Simply put, yes, blockchain companies should be audited. Many organizations rely on blockchain companies to perform key services in support of the user organization’s operations. Those services may include, but are not limited to, processing financial transactions (including crypto and Non-Fungible Tokens (NFTs)), sharing medical data, supply chain and logistics monitoring, and the administration and execution of smart contracts. User organizations want to know that blockchain services are secure and available while data remains confidential and private. Audits provide user organizations with the validation and comfort they need surrounding those blockchain services.
Is Blockchain Secure?
Yes and no. The nature of blockchains makes them secure: they are a decentralized ledger where transactions are transparent, immutable, and secured using cryptography. Even a quick Google search would make one believe blockchain is secure. For example, Investopedia.com states:
“Blockchains guarantee the authenticity and security of a record of data and generate trust without the need for a trusted third party. Companies within the industry include financial technology (fintech) companies, cryptocurrency miners, manufacturers of blockchain technology, and other kinds of companies.”
Blockchain technology, however, is not infallible. As the use and value of blockchain increase, blockchain companies will progressively become a target for hackers.
Cryptojacking and the hacking of crypto exchanges are nothing new. The first known major breach was that of the Mt. Gox exchange in 2011, when the price of Bitcoin was $1 – $30. Put that in stark contrast to today, when the price of Bitcoin is hovering around $40,000 after peaking at $66,000 back in November 2021.
The cryptocurrency market cap in 2013 was $1.6B compared to $64.5B today. This increase in market cap does not take into account the value of NFTs or the value of non-cryptocurrency data (e.g. medical data shared using blockchain technology). Most blockchain companies that share or process private or confidential data would consider that data invaluable. A loss or breach of such data can be existential to any company.
What is Blockchain Auditing?
Regardless of technology and industry, audits of service organizations, including blockchain companies, have a common theme and expectation: to provide users with confidence that the services are secure and available, and that data is processed completely and accurately while remaining confidential and private. Other objectives may be covered in an audit, but most audits cover these objectives at a minimum.
A common means by which confidence is provided to user entities is a SOC 1 or SOC 2 audit. If you’re interested in learning more about the difference between SOC reports, have a look at our posts on what a SOC 1 report is, what a SOC 2 report is, and the differences between SOC 1 and SOC 2. You can also read here to learn more about the risks blockchain poses for SOC audits.
The audit scope of any blockchain company depends on factors such as the type of blockchain network and the consensus mechanism used. An audit of a blockchain company using a private blockchain versus a public blockchain will have commonalities but also differences. For example, access to blockchain nodes will be audited in either network type. However, in a private blockchain, nodes are centrally managed rather than distributed as in a public blockchain. Data residing on centrally managed nodes has a greater risk of unauthorized access and is more susceptible to change.
Audits of blockchain companies using public blockchains (e.g. Bitcoin and Ethereum) to deliver their services are performed over the components that interact with the blockchain, not over the blockchain itself.
How Long Does a Blockchain Audit Take?
There is no simple answer. Every service organization is different and has different requirements, resulting in different audit lengths. Items impacting the length of an audit include application complexity, maturity of the control environment, size of the organization, and technology used. As discussed in the blog “How Long Does a SOC Examination Take?”, a “SOC examination is typically one to three months for a Type I report and one to six to 12 months for a Type II report.”
Is a Blockchain Audit Mandatory or Required?
No, audits are not required. However, organizations relying on services provided by blockchain companies are asking for and demanding audits more and more. As use cases and acceptance of blockchain technology increase, blockchain companies should expect requests for audits to increase and to be written into contracts.
Currently, blockchain is not regulated beyond the sale and transfer of cryptocurrency. However, it is only a matter of time before regulation catches up. The US Securities and Exchange Commission (the SEC) monitors digital assets and has influence over crypto prices with talk of regulation. Additionally, as blockchain companies provide services that contain or interact with healthcare data, Electronic Protected Health Information (EPHI), Personally Identifiable Information (PII), or any other data that regulation requires to be private or confidential, blockchain companies will have to consider regulations that are already in effect, for example the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and the Health Information Technology for Economic and Clinical Health Act (HITECH).
It is not a matter of whether regulation is coming but rather when regulation comes.
Interest in cryptocurrencies and use cases for blockchain technologies are flourishing. Take, for instance, Bitcoin millionaires, whose number increased from 25,000 to 100,000 within the past year. Or consider the growth in Non-Fungible Token (NFT) trading. The growth in NFT trading from 2020 to 2021 is unprecedented: trading grew from $100M in 2020 to $22B in 2021. That’s an increase of 21,900%.
The value of blockchains has placed blockchain technology in the spotlight. Hackers and fraudsters are ever keen on exploiting security flaws to enrich themselves. Recently two individuals were arrested for alleged conspiracy to launder $4.5B in stolen cryptocurrency.
Today, audits are not required, but the need for auditing blockchain technologies is ever increasing. Even where audits are not required, blockchain companies are delving into areas where regulation already exists (e.g. GDPR, HIPAA, and HITECH), and they will be called upon to show they are in compliance with such regulations. Furthermore, as organizations rely on blockchain companies in support of their operations, they will begin to demand audits. User organizations want to know that blockchain services are secure and available while data remains confidential and private.
Ben Burkett is an experienced auditor for Linford & Co. Starting his career at KPMG in 2002, Ben has extensive experience in the business of Information Technology (IT). As an auditor, he drove IT risk management and compliance efforts. As the head of an IT Project Management Office and a Technology Business Management (TBM) function, he sought to drive and maximize the value of IT.