
7. Information and Communication Chapter Summary

Information is necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives. Management obtains or generates and uses relevant and quality information from both internal and external sources to support the functioning of internal control. Communication is the continual, iterative process of providing, sharing, and obtaining necessary information. Internal communication is the means by which information is disseminated throughout the organization, flowing up, down, and across the entity. It enables personnel to receive a clear message from senior management that control responsibilities must be taken seriously. External communication is twofold: it enables inbound communication of relevant external information and provides information to external parties in response to requirements and expectations.

Principles relating to the Information and Communication component

13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.

14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

15. The organization communicates with external parties regarding matters affecting the functioning of internal control.

Principles and Approaches

13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.

·  Creating an Inventory of Information Requirements

·  Obtaining Information from External Sources

·  Obtaining Information from Non-Finance Management

·  Creating and Maintaining Information Repositories

·  Using an Application to Process Data into Information

·  Enhancing Information Quality through a Data Governance Program

·  Identifying, Securing, and Retaining Financial Data and Information

14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

·  Communicating Information Regarding External Financial Reporting Objectives and Internal Control

·  Communicating Internal Control Responsibilities

·  Developing Guidelines for Communication to the Board of Directors

·  Reviewing Financial and Internal Control Information with the Board of Directors

·  Communicating a Whistle-Blower Program to Company Personnel

·  Communicating through Alternative Reporting Channels

·  Establishing Cross-Functional and Multidirectional Internal Control Communication Processes and Forums

15. The organization communicates with external parties regarding matters affecting the functioning of internal control.

·  Communicating Information to Relevant External Parties

·  Obtaining Information from Outside Sources

·  Surveying External Parties

·  Communicating the Whistle-Blower Program to Outside Parties

·  Reviewing External Audit Communications

Uses Relevant Information

Principle 13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.

Points of Focus

The following points of focus highlight important characteristics relating to this principle:

·  Identifies Information Requirements—A process is in place to identify the information required and expected to support the functioning of internal control and the achievement of the entity's objectives.

·  Captures Internal and External Sources of Data—Information systems capture internal and external sources of data.

·  Processes Relevant Data into Information—Information systems process and transform relevant data into information.

·  Maintains Quality throughout Processing—Information systems produce information that is timely, current, accurate, complete, accessible, protected, verifiable, and retained. Information is reviewed to assess its relevance in supporting the internal control components.

·  Considers Costs and Benefits—The nature, quantity, and precision of information communicated are commensurate with and support the achievement of objectives.

Approaches and Examples for Applying the Principle

Approach: Creating an Inventory of Information Requirements

Points of focus addressed:

·  Identifies Information Requirements

·  Captures Internal and External Sources of Data

·  Considers Costs and Benefits

Extensive information is available to management and comes from a wide variety of sources. For information to be relevant, it must be directly aligned to management's needs and responsibilities for overseeing external financial reporting and monitoring the internal control system. A process for identifying information requirements and building an inventory enables management to focus attention on information that directly supports its needs.

To achieve this, financial management defines common categories and types of information that are aligned to external financial reporting objectives and related risks as specified by management. From these categories, financial management identifies relevant information from both internal and external sources that are best suited to management's needs. Financial management creates an inventory of information and maps each item to one or more members of management that have a role in external financial reporting. This inventory is then used to assign responsibility to personnel for gathering the required information.

The following diagram illustrates key categories and types of information senior management may require in support of external financial reporting objectives:

Example: Evaluating Business Activities to Identify Information Requirements

Over the past year, a network of healthcare providers, NetHealth, has experienced significant growth in the number of patient visits. This has created challenges at the medical offices in capturing adequate information for the central processing group. The central processing group relies on adequate information to track and record information on patient visits, which in turn is used to update insurance reimbursement limits and to bill patients and insurance companies.

The management organization overseeing NetHealth recognizes that timely, relevant information is needed to support control activities and keep each physician office in the network up-to-date on patient activities, insurance arrangements, and billing and collection activities. Consequently, the COO has hired an advisor to interview members of the central processing group, receptionists, nurses, doctors, and others who work in physicians' offices across the network. From these interviews, the advisor provided the following:

·  Summary of the end-to-end activities of typical patient visits

·  Identification of the information requirements to be gathered during each visit

·  Definition of roles and responsibilities for information gathering to allow the central processing group to update patient records and process bills accurately and in a more timely fashion

·  Identification of data flow challenges that were impacting financial transaction processing and control activities

Management is now developing guidelines for gathering information during patient visits. To reduce the costs of distributing the guidelines to each office in the network, the IT manager is building a section on the network's website where the guidelines will be available and where updates and comments can be posted.

Example: Maintaining Data Flow Diagrams, Flowcharts, Narratives, and Procedures Manuals

The management at Rahmany Marine Group has effectively adopted the use of narratives, flowcharts, data flow diagrams, and procedures manuals to document the end-to-end process flows that support the corporate internal control and financial reporting. These documents are produced so that information about these processes can be easily understood by users throughout the company, including the IT team, finance and accounting specialists, systems developers, support personnel, and auditors. This documentation allows these personnel and other users to identify the source of data, responsible personnel, storage locations, source systems, relevant transformation processes and quality checks, and the primary users.

The data flow diagram below illustrates part of the company's purchasing cycle. (Note: The following data flow diagram does not depict a complete account of all the information needs for the example. It does depict the flow of information at a high level, but keep in mind that additional detailed specifics would be included in corresponding narratives, or additional flow diagrams or flowcharts would show a level deeper.)

Approach: Obtaining Information from External Sources

Points of focus addressed:

·  Captures Internal and External Sources of Data

·  Processes Relevant Data into Information

Finance personnel often rely on publications, events, and other information from external parties to gather information relevant to performing their responsibilities. The sources of data and information vary depending on the specific role and responsibilities of the individual. Sources of information may include:

·  Subscriptions to industry publications and regulatory updates

·  Participation in industry conferences, trade shows, and other events

·  Regular communications, both verbal and electronic, with suppliers, customers, or third-party service providers

·  Membership and participation in relevant organizations

·  Subscription to third-party mailing lists and social media feeds (e.g., podcasts and blogs) that pertain to the industry and company

·  Industry research reports

·  Peer industry calls and financial filings

Finance personnel evaluate the external information gathered and incorporate significant events, trends, and changes into their day-to-day financial reporting or related internal control responsibilities. In addition, finance personnel ensure that any announcements about changes to current accounting standards or regulatory requirements are summarized, reviewed, and disseminated to the others within the external financial reporting organization.

Example: Gathering Information from External Sources

J.J. Power Utility Corp. offers a learning and development program that includes guidelines and funding for finance and accounting personnel to attend external training and conferences. These activities help employees achieve their ongoing professional educational requirements, maintain their relevant certifications, and develop new skills. The external training also provides information about new or changed accounting, disclosure, and internal control requirements, as well as best practices important to J.J. Power Utility's business. To supplement the external training sessions, finance and accounting personnel also subscribe to relevant accounting publications.

Accounting and finance personnel meet regularly with the internal audit department to review and update internal accounting and control policies and procedures based on the information gathered. In addition, they meet with the CFO to pass on any new information and to discuss the impact on financial reporting and policies and procedures. Accounting and finance managers update policies and procedures to reflect the impact of the new information.

Example: Capturing Information through Electronic Data Interchange

Mandela & Co., a distributor of electronics products, engages in tens of thousands of high-volume, low-dollar transactions with customers and suppliers. Historically, sales orders and invoices for purchasing transactions have been entered and validated through a combination of manual and semi-automated processes.

To reduce time, costs, and errors caused by human intervention, management has implemented electronic data interchange (EDI) to replace the original process. Relevant information about key business transactions is now automatically populated into the company's ERP system, and automated validation checks are in place to confirm that information is transmitted completely and accurately. As well, the information generated through the EDI process is also available to production managers, order management, and billing personnel, which allows them to perform control activities to support proper end-to-end transaction processing, including creating the corresponding accounting entries.

Approach: Obtaining Information from Non-Finance Management

Points of focus addressed:

·  Identifies Information Requirements

·  Captures Internal and External Sources of Data

·  Maintains Quality Throughout Processing

External financial reporting objectives are impacted by non-financial activities that occur throughout the business. Information about new events, changes, or significant trends is needed to support accounting, disclosure, and internal control activities. Therefore, senior accounting and finance personnel meet at least monthly with management and personnel in other areas of the business—such as operations, human resources, compliance, and product development. During these meetings, information is gathered verbally and in writing on business events and trends. Topics may include:

·  New or lost significant customers, suppliers, or other stakeholders

·  Rate and impact of employee turnover

·  Unexpected trends, whether negative or positive

·  Indications of unethical or improper behavior

·  Budget versus actual and forecast expectations

·  Contractual, compliance, or regulatory issues

·  Customer or supplier complaints

·  Findings from internal audit reports

Accounting and finance personnel summarize the information gathered and meet with the appropriate member of senior management to evaluate the impact on the financial statements, internal control effectiveness, or changes needed to policies and procedures.

Example: Conducting Quarterly Interviews of Operations and Other Management

Juan Fernandez is the chief accounting officer of Friesens Fresh Foods, a perishable food supplier company. He is responsible for evaluating inventory reserve balances as part of the monthly close process.

Significant changes in purchase commitments, inventory usage trends, product configuration preferences, and cycle count results have impacted the judgments and estimates made in applying the inventory reserves policies. Consequently, Mr. Fernandez now obtains and reviews reports from the company's ERP system to identify unusual or unexpected trends, changes in balances or volumes of transactions, and other relevant details. He then meets monthly with department heads of customer service, procurement, inventory management, and logistics (who oversee third-party warehouses) to collect additional information about customers, products, inventory, and balances.

Based on these meetings, Mr. Fernandez reviews inventory reserve policies, documents key data points that impact prior estimates, and prepares an updated analysis supporting inventory reserve requirements. The CFO of Friesens then reviews and approves the analysis as part of her review of the related journal entries during the month-end closing cycle.

Example: Obtaining Operating Information for Financial Reporting

Laccona Electronics, a manufacturer of electrical equipment and components, is responsible for complying with environmental regulations associated with the company's manufacturing processes, including handling raw materials and operating production plants. Laccona's customer contracts include provisions for monetary damages in cases where products are determined to be unsatisfactory as a result of compliance audits performed by environmental agencies. In addition, if the audits are unsatisfactory—that is, they indicate any non-compliance with regulations—Laccona may incur significant fines.

Arlene Gomez, the company controller, obtains monthly reports on operational and compliance metrics from the chief operating officer. In addition, she reviews periodic internal audit reports on the company's adherence to policies and procedures related to environmental compliance. She uses this information to assess reserve requirements or disclosures associated with damages provisions. Finally, she summarizes relevant information and meets with the CFO quarterly to determine whether changes in accounting estimates and financial statement disclosures are needed.

Approach: Creating and Maintaining Information Repositories

Points of focus addressed:

·  Identifies Information Requirements

·  Captures Internal and External Sources of Data

·  Processes Relevant Data into Information

·  Maintains Quality Throughout Processing

Senior management establishes a policy for handling information that is gathered, produced, and shared throughout the company. The policy is designed to facilitate the efficient capture, use, and reuse of relevant information supplied to management and personnel across the company.

Management and employees in external financial reporting roles follow procedures for identifying and categorizing information. These procedures require that attributes about each piece of information be recorded before the information is accepted into the repository. The attributes may include:

·  Information owner

·  Expected users

·  Sources (including systems and people)

·  Criticality

·  Frequency

·  Process supported

·  Retention period

The information repositories are subject to control activities that help ensure the completeness, accuracy, security, validity, and lack of redundancy of the information.

Example: Using a Data Warehouse to Facilitate Access to Information

International Food Distributors has recently completed an enterprise-reporting project to identify and inventory information used across the company for external financial reporting and related internal control. The results of the project were used by the chief information officer and chief financial officer to design a company-wide data warehouse and reporting tools that would support a single source for financially relevant information.

·  The first phase of the project involved creating an inventory of the existing reports identifying relevant sources and eliminating non-critical and redundant reports.

·  The second phase involved designing and implementing the functional and technical capabilities needed to capture and store data used to generate relevant information. This includes the consideration of automated control activities around completeness, accuracy, restricted access, and validity of the data and information generated.

·  The third phase involved training end users on techniques for effective input and extraction of information and reports from the data warehouse using reporting tools.

·  The final phase involved designing and implementing operating procedures and control activities over the data warehouse and reporting tools to ensure the completeness, accuracy, restricted access, and validity of the data and information input and reports generated.

As a result of the project, International Food Distributors has a well-defined inventory of reports, improved data, and a more efficient process for capturing and using information for external financial reporting.

Approach: Using an Application to Process Data into Information

Points of focus addressed:

·  Identifies Information Requirements

·  Processes Relevant Data into Information

·  Maintains Quality Throughout Processing

Management designs its computer applications to capture data from internal and external sources, transform the data into information, and maintain the quality of the data and information throughout processing and reporting. The activities relating to capturing and processing data about financial transactions (e.g., initiate/enter, authorize, record, process, and report) are documented in company policies and procedures manuals. The application design includes automated application controls such as input checks for existence and validity and output checks for completeness and accuracy. It also is supported by technology general controls.

Example: Data Capture and Processing for the Purchasing and Payables Cycle

Insight Media, Inc., a publishing company, recently implemented the purchasing and payables module of its existing ERP system. The key goals were to improve data quality, reduce manual handoffs through automation, and improve information flow and visibility into purchasing transactions.

The implementation project team was led by the controller, who was supported by employees involved in the purchase to payables process. Workshops were held to confirm the current end-to-end process and identify important information about sources of transactions, key data requirements, risks to financial reporting, and information required for accounting and reporting. The project team used the results from these workshops to review the ERP module's capabilities for automating tasks and controls such as:

·  Checking that data input was valid, complete, and accurate to electronic sources

·  Passing data between the related transactions to minimize data entry and improve data consistency

·  Automatically recording the accounting transaction upon data input

·  Automatically reconciling the payables subsidiary ledger to the general ledger

·  Generating exception and analytical reports

As a result of the implementation, management of Insight Media gained access to more accurate, complete, and timely information to perform internal controls over the evaluation of accounting entries and disclosures for accounts payable and accrued expense balances, purchasing commitments, and expected cash balances.

The following flowchart was created as a result of the above procedures and assisted management in identifying the relevant information.


Approach: Enhancing Information Quality through a Data Governance Program

Points of focus addressed:

·  Processes Relevant Data into Information

·  Maintains Quality Throughout Processing

Senior management establishes a data governance program to support the company's objectives of ensuring reliability of information used in support of internal controls and external financial reporting. Senior management formalizes policies, procedures, and responsibilities for data and information management considering the volume, complexity, and demand for rapid capture and dissemination from multiple sources. The data governance program includes policies and procedures for:

·  Assigning roles and responsibilities between a central data management group, business functions, and IT

·  Validating sources of information

·  Establishing data-quality requirements before accepting sources into the information system

·  Accessing rights to underlying data and related information produced through processing

·  Protecting data during transmission and storage

Example: Validating Data and Information

RightChoice Pharmacy, Inc., a national drugstore chain, obtains significant data underlying transactions recorded in point-of-sale systems located at each retail store. Data underlying credit card transactions is sent immediately to the credit card company and to RightChoice's internal data warehouse. Daily reports are produced from the data warehouse and used to prepare reconciliations of payments due from the credit card companies.

The chief information officer and the credit and collections manager have designed and implemented continuous transaction monitoring software to support their data and information quality efforts. This software helps management to verify accounts receivable balances each day and to avoid time-consuming month-end reconciliations by quickly identifying data anomalies. Targeted data queries allow the software to identify duplicate entries, unusual transactions, missing data, and incomplete data transfers. Additionally, continuous monitoring software enables data analysis used to support control activities to detect potential indicators of fraud.
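The targeted queries described above (duplicate entries, missing records, incomplete transfers, unusual amounts) run over a day's card transactions, as an added example that is not RightChoice's or the compendium's own code; the field names, the sample point-of-sale and warehouse records, and the "unusual amount" threshold are constructed assumptions.

```python
"""Continuous transaction monitoring over point-of-sale card data.

Added example, not code from RightChoice Pharmacy or the COSO compendium.
The field names, the sample records and the "unusual amount" threshold
are assumptions constructed for illustration.
"""
from collections import Counter
from statistics import median

REQUIRED_FIELDS = ("txn_id", "store", "amount", "card_last4")
UNUSUAL_MULTIPLE = 20  # assumed: amounts above 20x the day's median are "unusual"

# Constructed sample: what the store point-of-sale systems recorded today.
POS_TXNS = [
    {"txn_id": "T1001", "store": "S01", "amount": 42.50, "card_last4": "1111"},
    {"txn_id": "T1002", "store": "S01", "amount": 18.00, "card_last4": "2222"},
    {"txn_id": "T1003", "store": "S02", "amount": 33.25, "card_last4": "3333"},
    {"txn_id": "T1004", "store": "S02", "amount": 2990.00, "card_last4": "4444"},
    {"txn_id": "T1005", "store": "S03", "amount": 27.75, "card_last4": "5555"},
]

# Constructed sample: what actually landed in the data warehouse feed.
# Seeded defects: T1001 amount mis-keyed, T1002 loaded twice, T1003 lost its
# amount in transfer, T1005 never arrived.
WAREHOUSE_TXNS = [
    {"txn_id": "T1001", "store": "S01", "amount": 24.50, "card_last4": "1111"},
    {"txn_id": "T1002", "store": "S01", "amount": 18.00, "card_last4": "2222"},
    {"txn_id": "T1002", "store": "S01", "amount": 18.00, "card_last4": "2222"},
    {"txn_id": "T1003", "store": "S02", "amount": None, "card_last4": "3333"},
    {"txn_id": "T1004", "store": "S02", "amount": 2990.00, "card_last4": "4444"},
]


def _is_amount(value):
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def find_duplicates(rows):
    """Transaction ids that appear more than once in a feed."""
    counts = Counter(r.get("txn_id") for r in rows)
    return sorted(t for t, n in counts.items() if n > 1)


def find_missing(source, target):
    """Ids present in the source system but absent from the target feed."""
    target_ids = {r.get("txn_id") for r in target}
    return sorted(r["txn_id"] for r in source if r["txn_id"] not in target_ids)


def find_incomplete(rows):
    """Rows that arrived with a required field empty (incomplete transfer)."""
    return sorted({r.get("txn_id") for r in rows
                   if any(r.get(f) in (None, "") for f in REQUIRED_FIELDS)})


def find_mismatched(source, target):
    """Ids whose amount differs between source and target (both populated)."""
    src = {r["txn_id"]: r["amount"] for r in source if _is_amount(r.get("amount"))}
    return sorted({r["txn_id"] for r in target
                   if _is_amount(r.get("amount")) and r["txn_id"] in src
                   and abs(src[r["txn_id"]] - r["amount"]) > 0.005})


def find_unusual(rows):
    """Ids whose amount is far above the day's median (a targeted query)."""
    amounts = [r["amount"] for r in rows if _is_amount(r.get("amount"))]
    if not amounts:
        return []
    limit = median(amounts) * UNUSUAL_MULTIPLE
    return sorted(r["txn_id"] for r in rows
                  if _is_amount(r.get("amount")) and r["amount"] > limit)


def total(rows):
    """Sum of populated amounts, i.e. the receivable each feed implies."""
    return round(sum(r["amount"] for r in rows if _is_amount(r.get("amount"))), 2)


def monitor(pos, warehouse):
    """Daily monitoring result used to verify the card receivable balance."""
    return {
        "duplicates": find_duplicates(warehouse),
        "missing": find_missing(pos, warehouse),
        "incomplete": find_incomplete(warehouse),
        "mismatched": find_mismatched(pos, warehouse),
        "unusual": find_unusual(pos),
        "pos_total": total(pos),
        "warehouse_total": total(warehouse),
    }


if __name__ == "__main__":
    for key, value in monitor(POS_TXNS, WAREHOUSE_TXNS).items():
        print(f"{key:16} {value}")
```

The difference between the two totals is exactly what a month-end reconciliation would otherwise have to chase; the per-check lists point straight at the rows that cause it.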

Approach: Identifying, Securing, and Retaining Financial Data and Information

Points of focus addressed:

·  Identifies Information Requirements

·  Captures Internal and External Sources of Data

·  Maintains Quality Throughout Processing

Senior IT management establishes policies to define categories of data and assign requirements for securing and retaining the data. These policies support management and employee responsibilities for securing information from unauthorized access or change and for adhering to retention and data destruction requirements. The senior data administrator develops processes and repositories to carry out the data classification policy. Data classification requirements are communicated to personnel responsible for transaction processing through periodic reminders on important internal control responsibilities. Important to this process is considering the benefits and costs to manage and store information and the relative value of the information to the entity.

Example: Identifying and Protecting Financial Data and Information

Bio-Adaptive, Inc., a global life science and chemical manufacturer, has developed standard operating procedures to identify, classify, and secure financial data and information across the entity and the stages of information life cycle (input, processing, output, storage). As part of these procedures, personnel:

·  Confirm adherence to standard operating procedures

·  Identify financial data and information that requires restriction of access and retention in order to meet reporting requirements

·  Assign appropriate data security categories to sensitive financial data and information when input into the information system

·  Review automated application controls that support security, privacy, and storage of financial data and information based on the data security category input

·  Review periodically that sensitive financial data and information have been properly categorized (fn 22)
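The assign-at-input, category-driven-controls, and periodic-review steps listed above, as an added example that is not Bio-Adaptive's or the compendium's own code; the category names, field-name rules, control policy, retention periods and sample records are constructed assumptions.

```python
"""Category tagging at input, category-driven controls, and periodic re-review.

Added example, not code from Bio-Adaptive or the COSO compendium. The category
names, field-name rules, control policy, retention periods and sample records
are assumptions constructed for illustration.
"""
from datetime import date, timedelta

# Assumed categories, ordered from least to most sensitive.
CATEGORIES = ("public", "internal", "confidential", "restricted")

# Assumed rules: a field name containing any keyword lifts the record to that category.
FIELD_RULES = {
    "restricted": ("bank_account", "tax_id", "card_number", "salary"),
    "confidential": ("journal_entry", "revenue", "reserve", "forecast"),
    "internal": ("cost_center", "vendor", "purchase_order"),
}

# Assumed controls per category: roles allowed to read, encryption at rest,
# and the retention period after which the record is due for destruction.
CONTROLS = {
    "public": {"readers": {"any"}, "encrypt": False, "retain_years": 1},
    "internal": {"readers": {"employee", "finance", "audit"}, "encrypt": False, "retain_years": 3},
    "confidential": {"readers": {"finance", "audit"}, "encrypt": True, "retain_years": 7},
    "restricted": {"readers": {"finance"}, "encrypt": True, "retain_years": 7},
}


def rank(category):
    return CATEGORIES.index(category)


def classify(record):
    """Derive the category a record warrants from the field names it carries."""
    best = "public"
    for field in record:
        for category, keywords in FIELD_RULES.items():
            if any(k in field.lower() for k in keywords) and rank(category) > rank(best):
                best = category
    return best


def tag_on_input(record, created):
    """Stamp the category and its derived controls when the record enters the system."""
    category = classify(record)
    control = CONTROLS[category]
    return {
        "data": record,
        "category": category,
        "encrypt_at_rest": control["encrypt"],
        # retention approximated as 365-day years (assumption)
        "destroy_after": created + timedelta(days=365 * control["retain_years"]),
    }


def may_read(tagged, role):
    """Access decision driven by the stored tag, not by the caller's claims."""
    readers = CONTROLS[tagged["category"]]["readers"]
    return "any" in readers or role in readers


def review(tagged_records):
    """Periodic review: indexes of records whose stored tag is weaker than the data warrants."""
    return [i for i, t in enumerate(tagged_records)
            if rank(classify(t["data"])) > rank(t["category"])]


def due_for_destruction(tagged_records, today):
    """Indexes of records past their retention period."""
    return [i for i, t in enumerate(tagged_records) if t["destroy_after"] < today]


# Constructed sample repository. The third record was tagged "internal" by an
# older process even though it carries a bank account field.
REPOSITORY = [
    tag_on_input({"vendor": "Acme Supply", "purchase_order": "PO-77"}, date(2020, 3, 1)),
    tag_on_input({"journal_entry": "JE-501", "reserve": 12000.0}, date(2023, 6, 30)),
    {"data": {"vendor": "Acme Supply", "bank_account": "000-CONSTRUCTED"},
     "category": "internal", "encrypt_at_rest": False,
     "destroy_after": date(2023, 3, 1) + timedelta(days=365 * 3)},
]

if __name__ == "__main__":
    print("under-tagged:", review(REPOSITORY))
    print("due for destruction:", due_for_destruction(REPOSITORY, date(2024, 1, 1)))
```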

Example: Identifying and Classifying Data for Financial Reporting

Freedom Corp., a financial services firm, has a process to tag financial data during transaction processing based on criteria established in the company's data classification policy. Business and IT personnel who are involved in detailed transaction processing are trained in data entry to support accurate and complete classification, tagging, storage, retention, and disposal.

This process reduces the time required to format, organize, and report data. It also enables the company to tag data through eXtensible Business Reporting Language (XBRL). XBRL enables Freedom Corp. to meet certain external financial reporting requirements and to perform comparative analyses to historical, competitor, and projected financial data.

Footnotes (Approaches and Examples for Applying the Principle):

fn 22 This example is continued in Chapter 6, Monitoring Activities, to illustrate how monitoring activities may assess whether controls to effect principles in information and communication are deployed as intended (see page 147).


Communicates Internally

Principle 14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

Points of Focus

The following points of focus highlight important characteristics relating to this principle:

·  Communicates Internal Control Information—A process is in place to communicate required information to enable all personnel to understand and carry out their internal control responsibilities.

·  Communicates with the Board of Directors—Communication exists between management and the board of directors so that both have information needed to fulfill their roles with respect to the entity's objectives.

·  Provides Separate Communication Lines—Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective.

·  Selects Relevant Method of Communication—The method of communication considers the timing, audience, and nature of the information.

Approaches and Examples for Applying the Principle

Approach: Communicating Information Regarding External Financial Reporting Objectives and Internal Control

Points of focus addressed:

·  Communicates Internal Control Information

·  Selects Relevant Method of Communication

Senior management communicates information about the company's financial reporting objectives, financial control requirements, and internal control policies and procedures, and how they support individual responsibilities through a variety of communication channels. The method of communication varies depending on the audience; the nature of the information; time sensitivity, cost, legal, or regulatory requirements; and ability to use technology solutions. Such mechanisms may include:

·  Departmental vision and mission objective signposts in high-traffic areas or on the company's website

·  Accounting and finance internal meetings or conferences to discuss internal control matters and accounting policy changes

·  Periodic employee surveys related to awareness and compliance to internal control policies and procedures

·  An intranet site specific to internal control matters, including code of conduct, roles and responsibilities, policies, procedures, and other relevant matters

·  Regular organization-wide emails, newsletters, conference calls, webcasts, or meetings about updates on internal control matters

·  Senior finance and executive management visits to plants, sales offices, major customers, and other locations

Example: Using Communications Programs to Reinforce Internal Control

AtHome Corp. is a global home-building company. Both the CEO, Janis Wilcox, and the CFO, Terry Tomlinson, use regular broadcast emails and personal visits to various company sites to communicate with finance, accounting, and other personnel who impact internal control over external financial reporting.

Mr. Tomlinson uses these mechanisms to reinforce company expectations for adherence to internal control over external financial reporting, laws, and regulations; the importance of the company's internal audit function; and actions taken in response to internal audit findings and internal control recommendations from its external auditors.

In turn, Ms. Wilcox finds the broadcast emails an effective means of sharing information about the company's business objectives and goals, including a periodic update on progress toward those goals. She also visits the various corporate sites and meets with employees and managers to ascertain how well they understand key business and financial objectives relevant to their sites and to reinforce the messages about internal control from Mr. Tomlinson. Presentation material and supporting information and intranet links are provided to the participants to support these communications.

Example: Using an Internal Accounting and Finance Conference to Reinforce Policy Changes

NetComm, Inc., a broadband infrastructure company, holds a semi-annual meeting led by the CFO and controller. The personnel from the finance department attend these meetings to obtain updated information on significant new or changed matters that impact finance activities and financial results. Meeting topics routinely include:

·  Key objectives for the next six months

·  Reinforcement of the company's policies related to ethics and integrity

·  Expectations regarding recent findings from internal or external audits related to financial reporting and control

·  Changes to the internal control structure

·  Significant recent or anticipated events such as the sale of a business, acquisition of assets, restructuring of operations, or introduction of a new product

·  Changes to accounting policy and regulatory rules that would impact how the company processes its financial transactions and produces its financial reports

Approach: Communicating Internal Control Responsibilities

Points of focus (• marks those addressed by this approach): • Communicates Internal Control Information; Communicates with the Board of Directors; Provides Separate Communication Lines; • Selects Relevant Method of Communication

Documentation on internal controls related to financially significant business processes and systems is stored in a shared repository that is accessible to management and personnel who are responsible for external financial reporting. This repository contains:

·  Risk assessment documentation

·  Business process documentation, including process flow diagrams and supporting narratives

·  Internal controls identified by management based on risk assessments

·  List of individual internal controls, including assignment of responsibility for performance and review/approval to specified employees and management

The internal audit department reviews the information in the repository as part of its ongoing and separate evaluations. Updates to specific internal controls are communicated to both the control performer and reviewer through email alerts with links to the repository.

Example: Using Governance, Risk, and Compliance Technology to Manage Internal Controls

A manufacturer of chemical and pharmaceutical products, Travis Pharma, has implemented a governance, risk, and compliance technology solution. This provides the CFO, Frances VanWyck, with a reporting tool to support her oversight of the system of internal control over external financial reporting. Information communicated through the tool includes:

·  External financial reporting objectives

·  Related external financial reporting risks

·  Internal controls

·  Evaluation approaches for each control

·  Responsibility for performance and review of each control

·  Evaluation results and action plans to address deviations

The reporting tool also provides a personalized dashboard; workflow process (for performance or review, as appropriate); reporting capabilities for more detailed status, issues, and trends; and other information to understand and manage the individual's internal control responsibilities.

Approach: Developing Guidelines for Communication to the Board of Directors

Points of focus (• marks those addressed by this approach): Communicates Internal Control Information; • Communicates with the Board of Directors; Provides Separate Communication Lines; • Selects Relevant Method of Communication

The Board of Directors establishes a board charter that defines the guidelines for information to be shared with the board of directors, responsibilities for communication, and the method of communication. The charter specifies key guidelines, which may include:

·  Frequency and number of board meetings, including committees of the board

·  Objectives of each board or committee meeting (e.g., strategy reviews, annual budgets, and plan reviews)

·  Nature and extent of information to be shared for each meeting

·  Responsibility for preparing and approving minutes

Example: Facilitating Communication between Executive Management and the Board of Directors

Fred Cummins, the general counsel of a printing company, EasySigns, Inc., under the direction of the chair of the board, is responsible for coordinating all meetings of the board of directors and board committees. He has implemented a straightforward system to ensure timely and effective communication.

Mr. Cummins reviews the annual calendar of audit committee meetings and the general agenda for each meeting. He develops specific topics for discussion for each meeting relevant to the company's external financial reporting requirements and confirms the agenda details with the CFO, CAE, and audit committee chair. Based on the detailed agenda, Mr. Cummins gathers relevant information to be included in the audit committee meeting materials that are sent to members one week prior to the meeting. From time to time, he requests that members of management attend meetings to present information in person and allow for active communication. For example, the CIO presents on the company's security and privacy programs and new events that may impact risks.

Mr. Cummins also meets with the chair of the audit committee on a periodic basis to communicate issues or risks related to significant, time-sensitive transactions, or to update the audit committee chair on significant issues, such as investigations of potential fraud.

Approach: Reviewing Financial and Internal Control Information with the Board of Directors

Points of focus (• marks those addressed by this approach): Communicates Internal Control Information; • Communicates with the Board of Directors; Provides Separate Communication Lines; Selects Relevant Method of Communication

At designated board meetings the CFO and supporting personnel present financial information, provide an analysis of the results compared with expectations, give updates on forecasts and major changes to original budgets, and communicate other matters of significance to financial reporting.

On a regular basis, the CEO, CFO, and the chief audit executive (CAE) present the draft external financial statements. Material events, changes in significant estimates or assumptions, and significant new disclosure matters since the prior quarter are also presented and discussed. The external auditors attend these meetings to present their point of view on the financial statements.

At each quarterly meeting, the CFO and the CAE present a summary of key changes in internal control, results of evaluations, and actions in response to any deviations identified. Matters of significance are reported in writing. The audit committee holds separate private sessions with management and the external auditors. These sessions provide the audit committee and either management or the auditors with an opportunity to share sensitive information and ask probing questions that facilitate each party's responsibilities related to internal control.

Example: Preparing Financial and Internal Control Reporting Package for Discussion with the Board

The senior financial management at a privately held mining company, Precious Metals Corp., has developed a financial and internal control reporting package for the board meeting. The package has been developed from both quantitative and qualitative financial reporting and internal control information. It highlights financial and internal control trends and internal control matters requiring the board's attention, such as significant, non-recurring adjustments and internal control deficiencies by each financial statement line item for each of the last four quarters. Other information in the package includes:

·  Dollar impact of adjustments

·  Estimated impact of deficiencies after considering compensating controls

·  Brief description of severity of issues, business function, and processes impacted

·  Management point of contact and action plan

·  Changes in accounting policies

·  New regulatory requirements

·  Significant changes in financial statements and disclosures

The management team sends the package to the board in advance of the meeting to allow board members to review and follow up with management in preparation of the meeting, if necessary.

Approach: Communicating a Whistle-Blower Program to Company Personnel

Points of focus (• marks those addressed by this approach): Communicates Internal Control Information; • Communicates with the Board of Directors; • Provides Separate Communication Lines; Selects Relevant Method of Communication

Management and the board establish a whistle-blower program for employees to use a hotline to communicate concerns, instances of perceived misconduct, matters relating to external financial reporting, or other significant matters that may impact internal control. To enhance employee awareness of the program, a number of communication channels are used. These include postings in high-traffic areas in offices and periodic messages from the director of human resources.

The program allows employees who report matters through the hotline to remain anonymous, and all communication is completely confidential. Reported matters are evaluated by an objective party and communicated to the board of directors or, where appropriate, a specified delegate (such as the audit committee or internal audit).

Example: Employee Ethics Hotline

General Goods Packaging has established a toll-free hotline for employees to report misconduct. The hotline is described in the employee handbook and on the company intranet. Information is also posted at various high-traffic locations in the company's facilities, such as the cafeteria, coffee room, restrooms, and main entrance.

The hotline is administered by a third party. All matters received on the line are categorized, summarized, and reported to a separate compliance department that reports to internal audit. The director of compliance then reviews and prioritizes all reports.

Those matters of significance or heightened sensitivity are reported immediately to the chair of the audit committee. Others are investigated based on their priority. The members of the executive management team review the results of all investigations and recommend what actions should be taken.

Information about each reported matter, including evidence gathered, actions taken, and conclusions reached, is documented in a separate, confidential section of the hotline system.

Approach: Communicating through Alternative Reporting Channels

Points of focus (• marks those addressed by this approach): Communicates Internal Control Information; Communicates with the Board of Directors; • Provides Separate Communication Lines; Selects Relevant Method of Communication

Management provides an alternative to reporting to a line manager so that employees are confident that they will be heard. Alternative reporting and communications channels may include:

·  Mentoring programs to provide employees with a support structure beyond their direct line manager

·  Town hall meetings where employees are encouraged to ask questions and discuss their concerns

·  A staff council comprising employees from various departments and various levels below manager, which meets to discuss various issues and relays comments and observations to management

Example: Establishing a Mentoring Program to Encourage Communicating with Management

Odette Group, a designer and distributor of sports apparel, has established a successful mentoring program for its employees. Every employee is assigned an individual "coach," who is selected from management of a different department. The employee and coach meet quarterly, or as needed, to discuss topics such as the employee's long-term goals, areas of interest for growth and development, and results of periodic performance reviews. At these meetings, coaches encourage employees to provide feedback on any issues or concerns for which they did not see a clear communication channel.

As an added measure, all staff involved in the financial reporting process are assigned a mentor with financial reporting and internal control experience. This provides an alternative to the employee's line supervisor for discussing and reporting concerns on matters such as compensation, operations, or internal controls.

Approach: Establishing Cross-Functional and Multidirectional Internal Control Communication Processes and Forums

Points of focus (• marks those addressed by this approach): • Communicates Internal Control Information; Communicates with the Board of Directors; • Provides Separate Communication Lines; Selects Relevant Method of Communication

Management from all departments develops cross-functional and departmental communication processes and forums that enable personnel to communicate internal control matters across the entity. Representatives from each department have defined roles and responsibilities for communicating internal control matters using these processes and forums. The group meets periodically to discuss issues, trends, and upcoming events that impact internal controls. Control matters and issues noted by a shared service center, business unit, or department are communicated to the other departments and business units. Management and personnel in the departments and business units evaluate and respond to the impact of these matters and issues.

Example: Establishing a Cross-Functional Internal Control Committee

Sea to Sky Telecommunications has established an internal control council comprising functional and IT business process owners from each business unit, corporate accounting, shared service center, and internal audit. The council meets monthly to define information that should be shared among business units and that may impact company processes. Topics raised at these meetings include:

·  Incidents of fraud in one department that may impact other departments

·  Changes to systems that have a cross-functional impact on processes and controls

·  Changes to regulations that impact how different departments exchange information

·  Internal and external audit findings

The representatives on the council review all matters raised to consider how they impact the various departments of Sea to Sky. Council members take turns recording the meeting proceedings, which are reviewed by all council members and then shared with the CFO.

Communicates Externally

Principle 15. The organization communicates with external parties regarding matters affecting the functioning of internal control.

Points of Focus

The following points of focus highlight important characteristics relating to this principle:

·  Communicates to External Parties—Processes are in place to communicate relevant and timely information to external parties, including shareholders, partners, owners, regulators, customers, and financial analysts and other external parties.

·  Enables Inbound Communications—Open communication channels allow input from customers, consumers, suppliers, external auditors, regulators, financial analysts, and others, providing management and the board of directors with relevant information.

·  Communicates with the Board of Directors—Relevant information resulting from assessments conducted by external parties is communicated to the board of directors.

·  Provides Separate Communication Lines—Separate communications channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective.

·  Selects Relevant Method of Communication—The method of communication considers the timing, audience, nature of the communication, and legal, regulatory, and fiduciary requirements and expectations.

Approaches for Applying the Principle

Approach: Communicating Information to Relevant External Parties

Points of focus (• marks those addressed by this approach): • Communicates to External Parties; Enables Inbound Communications; Communicates with the Board of Directors; Provides Separate Communication Lines; Selects Relevant Method of Communication

Management considers all relevant external parties who have an interest in or who would be reasonably expected to obtain information about the company's internal control over external financial reporting. The company's disclosure committee (or similar group responsible for external communications) has established a process to evaluate ongoing company events, policies, activities, and other matters that impact external parties that are important to the company's external financial reporting objectives. The disclosure committee determines the information that should be reported to external parties, as needed. Such information may include:

·  Internal controls over transactions and balances that represent significant payables, receivables, or commitments to external stakeholders

·  Results of procedures for monitoring compliance with contractual commitments and related loss or damages provisions

·  Policies for protecting information received from external parties during normal business transactions

·  Customer responsibilities for managing their employees' access to the company's web-based ordering system to prevent unauthorized orders

·  Policies related to performing background checks and credit checks, or using collection agencies

Example: Communicating Internal Control Information to a Federal Agency

A federal agency is responsible for managing and overseeing the distribution of approved funds to not-for-profit organizations that provide community outreach programs for underprivileged children. In connection with its oversight responsibilities, the federal agency requests information from each community organization about its program's controls over the allocation and use of funds received.

Management of each community organization summarizes its control activities over the allocation and use of funds and provides a statement that control activities were designed, implemented, and operating for the quarter. Any changes to or deterioration in the controls, such as a reduced ability to segregate duties due to loss of personnel, are communicated along with management's actions to mitigate the resulting risks. This summary is provided quarterly to the federal agency.

Example: Establishing Periodic Communications with Contractors and Outsourced Service Providers

ConFab Group, a large, privately held telecommunications equipment provider, outsources all its manufacturing activities to third parties, which are located around the world. Under the contractual arrangements, ConFab is responsible for damage or loss of inventory from the receipt of raw materials at the third-party contract manufacturer until the completed products are delivered to the freight forwarder for shipment. This means management retains significant risk to inventory that is not within its physical control.

ConFab's management team has specific policies and procedures for the purchasing, manufacture, and preparation of shipments to mitigate its economic exposure and that support its estimates for inventory reserves. Management communicates these policies to the manufacturers, along with specific contract clauses that require adherence to the policies and the right to audit by the company.

To ensure that policies and procedures are carried out as intended, ConFab has implemented several methods of communicating with the contract manufacturers:

·  A website is built specifically for communications between the company and the contract manufacturers.

·  A link is provided on the company's website to policies and procedures, which contractors are required to acknowledge they have read and understood, and that they will adhere to them.

·  A variety of periodic reports from the contract manufacturers are provided, which are used in company control activities to ensure that inventory balances and related estimates are properly reported.

·  Periodic on-site audits at contract manufacturers are performed to validate the inventory quantities on hand, stage of production, and quality. The audits include random interviews of personnel to confirm their understanding of and adherence to policies and procedures, and inspection of inventory transactions, documents, and reports.

ConFab also performs annual reviews of the contract manufacturers’ controls that support the completeness and accuracy of reports provided throughout the year.

Approach: Obtaining Information from Outside Sources

Points of focus (• marks those addressed by this approach): Communicates to External Parties; • Enables Inbound Communications; Communicates with the Board of Directors; Provides Separate Communication Lines; Selects Relevant Method of Communication

Management and other personnel stay abreast of new matters relevant to their area of responsibility in order to identify and respond to changes that may impact, directly or indirectly, external financial reporting objectives or the related internal control. Management of each business unit or functional group identifies relevant means to receive information from outside the company, and assigns responsibility to themselves and other personnel for obtaining, reviewing, and sharing relevant information within the company, as appropriate. Sources of information may include:

·  Publications that provide updates to financial accounting, reporting, and disclosure standards or regulations

·  Technical journals that analyze the impact of financial accounting and reporting matters

·  Competitor or peer regulatory filings

·  Information gathered at industry or trade association meetings

·  Industry, market, economic, or competitor data relevant to key metrics or accounting estimates

·  Alerts from outside counsel on regulatory or legal changes

·  Periodic meetings with external auditors and advisors to understand new accounting and disclosure requirements

·  Meetings with outside advisors or subject matter specialists with the expertise to assess complex accounting and disclosures for major transactions or events

·  Standard-setter and regulator projects and publications

·  Postings on organization-sponsored or supported social media websites or communication tools

Example: Communications from Regulatory Bodies

As a result of a regulator's examination, Norgaard-Kellogg Financial, a registered investment advisor, was informed that the firm was not in compliance with rules requiring documentation of certain compliance policies and procedures for trading activities and the related accounting and disclosure requirements. Eileen Nachbar, the company CFO, met with outside counsel and external auditors to review the matters and obtain their views. She also engaged other external advisors with expertise on risks and best practice procedures related to trading activities.

After these discussions, Ms. Nachbar met with the senior management of Norgaard-Kellogg responsible for trading activities to discuss the regulator's findings and her own evaluation of the issue and recommendations for enhancements. The information was shared with the disclosure committee, a group responsible for assessing the requirements for disclosures in external filings. After approval of the proposed actions by the disclosure committee, Ms. Nachbar developed an action plan for updating internal control policies, procedures, and related documentation to address the compliance requirements.

Example: Obtaining Information from External Sources to Assist with Accounting Estimates

Nevio Group regularly sells its products in highly unstable economic environments where currency values fluctuate significantly. These fluctuations significantly affect the accounting treatment of transactions and balances recorded in the financial statements.

Clint Bell, the assistant treasurer, is responsible for obtaining and analyzing information from an outside advisory firm related to the past, present, and future expectations of currency fluctuations. One of his sources is a subscription service that provides reporting on currency values, changes in values, and trends over periods of time. It also provides alerts if currency fluctuations exceed certain thresholds.

Mr. Bell sets up the relevant currencies, time periods, and alerts appropriate for Nevio Group. The treasurer reviews the settings and approves changes, if needed, each quarter. On a monthly basis, or more frequently based on alerts received, Mr. Bell evaluates the currency rates used for financial accounting associated with significant estimates impacted by currency values.

Based on the information gathered and corroborated from various external sources, he updates his analysis and estimates. The analysis is given to the treasurer, director of financial reporting, and controller to help them ensure that the basis for their estimates and communications in external reports is current and appropriate.

Approach: Surveying External Parties

Points of focus (• marks those addressed by this approach): Communicates to External Parties; • Enables Inbound Communications; Communicates with the Board of Directors; • Provides Separate Communication Lines; Selects Relevant Method of Communication

Management surveys customers, vendors, and others on their perception of the integrity and ethical values of company personnel. This survey process is controlled by company personnel independent of the main customer/vendor contacts. These surveys not only provide a sounding board for the company's customers, but also enable management to gain important information about the commitments made to customers and ensure that such commitments are consistent with the understanding of formal arrangements between parties.

Management carries out surveys of external parties in a variety of ways, which may include:

·  Sending to all customers periodic surveys with standard questions regarding the company and its products or services

·  Providing a feedback mechanism on the company's website or through a feedback box on documents that are sent regularly to external parties

·  Periodically meeting with external parties, in person or by video or teleconference

Example: Conducting Discussions with Customers

Fitness Four, a manufacturer of strength and cardiovascular fitness equipment, has developed a policy requiring a member of management to contact each customer at least annually. The management team member must not be the customer's primary contact or in any senior line of reporting of the customer's primary contact at the company.

During these discussions with customers, the manager is expected to address a number of areas relevant to the customer-company relationship that impact external financial reporting, including:

·  Customers’ adherence to acceptable use provisions based on licensing rights that may impact royalty costs

·  Confirmation of continued use of products or services that may impact the estimated life of assets or term of contracts used for accounting judgments

·  Issues, concerns, or return activity of company products that may indicate that recorded sales transactions were not valid

·  Feedback on company individuals that the customer interacts with during the sales, delivery, support, customer service, or billing process

·  Any regulatory, compliance, or internal customer policy requirements that should be considered in the manufacture of products or provision of services

·  Expectations of the customer for additional products, services, or support that may indicate commitments made outside of the contracts or other written arrangements

The information gathered through these conversations is shared with finance and other relevant company personnel. Any issues that indicate a potential financial reporting issue, such as incomplete delivery of products or services, or billing and payment, are further investigated. Where changes in the accounting for transactions are needed, additional reviews are performed to ensure that the issues are fully resolved. Also, an evaluation of internal controls for deficiencies is conducted to prevent or detect issues from recurring.

Approach: Communicating the Whistle-Blower Program to Outside Parties

Points of focus (• marks those addressed by this approach): • Communicates to External Parties; • Enables Inbound Communications; Communicates with the Board of Directors; • Provides Separate Communication Lines; Selects Relevant Method of Communication

Management provides a whistle-blower phone number or email address to customers, suppliers, outsourcing companies, and other external parties to facilitate feedback on potential improprieties or improper or unreliable financial reporting. The contact information is disseminated through various means, such as the company's website and on invoices sent to customers.

Example: Facilitating Communication with External Parties

Shoreup Nutrients is a manufacturer and retailer of branded and private label vitamins and nutritional supplements. It provides a section on its website for anyone who wants to respond with questions, concerns, complaints, or other information.

The internal audit department of Shoreup Nutrients is responsible for maintaining a process to ensure that all reported matters are collected, documented, evaluated, and addressed appropriately. On a weekly basis, internal audit monitors the website and summarizes any new information collected by using a collaboration software tool accessible only to the audit department.

The director of internal audit, Naseema Bahair, evaluates each matter and develops an action plan, which includes:

·  Conducting interviews of company personnel

·  Obtaining and reviewing relevant documentation

·  Contacting the reporting party for additional information, if necessary

Upon review of complaints received through whistle-blower hotlines, a decision is made by the CFO or the audit committee chair about the information that will be shared with the reporting party.

Approach: Reviewing External Audit Communications

Points of focus (• marks those addressed by this approach): Communicates to External Parties; • Enables Inbound Communications; • Communicates with the Board of Directors; Provides Separate Communication Lines; Selects Relevant Method of Communication

Following the external auditor's review of financial information and independent evaluation of internal control effectiveness, management receives a written summary of significant matters identified during the course of the work. The board of directors discusses these at a subsequent meeting, where external audit personnel discuss their findings and management discusses proposed resolutions.

Example: Managing and Assessing External Audit Communications

The management at Hessen's Assure, a healthcare insurance company, has established a process with the external audit firm to coordinate the periodic assessments of internal controls and discuss and respond to matters identified during the course of the external audit. The management team meets monthly with the external auditor to discuss internal control testing plans, status, and issues.

Internal control issues or recommendations for improvement that are identified by the external audit firm are assigned to an employee in the impacted business process area, and that person develops and presents a recommended response at the monthly meeting, or more frequently if needed. The management team evaluates each response, such as modifying internal control activities; reinforcing awareness; updating policy, procedure, or control documentation; or performing additional evaluations, and assigns responsibility for carrying out the response.

Results of the management meeting are communicated to the external audit firm. In addition, a summary of significant issues and observations is presented at the audit committee meeting at set intervals during the year or as necessary.

8. Monitoring Activities Chapter Summary

Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning. Ongoing evaluations, built into business processes at different levels of the entity, provide timely information. Separate evaluations, conducted periodically, will vary in scope and frequency depending on assessment of risks, effectiveness of ongoing evaluations, and other management considerations. Findings are evaluated against criteria established by regulators, standard-setting bodies, or management and the board of directors, and deficiencies are communicated to management and the board of directors as appropriate.

Principles relating to the Monitoring Activities Component

16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Principles

16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

Approaches

·  Periodically Reviewing the Mix of Monitoring Activities

·  Establishing a Baseline

·  Identifying and Using Metrics

·  Designing and Implementing a Dashboard

·  Using Technology to Support Monitoring Activities

·  Conducting Separate Evaluations

·  Using Internal Audit to Conduct Separate Evaluations

·  Understanding Controls at an Outsourced Service Provider

Principles

17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Approaches

·  Assessing and Reporting Deficiencies

·  Monitoring Corrective Action

·  Developing Guidelines for Reporting Deficiencies

Conducts Ongoing and/or Separate Evaluations

Principle 16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

Points of Focus

The following points of focus highlight important characteristics relating to this principle:

·  Considers a Mix of Ongoing and Separate Evaluations—Management includes a balance of ongoing and separate evaluations.

·  Considers Rate of Change—Management considers the rate of change in business and business processes when selecting and developing ongoing and separate evaluations.

·  Establishes Baseline Understanding—The design and current state of an internal control system are used to establish a baseline for ongoing and separate evaluations.

·  Uses Knowledgeable Personnel—Evaluators who perform ongoing and separate evaluations have sufficient knowledge to understand what is being evaluated.

·  Integrates with Business Processes—Ongoing evaluations are built into the business processes and adjust to changing conditions.

·  Adjusts Scope and Frequency—Management varies the scope and frequency of separate evaluations depending on risk.

·  Objectively Evaluates—Separate evaluations are performed periodically to provide objective feedback.

Approaches and Examples for Applying the Principle

Approach: Periodically Reviewing the Mix of Monitoring Activities

Points of focus addressed: Considers a Mix of Ongoing and Separate Evaluations; Considers Rate of Change; Adjusts Scope and Frequency

Senior management meets periodically to review the allocation of effort between ongoing evaluations and separate evaluations used to conduct monitoring activities.


The mix of planned monitoring activities over internal control of external financial reporting may depend on senior management's assessment of:

·  The entity's regulatory requirements and financial reporting objectives

·  How quickly the entity's industry and/or regulatory environment is changing or anticipated to change

·  The results of historical evaluations of control effectiveness

·  The extent of ongoing monitoring within the associated processes

·  Changes that have occurred in the current year that impact other components of internal control

Senior management may also increase the frequency of separate evaluations from the initial plan in processes where:

·  Existing monitoring activities raise potential deficiencies in the system of internal control

·  Key performance indicators, which correlate to surfacing potential deficiencies in internal control, have exceeded a prescribed threshold

Example: Changes in Business Operations

Hunter Manufacturing has thirteen different plant locations, six of which are considered significant. The management team of Hunter Manufacturing has been monitoring the internal control in the seven smaller, less significant plants, primarily through ongoing evaluations. However, management has now determined that some separate evaluations have become necessary. This decision has been made due to the increase in risk factors at these plants, including frequent errors in monthly and quarterly reconciliation activities and turnover among plant-level controllers and supervisory personnel. Accordingly, management now has both ongoing and separate evaluations in place as they have implemented random plant audits to periodically evaluate controls.

Example: Changing the Internal Audit Plan

Viliam Financial Services is a publicly held global company. Recently the industry has experienced a significant rate of change because of increasing regulatory focus and complexity of the company's financial products. In response to these changes, Viliam's management and board of directors have reprioritized the activities conducted by its internal audit department, including:

·  More active oversight of Viliam's recently enhanced risk management and governance processes

·  An iterative risk assessment process that performs a risk review annually and more often if the business changes

·  Reviews of financial and operational data to identify risks and adverse trends, and to respond to them accordingly by conducting targeted audits

Approach: Establishing a Baseline

Points of focus addressed: Establishes Baseline Understanding

Senior management develops a baseline understanding of the design and current state of the entity's system of internal control by:

·  Determining the starting point of the system

·  Reviewing if controls within each of the five components of internal control are operating as intended to achieve an entity's objectives

Management then leverages the established baseline to:

·  Identify necessary changes in design and conduct of internal controls that result from monitoring activities

·  Evaluate changes in people, processes, and technology that may impact the design and implementation of controls

·  Establish a new baseline that incorporates any changes that impact the previous baseline

Senior management may use the baseline information to establish which ongoing and separate evaluations are most appropriate.

Example: Establishing a Baseline

The senior management of Judd Co., a beverage manufacturer and distributor, focuses the organization's monitoring efforts by risk priority. In areas of high risk the entity conducts and documents a thorough review of the design and operation of controls to establish a baseline. The documentation includes a written description, flowchart, and walkthrough narrative of how each control within the high-risk area operates. Past and current control performance must also be documented with any anomalies or significant variations noted and evaluated. With risks prioritized and the baseline established, management identifies monitoring activities that can evaluate changes to the system of internal control in a reasonable period of time. The baseline aids Judd Co. in selecting more efficient monitoring activities, such as self-assessments coupled with supervisory review. Then, at intervals appropriate to the level of risk, internal audit performs periodic separate evaluations to reconfirm the system of internal control against the baseline and the effectiveness of the ongoing monitoring procedures.

Approach: Identifying and Using Metrics fn 23

Points of focus addressed: Establishes Baseline Understanding; Integrates with Business Processes

Management identifies metrics that correlate to the completeness and accuracy of financial transactions to provide ongoing evaluations of established control activities. When identifying metrics, management considers the processes and sub-processes that should be monitored, and develops the appropriate measure and frequency for the evaluation.

The metrics may use the following information:

·  Historical performance data, which may be useful for comparisons to current performance data

·  Expected performance targets, which may be used to benchmark current performance against expected performance

Some metrics have clearly defined allowable tolerances that have been calculated for current performance data, which may be used to highlight anomalies. Other metrics have less defined thresholds and are reviewed by knowledgeable employees for reasonableness and unusual items.

Example: Using Metrics to Monitor Payroll

Approximately 90% of Mynarski Manufacturing employees are located at company plant sites. To monitor whether the payroll processing control activities are working, Henrik Saunders, the corporate payroll manager, reviews the plant payroll metrics. Payroll metrics include:

·  Current head count compared with expected and historical head count for the month, quarter, and year

·  Current payroll compared with expected and historical payroll for the month, quarter, and year

·  Current overtime in hours and dollars compared with expected and historical overtime in hours and dollars for the month, quarter, and year

In his review, Mr. Saunders looks for any unusual fluctuations, such as increases and decreases in the number of employees and excessive overtime. His review is done in the context of current plant productivity and target thresholds based on historical data and planned productivity, which varies by season. If Mr. Saunders identifies any fluctuations, he investigates the underlying reasons and adjusts the process or control activities as needed.
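The two kinds of metric described above (clearly defined tolerances against an expected target, and less defined thresholds judged against history) can be run as a simple ongoing evaluation. The following is an added illustration, not part of the COSO material or of any company's system: plant names, tolerances, the 2-standard-deviation rule, and every figure are constructed.

```python
"""Metric-based ongoing evaluation of payroll controls.

Added illustration (not part of the COSO material): compares each plant's
current payroll metrics with an expected target and with its own history,
in the manner the payroll-manager example describes. Plant names,
tolerances and all figures are constructed.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Finding:
    plant: str
    metric: str
    current: float
    reference: float
    reason: str


def tolerance_check(current, expected, tolerance_pct):
    """Defined-tolerance metric: flag when the gap to the expected value exceeds tolerance_pct."""
    if expected == 0:
        return current != 0
    return abs(current - expected) / abs(expected) > tolerance_pct / 100.0


def historical_check(current, history, k=2.0):
    """Less-defined threshold: flag when the current value is more than k
    population standard deviations away from the historical mean."""
    if len(history) < 2:
        return False  # not enough history to judge reasonableness
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        return current != mu
    return abs(current - mu) / sigma > k


def review_payroll_metrics(plants, tolerances, k=2.0):
    """Return one Finding for every metric/check pair that fails."""
    findings = []
    for plant, metrics in plants.items():
        for metric, data in metrics.items():
            cur, exp, hist = data["current"], data["expected"], data["history"]
            if tolerance_check(cur, exp, tolerances[metric]):
                findings.append(Finding(plant, metric, cur, exp,
                                        f"outside {tolerances[metric]:g}% tolerance of expected"))
            if historical_check(cur, hist, k):
                findings.append(Finding(plant, metric, cur, mean(hist),
                                        f"more than {k:g} standard deviations from historical mean"))
    return findings


# Constructed sample: six months of history plus the current month, per plant.
PLANTS = {
    "Plant A": {
        "head_count": {"current": 212, "expected": 210,
                       "history": [205, 208, 210, 209, 211, 210]},
        "payroll_usd": {"current": 910_000, "expected": 850_000,
                        "history": [840_000, 845_000, 850_000, 855_000, 848_000, 852_000]},
        "overtime_hours": {"current": 1_900, "expected": 1_200,
                           "history": [1_150, 1_180, 1_220, 1_210, 1_190, 1_200]},
    },
    "Plant B": {
        "head_count": {"current": 98, "expected": 100,
                       "history": [100, 101, 99, 100, 98, 102]},
        "payroll_usd": {"current": 402_000, "expected": 400_000,
                        "history": [395_000, 400_000, 405_000, 398_000, 402_000, 401_000]},
        "overtime_hours": {"current": 560, "expected": 550,
                           "history": [540, 555, 560, 545, 550, 552]},
    },
}
# Constructed allowable tolerances, as a percentage of the expected value.
TOLERANCES = {"head_count": 5.0, "payroll_usd": 3.0, "overtime_hours": 15.0}

if __name__ == "__main__":
    for f in review_payroll_metrics(PLANTS, TOLERANCES):
        print(f"{f.plant} {f.metric}: current {f.current:,.0f} vs "
              f"{f.reference:,.0f} ({f.reason})")
```

Running it on the constructed data flags only Plant A's payroll and overtime, on both checks; the small head-count movements at either plant stay within tolerance and within two standard deviations of their history, which is the point of keeping the reviewer's attention on the unusual fluctuations rather than on every month-to-month difference.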

Example: Using Built-In Operating Measures and Key Control Indicators

Tony Rosco is the controller of Still Craft Foods. He uses operating measures and key performance indicators (KPIs) for major accounting and financial processes, including accounts receivable, payroll, accounts payable, and financial statement preparation. Accounts payable KPIs, for example, focus on the accuracy, timeliness, completeness, and compliance of documents received for vouching and checks prepared, with performance tracked to established targets.

Mr. Rosco leverages his knowledge of changes in the business when developing his expectations of how performance is likely to be consistent with, or vary from, established targets. In the case of accounts payable KPIs, variances from the established targets could result from known factors, such as significant new vendors, changes in payment terms, and cash flow goals. Where results do not meet expectations, Mr. Rosco evaluates them for potential underlying issues in established control activities. Additionally, he uses the KPIs to identify trends that could indicate fraudulent activity (e.g., a concentration of payments to a vendor that is new or for which he would not expect that volume).

He shares his findings with the management team, which uses the information in performance appraisals and related development programs.

Approach: Designing and Implementing a Dashboard fn 24

Points of focus addressed: Uses Knowledgeable Personnel; Integrates with Business Processes

As part of its ongoing evaluations, management develops and implements dashboards for reviewers to use in the ordinary course of business. Reviewers are usually supervisors of those employees with first-level knowledge and who are accountable for processes, activities, and their controls. Dashboards may include:

·  Detailed and/or summarized information about control performance

·  Metrics being measured and/or information being highlighted for evaluation and investigative follow-up

·  Visual depictions of the status of control operation

·  Details of status including frequency of assessment and last assessment

·  Known current deficiencies and their remediation status

·  Key personnel and contact details for those responsible for processes and sub-processes

Example: Using Dashboards to Relate Operating Information

Langdale Manufacturing, a manufacturer of industrial machinery parts, uses a set of operating dashboards organized by business process, with each dashboard containing a series of tasks assigned to the appropriate managers for action. The dashboard for the production inventory process, for example, includes costs associated with tooling: the warehouse manager tracks the usage of tools during production, noting how often they are needed, who requested them, and where they are purchased from.

Management then considers this information when reviewing tooling costs included in inventory. In the monthly management meetings, these dashboards are reviewed. Each of the managers responsible for specific tasks discusses recent progress and expected changes over the coming month. To the extent that an increase in tool usage was noted, management would expect that costs related to tooling would be up for the period.

Approach: Using Technology to Support Monitoring Activities fn 25

Points of focus addressed: Integrates with Business Processes

Management uses technology to support the monitoring of the system of internal controls in the ordinary course of business through automated monitoring applications. Management uses the automated monitoring application to efficiently and continuously review large volumes of data at a low cost with a high standard of objectivity (once programmed and tested). Automated monitoring activities may include:

·  Checking transactions against predefined thresholds for anomalies

·  Monitoring transactions for trends or patterns

·  Assessing automated performance indicators, metrics, and measures that may lead to improvements in process and business

Example: Using Continuous Monitoring

Gentoo Financial Services employs a continuous monitoring tool to perform a simple regression analysis of nonperforming loans by branch and by loan officers as one form of monitoring control over loan origination. The output from the tool allows Gentoo to look for outliers across multiple dimensions (e.g., policy, industry standards, and statistical standard deviations) and provides input for Gentoo's allowance for loan losses. Further, the report can be repopulated in either real-time or batch mode. This analysis helps Gentoo identify loan officers and/or branches that may not be following loan origination policies.

Example: Using Technology to Identify Trends

Penguin Ice, a manufacturer of ice cream, uses an automated computer application as part of its ongoing monitoring activities. One of the application's activities identifies any trends in the processing of journal entries of personnel who consistently approve entries just below their authorization limit. Management then considers this information in monthly meetings to determine if any fraud is occurring or if journal entry control activities for authorization limits need to be changed.

Approach: Conducting Separate Evaluations

Points of focus addressed: Considers a Mix of Ongoing and Separate Evaluations; Uses Knowledgeable Personnel; Objectively Evaluates

Management may conduct separate evaluations of internal controls over external financial reporting by:

·  Conducting ad hoc supervisory management visits and reviews

·  Conducting cross-operating unit reviews using management from similar operating units within the company

·  Comparing components of internal control with another similar entity by benchmarking or using a peer evaluation

·  Developing a self-assessment questionnaire for a business process for use by personnel responsible for the controls within a particular business unit or function

·  Hiring an independent third party to perform specific evaluations

Example: Investigating and Reporting Whistle-Blower Allegations fn 26

Annually, the board of Generation Now engages an independent third party to evaluate the effectiveness of its whistle-blower program. The purpose of the evaluation is to ascertain that (1) the general counsel has reviewed the logs of all calls received and reported all calls in the quarterly progress reports to the board; (2) the internal auditor (or other independent individual) carried out the investigations into allegations, as necessary, and made recommendations to address any shortcomings in the whistle-blower program; and, (3) all parties complied with the company's policies and procedures in resolving all whistle-blower calls on a timely basis.

Example: Identifying and Protecting Sensitive Financial Data and Information fn 27

Annually, Bio-Adaptive's chief data officer reviews a system generated report that identifies employees who have access to sensitive financial data and information. For these employees, the chief data officer evaluates the suitability of assigned restricted access and their adherence to the standard operating policies and procedures. Based on the assessment, the chief data officer recommends modifications to existing restricted access, standard operating policies and procedures, and control activities relating to identifying and protecting sensitive financial data and information.

Example: Conducting Senior Financial Officer Visits

Gregson Grenville is a publicly held consumer products company with multiple manufacturing facilities throughout the world. Every year, the company's senior financial officers for each division visit each subsidiary's headquarters, manufacturing site, and/or sales office to gain an understanding of significant business processes at those locations. During these visits, the senior financial officer discusses procedures and controls for all relevant processes impacting financial reporting with those performing the control activities and their supervisors. In addition, a mini-audit of select control activities is conducted, the findings are documented, and the local team develops management action plans for all pertinent recommendations. In addition, findings are shared broadly throughout the organization to facilitate control enhancements at other locations, and areas of concern impact the focus of future senior officer visits at this and other locations.

Example: Using Self-Assessments

Jaron and Associates provides Internet-based securities brokerage and financial services. Recently the company instituted a formal internal control assessment program (ICAP). Under this program, managers of each business unit perform a quarterly control self-assessment and certify the effectiveness of certain controls for which they are responsible.

The senior management of Jaron recognizes that self-assessment, while not completely objective, is an effective first line of defense against internal control failure. Internal audit helps compensate for the lack of objectivity in the control self-assessments by performing periodic audits and comparing the results to the self-assessments.

ICAP allows management to concentrate its ongoing evaluation efforts on several issues:

·  Areas of higher risk

·  Areas where ICAP has identified potential problems

·  Areas where separate evaluations have identified control deficiencies that were not reported through the self-assessments

Now Jaron and Associates is better able to focus its separate evaluation efforts on a prioritized risk basis and modify ongoing evaluations where necessary.

Approach: Using Internal Audit to Conduct Separate Evaluations

Points of focus addressed: Considers a Mix of Ongoing and Separate Evaluations; Uses Knowledgeable Personnel; Objectively Evaluates

Management uses an appropriately staffed and adequately trained internal audit function to provide an objective perspective on key elements of the internal control over external financial reporting. Internal audit reports are distributed to senior management, the board of directors, and others who are positioned to act on the report's recommendations. Internal audit's separate evaluations may be influenced by:

·  The entity's regulatory environment and management's methodology and plans for achieving compliance with its financial reporting objective

·  An understanding, independent of management, of how the internal control system addresses meaningful risks

·  Approval for the planned separate evaluation activities by the board of directors or one of its committees

Example: Identifying and Analyzing Risk of Material Omission and Misstatement due to Fraud fn 28

Maxwell's internal audit considers management's assessments of the likelihood of the risks of material omission and misstatement due to fraud, its planned responses, and the control activities to mitigate these risks when planning its audit projects. Internal audit selects and develops its monitoring activities including the scope, nature, and timing of its evaluations based on its views of the assessed fraud risks and management's planned responses. Internal audit reports these identified fraud risks, along with management's responses and its planned approach, to the chief audit executive and audit committee. Internal audit also discusses the results of its fraud procedures with the external auditor. As part of its approach, internal audit compares any noted fraud incidents to business unit management's fraud risk assessment to identify and evaluate any shortcomings within management's risk assessment process.

Example: Conducting Separate Evaluations

Lee-Basker Parts designs, manufactures, and distributes precision components and assemblies for aerospace applications. From time to time the board directs the company's internal audit department to perform separate evaluations of specified high-risk business processes that impact the entity's financial statements. The scope and frequency of these evaluations depend primarily on the significance of the related risks and the importance of the controls in reducing those risks to an acceptable level.

Subsequent to management's input, it is up to the chief audit executive, Maria Geide, to determine whether the internal audit department adequately understands the process, the overall internal control structure, and the objectives of the review.

Once the review is complete, Ms. Geide submits a report on the process controls to senior management and the board covering the scope of the work (including identification of the controls evaluated), a description of the major risks and the appropriateness of the controls, a list of identified deficiencies, and management's response and proposed remediation.

Approach: Understanding Controls at an Outsourced Service Provider fn 29

Points of focus addressed: Adjusts Scope and Frequency; Objectively Evaluates

Management obtains and reviews periodic information from outsourced service providers to detect any changes in activities that impact the entity's system of internal control over external financial reporting. Information obtained may include:

·  The outsourced service provider's applicable control objectives

·  Details about which of the outsourced service provider's internal controls have been examined and included in any report

·  The details and results from any independent audit testing performed

·  Special considerations for the outsourced service provider that impact the report

To determine what impact any identified changes may have on the entity's system of internal control over external financial reporting, the following may also be assessed:

·  Whether management appropriately considered known changes in business processes and their impact on internal control, and whether they were communicated to the outsourced service provider, since such changes could impact the entity's control objectives and design

·  Whether exceptions were noted that may trigger further review by senior management

·  Whether management is satisfied with the independence and objectivity of the report

Based on management's review and findings, it may be necessary to reassess the separate evaluation activities over the outsourced service provider.

Example: Reviewing the Service Auditor's Report for Changes in Controls

Finlayson Home Works supplies materials used in residential construction. This public entity has outsourced its payroll activities for a number of years to a reputable payroll services provider. The chief audit executive, Rolf Brunner, obtains an annual service auditor's report detailing the internal controls at the service provider. Mr. Brunner then compares the current report to past reports to determine whether there have been any changes in relevant controls that could impact the judgments made on planned monitoring activities over the payroll process. The current report indicates some key changes in the payroll service provider's software and several negative test results in priority risk areas. As a result, Mr. Brunner has the internal audit department of Finlayson Home Works perform a reconciliation of the payroll service provider's processing results to evaluate if additional separate evaluations of the payroll service provider may be necessary.

Footnotes (Approaches and Examples for Applying the Principle):

fn 23 Metrics, often operational in nature, may use information that indirectly signals a failure or anomaly, but there may be other information available more directly linked to changes or failures. The value of metrics should be considered when an entity evaluates what mix of ongoing and separate evaluations is appropriate for that entity.

fn 24 A dashboard, a management tool or report that presents in a summarized manner data on the relevant business performance areas, is often operational in nature and may use information that indirectly signals a failure or anomaly, but there may be other information available more directly linked to changes or failures. The value of metrics should be considered when an entity evaluates what mix of ongoing and separate evaluations is appropriate for that entity.

fn 25 Note that many automated activities used to prevent or detect unintended events or results would be considered control activities.

fn 26 This example is a continuation of the example in Chapter 2, Control Environment (see page 30).

fn 27 This example is a continuation of the example in Chapter 5, Information and Communication (see page 123).

fn 28 This example is a continuation of the example in Chapter 3, Risk Assessment (see page 73).

fn 29 The review of controls at the outsourced service provider is covered in Chapter 4, Control Activities.

Evaluates and Communicates Deficiencies

Principle 17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. fn 30

Points of Focus

The following points of focus highlight important characteristics relating to this principle:

·  Assesses Results—Management and the board of directors, as appropriate, assess results of ongoing and separate evaluations.

·  Communicates Deficiencies—Deficiencies are communicated to parties responsible for taking corrective action, and to senior management and the board of directors, as appropriate.

·  Monitors Corrective Actions—Management tracks whether deficiencies are remediated on a timely basis.

Approaches and Examples for Applying the Principle

Approach: Assessing and Reporting Deficiencies

Points of focus addressed: Assesses Results; Communicates Deficiencies

Management develops policies and practices to periodically assess and communicate deficiencies that result from the entity's monitoring activities and other sources. Management establishes a practice whereby all deficiencies in internal control over external financial reporting, regardless of materiality, are reported to the responsible manager and to at least one level of management above, both of whom are positioned to take or oversee corrective action. Management also classifies deficiencies for further reporting to senior management or the board based on criteria established by standard setters or regulators. fn 31 The criteria could include the following:

·  Nature of the deficiency

·  Source of the deficiency

·  Known magnitude of a misstatement caused by the deficiency to the entity's financial statements

·  The likelihood and potential magnitude of a misstatement caused by the deficiency to the entity's financial statements

·  An aggregation of deficiencies affecting similar areas that could indicate a more serious deficiency

Example: Identifying Sources of Deficiencies

The senior management of Adelie Telecom receives a quarterly report of deficiencies prepared by its internal audit department. On the third-quarter report this year, deficiencies were reported from several sources, including the following:

·  External Source—Customer complaints about overbilling were brought to management's attention and investigated. The subsequent investigation exposed that the billing system was using the wrong tariff rate, which had been incorrectly coded in the system. The problem was traced to an input error that was neither prevented nor detected by control activities.

·  Separate Evaluations—Management directed internal audit to conduct a special evaluation of the sources and quality of information used for Adelie Telecom's payroll reconciliation. The evaluation identified that some of the information used was not appropriate. Specifically, an outdated report with inaccurate information was being used for the reconciliation. Consequently, the payroll reconciliation control activity was updated to use the correct report.

·  Ongoing Evaluations—Adelie Telecom allows a 10% variance in paying installation contractors, and so management developed an automated monitoring control to review the trends in variance activity approvals by payables clerks. One such report identified that Arnie Chinstrap, a payables clerk, was routinely approving variances of 10% for a particular vendor, Bosque & Sons Installers. An investigation confirmed that Mr. Chinstrap had an arrangement with Bosque & Sons for a financial kickback and that Adelie Telecom was overpaying the contractor. To address the deficiency in internal control, management implemented a supervisory review for all payments within the 10% variance.
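The automated monitoring control in the Adelie Telecom bullet above and the Penguin Ice example under "Using Technology to Identify Trends" look for the same pattern: an approver whose approvals cluster just under a ceiling (a personal authorization limit for journal entries, or the maximum allowed variance for one vendor). The block below is an added illustration of that trend check, written here and not taken from the COSO material or from any company's system. The grouping key, the 5% band, the minimum share and count, and every record are constructed assumptions; the two names from the Adelie example are reused only so the sample reads against the bullet above.

```python
"""Concentration of approvals just under an authorization ceiling.

Added illustration (not part of the COSO material). It generalizes two
patterns described on this page: journal-entry approvers who consistently
approve entries just below their own limit, and payables clerks who
routinely approve the maximum allowed variance for one vendor. Band,
thresholds and all records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Approval:
    approver: str
    amount: float                        # entry amount, or variance % for payables
    ceiling: float                       # approver's limit, or the allowed variance
    counterparty: Optional[str] = None   # vendor, when the pattern is per vendor


@dataclass(frozen=True)
class Alert:
    approver: str
    counterparty: Optional[str]
    near_ceiling: int
    total: int
    share: float


def is_near_ceiling(amount, ceiling, band):
    """True when amount lies within `band` (a fraction) below the ceiling,
    including amounts exactly at the ceiling. Amounts above the ceiling are
    not 'near' it; they are a different exception (approval outside authority)."""
    return ceiling * (1.0 - band) <= amount <= ceiling


def near_ceiling_concentration(approvals, band=0.05, min_share=0.5, min_count=3):
    """Group approvals by (approver, counterparty) and alert on groups where at
    least min_count approvals, and at least min_share of the group, sit in the band."""
    counts = defaultdict(lambda: [0, 0])  # key -> [near-ceiling count, total count]
    for a in approvals:
        key = (a.approver, a.counterparty)
        counts[key][1] += 1
        if is_near_ceiling(a.amount, a.ceiling, band):
            counts[key][0] += 1
    alerts = []
    for (approver, cp), (near, total) in sorted(counts.items(),
                                                key=lambda kv: (kv[0][0], kv[0][1] or "")):
        share = near / total
        if near >= min_count and share >= min_share:
            alerts.append(Alert(approver, cp, near, total, share))
    return alerts


SAMPLE_APPROVALS = [
    # Constructed journal entries against a 10,000 approval limit.
    *(Approval("Dana Reyes", amt, 10_000) for amt in (9_800, 9_950, 9_700, 9_900, 4_000)),
    *(Approval("Eli Ortiz", amt, 10_000) for amt in (2_000, 7_500, 9_600, 3_000, 5_000)),
    # Constructed contractor payment variances (percent) against a 10% allowance;
    # the clerk and vendor names come from the Adelie Telecom example.
    *(Approval("Arnie Chinstrap", v, 10.0, "Bosque & Sons Installers") for v in (10.0, 9.8, 10.0, 10.0)),
    *(Approval("Arnie Chinstrap", v, 10.0, "Other Installers") for v in (2.0, 0.5, 3.0)),
    *(Approval("Pat Lee", v, 10.0, "Bosque & Sons Installers") for v in (1.0, 10.0, 2.5)),
]

if __name__ == "__main__":
    for al in near_ceiling_concentration(SAMPLE_APPROVALS):
        who = al.approver + (f" / {al.counterparty}" if al.counterparty else "")
        print(f"{who}: {al.near_ceiling} of {al.total} approvals within 5% of the ceiling ({al.share:.0%})")
```

The output is a trend report for the monthly meeting, not a conclusion: the two alerts on the constructed data (one journal-entry approver, one clerk/vendor pair) say only that the pattern exists. Whether it reflects fraud, a badly set limit, or legitimate work split into approvable pieces is what the investigation and the follow-up supervisory review decide.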

Example: Reporting Protocols for Identified Deficiencies

The management of Skea and Associates, an international insurance services organization, classifies financial reporting control deficiencies identified from its monitoring activities as deficiencies, significant deficiencies, or material weaknesses. The communication structure for reporting deficiencies is based on their potential impact on the organization.

For each level of deficiency (fn 32), the company's internal reporting structure calls for certain reporting procedures:

·  Deficiencies are reported in detail to the manager responsible for the control.

·  Significant deficiencies are reported in detail to the manager responsible for the control and to the senior management team, and on a quarterly basis, in summary, to the audit committee.

·  Material weaknesses are reported in detail to the manager responsible for the control and the senior management team, and on a quarterly basis to the audit committee.

Approach: Monitoring Corrective Action

Point of focus addressed: Monitors Corrective Actions (points of focus for this principle: Assesses Results, Communicates Deficiencies, Monitors Corrective Actions)

Management establishes a practice to review the status of corrective actions taken to verify that reported deficiencies are remediated in a timely manner. The corrective action practice may include:

·  Regularly scheduled meetings to review the status of corrective actions

·  An established electronic or hard-copy report in which corrective actions are summarized and collated

·  Delegated oversight to a responsible party, such as an internal audit function

Example: Establishing Reporting Protocols for Identified Deficiencies

The senior management of Lwiski Manufacturing tracks all control deficiencies identified during monitoring activities and assesses their impact on the organization. These control deficiencies are reported to the management team responsible for the relevant business unit. If necessary, the management team works with internal audit to develop the remediation plan, and internal audit provides oversight to verify deficiencies are remediated in a timely manner.

Specifically, the plan calls for one individual within the business unit to be assigned responsibility for remediating specific control deficiencies. A time frame for remediation is assigned to each control deficiency, based on its ranking. Working together, management and internal audit verify that deficiencies are remediated within the specified time frame.

Example: Follow-Up Reporting on Internal Audit Issues

Mr. James, the chief audit executive of Puna Incorporated, has established a database that tracks management action plans related to issues coming from internal audit reports. Mr. James receives timely updates on the status of actions from business process owners, and also periodically reports to the audit committee summaries of the status of action plans. The reporting includes the percent of action plans implemented on time by business unit.

When the business has not been able to take sufficient action on important internal audit issues by the originally reported implementation date, the process owner for the area is invited to attend the audit committee and explain the issues associated with implementing appropriate actions.

Approach: Developing Guidelines for Reporting Deficiencies

Point of focus addressed: Communicates Deficiencies (points of focus for this principle: Assesses Results, Communicates Deficiencies, Monitors Corrective Actions)

The board of directors develops a shared expectation with senior management on the types of control deficiencies that get reported to the board. The board of directors understands the facts and circumstances regarding internal control deficiencies that impact external financial reporting and provides oversight on management's conclusions and remediation plans.

Example: Reporting Deficiencies to the Board

Klemmens and Waters provides air transportation services. The management of the company periodically develops a report of significant deficiencies and material weaknesses, a summary of minor deficiencies, and a summary of past deficiencies. The purpose is to track whether deficiencies are being remediated in a timely manner. The reports are presented to the board for review.

Management has also developed with the audit committee a shared expectation, which states that regardless of the previous categorization, management will report all deficiencies resulting from:

·  Illegal or otherwise improper acts

·  A significant loss of assets

·  Intentional errors and omissions in the conduct of external financial reporting

The audit committee is briefed on the cause of the reported deficiencies and provides oversight of management's assessment of the deficiencies and the actions and status of remediation plans.

Footnotes (Evaluates and Communicates Deficiencies):

fn 30 In many cases the board of directors will appoint a committee to oversee the system of internal control, depending on the objective. For example, the board may appoint an audit committee to oversee the system of internal control over financial reporting.

Footnotes (Approaches and Examples for Applying the Principle):

fn 31 For example, in the United States, the SEC issued "Commission Guidance Regarding Management's Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934." Section B.1. covers the evaluation of control deficiencies and provides management with guidance on the assessment and reporting of deficiencies.

fn 32 For purposes of this example the deficiency classifications used are those related to external financial reporting in the US as promulgated by the SEC.

9. Limitations of Internal Control

The Framework recognizes that while an effective system of internal control provides reasonable assurance of achieving the entity's objectives, inherent limitations do exist. Even an effective system of internal control can experience a failure. These limitations may result from the:

·  Suitability of objectives established as a precondition to internal control

·  Reality that human judgment in decision making can be faulty and subject to bias

·  Breakdowns that can occur because of human failures such as errors

·  Ability of management to override internal control

·  Ability of management, other personnel, and/or third parties to circumvent controls through collusion

·  External events beyond the organization's control

These limitations preclude the board and management from having absolute assurance of the achievement of the entity's objectives—that is, internal control provides reasonable but not absolute assurance.


10. Blockchain and Internal Control

Blockchain and Internal Control: The COSO Perspective

Sponsored by Deloitte.

Jennifer Burns | Amy Steele | Eric E. Cohen | Dr. Sri Ramamoorti

The information contained herein is of a general nature and based on authorities that are subject to change. Applicability of the information to specific situations should be determined through consultation with your professional adviser, and this paper should not be considered a substitute for the services of such advisers, nor should it be used as a basis for any decision or action that may affect your organization.


Authors

Jennifer Burns, Deloitte & Touche LLP

Amy Steele, Partner, Deloitte & Touche LLP

Contributing Authors

Eric E. Cohen, Cohen Computer Consulting

Dr. Sri Ramamoorti, Associate Professor, University of Dayton

Acknowledgements

We would like to recognize and thank Yoland Sinclair, Manager, Deloitte & Touche LLP, the COSO Board, and COSO Chairman Paul Sobel for providing input, assistance, and valuable feedback in developing this paper. We also thank Tim Davis, Principal, Shelby Murphy, Managing Director, and Gireesh Sivakumar, Senior Manager, Deloitte & Touche LLP for their technical input and advice.

The COSO Board would like to thank Dr. Sri Ramamoorti for originating the idea for this paper and Deloitte & Touche LLP for its support.

COSO Board Members

Paul J. Sobel

COSO Chair

Douglas F. Prawitt

American Accounting Association

Robert D. Dohrer

American Institute of CPAs (AICPA)

Daniel C. Murdock

Financial Executives International

Jeffrey C. Thomson

Institute of Management Accountants

Richard F. Chambers

The Institute of Internal Auditors

Preface

Governance and Internal Control

Blockchain and Internal Control: The COSO Perspective

Research Commissioned by the Committee of Sponsoring Organizations of the Treadway Commission

July 2020

Copyright © 2020, Committee of Sponsoring Organizations of the Treadway Commission (COSO).

COSO images are from the COSO Internal Control - Integrated Framework ©2013, The American Institute of Certified Public Accountants on behalf of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO is a trademark of the Committee of Sponsoring Organizations of the Treadway Commission.

All Rights Reserved. No part of this publication may be reproduced, redistributed, transmitted, or displayed in any form or by any means without written permission. For information regarding licensing and reprint permissions, please contact the American Institute of Certified Public Accountants, which handles licensing and permissions for COSO copyrighted materials. Direct all inquiries to copyright-permissions@aicpa-cima.com or AICPA, Attn: Manager, Licensing & Rights, 220 Leigh Farm Road, Durham, NC 27707 USA. Telephone inquiries may be directed to 888-777-7077.

Design and production: Sergio Analco.


Contents

Executive Summary

I. Introduction

II. The Wave of Change Known as Blockchain

III. Components and Principles Overview

Conclusion and Next Steps

Appendix 1. Technical Appendix

Appendix 2. Key Insights: 10 Things to Know About Blockchain

Appendix 3. Blockchain, Financial Reporting Assertions, and Audit Evidence


EXECUTIVE SUMMARY

As blockchain becomes more mainstream, it is appropriate to focus on how this technology intersects with an entity's internal control. With careful implementation and integration of blockchain, the distinctive capabilities of blockchain can be leveraged to create more robust controls for organizations. Further, blockchain-enhanced tools have the potential to promote operational efficiency and effectiveness, improve reliability and responsiveness of financial and other reporting, and improve compliance with laws and regulations. At the same time, blockchain creates new risks and the need for new controls. The Committee of Sponsoring Organizations of the Treadway Commission's (COSO) Internal Control — Integrated Framework (2013 Framework, see Figure 1) provides an effective and efficient approach that can be leveraged to design and implement controls to address the unique risks associated with blockchain.

Figure 1. The COSO 2013 Framework

When an organization evaluates the use of blockchain through a COSO lens, it enables the board of directors and senior executives to better understand the context and make more informed assessments of the technology’s potential and applicability with respect to internal control. This enables the organization to perform a detailed risk analysis and, in turn, develop appropriate control activities to address such risks, facilitating the effective adoption and use of blockchain.


This paper provides perspectives for using the 2013 Framework to evaluate risks related to the use of blockchain in the context of financial reporting and to design and implement controls to address such risks. It is intended to help inform decisions regarding oversight, risks, and internal control over financial reporting (ICFR). As such, this paper is expected to be of value to the various stakeholders involved in financial reporting, within the context of their own environments (see Table 2). It is not the aim of this paper to explain the intricacies of blockchain nor detail technical differences between the major platforms. Appendix 1, however, includes a discussion of some of the key concepts as used in this paper (concepts in Appendix 1 are in bold the first time they appear in the Executive Summary and in the body of the paper) and the Supplementary Resources and References includes additional resources.

Observations and Implications

One of the more significant changes resulting from the use of blockchain relates to the hierarchy of the entity. Although the highest level of the hierarchy expressed in the 2013 Framework as shown in Figure 1 is the Entity Level, drilling down to Division, Operating Unit, and Function, blockchain has the ability to create new collaborative units, spanning different entities, operating on a decentralized basis but bound together with shared data (i.e., a decentralized database). From shared ledgers and record-keeping to overarching governance (perhaps leveraging smart contracts for oversight and cross-organization internal controls), blockchain can change the concept of an "entity" in an internal control environment as well as the related responsibilities and requirements.

The three objectives of the 2013 Framework, Operations, Reporting, and Compliance, may be heavily impacted by blockchain in terms of how the objectives are achieved.

In particular, many advocates believe that record-keeping will be entirely transformed, leading to completely ad hoc, automated, and on-demand reporting and compliance activities. With those transformations, the role and skillsets of management, management accountants, financial executives, and internal and external auditors may be subject to change.

coso.org


Further, the introduction of blockchain into the business environment will have implications for the five components of the 2013 Framework as follows:

Table 1. Implications of Blockchain on Five Components

Control Environment: Blockchain may be a tool to help facilitate an effective control environment (e.g., by recording transactions with minimal human intervention). However, many of the principles within this component deal primarily with human behavior, such as management promoting integrity and ethics, which blockchain, even combined with other technologies, is not able to assess. The greater challenge relates to the intertwining of an entity with other entities or persons participating in a blockchain and how to manage the control environment as a result.

Risk Assessment: Blockchain creates new risks and simultaneously helps to mitigate extant risks by promoting accountability, maintaining record integrity, and providing an irrefutable record (i.e., a person or organization cannot deny or contest their role in authorizing/sending a message or record).

Control Activities: Blockchain can act as a tool to help facilitate control activities. Blockchain and smart contracts can be a powerful means of effectively and efficiently conducting global business (e.g., by minimizing human error and opportunities for fraud). The collaborative aspects of blockchain, however, can introduce additional complexity, particularly when the technology is decentralized and there is no single party accountable for the systems that fall under ICFR.

Information & Communication: The inherent attributes of blockchain promote enhanced visibility of transactions and availability of data, and can create new avenues for management to communicate financial information to key stakeholders faster and more effectively. One aspect, in particular, for management to consider in applying blockchain is the availability of information to support the financial books and records, and the related auditability of information transacted on a blockchain.

Monitoring Activities: The promise of blockchain to facilitate monitoring more often, on more topics, in more detail, may change practice considerably. The use of smart contracts and standardized business rules, in conjunction with Internet of Things (IoT) devices, may alter how monitoring is performed.

The Future of Blockchain and Its Impacts on Financial Reporting and ICFR

The uses of blockchain will continue to develop and evolve and expanded adoption will likely transform how businesses operate. Many have expressed guarded optimism about the potential effect of blockchain on financial reporting and internal control. As with any disruptive technology, there is a need for each organization, in its own specific context, to evaluate the challenges, better understand the related risks, and work together to determine the best course of action and remediate those risks.

Many of the changes that proponents attribute to the adoption of blockchain are not found in isolation; it is blockchain plus something that is most successful. As a foundational technology, blockchain has the potential to radically change the global digital business landscape that would, in turn, have significant impact on almost everything else.

As organizations are contemplating the use of blockchain, they should know the following 10 things (See Appendix 2 for additional discussion):

1. Information about blockchain in the news and on the Internet is often misleading or incorrect.

2. Blockchain encompasses far more than digital assets; the benefits it can bring to an organization can be substantial.

3. Blockchain is not magic; it comes at a cost and doesn't eliminate all risks. In fact, it introduces new risks.

4. Knowing how blockchain works is crucial for evaluating, preparing for, and managing blockchain's impact on internal control and the organization as a whole.

5. Blockchain has both technology and governance implications.

6. Blockchain will not make management, accountants, or auditors less relevant, although it will impact what they do and how they do it.

7. Blockchain requires new skill sets (e.g., data science for greater hindsight, insight, and foresight) and new collaboration within and across organizations.

8. Now is the time to educate and engage stakeholders throughout the organization.

9. Blockchain is still in flux and continues to evolve.

10. Adoption of blockchain may not be a choice.

The potential benefits of blockchain to financial reporting will be maximized only if those who understand and are responsible for financial reporting, internal controls, and auditing are actively involved in the discourse about blockchain and collaborate to advance the collective agenda.

I. INTRODUCTION

This paper describes the use of the COSO Internal Control – Integrated Framework (2013 Framework) to evaluate risks related to blockchain (fn 1) in the context of financial reporting and to design controls to address such risks. Although this paper provides a discussion of high-level concepts related to blockchain (some of which are explained in Appendix 1), this paper is not intended to be a comprehensive guide about blockchain or about all issues, risks, and internal controls associated with the use of blockchain. The following table provides additional context on the audience and intended use of this paper.

Table 2. Audience and Intended Use

Board of directors; audit committee members. Intended use: understanding the following (governance level):

·  Key concepts related to blockchain

·  How blockchain may impact internal control at a sufficient level to enhance oversight responsibilities

Executives (CEO, CFO, Controllers); internal auditors, management accountants, and others concerned with internal control matters. Intended use: understanding of the following (operational and/or technical level):

·  Key concepts related to blockchain

·  How to leverage the 2013 Framework to evaluate considerations related to the use of blockchain and make more informed decisions about using blockchain

·  Examples of how each component of the 2013 Framework may be impacted when blockchain is implemented

External auditors. Intended use: understanding of the following (operational and/or technical level):

·  Key concepts related to blockchain

·  How to evaluate management's controls with respect to blockchain

Academics. Intended use: understanding the following (depending on basic or applied research interest):

·  Key concepts related to blockchain

·  How blockchain may impact internal controls

·  How to share the concepts as well as practical applications with students

This paper discusses each of the COSO components, describing:

• how to use blockchain to enhance that component,

• new threats or risks that arise from using blockchain, and

• examples of how to mitigate such threats or risks.

Finally, with a view to enhancing collaboration, the paper concludes with next steps that can be taken as blockchain becomes more widely adopted.

fn 1 The term "blockchain" is used throughout this paper to reference blockchain and distributed ledger technologies. In a broader context, these terms are sometimes used interchangeably and sometimes strongly differentiated; the ideas in this paper can be applied to both at a conceptual level.

II. THE WAVE OF CHANGE KNOWN AS BLOCKCHAIN

In light of the potential changes blockchain may bring to business and operating environments – as both an enabler and a driver – it seems prudent to consider its implications on internal control. Blockchain implementations might address, or even eliminate, extant internal control weaknesses; might be used to improve existing controls; and – particularly in the absence of recognized best practices – might pose new risks or challenges in practical contexts.

What is blockchain?

There are many conflicting definitions of blockchain, but drawing on a variety of sources this paper uses the following working definition: blockchain is an append-only ledger, a sequential database maintained by a decentralized network of users responsible for agreeing upon additions to the chain and secured through cryptography (fn 2). In lay terms, a blockchain is a secure, transparent, irreversible digital ledger shared across participants. It is important to note that many different types of blockchains exist; there is no singular "the blockchain."

Many of the changes that proponents attribute to the adoption of blockchain are not found in isolation; it is "blockchain plus something" (i.e., other emerging technologies) that may make the changes possible. These technologies focus on supplementing or eliminating manual tasks, and moving toward a more streamlined state of financial reporting with more timely reporting of relevant information. Certain tools and technologies that may be helpful in further exploiting the potential evolution of blockchain include the following:

Artificial intelligence (AI)

AI is an area of computer science where intelligent machines work and react like people for tasks like decision-making, problem-solving, emulating senses, learning, planning, and activities like visual perception and speech recognition. It is particularly useful at identifying patterns and outliers. AI can be used to augment human involvement or as its replacement. For instance, AI can be used to analyze real-time trade transactional data and other information on a blockchain to simulate human judgment in classification, recording, analytics, and decision-making.

Internet of Things (IoT)

Internet of Things is a broad term for the growing list of things that can link to the Internet. With home automation devices, just about anything that can turn on and off can be Internet-enabled and be part of a network of things that can monitor, report about, and act upon the environment around it. IoT devices can potentially write to or act upon information in a blockchain to assist auditors in their work.

Big Data/Open Data

The availability of data beyond an entity's own books and records, so-called exogenous data, can facilitate broader industry analytics to provide greater context to advanced audit data analytics. Big data refers to the wide variety of data coming from sources such as IoT, social media, and other data sources too large or complex to be processed by traditional applications. Open data is a subset of big data: large, usually structured, data sets, usually made available by governments (fn 3). Big data, IoT, AI, and blockchain may all be used together in the future and, working in conjunction with internal control processes, could become a powerful toolset.

fn 2 Cryptography enters in two ways. Before a transaction is entered on a blockchain it must be agreed to through a consensus protocol, and each block is linked to the prior block by carrying that block's cryptographic hash (a unique identifier), so altering any earlier block changes every later hash and the tampering is detectable.

fn 3 www.data.gov.

Implications for Internal Control

The internal control environment is likely to be different in a blockchain-enabled world. As such, it is important to consider and leverage these differences, factoring in blockchain capabilities, attributes, risks, and benefits. Leveraging distinctive capabilities of blockchain to enhance internal control, in turn, may promote greater:

• Effectiveness and efficiency of operations,

• Accuracy, consistency, and reliability of financial and other reporting, and

• Compliance with applicable laws and regulations.

In many ways, the control considerations with respect to implementing and operating blockchain solutions are much like those of a new Enterprise Resource Planning (ERP) or document management system. When considering financial reporting controls, certain “mainstay” financial controls (e.g., reconciliations) and processes (e.g., creation of financial reports) will likely fundamentally change. Further, new risks may emerge, which will require new controls. See sidebar for examples of how financial reporting controls and processes may change.

fn 4 www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html.

EXAMPLES OF HOW FINANCIAL REPORTING CONTROLS AND PROCESSES MAY CHANGE

Internal controls related to the control environment

The amount of control an entity may be able to impose within different blockchain environments will vary. In many cases, control will no longer rest within the entity. This will impact how entities consider and evaluate issues within the control environment.

Reconciliations

With the use of a blockchain solution in reconciliation-heavy areas (e.g., intercompany transactions), reconciliations will become highly streamlined and efficient and will give all parties to the transaction increased visibility.

Confirmations

With the ability to reperform calculations of transactions on the blockchain, there may no longer be a need for certain types of confirmations. However, there may also be an increased need for other confirmations with potentially new service providers.

Vendor and supplier approval

The use of blockchain may change the nature of an organization’s relationships with vendors and suppliers (e.g., how transactions are processed, visibility to pricing, and reporting and transparency of information).

Third-party service providers

Like other technology solutions, blockchain solutions may be controlled internally or sourced externally. Most externally sourced systems are typically overseen by a particular third party, the service organization. Management can request a type 2 system and organization controls (SOC®) report. For ICFR purposes the relevant report is a SOC 1® type 2, whose opinion addresses "the fairness of the presentation of [the third party's] management's description of the service organization's system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period." (fn 4) A SOC 2® type 2 report, by contrast, addresses the trust services criteria (security, availability, processing integrity, confidentiality, and privacy) and is the report to ask for when the concern is the security of the platform itself rather than its effect on financial reporting. Consequently, the demand for some form of SOC reporting in these environments will likely increase.

Decentralized external systems

In a blockchain world, there may be no singular, centralized management to oversee a particular blockchain. Although the pre-established rules (protocol) of the designers and changes brought on by the consensus of the stakeholders can be communicated, there may be no singular external entity that can be held accountable for achieving the control objectives or held responsible when there are problems. This lack of accountability poses a serious challenge. Without centralized management, there may be no simple or easy way to engage a SOC auditor and, absent SOC reports, enterprises must consider alternatives.

Integration of Digital Assets

Another way blockchain can be different from traditional technology solutions is integration of digital assets into the system. Some blockchains have their own integrated digital payment or value that exists nowhere else and can be tracked no other way. Traditional systems can link into banking or other financial systems; blockchain is sometimes the system itself.

Electronic audit trail

An important benefit from certain blockchains is the automatic creation and presence of an electronic record of all transactions (i.e., an audit trail). Nevertheless, additional challenges exist with respect to determining ownership and rights, and just because a transaction is on a blockchain does not necessarily validate the transaction for books and records purposes. Further, it is possible that the evidence an auditor may wish to find is not on the chain itself ("on-chain"); although, there may be sufficient context to be able to get that information from other sources ("off-chain"), if they exist and are readily available (fn 5).

Work of internal and external audit

Given the underlying blockchain-enabled platform for implementing internal control, the work of both external and internal auditors may be facilitated by the increased automation of controls and interactions with other emerging technologies (e.g., AI, IoT). An internal control environment facilitated by blockchain may enable a more reliable internal audit environment on which external auditors may be able to better rely. Coordination of the work performed, and coverage achieved by the external and internal auditors may be enhanced.

Continuous real-time financial reports

More substantive and substantial continuous real-time financial reports will be possible and may become routine. Some parties may wish to have access to a blockchain and produce their own ad hoc reports (and be able to access real-time information), rather than receive agreed-upon, periodic reports from an organization.

Monitoring becomes the only control “after the fact”

If internal environments are streamlined to the point that once a transaction hits the system, the end reporting is pre-determined, one could make the case that everything other than monitoring is considered “before the fact”/ transaction pre-processing, and the only controls needed “after the fact”/post-processing are monitoring controls.

Types of Controls in a Blockchain World

Controls are characterized as preventive (before risk materializes) and detective (during or after risk materializes). With blockchain, these control types are still relevant and applicable.

Table 3. Implications of Blockchain on Types of Controls

Type of Control: Preventive controls
Implications of blockchain: Recognizing the immutable nature of transactions recorded on the blockchain, there is a premium on recording transactions correctly the first time.

Type of Control: Detective controls
Implications of blockchain: The visibility of transactions in a blockchain world provides new avenues for detective controls, when the necessary information is either available on-chain or discoverable off-chain from the on-chain record. In addition, because a significant amount of data will be available, blockchain coupled with the analytical abilities of other emerging technologies – such as AI, IoT, and data analytics – may be used as a means of detecting anomalies.6 The challenge, in a blockchain world, is what to do when an issue is identified. Although generally corrections are still possible, given blockchain’s append-only feature, corrections will need to be reflected as adjustments rather than directly as corrections to an existing transaction. Note that this will depend on the specifics of the particular blockchain being used.

Given the speed with which transactions are processed and recorded on the blockchain, coupled with the immutability and irreversibility of such transactions, the implementation of more preventive rather than detective controls will likely become more prevalent to assist companies in mitigating the risk of significant loss or error. Companies may also consider increasing the frequency with which detective controls are performed to promote more timely identification of errors.
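Two points in this part of the paper lend themselves to a small worked example: the table's observation that on an append-only record a correction must be posted as an adjustment rather than as an edit, and the earlier remark (before "Work of internal and external audit") that the on-chain record may only point to evidence held off-chain. The following toy hash-chained ledger is an added example and is not code from the COSO paper or from any real blockchain; the Ledger and Entry types, the reconcile function and the sample invoice and credit-memo documents are all constructed for illustration. It shows a correction posted as a reversing adjustment that references the original entry, a chain check that flags any later edit to a historical entry, a hash commitment used to test whether an off-chain document is the one the entry recorded, and a reconciliation of internally generated balances against the chain, which is the kind of comparison footnote 6 describes.

```python
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional

# Hypothetical toy ledger, not any real blockchain: a hash-chained,
# append-only list of entries. Each entry commits to its off-chain
# supporting document (invoice, credit memo, ...) by SHA-256, so the
# on-chain record can be checked against off-chain evidence without
# storing that evidence on the chain.


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Entry:
    seq: int                 # position in the chain
    account: str
    amount: int              # signed; an adjustment carries the reversing sign
    doc_hash: str            # commitment to the off-chain supporting document
    adjusts: Optional[int]   # seq of the entry being corrected, or None
    prev_hash: str           # hash of the preceding entry ("0" * 64 for the first)
    entry_hash: str = ""

    def body(self) -> bytes:
        """Canonical bytes covered by entry_hash (everything except the hash itself)."""
        d = asdict(self)
        d.pop("entry_hash")
        return json.dumps(d, sort_keys=True).encode()


class Ledger:
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def append(self, account: str, amount: int, off_chain_doc: bytes,
               adjusts: Optional[int] = None) -> Entry:
        prev = self.entries[-1].entry_hash if self.entries else "0" * 64
        draft = Entry(len(self.entries), account, amount,
                      sha256_hex(off_chain_doc), adjusts, prev)
        entry = Entry(**{**asdict(draft), "entry_hash": sha256_hex(draft.body())})
        self.entries.append(entry)
        return entry

    def correct(self, seq: int, off_chain_doc: bytes) -> Entry:
        """Append-only correction: post a reversing adjustment that references
        the original entry instead of editing it."""
        original = self.entries[seq]
        return self.append(original.account, -original.amount, off_chain_doc, adjusts=seq)

    def balance(self, account: str) -> int:
        return sum(e.amount for e in self.entries if e.account == account)

    def verify_chain(self) -> bool:
        """Detective control: every entry must hash correctly and link to its predecessor."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or e.entry_hash != sha256_hex(e.body()):
                return False
            prev = e.entry_hash
        return True


def evidence_matches(entry: Entry, off_chain_doc: bytes) -> bool:
    """Check that an off-chain document is the one the on-chain entry committed to."""
    return sha256_hex(off_chain_doc) == entry.doc_hash


def reconcile(ledger: Ledger, internal_balances: Dict[str, int]) -> List[str]:
    """Compare internally generated balances with the chain; return mismatched accounts."""
    return sorted(acct for acct, bal in internal_balances.items()
                  if ledger.balance(acct) != bal)


def ledger_with_edited_entry(ledger: Ledger, seq: int, amount: int) -> Ledger:
    """Copy of the ledger in which one historical entry was silently altered,
    used only to show that verify_chain() flags it (test aid, not a ledger operation)."""
    copy = Ledger()
    copy.entries = list(ledger.entries)
    copy.entries[seq] = Entry(**{**asdict(ledger.entries[seq]), "amount": amount})
    return copy


# Constructed sample documents (not real records).
SAMPLE_INVOICE = b"INV-1001: 500 units @ 10 = 5000"
SAMPLE_CREDIT_MEMO = b"CM-7: reverses INV-1001 (quantity keyed incorrectly)"
SAMPLE_REISSUED_INVOICE = b"INV-1001R: 450 units @ 10 = 4500"


def build_sample_ledger() -> Ledger:
    ledger = Ledger()
    ledger.append("receivable", 5000, SAMPLE_INVOICE)        # recorded wrongly
    ledger.correct(0, SAMPLE_CREDIT_MEMO)                    # reversal, not an edit
    ledger.append("receivable", 4500, SAMPLE_REISSUED_INVOICE)
    return ledger


if __name__ == "__main__":
    sample = build_sample_ledger()
    print("chain valid:", sample.verify_chain(), "balance:", sample.balance("receivable"))
```

The original entry stays in the chain with its wrong amount; the net balance is right only because the adjustment and the re-issued invoice were appended after it. Any attempt to fix the historical entry in place changes its body hash, so verify_chain() fails, which is the behaviour a detective control over the chain should rely on.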


5 On-chain refers to information that is stored on the blockchain itself. In contrast, off-chain refers to information not stored on the blockchain, but directly or indirectly connected to the information on-chain.

6 For instance, comparisons of internally and externally generated data will become quite efficient, and inconsistencies, if any, will be quickly discovered and highlighted. This will become a powerful means of monitoring. See also sidebar on page 4.

coso.org


III. COMPONENTS AND PRINCIPLES OVERVIEW

When implementing blockchain, the potential implications for ICFR, considering each COSO component and principle (see Table 4), should be analyzed. It is helpful to consider:

• Blockchain’s usefulness in achieving the principles of the 2013 Framework

• New threats or risks that may arise from blockchain implementation that impact the referenced principle

• Examples of how to mitigate those risks while seeking the greatest benefit

Blockchain and Internal Control: The COSO Perspective | 7

Table 4. 2013 Framework Control Components and Summarized Principles

Component: Control Environment
Principles:
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority, and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Component: Risk Assessment
Principles:
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Component: Control Activities
Principles:
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys control activities through policies and procedures

Component: Information and Communication
Principles:
13. Uses relevant, quality information
14. Communicates internally
15. Communicates externally

Component: Monitoring Activities
Principles:
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

The internal control opportunities and risks associated with blockchain will vary based on the nature and type of blockchain implemented and the amount of influence, oversight and control an organization can impose within different blockchain environments. In applying the 2013 Framework to blockchain, it is important to be aware of the following:

• Implementing a private, permissioned blockchain within a single enterprise will bring some new considerations and risks, but will also be an experience much like adopting any previous technology, if management has the ability to control the blockchain, including the inputs, processing, and outputs.

• Joining a consortium blockchain or another organization’s private blockchain brings new inter-organizational challenges such as risks and controls being shared across organizations, demanding more coordinated decision-making.

• Making a public, permissionless blockchain part of the financial reporting environment brings an entirely different set of risks and challenges, because decision-making may be decentralized, leaving little room for individual influence and little individual accountability. While this may be compared with the use of an outside service organization, management will need to take a much broader and potentially more in-depth view of these “outsourced” processes.

Control Environment

Summary Principle

1. Demonstrates commitment to integrity and ethical values: The organization demonstrates a commitment to integrity and ethical values.

2. Exercises oversight responsibility: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

3. Establishes structure, authority, and responsibility: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

4. Demonstrates commitment to competence: The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

5. Enforces accountability: The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Control Environment is primarily about the existence of a risk and control-conscious culture and the policies, processes, and structures that guide people at all levels in carrying out their responsibilities in a manner that is consistent with the entity’s commitment to integrity and ethical values. The perception of blockchain as just another (albeit exciting and perhaps revolutionary) technology could result in underestimating its potential impact on the control environment. Blockchain does not change human nature or the behavioral aspects of governance that have a significant influence on the overall control environment – those remain largely unchanged regardless of the technology used.

Nevertheless, there are important control environment implications when using blockchain. It is important that management has the appropriate skill set to sufficiently understand how the entity plans to use the blockchain and the governance structure of the particular blockchain (i.e., the unique governance structure and ongoing health and operating effectiveness of such structure), in order to assess whether the use of blockchain supports the entity’s commitment to integrity and ethical values. It is also important that the board of directors has a sufficient understanding of the technology to fulfill their oversight responsibilities.

Using Blockchain to Enhance the Control Environment

• Blockchain can provide organizations with a method of executing and recording transactions with minimal human intervention. Further, the highly automated nature of blockchain, coupled with the technology’s ability to validate and record immutable transactions on a shared ledger, provides organizations with opportunities to avoid human error and combat transactional and reporting fraud.

• With blockchain, processes will commonly have cryptographically verifiable immutability and irreversibility; thus, with a well-designed and implemented blockchain, management should be able to rely upon and provide evidence of actions.

• The increased visibility provided by a shared ledger system contributes to transparency, which promotes a strong control environment and facilitates the ability to provide real-time financial reports.

• Blockchain, coupled with the analytical abilities of other emerging technologies such as AI and data analytics, may allow organizations to identify deviations from an organization’s standards of conduct on a timelier basis. This may prove especially helpful in implementing effective oversight in large and/or decentralized organizations.

• In some instances, blockchain may facilitate the removal of management’s manual intervention from processes, making them largely immune to the influence of management decisions, integrity, and ethics.

New Threats or Risks Posed by the Use of Blockchain

• The pseudo-anonymity7 of the parties that transact on a blockchain, coupled with the open nature and potential lack of guard rails, poses a threat that a permissionless blockchain may be used for unethical exploits.8

• Each blockchain is set up with a unique governance structure that needs to be actively monitored concerning the health and the operating effectiveness thereof.

7 In a public blockchain, assets are exchanged between blockchain addresses and private keys are used for authorization, but people and organization names are not explicitly associated with those addresses and keys. This offers a level of disguised identity, because it is possible to transact without giving any personally identifiable information. It is, however, possible to pierce the veil of identity through various de-anonymizing methods.

8 Recognizing that while efforts are underway to incorporate the Legal Entity Identifier (LEI, a unique serial number for organizations globally) into blockchain – which would make conflicts of interest easier to identify and assess – there still is a threat of potential unethical exploits in the current space given the pseudo-anonymity.

• For certain blockchains, the decentralization and lack of a central intermediary, system or oversight body to hold parties accountable for their actions leads to situations in which there is literally “no one minding the store.” If and when things go wrong, for certain blockchains, there is no recourse to anyone, and thus no accountability – a serious governance-related drawback.

• Although generally, the use of blockchain is considered forward-thinking and positive, the act of advocating, adopting, and embracing blockchain or associating with certain groups may be seen negatively by an organization’s employees, clients, advisors, and overseers. Further, depending on the nature of the blockchain and the fellow participants in the blockchain, an organization may face reputational risk, because participating may be perceived as sharing in the lowest common denominator of the group’s ethics (i.e., reputation by association).

• For certain arrangements, controlling who gets in and consensus changes to the system will be out of the control of management.

• Blockchain’s newness and complexity means competent personnel are hard to find, and a commitment to competence is difficult to guarantee or assess. The potential that blockchain has to facilitate pervasive automation means more tasks can be done automatically, and the nature of people’s responsibilities and related competencies can change, sometimes dramatically. Similarly, it may be difficult for management and those charged with governance to obtain the relevant level of understanding and expertise to effectively oversee the implementation and use of blockchain.

Mitigating New Threats and Risks Associated with Blockchain Implementation

In response to the specific risks identified, management and the board of directors may consider the following actions:

• Where applicable, develop a code of conduct that governs the conduct of parties within a blockchain and establishes guidelines for addressing noncompliance. Organizations seeking to implement a private blockchain or create a consortium blockchain may develop such a code of conduct and mechanisms to (1) validate each member’s commitment to ethics and integrity and (2) enforce accountability with the code of conduct and report/address/remediate any deviations. Organizations should have a clear understanding of the governance process and actively monitor and evaluate whether it is effective. Organizations may also consider engaging an independent external party to provide oversight and validate adherence to the established code of conduct, if possible. In such cases, it will be important for the organization to have clear reporting lines established to ensure the external party reports directly to those charged with governance of each respective party.9

· Also, consider expectations regarding the code of conduct, responsibilities, and authority of outsourced service providers. Although much of the activity related to outsourced service providers occurs outside the blockchain, the results could be challenging if unreliable data associated with these relationships enters the blockchain.

• Develop due diligence policies that establish guidelines and criteria for determining parties with whom the organization will transact; parties with whom the organization will grant access to a blockchain; and the public blockchains that an organization may elect to use in conducting transactions. These policies may include Know-Your-Customer (KYC) procedures, Anti-Money Laundering (AML) procedures, asking for SOC reports, and other due-diligence procedures to understand the identity and integrity of the counterparty. Such procedures may also include obtaining an understanding of the policies in place to govern the conduct of parties within a blockchain. Maintaining an understanding of the governance process and continuing to monitor its effectiveness is particularly important.

• Assess the need to obtain or build expertise surrounding the blockchain technology, to ensure effective implementation of blockchain and appropriate use and updating of the technology post-implementation. Further, such competencies should continue to be re-evaluated and monitored as the technology continues to evolve rapidly.

• Ensure that the organization is capable of assessing and evaluating the new technology and process. This may be achieved through in-house resources, outsourced resources, or a combination.

9 Establishing a code of conduct will most likely not be feasible for public blockchains. As such, management and those charged with governance will need to evaluate the risks associated with using a public blockchain and their corresponding levels of tolerance for such risks.

• Establish cross-disciplinary teams, which include blockchain specialists and representatives from each aspect of the business that are affected by the implementation of the technology (e.g., IT, accounting, finance, operations, and internal audit). Such teams should be engaged throughout the planning, development, and implementation process.

• Evaluate and enhance, if needed, the board and audit committee’s ability to understand the potential uses and risks associated with blockchain and its ability to effectively oversee the implementation and use of blockchain.

• Define degrees or levels of responsibility and authority surrounding the blockchain technology, considering segregation of duties concerns (e.g., access-level privileges, private key access and the ability to authorize transactions, and associated financial reporting). Develop a suitable succession plan for assigned degrees or levels of authority and responsibility surrounding the blockchain that are key to internal controls.

• Establish clear reporting lines for consortium or private blockchains that identify individuals or a group of individuals responsible for handling disputes which arise among members of a network, if not built into the underlying protocol. This could involve defining a dispute resolution jurisdiction and mutually agreed-upon procedures as well as potential parting of ways when “irreconcilable differences” arise.

Risk Assessment

Summary Principle

6. Specifies suitable objectives: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

7. Identifies and analyzes risk: The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

8. Assesses fraud risk: The organization considers the potential for fraud in assessing risks to the achievement of objectives.

9. Identifies and analyzes significant change: The organization identifies and assesses changes that could significantly impact the system of internal control.

Risk assessment involves the iterative process of identifying and assessing threats to the achievement of objectives. Blockchain will likely bring about new objectives and risks that need to be addressed. It is important for organizations to have the appropriate skills and resources to comprehend the unique risks associated with blockchain and identify, assess, and address those risks on an ongoing basis.

Using Blockchain to Enhance Risk Assessment

• The integration of blockchain with other emerging technologies could provide management, the board, and external parties with real-time reporting – thereby creating a more agile business environment – that identifies and assesses the achievement of various entity objectives (e.g., operational, external financial reporting, compliance or other internal objectives).

New Threats or Risks Posed by the Use of Blockchain

· Traditional risk assessments have been entity-focused, but with the use of blockchain, companies will need to consider risks more broadly. For example, entities may consider the susceptibility of the other parties within the blockchain network to risk and the effects that this could have on their respective businesses. Furthermore, different risk appetite/risk tolerances among members of a blockchain can lead to conflict when monitoring controls are designed for a blockchain. For particular blockchains, there may be questions about who is responsible for managing risks if no one party is in charge, and how proper accountability is to be achieved.

· The implementation of a blockchain may leave companies vulnerable to new fraud schemes or new avenues to carry out traditional fraud schemes. See right sidebar for examples.

· The amount of data available in a blockchain-enabled environment can become unmanageably large; attempting to manage too much data may bring about data overload, resulting in exacerbated data governance issues.

· Smart contracts are both a potential risk and an important part of the risk mitigation tool set. Once put in place, they will self-execute and are difficult to stop. Therefore, if developed incorrectly or manipulated, the effects could lead to error or potentially significant loss on a magnified scale.

· The use of a blockchain could present issues surrounding obtaining sufficient appropriate evidence to support transactions recorded in an organization’s financial records (i.e., due to the loss of the transaction audit trail in an electronic environment).

· Digital assets introduce a new class of assets for which there exists little or no prior experience and few meaningful parallels in managing risk and identifying unusual behavior. Businesses considering holding digital assets have incremental considerations regarding the assets themselves, including the market volatility, or lack of market for certain digital assets, cybersecurity risks around the protection of the private keys, accounting and financial reporting of such assets, and evolving regulatory requirements.

EXAMPLES OF NEW TYPES OF FRAUD SCHEMES

• The reliability of financial information stored on the digital shared ledger is dependent on the underlying technology. If the underlying consensus mechanism, or other aspects of the blockchain, have been tampered with, this could render the financial information stored in the ledger inaccurate and unreliable.

• The pseudo-anonymity of parties on a blockchain can increase opportunities for collusion or obfuscate related party transactions. This risk may be more applicable with reference to public blockchains, given the likelihood of a more pseudo-anonymous environment with large numbers of unknown parties on such networks.

• Although a reliable blockchain provides transaction security, it does not provide account/wallet security; hence, value stored in any account is still susceptible to account takeover, if an organization’s private keys are stolen or compromised.

• There are heightened cybersecurity risks to blockchain. If the underlying technology is compromised as a result of cyberattacks, an organization’s assets could be stolen. Furthermore, the impact of cyberattacks could extend beyond the organization to others within the network. There are also some unique aspects of cyber risks affecting blockchain as a result of its use of cryptography, wallets, and its decentralized nature.

10 Deloitte’s 2019 Global Blockchain Survey, Blockchain Gets Down to Business. Deloitte Insights.

• Integration challenges between the blockchain and existing legacy systems may arise. Blockchain will most likely be a tool that is a part of a larger core infrastructure and will have to work seamlessly with legacy infrastructure. Poor integration of blockchain with other entity systems could result in less-than-desired outcomes, such as poor client experience and regulatory noncompliance issues. See sidebar at right for additional discussion.

· The regulatory environment surrounding blockchain, smart contracts, and digital assets continues to evolve and may vary across jurisdictions, leading to uncertainty around the regulatory requirements (including tax, data privacy, and protection, reporting, or other regulatory requirements).

· The blockchain business environment also continues to evolve, with improvements in the technology, best practices, and new use cases being identified every day. The ability to monitor the fast-paced, and rapidly evolving, environment may prove difficult and challenging.

· Fragmented solutions that exist today may soon be replaced. The significant investment of time, talent, money, and media coverage into the technology and methodology has resulted in a highly fragmented market of solutions, with overlapping capabilities and little interoperability. Given the ongoing haphazard, uncoordinated approach to blockchain development, Gartner has predicted that 90% of 2019’s blockchain implementations will require replacement by 2021.11

In addition, due to the highly automated nature of the technology, general IT and other risks may be exacerbated or heightened in a blockchain environment, such as in the following areas:

• Although issues such as access rights to the system and data and program integrity are common to other technological solutions, concerns about technology access rights are heightened because the effects of inappropriate access issues can become shared issues across companies on a blockchain.

• Where the blockchain is visible to many parties, the visibility may bring cybersecurity challenges and cyberattacks.

• For most public blockchains, users may not be able to obtain an understanding of the general IT controls implemented and the effectiveness of these controls. Furthermore, where there is no central authority to administer and enforce protocol amendments, there could be a challenge to establishing development/maintenance process control activities for the technology.

• Given the speed with which transactions are recorded on a blockchain, coupled with the immutability and irreversibility of transactions, organizations may face increased risk of significant loss or error in the event that deficiencies in internal controls over a blockchain are not identified and corrected in a timely manner. Additionally, the elimination of centralized overseers and intermediaries may leave companies with no recourse when errors or losses occur, creating governance challenges. Companies engaging in blockchain-based transactions cannot rely on central intermediaries, such as a bank, to restore their funds in the event of fraud. As such, companies will need to consider whether enhancements to their internal control infrastructure may be warranted.

• As organizations begin to incorporate blockchains, there will be a transition period. During this time, legacy systems, ERPs, or third-party cloud-based systems will perform front-end processing and data collection, then interface with a blockchain for additional processing or recording. Although data is largely secure and tamper-proof once in a blockchain, that data is still vulnerable to common IT risks while outside the blockchain.12 The interface transmission of data from upstream systems to a blockchain will be a sensitive control point in these new environments.

Interoperability of Blockchain

There are limited success stories related to blockchain interoperability despite indications that businesses believe the integration of multiple chains is important.10 In an era where the Web has brought platform agnosticism, and Macs, PCs, and portable devices can all access important resources, most blockchain use today is stand-alone. Future uses will have to be interoperable, as value networks exchange information with service networks, which exchange information with content networks, and all work together with AI or IoT or traditional databases and systems. The market has proven the network effect in the past: adoption begets more adoption and enhancements, which will in turn breed more adoption, and so on.

11 www.gartner.com/en/newsroom/press-releases/2019-07-03-gartner-predicts-90--of-current-enterprise-blockchain.

Mitigating New Threats and Risks Associated with Blockchain Implementation

In response to the specific risks identified, organizations may need to consider some of the following actions:

· Establish objectives for the use of blockchain such that its implementation supports reliable and verifiable books and records to enable appropriate accounting and effective financial reporting.

· Develop more robust risk assessment processes that consider the implications of blockchain on all aspects of the organization. In developing such an assessment, it may be helpful for companies to engage relevant IT and blockchain specialists to assist in identifying potential threats, areas of risk, and fraud schemes (based on knowledge of the organization’s control environment, the blockchain, and common fraud schemes). Performance of such a risk assessment process prior to the implementation of blockchain will also be helpful in evaluating the potential benefits and costs associated with the technology.

· Develop procedures to stay abreast of changes in the business and regulatory environment around blockchain. Early engagement of the entity’s legal counsel and internal audit department in the implementation of the technology may assist in keeping informed about changes in the regulatory environment.

• As blockchain is integrated into an organization’s business information process, and such integration has financial reporting implications, management should engage with appropriate parties (e.g., internal auditors, external auditors) to identify new risks relevant to financial reporting, internal control, appropriate accounting treatment, and implications for audits (e.g., potential auditability challenges).

· Engage appropriate IT and blockchain specialists with knowledge of the entity’s existing systems to assess how blockchain will be integrated into and operate as a part of the entity’s existing IT infrastructure, prior to its implementation.

· Develop strong governance and change-control processes to deploy new or amend existing smart contracts or changes to the blockchain. Such processes should also contemplate incident response management, and methods to identify and respond to glitches in smart contract and blockchain operations.

While control activities will be discussed more fully in the next section, example controls to mitigate fraud and cybersecurity risks could include:

• Implementing appropriate segregation of duties between the ability to authorize blockchain transactions (i.e., access to the private keys) and the ability to record transactions within the entity’s general ledger, as well as establishing appropriate access controls surrounding the ability to authorize and execute changes to the underlying technology.

− User-acceptance testing should be undertaken through blockchain prototypes and realistic use cases to avoid undesirable outcomes, including with respect to segregation of duties.

• Establishing controls over information transfer to and from the blockchain to the entity’s general ledger system and other off-chain systems.

• Using multisignature or key sharding techniques13 to manage the ability to authorize blockchain-based transactions.

12 M.D. Sheldon, “A Primer for Information Technology General Control Considerations on a Private and Permissioned Blockchain Audit,” Current Issues in Auditing, Vol. 13, No. 1 (Spring 2019): A15–A29.

13 Key sharding, like multisignatures, is a method of managing keys to decentralize risk and control by requiring multiple parties to be involved (e.g., by splitting up portions of the private key).

• Deploying a combination of preventive controls and detective controls to protect from intruders accessing the information systems; or when an intrusion has occurred, quickly detecting and preventing further access after the initial layers of defense are compromised.

• Developing and implementing a structured approach to manage the identification and assessment of cybersecurity risk, including an assessment of how the organization and other members of the blockchain network may identify and address shared cybersecurity risks.
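The item in the list above on multisignature or key sharding (footnote 13) can be illustrated with a k-of-n split of a signing key using Shamir secret sharing. This is an added example, not code from the COSO paper or from any wallet or key-management product; split_key, recover_key, authorize, the sample key and the holder roles are all constructed for illustration. The arithmetic is done modulo the secp256k1 group order N, which is prime, so a private-key scalar in [1, N-1] can be split directly. The example goes a step beyond the text by adding a segregation-of-duties gate: shares are accepted only from their registered holders, and at least the threshold number of distinct holders must take part before anything is signed.

```python
import secrets
from typing import Dict, List, Tuple

# Hypothetical k-of-n key sharding with Shamir secret sharing over GF(N).
# N is the secp256k1 group order (a prime); private-key scalars lie in [1, N-1].
# Not a production key-management library: a real deployment would use
# on-chain multisig or threshold signing so the full key is never reassembled
# on a single machine.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation of a polynomial with coefficients [a0, a1, ...] mod N."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % N
    return acc


def split_key(secret: int, threshold: int, share_count: int) -> Dict[int, int]:
    """Return {share_index: share_value}; any `threshold` shares rebuild the key,
    and fewer than `threshold` reveal nothing about it."""
    if not 1 <= secret < N:
        raise ValueError("secret must be a scalar in [1, N-1]")
    if not 1 < threshold <= share_count < N:
        raise ValueError("need 1 < threshold <= share_count")
    # a0 is the secret; the remaining coefficients are uniformly random.
    coeffs = [secret] + [secrets.randbelow(N) for _ in range(threshold - 1)]
    return {x: _eval_poly(coeffs, x) for x in range(1, share_count + 1)}


def recover_key(shares: Dict[int, int], threshold: int) -> int:
    """Lagrange interpolation at x = 0; refuses to proceed below the threshold."""
    if len(shares) < threshold:
        raise PermissionError(f"{len(shares)} shares presented, {threshold} required")
    points = list(shares.items())[:threshold]
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % N
                den = den * (xi - xj) % N
        secret = (secret + yi * num * pow(den, -1, N)) % N
    return secret


def authorize(presented: Dict[int, Tuple[str, int]], holders: Dict[int, str],
              threshold: int) -> Tuple[bool, str]:
    """Segregation-of-duties gate run before any signing step.
    `presented` maps share_index -> (holder_id, share_value);
    `holders` is the register of which holder is responsible for which share."""
    for idx, (holder, _) in presented.items():
        if holders.get(idx) != holder:
            return False, f"share {idx} not presented by its registered holder"
    if len({holder for holder, _ in presented.values()}) < threshold:
        return False, "fewer distinct approvers than the threshold"
    return True, "quorum met"


# Constructed example: a 2-of-3 split held by three separate functions.
SAMPLE_KEY = 0x1F3A5C7E9B0D2468ACE013579BDF2468ACE013579BDF2468ACE013579BDF2468
SAMPLE_HOLDERS = {1: "treasury", 2: "cfo-office", 3: "internal-audit"}


if __name__ == "__main__":
    shares = split_key(SAMPLE_KEY, 2, 3)
    quorum = {1: ("treasury", shares[1]), 3: ("internal-audit", shares[3])}
    ok, why = authorize(quorum, SAMPLE_HOLDERS, 2)
    print(ok, why)
    if ok:
        rebuilt = recover_key({i: v for i, (_, v) in quorum.items()}, 2)
        print("key recovered correctly:", rebuilt == SAMPLE_KEY)
```

A corrupted or substituted share does not fail loudly here: interpolation simply yields a different scalar, so a deployment would pair this with a check that the rebuilt key matches the expected public key before signing. The holder register in authorize() is what turns the cryptographic k-of-n into an organizational control; without it, one person holding two shares satisfies the threshold alone.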

Control Activities

Summary Principle

10. Selects and develops control activities: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

11. Selects and develops general controls over technology: The organization selects and develops general control activities over technology to support the achievement of objectives.

12. Deploys through policies and procedures: The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Control activities help mitigate risks to the achievement of objectives and are performed at all levels of the organization, at various stages within business processes, and over the technology environment. Control activities may be preventive or detective in nature and may encompass a range of manual and automated activities, such as authorizations and approvals, verifications, reconciliations, or business performance reviews. The goal of control activities is to sufficiently mitigate risks to the achievement of objectives to acceptably low levels.

Blockchain – with its use of cryptographic methods, capability to create smart contracts, and its ability to provide increased visibility – can be an important adjunct to enabling control activities, making such controls more reliable and secure, and providing enhanced or new tools to carry out the necessary steps in this context. At the same time, new challenges emerge requiring specialized considerations for control activities and for IT general controls.

Using Blockchain to Enhance Control Activities

• A well-designed and implemented blockchain may provide companies with the ability to further enhance their internal controls (e.g., by promoting accountability, maintaining record integrity, and being irrefutable). A properly implemented blockchain may reduce concern over direct access to record, modify, or delete historical data. For example, for certain blockchains, once a block is sufficiently buried (i.e., newer verified blocks exist on top of it), there is minimal risk of changes to historical data unless the governing parties agree to perform a change or the chain is forked (presuming no breaches to the security of the blockchain).

· The highly automated nature of blockchain, coupled with the technology’s ability to validate and record immutable transactions on a shared ledger, provides companies with opportunities to combat transactional and reporting fraud, due to the reduction of human intervention in the financial reporting process. With the use of blockchain, traditional opportunities to commit fraud or manual error will decrease, thereby reducing risk of loss. Further, the fact that multiple members participate in the consensus protocol allows for greater likelihood of errors being identified as many parties validate the accuracy of the transaction prior to posting.

· Blockchain eliminates the need for certain IT general controls as it minimizes the risk of data loss and therefore, traditional controls like data backups, batch processing among nodes, and disaster recovery may not be necessary, unless a platform is abandoned or goes into disuse. As the blockchain ledger is shared across multiple nodes on the network, reliance on backups is less important because the most recent versions of the ledger may be recovered from other non-affected nodes across the network.

• Use of blockchain may also mitigate the risk of untimely transaction processing and recording, because depending on the particular blockchain, it may provide the organization with the ability to process and record transactions on a near real- time basis. This capability can greatly reduce errors.


• Smart contracts may enhance control activities and prevent opportunities for fraud (due to the automation of executing contractual terms). Note, however, that as smart contracts are a tool, the tool or inputs used by smart contracts (including inputs from blockchain oracles) could be manipulated to commit fraud.

New Threats or Risks Posed by the use of Blockchain

· The appropriate functionality of blockchain is highly dependent upon the reliability of the underlying technology and the implementation of complementary business process and general IT controls. A poorly implemented blockchain or the lack of appropriate supporting controls could result in new or more widespread issues related to blockchain, including issues surrounding smart contracts, key management, consensus protocols, chain rollbacks, and forks.

· Smart contracts are powerful but can add complexity. Like any other programming application, smart contracts may contain programming errors or back doors, or be subject to other challenges. Poorly designed and implemented smart contracts with deficient business logic could lead to large-scale automatic execution and recording of invalid transactions, for which there could potentially be no recourse – a highly undesirable outcome.

· Blockchain does not provide management protection over access to an organization’s private keys and hence does not provide direct control of its digital assets. A lack of proper controls over the private keys and the ability to initiate blockchain-based transactions could lead to potential loss or misappropriation of organization assets. Enterprise key management software is only beginning to emerge, as are key management guidelines.14

· The consensus protocol (or mechanism) of a blockchain sets the rules, preconditions, and requirements for validating transactions in accordance with the agreed-upon rules. A poorly designed and implemented consensus protocol compromises the technology’s ability to properly validate transactions in accordance with the agreed-upon rules. In such cases, information recorded on the shared ledger may be invalid and unreliable.

· Even with the implementation of an effective consensus protocol, there is still a risk that transactions recorded on the blockchain may be invalid, for many reasons, including if the distribution of computational power among members of the network is such that one or more members of a group of members is able to manipulate the consensus protocol, a.k.a. a “51% attack”.

· Consensus protocols drive updates and changes to the system. Chain rollbacks are a primary method of “correcting” major errors in a blockchain but can be used to circumvent the immutability of a chain through restarting from an earlier point. As such, chain rollbacks may provide management with the ability to alter transactions recorded on the blockchain.

· The completeness of transactions recorded on the blockchain may be brought into question if the organization engages in recording off-chain transactions. Off-chain transactions are not captured on the blockchain and would require additional considerations and controls to reconcile with on-chain transactions and the associated financial reporting.


14 NIST Key Management Guidelines.


Mitigating the New Threats and Risks Associated with Blockchain Implementation

Controls over Key Aspects of the Blockchain

Although the implementation of blockchain could either enhance or impair the effectiveness of an entity’s control activities, there are specific steps that can be taken to mitigate these risks and utilize blockchain to its full potential. For example, revised policies and procedures should address new risks, internal controls, and accounting related to the use of blockchain, as well as establish responsibility and accountability for executing the policies and procedures. In addition, organizations should consider identifying and implementing relevant controls over key aspects of the blockchain, including, as appropriate, those outlined in the following table:

Table 5. Controls Over Key Aspects of Blockchain

Aspect of the Blockchain | Control Activity Considerations

Nodes | Each computer on a blockchain network is known as a “node.” It will be important for companies to have established controls governing the activities of nodes that store copies of the database, perform validation of transactions, work to prepare data to be added to the chain, or perform other services. Controls may relate to the following objectives:

· Making sure there are enough nodes working to minimize the opportunity for some to collaborate to attack the system. Ensuring the computational power is appropriately distributed across all nodes, such that the consensus protocol cannot be manipulated.

· Testing the availability of blockchain data from different nodes in the network.

· Verifying the consistency of data obtained from different nodes in the network.

· Testing that nodes are performing relevant validations before agreeing to add data to the chain.

· Tracking and providing incentives for correct validations and penalties for incorrect validations. (Note: An organization may not be able to perform these in relation to a public blockchain, given the large number of nodes operating on the network.)

Consensus Protocols | Consensus protocols for specific blockchains should be periodically evaluated to determine whether:

• The appropriate nodes are authorized to participate in consensus.

• Protocols have been appropriately designed and are operating effectively.

• Incentives for complying with the protocols and penalties for not complying have been appropriately designed to mitigate fraud.

The major categories of consensus include proof-of-work, proof-of-stake, or majority vote.15

Private Keys | Companies should take steps to manage access to their private keys. These controls will be dependent on how such keys are stored (e.g., hot wallet or cold wallet). In some instances, companies may engage a third-party custodian to assist in key management or to manage the assets directly. Custodians may require splitting access to the private key across multiple parties, thereby requiring approval of transactions by multiple parties (multisignature). It will also be important to ensure that the organization has considered appropriate segregation of duties to ensure that persons who approve blockchain transactions do not have the ability to record transactions within the organization’s books and records.

Smart Contract | To mitigate the risks associated with smart contracts, companies may:

• Implement controls to validate the appropriateness of the design and implementation effectiveness of smart contracts, track changes and updates in a controlled fashion, and ensure there is proper documentation and historical record to establish accountability.

• Implement controls over the inputs into smart contracts, including inputs from blockchain oracles.

Controls over smart contracts should provide timely alerts and exception reports to ensure that everything is working as intended and departures and deviations are promptly reported to appropriate parties.
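Footnote 13 and the Private Keys row above both describe splitting access to a private key across several parties so that no single person can move assets. The following Python block is an added example, not the document's own material and not any custodian's product: it implements Shamir's secret sharing over a prime field, one way to split a key so that any threshold number of shares reconstructs it while fewer shares carry no information about it. The field prime (the secp256k1 field prime, picked because a 256-bit key fits below it) and the 32-byte sample key are assumptions made for the example. This is different from the on-chain multisignature the row also mentions, where each approver keeps a separate key and the chain itself counts signatures; with secret sharing the reconstruction step should happen only inside a signing device, and the shares themselves belong in separate hardware or custodial systems.

```python
import secrets
from typing import List, Tuple

# Prime modulus for the share arithmetic. This is the secp256k1 field prime, chosen
# here (an assumption for the example) because any 256-bit key value fits below it.
PRIME = 2**256 - 2**32 - 977

Share = Tuple[int, int]   # (x, f(x)): the x-coordinate identifies the share holder

# Constructed 32-byte sample "private key"; a real key would come from a signing device.
SAMPLE_KEY = int.from_bytes(b"constructed-demo-key-32-bytes-xx", "big")


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate a0 + a1*x + a2*x^2 + ... mod PRIME by Horner's rule."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret: int, threshold: int, n_shares: int) -> List[Share]:
    """Split `secret` into n_shares pieces of which any `threshold` reconstruct it.

    The secret is the constant term of a random polynomial of degree threshold-1;
    fewer than `threshold` points leave that constant term completely undetermined.
    """
    if not 1 <= threshold <= n_shares:
        raise ValueError("need 1 <= threshold <= n_shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a non-negative integer below PRIME")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def recover_secret(shares: List[Share]) -> int:
    """Lagrange interpolation at x = 0 over the prime field."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # den is invertible because PRIME is prime and xi != xj.
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


def custody_demo() -> bool:
    """2-of-3 custody: two custodians together recover the key, one alone cannot."""
    shares = split_secret(SAMPLE_KEY, threshold=2, n_shares=3)
    two_parties_ok = recover_secret([shares[0], shares[2]]) == SAMPLE_KEY
    one_party_fails = recover_secret(shares[:1]) != SAMPLE_KEY
    return two_parties_ok and one_party_fails


if __name__ == "__main__":
    print("2-of-3 custody behaves as expected:", custody_demo())
```

The segregation-of-duties point in the row maps directly onto the share holders: the people holding shares (who can authorize a movement of assets) should not be the people who post the resulting entries to the books.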


15 More information on the nature of public and private blockchains is available in the posting by one of the founders of Ethereum, Vitalik Buterin, “On Public and Private Blockchains,” Buterin, V. 2015. Available at https://ethereum.github.io/blog/2015/08/07/on-public-and-private-blockchains/.


Information and Communication

Summary | Principle

13. Uses relevant, quality information | The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.

14. Communicates internally | The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

15. Communicates externally | The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.

The Information and Communication component of the 2013 Framework focuses on identifying, processing, and communicating relevant information to and from internal parties and external parties. Blockchain has the opportunity to support the effective and timely communication of information by connecting organizations for collaboration, while also presenting new risks and threats. At the same time, organizations must consider the information and communication changes expected to be needed in light of the use of blockchain. For example, most blockchain implementations today do not include on-chain all of the information helpful to support management’s representations about classes of transactions, events, or account balances.

Using Blockchain to Promote Information and Communication

· Blockchain results in enhanced visibility of transactions and new avenues for management to communicate financial information to key stakeholders (e.g., through ad hoc, real-time financial reporting).

· As a comprehensive, shared database, blockchain can be a foundation for providing data about transactions, relevant to both financial reporting and decision-making.

• Blockchain, if properly implemented, can promote the availability of data that is accessible, accurate, consistent, current, retained, and timely.

• Data is less likely to be lost when being entered into or aggregated within a common and comprehensive digital ledger, promoting better visibility and offering supplemental provenance evidence.


New Threats or Risks Posed by the use of Blockchain

· With the uncertainty about the full capabilities of blockchain and what blockchain is and does, there can be a false sense of comfort that information on a blockchain is always correct, information is available, people have been notified, and feedback has been received. In fact, information on a blockchain only maintains the integrity of what was entered; as in everything else, “garbage in, garbage out” prevails. Furthermore, the reliability of the data stored on a blockchain is dependent on the effectiveness of the underlying technology. Blockchain supported by flawed technology may provide data that is unreliable and cannot cure underlying deficiencies.

· Although blockchain has the ability to record large amounts of transactional data in a timely manner, this data will need to be processed into useful and actionable information.

• As it pertains to financial reporting, companies may face challenges gathering sufficient appropriate evidence to support assertions they make about the digital assets or digital asset transactions processed on a blockchain. Furthermore, companies may face challenges with the ability of auditors to obtain the evidence they need to assess whether the books and records are adequately supported. (See Appendix 3 for further discussion of assertions.)


Mitigating the New Threats or Risks Associated with Blockchain Implementation

In response to the new risks and threats to providing and receiving information, organizations may need to consider some of the following actions:

· Educate key stakeholders (including those charged with governance) on how blockchain will be used by the business and the associated benefits and risks of using the technology. It will be important for stakeholders to understand that although blockchain has been designed to improve the transaction execution and recording process with the aim of providing real-time validated transactions, there are still risks associated that could render the data unreliable.

· Determine that the board of directors and audit committee have the information they need to perform their related oversight responsibilities.

· Establish a method for members of a blockchain network to report any concerns. The methods may include a whistleblower hotline, if not already in place.

• Develop communication methods to ensure that operational and other changes/updates relating to the use of blockchain are communicated to appropriate personnel so they can understand and carry out their internal control related responsibilities.

• Determine new information requirements needed in light of the use of blockchain in order to produce relevant, quality information to support the functioning of internal controls.

• Develop data analytics procedures to identify and obtain relevant, quality data from the blockchain that can then be processed into information to be used to support management’s business processes and reporting objectives.

• Engage in discussions with both internal and external auditors during the development of or identification of a blockchain to be used in the entity’s processes. As a part of these discussions, it will be important for management to understand typical auditability issues associated with using blockchain and corresponding processes that can be implemented to mitigate against such issues, so that the appropriate information and support for transactions is available.

Monitoring Activities

Summary | Principle

16. Conducts ongoing and/or separate evaluations | The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

17. Evaluates and communicates deficiencies | The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Monitoring controls are used to determine whether internal control, including each of the components and principles, is effective and functioning. Findings are evaluated and communicated appropriately. Blockchain does not change the need to evaluate whether the components and principles are present and functioning, but the method of evaluation may change in light of the use of blockchain (for example, when the internal control environment is shared across multiple enterprises and may require more collaboration between organizations).


Using Blockchain to Enhance Monitoring

• As blockchain facilitates a more integrated, flow-through environment with minimized human intervention, evaluations themselves can be built into a blockchain-enabled process using smart contracts, AI, and standardized rules engines. In addition, blockchain can be used with other technologies to help in identifying information for effective oversight. For example, IoT devices can act where human intervention was previously impractical, to permit real-time recording of transactions16 based on changes in the environment. Blockchain can maintain detailed data that can be summarized in different ways to allow for the completion of evaluations of varying scopes and frequencies.

16 For example, IoT sensors in a shipping container can monitor for possible damage from rough movement or temperature variations and trigger appropriate claims for insurance or other contractual reparations.


· As information is collected or aggregated onto a blockchain on a real-time basis, monitoring activities can catch problems closer to the occurrence of a deficiency, minimizing exposure and speeding remediation.

· If effectively implemented, the use of blockchain may allow for more timely identification of errors and performance reviews, carried out more holistically. Advanced analytics, AI, and other tools can be used to analyze the detail allowing management to concentrate on higher risk areas. Separate evaluations performed by internal auditors can also focus on the information most relevant to their own use.
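The node-level considerations in Table 5 (availability of data from different nodes, consistency of data across nodes) and the chain rollback risk described under Control Activities can be turned into exactly the kind of ongoing, automated evaluation this section describes. The Python monitor below is an added example, not something from the document or from any blockchain platform; node names, block hash labels and the finality depth are constructed placeholders, and a real deployment would replace the snapshots with whatever block-header query the platform in use offers. Each polling round it records which nodes did not answer, at which heights the live nodes disagree, and whether any node now reports a different hash at a height the organization had already treated as settled, which is how a rollback or deep reorganization appears from the outside.

```python
from typing import Dict, List, Optional

Snapshot = Dict[int, str]                 # height -> block hash, as one node reports it
Reports = Dict[str, Optional[Snapshot]]   # node name -> snapshot, or None when it did not answer


class ChainMonitor:
    """Ongoing evaluation over several nodes' views of the same ledger.

    finality_depth is the organization's own rule for how many blocks must sit
    on top of a height before it is treated as settled (an assumed policy value).
    """

    def __init__(self, finality_depth: int) -> None:
        self.finality_depth = finality_depth
        self.settled: Dict[int, str] = {}   # height -> hash recorded as settled

    def check(self, reports: Reports) -> List[str]:
        findings: List[str] = []

        # 1. Availability: every polled node should have answered.
        live = {node: snap for node, snap in reports.items() if snap is not None}
        for node in sorted(reports):
            if node not in live:
                findings.append(f"availability: node {node} did not respond")

        # 2. Consistency: at each height the live nodes should report one hash.
        agreed: Dict[int, str] = {}
        for h in sorted({h for snap in live.values() for h in snap}):
            by_hash: Dict[str, List[str]] = {}
            for node, snap in sorted(live.items()):
                if h in snap:
                    by_hash.setdefault(snap[h], []).append(node)
            if len(by_hash) == 1:
                agreed[h] = next(iter(by_hash))
            else:
                detail = "; ".join(f"{hsh} from {','.join(nodes)}"
                                   for hsh, nodes in sorted(by_hash.items()))
                findings.append(f"consistency: height {h} reported with different hashes: {detail}")

        # 3. Rollback: a settled height must never come back with a different hash.
        for node, snap in sorted(live.items()):
            for h, hsh in sorted(snap.items()):
                if h in self.settled and self.settled[h] != hsh:
                    findings.append(f"rollback: node {node} reports {hsh} at settled height {h}, "
                                    f"expected {self.settled[h]}")

        # 4. Only when the round is clean, settle agreed heights buried deeply enough.
        blocking = any(f.startswith(("consistency", "rollback")) for f in findings)
        if agreed and not blocking:
            tip = max(agreed)
            for h, hsh in agreed.items():
                if tip - h >= self.finality_depth:
                    self.settled.setdefault(h, hsh)
        return findings


def make_chain(length: int, diverge_from: Optional[int] = None) -> Snapshot:
    """Constructed node view: hash labels b0..bN, with '-alt' from diverge_from onward."""
    return {h: f"b{h}" + ("-alt" if diverge_from is not None and h >= diverge_from else "")
            for h in range(length)}


def sample_rounds() -> List[List[str]]:
    """Three constructed polling rounds: clean; a tip-level fork plus an outage; a rollback."""
    monitor = ChainMonitor(finality_depth=2)
    rounds = [
        {"A": make_chain(6), "B": make_chain(6), "C": make_chain(6)},
        {"A": make_chain(8), "B": make_chain(8, diverge_from=6), "C": None},
        {"A": make_chain(8), "B": make_chain(8), "C": make_chain(8, diverge_from=2)},
    ]
    return [monitor.check(r) for r in rounds]


if __name__ == "__main__":
    for i, findings in enumerate(sample_rounds(), start=1):
        print(f"round {i}: {len(findings)} finding(s)")
        for f in findings:
            print("  " + f)
```

A disagreement only at the newest heights (round two) is the ordinary case of nodes that have not yet converged and is reported as a consistency item; the same disagreement at a height already recorded as settled (round three) is reported separately as a rollback, because that is the case the text says may let history be altered. The monitor deliberately refuses to settle anything further in a round with either kind of finding, so a rolled-back chain cannot quietly become the new baseline.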

New Threats and Risks Posed by the use of Blockchain

· Working with large amounts of data that is frequently updated could potentially exacerbate the level of, and susceptibility to, risks related to information overload and result in additional challenges in adequate monitoring.

· Similar to challenges identified surrounding the control environment component, finding competent people to design and perform effective monitoring controls over blockchain may prove challenging.

· The use cases for blockchain are growing in number and complexity, as are the regulations and laws surrounding blockchain. It is difficult to stay abreast of ongoing change and ensure proper and timely updates to the technology and to any other procedural or operational processes that are needed, including with respect to monitoring.

· The decentralization and lack of a central intermediary associated with certain blockchains may result in no established party or body responsible for executing monitoring controls, posing governance challenges.

Mitigate the New Threats and Risks Associated with Blockchain Implementation

In response to the new risks and threats, organizations may need to consider the following:

• Given the large volume of data processed on the blockchain and the high frequency at which these transactions are processed, using computerized continuous monitoring techniques to perform ongoing evaluations, as opposed to traditional manual techniques.


· Using ongoing evaluations to identify changes and updates to the technology, and to validate whether the components of internal control are present and functioning.

· Identifying and obtaining talent with requisite knowledge of an entity’s baseline control environment, blockchain technology, and best practices surrounding monitoring techniques to 1) assist in designing and implementing appropriate monitoring controls and 2) assess the results and efficiency of such monitoring activities.

· Assessing the unique aspects of blockchain such as consensus protocols, smart contracts, and private keys, as well as factors relating to the ongoing health, governance, and overall reliability of the blockchain in use.

· Within a consortium or private blockchain, identifying individuals who will be charged with executing monitoring controls and establishing agreed-upon policies and procedures for communicating deficiencies and taking corrective action in the event that deficiencies are identified.17

· In some instances, retaining an objective third party to assess consortium blockchains. For example, if proprietary information is needed from individual entities to determine whether the components are functioning, to evaluate deficiencies, and to communicate deficiencies, a trusted intermediary can access such information.

· Monitoring service-level agreements with and control reports from outsourced service providers. As stated earlier, if unreliable data associated with these relationships enters the blockchain, the results could be severely compromised, even catastrophically.

17 Establishing monitoring controls over a public blockchain may not be possible given the level of decentralization and management’s lack of control over the management and oversight of the technology.


CONCLUSION AND NEXT STEPS

Many businesses, industries, and governments are investing in and exploring how blockchain could positively impact the achievement of their objectives.18 When an organization evaluates the potential use of blockchain through a COSO lens, it enables the board of directors and senior executives to better understand the context and make more informed assessments of the technology’s potential and applicability with respect to internal control. This enables others within the organization to perform a detailed risk analysis and in turn, develop appropriate controls to address such risks, which will facilitate the effective adoption and use of blockchain.

Many challenges need to be addressed to leverage the potential of blockchain. These challenges and issues will likely be sorted out by organizations 1) with motivation to have transparent and accessible blockchain-based systems and 2) in industries that are being disrupted by blockchain.19 These organizations bear a greater burden in identifying solutions, lighting a new path that will help other blockchain adopters in the future. Further, it is these organizations that will develop new use cases, not only advancing their own organization, but also helping others (including regulators and other stakeholders) understand the potential benefits of blockchain.

The introduction provided a list of potential stakeholders and the intended use for the document. The following table provides potential next steps for the same stakeholders.

Table 6. Next Steps for Key Stakeholders

Audience

Board of directors; Audit committee members; Executives (CEO, CFO, Controllers); Internal auditors, management accountants, and others concerned with internal control matters; External auditors; Academics

Next steps

• Leverage this document and relevant blockchain-related information, educational materials, webcasts, training sessions and other resources to gain a foundational understanding of the technology

• Build internal expertise on the board and support discussion at the leadership level on blockchain activities within the organization and the potential benefits and challenges

• Understand how blockchain-enabled processes may promote or reduce reporting efficiency and risk

• Understand how internal and external auditors may be considering the technology’s potential

• Build internal expertise and support discussion at the divisional and/or departmental level on the potential benefits and challenges of blockchain

• Gain insights about how blockchain is being used by peer organizations and what innovative practices are in use

• Coordinate with blockchain developers to help them prioritize and design blockchain technology that is ready for internal control

• Talk with external auditors to understand how blockchain may impact the audit, including how appropriate audit evidence may be obtained in a blockchain-enabled world

• Put into practice the 2013 Framework to evaluate risks and control implications related to the use of blockchain

• Build knowledge and expertise of blockchain

• Understand how blockchain may impact the audit, including how sufficient appropriate audit evidence may be obtained in a blockchain-enabled world and how blockchain may be used for audit purposes

• Work within the firm and with third-party audit tool developers to develop necessary tools (e.g., to understand the internal controls and audit blockchain transactions)

• Leverage information and educational materials, webcasts, training sessions, and other resources to help educate students

• Consider potential research projects related to the implementation of blockchain and its use cases to help evaluate the implications of blockchain and effective internal control

• Explore new knowledge, innovative practices, and standards and regulations in this evolving space


18 Deloitte’s 2020 Global Blockchain Survey, From Promise to Reality. Deloitte Insights.

19 When people talk about industries being disrupted by blockchain, certain industries tend to rise to the top of the list. Defining characteristics of these industries include those with supply chains, longer term record-keeping needs, and large volumes of repetitive detail (e.g., financial services; health care, trade, and supply chain management).

Even while blockchain technology is evolving, the financial reporting stakeholder community can jointly work to better understand the challenges and risks, ways to remediate, and leading practices such that the potential benefits are realized. Stakeholders must realize that adoption is likely to move forward (even given the associated risks) regardless of whether such activities occur. If efforts are not made now, the knowledge, learning, and application gap will widen, and more effort will be required later to react to the challenges with the technology and its adoption.

The benefits of blockchain specific to financial reporting reliability will be maximized only if those who understand financial reporting, internal controls, and third-party assurance are actively involved in the evolution of the blockchain ecosystem as well as related regulation and guidance. Further, the potential benefits of blockchain to financial reporting stakeholders will be maximized only in conjunction with coupling with other technologies, such as AI and IoT.


APPENDIX 1. TECHNICAL APPENDIX

Short History of Blockchain

The initial blockchain adoption was primarily for Bitcoin. As highlighted in the seminal Satoshi Nakamoto paper, “Bitcoin: A Peer-to-Peer Electronic Cash System” (2008),20 Bitcoin was designed for peer-to-peer payments (value exchange) without the need for a central bank or intermediary; this has led to excitement by some and concern among others that digital assets could pose a legitimate threat to traditional financial services.

While digital assets and their volatility in value made headlines, market participants began to investigate the underlying technology, blockchain, and its potential as a new means of connecting parties. Given blockchain’s rapidly evolving use cases, global efforts to standardize and utilize the technology for a wide variety of purposes beyond Bitcoin have gained steam. With blockchain functionality (e.g., facilitating the transfer of digital assets in near real time), organizations have the opportunity to work differently, with new business models and value chains, and increased speed toward product or delivery.

When did blockchains begin? The proto-blockchain

Blockchain’s beginning goes back to the early 1990s when Dr. Stuart Haber and Dr. Scott Stornetta published a number of academic research papers21 related to using math and cryptography to prove document integrity by linking new batches of document metadata to an existing chain. This append-only structure leverages time-stamping and digital signatures, with the goal to ensure the integrity of data throughout the chain.
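The linking just described, each new batch committing to the hash of the batch before it together with a time-stamp, is what gives the structure its integrity property. The following Python block is an added example written for this page (it is not from the document, from Nakamoto's paper, or from Haber and Stornetta's work): an append-only ledger whose verifier walks the chain and reports the first block whose link, position or time-stamp ordering is broken. The record contents and time-stamps are constructed for the example. It also makes concrete the limit the Control Activities section raised about blocks being "sufficiently buried": an edit to a block that already has blocks on top of it breaks every later link and is caught, whereas an edit to the newest block, which nothing links to yet, is invisible to the chain structure alone and has to be caught by the copies held at other nodes and by the consensus process.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed placeholder for "no previous block" in front of the first block.
GENESIS_PREV_HASH = "0" * 64


@dataclass(frozen=True)
class Block:
    height: int                 # position in the chain; 0 for the first block
    timestamp: int              # time-stamp the block was issued with (Unix seconds)
    prev_hash: str              # hash of the previous block; this is the link
    records: Tuple[str, ...]    # the batch of records committed in this block


def canonical_bytes(block: Block) -> bytes:
    """Deterministic serialization so that every party hashes identical bytes."""
    body = {"height": block.height, "timestamp": block.timestamp,
            "prev_hash": block.prev_hash, "records": list(block.records)}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def block_hash(block: Block) -> str:
    return hashlib.sha256(canonical_bytes(block)).hexdigest()


class Ledger:
    """Append-only chain: each new block commits to the hash of the one before it."""

    def __init__(self) -> None:
        self.blocks: List[Block] = []

    def append(self, records: List[str], timestamp: int) -> Block:
        prev = block_hash(self.blocks[-1]) if self.blocks else GENESIS_PREV_HASH
        block = Block(len(self.blocks), timestamp, prev, tuple(records))
        self.blocks.append(block)
        return block

    def first_invalid_height(self) -> Optional[int]:
        """Walk the chain from the start; return the height of the first block whose
        link to its predecessor, position, or time-stamp ordering is wrong, else None."""
        expected_prev = GENESIS_PREV_HASH
        last_timestamp = 0
        for i, block in enumerate(self.blocks):
            if (block.height != i or block.prev_hash != expected_prev
                    or block.timestamp < last_timestamp):
                return i
            expected_prev = block_hash(block)
            last_timestamp = block.timestamp
        return None

    def confirmations(self, height: int) -> int:
        """How many blocks sit on top of the given block (how deeply it is buried)."""
        return len(self.blocks) - height - 1


def build_sample_ledger() -> Ledger:
    """Constructed sample data: four blocks of bookkeeping events with fixed time-stamps."""
    ledger = Ledger()
    ledger.append(["invoice 1001 issued"], 1_700_000_000)
    ledger.append(["invoice 1001 paid", "invoice 1002 issued"], 1_700_000_600)
    ledger.append(["invoice 1002 paid"], 1_700_001_200)
    ledger.append(["month-end close"], 1_700_001_800)
    return ledger


def rewrite_block(ledger: Ledger, height: int, new_records: List[str]) -> None:
    """Simulate a silent edit of stored history: swap a block's records without
    re-linking anything. Used only to show what the verifier does and does not catch."""
    old = ledger.blocks[height]
    ledger.blocks[height] = Block(old.height, old.timestamp, old.prev_hash, tuple(new_records))


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("intact chain, first invalid height:", ledger.first_invalid_height())
    rewrite_block(ledger, 1, ["invoice 1001 paid", "invoice 1002 issued", "invoice 1003 issued"])
    print("buried block edited, first invalid height:", ledger.first_invalid_height())
    ledger = build_sample_ledger()
    rewrite_block(ledger, 3, ["month-end close (edited)"])
    print("newest block edited, first invalid height:", ledger.first_invalid_height(),
          "- confirmations on top of it:", ledger.confirmations(3))
```

The verifier detects the edit at the block after the edited one, because that is where the stored link stops matching; a reader checking only the edited block's own hash against nothing would not notice. That is why a single node's self-check is not a substitute for comparing against other nodes' copies.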

Bitcoin’s blockchain

Nakamoto’s paper, which does not use the term blockchain, cites and expands on Haber and Stornetta’s ground-breaking work to support electronic cash and peer-to-peer exchange. The goals included eliminating the need for a single financial intermediary, preventing double spending,22 and incentivizing the decentralized participants to maintain the decentralized network and do the work to add the new records. “Bitcoin is open-source; its design is public, nobody owns or controls Bitcoin and everyone can take part.”23 Bitcoin’s ability to rely on the system without needing to trust the participants is the source of the phrase “trustless.”

Later blockchains, adding tokens, and smart contracts

After Bitcoin, a number of other blockchains sprouted (e.g., the ethereum24 blockchain). These added the ability to design custom digital assets called tokens and introduced a powerful programming environment called smart contracts.


20 https://bitcoin.org/bitcoin.pdf.

21 Such as “How to Time-Stamp a Digital Document”; www.anf.es/pdf/Haber_Stornetta.pdf.

22 With physical coins and bills, only one person at a time can be in possession. However, when using digital assets that were not designed to deal with the “double spend problem”, the proof of availability of an open balance can be promised to multiple parties at the same time. Bitcoin sought to minimize the problems this might cause.

23 https://bitcoin.org.

24 More about Ethereum, the catalyst for its development, and how it expanded on Bitcoin’s blockchain with tokens and smart contracts, can be found at https://ethereum.org/.


Some of the key concepts associated with blockchain as used in this paper include the following:

Table 7. Key Concepts Associated with Blockchain

Consensus mechanisms (or protocols)

With decentralized control of a blockchain, some means of gaining agreement is necessary on 1) the way transactions are checked against a base set of rules, making sure the blockchain contains a consistent set, and 2) the ordering of validated transactions within the shared, distributed information. This means of gaining agreement is known as a consensus mechanism. (Bitcoin accomplished agreement through incentives by compensating the participants, called “miners.”)

Consortium blockchain

Consortium blockchains are normally permissioned, but some are built upon public blockchains. Consortium blockchains include different organizations that have come together and agreed to jointly use a blockchain.

Decentralized database

Blockchain is often described as a “decentralized” database. A “database” is usually described as structured data organized to be easily accessed, managed, updated, and queried, with a focus on retrieval. This is not true of all blockchains; some are designed to be opaque and prevent any form of third-party analysis.

A major distinction between blockchain with digital assets and a database is the possibility of blockchain being the sole record keeping device for the digital assets.25 Blockchain excels where a disparate group of people want to share information but not have to rely on one of the parties to act as the intermediary.

Digital asset

The term digital asset as used in this paper refers broadly to digital records, made using cryptography for verification and security purposes, on a distributed ledger (e.g., blockchain). Digital assets, as defined by the AICPA,26 may be characterized by their ability to be used for a variety of purposes, including as a medium of exchange, as a representation to provide or access goods or services, or as a financing vehicle, such as a security, among other uses. The rights and obligations associated with digital assets vary significantly, as do the terms used to describe them.

Forks

Forks are an important tool that has been used widely in public blockchains like Bitcoin and Ethereum. As the name would imply, when a blockchain forks, some decision is made that results in two potentially different paths. Two separate chains will now have commonality up to the point of the fork, after which different sets of rules, different additions to data, and sometimes completely different assets will apply. Groups may choose to fork a blockchain in order to make a correction to the “immutable” blockchain on which they are based.

In the fork illustrated in the following example, holders of the original digital asset also became holders of another digital asset in the new chain created by forking the original chain. Sometimes, Bitcoin and Ethereum have forked solely in order to apply new rules.

[Figure: Original chain (blocks 1, 2, ...) and the chain created by forking the original chain. Fork at block 125,998; after the fork, new blocks differ. The same keys unlock the assets on both chains.]

Hash

A hash is a cryptographic, one-way algorithm for taking data of any size and converting it to a unique piece of information of a fixed size. With blockchain, each block on a blockchain is linked to the prior block with such a unique identifier.

Immutability and record integrity

Immutability refers to the append-only nature of a blockchain. The design of blockchain as append-only with cryptography means that information, once written to the blockchain, is very difficult to alter. Although corrections are still possible, corrections will need to be reflected as adjustments rather than directly as corrections to an existing transaction. Blockchain promises record integrity, but it does not promise that the records themselves reflect lawful or appropriately classified transactions.

Miners

Bitcoin accomplished a consensus through incentives, by compensating the participants (called miners) who exert effort and provide computational power to solve a computationally difficult mathematical puzzle – one that is difficult to perform but easy to check – a method known as “proof-of-work.” The Bitcoin design was purposefully challenging. Other methods, including giving more credibility to those who hold more of the digital asset themselves, called proof-of-stake, are also being used. As the original Bitcoin white paper notes, “What is needed is an electronic payment system based on cryptographic proof instead of trust, allowing any two willing parties to transact directly with each other without the need for a trusted third party.”27

Blockchain and Internal Control: The COSO Perspective | 23


25 For example, the Bitcoin ecosystem focuses on tracking Bitcoin, a digital asset with value that stands on its own (or not). The Ethereum platform has its primary digital asset, Ether, but also permits the creation of customized (bespoke) mutually exchangeable tokens (ERC-20) and other non-fungible tokens (ERC-721); many digital assets are created using Ethereum.

26 AICPA, “Practice Aid: Accounting for and Auditing Digital Assets,” December 2019.

27 https://bitcoin.org/bitcoin.pdf.


Table 7. Key Concepts Associated with Blockchain (cont.)

Nodes

Each computer on a blockchain network is known as a node.

On-chain transactions, off-chain transactions

On-chain transactions are the transactions available on the distributed ledger and are also potentially visible to all the members of the blockchain network. Off-chain transactions represent the movement of assets or recording of related information outside of the blockchain.

Open-source

An open-source model is a collaborative development and distribution model. It encourages those with common development interests to work together to produce something cost-effectively and with a greater eye to quality through numbers than individual commercial developers could create on their own.

Oracle

Oracles are a means of writing information to a blockchain as a record so smart contracts can monitor the records for changes and then act on them. Because oracles provide important input used to execute the terms of smart contracts, implementing controls over such oracles is important. It is important to check that an entity obtains periodic evidence about safeguards used to secure third-party oracles, if such are used. In addition, where IoT devices are used to act on external activities as part of the oracle, additional risks and controls should be considered.

Private (permissioned)

Private blockchains require permission from the owner or the protocols set up by the developer to read, write, or otherwise access the blockchain. It is possible, but unusual, for a private blockchain to be permissionless.

Public (typically permissionless)

Permissionless blockchains do not require permission to read or otherwise access the blockchain. They do have specific rules on who can write, also known as consensus. It is possible for a public blockchain to be permissioned.

Private and Public Keys

Blockchains use public and private keys (see following figure) for the authorization of the movement of digital assets from one blockchain address to another. Although common in security and especially encryption,28 the use of such keys has not been part of daily business activities. Digital asset transfers are authorized using the private key, and managing these keys is a new and critical responsibility in blockchain environments. Much like multiple written signatures being required for banking transactions, multiple keys may be required for digital asset transactions (multisignature or multisig). And much like people counterfeiting someone else’s signature, someone with access to someone else’s keys can act without the key owner’s permission.

As seen in the following figure, a large random number is used to seed standardized mathematical algorithms to create a private key (kept secret, but used to authorize the movement of digital assets from a specific blockchain address). Further algorithms create the public key and, from the public key, the blockchain address, the tracking number for digital asset balances. It is very easy to determine the address from the seed and the key. It is, however, practically impossible to go the other way – from address to public key, public key to private key, or private key to seed.

[Figure: Cryptographic seed (random information used to create key pairs; the figure shows the sample digits 9183801836519301 693737131890007 124663901033018, captioned “Math happens here!”) → Private key (a number derived from the seed; kept secret) → Public key (a number derived from the private key) → Public blockchain address (a number derived from the public key; Bitcoin, Ethereum, etc.).]

Rollback

A chain rollback is similar to copying over an existing database with an older version of that database due to data corruption or other problems. When a situation arises where there is sufficient support to “undo” later transactions, the chain is restored to a prior state, and a process of rewriting the necessary transactions after that point is conducted.

In the following figure, a series of transactions after block 125,998 are invalidated/removed, resulting in a rollback. With public blockchains like Bitcoin, this is not a simple process and has severe repercussions given blockchain’s reputation as immutable. Where there is more centralized control, this could be easier to accomplish, although such an action would be obvious to observers.

[Figure: Original chain, blocks 1, 2, ... 125,998. A problem occurs with a transaction in block 125,998 but isn’t caught until much later; the original chain is recreated from the point at which the problem occurred, which is the point to which the chain is rolled back.]
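As an added illustration (not code from the COSO paper, Bitcoin or Ethereum), the following toy ledger in Python shows the behaviour behind the Hash, Immutability, Miners, Forks and Rollback concepts above: each block carries the hash of its predecessor, a small proof-of-work target makes blocks costly to produce but trivial to check, and fork and rollback are both a truncation at a chosen height. The difficulty target, block heights and transaction strings are constructed values.

```python
# Toy hash-chained ledger (constructed example, not code from the COSO paper,
# Bitcoin or Ethereum) showing how the hash link, proof-of-work, forks and
# rollback described in Table 7 behave. Difficulty and transactions are toys.
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

DIFFICULTY = 2           # leading hex zeros a block hash must have (toy target)
GENESIS_PREV = "0" * 64  # the first block links to an all-zero hash

@dataclass
class Block:
    height: int
    prev_hash: str    # hash of the prior block: the link that chains blocks
    txs: List[str]    # constructed transaction records
    nonce: int = 0    # varied by miners until the hash meets DIFFICULTY

    def hash(self) -> str:
        # Deterministic serialisation so identical blocks hash identically.
        payload = json.dumps([self.height, self.prev_hash, self.txs, self.nonce],
                             separators=(",", ":"))
        return hashlib.sha256(payload.encode()).hexdigest()

    def meets_target(self) -> bool:
        return self.hash().startswith("0" * DIFFICULTY)

def mine(height: int, prev_hash: str, txs: List[str]) -> Block:
    """Proof-of-work: costly to produce (the loop), trivial to check (one hash)."""
    block = Block(height, prev_hash, list(txs))
    while not block.meets_target():
        block.nonce += 1
    return block

def verify(chain: List[Block]) -> Tuple[bool, Optional[int]]:
    """(True, None) if every block links to its predecessor and meets the
    target; otherwise (False, height of the first block that fails)."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        if block.height != i or block.prev_hash != prev or not block.meets_target():
            return False, i
        prev = block.hash()
    return True, None

def extend(chain: List[Block], new_txs: List[List[str]]) -> List[Block]:
    """Append one mined block per transaction list; returns a new list."""
    out = list(chain)
    prev = out[-1].hash() if out else GENESIS_PREV
    for txs in new_txs:
        block = mine(len(out), prev, txs)
        out.append(block)
        prev = block.hash()
    return out

def rollback(chain: List[Block], to_height: int) -> List[Block]:
    """Discard every block from to_height onward (the paper's "undo" step); the
    kept prefix stays valid because each link only points backward."""
    return list(chain[:to_height])

def fork(chain: List[Block], at_height: int, new_txs: List[List[str]]) -> List[Block]:
    """Share history up to at_height, then mine a diverging branch."""
    return extend(rollback(chain, at_height), new_txs)

def common_prefix(a: List[Block], b: List[Block]) -> int:
    """Number of leading blocks two chains share, i.e. the fork point."""
    n = 0
    for x, y in zip(a, b):
        if x.hash() != y.hash():
            break
        n += 1
    return n

def tampered_copy(chain: List[Block], height: int, txs: List[str]) -> List[Block]:
    """Edit one historic block without re-mining it: verify() then fails because its
    hash misses the target and/or the next block's link no longer matches it."""
    out = [Block(b.height, b.prev_hash, list(b.txs), b.nonce) for b in chain]
    out[height].txs = list(txs)
    return out
```

A tampered_copy() fails verify() while fork() and rollback() both yield chains that verify() accepts and that share history with the original only up to the chosen height; re-mining the edited block and every later one is the work that makes the chain "very difficult to alter" in the paper's sense.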

28 Encryption is a two-way process where information is altered in a way that only those with appropriate knowledge or tools can re-create the original message. It is used to deny intelligible content to an unauthorized interceptor.


Table 7. Key Concepts Associated with Blockchain (cont.)

Smart Contracts

Smart contracts in blockchain are computer programs stored on a blockchain that “self-execute” and where the outcome of any execution of the program is recorded on that blockchain. Although not limited or designed specifically to act like a legal contract, these programs can drive the recording of a transaction or the exchange of a digital asset automatically given the necessary input. When conditions are met, either from transactions occurring naturally on the blockchain or by transactions written by external sources, called oracles, the smart contract will create transactions autonomously.

[Figure: Oracle writes → Smart contracts act → Oracle writes → Smart contracts act. Here, both times the oracle writes, the smart contract follows up with a transaction.]

Tokens

Tokens are a type of digital asset, which can be new digital assets on their own, represent intangible assets (such as voting rights), or work as a digital proxy to physical assets.

Wallet

Wallets are used to manage keys. A cold wallet is not connected to the Internet. A hot wallet is connected to the Internet.


APPENDIX 2. KEY INSIGHTS: 10 THINGS TO KNOW ABOUT BLOCKCHAIN

The 10 things organizations should know about blockchain include the following:


1. Information about blockchain in the news and on the Internet is often misleading or incorrect. In gaining an understanding of blockchain, refer to reliable sources. Be aware there is not one blockchain (i.e., “the Blockchain”), and use of a blockchain will not instantly and magically link every organization together in commerce in a fully trustworthy, self-auditing environment, where the encrypted data within will open to only the right people at the right time. In fact, there are many blockchains, most of which do not easily speak to each other, many things that can go wrong, and much of the information needed is not on the blockchain itself.

2. Blockchain encompasses far more than digital assets; the benefits it can bring to an organization can be substantial. Blockchain technology goes beyond digital assets, and use cases are broad across industries. Blockchain became best known for Bitcoin, but the use cases are much wider now (e.g., supply chains, finance, insurance, and other areas). As the global economy moves toward digital assets, blockchain technology may affect everything from the products and services organizations provide and how they provide them, to the way entities manage internal record-keeping and data management systems and handle the processing of transactions.

3. Blockchain is not magic; it comes at a cost and doesn’t eliminate all risks. In fact, it introduces new risks. Blockchain does not address all risks by replacing all functions of an ERP system, nor does it ensure compliance with all rules and requirements. In fact, with blockchain come new risks to consider for new asset classes and processes. When participating in a blockchain, each participant should understand the responsibilities, operating and governance models, transaction rules, security protocols, incentives, penalties, and processes for joining and leaving the consortium, if applicable.

4. Knowing how blockchain technology works is crucial for evaluating, preparing for, and managing blockchain’s impact on internal control and the organization as a whole. Blockchain will create significant benefits for the right use cases, such as increasing efficiency and reducing human error. Generally, blockchain is most worth considering when:

• There are multiple parties and intermediaries to a process, all recording the same information

• There is a reconciliation-heavy process for managing the business and its relationships

• There is substantial manual data entry and tracking

• Stakeholders require different aggregations of reports and frequent ad hoc reporting

5. Blockchain has both technology and governance implications. New blockchain controls will inherently have a heavy technology focus. It is also important, however, to consider issues such as governance, document and data retention, privacy laws, competitive advantage, reputation, accountability, and information visibility.

6. Blockchain will not make management, accountants, or auditors less relevant, although it will impact what they do and how they do it. Blockchain is not currently capable of judgments, interpretation, valuations, accrual accounting, tracking commitments and contingencies, or providing assurance. Further, blockchain will change how financial transactions are recorded and analyzed, how reconciliations are performed, and how auditors obtain evidence. The use of blockchain may increase the demand for service auditor reports on the controls around the technology (See sidebar on page 5). Understanding and monitoring the evolving accounting and financial reporting rules is important.

7. Blockchain requires new skill sets (e.g., data science for greater hindsight, insight, and foresight) and new collaboration within and across organizations. Blockchain will create a demand for different skill sets with expertise in the technology (and its ramifications) to develop, implement, and monitor the blockchain. Blockchain education and upskilling will be critical. New collaborative skills and blending of management, technical, and legal skills – both within and across organizations – will be necessary.

8. Now is the time to educate and engage stakeholders throughout the organization. Early engagement throughout the organization will be important to consider the potential blockchain use cases, skill sets and training needed, performance requirements, scalability, integration with present systems, implications on evidence used to support the books and records, and resource needs. Creating both a short-term and long-term plan may be needed.

9. Blockchain is still in flux and continues to evolve. Some analysts say any solution implemented today will have to be redone in a few years.29 However, once the industry or regulatory environment clarifies the needed functionalities of blockchains, digital assets, and programming languages, there will be increased stability. Academics, collaborating with practitioners, could be indispensable in advancing thought leadership, as well as helping cope with real world practical challenges and proposing solutions.

10. Adoption of blockchain may not be a choice. Blockchain will likely have an impact on all organizations through direct investments in digital assets, indirect investments in digital assets, creation of their own permissioned blockchain, participation in an external permissioned blockchain, or other activities. There may be a pull for implementation from customers, suppliers, partners, and the government.


29 Gartner has suggested that 90% of 2019’s blockchain implementations will require replacement by 2021. www.gartner.com/en/newsroom/press-releases/2019-07-03-gartner-predicts-90--of-current-enterprise-blockchain.


APPENDIX 3. BLOCKCHAIN, FINANCIAL REPORTING ASSERTIONS, AND AUDIT EVIDENCE

Management implicitly or explicitly makes assertions regarding the recognition, measurement, and presentation of information in the financial statements and related disclosures. The work of the auditor is to obtain sufficient appropriate audit evidence to support their opinion. Audit evidence comprises both information that supports and corroborates management’s assertions, and information that potentially contradicts such assertions.

The following table highlights ways in which blockchain may present challenges with respect to how companies provide sufficient and appropriate audit evidence to support management’s assertions surrounding assets or transactions stored on a blockchain.30

Table 8. Management’s Assertions and Blockchain

Valuation

Most use of blockchain is to track a quantity of something (such as a digital asset balance), but the value of the item being tracked is not necessarily maintained in the blockchain. In addition, the determination of the value of digital assets may prove difficult in the event that there is little or no observable market data to support the value of these assets or large variations in market data (e.g., Level 3 assets, most illiquid and hardest to value, per ASC Topic 820).31

Existence

Often, the existence of digital assets is solely dependent on the evidence that can be obtained from a blockchain. Although blockchain has been developed to reduce tampering within transaction processing and recording, this does not, by itself, render the information stored on the distributed ledger fully reliable. The reliability of the information obtained from the blockchain is heavily dependent on the effectiveness of the underlying technology and relevant controls implemented to support the system. Therefore, solely providing information from a blockchain may not be deemed sufficient appropriate evidence to validate the existence of an asset. In many cases, additional procedures are warranted (e.g., test of internal controls related to the blockchain and security of the private keys to the digital assets).

Allocation

Blockchain information – such as blockchain-based tracking of shares, voting rights, or other relationships – can be used to support allocation calculations. However, additional procedures may be needed to support the reliability of information obtained from the blockchain to support such allocation calculations.

Occurrence

As with existence, information obtained from the blockchain may not, by itself, support the occurrence assertion. Additional procedures may be necessary to prove the reliability of information stored on the blockchain and hence the occurrence of a transaction. Furthermore, the pseudo-anonymous nature of transactions on the blockchain could provide users with the opportunity to engage in fictitious transactions or transactions with related parties that have no economic substance, thereby inflating revenues.

Completeness

Where a blockchain is the only record of transactions, it can serve as a complete record; however, the completeness of transactions stored on the blockchain will be dependent on the reliability of the blockchain technology as well as the controls implemented by the entity to ensure its books and records are appropriately capturing all transactions. Further, where information is recorded in whole or part in another system, blockchain does not support completeness. Controls would have to be in place to ensure that all activity, on-chain or off, and all detail, on-chain or off, is available and completely recorded.


Classification

The classification of a digital asset may prove difficult, because accounting guidance and precedent surrounding this topic is still evolving. Furthermore, companies will need to objectively evaluate the purpose and use of the asset in order to determine the appropriate classification of such assets.

Understandability

Blockchain does not take into account the need for any reporting or summarization of the information in an understandable fashion and does not have a function to do so. Management will need to determine what data from the blockchain will be useful to support the development of its financial statements and an appropriate method for obtaining and summarizing such data. Similar to the classification assertion, accounting guidance and precedent surrounding this topic is still evolving and due care should be taken in determining the presentation of digital assets within an entity’s financial statements.

Accuracy

Serving as the record for digital assets, blockchain stores the history of all transactions and balances. It does not mean that information within the blockchain is accurate, only that records keep their integrity.

Presentation

See considerations surrounding understandability.

30 Eric Cohen, “Will Blockchain Make Auditors Obsolete?”, ThinkTWENTY20, Spring 2019. www.thinktwenty20.com/images/docs/Spring-Issue-2019.pdf, accessed June 16, 2020.

31 Fair Value Measurement (Topic 820), https://asc.fasb.org/imageRoot/81/118196181.pdf.


Table 8. Management’s Assertions and Blockchain (cont.)

Cutoff

As a complete record of all related transactions, where records or blocks are time-stamped as they are written to the blockchain, there are capabilities to assess cutoff of recording dates. However, there is no inherent capability for accounting recognition dating, or concepts of accruals, prepaids, or matching expenses with revenues.

Obligations and Rights

Generally, there are no written title agreements associated with digital assets to support the rights and obligations assertions. Although procedures such as signed messaging may be used to demonstrate control over a private key (and hence rights to an asset), operational limitations may not allow for these procedures to be completed. Furthermore, these procedures may depend on the reliability of the underlying blockchain technology, thereby warranting the performance of additional procedures (e.g., test of internal controls). Finally, although signed messaging procedures may demonstrate control over the private key, there is still the risk that the private key may not be solely controlled by the organization (i.e., other parties may have access to the private key and hence control or ownership of the associated assets).
