Impact of Blockchain on IT Audit Amy Kemp, CISA, CRISC, CISSP Senior June 6, 2017 Amy.Kemp@elliottdavis.com 980.201.3174 © Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record of the discussion This presentation is for informational purposes and does not contain or convey specific advice It should not be used or relied upon in regard to any particular situation or circumstances without first consulting the appropriate advisor No part of the presentation may be circulated, quoted, or reproduced for distribution without prior written approval from Elliott Davis Decosimo © Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC Agenda  Blockchain Technology Overview  Three Levels of Blockchain, Tokens  Alliances and Industry Adoption  Smart Contracts  Identity Management  Criticism and Challenges  Impact on the IT Audit Function  Learning and Engagement © Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC Blockchain Overview Blockchain technology is a digital innovation that is poised to significantly alter financial markets within the next few years, within a cryptographic ecosystem that has the potential to also significantly impact trusted computing activities and therefore cybersecurity concerns as a whole © Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC Participant Exposure How many of you: •Have heard of bitcoins? •Own cryptocurrency? •Feel you understand the underlying blockchain technology? •Feel you can summarize for us the benefits of the “trust economy”? •Are involved in projects that involve blockchain technology implementation or related activities? © Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC Where It All Started Blockchain technology was first introduced in a whitepaper entitled: “Bitcoin: A Peer-to-Peer Electronic Cash System,” by Satoshi Nakamoto in 2008 • No reliance on trust • Digital signatures • Peer-to-peer network • Proof-of-work • Public history of transactions • Honest, independent nodes control majority of CPU computing power • Nodes vote with CPU computing power • Rules and incentives enforced through consensus mechanism https://bitcoin.org/bitcoin.pdf © Elliott Davis Decosimo, LLC â Elliott Davis Decosimo, PLLC Cryptocurrency Summarized Bitcoin was the first digital, i.e., cryptocurrency • A maximum of 21 million Bitcoins can be generated • Just as with real world mining, energy must be invested to solve complex mathematical problems by which systems earn Bitcoins • https://www.cryptocoincharts.info/coins/info claims to be indexing 4,220 cryptocurrencies • Most circulated: Bitcoin, Ethereum, Litecoin © Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC The Technology Behind Bitcoin • Think of Bitcoin as an electronic asset (as well as a digital currency) • A network of computers keeps track of Bitcoin payments, and adds them to an ever-growing list of all the Bitcoin payments that have been made, called “The Bitcoin Blockchain” • The file that contains data about all the Bitcoin transactions is often called a “ledger” • Bitcoin value is created through transaction processing, referred to as “mining,” which is performed by distributed processors called “nodes” of the peer-to-peer network A Gentle Introduction to Bitcoin by Antony Lewis, https://bravenewcoin.com/assets/Reference-Papers/AGentle-Introduction/A-Gentle-Introduction-To-Bitcoin-WEB.pdf © Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC Mining Evolution • Mining is the process whereby value is created through transaction processing that occurs on nodes of the network • In 2009, one could mine 200 Bitcoins with a personal, home computer In 2015, it would take about 98 years to mine just Bitcoin • Today there is almost no money to be made through traditional home mining • ASIC (Application Specific Integrated Circuit) has been designed strictly for mining Bitcoins • Groups of miners have formed mining pools, with each being paid their relative share for their contribution to the work performed My Dirty Little Bitcoin Secrets by Ofir Beigel, www.99bitcoins.com © Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC Three “Levels” of Blockchain Storage for digital records Exchanging digital assets (called tokens) Executing smart contracts - Ground rules – Terms & conditions recorded in code - Distributed network executes contract & monitors compliance - Outcomes are automatically validated without third party Tech Trends 2017, The Kenetic Enterprise, “Blockchain: Trust economy”, Deloitte University Press, 2017 © Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC Hyperledger Projects A few of the Hyperledger Projects include: •Hyperledger Burrow – Permissible smart contract machine with a modular blockchain client, built in part to the specification of the Ethereum Virtual Machine (EVM) •Hyperledger Fabric – Foundation for developing plug-n-play solutions within a modular architecture •Hyperledger Iroha – Simple and easy blockchain framework designed to be incorporated into infrastructure projects requiring distributed ledger technology •Hyperledger Sawtooth – A modular platform for building, deploying, and running distributed ledgers © Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC Ethereum Alliance Ethereum is a decentralized platform that runs smart contracts: applications that run exactly as programmed without any possibility of downtime, censorship, fraud, or third party interference The Ethereum project was bootstrapped via an ether pre-sale during August 2014 by fans all around the world It is developed by the Ethereum Foundation, a Swiss nonprofit, with contributions from individuals and organizations across the globe www.ethereum.org © Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC Ethereum Tools Several Ethereum offerings include: •The  Ethereum Wallet, which is a gateway to decentralized applications on the Ethereum blockchain, allowing users to hold and secure ether and other cryptoassets built on Ethereum, as well as write, deploy and use smart contracts •Design and issue your own cryptocurrency/traceable token Kickstart a project with Crowdsale www.ethereum.org â Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC What is Ether? • Ether is the crypto-fuel for the Ethereum network • Ether is a necessary element – a fuel – for operating the distributed application platform Ethereum It is a form of payment made by the clients of the platform to the machines executing the requested operations, functioning as the incentive that ensures that developers will write quality applications, and that the network remains healthy • The total supply of ether and its rate of issuance was decided by the donations gathered on the 2014 presale • Developers who intend to build apps that will use the Ethereum blockchain need ether • Users who want to access and interact with smart contracts on the Ethereum blockchain also need ether www.ethereum.org © Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC Cross-Industry Adoption Sectors leading the way in blockchain implementation: •Consumer products •Manufacturing •Technology • Media •Telecommunications •Health care •Life sciences Thirty-nine percent of the senior executives at large U.S companies initially surveyed indicate they have little or no knowledge about blockchain technology Many deemed it to be crucial  for their companies and industries Forty-two percent believe it will disrupt their industries “Blockchain Adoption Varies by Industry”, CIO Journal, The Wall Street Journal © Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC Financial Services Industry • As noted by A Michael Smith in “Creating Assurance in Blockchain,” trust and efficiency are the main value drivers for any use case The finance world is driven by technology • Tracking risk and monitoring compliance with laws and regulations within an increasingly complex cybersecurity environment requires considerable time and resources • The financial services industry immediately saw opportunities in blockchain and has been investing heavily in its usage, primarily as a part of private implementations Creating Assurance in Blockchain, Volume 2, 2017, by A Michael Smith Banking on change: How to respond to new expectations for audit committees by PWC Internal Audit Foundation, Douglas Anderson, CIA, CRMA, Cassian Joe, and Klaas J Westerling © Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC Identity Management The IT audit is broadly concerned with identity management concerns Protecting access to data, and the systems that are in place to process, store, and report on that data, requires ongoing resource dedication Multiple solutions are available, all of which require configuring and managing multiple identifiers for an individual’s various identities Identity management is an area that will certainly be impacted by widespread use of private keys to secure transactions © Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC Distributed Access Management • Creating an identity on blockchain can give individuals greater control over who has their personal information and how they access it • Areas impacted include passports, e-residency, birth certificates, wedding certificates, IDs, online account logins, etc • Digital ID’s can provide digital watermarks that can be assigned to every online transaction of any asset “21 Companies Leveraging Blockchain for Identity Management and Authentication” by Elena Mesropyan, https://letstalkpayments.com/22-companies-leveraging-blockchain-for-identitymanagement-and-authentication/ © Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC Protecting Private Keys • Within the blockchain, trust relies on the safekeeping of private keys, in support of a truly distributed identity management • Ultimately, that safekeeping resides with the actions taken by individuals to secure their private key • For cryptocurrency traders, one frequently sees the recommendation to write one’s private key down on a piece of paper and put it up for safekeeping in, for example, a safe deposit box © Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC Digital ID Solutions • May 24, 2017, saw the release of a Digitial ID solution by Netki, a California blockchain startup • Released at Consensus 2017, this is a highly-anticipated Digital ID smartphone app that uses Hyperledger blockchain to provide decentralized, open-source identity management • Approved by governments, fully Anti-Money Laundering (AML) and Know Your Customer (KYC) inclusive https://bravenewcoin.com/news/netki-launches-digital-id-solution-which-bitt-is-using-with-central-banks-inthe-caribbean/ © Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC Criticism and Challenges Critics have cited the following blockchain challenges: •Nascent technology •Uncertain regulatory status •Large energy consumption •Control, security and privacy •Integration concerns •Cultural adoption •Cost •Challenges associated with audit, taxes, and compliance Creating Assurance in Blockchain, Volume 2, 2017, by A Michael Smith Deloitte’s Blockchain technology: benefits & challenges, https://www2.deloitte.com/nl/nl/pages/innovatie/artikelen/blockchain-technology-9-benefits-and-7challenges.html © Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC Energy Consumption • An area of heavy criticism has to with the vast amounts of energy necessary to process and store transactions, especially as the use of blockchain technology increases • The Bitcoin blockchain network’s miners are attempting 450 thousand trillion solutions per second in efforts to validate transactions, using substantial amounts of computer power • Note that there are also opportunities to decentralize the energy grid • Wasted resources: Mining Bitcoin wastes huge amounts of energy ($15million/day) Deloitte’s Blockchain technology: benefits & challenges, https://www2.deloitte.com/nl/nl/pages/innovatie/artikelen/blockchain-technology-9-benefits-and-7challenges.html Blockchain in the Energy Sector: Institutional Disruption? By Marius Buchmann http://www.theenergycollective.com/enerquire/2402120/blockchain-energy-sector-institutional-disruption © Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC Impact on the IT Audit Function • Although the technology is still in its infancy, boundless usage opportunities exist • The identity management landscape is likely to shift dramatically • There is sure to be evolution within IT audit as various use cases unfold • Features that create trust could drive unachievable overhead costs • Compliance burden should eventually be eased as the technology is adopted, but this requires regulatory updates, which could take a while Tech Trends 2017, The Kenetic Enterprise, “Blockchain: Trust economy”, Deloitte University Press, 2017 © Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC Learning and Engagement Additional opportunities: •Organizations/alliances that offer the ability to connect with a spectrum of opinions and perspectives: - Ethereum Alliance – www.ethereum.org - Hyperledger Community – www.hyperledger.org • Offers Working Group Meetings •Join or participate in the cryptocurrency exchange marketplace - https://coinsbank.com/ - https://www.ethereum.org/ether © Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC Amy Kemp, CISA, CRISC, CISSP Email: Amy.Kemp@elliottdavis.com Phone: 980.201.3174 Website: www.elliottdavis.com Elliott Davis Decosimo provides comprehensive assurance, tax and consulting solutions to diverse businesses, organizations and individuals With a network of forward-thinking professionals in major U.S markets and alliance resources across the globe, the firm ranks among the top 30 and fastest-growing accounting firms in the U.S Visit elliottdavis.com for more information © Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC ... has its own blockchain and is engineered to be more programmable Tokens can be issued on top of the Ethereum blockchain • Token buyers are buying private keys, which are similar to API keys,... • Tokens are a new model for technology and can be an alternative to equity-based financing • Tokens not dilute capital They introduce a huge increase to buyer base and time -to- liquidity • Token... Decosimo, PLLC Tokens, continued • Tokens enable a better-than-free new business model • Tokens will introduce the rise of the “tech savvy senior executive.” • Tokens accommodate immediate custody without