Potential of blockchain technology for financial auditing
September 2016 | EXPERT BRIEFING | FINANCE & ACCOUNTING
The blockchain (BC) is rising to prominence for immutable data services. One area where it is obvious that this distributed ledger technology will have deep business impact, if it succeeds, is financial auditing.
The BC is in its infancy and, much like the internet was in its early stages, it is still unknown to many non-experts. In short, the BC is the technological infrastructure component behind bitcoin, the virtual currency invented in 2008. Recently there has been more interest in the BC, than the application which once made it famous.
For a number of years now there has not been just one BC, there have different variants of this infrastructure. At its core every kind of BC is ‘just’ a distributed version of what is known as a ledger in accounting. It documents and stores transactions in their chronological order with a time-stamp, representing its meta data or relevant content. To make the BC tamper-proof it is stored in several copies of the valid version. Anyone who wants to forge its content would have to do it at different places at the same time and with a lot of computer power and effort.
The second mechanism that makes BC transactions relatively resistant to fraud is the so-called mining. Every transaction is digitally proven on its validity by several participating BC members – or miners. Miners are able to solve a complex mathematical puzzle which accompanies each transaction and achieve a cryptographic signature for the transaction called a ‘hash key’. This hash key is than combined with the hash key from the previous transaction block to achieve a new blockchain hash for the next valid block of transactions, and so on. Several miners have to agree in this way on the validity of each transaction block, what is called ‘consensus’, to create the valid chain of transaction blocks. The number of miners involved and the way miners reach this consensus differs in effort and speed for each BC variant. Publicly accessible BCs like Bitcoin and Ethereum reward their miner efforts in their particular virtual currencies. Private BC technology like ‘R3’ belongs to a closed group of banks with known and trusted miners and therefore can use less complex consensus mechanisms and leave incentives out.
Financial auditing proves that all enterprise transactions happening are documented in an accurate, verified and confirmed manner. Typical incidents in financial auditing which could be found automatically are cash recovery aspects like double spend, discount losses, open items, changes to bank accounts, incorrect or duplicate master data for customers of vendors, or missing tax IDs. The first BC use cases which evaluated the support of client auditing were Deloitte’s prototypes in 2015 using a concept called triple entry accounting (TEA).
The TEA concepts adds a third ‘assuring account entry’ to the double account to proof the transaction’s evidence. If the transaction itself is presumed to be correct, the later comparison of main book and subsidiary ledgers will get obsolete for the audit, because any manipulation of the original transactions could be identified on a changed BC signature of the transaction immediately.
Research for financial auditing shows that only parts of the data in the course of the transaction have to be collected at key points and stored in the BC; the BC creates a tamper-resistant audit trail that every auditor can trust, which identifies problems more quickly without deep analysis of transaction’s business content. In combination with analytics it could reduce manual and paper based effort in financial auditing dramatically. If all financial accounts were BC signed, illegal manipulation of administrators or persons responsible for master data management could also be immediately identified.
The first example of such a public BC use case for financial auditing is ‘Balanc3’, built in 2015 on Rubix supported by Deloitte. It uses TEA to link the general ledgers of participating enterprises, storing meta data on all relevant details of any transaction between them. The invoice in procurement, for example, works as a payment mechanism, as well as a digital receipt, once it has been released.
Securing the integrity of transactions and accounts between business partners built on BC technology has been the task for internal exchange solutions Linq from Nasdaq and T0 from Overstocks since winter 2015. Another professional case has been seriously tested on a large scale by IBM in its trade finance, which had about 4000 participating business partners on Bluemix/hyperledger in spring 2016 and is now ready to be launched.
Such shared BC-registries for accounts simplify the identification of fraudulent behaviour because only valid accounts of suppliers and customers can trigger transactions. Architectural differences in BC variants result in different assurance types of transaction data; some assure general existence and ownership of a transaction with encrypted public and private keys in real time. Others add assurance of the integrity, correctness and provenance of asset stored in the transaction with attributes for their distinct identification, like Everledger does for diamonds. Applied in financial accounting, this would lead to next level of assurance.
The third kind of BC assurance is realised with so called ‘smart contracts’, which are automated programme logics on the BC executed only but always when predefined parameters are fulfilled. This could automate extinctions and tax payments, for example, and would further reduce the work of financial auditing.
BC technology could reasonably improve the effectiveness and efficiency of auditing and help to foster the reliability of financial reporting. It could replace manual testing and samples of original volumes with automated BC-audit analytics on all transactions. Paper-based and extensive work procedures could be replaced by a simple comparison of BC signatures, releasing audit time for more complex analysis on manipulations like fraud on turnover taxes. The success of TEA solutions based on BC technology would have effects on financial software vendors and certified public accountants. As part of future solutions, it would simplify checks of accuracy of financial accounting.
In combination with automated reporting capabilities, auditors can rely on BC, trust it is built with the security of unchanged and immutable transactions and accounts without further checks. Fraudulent manipulations of transactions afterwards would be recognised immediately and could automate incident reporting and handling for these cases. This reduces costs of audit services, supports continuous auditing processes in enterprises, optimises auditing processes through reduced time and effort, and improves the quality of the auditor’s tasks.
Existing limitations are missing regulatory authentication procedures to save IDs of assets, persons or corporate bodies in BCs. It lacks standards and solutions according to legislation like the European data protection regulations. As yet, there are no standards for BCs, no broad professional knowledge and acceptance and no accrediting institutions. Performance issues for professional use of BCs are still unsolved.
So, BC as a distributed ledger technology will not replace human audit checks completely. It identifies fraud which changed transactions afterwards, not if the original transaction was fraudulent from the beginning. Examples of these remaining problems are identifiying weaknesses in processes like invoices rather than based on product orders, manual payments, or procurement payments without delivery. Adapting BC technology to financial auditing will remain uncertain until such time as it reaches the next level of maturity.
Karin Gräslund is Scientific Advisor at KuppingerCole. She can be contacted on +49 211 237 0770 or by email: email@example.com. Mario Gemein is M.A. Finance and Controlling, Wiesbaden Business School.
© Financier Worldwide