Financial Reporting and Controls
For any business case to be successfully addressed, a blockchain solution designed and deployed for a supply-chain business network should consider the requirements of participants’ financial reporting and internal controls, as well as those of their stakeholders. When combined with more traditional forms of business bookkeeping, blockchain information can help companies support the preparation of timely and reliable financial statements.
It is important to address the many challenges that may exist when an organisation relies on information obtained from a blockchain and the underlying technology as part of its financial reporting process and system of internal control. Not all of the relevant controls operate within the company’s legal structure or in a verifiably reliable environment; these challenges are amplified as most companies’ professionals have limited experience using blockchains and may not recognise potential implications to financial reporting activities.
Relevance of financial reporting
When and to whom are considerations for the financial reporting process and financial statement audit during blockchain deployment relevant?
Relevance: Who and when
This topic is relevant to the organisation’s managers and leaders responsible for financial reporting (including CFO, CAO, board of directors, audit committee), external auditors, internal auditors, regulators, IT/cryptography/cyber security personnel, advisors and other third-party service providers, and relevant end-users. This topic is relevant during the design phase and is then revisited along the way during deployment.
It is imperative to engage all relevant stakeholders with requisite expertise early. While financial reporting and audit considerations and their implications aren’t typically what project managers or deployment managers primarily get involved with, this toolkit encourages a holistic approach. The implications to the financial reporting process should not be an afterthought, rather they should be among the considerations set right from the initial scoping and strategy phase of blockchain implementation.
Start with considering if there’s an appropriate blockchain use case for a particular organisation and then get the right people in the room at the very beginning. The discussion is not just in the IT department; others such as accounting, audit, even the audit committee, should know what’s involved. Have the dialogue up front because blockchain adoption is going to have such a profound impact on all the parties in financial reporting.
Amy Steele, Partner, Deloitte & Touche LLP
The importance of financial reporting considerations
Any design and deployment of a blockchain supply chain solution should consider management’s responsibility for the financial reporting process (maintaining books and records, establishing a system of internal control and producing financial statements). Blockchain deployment may impact financial reporting in various ways depending on the use case, for example settling transactions with digital assets or relying on data exchange on a blockchain to support an accounting estimate. This is true regardless of whether a blockchain is used to fundamentally change how transactions are settled or simply to increase information transparency; a careful assessment of the supply chain design can identify unique considerations or necessary changes to management’s financial reporting process (including a system of internal control). Management’s assessment may also identify unique risks and forms of evidence that an external auditor may consider to have an effect on their ability to conduct an audit of the financial statements under professional standards.
External auditor engagement
An external auditor is typically engaged to perform an audit or assurance engagement under the standards issued by an authoritative body such as the International Auditing and Assurance Standards Board and other bodies in specific countries such as the American Institute of Certified Public Accountants in the US. Examples of audit and assurance engagements are a financial statement audit, a sustainability assurance engagement, and an assurance engagement on compliance with laws and regulations.
Nevertheless, by designing a blockchain solution well, management’s financial reporting process may benefit from a reliable blockchain to help automate activities such as reconciliation with counterparties in use cases for trade finance, product tracking, or payments to transportation providers.
It is important to establish what the accounting treatment will be for blockchain-based transactions before the system’s recordkeeping and data-collection requirements are finalised. This starts with management understanding any relevant guidance and consulting with experts. It may also be a good idea to then engage regulators regarding the proposed accounting, as the accounting treatment can be complex and will have a significant influence on how the systems are designed and what data needs to be collected.
It is important to work with internal and external auditors, along with relevant stakeholders, to determine what aspects (e.g. management’s risk assessment process, system of internal control) may be impacted by a blockchain-based supply chain and to avoid potential pitfalls or deficiencies in the design of the supply chain before it goes into production. This will also help the auditor understand the risks, identify the need for specialists, determine the impact on audit scope, and consider the use of specialised audit tools.
Design and deployment considerations
The following figure lists key design and deployment considerations for individuals involved in the financial reporting process. It is illustrative only and not all-inclusive, but it can serve as a meeting agenda or as a conversation aid among the various stakeholders concerned with financial reporting and financial statement audits. Significant regulatory, technological and professional hurdles may remain before management determines that blockchain solutions are appropriate to incorporate within the financial reporting process and are ready when the solution scales up.
These considerations can help identify issues to address during the design phase, but they also can help determine areas of potential risks in the financial statements that will be further assessed by management for their system of internal control and the external auditor for audit procedures.
Reliability of the blockchain system and node network
The reliability of a blockchain system is foundational for the trusted recording and immutability of data (including digital assets) recorded to the blockchain. When speaking about reliability, it is important to recognise that management is responsible for the design and operation of the blockchain, including the system of internal control.
When deploying a blockchain solution, a company will need to assess the risks and adequacy of controls over all aspects of the blockchain solution, not just the technology they are implementing internally to participate in the blockchain. This might include risks associated with the blockchain ledger system, or how the blockchain network operator performs its responsibilities. That assessment of third party risk should drive how the company responds when designing its own controls to ensure those risks are mitigated.
Tim Davis, Principal, Deloitte & Touche LLP
Controls over the blockchain system will come from numerous sources (as summarised below) at all technology layers (node network, services, application layers, etc.) but will typically be consolidated at the organisation or other entity managing the permissioned blockchain (see Figure 14.2). Consider whether management and auditors will need access to the nodes or customised nodes to perform activities and procedures for internal controls.
These controls, including those in a shared system of internal control, will typically fall into the following categories:
- Internal controls at the organisation node level, in particular logical access controls, and data entry validation and approval, including private key management
- Internal controls at the entity managing the permissioned blockchain, in particular controls over how blockchain participant nodes are added or removed, the reliability of the “oracle” that provides off-chain data, and controls over monitoring the health/safety of the blockchain
- Internal controls inherent to the blockchain technology itself (e.g. consensus mechanism), including cryptography
- General information technology controls (GITC) supporting the nodes at the master node (blockchain network operator) and participating node levels (blockchain business network participants), including smart contracts
Management will typically need to identify and evaluate Service Organisation Controls (SOC) reports (e.g. ISAE 3402, SOC1) as part of their evaluation of internal controls over financial reporting because there are typically numerous third parties within a shared system of internal control who are responsible for the controls discussed above. For example, a global supply chain system (blockchain network operator) that utilises a cloud service provider may need to provide its users with a SOC report that encompasses the evaluation of controls at the cloud service provider and others within the technology solution stack.
As the external auditor considers internal controls, they will need to evaluate controls over the blockchain system itself as well as the controls over the implementation at the organisation node level of the entity they audit. The external auditor will typically need to test internal controls relevant to certain risks when auditing blockchain solutions in the context of a financial statement audit. This is because substantive evidence alone may not be sufficient to address certain risks when a blockchain solution is relevant to financial reporting.
A Service Organisation Controls (SOC) report
The data maintained in permissioned blockchains (those likely to be deployed for supply chain business networks) are highly dependent on controls that are either inherent to the operation of the blockchain digital ledger or dependent on the administration by the blockchain node network operator and the technology infrastructure it is based on. As such, a company’s management (and their external auditors) will look for evidence that those controls are designed and operating effectively and that is typically satisfied via the transmission of Service Organisation Controls (SOC) reports.
Managers of each participant’s financial reporting process typically consider the relevant controls of a service organisation as a component of their system of internal control. In this example (see Figure 14.2), an assurance engagement is conducted together or separately for each layer of the stack, and their report is transmitted to management (and subsequently to their auditor) of the blockchain business network participant.
In Scenario 1, separate auditors perform their audit procedures for each layer of the stack and each SOC report will include Complementary User Entity Controls (CUECs) that the management of the layer above needs to consider in the design of its controls.
In Scenario 2, a single auditor performs their procedures for each layer of the stack and incorporates their results in a single SOC report (which also includes CUECs). This would typically be the scenario if the blockchain network operator runs the master node from its own on-premise technology.
Underlying rights to initiate exchange of digital assets
It may be challenging to understand the underlying rights and obligations associated with a blockchain solution. This relates to the form of access to the blockchain - to initiate data exchange (information sharing) or convey ownership or partial ownership of a digital asset (i.e. cryptocurrency).
For supply chain use cases that involve digital assets (e.g. transaction settlement for shipments received), access may require the use of a private key. The control or knowledge of private key material is a strong indicator of ownership (who has the rights to convey ownership) for the associated digital asset. Consider how private key management will be designed and the tools that may be necessary for management to govern the control or knowledge of their private keys as part of their system of internal control. Also, consider how management may demonstrate control or knowledge of their private keys in the context of a financial statement audit without revealing the contents of the private key.
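One common way to demonstrate control of a private key without revealing it is a signed challenge: the auditor issues a fresh random value, the key holder signs it, and the auditor checks the signature against the public key recorded on the ledger. The sketch below is an added example, not part of the toolkit; Ed25519 stands in for whatever signature scheme the ledger uses, and the `Challenge` type, function names and engagement label are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Challenge is issued by the auditor. The fresh nonce stops an old response being replayed.
type Challenge struct {
	Engagement string // constructed label for the audit period
	Nonce      []byte
}

// NewKeyPair stands in for the participant's ledger key (Ed25519 is an assumption).
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// NewChallenge draws a 32-byte random nonce for one engagement.
func NewChallenge(engagement string) (Challenge, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return Challenge{Engagement: engagement, Nonce: nonce}, err
}

// message binds the challenge to the key under test. The fixed prefix is domain
// separation, so the signed bytes can never double as a ledger transaction.
func message(c Challenge, pub ed25519.PublicKey) []byte {
	return []byte("audit-key-control-v1\x00" + c.Engagement + "\x00" + string(c.Nonce) + string(pub))
}

// Respond runs on management's side; only the signature leaves the key holder.
func Respond(priv ed25519.PrivateKey, c Challenge) []byte {
	return ed25519.Sign(priv, message(c, priv.Public().(ed25519.PublicKey)))
}

// Verify runs on the auditor's side with the public key recorded on the ledger.
func Verify(onChainPub ed25519.PublicKey, issued Challenge, sig []byte) bool {
	return ed25519.Verify(onChainPub, message(issued, onChainPub), sig)
}

func main() {
	pub, priv, _ := NewKeyPair()
	c, _ := NewChallenge("FY-constructed-audit")
	fmt.Println("control demonstrated:", Verify(pub, c, Respond(priv, c)))
}
```

A valid response shows that someone with access to the key signed during the engagement; it does not show that the key is held exclusively, which remains a matter for the key management controls.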
How traditional financial reporting activities may change
Some traditional financial reporting activities may be changed or replaced in a blockchain-based system. For example, management may need to design procedures and tools to enable a reconciliation – which may include a reconciliation of monetary value – between blockchain records and the company’s internal books and records. Consider if the company’s management and personnel have the right technology to effectively interface between a blockchain and their legacy accounting systems. Also consider if they have the technical expertise to design and perform the controls for a reconciliation as well as other necessary accounting and financial reporting activities.
In the context of the financial statement audit, consider if the external auditor also has the blockchain tools and expertise to conduct an effective audit considering evidence that may be obtained from both on-chain and off-chain sources.
Evolution of the industry
Markets will naturally change as blockchain-based systems are adopted across industries and enable new products, services and customer behaviours. As this change occurs, legal and regulatory frameworks will evolve. Consider how management can monitor the changes in rules and guidelines to ensure their organisation remains compliant.
Valuation challenges for financial reporting
The quantity and characteristics of the monetary value of a transaction or balance at a point in time may be represented on the blockchain where a fair value model may be applied through the code logic of a smart contract. Consider that inputs for the fair value model may come from another blockchain supply-chain business network for interoperability or an off-chain source (i.e. oracle). These inputs, in addition to the smart contract, may come from a shared system of internal control that management will need to rely upon. Also, consider if the supply-chain business network has agreed upon the attributes that contribute to value creation in transactions recorded to the blockchain. These attributes may include product location, status of transport and quality of finished product, for which management’s internal controls and the external auditor’s procedures will need to be designed.
Identify fraud risks and related party transactions
Blockchain adoption may facilitate new and unforeseen business models, legal structures, contract terms, transaction flows, and relationships. Within this new ecosystem, consider how management will be able to identify and monitor related-party transactions. Additionally, new or modified fraud risks in financial reporting have the potential to emerge and should be considered for management’s design of fraud prevention and detection controls.
Independence requirements for service providers
A professional requirement for external auditors, and their affiliates, is to remain independent from their audit clients. Blockchain ecosystems add complexity to the assessment of auditor independence. Management and external auditors should be aware of the planned roles of entities in the blockchain ecosystem (for all technology layers – blockchain, node network, services and application layers) and evaluate whether the external auditor or its affiliates have provided prohibited non-audit services related to the blockchain ecosystems to other participants that could impact the external auditor’s independence with respect to its audit client. Consider the nature and scope of services provided by external auditors who may be obligated to remain independent of more participants in the ecosystem.