Blockchain: An Introduction for CPAs
Copyright © 2020 by
DeltaCPE LLC
All rights reserved. No part of this course may be reproduced in any form or by any means, without
permission in writing from the publisher.
The author is not engaged by this text or any accompanying lecture or electronic media in the
rendering of legal, tax, accounting, or similar professional services. While the legal, tax, and accounting
issues discussed in this material have been reviewed with sources believed to be reliable, concepts
discussed can be affected by changes in the law or in the interpretation of such laws since this text
was printed. For that reason, the accuracy and completeness of this information and the author's
opinions based thereon cannot be guaranteed. In addition, state or local tax laws and procedural rules
may have a material impact on the general discussion. As a result, the strategies suggested may not
be suitable for every individual. Before taking any action, all references and citations should be
checked and updated accordingly.
This publication is designed to provide accurate and authoritative information in regard to the subject
matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal,
accounting, or other professional services. If legal advice or other expert advice is required, the services
of a competent professional person should be sought.
—From a Declaration of Principles jointly adopted by a committee of the American Bar Association
and a Committee of Publishers and Associations.
Course Description
Blockchain is essentially an accounting technology, and it enables the collaborative creation of a
universal ledger with capabilities going beyond traditional book-keeping systems. The emergence of
blockchain signals a fundamental change in how data, information, and assets can be authorized,
recorded, processed, reported and stored. With the growing adoption of this world-changing
technology, accountants and auditors with a strong knowledge of blockchains are already increasingly
in demand, as an intricate understanding of the technology and its impact is required to provide
appropriate guidance.
The focus of this course is to explain blockchain technology, specifically, how it could transform
methods to secure information, accounting processes, and auditing procedures. This course offers a
detailed examination of the blockchain technology model including blockchain features, consensus
models, smart contracts, and types of blockchains. To truly appreciate the value of this technology, we
need to understand the current accounting and auditing landscape and hurdles, which are addressed
in the second part of this course. Finally, it discusses the implications of blockchains to the accounting
and auditing profession.
Field of Study: Accounting
Level of Knowledge: Overview
Prerequisite: None
Advanced Preparation: None
Table of Contents
Introduction 1
Learning Objectives 1
I. What is Blockchain Technology? 2
The Language of Blockchain 2
A World without Middlemen 5
DLT: Distributed Architecture 5
Blockchain: A Self-Regulating Ecosystem 7
The Future of Record-Keeping 9
Triple-Entry Accounting 9
Tamper-Proof Record 10
Self-Executing Agreement 20
Illustration: Crypto Transactions on a Blockchain 22
Review Questions - Section 1 23
Types of Blockchains 25
Public Blockchains 27
Private Blockchains 29
Hybrid Blockchains 34
Whether to Deploy Blockchain Solutions 35
Review Questions - Section 2 37
II. How Blockchain will Enhance the Accounting and Auditing Professions 38
Foundation of Accounting Principles 38
The Value of Accounting 38
The Development of Accounting Discipline 39
The Role of Auditor 42
The Functions of Intermediaries 44
Review Questions - Section 3 46
Obstacles of the Current Practice 48
A Burden on Business 48
Inherent Limitations of Financial Audits 50
Erosion of Confidence: Audit Deficiencies 57
The Potential Impact on the Accounting and Auditing Professions 61
Enhancement of Book-Keeping Systems 61
Transformation of Auditing Practices 63
Review Questions - Section 4 72
Appendix A: Blockchain Decision Tree 74
Appendix B: Blockchain’s Impacts on Auditing Practices 75
Answers to Review Questions 76
Review Questions - Section 1 76
Review Questions - Section 2 80
Review Questions - Section 3 82
Review Questions - Section 4 84
Glossary 88
Index 89
Introduction
The creation of blockchain technology opens the door to revolutionary possibilities. It combines the
power of the Internet with the security of cryptography to offer, for example, cheaper and faster
payment options than those offered by traditional financial services businesses, without a trusted third
party. It is important to first understand how blockchains work before it becomes clear what they can
offer to accounting and auditing. As adoption becomes more widespread, accountants and auditors
should be getting on board. This course offers well-researched, beginner-friendly explanations of
the most important blockchain concepts by addressing the following frequently asked
questions:
• How does a distributed ledger differ from traditional databases?
• What are the components of a blockchain ecosystem?
• How does blockchain work?
• What does trustless mean in blockchain technology?
• What are the benefits of blockchain technology?
• How does triple-entry accounting work?
• What is a blockchain wallet?
• How is consensus reached in a blockchain?
• What is a 51% attack?
• What are blockchain forks?
• What are smart contracts?
• What are the different types of blockchains?
• How can blockchains reshape accounting and auditing practices?
This course provides answers to these and many more questions connected to this topic. It explains
blockchain fundamentals and how this technology will enhance many of the core businesses of the
accounting and auditing profession.
Learning Objectives
After completing this course, you will be able to:
• Recognize the technical terms associated with blockchain
• Identify the key components of blockchain technology and how they function
• Identify different types of blockchains
• Recall basic accounting and auditing principles
• Recognize how blockchains could reshape accounting and auditing practices
I. What is Blockchain Technology?
As you will learn, blockchains can function as constantly growing distributed ledgers where companies
record their transactions directly into activity registers. Distributed ledger technology (DLT) has many
advantages, including increased security in trustless environments, and has been successfully
implemented in a variety of industries. The Big 4 accounting firms are developing skills required to
understand and audit blockchain technology as clients start switching portions of their business onto
blockchain-based infrastructure.
This chapter defines the high-level components of a blockchain network architecture, including
distributed ledgers, cryptography, and consensus protocols. It also explains how blockchains have
profoundly changed the current organizational and technological infrastructure required to create
trust and revolutionize record-keeping systems.
The Language of Blockchain
Blockchains facilitate the digital transformation of business and social ecosystems. The growing
popularity and prevalence of the technology is clear. Worldwide spending on blockchain solutions is
projected to grow from $1.5 billion in 2018 to $11.7 billion by 2022 [1]. Spending by the U.S., the largest
regional spender on blockchain solutions, is expected to reach $4.2 billion by 2020 [2].
The world of blockchain introduces many technical terms. Newcomers might be baffled by crypto
jargon. Knowing the vocabulary is essential to understanding. To help ease you into this landscape, we
created this section to introduce common terms and phrases relevant to blockchain technology.
Address: An address is basically a destination where a user sends and receives digital currency. It is
similar to a bank account. An address usually includes a long series of letters and numbers.
Algorithm: A process or set of rules to be followed in calculations or other problem-solving operations.
Altcoins: Altcoin is a blended word, derived from “alternative” and “coin”, and refers to any digital
currency that is not bitcoin.
Bitcoin: Bitcoin is both a concept (technology or movement) and a currency. As a concept, Bitcoin is
capitalized. The unit of the currency, bitcoin, is lowercase.
[1] Blockchain statistics are from “Blockchain - Statistics & Facts,” statista, with values as accessed on December 22, 2019.
[2] Blockchain statistics are from “Worldwide spending on blockchain solutions,” statista, with values as accessed on December 26, 2019.
Blockchain: A blockchain is a digital, decentralized ledger, consisting of a series of blocks. A block is
simply a group of cryptocurrency transactions that have been verified. Blockchain technology is used
for recording transactions made with cryptocurrencies, such as bitcoin, and has many other
applications.
Consensus Mechanism: A method to authenticate and validate a set of values or a transaction without
the need to trust or rely on a centralized authority. It allows each participant to trust the network as
they know each transaction will follow rules they ratified when the network launched. For example,
when a transaction is made, if all nodes on the network agree that it is valid on a blockchain, they have
a consensus.
Cryptocurrency: A cryptocurrency is a digital currency that relies on cryptography. Bitcoin, for
example, leverages cryptography in order to verify transactions.
Cryptography: Cryptography, the process of encoding and decoding information, is used to verify and
secure transactions on a blockchain.
Digital Signature: A digital signature provides validation and authentication in the same way a handwritten
signature does, in digital form, ensuring the security and integrity of the data recorded onto a blockchain.
Distributed Ledger: A distributed ledger is a system of independent computers (peer-to-peer) that are
simultaneously recording data. Identical copies of the recording are kept by each computer. Blockchain
is a distributed ledger that was originally created to keep track of all bitcoin transactions.
Double-Spending: Double-spending is the attempt to send cryptocurrency to two separate locations
at the same time. For example, this could happen if a cryptocurrency user tries to purchase something
with a coin she or he has already spent. Bitcoin was the first to implement a solution that protects
against double-spending by verifying each transaction added to a blockchain to ensure that the coins
for the transaction had not previously been spent.
Hashing: Hashing involves taking plain-text and converting it to a hash value of fixed size by a hash
function. This process ensures the integrity of the message as the hash value on both the sender’s and
receiver’s side should match if the message is unaltered.
Mining: Mining is the computer process of validating information, creating a new block and recording
that information into a blockchain.
Node: A blockchain is spread over networked computers. Each user actively participating in the network is a node.
Peer-to-Peer: A connection between two or more computers without using a centralized third party
as an intermediary. Most cryptocurrencies operate on a peer-to-peer network.
PoA: Acronym for “proof of authority”, a reputation-based consensus algorithm, leveraging the value
of identity rather than staking digital assets. The principle behind this reputation mechanism is the
certainty of a pre-approved validator’s identity.
PoS: Acronym for “proof of stake”. A consensus mechanism used to validate transactions recorded
on certain blockchains, based upon a user’s stake (how many units they hold) in a
blockchain. Proof of stake is a common alternative to a proof of work protocol.
PoW: Acronym for “proof of work”. A consensus mechanism used to validate transactions recorded
on certain blockchains. It generally requires proof of complex cryptographic computations and
large amounts of computing power in order to validate transactions.
Private Key: Similar to a password to access one’s account, a private key is a string of letters and
numbers known only by the owner that allows them to spend their cryptocurrency. Thus, private keys
must never be revealed to anyone but the owner.
Public Key: A string of letters and numbers that allows cryptocurrency to be received.
Wallet (Virtual Wallet): Electronic device or online service that allows a user to receive
cryptocurrencies, store them, and send them to others.
A World without Middlemen
DLT: Distributed Architecture
“Distributed ledger technology is one such innovation that has been cited as a means of transforming
payment, clearing, and settlement (PCS) processes, including how funds are transferred and how
securities, commodities, and derivatives are cleared and settled.”
Finance and Economics Discussion Series Divisions of Research & Statistics and Monetary Affairs
Federal Reserve Board, Washington, D.C.
While blockchain technology was initially a means to create bitcoin, a global cryptocurrency, it is also
the foundation of most modern cryptocurrencies. The most popular and widely used cryptocurrency
is bitcoin; however, there are more than 2,300 cryptocurrencies in circulation [3].
The term “blockchain” is used because it describes a growing list of records, i.e. blocks, that are linked
to form a chain. Although it is true that blockchain is often associated with DLT, these words are not
interchangeable. There are other types of DLT that do not rely on a “chain of blocks”. DLT makes
blockchain distinct from a traditional centralized database that has one authoritative database
maintained by a trusted third party. The following figure shows the relationship between
cryptocurrency, blockchain, and DLT.
[Figure: relationship between cryptocurrency, blockchain, and DLT]
• Distributed ledger technology (DLT): a system of independent computers simultaneously recording, sharing and synchronizing data
  • Blockchain: specific distributed ledger solutions that facilitate functionality
    • Cryptocurrencies and other platforms supported by blockchain: Bitcoin, Ethereum, and other platforms
  • Other DLTs
Source: Created based on “The Future of Blockchain: Applications and Implications of Distributed Ledger
Technology,” Chartered Accountants Australia and New Zealand.
DLT is a consensus database of replicated, shared, and synchronized data among the participants of a
decentralized network. Unlike a centralized system (e.g. banks, government), there is no central
administrator function or a single point of control. Elimination of the need for a central authority or
intermediary to process, validate or authenticate transactions is a major advantage of DLT as it
significantly reduces the cost involved in having the presence of a trusted third party. This
characteristic is particularly critical for financial services, an industry in which reputable middlemen
(intermediaries) are widely used to create trust and decrease risk as discussed in “The Functions of
Intermediaries”.
[3] Data on cryptocurrency market valuations are from “Cryptocurrency Market Capitalizations,” CoinMarketCap, with values as accessed on November 28, 2019.
Lesson Note: Cost-saving is a potential benefit of DLT, especially for the loan market as it would allow
participants to reduce processing delays and operational costs.
Moreover, every participant in the network has a synchronized copy, allowing for local control of data
and transparency. For example, participants can all see and confirm that a transaction has occurred
and has been recorded, all at the same time. Instead of housing and maintaining separate records
based on receipts and invoices, companies can create a distributed ledger of transactions among a
network of participants in an automated, transparent, and auditable manner.
Source: “The Difference Between Blockchain & Distributed Ledger Technology”, Tradeix, accessed on November
28, 2019.
Finally, companies have the potential to eliminate manual intervention and processes used to gather
and share data which could improve the regulatory reporting and audit processes as well. The
distributed nature of the technology enhances transparency because every participant in the network
can access the history of transactions or confirm new transactions; every change is viewable and
traceable. Therefore, this technology could offer more secure, efficient and transparent accounting.
Companies have the following common motivations behind efforts to develop and deploy DLT
arrangements [4]:
✓ Reduce complexity (especially in multiparty, cross-border transactions)
✓ Improve end-to-end processing speed and availability of assets and funds
✓ Decrease need for reconciliation across multiple record-keeping infrastructures
✓ Increase transparency and immutability in transaction record-keeping
✓ Improve network resiliency through distributed data management
✓ Reduce operational and financial risks
The following table identifies the major differences between a distributed ledger and a centralized ledger.
Distributed Ledger:
• Consensus on data
• Immutable
• Distributed
• Decentralized
• Peer-to-Peer
• Cryptographic validation
• Cryptographic authentication and authorization
• Resiliency and availability increase with node count
Centralized Ledger:
• Internal and external reconciliation required
• No restrictions
• Single point of failure
• Single point of control
• Unnecessary gateways and middlemen
• Cryptography must be added as an afterthought
• Actions are done on behalf of others
• Backup must be set up manually
Source: International Research Journal of Engineering and Technology (IRJET), “BlockChain Technology
Centralised Ledger to Distributed Ledger,” Volume: 04 Issue: 03 | Mar -2017.
Blockchain: A Self-Regulating Ecosystem
Blockchain is a type of distributed ledger that creates a peer-to-peer network, which establishes a
means for transacting and enables recording, transferring, tracking, authenticating, and storing of
digital assets. Blockchain is often referred to as a “trustless” system because it provides a secure and
decentralized ledger of all transactions across a network without the need for trusted intermediaries
by using three principal technologies, which is a significant innovation in traditional record-keeping:
1. Distributed Ledger enables a decentralized exchange of trusted data
2. Cryptography enforces the authentication and confidentiality of transactions
3. Consensus mechanism ensures correct sequencing of transactions on a blockchain
Each technology is explained in “The Future of Record-Keeping”.
[4] Information collected through interviews with industry stakeholders is from “Distributed ledger technology in payments, clearing, and settlement,” Finance and Economics Discussion Series 2016-095. Washington: Board of Governors of the Federal Reserve System.
Lesson Note: To gain control over a peer network, a person attempts to gain a disproportionately large
influence by creating a large number of nodes or accounts. The technical term for this is a “Sybil”
attack.
While it is true that blockchain technology is often associated with cryptocurrencies, its scope is much
wider than monetary assets and the financial sector. There is more than one use for blockchain. Every
business and industry can benefit from the revolutionary technology of distributed ledgers. Different
applications can be built in a large variety of sectors such as trade and commerce, healthcare, and
government. KPMG identifies some examples of industries that blockchain will likely disrupt.
A Wide Variety of Blockchain Use Cases
Telecommunication
Blockchain can streamline the internal operations of the telecom
industry such as billing, roaming, network function virtualization
management, digital asset transactions, mobile money, and identity-as-
a-service.
Healthcare
Blockchain has use cases in the healthcare/pharmaceutical sector to
improve electronic medical records, and for facilitating new drug
development and medical innovation.
Banking
Blockchain can be used for derivative trading to connect potential buyers
and sellers on a decentralized network to update the information on a
continuous basis.
Media
Blockchain can help in maintaining the database of digital rights to avoid
copyright issues, use smart contracts for payment of media owners and
track the ownership of concert tickets.
Retail
For food safety, blockchain can allow consumers to track the origin of
food items and enforce transparency in the food supply chain from farm
origination details to the storage of food in retail stores.
Automotive
Blockchain can help the automotive industry in product life cycle
management thus tracking the full history of a vehicle from pre-
production to sale.
Source: KPMG, “Auditing Blockchain Solutions”, 2018
Blockchain, a breakthrough technology, allows Bitcoin to transfer value while securing the integrity of
transactions and the non-repudiation of payments by means of cryptographic techniques. It has received
ever-growing attention from researchers and industry. The next sections explain the following key
benefits of blockchain technology and how they can enhance today’s accounting and auditing practices.
✓ Triple-Entry Accounting
✓ Tamper-Proof Record
✓ Self-Executing Agreement
Lesson Note: The term "Triple-Entry Accounting" refers to a system proposed by Ian Grigg, financial
cryptographer, and described in his paper “Triple Entry Accounting” published in 2005.
The Future of Record-Keeping
Many industries have used blockchain to secure all types of records; from land transactions to financial
information. The most common types of records kept on blockchain include:
✓ Public records (e.g. property register)
✓ Financial information
✓ Business transactions
✓ Medical records
✓ Identity management
✓ Management activities
✓ Contracts
Blockchain does not only apply to documents. It can be used with any kind of digital asset, such as
video files, images, and email backups. This course focuses on the accounting and auditing aspects.
Triple-Entry Accounting
Companies have relied on double-entry accounting to gather information and maintain control over
their operations. This accounting method and the audited financial statements serve as valuable tools
for management, shareholders, governments and tax authorities. However, in its current state,
double-entry accounting has its limitations and can be circumvented. Although many proposed
solutions exist, one widely discussed alternative method is triple-entry accounting, an extension of the
double-entry system, enhanced by adding a third blockchain layer, a distributed ledger. Triple-entry
accounting improves the traditional double-entry accounting system by having all accounting entries
involving third parties cryptographically secured by a third entry.
A triple-entry accounting system is similar to the double-entry system except that there is a third layer,
using blockchain technology, embedded onto it. Triple-entry accounting has the potential to increase
the transparency, traceability, and efficiency of the process of accounting for transactions. Every
transaction would have a corresponding third entry that was verified by a blockchain. As parties create
transactions, the blockchain technology will use a consensus process to validate each new transaction,
create a third entry, and then post it to a shared (public) ledger. The following figure shows an example
of how blockchain creates a third entry linked to participants.
[Figure: blockchain creates a third entry linked to both participants]
Company A’s Books            Company B’s Books
Debits     Credits           Debits     Credits
500                                     500
2,000                                   2,000
Blockchain Technology: Distributed (Public) Ledger
Company A     Company B
-500          500
-2,000        2,000
For example, if Company A records debits of $500 and $2,000 to account for cash received from
Company B for previous sales on account, Company B also records credits of $500 and $2,000 to
account for cash paid to Company A. When payments are made to Company A, new blocks are created
which are linked to all previous blocks in the chain, maintaining transaction history. Since the blocks
are visible to Company A and B in the public ledger, both companies are able to immediately see the
update. Therefore, both companies can confirm transactions without a need for a trusted party since
the public ledger (the third entry) ensures a match between payable and receivable.
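The reconciliation the figure illustrates, as an added Python example that is not part of the course text: each company's double-entry books are checked against a shared third entry per payment. The company records are constructed sample data, the shared ledger is a plain list standing in for a blockchain record, and all function names are this example's own.

```python
from collections import Counter

# Constructed sample data modelled on the course figure; not real company records.
# Each company's double-entry journal: debits to Cash are receipts, credits to Cash are payments.
COMPANY_A_BOOKS = [
    {"account": "Cash", "debit": 500, "credit": 0, "counterparty": "Company B"},
    {"account": "Accounts Receivable", "debit": 0, "credit": 500, "counterparty": "Company B"},
    {"account": "Cash", "debit": 2000, "credit": 0, "counterparty": "Company B"},
    {"account": "Accounts Receivable", "debit": 0, "credit": 2000, "counterparty": "Company B"},
]
COMPANY_B_BOOKS = [
    {"account": "Accounts Payable", "debit": 500, "credit": 0, "counterparty": "Company A"},
    {"account": "Cash", "debit": 0, "credit": 500, "counterparty": "Company A"},
    {"account": "Accounts Payable", "debit": 2000, "credit": 0, "counterparty": "Company A"},
    {"account": "Cash", "debit": 0, "credit": 2000, "counterparty": "Company A"},
]
# The third entry: one shared record per payment, visible to both parties at the same time.
SHARED_LEDGER = [
    {"payer": "Company B", "payee": "Company A", "amount": 500},
    {"payer": "Company B", "payee": "Company A", "amount": 2000},
]


def double_entry_balanced(books):
    """Traditional check: total debits equal total credits within one company's books."""
    return sum(e["debit"] for e in books) == sum(e["credit"] for e in books)


def cash_flows_from_books(company, books):
    """Payments a company's own Cash postings claim, as a multiset of (payer, payee, amount)."""
    flows = Counter()
    for e in books:
        if e["account"] != "Cash":
            continue
        if e["debit"]:   # cash received from the counterparty
            flows[(e["counterparty"], company, e["debit"])] += 1
        if e["credit"]:  # cash paid to the counterparty
            flows[(company, e["counterparty"], e["credit"])] += 1
    return flows


def cash_flows_from_shared(company, ledger):
    """Payments the shared ledger records with this company as payer or payee."""
    flows = Counter()
    for rec in ledger:
        if company in (rec["payer"], rec["payee"]):
            flows[(rec["payer"], rec["payee"], rec["amount"])] += 1
    return flows


def reconcile(company, books, ledger):
    """Compare a company's books with the shared third entry.

    Returns a sorted list of discrepancy descriptions; an empty list means every
    payment in the books has a matching shared record and vice versa.
    """
    own = cash_flows_from_books(company, books)
    shared = cash_flows_from_shared(company, ledger)
    problems = []
    for flow, n in (own - shared).items():
        problems.append(f"in {company}'s books but not on the shared ledger: {flow} x{n}")
    for flow, n in (shared - own).items():
        problems.append(f"on the shared ledger but not in {company}'s books: {flow} x{n}")
    return sorted(problems)


def understated_books(books, old_amount, new_amount):
    """Copy of a journal with one payment restated at a different amount (still balanced)."""
    return [dict(e, debit=new_amount if e["debit"] == old_amount else e["debit"],
                 credit=new_amount if e["credit"] == old_amount else e["credit"])
            for e in books]


if __name__ == "__main__":
    for name, books in (("Company A", COMPANY_A_BOOKS), ("Company B", COMPANY_B_BOOKS)):
        print(name, "balanced:", double_entry_balanced(books),
              "discrepancies:", reconcile(name, books, SHARED_LEDGER))
    # Company B's books still balance if one payment is misstated; the third entry exposes it.
    bad = understated_books(COMPANY_B_BOOKS, 2000, 1900)
    print("misstated B balanced:", double_entry_balanced(bad))
    for p in reconcile("Company B", bad, SHARED_LEDGER):
        print(" ", p)
```

The misstated journal passes the double-entry balance check on its own; only the comparison against the shared record reveals the 2,000 versus 1,900 difference.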
In summary, Blockchain, a distributed ledger, allows companies to record their transactions directly
into a shared register as demonstrated in the diagram. Blockchain offers the possibility to use it to
generate trust, security, and transparency among people and entities that do not necessarily know
each other and to provide more business opportunities in areas where governing authority and
intermediaries exist. The next section explains how blockchain technology takes over the functions
performed by a trusted party.
Tamper-Proof Record
Tamper-proofing, or immutability, is the ability of a blockchain ledger to create and store a permanent,
immutable, signed, and time-stamped record of identity, ownership, transactions or contractual
commitments. Although there have been a few incidents of hacking of digital currencies that rely on
blockchain technology, the unique way in which the information is stored and updated makes it very
secure, as the following figure summarizes.
[Figure: Cryptography (hashing process) + Consensus mechanism = Tamper-proof record]
Lesson Note: Although most publications on blockchain technology consider blockchain ledgers to be
immutable, there are situations in which a blockchain can be compromised. This is known as a 51%
attack and is discussed in detail later.
Consensus Mechanism
Blocks contain records of transactions or other data, which together form a blockchain. Each block is
cryptographically connected using a complex mathematical algorithm, known as a consensus
mechanism. Consensus mechanisms require a majority of nodes to agree on whether:
1. A new block is valid and appropriate for inclusion in the ledger; and
2. The ledger and its history is correct based on the consensus rules
Consensus mechanisms authenticate and validate a set of values or a transaction without the need to
rely on a centralized authority. The calculation results in an alphanumeric string that is put on the next
block. The process is then repeated for each bundle of transactions that are aggregated together; the
number of blocks will increase, and the chain will continue to grow over time.
In simple words, a block is a group of transactions on blockchain that have been verified. If a
transaction violates one of the rules the network agreed on (consensus), the transaction will be
considered invalid. Consensus helps keep inaccurate or potentially fraudulent transactions out of the
database and ensures a correct sequencing of transactions on a blockchain. For instance,
cryptocurrencies are secured via a consensus mechanism to prevent “double-spending”; spending the
same money twice. Two consensus-based validation processes must be carried out:
1. Ownership of the cryptocurrency; and
2. Sufficiency of cryptocurrency in the spender’s account
As defined, the spender of the cryptocurrency needs to prove the ownership of the private key in order
to initiate a transaction. To ensure that the spender has a sufficient balance in his/her account, every
transaction is verified against the spender’s account (“public key”) in the public ledger. Although no
personal information is shared, the transaction is validated and recorded via this consensus protocol.
There are different kinds of consensus mechanism algorithms which work on different principles.
Following is a brief discussion of the most commonly used mechanisms in the context of
cryptocurrencies.
1. Proof of Work
2. Proof of Stake
3. Proof of Authority
Proof of Work
Proof of Work (PoW) is a consensus protocol used to validate transactions recorded on blockchains
and generally requires the production of proof of complex cryptographic computations. It is a function
used to confirm transactions before they can be accepted by network participants. Mining, the process
of validating (confirming) transactions and adding them (a new block) to a blockchain, limits the
possibility of malicious entities manipulating a blockchain and falsifying transactions by:
✓ Verifying the legitimacy of a transaction by solving a mathematical puzzle, which is called a
hash function (discussed in the next section).
To include a transaction in the next block, a miner needs to know the cryptographic hash value
of the last recorded block. This hash value must be referenced to create/add a new block.
✓ Releasing newly-created cryptocurrencies (e.g. bitcoin) to reward the first miner who
generates a new block as “block reward”.
A successful miner is the one who beats everyone else in this game and solves this
mathematical puzzle. After finding the hash of the last recorded block, a miner announces it to
the network for the other nodes to verify and creates a new block with the transactions.
Bitcoin is the most well-known crypto with a PoW consensus-building algorithm. Other examples
include Litecoin, Bitcoin Cash, and Monero. Mining requires a special program, which helps miners
compete with their peers in solving massive mathematical puzzles as the input of each block becomes
larger over time (a more complex calculation). It also requires large amounts of computing power in
order to solve the puzzles (validating transactions) and earn rewards.
Lesson Note: As of November 28, 2019, the Bitcoin network accounts for roughly 0.21% of global
electricity use. Over the course of a year this is equal to around 69.59 TWh or terawatt-hours of energy
consumption [5]. The closest national comparison in electricity consumption is Austria.
Mining pools are groups of collaborating miners who agree to share block rewards according to their
contributed mining hash power. There are various bitcoin mining pools across the globe and they
compete to be the next to find a valid block hash. In 2019, China mined the most bitcoins. With bitcoin,
the reward for mining a block is now 12.5 bitcoins. To keep bitcoin's inflation in check, every 4 years
on average (210,000 blocks), the reward granted to bitcoin miners is cut in half. This process is referred
to as a “halving”.
As explained, mining requires a vast amount of computing resources, which consume a significant
amount of electricity. Thus, PoW makes it extremely challenging to alter any aspect of the chain
because such an alteration would require re-mining all subsequent blocks. However, there are
[5] Bitcoin energy consumption statistics are from the Cambridge Bitcoin Electricity Consumption Index (CBECI), with values as accessed on November 28, 2019.
different ways a blockchain can be attacked. A 51% attack, commonly known as a majority attack, refers
to an attack on a blockchain where a single entity or group of organizations controls more than 50% of
the mining power (hash rate). As a result, the attacker is able to interfere with the validation process
and manipulate the public ledger by:
• Invalidating ongoing transactions (denial-of-service)
• Intentionally omitting an event
• Preventing other miners from mining (selfish mining)
• Changing the sequence of transactions
• Reversing transaction history (double-spend)
In May 2018, a group of malicious miners controlled 51% of the hash rate in Bitcoin Gold to falsify the currency’s ledger and defraud (by double-spending) at least $18 million worth of cryptocurrency from online exchanges. A selfish mining attack (block withholding attack) is also an attack on the integrity of the blockchain network. It is a strategy used by miners to increase their rewards by intentionally withholding a validated block from being released to the network. They attempt to mislead other miners into continuing to mine already validated transactions, which reduces the number of miners doing real mining work.
The following table summarizes the characteristics of PoW.
Goal: To provide a barrier to publishing blocks in the form of a computationally difficult puzzle to solve, to enable transactions between untrusted participants.
Advantages:
• Difficult to perform denial of service by flooding the network with bad blocks.
• Open to anyone with hardware to solve the puzzle.
Disadvantages:
• Computationally intensive (by design), power consumption, hardware arms race.
• Potential for 51% attack by obtaining enough computational power.
Source: National Institute of Standards and Technology, “NISTIR 8202 Blockchain Technology Overview,”
accessed on November 24, 2019.
Proof of Stake
Proof of Stake (PoS) is another consensus protocol used to validate transactions on blockchains based on a user’s stake. PoS evolved as a low-cost, low-energy alternative to the PoW algorithm. In a PoS system, the act of validating transactions and creating new blocks is called “forging”. A validator (forger) validates block transactions based on his or her stake by proving ownership of a certain asset (e.g. a certain number of cryptocurrency units). In other words, validators must first put their own assets at stake in order to take part in the forging process.
When selecting validators, the blockchain network usually looks at all participants and chooses amongst them based on their ratio of stake to the overall amount of cryptocurrency staked. Thus, if an individual had 38% of the entire network stake, they would be selected 38% of the time; those with 2% would be selected 2% of the time. Since validators have staked their own money, theoretically, they are incentivized to validate the right transactions. If they validate a fraudulent transaction, they lose their holdings as well as their right to participate as a forger in the future. A validator is paid a transaction fee for his/her validation services by the transacting parties. Cryptocurrencies such as EOS, Dash, and Tron utilize a PoS consensus mechanism.
The following table summarizes the characteristics of PoS.
Goal: To enable a less computationally intensive barrier to publishing blocks, but still enable transactions between untrusted participants.
Advantages:
• Less computationally intensive than PoW.
• Open to anyone who wishes to stake cryptocurrencies.
• Stakeholders control the system.
Disadvantages:
• Stakeholders control the system.
• Nothing to prevent the formation of a pool of stakeholders to create a centralized power.
• Potential for 51% attack by obtaining enough financial power.
Source: National Institute of Standards and Technology, “NISTIR 8202 Blockchain Technology Overview,”
accessed on November 24, 2019.
The following figure summarizes the differences between PoW and PoS.
Proof of Work vs. Proof of Stake:
• Competition: in PoW, miners compete with one another using computational power. In PoS, there is no competition; the validator is selected based on his/her stake.
• Probability: in PoW, the probability of mining a block is determined by how much computational work is done by the miner. In PoS, the probability of validating a block is determined by how large a stake a person holds.
• Reward: in PoW, a reward is given to the first miner who solves the puzzle. In PoS, there is no block reward; the validator collects the transaction fee.
Source: Hackernoon, “Consensus Mechanisms Explained: PoW vs. PoS”, accessed on December 4, 2019.
Proof of Authority
Proof of Authority (PoA), more recent than both PoW and PoS, was proposed by Gavin Wood (co-founder and former CTO of Ethereum) in 2017. PoA, a reputation-based consensus algorithm, leverages the value of identity rather than staking digital assets. The principle behind the reputation mechanism is the certainty of a pre-approved validator’s identity. Nodes must have their identities proven and verifiable within the network. The lower the reputation, the lower the likelihood of being able to validate a block. In order to ensure the efficiency and security of the network, the group of validators usually remains fairly small (25 or less). Although the conditions may vary from system to system, there are three basic requirements to become a validator:
1. The identity must be formally confirmed with the ability to cross-reference such information
(e.g. address, phone number) in a public domain (public notary database)
2. The process of becoming a validator must be difficult to reduce the risks of selecting
questionable validators and incentivize the position and long-term commitment
3. The validator approval process must be consistent (standard) to ensure that all candidates
have an equal chance
Since PoA is designed to be less computationally intensive than PoW and has a limited number of
validators, it has the following advantages:
✓ The computational resources required for solving complex mathematical tasks (validating a block) are far lower than in PoW and PoS. Thus, a PoA network has a low requirement of computational power, requiring significantly less power consumption.
✓ PoA has a high transaction rate as its transaction time is significantly faster than the
transaction time of PoW-based networks. Hence, it provides better performance.
✓ The interval of time it takes to validate blocks is predictable, unlike PoW and PoS consensuses
where this time varies.
The following figure summarizes the main pros and cons of PoA.
Pros:
• Using PoA eliminates the possibility of an attack since the validators are checked at the stage of obtaining authority and are reliable.
• It is an energy-efficient solution compared to other consensus mechanisms.
• Fast transaction processing.
• A new block is created in just 5 seconds, the fees are extremely low, and network scaling can occur horizontally, combining several networks into one.
Cons:
• With the use of PoA, decentralization is not possible since a limited circle of people can participate in block validation.
• Although PoA can be used in public blockchains, it is usually applied in private blockchains requiring permission.
• Reputation cannot always keep participants from malicious actions. If the reward for fraud is more valuable than the authority, a participant can harm the system.
Source: Changelly, “A Complete Guide to the Proof of Authority (PoA) Algorithm”, accessed on December 26,
2019.
The Concept of Forking
Changes to a blockchain network’s protocol and data structures are called forks. As a result of a fork, a blockchain diverges into two potential paths forward, either with regard to a new rule (e.g. validating transactions) or a transaction’s history. Such a change (fork) can be made for various reasons, including:
• Add new functionality (e.g. making improvements)
• Correct security issues (e.g. addressing security risks)
• Reverse transactions (e.g. malicious transactions)
Forks are divided into two categories:
1. Hard forks
2. Soft forks
A hard fork creates a permanent split in a blockchain because the changes (e.g. consensus protocols, mining algorithm, block size) make the previous version of the chain incompatible. In other words, non-upgraded nodes can no longer validate transactions created by upgraded nodes that follow the newer consensus protocols. Such changes are not backward compatible, resulting in two versions of a blockchain existing at the same time. That is, if one group of nodes continues to follow the old rules while the other nodes follow the new rules, a permanent split occurs.
The following figure demonstrates a hard fork example that results from incompatible changes.
[Figure: two branches diverge from a common chain. One branch contains blocks from non-upgraded nodes that follow old rules; the other contains blocks from upgraded nodes that follow new rules.]
In the cryptocurrency world, a hard fork usually happens when groups of miners and developers cannot agree on the change to the software. For example, a group of Bitcoin developers decided to increase the block size limit from 1MB to 8MB. Since their proposal was not accepted by the majority of users, they created a hard fork on Bitcoin to release Bitcoin Cash. Bitcoin continues to follow its previous protocols. Bitcoin Cash, a new cryptocurrency, is generated based on new rules. The two cryptocurrency systems will continue to develop simultaneously on parallel tracks.
For a soft fork, non-updated nodes can continue to transact with updated nodes. This is because the blockchain features are still compatible (backward compatible) with the previous version of the chain, which does not result in a duplication of the blockchain. For example, Segregated Witness (SegWit), a Bitcoin protocol upgrade, is a soft fork designed to increase block capacity by removing (“segregating”) digital signature (“witness”) data from transactions.
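To make the compatibility rule concrete, the following added example (not from the course) models non-upgraded and upgraded nodes as validation functions in Python: a rule change that accepts blocks old nodes reject (the 1 MB to 8 MB block size increase) splits the chain, while a tightening change that old nodes still accept does not. The block fields, sizes and the version flag are constructed for illustration and are not Bitcoin's actual validation rules.

```python
from dataclasses import dataclass
from typing import Callable, List

MB = 1_000_000


@dataclass(frozen=True)
class Block:
    height: int
    size: int     # serialized size in bytes (constructed values below)
    version: int  # constructed marker: 2 means "produced under the tightened rules"


# A rule set is a function that says whether a node accepts a block.
Rules = Callable[[Block], bool]


def old_rules(b: Block) -> bool:
    """Pre-fork consensus: blocks of up to 1 MB, any version."""
    return b.size <= 1 * MB


def hard_fork_rules(b: Block) -> bool:
    """Loosened rule (the 1 MB -> 8 MB change): accepts blocks old nodes reject."""
    return b.size <= 8 * MB


def soft_fork_rules(b: Block) -> bool:
    """Tightened rule: everything old nodes required plus a new requirement,
    so every block valid here is also valid under old_rules."""
    return old_rules(b) and b.version >= 2


def fork_type(old: Rules, new: Rules, candidates: List[Block]) -> str:
    """Backward compatible (soft fork) when old nodes accept every candidate the
    new rules accept; a hard fork when the new rules accept a block old nodes
    reject. The candidates should include blocks the new rules accept."""
    if all(old(b) for b in candidates if new(b)):
        return "soft fork"
    return "hard fork"


def follow_chain(rules: Rules, chain: List[Block]) -> List[int]:
    """Heights a node running `rules` accepts from a chain published by others.
    It stops at the first block it considers invalid and would keep building
    on its own branch from there."""
    accepted: List[int] = []
    for b in chain:
        if not rules(b):
            break
        accepted.append(b.height)
    return accepted


def is_permanent_split(old: Rules, new: Rules, upgraded_chain: List[Block]) -> bool:
    """True when non-upgraded nodes stop following the chain that upgraded
    nodes build, i.e. two versions of the ledger now exist at the same time."""
    return follow_chain(old, upgraded_chain) != follow_chain(new, upgraded_chain)


# Constructed samples: blocks published by upgraded miners after each change.
BIG_BLOCK_CHAIN = [Block(0, 900_000, 1), Block(1, 1_000_000, 1),
                   Block(2, 2_000_000, 1), Block(3, 8_000_000, 1)]
TIGHTENED_CHAIN = [Block(0, 900_000, 2), Block(1, 999_000, 2), Block(2, 950_000, 2)]

if __name__ == "__main__":
    print(fork_type(old_rules, hard_fork_rules, BIG_BLOCK_CHAIN))           # hard fork
    print(follow_chain(old_rules, BIG_BLOCK_CHAIN))                         # [0, 1]: old nodes stop at the 2 MB block
    print(is_permanent_split(old_rules, hard_fork_rules, BIG_BLOCK_CHAIN))  # True
    print(fork_type(old_rules, soft_fork_rules, TIGHTENED_CHAIN))           # soft fork
    print(is_permanent_split(old_rules, soft_fork_rules, TIGHTENED_CHAIN))  # False
```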
Hashing Process
Hashing is a process that converts an input of letters and numbers into an output of a fixed length (the hash value). The main use of a hash function is to verify the authenticity of a piece of data. A hash, a unique fixed-length 32-byte identifier for every block, is the backbone of the blockchain network. It is generated based on the information present in the block header. The use of a fixed-length output drastically enhances the security of the data: an attacker who attempts to reverse the hash cannot tell how long or short the input is simply by looking at the length of the output.
Each block includes a timestamp and a link to a previous block through its hash, creating a literal
blockchain going back to the very beginning. In other words, the chain is “unbreakable” because the
hashing process of a new block always includes meta-data from the previous block’s hash output.
Therefore, it is nearly impossible to tamper with the stored information after it has been validated and
connected to a blockchain. If attempted, the subsequent blocks in the chain would reject the
attempted modification since their hashes would not be valid.
As blockchain uses the hashing process to link data items to each other, this technology makes it
challenging to tamper with a single record since a hacker would need to change the block containing
that record as well as those linked to it to avoid detection. The following graphic demonstrates how
the hash value is carried over to the next block in the chain to make the blockchain network generally
immutable.
Source: National Institute of Standards and Technology, “NISTIR 8202 Blockchain Technology Overview,”
accessed on November 24, 2019.
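The linking described above, as an added Python example that is not part of the course or of NIST's material: each block's header carries the previous block's SHA-256 hash and a small proof-of-work puzzle, so altering one record invalidates every later block unless the attacker re-mines them all. The block fields, sample records and the difficulty value are constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List

# Proof-of-work target: the block hash must start with this many zero hex
# digits. A constructed, deliberately small value so the example mines in
# well under a second; Bitcoin's real target is astronomically harder.
DIFFICULTY = 3


@dataclass
class Block:
    index: int
    timestamp: int           # constructed: seconds since the Unix epoch
    transactions: List[str]  # constructed sample records
    prev_hash: str           # hash of the previous block's header (the link)
    nonce: int = 0           # the value the miner searches over

    def header(self) -> bytes:
        # Canonical encoding of the header fields; the transaction list is
        # hashed directly here in place of a Merkle root.
        tx_root = hashlib.sha256(json.dumps(self.transactions).encode()).hexdigest()
        return f"{self.index}|{self.timestamp}|{tx_root}|{self.prev_hash}|{self.nonce}".encode()

    def hash(self) -> str:
        return hashlib.sha256(self.header()).hexdigest()


def mine(block: Block) -> Block:
    """Search for a nonce whose block hash meets the difficulty target."""
    target = "0" * DIFFICULTY
    while not block.hash().startswith(target):
        block.nonce += 1
    return block


def build_chain(tx_batches: List[List[str]]) -> List[Block]:
    """Mine one block per batch, each carrying the previous block's hash."""
    chain: List[Block] = []
    prev = "0" * 64  # the genesis block links to an all-zero hash
    for i, txs in enumerate(tx_batches):
        block = Block(index=i, timestamp=1577836800 + 600 * i, transactions=txs, prev_hash=prev)
        chain.append(mine(block))
        prev = block.hash()
    return chain


def validate_chain(chain: List[Block]) -> bool:
    """The two checks that make the ledger tamper-evident: every block meets the
    PoW target, and every prev_hash equals the hash of the block before it."""
    target = "0" * DIFFICULTY
    prev = "0" * 64
    for block in chain:
        if block.prev_hash != prev or not block.hash().startswith(target):
            return False
        prev = block.hash()
    return True


def tamper(chain: List[Block], index: int, new_txs: List[str]) -> List[Block]:
    """Copy the chain and alter one block's records without re-mining anything."""
    copy = [Block(**asdict(b)) for b in chain]
    copy[index].transactions = new_txs
    return copy


def remine_from(chain: List[Block], index: int) -> List[Block]:
    """What hiding the change would cost: re-mine the altered block and every
    block after it so the links and PoW targets hold again."""
    copy = [Block(**asdict(b)) for b in chain]
    prev = copy[index - 1].hash() if index > 0 else "0" * 64
    for block in copy[index:]:
        block.prev_hash = prev
        block.nonce = 0
        prev = mine(block).hash()
    return copy


if __name__ == "__main__":
    chain = build_chain([["Alice -> Bob: 1 BTC"], ["Bob -> Carol: 0.5 BTC"], ["Carol -> Dave: 0.2 BTC"]])
    print("original chain valid:", validate_chain(chain))   # True
    forged = tamper(chain, 1, ["Bob -> Mallory: 0.5 BTC"])
    print("tampered chain valid:", validate_chain(forged))  # False: block 2's link no longer matches
    print("re-mined chain valid:", validate_chain(remine_from(forged, 1)))  # True, after re-mining blocks 1 and 2
```

On a real network the re-mining step is what the honest majority's hash power makes impractical: the attacker would have to outpace every other miner while redoing the work.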
Cryptography
The records on a blockchain are secured through cryptography, the process of enforcing authentication, data confidentiality, and data integrity, as opposed to systems where the transactions are channeled through a centralized trusted entity. Cryptography is the technique of disguising and revealing data, otherwise known as encryption and decryption, through complex mathematics. Thus, the information can only be viewed by the intended recipients. This cryptographic technique allows each block to be broadcast to participants in the network in an encrypted form so that the transaction details are not made public.
Asymmetric cryptography is also known as public key cryptography. According to the National Institute of Standards and Technology, asymmetric cryptography enables a trust relationship between users who do not know or trust one another by providing a mechanism to verify the integrity and authenticity of transactions while at the same time allowing transactions to remain public. It uses a pair of keys, a public key and a private key, to encrypt and decrypt data, respectively. The following graphic demonstrates how asymmetric encryption works.
Source: Medium, “Understanding Encryption, Signing and Verification,” accessed on December 2, 2019.
In regard to cryptocurrencies, each participant on a blockchain network has a set of cryptographic
keys:
1. Public Key, similar to an account number, is made available to everyone on the network to serve as an address on a blockchain network to receive, for example, bitcoins, as well as to verify a digital signature validating the identity of the sender. An address is an identifier, an alphanumeric string of 26-35 characters, representing a possible destination for a bitcoin payment. A typical bitcoin address, beginning with the number 1, 3 or bc1, looks like:
1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2
2. Private Key, similar to a secret PIN or password to an account, is used to create a digital
signature for a transaction. It is uniquely linked to the owner and known only to the
participants in a transaction. The signature prevents the transaction from being altered by
anybody once it has been issued. Since a private key grants a cryptocurrency user ownership
of the funds on a given address, it allows a user to access his or her cryptocurrency. Thus, the
private key must remain secure because anyone with it can access (spend) funds.
Since cryptocurrencies do not exist in any physical shape or form, public and private keys are stored in
a cryptocurrency wallet. A crypto wallet is a software program that:
✓ Stores private and public keys used for cryptocurrency transactions;
✓ Interacts with various blockchains to enable users to send and receive cryptocurrency; and
✓ Monitors users’ balances in each cryptocurrency resulting from various transactions.
There are two types of cryptocurrency wallets:
1. A hot wallet is located on a device connected to the Internet (whether hosted or entity-controlled). It allows users to send cryptocurrency to another address and to obtain an up-to-date snapshot of all the entity’s recent cryptocurrency transactions and balances.
2. A cold wallet (cold storage) means generating and storing the private keys in an offline environment (away from the Internet), since the online environment is very vulnerable to hacking.
The basic distinction between the two is that hot wallets are connected to the Internet, while cold
wallets are kept offline. Since funds stored in a hot wallet are more accessible in comparison to funds
in a cold wallet, they are more vulnerable to hacking and phishing. In other words, cold wallets usually
maintain higher levels of security than hot wallets. There are different choices of cold wallets, such as
a hardware wallet or a paper wallet.
• Hardware wallets are located on a USB or other device. The entity’s private and public keys
are generated in the device when it is offline by using a random number generator.
• Paper wallets are a paper record of the entity’s private keys and related information. When
the entity’s computer or other devices and printer are offline, software is used to generate a
set of private and public keys and related addresses for its cold wallet.
In the asymmetric method, anyone can encrypt messages using the public key, but only the holder of
the paired private key can decrypt. That is, a person can encrypt a message using the receiver’s public
key, but it can be decrypted only by the receiver's private key. Security relies on the secrecy of the
private key. Each transaction is protected through a digital signature. The sender and the recipient
interact directly with each other and there is no need for verification by a trusted third-party.
Identifying information is also encrypted. If a record is altered, the signature will become invalid and
the peer network will know right away that something has happened. Early notification is critical to
preventing further damage.
The private key must be backed up and protected from accidental loss. Private keys are like physical
dollar bills. If they are lost, they cannot be recovered; the funds are forever lost, too. The holders,
unfortunately, lose the ability to sell or transfer the crypto funds attached to those keys.
Self-Executing Agreement
“A smart contract is a computerized transaction protocol that executes the terms of a contract. The
general objectives are to satisfy common contractual conditions.”
Nick Szabo, Cryptographer
Another important benefit of certain blockchains is that they can create “smart contracts”. Although
the concept of a smart contract was first introduced in 1994 by Nick Szabo, it was only with blockchain
technology that smart contracts were able to facilitate and verify the performance of a contract.
An “oracle” is a way for smart contracts to interact with external data sources (real-world occurrences)
such as payment completion, insurance policy, pricing data, and medical records. It basically draws
data from outside the blockchain environment. The insertion of external data triggers smart contract executions, meaning that the smart contract reads the data and acts accordingly (execution or non-execution). Thus, it is essential that data from the oracle is accurate. For example, the insertion of wrong data could trigger a property transfer without a payment.
Based on the type of data collected and on the interaction with the external world, oracles have been
categorized as:
1. Software oracles extract data from online sources (websites) such as prices of commodities,
weather information, and flight schedule.
2. Hardware oracles obtain information directly from physical objects through sensors. A
primary example is the use of Radio Frequency Identification (RFID) tags within a logistic
framework.
3. Inbound oracles take data from outside of a blockchain. They reflect a set of “if” scenarios
associated with data from the external world. For example, “if an asset reaches a certain price,
a sale is triggered.”
4. Outbound oracles allow smart contracts to send data to the outside world. For example, an
oracle takes the payment confirmation from the smart contract and sends it to the warehouse
that automatically unlocks the storage unit for a customer.
[Figure: a smart contract receives data (e.g. pricing data, an insurance policy) from an oracle, which in turn draws on real-world occurrences.]
Smart contracts are self-executing because they consist of lines of code (e.g. pre-defined rules) around an agreement that automate the contracting process and enable monitoring and enforcement of contractual promises. Transactions are self-verifiable and tamper-proof. Therefore, unlike a traditional contract where parties need remedial action through the legal system, self-executed smart contracts eliminate the need for middlemen and keep the system conflict-free. For example, money can only be sent from Alice to Bob if the conditions of an agreement are met: 1) date equals “January 1, 2020”, and 2) “Bob’s balance is less than 10 bitcoin”. If these conditions are met, the smart contract executes itself to produce the output.
Since smart contracts enable decentralized automation by facilitating, verifying or enforcing the
negotiation or performance of a contract, they allow people to exchange anything of value, such as
money, shares, or property in a transparent manner. The Real Estate industry has experienced many
notable advantages of smart contracts. For example, the act of buying and transferring ownership of
property remains a tedious and lengthy process. These transfers typically need to be reviewed and
confirmed by multiple third parties such as escrow agents, lawyers, and governmental bodies.
Ethereum, a decentralized platform, utilizes smart contracts and as a result, it could be used to
automatically transfer homeownership to a buyer, and the funds to a seller, after a deal is agreed upon
without needing a third party to execute it on their behalf. Because the process is simplified, both the
buyer and the seller can save money and time.
Lesson Note: Management is responsible for establishing controls to ensure that the smart contract
source code is consistent with the intended business logic. An auditor should consider management’s
controls over the smart contract code.
Smart contracts are also beneficial in the cases of manual operations and lack of automation. For
instance, claim processing usually takes a significant amount of resources and time in insurance
administration. The use of smart contracts simplifies and streamlines processes by automatically
triggering payments for claims when certain agreed upon conditions between the company and the
customer are met.
The following table summarizes the differences between traditional contracts and smart contracts.
Traditional Contracts vs. Smart Contracts:
• Time: 1-3 days vs. minutes
• Remittance: manual vs. automatic
• Escrow: necessary vs. may not be necessary
• Cost: expensive vs. a fraction of the cost
• Presence: physical presence (wet signature) vs. virtual presence (digital signature)
• Lawyers: necessary vs. may not be necessary
Source: PwC, “How Smart Contracts Automate Digital Business?”, 2016
Illustration: Crypto Transactions on a Blockchain
The following example demonstrates how blockchain technology allows for payments to move from
one party to another without going through a central or commercial bank.
Both Alice and Bob use a bitcoin wallet to make transactions. A wallet is specialized software that
calculates the balance of the user by keeping track of all incoming and outgoing payments.
All transactions are verified by network nodes through cryptography and recorded in a public
distributed ledger. Anyone with bitcoin can participate in the network, send and receive bitcoin, and
even hold a copy of this ledger. A bitcoin or a transaction cannot generally be changed, erased, copied,
or forged as everybody would know.
When Alice clicks ‘send’ in her wallet, the transaction gets propagated across the network. That is, she
broadcasts a message with the transaction that she wants to make to all the miners in the network as:
“Alice owns one bitcoin that lives at this address (insert bitcoin address). Alice wishes to send this
bitcoin to Bob at this address (BTC address)”.
While Alice publicly announces her intention, she must also securely send Bob the private key that
enables Bob to unlock the transaction and prove he is now the rightful owner. While the Bitcoin
network can always see the public address, it can never see the private key.
Within seconds most of the network knows about this transaction and Bob sees a new pending
transaction. In that transaction, Alice provides the miners with Bob's address and the number of
bitcoins she would like to send, along with a digital signature and her public key. The signature is made
with Alice's private key and the miners can validate that Alice, in fact, is the owner of those coins. Once
miners validate the transaction via the consensus mechanism protocol, they add the transaction to
the blockchain (hashing process). Now Bob will see in his wallet that the transaction is confirmed. It
means that by now it is recorded in the blockchain and cannot be reversed.
If Alice or Bob wanted to falsify a transaction, they would have to compromise the majority of
participants. This is much harder than compromising a single participant. Alice cannot claim that she
never sent a bitcoin/digital token to Bob because her ledger would not agree with everyone else’s.
Bob cannot claim that Alice gave him two bitcoins/tokens as his ledger would be out of sync.
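The signature check from the cryptography section and from the Alice-to-Bob illustration above, as an added Python example that is not part of the course: Alice signs the transaction with her private key, every node verifies it with her public key, and a transaction whose amount or recipient was altered after signing, or whose signature was made with someone else's key, is rejected. The scheme here is a Lamport one-time signature built only from SHA-256 (an assumption made so the example needs no third-party library; Bitcoin itself uses ECDSA over secp256k1), and the names, amounts and address format are constructed.

```python
import hashlib
import json
import secrets
from typing import Dict, List, Tuple

N_BITS = 256  # we sign the SHA-256 digest of the message: one secret pair per bit

PrivateKey = List[Tuple[bytes, bytes]]  # 256 pairs of random 32-byte secrets
PublicKey = List[Tuple[bytes, bytes]]   # the SHA-256 hash of each secret
Signature = List[bytes]


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen() -> Tuple[PrivateKey, PublicKey]:
    """Lamport key pair. The private key is ONE-TIME: signing two different
    messages with it reveals enough secrets for forgeries."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N_BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def address(pk: PublicKey) -> str:
    """Constructed address format: hash of the public key (Bitcoin also hashes
    the key, with its own encoding and checksum)."""
    return hashlib.sha256(b"".join(a + b for a, b in pk)).hexdigest()[:40]


def _digest_bits(msg: bytes):
    digest = H(msg)
    return ((digest[i // 8] >> (7 - i % 8)) & 1 for i in range(N_BITS))


def sign(sk: PrivateKey, msg: bytes) -> Signature:
    """Reveal, for each bit of the message digest, one secret of the pair."""
    return [sk[i][bit] for i, bit in enumerate(_digest_bits(msg))]


def verify(pk: PublicKey, msg: bytes, sig: Signature) -> bool:
    """Anyone with the public key can check that the revealed secrets hash to
    the committed values selected by this exact message's digest."""
    if len(sig) != N_BITS:
        return False
    return all(H(s) == pk[i][bit] for i, (bit, s) in enumerate(zip(_digest_bits(msg), sig)))


def encode(tx: Dict) -> bytes:
    """Canonical encoding so every node hashes exactly the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def broadcast(sk: PrivateKey, pk: PublicKey, to_addr: str, amount: float):
    """What Alice's wallet sends to the network: the transaction, her signature
    over it, and her public key. Her private key never leaves the wallet."""
    tx = {"from": address(pk), "to": to_addr, "amount": amount}
    return tx, sign(sk, encode(tx)), pk


def node_validates(tx: Dict, sig: Signature, pk: PublicKey) -> bool:
    """What every miner checks before including the transaction: the supplied
    public key really belongs to the spending address, and the signature
    verifies over these exact transaction bytes."""
    return address(pk) == tx["from"] and verify(pk, encode(tx), sig)


if __name__ == "__main__":
    alice_sk, alice_pk = keygen()
    bob_sk, bob_pk = keygen()
    tx, sig, pk = broadcast(alice_sk, alice_pk, address(bob_pk), 1.0)
    print("honest transfer accepted:", node_validates(tx, sig, pk))                                   # True
    print("amount altered after signing:", node_validates({**tx, "amount": 2.0}, sig, pk))           # False
    print("recipient altered after signing:", node_validates({**tx, "to": address(alice_pk)}, sig, pk))  # False
    mallory_sk, mallory_pk = keygen()
    mtx, msig, mpk = broadcast(mallory_sk, mallory_pk, address(mallory_pk), 1.0)
    print("spend from Alice's address with Mallory's key:",
          node_validates({**mtx, "from": address(alice_pk)}, msig, mpk))                              # False
```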
Review Questions - Section 1
1. What is a basic feature of a blockchain platform?
A. A need for middlemen
B. Single point of control
C. Peer-to-peer network
D. Use of symmetric cryptography
2. Which of the following describes a potential attack on a peer network, where a person attempts
to gain control over the network by creating a large number of accounts?
A. Botnets
B. Sybil attack
C. Distributed denial-of-service
D. IP spoofing
3. What is the method that prevents “double-spending” in cryptocurrency exchanges?
A. Encryption
B. Block reward
C. Halving
D. Consensus algorithm
4. What is Proof of Work (PoW)?
A. A process of encoding and decoding information
B. A destination where a user sends and receives digital currency
C. A software program used to store private and public keys
D. A consensus protocol used to confirm transactions and produce new blocks to the chain
5. All of the following conditions must be satisfied in order to become validators in PoA EXCEPT:
A. Their identities need to be confirmed
B. High performance computer hardware is required
C. Eligibility is difficult to obtain
D. The selection process is standard
6. What is the term that describes a permanent split in a blockchain resulting from a change in
protocol and data structures?
A. 51% attack
B. Double-spending
C. Selfish mining
D. Hard fork
7. What is a change to blockchain protocol that is backward-compatible?
A. Soft fork
B. Hashing
C. Mining
D. Hard fork
8. What is the method that secures blockchain transactions by assuring the authentication and
confidentiality?
A. Hot wallet
B. Firewall
C. Cold storage
D. Cryptography
9. What does asymmetric encryption use?
A. Public keys only
B. Private keys only
C. Proof of Work
D. Public and Private keys
10. Which of the following describes an alphanumeric string of 26-35 characters that represents a
possible destination for a bitcoin payment?
A. Hash
B. Address
C. Wallet
D. Digital Signature
11. Which of the following techniques enables automation of the contracting process by facilitating,
verifying or enforcing the negotiation or performance of a contract?
A. Proof of Work
B. Smart contract
C. A stealth address
D. Hashing algorithm
Types of Blockchains
Blockchain networks can be classified based on their permission models, which determine who can
maintain blocks. In the current ecosystem, the market has three types of blockchains:
1. Public (Permissionless) blockchains
2. Private (Permissioned) blockchains
3. Hybrid blockchains
To better understand the characteristics and constraints of each type, one should be familiar with the
concept of the Scalability Trilemma described by Vitalik Buterin (the founder of Ethereum). The
trilemma refers to the trade-offs between three properties: decentralization, scalability, and security.
In other words, because it is difficult to achieve all three properties at the same time, trade-offs are
almost inevitable.
“Blockchain systems have to trade-off between different properties. And it’s very hard for them to
have three things at the same time, where one of them is decentralization. The other is scalability,
and the third is security”.
Vitalik Buterin, The Founder of Ethereum
Blockchain can achieve at most two of the three properties. If the focus is placed only on two of them,
the last property will considerably decrease, the result being a blockchain that could be more
centralized, less secure, or slow (non-scalable). The Scalability Trilemma can be a useful comparative
framework to measure blockchains against each other.
[Figure: The Scalability Trilemma, developed by Vitalik Buterin. Decentralization: the degree of diversification in ownership. Scalability: the capacity of the network. Security: the level of defensibility.]
Decentralization
Advantages:
• It keeps in line with the philosophy of blockchain technology, to put the power in the hands of the community.
• More decentralized typically means more secure. Unlike client-server models, there is no single point of failure that can be exploited.
Disadvantages:
• Consensus algorithms like PoW require a vast amount of resources to maintain the network, which steadily increases over time.
• It compromises on performance and speed, which is problematic for use cases which require high throughput.
• Because there is no central moderator, any eventual disputes need to be resolved by the community.
• No single point of failure means that the network does not rely on a centralized server. As such, it is difficult to shut down a decentralized blockchain that is being used for destructive purposes.
Scalability
Advantages:
• A high degree of scalability ensures that applications run at an optimal speed while supporting a high volume of transactions.
• High levels of scalability make an application less likely to break down if user demand is much greater than originally assumed.
Disadvantage:
• The primary drawback of high levels of scalability is related to the security implications that may arise. As the network increases, it becomes more difficult and costly to implement proper security measures.
Security
Advantage:
• The main advantage of strong security is that the blockchain network is less vulnerable to attacks. A blockchain with robust security is ideal for use cases where data security and integrity are paramount. This is especially the case for enterprise-grade applications, financial services platforms, supply chains, and confidential data.
Disadvantage:
• Maintaining high levels of security usually puts a strain on performance, speed, and scalability, as a significant portion of computing power and resources needs to be allocated. As a result, network latency is increased and throughput is significantly reduced, which may deter potential users.
Source: Modex, “A Brief Overview Of The Scalability Trilemma,” accessed on November 26, 2019.
Public Blockchains
Public (permissionless) blockchain networks allow every participant to submit transactions and add
entries to the ledger as no permission is required to join the network. The operation is like the public
internet, where anyone can participate. In other words, any participants can read and write to the
ledger. Thus, to prevent manipulation and protect the integrity of data, blockchain applies consensus-
based validation mechanisms (e.g. proof of work).
Although no personal information is shared and identifying data is encrypted, each participant has a
public address that theoretically could be traced back to an IP address or exchange account (through
proper network analysis). For this reason, transactions are not entirely anonymous, but they are
pseudonymous. The vast majority of cryptocurrencies currently in circulation are based on public
blockchains (e.g. Bitcoin, Bitcoin Cash, Ethereum, and Litecoin). However, public blockchains have
limited applications in the financial industry due to the public nature of transactions and limited
functionality support at a protocol level.
Public blockchains have no single owner. They are far more decentralized than a private (permissioned) system because anyone can join the network. However, scalability is the trade-off, meaning that public blockchains are usually slower than private blockchains. This is because of the computational power required to maintain public blockchains and assure consensus. Consequently, as the volume of transactions and the number of individuals joining the network increase, it takes longer to process these transactions (e.g. validation), especially during peak hours.
Bitcoin, in its current form, can process approximately seven transactions per second. Ethereum can
handle 20 transactions per second. Comparable traditional centralized payment systems, such as VISA,
MasterCard, and PayPal, offer significantly higher transactions per second. For instance, VISA handles
150 million transactions per day, averaging roughly 1,700 transactions per second6. PayPal currently
processes 193 transactions per second. Finally, the costs of processing a transaction usually increase
as the network’s usage rises7.
6 Data on Bitcoin and VISA transaction speed statistics are from “Bitcoin vs. Bitcoin Cash: What is the Difference?,” Investopedia, with values as accessed on November 26, 2019.
7 Data on Ethereum and PayPal are from “Transactions Speeds: How Do Cryptocurrencies Stack Up To VISA or PayPal?”, howmuch.net, with values as accessed on December 26, 2019.
Real-World Case: A Peer-to-Peer Electronic Cash System
“What is needed is an electronic payment system based on cryptographic proof instead of trust,
allowing any two willing parties to transact directly with each other without the need for a trusted
third party. Transactions that are computationally impractical to reverse would protect sellers from
fraud…. The system is secure as long as honest nodes collectively control more CPU power than any
cooperating group of attacker nodes.”
Satoshi Nakamoto, The Founder of Bitcoin
Bitcoin, the first permissionless blockchain, is public and open to all. It permits the transfer of currency
online, directly, and independent of central control. Bitcoin, an example of convertible virtual
currency, is used for retail purchases and investments. For example, it can be digitally traded between
users and can be purchased for, or exchanged into, U.S. dollars, Euros, and other real or virtual
currencies. Many merchants (e.g. Internet, real-world places) accept bitcoin as payment today
including:
✓ Overstock.com is the first major online retailer to accept bitcoin
✓ Microsoft accepts bitcoin payments for a variety of digital content
✓ Dell allows customers to buy computers and hardware with bitcoin
✓ DISH Network, the first subscription model pay-TV provider to accept bitcoin, added Bitcoin Cash
as a payment option
✓ Expedia accepts bitcoin for hotel bookings
Bitcoin remains the most well-known and widely used cryptocurrency, accounting for 72% of the
market8. This is the only type of virtual currency that has the potential to compete with traditional
currency.
In late 2019, there were about 18 million bitcoins in circulation. This number changes about every 10
minutes when new blocks are mined. Currently, each new block adds 12.5 bitcoins into circulation,
and 144 blocks per day are mined on average. So, the average amount of new bitcoins mined per day
is 1,800 (12.5 x 144)9.
8 Data on cryptocurrency market valuations are from “Cryptocurrency Market Capitalizations,” CoinMarketCap, with values as accessed on September 20, 2019.
9 Data on bitcoin statistics are from “How Many Bitcoins Are There?,” Buy Bitcoins Worldwide, with values as accessed on December 26, 2019.
Private Blockchains
Private (permissioned) blockchains restrict who can perform different activities on the network. The
system operates similarly to a privately maintained database whose owner decides whether outsiders
are given read privileges. For example, the owner (a single authority or an organization) of a private
blockchain has the ability to dictate who can and cannot become part of its network. That is, only
authorized participants are granted write and read privileges.
Transaction processing and extension of the blockchain is performed by a set of known and accepted
nodes. Each participant of a private network knows the identity of the counterparty on the other side
of a transaction. This feature is critical to financial services due to anti-money laundering and know-
your-customer (“KYC”) considerations. Private blockchains also use consensus models (e.g. proof-of-
stake) for publishing blocks.
Since the participation is limited and controlled, private blockchains have a number of advantages over
public networks such as greater scalability, lower transaction costs, increased privacy, and less
vulnerability to malicious attacks. A private blockchain typically can process much higher transaction
volumes at higher speeds because, unlike public blockchains, it does not require significant
computational resources. For example, XRP is the cryptocurrency used by the Ripple payment
network. Built for enterprise use, XRP aims to be a fast, cost-efficient cryptocurrency for cross-border
payments. The Ripple platform is designed to allow fast and cheap transactions.
Private blockchains can also be for internal enterprise use, such as auditing and database
management. There are also some applications in the public sector, such as government budget or
government-industry statistics, which are usually managed by the government but can be made
available for the public to view.
Private blockchains may also be used by organizations that need to more tightly control and protect
their information. For instance, certain private blockchains require all members to be authorized to
send and receive transactions. In this case, members are not anonymous or pseudo-anonymous. This
feature discourages fraudsters since they can be identified. Thus, private blockchains can be beneficial
when transaction-processing nodes need to be known to comply with regulations. Other examples of
private blockchains include asset management. The most known examples of private blockchains are
Hyperledger Fabric and R3 Corda.
The following table summarizes the differences between the public and private blockchains.
Characteristics | Public (Permissionless) | Private (Permissioned)
Access | Open and Transparent Access | Authorized Members Only
Read | Open to Anyone | Authorized Members Only
Write | Anyone | Authorized Operators Only
Performance | Slower | Faster
Scalability | Limited Scalability | Highly Scalable
Consensus* | Proof-of-Work (Mining) or Proof-of-Stake | Proof-of-Stake or Pre-approved Participation
Transaction Cost | Higher | Low
Access Control | Same Access Level for All Participants | Full Control over Members’ Access
Identity | Anonymous or Pseudo-Anonymous | Known
*: The concept of consensus is explained in “A Self-Regulating Ecosystem”.
Source: Business Blockchain HQ, “Blockchain Fundamentals,” accessed on November 12, 2019.
The following table identifies a list of opportunities and challenges auditors face in permissionless and
permissioned blockchains.
Permissionless Blockchains
Opportunities:
• Examine transaction record on blockchain;
• Develop novel audit process on blockchain transactions;
• Verify the consistency between items on blockchain and in the physical world.
Challenges:
• No reversal of erroneous transactions;
• No centralized authority to verify the existence, ownership, and measurement of items recorded on blockchain;
• Data retrieval due to clients’ loss of private key;
• No centralized authority to report cyberattacks.
Permissioned Blockchains
Opportunities:
• Develop guidelines for blockchain implementation;
• Leverage industry knowledge and experience to offer advice for best practices for blockchain consensus protocols;
• Leverage business networks to form permissioned blockchain based on market demand;
• Act as planner and coordinator of potential participants of a blockchain;
• Leverage their expertise on IT auditing to audit internal control of blockchain, including data integrity and security;
• Offer independent rating services to a specific blockchain;
• Act as administrator of blockchain.
Challenges:
• Need to be proficient in various blockchain technologies;
• Difficult to reach consensus rules among all participants, when acting as an organizational agent;
• Audit transaction linked to a side agreement that is ‘‘off-chain’’;
• Tackle the situation when central authority has the power to override information on blockchain;
• Cope with change of consensus protocol in a blockchain.
Source: American Accounting Association, “How Will Blockchain Technology Impact Auditing and Accounting:
Permissionless versus Permissioned Blockchain”, Current Issues in Auditing Vol. 13, No. 2 Fall 2019.
Real-World Case: Blockchain for the Financial Industry
Quorum is an enterprise-focused, open-source version of Ethereum created by J.P. Morgan. Quorum
is designed to address specific challenges to blockchain technology adoption within the financial
industry and supports blockchain transactions amongst a permissioned group of known participants.
J.P. Morgan
Quorum, developed by J.P. Morgan, offers an enterprise-focused and permissioned blockchain. It will
become the first distributed ledger platform available through Azure Blockchain Service, allowing J.P.
Morgan and Microsoft customers to build and scale blockchain networks in the cloud. The principle of
Quorum is to apply cryptography to prevent all except those parties to the transaction from seeing
sensitive data. The solution involves a single shared blockchain and a combination of smart contract
software architecture and modifications to Ethereum. Quorum Whitepaper provides a high-level
overview of the Quorum blockchain platform:
Built on Ethereum
• First mover advantage. In production since July 2015
• 50,000 + unit tests, Security Audits, Bounty Program
• Largest Ecosystem of Developers, Tools, DApps
• Public Ethereum blockchain protects over $1B+ of Ether
Simple Privacy Design
• Supports both private and public transactions and smart contracts
Single Blockchain Architecture
• All public and private smart contracts and state derived from a single, common, complete
blockchain of transactions validated by every node in the network
• Private smart contract state validated by parties to contract only
• Best of both worlds…every node validating the list of transactions while only exposing details of
private transactions and contracts to relevant parties
High Performance
• Able to process dozens to hundreds of transactions per second, depending on system
configuration; enough to support institutional volumes
Source: J.P. Morgan, Quorum: A permissioned implementation of Ethereum supporting data privacy, 2016
Consortium Blockchains
As explained, a private blockchain is managed by a single entity. Consortium (federated) blockchains
are private blockchains deployed for a group of organizations/individuals to share data in a
trustworthy environment. They restrict participation in the network to users permitted by agreed-
upon administrators. Consortium blockchains are also known as semi-decentralized blockchains
because the consensus process is controlled by pre-defined nodes or a set of participants on the
network.
Features of Consortium Blockchains
✓ Permissioned
✓ Semi-decentralized
✓ Required multi-party consensus
Like private blockchains, consortium blockchains offer certain advantages such as lower transaction
costs, shorter processing times and better privacy protection. Consortium blockchains are usually
associated with enterprise use where a group of organizations, such as multiple banks, operate a
shared ledger. Consortium blockchains are also an optimal solution for developing a network for all
supply chain participants.
For example, the supply chain in the jewelry industry is long and complicated. The industry is
vulnerable to fraudsters as jewels and precious metals change hands so many times. It involves many
parties such as miners, certifiers, insurers, regulators, shipping companies, designers, manufacturers,
retailers, and customers. Blockchain technology (e.g. TrustChain, Everledger) has enabled
traceability and transparency across all stages of the global supply chain.
Real-World Case: Authenticated Provenance of Diamonds
The following case was extracted from Everledger, Press release, February 2019.
Transparency is one of the hottest topics in the jewelry industry. In 2015, Everledger developed a
blockchain solution, Provenance Proof Blockchain, to help prevent fraud and illicit trading. Provenance
Proof Blockchain enables transparency by securely tracing the journey of every stone from mining to
consumer. That is, every transaction and hand-over adds an entry to the blockchain, resulting in a
record, providing transparency into the complete journey of a gemstone, from the mine to the end
consumer.
This technology uses physical nanolabels, which are inserted in emeralds, so they can be traced back
to the exact mine. A combination of both a physical tracer (Emerald Paternity Test) and digital ledger
(Provenance Proof Blockchain), enables even more transparency. All processes, including the
registration and the upload of data, can be done with a smartphone. This ensures that the use of the
Provenance Proof Blockchain is an inclusive solution, convenient for all types and sizes of stakeholders
– artisanal miners, small-scale cooperatives, large companies, and any size of cutters and treaters,
dealers, wholesalers, gem labs, manufacturers, jewelry brands, retailers, and end consumers.
Working with a range of stakeholders across the diamond supply chain including diamond
manufacturers and downstream retailers, Everledger has since encrypted the provenance of over 2
million diamonds in a short three years.
[Figure: stages of the diamond supply chain tracked on the ledger: Mine, Rough, Assort, Planning, Laser Cutting, Polishing, Polishing QC, Certification, Store/Consumer]
Hybrid Blockchains
Hybrid blockchains combine the best of public and private blockchains. For example, they offer the
critical features of public blockchains such as decentralized, secure, transparent and immutable. They
also have the privacy benefits of private blockchains by restricting users’ ability to access the network,
view, or change transactions. That is, only a selected section of data or records can be permitted to go
public, keeping the rest confidential in the private network. The main advantage is that a company has
better control over what it wants to accomplish. In particular, a company has the flexibility to design
an infrastructure based on the use case as different types of users can be assigned with different levels
of access and rights. For instance, privacy and transparency features can be tailored to classes of users,
actions, or categories of information. As demonstrated in the following figure, the private feature
ensures that sensitive data is secure while its public feature makes it verifiable and transparent.
Source: Kapoor, “What are Blockchain Benefits and Trends in 2019?”, Hacknoon, accessed on November 30, 2019
Whether to Deploy Blockchain Solutions
The increasing enthusiasm could potentially bias an objective evaluation about whether or not to
invest in this technology. Blockchain technology solutions may be suitable if the activities or systems
require features such as10:
✓ Many participants
✓ Distributed participants
✓ Want or need for lack of trusted third party
✓ Workflow is transactional in nature (e.g., transfer of digital assets/information between
parties)
✓ A need for a globally scarce digital identifier (i.e., digital art, digital land, digital property)
✓ A need for a decentralized naming service or ordered registry
✓ A need for a cryptographically secure system of ownership
✓ A need to reduce or eliminate manual efforts of reconciliation and dispute resolutions
✓ A need to enable real-time monitoring of activity between regulators and regulated entities
✓ A need for full provenance of digital assets and a full transactional history to be shared
amongst participants
In general, deploying blockchain can only be practical when multiple mistrusting entities want to
collaborate and change the state of a system but cannot settle on an online trusted third party. The
risk is that a company decides to adopt blockchain technology because it is intriguing without reflecting
on whether it is suitable for its business. The strengths, weaknesses, opportunities and threats (SWOT)
analysis provided below summarizes the advantages and disadvantages of this technology.
10 The blockchain applicability considerations are from “NISTIR 8202 Blockchain Technology Overview,” National Institute of Standards and Technology, accessed on November 24, 2019.
SWOT Analysis of the Adoption of Blockchain
Internal, Positive: Strengths
✓ Fast and low-cost money transfers
✓ No need for intermediaries
✓ Automation (by means of smart contracts)
✓ Accessible worldwide
✓ Transparency
✓ Platform for data analytics
✓ No data loss/modification/falsification
✓ Non-repudiation
Internal, Negative: Weaknesses
• Scalability (discussed in “Types of Blockchains”)
• Low performance (discussed in “Types of Blockchains”)
• Energy consumption (discussed in “Consensus Mechanism”)
• Reduced users’ privacy
• Autonomous code is “candy for hackers”
• Need to rely on external oracles
• No intermediary to contact in case of loss of users’ credentials
• Volatility of cryptocurrencies
• Still in an early stage (no “winning” blockchain, need of programming skills to read code, blockchain concepts difficult to be mastered)
• Same results achieved with well-mastered technologies
External, Positive: Opportunities
✓ Competitive advantage (if efforts to reduce/hide the complexity behind blockchain are successful, or in case of diffusion of Internet of Things)
✓ Possibility to address new markets (e.g., supporting car and house sharing, disk storage rental, etc.)
✓ Availability of a huge amount of heterogeneous data pushed in the blockchain by different actors
External, Negative: Threats
• Could be perceived as unsecure/unreliable
• Low adoption from external actors means lack of information
• Governments could consider blockchain and smart contracts “dangerous”
• Medium-long term investment
• Not suitable for all existing processes
• Customers would still consider personal interaction important
Source: Future Internet, “Blockchain and Smart Contracts for Insurance: Is the Technology Mature Enough?,”
2018.
Appendix A provides a blockchain decision tree to help individuals determine if blockchain technology
is suitable for a development initiative.
Review Questions - Section 2
1. Which of the following statements is TRUE regarding public blockchains?
A. Privileges are used to control who can read the blockchain
B. Provide greater efficiency; transactions are processed faster
C. Designed to cater to enterprise requirements
D. Have no single owner; are visible to anyone
2. Which of the following platforms has the highest degree of scalability?
A. Bitcoin
B. VISA
C. Ethereum
D. PayPal
3. Cloud Inc. considers deploying a blockchain platform. Cloud Inc. needs to control who can read
and write on its blockchain. Which type of blockchain best fits Cloud Inc.’s need?
A. Public
B. Private
C. Consensus less
D. Permissionless
4. Which cryptocurrency is operated on a private blockchain?
A. Bitcoin
B. Ripple
C. Bitcoin Cash
D. Litecoin
5. What is a feature of a consortium blockchain?
A. Open to the public
B. Required multi-party consensus
C. Centralized
D. Permissionless
II. How Blockchain will Enhance the Accounting and Auditing Professions
“The blockchain technology is the most important advance in recordkeeping since the invention of
double-entry bookkeeping in Florence, Italy in 1494”
The Economist Magazine
Blockchain is essentially an accounting technology, which dramatically changes the way we create,
send, receive, track, validate, update and store transactions. It has the potential to offer absolute
certainty over the ownership and history of assets and reduce the costs of maintaining and reconciling
ledgers. Specifically, it could create a secure and immutable history of transactions that is easily
traceable to enhance audit-ability and transparency.
To appreciate the value of this technology, we need to understand current accounting and auditing
practices. This chapter explains the concept of accounting, the auditor’s responsibilities, and the
functions of middlemen. It also discusses the challenges facing the accounting and auditing professions
and how blockchains can enhance many of the core activities of those professions.
Foundation of Accounting Principles
The Value of Accounting
“Accounting is the art of recording, classifying and summarizing in a significant manner and in terms
of money, transactions and events, which are, in part at least, of a financial character and
interpreting the results thereof”.
American Institute of Certified Public Accountants
The history of accounting is thousands of years old and can be traced to ancient civilizations such as
China, Babylonia, Greece, and Egypt. Accounting was used to keep records regarding the cost of labor
and materials used in building great structures like the Pyramids11. All entities have resources such as
money, labor, raw materials, equipment, buildings, and factories. Therefore, the entity must record
the details of business transactions in a systematic, orderly, and logical manner in order to track and
analyze its assets, liabilities, income, and expenditures, and answer the following basic questions:
• What are the costs of purchasing company assets (e.g. property, machines, equipment)?
• How much does it cost to create the products/services?
• How much is spent on overhead (e.g. rent, insurance, utilities)?
• What is the cost of managing employees (e.g. salaries, commissions, benefit programs)?
• How much is receivable from customers to whom goods/services were sold on credit?
• How much is payable to suppliers as a result of credit purchases?
• Are there any amounts that have been outstanding for a long time?
• Are there any loans outstanding and if so, what is their nature and when will they be repaid?
• What is being leased and when will the lease(s) end?
• Is revenue increasing or decreasing year-over-year? Why?
• Is cash flow positive or negative each month?
11 Information on the history of accounting is from “Financial Accounting -I,” Chandra Shekhar.
Accounting information is valuable because decision-makers can use it to measure the business
activities and the financial outcomes of different alternatives. For instance, management uses
accounting information to analyze business performance and make decisions. Creditors examine a
company’s financial statements to assess the company’s ability to repay a loan. Prospective investors
are interested in evaluating the investment characteristics of a company such as risk, return, and
growth. The American Accounting Association states that accounting is the process of identifying,
measuring and communicating economic information to permit informed judgments and decisions by
users of the information.
The Development of Accounting Discipline
Book-Keeping System
“Book-keeping is the science and art of correctly recording in the books of account all those business
transactions that result in the transfer of money or money’s worth”.
R.N. Carter
The need for recording business transactions in a systematic and clear manner gives rise to book-
keeping. Book-keeping, concerned with record-keeping of business events and maintenance of books
of accounts, provides the basis for accounting. The objectives of book-keeping include:
1. Maintaining a permanent, complete, and accurate record of all the business transactions
2. Keeping records of income, expenses, assets, and liabilities to help to assist in decision making
3. Tracking the activities of customers and suppliers (e.g. the amount due)
4. Ascertaining recorded transactions on the financial statements to show the business
performance
5. Determining tax basis and obligations by recording all business transactions
The activities of book-keeping include recording in a journal, classifying and summarizing financial
data, posting to the general ledger and balancing accounts. All business transactions are initially
recorded in a book of original entry (journal), in accordance with the double-entry accounting system
used in modern financial accounting, and then posted to the general ledger. A general ledger, the king
of all books, tracks all of the information needed to prepare financial statements including assets,
liabilities, equity, revenue, and expenses.
Lesson Note: The first known description of double-entry book-keeping was published in 1494 A.D. by
Luca Pacioli, who was an Italian merchant.
Double-entry accounting means that each transaction is recorded in at least two accounts where the
total debits always equal the total credits. It allows companies to maintain records reflecting what
they own and owe, and have earned and spent for a given period of time. Under double-entry
accounting, all transactions fit into a simple equation:
Assets = Liabilities + Equity
The following table illustrates how the nature of entry affects the financial position of a company.
Account Type | Normal Balance | Debit | Credit
Assets | Debit | Increase | Decrease
Liabilities | Credit | Decrease | Increase
Equity | Credit | Decrease | Increase
For example, when a company borrows money from a bank, the company's assets will increase and its
liabilities will increase by the same amount. A financially healthy company usually maintains a
consistent ratio of assets to liabilities. A sudden increase in this ratio may indicate that liabilities such
as long-term debt were hidden in off-balance-sheet entities or entries.
Example: Double-Entry Accounting
Johnson Architectural Company has assets of $800,000, obligations of $500,000, and owner's equity
of $300,000. The accounting equation is:
Assets = Liabilities + Equity
$800,000 = $500,000 + $300,000
If at the end of the reporting period, the firm derived a net income of $100,000, the accounting
equation becomes:
Assets = Liabilities + Equity
$900,000 = $500,000 + $400,000
If $50,000 was then used to pay creditors, the accounting equation becomes:
Assets = Liabilities + Equity
$850,000 = $450,000 + $400,000
By using the double-entry system, the accuracy of the accounting can be proven through the
preparation of a trial balance. A trial balance is a statement which displays debit balances and credit
balances of all accounts in the general ledger. The agreement of the debit and credit totals of the trial
balance gives assurance that:
• Equal debits and credits have been recorded for all transactions
• The calculation of the account balances in the trial balance has been performed correctly
However, the equality of the debit and credit totals does not necessarily mean that the accounting
process has been error-free. Serious errors may have been made, such as failure to record a
transaction or posting a debit or credit to the wrong account. Examples of common errors that may
cause a trial balance to be out of balance include:
• Posting a debit as a credit, or vice versa
• Failing to post part of a journal entry
• Incorrectly determining the balance of an account
• Recording the balance of an account incorrectly in the trial balance
• Omitting an account from the trial balance
• Making a transposition or slide error in the accounts or the journal
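The double-entry mechanics above (the accounting equation, the Johnson Architectural Company steps, and what a trial balance can and cannot catch) as an added example, not from the course text: a small ledger in Python. Account names and the split of the $800,000 opening assets between Cash and Equipment are constructed for the example.

```python
"""Added example (not from the course): a minimal double-entry ledger.

Posts journal entries, rejects an entry whose debits and credits differ,
builds a trial balance and checks Assets = Liabilities + Equity. It also
shows the limit described in the text: a debit posted to the wrong account
still gives a balanced trial balance, while a debit posted as a credit
throws the trial balance out by twice the amount.
"""
from collections import defaultdict

# Constructed chart of accounts: account name -> type. Assets and expenses
# carry a debit normal balance; liabilities, equity and revenue a credit one.
ACCOUNT_TYPES = {
    "Cash": "asset",
    "Equipment": "asset",
    "Bank Loan": "liability",
    "Owner's Equity": "equity",
    "Service Revenue": "revenue",
    "Rent Expense": "expense",
}
DEBIT_NORMAL = {"asset", "expense"}


class Ledger:
    def __init__(self):
        self.debits = defaultdict(float)   # account -> total debits posted
        self.credits = defaultdict(float)  # account -> total credits posted

    def post_raw(self, lines):
        """Post (account, debit, credit) lines with no equality check.
        Used only to simulate a posting error for the trial-balance demo."""
        for account, dr, cr in lines:
            if account not in ACCOUNT_TYPES:
                raise KeyError(f"unknown account {account!r}")
            self.debits[account] += dr
            self.credits[account] += cr

    def post(self, description, lines):
        """Post a journal entry; total debits must equal total credits."""
        total_dr = sum(dr for _, dr, _ in lines)
        total_cr = sum(cr for _, _, cr in lines)
        if abs(total_dr - total_cr) > 1e-9:
            raise ValueError(f"{description}: debits {total_dr} != credits {total_cr}")
        self.post_raw(lines)

    def trial_balance(self):
        """Totals of the debit and credit columns; each account is listed on
        the side its balance actually falls on."""
        dr_total = cr_total = 0.0
        for account in set(self.debits) | set(self.credits):
            net = self.debits[account] - self.credits[account]
            if net >= 0:
                dr_total += net
            else:
                cr_total -= net
        return dr_total, cr_total

    def accounting_equation(self):
        """Return (assets, liabilities, equity) with net income for the
        period (revenue - expenses) closed into equity."""
        totals = defaultdict(float)
        for account, kind in ACCOUNT_TYPES.items():
            net = self.debits[account] - self.credits[account]
            # Express every balance as a positive amount on its normal side.
            totals[kind] += net if kind in DEBIT_NORMAL else -net
        net_income = totals["revenue"] - totals["expense"]
        return totals["asset"], totals["liability"], totals["equity"] + net_income


def johnson_example():
    """Replay the three Johnson Architectural Company steps from the text."""
    ledger = Ledger()
    ledger.post("Opening balances", [
        ("Cash", 300_000, 0), ("Equipment", 500_000, 0),
        ("Bank Loan", 0, 500_000), ("Owner's Equity", 0, 300_000),
    ])
    opening = ledger.accounting_equation()        # (800000, 500000, 300000)
    ledger.post("Net income for the period", [
        ("Cash", 100_000, 0), ("Service Revenue", 0, 100_000),
    ])
    after_income = ledger.accounting_equation()   # (900000, 500000, 400000)
    ledger.post("Pay creditors", [("Bank Loan", 50_000, 0), ("Cash", 0, 50_000)])
    after_payment = ledger.accounting_equation()  # (850000, 450000, 400000)
    return opening, after_income, after_payment


def wrong_account_still_balances():
    """Rent of $2,000 debited to Equipment instead of Rent Expense."""
    ledger = Ledger()
    ledger.post("Rent posted to wrong account", [("Equipment", 2_000, 0), ("Cash", 0, 2_000)])
    dr, cr = ledger.trial_balance()
    return dr == cr  # True: the trial balance cannot see this error


def debit_posted_as_credit():
    """The $2,000 rent debit is posted as a credit: trial balance off by $4,000."""
    ledger = Ledger()
    ledger.post_raw([("Rent Expense", 0, 2_000), ("Cash", 0, 2_000)])
    return ledger.trial_balance()  # (0.0, 4000.0)
```

A trial balance that is out by exactly twice an amount is the classic sign of a debit posted as a credit, while the wrong-account case shows why the auditor's substantive procedures described later are still needed.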
Management Assertions
The preparation of financial statements is management's responsibility. For example, a Controller is
responsible for establishing and maintaining internal control that will initiate, record, process, and
report transactions consistent with management's assertions embodied in the financial statements.
Whenever management issues financial reports, management is making the following assertions:
✓ Existence or occurrence: The assets, liabilities and shareholders' equity balances of the
company exist at a given date. For example, management asserts that inventories in the
balance sheet are available for sale.
✓ Completeness: All transactions and accounts that should be presented in the financial
statements are included. For example, management asserts that all purchases of goods are
recorded and included in the financial statements.
✓ Valuation or allocation: The amounts of assets, liabilities, equity, revenue, and expenses
included in the financial statements are appropriate. For example, management asserts that
property is recorded at historical cost and that such cost is systematically allocated to the
proper accounting period.
✓ Rights and obligations: The company holds or has ownership rights or usage rights over the
assets, and liabilities are obligations of the company at a given date. For example,
management asserts that amounts capitalized for leases in the balance sheet represent the
cost of the company’s rights to leased property and that the corresponding lease liability
represents an obligation of the company.
✓ Presentation and disclosure: The components of the financial statements are properly
classified, described and disclosed. For example, management asserts that obligations
classified as long-term liabilities in the balance sheet will not mature within one year.
The Role of Auditor
“The origin of the word audit relates it to hearing, and traces of this early usage, signifying the
hearing by proper authorities of accounts rendered by word of mouth, still linger in such phrases as
hearing witnesses and examine witnesses included in some dictionary definitions of audit.”
The American Institute of Certified Public Accountants
The use of double-entry accounting, a system of checks and balances, helps identify whether or not
errors have been made in recording transactions. The double-entry system may solve the problem of
managers knowing whether they could trust their own books. However, each company represents
their version of a transaction independently of the other. For instance, Enron represented transactions
in a way best suiting itself. Whether intentionally fraudulent or accidental, multiple participants in a
transaction can get out of sync since there are no checks and balances between entities. Companies
are expected to share their financial information with stakeholders such as the audit committee,
shareholders, lenders, and regulatory bodies. This raised the question of how external parties could
trust management and the company’s books.
One of the primary objectives of an audit is to provide trust among its intended parties. It focuses on
both the truth of the records and the question of whether or not the statements were faithfully
prepared from those records. Auditing is generally defined as a systematic process of objectively
obtaining and examining evidence in respect of certain assertions about economic events, to ascertain
the degree of correspondence between those assertions and established criteria and to report the
results to interested parties.
Auditors, independent guarantors of financial information, validate a company’s transactions and
verify the integrity of accounting entries (e.g. sales, expenses) as shown in the table below. They must
follow auditing standards to form an opinion as to whether the financial statements are free of
material misstatement, whether caused by error or fraud.
Revenues: Accounts receivable arise from the sale of merchandise or the performance of services for a
customer or a client.
Expenses: Accounts payable result from expenditures necessary to conduct business operations (e.g.
rent expense, cost of goods sold).
Net Income = Revenues − Expenses
The Sarbanes-Oxley Act (SOX) imposed stringent requirements on external auditors in their evaluation
of internal controls over financial reporting (ICFR). Specifically, it requires auditors to perform an
independent audit of ICFR and to issue a report including two opinions — one on management's
assessment and one on the effectiveness of ICFR. To form the opinion, the auditor must gather
appropriate and sufficient audit evidence by performing audit procedures. Examples of audit
procedures include:
• Interviewing appropriate personnel at all organizational levels
• Re-calculating recorded amounts for accuracy (e.g. depreciation schedule)
• Confirming the existence of balances with third parties (e.g. cash, sales, receivables, debt,
liabilities, investments)
• Re-performing procedures or controls (e.g. bank reconciliation, 3-way matching)
• Observing the operation of an internal control procedure being performed
• Inspecting the company’s documentation (e.g. records, reports, operating manuals)
Lesson Note: Audit evidence contains both information that supports and corroborates management's
assertions regarding the financial statements or ICFR and information that contradicts such assertions.
Since auditors are the trusted professionals who perform testing to obtain sufficient evidence to opine
and attest to the existence, accuracy, and completeness of transactions as well as the presentation of
related information in financial statements, they must be independent from the client and parties that
have an interest in the results shown on the financial statements so that the audit opinion will not be
influenced by any relationship between them.
In summary, audited financial statements are a cornerstone of business as investors’ willingness to
commit their capital depends on confidence that financial statements have not been manipulated.
Therefore, all companies that wish to access the U.S. capital markets must obtain an audit of financial
statements.
The Functions of Intermediaries
“Traditionally, finance, as we know, has always been dominated by intermediaries such as banks,
governments and central authorities as a means to establish ‘trust’ for any storage or exchange of
value.”
XinFin Organization
Trust, the root of “promise to pay,” is vital to the conduct of all businesses. Trust is difficult to gain;
therefore, we need to rely on a central authority or intermediary (a middleman) that acts as the
implicitly trusted mediator maintaining every transaction. In other words, assuring trust between
participants depends on the existence of an intermediary who maintains and updates a ledger in a
system.
A financial intermediary simply connects two parties in a financial transaction. For example, banks
allocate funds from savers to borrowers. We trust that banks will provide us with accurate information
and access to the deposits on request. Similarly, for a syndicated loan, a form of loan business in which
two or more lenders jointly provide loans for a single borrower (e.g. corporation, sovereign
government), one bank is usually appointed as the trusted third party to manage the loans (e.g.
maintaining the register of lenders, administrating loans, and keeping all the records). However, in a
global economy, creating and maintaining trust in the system has become increasingly time-
consuming, expensive, and inefficient.
Examples of common financial intermediaries include:
Stock Exchanges: Stock exchanges act as an agent by facilitating the trading of securities and stocks
and disseminating information. For example, they provide confirmation of trade terms, clearing, and
settlement. They charge a brokerage fee to each party which is its profit. Notable stock exchanges
include NASDAQ, New York Stock Exchange (NYSE), and Shanghai Stock Exchange (SSE). In the
aggregate, NASDAQ processed about 9.9 million executed securities trades daily, valued at $69.3
billion.12
Depository Institutions: Depository institutions accept currency deposits and offer various payment
services, ranging from interbank associations (e.g. operating ATMs, clearing checks) and point-of-sale
systems to credit/debit card networks and electronic funds transfer systems. There are three major types of
depository institutions: commercial banks, savings and loans/savings banks, and credit
unions. The Federal Deposit Insurance Corporation (FDIC) insures deposits in banks and thrift
institutions for at least $250,000. As of June 2019, there were 4,630 FDIC-insured commercial banks
in the U.S.13
Insurance Companies: According to the National Association of Insurance Commissioners, the basic
concept of insurance is an economic device that transfers risk from an individual to a company and
reduces the uncertainty of risk via pooling. On a contractual basis, the insurer will guarantee payment
for an uncertain unfortunate event. The insured pays a premium to the insurer at regular intervals in
exchange for protection related to that uncertain future occurrence. Insurance companies (the
insurer) pool customers together (e.g. corporations, individuals) with the goal to mutually bear the
burden of losses if an unfortunate event occurs. They collect funds (premiums) for policies and provide
policy benefits.
12 Average daily volume and value were calculated using 2016 data on U.S. retail and wholesale PCS systems and were approximated based on the number of business days in the year. See Committee on Payment and Market Infrastructures (2016), Statistics on Payment, Clearing and Settlement Systems in the CPMI Countries, with values as accessed on November 8, 2019.
13 The commercial bank statistics are from “Statistics At A Glance,” the Federal Deposit Insurance Corporation, with values accessed on November 11, 2019.
Review Questions - Section 3
1. What is the concept that an increase or decrease in one account must be offset exactly by an
increase or decrease in another account?
A. Conservatism
B. The going concern assumption
C. Double-entry accounting
D. The monetary measurement concept
2. According to the rules of debit and credit, which of the following statements is TRUE?
A. Increases in asset, liability, and owners’ equity accounts are recorded by debits
B. Decreases in asset and liability accounts are recorded by credits
C. Increases in asset and owners’ equity accounts are recorded by debits
D. Decreases in liability and owners’ equity accounts are recorded by debits
3. Which of the following management assertions indicates that the amount of revenue and expense
included in the financial statements is appropriate?
A. Existence
B. Completeness
C. Valuation
D. Rights and obligations
4. What is the process of objectively obtaining and examining evidence in respect of certain
assertions about economic events?
A. Cost accounting
B. Risk assessment
C. Auditing
D. Management accounting
5. As an independent guarantor of financial information, what is an auditor's primary consideration
regarding internal control?
A. Whether the control reflects management's philosophy and operating style
B. Whether the control affects management's financial statement assertions
C. Whether the control provides adequate safeguards over access to assets
D. Whether the control enhances management's decision-making processes
6. Which of the following entities usually serves as a financial intermediary?
A. The Internal Revenue Service
B. A public accounting firm
C. New York Stock Exchange
D. A community college
Obstacles of the Current Practice
A Burden on Business
Cost Implications of Internal Control
Currently, to prevent, detect, and correct financial irregularities, companies rely on a system of checks
and balances, otherwise known as internal controls. However, internal controls require resources that
incur a cost for the company. For example, a reconciliation process, a comparison of specific sets of
data to other sources, identifies discrepancies that need to be investigated (e.g. detecting
unauthorized changes or omission of transactions). The reconciliation process may involve multiple
systems and records requiring participation from employees, vendors, and multiple departments. This
task often affects daily accounting operations due to the manual labor it takes to conduct and
document periodic reviews and follow-ups.
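As an added illustration of the reconciliation control described above (example code written for this section, not from the course or from any accounting system), the following Python compares a constructed cash ledger with a constructed bank statement and reports the three kinds of exceptions that need follow-up: items the bank shows but the ledger omits, items the ledger shows but the bank does not, and items whose amounts differ. The reference numbers, amounts and memos are constructed sample data, and matching on a reference number shared by both sources is an assumption.

```python
"""Added example: a ledger-to-bank reconciliation that surfaces exceptions.

Illustrative code written for this section, not from the course or any
accounting product. It assumes both sources carry a shared reference
number (check, deposit or wire id); all records below are constructed.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Entry:
    ref: str         # shared reference number (assumed to exist on both sides)
    amount: Decimal  # signed amount: deposits positive, payments negative
    memo: str


def index_by_ref(entries: List[Entry]) -> Dict[str, Entry]:
    """Index entries by reference; a duplicate reference is itself an
    exception, so it raises instead of silently overwriting a record."""
    indexed: Dict[str, Entry] = {}
    for entry in entries:
        if entry.ref in indexed:
            raise ValueError(f"duplicate reference {entry.ref!r}")
        indexed[entry.ref] = entry
    return indexed


def reconcile(ledger: List[Entry], bank: List[Entry]) -> Dict[str, list]:
    """Compare the company's cash ledger with the bank statement.

    Returns three exception lists for follow-up:
      unrecorded  - on the bank statement but absent from the ledger
                    (possible omitted transaction)
      unsupported - in the ledger but not at the bank
                    (possible fictitious entry, or a timing difference)
      altered     - in both, but the amounts differ
                    (possible unauthorized change or keying error)
    """
    ledger_idx = index_by_ref(ledger)
    bank_idx = index_by_ref(bank)
    common = ledger_idx.keys() & bank_idx.keys()
    altered: List[Tuple[str, Decimal, Decimal]] = sorted(
        (ref, ledger_idx[ref].amount, bank_idx[ref].amount)
        for ref in common
        if ledger_idx[ref].amount != bank_idx[ref].amount
    )
    return {
        "unrecorded": sorted(bank_idx.keys() - ledger_idx.keys()),
        "unsupported": sorted(ledger_idx.keys() - bank_idx.keys()),
        "altered": altered,
    }


def net_difference(ledger: List[Entry], bank: List[Entry]) -> Decimal:
    """Ledger total minus bank total. A zero difference does not prove the
    books are right: offsetting errors cancel, so the exception lists from
    reconcile() must be cleared as well."""
    return sum(e.amount for e in ledger) - sum(e.amount for e in bank)


# Constructed sample data (not real records).
LEDGER = [
    Entry("CHK-1001", Decimal("-1200.00"), "Rent"),
    Entry("CHK-1002", Decimal("-350.00"), "Office supplies"),
    Entry("DEP-2001", Decimal("5000.00"), "Customer payment"),
    Entry("WIRE-3001", Decimal("-2500.00"), "Vendor A"),
]
BANK = [
    Entry("CHK-1001", Decimal("-1200.00"), "Check"),
    Entry("CHK-1002", Decimal("-530.00"), "Check"),  # digits transposed
    Entry("DEP-2001", Decimal("5000.00"), "Deposit"),
    Entry("FEE-0001", Decimal("-25.00"), "Monthly service fee"),
]


if __name__ == "__main__":
    result = reconcile(LEDGER, BANK)
    for kind, items in result.items():
        print(f"{kind}: {items}")
    print("net difference:", net_difference(LEDGER, BANK))
```

The point of keeping the net difference separate from the exception lists is the one the paragraph makes about reconciliation as a detective control: a matching total is not sufficient evidence, because an omitted bank fee and a transposed check amount can partly offset each other, so each exception has to be investigated and documented on its own.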
Segregation of duties is another example of an internal control that could be costly. Although
segregation of duties is often considered a key internal control, hiring additional employees is not
always feasible, especially for smaller companies. Moreover, the segregation of duties may lead to
overstaffing if it is not well established. Finally, it is important to know that more is not necessarily
better in the case of internal controls, especially when the costs of implementing and performing the
controls exceed the benefits and the risks are low. For example, a rigid implementation may cause a
slowdown in the operation of the business by increasing bureaucracy and reducing productivity.
Audit Compliance
Auditors may ensure the validity and credibility of financial information and compliance with
regulations; however, an independent audit is an expensive monitoring tool. For example, SOX
drastically impacted the cost of, and time needed to complete, a quality audit. SOX also specifies
what is required of the auditors in an audit of a public company. Auditors are required to design and
perform various audit procedures to obtain sufficient appropriate audit evidence. These procedures
can be time-consuming and laborious, especially when manual reviews are required and paper
documentation has to be obtained.
For instance, audit confirmations are usually performed to obtain evidence from third parties about
management assertions including the existence of cash balances and the completeness of accounts
payable. According to the auditing standards (AU 326 Audit Evidence), when using external
confirmation procedures, the auditor usually performs the following procedures:
1. Determines the information to be confirmed or requested;
2. Selects the appropriate confirming party;
3. Designs the confirmation requests, including ensuring that requests are properly directed to
the appropriate confirming party and state that responses are to be sent directly to the
auditor;
4. Sends the requests, including follow-up requests when applicable, to the confirming party;
and
5. Evaluates whether the results of the external confirmation procedures provide relevant and
reliable audit evidence or whether further audit procedures are necessary.
Confirmation is often considered time-consuming because the average turnaround of paper
confirmations takes four to eight weeks. It can also be costly and manually intensive because of the
resources required in preparation, mailing, receipt, and follow-up. It is estimated that paper
confirmations cost as much as $70 per confirmation. This figure can increase depending on staff rates
and the amount of follow-up work required on lost or inaccurate confirmations as well as investigating
any exceptions.14 Limitations of confirmations are addressed in “Reliability of Audit Evidence”.
In general, the cross-party verification process can be costly as the audit fee is usually determined by
the amount of time the auditor spends conducting the audit. The larger the organization’s budget and
the more complex its operations, the more time the audit will take and the higher the audit cost. The
Financial Education & Research Foundation (FERF) 2018 survey reveals increases in audit fees, with
public companies reporting an average increase of 4.1%. Private companies reported an average
increase of 5.6%. The average audit of a public company took almost 34,000 hours of work. For a
private company, it took about 1,395 hours. Audit costs could be a significant burden to some
organizations if audit fees continue to increase. The following tables summarize the survey results.
2018 Audit Fee Survey
(Based on the 2017 Filing Year)
Survey Respondents Average Audit Fees Median Audit Fees
Large Accelerated $11,010,871 $6,973,000
Accelerated $727,056 $415,000
Non-Accelerated $161,101 $128,371
Private company $138,658 $71,775
Nonprofit organization $91,619 $45,000
Source: Financial Education & Research Foundation (FERF), 2018 Audit Fee Survey
14 Information about the estimated cost of paper confirmations is from “How Inefficiencies Increase the Risk of Confirmation Fraud,” Confirmation.com, 2015.
2018 Audit Fee Survey
Survey Respondents   Average Hours (2017)   Average Hours (2016)   Average Rate (2017)   Average Rate (2016)
Public company   34,003   32,508   $248   $225
Private company   1,395   1,754   $191   $180
Note: Nonprofit organizations reported flat fees.
Source: Financial Education & Research Foundation (FERF), 2018 Audit Fee Survey
Inherent Limitations of Financial Audits
The Association of Certified Fraud Examiners (ACFE) reveals that financial audits are the most common
anti-fraud control put in place, with nearly 80% of organizations in its study opting for such audits.
However, only 4% of fraudulent activities are detected by external auditors.15 This indicates that most
organizations may misunderstand the nature of financial audits and, therefore, place too much
reliance on the audits. It is important to understand that financial audits are not designed to search
for fraud in the accounting records. Thus, they are not aimed at preventing and detecting fraudulent
activities. Moreover, the auditor is not expected to, and cannot, obtain absolute assurance that the
financial statements are free from material misstatement due to fraud or error. This is because there
are limitations of an audit, such as reliability of audit evidence and the nature of audit procedures. This
section examines some of the challenges in the current audit practice.
15 Statistics about common anti-fraud controls and fraud detection methods are from “Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse,” The Association of Certified Fraud Examiners.
Reliability of Audit Evidence
According to the auditing standards (AU 326 Audit Evidence), audit evidence is all the information used
by the auditor in arriving at the conclusions on which the audit opinion is based and includes the
information contained in the accounting records underlying the financial statements and other
information. The reliability of audit evidence is influenced by its source and nature and is dependent
on the individual circumstances under which it is obtained. The following types of evidence are ranked
from most reliable to least reliable:
• Physical examination
• External documents
• Confirmation
• Re-calculation
• Re-performance
• Observation
• Internal documents with effective controls
• Analytical procedures with sufficient data
• Inquiry
• Internal documents with poor controls
As noted, audit evidence in the external form received directly by the auditor such as legal
representation letters and bank confirmations may be more reliable than evidence generated
internally by the entity. For example, the auditor may seek direct confirmation of receivables by
communication with debtors. However, confirmation is often considered a relatively low-benefit
procedure since it only requires routine effort and even less thought. According to the auditing
standards (AU 330 The Confirmation Process), confirmations carry interception and alteration risks and
source-of-response risks. That is, fraudsters can circumvent the audit confirmation process in the
following ways:
• The company provides the account statement, contact name, and contact information (e.g. false
mailing addresses, phone numbers, fax numbers)
• The company directs or influences the auditor’s authentication process
• The auditor has limited ability to authenticate documents and signatures
According to a survey of over 150 accounting firms, almost all of the mailing addresses for
confirmations are provided to the auditor by the client or taken directly from client-provided bank
statements.16 The risk associated with any client-provided documentation is that fraudsters can easily
create a fake statement (e.g. names, addresses, and phone numbers) and manipulate the document
by using a scanner to deceive the auditor.
16 Information about the survey of accounting firms is from “Guide to Electronic Confirmations,” Boomer Consulting, Inc.
[Figure: Reliability of Evidence, ranked from High to Low for the evidence types listed above]
Moreover, management may direct the auditor to send confirmations to a dishonest vendor who is
willing to fraudulently complete the confirmation responses, hoping to avoid detection. As a result,
the auditor cannot be certain of the accuracy and completeness of information, even though the
auditor has performed audit procedures to obtain assurance that all relevant information has been
obtained.
Finally, photocopies, facsimiles, filmed, digitized or other electronic documents are acceptable audit
evidence depending on the controls over their conversion and maintenance. Although an audit rarely
involves the authentication of documentation, documents can be falsified or forged with limited
possibility for authentication and traceability. Since the auditor is neither trained nor expected to be an
expert in the authentication of documents, information may appear valid when it is not.
The ACFE identifies the following top eight concealment methods used by fraudsters:17
1. Created fraudulent physical documents (55%)
2. Altered physical documents (48%)
3. Created fraudulent transactions in the accounting system (42%)
4. Altered transactions in the accounting system (34%)
5. Altered electronic documents or files (31%)
6. Destroyed physical documents (30%)
7. Created fraudulent electronic documents or files (29%)
8. Created fraudulent journal entries (27%)
More than half of the concealment methods (1, 2, 5, 6, and 7) are related to falsification or
manipulation of physical/electronic documents. Apparently, this type of technique was successfully
carried out by Parmalat executives who committed the largest cash and investment confirmation
fraud. However, it is not the only case of confirmation fraud used to steal cash or falsify financial
records. In case after case, confirmation procedures are shown to be easily manipulated, especially
when the process is simple to circumvent.
17 Statistics about concealing fraud are from “Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse,” The Association of Certified Fraud Examiners.
Examples of Confirmation Fraud
Satyam (“Asia Enron”), 2008-2009
To make the company’s performance appear far more profitable to investors,
former senior officials at Satyam created false invoices and forged bank statements
to inflate the cash balances. For example, the former senior managers created more
than 6,000 phony invoices to be used in Satyam’s general ledger and financial
statements. The employees also falsified bank statements to reflect payment of the
sham invoices. This resulted in inflated cash and bank balances of up to $1.44 billion,
understated liabilities about $300 million and non-existent accrued income of $86
million.
Kmart, 2005-2006
The SEC brings this accounting fraud action as the result of the improper recognition
of vendor “allowances” by Kmart with the knowledge and involvement of
representatives of several of the company’s major vendors, including Eastman
Kodak Company, Coca Cola Enterprises Inc. and PepsiCo Inc.’s wholly-owned
subsidiaries, Pepsi-Cola Company and FritoLay, Inc. Representatives of these
vendors participated in the pulling forward of allowances by cosigning false or
misleading accounting documents, executing side agreements, and, in some
instances, providing false or misleading third party confirmations to the company’s
independent auditor, PwC.18
Ahold, 2005-2006
With respect to the fraud at U.S. Foodservice (USF), Ahold's wholly-owned
subsidiary, USF executives also provided, or assisted in providing, Ahold's
independent auditors with false and misleading information by, for example,
persuading personnel at many of USF's major vendors to falsely confirm overstated
promotional allowances to the auditors in connection with year-end audits.19
Parmalat (“European Enron”), 2003
The fraud involved an off-shore company called Bonlat Financing, which was
registered in the Cayman Islands. The scheme relied on a phony letter, purportedly
from Bank of America, that declared Bonlat to be in possession of assets that
included 3.95 billion euros supposedly held by Bank of America. As part of the audit
procedures, Grant Thornton received a confirmation on Bank of America letterhead
from Parmalat confirming the existence of the account for Bonlat. Bank of America
later stated that the confirmation was a forgery. Investigators believe that the
confirmation was forged with the use of scanners by Parmalat finance officers.
18 Information about Kmart’s confirmation fraud is from the SEC litigation case: Securities and Exchange Commission v. John Paul Orr, Michel J. Frank, Albert M. Abbood, Darrell J. Edoquist, David C. Kirkpatrick, David N. Bixler, Thomas L. Tayler and Randall M. Stone.
19 Information about Ahold’s confirmation fraud is from the SEC Press Release 2004-144.
Nature of Audit Procedures
Use of Sampling
Due to the large number of transactions occurring throughout the year, it is nearly impossible for
auditors to identify and verify each transaction. Therefore, to perform the audit efficiently and cost-
effectively, auditors usually use sampling techniques to limit the number of transactions and balances
selected for testing. According to the auditing standards (AU 350 Audit Sampling), audit sampling
refers to the selection and evaluation of less than 100% of the population of audit relevance such that
the auditor expects the items selected (the sample) to be representative of the population. However,
selective testing involves judgment regarding the areas to be tested and the nature, timing, and extent
of the tests to be performed. Even with good faith and integrity, mistakes and errors in judgment can
happen.
Moreover, sampling risk is the risk that the auditor's conclusion based on a sample may be different
from the conclusion reached if the entire population were subjected to the same audit procedure.
According to the auditing standards (AU 350 Audit Sampling), sampling risk can lead to two types of
erroneous conclusions:
1. Assessing Too High (Audit Efficiency): When the assessed control risk is higher than the actual
operating effectiveness of the control, the auditor will generally increase testing to
compensate for the perceived ineffectiveness of the control. Similarly, if the auditor initially
concludes that a material misstatement exists based on the sample when, in fact, it does not,
the performance of additional audit procedures will ordinarily lead the auditor to the correct
conclusion. While these situations affect audit efficiency since additional (and perhaps
unnecessary) audit procedures are performed, the audit is still effective as the correct
conclusions are generally reached.
2. Assessing Too Low (Audit Effectiveness): The assessed control risk is lower than the actual
operating effectiveness of the control which could lead to insufficient testing. Or the auditor
concludes that a material misstatement does not exist based on the sample when, in fact, it
does. This type of erroneous conclusion is more damaging than the first type because it affects
audit effectiveness and is more likely to lead to an inappropriate audit opinion.
There is always a probability that a fraudulent transaction is not included in the auditor’s sample and
therefore remains undetected. Thus, testing of less than 100% of a population always increases the
risk that a misstatement will not be detected.
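As an added illustration of the sampling risk described above (example code written for this section, not from the course or from AU 350), the following Python computes, for a constructed population, the exact probability that a simple random sample of a given size includes at least one of the fraudulent items, and the smallest sample size that reaches a target detection probability. It assumes simple random selection without replacement; stratified or risk-based selection, which auditors also use, is not modelled.

```python
"""Added example: quantifying sampling risk for a fraud-detection test.

Illustrative code written for this section, not from the course or any
audit tool. It models the simplest case: a simple random sample of n items
drawn without replacement from a population of N items, k of which are
fraudulent. The chance the sample contains none of them is hypergeometric:
P(miss) = C(N-k, n) / C(N, n). Exact fractions are used so the results do
not depend on floating-point rounding.
"""
from fractions import Fraction
from math import comb


def miss_probability(population: int, fraudulent: int, sample: int) -> Fraction:
    """Exact probability that the sample contains no fraudulent item."""
    if not (0 <= fraudulent <= population and 0 <= sample <= population):
        raise ValueError("need 0 <= fraudulent <= population and 0 <= sample <= population")
    if sample > population - fraudulent:
        # More items are drawn than there are clean ones, so at least one
        # fraudulent item is necessarily selected.
        return Fraction(0)
    return Fraction(comb(population - fraudulent, sample), comb(population, sample))


def detection_probability(population: int, fraudulent: int, sample: int) -> Fraction:
    """Exact probability that at least one fraudulent item is selected."""
    return 1 - miss_probability(population, fraudulent, sample)


def sample_size_for_detection(population: int, fraudulent: int, target_percent: int) -> int:
    """Smallest sample size whose chance of selecting at least one of the
    `fraudulent` items is at least `target_percent` percent."""
    target = Fraction(target_percent, 100)
    for n in range(population + 1):
        if detection_probability(population, fraudulent, n) >= target:
            return n
    return population  # testing everything always detects


if __name__ == "__main__":
    # Constructed scenario: 1,000 transactions, a handful of them fraudulent.
    N = 1000
    for k in (1, 5, 20):
        for n in (25, 60, 100):
            p = detection_probability(N, k, n)
            print(f"N={N} fraudulent={k} sample={n}: P(at least one selected)={float(p):.3f}")
    print("sample needed for a 95% chance of selecting a single fraudulent item:",
          sample_size_for_detection(N, 1, 95))
```

With 1,000 items and a single fraudulent transaction, a sample of 100 leaves a 90% chance that the fraudulent item is never selected, and reaching a 95% chance of selecting it requires examining 950 items. Detection improves only as the number of fraudulent items grows, which is why random sampling alone gives little assurance against a single carefully placed fraudulent transaction.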
Risk of Fraud
Double-entry accounting allows companies to maintain a complete record of all business transactions
over any given period of time. However, it is still vulnerable to fraud. There is a close association
between financial statement frauds and corporate failures and collapses. Financial statement fraud
(“cooking the books”) is a scheme in which individuals deliberately carry out any of the following acts
in order to create a rosy picture of the company's financial position, performance, and cash flows:
1. Altering documents (e.g. records, terms) to manipulate outcomes or hide unusual transactions
2. Creating fictitious transactions and false journal entries to manipulate operating results
3. Deliberately applying biased assumptions and judgments to estimate accounting balances
4. Making unsupported adjustments to amounts reported in the financial statements
5. Misapplying accounting principles relating to classification and presentation, or disclosure
For example, Enron used the following accounting gimmicks to create a rosy picture of its financial
performance:
• Failure to properly record and disclose investments in special purpose entities (SPEs),
contingent liability for SPEs’ debt, and the SPEs’ dealings with them
• Improper recognition of revenue that increased its reported net income
• Inadequate disclosure of and accounting for related-party transactions
• Incorrect accounting for its own stock that was issued to and held by SPEs
There is always the possibility that management or others may not provide, intentionally or
unintentionally, accurate and complete information, including information that has been requested
by the auditor. Since fraud often involves sophisticated and carefully organized schemes designed to
conceal it, audit procedures used to gather audit evidence may not detect an intentional misstatement
that involves, for example, management override and collusion to falsify documentation as discussed
in “Reliability of Audit Evidence”.
Real-World Case: Touting Bogus Revenues
The following case is extracted from the SEC Press Release 2017-62 and SEC litigation case: Securities
and Exchange Commission vs. Notis Global, Inc. (f/k/a Medbox, Inc.), Vincent Mehdizadeh, Bruce
Bedrick, Yocelin Legaspi, and New-Age Investment Consulting, Inc.
The SEC charged a California-based company and its founder with falsely touting “record” revenue
numbers to investors and claiming to be a leader in the marijuana industry while some of its earnings
came from sham transactions with a secret affiliate.
Medbox was a self-described leader in the marijuana consulting industry. It provided marijuana
consulting services and claimed to sell vending machines known as “Medbox” devices capable of
dispensing marijuana on the basis of biometric identification. Vincent Mehdizadeh was Medbox’s
founder, COO, and majority shareholder.
Mehdizadeh executed the scheme in a series of actions. He created a shell company called New-Age
Investment Consulting to carry out illegal stock sales and used the proceeds from those sales to boost
Medbox’s revenue. He transferred 226,000 Medbox shares under his control to New-Age. Then, he
drafted bogus documentation to paper up the transaction and create the false appearance that New-
Age had paid or provided services valued at $552,000. In truth, New-Age had paid nothing for those
shares. He allegedly issued press releases headlining the phony revenues as record earnings to
legitimize itself as a viable commercial operation when in fact nearly 90% of the company’s revenue
in the first quarter of 2014 stemmed from sham transactions with New-Age.
Specifically, Mehdizadeh misled Medbox’s auditor in connection with his 2012, 2013 and first quarter
2014 audit or quarterly review work when he signed January and March 2014 management
representation letters falsely representing that:
• Medbox’s financial statements were fairly presented in conformity with GAAP;
• There were no material transactions that had not been properly recorded in the books and records
underlying the financial statements;
• He had no knowledge of any fraud or suspected fraud involving Medbox’s management that would
have a material effect on the company’s financial statements; and
• Related-party transactions and related accounts receivable or payable had been properly recorded
or disclosed in the financial statements.
Mehdizadeh knew that the foregoing statements and omissions to Medbox’s auditors were false and
did not make those false statements and omissions through ignorance, mistake, or accident.
Mehdizadeh allegedly acknowledged in a text message that “the only thing we are really good at is
public company publicity and stock awareness. We get an A+ for creating revenue off sheer will but
that won’t continue.”
The SEC charged Medbox and Mehdizadeh with falsely touting “record” revenue numbers to investors
and claiming to be a leader in the marijuana industry while some of its earnings came from sham
transactions with a secret affiliate. Mehdizadeh agreed to pay more than $12 million in disgorgement
and penalties and agreed to be barred from serving as an officer or director of a public company or
participating in any penny stock offerings.
Timeliness of Financial Reporting
The audit function usually occurs after weeks, months and even quarters of the year have passed. The
relevance of information and its value tends to weaken over time. Thus, the auditor’s ability to
definitively validate and confirm the transactions becomes a borderline untenable effort. Moreover,
because there is a balance between the reliability of information and its cost, the users of financial
statements expect that auditors form an opinion within a reasonable period of time for reasonable
costs.
Erosion of Confidence: Audit Deficiencies
As discussed, an independent audit of financial information is required to give users (e.g. investors,
creditors) confidence that the information can be trusted. In other words, investors can only trust
financial markets if they trust their auditors, and in particular the auditors’ assessment of the company’s
financial condition.
As a result of a series of financial reporting scandals, the U.S. public lost some of its trust in auditing
and financial reporting. For example, the collapse of the energy trading firm Enron focused attention
on the issue of auditor independence. Enron’s external auditor, Arthur Andersen, was paid $27 million
for non-audit services and $25 million for audit work from Enron. The quality of Arthur Andersen’s
audit work for Enron was impaired by conflicts of interest between fulfilling its professional
responsibilities and keeping its largest client by agreeing with Enron’s management. Arthur Andersen
was indicted on one count of obstruction of justice after an investigation found that Andersen had
shredded working papers related to the Enron case.
Arthur Andersen was also the external auditor of WorldCom (now MCI). In 2002, WorldCom incorrectly
recorded certain operating expenses as capital expenditures, effectively overstating net income. It
admitted the total amount by which it had misled investors over the previous 10 years was almost $75
billion. The scandal is one of the largest scandals in the history of the U.S. Finally, the former chief
executive and the former chief financial officer of Tyco stole more than $150 million through a series
of unethical business practices involving stock fraud, unauthorized bonuses and falsified expense
accounts. PwC was the external auditor of Tyco.
The U.S. Congress responded to declining public confidence and the failure of the auditing profession
to prevent or detect fraudulent behavior (e.g. Enron, WorldCom) by passing the Sarbanes-Oxley Act,
aimed at enhancing accountability for both management and auditors. The Sarbanes-Oxley Act and
the creation of the Public Company Accounting Oversight Board (PCAOB) ended the era of self-
regulation by the audit profession.
Public accounting firms must register with the PCAOB and be subject to inspection every three years
(one year for large firms) and must adopt quality control standards. Inspections are designed to
identify whether there are deficiencies in how the accounting firm performs public company audits
and whether there are weaknesses in its quality controls over public company auditing.20 Violations of
the PCAOB’s rules are deemed to be violations of the Securities Exchange Act of 1934 and are subject
to the same penalties.
The law increased both the cost of an audit and audit quality. Whether this occurred in a linear
relationship remains in question. After more than a decade of inspections, the PCAOB should have
enhanced audit quality and decreased audit deficiency rates. A deficiency, in this context, is a finding
of such significance that the auditor had not obtained sufficient appropriate audit evidence to support
its opinion. However, the audit deficiency rate of the Big 4 public accounting firms does not reflect the
expected improvement. According to the recent PCAOB annual inspection results,21 the Big 4 had an
average overall audit deficiency rate of 31% in 2017. That is, one out of every three audits is not
performed properly by the largest public accounting firms. KPMG’s deficiency rate has increased every
year since 2009.
20 Information about objectives of an inspection is from “A Guide to PCAOB Inspections”, Center for Audit Quality.
Lesson Note: It is important to know that the PCAOB takes a risk-based, directed sample approach
targeting several significant risk factors. Thus, the high average deficiency rate can be partially
attributed to the difficult nature of the inspected audits, such as fair value of financial instruments and
revenue recognition.
21 Data on statistics about the PCAOB’s annual inspection are from the Public Company Accounting Oversight Board - Firm Inspection Reports, with values as accessed on November 14, 2019.
The PCAOB Annual Inspection: Audit Deficiency Rate
Firm 2015 2016 2017
Deloitte 24% 24% 20%
E&Y 29% 27% 31%
KPMG 38% 49% 50%
PwC 22% 20% 24%
Real-World Case: Significant Audit Failures
KPMG
The following case is extracted from the SEC Press Release 2017-142.
KPMG has agreed to pay more than $6.2 million to settle charges that it failed to properly audit the
financial statements of an oil and gas company, resulting in investors being misinformed about the
energy company’s value.
In 2011, KPMG was hired as the outside auditor for Miller Energy Resources and issued an unqualified
audit report despite the fact that its key oil and gas assets were grossly overstated. KPMG and the
engagement partner John Riordan:
• Failed to properly assess the risks associated with accepting Miller Energy as a client; and
• Failed to properly staff the audit, which overlooked the overvaluation of certain oil and gas
interests that the company had purchased in Alaska the previous year.
Among other audit failures, KPMG and Riordan did not adequately consider and address facts known
to them that should have raised serious doubts about the company’s valuation, and they failed to
detect that certain fixed assets were double-counted in the company’s valuation.
“Auditing firms must fully comprehend the industries of their clients. KPMG retained a new client and
failed to grasp how it valued oil and gas properties, resulting in investors being misinformed that
properties purchased for less than $5 million were worth a half-billion dollars,” said Walter E. Jospin,
Director of the SEC’s Atlanta Regional Office.
Crowe LLP
The following case is extracted from the SEC Press Release 2018-302.
The SEC filed settled charges against national audit firm Crowe LLP, two of its partners, and two
partners of a now-defunct audit firm for their significant failures in audits of Corporate Resource
Services Inc., which went bankrupt in 2015 after the discovery of approximately $100 million in
unpaid federal payroll tax liabilities.
The SEC's order against Crowe finds that its audit team identified pervasive fraud risks in connection
with its 2013 audit of Corporate Resource Services yet:
• Failed to include procedures designed to detect the company's undisclosed payroll tax obligations;
• Failed to properly identify and audit the company's related-party transactions;
• Failed to obtain sufficient appropriate audit evidence to respond to these fraud risks, support
recognition of revenue, and otherwise support the audit opinion;
• Failed to evaluate substantial doubt about the company's ability to continue as a going concern;
and
• Failed to conduct a proper engagement quality review.
Crowe's engagement partner, Joseph C. Macina, and engagement quality reviewer, Kevin V. Wydra,
caused Crowe’s audit failures. In addition, Crowe was not independent as a result of an ongoing direct
business relationship with Corporate Resource Services. The audit deficiencies occurred despite the
involvement of Crowe's national office, which was aware of the high-risk nature of the engagement
and the inability to obtain appropriate evidence.
A related order finds that Mitchell J. Rubin and Michael Bernstein, former partners at Rosen, Seymour,
Shapps, Martin & Co., LLP, engaged in fraud and performed a highly deficient audit of Corporate
Resource Services' 2012 financial statements, which amounted to no audit at all, and that Bernstein
caused the firm to lack the required independence when he failed to comply with partner rotation
requirements.
"The audit standards are designed to ensure that public accounting firms have reasonable procedures
to identify and respond to illegality and issues that pose material risks to the integrity of an issuer's
financial statements," said Anita B. Bandy, Associate Director in the Division of Enforcement. "As set
out in our order, the pervasive audit failures of Crowe and these accountants left investors with a
misleading picture of Corporate Resource Services' financial condition."
The SEC's orders find that:
1. Crowe violated the audit requirement and accountant reporting provisions of the federal
securities laws and that Macina and Wydra caused those violations.
2. Rubin and Bernstein violated the antifraud provisions and caused violations of the audit
requirement and accountant reporting provisions of the federal securities laws.
3. Crowe, Macina, Wydra, Rubin, and Bernstein caused Corporate Resource Services to violate the
issuer reporting provisions of the federal securities laws.
4. Crowe, Macina, Wydra, Rubin, and Bernstein engaged in improper professional conduct.
The Potential Impact on the Accounting and Auditing Professions
Blockchain technology has the potential to impact all record-keeping processes, including the way
transactions are processed, authorized, recorded and reported. For example, the application of smart
contracts allows financial transactions to be executed automatically. The tamper-proof nature of the
technology reduces the need for manual reconciliations. Moreover, methods for obtaining sufficient
appropriate audit evidence will be improved. This section addresses how blockchain technology could
potentially revolutionize industries.
Enhancement of Book-Keeping Systems
Simplifying Reconciliation
In a market with many transacting parties, each company generally manages multiple vendors and
business partners and must reconcile multiple documents to validate and confirm the authenticity and
accuracy of its transactions. Average transaction costs, including reconciliation, can run into
thousands of dollars, especially for large organizations. Reconciliation involves comparing the
company’s records to the records or systems of other institutions and vendors to ensure they match
before issuing payments. When differences are identified, they need to be researched which could
lead to manual corrections and additional approvals before payments can be processed. Therefore,
the reconciliation within and among the various parties or accounts can be very time-consuming.
As explained in “Triple-Entry Accounting”, the third, independent entry allows both parties to
record transactions through a system of consensus and validation. That is, the book-keeping
entries of both parties are corresponding, consistent, and matched because the universal ledger is
shared identically and permanently with every participant. The permanent record reduces the chances
for fraud, making records more trustworthy and reducing the need for separate reconciliation
efforts.
Improving the Financial Reporting Process
Because all transactions and entries can be logged, viewed, and monitored by all participants in the
ledger in real time on blockchain, it is highly unlikely that transactions would be manipulated. The
time-delay between entry posting and review could be significantly reduced. Thus, material
misstatements, omissions and duplication of transactions, and accounting errors or irregularities could
be promptly identified and corrected as they occur or could be prevented. For instance, employees
will find it very difficult to tamper with payment records since transactions are time-stamped and
verified by a distributed network of computers. As the risk of fraud decreases, the trustworthiness of
financial information increases, which could increase trust with stakeholders (e.g. auditors,
shareholders).
Moreover, in the unpredictable and rapidly changing business world, companies are overwhelmed
with information from an array of sources and pressure from regulatory requirements. For example,
the complexity of international business activities, increased legal demands, and shorter SEC deadlines
intensify the level of stress within the accounting department. As a result, closing the books has
become a very error-prone process. Regardless of company size or complexity, the financial close
process requires tremendous time and resources for most companies. Most companies spend at least
one week to gather the numbers and at least one week to analyze the results. For instance, the closing
periods range from one day for a small accounting department to 24 days for the large companies.
The following table lists examples of how blockchain improves accounting processes.
Process: Reconciliation of Accounts
Pre-Blockchain: Time-consuming process of obtaining both internal and external documentation and
manually comparing two sets of data
Blockchain-Enabled Accounting: Streamlined process; all information is on blockchain and approved by
the organization and counterparties in real-time

Process: Preparation of Internal Ad Hoc Reports
Pre-Blockchain: Majority of time spent verifying that information is correct and matches other sources
within the organization
Blockchain-Enabled Accounting: Less time spent verifying; transactional information is available to any
members of the network and more time can be spent on advice and advisory activities

Process: Closing of Books at Month, Quarter, and Year-End
Pre-Blockchain: Occupies a large amount of internal accounting time to 1) get the necessary information
to close the books and 2) run reports to ensure entries and information are posted correctly
Blockchain-Enabled Accounting: Possible to imagine scenarios where financial statements, fed from the
blockchain, are updated every day, making periodic closes a routine and less painful process
Source: The CPA Journal, “Blockchain Basics and Hands-on Guidance,” accessed on November 22, 2019.
Transformation of Auditing Practices
Although auditing procedures have improved, redundancies and inefficiencies still exist. Confirmation,
re-performance, and review of documents can be burdensome, manually intensive tasks. As explained
in “Inherent Limitations of Financial Audits”, these procedures are usually costly, consume a lot of
resources and do not guarantee that there are no discrepancies in the accounting information.
Combined with external verifications and multiple reporting requirements, audit procedures often
result in duplications of effort and wasted time. Moreover, there are inherent weaknesses in the use
of sampling techniques (e.g. insufficient sample size, sample inadequacy) as discussed earlier. This
section explains how blockchain could fundamentally change the auditing process.
Financial Audits
Reliability of Data
Several features of blockchain technology allow auditors to automate audit processes of mainly
transaction-based accounts in income statements. For example, blockchain allows users to record
transactions or any digital interaction among a network in a secure, transparent, and auditable way.
When a company pays an outstanding invoice, the invoice is validated and approved by the consensus
mechanism. Then, the invoice is recorded as paid and the information is broadcast to the blockchain
network. Any manipulation, such as altering the history of transactions, will break the chain and alert
all parties on the network to the anomaly in real-time. This technology makes it difficult to tamper with
transaction records and easier to investigate violations. Thus, immediate detection of fraudulent
activities becomes possible.
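To make the chain-breaking behaviour concrete, here is an added Python example (written for this edit, not code from the course or from any project it cites). It builds a small hash-chained ledger from constructed invoice payments, then shows what a verifier holding a copy sees when a historical entry is edited, both without and with recomputing that block's own hash. The function names build_chain, verify_chain and tamper, and the sample entries, are this example's own assumptions.

```python
"""Added example (not from the course or any project it cites): a minimal
hash-chained ledger showing why altering a historical entry breaks the chain
and how a participant holding a copy detects it.  The entries are constructed
sample data, not real transactions."""
import hashlib
import json
from dataclasses import dataclass, replace

GENESIS_PREV = "0" * 64  # the first block links to an all-zero "previous" hash


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str
    entry: dict  # one accounting entry, e.g. an invoice payment (constructed)
    hash: str    # SHA-256 over (index, prev_hash, entry)


def _digest(index: int, prev_hash: str, entry: dict) -> str:
    # Canonical JSON so every participant hashes exactly the same bytes.
    payload = json.dumps(
        {"index": index, "prev_hash": prev_hash, "entry": entry},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


def build_chain(entries: list) -> list:
    """Append each entry as a block whose hash commits to the previous block."""
    blocks, prev = [], GENESIS_PREV
    for i, entry in enumerate(entries):
        h = _digest(i, prev, entry)
        blocks.append(Block(i, prev, entry, h))
        prev = h
    return blocks


def verify_chain(blocks: list) -> tuple:
    """Return (True, None) if every link holds, else (False, first bad index)."""
    prev = GENESIS_PREV
    for b in blocks:
        if b.prev_hash != prev or b.hash != _digest(b.index, b.prev_hash, b.entry):
            return False, b.index
        prev = b.hash
    return True, None


def tamper(blocks: list, idx: int, new_entry: dict, rehash: bool) -> tuple:
    """Replace block idx's entry in a copy of the chain and re-verify.

    rehash=False models a plain edit of stored data; rehash=True models an
    edit that also recomputes that block's own hash but leaves the blocks
    after it untouched.
    """
    altered = list(blocks)
    b = blocks[idx]
    new_hash = _digest(b.index, b.prev_hash, new_entry) if rehash else b.hash
    altered[idx] = replace(b, entry=new_entry, hash=new_hash)
    return verify_chain(altered)


# Constructed sample ledger: three invoice payments.
SAMPLE_ENTRIES = [
    {"ref": "INV-1001", "payee": "ACME Supply", "amount": "1250.00"},
    {"ref": "INV-1002", "payee": "Globex Ltd", "amount": "980.50"},
    {"ref": "INV-1003", "payee": "Initech", "amount": "4300.00"},
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_ENTRIES)
    print("intact:             ", verify_chain(chain))
    edited = dict(SAMPLE_ENTRIES[1], amount="98.50")
    print("edit without rehash:", tamper(chain, 1, edited, rehash=False))
    print("edit with rehash:   ", tamper(chain, 1, edited, rehash=True))
```

Two points the run makes. Editing block 1 without recomputing its hash fails verification at block 1; recomputing it moves the failure to block 2, whose prev_hash no longer matches, so every later block would have to be rewritten as well. The newest block, however, can be rewritten consistently in a single local copy, so detection in practice depends on comparing against the copies other participants hold (or on the network's consensus rules), not on the hash chain alone.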
Audit Methodology
Currently, trial balances, journal entries, sub-ledger extracts, account reconciliations and supporting
spreadsheet files are provided to an auditor in a variety of electronic and manual formats. In a
blockchain world, auditors can have read-only access to automatically verify and validate transactions
on a company’s ledger for reporting or other regulatory purposes. This technology offers an
opportunity to streamline audit processes and makes it feasible to conduct continuous auditing
because of real-time access to transaction records.
Source: IBSIX, “Blockchain Technology and It’s Potential to Disrupt Accounting”, accessed on December 4, 2019.
In addition, supporting documentation, such as invoices, contracts, and purchase orders, is
encrypted and securely stored on or linked to a blockchain. Since all entries are instantly visible and nearly
impossible to alter, confirmation of the existence or accuracy of transactions becomes less necessary.
Blockchain may replace random sampling by auditors, by making it easier and more effective to:
✓ Test 100% of all transactions by using code
✓ Generate an exception report identifying any discrepancies or inconsistencies
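As an added example of the "100% of transactions" approach (and of the account reconciliation described under "Simplifying Reconciliation"), the following Python script is written for this edit and is not from the course or any project it cites. It compares a constructed internal accounts payable sub-ledger against constructed settlement records read from a shared ledger and emits an exception report listing duplicate postings, amount mismatches, and entries present on only one side. The data, field names, and function names (reconcile, exception_report) are assumptions made for the example.

```python
"""Added example (not from the course): full-population testing of an internal
accounts payable sub-ledger against settlement records read from a shared
ledger, producing an exception report instead of a sample.  Both data sets
are constructed for the example."""
from collections import Counter
from decimal import Decimal

# Constructed internal sub-ledger postings.
SUBLEDGER = [
    {"ref": "INV-1001", "vendor": "ACME Supply", "amount": Decimal("1250.00")},
    {"ref": "INV-1002", "vendor": "ACME Supply", "amount": Decimal("980.50")},
    {"ref": "INV-1003", "vendor": "Globex Ltd", "amount": Decimal("4300.00")},
    {"ref": "INV-1003", "vendor": "Globex Ltd", "amount": Decimal("4300.00")},  # posted twice
    {"ref": "INV-1004", "vendor": "Initech", "amount": Decimal("760.00")},
]

# Constructed settlement records as read from the shared ledger (one per ref).
LEDGER = [
    {"ref": "INV-1001", "counterparty": "ACME Supply", "amount": Decimal("1250.00")},
    {"ref": "INV-1002", "counterparty": "ACME Supply", "amount": Decimal("890.50")},  # digits transposed
    {"ref": "INV-1003", "counterparty": "Globex Ltd", "amount": Decimal("4300.00")},
    {"ref": "INV-1005", "counterparty": "Umbrella Corp", "amount": Decimal("150.00")},  # never posted internally
]


def reconcile(subledger: list, ledger: list) -> list:
    """Test every posting against every ledger record; return exceptions sorted by ref."""
    exceptions = []

    # 1. Duplicate internal postings of the same reference.
    for ref, n in Counter(p["ref"] for p in subledger).items():
        if n > 1:
            exceptions.append({"ref": ref, "type": "DUPLICATE_POSTING",
                               "detail": f"{n} internal postings"})

    internal = {p["ref"]: p for p in subledger}
    settled = {r["ref"]: r for r in ledger}

    # 2. Present on one side only.
    for ref in internal.keys() - settled.keys():
        exceptions.append({"ref": ref, "type": "NOT_ON_LEDGER",
                           "detail": "no settlement record"})
    for ref in settled.keys() - internal.keys():
        exceptions.append({"ref": ref, "type": "NOT_IN_SUBLEDGER",
                           "detail": "settled but never posted"})

    # 3. Present on both sides: amounts and counterparties must agree exactly.
    for ref in internal.keys() & settled.keys():
        a, b = internal[ref]["amount"], settled[ref]["amount"]
        if a != b:
            exceptions.append({"ref": ref, "type": "AMOUNT_MISMATCH",
                               "detail": f"internal {a} vs ledger {b}"})
        elif internal[ref]["vendor"] != settled[ref]["counterparty"]:
            exceptions.append({"ref": ref, "type": "COUNTERPARTY_MISMATCH",
                               "detail": f"{internal[ref]['vendor']} vs {settled[ref]['counterparty']}"})

    return sorted(exceptions, key=lambda e: (e["ref"], e["type"]))


def exception_report(exceptions: list) -> str:
    """Render the exceptions as the plain-text report an auditor would review."""
    lines = [f"{len(exceptions)} exception(s) found"]
    for e in exceptions:
        lines.append(f"{e['ref']:<10} {e['type']:<22} {e['detail']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(exception_report(reconcile(SUBLEDGER, LEDGER)))
```

Amounts are held as Decimal rather than float so that a comparison is exact to the cent; with floats a transposition like 980.50 versus 890.50 would still be caught, but rounding artefacts could produce false exceptions on legitimate entries. Because every record is compared, there is no sampling risk in this step; what remains is the judgment about whether each exception is an error, a timing difference, or a fraud indicator.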
In general, blockchain-enabled digitization, such as smart contracts, enables auditors to deploy more
automation, analytics, and machine-learning capabilities. For example, not only could any unusual
activities be detected but also relevant parties could be automatically notified of the occurrence on a
real-time basis. The technology allows auditors to focus on transactions that cannot be automatically
verified and also reduces the time necessary to complete the audit work and audit costs by allowing
auditors to spend more time exercising their professional judgment. The following table summarizes
how blockchain technology improves audit productivity.
Audit Procedure: Observation
Traditional Method: Observe the performance of control activities (e.g. counting inventory)
Blockchain-Enabled Audit: Use blockchains or process mining to verify workflows

Audit Procedure: Inquiry
Traditional Method: Seek information through informal inquiries and formal written responses
Blockchain-Enabled Audit: Monitor processes and controls, identify process violators for examination

Audit Procedure: Confirmation
Traditional Method: Verify account balances with external parties
Blockchain-Enabled Audit: Link data streams using blockchain applications

Audit Procedure: Inspection of records or documents
Traditional Method: Pull samples of records and trace/verify/match
Blockchain-Enabled Audit: Evaluate entire datasets in Enterprise Resource Planning (ERP) using blockchain

Audit Procedure: Inspection of tangible assets
Traditional Method: Physical inventory, walk-through
Blockchain-Enabled Audit: RFID tagging

Audit Procedure: Recalculation
Traditional Method: Extract and recalculate figures to verify
Blockchain-Enabled Audit: Monitor all data and run calculations automatically at intervals desired

Audit Procedure: Re-performance
Traditional Method: Re-perform procedures to verify
Blockchain-Enabled Audit: Automatically replicate all transactions and identify exceptions

Audit Procedure: Analytical procedures
Traditional Method: Scanning and statistics
Blockchain-Enabled Audit: Filter real-time data with continuity equations and statistics
Source: The audit procedures comparison of traditional manual procedures and blockchain-enabled audit is
modified based on Appelbaum and Nehmer from the CPA Journal, “Blockchain Basics and Hands-on Guidance,”
accessed on November 22, 2019.
Appendix B summarizes blockchains’ impact on auditing practices.
Application of Professional Judgment
As explained, when companies move to a blockchain infrastructure, an immutable audit trail is
created. Because that immutability makes altering or omitting accounting data extremely
difficult, blockchain is expected to reduce reliance on auditing for testing financial transactions and
to eliminate certain auditing procedures. However, blockchain can never replace audits. For instance,
auditors will still need to apply professional judgment and perform audit procedures on accounting
estimates, assumptions and other judgments made by management, even if the underlying
transactions are recorded in a blockchain. Examples of common accounting estimates or judgments
include:
• Expected lives and salvage values of long-term assets
• Warranty claims
• Obligations for pension benefits
• Losses from bad debts and asset impairments
Risks and Controls of Crypto Transactions
Since major cryptocurrencies use transparent public blockchains, understanding the nature of
cryptocurrency is crucial to being able to evaluate the risk implications. Although each of these
cryptocurrencies has its own unique characteristics, most cryptocurrencies have the following
characteristics:
• Supply and demand is the key determinant of cryptocurrency prices; no single party
(government or otherwise) regulates its use
• The value can change by the hour (high volatility). For example, an investment that may be
worth thousands of U.S. dollars today might be worth only hundreds tomorrow.
• The system is not operated by a central authority (it is not centrally controlled); its state is
maintained through distributed consensus
• Transactions and balances are recorded on a distributed digital ledger (blockchain)
• Transfers can be done with minimal processing fees without the need for a trusted third-party,
allowing users to avoid the steep fees charged by traditional financial institutions
• Transactions are irreversible; once the participant provides confirmation, the transaction is
initiated and no one is able to stop that transaction
• The personal data security is enabled by public-private key cryptography
• Ownership of cryptocurrency units can be proved exclusively cryptographically
• The use of cryptography provides a mechanism for securely encoding the rules of a
cryptocurrency system (e.g. prevents “double-spending”, resists counterfeiting)
While blockchain and other systems could ultimately make authenticating and verifying a transaction
more automated, ICFR involves considerations beyond the integrity of software systems. For example,
auditors must have an understanding of matters related to cryptocurrency, including its financial
reporting implications, and identify and assess risks of material misstatement in financial statements
related to cryptocurrency transactions and balances. Examples of conditions or events that may give
rise to a risk of material misstatement in cryptocurrency transactions and balances include22:
• The company does not have sufficient controls over cryptocurrency transactions.
• The cryptocurrency wallet (if applicable) has not been accounted for.
• The company loses a private key and can no longer access the related cryptocurrency.
• An unauthorized party gains access to the company’s private key and steals its cryptocurrency.
• The company misrepresents ownership of a private key and the related cryptocurrency.
• The company sends cryptocurrency to an incorrect address and it cannot be recovered.
• The company enters into and records a cryptocurrency transaction with a related party that
cannot be identified due to the potential anonymity of parties to blockchain transactions.
• There are significant delays in processing cryptocurrency transactions at the end of a period.
• Events or conditions make it difficult to determine the value at which a cryptocurrency should
be recorded for financial reporting purposes.
22 Examples of matters to consider when identifying and assessing risks of material misstatement in cryptocurrency are adapted from “Audit Considerations Related to Cryptocurrency Assets and Transactions”, Chartered Professional Accountants of Canada, 2018.
Thus, entities must have controls in place to mitigate the risks and safeguard cryptocurrency
transactions. Examples of internal controls include:
✓ Establish clear lines of responsibilities related to wallet creation and monitoring.
✓ Apply two-factor or multi-factor authentication for access to a wallet.
✓ Implement policies and procedures requiring private keys to be created and safeguarded in a
controlled environment. Private keys are always backed up. Backups might be located on
separate electronic devices or a paper wallet.
✓ Establish appropriate segregation of duties. For example, the individual who monitors
cryptocurrency assets should not be involved in initiating the cryptocurrency transactions.
✓ Implement policies and procedures requiring both a careful review of each address before
sending and the use of a checksum.
✓ Implement policies and procedures related to valuations of cryptocurrency for financial
reporting.
✓ Assign responsibilities within the entity for identifying, recording, summarizing, and disclosing
related-party transactions, including cryptocurrency transactions.
✓ Implement procedures to monitor cryptocurrency transactions in the days before and after
financial reporting dates to determine that transactions are recorded in the appropriate
period.
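The address checksum control above is concrete enough to show in code. The following Python example is added for this edit (not from the course or from any project it cites): it implements Base58Check, the checksum scheme used by classic Bitcoin addresses, using only SHA-256 from the standard library, and shows that a single mistyped character is rejected. The sample address is built from a constructed 20-byte payload and is not a real address; the function names (encode_check, decode_check, address_is_well_formed, mutate) are this example's own.

```python
"""Added example (not from the course): verifying the checksum embedded in a
Base58Check-encoded address so that a mistyped address is rejected before
funds are sent.  The sample address is constructed from a made-up payload."""
import hashlib

# Base58 alphabet: no 0, O, I or l, which are easy to confuse when transcribed.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58encode(data: bytes) -> str:
    n = int.from_bytes(data, "big")
    digits = []
    while n:
        n, rem = divmod(n, 58)
        digits.append(ALPHABET[rem])
    # Each leading zero byte is encoded as a leading '1'.
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + "".join(reversed(digits))


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def encode_check(payload: bytes) -> str:
    """Base58Check: encode payload || first 4 bytes of SHA256(SHA256(payload))."""
    return b58encode(payload + _sha256d(payload)[:4])


def decode_check(address: str):
    """Return the payload if the checksum holds, otherwise None."""
    try:
        raw = b58decode(address)
    except ValueError:
        return None
    if len(raw) < 5:
        return None
    payload, check = raw[:-4], raw[-4:]
    return payload if _sha256d(payload)[:4] == check else None


def address_is_well_formed(address: str) -> bool:
    """The pre-send check: reject anything whose checksum does not verify."""
    return decode_check(address) is not None


def mutate(address: str, pos: int) -> str:
    """Simulate a one-character typo by shifting the character at pos."""
    ch = address[pos]
    nxt = ALPHABET[(ALPHABET.index(ch) + 1) % len(ALPHABET)]
    return address[:pos] + nxt + address[pos + 1:]


# Constructed payload: version byte 0x00 followed by a made-up 20-byte hash.
SAMPLE_PAYLOAD = b"\x00" + hashlib.sha256(b"example payee key").digest()[:20]
SAMPLE_ADDRESS = encode_check(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print("sample address:", SAMPLE_ADDRESS, address_is_well_formed(SAMPLE_ADDRESS))
    typo = mutate(SAMPLE_ADDRESS, 10)
    print("with one typo: ", typo, address_is_well_formed(typo))
```

A checksum only catches transcription errors; it cannot tell that a well-formed address belongs to the wrong payee, which is why the control pairs it with a careful review of the address against an independent record. Address formats also differ across cryptocurrencies (bech32 and EIP-55 use different checksum rules), so the check applied must match the format actually in use.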
Finally, auditors need to address the following assertions associated with using blockchain technology,
which enables the existence of cryptocurrency:
Completeness, Presentation and Disclosure: All cryptocurrency transactions are captured and
appropriately reflected in the financial statements and footnotes.
Rights: Cryptocurrency is sent to a correct address.
Existence, Rights: Only authorized parties obtain access to the entity’s private key.
Accuracy, Completeness, and Disclosure: All cryptocurrency transactions with a related party can be
identified.
Valuation: All cryptocurrency transactions are measured at an appropriate value.
Cut-off: All cryptocurrency transactions at the end of a period are processed on a timely basis.
Considerations of Fraud and Error
“Blockchain does not magically make information contained within it inherently trustworthy. Events
recorded in the chain are not necessarily accurate and complete. Recording a transaction on a
blockchain does not alleviate the risk that the transaction is unauthorized, fraudulent, or illegal.”
PCAOB 2018 Speech: 43rd World Continuous Auditing & Reporting Symposium
The acceptance of a transaction to a blockchain may satisfy certain financial statement assertions such
as the occurrence of a transaction; however, this does not necessarily assure the legitimacy,
correctness or nature of the transaction or the reliability of a company’s financial reporting. For
instance, in a bitcoin transaction for a product, the auditor can easily verify that the transfer of bitcoin
is recorded on a blockchain. However, the auditor may or may not be able to determine that the
product was delivered by only evaluating information on a blockchain. According to the Chartered
Professional Accountants of Canada, a transaction recorded in a blockchain may still be:
• Unauthorized, fraudulent or illegal
• Executed between related parties
• Linked to a side agreement that is “off-chain” (e.g. a process or transaction external to the
distributed ledger)
• Incorrectly classified in the financial statements
There is always a need for auditors to identify the risk of inaccurate or fraudulent information, evaluate
controls, assess transactions for evidence of fraud or classification errors and opine on whether the
financial statements are fairly stated.
Real-World Case: The Mega-Hack of Bitcoin
Mt. Gox was one of the largest cryptocurrency exchanges in the world before it filed for bankruptcy in
2014. At its peak, about 70% of all bitcoin transactions were handled by Mt. Gox. There was
a series of attacks between 2011 and 2014. In 2011, unknown hackers allegedly used staff
credentials from a Mt. Gox auditor's compromised computer to:
• Artificially alter the nominal price of a bitcoin so that it fraudulently dropped to a single cent on the
Mt. Gox exchange
• Use the exchange's software to sell them all nominally, creating "ask" selling orders at the artificially
reduced price
• Illegally obtain the private keys (kept in hot wallets) of Mt. Gox clients and transfer an estimated
2,000 bitcoins from customer accounts on the exchange
On February 7, 2014, Mt. Gox halted all bitcoin withdrawals due to transaction malleability. Mt.Gox
issued a press release on February 10, 2014 stating that:
“A bug in the bitcoin software makes it possible for someone to use the Bitcoin network to alter
transaction details to make it seem like a sending of bitcoins to a bitcoin wallet did not occur when in
fact it did occur. Since the transaction appears as if it has not proceeded correctly, the bitcoins may be
resent.”
On February 24, 2014, Mt. Gox suspended all trading and then the website went offline. On February
28, 2014, Mt. Gox filed for bankruptcy protection in Tokyo. During the Tokyo press conference called to
announce the bankruptcy, Mark Karpelès, former CEO of Mt. Gox, stated:
"We had weaknesses in our system, and our bitcoins vanished. We've caused trouble and inconvenience
to many people, and I feel deeply sorry for what has happened."
About 750,000 of its customers’ bitcoins, as well as 100,000 of its own bitcoins, were stolen. The total
loss constituted around 7% of all bitcoins available, worth around $473 million near the time of the
filing.
The following excerpts are from Mark Karpelès’ first media interview, with the Wall Street Journal,
since the Tokyo press conference at which Mt. Gox filed for bankruptcy in February 2014:
Q: What were your mistakes?
A: Security. Not just security on the system, but in the office. We had some cases where a stranger
sneaked in and took things away. We also have at least one former employee stealing the company’s
data.
Q: What else did you do wrong?
A: Management. I was too busy and couldn’t lay out an adequate corporate structure. I wish I had five
of me, as I was too busy with meetings with banks, lawyers and business partners. That was all painful,
I wish I had more time to do engineer-type of work.
Q: Why didn’t you hire experienced professionals?
A: We tried, but we didn’t have money and also often they turned us down. A former Financial Services
Agency bureaucrat approached us once last year, but he declined our offer at the end.
Q: When did you find out that the bitcoins were gone, and how did you feel about it?
A: A few days before we filed for bankruptcy. And we learned as we checked our storage when repairing
the system to deal with malleability attacks. I always worried about ‘What if all the bitcoins were
gone?’ Since that actually happened, I have gone through many sleepless nights. Scared, frustrated
and angry; so many emotions were occupying my mind.
In March 2019, the Tokyo District Court found Mark Karpelès guilty of falsifying electronic records to
inflate Mt. Gox's holdings by $33.5 million, but not guilty on charges of embezzlement and breach of
trust. He was sentenced to two and a half years, suspended for four years.
New Role of the Auditor
Because of blockchain’s potential to significantly shift the audit model, an evolving role for the auditor
is inevitable. There is always the risk of unidentified errors or vulnerabilities. For example, a blockchain
may not operate as intended because of coding errors introduced during development, or because of
changes (intentional or unintentional) made after the blockchain is deployed. Therefore, auditors need
experience not only in accounting and auditing but also in coding and data analytics. They should also
have a strong skill set, including understanding technical language, the functions of a blockchain, and
key IT control domains around development, security, change management and operations.
According to KPMG, blockchain solutions and their implementations pose risks and opportunities
(audit areas) which include the following:
Framework Module: Key Ownership and Management
Risk Areas:
• Accidental loss of stored cryptographic keys resulting in inability to claim asset ownership
• Inability to change cryptographic private keys shared with other participants for legitimate
business needs
• Unsecure or unencrypted storage, transmission and use of cryptographic private keys
Audit Areas:
✓ Key generation and decommissioning
✓ Key maintenance and governance
✓ Logging and auditing of key usage
✓ Key management infrastructure
✓ Key traceability and version control
✓ Hash algorithm management.

Framework Module: Interoperability and Integration
Risk Areas:
• Misinterpretation or misuse of data sent by disparate blockchain platforms
• Security issues of Application Program Interface (API) used for integrating blockchain platform
with enterprise system
• Data quality and legacy issues when interfacing with legacy systems.
Audit Areas:
✓ Interface/API documentation review
✓ Data mapping and integration
✓ Data validation checks and rules
✓ Intermediary platform and protocols
✓ Interoperability connectors and plugins
✓ Secure interfaces and API review.

Framework Module: Consensus Mechanism
Risk Areas:
• Uncontrolled changes, majority hash rate attack or hijack by a coalition of dishonest
counterparties
• Inconsistencies due to forking issue creating two versions of groups and ledgers
• Inaccurate timestamps when connecting to a node to alter a node’s network time counter.
Audit Areas:
✓ Consensus protocol design
✓ Consensus change control procedure
✓ Review of consensus rules
✓ Transaction log and audit trail
✓ Consensus override handling
✓ Consensus hijack monitoring.

Framework Module: Heterogeneous Regulatory Compliance
Risk Areas:
• Unencrypted Personally Identifiable Information (PII), Patient Health Information (PHI) or
Financial data published in global transactions
• Differing privacy, regulatory and compliance requirements for cross-border data flow
• Inability to remove or change sensitive or confidential data impacting ‘right to be forgotten’
principle.
Audit Areas:
✓ Country specific laws
✓ Industry regulatory compliance
✓ Cross-border privacy regulations
✓ Platform compliance standards
✓ Data sensitivity in transaction blocks
✓ Data classification standards.

Framework Module: Access and Permissions Management
Risk Areas:
• Corporate data stored on blockchain is discoverable without explicit authorization
• Privilege escalation through confused deputy problem to misuse the authority
• Misconfigured restrictions and insecure deserialization by authorized user on permissioned
blockchain.
Audit Areas:
✓ Group and user permissions
✓ Roles and level of access
✓ Discretionary access control
✓ Enrollment and termination procedures
✓ Segregation of duties and conflict of permissions.

Framework Module: Infrastructure and Application Management
Risk Areas:
• Inconsistent development and unsecure coding practices for blockchain platform and application
• Lack of Software Development Life cycle (SDL) processes, adequate testing, and documentation
• Security vulnerabilities related to development, configuration, implementation, and deployment.
Audit Areas:
✓ Software development life cycle
✓ Platform and application documentation
✓ Secure coding principles and development practices
✓ Bug tracking and application patching
✓ Cybersecurity testing.

Framework Module: Network and Nodes Governance
Risk Areas:
• Lack of intermediary or governing body to settle and resolve asset, identity or transaction
disputes
• Network centralization, collusion, spam and unauthorized controlling of network operations
• Unclear accountability of blockchain functioning, information protection, transaction validations.
Audit Areas:
✓ Governance and dispute resolution
✓ Network compliance and node reputation checks
✓ Single point of failure analysis
✓ Network monitoring and spam analysis
✓ Data leakage prevention mechanism.
Source: KPMG, “Auditing blockchain solutions”, 2019.
Review Questions - Section 4
1. According to the Association of Certified Fraud Examiners (ACFE), what is the most common
concealment method?
A. Altered electronic documents or files
B. Created fraudulent journal entries
C. Destroyed physical documents
D. Created fraudulent physical documents
2. All of the following are the inherent limitations of an audit EXCEPT:
A. Reliability of audit evidence
B. Timeliness of financial reporting
C. Use of sampling techniques
D. Control design deficiency
3. Confirmation is most likely to be a relevant form of evidence with regard to assertions about
accounts receivables when the auditor is primarily concerned about which of the following
assertions?
A. Classification
B. Existence
C. Valuation
D. Presentation and Disclosure
4. Johnny, controller of EMX Inc., paid a friend $5,000 for the use of the friend’s name and address
as the contact information for the accounts payable audit confirmations. The auditor sent the
confirmations to the friend’s address and received back official-looking confirmations that
“verified” EMX’s account. Johnny committed which of the following fraudulent activities?
A. Business email compromise
B. Billing scheme
C. Confirmation fraud scheme
D. Financial identity theft
5. The risk that an auditor concludes, based on the sample selection, that a material misstatement
does not exist when, in fact, such misstatement does exist is referred to as:
A. Control risk
B. Sampling risk
C. Detection risk
D. Inherent risk
6. Blockchain technology has the potential to enhance the CPA profession in all of the following ways
EXCEPT:
A. Enhancing the financial close process
B. Reducing the need for audit confirmations
C. Eliminating audit procedures on accounting estimates
D. Simplifying the reconciliation process
7. All of the following events increase the risk of material misstatement in cryptocurrency balances
EXCEPT:
A. Losing a private key that cannot be recovered
B. Unable to identify transactions with related parties
C. Applying two-factor authentication to obtain access to a wallet
D. Unauthorized party gaining access to a private key
8. Cryptocurrency that is sent to a correct address is related to which management assertion?
A. Classification
B. Presentation
C. Valuation
D. Rights
Appendix A: Blockchain Decision Tree
The U.S. Department of Homeland Security (DHS) Science & Technology Directorate has been
investigating blockchain technology and has created a flowchart to help one determine whether a
blockchain may be suitable for a development initiative. The flowchart is reproduced by the National
Institute of Standards and Technology and published in “NISTIR 8202 Blockchain Technology
Overview”.
Appendix B: Blockchain’s Impacts on Auditing Practices
The following table is created based on American Accounting Association, “How Will Blockchain
Technology Impact Auditing and Accounting: Permissionless versus Permissioned Blockchain”, Current
Issues in Auditing Vol. 13, No. 2, Fall 2019.

| Audit practice | Blockchain’s impact | Internal audit / External audit |
|---|---|---|
| Evidence gathering | • Whole-population investigation replacing the traditional sampling approach; • Direct access to transaction history. | X / X |
| Transaction validation and verification | • Real-time transaction validation by a community of miners; • Record verification and maintenance by all users. | X / X |
| Compliance evaluation | • Built-in compliance with most recent standards, regulations, and laws; • Instant presentation of the underlying regulation to an operator; • Immediate detection of violations. | X |
| Transaction reconciliation | • Automating reconciliation (if transactions take place between parties within a single blockchain network); • Instant settlement; • Reduction of time spent on reconciliation and increased efficiency. | X / X |
| Financial reporting | • Near real-time financial reporting; • No errors; • Less prone to fraud. | X / X |
| Planning and advising | • Providing complete, accurate records for auditors to quickly spot problems, prioritize plans, and find long-term patterns. | X |
| Decision support | • Offering reliable and timely information stored in blockchain to perform analytics; • Predicting the consequences of actions; • Facilitating smart contracts by embedded analytical models (i.e., to identify trends). | X |
Answers to Review Questions
Review Questions - Section 1
1. What is a basic feature of a blockchain platform?
A. Incorrect. Blockchain, a decentralized structure, eliminates the need for middlemen to
transfer information among participants.
B. Incorrect. In a decentralized system, there is no single point of control since the control is
shared between various independent entities.
C. Correct. Blockchain is a type of distributed ledger that creates a peer-to-peer network, which
establishes the means for transacting, and enables recording, transferring, tracking,
authenticating, and storing of digital assets.
D. Incorrect. Asymmetric (not symmetric) cryptography, known as public-key cryptography, is
one of the key components of blockchain technology.
2. Which of the following describes a potential attack on a peer network, where a person attempts
to gain control over the network by creating a large number of accounts?
A. Incorrect. Botnets, derived from “robot network”, are networks of compromised computers
controlled by remote cybercriminals without owners’ knowledge and consent.
B. Correct. Sybil Attack is a type of attack seen in peer-to-peer networks in which a person
creates and operates multiple accounts (identities) in order to gain a disproportionately
large influence.
C. Incorrect. A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt
normal traffic of a targeted server, service or network by overwhelming the target or its
surrounding infrastructure with a flood of Internet traffic.
D. Incorrect. IP spoofing is a technique used to gain unauthorized access to machines, whereby
an attacker illicitly impersonates another machine by manipulating IP packets. The attacker
convinces a system that it is communicating with a known, trusted entity, which gives the
attacker access to the system.
3. What is the method that prevents “double-spending” in cryptocurrency exchanges?
A. Incorrect. Encryption is the process of converting plaintext into a data stream (ciphertext) that
protects the confidentiality of digital data.
B. Incorrect. Block reward refers to the cryptocurrency rewarded to miners when they validate
and create a block.
C. Incorrect. Halving refers to a reduction in the block reward given to miners once a certain
number of blocks have been mined.
D. Correct. Cryptocurrencies are secured via a consensus algorithm to prevent “double-
spending”. Such a mechanism authenticates and validates a set of values or a transaction
without the need to rely on a centralized authority.
4. What is Proof of Work (PoW)?
A. Incorrect. Cryptography, the process of encoding and decoding information, is used to verify
and secure transactions on a blockchain.
B. Incorrect. An address is basically a destination where a user sends and receives digital
currency. It is similar to a bank account.
C. Incorrect. A crypto wallet is a software program that stores private and public keys used for
cryptocurrency transactions.
D. Correct. Proof of Work (PoW) is a consensus protocol used to validate transactions recorded
on blockchains and generally requires the production of proof of complex cryptographic
computations. It is a function used to confirm transactions before they can be accepted by
network participants.
5. All of the following conditions must be satisfied in order to become validators in PoA EXCEPT:
A. Incorrect. Identities must be formally confirmed with the ability to cross-reference such
information (e.g. address, phone number) in a public domain (public notary database).
B. Correct. The computational resources required for solving complex mathematical tasks
(validating a block) are far lower than for PoW and PoS. Thus, PoA requires significantly less
power consumption.
C. Incorrect. The process of becoming a validator must be difficult to reduce the risks of selecting
questionable validators and must incentivize the position and long-term commitment.
D. Incorrect. The validator approval process must be consistent (standard) to ensure that all
candidates have an equal chance.
6. What is the term that describes a permanent split in a blockchain resulting from a change in
protocol and data structures?
A. Incorrect. 51% attack refers to a potential attack on a blockchain by an individual or group of
miners controlling more than 50% of the network's mining hash rate or computing power.
B. Incorrect. Double-spending is the attempt to send cryptocurrency to two separate locations
at the same time; spending the same money twice.
C. Incorrect. Selfish mining is a strategy used by miners to increase their rewards by intentionally
withholding a validated block from being released to the network.
D. Correct. A hard fork creates a permanent split in a blockchain because the changes (e.g.
consensus protocols, mining algorithm, block size) make the previous version of the chain
incompatible.
7. What is a change to a blockchain protocol that is backward-compatible?
A. Correct. For a soft fork, non-updated nodes can continue to transact with updated nodes.
This is because the blockchain features are still compatible (backward compatible) with the
previous version of the chain, so the change does not result in a duplication of the blockchain.
B. Incorrect. Hashing involves converting plain-text to a hash value of fixed size by a hash
function.
C. Incorrect. Mining is defined as the computer process of validating information, creating a new
block and recording that information into a blockchain.
D. Incorrect. A hard fork creates a permanent split in a blockchain because the changes (e.g.
consensus protocols, mining algorithm, block size) make the previous version of the chain
incompatible. In other words, such changes are not backward compatible.
8. What is the method that secures blockchain transactions by assuring authentication and
confidentiality?
A. Incorrect. A hot wallet is located in a device connected to the Internet (whether hosted or
entity-controlled). It allows users to send cryptocurrency to another address and to obtain an
up-to-date snapshot of all the entity’s recent cryptocurrency transactions and balances.
B. Incorrect. A firewall is a system designed to prevent unauthorized access to or from a private
network.
C. Incorrect. Cold storage is the act of generating and storing one’s private keys in an offline
environment.
D. Correct. Cryptography is the process of enforcing authentication, data confidentiality and
data integrity of transactions via quorum structures.
9. What does asymmetric encryption use?
A. Incorrect. Unlike symmetric encryption, asymmetric encryption encrypts and decrypts the
data using two separate yet mathematically connected cryptographic keys. These keys are
known as a public key and a private key.
B. Incorrect. Asymmetric encryption uses two keys, a public key and a private key, to encrypt plain text.
C. Incorrect. Proof of Work is a consensus protocol used to validate transactions recorded on
certain blockchains that generally requires the production of proof of complex cryptographic
computations that require large amounts of computing power in order to validate
transactions.
D. Correct. Asymmetric cryptography, also known as public key cryptography, uses public and
private keys to encrypt and decrypt data, respectively.
10. Which of the following describes an alphanumeric string of 26-35 characters that represents a
possible destination for a bitcoin payment?
A. Incorrect. A hash is a mathematical function or algorithm that ciphers a given input into a fixed-
size alphanumeric string known as a hash value.
B. Correct. An address is an identifier, an alphanumeric string of 26-35 characters, that
represents a possible destination for a bitcoin payment.
C. Incorrect. A wallet is a software program used to store cryptocurrency private keys.
D. Incorrect. A digital signature provides validation and authentication in the same way signatures
do, in digital form, ensuring the security and integrity of the data recorded onto a blockchain.
11. Which of the following techniques enables automation of the contracting process by facilitating,
verifying or enforcing the negotiation or performance of a contract?
A. Incorrect. Proof of Work (PoW) is the original consensus algorithm in a blockchain network. It
is an algorithm used to confirm transactions and produce new blocks to the chain.
B. Correct. Smart contracts constitute lines of code intended to digitally facilitate, verify, or
enforce the negotiation or performance of a contract.
C. Incorrect. A stealth address is a vital part of Monero's inherent privacy. It requires the sender
to create a random, one-time address for every transaction on behalf of the recipient so that
different payments made to the same payee are unlinkable.
D. Incorrect. A hashing algorithm is a cryptographic hash function. It is a mathematical algorithm
that maps data of arbitrary size to a hash of a fixed size. It's designed to be a one-way function,
infeasible to invert.
Review Questions - Section 2
1. Which of the following statements is TRUE regarding public blockchains?
A. Incorrect. Private (permissioned) blockchains restrict access regarding who can perform
different activities on the network. Public (permissionless) blockchain networks allow every
participant to submit transactions and add entries to the ledger as no permission is required
to join the network.
B. Incorrect. Scalability is the trade-off, generally making public blockchains slower than private
blockchains and traditional central payment systems. This is because of the computational
power required to maintain public blockchains and assure consensus.
C. Incorrect. Private blockchains, such as Hyperledger Fabric, are designed to cater to enterprise
requirements. Public blockchains have limited applications due to the public nature of
transactions and limited functionality support at a protocol level.
D. Correct. Public (permissionless) blockchain networks allow every participant to submit
transactions and add entries to the ledger as no permission is required to join the network.
Public blockchains have no single owner. They are far more decentralized than a private
(permissioned) system.
2. Which of the following platforms has the highest degree of scalability?
A. Incorrect. Bitcoin, in its current form, can process approximately seven transactions per
second. Scalability is the trade-off of public blockchains. This is because of the computational
power required to maintain public blockchains and assure consensus.
B. Correct. VISA offers significantly higher transactions per second, processing 150 million
transactions per day, averaging roughly 1,700 transactions per second.
C. Incorrect. In its current state, Ethereum, a public blockchain, can handle around 20
transactions per second.
D. Incorrect. PayPal currently processes 193 transactions per second.
3. Cloud Inc. considers deploying a blockchain platform. Cloud Inc. needs to control who can read
and write on its blockchain. Which type of blockchain best fits Cloud Inc.’s need?
A. Incorrect. Public blockchain networks allow every participant to submit transactions and add
entries to the ledger as no permission is required to join the network. The operation is like the
public internet, where anyone can participate. In other words, any participants can read and
write to the ledger.
B. Correct. Private blockchains restrict access regarding who can perform different activities on
the network. The system operates similarly to a privately maintained database whose operator
controls which outsiders are given read privileges.
C. Incorrect. In the current ecosystem, the market has three types of blockchains: 1) public 2)
private and 3) hybrid. Blockchain technology always applies a consensus mechanism to
authenticate and validate transactions without the need to rely on a centralized authority.
D. Incorrect. Permissionless blockchains are also known as public blockchains. Since Cloud Inc.
needs to control who can join the network, a private (permissioned) blockchain that places
restrictions on who is allowed to participate in the network and in what transactions would be
the most appropriate for Cloud Inc.
4. Which cryptocurrency is operated on a private blockchain?
A. Incorrect. Bitcoin is operated on an open, public blockchain. Anyone is free to download the
bitcoin blockchain and begin mining operations in exchange for mining fees and block rewards.
B. Correct. Ripple runs on a private blockchain. Ripple (Labs) Inc., the company behind Ripple
(XRP), decides who may act as a transaction validator on its network.
C. Incorrect. Bitcoin Cash is also an example of a public blockchain. There is no barrier to entry
to use it.
D. Incorrect. Litecoin is operated on a public blockchain network which allows every participant
to submit transactions and add entries to the ledger.
5. What is a feature of a consortium blockchain?
A. Incorrect. Consortium blockchains are private blockchains deployed for a group of
organizations/individuals to share the data in a trustworthy environment.
B. Correct. The consensus process is controlled by pre-defined nodes or a set of participants on
the network.
C. Incorrect. Consortium blockchains are also known as semi-decentralized blockchains because
access is granted to a group of approved organizations/individuals.
D. Incorrect. Consortium blockchains restrict access regarding who can perform different
activities on the network.
Review Questions - Section 3
1. What is the concept that an increase or decrease in one account must be offset exactly by an
increase or decrease in another account?
A. Incorrect. Conservatism is a prudent reaction to uncertainty to try to ensure that uncertainty
and risks inherent in business situations are adequately considered. Thus, a gain contingency,
for example, is not recorded in the financial statements. If the probability of realization is high,
the contingency is disclosed in the notes.
B. Incorrect. Accounting is based on the assumption that the accounting unit or entity is engaged
in continuous and ongoing activities. The accounting unit or entity is assumed to remain in
operation into the foreseeable future to achieve its goals and objectives. This assumption is
referred to as the going concern (or continuity) assumption.
C. Correct. Double-entry accounting is a method of accounting that recognizes the duality of a
transaction such that any change in one account also causes a change in another account.
D. Incorrect. The monetary unit assumption requires that financial information be measured and
accounted for in the basic monetary unit of the country in which the enterprise is located. The
monetary value of an economic event or transaction, determined at the time it is recorded, is
not adjusted for subsequent changes in the purchasing power of the monetary unit.
2. According to the rules of debits and credits, which of the following statements is TRUE?
A. Incorrect. Asset accounts usually have debit balances. Unlike asset accounts, both liability and
owners’ equity accounts generally have credit balances. Therefore, to increase both liability
and owners’ equity accounts, we credit these accounts instead of debiting them. To increase
asset accounts, we debit these accounts.
B. Incorrect. Asset accounts usually have debit balances and liability accounts usually have credit
balances. To decrease asset accounts, we credit them. However, we debit liability accounts to
record a decrease.
C. Incorrect. Asset accounts usually have debit balances and owners’ equity accounts usually
have credit balances. To increase asset accounts, we debit them. However, to increase owners’
equity accounts, we credit them.
D. Correct. Liabilities and owners’ equity accounts usually have credit balances. Therefore, to
decrease liability and owners’ equity accounts, we debit them.
3. Which of the following management assertions indicates that the amount of revenue and expense
included in the financial statements are appropriate?
A. Incorrect. The assertion of existence is the assertion that the assets, liabilities, and
shareholders' equity balances appearing on a company's financial statements exist at a given
date.
B. Incorrect. The assertion of completeness is an assertion that the financial statements include
every item that should be included in the statement for a given period.
C. Correct. The assertion of valuation is the statement that the asset, liability, equity, revenue,
and expense amounts included in the financial statements are appropriate.
D. Incorrect. This is the assertion that the company holds or has ownership rights or usage rights
over the assets, and liabilities are obligations of the company at a given date.
4. What is the process of objectively obtaining and examining evidence in respect of certain
assertions about economic events?
A. Incorrect. The Institute of Management Accountants defines cost accounting as “a systematic
set of procedures for recording and reporting measurements of the cost of manufacturing
goods and performing services in the aggregate and in detail.”
B. Incorrect. Risk assessment is a process for identifying and assessing risks that may affect
organizations from achieving objectives.
C. Correct. Auditing is generally defined as a systematic process of objectively obtaining and
examining evidence in respect of certain assertions about economic events, to ascertain the
degree of correspondence between those assertions and established criteria and report the
results to interested parties.
D. Incorrect. Management accounting as defined by the IMA is “a profession that involves
partnering in management decision making, devising planning and performance management
systems, and providing expertise in financial reporting and control to assist management in
the formulation and implementation of an organization's strategy.”
5. As an independent guarantor of financial information, what is an auditor's primary consideration
regarding internal control?
A. Incorrect. Management's philosophy and operating style is just one factor in the control
environment of internal control.
B. Correct. An auditor's primary concern is whether a specific control affects financial
statement assertions. Much of the audit work required to form an opinion consists of
gathering evidence about the assertions in the financial statements. These assertions are
management representations embodied in the components of the financial statements.
Controls relevant to an audit are individually or in combination likely to prevent or detect
material misstatements in financial statement assertions.
C. Incorrect. Restricting access to assets is only one of many physical controls, which constitute
the control activities of internal control.
D. Incorrect. Many controls concerning management's decision-making process are not relevant
to a financial audit.
6. Which of the following entities usually serves as a financial intermediary?
A. Incorrect. The Internal Revenue Service, a U.S. government agency, collects taxes and enforces
tax laws.
B. Incorrect. A public accounting firm provides accounting, auditing, and tax services to its
clients.
C. Correct. New York Stock Exchange acts as an agent by facilitating the trading of securities
and stocks and disseminating information.
D. Incorrect. A community college is an example of a not-for-profit organization, which does not
earn any profits for its operation.
Review Questions - Section 4
1. According to the Association of Certified Fraud Examiners (ACFE), what is the most common
concealment method?
A. Incorrect. About 31% of fraudsters altered electronic documents or files to cover their crimes.
B. Incorrect. Only 27% of fraudsters created fraudulent journal entries to conceal their schemes.
C. Incorrect. About 30% of fraudsters destroyed physical documents to conceal the misdeeds.
D. Correct. About 55% of fraudsters created fraudulent physical documents to cover their
crimes.
2. All of the following are the inherent limitations of an audit EXCEPT:
A. Incorrect. The reliability of audit evidence is influenced by its source and nature and is
dependent on the individual circumstances under which it is obtained. For example, there is
always the possibility that management or others may not provide, intentionally or
unintentionally, accurate and complete information.
B. Incorrect. The audit function usually occurs after weeks, months or even quarters of the year
have passed. The relevance of information and its value tend to weaken over time. Thus, the
auditors’ ability to definitively validate and confirm the transactions becomes a borderline
untenable effort.
C. Incorrect. There is always a probability that a fraudulent transaction is not included in the
auditor’s sample and therefore remains undetected. Thus, any sample of less than 100% of a
population always increases the risk that a misstatement will not be detected.
D. Correct. Control design deficiency is one of the limitations of internal controls. Because of
such limitations, there is a risk that material misstatements will not be prevented or
detected on a timely basis.
3. Confirmation is most likely to be a relevant form of evidence with regard to assertions about
accounts receivables when the auditor is primarily concerned about which of the following
assertions?
A. Incorrect. Limited classification information is received through confirmation.
B. Correct. A confirmation primarily addresses whether the third party replying to the
confirmation agrees that a debt exists as of a certain date.
C. Incorrect. Although confirmations provide limited information on valuation, they do not
directly assess collectability which determines the proper amount to be reported in the
financial statements.
D. Incorrect. Confirmations are of limited assistance in the determination of whether the account
of the financial statements is properly classified, described and disclosed.
4. Johnny, controller of EMX Inc., paid a friend $5,000 for the use of the friend’s name and address
as the contact information for the accounts payable audit confirmations. The auditor sent the
confirmations to the friend’s address and received back official-looking confirmations that
“verified” EMX’s account. Johnny committed which of the following fraudulent activities?
A. Incorrect. Business email compromise involves taking over an email account or spoofing an
email address in order to initiate theft via unauthorized ACH or wire transfers.
B. Incorrect. Billing scheme is a fraudulent disbursement scheme in which a person causes his or
her employer to issue a payment by submitting invoices for fictitious goods or services, inflated
invoices, or invoices for personal purchases.
C. Correct. Johnny circumvented the confirmation process by directing the auditor to send
confirmations to a friend who fraudulently completed the confirmation responses.
D. Incorrect. Financial identity theft is related to ID thieves taking out loans or credit cards using
a victim’s information. The victim often receives a lender’s letter stating that he/she has not
repaid a loan that he/she did not take.
5. The risk that an auditor concludes, based on the sample selection, that a material misstatement
does not exist when, in fact, such misstatement does exist is referred to as:
A. Incorrect. Control risk is the risk of a material misstatement in the financial statements arising
due to absence or failure in the operation of relevant controls of the company.
B. Correct. Sampling risk arises from the possibility that, when a test of controls or a
substantive test is restricted to a sample, the auditor's conclusions may be different from
the conclusions he/she would reach if the test were applied in the same way to all items in
the account balance or class of transactions.
C. Incorrect. Detection risk is the risk that the auditor will not detect a material misstatement
that exists in an assertion. For example, the substantive tests fail to detect misstatement.
D. Incorrect. Inherent risk is the susceptibility of an assertion to a misstatement, due to error or
fraud, that could be material, individually or in combination with other misstatements, before
consideration of any related controls.
6. Blockchain technology has the potential to enhance the CPA profession in all of the following ways
EXCEPT:
A. Incorrect. The technology makes it possible to imagine scenarios where financial statements,
fed from blockchain, are updated every day, making periodic closes a routine and less painful
process.
B. Incorrect. Supporting documentation, such as invoices, contracts, and purchase orders, are
encrypted and securely stored or linked to blockchain. Since all entries are instantly visible and
nearly impossible to alter, confirmation of the existence or accuracy of transactions becomes
less necessary.
C. Correct. Auditors will still need to perform audit procedures on accounting estimates,
assumptions and other judgments made by management, even if the underlying
transactions are recorded in a blockchain.
D. Incorrect. In blockchain, the book-keeping entries of both parties are corresponding,
consistent, and matched because the universal ledger is shared identically and permanently
with every participant. The permanent record reduces the chances for fraud, making records
more trustworthy and reducing the need for separate reconciliation efforts.
7. All of the following events increase the risk of material misstatement in cryptocurrency balances
EXCEPT:
A. Incorrect. The loss of a private key gives rise to the risk of a material misstatement if the effect
of the loss is not properly accounted for.
B. Incorrect. The inability to identify transactions with related parties will affect the accuracy of
assets and completeness of disclosures.
C. Correct. Risks of unauthorized access to a hot wallet may be reduced by the use of two-
factor authentication to obtain access to a wallet.
D. Incorrect. An unauthorized party may steal the entity’s cryptocurrency. As a result, the entity
may no longer be able to access the cryptocurrency linked to that key. Such events increase
the risk of material misstatement if the effect of the loss is not properly accounted for.
8. Cryptocurrency that is sent to a correct address is related to which management assertion?
A. Incorrect. The assertion of classification means that the entity records all the transactions in
the proper accounts.
B. Incorrect. The assertion of presentation indicates that the components of the financial
statements are properly classified, described and disclosed.
C. Incorrect. The assertion of valuation is the statement that the amounts of crypto assets
included in the financial statements are appropriate.
D. Correct. A feature common to all blockchains is that once a transaction is confirmed on the
blockchain, it is irreversible, and ownership rights are established. If cryptocurrency is sent
to an incorrect address, the entity no longer has ownership rights over the crypto assets.
Glossary
Algorithm: A process or set of rules to be followed in calculations or other problem-solving operations.
Altcoins: Any cryptocurrency other than bitcoin. Bitcoin was the first cryptocurrency, and all coins that
came after it are considered bitcoin alternatives.
Authentication: The process of proving the counterparty identities and the existence of assets via
private and public keys.
Block: A block represents multiple transactions or records grouped together on a blockchain.
Blockchain: A digital ledger that records all related transactions since its inception.
Consensus Mechanism: A method to authenticate and validate a set of values or a transaction without
the need to trust or rely on a centralized authority.
Cryptography: A process of encrypting and decrypting information.
Distributed Ledger: A public ledger, or record of transactions, that exists on a peer-to-peer network
instead of being kept by a central authority.
Double-Entry System: System of accounting in which every transaction and event affects at least two
accounts.
Double-Spending: The attempt to send the same cryptocurrency to two separate locations at the same
time.
Hash: A hash is created by a hashing algorithm and links blocks together on a blockchain.
Mining: The act of verifying blocks on a blockchain to earn a reward, usually cryptocurrency.
Peer-to-Peer: A connection between two or more computers without using a centralized third party
as an intermediary.
Public Key: The public address where other wallets send transaction values.
Private Key: The encryption key uniquely linked to the owner and known only to the parties involved
in a transaction. It is secretly held in a digital wallet.
Wallet: An electronic device or online service used to store cryptocurrency.
Index
audit evidence, 53
Bitcoin, 30
Blockchain, 11
Cold wallet, 19
Consensus mechanism, 11
Cryptography, 18
Distributed ledger technology, 5
Hardware wallet, 19
Hash, 17
Hot wallet, 19
Hybrid blockchain, 36
Mining, 12
oracles, 21
Paper wallet, 19
Private (permissioned) blockchain, 31
Private key, 18
Proof of Stake, 13
Proof of Work, 12
Public (permissionless) blockchain, 29
Public key, 18
sampling risk, 56
smart contracts, 21
Tamper-proof, 10
Triple-entry accounting, 9