This article focuses not only on the audit of the data stored on the blockchain, but also the audit of the blockchain itself. This is an important distinction because, in the former case, CPA auditors can be less concerned about the quality and quantity of audit evidence obtained due to the immutability and enhanced security of the blockchain. Data stored on the blockchain may even be more accurate and complete compared to the data obtained from traditional databases. Also, in the former case, unfamiliarity with blockchain technology will not necessarily hinder auditing the data stored on the blockchain, as long as the data is extracted properly. Nevertheless, the latter case represents a significant challenge for CPA auditors, and unfamiliarity with blockchain technology in such a case can be the bane of an audit engagement.
Smart Contracts and DAOs: An Overview
Ronald Coase suggested that an organization is just a nexus of contracts with stakeholders (viz., employees, customers, investors, regulators, suppliers). Smart contracts are “self-executing” automated contracts that allow for transactions to take place automatically without the need for an intermediary adjudicating the contract terms. They do this by allowing human drafted legal contracts to be converted to computer-readable language (i.e., program code) that runs on the blockchain. For example, a buyer-supplier agreement could have a “smart lien” protocol whereby if a buyer failed to meet the contractual obligation of making the payment for a shipment as per the contract, a supplier would immediately receive the security deposit held in escrow.
Blockchains allow program code to be stored on them. Thus, the program code for a smart contract, which can be examinable by all contracting parties beforehand, can be directly written on the blockchain. The smart contract, once finalized, will automatically execute based on the coded terms or following a certain trigger. Smart contracts reduce transaction costs and counter party risks because they bind parties and prevent default, thus adding more certainty to contractual agreements. Moreover, they are unambiguous as they are based on an explicit program code.
DAOs represent an extension of the application of smart contracts, blockchain-based organizational forms that use smart contracts in place of traditional organizational structures. The basic idea behind DAOs is that there can be corporate structures without a central authority (CEO), but crypto token–holders voting on important issues instead. The smart contracts for DAOs can be programmed to execute all decision-oriented tasks, such as funding capital expenditures for a project when a certain percentage of token-holders agree to it. There are proponents of DAOs who argue that they could make organizations more democratic.
Using the Work of Auditor-Engaged Specialists
DAOs represent an extension of the application of smart contracts, blockchain-based organizational forms that use smart contracts in place of traditional organizational structures.
Because blockchain developer skills are quite a niche skillset and there is an acute shortage of skilled and talented people on the current market, CPA auditors need to know about the following web platforms that they need to use to get the right specialist for their respective engagements: DevTeam. Space (https://www.devteam.space/), X-Team (https://x-team.com/), Toptal (https://www.toptal.com/), Arc (https://www.codementor.io/blog/introducing-arc-7f6q0boco3), and Stack Overflow Talent (https://stackoverflow.co/talent/). Looking for blockchain specialists on general job search websites or through routine talent search methods is not a feasible strategy. Another important strategy to note is that the auditor-engaged specialist should demonstrate knowledge of the specific blockchain platform (e.g., Ethereum, Hyper Ledger) that is being used by the audited organization, since each platform has its unique structures, use cases, and applications.
Moreover, there could be complications in an audit engagement if a lawyer drafts the contract and a programmer then codes it on the blockchain. Thus, a CPA auditor would need to engage and assess the work and expertise of two specialists, namely, the lawyer and the programmer. Further complexities in the audit could arise if the auditor, with the specialist’s help, concludes that the legal intent of a smart contract does not match the contract that is captured in the program code. CPAs auditing DAOs would also face similar challenges because they might have to engage these specialists just to understand the source code, which also includes a history of past decisions made by the token holders. Because there is no federal contract law in the United States, the enforceability and interpretation of smart contracts is determined at the state level. Currently, smart contracts are legally enforceable in most states if they comply with basic contract law requirements—that is, there is an offer, acceptance, and consideration. But the legal system seems to be a bit behind the times on this issue. Thus, CPAs need to exercise caution by first checking whether a smart contract entered into by an organization is legally enforceable.
The profession will first need to create and set standards for audit evidence obtained from programs that run on the blockchain.
An effective strategy for avoiding the above complications is to engage a lawyer that has some experience in smart contract drafting and review. The American Bar Association (ABA) has labelled smart contracts as a disruptive technology in the legal field; over time, it is expected that more lawyers will become familiar with blockchain technology. CPA auditors also need to take special care in auditing contracts when one of the parties to a smart contract indicates that the contract should be stopped, or when one or both parties want the contract changed due to evolving circumstances. It is important to remember that, once deployed, a smart contract cannot be modified due to the immutability of its terms. Thus, auditors may need to keep track of additional smart contracts that are deployed in order to correct actions performed by previous smart contracts.
Obtaining Audit Evidence
Smart contracts and DAOs are also changing the ways in which auditors obtain sufficient audit evidence. On one hand, there is greater transparency and standardization in contracting and reports due to the programmability of the block-chain. On the other hand, there seems to be considerable challenges with respect to performing audit procedures to obtain the right audit evidence. PCAOB Auditing Standard (AS) 1105, Audit Evidence (https://bit.ly/47lM4rd) states that the quantity of audit evidence is affected by the risk of material misstatement or the risk associated with internal controls, and the quality of audit evidence obtained. With respect to smart contracts and DAOs, the former are considerably reduced due to the immutability of the blockchain; however, the challenges associated with the latter are considerable. There is also not much precedent for CPAs to follow. The profession will first need to create and set standards for audit evidence obtained from programs that run on the blockchain.
PCAOB AS 1105 also states that “appropriateness” (relevance and reliability) is the measure of the quality of audit evidence. CPAs who are not familiar with blockchain technology and its use cases will struggle to obtain audit evidence that is both relevant and reliable in supporting their conclusions. AS 1105 also clearly states that if auditors use information produced by the company as audit evidence (which would typically be the case with smart contracts and DAOs), they should perform procedures to test the accuracy and completeness of the information. Performing procedures on the blockchain and its use cases requires an understanding of several disciplines in addition to accounting, such as cryptography, computer science, and engineering.
An effective strategy for auditors may be to first obtain sufficient understanding of relevant internal controls in an organization related to blockchain transactions. This may include understanding controls over how private keys are generated or how only valid transactions are added to the blockchain. Although the blockchain is resilient to tampering, it is not appropriate for auditors to expect that all blockchain protocols work and can be relied on without prior testing from the outset. Financial auditors should also expect to team up with information systems auditors when gathering and interpreting blockchain audit evidence. External auditors also need to expect that, although block-chain may provide audit evidence, it may not necessarily provide sufficient appropriate audit evidence related to the “nature” (economic substance) of a transaction associated with its use cases. For example, in the context of smart contracts, auditors may need to perform additional procedures to gather sufficient appropriate audit evidence to determine whether a self-executing line of code (i.e., programmed if…when…then rules) in a smart contract that releases payment funds automatically after certain delivery conditions are met reflects a simple procure-to-pay transaction or a more complex lease transaction.
Audit Documentation and Reporting of Critical Audit Matters
PCAOB Auditing Standard (AS) 1215, Audit Documentation, requires auditors to prepare documentation in sufficient detail to provide a clear understanding of its purpose, source, and conclusions reached. The issue with documenting audit procedures for smart contracts and DAOs is the level of technical understanding and detail that auditors would need to include in such documentation. If the level of technical detail in audit documentation varies between audit firms, it could create complications if companies change auditors and the incoming auditors have a different level of technical expertise than the outgoing auditors.
Independent auditors may also need to determine and communicate to the audit committee whether their analysis of the program code on the blockchain involved challenging, subjective, or complex judgments, thereby making it a critical audit matter (CAM) under PCAOB Auditing Standard (AS) 3101, The Auditor’s Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion (https://bit.ly/3soS4eY).
The broad strategy of auditors should be to help investors and management understand that their discussion of blockchain and its use cases as a CAM (if classified as such) is indicative of organizational-level complexity and significant auditor judgment. CPA auditors should also elaborate on how they performed audit procedures related to this CAM, the outcome of those procedures, and how they responded to any risks. It is extremely important that, with respect to blockchain and its use cases, lucid language is used by auditors to facilitate stakeholder understanding in a meaningful way (as intended by the PCAOB).
Auditors should expect significant disruption in their audit engagements due to the proliferation of smart contracts and DAOs over the course of the next few years.
Prepare for Disruption
Auditors should expect significant disruption in their audit engagements due to the proliferation of smart contracts and DAOs over the course of the next few years. This disruption will be in the specific areas of using and relying upon the work of specialists (programmers, computer scientists), obtaining the right quality and quantity of audit evidence, documenting audit procedures at the right level of technical detail, and the determination and communication of whether the block-chain program code analysis deserves to be classified as a CAM. Currently, auditors are rapidly skilling up on blockchain through continuing professional education (CPE) certificate courses that cover the technology and its use cases from a nontechnical perspective. For example, the two popular CPE certificate courses for auditors include the AICPA’s “Blockchain fundamentals for accounting and finance professionals” course and the IMA’s “Blockchain 101” course. At several professional CPA organization/association conferences, blockchain technology has been regularly featured as a topic of presentation. The author presented on the technical- and audit-related aspects of blockchain technology at different CPA organization/association conferences to a crowd of CFOs, accountants, and auditors three times last year.
Several universities have also scaled up their accounting programs recently to include a large data analytics component. There is a need to also incorporate blockchain technology in accounting curricula so that the next generation of auditors is well-trained and proficient in understanding the enterprise applications of blockchain in order to perform successful audits.