement blockchain, it may be helpful to consider whether the following conditions are present:
• There is a need for a structured repository of information.
• There are multiple parties to transactions to be recorded on individual ledgers.
• There is substantial manual data entry and tracking.
• There is a reconciliation-heavy process for managing the business and its relationships.
• There is some interaction or dependency between transactions created by different parties.
• There is a certain level of “mistrust” between parties engaging in transactions, meaning that one party may not accept the “truth”as reported by another party.
• There is no trusted intermediary or central gatekeeper to verify transactions (or, if one exists, it is inefficient).
• Stakeholders require different aggregations of reports and frequent ad hoc reporting.
In addition, it may be helpful to assess how other organizations have implemented blockchain into their processes. Some of the emerging use cases for blockchain technology beyond digital assets include using a blockchain to facilitate:
• Automation of business contracts through smart contracts
• Traceability of goods within a supply chain
• Movement of money internationally
•Direct settlement of transactions between two or more banks
•Automation of insurance claims processes
•Centralization of patient medical records across organizations
Key blockchain considerations
There is no doubt that blockchain can play a key role in transforming business processes. At the same time, the adoption of any new technology brings risks or threats associated with adoption. The board can play a key role in helping organizations navigate those risks and threats, as well as the opportunities, that may arise from the new technology. As boards provide oversight in management’s implementation of a blockchain, they may consider the following:
• The skill sets needed to oversee, implement, and maintain blockchain technology. For the board, it will be important to understand how a blockchain works at a sufficient level to provide appropriate oversight. Further, the board should be satisfied that the management team has an appropriate understanding of blockchain , critical in (1) identifying the most advantageous use of the technology; (2) developing internal controls that promote the effective implementation and operation of a blockchain; (3) monitoring the ongoing governance and health of the particular blockchain.
• Not all blockchains are created equal. The adoption of private permissioned blockchains within an entity may be similar to adopting any new technology. On the other hand, making a permissionless blockchain or a consortium permissioned blockchain a part of the system may bring an entirely different set of risks and concerns, as decision-making may be decentralized, leaving little room for individual influence, little individual accountability, and little control over governance. It is important that a company understands the governance structure of the particular blockchain in order to understand how potential issues will be resolved.
• Blockchain requires an effective system of internal control in order to operate effectively. While the technology has many benefits, it exposes the company to new risks. Implementing effective general information technology controls, business controls, and governance and monitoring controls can promote the effective operation of a blockchain and timely identification of deficiencies, and can mitigate risks.
• The integrity of data recorded on the blockchain will be dependent on (1) the integrity of data input not only by the organization, but also by others on the network; (2) the effectiveness of the blockchain validation and consensus mechanisms; (3) processes implemented by each party to promote the technology’s effective operation; and (4) controls implemented over outputs from the system.
• Despite its many functionalities, blockchain does not remove the need for management, accountants, or auditors, although it will affect what they do (and how they do it). The use of blockchain will transform management’s processes (including how transactions are recorded and the internal controls in place). As a result, it will be important to think through the evidence maintained to support transactions recorded on a blockchain and understand how internal and external auditors may be considering the technology’s potential.
• Blockchain and its use cases are still evolving. Some blockchain solutions implemented today may have to be redone in a few years’ time. However, if the industry or regulators clarify the needed functionalities of blockchains, digital assets, or programming languages, there is a better chance of stability over time.
• Blockchain adoption may not be a choice. Blockchain will likely have an impact on all organizations through direct or indirect investments in digital assets, creation of an independent permissioned blockchain, participation in an external permissioned blockchain, or other activities. Organizations may need to consider the need to implement blockchains not only to address business needs, but also to respond to expectations or demands from customers, suppliers, partners, and the government.
What can the board do to stay ahead?
Adopting new technologies such as a blockchain can be a daunting task, as steps taken to further integrate technology into current business processes may be met with resistance to change and discomfort due to unfamiliarity or uncertainty. Despite these factors, companies and their boards may need to become more digitally savvy and agile to maintain or grow market competitiveness. Uncertainties could highlight the need for board oversight of a company’s strategic decisions surrounding adoption of new technologies such as blockchain.
In helping companies navigate considerations related to blockchain, board members ought to remember that a blockchain, at its core, is simply a tool that should be focused on responding to an existing challenge associated with transacting, tracking, and recording shared data. As companies seek to adopt this technology, board members can emphasize to management the importance of (1) identifying a viable use case for the technology; (2) considering how it will integrate with current systems and processes; and (3) being agile and dynamic in order to adapt to changes in the evolving regulatory environment, once the technology has been implemented.
While board members need not be experts, having a basic level of tech literacy while also seeking out opportunities to learn more about emerging technologies can assist board members in navigating the adoption of disruptive technologies. This education should be ongoing, given the evolving nature of blockchain and other technologies. Boards may consider building intellectual agility by adding tech-savvy directors. In addition, existing committees such as the audit committee may be leveraged to take deep dives focused on understanding how a blockchain may affect processes such as financial reporting and internal controls.
Encouraging early and ongoing conversations with management surrounding the potential adoption of blockchains and related considerations can also help management stay ahead. Boards may ask for, review, and digest information about management’s considerations and conclusions surrounding the implementation of a blockchain, including understanding why it is the chosen solution.
While adopting a blockchain may come with challenges, new risks, and uncertainties, a well-developed plan that is agile and dynamic can assist boards and companies in navigating and successfully adopting this disruptive technology.
Examples of risks associated with blockchain
• Blockchain, similar to other technologies, is still vulnerable to information security and other cybersecurity risks.
• The regulatory environment surrounding blockchain and digital assets continues to evolve and may vary across jurisdictions, leading to uncertainty regarding regulatory requirements and increased regulatory risks.
• The pseudo-anonymity of the parties that transact on a blockchain, coupled with the lack of censorship or a centralized intermediary, poses a threat that the blockchain may expose organizations to fraud risks.
• The speed, immutability, and irreversibility of transactions recorded on the blockchain may leave organizations susceptible to risk of significant loss or error with no recourse.
• Blockchain technology will have to work seamlessly with legacy infrastructure. Failure to do so could result in poor experience, regulatory issues, and resulting reputational risks.
• With the increased transparency provided by a blockchain, data stored on a blockchain may be more susceptible to data confidentiality risks if appropriate controls are not implemented to mitigate such risks.
• Risks associated with blockchain can be evaluated and addressed through the use of COSO’s Internal Control-Integrated Framework. Deloitte in collaboration with COSO is developing a paper which will explore these issues and is planned for publication this summer.
Examples of blockchain benefits:
• Using a blockchain may result in reduced costs associated with transaction processing due to the elimination of third-party intermediaries.
• Blockchain may lead to greater efficiency, as the need to perform reconciliations between company records, transacting entity records, and intermediary records is eliminated.
• Blockchain may help to promote transparency, as the history of transactions is available, visible, and accessible by using appropriate tools.
• Promotes decentralization and trustlessness, as blockchain mechanisms may provide methods for all members of the network, who may not know or trust each other, to engage in transactions without an intermediary, as transaction validation is performed by the network.
• Transactions, once recorded on the blockchain distributed ledger, are hard to alter, thus providing an immutable record of transactions.
Questions for the board to consider asking:
1. How are blockchain-enabled processes changing the way our sector or industry does business?
2. How will a blockchain help improve business processes, contribute to strategic success, or respond to a current challenge that we face?
3. How will a blockchain be integrated (or work alongside) current IT systems?
4. What are the costs and benefits (or risks and rewards) of adopting a blockchain technology?
5. Do we have the right skill sets and resources to adopt a blockchain? If not, how might we attain them? If implemented, how will appropriate oversight be maintained post-adoption?
6. What is the impact of the current regulatory environment (tax, legal, or data privacy), and what is the outlook for the future? Are we prepared for the unknowns as we integrate the technology into our operations?
7. Given the collaborative nature of the blockchain technology, have we identified and engaged with parties who will be included within the network? Do we have a clear understanding of the governance structure for the particular blockchain?
8. Is the board prepared to oversee the implementation of a blockchain given its potential effects? If not, what steps do we need to take to get prepared?
9. What steps are we taking to maintain evidence to support our books and records for transactions recorded on the blockchain? Have we engaged with our auditors throughout the development and implementation of the technology to understand their views (for example, on the sufficiency of this evidence or internal controls)?