Risks of Blockchain on Service Organization Control (SOC) Assessments

Blockchain technology is changing the way businesses around the world operate and provide services. Blockchain is currently most known for its association with cryptocurrencies, most notably, Bitcoin. The use of blockchain extends beyond cryptocurrencies as use cases flourish and major companies invest in blockchain technology. With new integrations and solutions in development, blockchain will disrupt many industries, including the Internet of Things (IoT), supply chain, healthcare, and finance to name a few. The full implication of blockchain technology on the world is not yet known.

What Are the Disadvantages of Blockchain Technology?

Service organizations embracing blockchain technology increase risk for both the service organization and its user entities, so it is essential that service organizations understand those risks. Because blockchain technology is relatively new, the risks and their impact on the service organization’s achievement of its control objectives in a SOC 1 examination, or of its service commitments in a SOC 2 examination, may not be well known or understood. How will blockchain affect audits? How will blockchain affect service organizations and auditors? In this post, I will share several risks that service organizations, users, and auditors should consider. The impact of blockchain risks on SOC 1 and SOC 2 examinations can be extremely detrimental if those risks are not managed properly.

What is Blockchain?

In its simplest form, blockchain is a database. Unlike a traditional database, data is not stored in tables; rather, it is stored in blocks, and those data blocks are then chained together. Traditional databases house data on servers, and the data is owned by a single organization or a group of organizations. Blockchain operates differently: every data block is replicated and shared amongst all computers, or nodes, operating on the blockchain, and every data block is verified and confirmed by a majority of the blockchain nodes. Depending on the blockchain type, node ownership and management vary.

The distributed nature of blockchain is the reason it is known as a decentralized ledger. Transparency and immutability of data are key features of the decentralized blockchain framework.
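As an added illustration (not code from the original post), here is a minimal hash-linked chain in Python that shows two of the properties described above: a change to an earlier block breaks every link after it, while an edit to the newest block on one node is only exposed by comparing that node's copy with the majority of the other nodes' copies. All names and the sample records are constructed for this example.

```python
import hashlib
import json
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

GENESIS_PREV = "0" * 64  # the first block has no predecessor

@dataclass
class Block:
    index: int
    prev_hash: str
    data: dict

    def digest(self) -> str:
        # The hash covers position, predecessor hash and payload, so editing
        # an earlier block changes every hash that follows it.
        payload = json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash, "data": self.data},
            sort_keys=True)
        return hashlib.sha256(payload.encode()).hexdigest()

def build_chain(records: List[dict]) -> List[Block]:
    chain, prev = [], GENESIS_PREV
    for i, rec in enumerate(records):
        block = Block(i, prev, dict(rec))  # copy so each node owns its data
        chain.append(block)
        prev = block.digest()
    return chain

def first_broken_link(chain: List[Block]) -> Optional[int]:
    """Index of the first block whose prev_hash no longer matches, else None."""
    prev = GENESIS_PREV
    for block in chain:
        if block.prev_hash != prev:
            return block.index
        prev = block.digest()
    return None

def majority_tip(node_chains: List[List[Block]]) -> Optional[str]:
    """Tip hash held by a strict majority of node copies, else None.
    Whoever controls more than half of the copies therefore decides it."""
    tip, votes = Counter(c[-1].digest() for c in node_chains).most_common(1)[0]
    return tip if votes * 2 > len(node_chains) else None

# Constructed sample: three nodes hold identical copies; node 2's tip is then altered.
RECORDS = [{"tx": "mint", "amount": 100}, {"tx": "pay", "amount": 40}]
NODES = [build_chain(RECORDS) for _ in range(3)]
NODES[2][-1].data["amount"] = 9999  # tip-only edit: internal links still verify
```

The tip-only edit passes the local link check, which is why cross-node agreement, and not just the hash chain, underpins the immutability claim.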

What are the Types of Blockchain?

Understanding which type of blockchain a service organization uses is important to understanding the risks inherent in the technology, as the risks differ based on the blockchain type. The four blockchain network types in use today are described below.

Public Blockchain

A public blockchain is permissionless and can be used by anyone. Public blockchains are used by cryptocurrency platforms, such as Bitcoin, on which individuals are able to buy, sell, and trade cryptocurrencies. Data is distributed to all full nodes on the blockchain, and those nodes can be run by anyone with internet access to the blockchain platform. Data transactions within a public blockchain are validated using a consensus method such as Proof-of-Work (PoW) or Proof-of-Stake (PoS), to name a few.

Private Blockchain

Private blockchains are created by an individual or a group of participants who know and trust one another. Private blockchain nodes exist within an isolated environment and are typically managed by a single, central organization. Data access is limited to selected participants based on assigned permissions, which are typically agreed to in participant contracts. Data validation is performed by pre-authorized, identified nodes.

Federated or Consortium Blockchain

A federated or consortium blockchain is like a private blockchain except that it is not centrally managed by a single organization. Rather, it is managed by a consortium or federation of organizations. Access to data is limited to participants within the federation, and nodes are managed by the participant organizations. Data is validated by nodes distributed amongst the participants.

Hybrid Blockchain

As the name implies, a hybrid blockchain combines features of both public and private blockchain technology. Access to data varies and is based on participant agreements: some data is unrestricted/public while other data is restricted/private.

Organizations typically choose to run private blockchains as they are often centrally managed and data is restricted and private.

What are the Blockchain Risks on a SOC 1 or SOC 2 Audit?

Organizations using blockchain in the systems they use to provide services to user entities must understand the risks related to the blockchain, as those risks may result in:

  1. Service organization’s failure to meet one or more of its control objectives, resulting in a potential misstatement of the user entity’s financial statements in a SOC 1 examination.
  2. Service organization’s failure to achieve one or more of its principal service commitments and system requirements in a SOC 2 examination.

The following risks, although not comprehensive, are the more significant risks related to blockchain that both service organizations and user entities should be aware of. See the Implications of the Use of Blockchain in SOC for Service Organization Examinations for additional risks and detail.

Access Control Mechanisms

Without appropriate access controls, unauthorized transactions or disclosure of confidential business or personal information may occur, and unauthorized users may gain access to transactions already recorded within the blockchain.

Cryptography is a key feature of blockchain technology, and controls should be in place to manage cryptographic key management risks, since:

  • Failure to properly manage, administer, or operate cryptographic keys may result in unauthorized or unauthenticated participants having read or write access to recorded transactions within the blockchain.
  • Participants who lose cryptographic keys won’t be able to access their digital assets and records. Without the key, digital assets (e.g., Bitcoin) cannot be accessed; in essence, the asset is gone.
  • Insufficient logging of attempted access to, or use of, cryptographic keys may leave too little data to identify or respond to unauthorized access attempts.

If you’re interested in a bit more information regarding blockchain security risks, have a read of Jaclyn Finney’s blog: “Understanding Blockchain: Security, Risks & Auditing Tips.”

Compliance with Laws, Rules, and Regulations

In permissionless/public blockchains, data is public in nature, which creates challenges and risks for organizations seeking to comply with privacy laws, rules, and regulations. For example, in a permissionless blockchain, all users have unrestricted read access to all records on the chain. Furthermore, users are allowed to hide their true identities and remain anonymous.

Consensus Mechanisms and Protocols

Consensus methodologies provide the means by which data and transactions are validated on the blockchain. The consensus methodology used affects the scalability, speed, and costs of the blockchain. Regardless of the consensus methodology used, a few risks for consideration are:

  • Blockchains with fewer nodes have a greater risk of being the target of a “51% attack”.
  • Forks within blockchains may result in prior blocks becoming invalid.
  • Failure of consensus leads to corruption, loss of assets, or recording of inaccurate, incomplete, or duplicate transactions.
  • Use of weak encryption and hashing techniques and technology may result in unauthorized changes, destruction, or disclosure of information.

Data Ownership

The blockchain is a string of data blocks. Knowing who owns those data blocks is critical to establishing who is responsible for, and possesses, the data. Without agreements and definitions regarding ownership of data and transactions within private blockchains, owners may be denied access to their data and recorded transactions.

Oracles

Blockchains may be integrated with resources off the blockchain, as blockchains cannot directly access off-chain resources. Oracles play an intermediary role in gathering off-chain data and passing that data to the blockchain for use. A lack of oracle controls creates risk: controls may be insufficient to safeguard the security and processing integrity of oracle data, resulting in incorrect data being sent to smart contracts and/or improper execution of smart contracts.

Smart Contracts

Smart contracts are a blockchain feature that extends the benefits of blockchain beyond the confines of cryptocurrencies. Smart contracts are computer program rules used to process or execute transactions in accordance with defined agreements. If smart contracts are not developed, maintained, or managed appropriately, service organizations face an increased risk that:

  • Smart contracts may execute incorrectly resulting in financial loss or inaccurate reporting of transactions.
  • Smart contracts may not function as intended due to coding errors or may not have all requirements to be legally enforceable.
  • Smart contracts may not be enforceable based on governing laws, regulations, and jurisdiction.

Because of the immutable nature of blockchains, it is very important that smart contracts are developed correctly: modifying or updating smart contracts or related data within the blockchain is very difficult to do.

Service Auditor Considerations

AICPA audit and attest standards require service auditors to have the skills and knowledge necessary to perform attestation engagements prior to accepting such engagements. Blockchain technology is relatively new and uses complex technology. Service auditors may lack the expertise necessary to assess the risks and evaluate the controls service organizations implement to mitigate blockchain risks.

Auditors may acquire the knowledge necessary to perform SOC assessments over blockchain technologies through formal education and experience. With blockchains continually evolving, service auditors may require additional assistance and engage blockchain specialists to help with SOC assessments.

When evaluating auditors, service organizations ought to confirm the auditor is qualified to perform the SOC examination. For further information regarding what makes a qualified auditor, have a read of our blog Who can Perform a SOC Audit?

Summary

What are the advantages of Blockchain? Well, many. This is why blockchain is disrupting industries, from healthcare to supply chains to real estate. As use cases develop daily, more industries are sure to become unsettled. The complexity of blockchain technology and its impact on service organizations and user organizations cannot be ignored. Without a proper understanding of blockchain risks, risks to the service organization’s operations and service delivery may go unmitigated.

What are the disadvantages of Blockchain? Blockchain technology is new and complex, increasing risk for organizations that use the technology. Without properly understanding the risks, service organizations may not be able to meet their control objectives in a SOC 1 examination or may not achieve their principal service commitments in a SOC 2 examination. Either outcome may result in a qualified audit opinion.

If you would like to learn more, or if you are interested in engaging our services for your upcoming audit, please feel free to contact me and the team of audit professionals here at Linford & Co.