A framework for auditing blockchain

Published: January 9, 2019 3:34:03 AM

One has to reconcile with reality. People, in general, are sceptical towards technological changes, be these in their professional or personal lives. What they sometimes lack is the vision to see how the new technologies they are resisting could make their lives a bit easier. Today, technological innovations can disrupt entire industries or more. Blockchain is one such technology, pegged to modernise digital infrastructure and thereby help in reorganising data and assets. Across industries, blockchain solutions have become the buzzword for solving complex problems because blockchain is decentralised, distributed, traceable, immutable, validated and verifiable. To this effect, according to the Blockchain Enterprise Survey, almost 65% of large enterprises (defined as those that employ a minimum of 10,000 staff) are actively engaged in blockchain deployment. Yet while blockchain solutions are helping solve problems across industries, what we are not equipped for are the risks interlinked with these solutions.

Smart contracts based on blockchain are expected to reduce the cost of transactions across industries, hence enticing corporates and governments. The potential application of blockchain is not limited to finance; it ranges across a variety of sectors, right up to making an agricultural supply chain more efficient. Today, businesses around the globe, big and small, in every industry, are spending significant time and resources on blockchain solutions. Governments across the world, too, are now leveraging blockchain and the many advantages it has to offer.

That blockchain technology presents major opportunities for several sectors is rather apparent; however, it is not a foolproof technology. Still at a nascent stage of deploying blockchain, many organisations across industries are unaware of the growing threats that can impact its security. Recent incidents such as the Parity hack, the Enigma hack, the Decentralised Autonomous Organisation (DAO) incident and the Bitfinex breach have made it clear that attackers can exploit this technology.

For example, in the healthcare sector, blockchain technology can be used to streamline the sharing of electronic medical records between patients and healthcare providers. Here, unencrypted personal health information (PHI) published in global transactions may put sensitive information at risk, leading to regulatory and legal concerns. Also, access to medical records requires a patient’s private key, and as the patient is the only owner of the key, losing it implies losing access to the entire medical data. Furthermore, blockchain technology’s irrevocability makes it difficult to implement the ‘Right to be Forgotten’, so a patient would not be able to exercise the right to erasure of his/her PHI. Such a scenario calls for an audit framework comprising: key generation and decommissioning, maintenance and governance, logging and auditing of key usage, management infrastructure, traceability and version control, and hash algorithm management.

Also, there are risks pertaining to commercially sensitive data transactions on a blockchain platform. For instance, on a public blockchain used in a supply chain, any member of the public can obtain a full copy of the whole transaction history and use it without restriction. In the case of a private blockchain, the information is shared among all the participating nodes, but if competitors are present on the same blockchain, they may be able to discover the commercial-in-confidence information stored in the blockchain platform, thus putting sensitive data at risk. Lack of a governance model for blockchain, therefore, may lead to unresolved disputes over incorrect transactions or cross-border transaction flows.

Other concerns remain with respect to ownership, governance, dispute resolution, security and privacy around smart contracts, and the blockchain-based platforms themselves. The risks are amplified by the absence of a central regulator or governing body to deal with disputes when they arise. Traditional models of audit fail to take into consideration many of the risks associated with blockchain-enabled processes; hence the need to understand the specific set of unique risks and to develop an evolved auditing approach specifically for blockchain-enabled solutions.

To sum up, as blockchain continues to build significant momentum and the reality sets in, organisations cannot turn a blind eye to security and risk management any longer. While business executives are leading the way in utilising blockchain, they simultaneously need to re-examine processes and functions that have remained static for decades. Leveraging an effective audit framework could provide a solution to harness and mitigate a number of the unique risks that blockchain brings to the table.

(The author is partner, IT Advisory, KPMG in India)
