We have lately been researching the metaverse, decentralised finance, and blockchain technologies in general.

The world of blockchain is still dominated by mavericks in t-shirts. But with its adoption by big technology companies like Meta, Twitter, Adobe, Alibaba, and even bricks and mortar companies such as BHP and De Beers, it is set to at least be part of the business world going forward and possibly to dominate it. The Forbes list of the top 50 blockchain companies gives a great view of what big corporates are doing in this space.

To attempt to explain blockchain and associated technologies is beyond the scope of this blog post. Excellent influencers to listen to are Vitalik Buterin, Andreas Antonopoulos, Michael Saylor, and YouTube channels 99Bitcoins and Coinbureau.

This article aims to give a few steps that auditors or risk managers should consider when first assessing the risks around their company’s use of blockchain.

To start it is important to find out what is going on in your organisation with regards to blockchain and related technology. The more innovative areas of your business are likely to at least be investigating these technologies. There may also be areas that through client demand are starting to become involved.

Then research, research, research. I have found that these technologies are running ahead of the traditional education system; there are not yet that many courses or certifications available. To educate oneself I would suggest reading (fairly) technical books on the subject to figure out what is going on.

If you find your company is starting to adopt or even just research the use of blockchain, I would suggest the first thing to review will be the management of private keys. Private keys are the keys to the kingdom in the blockchain. Access to all crypto assets is controlled using a private key, which is basically quite a long string of numbers and letters. The general rule of thumb is that if you have this “number”, you have access to whatever assets it protects. Questions to assess whether private keys are securely managed could include:

  1. How were the keys created?
  2. Who had access to the keys when they were created?
  3. Are the keys stored in a secure location or key store?
  4. Who has access to the key store?
  5. What other controls are in place around the key store? e.g. physical and logical access measures.
  6. How many wallets exist? A wallet is merely an access point to the blockchain; it uses the appropriate private key to access the blockchain on the holder’s behalf.
  7. Who controls the wallets?
  8. How are the wallets protected when in use? Protections can include passwords in various formats.
  9. What backups of the private keys exist? If a private key is lost, then the associated crypto assets are lost forever.
  10. Who has access to the backups of the private keys?
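Questions 1, 9 and 10 above (how the key was created, what backups exist, and who can access them) are the ones most often answered badly in practice. The following Python example, added here and not part of the original post or Acusyne’s own tooling, shows what good answers can look like: the key is generated from the operating system’s cryptographically secure random number generator, and the backup is split with Shamir’s secret sharing so that, for example, any two of three custodians can recover it but no single custodian holds the key. The secp256k1 group order and the Mersenne prime used as the share field are standard constants; the function names and the 2-of-3 arrangement are this example’s own choices.

```python
import secrets

# Order of the secp256k1 group (used by Bitcoin and Ethereum). A valid
# private key for that curve is an integer in the range [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Prime field for Shamir's scheme. 2**521 - 1 is a Mersenne prime and is
# larger than any 256-bit key, so every key value is a valid field element.
P = (1 << 521) - 1


def generate_private_key():
    """Answer to 'how were the keys created?': 32 bytes from the OS CSPRNG,
    rejected and redrawn if outside the valid secp256k1 scalar range."""
    while True:
        candidate = int.from_bytes(secrets.token_bytes(32), "big")
        if 1 <= candidate < SECP256K1_N:
            return candidate


def split_key(key, threshold, share_count):
    """Split `key` into `share_count` Shamir shares (x, y) over GF(P).
    Any `threshold` distinct shares rebuild the key; fewer reveal nothing."""
    if not 1 <= key < P:
        raise ValueError("key is outside the share field")
    if not 1 < threshold <= share_count:
        raise ValueError("need 1 < threshold <= share_count")
    # Random polynomial of degree threshold-1 whose constant term is the key.
    coeffs = [key] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, share_count + 1):
        y = 0
        for c in reversed(coeffs):  # Horner's rule: evaluate polynomial at x
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def recover_key(shares):
    """Lagrange interpolation at x = 0 over GF(P). Correct only when at least
    `threshold` distinct shares are supplied; with fewer, the result is a
    random field element unrelated to the key."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        # pow(den, -1, P) is the modular inverse (Python 3.8+).
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


if __name__ == "__main__":
    key = generate_private_key()
    # Constructed 2-of-3 backup: three custodians, any two can restore.
    shares = split_key(key, threshold=2, share_count=3)
    print(f"private key (hex): {key:064x}")
    for x, y in shares:
        print(f"share {x} (held by custodian {x}): {y:0131x}")
    print("custodians 1 and 3 together recover the key:",
          recover_key([shares[0], shares[2]]) == key)
    print("custodian 1 alone recovers the key:",
          recover_key([shares[0]]) == key)
```

For an auditor the useful checks map directly onto the questions in the list: the key must come from a CSPRNG (not a password, a date, or a “brain wallet” phrase), each share must be stored and access-controlled separately (question 10), and a recovery drill with exactly the threshold number of shares should be part of the evidence that the backup actually works (question 9).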

It is my intention to provide further blogs in this area. From our research, the following will likely be of most interest to auditors and risk managers soon:

  • Smart contracts: Smart contracts are fundamental to the blockchain economy going forward and will likely be a very important area for providing assurance in future.
  • Decentralized Applications (DApps): These are applications built on the blockchain to provide one service or another. They make use of smart contracts to operate.
  • Decentralised finance (DEFI): These are DApps set up to provide decentralised finance solutions. These applications currently include peer-to-peer lending services, liquidity pools, betting, insurance applications, etc.
  • Decentralised autonomous organisations (DAOs): Smart contracts can be used to build decentralised organisations, which can do several things including providing the DEFI applications highlighted above. Understanding how a DAO runs and is governed will be fundamental for providing assurance over these structures in the future.

So that’s it: some points for thought and things to consider in the blockchain space. I will try to follow up this post with more blogs covering some of the topics I have introduced above.

Acusyne Consulting is a team of audit, risk, governance, and technical security consultants. We constantly seek better ways of doing our work, using research, industry best practice, and automation. Specialties include:

  • Information technology risk management
  • Information technology governance
  • Information technology general controls audits
  • Technical security audits (including cyber)
  • Application controls audits
  • Penetration testing
  • General internal audit (finance and operational auditing)