The adoption of blockchain has grown steadily since the technology was first introduced as a platform to create a decentralized currency, free from the effects of monetary policy implemented by governments. It is now used by businesses to manage supply chains, verify payments, create algorithm-based contracts, and more. Many of the blockchains in the enterprise environment are being established as permissioned blockchains, granting only invited parties access to the blockchain to read and/or write transactions. While sometimes viewed as lacking the important benefits of a truly decentralized environment without intermediaries, permissioned blockchains are appealing to businesses concerned with the privacy and security of company information should identities be discovered on a public blockchain, as well as with the speed of processing transactions and compliance with regulatory requirements.

In a permissioned blockchain, participants seek to collectively benefit from a shared ledger system (“Blockchain technology and its potential impact on the audit and assurance profession,” AICPA, 2017). Sometimes this is also referred to as a “blockchain consortium.” Typically, there are business-focused consortia, seeking to use blockchain-based platforms to solve a business problem within a particular industry, and technology-focused consortia, seeking to develop reusable blockchain platforms across different industries (“Banding together for blockchain,” Deloitte, Aug. 16, 2017). To avoid confusion, this article will use the term “permissioned blockchain” throughout.

Unlike a traditional database, a permissioned blockchain has no central entity that manages the information and protects the data. Instead, all parties on the blockchain control, maintain, and guard the information that is posted to it, providing an additional layer of control if one of the parties attempts to alter previously agreed-upon information. Distributing the shared information provides a layer of trust to the parties on the blockchain by giving each party simultaneous access to the same information; this reduces the risk that any single party can alter data that affects all the parties of the blockchain. The benefit is that blockchains are designed to be immutable and require all parties on the blockchain to agree before a transaction is posted—theoretically preventing inaccurate or fraudulent entries from impacting the financial reporting process.

For a simplified example, consider the supply chain to make a widget, illustrated in Exhibit 1. Assume Raw1 Company, Raw2 Company, and Raw3 Company each produces the raw material that goes into the widget. Make1 Company, Make2 Company, and Make3 Company buy the raw materials from any of those companies and manufacture the widget. Sell1 Company, Sell2 Company, and Sell3 Company are retailers that buy the manufactured products for sale to the end consumer. A permissioned blockchain could track the exact widget batches that end up in the final product as well as sales, payables, and receivables between the companies. Each company on the blockchain maintains a copy of the ledger with all transactions between all parties, with cryptographic techniques ensuring that certain data, such as pricing, is kept secure.
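The two control properties described above, every party holding a full copy of the ledger and pricing kept confidential by cryptography, can be made concrete. The following added example is not part of the original article; it models the widget supply chain with a hash-chained ledger replicated to each company, hides the Raw1-to-Make1 price behind a hash commitment (one possible technique, assumed here), and shows how a unilateral change by one party passes that party's own chain check yet is detected when the replicas are compared. The company names follow the article; batch identifiers, prices and salts are constructed.

```python
import copy
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64

def commit_price(price_cents: int, salt: str) -> str:
    # Hash commitment: the ledger stores only this digest, so parties without the
    # salt cannot read the price, while Raw1 and Make1 can later prove what it was.
    return hashlib.sha256(f"{price_cents}:{salt}".encode()).hexdigest()

def entry_hash(prev_hash: str, payload: dict) -> str:
    return hashlib.sha256((prev_hash + json.dumps(payload, sort_keys=True)).encode()).hexdigest()

def append_entry(ledger: list, payload: dict) -> None:
    prev = ledger[-1]["hash"] if ledger else GENESIS
    ledger.append({"prev": prev, "payload": payload, "hash": entry_hash(prev, payload)})

def first_broken_link(ledger: list) -> int:
    # Index of the first entry whose chain link fails to verify, or -1 if intact.
    prev = GENESIS
    for i, e in enumerate(ledger):
        if e["prev"] != prev or entry_hash(prev, e["payload"]) != e["hash"]:
            return i
        prev = e["hash"]
    return -1

def divergent_parties(replicas: dict) -> list:
    # Cross-replica check: a copy whose head hash disagrees with the majority of
    # the other parties' copies was altered unilaterally, even if it re-hashed itself.
    heads = {p: (lg[-1]["hash"] if lg else GENESIS) for p, lg in replicas.items()}
    majority = Counter(heads.values()).most_common(1)[0][0]
    return sorted(p for p, h in heads.items() if h != majority)

def build_scenario() -> dict:
    # Constructed sample: Raw1 sells batch RM-0001 to Make1 at a hidden price, Make1
    # ships widget batch WID-0001 to Sell1; every party holds a full replica.
    shared = []
    append_entry(shared, {"from": "Raw1", "to": "Make1", "batch": "RM-0001",
                          "price_commitment": commit_price(12_500, "salt-raw1-make1")})
    append_entry(shared, {"from": "Make1", "to": "Sell1", "batch": "WID-0001", "inputs": ["RM-0001"]})
    replicas = {p: copy.deepcopy(shared) for p in ["Raw1", "Raw2", "Make1", "Make2", "Sell1", "Sell2"]}
    # Make1 rewrites its own copy to claim a different input batch and re-hashes the
    # entry so that its copy passes the internal chain check on its own.
    mine = replicas["Make1"]
    mine[1]["payload"]["inputs"] = ["RM-0002"]
    mine[1]["hash"] = entry_hash(mine[1]["prev"], mine[1]["payload"])
    return replicas
```

The internal check alone would not catch Make1's edit; only the comparison across the other companies' copies does, which is the control value of distributing the ledger.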

Exhibit 1

Transfer of Information on the Blockchain Between Different Stages of the Supply Chain and within Companies at the Same Stage

Audit and Liability Issues

For each of the companies in this example, the permissioned blockchain is now part of its underlying IT infrastructure and general IT controls (GITC), which are a key piece of its financial reporting. Because of the decentralized design that underlies blockchain, each party on the permissioned blockchain maintains the same data on the same technological platform. Although the blockchain is designed to be immutable, risk areas remain, such as data entry, access management, storage, and other cybersecurity issues (“Reinventing Internal Controls in the Digital Age,” PricewaterhouseCoopers, Apr. 2019).

As required by auditing standards, “the auditor should obtain an understanding of specific risks to a company’s internal control over financial reporting resulting from IT” to identify and assess any risks of material misstatement in the financial statements (PCAOB AS 2201, Appendix B). Relying on the blockchain’s information for financial reporting or internal controls means that participants’ independent auditors must test and assess the processes related to this technology to ensure data integrity for financial reporting purposes. As the AICPA points out, “this will present new challenges because a blockchain likely would not be controlled by the entity being audited.” If each of the companies on a permissioned blockchain has a different auditor, then these efforts are duplicated across the number of parties on the blockchain at a significant cost in terms of both time and fees. This also creates a situation where different auditors could render different opinions on the same blockchain without financial statement users being aware that the opinions concern the same blockchain and may vary—inadvertently creating information asymmetry between the parties. It may be more efficient to hire one CPA to perform due diligence and assess the effectiveness of the controls for a permissioned blockchain. This raises questions about who the ultimate client is and what the scope of the audit engagement is.

In addition, aside from the duplicative efforts and costs of conducting an audit of the blockchain, there also exists the issue of legal liability. Participants in a permissioned blockchain are held liable to the other participants through off-chain legal contracts and agreements; thus, rather than being incentivized by tokens or coins as in the public Bitcoin blockchain, they are incentivized by the threat of legal prosecution (Garrick Hileman and Michel Rauchs, “Global blockchain benchmarking study,” Cambridge Centre for Alternative Finance, 2017). However, “the risk of entangling one’s own balance sheet with other ledger parties’ obligations is a serious barrier to cross-firm ledgers” (Dirk Zetzsche, Ross Buckley, and Douglas Arner, “The Distributed Liability of Distributed Ledgers: Legal Risks of Blockchain,” University of Illinois Law Review, p. 1361, 2018). Although permissioned systems control which parties have read and write access, this may actually increase the risk that participants will be held liable for breach of contract or for the actions of seemingly unrelated parties (Zetzsche, Buckley, and Arner, 2018). In a permissioned blockchain, there are also cybersecurity risks if a “malicious actor takes over 51 percent of the network nodes for a duration of time” (“Blockchain risk management,” Deloitte website, Sept. 27, 2017), and legal liability risks if smart contracts among some of the parties are erroneously or maliciously executed.

While the audit issues and legal risks of a permissioned blockchain could outweigh the benefits of such a system, there is a potential solution: the participants could establish a legal entity subject to variable interest entity consolidation procedures (VIE) and construct and operate the permissioned blockchain wholly within the VIE.

Variable Interest Entities

Corporations frequently establish other legal structures outside of their primary operating company to perform routine business transactions such as debt issuance, asset formation (e.g., mortgage-backed securities), and foreign expansion. Once established, these legal structures must be assessed for consolidation under the voting interest model or the variable interest model. It is clear that entities fully owned by one corporation must be consolidated into the parent corporation, with the parent recognizing all of the entity’s assets and liabilities. It is less clear, without new legislation or updated GAAP consolidation standards, how these entities must be treated for financial reporting purposes when the establishing corporation is not a majority shareholder, as would be the case if multiple parties elected to establish an entity with equal ownership and equal contributed capital.

Under ASC 810-10, the voting interest model requires consolidation if the parent corporation owns the majority voting interest in the legal structure, typically evidenced by holding more than 50% of the voting shares in the legal entity. Legal entities that do not meet the majority threshold are subject to consolidation testing under the variable interest entity model. Under ASC 810-10-05, the variable interest model requires consolidation if both of the following situations exist, regardless of ownership percentage: (1) the power to direct the activities that most significantly impact the VIE’s economic performance; and (2) the obligation to absorb losses of the VIE that could potentially be significant to the VIE, or the right to receive benefits from the VIE that could potentially be significant to the VIE.

If the above situations exist simultaneously, the party that meets both criteria is considered the primary beneficiary of the VIE and must consolidate the legal entity, even if it does not possess a majority of the voting shares in the entity. However, absent meeting the above criteria, it is possible for multiple unrelated parties to establish an entity and structure the entity such that none of the parties are required to consolidate the assets and liabilities of the VIE by equally sharing power to direct activities and absorb losses at an equal rate.

To illustrate this example, consider a seller and buyer that are preparing to begin a business relationship and elect to establish a permissioned blockchain through a VIE to share information and maintain the ledger of transactions between the two parties (see Exhibit 2). If the buyer and seller fund the VIE—and therefore, the blockchain—by each purchasing 50% of the VIE’s outstanding stock and agree to share profits and losses similarly, neither company may have to consolidate the VIE and its sole asset, the permissioned blockchain.

Exhibit 2

Sharing the Profits and Losses of the Permissioned Blockchain VIE

Under ASC 810-10-25-38D, if the companies share equally in the VIE as they do in the blockchain, there is no primary beneficiary and no entity is required to consolidate the VIE; it remains a stand-alone entity for financial reporting purposes. This financial reporting structure provides two benefits to the parties establishing the permissioned blockchain: it addresses the issue of legal liability pertaining to data breaches and the sharing of information across the blockchain, and it provides a method to reduce duplicative audit efforts through the use of SOC 1 reporting.

VIE: Solving the Liability and Audit Issues

First, depending on the legal structure in which the VIE is formed (e.g., joint venture, corporation, limited liability company), the VIE can provide limited liability to participants in the blockchain if one of the other parties suffers a data breach or does not appropriately protect the private information posted to the blockchain—a possibility, because all parties share and maintain the same data under the decentralized design.

Second, expanding on the audit considerations, this approach allows the VIE to designate the blockchain as a service organization subject to a single audit via System and Organization Controls (SOC) reporting. The auditing standards governing service organizations (PCAOB AU 324) indicate that an organization which “develops, provides, and maintains the software used by client organizations” would be considered a service organization. The VIE, established to hold and operate the permissioned blockchain, would engage an independent auditor to audit the blockchain technology, producing a SOC 1 report.

As PricewaterhouseCoopers points out, SOC reports provide “a cohesive, repeatable reporting process where companies can assess once and report out to many stakeholders… reducing compliance costs and time spent on audits.” The audit fee flows from the VIE to the engaged service auditor, minimizing the cost of each company’s external auditor performing its own tests of controls related to the blockchain. The VIE would then distribute the SOC 1 report, avoiding duplication of effort by these auditors in GITC and financial controls testing. This design also lowers the risk of different auditors reaching different conclusions about the reliability of the blockchain’s internal controls or the degree of audit evidence obtained from the blockchain, producing a consistent opinion as to its operating effectiveness.

Consider the Opportunity

Blockchain technology has the promise to improve the reliability of financial reporting and ease the audit process for companies sharing a blockchain. To best utilize this opportunity, companies in a permissioned blockchain should consider transferring their blockchain assets to a VIE and designating the VIE as a service organization, subject to SOC 1 testing. This would improve the audit process, provide a singular audit opinion, reduce costs, and assist with legal liability issues for companies on the permissioned blockchain.

John “Jack” Castonguay, PhD, CPA is an assistant professor in the department of accounting, taxation, and legal studies in business at Hofstra University, Hempstead, N.Y., and vice president of strategic content development at KnowFully Learning Group.
Kathleen Bakarich, PhD, CPA is an assistant professor in the department of accounting, taxation, and legal studies in business at Hofstra University.